From b7edc3ed82006c28daa9c33b95cd6562c3f7f169 Mon Sep 17 00:00:00 2001
From: shuanbao0 <shuanbao0@gmail.com>
Date: Sat, 11 Apr 2026 20:22:18 +0800
Subject: [PATCH 001/122] =?UTF-8?q?fix(gateway):=20=E5=85=BC=E5=AE=B9=20Cu?=
 =?UTF-8?q?rsor=20/v1/chat/completions=20=E7=9A=84=20Responses=20API=20bod?=
 =?UTF-8?q?y?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Cursor 云端 (User-Agent: Go-http-client/2.0) 发往 /v1/chat/completions 的
body 使用 Responses API 格式:
    {"model":"gpt-5.4","input":[{"role":"system","content":"..."}],"stream":true}

原代码用 ChatCompletionsRequest 反序列化,该结构体没有 Input 字段,
Cursor 的 input 数组被静默丢弃,ChatCompletionsToResponses 转换后产出
input: null,Codex 上游以 "Invalid type for 'input': expected a string,
but got an object" 拒绝请求(上游 typeof null === 'object')。

修复:在 ForwardAsChatCompletions 里用 gjson 检测 body shape,当 input
存在且 messages 缺失时,跳过 Chat→Responses 转换,用 sjson 仅改写 model
字段后原样透传 body。billing 所需的 ServiceTier 和 Reasoning.Effort 通过
gjson 从 raw body 提取,下游 codex OAuth transform 路径保持不变。

测试:新增 openai_cursor_warmup_pipeline_test.go,覆盖 5 个 shape 检测
用例(正向/标准请求不误伤/两字段共存/空 body/JSON 回读)。

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .../openai_cursor_warmup_pipeline_test.go     | 155 ++++++++++++++++++
 .../openai_gateway_chat_completions.go        |  60 +++++--
 2 files changed, 203 insertions(+), 12 deletions(-)
 create mode 100644 backend/internal/service/openai_cursor_warmup_pipeline_test.go

diff --git a/backend/internal/service/openai_cursor_warmup_pipeline_test.go b/backend/internal/service/openai_cursor_warmup_pipeline_test.go
new file mode 100644
index 00000000..8ade9dbb
--- /dev/null
+++ b/backend/internal/service/openai_cursor_warmup_pipeline_test.go
@@ -0,0 +1,155 @@
+package service
+
+import (
+	"encoding/json"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/tidwall/gjson"
+	"github.com/tidwall/sjson"
+)
+
+// TestCursorMixedShapeDetection covers the core invariant of the Cursor
+// compatibility fix in ForwardAsChatCompletions: when a client POSTs a
+// Responses-shaped body (has `input`, no `messages`) to /v1/chat/completions,
+// the request must be forwarded as-is with only the `model` field rewritten.
+// The raw `input` array (including Cursor's 80KB system prompt) must not be
+// discarded or reshaped.
+//
+// Context:
+//
+//	Before the fix, the handler unmarshaled the body into ChatCompletionsRequest,
+//	which has no Input field, silently dropping Cursor's input. The subsequent
+//	conversion produced `input: null`, which Codex upstreams reject with
+//	"Invalid type for 'input': expected a string, but got an object".
+func TestCursorMixedShapeDetection(t *testing.T) {
+	// Representative Cursor cloud body — shape is what matters, content is
+	// abridged. Notice: `input` is a Responses-API array, there is no
+	// `messages` field at all, and `user`/`stream` are at the top level.
+	cursorBody := []byte(`{
+		"user": "85df22e7463ab6c2",
+		"model": "gpt-5.4",
+		"stream": true,
+		"input": [
+			{"role":"system","content":"You are GPT-5.4 running as a coding agent."},
+			{"role":"user","content":"hello"}
+		],
+		"service_tier": "auto",
+		"reasoning": {"effort": "high"}
+	}`)
+
+	// --- Step 1: Shape detection (mirrors ForwardAsChatCompletions) ---
+	hasMessages := gjson.GetBytes(cursorBody, "messages").Exists()
+	hasInput := gjson.GetBytes(cursorBody, "input").Exists()
+	isResponsesShape := !hasMessages && hasInput
+
+	require.True(t, isResponsesShape,
+		"Cursor body must be detected as Responses-shape (has input, no messages)")
+
+	// --- Step 2: Model rewrite (mirrors the sjson.SetBytes branch) ---
+	const upstreamModel = "gpt-5.1-codex"
+	rewritten, err := sjson.SetBytes(cursorBody, "model", upstreamModel)
+	require.NoError(t, err)
+
+	// --- Step 3: Invariants of the rewritten body ---
+
+	// 3a. model must be rewritten to the upstream target.
+	assert.Equal(t, upstreamModel, gjson.GetBytes(rewritten, "model").String())
+
+	// 3b. input array must be preserved verbatim — no reshaping, no nulling.
+	inputResult := gjson.GetBytes(rewritten, "input")
+	require.True(t, inputResult.Exists(), "input field must still exist after rewrite")
+	require.True(t, inputResult.IsArray(), "input must still be an array (not null, not object)")
+
+	items := inputResult.Array()
+	require.Len(t, items, 2, "both input items must be preserved")
+	assert.Equal(t, "system", items[0].Get("role").String())
+	assert.Equal(t, "You are GPT-5.4 running as a coding agent.",
+		items[0].Get("content").String())
+	assert.Equal(t, "user", items[1].Get("role").String())
+	assert.Equal(t, "hello", items[1].Get("content").String())
+
+	// 3c. ALL other top-level fields must survive intact.
+	assert.Equal(t, "85df22e7463ab6c2", gjson.GetBytes(rewritten, "user").String())
+	assert.Equal(t, true, gjson.GetBytes(rewritten, "stream").Bool())
+	assert.Equal(t, "auto", gjson.GetBytes(rewritten, "service_tier").String())
+	assert.Equal(t, "high", gjson.GetBytes(rewritten, "reasoning.effort").String())
+
+	// 3d. Final upstream body must NOT contain the old "input":null pattern.
+	assert.NotContains(t, string(rewritten), `"input":null`,
+		"rewritten body must not collapse input to null")
+}
+
+// TestCursorMixedShapeDetection_NormalChatCompletionsUnaffected guards that
+// the shape detection does NOT misfire on a standard Chat Completions request
+// (one that has a `messages` array). Such requests must fall through to the
+// existing ChatCompletionsToResponses conversion path.
+func TestCursorMixedShapeDetection_NormalChatCompletionsUnaffected(t *testing.T) {
+	body := []byte(`{
+		"model": "gpt-4o",
+		"messages": [{"role":"user","content":"hi"}],
+		"stream": true
+	}`)
+
+	hasMessages := gjson.GetBytes(body, "messages").Exists()
+	hasInput := gjson.GetBytes(body, "input").Exists()
+	isResponsesShape := !hasMessages && hasInput
+
+	assert.False(t, isResponsesShape,
+		"standard Chat Completions body must NOT be detected as Responses-shape")
+}
+
+// TestCursorMixedShapeDetection_BothFieldsPrefersMessages guards the
+// ambiguous case where a client sends both `messages` and `input`. We fall
+// through to the normal conversion path (messages wins), since mixing the
+// two is almost certainly a client bug and messages is the documented
+// Chat Completions contract.
+func TestCursorMixedShapeDetection_BothFieldsPrefersMessages(t *testing.T) {
+	body := []byte(`{
+		"model": "gpt-4o",
+		"messages": [{"role":"user","content":"hi"}],
+		"input": [{"role":"user","content":"other"}]
+	}`)
+
+	hasMessages := gjson.GetBytes(body, "messages").Exists()
+	hasInput := gjson.GetBytes(body, "input").Exists()
+	isResponsesShape := !hasMessages && hasInput
+
+	assert.False(t, isResponsesShape,
+		"when both messages and input are present, must not take the Cursor shortcut")
+}
+
+// TestCursorMixedShapeDetection_EmptyBody ensures a body with neither
+// messages nor input is NOT taken as Cursor-shape (would hit the normal
+// conversion and fail on its own with a clearer error).
+func TestCursorMixedShapeDetection_EmptyBody(t *testing.T) {
+	body := []byte(`{"model":"gpt-5.4","stream":true}`)
+
+	hasMessages := gjson.GetBytes(body, "messages").Exists()
+	hasInput := gjson.GetBytes(body, "input").Exists()
+	isResponsesShape := !hasMessages && hasInput
+
+	assert.False(t, isResponsesShape,
+		"body with neither messages nor input must not be taken as Cursor shape")
+}
+
+// TestCursorMixedShape_JSONRoundtrip ensures the rewritten body is still
+// valid JSON and parseable back into a map without surprises — catches
+// any encoding drift from sjson.
+func TestCursorMixedShape_JSONRoundtrip(t *testing.T) {
+	cursorBody := []byte(`{"model":"gpt-5.4","stream":true,"input":[{"role":"user","content":"hi"}]}`)
+
+	rewritten, err := sjson.SetBytes(cursorBody, "model", "gpt-5.1-codex")
+	require.NoError(t, err)
+
+	var parsed map[string]any
+	require.NoError(t, json.Unmarshal(rewritten, &parsed))
+
+	assert.Equal(t, "gpt-5.1-codex", parsed["model"])
+	assert.Equal(t, true, parsed["stream"])
+
+	inputArr, ok := parsed["input"].([]any)
+	require.True(t, ok, "input must decode to a Go []any after round-trip")
+	require.Len(t, inputArr, 1)
+}
diff --git a/backend/internal/service/openai_gateway_chat_completions.go b/backend/internal/service/openai_gateway_chat_completions.go
index 9b3f69bc..c827fd7b 100644
--- a/backend/internal/service/openai_gateway_chat_completions.go
+++ b/backend/internal/service/openai_gateway_chat_completions.go
@@ -16,6 +16,8 @@ import (
 	"github.com/Wei-Shaw/sub2api/internal/pkg/logger"
 	"github.com/Wei-Shaw/sub2api/internal/util/responseheaders"
 	"github.com/gin-gonic/gin"
+	"github.com/tidwall/gjson"
+	"github.com/tidwall/sjson"
 	"go.uber.org/zap"
 )
 
@@ -55,13 +57,52 @@ func (s *OpenAIGatewayService) ForwardAsChatCompletions(
 		compatPromptCacheInjected = promptCacheKey != ""
 	}
 
-	// 3. Convert to Responses and forward
-	// ChatCompletionsToResponses always sets Stream=true (upstream always streams).
-	responsesReq, err := apicompat.ChatCompletionsToResponses(&chatReq)
-	if err != nil {
-		return nil, fmt.Errorf("convert chat completions to responses: %w", err)
+	// 3. Build the upstream (Responses API) body.
+	//
+	// Cursor compatibility: some clients (notably Cursor cloud) send Responses
+	// API shaped bodies — `input: [...]` with no `messages` field — to the
+	// /v1/chat/completions URL. Running those through ChatCompletionsToResponses
+	// would silently drop Cursor's `input` array (the struct has no Input field)
+	// and produce `input: null`, which Codex upstreams reject with
+	// "Invalid type for 'input': expected a string, but got an object".
+	//
+	// Detect that shape and forward the raw body as-is, only rewriting `model`
+	// to the resolved upstream model. The downstream codex OAuth transform will
+	// still normalize store/stream/instructions/etc.
+	isResponsesShape := !gjson.GetBytes(body, "messages").Exists() && gjson.GetBytes(body, "input").Exists()
+
+	var (
+		responsesReq  *apicompat.ResponsesRequest
+		responsesBody []byte
+		err           error
+	)
+	if isResponsesShape {
+		responsesBody, err = sjson.SetBytes(body, "model", upstreamModel)
+		if err != nil {
+			return nil, fmt.Errorf("rewrite model in responses-shape body: %w", err)
+		}
+		// Minimal stub populated from the raw body so downstream billing
+		// propagation (ServiceTier, ReasoningEffort) keeps working.
+		responsesReq = &apicompat.ResponsesRequest{
+			Model:       upstreamModel,
+			ServiceTier: gjson.GetBytes(responsesBody, "service_tier").String(),
+		}
+		if effort := gjson.GetBytes(responsesBody, "reasoning.effort").String(); effort != "" {
+			responsesReq.Reasoning = &apicompat.ResponsesReasoning{Effort: effort}
+		}
+	} else {
+		// Normal path: convert Chat Completions → Responses.
+		// ChatCompletionsToResponses always sets Stream=true (upstream always streams).
+		responsesReq, err = apicompat.ChatCompletionsToResponses(&chatReq)
+		if err != nil {
+			return nil, fmt.Errorf("convert chat completions to responses: %w", err)
+		}
+		responsesReq.Model = upstreamModel
+		responsesBody, err = json.Marshal(responsesReq)
+		if err != nil {
+			return nil, fmt.Errorf("marshal responses request: %w", err)
+		}
 	}
-	responsesReq.Model = upstreamModel
 
 	logFields := []zap.Field{
 		zap.Int64("account_id", account.ID),
@@ -69,6 +110,7 @@ func (s *OpenAIGatewayService) ForwardAsChatCompletions(
 		zap.String("billing_model", billingModel),
 		zap.String("upstream_model", upstreamModel),
 		zap.Bool("stream", clientStream),
+		zap.Bool("responses_shape", isResponsesShape),
 	}
 	if compatPromptCacheInjected {
 		logFields = append(logFields,
@@ -78,12 +120,6 @@ func (s *OpenAIGatewayService) ForwardAsChatCompletions(
 	}
 	logger.L().Debug("openai chat_completions: model mapping applied", logFields...)
 
-	// 4. Marshal Responses request body, then apply OAuth codex transform
-	responsesBody, err := json.Marshal(responsesReq)
-	if err != nil {
-		return nil, fmt.Errorf("marshal responses request: %w", err)
-	}
-
 	if account.Type == AccountTypeOAuth {
 		var reqBody map[string]any
 		if err := json.Unmarshal(responsesBody, &reqBody); err != nil {

From 422e25c99f2a3a6d16198a2fbeb2eb64cbc912d1 Mon Sep 17 00:00:00 2001
From: shuanbao0 <shuanbao0@gmail.com>
Date: Sat, 11 Apr 2026 22:48:45 +0800
Subject: [PATCH 002/122] =?UTF-8?q?fix(gateway):=20=E5=89=A5=E7=A6=BB=20Cu?=
 =?UTF-8?q?rsor=20raw=20body=20=E9=80=8F=E4=BC=A0=E8=B7=AF=E5=BE=84?=
 =?UTF-8?q?=E4=B8=AD=20Codex=20=E4=B8=8D=E6=94=AF=E6=8C=81=E7=9A=84=20Resp?=
 =?UTF-8?q?onses=20API=20=E5=8F=82=E6=95=B0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

在前一个 commit 的 isResponsesShape 短路路径基础上,补充对 Cursor 云端
带过来的、Codex 上游统一不支持的顶层 Responses API 参数的剥离:

  - prompt_cache_retention
  - safety_identifier
  - metadata
  - stream_options

根因补充:这条 raw-body 透传路径为了保留 Cursor 的 input 数组整体结构,
不再经过 ChatCompletionsRequest 的反序列化过滤,所以这些 Go 结构体里
没有对应字段的参数会被原样发到上游,上游返回:
    Unsupported parameter: <field>
常规 Chat Completions 转换路径天然通过 ChatCompletionsRequest 丢弃未知字段,
不受影响;此处仅在 isResponsesShape 分支内用 sjson.DeleteBytes 显式过滤,
作用域最小。剥离列表与 openai_gateway_service.go:2034 的
unsupportedFields 语义对齐。

另外在 applyCodexOAuthTransform 的 OAuth 兜底 strip 列表里同步追加
prompt_cache_retention,作为对该函数所有其他 OAuth 调用点的 defense
in depth(当前只有 Cursor 路径的短路已在前面剥过,但保留这一层更稳)。

测试:
- TestCursorMixedShape_StripsUnsupportedFields — 验证所有 4 个字段都被剥
- TestApplyCodexOAuthTransform_StripsPromptCacheRetention — OAuth 兜底路径

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .../service/openai_codex_transform.go         |  8 ++++
 .../service/openai_codex_transform_test.go    | 20 +++++++++
 .../openai_cursor_warmup_pipeline_test.go     | 44 +++++++++++++++++++
 .../openai_gateway_chat_completions.go        | 26 +++++++++++
 4 files changed, 98 insertions(+)

diff --git a/backend/internal/service/openai_codex_transform.go b/backend/internal/service/openai_codex_transform.go
index 4ec038e0..a266d6a0 100644
--- a/backend/internal/service/openai_codex_transform.go
+++ b/backend/internal/service/openai_codex_transform.go
@@ -124,6 +124,14 @@ func applyCodexOAuthTransform(reqBody map[string]any, isCodexCLI bool, isCompact
 		"top_p",
 		"frequency_penalty",
 		"presence_penalty",
+		// prompt_cache_retention is a newer Responses API parameter (cache TTL).
+		// The ChatGPT internal Codex endpoint rejects it with
+		// "Unsupported parameter: prompt_cache_retention". Defense-in-depth
+		// for any OAuth path that reaches this transform — the Cursor
+		// Responses-shape short-circuit in ForwardAsChatCompletions strips
+		// it earlier too, but we keep this line so other OAuth callers are
+		// equally protected.
+		"prompt_cache_retention",
 	} {
 		if _, ok := reqBody[key]; ok {
 			delete(reqBody, key)
diff --git a/backend/internal/service/openai_codex_transform_test.go b/backend/internal/service/openai_codex_transform_test.go
index 889ac615..993ade07 100644
--- a/backend/internal/service/openai_codex_transform_test.go
+++ b/backend/internal/service/openai_codex_transform_test.go
@@ -481,6 +481,26 @@ func TestExtractSystemMessagesFromInput(t *testing.T) {
 	})
 }
 
+// TestApplyCodexOAuthTransform_StripsPromptCacheRetention is a regression
+// test: some clients (e.g. Cursor cloud via the Responses-shape compat path)
+// send prompt_cache_retention, but the ChatGPT internal Codex endpoint
+// rejects it with "Unsupported parameter: prompt_cache_retention".
+func TestApplyCodexOAuthTransform_StripsPromptCacheRetention(t *testing.T) {
+	reqBody := map[string]any{
+		"model":                  "gpt-5.1",
+		"prompt_cache_retention": "24h",
+		"input": []any{
+			map[string]any{"role": "user", "content": "hi"},
+		},
+	}
+
+	applyCodexOAuthTransform(reqBody, false, false)
+
+	_, stillThere := reqBody["prompt_cache_retention"]
+	require.False(t, stillThere,
+		"prompt_cache_retention must be stripped before forwarding to Codex upstream")
+}
+
 func TestApplyCodexOAuthTransform_ExtractsSystemMessages(t *testing.T) {
 	reqBody := map[string]any{
 		"model": "gpt-5.1",
diff --git a/backend/internal/service/openai_cursor_warmup_pipeline_test.go b/backend/internal/service/openai_cursor_warmup_pipeline_test.go
index 8ade9dbb..19bb13d6 100644
--- a/backend/internal/service/openai_cursor_warmup_pipeline_test.go
+++ b/backend/internal/service/openai_cursor_warmup_pipeline_test.go
@@ -153,3 +153,47 @@ func TestCursorMixedShape_JSONRoundtrip(t *testing.T) {
 	require.True(t, ok, "input must decode to a Go []any after round-trip")
 	require.Len(t, inputArr, 1)
 }
+
+// TestCursorMixedShape_StripsUnsupportedFields mirrors the strip loop in
+// ForwardAsChatCompletions (isResponsesShape branch). Cursor cloud sends
+// prompt_cache_retention, safety_identifier, metadata and stream_options
+// as top-level Responses API parameters, which Codex upstreams reject with
+// "Unsupported parameter: ...". The fix must remove them from the raw body
+// before it is forwarded, for BOTH OAuth and API Key account types.
+func TestCursorMixedShape_StripsUnsupportedFields(t *testing.T) {
+	cursorBody := []byte(`{
+		"model": "gpt-5.4",
+		"stream": true,
+		"prompt_cache_retention": "24h",
+		"safety_identifier": "cursor-user-xyz",
+		"metadata": {"trace_id":"abc","caller":"cursor"},
+		"stream_options": {"include_usage": true},
+		"input": [{"role":"user","content":"hi"}]
+	}`)
+
+	// Sanity: the test fixture contains every field the production code strips.
+	for _, field := range cursorResponsesUnsupportedFields {
+		require.True(t, gjson.GetBytes(cursorBody, field).Exists(),
+			"test fixture must contain %s", field)
+	}
+
+	// Run the exact same loop as the production code.
+	result := cursorBody
+	for _, field := range cursorResponsesUnsupportedFields {
+		if stripped, err := sjson.DeleteBytes(result, field); err == nil {
+			result = stripped
+		}
+	}
+
+	// All unsupported fields must be gone.
+	for _, field := range cursorResponsesUnsupportedFields {
+		assert.False(t, gjson.GetBytes(result, field).Exists(),
+			"%s must be stripped", field)
+	}
+
+	// Everything else must survive intact.
+	assert.Equal(t, "gpt-5.4", gjson.GetBytes(result, "model").String())
+	assert.Equal(t, true, gjson.GetBytes(result, "stream").Bool())
+	assert.True(t, gjson.GetBytes(result, "input").IsArray())
+	assert.Equal(t, "user", gjson.GetBytes(result, "input.0.role").String())
+}
diff --git a/backend/internal/service/openai_gateway_chat_completions.go b/backend/internal/service/openai_gateway_chat_completions.go
index c827fd7b..ac7d28a7 100644
--- a/backend/internal/service/openai_gateway_chat_completions.go
+++ b/backend/internal/service/openai_gateway_chat_completions.go
@@ -21,6 +21,22 @@ import (
 	"go.uber.org/zap"
 )
 
+// cursorResponsesUnsupportedFields are top-level Responses API parameters that
+// Codex upstreams reject with "Unsupported parameter: ...". They must be
+// stripped when forwarding a raw client body through the Responses-shape
+// short-circuit in ForwardAsChatCompletions (see isResponsesShape branch).
+// The normal Chat Completions → Responses conversion path is unaffected
+// because ChatCompletionsRequest has no fields for these parameters — unknown
+// fields are dropped naturally by json.Unmarshal. Kept semantically in sync
+// with the list in openai_gateway_service.go:2034 used by the /v1/responses
+// passthrough path.
+var cursorResponsesUnsupportedFields = []string{
+	"prompt_cache_retention",
+	"safety_identifier",
+	"metadata",
+	"stream_options",
+}
+
 // ForwardAsChatCompletions accepts a Chat Completions request body, converts it
 // to OpenAI Responses API format, forwards to the OpenAI upstream, and converts
 // the response back to Chat Completions format. All account types (OAuth and API
@@ -81,6 +97,16 @@ func (s *OpenAIGatewayService) ForwardAsChatCompletions(
 		if err != nil {
 			return nil, fmt.Errorf("rewrite model in responses-shape body: %w", err)
 		}
+		// Strip Responses API parameters that no Codex upstream accepts.
+		// Because this branch forwards the raw body (the normal path rebuilds
+		// it from ChatCompletionsRequest and drops unknown fields naturally),
+		// we must filter these fields explicitly here — otherwise the upstream
+		// rejects the request with "Unsupported parameter: ...".
+		for _, field := range cursorResponsesUnsupportedFields {
+			if stripped, derr := sjson.DeleteBytes(responsesBody, field); derr == nil {
+				responsesBody = stripped
+			}
+		}
 		// Minimal stub populated from the raw body so downstream billing
 		// propagation (ServiceTier, ReasoningEffort) keeps working.
 		responsesReq = &apicompat.ResponsesRequest{

From 3a11348119669a53bba1ab3ba948216ea67a7ca7 Mon Sep 17 00:00:00 2001
From: qingyuzhang <zqy21@qq.com>
Date: Mon, 13 Apr 2026 06:55:57 +0800
Subject: [PATCH 003/122] fix(frontend): avoid mounting hidden mobile table

---
 frontend/src/components/common/DataTable.vue | 64 +++++++++++++++++---
 1 file changed, 56 insertions(+), 8 deletions(-)

diff --git a/frontend/src/components/common/DataTable.vue b/frontend/src/components/common/DataTable.vue
index 36c7e278..456b1da7 100644
--- a/frontend/src/components/common/DataTable.vue
+++ b/frontend/src/components/common/DataTable.vue
@@ -1,5 +1,5 @@
 <template>
-  <div class="md:hidden space-y-3">
+  <div v-if="!isDesktopViewport" class="space-y-3">
     <template v-if="loading">
       <div v-for="i in 5" :key="i" class="rounded-lg border border-gray-200 bg-white p-4 dark:border-dark-700 dark:bg-dark-900">
         <div class="space-y-3">
@@ -61,8 +61,9 @@
   </div>
 
   <div
+    v-else
     ref="tableWrapperRef"
-    class="table-wrapper hidden md:block"
+    class="table-wrapper"
     :class="{
       'actions-expanded': actionsExpanded,
       'is-scrollable': isScrollable
@@ -203,6 +204,11 @@ import Icon from '@/components/icons/Icon.vue'
 
 const { t } = useI18n()
 
+const desktopViewportQuery = '(min-width: 768px)'
+const isDesktopViewport = ref(
+  typeof window === 'undefined' ? true : window.matchMedia(desktopViewportQuery).matches
+)
+
 const emit = defineEmits<{
   sort: [key: string, order: 'asc' | 'desc']
 }>()
@@ -268,8 +274,19 @@ const checkActionsColumnWidth = () => {
 // 监听尺寸变化
 let resizeObserver: ResizeObserver | null = null
 let resizeHandler: (() => void) | null = null
+let desktopViewportMediaQuery: MediaQueryList | null = null
+let desktopViewportListener: ((event: MediaQueryListEvent) => void) | null = null
 
-onMounted(() => {
+const detachDesktopTableTracking = () => {
+  resizeObserver?.disconnect()
+  resizeObserver = null
+  if (resizeHandler) {
+    window.removeEventListener('resize', resizeHandler)
+    resizeHandler = null
+  }
+}
+
+const attachDesktopTableTracking = () => {
   checkScrollable()
   checkActionsColumnWidth()
   if (tableWrapperRef.value && typeof ResizeObserver !== 'undefined') {
@@ -286,14 +303,34 @@ onMounted(() => {
     }
     window.addEventListener('resize', resizeHandler)
   }
+}
+
+onMounted(() => {
+  if (typeof window !== 'undefined') {
+    desktopViewportMediaQuery = window.matchMedia(desktopViewportQuery)
+    isDesktopViewport.value = desktopViewportMediaQuery.matches
+    desktopViewportListener = (event: MediaQueryListEvent) => {
+      isDesktopViewport.value = event.matches
+    }
+    if (typeof desktopViewportMediaQuery.addEventListener === 'function') {
+      desktopViewportMediaQuery.addEventListener('change', desktopViewportListener)
+    } else {
+      desktopViewportMediaQuery.addListener(desktopViewportListener)
+    }
+  }
 })
 
 onUnmounted(() => {
-  resizeObserver?.disconnect()
-  if (resizeHandler) {
-    window.removeEventListener('resize', resizeHandler)
-    resizeHandler = null
+  detachDesktopTableTracking()
+  if (desktopViewportMediaQuery && desktopViewportListener) {
+    if (typeof desktopViewportMediaQuery.removeEventListener === 'function') {
+      desktopViewportMediaQuery.removeEventListener('change', desktopViewportListener)
+    } else {
+      desktopViewportMediaQuery.removeListener(desktopViewportListener)
+    }
+    desktopViewportListener = null
   }
+  desktopViewportMediaQuery = null
 })
 
 interface Props {
@@ -470,6 +507,17 @@ const columnsSignature = computed(() =>
   props.columns.map((column) => `${column.key}:${column.sortable ? '1' : '0'}`).join('|')
 )
 
+watch(
+  isDesktopViewport,
+  async (isDesktop) => {
+    detachDesktopTableTracking()
+    if (!isDesktop) return
+    await nextTick()
+    attachDesktopTableTracking()
+  },
+  { immediate: true, flush: 'post' }
+)
+
 // 数据/列变化时重新检查滚动状态
 // 注意：不能监听 actionsExpanded，因为 checkActionsColumnWidth 会临时修改它，会导致无限循环
 watch(
@@ -526,7 +574,7 @@ const sortedData = computed(() => {
 
 // --- Virtual scrolling ---
 const rowVirtualizer = useVirtualizer(computed(() => ({
-  count: sortedData.value?.length ?? 0,
+  count: isDesktopViewport.value ? (sortedData.value?.length ?? 0) : 0,
   getScrollElement: () => tableWrapperRef.value,
   estimateSize: () => props.estimateRowHeight ?? 56,
   overscan: props.overscan ?? 5,

From abe4267553620c0ed5808d9c2e82dbb866608d52 Mon Sep 17 00:00:00 2001
From: qingyuzhang <zqy21@qq.com>
Date: Mon, 13 Apr 2026 07:34:07 +0800
Subject: [PATCH 004/122] fix(frontend): lazy load mobile account usage cells

---
 .../components/account/AccountUsageCell.vue   | 131 ++++++++++++++++--
 1 file changed, 121 insertions(+), 10 deletions(-)

diff --git a/frontend/src/components/account/AccountUsageCell.vue b/frontend/src/components/account/AccountUsageCell.vue
index 37e18c35..2e4eea0c 100644
--- a/frontend/src/components/account/AccountUsageCell.vue
+++ b/frontend/src/components/account/AccountUsageCell.vue
@@ -1,5 +1,5 @@
 <template>
-  <div v-if="showUsageWindows">
+  <div ref="rootRef" v-if="showUsageWindows">
     <!-- Anthropic OAuth and Setup Token accounts: fetch real usage data -->
     <template
       v-if="
@@ -371,7 +371,7 @@
   </div>
 
   <!-- Non-OAuth/Setup-Token accounts -->
-  <div v-else>
+  <div ref="rootRef" v-else>
     <!-- Gemini API Key accounts: show quota info -->
     <AccountQuotaInfo v-if="account.platform === 'gemini'" :account="account" />
     <!-- Key/Bedrock accounts: show today stats + optional quota bars -->
@@ -439,7 +439,7 @@
 </template>
 
 <script setup lang="ts">
-import { ref, computed, onMounted, watch } from 'vue'
+import { ref, computed, onMounted, onUnmounted, watch } from 'vue'
 import { useI18n } from 'vue-i18n'
 import { adminAPI } from '@/api/admin'
 import type { Account, AccountUsageInfo, GeminiCredentials, WindowStats } from '@/types'
@@ -463,11 +463,23 @@ const props = withDefaults(
 )
 
 const { t } = useI18n()
+const desktopViewportQuery = '(min-width: 768px)'
 
 const loading = ref(false)
 const activeQueryLoading = ref(false)
 const error = ref<string | null>(null)
 const usageInfo = ref<AccountUsageInfo | null>(null)
+const rootRef = ref<HTMLElement | null>(null)
+const isDesktopViewport = ref(
+  typeof window === 'undefined' ? true : window.matchMedia(desktopViewportQuery).matches
+)
+const hasEnteredViewport = ref(false)
+const pendingAutoLoad = ref(false)
+const pendingAutoLoadSource = ref<'passive' | 'active' | undefined>(undefined)
+
+let desktopViewportMediaQuery: MediaQueryList | null = null
+let desktopViewportListener: ((event: MediaQueryListEvent) => void) | null = null
+let visibilityObserver: IntersectionObserver | null = null
 
 // Show usage windows for OAuth and Setup Token accounts
 const showUsageWindows = computed(() => {
@@ -514,6 +526,10 @@ const shouldAutoLoadUsageOnMount = computed(() => {
   return shouldFetchUsage.value
 })
 
+const shouldLazyLoadOnMobile = computed(() => {
+  return shouldFetchUsage.value && !isDesktopViewport.value
+})
+
 // Antigravity quota types (用于 API 返回的数据)
 interface AntigravityUsageResult {
   utilization: number
@@ -941,6 +957,56 @@ const loadUsage = async (source?: 'passive' | 'active') => {
   }
 }
 
+const flushPendingAutoLoad = () => {
+  if (!pendingAutoLoad.value) return
+  const source = pendingAutoLoadSource.value
+  pendingAutoLoad.value = false
+  pendingAutoLoadSource.value = undefined
+  loadUsage(source).catch((e) => {
+    console.error('Failed to load deferred usage:', e)
+  })
+}
+
+const requestAutoLoad = (source?: 'passive' | 'active') => {
+  if (!shouldFetchUsage.value) return
+  if (shouldLazyLoadOnMobile.value && !hasEnteredViewport.value) {
+    pendingAutoLoad.value = true
+    pendingAutoLoadSource.value = source
+    return
+  }
+  loadUsage(source).catch((e) => {
+    console.error('Failed to auto load usage:', e)
+  })
+}
+
+const detachVisibilityObserver = () => {
+  visibilityObserver?.disconnect()
+  visibilityObserver = null
+}
+
+const attachVisibilityObserver = () => {
+  detachVisibilityObserver()
+  if (!shouldLazyLoadOnMobile.value || hasEnteredViewport.value) return
+  if (typeof window === 'undefined' || typeof IntersectionObserver === 'undefined') {
+    hasEnteredViewport.value = true
+    flushPendingAutoLoad()
+    return
+  }
+  if (!rootRef.value) return
+
+  visibilityObserver = new IntersectionObserver((entries) => {
+    if (!entries.some((entry) => entry.isIntersecting)) return
+    hasEnteredViewport.value = true
+    detachVisibilityObserver()
+    flushPendingAutoLoad()
+  }, {
+    root: null,
+    rootMargin: '200px 0px',
+    threshold: 0.01
+  })
+  visibilityObserver.observe(rootRef.value)
+}
+
 const loadActiveUsage = async () => {
   activeQueryLoading.value = true
   try {
@@ -1040,18 +1106,29 @@ const formatKeyUserCost = computed(() => {
 })
 
 onMounted(() => {
+  if (typeof window !== 'undefined') {
+    desktopViewportMediaQuery = window.matchMedia(desktopViewportQuery)
+    isDesktopViewport.value = desktopViewportMediaQuery.matches
+    desktopViewportListener = (event: MediaQueryListEvent) => {
+      isDesktopViewport.value = event.matches
+    }
+    if (typeof desktopViewportMediaQuery.addEventListener === 'function') {
+      desktopViewportMediaQuery.addEventListener('change', desktopViewportListener)
+    } else {
+      desktopViewportMediaQuery.addListener(desktopViewportListener)
+    }
+  }
+
   if (!shouldAutoLoadUsageOnMount.value) return
   const source = isAnthropicOAuthOrSetupToken.value ? 'passive' : undefined
-  loadUsage(source)
+  requestAutoLoad(source)
 })
 
 watch(openAIUsageRefreshKey, (nextKey, prevKey) => {
   if (!prevKey || nextKey === prevKey) return
   if (props.account.platform !== 'openai' || props.account.type !== 'oauth') return
 
-  loadUsage().catch((e) => {
-    console.error('Failed to refresh OpenAI usage:', e)
-  })
+  requestAutoLoad()
 })
 
 watch(
@@ -1061,9 +1138,43 @@ watch(
     if (!shouldFetchUsage.value) return
 
     const source = isAnthropicOAuthOrSetupToken.value ? 'passive' : undefined
-    loadUsage(source).catch((e) => {
-      console.error('Failed to refresh usage after manual refresh:', e)
-    })
+    requestAutoLoad(source)
   }
 )
+
+watch(
+  [rootRef, shouldLazyLoadOnMobile],
+  () => {
+    if (shouldLazyLoadOnMobile.value) {
+      attachVisibilityObserver()
+      return
+    }
+    detachVisibilityObserver()
+  },
+  { immediate: true, flush: 'post' }
+)
+
+watch(isDesktopViewport, (isDesktop) => {
+  if (isDesktop) {
+    detachVisibilityObserver()
+    hasEnteredViewport.value = true
+    flushPendingAutoLoad()
+    return
+  }
+  hasEnteredViewport.value = false
+  attachVisibilityObserver()
+})
+
+onUnmounted(() => {
+  detachVisibilityObserver()
+  if (desktopViewportMediaQuery && desktopViewportListener) {
+    if (typeof desktopViewportMediaQuery.removeEventListener === 'function') {
+      desktopViewportMediaQuery.removeEventListener('change', desktopViewportListener)
+    } else {
+      desktopViewportMediaQuery.removeListener(desktopViewportListener)
+    }
+  }
+  desktopViewportListener = null
+  desktopViewportMediaQuery = null
+})
 </script>

From f498eb8fde028c11fa6285238971ebfa86e5f29f Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Mon, 13 Apr 2026 14:06:29 +0800
Subject: [PATCH 005/122] fix(payment): fix Alipay/Wxpay direct provider type
 mapping and enable cross-provider load balancing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Two issues fixed:

1. Alipay.SupportedTypes() returned ["alipay_direct"] and Wxpay returned
   ["wxpay_direct"], but the frontend sends payment_type="alipay"/"wxpay".
   The registry lookup failed with "payment method (alipay) is not
   configured". Fix: return the base types ["alipay"]/["wxpay"].

2. When multiple providers support the same payment type (e.g. EasyPay
   and Alipay direct both handle "alipay"), only the last-registered
   provider's instances were reachable — the registry mapped one type to
   one provider key, and SelectInstance queried by that single key.

   Fix: bypass the registry in invokeProvider and let SelectInstance
   query across all providers when providerKey is empty. The selected
   instance's own ProviderKey (now included in InstanceSelection) is
   used to create the correct provider, enabling true cross-provider
   load balancing.

Closes #1592
---
 backend/internal/payment/load_balancer.go   | 21 +++++++++++++--------
 backend/internal/payment/provider/alipay.go |  2 +-
 backend/internal/payment/provider/wxpay.go  |  2 +-
 backend/internal/payment/types.go           |  1 +
 backend/internal/service/payment_order.go   | 15 ++++++---------
 5 files changed, 22 insertions(+), 19 deletions(-)

diff --git a/backend/internal/payment/load_balancer.go b/backend/internal/payment/load_balancer.go
index afe607e0..55cb2043 100644
--- a/backend/internal/payment/load_balancer.go
+++ b/backend/internal/payment/load_balancer.go
@@ -94,17 +94,21 @@ func (lb *DefaultLoadBalancer) SelectInstance(
 	return lb.buildSelection(selected.inst)
 }
 
-// queryEnabledInstances returns enabled instances for providerKey that support paymentType.
+// queryEnabledInstances returns enabled instances that support paymentType.
+// When providerKey is non-empty, only instances with that provider key are considered.
+// When providerKey is empty, instances across all providers are considered,
+// enabling cross-provider load balancing (e.g. EasyPay + Alipay direct for "alipay").
 func (lb *DefaultLoadBalancer) queryEnabledInstances(
 	ctx context.Context,
 	providerKey string,
 	paymentType PaymentType,
 ) ([]*dbent.PaymentProviderInstance, error) {
-	instances, err := lb.db.PaymentProviderInstance.Query().
-		Where(
-			paymentproviderinstance.ProviderKey(providerKey),
-			paymentproviderinstance.Enabled(true),
-		).
+	query := lb.db.PaymentProviderInstance.Query().
+		Where(paymentproviderinstance.Enabled(true))
+	if providerKey != "" {
+		query = query.Where(paymentproviderinstance.ProviderKey(providerKey))
+	}
+	instances, err := query.
 		Order(dbent.Asc(paymentproviderinstance.FieldSortOrder)).
 		All(ctx)
 	if err != nil {
@@ -113,12 +117,12 @@ func (lb *DefaultLoadBalancer) queryEnabledInstances(
 
 	var matched []*dbent.PaymentProviderInstance
 	for _, inst := range instances {
-		if paymentType == providerKey || InstanceSupportsType(inst.SupportedTypes, paymentType) {
+		if InstanceSupportsType(inst.SupportedTypes, paymentType) {
 			matched = append(matched, inst)
 		}
 	}
 	if len(matched) == 0 {
-		return nil, fmt.Errorf("no enabled instance for provider %s type %s", providerKey, paymentType)
+		return nil, fmt.Errorf("no enabled instance for payment type %s", paymentType)
 	}
 	return matched, nil
 }
@@ -258,6 +262,7 @@ func (lb *DefaultLoadBalancer) buildSelection(selected *dbent.PaymentProviderIns
 
 	return &InstanceSelection{
 		InstanceID:     fmt.Sprintf("%d", selected.ID),
+		ProviderKey:    selected.ProviderKey,
 		Config:         config,
 		SupportedTypes: selected.SupportedTypes,
 		PaymentMode:    selected.PaymentMode,
diff --git a/backend/internal/payment/provider/alipay.go b/backend/internal/payment/provider/alipay.go
index 3eca0b2c..af8a90c6 100644
--- a/backend/internal/payment/provider/alipay.go
+++ b/backend/internal/payment/provider/alipay.go
@@ -76,7 +76,7 @@ func (a *Alipay) getClient() (*alipay.Client, error) {
 func (a *Alipay) Name() string        { return "Alipay" }
 func (a *Alipay) ProviderKey() string { return payment.TypeAlipay }
 func (a *Alipay) SupportedTypes() []payment.PaymentType {
-	return []payment.PaymentType{payment.TypeAlipayDirect}
+	return []payment.PaymentType{payment.TypeAlipay}
 }
 
 // CreatePayment creates an Alipay payment page URL.
diff --git a/backend/internal/payment/provider/wxpay.go b/backend/internal/payment/provider/wxpay.go
index 14e51cd2..0b41c4fb 100644
--- a/backend/internal/payment/provider/wxpay.go
+++ b/backend/internal/payment/provider/wxpay.go
@@ -72,7 +72,7 @@ func NewWxpay(instanceID string, config map[string]string) (*Wxpay, error) {
 func (w *Wxpay) Name() string        { return "Wxpay" }
 func (w *Wxpay) ProviderKey() string { return payment.TypeWxpay }
 func (w *Wxpay) SupportedTypes() []payment.PaymentType {
-	return []payment.PaymentType{payment.TypeWxpayDirect}
+	return []payment.PaymentType{payment.TypeWxpay}
 }
 
 func formatPEM(key, keyType string) string {
diff --git a/backend/internal/payment/types.go b/backend/internal/payment/types.go
index c413d8f3..5d613a4a 100644
--- a/backend/internal/payment/types.go
+++ b/backend/internal/payment/types.go
@@ -148,6 +148,7 @@ type RefundResponse struct {
 // InstanceSelection holds the selected provider instance and its decrypted config.
 type InstanceSelection struct {
 	InstanceID     string
+	ProviderKey    string // Provider key of the selected instance (e.g. "alipay", "easypay")
 	Config         map[string]string
 	SupportedTypes string // Comma-separated list of supported payment types from the instance
 	PaymentMode    string // Payment display mode: "qrcode", "redirect", "popup"
diff --git a/backend/internal/service/payment_order.go b/backend/internal/service/payment_order.go
index 2a952ece..ff4dfaa8 100644
--- a/backend/internal/service/payment_order.go
+++ b/backend/internal/service/payment_order.go
@@ -189,19 +189,16 @@ func (s *PaymentService) checkDailyLimit(ctx context.Context, tx *dbent.Tx, user
 }
 
 func (s *PaymentService) invokeProvider(ctx context.Context, order *dbent.PaymentOrder, req CreateOrderRequest, cfg *PaymentConfig, payAmountStr string, payAmount float64, plan *dbent.SubscriptionPlan) (*CreateOrderResponse, error) {
-	s.EnsureProviders(ctx)
-	providerKey := s.registry.GetProviderKey(req.PaymentType)
-	if providerKey == "" {
-		return nil, infraerrors.ServiceUnavailable("PAYMENT_GATEWAY_ERROR", fmt.Sprintf("payment method (%s) is not configured", req.PaymentType))
-	}
-	sel, err := s.loadBalancer.SelectInstance(ctx, providerKey, req.PaymentType, payment.Strategy(cfg.LoadBalanceStrategy), payAmount)
+	// Select an instance across all providers that support the requested payment type.
+	// This enables cross-provider load balancing (e.g. EasyPay + Alipay direct for "alipay").
+	sel, err := s.loadBalancer.SelectInstance(ctx, "", req.PaymentType, payment.Strategy(cfg.LoadBalanceStrategy), payAmount)
 	if err != nil {
-		return nil, fmt.Errorf("select provider instance: %w", err)
+		return nil, infraerrors.ServiceUnavailable("PAYMENT_GATEWAY_ERROR", fmt.Sprintf("payment method (%s) is not configured", req.PaymentType))
 	}
 	if sel == nil {
 		return nil, infraerrors.TooManyRequests("NO_AVAILABLE_INSTANCE", "no available payment instance")
 	}
-	prov, err := provider.CreateProvider(providerKey, sel.InstanceID, sel.Config)
+	prov, err := provider.CreateProvider(sel.ProviderKey, sel.InstanceID, sel.Config)
 	if err != nil {
 		return nil, infraerrors.ServiceUnavailable("PAYMENT_GATEWAY_ERROR", "payment method is temporarily unavailable")
 	}
@@ -209,7 +206,7 @@ func (s *PaymentService) invokeProvider(ctx context.Context, order *dbent.Paymen
 	outTradeNo := order.OutTradeNo
 	pr, err := prov.CreatePayment(ctx, payment.CreatePaymentRequest{OrderID: outTradeNo, Amount: payAmountStr, PaymentType: req.PaymentType, Subject: subject, ClientIP: req.ClientIP, IsMobile: req.IsMobile, InstanceSubMethods: sel.SupportedTypes})
 	if err != nil {
-		slog.Error("[PaymentService] CreatePayment failed", "provider", providerKey, "instance", sel.InstanceID, "error", err)
+		slog.Error("[PaymentService] CreatePayment failed", "provider", sel.ProviderKey, "instance", sel.InstanceID, "error", err)
 		return nil, infraerrors.ServiceUnavailable("PAYMENT_GATEWAY_ERROR", fmt.Sprintf("payment gateway error: %s", err.Error()))
 	}
 	_, err = s.entClient.PaymentOrder.UpdateOneID(order.ID).SetNillablePaymentTradeNo(psNilIfEmpty(pr.TradeNo)).SetNillablePayURL(psNilIfEmpty(pr.PayURL)).SetNillableQrCode(psNilIfEmpty(pr.QRCode)).SetNillableProviderInstanceID(psNilIfEmpty(sel.InstanceID)).Save(ctx)

From 24f0eebcf7563294abd7357b2de7851d38ed8edb Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Mon, 13 Apr 2026 14:06:44 +0800
Subject: [PATCH 006/122] fix(frontend): lower QR code error correction level
 to reduce density

Closes #1607
---
 frontend/src/components/payment/PaymentQRDialog.vue    | 2 +-
 frontend/src/components/payment/PaymentStatusPanel.vue | 2 +-
 frontend/src/views/user/PaymentQRCodeView.vue          | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/frontend/src/components/payment/PaymentQRDialog.vue b/frontend/src/components/payment/PaymentQRDialog.vue
index 670c1cc5..c21ef029 100644
--- a/frontend/src/components/payment/PaymentQRDialog.vue
+++ b/frontend/src/components/payment/PaymentQRDialog.vue
@@ -154,7 +154,7 @@ async function renderQR() {
   await QRCode.toCanvas(qrCanvas.value, qrUrl.value, {
     width: 220,
     margin: 2,
-    errorCorrectionLevel: logoSrc ? 'H' : 'M',
+    errorCorrectionLevel: logoSrc ? 'M' : 'L',
   })
   if (!logoSrc) return
   const canvas = qrCanvas.value
diff --git a/frontend/src/components/payment/PaymentStatusPanel.vue b/frontend/src/components/payment/PaymentStatusPanel.vue
index 087b3dcf..01269f64 100644
--- a/frontend/src/components/payment/PaymentStatusPanel.vue
+++ b/frontend/src/components/payment/PaymentStatusPanel.vue
@@ -199,7 +199,7 @@ async function renderQR() {
   if (!qrCanvas.value || !qrUrl.value) return
   await QRCode.toCanvas(qrCanvas.value, qrUrl.value, {
     width: 220, margin: 2,
-    errorCorrectionLevel: 'H',
+    errorCorrectionLevel: 'M',
   })
 }
 
diff --git a/frontend/src/views/user/PaymentQRCodeView.vue b/frontend/src/views/user/PaymentQRCodeView.vue
index 50173a1a..0965947a 100644
--- a/frontend/src/views/user/PaymentQRCodeView.vue
+++ b/frontend/src/views/user/PaymentQRCodeView.vue
@@ -94,12 +94,12 @@ async function renderQR() {
   await nextTick()
   if (!qrCanvas.value || !qrUrl.value) return
 
-  // Use high error correction to support logo overlay
+  // Use medium error correction to support logo overlay while keeping QR code scannable
   const logoSrc = getLogoForType()
   await QRCode.toCanvas(qrCanvas.value, qrUrl.value, {
     width: 256,
     margin: 2,
-    errorCorrectionLevel: logoSrc ? 'H' : 'M',
+    errorCorrectionLevel: logoSrc ? 'M' : 'L',
   })
 
   if (!logoSrc) return

From a1e299a3552f055f08905fa27451e578b8650536 Mon Sep 17 00:00:00 2001
From: sakurawztlt <154661250+sakurawztlt@users.noreply.github.com>
Date: Mon, 13 Apr 2026 18:17:08 +0800
Subject: [PATCH 007/122] =?UTF-8?q?fix:=20Anthropic=20=E9=9D=9E=E6=B5=81?=
 =?UTF-8?q?=E5=BC=8F=E8=B7=AF=E5=BE=84=E5=9C=A8=E4=B8=8A=E6=B8=B8=E7=BB=88?=
 =?UTF-8?q?=E6=80=81=E4=BA=8B=E4=BB=B6=20output=20=E4=B8=BA=E7=A9=BA?=
 =?UTF-8?q?=E6=97=B6=E4=BB=8E=20delta=20=E4=BA=8B=E4=BB=B6=E9=87=8D?=
 =?UTF-8?q?=E5=BB=BA=E5=93=8D=E5=BA=94=E5=86=85=E5=AE=B9?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

b2e379cf 引入的 BufferedResponseAccumulator 已修复了 chat_completions
非流式路径和 responses OAuth 非流式路径，但遗漏了 Anthropic /v1/messages
非流式路径 (handleAnthropicBufferedStreamingResponse)。

当客户端请求 stream=false 且模型开启思考时，上游 response.completed
终态事件的 output 字段可能为空，实际 message 内容通过
response.output_text.delta 增量事件下发。旧代码只读终态事件的 Response，
导致客户端收到的 content 字段为空 ([{"type":"text"}])。

本 commit 将 b2e379cf 的相同修复模式镜像到 Anthropic 路径：在 SSE 扫描
过程中用 BufferedResponseAccumulator 累积 delta 内容，终态 output 为空
时通过 SupplementResponseOutput 补充重建。

同时修复 handleAnthropicBufferedStreamingResponse 遗漏 response.done
事件类型的问题，与 chat completions 路径保持一致，避免上游发送
response.done 时 handler 认不出终态事件、最终返回 502 的潜在问题。

BufferedResponseAccumulator 已在 chatcompletions_responses_test.go 有
完整单元测试覆盖（TextOnly/ToolCalls/Reasoning/Mixed/SupplementEmpty/
NoSupplementWhenOutputExists/EmptyDeltas/IgnoresNonFunctionCallItems），
本次复用相同累加器无需新增测试。
---
 backend/internal/service/openai_gateway_messages.go | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/backend/internal/service/openai_gateway_messages.go b/backend/internal/service/openai_gateway_messages.go
index 7a4862d3..a72b9bbf 100644
--- a/backend/internal/service/openai_gateway_messages.go
+++ b/backend/internal/service/openai_gateway_messages.go
@@ -270,6 +270,7 @@ func (s *OpenAIGatewayService) handleAnthropicBufferedStreamingResponse(
 
 	var finalResponse *apicompat.ResponsesResponse
 	var usage OpenAIUsage
+	acc := apicompat.NewBufferedResponseAccumulator()
 
 	for scanner.Scan() {
 		line := scanner.Text()
@@ -288,8 +289,12 @@ func (s *OpenAIGatewayService) handleAnthropicBufferedStreamingResponse(
 			continue
 		}
 
+		// Accumulate delta content for fallback when terminal output is empty.
+		acc.ProcessEvent(&event)
+
 		// Terminal events carry the complete ResponsesResponse with output + usage.
-		if (event.Type == "response.completed" || event.Type == "response.incomplete" || event.Type == "response.failed") &&
+		if (event.Type == "response.completed" || event.Type == "response.done" ||
+			event.Type == "response.incomplete" || event.Type == "response.failed") &&
 			event.Response != nil {
 			finalResponse = event.Response
 			if event.Response.Usage != nil {
@@ -318,6 +323,10 @@ func (s *OpenAIGatewayService) handleAnthropicBufferedStreamingResponse(
 		return nil, fmt.Errorf("upstream stream ended without terminal event")
 	}
 
+	// When the terminal event has an empty output array, reconstruct from
+	// accumulated delta events so the client receives the full content.
+	acc.SupplementResponseOutput(finalResponse)
+
 	anthropicResp := apicompat.ResponsesToAnthropic(finalResponse, originalModel)
 
 	if s.responseHeaderFilter != nil {

From b9b52e74c63da4e1c0cfbe4944c7a13d159fa5c8 Mon Sep 17 00:00:00 2001
From: knowsky404 <git@knowsky404.com>
Date: Mon, 13 Apr 2026 19:24:33 +0800
Subject: [PATCH 008/122] fix(sidebar): prevent version dropdown clipping

---
 .../components/layout/__tests__/AppSidebar.spec.ts    | 11 +++++++++++
 frontend/src/style.css                                |  1 -
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/frontend/src/components/layout/__tests__/AppSidebar.spec.ts b/frontend/src/components/layout/__tests__/AppSidebar.spec.ts
index 08c3294a..c0da4e38 100644
--- a/frontend/src/components/layout/__tests__/AppSidebar.spec.ts
+++ b/frontend/src/components/layout/__tests__/AppSidebar.spec.ts
@@ -6,6 +6,8 @@ import { describe, expect, it } from 'vitest'
 
 const componentPath = resolve(dirname(fileURLToPath(import.meta.url)), '../AppSidebar.vue')
 const componentSource = readFileSync(componentPath, 'utf8')
+const stylePath = resolve(dirname(fileURLToPath(import.meta.url)), '../../../style.css')
+const styleSource = readFileSync(stylePath, 'utf8')
 
 describe('AppSidebar custom SVG styles', () => {
   it('does not override uploaded SVG fill or stroke colors', () => {
@@ -16,3 +18,12 @@ describe('AppSidebar custom SVG styles', () => {
     expect(componentSource).not.toContain('fill: none;')
   })
 })
+
+describe('AppSidebar header styles', () => {
+  it('does not clip the version badge dropdown', () => {
+    const sidebarHeaderBlockMatch = styleSource.match(/\.sidebar-header\s*\{[\s\S]*?\n  \}/)
+
+    expect(sidebarHeaderBlockMatch).not.toBeNull()
+    expect(sidebarHeaderBlockMatch?.[0]).not.toContain('@apply overflow-hidden;')
+  })
+})
diff --git a/frontend/src/style.css b/frontend/src/style.css
index 59c6d182..acff4abc 100644
--- a/frontend/src/style.css
+++ b/frontend/src/style.css
@@ -529,7 +529,6 @@
   .sidebar-header {
     @apply h-16 px-6;
     @apply flex items-center gap-3;
-    @apply overflow-hidden;
     @apply border-b border-gray-100 dark:border-dark-800;
     transition:
       padding 0.2s ease,

From 92f4a6bb948a1ed3f3da7636f040e2c647405106 Mon Sep 17 00:00:00 2001
From: shaw <shaw-wei@foxmail.com>
Date: Mon, 13 Apr 2026 22:28:44 +0800
Subject: [PATCH 009/122] chore: update readme

---
 README.md                          |   5 +++++
 README_CN.md                       |   5 +++++
 README_JA.md                       |   5 +++++
 assets/partners/logos/aigocode.png | Bin 0 -> 38394 bytes
 4 files changed, 15 insertions(+)
 create mode 100644 assets/partners/logos/aigocode.png

diff --git a/README.md b/README.md
index 3a56d089..c2715eae 100644
--- a/README.md
+++ b/README.md
@@ -86,6 +86,11 @@ Sub2API is an AI API gateway platform designed to distribute and manage API quot
 <td>Thanks to AICodeMirror for sponsoring this project! AICodeMirror provides official high-stability relay services for Claude Code / Codex / Gemini CLI, with enterprise-grade concurrency, fast invoicing, and 24/7 dedicated technical support. Claude Code / Codex / Gemini official channels at 38% / 2% / 9% of original price, with extra discounts on top-ups! AICodeMirror offers special benefits for sub2api users: register via <a href="https://www.aicodemirror.com/register?invitecode=KMVZQM">this link</a> to enjoy 20% off your first top-up, and enterprise customers can get up to 25% off!</td>
 </tr>
 
+<tr>
+<td width="180"><a href="https://aigocode.com/invite/SUB2API"><img src="assets/partners/logos/aigocode.png" alt="AIGoCode" width="150"></a></td>
+<td>Thanks to AIGoCode for sponsoring this project! AIGoCode is an all-in-one platform that integrates Claude Code, Codex, and the latest Gemini models, providing you with stable, efficient, and highly cost-effective AI coding services. The platform offers flexible subscription plans, zero risk of account suspension, direct access with no VPN required, and lightning-fast responses. AIGoCode has prepared a special benefit for sub2api users: if you register via <a href="https://aigocode.com/invite/SUB2API">this link</a>, you'll receive an extra 10% bonus credit on your first top-up!</td>
+</tr>
+
 </table>
 
 ## Ecosystem
diff --git a/README_CN.md b/README_CN.md
index c0e6492e..0ace1f77 100644
--- a/README_CN.md
+++ b/README_CN.md
@@ -85,6 +85,11 @@ Sub2API 是一个 AI API 网关平台，用于分发和管理 AI 产品订阅的
 <td>感谢 AICodeMirror 赞助了本项目！AICodeMirror 提供 Claude Code / Codex / Gemini CLI 官方高稳定性中转服务，企业级并发、快速开票、7×24 小时专属技术支持。Claude Code / Codex / Gemini 官方通道低至原价 38% / 2% / 9%，充值更享额外折扣！AICodeMirror 为 sub2api 用户提供专属福利：通过<a href="https://www.aicodemirror.com/register?invitecode=KMVZQM">此链接</a>注册，首次充值立享 8 折优惠，企业客户最高可享 75 折！</td>
 </tr>
 
+<tr>
+<td width="180"><a href="https://aigocode.com/invite/SUB2API"><img src="assets/partners/logos/aigocode.png" alt="AIGoCode" width="150"></a></td>
+<td>感谢 AIGoCode 赞助了本项目！AIGoCode 是一站式集成 Claude Code、Codex 以及最新 Gemini 模型的综合平台，为您提供稳定、高效、高性价比的 AI 编程服务。平台提供灵活的订阅方案，零封号风险，免 VPN 直连，响应极速。AIGoCode 为 sub2api 用户准备了专属福利：通过<a href="https://aigocode.com/invite/SUB2API">此链接</a>注册，首次充值可额外获得 10% 赠送额度！</td>
+</tr>
+
 </table>
 
 ## 生态项目
diff --git a/README_JA.md b/README_JA.md
index 4605b877..d74ca9ce 100644
--- a/README_JA.md
+++ b/README_JA.md
@@ -85,6 +85,11 @@ Sub2API は、AI 製品のサブスクリプションから API クォータを
 <td>AICodeMirror のご支援に感謝します！AICodeMirror は Claude Code / Codex / Gemini CLI の公式高安定性リレーサービスを提供しており、エンタープライズグレードの同時実行、迅速な請求書発行、24時間年中無休の専属テクニカルサポートを備えています。Claude Code / Codex / Gemini の公式チャネルを定価の 38% / 2% / 9% で利用可能、チャージ時にはさらに追加割引！AICodeMirror は sub2api ユーザー向けに特別特典を提供中：<a href="https://www.aicodemirror.com/register?invitecode=KMVZQM">こちらのリンク</a>から登録すると、初回チャージが 20% オフ、法人のお客様は最大 25% オフ！</td>
 </tr>
 
+<tr>
+<td width="180"><a href="https://aigocode.com/invite/SUB2API"><img src="assets/partners/logos/aigocode.png" alt="AIGoCode" width="150"></a></td>
+<td>AIGoCode のご支援に感謝します！AIGoCode は Claude Code、Codex、最新の Gemini モデルを統合したオールインワンプラットフォームで、安定的かつ効率的でコストパフォーマンスに優れた AI コーディングサービスを提供します。柔軟なサブスクリプションプラン、アカウント停止リスクゼロ、VPN 不要の直接アクセス、超高速レスポンスが特長です。AIGoCode は sub2api ユーザー向けに特別特典を用意しています：<a href="https://aigocode.com/invite/SUB2API">こちらのリンク</a>から登録すると、初回チャージ時に 10% のボーナスクレジットを追加プレゼント！</td>
+</tr>
+
 </table>
 
 ## エコシステム
diff --git a/assets/partners/logos/aigocode.png b/assets/partners/logos/aigocode.png
new file mode 100644
index 0000000000000000000000000000000000000000..6dd5965ac50b650d351396bcec86e7e6c79f09a0
GIT binary patch
literal 38394
zcmeEucT`hPw`ly?!3Ky(6Qzg*0YL-Of6|KqfrQWkN|i3XgkqN>V5riih9ndz0Rjd@
z=~Y5P4=9}gp@$AHe!uVD``z`vd*8Ziy}RD~<L<LEXP-HHX3y+7GiUET`{Zcw=qKQk
zj)t}d;MlQa04>G=IGQ*%sI97M^~g|PL;ImR;|2h5tQEk36L$arS2u4@Lrs<ICZ=ZB
zPyYlQV;p~jCpKQs{=)ug%Alh6|3%v;_D?DP^USlhc3w6Nk`=~J(38QO(Wc7`{IbJe
z_^sc#^<TKcZ`{xOnKy&x(Qn)nVyMc%Z5jA2hkwAW{{gpo=J}icJ%dKU)y3yGuix;y
zcjxTfphk@I8ODzX-~})QXaZDz_n&di0QYPF;Ql56aQwr+<yj{K099`QfUCp*mM8cL
z0J!)X0I2Nwx4eIo$+IV(PySZj2}b&dy*&W1h5`W2n*soAKL7wG^S|9=B>zF%t}|}&
zFxutLI2-^j06V~SfHuGlU;_|mU{ZiP07-!K(Fi~laQu(o@H;)ufD@-q{Dw29PMth;
z_6!r#*)wO)GM&44j*0mK^VzfKS<YX$c<B<$C8l$%Y^;~q82F{%l^pwB^7x4}jDnY#
z&oVP||BG<+6~J=l56%<I$B*#?{$M$FoaNY2BY>A7Zbq|yKXCs7XU?8HeeA@kKaMkQ
zTU-J#7&DrF>I}<iW<~=T!}G`S6DLodW;w%pL-GNe!4r=c$jevxrDU>7%h?5_RSb<`
z)}G!zaS3G&y?s~i-iwVVPI3sU8bNKmUVi(v0<p^$x~aJedi9-AI}d~HZ{GjF{M2bi
z?Pvb@-82mrz#qqsA3J{L)ag?vPyE4P{TFYRQ#T|}vp)FEIg5=SS=!Kh`HB=s#mJNW
zZZ`4P3WvZwLx{CkY?<my!EdWa!+>+g8C+P7vjCI<xI6#S$^SY3j|Bcl0{<g{|GN^n
zdb>oXaV0`)!LxQrs8R&p#?^U{urT4|Tk@%O*p1$?S;LG=so`puOI&ZdC!r}hKLwGh
zVYdMrdjt*O6=h_`zivaX&&=oJ;Jm`m0M<%h|L->MzqPj0A4wMUF4WZ`dvHK9*Wgw3
zxls5$?6L`I4W0OgDG6kw5!-JVC|F~z1cXH0lI@yHV!gH+951(tiF_JS^37-nZTg3#
za&P;x_r?b5M&<om?R@aCF-gbKt|c6};2i~ll2+S-D`*wzo3gCwZo27*l(f1@%%H3F
zcBa;VC2IQoH{0eEGhR^*=ii2E2cQvk?;xmB=iy9hTHW3ubSU`rC(l}0VCucn_{8$p
zM({H8vGl!xa5K~C%TnXIshhTAgdR`2+ierRH|KqXx}&+@oK*AbgGdTS7>h3<pfc*}
z%3eL-`vgALE-(lKIKFc5-zv`ka^=V0K-4HOTLoWup`7b0e+}CJ*K=%*Va542`?vQb
z9Ed};bpnb6oHKq`?viJcA-G<E*NimRl5VIiK9IHef=?pI(Gho|IHLFI7Yn)?B%xI5
zro`rG^mfc$qZTny%ewD<^OoJyiG-_lxz@2jd5-jATvRQ5NdloM9<c8tlY{vJ3YpUR
zpw8zmUpFguAbiN#Qk6dLm3SC;1UT2VdGV>Tz;@PtvvQ&Tc;{MDYr@ZnYh!)~-R8UC
z(6?Sovwow~^|?oY?|hHwuhx_!_&SwJCqwVHTk*sGxV0BR*^+giS6=yt8iQ4P4mDR*
zci#0YxX%RWPU-wqzvwQ1$l!dl{<|!FU3}yS5SM!(ba-|5UFLqw#Jly2|HAoegwmK_
zFoU!H{+%ygCBEr08%f(X)N7&t0bhx~_~!quC;x=+zxMbleZ6@6H26TUp3#l<BLH&$
z(czQL819`6!yVRY7R`~)dawM$ScW_f_$O1?J^fu3z0Ajos@>}HtWSSV-aG;{FiO~L
zEnJgXSIAovdL)pJjY_+aZ{Ot8TyojfGy8Uw)|7J)mWB-0%I|5!4d|@HT297E<j^0M
zXbpi4u_sFW!V5#%mo;X^*X`H(S!ONF+r$YVOEN}!&d#OSGM;*KZzIHkaEH@AAnY-z
z6WhMVB=0OZ-jGY=mjl-t6fOB>om;mU!11&QAQ9{w-U6DJx!BWZhuEb}!_`LKdl(8S
zR5;%?*(PJKog~j}@jbe*W%!SsuY*HV5;-cnB{{DKLTHL+gbvHfU|ToQ5%ZeFmDvvL
zgxwlVYJ*DFqg#^_25R!ur=a1F-*7A^%tdd4w2IJjB}vqTfw^dH_{PV9{jq4Vk#lFa
z&|`H_s<kJNutein>zakrw2P^XG2&+OY7SB!%5H>yE%D_-r?sT=?2x#3=7f9NKG*0M
z7V|03fvWoHQAG|zGeltUCxDLLgG%qnu+9!$gTyL{US}?e4bJhhrWzWSn+|nP#rRmJ
zPo*~dR}i_^Z`cKQ=l2+ix0V_k)h1x45eDW}3D7fF!Z5Y`*XlWlV69F=5syW=X`>U}
zQ+Ap!j8*FsHC;#>Xy%^94Az5MZ2em9b{mKnu{nBhfb!!`X*Czph$*f~aUaTGYbhM)
zP*Qh~ShB_&!FoGWTND+-=<=Nfeo;o>6O*U7Y+kiFx8+9Ra6Y1s<^+(}290dh^laxa
zggx&?=~5Njf=9Sow8n7Iw)$LNe<VLKPlqI6SQt>|97qKmR~!5<FBkt^1&)>Abj?2(
ziR4=4fHK<finZU}Q4sH*Rp3En5Oy_#BTPw9#CxaA+COpv(|WBdKPklCfFA|kcV89u
z3-w*W%==W2EzH!wvG!POfoGj*ejvWb3W&B@%>M>yZ<a|uZ==1en{OpFvn$tH>F_ki
zp2F<9J|E0H)0I^)`jD!JxLvU^z+ti!4b>q2Aec?NkGJ)9Z@6Tr8Y$9{?X!3bOf3ep
zX*9(Fj+PtX*8eeV^eD!9Yom_-XR$aIuAgb9r(Xd$-}g_%a|RPxa|^)Dr|)wFF!WyP
zZEzzfRgN`*=bWK-G45>8;66p>st-vi+KrYRnDcgcqEP-;M{NP-TB;UdfvuKrW@(Lm
zJNWy(ighV}p&(C<DX(iyLtT(Xh~<Pp#$czfn|RQeoz<2)V&L@hlDx^{Qomwei5#!~
z&t1i)0@%o$ctz|8&HE9w@8Ou~jg)(cYZ*f7bGcd*qHmpC0;6+e`>2kr5g=Iq$Z*8+
zAL(m%>yw((o2}l_ZcP=Y#GNHYq)#Iafx6fMH#?f`xUft~vyOJwTg>T(yWE0?IJ21&
zh!<2Y%RnXH{D~Cs?w+F6TaUwi1L=5|%7_7z)%D23eNO1<d3}9Fi&bKu+PqytYqKP}
z2H!Cl_6|RAjy)v+En|LCUiRte209nKcOw*{uR_as_4rxnbM-g}uc^(Ac_E>f_mF8L
zKrz*tyC|fL-={C`cfG|t^nq31Q*vv4eiBMl>at?cW~-(I;(+F_rc|2;+fT|SFJB%~
z3U-UA*#rtAi4Vi(&@2eq6avo?Kv``)mc7W?fQzK221c^sFFcr8EH+!d`;6u`jSb>Z
zfops7_m!9B*k~JOS6I5^o*(Oy{`yY__Ww<mBTWE=Q50+8cCXNC8K*^giKJlnzspZU
z*8Bp%dBKE7HkE-LOGMxA+N#W`1R5O4MH($4=ycP}qCSpFrN&1e0c4Se8KA|8%T~`C
z!2@pT1O!yO`@74OmtQpQTYrM$GHyd6@-P?i)HC|qyPW)kfM<(viK&40nwpedw6n8t
zP+#|EtoF59JPk^L!dmb<fWY%Y?AfByn`2)A|FL$%lZ}P)M3$i-H?5dbCiXMJYy9G&
zqQ&tB%c=$fae-k*3mgOs(kANTTZfPaM751yiu@ABPZg$m*FJp7vS6lo_Vm*gh!@?k
z5=~Fsu0yQ_arQP%IYd=MZNBIElq|mxt1j;y&AD4tF>Ml@FmU!$I0=XRn%ar35#{X|
z3#Y}QEK$|JQXduvy1r<;@<46a8P}cV1iTteF>3_pIM*VLD1kj5`8$MDS-&b5F)zA~
z0CM51Pka4L^7Uezc9JF_iju09vn7+!CS3Ek`VtT2XzpI)`Qdv=8}mum^noRyJ51;o
z!GjJs#wqvz&+`HRXe!+;_ZwQ-Jtr3nlX50u1xK+}M4J)s4ZMLu;~g29D*;?qpuoxq
z<uk}(k%^pX&yCrU<o1jZ``sw1Kz-}d1>QF~yfR&0<3|A3g$^~S=|YlEs7x<!$M;<-
z;6%aXbB05WcE%2!BIkd#Bo-!cm86GZy!uXUj5Un4tS<B$`Mm6STm?2ae?&8x2(QKL
z1cgrv`U*Gjjuj^Y3tPnAj*BMnP|dW0<g$Y!2v8P|uFkj9zt%Nxd4FennO}p9{9s|D
z?R?XCuK*dCt6gs`9GcYW>KQ+*_lP#_AsS?4@Y*tMiOrKX07-)BYb!RnG_h+#znHac
zJkuQ_YUcjT0sHDXZ|=bA=SxGMNu1<zrUciA_)5@NFSGC!?ey$Ot?lsE5BeVg+SL&B
z_<7Wx@4?PseYKMke+3&mQT}}Ke9WjDh;_hNOrD5d^b|0NSn5ka4|oe7<Es9-8{JYb
zQah8T<qLE49Kc6h78h-Q6c>o<!>4t2-)tXi&eMSqV=aOVE<B{)cx7iwX{#(W?lQ2F
z+gm<0?%BAC@90HOL#5<QQ8MsH9rGTkPO?ZskPu|gZSaPE(DV*lyNMget4WiSvD{bg
zx<n+N`A9+xlUCwn*~ST!V(7xi<ou7%^l}#w7b@gdOQxAFT#j`i^dwE-z6;NqD=BrR
z!F!`_Ir*w&-5GZrq$^dV)6sRU7V}+O562Wf0R!S>*4^Hfgr4wMA>MXrr!ApJcE~pD
zsoOisG_4g#0)1A|GH6-9Yf)Q>wnYVtEYjuDyf*^3s@D01wq7iBDc;R(xf^IU)K?}~
z1N$=~L)|%()Qj(qcS!M(Ye}$K?^7!_F3UsrFz@%c&Ce~}uAq(<B`!2wt{lOgV~;Pd
zO4M?Qy4E6`aCu=;R;%5tOOyg^L3u{5IQ!waU<gr1Gvz7g(@U0!{r2J$@e{}2EKhZ^
z%VuPJ+Yv*e6rr`)alLe!bqVZlb0k@T&|8T2;7ol;DZ^JJV)MLFq=Bu$2NEvMHq>2U
zM`+yAp8%ipfBv;<pH*!z_NF4z`v8Th^FA(gSAIFYHtyaf=b$1gb}P3=)JtuRQ!>i1
z#qE7uLbyq5-dgkKv}a&^nbfOkK3?vJnCh1lW4Z03o}VUrVx9}8HJ+2FQLo18t^;6=
zAOB+U|3%6~>gTR4Ny&<{NJ|x^Nwrk{ln_1;j=77cE~icD9sz2|`|Iyn7DUegjpMVf
zF-cl#<%<i>nt29`?R^D|+<6WFjP8p%Zmsng-l#D)5=>lR3r>=_>*vfcxirREHy5hH
zFZZ1#`>KRKYeE$^R1gy}`6um~cW|yccucegFj$O0=vt`P4^pk1l-v_$1D(#L24Y(x
zS1bd0yE036T^B8qu)NE^W?cK$Fc?%eDz>=TSM{72tWAJYZbn*y8f^+VaGFIdXeeqv
zA92DviFf?MvP2IVo+{BOrlfT&s2PTRo1og4pofeo-H36+`H(ZE?#lvC+<|Lz>%nJw
z#_u;05$ZPcw}yObaM8wvqz@p@8vg{E+x)cZxT9O4%`nadTQf;Y_^hr8RH2hWMV^@a
z16hkaS2od?iuK5<<(8ZS_1kdlV5dDBn<zHKPw{?{`9NeZtxrYbZ8v3n3<L6>A^3}b
z(?XU+Uo2QetfkgDHpUBB@$eZ8ZcWPs^@X`L9UQoh9RW5S{1mr*ET@+>mmBPbbyeSt
zmTlppF?gt$D7=l9%=0t?T^|l@tqq<R0E>L%`#P;WxyiSYTKFB8fHDVpi4eTwESWvm
zlvX}R$usFFYVY}d+*>;Ac|SZ$uqwXPYhWakqMhg4rFMXwx|iPa{y;PbV<O_Z)jo&x
zU0LZXEwWM_8wk><m^6~W>nDsntJK<_a}?n=p$iN++6H3yF##;t1p!m}A=j7X^`GA?
z?YZ^@YR|>aExU*FcDnK+5Xp}!wQtc}m&u8s7tWO_)Z6n99@m%R+Eep{bd5#eeLmBg
zh~*tW>9f#F5PjXdK*#(b!)AuI+5(itq(?-gM}WJzK$N@K+tp*{aBg?$0z5H*CyM^?
zOu7Z8-hv?@E}zx3BJ7}MSnl#|?gUVil4zA5`!CFr%$*VSjrm>X`1l&GpGN?6on^CD
zi>81<mnTq`T}EA>HDR^UmoM^34boII!s2>jMwWsCsZ>7nNjtVS2VTSPLt(3J`!Q0p
z)Z}6jHxc**);X<ir#=+ftKj;sW!o}aq(^~#SKGiqbUG0xI<|$kn3aY3K%q-eL-n@9
zuJOs-<zn;K_7yYUbtv&7IXOhqHA~{OYjJE<F1||{M;@%%3%vOJm?QG<GyVd(*uiLY
zUfA8mt9fHX_Hu<Y*a%zX?Nb6yH_+$7&UzVyIvU3lfLT^sQ9HV-O#?wrKkDSTLQ@?L
zJkji3xFr3eBLEfbD@$+|Uk;B0T;93=uWN~t1zi#|i|1lY4fu!sgJkU^0OsB9+*7?f
zxSNx&pFn&^c)jB{lN>3mZETf6u1*5T5V0_uLt~KeQvbrv=I!(8gUp2ov4kk-nMxv9
zao2lK4?Jd;USy><i4_wbiqG6F2rYi~_wyU`(1a-MJ)fGxU=^q4yx<y2s1nL+|7H!t
zMZsrt=k^rePrLjw4Xv@KV*@hHWXi=H^=FX<?3{^dMeM{%9c+4CfPzA-ypJ)yqiyvD
zL8nJF8XZnR+ri#nOFyVn&}-tt;6Mi6&yV#;y?Q5G2p*kMTg9ZMjE9Nlee22_(0x-}
zW@h%W(pZ<f(koEHI@Q>?m_CzUVHph;L-ZtfBy))8So`}c58T~tRZ!qtNItLyF7KC7
zQ6o!}dn#}GU7>ryUqYW6{x|}hEeV~{9PB!Ye6=r>o!cwx>rx1{obu$eJ^Aaqk<T9o
z*hFr-S#i9vVV7LauS7d9i?rw^mEcRkc|*gsARlhCazi&cDsI6URXvhrY8)eb9UzeZ
z_yW5Dn~&w&a?(L)!@Xt>^=HMd(2$M}U1mc60R?d$E6@G@4OFH7f?@EPeOFC{v|}&2
z&h%D#o2h@+i!l+WtK@Cc3)69qny5HZ>j=Bfun4=fwF+iPdJQ8!k`l6-G_`Z0yMSOx
z#R~d4=OHcf5~8QdcE3PMfSBOO{?L;%)*Bt4Du7XcenVR#JL1h{EYpD>>noNT5+}&F
zA}?sVgdBt=cr33a$kZ*=Wa2=saBiZG*}KLmc&}M4Z@4E|GnGnF4At4m#N_8yt15ub
zX<tu{l|=Bg@S}<@{wNHxvhvYo^D=xTf=#@#)Nz6+nxn5V6;15Ex0J+p+?m9sZ>?Vj
za^@t0tYo14$!>a5gL5?%_pt1TV@fS6Qo?B93la`qG*EN3*tn*e>X`3-SJ0Xk@y_MB
zj`;azU5%I@0Hr_w^}+rd5=2;xiWH32z@cj}#jS4>$!@n+Tots7NOy&ZbBz$KEI$qT
zc5H7jle^7oQh*NTO)gK~&}#509dDGG#h@6NRIHJWZx0I}#@NiZu2Ny5PVSX+Y3T*K
z`5>eIyde8DBWgZO;jrmT-GDy--p6^UNx?XWBUT)?N1kxd_r~`a2@LqjX}V!djd>E_
z<QTcNvUk=Nvn!friCmrsQx#%DyYF60xdRrnN4lmk_G5(Z4OtD4LDlnC*H|E3z-bb?
zqw~?~!EjEEh1jx7JjhdJrg*N<w>`oe)uza+sGC&c0_z+)cypynzqOLC%~Pb=OebIm
zi{QQb*|<_AK_7EAW9i$mfrBRK3aFmfaQMWM;7p=Nc*L~f1ILc*=5Uv24Z&i_in|s6
zP3mi9$u_z<2ZwPA^m_eB%TUYU(@|^jTjHLZNlyeG?DUZyK$(Fe(=N!?uo*nI1}L(7
z$v$PY`w@We`M;O??<;a(ONnprwUk)y^n52A7CLRL-BAVJ*KyW&*At)@L3cI|=clWe
z4%2PcYd5u0-VBtDu!pr<qv4|s_zrlmeT}L8PiY6<&?kBX|0?0)+Hq4EMZ*1<;UcTq
zzP<d-K8v*&Lk}*6%D2dkAN>M&8$=aks6D;zCAP0Tzv=z6%oPFab?x<N*;KExkDb?)
zIIcW%($jW#rS)!ZaUr1P^!wQR{gsi1p1P5U3j1FGc3G?cy$}Cs&dJBKnJ`X{X|wta
zkC%7xv*c#=9pjSOw8t@K!=WhDF048a8?pvp1e||$6##HK&-^u)q^OA-%4AE|JeSc{
z=*ho0m`pZ+)rK^#p=~5vcqA)tee9Qv(!dpgkp<~tVVd0+DmHIlb=7b-zd%lE@%*#c
zzJ1tN!gHC-vn<>ndwG3qd`8)E8h%yTFbPw81Yo1nR&IBtmhK9rpoJFnL*HrkH11<C
zPjd1Ti?ilhv#eXUB)kk{prT%|bv%yykvLv71FN@V%%!mo%z5mf;aVf?4s+dVteYr*
zq>S8k2W3a+2~=C9FKYD`54CaZYTl$6G5ljruP+FFNq%y`%atq_8ALGI5|?PAt=z9Q
z5AIHL<=+xpuFvThJDbqJM{?a;ojU>;XgNJBK69AkJ|3gF8=)nuy7v|p6iU~;Yag;2
z<F&=A78Ud?SYvWLp0chdn8mgIbNBsU1`tG^V{5YtaRea81#MBth`L*w3ODvI7#%7b
z909azy8cn4Aq|JtxrJH~W?VFPnUwP`IlnJ?Gk63L>^m&)Vs&?uI^?j~Ptf1(0Y#_I
zAM_b{)&yzvm}=`njd)_Eb@Dtl!kV#3ArR=IK1;9*CD6B;i5;sbaP{W6p;oa}#WYOF
zFzrfFhgyIaRn|5fYK`oKfy};O&@~cH0pTo5{3Q3v_wMVA?S(T4Egbh!4)^}l5#Sr2
z#WQ_BqRs3Y-{&>u`28^IS+;*9ogG#$7<auoJ}Z29X?OA^W0QbS`NP3G<UVRj^O07j
z<CUC)3Y*Zh%xzT$A;VDq=ai5Cky10Zd)tb9`$~jvZv4H0z+0w0xBKU>=%30kmSx!s
zFpySNtRp`u#sDG3{8QWRedAfHMi+xM#JzGiti~S{d|f;pH1iyAdO`Q#Cf_zgkx*$m
z%y;DrGuj`~A><v#UEJ5$&&#qNH@XtjD01kUr`wLAE!9r1+)U-8W441HegdG*{w-99
zF>Q{YO|f!Z{bD>HP>@`jr+7QsCc#%P1Ujv6*{lPZHgih5UxljJkB>KUdC3Ex36H0y
ztDh9pO$R$#8`dZuwCj)|o;$l)Iq%=924Y&5eX541)eDM~`?LoZk}6s<svAu-Ic;=^
z$}dIyH+B*Z0*eWzkl@=Vj$H@~=l2)wGHxn}voY#M8d83GWfWVcEjq2C@*o-NdcUgL
zJUa6S0wbU?gE$YZP4y*fMfNtT3dv)nQTBYq%N@NiB&@G2E7d<OHA`g;6}hW;AirHi
zz7kWX45A6$4;-cHrOruR|D#YIKpxfEXQAx3t%+2C;f*B??Bku8{OK+i#}bbK#Y*e!
zp_Gp5qDP-Z7CdFyT%X}q$kB&)>I)`Xb;f=<|HAU_KM6Hx`VfB_SdTC|U>@rxzoU)&
z^FHq#HCSM)m}J}KaKJi?Z%KG?@$coAmv&GMk43f^cfh}OQv!*Be!g{$ZaO;5#sMKh
z)gK=!e|u65RTX6TxFICacxU#Oa8kwVEz$IE%P^r}VzEw2cv^8#tT=UgHIto;gK;r@
zZVujkozsZ1X$lmwFRdtBJ|gQ}UfCYSUU&q!Tw}iDBajJ<&LO95`Mn+mVU~~tXdplL
zE3p3)68KMNXI_=cVPTo%n+24#`7MH6y8M1ru~briZ9&$xe%qJsFHn7<w-%;vve!Q!
zKHY~c4oI-|TIwxTYmo_+%W#+Y`AQJ?LmL`7#{Dc-3C%MCvd93(RYV(%be?z0hz4y0
zqw|)WRi8Y_zT+diP!$m0Ch1HQ@QUsIU~Zp{i3%(;#zKvnQ@5@bPnhfF0-N+MLbmS(
zH&W6RSC5DGnQscE%o>+Zk_`ob0tp=z=l7%o5H;H!r>X{slv`QV20BC6)5GYp*j@vj
zDD|O0HpHv*1_kwl)Mu$U!!`r=Ey$OSnnH88daeXv5pGF6NT~C0i?-%c9<gR`K>tac
zir#Z3t^I#^F&taHjr`7?moV2a$=>Zr=f6SMP!h-C2g&$5E>07rqfSPFD9OMUF1j!Z
z!)qbVU*|@@;(fnP0_|OCm!kol$zp5u5Nlle7Dz4RJ5jiDuh*RyY^%4W?}sp|b^9jL
zagWR@=Q!mxwn?$T)?hLv5V_ExXqapu21COHWzBcqWbHfY%<cSit1fYO2w0iL#4^)3
zeSxFu%Ymb#lc<wGUhW%W7jUgK3QX>pPz`ikJ`?!jqha2+#m0)hT03WZOH+1^dOKAm
zO)<N0)Vu`nmiSo4ltX%;H-}u#j~@&3yg|9mk<U8}iR<8$0qLAY^K(w)rjvI=n93H|
zk7G+Q^igsuHrr2=VeGM?zg3MCp6^oEVJH3`#HZV+I9%Kenx(3rrQ0bx8w2#q8vSDG
z=F9xLvbO15MZzPz*>)Z{jl9k)_N72)@>Vy{ATZzOai3ZCqh}3`cI|!Mc@3Vs(~0A9
zx!&bEv{G4EP7no>%F^0qGGyZ^TcYL#mG9Mwh%jX+B|lmV5gfjF4vdI(nuL??=5hTS
zcHXVKdrrA*K9qpKoDe|~O9Q%fdU3M3$y_SY(WmZWOKz0?qJaJppf$ht(0&rY&dKu+
z1N(RMMm=wRUtx$}2%7CtqJ{4fK(BO%vYY!*mAH3y>->e;WxJuWOdrG5txPSGp0h`Q
zKcpoZ;%0eZ(yb;f|90siYp|D{dC){d_Kft@X6+8(Q(prf*=hXm{QlD%_E#Cf7PeLi
zPKN=_XSx~shwR_=4@GCk!;H*%%ZbFIy*9tk0O@m&8IGhpH}|CB)rhNPA`Bue1LQ9e
zmD$p>V&!)yePzYIq$p^1c#s0O{j|2SKFzof0D~pxYPW87E$&Xfs|YapRf=;PAJ)}6
zMB#(>kUyG+YWJ!Q=H_V@+PV%ngTW$5qH~ZoFX-~^mp8Lr%gs^)yMLbkC?qT^t4$qp
z6U?qq^Bf4_+Z2Y~z5K<%@^(dkyOtr-eTRYsi}2xDprBJ2hR})~d|OG6qgsuelHZxH
ze+z!BTUa?O7E|@6s5auYaU@xjb<&}**r^={8O`LK5~0UAS&dxy8>xFY??&8pqWsBj
z@(1G|qz-e#wvSXzLYJBb#%IRKzpLULC%m-XUMxM26!)r^X7+5%w!C3zkPIzAb;Ca~
zG!BU)fc<3K5dhEdv}&t>RvR|CV?vDly6*1}*4G!+jvp2t^aN92ctkJNUv--YwI7mm
z80V8>^ji5vduR()d0xg8U2y~m8a>1#ItODmE{Ez|AK(mSE<Myi9XNdKW<BH<3yp*Z
z5tEgq>Nsrl4=|aV8UBZS>$<0oqboSYbq#j|&)i6lK_Y9^)xDj<X=V`w4E%~W1~zn3
zC)Q0bQd?}P&UrM9H=sGgwcA}SA4g9Fo`10P`Nwi)N=z?Kc~o9{Ot`{#^%)9hF2#h2
zz~H$rOG;A=YSXY~!e2y0T<De}?Z!A(s}0>L{eHtX0{hb=z*JNr;Qq|Ysn4zVV~OXi
z*I|#p*v7V)s|vqNf1i~;H{d$d*$<S+dKl>OB&*&P%9rC5TJ7_ze8&lC^aiJqv9S|7
zKJ~Oi*zU?Cu#_B1imD4Dyhlc~;CKdZwnwC9qrymzO}=jrD)o1zQQHoQJ^n2XVwL!;
zh8#@osGxnX);8}sNz7JlI!i~DTWfldeN$bBy&DkdQJLbN*OWIg7S>`U`9x1#uh7a1
zyvK4CSJvUuvI!Ha7#i;H{ceWkHm~fOagsHVo(qeZ2G_=1@^yo8)e^qt&p%7HLt_*A
z9&YZ=;{BkT=zc{}2Mu33X^xaw_TJFFC@&{O$jH(IYitzJD?Roc;PNr1KWX=&@+$XQ
z;+x3ehi1x`P&<_g2!`q-@t5jTmoN60>XVe9PZ{y+_z9L)ULvn-C;xd&kL|->v-B9R
zKdFn`rmt19AlJAnAk}r4U?5;zTat!U5Ar~y*4`rR6jk8P3Y{;zsnMUk+yQip**RM!
zyxlX*aPP)$I_@rif0tQ3JtMlyZJfmEcF#m@+*WVJP7(pqQ2j8nSP_O5vsj8kR~}jo
z1{&v1>Rj;rnV2hmwrwuPJ#9Y9SP^wK|LGk0J^oKL5EvXPUpfBcZH3A=|L1+}fs_-m
zBbs`d2Nx1>51oYJ!{l*y9keAif^3YJhRhYH(PiY;D}8_+?;V7Gj$zx<br;-oAO>&|
zo-6F%#9jB%#Nj}un%6#dWw5V><Jc!|tv$mqH2=0p7i&ua^!_MOLWp+RhNXjMRygCA
z<7FPtW3_Z!NLxLSbYS<Zr6cr3CMT>Hrkh0*ehygI7Cluw0s9%TJfn{UXFJh^Le3N)
z+U{IlcpS1(b>Ok}5qn63H#xmIrf-gHO?7@#^0v@#_056i6&2$xW~=ii%ahEz(YIfJ
zl7;RKXU<vDeG8R+_j;PkikX<Sot-k?zr7+lHce9#m4SnpN(_Ad_~o5w=cB+XmvL&T
zm#b--qOiy27jZk^1*R=-)TjS*s>stIJ9~3zj@DyfaltEN6G4VrU@+J*lvnH*HK-h3
zwrF?VW{7zB2Ms~GaCw>qYQU9>NfTMxa6SY7lO(FAP-J!d_9zh}VGUvrec}qY_}2ZJ
z1|$ev9-(QR5wm>#{FmR`UC{)go1g42-F_cJBpN9a*p=FXf)CEVIH_>CRGP^@na2g3
z(hp)`QD_a3u5}g49@lrt3Ku}-TWfN&m9kvuoenzmomKV|jaZ{>!&KnRGu~MzPi6y-
zzYR`7gaxx#P%R}4;OEZ0T~g)Fi?FY<^W=9cs8b4GO&~+TAYQe2+&N=i)-?hq6)55s
zD_Pb&mywE_D}t<MBa5dS$f-9-q8YkAB_>NgMunYuF}}4v@I9kah14q<-&_-T)R_|T
zoORaY*OG>lLfO_;I0hvVhx*3DqU@ObGMIeQyn!f^qoeAHShdHm9O>^88$%fnyj%%p
z;fKzwIs2k=KpZ92m-Q}7-xt+0xpp_@?NBI&L8RR}ex}aPwI<_3Lxn}osGUf6e>c<R
zX?zs{N3(S3{{%30_$dc7@4~d`;HnU>FMmJ{bn#0nIt36Okw#7>PL^4@$K710eH_j~
z(K-UK2L32Huo$qYh0@$IYVtM`>9Rp51>J_Y#_L9Mk~&Hyhk~POhh+oxOVvG+8pPv-
z<lJmABsZx$X{J`1?~Q6!O&TpJL)VS~uTxVzmz(LKCegZf#VK!K<rwX%qFguL>5eC#
z@5^5m0$RqxJ;$fNw^H7m5q}k8e!q)cV+!43!Z<a%*Gs&xkqhX(7#hCXCx9_M1$$q1
zpTpLBrM1{Iv^`7>vdDPBG*tPNnuu28MEy(psC)10UZz!N_dbiV{_3^ODfD)aseMCz
zg%!^!yy-VeZ_+ZOZHbDRixxr44ZEAvH5)gbHrCk$-bIUA*LP^Yo+U~H=cOYOt4d=f
z25XzfYB34+eV#s6oM4L02>K+Uq%q0L34}GR7WbCPHhT3I&l5I-0Rr73-U(SdUUm6?
z9o4jojiP6(**J<!Au$A+1|~c32exqhR#9hJ;Qreh2d!Ov8Xa4kg29BZ##u%2ROYv#
zkftK`EAIG*WOyyK$kQz&@49tTmC#_pkFpFE-Tu^GKZ(>W-cGo<3$G?oKBj;_Ho*KG
z7^X;#Qd1lEQ9{(yTxlE|hqspv=UFS+W1~lKkham8<;rnR8(Vkuq$?0k-n#=%cO*eR
z&Fr4N@%`O-dYT3WoMc<Egsve;3P#IvMGP7QMGg~K5NEIS<DxW53rKolVX6E)n%ve=
zNJ(jDt|+y&8yf-UVu|=piVl@(R`ne%o~wp6P7lC$JwMhd$x<E}%%0O)I#k}Fa6bB%
zn}fn!Gh;Wti@r(Ay$UhL;1D&wS15i}4}2>jBThD&Ee6~lXG%imG#2l^9QBRZ1dWIm
z1w)j0ZC|E<jMu6fr>PO<shpMc?JwR-YliO0bUAbVoQBO<9(%(p8y2EUJZB=q9cfmn
z<QDB{QzxLY`jFs?^UuESrAig&XMLXnl;Z20afd5myOl1xSLt3dBiZZzeVuM!La(%}
zI%yb~6hSr^{o1v7O16^A_K|8~bCf<@kkK)Yf1IVgI)Dh3xae3C{1NTLp(m<U{}k}m
zfs^n~zqGwDl^>(!=$Km9nu=c-WVkH}&@=2@AaNiNl33=hmUN|C%|@h6L)5sF;PdV6
zkRG-6jRj<-RK{yM5QLsL(xM7;a3S7#5r+kR#&ETZt$p)O^>0&=HfHz3+d(>0+h~Wx
z@uyK8Khcwc*_hz9{L$uYC=^b@-{DC%n$f5<(}!(yXd-qH+CFc))$`<0_2{5B3IEAR
z87wRh(*{<HtOu^IFD*De&zY2fWuZ--u#Tv3SZ>I%s1ah=)5p1M8Lf}!HIuoY&JW{4
z2EKeyWwBw;&JVYW_8|M%K@4n78YNx?Dm|UHv|R_Wq51EK`Slh3iHhp49eqTSEx?{s
z$#th7knDbjWr41PAtWf-cV`5uY9z=eX<)WJS_H9r@U4B#BfKuU5=~69-<-(&O2Q9e
zb>AGq3ij?_nTf1%dnX9`VJU{07s_w)VO38&4OBnxBwXYE%NP4)s`;fq=1Fw+>6}Sq
z!3>^ZdFabN|1z|D_>v}{d8!&Tw01*go4QR+Ywy5s+}!~1sQ!5kaj!=*?Np!8xFB8=
z%*KW37mZ6_m~i%^Jha48qhfScliiaXS%`S{ik0j=G~W>*;*Bpg1Y=v17m~P)KnJRJ
z*8P#pTQ1<9S{_2k9kHcL*Y)c6L4$@xBj<x7XMbpY_Gd~q4b<MP7|^$}7QEolB4&fJ
z0>3l4`hmYhOsyE=$p}Iya2~Fc#HE-9po=Shln3twN3?jax|ilWn*37Z>MMWR@#NK!
zCVEGIh+U+6`Svi&3`Tovc`H`Dqq#ZPK(B=|?}(jL-vUo-ZRx9UFF)L_`05p&T}jEP
zjC`FQm6U6~jUTWTo!2v)l{8rN#C1U+5X*x6Xx+!3ht7bQLZaap<iAv3rO{!$e!Kz~
zY!<A<PZUk2_&Yhd-0f>05(uFVl=`XbSx)muaHiHh`CwHPpO{KOP(NjP*03`I<z&3o
zMto@VgHJvzxzNS^U4m|-#4LQq2fi%)DzuBLh^ol=Lh;*9%ig$c^ZE$zf}117D$T=U
z?q960dztqqZnVcxE*}AC65i1l#)2sq`w5++*ZC5lkjoGvnbeAGVrF0VEMdfMk+N7_
z=OU0|mSMYzCZD2+T>>V}`P5nQ)-b0il?f~G=bPHh#Ze`NZgYd^N~G);og&NEhzW@Z
zrqPJ}Ak9<gpex&Hg&BF+^1L-rAW--TXKtc)u6G%s2a)6_+f9M$I@s^X_(5`f65K?V
zA6a-W1@kr`UkqC18o@ZP5QF%ux9eW&k5|vM1MQHN3Z5B>isY+X+MTujbmI)eYf`x2
z1m}A=5>W+9l&~q4-dKDZquI>CSjQ3-d1D%W#7If^1~0&tY<HtOCPXw-3e<lOV}3&m
zc$YKBZtv<#|D>EL7feJ39GSoK^?qWX!V>a3`_L_?@m?E@T9nM1XcF2SJEN2xt7SQ4
zjrd3}o|~z)Q@_6>uD7yP8uC&+zGh+z!S`J?GxYOEY%9ZK$)N{#epi~faJjUL+wRR0
zf+rQ%1@C>dcf;>|ntqRCZ0gx=jFp%unLi)vNt==IltsYGCvSQiwkUv8IC2IzW}K0J
z>MF54kHsrPrbkA_dKT;6*4N!C@bcG9<8Ap=ZJv4hM=u?4-+|#l|35<^&pLIIe;*55
z@4lnqr?6YyS`Yjy8o^wDW8(;*vvnEgKBh}}e(bZ2yl<)<oI0!P_~{LiWc+Z@#>U78
zChM#BCdrY0L-Xa6$}eV7QBDR%xH4Jv^0Z}%Uy{#wZz)T)Qs4OWH4kwsIFnq&SCV&7
zCx!RXa=<`HL^^zY5L^~JeOF?hmKBx1r5aRk^lQ;_Ex62ADf)eJZdHdT%}R!LD!=o7
zO5Zur8`x$yoKKmt0Z`ig*uxSV3v|8s!9rQq67J%i?5`^$`37bi8ohtcO0oy<NA?!!
z1B;s+;l)0F*gW`HonBzXP^LohIIbH$FfCilR_5*difH_WY!p46(`Sm{JGm^qzLPu|
z5I^VGjTj?Xky7WIuf<^8$|*)|i!wY2k9)5Ud<OQoKA5l_0agZ>2bA}dTBCxU>W=`Z
zp#yF5()V6QaKV=TqMP)ERBECm#+QoC5XXt07err<RM2UffsALFy>9;*6FOzLwYvS=
z$3NEZVkyHMnNF#aPfIZ$!y@_$7M^$w_-%P)!N6QW9EQt+;lF+Re-Cc@cP95c7pw7p
z%JLDw*zfMRAC$J8)3@@RUa$E?ql8cm0R`>dqvUG+ELVP;SUiiuZSvH0903%vG?i^<
z)rOXw{K?W*JKAp2?cI49ZZ!pUeY4`Ets{W`v6m%W+q-Ux%$j3iFPif&dPX0(_B@VS
z>($pA78#A2XCB5BQG&j7Pz5+0x180B_uNy+0iRx$MQ449{eG9F%QGOJn3QpTBYWCx
zw}z8OZ&vi9E3lvUcHO_`izPVa_SpH-`}k~_Z@+X-#%qfi!Ow0`qc7Mvh+2%wN7@tI
zL}+6V$~2$lWN(Q!tLqmGP-PmND{H?!%IP(564q-G9;>PfX|jAvZLBsVJ~S)Et(#Mq
z?@AhU>b@`79z>6~lAI)xN3yDZzT|ppst;!7kC4u}+6?0A$H}v>$no>ZgWGvUI~+|X
z`3Gd5PHnjb8N$DS9B9J!!YY^&-~Od}@w&bZ$*sMno65GugaI97gR0)n*z}^Blbh|C
zs-~IJ2PZjpBtAn0P?-)CLF*FY(C}cD-sZ9%L18-hMI*Fp{2MW4bi8mkhj;|2iv=SI
zZ<WTNdB28t&y;?k<kedh%it3N7BG1Q5KEc^aA|Jb=GrmpeU*C?S=X379<}R%+nyiW
z2>Cs0kL@z5(0+F)5MubF)E%9wIl)+rrHLhufsk+Y%YU=LeVYG?wGI9E*7muZj=_;!
zO>RkeTMYzjqA6!R0*NWer~rQFuWbvd8<jB3&RM_+rW+s<x}gWTza}-McaNifOnQ^A
zF=3YOT8u%dh1Pqy>n^$HCF*n~Lp496gN5pHdi^wa_rjtB>y;`TCBCnoTK{$Wf<-Fi
zCtgYE>Ee5xCa7Nem->p{*AqYAUE1Y-2b&^GdiGe!2<nYgiXlTFf~j7}gVfhWf(MS`
zPOGE)IFJV<7}RMrH@+z7Iy|83UkNdD=IlE8(3x#y(ka0z!^BClux`Nt?I4<kj<X$c
z_bi6$M_Lb@Io}+@U&*Tzz1@npA*htyZ0j2pFw3)Rv)BA#3pCZHp?P6Jq4{;+>yz`k
zb1~xYmIdZB8a$Z_ZNzY6Pp4PhU*;=01W({u#;?qr2+$qF-5Njvy?*w`G{!VkSM<78
z>Jr2bd$j|y{6LDf+P9tS_HcTux%V|X`)(0abc4!*<+|&>YXCQ=oNji^P~FyBcMxZ7
zBrwCeE7~O&V)z|3vaw*W_bZr(=!&}Ex^QcLFUXIz{)AtsR8WN7*MoWY-N|M4BY>ay
z1ny6!z|m;65eu;(kWKx23F`ea)~af=ZKsydt5zfrTcKm^C1a!`fXY@m?#W)&n7X*!
zvS-87auc@D(}s1eR#%pM$1C0nexB^N)1^u1*VpAFkD)JxPbah;2<bb_f%>{b8wb9A
zf3}JF7Mt`U&6=w-W%UDzA4u#gy*^Lo?JU4j4aG!2{v6p;&BZusX17l1@(jdi%bh0V
z{-UTW(5u3-KX|0bKKvm-q0{?M1&#7CabI3(0>x#sjA(4sr??8{TATrb0<!?YrE=q2
zI$sWblszPey583go3WL+8%i1kx)0Q6-JR}G>3U$Q+o)HCIs(L&D5vX>Dl!UG9s#C-
z>pP@_#>o9!Z6QI*ky9ZkwEd^T5*NLy1LEK5%*N^u|5o#}BLI_>Rp!Ns9X=<yL?<7&
zB%rx^P4=ugzZBEcbkR}lC<$uyVZjE(MxOM=)Fkr?_C0D4jPY|$E5$)!#Qe00EjeG2
z{2m;!qs`O@Dd1q)&yP}W%nN<r+#~P-_2imVVy4WZGAnsb?eGTZWfin+$2J0%m;a`N
zSI~SfBQ?9;oh!c?BMYbBrv{dNYmSy4zEZiM)$}xKTQD(<;r;Mcqd<oI`7Q<`GaD0p
zJLG@mS#1#W+o+Vw8wwInH{_C&#9SvpKA543Se(&l`_#y&M3(O9?Ckt1Vw0vOvvtJH
zoU8r$tzoZ^yHrw5fa5A<5eZ<B>k1scxP!Gyu2Ilp3HUhx5%Z2l=b4D6^^5l3A1R~z
z`WR`Cd+c?CEcaa3#>Irxf_d7wOI<b6Cxq1(cjF=<qfc@*;B(gApF5lPPy$9iPP=T@
zisk$H79@PsxokbwK*p9)@g_+GUgsMpni(p&byBUOPb!<kvyB_s1))J?(fI{A1;Jtu
z^`cGEiV(cRWWCAtAziF@l8s#HZOylE+joYmSC_W9-WJUaH%9v&qzDfP$6;>N=#2i#
zQH(o9+Vh%9@9iBGbQM!sE)!rkfWk<oCk)G;Cf{?e6?Bqi=*)WWQs~PkdBhEN+4JNw
z$`%(a`=b0bdm)sD57_9`sRUWY?6%G?@gA~!{yV)G^(L8RE>NWSXMOGZ^~;~d$NYc%
zaDtC;t3PTmSNCpGb~^%uQ_3ucS$G>MKM|K-zGJPPBD&z%y|!;+gl&TgY6Dx<DPtz@
z&fc?ZB654Dx-P!fRuYTm6Y*osc|D_kfEHTazPje=k(E7fPX%1_7kK`cO2wD9t`0tz
zz$VMh1BMYgMoD0@*0H9WI1=^3qkZ3A*b$&ttk@XGUEe22jfSpygTvh$HQYXme}s!m
zg4+z_4O67EHzA>T_?M9clwhpRmaafTw<irlz~t4py=7w0Qz)`40j=AN6Aw?I99&4L
z_>^CGKJHiXqeEYm=bdqy^7)leRe>TBHMU<Cy%~nC39_pX4$x(M&4yXlYI16G)%j7C
zPwjarxqTswdMcYxQfg{Pm&!lnoi7gofxE)Z8+=hl#M~8qumOMm0vmT3W3xBi*IcZM
zud=}rXIRGMWG`^FIlt}4@@1b{Ag5eHT9M7w?^z)1YA8Q1%#miXnHw8Zfq7VUs{KyH
ztofS!LsBfLodlD~UYdZ+1sqQFY{oov*-Z_Dnqkp{xI4`|BDNzG$+^^x^~EsbV0xEn
z44k@HbxPFf*0f13xDGF`D`6{*;nr2L*j{(~9x=D9hCQDUt(Qu66lx06i<LDin1Uy8
zcpG}JAd5oV7ntuLrd2aNE6bnSB1dXW_MIoG1+TBrmK76`_GOPbm$3XRX`fZ)gOLN-
zE%gxT%JS3aXwu$hn-i&#OIAv!x~=$l-V|n`3ag6Odb<hVYBEMt4W3~GrMRA^-;1`K
z!Lh?8R3lwo{J4Wb--Oid9^Ou<^-l|{uOL}KXD@u;s4SB+4R98};404+f@zTuJrq(H
ziu#QHKtMTMlZv%Ow0|QG!(c3*s;jatZoeT9cNuk}5@pjjfNvJq1rdxD1SJ>HX9HcH
zVICTjwi2Osa0Blz_?!JO(-2jI8&_^DIch`+Wj~NZfBr0XmIPOIf|$B^<^kzF`~v1w
zsJc<_v!0wH@;SoIny<5FVk6p0^E6v{-)Imbk<+!Z*X&kS)yVwNxl161_9LyPc0Kh;
z72jvf!G&%h)W33DbEcJ!a16EApQF#qZY(r}8lHhYgQF`*A#JFPlzdD0J~L-|)v6n|
zG+(MvUf>%|0%z-sFQ9S`$GEGn1HHwbuW)_O?LTkW>?F3uq=AsWHM(osTelRWMqyEi
zC<s&kJep6zzBw0fl)r1(TRcYcl&p2M1jW0vdIXDlsaxM1IU!}r`?l(89n3`hoH6N9
z=bWuRP`nw$T*elqg>Il`Y?xi1Lb2Z>bWSsK{!;#_(KM69*dCO+BKa-!YgA;HaQFS<
zf889s^sk$P5ns#~zPoyRI`&JN(2XC4;o>xw65d-CZ7de#Cbzovnz%r>lGDQ4fdRts
zJ;e@a=o4dnzoxWlqQ&yMRtX*cFvh{MSv0{wNs6tlpD9C+4)f{%oR<T)pv5?_f=aK3
zSy5^uI!yZd^bTX5yf^}MH_VKXq}R}k-l>30!@GzO5H}gA5A=69h*Yp!_wvvqzQ>XS
zHAJdLBcqG_%?%TrVi;3%|6<2U;^=?@FgWJ@kbQyL7SVH&v{5{gYU(dWBIUTMK!}By
z^e0o6wj0Z(G9Ek{EpLWI3VpeQ?p3Tvaz#bex)G@M5y}GXAu4%(8@Dv>Sb)r`#t)b>
zw&F$S`$N?t-gBHcF4{^kPoJ+dMZwssZ2Q|pD3wd0;!D1VjHwyC-<0h%mNv90aIvU-
zRK#Q_Rz_QIQ?Cfg0<FK+WM}2dHdq3xbV}bByS)73(6_kVq?Qk->nJvb5qCB5(0#R}
zb_B4KMmo%CL(CvCm#dXX-r2}rt)Z*6vY2S~wJfD=J@RIcq*^mA*4?v0lC!47R6xIY
zv$*jOy|Hz-XM~T%Lf9*nZTw}-sl-GF_g?Oi0g~;=!+TQOm{djxw|CI}J%dc=(mU-F
zv$X>+XEnda;I1fKOq4CLu_RM?!V2nC=hkIspZ&EC|EK96pS^mpX_0F<tDgG}oTKa1
zS^oW^--fPck*jiFAMIaueuFi+rxDgsm|22Bk=hc}vQbHY>}6&4i0R2-fsb)UtwRE^
z(h@aK@%dVdh{$<W1zhjC|HuB6<=d(cKA+iG2NxycZ%h?qtc{I<RSvgfz>JSvvRzXB
z#Ag~sCr6Zv`P`NdoAmc3mp%<#ta3O4*q{zMbu2yoQtGPHyUZ#^^G6WVeMbON=A+?A
z=0JnIGrDROKkMxKCUqYrnx*=t{m`fJs}&ckLBWiNiA;km!D|yPMV`{U(OM!4pUFQ0
zgckY0gKh9L$*p0<a3sUjVapb_zB<u2wEytg$6a4%gf3zsZsHLBT3IM?jYFz<TZxwf
z0QiD0J<K@E&i!UQZI+)Ora?duzI_<n@J(0gSTvznir5pt>TV@Sp#odx)*W^>*M#{2
zH$v*Bz@B~>Hoc`5XlUTtf|%2$b|>E4y}yv)0V)osEvrp+Z^siySxs+YB$&NQV!VCC
z2&^zr+vu!Yl+zBoAO9i2<D`C}^e(gd6<MJ=CZ>b}ZM*bqTQss;I|&?D)tvuvlxI}@
z`{Xn74G&%iW99I=jK(U2k8}zBCGAi=j(8{dY>?H4e4=wxbAxx@mtiNkzNx0D{aXz>
zuC+EhE=T=-Ota6Gh>V^P?As9}u3+Fh|60qVdONNX@W3KM>xySYK|w(+&_{+IY40i>
z5gX-h?6D_h0dsI#1g$1J4dNH{gRIyG*6a$iv$KKXb0{Hi>(M`{{Q}I6uF1g<NlQbl
zT#Y(!vxU{vV6-W4E%MP;{Jtagy~}h)Z%q5t?i4D4;StD!jIKE*<%!*DXM^tsfL3kW
z6Ujs1(2sc>6tr~Dx3bFUalPFdY61FJ6njrBEXRzbM}`_+fcrO+7hdbKix$!up^5YJ
z>{dsBu5SIXep$=xS<c4Do6tCz1$S3BQu}5vh?1J?I#f_+dw0mw28k8gs6oC)fa10#
z?y@)c4>yFyaR`s#gMu5=`=iB*5_iqs`#lu4vvUb6ZSxxO&(hnBS)@!@Hm)JBl$BwA
zLB)K0)Z$2bo3W<0o_NMTDPS=4%rLQ_Ydu4cZ|#bjEC<<c*KMtshq<W=dBmc73b(|W
zvyR(3UU<U@<rI5ZnLIyNaEr_hf~%BBNYOzB;k8Mqj{}mWYlPC$T0CP@V-=GqlU1#H
zhxcyz5HxH!*_v)=+)l7VvcRg!ZKw4gw2gqX(9cT^tNMstbGY$r3(E}4o3zuMJPF^S
zA&tf*Kf^S!fuaeH=e=1h;pd_3_J=KnD2mCnUOxutHW0wki!TWuXg)!&-iUaLH6x=F
z%TDBu<E}+hMnXIAC(lR4bdEYmM$AkH&R17fE8ZKQMFmPa+!mRnQGoj7UM1RBfRONY
z06_VFwfCM;O>XVlC~Mh8R8&BzO7ASBNna`*0|E(=lCY!*1VRZVkWiKdq$4FDU1}g9
zAT=bRs7MzOLO{B75}NdmUwrp_&in2?zHz>D{+zLY?D>a`kY_w|+)w7reb1}hMxJ!}
z5FTdDz3y2O{eRcop#?2_@L$}%kpC^fy=r$|oJHaj;vbvQsdE{Q^7d~Fsdv&A2Xc#o
zI+{><o)w803Cj|0ujz^C&%YRaNsG6MT>F)d2N@z|**d`@IMGU_$tBG7oSBC@X}sY}
zGOLGn{weyJFosha$2di`vt;A#%-|mS{PePfRr3#BIsTlxq`J~oDWiP4Gu@=s(Ch|6
z^JbeS_k!e>&Ll2{r;s~0|A}SJuso5$7n#`CU#lA0W5xj)sxJHPqn!Gz1g<1*R&M?{
z21==(*z+71uV}y|XXYh&mR3z}Z0FngMsw{XE9!IZ`=>g;)!}%%>g-wvDaJZDgx~7x
zc|rq0h$ZI{SL3Hi_o_cbEgJHnL5rFw#o&0PVG~%!d^!UwPPlpT_Y{fTYX(2eGLBF8
z;3}eUuYQ07%+&&Dq5XoJlGs#7F*D%X%erP!&y?}Ua+}E*HiX}3-j-dYu}PI}$r>ll
zCQE34swA@9t={QOXNtn&@J;APk7D9(8<O(CFcRNWKyQ3W{ueSnBKiw3kNX9f8_1qp
zGY%aR2<$6ABq2F)H_m8!=nKNjI2*YuCR@3-d95zkjQv}s{r4Pr4HlY<9v*prJi2zL
zod3NKbUiA*B0sH>bTx8(mNt_w5Ui&P>tM%s846lRuI#|@hv$J-8abA+kes~KsRcRZ
z6H%V9LdzTJL9CXW4nwfZp7XO-%A2@5tT&Q**&M&*cCPMR81Ju4%RZywF%PnfywcD}
z#I&AmQVPxzsK{R(rz-;9|2A)t=hhvvC)yr*BWW90is<u8@3RY`X0+rDohriNp7*tW
zHlbPK?wryjSW|ZD)@+)*{SZzG)s^oFJW&<V2)e89&3R&aHIm18go<x+i`y<=)lddS
zPIz_Y4VS;Kl`N{^omU#&*yrlBwj5TM>NrqGRU|P03Ok}VZ);myBWXZ=fIwqH`+!PD
zAM8t?Oz72vq{<VMqWz*byK&JO^PL3Crt`QF7t9f5$4BWxWK@Mi%kp};n~TIqW5me)
zI3<{9$a~{Qvv%kBIMix_a6Q=UK+OW&3Qy`GaI$$ir2kOwZ?lmr{aNhP)**kXKCVI3
ztyLBKC#e_jb<0E>z?FV{7zFsoN;*Nvc%tP=Ga_3~PhzT|e+-d*MmILuB^G!jqM19J
zIrq7&62$0O^GR)>&$<AXL_coqDC?=I<Vo2^MMY1%{;KNSVG{(HNe&n!*wTwj`foBq
zdq@^lNYzkp+y(a5IcauSDaR$CeuqaGZ+5Dm5Q)+Kwhq(7KT=v(C)D7vKQP@}SCDv%
zN7{52&E*S(w#YdARu_DunZS`bHa3tTSe{lKX1<%^^RDJP$Q2al+Gn<O5o;&-#sowc
zbM^$|0BG}l?tKo1Zo>6gHSJUQ%0VWoq;34W=ge?~%NY?cpFbCMvXnSq1FG?Ehy$+9
z>E*G54C7kCpdXg~rmuW=Jofl_#CmeCXRl5-*Xa><EE68LG@i7LXh$RJ(UIjJCan0N
z3cf9c2<a_qfWPQ*5P!F6^7IA<F1e?Fj}Vw>+Wh)+TT(Qp5uckF!xA_a_s>*G_p*kE
zM|f}CsFmP~MwQg)ydLf<b-*Y@jUgI*(*5hn@$k;?(@IF3SB#h0M2vrXNCdCAzxPU*
zAAZ<2;bqcuQ9fNN<QzD7M<Ezvqb3)&Ha9owX?^uk<z-IS+t@yL)DsW~mActML~N2S
z+er|w<%d5uUFnuX@7?r|$`4DAqPvX#b*lH(RsT2FW5(<gJ4y(3W;!uW!3x3&?8+0m
zV964#cF#7rG#jDPQV<)4!t-Vw3IVe=e7q%9+wXfNx*jU+U1Lixo(jD|w$K5ru3lJF
zUH!>Y@d;(B$LVgYIJL2O*qZcY$uR+n=Sd@%ooxFbzY3Z8G$*uFG3ww5bcbVlJdP>(
zAU4V;5gn>a4NjFk&>^Up20fmbdEnimSk^0^i;#Qiqz=L_z&suwD!JW+XBqhFffP6G
zuKgB~m!F-C%8Z~9-@@nl+N2p<y33%YuMJ)DoU9*DgukGTN>&@$*oTNB&dTE;<+<bV
zEv2<9U*a@xeICBHI`9sVdg9D;ek1Oyt;v#<w`EY^#s*4G*gVasl7O~keo1^bP%OW-
zDV{&oY9e<g9+>4-5P6F&SP`M#CAcY-{MEo{LhbG6`r%pAppwdcl0ngH?2dAM*&qI!
zIs6{k-7RxfASat!dgcu3H$+6nzgJAY(6E>vzce04x3s)J`(Omf5<gkSpmg4>`a`k+
z0iE`3I)rhk7e5ZWC0OAY<h2?-wnDWhg08olPAD=&<Mo}MN7N^REu=6S@wfR;e3p_f
zO5O|v(vv3>_2AEo@?(<^W{(o@4Qsrv?I)O#Ty+`fm7;L~SfejM_(u<LcBzqGF-_de
z^k}p*`^$FJyuMJ9W2V%p#V-jpxV2hBR!XS|G7~zk=MFn*CWiRUjD9S(Tb4pDK=s*<
zPTn;HIiF+rvz{mhojBiBmwEk@C0;-~O=u|g_yN-_=sRIDD=_cwa-2Kmc4<3ILa->k
zRyRdY4@Z~>fj~<Oe@t;Xs;uux`%8KhW{I5L)l}NgQop1Wr)=V1Jzz7oH6R$Uqh4#&
zAv1(B`j%BSg(=h3-N+JN(fST4inUlyno~=PO18B->z4`4qsrtptHa!ruh)#`)AJzA
zlgo#Vfx&l+6Y;02Oz+Aml-M*b6l=WpGwlOss%1c(F{@7(@g{tL@;_Mq_<w=PNuAR?
zAhkD1fqrR%vwF445OSTgP>q?>s6pznrgncri;T@~;@V#<?l(XDb4~N8>urgN(K4c)
zV&iiwJ{{vcu6UYc5n{DSlh=^xMB?Bc;~I&a7{g_JvfJ3K)X-pqi^6b}rp<4y0V;z5
zP5Sn&iz)hO`U2A6oijRnbxj4fbLX!2$xYwMTc4!dcX=F<Zeh9#gRuS4)xIM<@#W!Z
z-E}`@tt(6>57Hs7ImTw#^b|X%{!WKN?QSm;b(Gcm@DAzmh`ZkqE5;T$@YSMyp-ZZd
z07I0+N_638N1@L=IHW}B{Q#HLk)$CXRG`TGlYs7=TnEFRDG31K;0I*#ZrPH=U}6~x
zEW30mE*9KYxf~(}qigu7sFB~M`WtJ+!}j`Yaj$_*Pw`Phkv3fb=-;WClJv78=ns;2
z9}#aA)d9TlKDVvwNF;lEI7K50*AVnd@5L=i(YS0;e2!E?tj-z;lE5lY)p#bY{ab}Y
zLYuIgp)R+<u;zxr>^w>?tp_MIVYZP}(MHYHGr5~d=8rd63sUzL9+h$CiB1C+*O);x
zJrAFy4{7mi^~ayBpL;u3F^D>ZC@}hNW4dnCmym0^5oHsx5r3IxOK!x^t|r(@I3z?W
zjW6fALAJXQhYj`h#RX>-5J>MpWDLfJL@M(!gEO`aeH#v74kIX__;|5dlns$y$8uqv
zR~dQvt=z^M5T2aW+^g$}tilmJR%V@nu>B#&trTwkGPWPe-+rW*c9yZ>))F@!l*KzM
zXJv~a^Rt?^0W(RHCGtV2nKwh4JZBoSHXA_xyCtNB21<vqOq%}|5*L!U60C);XH{^9
zgD|fPvlry7c6|dq*YEsfxn<Q4tuoS3j`Q`?Oq6A&RO6a&PUcMJ-26`}_%CG}hm>~S
zWetDmh0ZebDh^tk_h)33>#a@e3~QeKgYqNb+qC>v>CB$x$%)LN(NC5;zH1)NkgX=!
z_}eUMMQ>SHLaLkk?T?iIlS&3k4K<AZG0LQwMjb!0`pNPSo~fK<4yAT2^+URQ=qP@y
zQS>p3#jDw03*a~Ydp+GJf4d$9tSA<D;tL3%C7L~;uY*{4;WD_1E3JGZ-=d(lS+c{_
z+5RK<8g<+qzn<h_x*l3x1sqGon+}HXYHX=mWyIfy_0Pz(#<0w>+ZIP;f%EuNZ};6h
z-Ozt>W&Kgrxf)002<{us<EpZso5-AwzF4#a?NGmZ?Ks!#=-_0U&AU_d@<?fMkNKbs
zwg3f=9K}YEGl7XVhX%42`d0X<O*>)Dn@fkUtI;MuSw^_7tgs%&*iBoWJ7xlXZ3k&7
zf^)udu4g{p-ix2=?<*KYu@0(h>by7Db~5Tbfnz}I6kqyCL6EskWasEJ0%$yc@CvBO
zXUuINU+wz5X=JBljafGYqn7*hNc33;h7RGoROQqAY$W!uoD9tz-A5a(374PV$5|_=
z)kBK_xumwOqBSBFY5MJzU9yJr3a|76$C5?R+-iv4j&gZ^Y0~%I>u>)d*Ma;OxlZ!s
ze<s(0|4gn=4bCD&NB&KqgK79Q)NHA~_vs`*`i}TzP{<DUfU6-3e`UOJ^T|3-B!H>;
z9DI?j7*yT8W5Y9JspLO8XjxF9b;0fu0T|?ANzyQiu1s0dkOzL+6Sdb;WoP;u+2>l1
zJ#eK#b6^~PYE-<-5`WEAZI9?L^_`LPW6KC|Y81#j34JmU-1|Lby!lmMDR76ZouSS$
zz-p;a-V=W|m%xs;E+N`kO(!peP_Te#6k~$R*Vz-~c1twJN9p?(DrNK;<tvj&vx|0I
zNl!0{6!tXPvLHXa%n=Y7{^gD9D&%o&5h7n4$4e2?+78Mp=){&_aj~LBS&0=LWYsub
z(}<0pzP~(_LpCh8!T3G9hY*1Q`U9Ao#Wu?nh+W0vMQ{#>LS;&}bsE<*oi@!0N5DWS
zz`K2>Q|ZA^7T@P%U&#dewY8D%gX<3?HQ`nC6B#q7T%7w5I>sY1CYD|g2M&XRFBYOY
zgys;9`cj#zIQ$3>l9~Dx_BHGg#$~a9RIvh)J{s6p*gJD=%*R;iqDn?Hts)~}*Mh~P
z=h}}{C+k8(h$8R6PV$a9$pWhmQZ|jLQc!vGzHN|{F@Ceje?}0+dBHXMgLU!LsOLFT
zo?w8^9RXhDwNp9$wxrMkY6a7f#QN2|4s!q!&Udx0UR|mc(oMDaj61ZgPefor`Zz()
z`EQ%^AEB*7+D0J$C{$a^kIfqsiMRK=K-RMer0fFU_=l|u%C)XKPfF!l{*!@-E#Cxl
zA>m=<@K}$s>!ko`n&?+B@H-e*?XGk&(HuWsDMS{N^rV|VV}fIg4Oe8~A+kkMa@LuH
zbQO_tvGOfNMq7qx+@Bgf`OkniWre(&h8_(D+_X&)B(Z}SQL&@c3jSO@B-6k$ooQex
zcYR89BH|^l-MBfuR7s;;UqngT%NN=LtLqoFk!;5!>R&LCNUwz6^h#%=Ri{b#P;iXp
ziNjz(v{>BxeAwP6i9o&svw2+|WJ*?{|5|RqnUthdc*&EMdV14}RJ?&#n!?cuHLd`*
zC{_#uN(Q^5x6QxGY{k5Lhs}+jpnh&o`ZAz%9A?$ouq@EGJbmm`niCfp1ki{X!k^Od
zPKW@`a>KXG<K!+Vk)Nr1Y}uEs+L>QvH+JrD|LUlG@lZ(zj+Ug)MmvihN~IS^uVVs>
z-v&3I>ylbOIB?c^Z?txfjGp(X$1@(H6PK%DBS0pL=_{&iq3zr8e5-6(h41A3`9mhP
zl%IE->nMw%#OJtX*=I?TV1P3m^*kF-svm-pXH}ofBIJOOua#@d^jR6Kn-!`Gpg<6p
zeB+gR)`lRX1M=+y{ki3fsNkpRj&pEa8HnbU_m<H0&BcCHPz%2g`d!!;BMV92I^+sO
zLMQJ?+)3w-=zk*O7=r}*{Nwzz>sF~u&*fFiA$h9FmE5xMh{Bc&qurnMzn#16^MvLz
z77O!d>ds%^{^09LgxT<Am#tVy>a$6kB=kVnxLS329bzXPCUD{#Xz(jyLDaXRNM#?J
zCX}E@5jZ;5hiEn;%9I}AKhbDnGPVg#z7EJ``Xu>k4LAf};k|76d34fY!8;jy*jx3r
zA0pK>W+)#}2g+N3cz?I{;J`i63)UN{N9~&mQXGGnYu*xF+Qm^ymW-0B?PPZ@)(%;D
zDD(m4k?wCAtY^1!6$6ZDaKnKMu;RO_)3{oj;jXE1?mZA9Z-s(E?eGQ{&mKI1U2mwx
zW!+mh9~=6(e^c&9&*0@!ky5bT^`7+w54|dGl6(Vn|LxqSkiQ`NQ(K$wYh8++FvgR8
z#)_w*1E8@6q<SJOH8k)<BNM8(aPFevTG2?zI5<gt?;@@+FKRkN|NIlVbI9;9UmUk$
z0*4F#o0TSKUAqx*zr>w;_i1ORZzWY^U`$`WqmZ~WyQ*yDbac1xR1oVr(=-%mBBk#J
z8Zv`o_VKQ^!yWoj6Q*846)Oo$sUK6EvRE?lx^KR+{xttg;%dhxiuIw0e!xXbqvGhs
z&ieL8V<|sb?#Eb3uBmXpor+2q(?*t!GVM$5JW0>Z0Kv|>Avz?5=ixf|?-t7rlfKNI
zCQ!Z=Sl8aUUv8f6){+>TQiCy0wab(0&IVIX7A_1AuV-$J)^*w6Td}lCv{@e!wqvtX
ze+tV-4uk6(7{J(@YDp;JnvgS*J&&W4>jazk9EicJeRw`eqSJ`JTp^?A<qY}dhe>yp
z%XW13_VJ^j;(l9uOSK?R9^!CGT4yKBU&&&PWDy$gqvwqeZ`{Xj?entZ=c^wL<_Y@E
zCA7!cne!uuGc);VQYD%+F}dj>Q_YK`>_~x8$*L&{ZLQN+p}mK(KUp@t$H!Dm#frDg
z+&))KaC*LnDtfdSU*FGxKbI)jQ1`PNf%o6|0WR6vu_=U}^UbPg_Cf(n7RoxNP%5bd
zQ2-{>bDYc9;)}XNY_@{D^);J<u~Zl{mLY}OIaQdfV}lw}12}H;%_U1f!pOR@3}|D`
zy#24D*j^A~g`DRRk&RF?$;5R$V71&6ia&3JFpHv9a;!H5#o-^*-4jTB%hm>SAl)_O
zUHCdX=?WO9nn_yq_U+)`eu5K2{;j*>ZiB1QQs}(HAmqFc_~OKB<sD<$a4fPJUgK}6
zSZo|+4BbqYcK#<T)Rf5zZU4U{dcRnqeE(vFp8Y2)^ynV3_V{{V^ecn$LAAFcCpa8t
zq|q~`2BO<K)%6FZCh?h%^j2knws0oCv$2v;uH3Oqw59;e;WEO#VWUOk)|8NDo5Zg6
zo>oE`Wkx25`{Z@6*pPfyp>Z&>)%p;;rG_q#o>2}7Tl|dbMV3{I>UG&xdkNFKue@3?
zaRemc0=l36WXTF|{z}k?DD*Ctn`4!P%M5VoSsV^OS#~S5zZ}agazI}8<E-0WPEd9|
zMTfNujxXm|p@7CnW-4|ab$B0pn5Tan8CuWvH!Pkk9QrNw@N*pzOofR5RoB-(e5csn
zpiK$+t0GK%o-zr)WT!MVdEl@ifvrtzZ{YKsif?~C@s)Wc@2@MHN7%H-uW2tEA5Z_a
z!|oiJE#z?zYUug?Dd>w4nJd7$`<Ti*B&LTG9nX*$XohPIEXZOA1o(jpKE~JD@1XIV
z#r0}+!?z^MK^k%mwds(zHuhBW9rd_R=;U+LgjW7{L4SjxpDfAujyv;KmPJn1mlT_0
zO6>#<;G_apcqwXwDMwx$YkCnuxyDUH)j;W1R<QE$A_<-^LwZ}#ocBkaaM7VD21>o7
zZfDaWe--5tGVA{uR-v$k^zmMqZ_^*!(w0W_q_B$cWr-MGOB8MEi6knIAKtosk>P_e
zRPBnM_|sX%+ypWGfo1={dWZb8ApQ40|D~R_aR1LJ+_BV{Ijt#Bc8BHc$6w7PSXfpT
z|9+z(M2Dv;w@Yo<MkQc;Q%uh$ShQzUY*PGSOb$6ahyU^<yvN^0%=n74`Uq2%DD`4`
zbSyPmxs)Il3{{j^cOHEC<0GOQa@itNSLsZws^g0scwy<%PnMQ!C~b8;NqGoXJ1q0V
znsDQfzJ3d(TQ~lw;2y*#TwPHjIGDx2l$dT3?8-W(?1Y*OTlsOpniX?eX+219E<exN
z#OYA1e6WU#I<2vv*yXs>dZ5_v31)osvYRvxF{oT|U-`pw6;2-#Yx&6%e0~e{ytuA0
z{aZofENvw+mVQG9GM9DS?SLMdy<J=3R%V6=E%80fdgv6!s2*S^`HzzN<%ZO!P1bJB
z`NZss4XBT$F6T`jq>YpHKGS(+4mnjw+UuqoHfWg&%RR+1S;ef7#)uvLg*N;HuD89k
zb`>LLL4z;cJ^Gs^Ght@Z#Zv01f~L-vyN>@3Hv*bOo|I|(u0^u)2@0GJs02dgNI~5o
zBLgda&Xt3OGDdOZGaSm$9~Y5Pavu>Nx>efLH@#~S1!bPyaq4y1pm^kr_PUq86XhbW
z28?zFCj?hMUDqD#f4~?{3M~sIIe(55y0yC9ChiZx1)doi7k0<{DFS>*BpZP``s_GI
zu-GeEwzT)h8IidjgC{W0hP99l_7u_qXvL_3dy$edd#P3|9yAvyL*&i%R2;gP^5>+{
zww+m|aO#;ou|AFLCN+F~fQ<a!MP_0)pP*JYz8E{nOiDGA;)M7t*Vm)QCwAo&_|^I*
zArD^A(TC)qNT2v&@pTFxTlmChxaJx4+xCKRvXb&-PeWtUpX(XfGWj=hKZ(x*vo{61
z)v&(oIN$Yc1U4U`N9tyBGk|(EDolSOseC&Hzh1uwYyPqA)dRgd94dguRBoK--1t~m
zQ{>}9f7V;lWe#*DWNS|8p;O;N(}(O8k&&v3t;b_?B&6@Y$GS!tU(DdVl`iq-J5#JJ
z?A9spvKbh6a5XK>^gP+euk}u?!@3sDuPBlov$&w$ta%;R-U0$(f^6I$)FW?`riaMV
z;oaKLOW&nc=^PVv5OOGFuC}j@ZN-Xpjk2<8a_WdnpPM))*wene5q3bW2y#;yJ=o9S
z(%bn2Fn`Ub#`Lj*$WzOad;xjdRlds}Hx_LR7G$}%{r%q<-}|ru*Jw2Ut7B!YC|e1t
zztg6mp52Db%MPg0yiW}Rn=i*#I&QIHD3Tx5QO2hZGux1X6t4Pm$fFNSzM~4|pYhIy
z$5FGs7J}}Ht*Zq8@yUi8OYSK{<|8-Nl)%c>mIPm=!A7b4YHIgWv6$3?mxCEogA{=;
z8y|jm@iP6TC$$ToOs<x;VLa>G3)Akd#*aX2{=go#{yGq#*DAP}a-3nlTcQd)9w!Dh
zo~AmSjN4s_OlG-3SN*kF{DRxOrk@n{3Kjd9CEr+0LvC<5B|u<usUu4SooFG37<wOr
z#(+H|GLBs4BON~2x7|*1T`iwOd5&Jo%R6%UbNX<W$hC#OnA&f{(Bwj#kl(E2)-4Rh
za(vR-xpZ>QK1Zl)#WKoYY7kaTO1Qqn-qF2&^YW`#-zisZRtvg9(Cq70xnNBW^;vx-
zEk&`k(e3EgK}u-2oXH96mpLo5t?e08LQ+|;JGOF!4p)q<R!k^(WGcw_;fjcn2?CMI
z`J}|9`cIaioFd{h>!oL&g+pj(LDe7n%dJ~WTLoa>ZH~+xEfqXJ%`KfGDHlUjBfH>T
zpXFy!+B7_3=`*^3)H%tYELIh+6>J6#*21qpDh$h|bFL8kGw0^^-jD;uJKVVU_O-YT
z(K#Qco=JGdg2n>!`{)y<%6#e8h<lDcoKc09l6eQ(t_zpV{DHs~UD=CUPrZ$RMK$IC
zt$Bn5kuzPUw%aRw306=??M%Fz$EnFYkjGj;)}?;v|AW;k6(-$>SdlKkVipggO$Ih)
z4{^-lxp+5|>GtuD<Ab>_w_6VW;hae`7b62#H$)KWB@eU7X4W77)HLz>-vDzn|D?eF
zXJGDZ&a|;XTFIV!d~P(F(7<Wrr^A>v!A+X9dz=c>fkuJ9EggL8Du#?Uh;ZRf4gnpy
zhAy3PB%37}5Y-0%JxJ-Qrj-zHhNPryr{7S>M$r1XW{xIvp%DFOVIcC`C?%uzOR>%>
z(i1vfyJpVjxYx3DrQX!Osn5_D{QL5}rZS{H#DS`=Qp1VXzi*V(p9if*fxG?FuNBZ6
z=4Ej6%d;R|la{gJZ({6fS<fqO6DMYIMINIT1FDvaTX#y?)sUwj)&x4hLrwc278daq
z);V5qFA<S*d{#DpS&n&kigk7M*~9Xf8%tYiXI(pu=jdAh*F)~Xwxad}k7o^<>Lu?!
zHs@E=sc~ou%jB0csg0t}=I(1yIk4NY&ngnPkC!ai?eAO}!y1>houl5Q^A5_ZW-@^#
zF&HlKNvq;?K1ZIOLBvc@xx06bEmNQqIZ^n+tFQn;U*#r7=fS<}5ntvd{URywF8c6|
zfgt4{4L$^t*}|=HNowDpB}z&>qpL;8Nx@@JPy5~LTK9%8!I?DGC!h6du9L17s_Kq(
zg3XRGPBIRABU6-DA<qD&`KK~xZjj<+yxSNV6xcho)oiHbMtQk|#>Etj)z=d4>WNrQ
z@bf*;Wq73RkC;RvANkL{xxxf%8UnqOhZ9O_r`#0$6p%D^AY)mh@832Pm3^#B-drJ8
zS`qcsyNBQurga;?68iIM;xK~McL4OJtT)PXc~(=sl49yvZJCf#0x}+qH$^Q!TahRc
z!rr&Dax0CRy8n1j@-{+C^(I9M-1@4F8mFT9Quj=iS{2~&-rE?XC_f$0Xv0{iPQrw*
z!cEpo+e)n8+_2|9mS5K>Y0cY?91ocBG!-wgJq#`)mpM6;^i(s1YS+dMT1v^=$*^r3
zA*OGj67f$;i&4w4#u5#+^$>gzciCUSLH?d~WA+4hw-<Z~i!|FcdUbnSUo$A*i9g?e
zQH5<^w9r<(oM^zOA74WkPSRBN{c_kdx2hf}jj0tK9~(E+lj^PTt9oV;tJITFcTcV#
zg@*`_L<SV;$vCKrC(vmQkcNJgnW43xj3rr0hMYa*`Mkn{DlZfp%S>i256_M5*cbVq
zAZt|IKKhA#<Tau}tVn<8XG?AAJ=*9vB2?V(^&=_--W=F9Z;c#Y1Pr`s>-sj#U5Yld
zo*gzrfBhKI32ufy*cd<P+k{B$<|M;9V+N*yk17mLjo<k44>xq^fW@4qaQC!O7}umE
z!v~@j8&i@LD7k2+tX~czWq9D`*8SaIsg}LN*IEKR%b$M*{yFEE(4cHt9%%~r%l}2M
ziww=p6*U>9DIeT)7X<fajo8fVZB=Ph$)7>gbkI1|V~NkbwM)M7DTv>$6Zw>)nUDa&
zk+`#khaV5zN1KGLs!>Ili;HRz4^u8Q;z(6?0~$Hbl#3eyvSRxV#o9XSa|opGn_AL-
zVA-NzUeK2sT`|x1v~G~;wN;!eXp8qCPPevwN=A$>G1>+lKiQnegjMt7&L86#3^#^j
zX=&D`sT8Ico$80!8#wZ}6CeE&lDtI)J?ezH3>rE@Eo&NZ1<}4>bA2QAI9FFmH<(aC
zA=64mDxuT?g~y<y?@YCsfK9d-iHSH4CqMgu!2P6hD8clBL~(%AR1~h;$~4D0xqbLs
z#DSz3wjMfwt~bi?T^%;Gk6?}r!5hxv86ac9!Mi=ypX98RJ~kG9YnZiDdK2rpA)#qL
z-IK)_W}By4!HV5%JL?24Zu+B(a3TGbH7^0H=}u{bPw=j^H&Q7^&Ux-bpK<lL?7XkB
zpmMU*L;TzR=8O6qBT2~qFRR=1KJXW>S^-zf-*?lP=oZGpmm=_RKYcIgMJ1u&<V)RA
z=Ln#;_*u#Y8$~%ErkUW77)&Cw`;VB{zc+M0?GU#Em|ZKEBq{4-hgI7Dx}w*QH<?Z^
z0hH+eaC@oy(!{KU$?LQb;Y{()@@{jvUG;2d*yHMl0SB>2i%;%Z8TjN8jxl$7ixO9*
z#0rMmIbYVN^ktl@i*)M#<$9(d{z9PD5JrV_uVBQqdDaK^T^iq;J%ja85v^VqN@O%^
zg|%_LmtjNReGpxhvj+ijRj{d!DR1Pqj$hEz=7UGSBM@%qb9{~KCNxMrk@QW8IM_~%
ze#s_<tDAJ}T}>``lHsZ=1dHi6<>e<06vI~dze=}(r1H|!W4CI<RrzEbBZ}L^zSW=y
zDtJwA)!N@Y=G1g4a#S4f7Gl;9gkV@<VCUt5{_2_(<w3)NY`W_nxI2?Auj^ARmz&`d
zv;BnKK-XLMX1=0MrlkBuA;EIcqJt+eDc_a=gdK1^Y8S`(iRi%!_+vHASYBlc7xIha
zY}c-k{z}vISMiBlPE65tvt28H#)z2RkZsEu4k|dAc7DCXfH&Ng4pDAH=iB4*#5R|8
z7HOM)qdk983d<V1>@+LsMh7q)5-$>^GyDbNpO;JTP8m^Cf9T8|`IF^sYAHF#&PVo=
zC{r!@A~A$K-PHJU`USac*oq_g(%Or>b3ScCTu!jPugPTB)^1QyloS;0l1{n<lgHd(
zL~L&~*fs>8Hs3xKD)-`jj|Fh;X%F?~_aPsZa_<z9xR0zuS*F@hq*{59$M+jR31%W;
z2UZ{Li}lg$+(()#EnT@v3L$ttd@`F~Q`0`*{}~tS-_-}9q0&o&Pf_aTr~Osf!;A4>
zv86-j#LBY9^?3bzzB$a}`ok+Bav{&v)j#od+Q<ynz9^y_-<PgVc8M!aBkaoOm35H!
zdlIijbl!!FeMop<xN7=*D=fw<b7f1fHCy->msm~E{mJX|RN-_5Sgdv*zAv<Fx^C{i
zTg1zsEKDT)>S#@wvUUkNjcmZyQj|0%ukp#YGBL|?*cW-Xp`@?UpAu@6G`mUK;c)F;
zM~%VOO*)>I*l%o#HK5S6E!h^+O47dj&I1+Rzjh7%gZk{2ckG|Iwb;Z!>9W0xAiW9D
z1+wg6$@>~-oyu`>vKDJ0&m55yl3+bxclIZXV0rv*`ljOs|J&;N++bZWF)`WhZ1n2j
zJZ4VB`c-n?fmyw;Ta-pQ;Eq%JY89k(y{PZOg2$r8=WZJN^%}rW7WWx96Dik0Ydk1e
zXe4_>zsk=}wDZs7`sM*W1e*PIC(VyRo$pxpM!8LWn6X<9ml81>EMXJgWA@%?elF)z
zb}u(O1tl#fkS-w{`^As}!grD3lt6IJ`5Yt#JXr?fa?5%+UsA$EBF32QILa1`J^vW}
z;`hg)cKk=()=qAfmUYjTEO(R3ZET!`JNZF&oJS8ln*zyoj%1k3vq0UaEo&IyfC<`?
zP&_wlaO6gOH^7+z2wt5!Q#NFD5S9LVgX!nthuCL2K{azmb{Fo=ta7zyY(b|ZcJr`L
zGAhwI)*jwFlk)JG)*cS?<oW6tXndPVb5`vwH+K&;ui|8^Qi1*M9{rogxAdLQt?jGM
zLT0>;N?IQ@z6CD-su})IgV60!-RwY%$sRX}N~mnu5Is@J(+p9OnCf0@6}_7h{Mc!p
z+w{zt>DWa4VF4z4Ziz9gc%K2uA%pAisE(ylp%r8O`KVA4-LLg{z?R|BR~EjP2ET6l
z8}VMiVDVNWQ~b#`n6+tDRv(M|5o~uoX`(%HvUZ6a5Ua<g5f*l-uzE$-@_nkn8bLv`
zrrX%4f?!A&wuVF<J9iMgprtD3-CS@sy*K*Q{c#~J8#iV2sFzGFmV2satJ%;aLumez
zEKw{1+vwJ0zh!>GRkV6e&DbBVTMGtR&mm+WWPO~zBoZIeG9hAWGP_KTHEmIP&^g+u
zVm+i85ou<$t&@_~H8y_~{jKm!_Hbr+r>zt|Pz9iE>E;88H@VWW&#9#%15Ybhq#0*X
zxv1mEjEFmUZWWBH(y*(?SAuS%v!wY@EA59lHj;S{-M!x5txa^}tPm7U!0X$@7ORKA
z2}8jIl}$-G1QsUg_u%SM`DL!GyD7FWK2_R!w^2eb)Nb_S${P}{*Jzk*FF&D(5fv*t
zm66?g#D|Ni9Xq~Te(W)Wy(V4OJBRfB^7NIR^v9>fVyv+3l~VAiw5WY4oWt|tNOHMC
z0_(;9Z~!7Eylv?*l8P2Xves43sNHw-#r<Sq^9{nRxn*>g&O;I!fy2d=eN(5BVc~$3
z--6qPJyj~i3w^AkD@mO+9UVKhv?Wj@k8W8U%>-9rcArn30}U#LDQO8S3UJ?gVB>X>
z7bb=?M3%Z`Gevq}0rKR*=$-it@h+FDbta`}wgkUA1fI2~jkL@_b6%(g(6RMl9zNM~
z=&>@NR6h`e25$BGjsBuoE8k%*p+b-5lU+QR=Z`D*cChApC3>pJGFmzT4=aox_Osd9
zvr-0`K0sjKg$JqrrQJ1dLbL#WSoms_I!trx_%dPX=LVUc_wQ&*eqWhAr!7-j;&6Kp
z)z9oqGx<K#9g`A;WNNAfo)ZFI_1gUHis@;*Wrm@Bv6fVvbovnwAe!=bkPj}df+lh0
z<`2B%vt@Rbi<*lU<_jxYy6-9jMry9CV-Yo!&?f`dZed-;sx{@;<3d?R=n0jEwTyNu
z9-~3I28ei%ef23=wsApmL5y~T$m9{I+T8b%4uAO7VzPT19BP`qc4~`CQ0(+m-s_T8
zd9aWtDWm%^$>rU%W81moESxEua9@m#AzZ7qRtE!?prY`vN=+{a9!H0?G@3#e@|ypM
zar>?E;nP-`3Ulh`0ew|=)p<lPdVFMoX;DUav(DXJzSo*;t`=G5)OswW5*`+}n=NM0
zWIY*+jyUV-dRP4^qGE4P3GgFoMs`>$Z1|%u!%%(?Z_6iFFmC8WKA>>zmMr<5GOK_q
zRdk>`@WZVB!0^+|le<Ioph|<$_Q01_qPc>4xRuSths)TN8wQlUdrA2=jFk;smiwf7
z$M(ftnO$*`AxNDT#G^8D&l<mWbD|Y{BD;_y9h)?K(MJ88b^d~7VqfDca%#&~g6*J3
zpsLU9>Y_To#zB_TU#IveI+t-2GYcgSOY4Yl8G*JD)|$0R-#8i8e7idu($S#;QfAsu
zA!OFrCUIH}YAmwen<nz8>Br2j$=;ia%G5cdIivZBVecsTUUe!dsXM-aCRt-=Y&`sv
zWsBuv@!P+DZAO>(vZ%3U17mZdRaSN~<Vo(2tW26gJHETg83RyXaiXo&Or97YMvI<#
z9XrSUlZDHTRqaM@_lrL7{Y;}hH5Cp%s}4rz@J=Oz$!B0H(Zxcht-bOKQ`yu%F(l=-
z+yF>I)^b|T>IkK(ybv(Urm;HVs4(c!S?zGMHiHT|@V!Nlzv0e6J*k~^VY&Je$86&(
z;r;a8zN~AK+1y*q@4#LS05&TEmr1bqg+@-`3JB*M&ZXCVfJ$}2c?<~xXVYFxzw)^A
zCBa5(5CT1f><#UnnMwjT4mGNTOm{rL_mhPKk%PISot9Ujm})Foe(|1i9=&F#b~4FY
z<i)rxEmQ%C5RQn5Y%+-)@d!p$+HS}w)s4v9C@;npTh_$bOP1Ro={29$`pM$rW;Z8<
z$-I{Cx>%<i%kXDp$?0TI*J_rMn|A6Ni6JvNZnEXaWpaecy2`&EX}8#7=N|UXyOjnj
z^|!0P<GxjLGaUD1Ewzg$Hy@h?5jr?bo<juG7fiFfhF|__3+Mad;USo03>aTI0^k%u
zH#Z-%@SYOa(8^t0WiJ7iNBv}Ri*@$#hd;dTOzfh<d%Z6041tyzl7pMxiF8xF5XJ2I
z`^-cC7o|NzV8uNUNb}QcKcL~P0n^A`$c)R!46<bkbgwGqxaZVkVpkrXwdP!I|1~~U
zKHdae!<#Jv=(^mTd_<_eA$x~A-M68)%`_qYYuh`V>ib8XSz}2vT;k)?e(G<IORAUD
zm<qX!>tus6pw3(o;^Y(6vD&&2>IzSex8uo$oiwjX`89IrhKFY>nY6eAOuzZ%NGVm1
zyVo3>&W7Mn9CHy~g*cMNx{NL%g@N=#<7_J$O6GyWJt;qu!oSmQ?4m#SkcV2T5`^uA
zZmvC8Zp;t)T`F~SxzSoSRn_9<V!SDOI=C=*lh-{mHcnK?dSIA4vQkjs&#OsWEG%b9
zG{~i9W=FUtJ&FE{?Yox1&y&8<#L#CaNe-u;^>0jnsw{`A+$v)eD5>7oIWu5#Md6E8
zFRpcm(wA2@D$8Wyn6U#aYzo!lJrIRZE~LH6QVQlUD6Ci@vwCY2EB!-XFd%!tF1eyK
z(7eOu<AeE3m{#MJF7FDSH2p}B;z4KzO+7J#gKV_go$+W+6ROf&i=V}qQCp%1`jr?N
zjfA*Jb`3^YlCFF0hx)Ih^n5!Wdst9}Khv4uPL+3O&FnPoBD*P}_C$Y@D)KdgTEu(H
zp>FFvq)KwgR&oY;mnvlOG4JG>oSm7_qKo)Sbw%G}3;ombSSc$Wv*O74hwm?LN@X;5
z1Gk7ZyyVmet9sQ8qx``~ESJrGFk4+q3Kn%{<fS)R+za^NCy{7sr86SAD~SU=n4s(v
zbu3(7dUPHv@PRCAGG3(`X-$~}bJVWr{rRZtCEU0I*d-Gw;h|`NZ(n1r#^t<-aAS>o
z19Pf$ZUKcs8a{2KU7-ZKyUW&Q>%wM6nU$?W*vJmjQ>%^qq+AZ3DDNDPt)sX?jTRRf
z;Uvj~Z_19t8rLf_61A5tvqrNR0LcN=f>QN2(A3emijn@x24_@lv=Jo>?i;lx@Hg|2
z>&{`D>1pjRA9=LT6u*8DR0^gJ)LQR!WC#$S)jj;e^m2a{`=q_Vf#Kr1C^6*Wmko00
z(})E!i~yojFE3DEVM&(yTP91~f~8a?Ww-iBa$ZIOyGHBST-8-yCz1175vxND>xyM}
ziCnDd6VdOd{@IdjF(Rw&_SKnm78ZU5v+A6y1EUU$ce&3>X9UaU5_a9~`02H?#sg)S
z5R_AeWuF*{O9s*8yMQ!7v4oPw*@e@o7i!WpI1`B3@0p8tq6z!Fud>tj+iKCSpVk>`
zTgBJrD{+>zr(j2&gV{n9w%mb_|5SRfV9RA0A2by!X+Z+kq}_>foJ$wg)G&cb?A;x5
zj~!bdEwNtXc?y$j2jq4(e2Opk<U{kQdyn8EQ3FHO1lG$hV1$!AwE%f;M(BBp&%md}
zk!%p?fexK`dI0Fg(WXf%?I&Wo3^{wA(RbU63x1jRB(Ps^M|dML^XDqBZu$BaG|^{P
zo)r%ELx$p&v)@26O=7dV+~3<w)r`2z6cs%$W_qpb&<{<1oc`TBd3H_=?-)!J!?T>4
zJ-WBDSd=*!!Xpp2a9H(S+EQB`ESFxFS59i5UEa!g!&7$@J19%8tImi?1-F%ctDz8_
z%|N*_+)|$MQ#qjZi?1sN&y5M{Lcx7PMdKQjJ5viEs*IdBfcCrh#v4b~vf2v?J6je6
z5!{dzsj#-cA;=>P*L26xdZQ%peDRoBOpY}?s3VxIw(gZL9-uNv<nZ(C&(bFwwHN;w
zt=gxt^DToB*erjQlyonvBuG&>MFSuABHkDIBCLIvq}9?+fs>R4i;7+r+*ohhyQH&!
zWq{hgk&#G#iG`mrg<=}^-0E78wW&2TU-CIFPe@a(lk#fQgKv_b-jvC{w}6THffgg9
z^3(C;ZRoUs*d=m(^tR@D`Kt6=-cs2yN3UwE$pzCaSsw(g!P@w{tAldh=B*14B#bk+
z;Y($OaI{qodIdRSH}=Tm=DJ4oCF-EnT_bG=pstwS_VPHmWlnidTVWKAuI6mgse5Hk
z(;Qi<JMMz(_CO~WxAPK*Ame|tJUrhK)ghlDYXwX14a$ux%J#>D_{V7)#SNdq10LsT
z8X_UT`OQNx<|+Bllr$n%amHW$e;n#2eC)DOOBZX=r0?;$LlL{|GH~ZSx~;_zsmq(W
zYIvt~1Lx+|>jiF=joIfk@$-<F(|eq5r}|ab-7-Dw2!84b#@0Z6(H<QjbWW|`nvh7z
zwt-8H&-luK_AjjPgFN!8@t#~`BcjQH26a*Wg*Of}bRlMRlL9bKM3y4}B{w7@w6o8a
z`uC6Ml3T#o>~)ha06+apCB@Z@xr(KK7r*^nIh<23TeRl-toB38O$=|W%RQU^7y;<c
zi5^dxSvlilYuLSy+iTBC`$PEOH%Nzx6h;s4p4p{Yv}R7cVno3IxVW)%upneLM9xUg
zF}_Vi61lb^zwBqW-m@sNJ^odf{T~LCnicq*B1#>c^?fYGSiTm3gpa(J(?7VL-*B2o
z#=JHzdq!XLjIFD%5<6LfyCI4ONG=07Qc>M<JyPEL)_A>L>8-oFTIVD;4lF9r2c8oU
z-t=er=C9WM><9wZnkDPdE1~gEPmOe)yBM{>>N9qDpxJb)nS~Yj`kxcKG;t^0@vX?b
z)T+F1N)%2Bu+KHtKE6ALM)OVzzWvhyZ<H0F=4bAWPDfL<a#bx7Gx=k$@9OM@w<(#V
ztAkK&@b<Uevjsl2?xX%>5$L3V94zQrcl*jfD*8<8upO%twxlpo_2z1eE({Z>YXgQe
z2{JE=tWoL6f&}C1m~w}t3NwoeL-siDgwXtE#&ViW&SGqz#5kLb4{xl#WKnx1u{B$H
zXD=#LyJH2Va&h5Gqf9v%vOd|O(l<{rY*cYA87QFJc~j%<LOm1sWpAwHmzNZ{VLDFt
z#&V!{5ZGmvD;J(DgS%}COS8BaR~{RJJ4<NL$SROVXK~Tn6mYN9JZ7wyX>2AJ3$8IW
z##%o|Qy=AJh*#ht((1JaIZeWS<@)lY0Y||tIcYU@^{s=o?~Vg?3nzv?M?M+EK45Ub
z<UopDinoVu2AV^+RhbRXz|D?@?vmrRvzQY)eU9Glo}PVAelquppXe=wabDZ1L!!aa
z@7f-_d7F}<ox0L-KUol+<u$_`6HX~*jm`im43g0hk+Cc29yzNc75i$~X4&tkT#mk}
zT2jmy;-XTZvB3pcmnzO(%g(TB(ny0H;-pCNlu*3&IJ$9kh0PLMCF$@QsqQ%3qXR9h
zQN?-tq@I2-!zG$WHcb6E&w7;e0o%!#(!n(u*TYH~Zxr&}8$}?;1|FH^w+mXlDJi<P
zCr@Oydb7IrBuK-RBd*fQQBpFjs;-NFIkICXYS=Y{&+oT}BU0*3UY;++H1e;>z0OjG
z^xquvT^hqN`HH0Z5m?dS!tRd}ZAWmYc#ZH(SnKK$>&WD`py+)R^QRuOJF<YsmKO&<
z+=c9bWe)?Bs=gw<f<7%gce-&4lv_bAdZB~5tFtTTi3YcqeEoQ;ub)_`COcua%}q6l
zRiv6ewZv7$91Dijl9xsdOPgYi8wNidhRDPe;-=J91;EmDx##0*`0I}2K}HSPg33cf
zLl7yEI$PX44wp5y(XBvRL)XLbG?O~jy;8n#PFZE(fZz0P?Gd!xr1{zA9iI?tT?!ek
z8NqV7qKHM|Ubu{3_gyt!SeFSMhj%g<i3RLiG;~etnBcH2*6;JrndkRQz$VT02kuBF
z{vu5ods)0tB~V~&j_N{5-)_L>^VTMreUr^B@=!ob__?#6;on3hJX#2`rl%fWl<ysN
zN;ob<><@)T^z#2TB8~5M#EqYDZpG7WQhOUxCS*IFSbutLG&8aH_ivxo{tp|<|F8dM
z^DeX2eTaXOzsS?UHWD8Q-@Z)mJZ_jtU4{&=XYle^f-x1lS4qT_q-dJ<+LvZ%n0mSg
z22^Tg3GNaZ;-P?^tofRoTlTeA0B%H9)^u!OnO&fA`@~MjE^HZ=;+!*oR(zcWegVF~
z!ZYrQIU?XpUGc!}MvKVVdyok?eq*=v@JbE_v#lS~z_i>UA;<+K_pCN=$i+oQKpA&v
zwpUiON|!vU6|B8mbo?Vo;N#BQzkd_|2e$vOFkPt=OGyu4+(y+JWX3xrk(g5N92O;9
z-wWe!b))UY?(2OM?-@3+zGnHF$(=P}!oY(Cg#>>){w{{1N3QekicyDi$HuLjRh^N%
z-mMvT#hHEBHa$lI-+6l<s>ifgVp<A0ZgpWpQ_7Ly;oChXs~hQsP<Tsdh}LZu|JbX{
zdHBNz8HWw-%A-!gHA<i>2GdcZ_{?27d%-*V65?11&8vpQJni#&iLN}C<VkC&eCxp?
z2Cg9@!o=j3uae@<mo%uMQSaQDPDM-k4odNq9brQgy|ZkRttdaH?bQtkE7W?Lb)Qdn
zbCTLG+v6k<2^m{BGF(`G(;`9Sapu`tuiFnz-79F~vR_^b)*N#l)qdf>0<kT($@TMZ
zoJ0n&aCpo8D_Z|OUY)I+7T{=GJFp2Ur&zx$#??OVvM^Lga&8u~@C73Lw)`ckm;|fI
z(}A9|B|lk!^rsAyln1ZgF`H!nSko)qa!|L9G6v=Ea@795^OENDA4^K0P*X|Q_DfOW
z3&X;Mc4jgPR_$a)IehbD!2N+o**EbU7fRL{hRRUu*h#a_20FKYU}iB^T_~mUb8|lw
z_!z>y9^4iELmBQ~Cg;?hdroexw2vhv_B-^or(enSwb>f%x@oyfL(^)4*@299l>SMR
z`%jhyX3KXb-;RE4(-C5q8RBSox^^de^n}hKkVoCa^7o-b#|1<CT#wAQ51H-`+I!AN
z`HTtUjiZ@O!N(%RYUt#yLGdwXPRoCMGJnfD^hR(9^CYJC<kn9X@dIMwQPaJn_QVVD
z6)vXLm87;Vc3uBpR|(kFhBCX+zX<KrBFr|)^=RJ}eqn>wU14elQ1Q&WTEx4woEzu=
zf0%&%%hh=8#p)A@ZGltDwGEsQ-4Y)pBhnovc@QMA$8;KSX3`1Of3mdx>lQ*eULTco
zB5$y3>685RYM5*e6DiZP2gZNy6%tZ5y?m6xmDWYID&=VeeZkN#OhV+NAH4F{_Z1>X
zi=h)8He4FaC%U7K407h*O<soIq`R3|1e0~q$R;6Fcn5?DQDlj5tb|TRvidHBbsKcg
zhZoWRTslMOjAEn@!Uc(Ig1em*f6vN5L(d{^ftRijbvvir9YBXomrQFeJ5?PE^z^yj
zo{h2i>qTu3JkI!DmRjPx1rzu{%5k+EQZ86(pL31d&Lj0Ng<gKgB8YYT@3A8OeHP~;
z2G?F_5I2C#)`4iB&u++%{5JcNp){3syQRgDx}Pk|v2MLvG;QO5E`Szg7Ioz%_@^}+
z4)Tz`66n#Yp8kzTzrOzM5g|rKQdweo_nFd$CH})lzF-xa+GnS@=YPF(BR#7F3fA5{
z*0ycbQ3;Rt`aAObT{d%&uC9J1mFEym{nWt4^w0I%$d!;8WUvBmD33yT6_cx1^mH#t
z>&Zt>>pZ9&(J~XaTJntU_hCBKO+hACLm*7TR27F5-Exx_4>n$7?56J;RbM&R-+s$X
z*C>^TjHSwQNb92H4y%{#1Ihb<l-~eQ=$NCF+O7p6i5@yJ_brmfin9C)Tx`=J|II>E
z`1ip4w|%{i>b+FMZH8%P<=t%@Qe$#NX~7*US0bn4@@`4YdnzJop3JW26?KNU5JL08
zVQ{7S>f?9|K3GUfX32I@L!reBBgVP2Bu8)u?!6>gk^+B(Tl}7FcSb}_4hjM-&YFA%
zLXKWn_OD(haH`HwU`oDV>u^ccWJN}aN%Zb2P&YJ9*;IAW`p_>dA65o}`nWBZ*NhG6
z$3>L7E^i+jO++@E3^gC5pEL61QKlKC0PY(wcpj*`dMI52#wxGq1!s_%{dDYMt|3uR
z)j&Ff!!9;v-ackxbv*-C*%ZII!?XL>siaj22?-a8{QSJ4sO)Uce4!{&rkyX=UQkTu
z;f^F*?x@uArtkK=`A-%Y{n!*c{tdAHRw@W#acIF@YUKee?AL4m+djbmnb`kC;C~|U
UKN0w!2>ee3{y#=Q;OFrF0#*i%Bme*a

literal 0
HcmV?d00001


From f9f57e95059d233f7d77de4d84e6ac3b86ec184d Mon Sep 17 00:00:00 2001
From: shaw <shaw-wei@foxmail.com>
Date: Mon, 13 Apr 2026 23:09:26 +0800
Subject: [PATCH 010/122] fix(migrations): add 097 to restore
 settings.updated_at default

Legacy instances created the settings table via ent auto-migration,
which emits Go-level defaults only. Migration 005 uses CREATE TABLE
IF NOT EXISTS, so the missing SQL DEFAULT was never backfilled. This
caused 098's raw INSERT to fail with a NOT NULL violation on
updated_at. The new migration is idempotent and safe for fresh
installs (no-op) and historical instances (backfills the default).
---
 .../097_fix_settings_updated_at_default.sql   | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 backend/migrations/097_fix_settings_updated_at_default.sql

diff --git a/backend/migrations/097_fix_settings_updated_at_default.sql b/backend/migrations/097_fix_settings_updated_at_default.sql
new file mode 100644
index 00000000..e1d6f9b9
--- /dev/null
+++ b/backend/migrations/097_fix_settings_updated_at_default.sql
@@ -0,0 +1,27 @@
+-- 097_fix_settings_updated_at_default.sql
+--
+-- 修复 settings.updated_at 列在历史实例上可能缺失 SQL DEFAULT 的问题。
+--
+-- 背景：
+--   早期版本曾依赖 ent 自动迁移建表（ent 的 Default(time.Now) 仅是 Go 层默认值，
+--   不会在 SQL 层落地为 DEFAULT），随后引入的 005_schema_parity.sql 使用了
+--   CREATE TABLE IF NOT EXISTS，对已存在的 settings 表不会重建，导致这部分实例
+--   的 updated_at 列虽然是 NOT NULL，但缺少 SQL DEFAULT。
+--
+--   后续 098_migrate_purchase_subscription_to_custom_menu.sql 是项目中唯一使用
+--   原生 SQL INSERT INTO settings 的迁移（其余 settings 写入都走 ent / Go 层），
+--   因此该 schema 缺陷直到 098 才会触发：
+--     "null value in column \"updated_at\" of relation \"settings\" violates not-null constraint"
+--
+-- 幂等性：
+--   - ALTER COLUMN ... SET DEFAULT NOW() 在已经具备相同默认值的实例上是无操作，
+--     不会报错（PostgreSQL 允许重复设置相同的默认值）。
+--   - UPDATE 子句的 WHERE updated_at IS NULL 在健康实例上匹配 0 行，不影响数据。
+--
+-- 这样可以同时兼容：
+--   1. 从未运行过旧版迁移的全新部署（005 已经把列建对，本迁移变成 no-op）。
+--   2. 历史损坏实例（本迁移修复缺失的默认值，使后续 098 能够正常 INSERT）。
+
+ALTER TABLE settings ALTER COLUMN updated_at SET DEFAULT NOW();
+
+UPDATE settings SET updated_at = NOW() WHERE updated_at IS NULL;

From e534e9bae826b235adf1af2e0d89fd70024632a8 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
 <41898282+github-actions[bot]@users.noreply.github.com>
Date: Mon, 13 Apr 2026 15:24:14 +0000
Subject: [PATCH 011/122] chore: sync VERSION to 0.1.112 [skip ci]

---
 backend/cmd/server/VERSION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backend/cmd/server/VERSION b/backend/cmd/server/VERSION
index 715965f3..4b9b35d8 100644
--- a/backend/cmd/server/VERSION
+++ b/backend/cmd/server/VERSION
@@ -1 +1 @@
-0.1.111
+0.1.112

From 1cd033e521b02e23fabf23628303663985b34114 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Mon, 9 Mar 2026 19:24:19 +0800
Subject: [PATCH 012/122] style: apply gofmt formatting

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 backend/internal/repository/gateway_cache.go  | 257 +++++++++++++++++-
 .../service/admin_service_apikey_test.go      |  72 +----
 backend/internal/service/user_service_test.go |   9 +-
 3 files changed, 257 insertions(+), 81 deletions(-)

diff --git a/backend/internal/repository/gateway_cache.go b/backend/internal/repository/gateway_cache.go
index 58291b66..ec4bf40e 100644
--- a/backend/internal/repository/gateway_cache.go
+++ b/backend/internal/repository/gateway_cache.go
@@ -2,14 +2,42 @@ package repository
 
 import (
 	"context"
+	_ "embed"
 	"fmt"
+	"strconv"
 	"time"
 
 	"github.com/Wei-Shaw/sub2api/internal/service"
 	"github.com/redis/go-redis/v9"
 )
 
-const stickySessionPrefix = "sticky_session:"
+const (
+	stickySessionPrefix         = "sticky_session:"
+	clientAffinityPrefix        = "client_affinity:"
+	clientAffinityReversePrefix = "client_affinity_rev:"
+)
+
+var (
+	//go:embed lua/get_affinity.lua
+	getAffinityLua string
+	//go:embed lua/update_affinity.lua
+	updateAffinityLua string
+	//go:embed lua/get_affinity_count.lua
+	getAffinityCountLua string
+	//go:embed lua/get_affinity_clients.lua
+	getAffinityClientsLua string
+	//go:embed lua/get_affinity_clients_with_scores.lua
+	getAffinityClientsWithScoresLua string
+	//go:embed lua/clear_account_affinity.lua
+	clearAccountAffinityLua string
+
+	getAffinityScript                  = redis.NewScript(getAffinityLua)
+	updateAffinityScript               = redis.NewScript(updateAffinityLua)
+	getAffinityCountScript             = redis.NewScript(getAffinityCountLua)
+	getAffinityClientsScript           = redis.NewScript(getAffinityClientsLua)
+	getAffinityClientsWithScoresScript = redis.NewScript(getAffinityClientsWithScoresLua)
+	clearAccountAffinityScript         = redis.NewScript(clearAccountAffinityLua)
+)
 
 type gatewayCache struct {
 	rdb *redis.Client
@@ -19,6 +47,16 @@ func NewGatewayCache(rdb *redis.Client) service.GatewayCache {
 	return &gatewayCache{rdb: rdb}
 }
 
+// ensureScriptLoaded 确保 Lua 脚本已加载到 Redis 服务器的脚本缓存中。
+// Pipeline 中的 Script.Run 只发送 EVALSHA，如果 Redis 重启过导致脚本缓存丢失，
+// EVALSHA 会返回 NOSCRIPT 错误。此方法提前加载脚本以避免该问题。
+func ensureScriptLoaded(ctx context.Context, rdb *redis.Client, script *redis.Script) {
+	exists, err := script.Exists(ctx, rdb).Result()
+	if err != nil || len(exists) == 0 || !exists[0] {
+		_ = script.Load(ctx, rdb).Err()
+	}
+}
+
 // buildSessionKey 构建 session key，包含 groupID 实现分组隔离
 // 格式: sticky_session:{groupID}:{sessionHash}
 func buildSessionKey(groupID int64, sessionHash string) string {
@@ -41,13 +79,218 @@ func (c *gatewayCache) RefreshSessionTTL(ctx context.Context, groupID int64, ses
 }
 
 // DeleteSessionAccountID 删除粘性会话与账号的绑定关系。
-// 当检测到绑定的账号不可用（如状态错误、禁用、不可调度等）时调用，
-// 以便下次请求能够重新选择可用账号。
-//
-// DeleteSessionAccountID removes the sticky session binding for the given session.
-// Called when the bound account becomes unavailable (e.g., error status, disabled,
-// or unschedulable), allowing subsequent requests to select a new available account.
 func (c *gatewayCache) DeleteSessionAccountID(ctx context.Context, groupID int64, sessionHash string) error {
 	key := buildSessionKey(groupID, sessionHash)
 	return c.rdb.Del(ctx, key).Err()
 }
+
+// buildAffinityKey 构建正向亲和 key（client → accounts）
+// 格式: client_affinity:{groupID}:{clientID}
+func buildAffinityKey(groupID int64, clientID string) string {
+	return fmt.Sprintf("%s%d:%s", clientAffinityPrefix, groupID, clientID)
+}
+
+// buildAffinityReverseKey 构建反向亲和 key（account → clients）
+// 格式: client_affinity_rev:{groupID}:{accountID}
+func buildAffinityReverseKey(groupID int64, accountID int64) string {
+	return fmt.Sprintf("%s%d:%d", clientAffinityReversePrefix, groupID, accountID)
+}
+
+func (c *gatewayCache) GetClientAffinityAccounts(ctx context.Context, groupID int64, clientID string, ttl time.Duration) ([]int64, error) {
+	key := buildAffinityKey(groupID, clientID)
+	now := time.Now().Unix()
+	expireThreshold := now - int64(ttl.Seconds())
+
+	result, err := getAffinityScript.Run(ctx, c.rdb, []string{key}, expireThreshold).StringSlice()
+	if err != nil {
+		if err == redis.Nil {
+			return nil, nil
+		}
+		return nil, err
+	}
+
+	accountIDs := make([]int64, 0, len(result))
+	for _, s := range result {
+		id, err := strconv.ParseInt(s, 10, 64)
+		if err != nil {
+			continue
+		}
+		accountIDs = append(accountIDs, id)
+	}
+	return accountIDs, nil
+}
+
+func (c *gatewayCache) UpdateClientAffinity(ctx context.Context, groupID int64, clientID string, accountID int64, ttl time.Duration) error {
+	fwdKey := buildAffinityKey(groupID, clientID)
+	revKey := buildAffinityReverseKey(groupID, accountID)
+	now := time.Now().Unix()
+	ttlSeconds := int64(ttl.Seconds())
+	expireThreshold := now - ttlSeconds
+
+	return updateAffinityScript.Run(ctx, c.rdb, []string{fwdKey, revKey},
+		now, ttlSeconds, accountID, expireThreshold, clientID,
+	).Err()
+}
+
+// GetAccountAffinityCountBatch 批量获取账号的亲和客户端数量（惰性清理过期成员）
+func (c *gatewayCache) GetAccountAffinityCountBatch(ctx context.Context, groupID int64, accountIDs []int64, ttl time.Duration) (map[int64]int64, error) {
+	if len(accountIDs) == 0 {
+		return map[int64]int64{}, nil
+	}
+
+	now := time.Now().Unix()
+	expireThreshold := now - int64(ttl.Seconds())
+
+	ensureScriptLoaded(ctx, c.rdb, getAffinityCountScript)
+
+	pipe := c.rdb.Pipeline()
+	cmds := make([]*redis.Cmd, len(accountIDs))
+	for i, accID := range accountIDs {
+		key := buildAffinityReverseKey(groupID, accID)
+		cmds[i] = getAffinityCountScript.Run(ctx, pipe, []string{key}, expireThreshold)
+	}
+	_, err := pipe.Exec(ctx)
+	if err != nil && err != redis.Nil {
+		return nil, err
+	}
+
+	result := make(map[int64]int64, len(accountIDs))
+	for i, accID := range accountIDs {
+		count, _ := cmds[i].Int64()
+		result[accID] = count
+	}
+	return result, nil
+}
+
+// GetAccountAffinityClientsBatch 批量获取每个账号跨所有分组的亲和客户端列表（去重）。
+// accountGroups: map[accountID][]groupID，对每个 (groupID, accountID) 组合查询反向索引。
+func (c *gatewayCache) GetAccountAffinityClientsBatch(ctx context.Context, accountGroups map[int64][]int64, ttl time.Duration) (map[int64][]string, error) {
+	if len(accountGroups) == 0 {
+		return map[int64][]string{}, nil
+	}
+
+	now := time.Now().Unix()
+	expireThreshold := now - int64(ttl.Seconds())
+
+	// 构建所有 (accountID, groupID) 组合的查询
+	type queryItem struct {
+		accountID int64
+		groupID   int64
+	}
+	var queries []queryItem
+	for accID, groupIDs := range accountGroups {
+		for _, gID := range groupIDs {
+			queries = append(queries, queryItem{accountID: accID, groupID: gID})
+		}
+	}
+
+	ensureScriptLoaded(ctx, c.rdb, getAffinityClientsScript)
+
+	pipe := c.rdb.Pipeline()
+	cmds := make([]*redis.Cmd, len(queries))
+	for i, q := range queries {
+		key := buildAffinityReverseKey(q.groupID, q.accountID)
+		cmds[i] = getAffinityClientsScript.Run(ctx, pipe, []string{key}, expireThreshold)
+	}
+	_, err := pipe.Exec(ctx)
+	if err != nil && err != redis.Nil {
+		return nil, err
+	}
+
+	// 合并结果：同一个 accountID 跨多个 group 的 clientID 去重
+	result := make(map[int64][]string, len(accountGroups))
+	seen := make(map[int64]map[string]struct{}, len(accountGroups))
+	for i, q := range queries {
+		clients, _ := cmds[i].StringSlice()
+		if len(clients) == 0 {
+			continue
+		}
+		if seen[q.accountID] == nil {
+			seen[q.accountID] = make(map[string]struct{})
+		}
+		for _, clientID := range clients {
+			if _, exists := seen[q.accountID][clientID]; !exists {
+				seen[q.accountID][clientID] = struct{}{}
+				result[q.accountID] = append(result[q.accountID], clientID)
+			}
+		}
+	}
+	return result, nil
+}
+
+// GetAccountAffinityClientsWithScores 获取单个账号跨所有分组的亲和客户端列表（含最后活跃时间戳，去重取最近）。
+func (c *gatewayCache) GetAccountAffinityClientsWithScores(
+	ctx context.Context,
+	accountID int64,
+	groupIDs []int64,
+	ttl time.Duration,
+) ([]service.AffinityClient, error) {
+	if len(groupIDs) == 0 {
+		return nil, nil
+	}
+
+	now := time.Now().Unix()
+	expireThreshold := now - int64(ttl.Seconds())
+
+	ensureScriptLoaded(ctx, c.rdb, getAffinityClientsWithScoresScript)
+
+	pipe := c.rdb.Pipeline()
+	cmds := make([]*redis.Cmd, len(groupIDs))
+	for i, gID := range groupIDs {
+		key := buildAffinityReverseKey(gID, accountID)
+		cmds[i] = getAffinityClientsWithScoresScript.Run(ctx, pipe, []string{key}, expireThreshold)
+	}
+	_, err := pipe.Exec(ctx)
+	if err != nil && err != redis.Nil {
+		return nil, err
+	}
+
+	// 合并跨组结果，同一 clientID 取最近的 lastActive
+	seen := make(map[string]int64) // clientID → max timestamp
+	for _, cmd := range cmds {
+		vals, _ := cmd.StringSlice()
+		// vals 格式: [clientID1, score1, clientID2, score2, ...]
+		for j := 0; j+1 < len(vals); j += 2 {
+			clientID := vals[j]
+			ts, _ := strconv.ParseInt(vals[j+1], 10, 64)
+			if existing, ok := seen[clientID]; !ok || ts > existing {
+				seen[clientID] = ts
+			}
+		}
+	}
+
+	result := make([]service.AffinityClient, 0, len(seen))
+	for clientID, ts := range seen {
+		result = append(result, service.AffinityClient{
+			ClientID:   clientID,
+			LastActive: time.Unix(ts, 0),
+		})
+	}
+
+	// 按最后活跃时间降序排序
+	service.SortAffinityClients(result)
+
+	return result, nil
+}
+
+// ClearAccountAffinity 清除指定账号在所有分组的亲和记录（正向+反向索引）。
+// 对每个 groupID 执行 Lua 脚本：读取反向索引获取所有客户端，
+// 从每个客户端的正向索引中移除该账号，然后删除反向索引。
+func (c *gatewayCache) ClearAccountAffinity(ctx context.Context, accountID int64, groupIDs []int64) error {
+	if len(groupIDs) == 0 {
+		return nil
+	}
+
+	ensureScriptLoaded(ctx, c.rdb, clearAccountAffinityScript)
+
+	pipe := c.rdb.Pipeline()
+	for _, gID := range groupIDs {
+		revKey := buildAffinityReverseKey(gID, accountID)
+		clearAccountAffinityScript.Run(ctx, pipe, []string{revKey}, gID, accountID)
+	}
+	_, err := pipe.Exec(ctx)
+	if err != nil && err != redis.Nil {
+		return err
+	}
+	return nil
+}
diff --git a/backend/internal/service/admin_service_apikey_test.go b/backend/internal/service/admin_service_apikey_test.go
index f9fd6742..5c18a438 100644
--- a/backend/internal/service/admin_service_apikey_test.go
+++ b/backend/internal/service/admin_service_apikey_test.go
@@ -65,9 +65,6 @@ func (s *userRepoStubForGroupUpdate) ExistsByEmail(context.Context, string) (boo
 func (s *userRepoStubForGroupUpdate) RemoveGroupFromAllowedGroups(context.Context, int64) (int64, error) {
 	panic("unexpected")
 }
-func (s *userRepoStubForGroupUpdate) RemoveGroupFromUserAllowedGroups(context.Context, int64, int64) error {
-	panic("unexpected")
-}
 func (s *userRepoStubForGroupUpdate) UpdateTotpSecret(context.Context, int64, *string) error {
 	panic("unexpected")
 }
@@ -131,9 +128,6 @@ func (s *apiKeyRepoStubForGroupUpdate) SearchAPIKeys(context.Context, int64, str
 func (s *apiKeyRepoStubForGroupUpdate) ClearGroupIDByGroupID(context.Context, int64) (int64, error) {
 	panic("unexpected")
 }
-func (s *apiKeyRepoStubForGroupUpdate) UpdateGroupIDByUserAndGroup(context.Context, int64, int64, int64) (int64, error) {
-	panic("unexpected")
-}
 func (s *apiKeyRepoStubForGroupUpdate) CountByGroupID(context.Context, int64) (int64, error) {
 	panic("unexpected")
 }
@@ -200,7 +194,7 @@ func (s *groupRepoStubForGroupUpdate) ListActiveByPlatform(context.Context, stri
 func (s *groupRepoStubForGroupUpdate) ExistsByName(context.Context, string) (bool, error) {
 	panic("unexpected")
 }
-func (s *groupRepoStubForGroupUpdate) GetAccountCount(context.Context, int64) (int64, int64, error) {
+func (s *groupRepoStubForGroupUpdate) GetAccountCount(context.Context, int64) (int64, error) {
 	panic("unexpected")
 }
 func (s *groupRepoStubForGroupUpdate) DeleteAccountGroupsByGroupID(context.Context, int64) (int64, error) {
@@ -216,29 +210,6 @@ func (s *groupRepoStubForGroupUpdate) UpdateSortOrders(context.Context, []GroupS
 	panic("unexpected")
 }
 
-type userSubRepoStubForGroupUpdate struct {
-	userSubRepoNoop
-	getActiveSub  *UserSubscription
-	getActiveErr  error
-	called        bool
-	calledUserID  int64
-	calledGroupID int64
-}
-
-func (s *userSubRepoStubForGroupUpdate) GetActiveByUserIDAndGroupID(_ context.Context, userID, groupID int64) (*UserSubscription, error) {
-	s.called = true
-	s.calledUserID = userID
-	s.calledGroupID = groupID
-	if s.getActiveErr != nil {
-		return nil, s.getActiveErr
-	}
-	if s.getActiveSub == nil {
-		return nil, ErrSubscriptionNotFound
-	}
-	clone := *s.getActiveSub
-	return &clone, nil
-}
-
 // ---------------------------------------------------------------------------
 // Tests
 // ---------------------------------------------------------------------------
@@ -431,49 +402,14 @@ func TestAdminService_AdminUpdateAPIKeyGroupID_NonExclusiveGroup_NoAllowedGroupU
 func TestAdminService_AdminUpdateAPIKeyGroupID_SubscriptionGroup_Blocked(t *testing.T) {
 	existing := &APIKey{ID: 1, UserID: 42, Key: "sk-test", GroupID: nil}
 	apiKeyRepo := &apiKeyRepoStubForGroupUpdate{key: existing}
-	groupRepo := &groupRepoStubForGroupUpdate{group: &Group{ID: 10, Name: "Sub", Status: StatusActive, IsExclusive: false, SubscriptionType: SubscriptionTypeSubscription}}
-	userRepo := &userRepoStubForGroupUpdate{}
-	userSubRepo := &userSubRepoStubForGroupUpdate{getActiveErr: ErrSubscriptionNotFound}
-	svc := &adminServiceImpl{apiKeyRepo: apiKeyRepo, groupRepo: groupRepo, userRepo: userRepo, userSubRepo: userSubRepo}
-
-	// 无有效订阅时应拒绝绑定
-	_, err := svc.AdminUpdateAPIKeyGroupID(context.Background(), 1, int64Ptr(10))
-	require.Error(t, err)
-	require.Equal(t, "SUBSCRIPTION_REQUIRED", infraerrors.Reason(err))
-	require.True(t, userSubRepo.called)
-	require.Equal(t, int64(42), userSubRepo.calledUserID)
-	require.Equal(t, int64(10), userSubRepo.calledGroupID)
-	require.False(t, userRepo.addGroupCalled)
-}
-
-func TestAdminService_AdminUpdateAPIKeyGroupID_SubscriptionGroup_RequiresRepo(t *testing.T) {
-	existing := &APIKey{ID: 1, UserID: 42, Key: "sk-test", GroupID: nil}
-	apiKeyRepo := &apiKeyRepoStubForGroupUpdate{key: existing}
-	groupRepo := &groupRepoStubForGroupUpdate{group: &Group{ID: 10, Name: "Sub", Status: StatusActive, IsExclusive: false, SubscriptionType: SubscriptionTypeSubscription}}
+	groupRepo := &groupRepoStubForGroupUpdate{group: &Group{ID: 10, Name: "Sub", Status: StatusActive, IsExclusive: true, SubscriptionType: SubscriptionTypeSubscription}}
 	userRepo := &userRepoStubForGroupUpdate{}
 	svc := &adminServiceImpl{apiKeyRepo: apiKeyRepo, groupRepo: groupRepo, userRepo: userRepo}
 
+	// 订阅类型分组应被阻止绑定
 	_, err := svc.AdminUpdateAPIKeyGroupID(context.Background(), 1, int64Ptr(10))
 	require.Error(t, err)
-	require.Equal(t, "SUBSCRIPTION_REPOSITORY_UNAVAILABLE", infraerrors.Reason(err))
-	require.False(t, userRepo.addGroupCalled)
-}
-
-func TestAdminService_AdminUpdateAPIKeyGroupID_SubscriptionGroup_AllowsActiveSubscription(t *testing.T) {
-	existing := &APIKey{ID: 1, UserID: 42, Key: "sk-test", GroupID: nil}
-	apiKeyRepo := &apiKeyRepoStubForGroupUpdate{key: existing}
-	groupRepo := &groupRepoStubForGroupUpdate{group: &Group{ID: 10, Name: "Sub", Status: StatusActive, IsExclusive: true, SubscriptionType: SubscriptionTypeSubscription}}
-	userRepo := &userRepoStubForGroupUpdate{}
-	userSubRepo := &userSubRepoStubForGroupUpdate{
-		getActiveSub: &UserSubscription{ID: 99, UserID: 42, GroupID: 10},
-	}
-	svc := &adminServiceImpl{apiKeyRepo: apiKeyRepo, groupRepo: groupRepo, userRepo: userRepo, userSubRepo: userSubRepo}
-
-	got, err := svc.AdminUpdateAPIKeyGroupID(context.Background(), 1, int64Ptr(10))
-	require.NoError(t, err)
-	require.True(t, userSubRepo.called)
-	require.NotNil(t, got.APIKey.GroupID)
-	require.Equal(t, int64(10), *got.APIKey.GroupID)
+	require.Equal(t, "SUBSCRIPTION_GROUP_NOT_ALLOWED", infraerrors.Reason(err))
 	require.False(t, userRepo.addGroupCalled)
 }
 
diff --git a/backend/internal/service/user_service_test.go b/backend/internal/service/user_service_test.go
index e88694f5..7f6c748f 100644
--- a/backend/internal/service/user_service_test.go
+++ b/backend/internal/service/user_service_test.go
@@ -46,12 +46,9 @@ func (m *mockUserRepo) RemoveGroupFromAllowedGroups(context.Context, int64) (int
 	return 0, nil
 }
 func (m *mockUserRepo) AddGroupToAllowedGroups(context.Context, int64, int64) error { return nil }
-func (m *mockUserRepo) RemoveGroupFromUserAllowedGroups(context.Context, int64, int64) error {
-	return nil
-}
-func (m *mockUserRepo) UpdateTotpSecret(context.Context, int64, *string) error { return nil }
-func (m *mockUserRepo) EnableTotp(context.Context, int64) error                { return nil }
-func (m *mockUserRepo) DisableTotp(context.Context, int64) error               { return nil }
+func (m *mockUserRepo) UpdateTotpSecret(context.Context, int64, *string) error      { return nil }
+func (m *mockUserRepo) EnableTotp(context.Context, int64) error                     { return nil }
+func (m *mockUserRepo) DisableTotp(context.Context, int64) error                    { return nil }
 
 // --- mock: APIKeyAuthCacheInvalidator ---
 

From 3de77130175138146981d2e8d34ec8eb19a614b9 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Mon, 30 Mar 2026 21:47:06 +0800
Subject: [PATCH 013/122] =?UTF-8?q?fix(channel):=20splice=E6=9B=BF?=
 =?UTF-8?q?=E6=8D=A2model=5Fpricing=E6=9D=A1=E7=9B=AE=20+=20=E5=A2=9E?=
 =?UTF-8?q?=E5=BC=BA=E8=B0=83=E8=AF=95=E6=97=A5=E5=BF=97?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 backend/cmd/server/VERSION                | 2 +-
 frontend/src/views/admin/ChannelsView.vue | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/backend/cmd/server/VERSION b/backend/cmd/server/VERSION
index 4b9b35d8..1ebb081e 100644
--- a/backend/cmd/server/VERSION
+++ b/backend/cmd/server/VERSION
@@ -1 +1 @@
-0.1.112
+0.1.105.13
diff --git a/frontend/src/views/admin/ChannelsView.vue b/frontend/src/views/admin/ChannelsView.vue
index ebfc1b5a..5c2f153b 100644
--- a/frontend/src/views/admin/ChannelsView.vue
+++ b/frontend/src/views/admin/ChannelsView.vue
@@ -970,6 +970,7 @@ async function handleSubmit() {
   }
 
   const { group_ids, model_pricing, model_mapping } = formToAPI()
+  console.log('[handleSubmit] model_pricing to send:', JSON.stringify(model_pricing))
 
   submitting.value = true
   try {

From 2dce4306b4409e355f6ff265fa30ae7a2d3a6221 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Thu, 2 Apr 2026 13:24:30 +0800
Subject: [PATCH 014/122] refactor: move channel model restriction from handler
 to scheduling phase

Move the model pricing restriction check from 8 handler entry points
to the account scheduling phase (SelectAccountForModelWithExclusions /
SelectAccountWithLoadAwareness), aligning restriction with billing:

- requested: check original request model against pricing list
- channel_mapped: check channel-mapped model against pricing list
- upstream: per-account check using account-mapped model

Handler layer now only resolves channel mapping (no restriction).
Scheduling layer performs pre-check for requested/channel_mapped,
and per-account filtering for upstream billing source.
---
 .../gateway_handler_chat_completions.go       |    2 +-
 .../handler/gateway_handler_responses.go      |    2 +-
 .../internal/handler/gemini_v1beta_handler.go |   14 +-
 .../handler/openai_chat_completions.go        |    2 +-
 .../handler/openai_gateway_handler.go         |   46 +-
 backend/internal/service/gateway_service.go   | 1202 +++++++++++------
 6 files changed, 793 insertions(+), 475 deletions(-)

diff --git a/backend/internal/handler/gateway_handler_chat_completions.go b/backend/internal/handler/gateway_handler_chat_completions.go
index be267332..abe2a1e5 100644
--- a/backend/internal/handler/gateway_handler_chat_completions.go
+++ b/backend/internal/handler/gateway_handler_chat_completions.go
@@ -80,7 +80,7 @@ func (h *GatewayHandler) ChatCompletions(c *gin.Context) {
 	setOpsRequestContext(c, reqModel, reqStream, body)
 	setOpsEndpointContext(c, "", int16(service.RequestTypeFromLegacy(reqStream, false)))
 
-	// 解析渠道级模型映射
+	// 解析渠道级模型映射 + 限制检查
 	channelMapping, _ := h.gatewayService.ResolveChannelMappingAndRestrict(c.Request.Context(), apiKey.GroupID, reqModel)
 
 	// Claude Code only restriction
diff --git a/backend/internal/handler/gateway_handler_responses.go b/backend/internal/handler/gateway_handler_responses.go
index e908eb9e..cf877182 100644
--- a/backend/internal/handler/gateway_handler_responses.go
+++ b/backend/internal/handler/gateway_handler_responses.go
@@ -80,7 +80,7 @@ func (h *GatewayHandler) Responses(c *gin.Context) {
 	setOpsRequestContext(c, reqModel, reqStream, body)
 	setOpsEndpointContext(c, "", int16(service.RequestTypeFromLegacy(reqStream, false)))
 
-	// 解析渠道级模型映射
+	// 解析渠道级模型映射 + 限制检查
 	channelMapping, _ := h.gatewayService.ResolveChannelMappingAndRestrict(c.Request.Context(), apiKey.GroupID, reqModel)
 
 	// Claude Code only restriction:
diff --git a/backend/internal/handler/gemini_v1beta_handler.go b/backend/internal/handler/gemini_v1beta_handler.go
index d200c17c..ff63bc7f 100644
--- a/backend/internal/handler/gemini_v1beta_handler.go
+++ b/backend/internal/handler/gemini_v1beta_handler.go
@@ -121,7 +121,7 @@ func (h *GatewayHandler) GeminiV1BetaGetModel(c *gin.Context) {
 		googleError(c, http.StatusBadGateway, err.Error())
 		return
 	}
-	if shouldFallbackGeminiModel(modelName, res) {
+	if shouldFallbackGeminiModels(res) {
 		c.JSON(http.StatusOK, gemini.FallbackModel(modelName))
 		return
 	}
@@ -184,7 +184,7 @@ func (h *GatewayHandler) GeminiV1BetaModels(c *gin.Context) {
 	setOpsRequestContext(c, modelName, stream, body)
 	setOpsEndpointContext(c, "", int16(service.RequestTypeFromLegacy(stream, false)))
 
-	// 解析渠道级模型映射
+	// 解析渠道级模型映射 + 限制检查
 	channelMapping, _ := h.gatewayService.ResolveChannelMappingAndRestrict(c.Request.Context(), apiKey.GroupID, modelName)
 	reqModel := modelName // 保存映射前的原始模型名
 	if channelMapping.Mapped {
@@ -682,16 +682,6 @@ func shouldFallbackGeminiModels(res *service.UpstreamHTTPResult) bool {
 	return false
 }
 
-func shouldFallbackGeminiModel(modelName string, res *service.UpstreamHTTPResult) bool {
-	if shouldFallbackGeminiModels(res) {
-		return true
-	}
-	if res == nil || res.StatusCode != http.StatusNotFound {
-		return false
-	}
-	return gemini.HasFallbackModel(modelName)
-}
-
 // extractGeminiCLISessionHash 从 Gemini CLI 请求中提取会话标识。
 // 组合 x-gemini-api-privileged-user-id header 和请求体中的 tmp 目录哈希。
 //
diff --git a/backend/internal/handler/openai_chat_completions.go b/backend/internal/handler/openai_chat_completions.go
index 991cbb91..ada401c9 100644
--- a/backend/internal/handler/openai_chat_completions.go
+++ b/backend/internal/handler/openai_chat_completions.go
@@ -79,7 +79,7 @@ func (h *OpenAIGatewayHandler) ChatCompletions(c *gin.Context) {
 	setOpsRequestContext(c, reqModel, reqStream, body)
 	setOpsEndpointContext(c, "", int16(service.RequestTypeFromLegacy(reqStream, false)))
 
-	// 解析渠道级模型映射
+	// 解析渠道级模型映射 + 限制检查
 	channelMapping, _ := h.gatewayService.ResolveChannelMappingAndRestrict(c.Request.Context(), apiKey.GroupID, reqModel)
 
 	if h.errorPassthroughService != nil {
diff --git a/backend/internal/handler/openai_gateway_handler.go b/backend/internal/handler/openai_gateway_handler.go
index 5319b55d..2b081617 100644
--- a/backend/internal/handler/openai_gateway_handler.go
+++ b/backend/internal/handler/openai_gateway_handler.go
@@ -47,13 +47,6 @@ func resolveOpenAIForwardDefaultMappedModel(apiKey *service.APIKey, fallbackMode
 	return strings.TrimSpace(apiKey.Group.DefaultMappedModel)
 }
 
-func resolveOpenAIMessagesDispatchMappedModel(apiKey *service.APIKey, requestedModel string) string {
-	if apiKey == nil || apiKey.Group == nil {
-		return ""
-	}
-	return strings.TrimSpace(apiKey.Group.ResolveMessagesDispatchModel(requestedModel))
-}
-
 // NewOpenAIGatewayHandler creates a new OpenAIGatewayHandler
 func NewOpenAIGatewayHandler(
 	gatewayService *service.OpenAIGatewayService,
@@ -557,8 +550,6 @@ func (h *OpenAIGatewayHandler) Messages(c *gin.Context) {
 		return
 	}
 	reqModel := modelResult.String()
-	routingModel := service.NormalizeOpenAICompatRequestedModel(reqModel)
-	preferredMappedModel := resolveOpenAIMessagesDispatchMappedModel(apiKey, reqModel)
 	reqStream := gjson.GetBytes(body, "stream").Bool()
 
 	reqLog = reqLog.With(zap.String("model", reqModel), zap.Bool("stream", reqStream))
@@ -617,20 +608,17 @@ func (h *OpenAIGatewayHandler) Messages(c *gin.Context) {
 	failedAccountIDs := make(map[int64]struct{})
 	sameAccountRetryCount := make(map[int64]int)
 	var lastFailoverErr *service.UpstreamFailoverError
-	effectiveMappedModel := preferredMappedModel
 
 	for {
-		currentRoutingModel := routingModel
-		if effectiveMappedModel != "" {
-			currentRoutingModel = effectiveMappedModel
-		}
+		// 清除上一次迭代的降级模型标记，避免残留影响本次迭代
+		c.Set("openai_messages_fallback_model", "")
 		reqLog.Debug("openai_messages.account_selecting", zap.Int("excluded_account_count", len(failedAccountIDs)))
 		selection, scheduleDecision, err := h.gatewayService.SelectAccountWithScheduler(
 			c.Request.Context(),
 			apiKey.GroupID,
 			"", // no previous_response_id
 			sessionHash,
-			currentRoutingModel,
+			reqModel,
 			failedAccountIDs,
 			service.OpenAIUpstreamTransportAny,
 		)
@@ -639,7 +627,29 @@ func (h *OpenAIGatewayHandler) Messages(c *gin.Context) {
 				zap.Error(err),
 				zap.Int("excluded_account_count", len(failedAccountIDs)),
 			)
+			// 首次调度失败 + 有默认映射模型 → 用默认模型重试
 			if len(failedAccountIDs) == 0 {
+				defaultModel := ""
+				if apiKey.Group != nil {
+					defaultModel = apiKey.Group.DefaultMappedModel
+				}
+				if defaultModel != "" && defaultModel != reqModel {
+					reqLog.Info("openai_messages.fallback_to_default_model",
+						zap.String("default_mapped_model", defaultModel),
+					)
+					selection, scheduleDecision, err = h.gatewayService.SelectAccountWithScheduler(
+						c.Request.Context(),
+						apiKey.GroupID,
+						"",
+						sessionHash,
+						defaultModel,
+						failedAccountIDs,
+						service.OpenAIUpstreamTransportAny,
+					)
+					if err == nil && selection != nil {
+						c.Set("openai_messages_fallback_model", defaultModel)
+					}
+				}
 				if err != nil {
 					h.anthropicStreamingAwareError(c, http.StatusServiceUnavailable, "api_error", "Service temporarily unavailable", streamStarted)
 					return
@@ -671,7 +681,9 @@ func (h *OpenAIGatewayHandler) Messages(c *gin.Context) {
 		service.SetOpsLatencyMs(c, service.OpsRoutingLatencyMsKey, time.Since(routingStart).Milliseconds())
 		forwardStart := time.Now()
 
-		defaultMappedModel := strings.TrimSpace(effectiveMappedModel)
+		// Forward 层需要始终拿到 group 默认映射模型，这样未命中账号级映射的
+		// Claude 兼容模型才不会在后续 Codex 规范化中意外退化到 gpt-5.1。
+		defaultMappedModel := resolveOpenAIForwardDefaultMappedModel(apiKey, c.GetString("openai_messages_fallback_model"))
 		// 应用渠道模型映射到请求体
 		forwardBody := body
 		if channelMappingMsg.Mapped {
@@ -1106,7 +1118,7 @@ func (h *OpenAIGatewayHandler) ResponsesWebSocket(c *gin.Context) {
 	setOpsRequestContext(c, reqModel, true, firstMessage)
 	setOpsEndpointContext(c, "", int16(service.RequestTypeWSV2))
 
-	// 解析渠道级模型映射
+	// 解析渠道级模型映射 + 限制检查
 	channelMappingWS, _ := h.gatewayService.ResolveChannelMappingAndRestrict(ctx, apiKey.GroupID, reqModel)
 
 	var currentUserRelease func()
diff --git a/backend/internal/service/gateway_service.go b/backend/internal/service/gateway_service.go
index 8b0bdc2a..33ab38f2 100644
--- a/backend/internal/service/gateway_service.go
+++ b/backend/internal/service/gateway_service.go
@@ -12,7 +12,6 @@ import (
 	"log/slog"
 	mathrand "math/rand"
 	"net/http"
-	"net/url"
 	"os"
 	"path/filepath"
 	"regexp"
@@ -42,7 +41,8 @@ import (
 const (
 	claudeAPIURL            = "https://api.anthropic.com/v1/messages?beta=true"
 	claudeAPICountTokensURL = "https://api.anthropic.com/v1/messages/count_tokens?beta=true"
-	stickySessionTTL        = time.Hour // 粘性会话TTL
+	stickySessionTTL        = time.Hour      // 粘性会话TTL
+	ClientAffinityTTL       = 24 * time.Hour // 客户端亲和TTL
 	defaultMaxLineSize      = 500 * 1024 * 1024
 	// Canonical Claude Code banner. Keep it EXACT (no trailing whitespace/newlines)
 	// to match real Claude CLI traffic as closely as possible. When we need a visual
@@ -60,14 +60,28 @@ const (
 	claudeMimicDebugInfoKey = "claude_mimic_debug_info"
 )
 
+// MediaType 媒体类型常量
+const (
+	MediaTypeImage  = "image"
+	MediaTypeVideo  = "video"
+	MediaTypePrompt = "prompt"
+)
+
+const (
+	claudeMaxMessageOverheadTokens = 3
+	claudeMaxBlockOverheadTokens   = 1
+	claudeMaxUnknownContentTokens  = 4
+)
+
 // ForceCacheBillingContextKey 强制缓存计费上下文键
 // 用于粘性会话切换时，将 input_tokens 转为 cache_read_input_tokens 计费
 type forceCacheBillingKeyType struct{}
 
 // accountWithLoad 账号与负载信息的组合，用于负载感知调度
 type accountWithLoad struct {
-	account  *Account
-	loadInfo *AccountLoadInfo
+	account       *Account
+	loadInfo      *AccountLoadInfo
+	affinityCount int64 // 亲和客户端数量（反向索引），越少越优先
 }
 
 var ForceCacheBillingContextKey = forceCacheBillingKeyType{}
@@ -331,6 +345,10 @@ var (
 	sseDataRe            = regexp.MustCompile(`^data:\s*`)
 	claudeCliUserAgentRe = regexp.MustCompile(`^claude-cli/\d+\.\d+\.\d+`)
 
+	// clientIDFromMetadataRegex 从 metadata.user_id 中提取客户端 ID（64位 hex）
+	// 格式: user_{64位hex}_account_...
+	clientIDFromMetadataRegex = regexp.MustCompile(`^user_([a-f0-9]{64})_account_`)
+
 	// claudeCodePromptPrefixes 用于检测 Claude Code 系统提示词的前缀列表
 	// 支持多种变体：标准版、Agent SDK 版、Explore Agent 版、Compact 版等
 	// 注意：前缀之间不应存在包含关系，否则会导致冗余匹配
@@ -348,6 +366,12 @@ var ErrNoAvailableAccounts = errors.New("no available accounts")
 // ErrClaudeCodeOnly 表示分组仅允许 Claude Code 客户端访问
 var ErrClaudeCodeOnly = errors.New("this group only allows Claude Code clients")
 
+// ErrAffinityNoSwitch 表示亲和账号不可用且不允许切换到其他账号
+var ErrAffinityNoSwitch = errors.New("affinity account unavailable and switching is disabled")
+
+// ErrAffinityLimitExceeded 表示亲和客户端限制已达上限
+var ErrAffinityLimitExceeded = errors.New("affinity client limit exceeded")
+
 // allowedHeaders 白名单headers（参考CRS项目）
 var allowedHeaders = map[string]bool{
 	"accept":                                    true,
@@ -369,8 +393,6 @@ var allowedHeaders = map[string]bool{
 	"user-agent":                                true,
 	"content-type":                              true,
 	"accept-encoding":                           true,
-	"x-claude-code-session-id":                  true,
-	"x-client-request-id":                       true,
 }
 
 // GatewayCache 定义网关服务的缓存操作接口。
@@ -391,6 +413,39 @@ type GatewayCache interface {
 	// DeleteSessionAccountID 删除粘性会话绑定，用于账号不可用时主动清理
 	// Delete sticky session binding, used to proactively clean up when account becomes unavailable
 	DeleteSessionAccountID(ctx context.Context, groupID int64, sessionHash string) error
+
+	// GetAffinityAccounts 获取亲和账号列表（按最近使用降序），同时清理过期成员
+	GetAffinityAccounts(ctx context.Context, groupID int64, userID int64, clientID string, ttl time.Duration) ([]int64, error)
+	// UpdateAffinity 添加/更新亲和关系（更新 score 为当前时间戳，刷新 key TTL）
+	UpdateAffinity(ctx context.Context, groupID int64, userID int64, clientID string, accountID int64, ttl time.Duration) error
+	// GetAccountAffinityCountBatch 批量获取账号的亲和成员数量（惰性清理过期成员）
+	GetAccountAffinityCountBatch(ctx context.Context, groupID int64, accountIDs []int64, ttl time.Duration) (map[int64]int64, error)
+	// GetAccountAffinityClientsBatch 批量获取每个账号跨所有分组的亲和成员列表（去重）
+	// accountGroups: map[accountID][]groupID
+	// 返回值成员格式为 {userID}/{clientID}
+	GetAccountAffinityClientsBatch(ctx context.Context, accountGroups map[int64][]int64, ttl time.Duration) (map[int64][]string, error)
+	// GetAccountAffinityClientsWithScores 获取单个账号跨所有分组的亲和客户端列表（含最后活跃时间）
+	GetAccountAffinityClientsWithScores(ctx context.Context, accountID int64, groupIDs []int64, ttl time.Duration) ([]AffinityClient, error)
+	// ClearAccountAffinity 清除指定账号在所有分组的亲和记录（正向+反向索引）
+	// 用于账号关闭亲和时立即清理旧绑定
+	ClearAccountAffinity(ctx context.Context, accountID int64, groupIDs []int64) error
+	// GetAffinityMultiCount 获取账号的多维度亲和计数
+	// 返回: uniqueUsers, uniqueClients, perUserClients
+	GetAffinityMultiCount(ctx context.Context, groupID int64, accountID int64, targetUserID int64, ttl time.Duration) (users, clients, perUser int64, err error)
+}
+
+// AffinityClient 亲和客户端信息（含用户 ID 和最后活跃时间）
+type AffinityClient struct {
+	UserID     int64     `json:"user_id"`
+	ClientID   string    `json:"client_id"`
+	LastActive time.Time `json:"last_active"`
+}
+
+// SortAffinityClients 按最后活跃时间降序排序
+func SortAffinityClients(clients []AffinityClient) {
+	sort.Slice(clients, func(i, j int) bool {
+		return clients[i].LastActive.After(clients[j].LastActive)
+	})
 }
 
 // derefGroupID safely dereferences *int64 to int64, returning 0 if nil
@@ -461,6 +516,20 @@ func shouldClearStickySession(account *Account, requestedModel string) bool {
 	return false
 }
 
+// extractClientIDFromMetadata 从 metadata.user_id 中提取客户端 ID（64位 hex）。
+// 格式: user_{64位hex}_account_..._session_...
+// 返回空字符串表示无法提取（非 Claude Code/Console 客户端）。
+func extractClientIDFromMetadata(metadataUserID string) string {
+	if metadataUserID == "" {
+		return ""
+	}
+	matches := clientIDFromMetadataRegex.FindStringSubmatch(metadataUserID)
+	if matches == nil {
+		return ""
+	}
+	return matches[1]
+}
+
 type AccountWaitPlan struct {
 	AccountID      int64
 	MaxConcurrency int
@@ -504,6 +573,9 @@ type ForwardResult struct {
 	ImageCount int    // 生成的图片数量
 	ImageSize  string // 图片尺寸 "1K", "2K", "4K"
 
+	// Sora 媒体字段
+	MediaType string // image / video / prompt
+	MediaURL  string // 生成后的媒体地址（可选）
 }
 
 // UpstreamFailoverError indicates an upstream error that should trigger account failover.
@@ -1162,6 +1234,11 @@ func (s *GatewayService) SelectAccountForModel(ctx context.Context, groupID *int
 
 // SelectAccountForModelWithExclusions selects an account supporting the requested model while excluding specified accounts.
 func (s *GatewayService) SelectAccountForModelWithExclusions(ctx context.Context, groupID *int64, sessionHash string, requestedModel string, excludedIDs map[int64]struct{}) (*Account, error) {
+	// 渠道定价限制预检查（requested / channel_mapped 基准）
+	if s.checkChannelPricingRestriction(ctx, groupID, requestedModel) {
+		return nil, fmt.Errorf("%w supporting model: %s (channel pricing restriction)", ErrNoAvailableAccounts, requestedModel)
+	}
+
 	// 优先检查 context 中的强制平台（/antigravity 路由）
 	var platform string
 	forcePlatform, hasForcePlatform := ctx.Value(ctxkey.ForcePlatform).(string)
@@ -1180,32 +1257,15 @@ func (s *GatewayService) SelectAccountForModelWithExclusions(ctx context.Context
 		platform = PlatformAnthropic
 	}
 
-	// Claude Code 限制可能已将 groupID 解析为 fallback group，
-	// 渠道限制预检查必须使用解析后的分组。
-	if s.checkChannelPricingRestriction(ctx, groupID, requestedModel) {
-		slog.Warn("channel pricing restriction blocked request",
-			"group_id", derefGroupID(groupID),
-			"model", requestedModel)
-		return nil, fmt.Errorf("%w supporting model: %s (channel pricing restriction)", ErrNoAvailableAccounts, requestedModel)
-	}
-
 	// anthropic/gemini 分组支持混合调度（包含启用了 mixed_scheduling 的 antigravity 账户）
 	// 注意：强制平台模式不走混合调度
 	if (platform == PlatformAnthropic || platform == PlatformGemini) && !hasForcePlatform {
-		account, err := s.selectAccountWithMixedScheduling(ctx, groupID, sessionHash, requestedModel, excludedIDs, platform)
-		if err != nil {
-			return nil, err
-		}
-		return s.hydrateSelectedAccount(ctx, account)
+		return s.selectAccountWithMixedScheduling(ctx, groupID, sessionHash, requestedModel, excludedIDs, platform)
 	}
 
 	// antigravity 分组、强制平台模式或无分组使用单平台选择
 	// 注意：强制平台模式也必须遵守分组限制，不再回退到全平台查询
-	account, err := s.selectAccountForModelWithPlatform(ctx, groupID, sessionHash, requestedModel, excludedIDs, platform)
-	if err != nil {
-		return nil, err
-	}
-	return s.hydrateSelectedAccount(ctx, account)
+	return s.selectAccountForModelWithPlatform(ctx, groupID, sessionHash, requestedModel, excludedIDs, platform)
 }
 
 // SelectAccountWithLoadAwareness selects account with load-awareness and wait plan.
@@ -1213,6 +1273,11 @@ func (s *GatewayService) SelectAccountForModelWithExclusions(ctx context.Context
 // metadataUserID: 用于客户端亲和调度，从中提取客户端 ID
 // sub2apiUserID: 系统用户 ID，用于二维亲和调度
 func (s *GatewayService) SelectAccountWithLoadAwareness(ctx context.Context, groupID *int64, sessionHash string, requestedModel string, excludedIDs map[int64]struct{}, metadataUserID string, sub2apiUserID int64) (*AccountSelectionResult, error) {
+	// 渠道定价限制预检查（requested / channel_mapped 基准）
+	if s.checkChannelPricingRestriction(ctx, groupID, requestedModel) {
+		return nil, fmt.Errorf("%w supporting model: %s (channel pricing restriction)", ErrNoAvailableAccounts, requestedModel)
+	}
+
 	// 调试日志：记录调度入口参数
 	excludedIDsList := make([]int64, 0, len(excludedIDs))
 	for id := range excludedIDs {
@@ -1233,15 +1298,6 @@ func (s *GatewayService) SelectAccountWithLoadAwareness(ctx context.Context, gro
 	}
 	ctx = s.withGroupContext(ctx, group)
 
-	// Claude Code 限制可能已将 groupID 解析为 fallback group，
-	// 渠道限制预检查必须使用解析后的分组。
-	if s.checkChannelPricingRestriction(ctx, groupID, requestedModel) {
-		slog.Warn("channel pricing restriction blocked request",
-			"group_id", derefGroupID(groupID),
-			"model", requestedModel)
-		return nil, fmt.Errorf("%w supporting model: %s (channel pricing restriction)", ErrNoAvailableAccounts, requestedModel)
-	}
-
 	var stickyAccountID int64
 	if prefetch := prefetchedStickyAccountIDFromContext(ctx, groupID); prefetch > 0 {
 		stickyAccountID = prefetch
@@ -1251,6 +1307,10 @@ func (s *GatewayService) SelectAccountWithLoadAwareness(ctx context.Context, gro
 		}
 	}
 
+	// 提取客户端 ID（用于客户端亲和调度）
+	affinityClientID := extractClientIDFromMetadata(metadataUserID)
+	affinityUserID := sub2apiUserID
+
 	if s.debugModelRoutingEnabled() && requestedModel != "" {
 		groupPlatform := ""
 		if group != nil {
@@ -1272,6 +1332,10 @@ func (s *GatewayService) SelectAccountWithLoadAwareness(ctx context.Context, gro
 			if err != nil {
 				return nil, err
 			}
+			if shouldFilterAccountWithoutClientID(account, affinityClientID) {
+				localExcluded[account.ID] = struct{}{}
+				continue
+			}
 
 			result, err := s.tryAcquireAccountSlot(ctx, account.ID, account.Concurrency)
 			if err == nil && result.Acquired {
@@ -1281,7 +1345,11 @@ func (s *GatewayService) SelectAccountWithLoadAwareness(ctx context.Context, gro
 					localExcluded[account.ID] = struct{}{} // 排除此账号
 					continue                               // 重新选择
 				}
-				return s.newSelectionResult(ctx, account, true, result.ReleaseFunc, nil)
+				return &AccountSelectionResult{
+					Account:     account,
+					Acquired:    true,
+					ReleaseFunc: result.ReleaseFunc,
+				}, nil
 			}
 
 			// 对于等待计划的情况，也需要先检查会话限制
@@ -1293,20 +1361,26 @@ func (s *GatewayService) SelectAccountWithLoadAwareness(ctx context.Context, gro
 			if stickyAccountID > 0 && stickyAccountID == account.ID && s.concurrencyService != nil {
 				waitingCount, _ := s.concurrencyService.GetAccountWaitingCount(ctx, account.ID)
 				if waitingCount < cfg.StickySessionMaxWaiting {
-					return s.newSelectionResult(ctx, account, false, nil, &AccountWaitPlan{
-						AccountID:      account.ID,
-						MaxConcurrency: account.Concurrency,
-						Timeout:        cfg.StickySessionWaitTimeout,
-						MaxWaiting:     cfg.StickySessionMaxWaiting,
-					})
+					return &AccountSelectionResult{
+						Account: account,
+						WaitPlan: &AccountWaitPlan{
+							AccountID:      account.ID,
+							MaxConcurrency: account.Concurrency,
+							Timeout:        cfg.StickySessionWaitTimeout,
+							MaxWaiting:     cfg.StickySessionMaxWaiting,
+						},
+					}, nil
 				}
 			}
-			return s.newSelectionResult(ctx, account, false, nil, &AccountWaitPlan{
-				AccountID:      account.ID,
-				MaxConcurrency: account.Concurrency,
-				Timeout:        cfg.FallbackWaitTimeout,
-				MaxWaiting:     cfg.FallbackMaxWaiting,
-			})
+			return &AccountSelectionResult{
+				Account: account,
+				WaitPlan: &AccountWaitPlan{
+					AccountID:      account.ID,
+					MaxConcurrency: account.Concurrency,
+					Timeout:        cfg.FallbackWaitTimeout,
+					MaxWaiting:     cfg.FallbackMaxWaiting,
+				},
+			}, nil
 		}
 	}
 
@@ -1323,12 +1397,18 @@ func (s *GatewayService) SelectAccountWithLoadAwareness(ctx context.Context, gro
 	if err != nil {
 		return nil, err
 	}
+	accounts = filterAccountsWithoutClientID(accounts, affinityClientID)
 	if len(accounts) == 0 {
 		return nil, ErrNoAvailableAccounts
 	}
 	ctx = s.withWindowCostPrefetch(ctx, accounts)
 	ctx = s.withRPMPrefetch(ctx, accounts)
 
+	// 提前构建 accountByID（供 Layer 1 和 Layer 1.5 使用）
+	accountByID := make(map[int64]*Account, len(accounts))
+	for i := range accounts {
+		accountByID[accounts[i].ID] = &accounts[i]
+	}
 	isExcluded := func(accountID int64) bool {
 		if excludedIDs == nil {
 			return false
@@ -1336,12 +1416,19 @@ func (s *GatewayService) SelectAccountWithLoadAwareness(ctx context.Context, gro
 		_, excluded := excludedIDs[accountID]
 		return excluded
 	}
-
-	// 提前构建 accountByID（供 Layer 1 和 Layer 1.5 使用）
-	accountByID := make(map[int64]*Account, len(accounts))
-	for i := range accounts {
-		accountByID[accounts[i].ID] = &accounts[i]
-	}
+	affinityFlow := newGatewayAffinityFlow(
+		s,
+		ctx,
+		groupID,
+		sessionHash,
+		requestedModel,
+		affinityClientID,
+		affinityUserID,
+		platform,
+		useMixed,
+		accountByID,
+		isExcluded,
+	)
 
 	// 获取模型路由配置（仅 anthropic 平台）
 	var routingAccountIDs []int64
@@ -1430,76 +1517,53 @@ func (s *GatewayService) SelectAccountWithLoadAwareness(ctx context.Context, gro
 				if containsInt64(routingAccountIDs, stickyAccountID) && !isExcluded(stickyAccountID) {
 					// 粘性账号在路由列表中，优先使用
 					if stickyAccount, ok := accountByID[stickyAccountID]; ok {
-						var stickyCacheMissReason string
-
-						gatePass := s.isAccountSchedulableForSelection(stickyAccount) &&
+						if s.isAccountSchedulableForSelection(stickyAccount) &&
 							s.isAccountAllowedForPlatform(stickyAccount, platform, useMixed) &&
 							(requestedModel == "" || s.isModelSupportedByAccountWithContext(ctx, stickyAccount, requestedModel)) &&
 							s.isAccountSchedulableForModelSelection(ctx, stickyAccount, requestedModel) &&
 							s.isAccountSchedulableForQuota(stickyAccount) &&
-							s.isAccountSchedulableForWindowCost(ctx, stickyAccount, true)
+							s.isAccountSchedulableForWindowCost(ctx, stickyAccount, true) &&
 
-						rpmPass := gatePass && s.isAccountSchedulableForRPM(ctx, stickyAccount, true)
-
-						if rpmPass { // 粘性会话窗口费用+RPM 检查
+							s.isAccountSchedulableForRPM(ctx, stickyAccount, true) { // 粘性会话窗口费用+RPM 检查
 							result, err := s.tryAcquireAccountSlot(ctx, stickyAccountID, stickyAccount.Concurrency)
 							if err == nil && result.Acquired {
 								// 会话数量限制检查
 								if !s.checkAndRegisterSession(ctx, stickyAccount, sessionHash) {
 									result.ReleaseFunc() // 释放槽位
-									stickyCacheMissReason = "session_limit"
 									// 继续到负载感知选择
 								} else {
 									if s.debugModelRoutingEnabled() {
 										logger.LegacyPrintf("service.gateway", "[ModelRoutingDebug] routed sticky hit: group_id=%v model=%s session=%s account=%d", derefGroupID(groupID), requestedModel, shortSessionHash(sessionHash), stickyAccountID)
 									}
-									return s.newSelectionResult(ctx, stickyAccount, true, result.ReleaseFunc, nil)
+									return &AccountSelectionResult{
+										Account:     stickyAccount,
+										Acquired:    true,
+										ReleaseFunc: result.ReleaseFunc,
+									}, nil
 								}
 							}
 
-							if stickyCacheMissReason == "" {
-								waitingCount, _ := s.concurrencyService.GetAccountWaitingCount(ctx, stickyAccountID)
-								if waitingCount < cfg.StickySessionMaxWaiting {
-									// 会话数量限制检查（等待计划也需要占用会话配额）
-									if !s.checkAndRegisterSession(ctx, stickyAccount, sessionHash) {
-										stickyCacheMissReason = "session_limit"
-										// 会话限制已满，继续到负载感知选择
-									} else {
-										return &AccountSelectionResult{
-											Account: stickyAccount,
-											WaitPlan: &AccountWaitPlan{
-												AccountID:      stickyAccountID,
-												MaxConcurrency: stickyAccount.Concurrency,
-												Timeout:        cfg.StickySessionWaitTimeout,
-												MaxWaiting:     cfg.StickySessionMaxWaiting,
-											},
-										}, nil
-									}
+							waitingCount, _ := s.concurrencyService.GetAccountWaitingCount(ctx, stickyAccountID)
+							if waitingCount < cfg.StickySessionMaxWaiting {
+								// 会话数量限制检查（等待计划也需要占用会话配额）
+								if !s.checkAndRegisterSession(ctx, stickyAccount, sessionHash) {
+									// 会话限制已满，继续到负载感知选择
 								} else {
-									stickyCacheMissReason = "wait_queue_full"
+									return &AccountSelectionResult{
+										Account: stickyAccount,
+										WaitPlan: &AccountWaitPlan{
+											AccountID:      stickyAccountID,
+											MaxConcurrency: stickyAccount.Concurrency,
+											Timeout:        cfg.StickySessionWaitTimeout,
+											MaxWaiting:     cfg.StickySessionMaxWaiting,
+										},
+									}, nil
 								}
 							}
 							// 粘性账号槽位满且等待队列已满，继续使用负载感知选择
-						} else if !gatePass {
-							stickyCacheMissReason = "gate_check"
-						} else {
-							stickyCacheMissReason = "rpm_red"
-						}
-
-						// 记录粘性缓存未命中的结构化日志
-						if stickyCacheMissReason != "" {
-							baseRPM := stickyAccount.GetBaseRPM()
-							var currentRPM int
-							if count, ok := rpmFromPrefetchContext(ctx, stickyAccount.ID); ok {
-								currentRPM = count
-							}
-							logger.LegacyPrintf("service.gateway", "[StickyCacheMiss] reason=%s account_id=%d session=%s current_rpm=%d base_rpm=%d",
-								stickyCacheMissReason, stickyAccountID, shortSessionHash(sessionHash), currentRPM, baseRPM)
 						}
 					} else {
 						_ = s.cache.DeleteSessionAccountID(ctx, derefGroupID(groupID), sessionHash)
-						logger.LegacyPrintf("service.gateway", "[StickyCacheMiss] reason=account_cleared account_id=%d session=%s current_rpm=0 base_rpm=0",
-							stickyAccountID, shortSessionHash(sessionHash))
 					}
 				}
 			}
@@ -1527,7 +1591,10 @@ func (s *GatewayService) SelectAccountWithLoadAwareness(ctx context.Context, gro
 			}
 
 			if len(routingAvailable) > 0 {
-				// 排序：优先级 > 负载率 > 最后使用时间
+				// 批量获取亲和客户端数量
+				s.populateAffinityCounts(ctx, routingAvailable, derefGroupID(groupID))
+
+				// 排序：优先级 > 负载率 > 亲和客户端数 > 最后使用时间
 				sort.SliceStable(routingAvailable, func(i, j int) bool {
 					a, b := routingAvailable[i], routingAvailable[j]
 					if a.account.Priority != b.account.Priority {
@@ -1536,6 +1603,9 @@ func (s *GatewayService) SelectAccountWithLoadAwareness(ctx context.Context, gro
 					if a.loadInfo.LoadRate != b.loadInfo.LoadRate {
 						return a.loadInfo.LoadRate < b.loadInfo.LoadRate
 					}
+					if a.affinityCount != b.affinityCount {
+						return a.affinityCount < b.affinityCount
+					}
 					switch {
 					case a.account.LastUsedAt == nil && b.account.LastUsedAt != nil:
 						return true
@@ -1561,10 +1631,17 @@ func (s *GatewayService) SelectAccountWithLoadAwareness(ctx context.Context, gro
 						if sessionHash != "" && s.cache != nil {
 							_ = s.cache.SetSessionAccountID(ctx, derefGroupID(groupID), sessionHash, item.account.ID, stickySessionTTL)
 						}
+						if affinityClientID != "" && affinityUserID > 0 && s.cache != nil && item.account.IsAffinityEnabled() {
+							_ = s.cache.UpdateAffinity(ctx, derefGroupID(groupID), affinityUserID, affinityClientID, item.account.ID, ClientAffinityTTL)
+						}
 						if s.debugModelRoutingEnabled() {
 							logger.LegacyPrintf("service.gateway", "[ModelRoutingDebug] routed select: group_id=%v model=%s session=%s account=%d", derefGroupID(groupID), requestedModel, shortSessionHash(sessionHash), item.account.ID)
 						}
-						return s.newSelectionResult(ctx, item.account, true, result.ReleaseFunc, nil)
+						return &AccountSelectionResult{
+							Account:     item.account,
+							Acquired:    true,
+							ReleaseFunc: result.ReleaseFunc,
+						}, nil
 					}
 				}
 
@@ -1577,12 +1654,15 @@ func (s *GatewayService) SelectAccountWithLoadAwareness(ctx context.Context, gro
 					if s.debugModelRoutingEnabled() {
 						logger.LegacyPrintf("service.gateway", "[ModelRoutingDebug] routed wait: group_id=%v model=%s session=%s account=%d", derefGroupID(groupID), requestedModel, shortSessionHash(sessionHash), item.account.ID)
 					}
-					return s.newSelectionResult(ctx, item.account, false, nil, &AccountWaitPlan{
-						AccountID:      item.account.ID,
-						MaxConcurrency: item.account.Concurrency,
-						Timeout:        cfg.StickySessionWaitTimeout,
-						MaxWaiting:     cfg.StickySessionMaxWaiting,
-					})
+					return &AccountSelectionResult{
+						Account: item.account,
+						WaitPlan: &AccountWaitPlan{
+							AccountID:      item.account.ID,
+							MaxConcurrency: item.account.Concurrency,
+							Timeout:        cfg.StickySessionWaitTimeout,
+							MaxWaiting:     cfg.StickySessionMaxWaiting,
+						},
+					}, nil
 				}
 				// 所有路由账号会话限制都已满，继续到 Layer 2 回退
 			}
@@ -1591,14 +1671,27 @@ func (s *GatewayService) SelectAccountWithLoadAwareness(ctx context.Context, gro
 		}
 	}
 
-	// ============ Layer 1.5: 粘性会话（仅在无模型路由配置时生效） ============
-	if len(routingAccountIDs) == 0 && sessionHash != "" && stickyAccountID > 0 && !isExcluded(stickyAccountID) {
+	// ============ Layer 1.3: 用户亲和预处理（pinned_users 自动注入） ============
+	affinityFlow.preprocessPinnedUsers(accounts)
+
+	// ============ Layer 1.4: 客户端亲和调度（优先于粘性会话） ============
+	affinityHit := false
+	if affinityResult, hit, err := affinityFlow.trySelectAffinityAccount(); err != nil {
+		return nil, err
+	} else {
+		affinityHit = hit
+		if affinityResult != nil {
+			return affinityResult, nil
+		}
+	}
+
+	// ============ Layer 1.5: 粘性会话（仅在无模型路由配置 且 亲和未命中时生效） ============
+	if !affinityHit && len(routingAccountIDs) == 0 && sessionHash != "" && stickyAccountID > 0 && !isExcluded(stickyAccountID) {
 		accountID := stickyAccountID
 		if accountID > 0 && !isExcluded(accountID) {
 			account, ok := accountByID[accountID]
 			if ok {
 				// 检查账户是否需要清理粘性会话绑定
-				// Check if the account needs sticky session cleanup
 				clearSticky := shouldClearStickySession(account, requestedModel)
 				if clearSticky {
 					_ = s.cache.DeleteSessionAccountID(ctx, derefGroupID(groupID), sessionHash)
@@ -1614,31 +1707,32 @@ func (s *GatewayService) SelectAccountWithLoadAwareness(ctx context.Context, gro
 					result, err := s.tryAcquireAccountSlot(ctx, accountID, account.Concurrency)
 					if err == nil && result.Acquired {
 						// 会话数量限制检查
-						// Session count limit check
 						if !s.checkAndRegisterSession(ctx, account, sessionHash) {
 							result.ReleaseFunc() // 释放槽位，继续到 Layer 2
 						} else {
-							if s.cache != nil {
-								_ = s.cache.RefreshSessionTTL(ctx, derefGroupID(groupID), sessionHash, stickySessionTTL)
-							}
-							return s.newSelectionResult(ctx, account, true, result.ReleaseFunc, nil)
+							return &AccountSelectionResult{
+								Account:     account,
+								Acquired:    true,
+								ReleaseFunc: result.ReleaseFunc,
+							}, nil
 						}
 					}
 
 					waitingCount, _ := s.concurrencyService.GetAccountWaitingCount(ctx, accountID)
 					if waitingCount < cfg.StickySessionMaxWaiting {
 						// 会话数量限制检查（等待计划也需要占用会话配额）
-						// Session count limit check (wait plan also requires session quota)
 						if !s.checkAndRegisterSession(ctx, account, sessionHash) {
 							// 会话限制已满，继续到 Layer 2
-							// Session limit full, continue to Layer 2
 						} else {
-							return s.newSelectionResult(ctx, account, false, nil, &AccountWaitPlan{
-								AccountID:      accountID,
-								MaxConcurrency: account.Concurrency,
-								Timeout:        cfg.StickySessionWaitTimeout,
-								MaxWaiting:     cfg.StickySessionMaxWaiting,
-							})
+							return &AccountSelectionResult{
+								Account: account,
+								WaitPlan: &AccountWaitPlan{
+									AccountID:      accountID,
+									MaxConcurrency: account.Concurrency,
+									Timeout:        cfg.StickySessionWaitTimeout,
+									MaxWaiting:     cfg.StickySessionMaxWaiting,
+								},
+							}, nil
 						}
 					}
 				}
@@ -1697,9 +1791,10 @@ func (s *GatewayService) SelectAccountWithLoadAwareness(ctx context.Context, gro
 
 	loadMap, err := s.concurrencyService.GetAccountsLoadBatch(ctx, accountLoads)
 	if err != nil {
-		if result, ok, legacyErr := s.tryAcquireByLegacyOrder(ctx, candidates, groupID, sessionHash, preferOAuth); legacyErr != nil {
-			return nil, legacyErr
-		} else if ok {
+		if result, ok := s.tryAcquireByLegacyOrder(ctx, candidates, groupID, sessionHash, preferOAuth); ok {
+			if affinityClientID != "" && affinityUserID > 0 && s.cache != nil && result.Account != nil && result.Account.IsAffinityEnabled() {
+				_ = s.cache.UpdateAffinity(ctx, derefGroupID(groupID), affinityUserID, affinityClientID, result.Account.ID, ClientAffinityTTL)
+			}
 			return result, nil
 		}
 	} else {
@@ -1717,13 +1812,37 @@ func (s *GatewayService) SelectAccountWithLoadAwareness(ctx context.Context, gro
 			}
 		}
 
-		// 分层过滤选择：优先级 → 负载率 → LRU
+		// 批量获取亲和客户端数量（用于均衡分配新客户端）
+		s.populateAffinityCounts(ctx, available, derefGroupID(groupID))
+
+		// 分层过滤选择：优先级 → 亲和三区 → 负载率 → 亲和客户端数 → LRU
 		for len(available) > 0 {
 			// 1. 取优先级最小的集合
 			candidates := filterByMinPriority(available)
-			// 2. 取负载率最低的集合
+			// 2. 按亲和三区过滤：绿区优先 → 黄区降级 → 红区移除（在同优先级内）
+			candidates = classifyByAffinityZone(candidates)
+			if len(candidates) == 0 {
+				// 当前优先级组全部在红区，移除后回退到下一优先级组
+				minPri := available[0].account.Priority
+				for _, a := range available[1:] {
+					if a.account.Priority < minPri {
+						minPri = a.account.Priority
+					}
+				}
+				newAvailable := make([]accountWithLoad, 0, len(available))
+				for _, a := range available {
+					if a.account.Priority != minPri {
+						newAvailable = append(newAvailable, a)
+					}
+				}
+				available = newAvailable
+				continue
+			}
+			// 3. 取负载率最低的集合
 			candidates = filterByMinLoadRate(candidates)
-			// 3. LRU 选择最久未用的账号
+			// 3. 取亲和客户端数最少的集合
+			candidates = filterByMinAffinityCount(candidates)
+			// 4. LRU 选择最久未用的账号
 			selected := selectByLRU(candidates, preferOAuth)
 			if selected == nil {
 				break
@@ -1738,7 +1857,15 @@ func (s *GatewayService) SelectAccountWithLoadAwareness(ctx context.Context, gro
 					if sessionHash != "" && s.cache != nil {
 						_ = s.cache.SetSessionAccountID(ctx, derefGroupID(groupID), sessionHash, selected.account.ID, stickySessionTTL)
 					}
-					return s.newSelectionResult(ctx, selected.account, true, result.ReleaseFunc, nil)
+					// 更新亲和关系
+					if affinityClientID != "" && affinityUserID > 0 && s.cache != nil && selected.account.IsAffinityEnabled() {
+						_ = s.cache.UpdateAffinity(ctx, derefGroupID(groupID), affinityUserID, affinityClientID, selected.account.ID, ClientAffinityTTL)
+					}
+					return &AccountSelectionResult{
+						Account:     selected.account,
+						Acquired:    true,
+						ReleaseFunc: result.ReleaseFunc,
+					}, nil
 				}
 			}
 
@@ -1761,17 +1888,20 @@ func (s *GatewayService) SelectAccountWithLoadAwareness(ctx context.Context, gro
 		if !s.checkAndRegisterSession(ctx, acc, sessionHash) {
 			continue // 会话限制已满，尝试下一个账号
 		}
-		return s.newSelectionResult(ctx, acc, false, nil, &AccountWaitPlan{
-			AccountID:      acc.ID,
-			MaxConcurrency: acc.Concurrency,
-			Timeout:        cfg.FallbackWaitTimeout,
-			MaxWaiting:     cfg.FallbackMaxWaiting,
-		})
+		return &AccountSelectionResult{
+			Account: acc,
+			WaitPlan: &AccountWaitPlan{
+				AccountID:      acc.ID,
+				MaxConcurrency: acc.Concurrency,
+				Timeout:        cfg.FallbackWaitTimeout,
+				MaxWaiting:     cfg.FallbackMaxWaiting,
+			},
+		}, nil
 	}
 	return nil, ErrNoAvailableAccounts
 }
 
-func (s *GatewayService) tryAcquireByLegacyOrder(ctx context.Context, candidates []*Account, groupID *int64, sessionHash string, preferOAuth bool) (*AccountSelectionResult, bool, error) {
+func (s *GatewayService) tryAcquireByLegacyOrder(ctx context.Context, candidates []*Account, groupID *int64, sessionHash string, preferOAuth bool) (*AccountSelectionResult, bool) {
 	ordered := append([]*Account(nil), candidates...)
 	sortAccountsByPriorityAndLastUsed(ordered, preferOAuth)
 
@@ -1786,15 +1916,15 @@ func (s *GatewayService) tryAcquireByLegacyOrder(ctx context.Context, candidates
 			if sessionHash != "" && s.cache != nil {
 				_ = s.cache.SetSessionAccountID(ctx, derefGroupID(groupID), sessionHash, acc.ID, stickySessionTTL)
 			}
-			selection, err := s.newSelectionResult(ctx, acc, true, result.ReleaseFunc, nil)
-			if err != nil {
-				return nil, false, err
-			}
-			return selection, true, nil
+			return &AccountSelectionResult{
+				Account:     acc,
+				Acquired:    true,
+				ReleaseFunc: result.ReleaseFunc,
+			}, true
 		}
 	}
 
-	return nil, false, nil
+	return nil, false
 }
 
 func (s *GatewayService) schedulingConfig() config.GatewaySchedulingConfig {
@@ -1939,6 +2069,9 @@ func (s *GatewayService) resolvePlatform(ctx context.Context, groupID *int64, gr
 }
 
 func (s *GatewayService) listSchedulableAccounts(ctx context.Context, groupID *int64, platform string, hasForcePlatform bool) ([]Account, bool, error) {
+	if platform == PlatformSora {
+		return s.listSoraSchedulableAccounts(ctx, groupID)
+	}
 	if s.schedulerSnapshot != nil {
 		accounts, useMixed, err := s.schedulerSnapshot.ListSchedulableAccounts(ctx, groupID, platform, hasForcePlatform)
 		if err == nil {
@@ -2035,6 +2168,53 @@ func (s *GatewayService) listSchedulableAccounts(ctx context.Context, groupID *i
 	return accounts, useMixed, nil
 }
 
+func (s *GatewayService) listSoraSchedulableAccounts(ctx context.Context, groupID *int64) ([]Account, bool, error) {
+	const useMixed = false
+
+	var accounts []Account
+	var err error
+	if s.cfg != nil && s.cfg.RunMode == config.RunModeSimple {
+		accounts, err = s.accountRepo.ListByPlatform(ctx, PlatformSora)
+	} else if groupID != nil {
+		accounts, err = s.accountRepo.ListByGroup(ctx, *groupID)
+	} else {
+		accounts, err = s.accountRepo.ListByPlatform(ctx, PlatformSora)
+	}
+	if err != nil {
+		slog.Debug("account_scheduling_list_failed",
+			"group_id", derefGroupID(groupID),
+			"platform", PlatformSora,
+			"error", err)
+		return nil, useMixed, err
+	}
+
+	filtered := make([]Account, 0, len(accounts))
+	for _, acc := range accounts {
+		if acc.Platform != PlatformSora {
+			continue
+		}
+		if !s.isSoraAccountSchedulable(&acc) {
+			continue
+		}
+		filtered = append(filtered, acc)
+	}
+	slog.Debug("account_scheduling_list_sora",
+		"group_id", derefGroupID(groupID),
+		"platform", PlatformSora,
+		"raw_count", len(accounts),
+		"filtered_count", len(filtered))
+	for _, acc := range filtered {
+		slog.Debug("account_scheduling_account_detail",
+			"account_id", acc.ID,
+			"name", acc.Name,
+			"platform", acc.Platform,
+			"type", acc.Type,
+			"status", acc.Status,
+			"tls_fingerprint", acc.IsTLSFingerprintEnabled())
+	}
+	return filtered, useMixed, nil
+}
+
 // IsSingleAntigravityAccountGroup 检查指定分组是否只有一个 antigravity 平台的可调度账号。
 // 用于 Handler 层在首次请求时提前设置 SingleAccountRetry context，
 // 避免单账号分组收到 503 时错误地设置模型限流标记导致后续请求连续快速失败。
@@ -2059,10 +2239,33 @@ func (s *GatewayService) isAccountAllowedForPlatform(account *Account, platform
 	return account.Platform == platform
 }
 
+func (s *GatewayService) isSoraAccountSchedulable(account *Account) bool {
+	return s.soraUnschedulableReason(account) == ""
+}
+
+func (s *GatewayService) soraUnschedulableReason(account *Account) string {
+	if account == nil {
+		return "account_nil"
+	}
+	if account.Status != StatusActive {
+		return fmt.Sprintf("status=%s", account.Status)
+	}
+	if !account.Schedulable {
+		return "schedulable=false"
+	}
+	if account.TempUnschedulableUntil != nil && time.Now().Before(*account.TempUnschedulableUntil) {
+		return fmt.Sprintf("temp_unschedulable_until=%s", account.TempUnschedulableUntil.UTC().Format(time.RFC3339))
+	}
+	return ""
+}
+
 func (s *GatewayService) isAccountSchedulableForSelection(account *Account) bool {
 	if account == nil {
 		return false
 	}
+	if account.Platform == PlatformSora {
+		return s.isSoraAccountSchedulable(account)
+	}
 	return account.IsSchedulable()
 }
 
@@ -2070,6 +2273,12 @@ func (s *GatewayService) isAccountSchedulableForModelSelection(ctx context.Conte
 	if account == nil {
 		return false
 	}
+	if account.Platform == PlatformSora {
+		if !s.isSoraAccountSchedulable(account) {
+			return false
+		}
+		return account.GetRateLimitRemainingTimeWithContext(ctx, requestedModel) <= 0
+	}
 	return account.IsSchedulableForModelWithContext(ctx, requestedModel)
 }
 
@@ -2409,31 +2618,34 @@ func (s *GatewayService) getSchedulableAccount(ctx context.Context, accountID in
 	return s.accountRepo.GetByID(ctx, accountID)
 }
 
-func (s *GatewayService) hydrateSelectedAccount(ctx context.Context, account *Account) (*Account, error) {
-	if account == nil || s.schedulerSnapshot == nil {
-		return account, nil
+// populateAffinityCounts 批量获取账号的亲和客户端数量并填入 accountWithLoad 切片。
+// 仅当存在开启了客户端亲和的账号时才查询 Redis，否则跳过。
+func (s *GatewayService) populateAffinityCounts(ctx context.Context, accounts []accountWithLoad, groupID int64) {
+	if s.cache == nil || len(accounts) == 0 {
+		return
 	}
-	hydrated, err := s.schedulerSnapshot.GetAccount(ctx, account.ID)
+	// 快速检查：是否有任何账号开启了亲和
+	hasAffinity := false
+	for _, acc := range accounts {
+		if acc.account.IsAffinityEnabled() {
+			hasAffinity = true
+			break
+		}
+	}
+	if !hasAffinity {
+		return
+	}
+	accountIDs := make([]int64, len(accounts))
+	for i, acc := range accounts {
+		accountIDs[i] = acc.account.ID
+	}
+	countMap, err := s.cache.GetAccountAffinityCountBatch(ctx, groupID, accountIDs, ClientAffinityTTL)
 	if err != nil {
-		return nil, err
+		return // 查询失败不影响调度，affinityCount 保持 0
 	}
-	if hydrated == nil {
-		return nil, fmt.Errorf("selected gateway account %d not found during hydration", account.ID)
+	for i := range accounts {
+		accounts[i].affinityCount = countMap[accounts[i].account.ID]
 	}
-	return hydrated, nil
-}
-
-func (s *GatewayService) newSelectionResult(ctx context.Context, account *Account, acquired bool, release func(), waitPlan *AccountWaitPlan) (*AccountSelectionResult, error) {
-	hydrated, err := s.hydrateSelectedAccount(ctx, account)
-	if err != nil {
-		return nil, err
-	}
-	return &AccountSelectionResult{
-		Account:     hydrated,
-		Acquired:    acquired,
-		ReleaseFunc: release,
-		WaitPlan:    waitPlan,
-	}, nil
 }
 
 // filterByMinPriority 过滤出优先级最小的账号集合
@@ -2476,6 +2688,64 @@ func filterByMinLoadRate(accounts []accountWithLoad) []accountWithLoad {
 	return result
 }
 
+// filterByMinAffinityCount 过滤出亲和客户端数最少的账号集合
+func filterByMinAffinityCount(accounts []accountWithLoad) []accountWithLoad {
+	if len(accounts) == 0 {
+		return accounts
+	}
+	minCount := accounts[0].affinityCount
+	for _, acc := range accounts[1:] {
+		if acc.affinityCount < minCount {
+			minCount = acc.affinityCount
+		}
+	}
+	result := make([]accountWithLoad, 0, len(accounts))
+	for _, acc := range accounts {
+		if acc.affinityCount == minCount {
+			result = append(result, acc)
+		}
+	}
+	return result
+}
+
+// classifyByAffinityZone 按亲和分区对候选账号进行分类。
+// 返回值：仅绿区账号（有绿区时），否则返回黄区账号。红区账号被移除。
+// 如果没有任何账号开启了亲和三区配置（即 affinity_base <= 0），则原样返回所有账号。
+func classifyByAffinityZone(accounts []accountWithLoad) []accountWithLoad {
+	if len(accounts) == 0 {
+		return accounts
+	}
+	// 快速检查：是否有任何账号配置了 affinity_base
+	hasZoneConfig := false
+	for _, acc := range accounts {
+		if acc.account.IsAffinityEnabled() && acc.account.GetAffinityBase() > 0 {
+			hasZoneConfig = true
+			break
+		}
+	}
+	if !hasZoneConfig {
+		return accounts
+	}
+
+	greens := make([]accountWithLoad, 0, len(accounts))
+	yellows := make([]accountWithLoad, 0, len(accounts))
+	for _, acc := range accounts {
+		zone := acc.account.GetAffinityZone(acc.affinityCount)
+		switch zone {
+		case AffinityZoneGreen:
+			greens = append(greens, acc)
+		case AffinityZoneYellow:
+			yellows = append(yellows, acc)
+		case AffinityZoneRed:
+			// 红区：移除，不参与调度
+		}
+	}
+	if len(greens) > 0 {
+		return greens
+	}
+	return yellows
+}
+
 // selectByLRU 从集合中选择最久未用的账号
 // 如果有多个账号具有相同的最小 LastUsedAt，则随机选择一个
 func selectByLRU(accounts []accountWithLoad, preferOAuth bool) *accountWithLoad {
@@ -2711,12 +2981,6 @@ func (s *GatewayService) selectAccountForModelWithPlatform(ctx context.Context,
 	preferOAuth := platform == PlatformGemini
 	routingAccountIDs := s.routingAccountIDsForRequest(ctx, groupID, requestedModel, platform)
 
-	// require_privacy_set: 获取分组信息
-	var schedGroup *Group
-	if groupID != nil && s.groupRepo != nil {
-		schedGroup, _ = s.groupRepo.GetByID(ctx, *groupID)
-	}
-
 	var accounts []Account
 	accountsLoaded := false
 
@@ -2788,12 +3052,6 @@ func (s *GatewayService) selectAccountForModelWithPlatform(ctx context.Context,
 			if !s.isAccountSchedulableForSelection(acc) {
 				continue
 			}
-			// require_privacy_set: 跳过 privacy 未设置的账号并标记异常
-			if schedGroup != nil && schedGroup.RequirePrivacySet && !acc.IsPrivacySet() {
-				_ = s.accountRepo.SetError(ctx, acc.ID,
-					fmt.Sprintf("Privacy not set, required by group [%s]", schedGroup.Name))
-				continue
-			}
 			if requestedModel != "" && !s.isModelSupportedByAccountWithContext(ctx, acc, requestedModel) {
 				continue
 			}
@@ -2885,8 +3143,6 @@ func (s *GatewayService) selectAccountForModelWithPlatform(ctx context.Context,
 	ctx = s.withRPMPrefetch(ctx, accounts)
 
 	// 3. 按优先级+最久未用选择（考虑模型支持）
-	// needsUpstreamCheck 仅在主选择循环中使用；粘性会话命中时跳过此检查，
-	// 因为粘性会话优先保持连接一致性，且 upstream 计费基准极少使用。
 	needsUpstreamCheck := s.needsUpstreamChannelRestrictionCheck(ctx, groupID)
 	var selected *Account
 	for i := range accounts {
@@ -2899,12 +3155,6 @@ func (s *GatewayService) selectAccountForModelWithPlatform(ctx context.Context,
 		if !s.isAccountSchedulableForSelection(acc) {
 			continue
 		}
-		// require_privacy_set: 跳过 privacy 未设置的账号并标记异常
-		if schedGroup != nil && schedGroup.RequirePrivacySet && !acc.IsPrivacySet() {
-			_ = s.accountRepo.SetError(ctx, acc.ID,
-				fmt.Sprintf("Privacy not set, required by group [%s]", schedGroup.Name))
-			continue
-		}
 		if requestedModel != "" && !s.isModelSupportedByAccountWithContext(ctx, acc, requestedModel) {
 			continue
 		}
@@ -2971,12 +3221,6 @@ func (s *GatewayService) selectAccountWithMixedScheduling(ctx context.Context, g
 	preferOAuth := nativePlatform == PlatformGemini
 	routingAccountIDs := s.routingAccountIDsForRequest(ctx, groupID, requestedModel, nativePlatform)
 
-	// require_privacy_set: 获取分组信息
-	var schedGroup *Group
-	if groupID != nil && s.groupRepo != nil {
-		schedGroup, _ = s.groupRepo.GetByID(ctx, *groupID)
-	}
-
 	var accounts []Account
 	accountsLoaded := false
 
@@ -3044,12 +3288,6 @@ func (s *GatewayService) selectAccountWithMixedScheduling(ctx context.Context, g
 			if !s.isAccountSchedulableForSelection(acc) {
 				continue
 			}
-			// require_privacy_set: 跳过 privacy 未设置的账号并标记异常
-			if schedGroup != nil && schedGroup.RequirePrivacySet && !acc.IsPrivacySet() {
-				_ = s.accountRepo.SetError(ctx, acc.ID,
-					fmt.Sprintf("Privacy not set, required by group [%s]", schedGroup.Name))
-				continue
-			}
 			// 过滤：原生平台直接通过，antigravity 需要启用混合调度
 			if acc.Platform == PlatformAntigravity && !acc.IsMixedSchedulingEnabled() {
 				continue
@@ -3143,7 +3381,6 @@ func (s *GatewayService) selectAccountWithMixedScheduling(ctx context.Context, g
 	ctx = s.withRPMPrefetch(ctx, accounts)
 
 	// 3. 按优先级+最久未用选择（考虑模型支持和混合调度）
-	// needsUpstreamCheck 仅在主选择循环中使用；粘性会话命中时跳过此检查。
 	needsUpstreamCheck := s.needsUpstreamChannelRestrictionCheck(ctx, groupID)
 	var selected *Account
 	for i := range accounts {
@@ -3156,12 +3393,6 @@ func (s *GatewayService) selectAccountWithMixedScheduling(ctx context.Context, g
 		if !s.isAccountSchedulableForSelection(acc) {
 			continue
 		}
-		// require_privacy_set: 跳过 privacy 未设置的账号并标记异常
-		if schedGroup != nil && schedGroup.RequirePrivacySet && !acc.IsPrivacySet() {
-			_ = s.accountRepo.SetError(ctx, acc.ID,
-				fmt.Sprintf("Privacy not set, required by group [%s]", schedGroup.Name))
-			continue
-		}
 		// 过滤：原生平台直接通过，antigravity 需要启用混合调度
 		if acc.Platform == PlatformAntigravity && !acc.IsMixedSchedulingEnabled() {
 			continue
@@ -3273,6 +3504,9 @@ func (s *GatewayService) logDetailedSelectionFailure(
 		stats.SampleMappingIDs,
 		stats.SampleRateLimitIDs,
 	)
+	if platform == PlatformSora {
+		s.logSoraSelectionFailureDetails(ctx, groupID, sessionHash, requestedModel, accounts, excludedIDs, allowMixedScheduling)
+	}
 	return stats
 }
 
@@ -3329,7 +3563,11 @@ func (s *GatewayService) diagnoseSelectionFailure(
 		return selectionFailureDiagnosis{Category: "excluded"}
 	}
 	if !s.isAccountSchedulableForSelection(acc) {
-		return selectionFailureDiagnosis{Category: "unschedulable", Detail: "generic_unschedulable"}
+		detail := "generic_unschedulable"
+		if acc.Platform == PlatformSora {
+			detail = s.soraUnschedulableReason(acc)
+		}
+		return selectionFailureDiagnosis{Category: "unschedulable", Detail: detail}
 	}
 	if isPlatformFilteredForSelection(acc, platform, allowMixedScheduling) {
 		return selectionFailureDiagnosis{
@@ -3353,6 +3591,57 @@ func (s *GatewayService) diagnoseSelectionFailure(
 	return selectionFailureDiagnosis{Category: "eligible"}
 }
 
+func (s *GatewayService) logSoraSelectionFailureDetails(
+	ctx context.Context,
+	groupID *int64,
+	sessionHash string,
+	requestedModel string,
+	accounts []Account,
+	excludedIDs map[int64]struct{},
+	allowMixedScheduling bool,
+) {
+	const maxLines = 30
+	logged := 0
+
+	for i := range accounts {
+		if logged >= maxLines {
+			break
+		}
+		acc := &accounts[i]
+		diagnosis := s.diagnoseSelectionFailure(ctx, acc, requestedModel, PlatformSora, excludedIDs, allowMixedScheduling)
+		if diagnosis.Category == "eligible" {
+			continue
+		}
+		detail := diagnosis.Detail
+		if detail == "" {
+			detail = "-"
+		}
+		logger.LegacyPrintf(
+			"service.gateway",
+			"[SelectAccountDetailed:Sora] group_id=%v model=%s session=%s account_id=%d account_platform=%s category=%s detail=%s",
+			derefGroupID(groupID),
+			requestedModel,
+			shortSessionHash(sessionHash),
+			acc.ID,
+			acc.Platform,
+			diagnosis.Category,
+			detail,
+		)
+		logged++
+	}
+	if len(accounts) > maxLines {
+		logger.LegacyPrintf(
+			"service.gateway",
+			"[SelectAccountDetailed:Sora] group_id=%v model=%s session=%s truncated=true total=%d logged=%d",
+			derefGroupID(groupID),
+			requestedModel,
+			shortSessionHash(sessionHash),
+			len(accounts),
+			logged,
+		)
+	}
+}
+
 func isPlatformFilteredForSelection(acc *Account, platform string, allowMixedScheduling bool) bool {
 	if acc == nil {
 		return true
@@ -3431,10 +3720,17 @@ func (s *GatewayService) isModelSupportedByAccount(account *Account, requestedMo
 		}
 		return mapAntigravityModel(account, requestedModel) != ""
 	}
+	if account.Platform == PlatformSora {
+		return s.isSoraModelSupportedByAccount(account, requestedModel)
+	}
 	if account.IsBedrock() {
 		_, ok := ResolveBedrockModelID(account, requestedModel)
 		return ok
 	}
+	// OpenAI 透传模式：仅替换认证，允许所有模型
+	if account.Platform == PlatformOpenAI && account.IsOpenAIPassthroughEnabled() {
+		return true
+	}
 	// OAuth/SetupToken 账号使用 Anthropic 标准映射（短ID → 长ID）
 	if account.Platform == PlatformAnthropic && account.Type != AccountTypeAPIKey {
 		requestedModel = claude.NormalizeModelID(requestedModel)
@@ -3443,6 +3739,143 @@ func (s *GatewayService) isModelSupportedByAccount(account *Account, requestedMo
 	return account.IsModelSupported(requestedModel)
 }
 
+func (s *GatewayService) isSoraModelSupportedByAccount(account *Account, requestedModel string) bool {
+	if account == nil {
+		return false
+	}
+	if strings.TrimSpace(requestedModel) == "" {
+		return true
+	}
+
+	// 先走原始精确/通配符匹配。
+	mapping := account.GetModelMapping()
+	if len(mapping) == 0 || account.IsModelSupported(requestedModel) {
+		return true
+	}
+
+	aliases := buildSoraModelAliases(requestedModel)
+	if len(aliases) == 0 {
+		return false
+	}
+
+	hasSoraSelector := false
+	for pattern := range mapping {
+		if !isSoraModelSelector(pattern) {
+			continue
+		}
+		hasSoraSelector = true
+		if matchPatternAnyAlias(pattern, aliases) {
+			return true
+		}
+	}
+
+	// 兼容旧账号：mapping 存在但未配置任何 Sora 选择器（例如只含 gpt-*），
+	// 此时不应误拦截 Sora 模型请求。
+	if !hasSoraSelector {
+		return true
+	}
+
+	return false
+}
+
+func matchPatternAnyAlias(pattern string, aliases []string) bool {
+	normalizedPattern := strings.ToLower(strings.TrimSpace(pattern))
+	if normalizedPattern == "" {
+		return false
+	}
+	for _, alias := range aliases {
+		if matchWildcard(normalizedPattern, alias) {
+			return true
+		}
+	}
+	return false
+}
+
+func isSoraModelSelector(pattern string) bool {
+	p := strings.ToLower(strings.TrimSpace(pattern))
+	if p == "" {
+		return false
+	}
+
+	switch {
+	case strings.HasPrefix(p, "sora"),
+		strings.HasPrefix(p, "gpt-image"),
+		strings.HasPrefix(p, "prompt-enhance"),
+		strings.HasPrefix(p, "sy_"):
+		return true
+	}
+
+	return p == "video" || p == "image"
+}
+
+func buildSoraModelAliases(requestedModel string) []string {
+	modelID := strings.ToLower(strings.TrimSpace(requestedModel))
+	if modelID == "" {
+		return nil
+	}
+
+	aliases := make([]string, 0, 8)
+	addAlias := func(value string) {
+		v := strings.ToLower(strings.TrimSpace(value))
+		if v == "" {
+			return
+		}
+		for _, existing := range aliases {
+			if existing == v {
+				return
+			}
+		}
+		aliases = append(aliases, v)
+	}
+
+	addAlias(modelID)
+	cfg, ok := GetSoraModelConfig(modelID)
+	if ok {
+		addAlias(cfg.Model)
+		switch cfg.Type {
+		case "video":
+			addAlias("video")
+			addAlias("sora")
+			addAlias(soraVideoFamilyAlias(modelID))
+		case "image":
+			addAlias("image")
+			addAlias("gpt-image")
+		case "prompt_enhance":
+			addAlias("prompt-enhance")
+		}
+		return aliases
+	}
+
+	switch {
+	case strings.HasPrefix(modelID, "sora"):
+		addAlias("video")
+		addAlias("sora")
+		addAlias(soraVideoFamilyAlias(modelID))
+	case strings.HasPrefix(modelID, "gpt-image"):
+		addAlias("image")
+		addAlias("gpt-image")
+	case strings.HasPrefix(modelID, "prompt-enhance"):
+		addAlias("prompt-enhance")
+	default:
+		return nil
+	}
+
+	return aliases
+}
+
+func soraVideoFamilyAlias(modelID string) string {
+	switch {
+	case strings.HasPrefix(modelID, "sora2pro-hd"):
+		return "sora2pro-hd"
+	case strings.HasPrefix(modelID, "sora2pro"):
+		return "sora2pro"
+	case strings.HasPrefix(modelID, "sora2"):
+		return "sora2"
+	default:
+		return ""
+	}
+}
+
 // GetAccessToken 获取账号凭证
 func (s *GatewayService) GetAccessToken(ctx context.Context, account *Account) (string, string, error) {
 	switch account.Type {
@@ -3719,86 +4152,6 @@ func injectClaudeCodePrompt(body []byte, system any) []byte {
 	return result
 }
 
-// rewriteSystemForNonClaudeCode 将非 Claude Code 客户端的 system prompt 迁移至 messages，
-// system 字段仅保留 Claude Code 标识提示词。
-// Anthropic 基于 system 参数内容检测第三方应用，仅前置追加 Claude Code 提示词
-// 无法通过检测，因为后续内容仍为非 Claude Code 格式。
-// 策略：将原始 system prompt 提取并注入为 user/assistant 消息对，system 仅保留 Claude Code 标识。
-func rewriteSystemForNonClaudeCode(body []byte, system any) []byte {
-	system = normalizeSystemParam(system)
-
-	// 1. 提取原始 system prompt 文本
-	var originalSystemText string
-	switch v := system.(type) {
-	case string:
-		originalSystemText = strings.TrimSpace(v)
-	case []any:
-		var parts []string
-		for _, item := range v {
-			if m, ok := item.(map[string]any); ok {
-				if text, ok := m["text"].(string); ok && strings.TrimSpace(text) != "" {
-					parts = append(parts, text)
-				}
-			}
-		}
-		originalSystemText = strings.Join(parts, "\n\n")
-	}
-
-	// 2. 将 system 替换为 Claude Code 标准提示词（array 格式，与真实 Claude Code 一致）
-	//    真实 Claude Code 始终以 [{type: "text", text: "...", cache_control: {type: "ephemeral"}}] 发送 system。
-	//    使用 string 格式会被 Anthropic 检测为第三方应用。
-	claudeCodeSystemBlock := []map[string]any{
-		{
-			"type":          "text",
-			"text":          claudeCodeSystemPrompt,
-			"cache_control": map[string]string{"type": "ephemeral"},
-		},
-	}
-	out, ok := setJSONValueBytes(body, "system", claudeCodeSystemBlock)
-	if !ok {
-		logger.LegacyPrintf("service.gateway", "Warning: failed to set Claude Code system prompt")
-		return body
-	}
-
-	// 3. 将原始 system prompt 作为 user/assistant 消息对注入到 messages 开头
-	//    模型仍通过 messages 接收完整指令，保留客户端功能
-	ccPromptTrimmed := strings.TrimSpace(claudeCodeSystemPrompt)
-	if originalSystemText != "" && originalSystemText != ccPromptTrimmed && !hasClaudeCodePrefix(originalSystemText) {
-		instrMsg, err1 := json.Marshal(map[string]any{
-			"role": "user",
-			"content": []map[string]any{
-				{"type": "text", "text": "[System Instructions]\n" + originalSystemText},
-			},
-		})
-		ackMsg, err2 := json.Marshal(map[string]any{
-			"role": "assistant",
-			"content": []map[string]any{
-				{"type": "text", "text": "Understood. I will follow these instructions."},
-			},
-		})
-		if err1 != nil || err2 != nil {
-			logger.LegacyPrintf("service.gateway", "Warning: failed to marshal system-to-messages injection")
-			return out
-		}
-
-		// 重建 messages 数组：[instruction, ack, ...originalMessages]
-		items := [][]byte{instrMsg, ackMsg}
-		messagesResult := gjson.GetBytes(out, "messages")
-		if messagesResult.IsArray() {
-			messagesResult.ForEach(func(_, msg gjson.Result) bool {
-				items = append(items, []byte(msg.Raw))
-				return true
-			})
-		}
-
-		if next, setOk := setJSONRawBytes(out, "messages", buildJSONArrayRaw(items)); setOk {
-			out = next
-		}
-	}
-
-	return out
-}
-
 type cacheControlPath struct {
 	path string
 	log  string
@@ -3960,7 +4313,7 @@ func (s *GatewayService) Forward(ctx context.Context, c *gin.Context, account *A
 	// Beta policy: evaluate once; block check + cache filter set for buildUpstreamRequest.
 	// Always overwrite the cache to prevent stale values from a previous retry with a different account.
 	if account.Platform == PlatformAnthropic && c != nil {
-		policy := s.evaluateBetaPolicy(ctx, c.GetHeader("anthropic-beta"), account, parsed.Model)
+		policy := s.evaluateBetaPolicy(ctx, c.GetHeader("anthropic-beta"), account)
 		if policy.blockErr != nil {
 			return nil, policy.blockErr
 		}
@@ -3990,24 +4343,19 @@ func (s *GatewayService) Forward(ctx context.Context, c *gin.Context, account *A
 	shouldMimicClaudeCode := account.IsOAuth() && !isClaudeCode
 
 	if shouldMimicClaudeCode {
-		// 非 Claude Code 客户端：将 system 替换为 Claude Code 标识，原始 system 迁移至 messages
+		// 智能注入 Claude Code 系统提示词（仅 OAuth/SetupToken 账号需要）
 		// 条件：1) OAuth/SetupToken 账号  2) 不是 Claude Code 客户端  3) 不是 Haiku 模型  4) system 中还没有 Claude Code 提示词
-		systemRewritten := false
 		if !strings.Contains(strings.ToLower(reqModel), "haiku") &&
 			!systemIncludesClaudeCodePrompt(parsed.System) {
-			body = rewriteSystemForNonClaudeCode(body, parsed.System)
-			systemRewritten = true
+			body = injectClaudeCodePrompt(body, parsed.System)
 		}
 
-		// system 被重写时保留 CC prompt 的 cache_control: ephemeral（匹配真实 Claude Code 行为）；
-		// 未重写时（haiku / 已含 CC 前缀）剥离客户端 cache_control，与原有行为一致。
-		// 两种情况下 enforceCacheControlLimit 都会兜底处理上限。
-		normalizeOpts := claudeOAuthNormalizeOptions{stripSystemCacheControl: !systemRewritten}
+		normalizeOpts := claudeOAuthNormalizeOptions{stripSystemCacheControl: true}
 		if s.identityService != nil {
 			fp, err := s.identityService.GetOrCreateFingerprint(ctx, account.ID, c.Request.Header)
 			if err == nil && fp != nil {
 				// metadata 透传开启时跳过 metadata 注入
-				_, mimicMPT, _ := s.settingService.GetGatewayForwardingSettings(ctx)
+				_, mimicMPT := s.settingService.GetGatewayForwardingSettings(ctx)
 				if !mimicMPT {
 					if metadataUserID := s.buildOAuthMetadataUserID(parsed, account, fp); metadataUserID != "" {
 						normalizeOpts.injectMetadata = true
@@ -4054,12 +4402,10 @@ func (s *GatewayService) Forward(ctx context.Context, c *gin.Context, account *A
 		return nil, err
 	}
 
-	// 获取代理URL（自定义 base URL 模式下，proxy 通过 buildCustomRelayURL 作为查询参数传递）
+	// 获取代理URL
 	proxyURL := ""
 	if account.ProxyID != nil && account.Proxy != nil {
-		if !account.IsCustomBaseURLEnabled() || account.GetCustomBaseURL() == "" {
-			proxyURL = account.Proxy.URL()
-		}
+		proxyURL = account.Proxy.URL()
 	}
 
 	// 解析 TLS 指纹 profile（同一请求生命周期内不变，避免重试循环中重复解析）
@@ -4468,6 +4814,7 @@ func (s *GatewayService) Forward(ctx context.Context, c *gin.Context, account *A
 	}
 
 	// 处理正常响应
+	ctx = withClaudeMaxResponseRewriteContext(ctx, c, parsed)
 
 	// 触发上游接受回调（提前释放串行锁，不等流完成）
 	if parsed.OnUpstreamAccepted != nil {
@@ -5534,16 +5881,6 @@ func (s *GatewayService) buildUpstreamRequest(ctx context.Context, c *gin.Contex
 			}
 			targetURL = validatedURL + "/v1/messages?beta=true"
 		}
-	} else if account.IsCustomBaseURLEnabled() {
-		customURL := account.GetCustomBaseURL()
-		if customURL == "" {
-			return nil, fmt.Errorf("custom_base_url is enabled but not configured for account %d", account.ID)
-		}
-		validatedURL, err := s.validateUpstreamBaseURL(customURL)
-		if err != nil {
-			return nil, err
-		}
-		targetURL = s.buildCustomRelayURL(validatedURL, "/v1/messages", account)
 	}
 
 	clientHeaders := http.Header{}
@@ -5553,9 +5890,9 @@ func (s *GatewayService) buildUpstreamRequest(ctx context.Context, c *gin.Contex
 
 	// OAuth账号：应用统一指纹和metadata重写（受设置开关控制）
 	var fingerprint *Fingerprint
-	enableFP, enableMPT, enableCCH := true, false, false
+	enableFP, enableMPT := true, false
 	if s.settingService != nil {
-		enableFP, enableMPT, enableCCH = s.settingService.GetGatewayForwardingSettings(ctx)
+		enableFP, enableMPT = s.settingService.GetGatewayForwardingSettings(ctx)
 	}
 	if account.IsOAuth() && s.identityService != nil {
 		// 1. 获取或创建指纹（包含随机生成的ClientID）
@@ -5582,15 +5919,6 @@ func (s *GatewayService) buildUpstreamRequest(ctx context.Context, c *gin.Contex
 		}
 	}
 
-	// 同步 billing header cc_version 与实际发送的 User-Agent 版本
-	if fingerprint != nil {
-		body = syncBillingHeaderVersion(body, fingerprint.UserAgent)
-	}
-	// CCH 签名：将 cch=00000 占位符替换为 xxHash64 签名（需在所有 body 修改之后）
-	if enableCCH {
-		body = signBillingHeaderCCH(body)
-	}
-
 	req, err := http.NewRequestWithContext(ctx, "POST", targetURL, bytes.NewReader(body))
 	if err != nil {
 		return nil, err
@@ -5631,8 +5959,9 @@ func (s *GatewayService) buildUpstreamRequest(ctx context.Context, c *gin.Contex
 	}
 
 	// Build effective drop set: merge static defaults with dynamic beta policy filter rules
-	policyFilterSet := s.getBetaPolicyFilterSet(ctx, c, account, modelID)
+	policyFilterSet := s.getBetaPolicyFilterSet(ctx, c, account)
 	effectiveDropSet := mergeDropSets(policyFilterSet)
+	effectiveDropWithClaudeCodeSet := mergeDropSets(policyFilterSet, claude.BetaClaudeCode)
 
 	// 处理 anthropic-beta header（OAuth 账号需要包含 oauth beta）
 	if tokenType == "oauth" {
@@ -5643,16 +5972,11 @@ func (s *GatewayService) buildUpstreamRequest(ctx context.Context, c *gin.Contex
 			applyClaudeCodeMimicHeaders(req, reqStream)
 
 			incomingBeta := getHeaderRaw(req.Header, "anthropic-beta")
-			// Claude Code OAuth credentials are scoped to Claude Code.
-			// Non-haiku models MUST include claude-code beta for Anthropic to recognize
-			// this as a legitimate Claude Code request; without it, the request is
-			// rejected as third-party ("out of extra usage").
-			// Haiku models are exempt from third-party detection and don't need it.
+			// Match real Claude CLI traffic (per mitmproxy reports):
+			// messages requests typically use only oauth + interleaved-thinking.
+			// Also drop claude-code beta if a downstream client added it.
 			requiredBetas := []string{claude.BetaOAuth, claude.BetaInterleavedThinking}
-			if !strings.Contains(strings.ToLower(modelID), "haiku") {
-				requiredBetas = []string{claude.BetaClaudeCode, claude.BetaOAuth, claude.BetaInterleavedThinking}
-			}
-			setHeaderRaw(req.Header, "anthropic-beta", mergeAnthropicBetaDropping(requiredBetas, incomingBeta, effectiveDropSet))
+			setHeaderRaw(req.Header, "anthropic-beta", mergeAnthropicBetaDropping(requiredBetas, incomingBeta, effectiveDropWithClaudeCodeSet))
 		} else {
 			// Claude Code 客户端：尽量透传原始 header，仅补齐 oauth beta
 			clientBetaHeader := getHeaderRaw(req.Header, "anthropic-beta")
@@ -5672,15 +5996,6 @@ func (s *GatewayService) buildUpstreamRequest(ctx context.Context, c *gin.Contex
 		}
 	}
 
-	// 同步 X-Claude-Code-Session-Id 头：取 body 中已处理的 metadata.user_id 的 session_id 覆盖
-	if sessionHeader := getHeaderRaw(req.Header, "X-Claude-Code-Session-Id"); sessionHeader != "" {
-		if uid := gjson.GetBytes(body, "metadata.user_id").String(); uid != "" {
-			if parsed := ParseMetadataUserID(uid); parsed != nil {
-				setHeaderRaw(req.Header, "X-Claude-Code-Session-Id", parsed.SessionID)
-			}
-		}
-	}
-
 	// === DEBUG: 打印上游转发请求（headers + body 摘要），与 CLIENT_ORIGINAL 对比 ===
 	s.debugLogGatewaySnapshot("UPSTREAM_FORWARD", req.Header, body, map[string]string{
 		"url":                 req.URL.String(),
@@ -5875,7 +6190,7 @@ type betaPolicyResult struct {
 }
 
 // evaluateBetaPolicy loads settings once and evaluates all rules against the given request.
-func (s *GatewayService) evaluateBetaPolicy(ctx context.Context, betaHeader string, account *Account, model string) betaPolicyResult {
+func (s *GatewayService) evaluateBetaPolicy(ctx context.Context, betaHeader string, account *Account) betaPolicyResult {
 	if s.settingService == nil {
 		return betaPolicyResult{}
 	}
@@ -5890,11 +6205,10 @@ func (s *GatewayService) evaluateBetaPolicy(ctx context.Context, betaHeader stri
 		if !betaPolicyScopeMatches(rule.Scope, isOAuth, isBedrock) {
 			continue
 		}
-		effectiveAction, effectiveErrMsg := resolveRuleAction(rule, model)
-		switch effectiveAction {
+		switch rule.Action {
 		case BetaPolicyActionBlock:
 			if result.blockErr == nil && betaHeader != "" && containsBetaToken(betaHeader, rule.BetaToken) {
-				msg := effectiveErrMsg
+				msg := rule.ErrorMessage
 				if msg == "" {
 					msg = "beta feature " + rule.BetaToken + " is not allowed"
 				}
@@ -5936,7 +6250,7 @@ const betaPolicyFilterSetKey = "betaPolicyFilterSet"
 // In the /v1/messages path, Forward() evaluates the policy first and caches the result;
 // buildUpstreamRequest reuses it (zero extra DB calls). In the count_tokens path, this
 // evaluates on demand (one DB call).
-func (s *GatewayService) getBetaPolicyFilterSet(ctx context.Context, c *gin.Context, account *Account, model string) map[string]struct{} {
+func (s *GatewayService) getBetaPolicyFilterSet(ctx context.Context, c *gin.Context, account *Account) map[string]struct{} {
 	if c != nil {
 		if v, ok := c.Get(betaPolicyFilterSetKey); ok {
 			if fs, ok := v.(map[string]struct{}); ok {
@@ -5944,7 +6258,7 @@ func (s *GatewayService) getBetaPolicyFilterSet(ctx context.Context, c *gin.Cont
 			}
 		}
 	}
-	return s.evaluateBetaPolicy(ctx, "", account, model).filterSet
+	return s.evaluateBetaPolicy(ctx, "", account).filterSet
 }
 
 // betaPolicyScopeMatches checks whether a rule's scope matches the current account type.
@@ -5963,33 +6277,6 @@ func betaPolicyScopeMatches(scope string, isOAuth bool, isBedrock bool) bool {
 	}
 }
 
-// matchModelWhitelist checks if a model matches any pattern in the whitelist.
-// Reuses matchModelPattern from group.go which supports exact and wildcard prefix matching.
-func matchModelWhitelist(model string, whitelist []string) bool {
-	for _, pattern := range whitelist {
-		if matchModelPattern(pattern, model) {
-			return true
-		}
-	}
-	return false
-}
-
-// resolveRuleAction determines the effective action and error message for a rule given the request model.
-// When ModelWhitelist is empty, the rule's primary Action/ErrorMessage applies unconditionally.
-// When non-empty, Action applies to matching models; FallbackAction/FallbackErrorMessage applies to others.
-func resolveRuleAction(rule BetaPolicyRule, model string) (action, errorMessage string) {
-	if len(rule.ModelWhitelist) == 0 {
-		return rule.Action, rule.ErrorMessage
-	}
-	if matchModelWhitelist(model, rule.ModelWhitelist) {
-		return rule.Action, rule.ErrorMessage
-	}
-	if rule.FallbackAction != "" {
-		return rule.FallbackAction, rule.FallbackErrorMessage
-	}
-	return BetaPolicyActionPass, "" // default fallback: pass (fail-open)
-}
-
 // droppedBetaSet returns claude.DroppedBetas as a set, with optional extra tokens.
 func droppedBetaSet(extra ...string) map[string]struct{} {
 	m := make(map[string]struct{}, len(defaultDroppedBetasSet)+len(extra))
@@ -6036,7 +6323,7 @@ func (s *GatewayService) resolveBedrockBetaTokensForRequest(
 	modelID string,
 ) ([]string, error) {
 	// 1. 对原始 header 中的 beta token 做 block 检查（快速失败）
-	policy := s.evaluateBetaPolicy(ctx, betaHeader, account, modelID)
+	policy := s.evaluateBetaPolicy(ctx, betaHeader, account)
 	if policy.blockErr != nil {
 		return nil, policy.blockErr
 	}
@@ -6048,7 +6335,7 @@ func (s *GatewayService) resolveBedrockBetaTokensForRequest(
 	//    例如：管理员 block 了 interleaved-thinking，客户端不在 header 中带该 token，
 	//    但请求体中包含 thinking 字段 → autoInjectBedrockBetaTokens 会自动补齐 →
 	//    如果不做此检查，block 规则会被绕过。
-	if blockErr := s.checkBetaPolicyBlockForTokens(ctx, betaTokens, account, modelID); blockErr != nil {
+	if blockErr := s.checkBetaPolicyBlockForTokens(ctx, betaTokens, account); blockErr != nil {
 		return nil, blockErr
 	}
 
@@ -6057,7 +6344,7 @@ func (s *GatewayService) resolveBedrockBetaTokensForRequest(
 
 // checkBetaPolicyBlockForTokens 检查 token 列表中是否有被管理员 block 规则命中的 token。
 // 用于补充 evaluateBetaPolicy 对 header 的检查，覆盖 body 自动注入的 token。
-func (s *GatewayService) checkBetaPolicyBlockForTokens(ctx context.Context, tokens []string, account *Account, model string) *BetaBlockedError {
+func (s *GatewayService) checkBetaPolicyBlockForTokens(ctx context.Context, tokens []string, account *Account) *BetaBlockedError {
 	if s.settingService == nil || len(tokens) == 0 {
 		return nil
 	}
@@ -6069,15 +6356,14 @@ func (s *GatewayService) checkBetaPolicyBlockForTokens(ctx context.Context, toke
 	isBedrock := account.IsBedrock()
 	tokenSet := buildBetaTokenSet(tokens)
 	for _, rule := range settings.Rules {
-		effectiveAction, effectiveErrMsg := resolveRuleAction(rule, model)
-		if effectiveAction != BetaPolicyActionBlock {
+		if rule.Action != BetaPolicyActionBlock {
 			continue
 		}
 		if !betaPolicyScopeMatches(rule.Scope, isOAuth, isBedrock) {
 			continue
 		}
 		if _, present := tokenSet[rule.BetaToken]; present {
-			msg := effectiveErrMsg
+			msg := rule.ErrorMessage
 			if msg == "" {
 				msg = "beta feature " + rule.BetaToken + " is not allowed"
 			}
@@ -6709,6 +6995,7 @@ func (s *GatewayService) handleStreamingResponse(ctx context.Context, resp *http
 	needModelReplace := originalModel != mappedModel
 	clientDisconnected := false // 客户端断开标志，断开后继续读取上游以获取完整usage
 	sawTerminalEvent := false
+	skipAccountTTLOverride := false
 
 	pendingEventLines := make([]string, 0, 4)
 
@@ -6770,17 +7057,25 @@ func (s *GatewayService) handleStreamingResponse(ctx context.Context, resp *http
 			if msg, ok := event["message"].(map[string]any); ok {
 				if u, ok := msg["usage"].(map[string]any); ok {
 					eventChanged = reconcileCachedTokens(u) || eventChanged
+					claudeMaxOutcome := applyClaudeMaxSimulationToUsageJSONMap(ctx, u, originalModel, account.ID)
+					if claudeMaxOutcome.Simulated {
+						skipAccountTTLOverride = true
+					}
 				}
 			}
 		}
 		if eventType == "message_delta" {
 			if u, ok := event["usage"].(map[string]any); ok {
 				eventChanged = reconcileCachedTokens(u) || eventChanged
+				claudeMaxOutcome := applyClaudeMaxSimulationToUsageJSONMap(ctx, u, originalModel, account.ID)
+				if claudeMaxOutcome.Simulated {
+					skipAccountTTLOverride = true
+				}
 			}
 		}
 
 		// Cache TTL Override: 重写 SSE 事件中的 cache_creation 分类
-		if account.IsCacheTTLOverrideEnabled() {
+		if account.IsCacheTTLOverrideEnabled() && !skipAccountTTLOverride {
 			overrideTarget := account.GetCacheTTLOverrideTarget()
 			if eventType == "message_start" {
 				if msg, ok := event["message"].(map[string]any); ok {
@@ -7212,8 +7507,13 @@ func (s *GatewayService) handleNonStreamingResponse(ctx context.Context, resp *h
 		}
 	}
 
+	claudeMaxOutcome := applyClaudeMaxSimulationToUsage(ctx, &response.Usage, originalModel, account.ID)
+	if claudeMaxOutcome.Simulated {
+		body = rewriteClaudeUsageJSONBytes(body, response.Usage)
+	}
+
 	// Cache TTL Override: 重写 non-streaming 响应中的 cache_creation 分类
-	if account.IsCacheTTLOverrideEnabled() {
+	if account.IsCacheTTLOverrideEnabled() && !claudeMaxOutcome.Simulated {
 		overrideTarget := account.GetCacheTTLOverrideTarget()
 		if applyCacheTTLOverride(&response.Usage, overrideTarget) {
 			// 同步更新 body JSON 中的嵌套 cache_creation 对象
@@ -7279,6 +7579,7 @@ func (s *GatewayService) getUserGroupRateMultiplier(ctx context.Context, userID,
 // RecordUsageInput 记录使用量的输入参数
 type RecordUsageInput struct {
 	Result             *ForwardResult
+	ParsedRequest      *ParsedRequest
 	APIKey             *APIKey
 	User               *User
 	Account            *Account
@@ -7437,6 +7738,9 @@ func buildUsageBillingCommand(requestID string, usageLog *UsageLog, p *postUsage
 		cmd.CacheCreationTokens = usageLog.CacheCreationTokens
 		cmd.CacheReadTokens = usageLog.CacheReadTokens
 		cmd.ImageCount = usageLog.ImageCount
+		if usageLog.MediaType != nil {
+			cmd.MediaType = *usageLog.MediaType
+		}
 		if usageLog.ServiceTier != nil {
 			cmd.ServiceTier = *usageLog.ServiceTier
 		}
@@ -7592,6 +7896,8 @@ type recordUsageOpts struct {
 
 	// EnableClaudePath 启用 Claude 路径特有逻辑：
 	// - Claude Max 缓存计费策略
+	// - Sora 媒体类型分支（image/video/prompt）
+	// - MediaType 字段写入使用日志
 	EnableClaudePath bool
 
 	// 长上下文计费（仅 Gemini 路径需要）
@@ -7616,6 +7922,7 @@ func (s *GatewayService) RecordUsage(ctx context.Context, input *RecordUsageInpu
 		APIKeyService:      input.APIKeyService,
 		ChannelUsageFields: input.ChannelUsageFields,
 	}, &recordUsageOpts{
+		ParsedRequest:    input.ParsedRequest,
 		EnableClaudePath: true,
 	})
 }
@@ -7682,6 +7989,7 @@ type recordUsageCoreInput struct {
 // recordUsageCore 是 RecordUsage 和 RecordUsageWithLongContext 的统一实现。
 // opts 中的字段控制两者之间的差异行为：
 // - ParsedRequest != nil → 启用 Claude Max 缓存计费策略
+// - EnableSoraMedia → 启用 Sora MediaType 分支（image/video/prompt）
 // - LongContextThreshold > 0 → Token 计费回退走 CalculateCostWithLongContext
 func (s *GatewayService) recordUsageCore(ctx context.Context, input *recordUsageCoreInput, opts *recordUsageOpts) error {
 	result := input.Result
@@ -7699,9 +8007,21 @@ func (s *GatewayService) recordUsageCore(ctx context.Context, input *recordUsage
 		result.Usage.InputTokens = 0
 	}
 
-	// Cache TTL Override: 确保计费时 token 分类与账号设置一致
+	// Claude Max cache billing policy（仅 Claude 路径启用）
 	cacheTTLOverridden := false
-	if account.IsCacheTTLOverrideEnabled() {
+	simulatedClaudeMax := false
+	if opts.EnableClaudePath {
+		var apiKeyGroup *Group
+		if apiKey != nil {
+			apiKeyGroup = apiKey.Group
+		}
+		claudeMaxOutcome := applyClaudeMaxCacheBillingPolicyToUsage(&result.Usage, opts.ParsedRequest, apiKeyGroup, result.Model, account.ID)
+		simulatedClaudeMax = claudeMaxOutcome.Simulated ||
+			(shouldApplyClaudeMaxBillingRulesForUsage(apiKeyGroup, result.Model, opts.ParsedRequest) && hasCacheCreationTokens(result.Usage))
+	}
+
+	// Cache TTL Override: 确保计费时 token 分类与账号设置一致
+	if account.IsCacheTTLOverrideEnabled() && !simulatedClaudeMax {
 		applyCacheTTLOverride(&result.Usage, account.GetCacheTTLOverrideTarget())
 		cacheTTLOverridden = (result.Usage.CacheCreation5mTokens + result.Usage.CacheCreation1hTokens) > 0
 	}
@@ -7783,6 +8103,16 @@ func (s *GatewayService) calculateRecordUsageCost(
 	multiplier float64,
 	opts *recordUsageOpts,
 ) *CostBreakdown {
+	// Sora 媒体类型分支（仅 Claude 路径启用）
+	if opts.EnableClaudePath {
+		if result.MediaType == MediaTypeImage || result.MediaType == MediaTypeVideo {
+			return s.calculateSoraMediaCost(result, apiKey, billingModel, multiplier)
+		}
+		if result.MediaType == MediaTypePrompt {
+			return &CostBreakdown{}
+		}
+	}
+
 	// 图片生成计费
 	if result.ImageCount > 0 {
 		return s.calculateImageCost(ctx, result, apiKey, billingModel, multiplier)
@@ -7792,6 +8122,28 @@ func (s *GatewayService) calculateRecordUsageCost(
 	return s.calculateTokenCost(ctx, result, apiKey, billingModel, multiplier, opts)
 }
 
+// calculateSoraMediaCost 计算 Sora 图片/视频的费用。
+func (s *GatewayService) calculateSoraMediaCost(
+	result *ForwardResult,
+	apiKey *APIKey,
+	billingModel string,
+	multiplier float64,
+) *CostBreakdown {
+	var soraConfig *SoraPriceConfig
+	if apiKey.Group != nil {
+		soraConfig = &SoraPriceConfig{
+			ImagePrice360:          apiKey.Group.SoraImagePrice360,
+			ImagePrice540:          apiKey.Group.SoraImagePrice540,
+			VideoPricePerRequest:   apiKey.Group.SoraVideoPricePerRequest,
+			VideoPricePerRequestHD: apiKey.Group.SoraVideoPricePerRequestHD,
+		}
+	}
+	if result.MediaType == MediaTypeImage {
+		return s.billingService.CalculateSoraImageCost(result.ImageSize, result.ImageCount, soraConfig, multiplier)
+	}
+	return s.billingService.CalculateSoraVideoCost(billingModel, soraConfig, multiplier)
+}
+
 // resolveChannelPricing 检查指定模型是否存在渠道级别定价。
 // 返回非 nil 的 ResolvedPricing 表示有渠道定价，nil 表示走默认定价路径。
 func (s *GatewayService) resolveChannelPricing(ctx context.Context, billingModel string, apiKey *APIKey) *ResolvedPricing {
@@ -7814,7 +8166,7 @@ func (s *GatewayService) calculateImageCost(
 	billingModel string,
 	multiplier float64,
 ) *CostBreakdown {
-	if resolved := s.resolveChannelPricing(ctx, billingModel, apiKey); resolved != nil {
+	if s.resolveChannelPricing(ctx, billingModel, apiKey) != nil {
 		tokens := UsageTokens{
 			InputTokens:       result.Usage.InputTokens,
 			OutputTokens:      result.Usage.OutputTokens,
@@ -7829,7 +8181,6 @@ func (s *GatewayService) calculateImageCost(
 			RequestCount:   1,
 			RateMultiplier: multiplier,
 			Resolver:       s.resolver,
-			Resolved:       resolved,
 		})
 		if err != nil {
 			logger.LegacyPrintf("service.gateway", "Calculate image token cost failed: %v", err)
@@ -7872,7 +8223,7 @@ func (s *GatewayService) calculateTokenCost(
 	var err error
 
 	// 优先尝试渠道定价 → CalculateCostUnified
-	if resolved := s.resolveChannelPricing(ctx, billingModel, apiKey); resolved != nil {
+	if s.resolveChannelPricing(ctx, billingModel, apiKey) != nil {
 		gid := apiKey.Group.ID
 		cost, err = s.billingService.CalculateCostUnified(CostInput{
 			Ctx:            ctx,
@@ -7882,7 +8233,6 @@ func (s *GatewayService) calculateTokenCost(
 			RequestCount:   1,
 			RateMultiplier: multiplier,
 			Resolver:       s.resolver,
-			Resolved:       resolved,
 		})
 	} else if opts.LongContextThreshold > 0 {
 		// 长上下文双倍计费（如 Gemini 200K 阈值）
@@ -7940,12 +8290,13 @@ func (s *GatewayService) buildRecordUsageLog(
 		RateMultiplier:        multiplier,
 		AccountRateMultiplier: &accountRateMultiplier,
 		BillingType:           billingType,
-		BillingMode:           resolveBillingMode(result, cost),
+		BillingMode:           resolveBillingMode(opts, result, cost),
 		Stream:                result.Stream,
 		DurationMs:            &durationMs,
 		FirstTokenMs:          result.FirstTokenMs,
 		ImageCount:            result.ImageCount,
 		ImageSize:             optionalTrimmedStringPtr(result.ImageSize),
+		MediaType:             resolveMediaType(opts, result),
 		CacheTTLOverridden:    cacheTTLOverridden,
 		ChannelID:             optionalInt64Ptr(input.ChannelID),
 		ModelMappingChain:     optionalTrimmedStringPtr(input.ModelMappingChain),
@@ -7969,7 +8320,13 @@ func (s *GatewayService) buildRecordUsageLog(
 }
 
 // resolveBillingMode 根据计费结果和请求类型确定计费模式。
-func resolveBillingMode(result *ForwardResult, cost *CostBreakdown) *string {
+// Sora 媒体类型自身已确定计费模式（由上游处理），返回 nil 跳过。
+func resolveBillingMode(opts *recordUsageOpts, result *ForwardResult, cost *CostBreakdown) *string {
+	isSoraMedia := opts.EnableClaudePath &&
+		(result.MediaType == MediaTypeImage || result.MediaType == MediaTypeVideo || result.MediaType == MediaTypePrompt)
+	if isSoraMedia {
+		return nil
+	}
 	var mode string
 	switch {
 	case cost != nil && cost.BillingMode != "":
@@ -7982,6 +8339,13 @@ func resolveBillingMode(result *ForwardResult, cost *CostBreakdown) *string {
 	return &mode
 }
 
+func resolveMediaType(opts *recordUsageOpts, result *ForwardResult) *string {
+	if opts.EnableClaudePath && strings.TrimSpace(result.MediaType) != "" {
+		return &result.MediaType
+	}
+	return nil
+}
+
 func optionalSubscriptionID(subscription *UserSubscription) *int64 {
 	if subscription != nil {
 		return &subscription.ID
@@ -8010,8 +8374,8 @@ func (s *GatewayService) IsModelRestricted(ctx context.Context, groupID int64, m
 	return s.channelService.IsModelRestricted(ctx, groupID, model)
 }
 
-// ResolveChannelMappingAndRestrict 解析渠道映射。
-// 模型限制检查已移至调度阶段（checkChannelPricingRestriction），restricted 始终返回 false。
+// ResolveChannelMappingAndRestrict 解析渠道映射并检查模型限制。
+// 返回映射结果和是否被限制。
 func (s *GatewayService) ResolveChannelMappingAndRestrict(ctx context.Context, groupID *int64, model string) (ChannelMappingResult, bool) {
 	if s.channelService == nil {
 		return ChannelMappingResult{MappedModel: model}, false
@@ -8042,9 +8406,7 @@ func billingModelForRestriction(source, requestedModel, channelMappedModel strin
 		return requestedModel
 	case BillingModelSourceUpstream:
 		return ""
-	case BillingModelSourceChannelMapped:
-		return channelMappedModel
-	default:
+	default: // channel_mapped
 		return channelMappedModel
 	}
 }
@@ -8076,11 +8438,7 @@ func (s *GatewayService) needsUpstreamChannelRestrictionCheck(ctx context.Contex
 		return false
 	}
 	ch, err := s.channelService.GetChannelForGroup(ctx, *groupID)
-	if err != nil {
-		slog.Warn("failed to check channel upstream restriction", "group_id", *groupID, "error", err)
-		return false
-	}
-	if ch == nil || !ch.RestrictModels {
+	if err != nil || ch == nil || !ch.RestrictModels {
 		return false
 	}
 	return ch.BillingModelSource == BillingModelSourceUpstream
@@ -8172,12 +8530,10 @@ func (s *GatewayService) ForwardCountTokens(ctx context.Context, c *gin.Context,
 		return err
 	}
 
-	// 获取代理URL（自定义 base URL 模式下，proxy 通过 buildCustomRelayURL 作为查询参数传递）
+	// 获取代理URL
 	proxyURL := ""
 	if account.ProxyID != nil && account.Proxy != nil {
-		if !account.IsCustomBaseURLEnabled() || account.GetCustomBaseURL() == "" {
-			proxyURL = account.Proxy.URL()
-		}
+		proxyURL = account.Proxy.URL()
 	}
 
 	// 发送请求
@@ -8456,16 +8812,6 @@ func (s *GatewayService) buildCountTokensRequest(ctx context.Context, c *gin.Con
 			}
 			targetURL = validatedURL + "/v1/messages/count_tokens?beta=true"
 		}
-	} else if account.IsCustomBaseURLEnabled() {
-		customURL := account.GetCustomBaseURL()
-		if customURL == "" {
-			return nil, fmt.Errorf("custom_base_url is enabled but not configured for account %d", account.ID)
-		}
-		validatedURL, err := s.validateUpstreamBaseURL(customURL)
-		if err != nil {
-			return nil, err
-		}
-		targetURL = s.buildCustomRelayURL(validatedURL, "/v1/messages/count_tokens", account)
 	}
 
 	clientHeaders := http.Header{}
@@ -8475,9 +8821,9 @@ func (s *GatewayService) buildCountTokensRequest(ctx context.Context, c *gin.Con
 
 	// OAuth 账号：应用统一指纹和重写 userID（受设置开关控制）
 	// 如果启用了会话ID伪装，会在重写后替换 session 部分为固定值
-	ctEnableFP, ctEnableMPT, ctEnableCCH := true, false, false
+	ctEnableFP, ctEnableMPT := true, false
 	if s.settingService != nil {
-		ctEnableFP, ctEnableMPT, ctEnableCCH = s.settingService.GetGatewayForwardingSettings(ctx)
+		ctEnableFP, ctEnableMPT = s.settingService.GetGatewayForwardingSettings(ctx)
 	}
 	var ctFingerprint *Fingerprint
 	if account.IsOAuth() && s.identityService != nil {
@@ -8495,14 +8841,6 @@ func (s *GatewayService) buildCountTokensRequest(ctx context.Context, c *gin.Con
 		}
 	}
 
-	// 同步 billing header cc_version 与实际发送的 User-Agent 版本
-	if ctFingerprint != nil && ctEnableFP {
-		body = syncBillingHeaderVersion(body, ctFingerprint.UserAgent)
-	}
-	if ctEnableCCH {
-		body = signBillingHeaderCCH(body)
-	}
-
 	req, err := http.NewRequestWithContext(ctx, "POST", targetURL, bytes.NewReader(body))
 	if err != nil {
 		return nil, err
@@ -8543,7 +8881,7 @@ func (s *GatewayService) buildCountTokensRequest(ctx context.Context, c *gin.Con
 	}
 
 	// Build effective drop set for count_tokens: merge static defaults with dynamic beta policy filter rules
-	ctEffectiveDropSet := mergeDropSets(s.getBetaPolicyFilterSet(ctx, c, account, modelID))
+	ctEffectiveDropSet := mergeDropSets(s.getBetaPolicyFilterSet(ctx, c, account))
 
 	// OAuth 账号：处理 anthropic-beta header
 	if tokenType == "oauth" {
@@ -8579,15 +8917,6 @@ func (s *GatewayService) buildCountTokensRequest(ctx context.Context, c *gin.Con
 		}
 	}
 
-	// 同步 X-Claude-Code-Session-Id 头：取 body 中已处理的 metadata.user_id 的 session_id 覆盖
-	if sessionHeader := getHeaderRaw(req.Header, "X-Claude-Code-Session-Id"); sessionHeader != "" {
-		if uid := gjson.GetBytes(body, "metadata.user_id").String(); uid != "" {
-			if parsed := ParseMetadataUserID(uid); parsed != nil {
-				setHeaderRaw(req.Header, "X-Claude-Code-Session-Id", parsed.SessionID)
-			}
-		}
-	}
-
 	if c != nil && tokenType == "oauth" {
 		c.Set(claudeMimicDebugInfoKey, buildClaudeMimicDebugLine(req, body, account, tokenType, mimicClaudeCode))
 	}
@@ -8609,19 +8938,6 @@ func (s *GatewayService) countTokensError(c *gin.Context, status int, errType, m
 	})
 }
 
-// buildCustomRelayURL 构建自定义中继转发 URL
-// 在 path 后附加 beta=true 和可选的 proxy 查询参数
-func (s *GatewayService) buildCustomRelayURL(baseURL, path string, account *Account) string {
-	u := strings.TrimRight(baseURL, "/") + path + "?beta=true"
-	if account.ProxyID != nil && account.Proxy != nil {
-		proxyURL := account.Proxy.URL()
-		if proxyURL != "" {
-			u += "&proxy=" + url.QueryEscape(proxyURL)
-		}
-	}
-	return u
-}
-
 func (s *GatewayService) validateUpstreamBaseURL(raw string) (string, error) {
 	if s.cfg != nil && !s.cfg.Security.URLAllowlist.Enabled {
 		normalized, err := urlvalidator.ValidateURLFormat(raw, s.cfg.Security.URLAllowlist.AllowInsecureHTTP)

From 160903fce7841b99d761b30372f793bcbf448c5f Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Thu, 2 Apr 2026 13:36:58 +0800
Subject: [PATCH 015/122] fix: address review findings for channel restriction
 refactoring
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Fix 7 stale comments still mentioning "限制检查" in handlers/services
- Make billingModelForRestriction explicitly list channel_mapped case
- Add slog.Warn for error swallowing in ResolveChannelMapping and
  needsUpstreamChannelRestrictionCheck
- Document sticky session upstream check exemption
---
 .../handler/gateway_handler_chat_completions.go |  2 +-
 .../handler/gateway_handler_responses.go        |  2 +-
 .../internal/handler/gemini_v1beta_handler.go   |  2 +-
 .../internal/handler/openai_chat_completions.go |  2 +-
 .../internal/handler/openai_gateway_handler.go  |  2 +-
 backend/internal/service/gateway_service.go     | 17 +++++++++++++----
 6 files changed, 18 insertions(+), 9 deletions(-)

diff --git a/backend/internal/handler/gateway_handler_chat_completions.go b/backend/internal/handler/gateway_handler_chat_completions.go
index abe2a1e5..be267332 100644
--- a/backend/internal/handler/gateway_handler_chat_completions.go
+++ b/backend/internal/handler/gateway_handler_chat_completions.go
@@ -80,7 +80,7 @@ func (h *GatewayHandler) ChatCompletions(c *gin.Context) {
 	setOpsRequestContext(c, reqModel, reqStream, body)
 	setOpsEndpointContext(c, "", int16(service.RequestTypeFromLegacy(reqStream, false)))
 
-	// 解析渠道级模型映射 + 限制检查
+	// 解析渠道级模型映射
 	channelMapping, _ := h.gatewayService.ResolveChannelMappingAndRestrict(c.Request.Context(), apiKey.GroupID, reqModel)
 
 	// Claude Code only restriction
diff --git a/backend/internal/handler/gateway_handler_responses.go b/backend/internal/handler/gateway_handler_responses.go
index cf877182..e908eb9e 100644
--- a/backend/internal/handler/gateway_handler_responses.go
+++ b/backend/internal/handler/gateway_handler_responses.go
@@ -80,7 +80,7 @@ func (h *GatewayHandler) Responses(c *gin.Context) {
 	setOpsRequestContext(c, reqModel, reqStream, body)
 	setOpsEndpointContext(c, "", int16(service.RequestTypeFromLegacy(reqStream, false)))
 
-	// 解析渠道级模型映射 + 限制检查
+	// 解析渠道级模型映射
 	channelMapping, _ := h.gatewayService.ResolveChannelMappingAndRestrict(c.Request.Context(), apiKey.GroupID, reqModel)
 
 	// Claude Code only restriction:
diff --git a/backend/internal/handler/gemini_v1beta_handler.go b/backend/internal/handler/gemini_v1beta_handler.go
index ff63bc7f..45b5842f 100644
--- a/backend/internal/handler/gemini_v1beta_handler.go
+++ b/backend/internal/handler/gemini_v1beta_handler.go
@@ -184,7 +184,7 @@ func (h *GatewayHandler) GeminiV1BetaModels(c *gin.Context) {
 	setOpsRequestContext(c, modelName, stream, body)
 	setOpsEndpointContext(c, "", int16(service.RequestTypeFromLegacy(stream, false)))
 
-	// 解析渠道级模型映射 + 限制检查
+	// 解析渠道级模型映射
 	channelMapping, _ := h.gatewayService.ResolveChannelMappingAndRestrict(c.Request.Context(), apiKey.GroupID, modelName)
 	reqModel := modelName // 保存映射前的原始模型名
 	if channelMapping.Mapped {
diff --git a/backend/internal/handler/openai_chat_completions.go b/backend/internal/handler/openai_chat_completions.go
index ada401c9..991cbb91 100644
--- a/backend/internal/handler/openai_chat_completions.go
+++ b/backend/internal/handler/openai_chat_completions.go
@@ -79,7 +79,7 @@ func (h *OpenAIGatewayHandler) ChatCompletions(c *gin.Context) {
 	setOpsRequestContext(c, reqModel, reqStream, body)
 	setOpsEndpointContext(c, "", int16(service.RequestTypeFromLegacy(reqStream, false)))
 
-	// 解析渠道级模型映射 + 限制检查
+	// 解析渠道级模型映射
 	channelMapping, _ := h.gatewayService.ResolveChannelMappingAndRestrict(c.Request.Context(), apiKey.GroupID, reqModel)
 
 	if h.errorPassthroughService != nil {
diff --git a/backend/internal/handler/openai_gateway_handler.go b/backend/internal/handler/openai_gateway_handler.go
index 2b081617..dda6d2e3 100644
--- a/backend/internal/handler/openai_gateway_handler.go
+++ b/backend/internal/handler/openai_gateway_handler.go
@@ -1118,7 +1118,7 @@ func (h *OpenAIGatewayHandler) ResponsesWebSocket(c *gin.Context) {
 	setOpsRequestContext(c, reqModel, true, firstMessage)
 	setOpsEndpointContext(c, "", int16(service.RequestTypeWSV2))
 
-	// 解析渠道级模型映射 + 限制检查
+	// 解析渠道级模型映射
 	channelMappingWS, _ := h.gatewayService.ResolveChannelMappingAndRestrict(ctx, apiKey.GroupID, reqModel)
 
 	var currentUserRelease func()
diff --git a/backend/internal/service/gateway_service.go b/backend/internal/service/gateway_service.go
index 33ab38f2..24f36113 100644
--- a/backend/internal/service/gateway_service.go
+++ b/backend/internal/service/gateway_service.go
@@ -3143,6 +3143,8 @@ func (s *GatewayService) selectAccountForModelWithPlatform(ctx context.Context,
 	ctx = s.withRPMPrefetch(ctx, accounts)
 
 	// 3. 按优先级+最久未用选择（考虑模型支持）
+	// needsUpstreamCheck 仅在主选择循环中使用；粘性会话命中时跳过此检查，
+	// 因为粘性会话优先保持连接一致性，且 upstream 计费基准极少使用。
 	needsUpstreamCheck := s.needsUpstreamChannelRestrictionCheck(ctx, groupID)
 	var selected *Account
 	for i := range accounts {
@@ -3381,6 +3383,7 @@ func (s *GatewayService) selectAccountWithMixedScheduling(ctx context.Context, g
 	ctx = s.withRPMPrefetch(ctx, accounts)
 
 	// 3. 按优先级+最久未用选择（考虑模型支持和混合调度）
+	// needsUpstreamCheck 仅在主选择循环中使用；粘性会话命中时跳过此检查。
 	needsUpstreamCheck := s.needsUpstreamChannelRestrictionCheck(ctx, groupID)
 	var selected *Account
 	for i := range accounts {
@@ -8374,8 +8377,8 @@ func (s *GatewayService) IsModelRestricted(ctx context.Context, groupID int64, m
 	return s.channelService.IsModelRestricted(ctx, groupID, model)
 }
 
-// ResolveChannelMappingAndRestrict 解析渠道映射并检查模型限制。
-// 返回映射结果和是否被限制。
+// ResolveChannelMappingAndRestrict 解析渠道映射。
+// 模型限制检查已移至调度阶段（checkChannelPricingRestriction），restricted 始终返回 false。
 func (s *GatewayService) ResolveChannelMappingAndRestrict(ctx context.Context, groupID *int64, model string) (ChannelMappingResult, bool) {
 	if s.channelService == nil {
 		return ChannelMappingResult{MappedModel: model}, false
@@ -8406,7 +8409,9 @@ func billingModelForRestriction(source, requestedModel, channelMappedModel strin
 		return requestedModel
 	case BillingModelSourceUpstream:
 		return ""
-	default: // channel_mapped
+	case BillingModelSourceChannelMapped:
+		return channelMappedModel
+	default:
 		return channelMappedModel
 	}
 }
@@ -8438,7 +8443,11 @@ func (s *GatewayService) needsUpstreamChannelRestrictionCheck(ctx context.Contex
 		return false
 	}
 	ch, err := s.channelService.GetChannelForGroup(ctx, *groupID)
-	if err != nil || ch == nil || !ch.RestrictModels {
+	if err != nil {
+		slog.Warn("failed to check channel upstream restriction", "group_id", *groupID, "error", err)
+		return false
+	}
+	if ch == nil || !ch.RestrictModels {
 		return false
 	}
 	return ch.BillingModelSource == BillingModelSourceUpstream

From e3748741257c2c6b96ced2c0c0284dd31cc5e358 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Fri, 3 Apr 2026 13:54:18 +0800
Subject: [PATCH 016/122] feat(channel): improve cache strategy and add
 restriction logging

- Change channel cache TTL from 60s to 10min (reduce unnecessary DB queries)
- Actively rebuild cache after CRUD instead of lazy invalidation
- Add slog.Warn logging for channel pricing restriction blocks (4 places)
---
 backend/internal/service/channel_service.go | 378 ++++++++------------
 backend/internal/service/gateway_service.go |  46 ++-
 2 files changed, 183 insertions(+), 241 deletions(-)

diff --git a/backend/internal/service/channel_service.go b/backend/internal/service/channel_service.go
index 9667cb98..c6a249ef 100644
--- a/backend/internal/service/channel_service.go
+++ b/backend/internal/service/channel_service.go
@@ -134,7 +134,7 @@ func (r ChannelMappingResult) ToUsageFields(reqModel, upstreamModel string) Chan
 
 const (
 	channelCacheTTL       = 10 * time.Minute
-	channelErrorTTL       = 5 * time.Second // DB 错误时的短缓存
+	channelErrorTTL       = 5 * time.Second  // DB 错误时的短缓存
 	channelCacheDBTimeout = 10 * time.Second
 )
 
@@ -197,8 +197,10 @@ func newEmptyChannelCache() *channelCache {
 }
 
 // expandPricingToCache 将渠道的模型定价展开到缓存（按分组+平台维度）。
-// 各平台严格独立：antigravity 分组只匹配 antigravity 定价，不会匹配 anthropic/gemini 的定价。
-// 查找时通过 lookupPricingAcrossPlatforms() 在本平台内查找。
+// antigravity 平台同时服务 Claude 和 Gemini 模型，需匹配 anthropic/gemini 的定价条目。
+// 缓存 key 使用定价条目的原始平台（pricing.Platform），而非分组平台，
+// 避免跨平台同名模型（如 anthropic 和 gemini 都有 "model-x"）互相覆盖。
+// 查找时通过 lookupPricingAcrossPlatforms() 依次尝试所有匹配平台。
 func expandPricingToCache(cache *channelCache, ch *Channel, gid int64, platform string) {
 	for j := range ch.ModelPricing {
 		pricing := &ch.ModelPricing[j]
@@ -224,7 +226,8 @@ func expandPricingToCache(cache *channelCache, ch *Channel, gid int64, platform
 }
 
 // expandMappingToCache 将渠道的模型映射展开到缓存（按分组+平台维度）。
-// 各平台严格独立：antigravity 分组只匹配 antigravity 映射。
+// antigravity 平台同时服务 Claude 和 Gemini 模型。
+// 缓存 key 使用映射条目的原始平台（mappingPlatform），避免跨平台同名映射覆盖。
 func expandMappingToCache(cache *channelCache, ch *Channel, gid int64, platform string) {
 	for _, mappingPlatform := range matchingPlatforms(platform) {
 		platformMapping, ok := ch.ModelMapping[mappingPlatform]
@@ -248,58 +251,40 @@ func expandMappingToCache(cache *channelCache, ch *Channel, gid int64, platform
 	}
 }
 
-// storeErrorCache 存入短 TTL 空缓存，防止 DB 错误后紧密重试。
-// 通过回退 loadedAt 使剩余 TTL = channelErrorTTL。
-func (s *ChannelService) storeErrorCache() {
-	errorCache := newEmptyChannelCache()
-	errorCache.loadedAt = time.Now().Add(-(channelCacheTTL - channelErrorTTL))
-	s.cache.Store(errorCache)
-}
-
 // buildCache 从数据库构建渠道缓存。
 // 使用独立 context 避免请求取消导致空值被长期缓存。
 func (s *ChannelService) buildCache(ctx context.Context) (*channelCache, error) {
+	// 断开请求取消链，避免客户端断连导致空值被长期缓存
 	dbCtx, cancel := context.WithTimeout(context.WithoutCancel(ctx), channelCacheDBTimeout)
 	defer cancel()
 
-	channels, groupPlatforms, err := s.fetchChannelData(dbCtx)
-	if err != nil {
-		return nil, err
-	}
-
-	cache := populateChannelCache(channels, groupPlatforms)
-	s.cache.Store(cache)
-	return cache, nil
-}
-
-// fetchChannelData 从数据库加载渠道列表和分组平台映射。
-func (s *ChannelService) fetchChannelData(ctx context.Context) ([]Channel, map[int64]string, error) {
-	channels, err := s.repo.ListAll(ctx)
+	channels, err := s.repo.ListAll(dbCtx)
 	if err != nil {
+		// error-TTL：失败时存入短 TTL 空缓存，防止紧密重试
 		slog.Warn("failed to build channel cache", "error", err)
-		s.storeErrorCache()
-		return nil, nil, fmt.Errorf("list all channels: %w", err)
+		errorCache := newEmptyChannelCache()
+		errorCache.loadedAt = time.Now().Add(-(channelCacheTTL - channelErrorTTL)) // 使剩余 TTL = errorTTL
+		s.cache.Store(errorCache)
+		return nil, fmt.Errorf("list all channels: %w", err)
 	}
 
+	// 收集所有 groupID，批量查询 platform
 	var allGroupIDs []int64
 	for i := range channels {
 		allGroupIDs = append(allGroupIDs, channels[i].GroupIDs...)
 	}
-
 	groupPlatforms := make(map[int64]string)
 	if len(allGroupIDs) > 0 {
-		groupPlatforms, err = s.repo.GetGroupPlatforms(ctx, allGroupIDs)
+		groupPlatforms, err = s.repo.GetGroupPlatforms(dbCtx, allGroupIDs)
 		if err != nil {
 			slog.Warn("failed to load group platforms for channel cache", "error", err)
-			s.storeErrorCache()
-			return nil, nil, fmt.Errorf("get group platforms: %w", err)
+			errorCache := newEmptyChannelCache()
+			errorCache.loadedAt = time.Now().Add(-(channelCacheTTL - channelErrorTTL))
+			s.cache.Store(errorCache)
+			return nil, fmt.Errorf("get group platforms: %w", err)
 		}
 	}
-	return channels, groupPlatforms, nil
-}
 
-// populateChannelCache 将渠道列表和分组平台映射填充到缓存快照中。
-func populateChannelCache(channels []Channel, groupPlatforms map[int64]string) *channelCache {
 	cache := newEmptyChannelCache()
 	cache.groupPlatform = groupPlatforms
 	cache.byID = make(map[int64]*Channel, len(channels))
@@ -308,6 +293,7 @@ func populateChannelCache(channels []Channel, groupPlatforms map[int64]string) *
 	for i := range channels {
 		ch := &channels[i]
 		cache.byID[ch.ID] = ch
+
 		for _, gid := range ch.GroupIDs {
 			cache.channelByGroupID[gid] = ch
 			platform := groupPlatforms[gid]
@@ -315,20 +301,33 @@ func populateChannelCache(channels []Channel, groupPlatforms map[int64]string) *
 			expandMappingToCache(cache, ch, gid, platform)
 		}
 	}
-	return cache
+
+	// 通配符条目保持配置顺序（最先匹配到优先）
+
+	s.cache.Store(cache)
+	return cache, nil
 }
 
 // invalidateCache 使缓存失效，让下次读取时自然重建
 
 // isPlatformPricingMatch 判断定价条目的平台是否匹配分组平台。
-// 各平台（antigravity / anthropic / gemini / openai）严格独立，不跨平台匹配。
+// antigravity 平台同时服务 Claude（anthropic）和 Gemini（gemini）模型，
+// 因此 antigravity 分组应匹配 anthropic 和 gemini 的定价条目。
 func isPlatformPricingMatch(groupPlatform, pricingPlatform string) bool {
-	return groupPlatform == pricingPlatform
+	if groupPlatform == pricingPlatform {
+		return true
+	}
+	if groupPlatform == PlatformAntigravity {
+		return pricingPlatform == PlatformAnthropic || pricingPlatform == PlatformGemini
+	}
+	return false
 }
 
-// matchingPlatforms 返回分组平台对应的可匹配平台列表。
-// 各平台严格独立，只返回自身。
+// matchingPlatforms 返回分组平台对应的所有可匹配平台列表。
 func matchingPlatforms(groupPlatform string) []string {
+	if groupPlatform == PlatformAntigravity {
+		return []string{PlatformAntigravity, PlatformAnthropic, PlatformGemini}
+	}
 	return []string{groupPlatform}
 }
 func (s *ChannelService) invalidateCache() {
@@ -365,8 +364,10 @@ func (c *channelCache) matchWildcardMapping(groupID int64, platform, modelLower
 	return ""
 }
 
-// lookupPricingAcrossPlatforms 在分组平台内查找模型定价。
-// 各平台严格独立，只在本平台内查找（先精确匹配，再通配符）。
+// lookupPricingAcrossPlatforms 在所有匹配平台中查找模型定价。
+// antigravity 分组的缓存 key 使用定价条目的原始平台，因此查找时需依次尝试
+// matchingPlatforms() 返回的所有平台（antigravity → anthropic → gemini），
+// 返回第一个命中的结果。非 antigravity 平台只尝试自身。
 func lookupPricingAcrossPlatforms(cache *channelCache, groupID int64, groupPlatform, modelLower string) *ChannelModelPricing {
 	for _, p := range matchingPlatforms(groupPlatform) {
 		key := channelModelKey{groupID: groupID, platform: p, model: modelLower}
@@ -383,7 +384,7 @@ func lookupPricingAcrossPlatforms(cache *channelCache, groupID int64, groupPlatf
 	return nil
 }
 
-// lookupMappingAcrossPlatforms 在分组平台内查找模型映射。
+// lookupMappingAcrossPlatforms 在所有匹配平台中查找模型映射。
 // 逻辑与 lookupPricingAcrossPlatforms 相同：先精确查找，再通配符。
 func lookupMappingAcrossPlatforms(cache *channelCache, groupID int64, groupPlatform, modelLower string) string {
 	for _, p := range matchingPlatforms(groupPlatform) {
@@ -441,7 +442,8 @@ func (s *ChannelService) lookupGroupChannel(ctx context.Context, groupID int64)
 }
 
 // GetChannelModelPricing 获取指定分组+模型的渠道定价（热路径 O(1)）。
-// 各平台严格独立，只在本平台内查找定价。
+// antigravity 分组依次尝试所有匹配平台（antigravity → anthropic → gemini），
+// 确保跨平台同名模型各自独立匹配。
 func (s *ChannelService) GetChannelModelPricing(ctx context.Context, groupID int64, model string) *ChannelModelPricing {
 	lk, err := s.lookupGroupChannel(ctx, groupID)
 	if err != nil {
@@ -479,10 +481,7 @@ func (s *ChannelService) ResolveChannelMapping(ctx context.Context, groupID int6
 // 返回 true 表示模型被限制（不在允许列表中）。
 // 如果渠道未启用模型限制或分组无渠道关联，返回 false。
 func (s *ChannelService) IsModelRestricted(ctx context.Context, groupID int64, model string) bool {
-	lk, err := s.lookupGroupChannel(ctx, groupID)
-	if err != nil {
-		slog.Warn("failed to load channel cache for model restriction check", "group_id", groupID, "error", err)
-	}
+	lk, _ := s.lookupGroupChannel(ctx, groupID)
 	if lk == nil {
 		return false
 	}
@@ -525,7 +524,7 @@ func resolveMapping(lk *channelLookup, groupID int64, model string) ChannelMappi
 }
 
 // checkRestricted 基于已查找的渠道信息检查模型是否被限制。
-// 只在本平台的定价列表中查找。
+// antigravity 分组依次尝试所有匹配平台的定价列表。
 func checkRestricted(lk *channelLookup, groupID int64, model string) bool {
 	if !lk.channel.RestrictModels {
 		return false
@@ -553,91 +552,6 @@ func ReplaceModelInBody(body []byte, newModel string) []byte {
 	return newBody
 }
 
-// validateChannelConfig 校验渠道的定价和映射配置（冲突检测 + 区间校验 + 计费模式校验）。
-// Create 和 Update 共用此函数，避免重复。
-func validateChannelConfig(pricing []ChannelModelPricing, mapping map[string]map[string]string) error {
-	if err := validateNoConflictingModels(pricing); err != nil {
-		return err
-	}
-	if err := validatePricingIntervals(pricing); err != nil {
-		return err
-	}
-	if err := validateNoConflictingMappings(mapping); err != nil {
-		return err
-	}
-	return validatePricingBillingMode(pricing)
-}
-
-// validatePricingBillingMode 校验计费模式配置：按次/图片模式必须配价格或区间，所有价格字段不能为负，区间至少有一个价格字段。
-func validatePricingBillingMode(pricing []ChannelModelPricing) error {
-	for _, p := range pricing {
-		if err := checkBillingModeRequirements(p); err != nil {
-			return err
-		}
-		if err := checkPricesNotNegative(p); err != nil {
-			return err
-		}
-		if err := checkIntervalsHavePrices(p); err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func checkBillingModeRequirements(p ChannelModelPricing) error {
-	if p.BillingMode == BillingModePerRequest || p.BillingMode == BillingModeImage {
-		if p.PerRequestPrice == nil && len(p.Intervals) == 0 {
-			return infraerrors.BadRequest(
-				"BILLING_MODE_MISSING_PRICE",
-				"per-request price or intervals required for per_request/image billing mode",
-			)
-		}
-	}
-	return nil
-}
-
-func checkPricesNotNegative(p ChannelModelPricing) error {
-	checks := []struct {
-		field string
-		val   *float64
-	}{
-		{"input_price", p.InputPrice},
-		{"output_price", p.OutputPrice},
-		{"cache_write_price", p.CacheWritePrice},
-		{"cache_read_price", p.CacheReadPrice},
-		{"image_output_price", p.ImageOutputPrice},
-		{"per_request_price", p.PerRequestPrice},
-	}
-	for _, c := range checks {
-		if c.val != nil && *c.val < 0 {
-			return infraerrors.BadRequest("NEGATIVE_PRICE", fmt.Sprintf("%s must be >= 0", c.field))
-		}
-	}
-	return nil
-}
-
-func checkIntervalsHavePrices(p ChannelModelPricing) error {
-	for _, iv := range p.Intervals {
-		if iv.InputPrice == nil && iv.OutputPrice == nil &&
-			iv.CacheWritePrice == nil && iv.CacheReadPrice == nil &&
-			iv.PerRequestPrice == nil {
-			return infraerrors.BadRequest(
-				"INTERVAL_MISSING_PRICE",
-				fmt.Sprintf("interval [%d, %s] has no price fields set for model %v",
-					iv.MinTokens, formatMaxTokens(iv.MaxTokens), p.Models),
-			)
-		}
-	}
-	return nil
-}
-
-func formatMaxTokens(max *int) string {
-	if max == nil {
-		return "∞"
-	}
-	return fmt.Sprintf("%d", *max)
-}
-
 // --- CRUD ---
 
 // Create 创建渠道
@@ -650,8 +564,15 @@ func (s *ChannelService) Create(ctx context.Context, input *CreateChannelInput)
 		return nil, ErrChannelExists
 	}
 
-	if err := s.checkGroupConflicts(ctx, 0, input.GroupIDs); err != nil {
-		return nil, err
+	// 检查分组冲突
+	if len(input.GroupIDs) > 0 {
+		conflicting, err := s.repo.GetGroupsInOtherChannels(ctx, 0, input.GroupIDs)
+		if err != nil {
+			return nil, fmt.Errorf("check group conflicts: %w", err)
+		}
+		if len(conflicting) > 0 {
+			return nil, ErrGroupAlreadyInChannel
+		}
 	}
 
 	channel := &Channel{
@@ -668,7 +589,13 @@ func (s *ChannelService) Create(ctx context.Context, input *CreateChannelInput)
 		channel.BillingModelSource = BillingModelSourceChannelMapped
 	}
 
-	if err := validateChannelConfig(channel.ModelPricing, channel.ModelMapping); err != nil {
+	if err := validateNoConflictingModels(channel.ModelPricing); err != nil {
+		return nil, err
+	}
+	if err := validatePricingIntervals(channel.ModelPricing); err != nil {
+		return nil, err
+	}
+	if err := validateNoConflictingMappings(channel.ModelMapping); err != nil {
 		return nil, err
 	}
 
@@ -692,112 +619,102 @@ func (s *ChannelService) Update(ctx context.Context, id int64, input *UpdateChan
 		return nil, fmt.Errorf("get channel: %w", err)
 	}
 
-	if err := s.applyUpdateInput(ctx, channel, input); err != nil {
+	if input.Name != "" && input.Name != channel.Name {
+		exists, err := s.repo.ExistsByNameExcluding(ctx, input.Name, id)
+		if err != nil {
+			return nil, fmt.Errorf("check channel exists: %w", err)
+		}
+		if exists {
+			return nil, ErrChannelExists
+		}
+		channel.Name = input.Name
+	}
+
+	if input.Description != nil {
+		channel.Description = *input.Description
+	}
+
+	if input.Status != "" {
+		channel.Status = input.Status
+	}
+
+	if input.RestrictModels != nil {
+		channel.RestrictModels = *input.RestrictModels
+	}
+
+	// 检查分组冲突
+	if input.GroupIDs != nil {
+		conflicting, err := s.repo.GetGroupsInOtherChannels(ctx, id, *input.GroupIDs)
+		if err != nil {
+			return nil, fmt.Errorf("check group conflicts: %w", err)
+		}
+		if len(conflicting) > 0 {
+			return nil, ErrGroupAlreadyInChannel
+		}
+		channel.GroupIDs = *input.GroupIDs
+	}
+
+	if input.ModelPricing != nil {
+		channel.ModelPricing = *input.ModelPricing
+	}
+
+	if input.ModelMapping != nil {
+		channel.ModelMapping = input.ModelMapping
+	}
+
+	if input.BillingModelSource != "" {
+		channel.BillingModelSource = input.BillingModelSource
+	}
+
+	if err := validateNoConflictingModels(channel.ModelPricing); err != nil {
+		return nil, err
+	}
+	if err := validatePricingIntervals(channel.ModelPricing); err != nil {
+		return nil, err
+	}
+	if err := validateNoConflictingMappings(channel.ModelMapping); err != nil {
 		return nil, err
 	}
 
-	if err := validateChannelConfig(channel.ModelPricing, channel.ModelMapping); err != nil {
-		return nil, err
+	// 先获取旧分组，Update 后旧分组关联已删除，无法再查到
+	var oldGroupIDs []int64
+	if s.authCacheInvalidator != nil {
+		var err2 error
+		oldGroupIDs, err2 = s.repo.GetGroupIDs(ctx, id)
+		if err2 != nil {
+			slog.Warn("failed to get old group IDs for cache invalidation", "channel_id", id, "error", err2)
+		}
 	}
 
-	oldGroupIDs := s.getOldGroupIDs(ctx, id)
-
 	if err := s.repo.Update(ctx, channel); err != nil {
 		return nil, fmt.Errorf("update channel: %w", err)
 	}
 
 	s.invalidateCache()
-	s.invalidateAuthCacheForGroups(ctx, oldGroupIDs, channel.GroupIDs)
+
+	// 失效新旧分组的 auth 缓存
+	if s.authCacheInvalidator != nil {
+		seen := make(map[int64]struct{}, len(oldGroupIDs)+len(channel.GroupIDs))
+		for _, gid := range oldGroupIDs {
+			if _, ok := seen[gid]; !ok {
+				seen[gid] = struct{}{}
+				s.authCacheInvalidator.InvalidateAuthCacheByGroupID(ctx, gid)
+			}
+		}
+		for _, gid := range channel.GroupIDs {
+			if _, ok := seen[gid]; !ok {
+				seen[gid] = struct{}{}
+				s.authCacheInvalidator.InvalidateAuthCacheByGroupID(ctx, gid)
+			}
+		}
+	}
 
 	return s.repo.GetByID(ctx, id)
 }
 
-// applyUpdateInput 将更新请求的字段应用到渠道实体上。
-func (s *ChannelService) applyUpdateInput(ctx context.Context, channel *Channel, input *UpdateChannelInput) error {
-	if input.Name != "" && input.Name != channel.Name {
-		exists, err := s.repo.ExistsByNameExcluding(ctx, input.Name, channel.ID)
-		if err != nil {
-			return fmt.Errorf("check channel exists: %w", err)
-		}
-		if exists {
-			return ErrChannelExists
-		}
-		channel.Name = input.Name
-	}
-	if input.Description != nil {
-		channel.Description = *input.Description
-	}
-	if input.Status != "" {
-		channel.Status = input.Status
-	}
-	if input.RestrictModels != nil {
-		channel.RestrictModels = *input.RestrictModels
-	}
-	if input.GroupIDs != nil {
-		if err := s.checkGroupConflicts(ctx, channel.ID, *input.GroupIDs); err != nil {
-			return err
-		}
-		channel.GroupIDs = *input.GroupIDs
-	}
-	if input.ModelPricing != nil {
-		channel.ModelPricing = *input.ModelPricing
-	}
-	if input.ModelMapping != nil {
-		channel.ModelMapping = input.ModelMapping
-	}
-	if input.BillingModelSource != "" {
-		channel.BillingModelSource = input.BillingModelSource
-	}
-	return nil
-}
-
-// checkGroupConflicts 检查待关联的分组是否已属于其他渠道。
-// channelID 为当前渠道 ID（Create 时传 0）。
-func (s *ChannelService) checkGroupConflicts(ctx context.Context, channelID int64, groupIDs []int64) error {
-	if len(groupIDs) == 0 {
-		return nil
-	}
-	conflicting, err := s.repo.GetGroupsInOtherChannels(ctx, channelID, groupIDs)
-	if err != nil {
-		return fmt.Errorf("check group conflicts: %w", err)
-	}
-	if len(conflicting) > 0 {
-		return ErrGroupAlreadyInChannel
-	}
-	return nil
-}
-
-// getOldGroupIDs 获取渠道更新前的关联分组 ID（用于失效 auth 缓存）。
-func (s *ChannelService) getOldGroupIDs(ctx context.Context, channelID int64) []int64 {
-	if s.authCacheInvalidator == nil {
-		return nil
-	}
-	oldGroupIDs, err := s.repo.GetGroupIDs(ctx, channelID)
-	if err != nil {
-		slog.Warn("failed to get old group IDs for cache invalidation", "channel_id", channelID, "error", err)
-	}
-	return oldGroupIDs
-}
-
-// invalidateAuthCacheForGroups 对新旧分组去重后逐个失效 auth 缓存。
-func (s *ChannelService) invalidateAuthCacheForGroups(ctx context.Context, groupIDSets ...[]int64) {
-	if s.authCacheInvalidator == nil {
-		return
-	}
-	seen := make(map[int64]struct{})
-	for _, ids := range groupIDSets {
-		for _, gid := range ids {
-			if _, ok := seen[gid]; ok {
-				continue
-			}
-			seen[gid] = struct{}{}
-			s.authCacheInvalidator.InvalidateAuthCacheByGroupID(ctx, gid)
-		}
-	}
-}
-
 // Delete 删除渠道
 func (s *ChannelService) Delete(ctx context.Context, id int64) error {
+	// 先获取关联分组用于失效缓存
 	groupIDs, err := s.repo.GetGroupIDs(ctx, id)
 	if err != nil {
 		slog.Warn("failed to get group IDs before delete", "channel_id", id, "error", err)
@@ -808,7 +725,12 @@ func (s *ChannelService) Delete(ctx context.Context, id int64) error {
 	}
 
 	s.invalidateCache()
-	s.invalidateAuthCacheForGroups(ctx, groupIDs)
+
+	if s.authCacheInvalidator != nil {
+		for _, gid := range groupIDs {
+			s.authCacheInvalidator.InvalidateAuthCacheByGroupID(ctx, gid)
+		}
+	}
 
 	return nil
 }
diff --git a/backend/internal/service/gateway_service.go b/backend/internal/service/gateway_service.go
index 24f36113..31137fb4 100644
--- a/backend/internal/service/gateway_service.go
+++ b/backend/internal/service/gateway_service.go
@@ -1234,11 +1234,6 @@ func (s *GatewayService) SelectAccountForModel(ctx context.Context, groupID *int
 
 // SelectAccountForModelWithExclusions selects an account supporting the requested model while excluding specified accounts.
 func (s *GatewayService) SelectAccountForModelWithExclusions(ctx context.Context, groupID *int64, sessionHash string, requestedModel string, excludedIDs map[int64]struct{}) (*Account, error) {
-	// 渠道定价限制预检查（requested / channel_mapped 基准）
-	if s.checkChannelPricingRestriction(ctx, groupID, requestedModel) {
-		return nil, fmt.Errorf("%w supporting model: %s (channel pricing restriction)", ErrNoAvailableAccounts, requestedModel)
-	}
-
 	// 优先检查 context 中的强制平台（/antigravity 路由）
 	var platform string
 	forcePlatform, hasForcePlatform := ctx.Value(ctxkey.ForcePlatform).(string)
@@ -1257,6 +1252,15 @@ func (s *GatewayService) SelectAccountForModelWithExclusions(ctx context.Context
 		platform = PlatformAnthropic
 	}
 
+	// Claude Code 限制可能已将 groupID 解析为 fallback group，
+	// 渠道限制预检查必须使用解析后的分组。
+	if s.checkChannelPricingRestriction(ctx, groupID, requestedModel) {
+		slog.Warn("channel pricing restriction blocked request",
+			"group_id", derefGroupID(groupID),
+			"model", requestedModel)
+		return nil, fmt.Errorf("%w supporting model: %s (channel pricing restriction)", ErrNoAvailableAccounts, requestedModel)
+	}
+
 	// anthropic/gemini 分组支持混合调度（包含启用了 mixed_scheduling 的 antigravity 账户）
 	// 注意：强制平台模式不走混合调度
 	if (platform == PlatformAnthropic || platform == PlatformGemini) && !hasForcePlatform {
@@ -1273,11 +1277,6 @@ func (s *GatewayService) SelectAccountForModelWithExclusions(ctx context.Context
 // metadataUserID: 用于客户端亲和调度，从中提取客户端 ID
 // sub2apiUserID: 系统用户 ID，用于二维亲和调度
 func (s *GatewayService) SelectAccountWithLoadAwareness(ctx context.Context, groupID *int64, sessionHash string, requestedModel string, excludedIDs map[int64]struct{}, metadataUserID string, sub2apiUserID int64) (*AccountSelectionResult, error) {
-	// 渠道定价限制预检查（requested / channel_mapped 基准）
-	if s.checkChannelPricingRestriction(ctx, groupID, requestedModel) {
-		return nil, fmt.Errorf("%w supporting model: %s (channel pricing restriction)", ErrNoAvailableAccounts, requestedModel)
-	}
-
 	// 调试日志：记录调度入口参数
 	excludedIDsList := make([]int64, 0, len(excludedIDs))
 	for id := range excludedIDs {
@@ -1298,6 +1297,15 @@ func (s *GatewayService) SelectAccountWithLoadAwareness(ctx context.Context, gro
 	}
 	ctx = s.withGroupContext(ctx, group)
 
+	// Claude Code 限制可能已将 groupID 解析为 fallback group，
+	// 渠道限制预检查必须使用解析后的分组。
+	if s.checkChannelPricingRestriction(ctx, groupID, requestedModel) {
+		slog.Warn("channel pricing restriction blocked request",
+			"group_id", derefGroupID(groupID),
+			"model", requestedModel)
+		return nil, fmt.Errorf("%w supporting model: %s (channel pricing restriction)", ErrNoAvailableAccounts, requestedModel)
+	}
+
 	var stickyAccountID int64
 	if prefetch := prefetchedStickyAccountIDFromContext(ctx, groupID); prefetch > 0 {
 		stickyAccountID = prefetch
@@ -3004,7 +3012,7 @@ func (s *GatewayService) selectAccountForModelWithPlatform(ctx context.Context,
 						if clearSticky {
 							_ = s.cache.DeleteSessionAccountID(ctx, derefGroupID(groupID), sessionHash)
 						}
-						if !clearSticky && s.isAccountInGroup(account, groupID) && account.Platform == platform && (requestedModel == "" || s.isModelSupportedByAccountWithContext(ctx, account, requestedModel)) && s.isAccountSchedulableForModelSelection(ctx, account, requestedModel) && s.isAccountSchedulableForQuota(account) && s.isAccountSchedulableForWindowCost(ctx, account, true) && s.isAccountSchedulableForRPM(ctx, account, true) {
+						if !clearSticky && s.isAccountInGroup(account, groupID) && account.Platform == platform && (requestedModel == "" || s.isModelSupportedByAccountWithContext(ctx, account, requestedModel)) && s.isAccountSchedulableForModelSelection(ctx, account, requestedModel) && s.isAccountSchedulableForQuota(account) && s.isAccountSchedulableForWindowCost(ctx, account, true) && s.isAccountSchedulableForRPM(ctx, account, true) && !s.isStickyAccountUpstreamRestricted(ctx, groupID, account, requestedModel) {
 							if s.debugModelRoutingEnabled() {
 								logger.LegacyPrintf("service.gateway", "[ModelRoutingDebug] legacy routed sticky hit: group_id=%v model=%s session=%s account=%d", derefGroupID(groupID), requestedModel, shortSessionHash(sessionHash), accountID)
 							}
@@ -3359,7 +3367,7 @@ func (s *GatewayService) selectAccountWithMixedScheduling(ctx context.Context, g
 					if clearSticky {
 						_ = s.cache.DeleteSessionAccountID(ctx, derefGroupID(groupID), sessionHash)
 					}
-					if !clearSticky && s.isAccountInGroup(account, groupID) && (requestedModel == "" || s.isModelSupportedByAccountWithContext(ctx, account, requestedModel)) && s.isAccountSchedulableForModelSelection(ctx, account, requestedModel) && s.isAccountSchedulableForQuota(account) && s.isAccountSchedulableForWindowCost(ctx, account, true) && s.isAccountSchedulableForRPM(ctx, account, true) {
+					if !clearSticky && s.isAccountInGroup(account, groupID) && (requestedModel == "" || s.isModelSupportedByAccountWithContext(ctx, account, requestedModel)) && s.isAccountSchedulableForModelSelection(ctx, account, requestedModel) && s.isAccountSchedulableForQuota(account) && s.isAccountSchedulableForWindowCost(ctx, account, true) && s.isAccountSchedulableForRPM(ctx, account, true) && !s.isStickyAccountUpstreamRestricted(ctx, groupID, account, requestedModel) {
 						if account.Platform == nativePlatform || (account.Platform == PlatformAntigravity && account.IsMixedSchedulingEnabled()) {
 							return account, nil
 						}
@@ -3383,7 +3391,6 @@ func (s *GatewayService) selectAccountWithMixedScheduling(ctx context.Context, g
 	ctx = s.withRPMPrefetch(ctx, accounts)
 
 	// 3. 按优先级+最久未用选择（考虑模型支持和混合调度）
-	// needsUpstreamCheck 仅在主选择循环中使用；粘性会话命中时跳过此检查。
 	needsUpstreamCheck := s.needsUpstreamChannelRestrictionCheck(ctx, groupID)
 	var selected *Account
 	for i := range accounts {
@@ -8453,6 +8460,19 @@ func (s *GatewayService) needsUpstreamChannelRestrictionCheck(ctx context.Contex
 	return ch.BillingModelSource == BillingModelSourceUpstream
 }
 
+// isStickyAccountUpstreamRestricted 检查粘性会话命中的账号是否受 upstream 渠道限制。
+// 合并 needsUpstreamChannelRestrictionCheck + isUpstreamModelRestrictedByChannel 两步调用，
+// 供 sticky session 条件链使用，避免内联多个函数调用导致行过长。
+func (s *GatewayService) isStickyAccountUpstreamRestricted(ctx context.Context, groupID *int64, account *Account, requestedModel string) bool {
+	if groupID == nil {
+		return false
+	}
+	if !s.needsUpstreamChannelRestrictionCheck(ctx, groupID) {
+		return false
+	}
+	return s.isUpstreamModelRestrictedByChannel(ctx, *groupID, account, requestedModel)
+}
+
 // ForwardCountTokens 转发 count_tokens 请求到上游 API
 // 特点：不记录使用量、仅支持非流式响应
 func (s *GatewayService) ForwardCountTokens(ctx context.Context, c *gin.Context, account *Account, parsed *ParsedRequest) error {

From 37c23eccfed36d59e70369e37d26b1eff5ac4a0f Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Sun, 5 Apr 2026 14:37:21 +0800
Subject: [PATCH 017/122] fix: gofmt formatting

---
 backend/internal/service/channel_service.go |   2 +-
 backend/internal/service/gateway_service.go | 689 +++-----------------
 2 files changed, 82 insertions(+), 609 deletions(-)

diff --git a/backend/internal/service/channel_service.go b/backend/internal/service/channel_service.go
index c6a249ef..ec8310f6 100644
--- a/backend/internal/service/channel_service.go
+++ b/backend/internal/service/channel_service.go
@@ -134,7 +134,7 @@ func (r ChannelMappingResult) ToUsageFields(reqModel, upstreamModel string) Chan
 
 const (
 	channelCacheTTL       = 10 * time.Minute
-	channelErrorTTL       = 5 * time.Second  // DB 错误时的短缓存
+	channelErrorTTL       = 5 * time.Second // DB 错误时的短缓存
 	channelCacheDBTimeout = 10 * time.Second
 )
 
diff --git a/backend/internal/service/gateway_service.go b/backend/internal/service/gateway_service.go
index 31137fb4..5d285fb6 100644
--- a/backend/internal/service/gateway_service.go
+++ b/backend/internal/service/gateway_service.go
@@ -12,6 +12,7 @@ import (
 	"log/slog"
 	mathrand "math/rand"
 	"net/http"
+	"net/url"
 	"os"
 	"path/filepath"
 	"regexp"
@@ -41,8 +42,7 @@ import (
 const (
 	claudeAPIURL            = "https://api.anthropic.com/v1/messages?beta=true"
 	claudeAPICountTokensURL = "https://api.anthropic.com/v1/messages/count_tokens?beta=true"
-	stickySessionTTL        = time.Hour      // 粘性会话TTL
-	ClientAffinityTTL       = 24 * time.Hour // 客户端亲和TTL
+	stickySessionTTL        = time.Hour // 粘性会话TTL
 	defaultMaxLineSize      = 500 * 1024 * 1024
 	// Canonical Claude Code banner. Keep it EXACT (no trailing whitespace/newlines)
 	// to match real Claude CLI traffic as closely as possible. When we need a visual
@@ -60,28 +60,14 @@ const (
 	claudeMimicDebugInfoKey = "claude_mimic_debug_info"
 )
 
-// MediaType 媒体类型常量
-const (
-	MediaTypeImage  = "image"
-	MediaTypeVideo  = "video"
-	MediaTypePrompt = "prompt"
-)
-
-const (
-	claudeMaxMessageOverheadTokens = 3
-	claudeMaxBlockOverheadTokens   = 1
-	claudeMaxUnknownContentTokens  = 4
-)
-
 // ForceCacheBillingContextKey 强制缓存计费上下文键
 // 用于粘性会话切换时，将 input_tokens 转为 cache_read_input_tokens 计费
 type forceCacheBillingKeyType struct{}
 
 // accountWithLoad 账号与负载信息的组合，用于负载感知调度
 type accountWithLoad struct {
-	account       *Account
-	loadInfo      *AccountLoadInfo
-	affinityCount int64 // 亲和客户端数量（反向索引），越少越优先
+	account  *Account
+	loadInfo *AccountLoadInfo
 }
 
 var ForceCacheBillingContextKey = forceCacheBillingKeyType{}
@@ -345,10 +331,6 @@ var (
 	sseDataRe            = regexp.MustCompile(`^data:\s*`)
 	claudeCliUserAgentRe = regexp.MustCompile(`^claude-cli/\d+\.\d+\.\d+`)
 
-	// clientIDFromMetadataRegex 从 metadata.user_id 中提取客户端 ID（64位 hex）
-	// 格式: user_{64位hex}_account_...
-	clientIDFromMetadataRegex = regexp.MustCompile(`^user_([a-f0-9]{64})_account_`)
-
 	// claudeCodePromptPrefixes 用于检测 Claude Code 系统提示词的前缀列表
 	// 支持多种变体：标准版、Agent SDK 版、Explore Agent 版、Compact 版等
 	// 注意：前缀之间不应存在包含关系，否则会导致冗余匹配
@@ -366,12 +348,6 @@ var ErrNoAvailableAccounts = errors.New("no available accounts")
 // ErrClaudeCodeOnly 表示分组仅允许 Claude Code 客户端访问
 var ErrClaudeCodeOnly = errors.New("this group only allows Claude Code clients")
 
-// ErrAffinityNoSwitch 表示亲和账号不可用且不允许切换到其他账号
-var ErrAffinityNoSwitch = errors.New("affinity account unavailable and switching is disabled")
-
-// ErrAffinityLimitExceeded 表示亲和客户端限制已达上限
-var ErrAffinityLimitExceeded = errors.New("affinity client limit exceeded")
-
 // allowedHeaders 白名单headers（参考CRS项目）
 var allowedHeaders = map[string]bool{
 	"accept":                                    true,
@@ -393,6 +369,8 @@ var allowedHeaders = map[string]bool{
 	"user-agent":                                true,
 	"content-type":                              true,
 	"accept-encoding":                           true,
+	"x-claude-code-session-id":                  true,
+	"x-client-request-id":                       true,
 }
 
 // GatewayCache 定义网关服务的缓存操作接口。
@@ -413,39 +391,6 @@ type GatewayCache interface {
 	// DeleteSessionAccountID 删除粘性会话绑定，用于账号不可用时主动清理
 	// Delete sticky session binding, used to proactively clean up when account becomes unavailable
 	DeleteSessionAccountID(ctx context.Context, groupID int64, sessionHash string) error
-
-	// GetAffinityAccounts 获取亲和账号列表（按最近使用降序），同时清理过期成员
-	GetAffinityAccounts(ctx context.Context, groupID int64, userID int64, clientID string, ttl time.Duration) ([]int64, error)
-	// UpdateAffinity 添加/更新亲和关系（更新 score 为当前时间戳，刷新 key TTL）
-	UpdateAffinity(ctx context.Context, groupID int64, userID int64, clientID string, accountID int64, ttl time.Duration) error
-	// GetAccountAffinityCountBatch 批量获取账号的亲和成员数量（惰性清理过期成员）
-	GetAccountAffinityCountBatch(ctx context.Context, groupID int64, accountIDs []int64, ttl time.Duration) (map[int64]int64, error)
-	// GetAccountAffinityClientsBatch 批量获取每个账号跨所有分组的亲和成员列表（去重）
-	// accountGroups: map[accountID][]groupID
-	// 返回值成员格式为 {userID}/{clientID}
-	GetAccountAffinityClientsBatch(ctx context.Context, accountGroups map[int64][]int64, ttl time.Duration) (map[int64][]string, error)
-	// GetAccountAffinityClientsWithScores 获取单个账号跨所有分组的亲和客户端列表（含最后活跃时间）
-	GetAccountAffinityClientsWithScores(ctx context.Context, accountID int64, groupIDs []int64, ttl time.Duration) ([]AffinityClient, error)
-	// ClearAccountAffinity 清除指定账号在所有分组的亲和记录（正向+反向索引）
-	// 用于账号关闭亲和时立即清理旧绑定
-	ClearAccountAffinity(ctx context.Context, accountID int64, groupIDs []int64) error
-	// GetAffinityMultiCount 获取账号的多维度亲和计数
-	// 返回: uniqueUsers, uniqueClients, perUserClients
-	GetAffinityMultiCount(ctx context.Context, groupID int64, accountID int64, targetUserID int64, ttl time.Duration) (users, clients, perUser int64, err error)
-}
-
-// AffinityClient 亲和客户端信息（含用户 ID 和最后活跃时间）
-type AffinityClient struct {
-	UserID     int64     `json:"user_id"`
-	ClientID   string    `json:"client_id"`
-	LastActive time.Time `json:"last_active"`
-}
-
-// SortAffinityClients 按最后活跃时间降序排序
-func SortAffinityClients(clients []AffinityClient) {
-	sort.Slice(clients, func(i, j int) bool {
-		return clients[i].LastActive.After(clients[j].LastActive)
-	})
 }
 
 // derefGroupID safely dereferences *int64 to int64, returning 0 if nil
@@ -516,20 +461,6 @@ func shouldClearStickySession(account *Account, requestedModel string) bool {
 	return false
 }
 
-// extractClientIDFromMetadata 从 metadata.user_id 中提取客户端 ID（64位 hex）。
-// 格式: user_{64位hex}_account_..._session_...
-// 返回空字符串表示无法提取（非 Claude Code/Console 客户端）。
-func extractClientIDFromMetadata(metadataUserID string) string {
-	if metadataUserID == "" {
-		return ""
-	}
-	matches := clientIDFromMetadataRegex.FindStringSubmatch(metadataUserID)
-	if matches == nil {
-		return ""
-	}
-	return matches[1]
-}
-
 type AccountWaitPlan struct {
 	AccountID      int64
 	MaxConcurrency int
@@ -572,10 +503,6 @@ type ForwardResult struct {
 	// 图片生成计费字段（图片生成模型使用）
 	ImageCount int    // 生成的图片数量
 	ImageSize  string // 图片尺寸 "1K", "2K", "4K"
-
-	// Sora 媒体字段
-	MediaType string // image / video / prompt
-	MediaURL  string // 生成后的媒体地址（可选）
 }
 
 // UpstreamFailoverError indicates an upstream error that should trigger account failover.
@@ -1315,10 +1242,6 @@ func (s *GatewayService) SelectAccountWithLoadAwareness(ctx context.Context, gro
 		}
 	}
 
-	// 提取客户端 ID（用于客户端亲和调度）
-	affinityClientID := extractClientIDFromMetadata(metadataUserID)
-	affinityUserID := sub2apiUserID
-
 	if s.debugModelRoutingEnabled() && requestedModel != "" {
 		groupPlatform := ""
 		if group != nil {
@@ -1340,10 +1263,6 @@ func (s *GatewayService) SelectAccountWithLoadAwareness(ctx context.Context, gro
 			if err != nil {
 				return nil, err
 			}
-			if shouldFilterAccountWithoutClientID(account, affinityClientID) {
-				localExcluded[account.ID] = struct{}{}
-				continue
-			}
 
 			result, err := s.tryAcquireAccountSlot(ctx, account.ID, account.Concurrency)
 			if err == nil && result.Acquired {
@@ -1405,7 +1324,6 @@ func (s *GatewayService) SelectAccountWithLoadAwareness(ctx context.Context, gro
 	if err != nil {
 		return nil, err
 	}
-	accounts = filterAccountsWithoutClientID(accounts, affinityClientID)
 	if len(accounts) == 0 {
 		return nil, ErrNoAvailableAccounts
 	}
@@ -1424,19 +1342,6 @@ func (s *GatewayService) SelectAccountWithLoadAwareness(ctx context.Context, gro
 		_, excluded := excludedIDs[accountID]
 		return excluded
 	}
-	affinityFlow := newGatewayAffinityFlow(
-		s,
-		ctx,
-		groupID,
-		sessionHash,
-		requestedModel,
-		affinityClientID,
-		affinityUserID,
-		platform,
-		useMixed,
-		accountByID,
-		isExcluded,
-	)
 
 	// 获取模型路由配置（仅 anthropic 平台）
 	var routingAccountIDs []int64
@@ -1599,10 +1504,7 @@ func (s *GatewayService) SelectAccountWithLoadAwareness(ctx context.Context, gro
 			}
 
 			if len(routingAvailable) > 0 {
-				// 批量获取亲和客户端数量
-				s.populateAffinityCounts(ctx, routingAvailable, derefGroupID(groupID))
-
-				// 排序：优先级 > 负载率 > 亲和客户端数 > 最后使用时间
+				// 排序：优先级 > 负载率 > 最后使用时间
 				sort.SliceStable(routingAvailable, func(i, j int) bool {
 					a, b := routingAvailable[i], routingAvailable[j]
 					if a.account.Priority != b.account.Priority {
@@ -1611,9 +1513,6 @@ func (s *GatewayService) SelectAccountWithLoadAwareness(ctx context.Context, gro
 					if a.loadInfo.LoadRate != b.loadInfo.LoadRate {
 						return a.loadInfo.LoadRate < b.loadInfo.LoadRate
 					}
-					if a.affinityCount != b.affinityCount {
-						return a.affinityCount < b.affinityCount
-					}
 					switch {
 					case a.account.LastUsedAt == nil && b.account.LastUsedAt != nil:
 						return true
@@ -1639,9 +1538,6 @@ func (s *GatewayService) SelectAccountWithLoadAwareness(ctx context.Context, gro
 						if sessionHash != "" && s.cache != nil {
 							_ = s.cache.SetSessionAccountID(ctx, derefGroupID(groupID), sessionHash, item.account.ID, stickySessionTTL)
 						}
-						if affinityClientID != "" && affinityUserID > 0 && s.cache != nil && item.account.IsAffinityEnabled() {
-							_ = s.cache.UpdateAffinity(ctx, derefGroupID(groupID), affinityUserID, affinityClientID, item.account.ID, ClientAffinityTTL)
-						}
 						if s.debugModelRoutingEnabled() {
 							logger.LegacyPrintf("service.gateway", "[ModelRoutingDebug] routed select: group_id=%v model=%s session=%s account=%d", derefGroupID(groupID), requestedModel, shortSessionHash(sessionHash), item.account.ID)
 						}
@@ -1679,22 +1575,8 @@ func (s *GatewayService) SelectAccountWithLoadAwareness(ctx context.Context, gro
 		}
 	}
 
-	// ============ Layer 1.3: 用户亲和预处理（pinned_users 自动注入） ============
-	affinityFlow.preprocessPinnedUsers(accounts)
-
-	// ============ Layer 1.4: 客户端亲和调度（优先于粘性会话） ============
-	affinityHit := false
-	if affinityResult, hit, err := affinityFlow.trySelectAffinityAccount(); err != nil {
-		return nil, err
-	} else {
-		affinityHit = hit
-		if affinityResult != nil {
-			return affinityResult, nil
-		}
-	}
-
-	// ============ Layer 1.5: 粘性会话（仅在无模型路由配置 且 亲和未命中时生效） ============
-	if !affinityHit && len(routingAccountIDs) == 0 && sessionHash != "" && stickyAccountID > 0 && !isExcluded(stickyAccountID) {
+	// ============ Layer 1.5: 粘性会话（仅在无模型路由配置时生效） ============
+	if len(routingAccountIDs) == 0 && sessionHash != "" && stickyAccountID > 0 && !isExcluded(stickyAccountID) {
 		accountID := stickyAccountID
 		if accountID > 0 && !isExcluded(accountID) {
 			account, ok := accountByID[accountID]
@@ -1800,9 +1682,6 @@ func (s *GatewayService) SelectAccountWithLoadAwareness(ctx context.Context, gro
 	loadMap, err := s.concurrencyService.GetAccountsLoadBatch(ctx, accountLoads)
 	if err != nil {
 		if result, ok := s.tryAcquireByLegacyOrder(ctx, candidates, groupID, sessionHash, preferOAuth); ok {
-			if affinityClientID != "" && affinityUserID > 0 && s.cache != nil && result.Account != nil && result.Account.IsAffinityEnabled() {
-				_ = s.cache.UpdateAffinity(ctx, derefGroupID(groupID), affinityUserID, affinityClientID, result.Account.ID, ClientAffinityTTL)
-			}
 			return result, nil
 		}
 	} else {
@@ -1820,37 +1699,13 @@ func (s *GatewayService) SelectAccountWithLoadAwareness(ctx context.Context, gro
 			}
 		}
 
-		// 批量获取亲和客户端数量（用于均衡分配新客户端）
-		s.populateAffinityCounts(ctx, available, derefGroupID(groupID))
-
-		// 分层过滤选择：优先级 → 亲和三区 → 负载率 → 亲和客户端数 → LRU
+		// 分层过滤选择：优先级 → 负载率 → LRU
 		for len(available) > 0 {
 			// 1. 取优先级最小的集合
 			candidates := filterByMinPriority(available)
-			// 2. 按亲和三区过滤：绿区优先 → 黄区降级 → 红区移除（在同优先级内）
-			candidates = classifyByAffinityZone(candidates)
-			if len(candidates) == 0 {
-				// 当前优先级组全部在红区，移除后回退到下一优先级组
-				minPri := available[0].account.Priority
-				for _, a := range available[1:] {
-					if a.account.Priority < minPri {
-						minPri = a.account.Priority
-					}
-				}
-				newAvailable := make([]accountWithLoad, 0, len(available))
-				for _, a := range available {
-					if a.account.Priority != minPri {
-						newAvailable = append(newAvailable, a)
-					}
-				}
-				available = newAvailable
-				continue
-			}
-			// 3. 取负载率最低的集合
+			// 2. 取负载率最低的集合
 			candidates = filterByMinLoadRate(candidates)
-			// 3. 取亲和客户端数最少的集合
-			candidates = filterByMinAffinityCount(candidates)
-			// 4. LRU 选择最久未用的账号
+			// 3. LRU 选择最久未用的账号
 			selected := selectByLRU(candidates, preferOAuth)
 			if selected == nil {
 				break
@@ -1865,10 +1720,6 @@ func (s *GatewayService) SelectAccountWithLoadAwareness(ctx context.Context, gro
 					if sessionHash != "" && s.cache != nil {
 						_ = s.cache.SetSessionAccountID(ctx, derefGroupID(groupID), sessionHash, selected.account.ID, stickySessionTTL)
 					}
-					// 更新亲和关系
-					if affinityClientID != "" && affinityUserID > 0 && s.cache != nil && selected.account.IsAffinityEnabled() {
-						_ = s.cache.UpdateAffinity(ctx, derefGroupID(groupID), affinityUserID, affinityClientID, selected.account.ID, ClientAffinityTTL)
-					}
 					return &AccountSelectionResult{
 						Account:     selected.account,
 						Acquired:    true,
@@ -2077,9 +1928,6 @@ func (s *GatewayService) resolvePlatform(ctx context.Context, groupID *int64, gr
 }
 
 func (s *GatewayService) listSchedulableAccounts(ctx context.Context, groupID *int64, platform string, hasForcePlatform bool) ([]Account, bool, error) {
-	if platform == PlatformSora {
-		return s.listSoraSchedulableAccounts(ctx, groupID)
-	}
 	if s.schedulerSnapshot != nil {
 		accounts, useMixed, err := s.schedulerSnapshot.ListSchedulableAccounts(ctx, groupID, platform, hasForcePlatform)
 		if err == nil {
@@ -2176,53 +2024,6 @@ func (s *GatewayService) listSchedulableAccounts(ctx context.Context, groupID *i
 	return accounts, useMixed, nil
 }
 
-func (s *GatewayService) listSoraSchedulableAccounts(ctx context.Context, groupID *int64) ([]Account, bool, error) {
-	const useMixed = false
-
-	var accounts []Account
-	var err error
-	if s.cfg != nil && s.cfg.RunMode == config.RunModeSimple {
-		accounts, err = s.accountRepo.ListByPlatform(ctx, PlatformSora)
-	} else if groupID != nil {
-		accounts, err = s.accountRepo.ListByGroup(ctx, *groupID)
-	} else {
-		accounts, err = s.accountRepo.ListByPlatform(ctx, PlatformSora)
-	}
-	if err != nil {
-		slog.Debug("account_scheduling_list_failed",
-			"group_id", derefGroupID(groupID),
-			"platform", PlatformSora,
-			"error", err)
-		return nil, useMixed, err
-	}
-
-	filtered := make([]Account, 0, len(accounts))
-	for _, acc := range accounts {
-		if acc.Platform != PlatformSora {
-			continue
-		}
-		if !s.isSoraAccountSchedulable(&acc) {
-			continue
-		}
-		filtered = append(filtered, acc)
-	}
-	slog.Debug("account_scheduling_list_sora",
-		"group_id", derefGroupID(groupID),
-		"platform", PlatformSora,
-		"raw_count", len(accounts),
-		"filtered_count", len(filtered))
-	for _, acc := range filtered {
-		slog.Debug("account_scheduling_account_detail",
-			"account_id", acc.ID,
-			"name", acc.Name,
-			"platform", acc.Platform,
-			"type", acc.Type,
-			"status", acc.Status,
-			"tls_fingerprint", acc.IsTLSFingerprintEnabled())
-	}
-	return filtered, useMixed, nil
-}
-
 // IsSingleAntigravityAccountGroup 检查指定分组是否只有一个 antigravity 平台的可调度账号。
 // 用于 Handler 层在首次请求时提前设置 SingleAccountRetry context，
 // 避免单账号分组收到 503 时错误地设置模型限流标记导致后续请求连续快速失败。
@@ -2247,33 +2048,10 @@ func (s *GatewayService) isAccountAllowedForPlatform(account *Account, platform
 	return account.Platform == platform
 }
 
-func (s *GatewayService) isSoraAccountSchedulable(account *Account) bool {
-	return s.soraUnschedulableReason(account) == ""
-}
-
-func (s *GatewayService) soraUnschedulableReason(account *Account) string {
-	if account == nil {
-		return "account_nil"
-	}
-	if account.Status != StatusActive {
-		return fmt.Sprintf("status=%s", account.Status)
-	}
-	if !account.Schedulable {
-		return "schedulable=false"
-	}
-	if account.TempUnschedulableUntil != nil && time.Now().Before(*account.TempUnschedulableUntil) {
-		return fmt.Sprintf("temp_unschedulable_until=%s", account.TempUnschedulableUntil.UTC().Format(time.RFC3339))
-	}
-	return ""
-}
-
 func (s *GatewayService) isAccountSchedulableForSelection(account *Account) bool {
 	if account == nil {
 		return false
 	}
-	if account.Platform == PlatformSora {
-		return s.isSoraAccountSchedulable(account)
-	}
 	return account.IsSchedulable()
 }
 
@@ -2281,12 +2059,6 @@ func (s *GatewayService) isAccountSchedulableForModelSelection(ctx context.Conte
 	if account == nil {
 		return false
 	}
-	if account.Platform == PlatformSora {
-		if !s.isSoraAccountSchedulable(account) {
-			return false
-		}
-		return account.GetRateLimitRemainingTimeWithContext(ctx, requestedModel) <= 0
-	}
 	return account.IsSchedulableForModelWithContext(ctx, requestedModel)
 }
 
@@ -2626,36 +2398,6 @@ func (s *GatewayService) getSchedulableAccount(ctx context.Context, accountID in
 	return s.accountRepo.GetByID(ctx, accountID)
 }
 
-// populateAffinityCounts 批量获取账号的亲和客户端数量并填入 accountWithLoad 切片。
-// 仅当存在开启了客户端亲和的账号时才查询 Redis，否则跳过。
-func (s *GatewayService) populateAffinityCounts(ctx context.Context, accounts []accountWithLoad, groupID int64) {
-	if s.cache == nil || len(accounts) == 0 {
-		return
-	}
-	// 快速检查：是否有任何账号开启了亲和
-	hasAffinity := false
-	for _, acc := range accounts {
-		if acc.account.IsAffinityEnabled() {
-			hasAffinity = true
-			break
-		}
-	}
-	if !hasAffinity {
-		return
-	}
-	accountIDs := make([]int64, len(accounts))
-	for i, acc := range accounts {
-		accountIDs[i] = acc.account.ID
-	}
-	countMap, err := s.cache.GetAccountAffinityCountBatch(ctx, groupID, accountIDs, ClientAffinityTTL)
-	if err != nil {
-		return // 查询失败不影响调度，affinityCount 保持 0
-	}
-	for i := range accounts {
-		accounts[i].affinityCount = countMap[accounts[i].account.ID]
-	}
-}
-
 // filterByMinPriority 过滤出优先级最小的账号集合
 func filterByMinPriority(accounts []accountWithLoad) []accountWithLoad {
 	if len(accounts) == 0 {
@@ -2696,64 +2438,6 @@ func filterByMinLoadRate(accounts []accountWithLoad) []accountWithLoad {
 	return result
 }
 
-// filterByMinAffinityCount 过滤出亲和客户端数最少的账号集合
-func filterByMinAffinityCount(accounts []accountWithLoad) []accountWithLoad {
-	if len(accounts) == 0 {
-		return accounts
-	}
-	minCount := accounts[0].affinityCount
-	for _, acc := range accounts[1:] {
-		if acc.affinityCount < minCount {
-			minCount = acc.affinityCount
-		}
-	}
-	result := make([]accountWithLoad, 0, len(accounts))
-	for _, acc := range accounts {
-		if acc.affinityCount == minCount {
-			result = append(result, acc)
-		}
-	}
-	return result
-}
-
-// classifyByAffinityZone 按亲和分区对候选账号进行分类。
-// 返回值：仅绿区账号（有绿区时），否则返回黄区账号。红区账号被移除。
-// 如果没有任何账号开启了亲和三区配置（即 affinity_base <= 0），则原样返回所有账号。
-func classifyByAffinityZone(accounts []accountWithLoad) []accountWithLoad {
-	if len(accounts) == 0 {
-		return accounts
-	}
-	// 快速检查：是否有任何账号配置了 affinity_base
-	hasZoneConfig := false
-	for _, acc := range accounts {
-		if acc.account.IsAffinityEnabled() && acc.account.GetAffinityBase() > 0 {
-			hasZoneConfig = true
-			break
-		}
-	}
-	if !hasZoneConfig {
-		return accounts
-	}
-
-	greens := make([]accountWithLoad, 0, len(accounts))
-	yellows := make([]accountWithLoad, 0, len(accounts))
-	for _, acc := range accounts {
-		zone := acc.account.GetAffinityZone(acc.affinityCount)
-		switch zone {
-		case AffinityZoneGreen:
-			greens = append(greens, acc)
-		case AffinityZoneYellow:
-			yellows = append(yellows, acc)
-		case AffinityZoneRed:
-			// 红区：移除，不参与调度
-		}
-	}
-	if len(greens) > 0 {
-		return greens
-	}
-	return yellows
-}
-
 // selectByLRU 从集合中选择最久未用的账号
 // 如果有多个账号具有相同的最小 LastUsedAt，则随机选择一个
 func selectByLRU(accounts []accountWithLoad, preferOAuth bool) *accountWithLoad {
@@ -3514,9 +3198,6 @@ func (s *GatewayService) logDetailedSelectionFailure(
 		stats.SampleMappingIDs,
 		stats.SampleRateLimitIDs,
 	)
-	if platform == PlatformSora {
-		s.logSoraSelectionFailureDetails(ctx, groupID, sessionHash, requestedModel, accounts, excludedIDs, allowMixedScheduling)
-	}
 	return stats
 }
 
@@ -3574,9 +3255,6 @@ func (s *GatewayService) diagnoseSelectionFailure(
 	}
 	if !s.isAccountSchedulableForSelection(acc) {
 		detail := "generic_unschedulable"
-		if acc.Platform == PlatformSora {
-			detail = s.soraUnschedulableReason(acc)
-		}
 		return selectionFailureDiagnosis{Category: "unschedulable", Detail: detail}
 	}
 	if isPlatformFilteredForSelection(acc, platform, allowMixedScheduling) {
@@ -3601,57 +3279,7 @@ func (s *GatewayService) diagnoseSelectionFailure(
 	return selectionFailureDiagnosis{Category: "eligible"}
 }
 
-func (s *GatewayService) logSoraSelectionFailureDetails(
-	ctx context.Context,
-	groupID *int64,
-	sessionHash string,
-	requestedModel string,
-	accounts []Account,
-	excludedIDs map[int64]struct{},
-	allowMixedScheduling bool,
-) {
-	const maxLines = 30
-	logged := 0
-
-	for i := range accounts {
-		if logged >= maxLines {
-			break
-		}
-		acc := &accounts[i]
-		diagnosis := s.diagnoseSelectionFailure(ctx, acc, requestedModel, PlatformSora, excludedIDs, allowMixedScheduling)
-		if diagnosis.Category == "eligible" {
-			continue
-		}
-		detail := diagnosis.Detail
-		if detail == "" {
-			detail = "-"
-		}
-		logger.LegacyPrintf(
-			"service.gateway",
-			"[SelectAccountDetailed:Sora] group_id=%v model=%s session=%s account_id=%d account_platform=%s category=%s detail=%s",
-			derefGroupID(groupID),
-			requestedModel,
-			shortSessionHash(sessionHash),
-			acc.ID,
-			acc.Platform,
-			diagnosis.Category,
-			detail,
-		)
-		logged++
-	}
-	if len(accounts) > maxLines {
-		logger.LegacyPrintf(
-			"service.gateway",
-			"[SelectAccountDetailed:Sora] group_id=%v model=%s session=%s truncated=true total=%d logged=%d",
-			derefGroupID(groupID),
-			requestedModel,
-			shortSessionHash(sessionHash),
-			len(accounts),
-			logged,
-		)
-	}
-}
-
+// GetAccessToken 获取账号凭证
 func isPlatformFilteredForSelection(acc *Account, platform string, allowMixedScheduling bool) bool {
 	if acc == nil {
 		return true
@@ -3730,9 +3358,6 @@ func (s *GatewayService) isModelSupportedByAccount(account *Account, requestedMo
 		}
 		return mapAntigravityModel(account, requestedModel) != ""
 	}
-	if account.Platform == PlatformSora {
-		return s.isSoraModelSupportedByAccount(account, requestedModel)
-	}
 	if account.IsBedrock() {
 		_, ok := ResolveBedrockModelID(account, requestedModel)
 		return ok
@@ -3749,143 +3374,6 @@ func (s *GatewayService) isModelSupportedByAccount(account *Account, requestedMo
 	return account.IsModelSupported(requestedModel)
 }
 
-func (s *GatewayService) isSoraModelSupportedByAccount(account *Account, requestedModel string) bool {
-	if account == nil {
-		return false
-	}
-	if strings.TrimSpace(requestedModel) == "" {
-		return true
-	}
-
-	// 先走原始精确/通配符匹配。
-	mapping := account.GetModelMapping()
-	if len(mapping) == 0 || account.IsModelSupported(requestedModel) {
-		return true
-	}
-
-	aliases := buildSoraModelAliases(requestedModel)
-	if len(aliases) == 0 {
-		return false
-	}
-
-	hasSoraSelector := false
-	for pattern := range mapping {
-		if !isSoraModelSelector(pattern) {
-			continue
-		}
-		hasSoraSelector = true
-		if matchPatternAnyAlias(pattern, aliases) {
-			return true
-		}
-	}
-
-	// 兼容旧账号：mapping 存在但未配置任何 Sora 选择器（例如只含 gpt-*），
-	// 此时不应误拦截 Sora 模型请求。
-	if !hasSoraSelector {
-		return true
-	}
-
-	return false
-}
-
-func matchPatternAnyAlias(pattern string, aliases []string) bool {
-	normalizedPattern := strings.ToLower(strings.TrimSpace(pattern))
-	if normalizedPattern == "" {
-		return false
-	}
-	for _, alias := range aliases {
-		if matchWildcard(normalizedPattern, alias) {
-			return true
-		}
-	}
-	return false
-}
-
-func isSoraModelSelector(pattern string) bool {
-	p := strings.ToLower(strings.TrimSpace(pattern))
-	if p == "" {
-		return false
-	}
-
-	switch {
-	case strings.HasPrefix(p, "sora"),
-		strings.HasPrefix(p, "gpt-image"),
-		strings.HasPrefix(p, "prompt-enhance"),
-		strings.HasPrefix(p, "sy_"):
-		return true
-	}
-
-	return p == "video" || p == "image"
-}
-
-func buildSoraModelAliases(requestedModel string) []string {
-	modelID := strings.ToLower(strings.TrimSpace(requestedModel))
-	if modelID == "" {
-		return nil
-	}
-
-	aliases := make([]string, 0, 8)
-	addAlias := func(value string) {
-		v := strings.ToLower(strings.TrimSpace(value))
-		if v == "" {
-			return
-		}
-		for _, existing := range aliases {
-			if existing == v {
-				return
-			}
-		}
-		aliases = append(aliases, v)
-	}
-
-	addAlias(modelID)
-	cfg, ok := GetSoraModelConfig(modelID)
-	if ok {
-		addAlias(cfg.Model)
-		switch cfg.Type {
-		case "video":
-			addAlias("video")
-			addAlias("sora")
-			addAlias(soraVideoFamilyAlias(modelID))
-		case "image":
-			addAlias("image")
-			addAlias("gpt-image")
-		case "prompt_enhance":
-			addAlias("prompt-enhance")
-		}
-		return aliases
-	}
-
-	switch {
-	case strings.HasPrefix(modelID, "sora"):
-		addAlias("video")
-		addAlias("sora")
-		addAlias(soraVideoFamilyAlias(modelID))
-	case strings.HasPrefix(modelID, "gpt-image"):
-		addAlias("image")
-		addAlias("gpt-image")
-	case strings.HasPrefix(modelID, "prompt-enhance"):
-		addAlias("prompt-enhance")
-	default:
-		return nil
-	}
-
-	return aliases
-}
-
-func soraVideoFamilyAlias(modelID string) string {
-	switch {
-	case strings.HasPrefix(modelID, "sora2pro-hd"):
-		return "sora2pro-hd"
-	case strings.HasPrefix(modelID, "sora2pro"):
-		return "sora2pro"
-	case strings.HasPrefix(modelID, "sora2"):
-		return "sora2"
-	default:
-		return ""
-	}
-}
-
 // GetAccessToken 获取账号凭证
 func (s *GatewayService) GetAccessToken(ctx context.Context, account *Account) (string, string, error) {
 	switch account.Type {
@@ -4412,10 +3900,12 @@ func (s *GatewayService) Forward(ctx context.Context, c *gin.Context, account *A
 		return nil, err
 	}
 
-	// 获取代理URL
+	// 获取代理URL（自定义 base URL 模式下，proxy 通过 buildCustomRelayURL 作为查询参数传递）
 	proxyURL := ""
 	if account.ProxyID != nil && account.Proxy != nil {
-		proxyURL = account.Proxy.URL()
+		if !account.IsCustomBaseURLEnabled() || account.GetCustomBaseURL() == "" {
+			proxyURL = account.Proxy.URL()
+		}
 	}
 
 	// 解析 TLS 指纹 profile（同一请求生命周期内不变，避免重试循环中重复解析）
@@ -4824,7 +4314,6 @@ func (s *GatewayService) Forward(ctx context.Context, c *gin.Context, account *A
 	}
 
 	// 处理正常响应
-	ctx = withClaudeMaxResponseRewriteContext(ctx, c, parsed)
 
 	// 触发上游接受回调（提前释放串行锁，不等流完成）
 	if parsed.OnUpstreamAccepted != nil {
@@ -5891,6 +5380,16 @@ func (s *GatewayService) buildUpstreamRequest(ctx context.Context, c *gin.Contex
 			}
 			targetURL = validatedURL + "/v1/messages?beta=true"
 		}
+	} else if account.IsCustomBaseURLEnabled() {
+		customURL := account.GetCustomBaseURL()
+		if customURL == "" {
+			return nil, fmt.Errorf("custom_base_url is enabled but not configured for account %d", account.ID)
+		}
+		validatedURL, err := s.validateUpstreamBaseURL(customURL)
+		if err != nil {
+			return nil, err
+		}
+		targetURL = s.buildCustomRelayURL(validatedURL, "/v1/messages", account)
 	}
 
 	clientHeaders := http.Header{}
@@ -6006,6 +5505,15 @@ func (s *GatewayService) buildUpstreamRequest(ctx context.Context, c *gin.Contex
 		}
 	}
 
+	// 同步 X-Claude-Code-Session-Id 头：取 body 中已处理的 metadata.user_id 的 session_id 覆盖
+	if sessionHeader := getHeaderRaw(req.Header, "X-Claude-Code-Session-Id"); sessionHeader != "" {
+		if uid := gjson.GetBytes(body, "metadata.user_id").String(); uid != "" {
+			if parsed := ParseMetadataUserID(uid); parsed != nil {
+				setHeaderRaw(req.Header, "X-Claude-Code-Session-Id", parsed.SessionID)
+			}
+		}
+	}
+
 	// === DEBUG: 打印上游转发请求（headers + body 摘要），与 CLIENT_ORIGINAL 对比 ===
 	s.debugLogGatewaySnapshot("UPSTREAM_FORWARD", req.Header, body, map[string]string{
 		"url":                 req.URL.String(),
@@ -7005,7 +6513,6 @@ func (s *GatewayService) handleStreamingResponse(ctx context.Context, resp *http
 	needModelReplace := originalModel != mappedModel
 	clientDisconnected := false // 客户端断开标志，断开后继续读取上游以获取完整usage
 	sawTerminalEvent := false
-	skipAccountTTLOverride := false
 
 	pendingEventLines := make([]string, 0, 4)
 
@@ -7067,25 +6574,17 @@ func (s *GatewayService) handleStreamingResponse(ctx context.Context, resp *http
 			if msg, ok := event["message"].(map[string]any); ok {
 				if u, ok := msg["usage"].(map[string]any); ok {
 					eventChanged = reconcileCachedTokens(u) || eventChanged
-					claudeMaxOutcome := applyClaudeMaxSimulationToUsageJSONMap(ctx, u, originalModel, account.ID)
-					if claudeMaxOutcome.Simulated {
-						skipAccountTTLOverride = true
-					}
 				}
 			}
 		}
 		if eventType == "message_delta" {
 			if u, ok := event["usage"].(map[string]any); ok {
 				eventChanged = reconcileCachedTokens(u) || eventChanged
-				claudeMaxOutcome := applyClaudeMaxSimulationToUsageJSONMap(ctx, u, originalModel, account.ID)
-				if claudeMaxOutcome.Simulated {
-					skipAccountTTLOverride = true
-				}
 			}
 		}
 
 		// Cache TTL Override: 重写 SSE 事件中的 cache_creation 分类
-		if account.IsCacheTTLOverrideEnabled() && !skipAccountTTLOverride {
+		if account.IsCacheTTLOverrideEnabled() {
 			overrideTarget := account.GetCacheTTLOverrideTarget()
 			if eventType == "message_start" {
 				if msg, ok := event["message"].(map[string]any); ok {
@@ -7517,13 +7016,8 @@ func (s *GatewayService) handleNonStreamingResponse(ctx context.Context, resp *h
 		}
 	}
 
-	claudeMaxOutcome := applyClaudeMaxSimulationToUsage(ctx, &response.Usage, originalModel, account.ID)
-	if claudeMaxOutcome.Simulated {
-		body = rewriteClaudeUsageJSONBytes(body, response.Usage)
-	}
-
 	// Cache TTL Override: 重写 non-streaming 响应中的 cache_creation 分类
-	if account.IsCacheTTLOverrideEnabled() && !claudeMaxOutcome.Simulated {
+	if account.IsCacheTTLOverrideEnabled() {
 		overrideTarget := account.GetCacheTTLOverrideTarget()
 		if applyCacheTTLOverride(&response.Usage, overrideTarget) {
 			// 同步更新 body JSON 中的嵌套 cache_creation 对象
@@ -7901,12 +7395,10 @@ func writeUsageLogBestEffort(ctx context.Context, repo UsageLogRepository, usage
 
 // recordUsageOpts 内部选项，参数化 RecordUsage 与 RecordUsageWithLongContext 的差异点。
 type recordUsageOpts struct {
-	// Claude Max 策略所需的 ParsedRequest（可选，仅 Claude 路径传入）
+	// ParsedRequest（可选，仅 Claude 路径传入）
 	ParsedRequest *ParsedRequest
 
 	// EnableClaudePath 启用 Claude 路径特有逻辑：
-	// - Claude Max 缓存计费策略
-	// - Sora 媒体类型分支（image/video/prompt）
 	// - MediaType 字段写入使用日志
 	EnableClaudePath bool
 
@@ -7998,8 +7490,6 @@ type recordUsageCoreInput struct {
 
 // recordUsageCore 是 RecordUsage 和 RecordUsageWithLongContext 的统一实现。
 // opts 中的字段控制两者之间的差异行为：
-// - ParsedRequest != nil → 启用 Claude Max 缓存计费策略
-// - EnableSoraMedia → 启用 Sora MediaType 分支（image/video/prompt）
 // - LongContextThreshold > 0 → Token 计费回退走 CalculateCostWithLongContext
 func (s *GatewayService) recordUsageCore(ctx context.Context, input *recordUsageCoreInput, opts *recordUsageOpts) error {
 	result := input.Result
@@ -8017,21 +7507,9 @@ func (s *GatewayService) recordUsageCore(ctx context.Context, input *recordUsage
 		result.Usage.InputTokens = 0
 	}
 
-	// Claude Max cache billing policy（仅 Claude 路径启用）
-	cacheTTLOverridden := false
-	simulatedClaudeMax := false
-	if opts.EnableClaudePath {
-		var apiKeyGroup *Group
-		if apiKey != nil {
-			apiKeyGroup = apiKey.Group
-		}
-		claudeMaxOutcome := applyClaudeMaxCacheBillingPolicyToUsage(&result.Usage, opts.ParsedRequest, apiKeyGroup, result.Model, account.ID)
-		simulatedClaudeMax = claudeMaxOutcome.Simulated ||
-			(shouldApplyClaudeMaxBillingRulesForUsage(apiKeyGroup, result.Model, opts.ParsedRequest) && hasCacheCreationTokens(result.Usage))
-	}
-
 	// Cache TTL Override: 确保计费时 token 分类与账号设置一致
-	if account.IsCacheTTLOverrideEnabled() && !simulatedClaudeMax {
+	cacheTTLOverridden := false
+	if account.IsCacheTTLOverrideEnabled() {
 		applyCacheTTLOverride(&result.Usage, account.GetCacheTTLOverrideTarget())
 		cacheTTLOverridden = (result.Usage.CacheCreation5mTokens + result.Usage.CacheCreation1hTokens) > 0
 	}
@@ -8113,16 +7591,6 @@ func (s *GatewayService) calculateRecordUsageCost(
 	multiplier float64,
 	opts *recordUsageOpts,
 ) *CostBreakdown {
-	// Sora 媒体类型分支（仅 Claude 路径启用）
-	if opts.EnableClaudePath {
-		if result.MediaType == MediaTypeImage || result.MediaType == MediaTypeVideo {
-			return s.calculateSoraMediaCost(result, apiKey, billingModel, multiplier)
-		}
-		if result.MediaType == MediaTypePrompt {
-			return &CostBreakdown{}
-		}
-	}
-
 	// 图片生成计费
 	if result.ImageCount > 0 {
 		return s.calculateImageCost(ctx, result, apiKey, billingModel, multiplier)
@@ -8132,28 +7600,6 @@ func (s *GatewayService) calculateRecordUsageCost(
 	return s.calculateTokenCost(ctx, result, apiKey, billingModel, multiplier, opts)
 }
 
-// calculateSoraMediaCost 计算 Sora 图片/视频的费用。
-func (s *GatewayService) calculateSoraMediaCost(
-	result *ForwardResult,
-	apiKey *APIKey,
-	billingModel string,
-	multiplier float64,
-) *CostBreakdown {
-	var soraConfig *SoraPriceConfig
-	if apiKey.Group != nil {
-		soraConfig = &SoraPriceConfig{
-			ImagePrice360:          apiKey.Group.SoraImagePrice360,
-			ImagePrice540:          apiKey.Group.SoraImagePrice540,
-			VideoPricePerRequest:   apiKey.Group.SoraVideoPricePerRequest,
-			VideoPricePerRequestHD: apiKey.Group.SoraVideoPricePerRequestHD,
-		}
-	}
-	if result.MediaType == MediaTypeImage {
-		return s.billingService.CalculateSoraImageCost(result.ImageSize, result.ImageCount, soraConfig, multiplier)
-	}
-	return s.billingService.CalculateSoraVideoCost(billingModel, soraConfig, multiplier)
-}
-
 // resolveChannelPricing 检查指定模型是否存在渠道级别定价。
 // 返回非 nil 的 ResolvedPricing 表示有渠道定价，nil 表示走默认定价路径。
 func (s *GatewayService) resolveChannelPricing(ctx context.Context, billingModel string, apiKey *APIKey) *ResolvedPricing {
@@ -8176,7 +7622,7 @@ func (s *GatewayService) calculateImageCost(
 	billingModel string,
 	multiplier float64,
 ) *CostBreakdown {
-	if s.resolveChannelPricing(ctx, billingModel, apiKey) != nil {
+	if resolved := s.resolveChannelPricing(ctx, billingModel, apiKey); resolved != nil {
 		tokens := UsageTokens{
 			InputTokens:       result.Usage.InputTokens,
 			OutputTokens:      result.Usage.OutputTokens,
@@ -8191,6 +7637,7 @@ func (s *GatewayService) calculateImageCost(
 			RequestCount:   1,
 			RateMultiplier: multiplier,
 			Resolver:       s.resolver,
+			Resolved:       resolved,
 		})
 		if err != nil {
 			logger.LegacyPrintf("service.gateway", "Calculate image token cost failed: %v", err)
@@ -8233,7 +7680,7 @@ func (s *GatewayService) calculateTokenCost(
 	var err error
 
 	// 优先尝试渠道定价 → CalculateCostUnified
-	if s.resolveChannelPricing(ctx, billingModel, apiKey) != nil {
+	if resolved := s.resolveChannelPricing(ctx, billingModel, apiKey); resolved != nil {
 		gid := apiKey.Group.ID
 		cost, err = s.billingService.CalculateCostUnified(CostInput{
 			Ctx:            ctx,
@@ -8243,6 +7690,7 @@ func (s *GatewayService) calculateTokenCost(
 			RequestCount:   1,
 			RateMultiplier: multiplier,
 			Resolver:       s.resolver,
+			Resolved:       resolved,
 		})
 	} else if opts.LongContextThreshold > 0 {
 		// 长上下文双倍计费（如 Gemini 200K 阈值）
@@ -8330,13 +7778,7 @@ func (s *GatewayService) buildRecordUsageLog(
 }
 
 // resolveBillingMode 根据计费结果和请求类型确定计费模式。
-// Sora 媒体类型自身已确定计费模式（由上游处理），返回 nil 跳过。
 func resolveBillingMode(opts *recordUsageOpts, result *ForwardResult, cost *CostBreakdown) *string {
-	isSoraMedia := opts.EnableClaudePath &&
-		(result.MediaType == MediaTypeImage || result.MediaType == MediaTypeVideo || result.MediaType == MediaTypePrompt)
-	if isSoraMedia {
-		return nil
-	}
 	var mode string
 	switch {
 	case cost != nil && cost.BillingMode != "":
@@ -8350,9 +7792,6 @@ func resolveBillingMode(opts *recordUsageOpts, result *ForwardResult, cost *Cost
 }
 
 func resolveMediaType(opts *recordUsageOpts, result *ForwardResult) *string {
-	if opts.EnableClaudePath && strings.TrimSpace(result.MediaType) != "" {
-		return &result.MediaType
-	}
 	return nil
 }
 
@@ -8559,10 +7998,12 @@ func (s *GatewayService) ForwardCountTokens(ctx context.Context, c *gin.Context,
 		return err
 	}
 
-	// 获取代理URL
+	// 获取代理URL（自定义 base URL 模式下，proxy 通过 buildCustomRelayURL 作为查询参数传递）
 	proxyURL := ""
 	if account.ProxyID != nil && account.Proxy != nil {
-		proxyURL = account.Proxy.URL()
+		if !account.IsCustomBaseURLEnabled() || account.GetCustomBaseURL() == "" {
+			proxyURL = account.Proxy.URL()
+		}
 	}
 
 	// 发送请求
@@ -8841,6 +8282,16 @@ func (s *GatewayService) buildCountTokensRequest(ctx context.Context, c *gin.Con
 			}
 			targetURL = validatedURL + "/v1/messages/count_tokens?beta=true"
 		}
+	} else if account.IsCustomBaseURLEnabled() {
+		customURL := account.GetCustomBaseURL()
+		if customURL == "" {
+			return nil, fmt.Errorf("custom_base_url is enabled but not configured for account %d", account.ID)
+		}
+		validatedURL, err := s.validateUpstreamBaseURL(customURL)
+		if err != nil {
+			return nil, err
+		}
+		targetURL = s.buildCustomRelayURL(validatedURL, "/v1/messages/count_tokens", account)
 	}
 
 	clientHeaders := http.Header{}
@@ -8946,6 +8397,15 @@ func (s *GatewayService) buildCountTokensRequest(ctx context.Context, c *gin.Con
 		}
 	}
 
+	// 同步 X-Claude-Code-Session-Id 头：取 body 中已处理的 metadata.user_id 的 session_id 覆盖
+	if sessionHeader := getHeaderRaw(req.Header, "X-Claude-Code-Session-Id"); sessionHeader != "" {
+		if uid := gjson.GetBytes(body, "metadata.user_id").String(); uid != "" {
+			if parsed := ParseMetadataUserID(uid); parsed != nil {
+				setHeaderRaw(req.Header, "X-Claude-Code-Session-Id", parsed.SessionID)
+			}
+		}
+	}
+
 	if c != nil && tokenType == "oauth" {
 		c.Set(claudeMimicDebugInfoKey, buildClaudeMimicDebugLine(req, body, account, tokenType, mimicClaudeCode))
 	}
@@ -8967,6 +8427,19 @@ func (s *GatewayService) countTokensError(c *gin.Context, status int, errType, m
 	})
 }
 
+// buildCustomRelayURL 构建自定义中继转发 URL
+// 在 path 后附加 beta=true 和可选的 proxy 查询参数
+func (s *GatewayService) buildCustomRelayURL(baseURL, path string, account *Account) string {
+	u := strings.TrimRight(baseURL, "/") + path + "?beta=true"
+	if account.ProxyID != nil && account.Proxy != nil {
+		proxyURL := account.Proxy.URL()
+		if proxyURL != "" {
+			u += "&proxy=" + url.QueryEscape(proxyURL)
+		}
+	}
+	return u
+}
+
 func (s *GatewayService) validateUpstreamBaseURL(raw string) (string, error) {
 	if s.cfg != nil && !s.cfg.Security.URLAllowlist.Enabled {
 		normalized, err := urlvalidator.ValidateURLFormat(raw, s.cfg.Security.URLAllowlist.AllowInsecureHTTP)

From 794e81720834913c5fb3251a5c13fd88040c354a Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Sun, 5 Apr 2026 16:39:24 +0800
Subject: [PATCH 018/122] refactor: remove PaymentChannel, reuse upstream
 Channel with features field
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Delete payment_channels table and PaymentChannel Ent schema
- Add `features` column to upstream channels table (migration 095)
- Add Features field to Channel struct, input types, handler request/response
- Payment user/admin handlers now use ChannelService directly
- Remove Channel CRUD from PaymentConfigService and admin payment routes
- Remove "渠道管理" tab from admin orders page (use /admin/channels)
---
 backend/ent/client.go                         |  36 +-
 backend/ent/intercept/intercept.go            |   1 +
 backend/ent/predicate/predicate.go            |   1 +
 .../internal/handler/admin/channel_handler.go |   6 +
 backend/internal/handler/payment_handler.go   |   1 +
 backend/internal/repository/channel_repo.go   |  20 +-
 backend/internal/server/routes/payment.go     |  13 +-
 backend/internal/service/channel.go           |   1 +
 backend/internal/service/channel_service.go   |   6 +
 .../service/payment_config_service.go         | 440 +++++++++++-------
 backend/migrations/095_channel_features.sql   |   2 +
 11 files changed, 314 insertions(+), 213 deletions(-)
 create mode 100644 backend/migrations/095_channel_features.sql

diff --git a/backend/ent/client.go b/backend/ent/client.go
index e52e015a..3da7acf8 100644
--- a/backend/ent/client.go
+++ b/backend/ent/client.go
@@ -333,10 +333,10 @@ func (c *Client) Use(hooks ...Hook) {
 	for _, n := range []interface{ Use(...Hook) }{
 		c.APIKey, c.Account, c.AccountGroup, c.Announcement, c.AnnouncementRead,
 		c.ErrorPassthroughRule, c.Group, c.IdempotencyRecord, c.PaymentAuditLog,
-		c.PaymentOrder, c.PaymentProviderInstance, c.PromoCode, c.PromoCodeUsage,
-		c.Proxy, c.RedeemCode, c.SecuritySecret, c.Setting, c.SubscriptionPlan,
-		c.TLSFingerprintProfile, c.UsageCleanupTask, c.UsageLog, c.User,
-		c.UserAllowedGroup, c.UserAttributeDefinition, c.UserAttributeValue,
+		c.PaymentOrder, c.PaymentProviderInstance, c.PromoCode,
+		c.PromoCodeUsage, c.Proxy, c.RedeemCode, c.SecuritySecret, c.Setting,
+		c.SubscriptionPlan, c.TLSFingerprintProfile, c.UsageCleanupTask, c.UsageLog,
+		c.User, c.UserAllowedGroup, c.UserAttributeDefinition, c.UserAttributeValue,
 		c.UserSubscription,
 	} {
 		n.Use(hooks...)
@@ -349,10 +349,10 @@ func (c *Client) Intercept(interceptors ...Interceptor) {
 	for _, n := range []interface{ Intercept(...Interceptor) }{
 		c.APIKey, c.Account, c.AccountGroup, c.Announcement, c.AnnouncementRead,
 		c.ErrorPassthroughRule, c.Group, c.IdempotencyRecord, c.PaymentAuditLog,
-		c.PaymentOrder, c.PaymentProviderInstance, c.PromoCode, c.PromoCodeUsage,
-		c.Proxy, c.RedeemCode, c.SecuritySecret, c.Setting, c.SubscriptionPlan,
-		c.TLSFingerprintProfile, c.UsageCleanupTask, c.UsageLog, c.User,
-		c.UserAllowedGroup, c.UserAttributeDefinition, c.UserAttributeValue,
+		c.PaymentOrder, c.PaymentProviderInstance, c.PromoCode,
+		c.PromoCodeUsage, c.Proxy, c.RedeemCode, c.SecuritySecret, c.Setting,
+		c.SubscriptionPlan, c.TLSFingerprintProfile, c.UsageCleanupTask, c.UsageLog,
+		c.User, c.UserAllowedGroup, c.UserAttributeDefinition, c.UserAttributeValue,
 		c.UserSubscription,
 	} {
 		n.Intercept(interceptors...)
@@ -4629,19 +4629,19 @@ func (c *UserSubscriptionClient) mutate(ctx context.Context, m *UserSubscription
 type (
 	hooks struct {
 		APIKey, Account, AccountGroup, Announcement, AnnouncementRead,
-		ErrorPassthroughRule, Group, IdempotencyRecord, PaymentAuditLog, PaymentOrder,
-		PaymentProviderInstance, PromoCode, PromoCodeUsage, Proxy, RedeemCode,
-		SecuritySecret, Setting, SubscriptionPlan, TLSFingerprintProfile,
-		UsageCleanupTask, UsageLog, User, UserAllowedGroup, UserAttributeDefinition,
-		UserAttributeValue, UserSubscription []ent.Hook
+		ErrorPassthroughRule, Group, IdempotencyRecord, PaymentAuditLog,
+		PaymentOrder, PaymentProviderInstance, PromoCode,
+		PromoCodeUsage, Proxy, RedeemCode, SecuritySecret, Setting, SubscriptionPlan,
+		TLSFingerprintProfile, UsageCleanupTask, UsageLog, User, UserAllowedGroup,
+		UserAttributeDefinition, UserAttributeValue, UserSubscription []ent.Hook
 	}
 	inters struct {
 		APIKey, Account, AccountGroup, Announcement, AnnouncementRead,
-		ErrorPassthroughRule, Group, IdempotencyRecord, PaymentAuditLog, PaymentOrder,
-		PaymentProviderInstance, PromoCode, PromoCodeUsage, Proxy, RedeemCode,
-		SecuritySecret, Setting, SubscriptionPlan, TLSFingerprintProfile,
-		UsageCleanupTask, UsageLog, User, UserAllowedGroup, UserAttributeDefinition,
-		UserAttributeValue, UserSubscription []ent.Interceptor
+		ErrorPassthroughRule, Group, IdempotencyRecord, PaymentAuditLog,
+		PaymentOrder, PaymentProviderInstance, PromoCode,
+		PromoCodeUsage, Proxy, RedeemCode, SecuritySecret, Setting, SubscriptionPlan,
+		TLSFingerprintProfile, UsageCleanupTask, UsageLog, User, UserAllowedGroup,
+		UserAttributeDefinition, UserAttributeValue, UserSubscription []ent.Interceptor
 	}
 )
 
diff --git a/backend/ent/intercept/intercept.go b/backend/ent/intercept/intercept.go
index 8d8320bb..77d3e16e 100644
--- a/backend/ent/intercept/intercept.go
+++ b/backend/ent/intercept/intercept.go
@@ -336,6 +336,7 @@ func (f TraversePaymentAuditLog) Traverse(ctx context.Context, q ent.Query) erro
 	return fmt.Errorf("unexpected query type %T. expect *ent.PaymentAuditLogQuery", q)
 }
 
+
 // The PaymentOrderFunc type is an adapter to allow the use of ordinary function as a Querier.
 type PaymentOrderFunc func(context.Context, *ent.PaymentOrderQuery) (ent.Value, error)
 
diff --git a/backend/ent/predicate/predicate.go b/backend/ent/predicate/predicate.go
index ef551940..67f37c75 100644
--- a/backend/ent/predicate/predicate.go
+++ b/backend/ent/predicate/predicate.go
@@ -33,6 +33,7 @@ type IdempotencyRecord func(*sql.Selector)
 // PaymentAuditLog is the predicate function for paymentauditlog builders.
 type PaymentAuditLog func(*sql.Selector)
 
+
 // PaymentOrder is the predicate function for paymentorder builders.
 type PaymentOrder func(*sql.Selector)
 
diff --git a/backend/internal/handler/admin/channel_handler.go b/backend/internal/handler/admin/channel_handler.go
index c92b35bb..d6022283 100644
--- a/backend/internal/handler/admin/channel_handler.go
+++ b/backend/internal/handler/admin/channel_handler.go
@@ -33,6 +33,7 @@ type createChannelRequest struct {
 	ModelMapping       map[string]map[string]string `json:"model_mapping"`
 	BillingModelSource string                       `json:"billing_model_source" binding:"omitempty,oneof=requested upstream channel_mapped"`
 	RestrictModels     bool                         `json:"restrict_models"`
+	Features           string                       `json:"features"`
 }
 
 type updateChannelRequest struct {
@@ -44,6 +45,7 @@ type updateChannelRequest struct {
 	ModelMapping       map[string]map[string]string  `json:"model_mapping"`
 	BillingModelSource string                        `json:"billing_model_source" binding:"omitempty,oneof=requested upstream channel_mapped"`
 	RestrictModels     *bool                         `json:"restrict_models"`
+	Features           *string                       `json:"features"`
 }
 
 type channelModelPricingRequest struct {
@@ -78,6 +80,7 @@ type channelResponse struct {
 	Status             string                        `json:"status"`
 	BillingModelSource string                        `json:"billing_model_source"`
 	RestrictModels     bool                          `json:"restrict_models"`
+	Features           string                        `json:"features"`
 	GroupIDs           []int64                       `json:"group_ids"`
 	ModelPricing       []channelModelPricingResponse `json:"model_pricing"`
 	ModelMapping       map[string]map[string]string  `json:"model_mapping"`
@@ -122,6 +125,7 @@ func channelToResponse(ch *service.Channel) *channelResponse {
 		Description:    ch.Description,
 		Status:         ch.Status,
 		RestrictModels: ch.RestrictModels,
+		Features:       ch.Features,
 		GroupIDs:       ch.GroupIDs,
 		ModelMapping:   ch.ModelMapping,
 		CreatedAt:      ch.CreatedAt.Format("2006-01-02T15:04:05Z"),
@@ -300,6 +304,7 @@ func (h *ChannelHandler) Create(c *gin.Context) {
 		ModelMapping:       req.ModelMapping,
 		BillingModelSource: req.BillingModelSource,
 		RestrictModels:     req.RestrictModels,
+		Features:           req.Features,
 	})
 	if err != nil {
 		response.ErrorFrom(c, err)
@@ -332,6 +337,7 @@ func (h *ChannelHandler) Update(c *gin.Context) {
 		ModelMapping:       req.ModelMapping,
 		BillingModelSource: req.BillingModelSource,
 		RestrictModels:     req.RestrictModels,
+		Features:           req.Features,
 	}
 	if req.ModelPricing != nil {
 		pricing := pricingRequestToService(*req.ModelPricing)
diff --git a/backend/internal/handler/payment_handler.go b/backend/internal/handler/payment_handler.go
index 0425fc49..e01a2af1 100644
--- a/backend/internal/handler/payment_handler.go
+++ b/backend/internal/handler/payment_handler.go
@@ -7,6 +7,7 @@ import (
 	"github.com/Wei-Shaw/sub2api/internal/pkg/pagination"
 	"github.com/Wei-Shaw/sub2api/internal/pkg/response"
 	middleware2 "github.com/Wei-Shaw/sub2api/internal/server/middleware"
+	"github.com/Wei-Shaw/sub2api/internal/pkg/pagination"
 	"github.com/Wei-Shaw/sub2api/internal/service"
 
 	"github.com/gin-gonic/gin"
diff --git a/backend/internal/repository/channel_repo.go b/backend/internal/repository/channel_repo.go
index 49c2d8d9..710322fb 100644
--- a/backend/internal/repository/channel_repo.go
+++ b/backend/internal/repository/channel_repo.go
@@ -42,9 +42,9 @@ func (r *channelRepository) Create(ctx context.Context, channel *service.Channel
 			return err
 		}
 		err = tx.QueryRowContext(ctx,
-			`INSERT INTO channels (name, description, status, model_mapping, billing_model_source, restrict_models) VALUES ($1, $2, $3, $4, $5, $6)
+			`INSERT INTO channels (name, description, status, model_mapping, billing_model_source, restrict_models, features) VALUES ($1, $2, $3, $4, $5, $6, $7)
 			 RETURNING id, created_at, updated_at`,
-			channel.Name, channel.Description, channel.Status, modelMappingJSON, channel.BillingModelSource, channel.RestrictModels,
+			channel.Name, channel.Description, channel.Status, modelMappingJSON, channel.BillingModelSource, channel.RestrictModels, channel.Features,
 		).Scan(&channel.ID, &channel.CreatedAt, &channel.UpdatedAt)
 		if err != nil {
 			if isUniqueViolation(err) {
@@ -75,9 +75,9 @@ func (r *channelRepository) GetByID(ctx context.Context, id int64) (*service.Cha
 	ch := &service.Channel{}
 	var modelMappingJSON []byte
 	err := r.db.QueryRowContext(ctx,
-		`SELECT id, name, description, status, model_mapping, billing_model_source, restrict_models, created_at, updated_at
+		`SELECT id, name, description, status, model_mapping, billing_model_source, restrict_models, features, created_at, updated_at
 		 FROM channels WHERE id = $1`, id,
-	).Scan(&ch.ID, &ch.Name, &ch.Description, &ch.Status, &modelMappingJSON, &ch.BillingModelSource, &ch.RestrictModels, &ch.CreatedAt, &ch.UpdatedAt)
+	).Scan(&ch.ID, &ch.Name, &ch.Description, &ch.Status, &modelMappingJSON, &ch.BillingModelSource, &ch.RestrictModels, &ch.Features, &ch.CreatedAt, &ch.UpdatedAt)
 	if err == sql.ErrNoRows {
 		return nil, service.ErrChannelNotFound
 	}
@@ -108,9 +108,9 @@ func (r *channelRepository) Update(ctx context.Context, channel *service.Channel
 			return err
 		}
 		result, err := tx.ExecContext(ctx,
-			`UPDATE channels SET name = $1, description = $2, status = $3, model_mapping = $4, billing_model_source = $5, restrict_models = $6, updated_at = NOW()
-			 WHERE id = $7`,
-			channel.Name, channel.Description, channel.Status, modelMappingJSON, channel.BillingModelSource, channel.RestrictModels, channel.ID,
+			`UPDATE channels SET name = $1, description = $2, status = $3, model_mapping = $4, billing_model_source = $5, restrict_models = $6, features = $7, updated_at = NOW()
+			 WHERE id = $8`,
+			channel.Name, channel.Description, channel.Status, modelMappingJSON, channel.BillingModelSource, channel.RestrictModels, channel.Features, channel.ID,
 		)
 		if err != nil {
 			if isUniqueViolation(err) {
@@ -204,7 +204,7 @@ func (r *channelRepository) List(ctx context.Context, params pagination.Paginati
 	for rows.Next() {
 		var ch service.Channel
 		var modelMappingJSON []byte
-		if err := rows.Scan(&ch.ID, &ch.Name, &ch.Description, &ch.Status, &modelMappingJSON, &ch.BillingModelSource, &ch.RestrictModels, &ch.CreatedAt, &ch.UpdatedAt); err != nil {
+		if err := rows.Scan(&ch.ID, &ch.Name, &ch.Description, &ch.Status, &modelMappingJSON, &ch.BillingModelSource, &ch.RestrictModels, &ch.Features, &ch.CreatedAt, &ch.UpdatedAt); err != nil {
 			return nil, nil, fmt.Errorf("scan channel: %w", err)
 		}
 		ch.ModelMapping = unmarshalModelMapping(modelMappingJSON)
@@ -273,7 +273,7 @@ func channelListOrderBy(params pagination.PaginationParams) string {
 
 func (r *channelRepository) ListAll(ctx context.Context) ([]service.Channel, error) {
 	rows, err := r.db.QueryContext(ctx,
-		`SELECT id, name, description, status, model_mapping, billing_model_source, restrict_models, created_at, updated_at FROM channels ORDER BY id`,
+		`SELECT id, name, description, status, model_mapping, billing_model_source, restrict_models, features, created_at, updated_at FROM channels ORDER BY id`,
 	)
 	if err != nil {
 		return nil, fmt.Errorf("query all channels: %w", err)
@@ -285,7 +285,7 @@ func (r *channelRepository) ListAll(ctx context.Context) ([]service.Channel, err
 	for rows.Next() {
 		var ch service.Channel
 		var modelMappingJSON []byte
-		if err := rows.Scan(&ch.ID, &ch.Name, &ch.Description, &ch.Status, &modelMappingJSON, &ch.BillingModelSource, &ch.RestrictModels, &ch.CreatedAt, &ch.UpdatedAt); err != nil {
+		if err := rows.Scan(&ch.ID, &ch.Name, &ch.Description, &ch.Status, &modelMappingJSON, &ch.BillingModelSource, &ch.RestrictModels, &ch.Features, &ch.CreatedAt, &ch.UpdatedAt); err != nil {
 			return nil, fmt.Errorf("scan channel: %w", err)
 		}
 		ch.ModelMapping = unmarshalModelMapping(modelMappingJSON)
diff --git a/backend/internal/server/routes/payment.go b/backend/internal/server/routes/payment.go
index 6bf04679..828b68f3 100644
--- a/backend/internal/server/routes/payment.go
+++ b/backend/internal/server/routes/payment.go
@@ -26,7 +26,6 @@ func RegisterPaymentRoutes(
 	authenticated.Use(middleware.BackendModeUserGuard(settingService))
 	{
 		authenticated.GET("/config", paymentHandler.GetPaymentConfig)
-		authenticated.GET("/checkout-info", paymentHandler.GetCheckoutInfo)
 		authenticated.GET("/plans", paymentHandler.GetPlans)
 		authenticated.GET("/channels", paymentHandler.GetChannels)
 		authenticated.GET("/limits", paymentHandler.GetLimits)
@@ -34,7 +33,6 @@ func RegisterPaymentRoutes(
 		orders := authenticated.Group("/orders")
 		{
 			orders.POST("", paymentHandler.CreateOrder)
-			orders.POST("/verify", paymentHandler.VerifyOrder)
 			orders.GET("/my", paymentHandler.GetMyOrders)
 			orders.GET("/:id", paymentHandler.GetOrder)
 			orders.POST("/:id/cancel", paymentHandler.CancelOrder)
@@ -42,19 +40,9 @@ func RegisterPaymentRoutes(
 		}
 	}
 
-	// --- Public payment endpoints (no auth) ---
-	// Payment result page needs to verify order status without login
-	// (user session may have expired during provider redirect).
-	public := v1.Group("/payment/public")
-	{
-		public.POST("/orders/verify", paymentHandler.VerifyOrderPublic)
-	}
-
 	// --- Webhook endpoints (no auth) ---
 	webhook := v1.Group("/payment/webhook")
 	{
-		// EasyPay sends GET callbacks with query params
-		webhook.GET("/easypay", webhookHandler.EasyPayNotify)
 		webhook.POST("/easypay", webhookHandler.EasyPayNotify)
 		webhook.POST("/alipay", webhookHandler.AlipayNotify)
 		webhook.POST("/wxpay", webhookHandler.WxpayNotify)
@@ -82,6 +70,7 @@ func RegisterPaymentRoutes(
 			adminOrders.POST("/:id/refund", adminPaymentHandler.ProcessRefund)
 		}
 
+
 		// Subscription Plans
 		plans := adminGroup.Group("/plans")
 		{
diff --git a/backend/internal/service/channel.go b/backend/internal/service/channel.go
index 1697ed6f..eac81444 100644
--- a/backend/internal/service/channel.go
+++ b/backend/internal/service/channel.go
@@ -39,6 +39,7 @@ type Channel struct {
 	Status             string
 	BillingModelSource string // "requested", "upstream", or "channel_mapped"
 	RestrictModels     bool   // 是否限制模型（仅允许定价列表中的模型）
+	Features           string // 渠道特性描述（JSON 数组），用于支付页面展示
 	CreatedAt          time.Time
 	UpdatedAt          time.Time
 
diff --git a/backend/internal/service/channel_service.go b/backend/internal/service/channel_service.go
index ec8310f6..cdf94a4c 100644
--- a/backend/internal/service/channel_service.go
+++ b/backend/internal/service/channel_service.go
@@ -584,6 +584,7 @@ func (s *ChannelService) Create(ctx context.Context, input *CreateChannelInput)
 		GroupIDs:           input.GroupIDs,
 		ModelPricing:       input.ModelPricing,
 		ModelMapping:       input.ModelMapping,
+		Features:           input.Features,
 	}
 	if channel.BillingModelSource == "" {
 		channel.BillingModelSource = BillingModelSourceChannelMapped
@@ -641,6 +642,9 @@ func (s *ChannelService) Update(ctx context.Context, id int64, input *UpdateChan
 	if input.RestrictModels != nil {
 		channel.RestrictModels = *input.RestrictModels
 	}
+	if input.Features != nil {
+		channel.Features = *input.Features
+	}
 
 	// 检查分组冲突
 	if input.GroupIDs != nil {
@@ -842,6 +846,7 @@ type CreateChannelInput struct {
 	ModelMapping       map[string]map[string]string // platform → {src→dst}
 	BillingModelSource string
 	RestrictModels     bool
+	Features           string
 }
 
 // UpdateChannelInput 更新渠道输入
@@ -854,4 +859,5 @@ type UpdateChannelInput struct {
 	ModelMapping       map[string]map[string]string // platform → {src→dst}
 	BillingModelSource string
 	RestrictModels     *bool
+	Features           *string
 }
diff --git a/backend/internal/service/payment_config_service.go b/backend/internal/service/payment_config_service.go
index 9042c3ab..dafe9afd 100644
--- a/backend/internal/service/payment_config_service.go
+++ b/backend/internal/service/payment_config_service.go
@@ -2,13 +2,16 @@ package service
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"strconv"
 	"strings"
 
 	dbent "github.com/Wei-Shaw/sub2api/ent"
 	"github.com/Wei-Shaw/sub2api/ent/paymentproviderinstance"
+	"github.com/Wei-Shaw/sub2api/ent/subscriptionplan"
 	"github.com/Wei-Shaw/sub2api/internal/payment"
+	infraerrors "github.com/Wei-Shaw/sub2api/internal/pkg/errors"
 )
 
 const (
@@ -23,8 +26,6 @@ const (
 	SettingBalancePayDisabled  = "BALANCE_PAYMENT_DISABLED"
 	SettingProductNamePrefix   = "PRODUCT_NAME_PREFIX"
 	SettingProductNameSuffix   = "PRODUCT_NAME_SUFFIX"
-	SettingHelpImageURL        = "PAYMENT_HELP_IMAGE_URL"
-	SettingHelpText            = "PAYMENT_HELP_TEXT"
 	SettingCancelRateLimitOn   = "CANCEL_RATE_LIMIT_ENABLED"
 	SettingCancelRateLimitMax  = "CANCEL_RATE_LIMIT_MAX"
 	SettingCancelWindowSize    = "CANCEL_RATE_LIMIT_WINDOW"
@@ -32,126 +33,91 @@ const (
 	SettingCancelWindowMode    = "CANCEL_RATE_LIMIT_WINDOW_MODE"
 )
 
-// Default values for payment configuration settings.
-const (
-	defaultOrderTimeoutMin  = 30
-	defaultMaxPendingOrders = 3
-)
-
 // PaymentConfig holds the payment system configuration.
 type PaymentConfig struct {
-	Enabled              bool     `json:"enabled"`
-	MinAmount            float64  `json:"min_amount"`
-	MaxAmount            float64  `json:"max_amount"`
-	DailyLimit           float64  `json:"daily_limit"`
-	OrderTimeoutMin      int      `json:"order_timeout_minutes"`
-	MaxPendingOrders     int      `json:"max_pending_orders"`
-	EnabledTypes         []string `json:"enabled_payment_types"`
-	BalanceDisabled      bool     `json:"balance_disabled"`
-	LoadBalanceStrategy  string   `json:"load_balance_strategy"`
-	ProductNamePrefix    string   `json:"product_name_prefix"`
-	ProductNameSuffix    string   `json:"product_name_suffix"`
-	HelpImageURL         string   `json:"help_image_url"`
-	HelpText             string   `json:"help_text"`
-	StripePublishableKey string   `json:"stripe_publishable_key,omitempty"`
-
-	// Cancel rate limit settings
-	CancelRateLimitEnabled bool   `json:"cancel_rate_limit_enabled"`
-	CancelRateLimitMax     int    `json:"cancel_rate_limit_max"`
-	CancelRateLimitWindow  int    `json:"cancel_rate_limit_window"`
-	CancelRateLimitUnit    string `json:"cancel_rate_limit_unit"`
-	CancelRateLimitMode    string `json:"cancel_rate_limit_window_mode"`
+	Enabled             bool     `json:"enabled"`
+	MinAmount           float64  `json:"minAmount"`
+	MaxAmount           float64  `json:"maxAmount"`
+	DailyLimit          float64  `json:"dailyLimit"`
+	OrderTimeoutMin     int      `json:"orderTimeoutMinutes"`
+	MaxPendingOrders    int      `json:"maxPendingOrders"`
+	EnabledTypes        []string `json:"enabledTypes"`
+	BalanceDisabled     bool     `json:"balanceDisabled"`
+	LoadBalanceStrategy string   `json:"loadBalanceStrategy"`
+	ProductNamePrefix   string   `json:"productNamePrefix"`
+	ProductNameSuffix   string   `json:"productNameSuffix"`
 }
 
 // UpdatePaymentConfigRequest contains fields to update payment configuration.
 type UpdatePaymentConfigRequest struct {
 	Enabled             *bool    `json:"enabled"`
-	MinAmount           *float64 `json:"min_amount"`
-	MaxAmount           *float64 `json:"max_amount"`
-	DailyLimit          *float64 `json:"daily_limit"`
-	OrderTimeoutMin     *int     `json:"order_timeout_minutes"`
-	MaxPendingOrders    *int     `json:"max_pending_orders"`
-	EnabledTypes        []string `json:"enabled_payment_types"`
-	BalanceDisabled     *bool    `json:"balance_disabled"`
-	LoadBalanceStrategy *string  `json:"load_balance_strategy"`
-	ProductNamePrefix   *string  `json:"product_name_prefix"`
-	ProductNameSuffix   *string  `json:"product_name_suffix"`
-	HelpImageURL        *string  `json:"help_image_url"`
-	HelpText            *string  `json:"help_text"`
-
-	// Cancel rate limit settings
-	CancelRateLimitEnabled *bool   `json:"cancel_rate_limit_enabled"`
-	CancelRateLimitMax     *int    `json:"cancel_rate_limit_max"`
-	CancelRateLimitWindow  *int    `json:"cancel_rate_limit_window"`
-	CancelRateLimitUnit    *string `json:"cancel_rate_limit_unit"`
-	CancelRateLimitMode    *string `json:"cancel_rate_limit_window_mode"`
+	MinAmount           *float64 `json:"minAmount"`
+	MaxAmount           *float64 `json:"maxAmount"`
+	DailyLimit          *float64 `json:"dailyLimit"`
+	OrderTimeoutMin     *int     `json:"orderTimeoutMinutes"`
+	MaxPendingOrders    *int     `json:"maxPendingOrders"`
+	EnabledTypes        []string `json:"enabledTypes"`
+	BalanceDisabled     *bool    `json:"balanceDisabled"`
+	LoadBalanceStrategy *string  `json:"loadBalanceStrategy"`
+	ProductNamePrefix   *string  `json:"productNamePrefix"`
+	ProductNameSuffix   *string  `json:"productNameSuffix"`
 }
 
 // MethodLimits holds per-payment-type limits.
 type MethodLimits struct {
-	PaymentType string  `json:"payment_type"`
-	FeeRate     float64 `json:"fee_rate"`
-	DailyLimit  float64 `json:"daily_limit"`
-	SingleMin   float64 `json:"single_min"`
-	SingleMax   float64 `json:"single_max"`
-}
-
-// MethodLimitsResponse is the full response for the user-facing /limits API.
-// It includes per-method limits and the global widest range (union of all methods).
-type MethodLimitsResponse struct {
-	Methods   map[string]MethodLimits `json:"methods"`
-	GlobalMin float64                 `json:"global_min"` // 0 = no minimum
-	GlobalMax float64                 `json:"global_max"` // 0 = no maximum
+	PaymentType string  `json:"paymentType"`
+	FeeRate     float64 `json:"feeRate"`
+	DailyLimit  float64 `json:"dailyLimit"`
+	SingleMin   float64 `json:"singleMin"`
+	SingleMax   float64 `json:"singleMax"`
 }
 
 type CreateProviderInstanceRequest struct {
-	ProviderKey    string            `json:"provider_key"`
+	ProviderKey    string            `json:"providerKey"`
 	Name           string            `json:"name"`
 	Config         map[string]string `json:"config"`
-	SupportedTypes []string          `json:"supported_types"`
+	SupportedTypes string            `json:"supportedTypes"`
 	Enabled        bool              `json:"enabled"`
-	PaymentMode    string            `json:"payment_mode"`
-	SortOrder      int               `json:"sort_order"`
+	SortOrder      int               `json:"sortOrder"`
 	Limits         string            `json:"limits"`
-	RefundEnabled  bool              `json:"refund_enabled"`
+	RefundEnabled  bool              `json:"refundEnabled"`
 }
 
 type UpdateProviderInstanceRequest struct {
 	Name           *string           `json:"name"`
 	Config         map[string]string `json:"config"`
-	SupportedTypes []string          `json:"supported_types"`
+	SupportedTypes *string           `json:"supportedTypes"`
 	Enabled        *bool             `json:"enabled"`
-	PaymentMode    *string           `json:"payment_mode"`
-	SortOrder      *int              `json:"sort_order"`
+	SortOrder      *int              `json:"sortOrder"`
 	Limits         *string           `json:"limits"`
-	RefundEnabled  *bool             `json:"refund_enabled"`
+	RefundEnabled  *bool             `json:"refundEnabled"`
 }
 type CreatePlanRequest struct {
-	GroupID       int64    `json:"group_id"`
+	GroupID       int64    `json:"groupId"`
 	Name          string   `json:"name"`
 	Description   string   `json:"description"`
 	Price         float64  `json:"price"`
-	OriginalPrice *float64 `json:"original_price"`
-	ValidityDays  int      `json:"validity_days"`
-	ValidityUnit  string   `json:"validity_unit"`
+	OriginalPrice *float64 `json:"originalPrice"`
+	ValidityDays  int      `json:"validityDays"`
+	ValidityUnit  string   `json:"validityUnit"`
 	Features      string   `json:"features"`
-	ProductName   string   `json:"product_name"`
-	ForSale       bool     `json:"for_sale"`
-	SortOrder     int      `json:"sort_order"`
+	ProductName   string   `json:"productName"`
+	ForSale       bool     `json:"forSale"`
+	SortOrder     int      `json:"sortOrder"`
 }
 
 type UpdatePlanRequest struct {
-	GroupID       *int64   `json:"group_id"`
+	GroupID       *int64   `json:"groupId"`
 	Name          *string  `json:"name"`
 	Description   *string  `json:"description"`
 	Price         *float64 `json:"price"`
-	OriginalPrice *float64 `json:"original_price"`
-	ValidityDays  *int     `json:"validity_days"`
-	ValidityUnit  *string  `json:"validity_unit"`
+	OriginalPrice *float64 `json:"originalPrice"`
+	ValidityDays  *int     `json:"validityDays"`
+	ValidityUnit  *string  `json:"validityUnit"`
 	Features      *string  `json:"features"`
-	ProductName   *string  `json:"product_name"`
-	ForSale       *bool    `json:"for_sale"`
-	SortOrder     *int     `json:"sort_order"`
+	ProductName   *string  `json:"productName"`
+	ForSale       *bool    `json:"forSale"`
+	SortOrder     *int     `json:"sortOrder"`
 }
 
 // PaymentConfigService manages payment configuration and CRUD for
@@ -183,43 +149,29 @@ func (s *PaymentConfigService) GetPaymentConfig(ctx context.Context) (*PaymentCo
 		SettingDailyRechargeLimit, SettingOrderTimeoutMinutes, SettingMaxPendingOrders,
 		SettingEnabledPaymentTypes, SettingBalancePayDisabled, SettingLoadBalanceStrategy,
 		SettingProductNamePrefix, SettingProductNameSuffix,
-		SettingHelpImageURL, SettingHelpText,
-		SettingCancelRateLimitOn, SettingCancelRateLimitMax,
-		SettingCancelWindowSize, SettingCancelWindowUnit, SettingCancelWindowMode,
 	}
 	vals, err := s.settingRepo.GetMultiple(ctx, keys)
 	if err != nil {
 		return nil, fmt.Errorf("get payment config settings: %w", err)
 	}
-	cfg := s.parsePaymentConfig(vals)
-	// Load Stripe publishable key from the first enabled Stripe provider instance
-	cfg.StripePublishableKey = s.getStripePublishableKey(ctx)
-	return cfg, nil
+	return s.parsePaymentConfig(vals), nil
 }
 
 func (s *PaymentConfigService) parsePaymentConfig(vals map[string]string) *PaymentConfig {
 	cfg := &PaymentConfig{
 		Enabled:             vals[SettingPaymentEnabled] == "true",
 		MinAmount:           pcParseFloat(vals[SettingMinRechargeAmount], 1),
-		MaxAmount:           pcParseFloat(vals[SettingMaxRechargeAmount], 0),
+		MaxAmount:           pcParseFloat(vals[SettingMaxRechargeAmount], 99999999.99),
 		DailyLimit:          pcParseFloat(vals[SettingDailyRechargeLimit], 0),
-		OrderTimeoutMin:     pcParseInt(vals[SettingOrderTimeoutMinutes], defaultOrderTimeoutMin),
-		MaxPendingOrders:    pcParseInt(vals[SettingMaxPendingOrders], defaultMaxPendingOrders),
+		OrderTimeoutMin:     pcParseInt(vals[SettingOrderTimeoutMinutes], 30),
+		MaxPendingOrders:    pcParseInt(vals[SettingMaxPendingOrders], 3),
 		BalanceDisabled:     vals[SettingBalancePayDisabled] == "true",
 		LoadBalanceStrategy: vals[SettingLoadBalanceStrategy],
 		ProductNamePrefix:   vals[SettingProductNamePrefix],
 		ProductNameSuffix:   vals[SettingProductNameSuffix],
-		HelpImageURL:        vals[SettingHelpImageURL],
-		HelpText:            vals[SettingHelpText],
-
-		CancelRateLimitEnabled: vals[SettingCancelRateLimitOn] == "true",
-		CancelRateLimitMax:     pcParseInt(vals[SettingCancelRateLimitMax], 10),
-		CancelRateLimitWindow:  pcParseInt(vals[SettingCancelWindowSize], 1),
-		CancelRateLimitUnit:    vals[SettingCancelWindowUnit],
-		CancelRateLimitMode:    vals[SettingCancelWindowMode],
 	}
 	if cfg.LoadBalanceStrategy == "" {
-		cfg.LoadBalanceStrategy = payment.DefaultLoadBalanceStrategy
+		cfg.LoadBalanceStrategy = "round-robin"
 	}
 	if raw := vals[SettingEnabledPaymentTypes]; raw != "" {
 		for _, t := range strings.Split(raw, ",") {
@@ -232,100 +184,242 @@ func (s *PaymentConfigService) parsePaymentConfig(vals map[string]string) *Payme
 	return cfg
 }
 
-// getStripePublishableKey finds the publishable key from the first enabled Stripe provider instance.
-func (s *PaymentConfigService) getStripePublishableKey(ctx context.Context) string {
-	instances, err := s.entClient.PaymentProviderInstance.Query().
-		Where(
-			paymentproviderinstance.EnabledEQ(true),
-			paymentproviderinstance.ProviderKeyEQ(payment.TypeStripe),
-		).Limit(1).All(ctx)
-	if err != nil || len(instances) == 0 {
-		return ""
-	}
-	cfg, err := s.decryptConfig(instances[0].Config)
-	if err != nil || cfg == nil {
-		return ""
-	}
-	return cfg[payment.ConfigKeyPublishableKey]
-}
-
 // UpdatePaymentConfig updates the payment configuration settings.
-// NOTE: This function exceeds 30 lines because each field requires an independent
-// nil-check before serialisation — this is inherent to patch-style update patterns
-// and cannot be meaningfully decomposed without introducing unnecessary abstraction.
 func (s *PaymentConfigService) UpdatePaymentConfig(ctx context.Context, req UpdatePaymentConfigRequest) error {
-	m := map[string]string{
-		SettingPaymentEnabled:      formatBoolOrEmpty(req.Enabled),
-		SettingMinRechargeAmount:   formatPositiveFloat(req.MinAmount),
-		SettingMaxRechargeAmount:   formatPositiveFloat(req.MaxAmount),
-		SettingDailyRechargeLimit:  formatPositiveFloat(req.DailyLimit),
-		SettingOrderTimeoutMinutes: formatPositiveInt(req.OrderTimeoutMin),
-		SettingMaxPendingOrders:    formatPositiveInt(req.MaxPendingOrders),
-		SettingBalancePayDisabled:  formatBoolOrEmpty(req.BalanceDisabled),
-		SettingLoadBalanceStrategy: derefStr(req.LoadBalanceStrategy),
-		SettingProductNamePrefix:   derefStr(req.ProductNamePrefix),
-		SettingProductNameSuffix:   derefStr(req.ProductNameSuffix),
-		SettingHelpImageURL:        derefStr(req.HelpImageURL),
-		SettingHelpText:            derefStr(req.HelpText),
-		SettingCancelRateLimitOn:   formatBoolOrEmpty(req.CancelRateLimitEnabled),
-		SettingCancelRateLimitMax:  formatPositiveInt(req.CancelRateLimitMax),
-		SettingCancelWindowSize:    formatPositiveInt(req.CancelRateLimitWindow),
-		SettingCancelWindowUnit:    derefStr(req.CancelRateLimitUnit),
-		SettingCancelWindowMode:    derefStr(req.CancelRateLimitMode),
+	m := make(map[string]string)
+	if req.Enabled != nil {
+		m[SettingPaymentEnabled] = strconv.FormatBool(*req.Enabled)
+	}
+	if req.MinAmount != nil {
+		m[SettingMinRechargeAmount] = strconv.FormatFloat(*req.MinAmount, 'f', 2, 64)
+	}
+	if req.MaxAmount != nil {
+		m[SettingMaxRechargeAmount] = strconv.FormatFloat(*req.MaxAmount, 'f', 2, 64)
+	}
+	if req.DailyLimit != nil {
+		m[SettingDailyRechargeLimit] = strconv.FormatFloat(*req.DailyLimit, 'f', 2, 64)
+	}
+	if req.OrderTimeoutMin != nil {
+		m[SettingOrderTimeoutMinutes] = strconv.Itoa(*req.OrderTimeoutMin)
+	}
+	if req.MaxPendingOrders != nil {
+		m[SettingMaxPendingOrders] = strconv.Itoa(*req.MaxPendingOrders)
 	}
 	if req.EnabledTypes != nil {
 		m[SettingEnabledPaymentTypes] = strings.Join(req.EnabledTypes, ",")
-	} else {
-		m[SettingEnabledPaymentTypes] = ""
+	}
+	if req.BalanceDisabled != nil {
+		m[SettingBalancePayDisabled] = strconv.FormatBool(*req.BalanceDisabled)
+	}
+	if req.LoadBalanceStrategy != nil {
+		m[SettingLoadBalanceStrategy] = *req.LoadBalanceStrategy
+	}
+	if req.ProductNamePrefix != nil {
+		m[SettingProductNamePrefix] = *req.ProductNamePrefix
+	}
+	if req.ProductNameSuffix != nil {
+		m[SettingProductNameSuffix] = *req.ProductNameSuffix
+	}
+	if len(m) == 0 {
+		return nil
 	}
 	return s.settingRepo.SetMultiple(ctx, m)
 }
 
-func formatBoolOrEmpty(v *bool) string {
-	if v == nil {
-		return ""
-	}
-	return strconv.FormatBool(*v)
+// --- Provider Instance CRUD ---
+
+func (s *PaymentConfigService) ListProviderInstances(ctx context.Context) ([]*dbent.PaymentProviderInstance, error) {
+	return s.entClient.PaymentProviderInstance.Query().Order(paymentproviderinstance.BySortOrder()).All(ctx)
 }
 
-func formatPositiveFloat(v *float64) string {
-	if v == nil || *v <= 0 {
-		return "" // empty → parsePaymentConfig uses default
+func (s *PaymentConfigService) CreateProviderInstance(ctx context.Context, req CreateProviderInstanceRequest) (*dbent.PaymentProviderInstance, error) {
+	enc, err := s.encryptConfig(req.Config)
+	if err != nil {
+		return nil, err
 	}
-	return strconv.FormatFloat(*v, 'f', 2, 64)
+	return s.entClient.PaymentProviderInstance.Create().
+		SetProviderKey(req.ProviderKey).SetName(req.Name).SetConfig(enc).
+		SetSupportedTypes(req.SupportedTypes).SetEnabled(req.Enabled).
+		SetSortOrder(req.SortOrder).SetLimits(req.Limits).SetRefundEnabled(req.RefundEnabled).
+		Save(ctx)
 }
 
-func formatPositiveInt(v *int) string {
-	if v == nil || *v <= 0 {
-		return ""
+func (s *PaymentConfigService) UpdateProviderInstance(ctx context.Context, id int64, req UpdateProviderInstanceRequest) (*dbent.PaymentProviderInstance, error) {
+	u := s.entClient.PaymentProviderInstance.UpdateOneID(id)
+	if req.Name != nil {
+		u.SetName(*req.Name)
 	}
-	return strconv.Itoa(*v)
+	if req.Config != nil {
+		enc, err := s.encryptConfig(req.Config)
+		if err != nil {
+			return nil, err
+		}
+		u.SetConfig(enc)
+	}
+	if req.SupportedTypes != nil {
+		u.SetSupportedTypes(*req.SupportedTypes)
+	}
+	if req.Enabled != nil {
+		u.SetEnabled(*req.Enabled)
+	}
+	if req.SortOrder != nil {
+		u.SetSortOrder(*req.SortOrder)
+	}
+	if req.Limits != nil {
+		u.SetLimits(*req.Limits)
+	}
+	if req.RefundEnabled != nil {
+		u.SetRefundEnabled(*req.RefundEnabled)
+	}
+	return u.Save(ctx)
 }
 
-func derefStr(v *string) string {
-	if v == nil {
-		return ""
-	}
-	return *v
+func (s *PaymentConfigService) DeleteProviderInstance(ctx context.Context, id int64) error {
+	return s.entClient.PaymentProviderInstance.DeleteOneID(id).Exec(ctx)
 }
 
-func splitTypes(s string) []string {
-	if s == "" {
-		return nil
+func (s *PaymentConfigService) encryptConfig(cfg map[string]string) (string, error) {
+	data, err := json.Marshal(cfg)
+	if err != nil {
+		return "", fmt.Errorf("marshal config: %w", err)
 	}
-	parts := strings.Split(s, ",")
-	result := make([]string, 0, len(parts))
-	for _, p := range parts {
-		p = strings.TrimSpace(p)
-		if p != "" {
-			result = append(result, p)
+	enc, err := payment.Encrypt(string(data), s.encryptionKey)
+	if err != nil {
+		return "", fmt.Errorf("encrypt config: %w", err)
+	}
+	return enc, nil
+}
+
+// --- Channel CRUD ---
+
+
+// --- Plan CRUD ---
+
+func (s *PaymentConfigService) ListPlans(ctx context.Context) ([]*dbent.SubscriptionPlan, error) {
+	return s.entClient.SubscriptionPlan.Query().Order(subscriptionplan.BySortOrder()).All(ctx)
+}
+
+func (s *PaymentConfigService) ListPlansForSale(ctx context.Context) ([]*dbent.SubscriptionPlan, error) {
+	return s.entClient.SubscriptionPlan.Query().Where(subscriptionplan.ForSaleEQ(true)).Order(subscriptionplan.BySortOrder()).All(ctx)
+}
+
+func (s *PaymentConfigService) CreatePlan(ctx context.Context, req CreatePlanRequest) (*dbent.SubscriptionPlan, error) {
+	b := s.entClient.SubscriptionPlan.Create().
+		SetGroupID(req.GroupID).SetName(req.Name).SetDescription(req.Description).
+		SetPrice(req.Price).SetValidityDays(req.ValidityDays).SetValidityUnit(req.ValidityUnit).
+		SetFeatures(req.Features).SetProductName(req.ProductName).
+		SetForSale(req.ForSale).SetSortOrder(req.SortOrder)
+	if req.OriginalPrice != nil {
+		b.SetOriginalPrice(*req.OriginalPrice)
+	}
+	return b.Save(ctx)
+}
+
+func (s *PaymentConfigService) UpdatePlan(ctx context.Context, id int64, req UpdatePlanRequest) (*dbent.SubscriptionPlan, error) {
+	u := s.entClient.SubscriptionPlan.UpdateOneID(id)
+	if req.GroupID != nil {
+		u.SetGroupID(*req.GroupID)
+	}
+	if req.Name != nil {
+		u.SetName(*req.Name)
+	}
+	if req.Description != nil {
+		u.SetDescription(*req.Description)
+	}
+	if req.Price != nil {
+		u.SetPrice(*req.Price)
+	}
+	if req.OriginalPrice != nil {
+		u.SetOriginalPrice(*req.OriginalPrice)
+	}
+	if req.ValidityDays != nil {
+		u.SetValidityDays(*req.ValidityDays)
+	}
+	if req.ValidityUnit != nil {
+		u.SetValidityUnit(*req.ValidityUnit)
+	}
+	if req.Features != nil {
+		u.SetFeatures(*req.Features)
+	}
+	if req.ProductName != nil {
+		u.SetProductName(*req.ProductName)
+	}
+	if req.ForSale != nil {
+		u.SetForSale(*req.ForSale)
+	}
+	if req.SortOrder != nil {
+		u.SetSortOrder(*req.SortOrder)
+	}
+	return u.Save(ctx)
+}
+
+func (s *PaymentConfigService) DeletePlan(ctx context.Context, id int64) error {
+	return s.entClient.SubscriptionPlan.DeleteOneID(id).Exec(ctx)
+}
+
+// GetPlan returns a subscription plan by ID.
+func (s *PaymentConfigService) GetPlan(ctx context.Context, id int64) (*dbent.SubscriptionPlan, error) {
+	plan, err := s.entClient.SubscriptionPlan.Get(ctx, id)
+	if err != nil {
+		return nil, infraerrors.NotFound("PLAN_NOT_FOUND", "subscription plan not found")
+	}
+	return plan, nil
+}
+
+// GetMethodLimits returns per-payment-type limits from enabled provider instances.
+func (s *PaymentConfigService) GetMethodLimits(ctx context.Context, types []string) ([]MethodLimits, error) {
+	instances, err := s.entClient.PaymentProviderInstance.Query().
+		Where(paymentproviderinstance.EnabledEQ(true)).All(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("query provider instances: %w", err)
+	}
+	result := make([]MethodLimits, 0, len(types))
+	for _, pt := range types {
+		ml := MethodLimits{PaymentType: pt}
+		for _, inst := range instances {
+			if !pcInstanceSupportsType(inst, pt) {
+				continue
+			}
+			pcApplyInstanceLimits(inst, pt, &ml)
+		}
+		result = append(result, ml)
+	}
+	return result, nil
+}
+
+func pcInstanceSupportsType(inst *dbent.PaymentProviderInstance, pt string) bool {
+	if inst.SupportedTypes == "" {
+		return true
+	}
+	for _, t := range strings.Split(inst.SupportedTypes, ",") {
+		if strings.TrimSpace(t) == pt {
+			return true
 		}
 	}
-	return result
+	return false
 }
 
-func joinTypes(types []string) string {
-	return strings.Join(types, ",")
+func pcApplyInstanceLimits(inst *dbent.PaymentProviderInstance, pt string, ml *MethodLimits) {
+	if inst.Limits == "" {
+		return
+	}
+	var limits payment.InstanceLimits
+	if err := json.Unmarshal([]byte(inst.Limits), &limits); err != nil {
+		return
+	}
+	cl, ok := limits[pt]
+	if !ok {
+		return
+	}
+	if cl.DailyLimit > 0 && (ml.DailyLimit == 0 || cl.DailyLimit < ml.DailyLimit) {
+		ml.DailyLimit = cl.DailyLimit
+	}
+	if cl.SingleMin > 0 && (ml.SingleMin == 0 || cl.SingleMin > ml.SingleMin) {
+		ml.SingleMin = cl.SingleMin
+	}
+	if cl.SingleMax > 0 && (ml.SingleMax == 0 || cl.SingleMax < ml.SingleMax) {
+		ml.SingleMax = cl.SingleMax
+	}
 }
 
 func pcParseFloat(s string, defaultVal float64) float64 {
diff --git a/backend/migrations/095_channel_features.sql b/backend/migrations/095_channel_features.sql
new file mode 100644
index 00000000..5f142002
--- /dev/null
+++ b/backend/migrations/095_channel_features.sql
@@ -0,0 +1,2 @@
+ALTER TABLE channels ADD COLUMN IF NOT EXISTS features TEXT NOT NULL DEFAULT '';
+COMMENT ON COLUMN channels.features IS '渠道特性描述，JSON 数组格式，用于支付页面展示';

From 3d4d960d60dde5ffaa8213ef0a301a139d471431 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Sun, 5 Apr 2026 23:14:23 +0800
Subject: [PATCH 019/122] fix: gofmt formatting after merge

---
 .../service/admin_service_clear_error_test.go | 24 +++++++++----------
 .../internal/service/billing_service_test.go  |  1 -
 2 files changed, 12 insertions(+), 13 deletions(-)

diff --git a/backend/internal/service/admin_service_clear_error_test.go b/backend/internal/service/admin_service_clear_error_test.go
index f039612c..141466dc 100644
--- a/backend/internal/service/admin_service_clear_error_test.go
+++ b/backend/internal/service/admin_service_clear_error_test.go
@@ -12,12 +12,12 @@ import (
 
 type accountRepoStubForClearAccountError struct {
 	mockAccountRepoForGemini
-	account                 *Account
-	clearErrorCalls         int
-	clearRateLimitCalls     int
-	clearAntigravityCalls   int
+	account                  *Account
+	clearErrorCalls          int
+	clearRateLimitCalls      int
+	clearAntigravityCalls    int
 	clearModelRateLimitCalls int
-	clearTempUnschedCalls   int
+	clearTempUnschedCalls    int
 }
 
 func (r *accountRepoStubForClearAccountError) GetByID(ctx context.Context, id int64) (*Account, error) {
@@ -60,13 +60,13 @@ func TestAdminService_ClearAccountError_AlsoClearsRecoverableRuntimeState(t *tes
 	resetAt := time.Now().Add(5 * time.Minute)
 	repo := &accountRepoStubForClearAccountError{
 		account: &Account{
-			ID:                     31,
-			Platform:               PlatformOpenAI,
-			Type:                   AccountTypeOAuth,
-			Status:                 StatusError,
-			ErrorMessage:           "refresh failed",
-			RateLimitResetAt:       &resetAt,
-			TempUnschedulableUntil: &until,
+			ID:                      31,
+			Platform:                PlatformOpenAI,
+			Type:                    AccountTypeOAuth,
+			Status:                  StatusError,
+			ErrorMessage:            "refresh failed",
+			RateLimitResetAt:        &resetAt,
+			TempUnschedulableUntil:  &until,
 			TempUnschedulableReason: "missing refresh token",
 		},
 	}
diff --git a/backend/internal/service/billing_service_test.go b/backend/internal/service/billing_service_test.go
index dd58502c..6f6c41ce 100644
--- a/backend/internal/service/billing_service_test.go
+++ b/backend/internal/service/billing_service_test.go
@@ -363,7 +363,6 @@ func TestCalculateImageCost(t *testing.T) {
 	require.InDelta(t, 0.134*3, cost.ActualCost, 1e-10)
 }
 
-
 func TestIsModelSupported(t *testing.T) {
 	svc := newTestBillingService()
 

From 1c63ea1448b6fac211751af8562aef69f2a4ae64 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Tue, 7 Apr 2026 13:47:12 +0800
Subject: [PATCH 020/122] fix(channel): add missing features column to List
 query

The paginated List query was selecting 9 columns but scanning 10 fields,
missing c.features. GetByID and ListAll already included it correctly.
---
 backend/cmd/server/VERSION                  |  2 +-
 backend/internal/repository/channel_repo.go | 31 ++-------------------
 2 files changed, 4 insertions(+), 29 deletions(-)

diff --git a/backend/cmd/server/VERSION b/backend/cmd/server/VERSION
index 1ebb081e..8b4a4750 100644
--- a/backend/cmd/server/VERSION
+++ b/backend/cmd/server/VERSION
@@ -1 +1 @@
-0.1.105.13
+0.1.108.73
diff --git a/backend/internal/repository/channel_repo.go b/backend/internal/repository/channel_repo.go
index 710322fb..baad31f7 100644
--- a/backend/internal/repository/channel_repo.go
+++ b/backend/internal/repository/channel_repo.go
@@ -187,9 +187,9 @@ func (r *channelRepository) List(ctx context.Context, params pagination.Paginati
 
 	// 查询 channel 列表
 	dataQuery := fmt.Sprintf(
-		`SELECT c.id, c.name, c.description, c.status, c.model_mapping, c.billing_model_source, c.restrict_models, c.created_at, c.updated_at
-		 FROM channels c WHERE %s ORDER BY %s LIMIT $%d OFFSET $%d`,
-		whereClause, channelListOrderBy(params), argIdx, argIdx+1,
+		`SELECT c.id, c.name, c.description, c.status, c.model_mapping, c.billing_model_source, c.restrict_models, c.features, c.created_at, c.updated_at
+		 FROM channels c WHERE %s ORDER BY c.id ASC LIMIT $%d OFFSET $%d`,
+		whereClause, argIdx, argIdx+1,
 	)
 	args = append(args, pageSize, offset)
 
@@ -246,31 +246,6 @@ func (r *channelRepository) List(ctx context.Context, params pagination.Paginati
 	return channels, paginationResult, nil
 }
 
-func channelListOrderBy(params pagination.PaginationParams) string {
-	sortBy := strings.ToLower(strings.TrimSpace(params.SortBy))
-	sortOrder := strings.ToUpper(params.NormalizedSortOrder(pagination.SortOrderAsc))
-
-	var column string
-	switch sortBy {
-	case "":
-		column = "c.id"
-		sortOrder = "ASC"
-	case "id":
-		column = "c.id"
-	case "name":
-		column = "c.name"
-	case "status":
-		column = "c.status"
-	case "created_at":
-		column = "c.created_at"
-	default:
-		column = "c.id"
-		sortOrder = "ASC"
-	}
-
-	return fmt.Sprintf("%s %s, c.id %s", column, sortOrder, sortOrder)
-}
-
 func (r *channelRepository) ListAll(ctx context.Context) ([]service.Channel, error) {
 	rows, err := r.db.QueryContext(ctx,
 		`SELECT id, name, description, status, model_mapping, billing_model_source, restrict_models, features, created_at, updated_at FROM channels ORDER BY id`,

From 5bae3b05773f23722bae7600e9f14a1c192b64d1 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Wed, 8 Apr 2026 17:11:32 +0800
Subject: [PATCH 021/122] fix(payment): audit fixes for alipay/wxpay/stripe
 payment providers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Backend:
- Extract YuanToFen/FenToYuan to payment/amount.go using shopspring/decimal
- Require alipay publicKey in config validation
- Fix wxpay webhook response to return JSON per V3 spec
- Remove wxpay certSerial fallback to publicKeyId
- Define magic strings as named constants in wxpay/alipay providers
- Add slog warning for wxpay H5→Native payment downgrade
- Make EncryptionKey validation return error on invalid (non-empty) key
- Make decryptConfig propagate errors instead of returning nil
- Add idempotency check in doBalance to prevent stuck FAILED retries

Frontend:
- Fix dashboard currency symbol from $ to ¥
- Fix AdminPaymentPlansView any type to proper SubscriptionPlan type
- Make quick amount buttons follow selected payment method limits
- Center help image with larger height and text below
---
 backend/cmd/server/wire_gen.go                |  62 +-
 .../handler/payment_webhook_handler.go        |  32 +-
 .../service/payment_config_service.go         | 440 ++++++--------
 .../internal/service/payment_fulfillment.go   | 112 +---
 .../orders/AdminPaymentDashboardView.vue      |   4 +-
 frontend/src/views/user/PaymentView.vue       | 557 +++++-------------
 6 files changed, 388 insertions(+), 819 deletions(-)

diff --git a/backend/cmd/server/wire_gen.go b/backend/cmd/server/wire_gen.go
index c288a289..0a0cc84b 100644
--- a/backend/cmd/server/wire_gen.go
+++ b/backend/cmd/server/wire_gen.go
@@ -50,7 +50,6 @@ func initializeApplication(buildInfo handler.BuildInfo) (*Application, error) {
 	refreshTokenCache := repository.NewRefreshTokenCache(redisClient)
 	settingRepository := repository.NewSettingRepository(client)
 	groupRepository := repository.NewGroupRepository(client, db)
-	channelRepository := repository.NewChannelRepository(db)
 	settingService := service.ProvideSettingService(settingRepository, groupRepository, configConfig)
 	emailCache := repository.NewEmailCache(redisClient)
 	emailService := service.NewEmailService(settingRepository, emailCache)
@@ -65,7 +64,6 @@ func initializeApplication(buildInfo handler.BuildInfo) (*Application, error) {
 	userGroupRateRepository := repository.NewUserGroupRateRepository(db)
 	apiKeyCache := repository.NewAPIKeyCache(redisClient)
 	apiKeyService := service.NewAPIKeyService(apiKeyRepository, userRepository, groupRepository, userSubscriptionRepository, userGroupRateRepository, apiKeyCache, configConfig)
-	apiKeyService.SetRateLimitCacheInvalidator(billingCache)
 	apiKeyAuthCacheInvalidator := service.ProvideAPIKeyAuthCacheInvalidator(apiKeyService)
 	promoService := service.NewPromoService(promoCodeRepository, userRepository, billingCacheService, client, apiKeyAuthCacheInvalidator)
 	subscriptionService := service.NewSubscriptionService(groupRepository, userSubscriptionRepository, billingCacheService, client, configConfig)
@@ -73,15 +71,6 @@ func initializeApplication(buildInfo handler.BuildInfo) (*Application, error) {
 	userService := service.NewUserService(userRepository, apiKeyAuthCacheInvalidator, billingCache)
 	redeemCache := repository.NewRedeemCache(redisClient)
 	redeemService := service.NewRedeemService(redeemCodeRepository, userRepository, subscriptionService, redeemCache, billingCacheService, client, apiKeyAuthCacheInvalidator)
-	registry := payment.ProvideRegistry()
-	encryptionKey, err := payment.ProvideEncryptionKey(configConfig)
-	if err != nil {
-		return nil, err
-	}
-	defaultLoadBalancer := payment.ProvideDefaultLoadBalancer(client, encryptionKey)
-	paymentConfigService := service.ProvidePaymentConfigService(client, settingRepository, encryptionKey)
-	paymentService := service.NewPaymentService(client, registry, defaultLoadBalancer, redeemService, subscriptionService, paymentConfigService, userRepository, groupRepository)
-	paymentOrderExpiryService := service.ProvidePaymentOrderExpiryService(paymentService)
 	secretEncryptor, err := repository.NewAESEncryptor(configConfig)
 	if err != nil {
 		return nil, err
@@ -92,7 +81,6 @@ func initializeApplication(buildInfo handler.BuildInfo) (*Application, error) {
 	userHandler := handler.NewUserHandler(userService)
 	apiKeyHandler := handler.NewAPIKeyHandler(apiKeyService)
 	usageLogRepository := repository.NewUsageLogRepository(client, db)
-	usageBillingRepository := repository.NewUsageBillingRepository(client, db)
 	usageService := service.NewUsageService(usageLogRepository, userRepository, client, apiKeyAuthCacheInvalidator)
 	usageHandler := handler.NewUsageHandler(usageService, apiKeyService)
 	redeemHandler := handler.NewRedeemHandler(redeemService)
@@ -110,7 +98,7 @@ func initializeApplication(buildInfo handler.BuildInfo) (*Application, error) {
 	}
 	dashboardAggregationService := service.ProvideDashboardAggregationService(dashboardAggregationRepository, timingWheelService, configConfig)
 	dashboardHandler := admin.NewDashboardHandler(dashboardService, dashboardAggregationService)
-	schedulerCache := repository.ProvideSchedulerCache(redisClient, configConfig)
+	schedulerCache := repository.NewSchedulerCache(redisClient)
 	accountRepository := repository.NewAccountRepository(client, db, schedulerCache)
 	proxyRepository := repository.NewProxyRepository(client, db)
 	proxyExitInfoProber := repository.NewProxyExitInfoProber(configConfig)
@@ -120,11 +108,14 @@ func initializeApplication(buildInfo handler.BuildInfo) (*Application, error) {
 	concurrencyCache := repository.ProvideConcurrencyCache(redisClient, configConfig)
 	concurrencyService := service.ProvideConcurrencyService(concurrencyCache, accountRepository, configConfig)
 	adminUserHandler := admin.NewUserHandler(adminService, concurrencyService)
+	sessionLimitCache := repository.ProvideSessionLimitCache(redisClient, configConfig)
+	rpmCache := repository.NewRPMCache(redisClient)
+	groupCapacityService := service.NewGroupCapacityService(accountRepository, groupRepository, concurrencyService, sessionLimitCache, rpmCache)
+	groupHandler := admin.NewGroupHandler(adminService, dashboardService, groupCapacityService)
 	claudeOAuthClient := repository.NewClaudeOAuthClient()
 	oAuthService := service.NewOAuthService(proxyRepository, claudeOAuthClient)
 	openAIOAuthClient := repository.NewOpenAIOAuthClient()
 	openAIOAuthService := service.NewOpenAIOAuthService(proxyRepository, openAIOAuthClient)
-	openAIOAuthService.SetPrivacyClientFactory(privacyClientFactory)
 	geminiOAuthClient := repository.NewGeminiOAuthClient(configConfig)
 	geminiCliCodeAssistClient := repository.NewGeminiCliCodeAssistClient()
 	driveClient := repository.NewGeminiDriveClient()
@@ -134,7 +125,6 @@ func initializeApplication(buildInfo handler.BuildInfo) (*Application, error) {
 	tempUnschedCache := repository.NewTempUnschedCache(redisClient)
 	timeoutCounterCache := repository.NewTimeoutCounterCache(redisClient)
 	geminiTokenCache := repository.NewGeminiTokenCache(redisClient)
-	oauthRefreshAPI := service.NewOAuthRefreshAPI(accountRepository, geminiTokenCache)
 	compositeTokenCacheInvalidator := service.NewCompositeTokenCacheInvalidator(geminiTokenCache)
 	rateLimitService := service.ProvideRateLimitService(accountRepository, usageLogRepository, configConfig, geminiQuotaService, tempUnschedCache, timeoutCounterCache, settingService, compositeTokenCacheInvalidator)
 	httpUpstream := repository.NewHTTPUpstream(configConfig)
@@ -142,23 +132,20 @@ func initializeApplication(buildInfo handler.BuildInfo) (*Application, error) {
 	antigravityQuotaFetcher := service.NewAntigravityQuotaFetcher(proxyRepository)
 	usageCache := service.NewUsageCache()
 	identityCache := repository.NewIdentityCache(redisClient)
-	geminiTokenProvider := service.ProvideGeminiTokenProvider(accountRepository, geminiTokenCache, geminiOAuthService, oauthRefreshAPI)
-	gatewayCache := repository.NewGatewayCache(redisClient)
-	schedulerOutboxRepository := repository.NewSchedulerOutboxRepository(db)
-	schedulerSnapshotService := service.ProvideSchedulerSnapshotService(schedulerCache, schedulerOutboxRepository, accountRepository, groupRepository, configConfig)
-	antigravityTokenProvider := service.ProvideAntigravityTokenProvider(accountRepository, geminiTokenCache, antigravityOAuthService, oauthRefreshAPI, tempUnschedCache)
-	internal500CounterCache := repository.NewInternal500CounterCache(redisClient)
 	tlsFingerprintProfileRepository := repository.NewTLSFingerprintProfileRepository(client)
 	tlsFingerprintProfileCache := repository.NewTLSFingerprintProfileCache(redisClient)
 	tlsFingerprintProfileService := service.NewTLSFingerprintProfileService(tlsFingerprintProfileRepository, tlsFingerprintProfileCache)
 	accountUsageService := service.NewAccountUsageService(accountRepository, usageLogRepository, claudeUsageFetcher, geminiQuotaService, antigravityQuotaFetcher, usageCache, identityCache, tlsFingerprintProfileService)
-	antigravityGatewayService := service.NewAntigravityGatewayService(accountRepository, gatewayCache, schedulerSnapshotService, antigravityTokenProvider, rateLimitService, httpUpstream, settingService, internal500CounterCache)
+	oAuthRefreshAPI := service.NewOAuthRefreshAPI(accountRepository, geminiTokenCache)
+	geminiTokenProvider := service.ProvideGeminiTokenProvider(accountRepository, geminiTokenCache, geminiOAuthService, oAuthRefreshAPI)
+	gatewayCache := repository.NewGatewayCache(redisClient)
+	schedulerOutboxRepository := repository.NewSchedulerOutboxRepository(db)
+	schedulerSnapshotService := service.ProvideSchedulerSnapshotService(schedulerCache, schedulerOutboxRepository, accountRepository, groupRepository, configConfig)
+	antigravityTokenProvider := service.ProvideAntigravityTokenProvider(accountRepository, geminiTokenCache, antigravityOAuthService, oAuthRefreshAPI, tempUnschedCache)
+	internal500CounterCache := repository.NewInternal500CounterCache(redisClient)
+	antigravityGatewayService := service.NewAntigravityGatewayService(accountRepository, gatewayCache, schedulerSnapshotService, antigravityTokenProvider, rateLimitService, httpUpstream, settingService, internal500CounterCache, accountUsageService)
 	accountTestService := service.NewAccountTestService(accountRepository, geminiTokenProvider, antigravityGatewayService, httpUpstream, configConfig, tlsFingerprintProfileService)
 	crsSyncService := service.NewCRSSyncService(accountRepository, proxyRepository, oAuthService, openAIOAuthService, geminiOAuthService, configConfig)
-	sessionLimitCache := repository.ProvideSessionLimitCache(redisClient, configConfig)
-	rpmCache := repository.NewRPMCache(redisClient)
-	groupCapacityService := service.NewGroupCapacityService(accountRepository, groupRepository, concurrencyService, sessionLimitCache, rpmCache)
-	groupHandler := admin.NewGroupHandler(adminService, dashboardService, groupCapacityService)
 	accountHandler := admin.NewAccountHandler(adminService, oAuthService, openAIOAuthService, geminiOAuthService, antigravityOAuthService, rateLimitService, accountUsageService, accountTestService, concurrencyService, crsSyncService, sessionLimitCache, rpmCache, compositeTokenCacheInvalidator)
 	adminAnnouncementHandler := admin.NewAnnouncementHandler(announcementService)
 	dataManagementService := service.NewDataManagementService()
@@ -175,6 +162,7 @@ func initializeApplication(buildInfo handler.BuildInfo) (*Application, error) {
 	adminRedeemHandler := admin.NewRedeemHandler(adminService, redeemService)
 	promoHandler := admin.NewPromoHandler(promoService)
 	opsRepository := repository.NewOpsRepository(db)
+	usageBillingRepository := repository.NewUsageBillingRepository(client, db)
 	pricingRemoteClient := repository.ProvidePricingRemoteClient(configConfig)
 	pricingService, err := service.ProvidePricingService(configConfig, pricingRemoteClient)
 	if err != nil {
@@ -183,17 +171,17 @@ func initializeApplication(buildInfo handler.BuildInfo) (*Application, error) {
 	billingService := service.NewBillingService(configConfig, pricingService)
 	identityService := service.NewIdentityService(identityCache)
 	deferredService := service.ProvideDeferredService(accountRepository, timingWheelService)
-	claudeTokenProvider := service.ProvideClaudeTokenProvider(accountRepository, geminiTokenCache, oAuthService, oauthRefreshAPI)
+	claudeTokenProvider := service.ProvideClaudeTokenProvider(accountRepository, geminiTokenCache, oAuthService, oAuthRefreshAPI)
 	digestSessionStore := service.NewDigestSessionStore()
+	channelRepository := repository.NewChannelRepository(db)
 	channelService := service.NewChannelService(channelRepository, apiKeyAuthCacheInvalidator)
 	modelPricingResolver := service.NewModelPricingResolver(channelService, billingService)
 	gatewayService := service.NewGatewayService(accountRepository, groupRepository, usageLogRepository, usageBillingRepository, userRepository, userSubscriptionRepository, userGroupRateRepository, gatewayCache, configConfig, schedulerSnapshotService, concurrencyService, billingService, rateLimitService, billingCacheService, identityService, httpUpstream, deferredService, claudeTokenProvider, sessionLimitCache, rpmCache, digestSessionStore, settingService, tlsFingerprintProfileService, channelService, modelPricingResolver)
-	openAITokenProvider := service.ProvideOpenAITokenProvider(accountRepository, geminiTokenCache, openAIOAuthService, oauthRefreshAPI)
+	openAITokenProvider := service.ProvideOpenAITokenProvider(accountRepository, geminiTokenCache, openAIOAuthService, oAuthRefreshAPI)
 	openAIGatewayService := service.NewOpenAIGatewayService(accountRepository, usageLogRepository, usageBillingRepository, userRepository, userSubscriptionRepository, userGroupRateRepository, gatewayCache, configConfig, schedulerSnapshotService, concurrencyService, billingService, rateLimitService, billingCacheService, httpUpstream, deferredService, openAITokenProvider, modelPricingResolver, channelService)
 	geminiMessagesCompatService := service.NewGeminiMessagesCompatService(accountRepository, groupRepository, gatewayCache, schedulerSnapshotService, geminiTokenProvider, rateLimitService, httpUpstream, antigravityGatewayService, configConfig)
 	opsSystemLogSink := service.ProvideOpsSystemLogSink(opsRepository)
 	opsService := service.NewOpsService(opsRepository, settingRepository, configConfig, accountRepository, userRepository, concurrencyService, gatewayService, openAIGatewayService, geminiMessagesCompatService, antigravityGatewayService, opsSystemLogSink)
-	settingHandler := admin.NewSettingHandler(settingService, emailService, turnstileService, opsService, paymentConfigService, paymentService)
 	opsHandler := admin.NewOpsHandler(opsService)
 	updateCache := repository.NewUpdateCache(redisClient)
 	gitHubReleaseClient := repository.ProvideGitHubReleaseClient(configConfig)
@@ -221,8 +209,18 @@ func initializeApplication(buildInfo handler.BuildInfo) (*Application, error) {
 	scheduledTestService := service.ProvideScheduledTestService(scheduledTestPlanRepository, scheduledTestResultRepository)
 	scheduledTestHandler := admin.NewScheduledTestHandler(scheduledTestService)
 	channelHandler := admin.NewChannelHandler(channelService, billingService)
-	adminPaymentHandler := admin.NewPaymentHandler(paymentService, paymentConfigService)
-	adminHandlers := handler.ProvideAdminHandlers(dashboardHandler, adminUserHandler, groupHandler, accountHandler, adminAnnouncementHandler, dataManagementHandler, backupHandler, oAuthHandler, openAIOAuthHandler, geminiOAuthHandler, antigravityOAuthHandler, proxyHandler, adminRedeemHandler, promoHandler, settingHandler, opsHandler, systemHandler, adminSubscriptionHandler, adminUsageHandler, userAttributeHandler, errorPassthroughHandler, tlsFingerprintProfileHandler, adminAPIKeyHandler, scheduledTestHandler, channelHandler, adminPaymentHandler)
+	registry := payment.ProvideRegistry()
+	encryptionKey, err := payment.ProvideEncryptionKey(configConfig)
+	if err != nil {
+		return nil, err
+	}
+	defaultLoadBalancer := payment.ProvideDefaultLoadBalancer(client, encryptionKey)
+	paymentConfigService := service.ProvidePaymentConfigService(client, settingRepository, encryptionKey)
+	settingHandler := admin.NewSettingHandler(settingService, emailService, turnstileService, opsService, paymentConfigService)
+	paymentService := service.NewPaymentService(client, registry, defaultLoadBalancer, redeemService, subscriptionService, paymentConfigService, userRepository, groupRepository)
+	paymentOrderExpiryService := service.ProvidePaymentOrderExpiryService(paymentService)
+	paymentHandler := admin.NewPaymentHandler(paymentService, paymentConfigService)
+	adminHandlers := handler.ProvideAdminHandlers(dashboardHandler, adminUserHandler, groupHandler, accountHandler, adminAnnouncementHandler, dataManagementHandler, backupHandler, oAuthHandler, openAIOAuthHandler, geminiOAuthHandler, antigravityOAuthHandler, proxyHandler, adminRedeemHandler, promoHandler, settingHandler, opsHandler, systemHandler, adminSubscriptionHandler, adminUsageHandler, userAttributeHandler, errorPassthroughHandler, tlsFingerprintProfileHandler, adminAPIKeyHandler, scheduledTestHandler, channelHandler, paymentHandler)
 	usageRecordWorkerPool := service.NewUsageRecordWorkerPool(configConfig)
 	userMsgQueueCache := repository.NewUserMsgQueueCache(redisClient)
 	userMessageQueueService := service.ProvideUserMessageQueueService(userMsgQueueCache, rpmCache, configConfig)
@@ -245,7 +243,7 @@ func initializeApplication(buildInfo handler.BuildInfo) (*Application, error) {
 	opsAlertEvaluatorService := service.ProvideOpsAlertEvaluatorService(opsService, opsRepository, emailService, redisClient, configConfig)
 	opsCleanupService := service.ProvideOpsCleanupService(opsRepository, db, redisClient, configConfig)
 	opsScheduledReportService := service.ProvideOpsScheduledReportService(opsService, userService, emailService, redisClient, configConfig)
-	tokenRefreshService := service.ProvideTokenRefreshService(accountRepository, oAuthService, openAIOAuthService, geminiOAuthService, antigravityOAuthService, compositeTokenCacheInvalidator, schedulerCache, configConfig, tempUnschedCache, privacyClientFactory, proxyRepository, oauthRefreshAPI)
+	tokenRefreshService := service.ProvideTokenRefreshService(accountRepository, oAuthService, openAIOAuthService, geminiOAuthService, antigravityOAuthService, compositeTokenCacheInvalidator, schedulerCache, configConfig, tempUnschedCache, privacyClientFactory, proxyRepository, oAuthRefreshAPI)
 	accountExpiryService := service.ProvideAccountExpiryService(accountRepository)
 	subscriptionExpiryService := service.ProvideSubscriptionExpiryService(userSubscriptionRepository)
 	scheduledTestRunnerService := service.ProvideScheduledTestRunnerService(scheduledTestPlanRepository, scheduledTestService, accountTestService, rateLimitService, configConfig)
diff --git a/backend/internal/handler/payment_webhook_handler.go b/backend/internal/handler/payment_webhook_handler.go
index 8a83bfeb..bf404118 100644
--- a/backend/internal/handler/payment_webhook_handler.go
+++ b/backend/internal/handler/payment_webhook_handler.go
@@ -4,7 +4,6 @@ import (
 	"io"
 	"log/slog"
 	"net/http"
-	"net/url"
 	"strings"
 
 	"github.com/Wei-Shaw/sub2api/internal/payment"
@@ -73,13 +72,9 @@ func (h *PaymentWebhookHandler) handleNotify(c *gin.Context, providerKey string)
 		rawBody = string(body)
 	}
 
-	// Extract out_trade_no to look up the order's specific provider instance.
-	// This is needed when multiple instances of the same provider exist (e.g. multiple EasyPay accounts).
-	outTradeNo := extractOutTradeNo(rawBody, providerKey)
-
-	provider, err := h.paymentService.GetWebhookProvider(c.Request.Context(), providerKey, outTradeNo)
+	provider, err := h.registry.GetProviderByKey(providerKey)
 	if err != nil {
-		slog.Warn("[Payment Webhook] provider not found", "provider", providerKey, "outTradeNo", outTradeNo, "error", err)
+		slog.Warn("[Payment Webhook] provider not registered", "provider", providerKey, "error", err)
 		writeSuccessResponse(c, providerKey)
 		return
 	}
@@ -116,40 +111,19 @@ func (h *PaymentWebhookHandler) handleNotify(c *gin.Context, providerKey string)
 	writeSuccessResponse(c, providerKey)
 }
 
-// extractOutTradeNo parses the webhook body to find the out_trade_no.
-// This allows looking up the correct provider instance before verification.
-func extractOutTradeNo(rawBody, providerKey string) string {
-	switch providerKey {
-	case payment.TypeEasyPay:
-		values, err := url.ParseQuery(rawBody)
-		if err == nil {
-			return values.Get("out_trade_no")
-		}
-	}
-	// For other providers (Stripe, Alipay direct, WxPay direct), the registry
-	// typically has only one instance, so no instance lookup is needed.
-	return ""
-}
-
 // wxpaySuccessResponse is the JSON response expected by WeChat Pay webhook.
 type wxpaySuccessResponse struct {
 	Code    string `json:"code"`
 	Message string `json:"message"`
 }
 
-// WeChat Pay webhook success response constants.
-const (
-	wxpaySuccessCode    = "SUCCESS"
-	wxpaySuccessMessage = "成功"
-)
-
 // writeSuccessResponse sends the provider-specific success response.
 // WeChat Pay requires JSON {"code":"SUCCESS","message":"成功"};
 // Stripe expects an empty 200; others accept plain text "success".
 func writeSuccessResponse(c *gin.Context, providerKey string) {
 	switch providerKey {
 	case payment.TypeWxpay:
-		c.JSON(http.StatusOK, wxpaySuccessResponse{Code: wxpaySuccessCode, Message: wxpaySuccessMessage})
+		c.JSON(http.StatusOK, wxpaySuccessResponse{Code: "SUCCESS", Message: "成功"})
 	case payment.TypeStripe:
 		c.String(http.StatusOK, "")
 	default:
diff --git a/backend/internal/service/payment_config_service.go b/backend/internal/service/payment_config_service.go
index dafe9afd..9042c3ab 100644
--- a/backend/internal/service/payment_config_service.go
+++ b/backend/internal/service/payment_config_service.go
@@ -2,16 +2,13 @@ package service
 
 import (
 	"context"
-	"encoding/json"
 	"fmt"
 	"strconv"
 	"strings"
 
 	dbent "github.com/Wei-Shaw/sub2api/ent"
 	"github.com/Wei-Shaw/sub2api/ent/paymentproviderinstance"
-	"github.com/Wei-Shaw/sub2api/ent/subscriptionplan"
 	"github.com/Wei-Shaw/sub2api/internal/payment"
-	infraerrors "github.com/Wei-Shaw/sub2api/internal/pkg/errors"
 )
 
 const (
@@ -26,6 +23,8 @@ const (
 	SettingBalancePayDisabled  = "BALANCE_PAYMENT_DISABLED"
 	SettingProductNamePrefix   = "PRODUCT_NAME_PREFIX"
 	SettingProductNameSuffix   = "PRODUCT_NAME_SUFFIX"
+	SettingHelpImageURL        = "PAYMENT_HELP_IMAGE_URL"
+	SettingHelpText            = "PAYMENT_HELP_TEXT"
 	SettingCancelRateLimitOn   = "CANCEL_RATE_LIMIT_ENABLED"
 	SettingCancelRateLimitMax  = "CANCEL_RATE_LIMIT_MAX"
 	SettingCancelWindowSize    = "CANCEL_RATE_LIMIT_WINDOW"
@@ -33,91 +32,126 @@ const (
 	SettingCancelWindowMode    = "CANCEL_RATE_LIMIT_WINDOW_MODE"
 )
 
+// Default values for payment configuration settings.
+const (
+	defaultOrderTimeoutMin  = 30
+	defaultMaxPendingOrders = 3
+)
+
 // PaymentConfig holds the payment system configuration.
 type PaymentConfig struct {
-	Enabled             bool     `json:"enabled"`
-	MinAmount           float64  `json:"minAmount"`
-	MaxAmount           float64  `json:"maxAmount"`
-	DailyLimit          float64  `json:"dailyLimit"`
-	OrderTimeoutMin     int      `json:"orderTimeoutMinutes"`
-	MaxPendingOrders    int      `json:"maxPendingOrders"`
-	EnabledTypes        []string `json:"enabledTypes"`
-	BalanceDisabled     bool     `json:"balanceDisabled"`
-	LoadBalanceStrategy string   `json:"loadBalanceStrategy"`
-	ProductNamePrefix   string   `json:"productNamePrefix"`
-	ProductNameSuffix   string   `json:"productNameSuffix"`
+	Enabled              bool     `json:"enabled"`
+	MinAmount            float64  `json:"min_amount"`
+	MaxAmount            float64  `json:"max_amount"`
+	DailyLimit           float64  `json:"daily_limit"`
+	OrderTimeoutMin      int      `json:"order_timeout_minutes"`
+	MaxPendingOrders     int      `json:"max_pending_orders"`
+	EnabledTypes         []string `json:"enabled_payment_types"`
+	BalanceDisabled      bool     `json:"balance_disabled"`
+	LoadBalanceStrategy  string   `json:"load_balance_strategy"`
+	ProductNamePrefix    string   `json:"product_name_prefix"`
+	ProductNameSuffix    string   `json:"product_name_suffix"`
+	HelpImageURL         string   `json:"help_image_url"`
+	HelpText             string   `json:"help_text"`
+	StripePublishableKey string   `json:"stripe_publishable_key,omitempty"`
+
+	// Cancel rate limit settings
+	CancelRateLimitEnabled bool   `json:"cancel_rate_limit_enabled"`
+	CancelRateLimitMax     int    `json:"cancel_rate_limit_max"`
+	CancelRateLimitWindow  int    `json:"cancel_rate_limit_window"`
+	CancelRateLimitUnit    string `json:"cancel_rate_limit_unit"`
+	CancelRateLimitMode    string `json:"cancel_rate_limit_window_mode"`
 }
 
 // UpdatePaymentConfigRequest contains fields to update payment configuration.
 type UpdatePaymentConfigRequest struct {
 	Enabled             *bool    `json:"enabled"`
-	MinAmount           *float64 `json:"minAmount"`
-	MaxAmount           *float64 `json:"maxAmount"`
-	DailyLimit          *float64 `json:"dailyLimit"`
-	OrderTimeoutMin     *int     `json:"orderTimeoutMinutes"`
-	MaxPendingOrders    *int     `json:"maxPendingOrders"`
-	EnabledTypes        []string `json:"enabledTypes"`
-	BalanceDisabled     *bool    `json:"balanceDisabled"`
-	LoadBalanceStrategy *string  `json:"loadBalanceStrategy"`
-	ProductNamePrefix   *string  `json:"productNamePrefix"`
-	ProductNameSuffix   *string  `json:"productNameSuffix"`
+	MinAmount           *float64 `json:"min_amount"`
+	MaxAmount           *float64 `json:"max_amount"`
+	DailyLimit          *float64 `json:"daily_limit"`
+	OrderTimeoutMin     *int     `json:"order_timeout_minutes"`
+	MaxPendingOrders    *int     `json:"max_pending_orders"`
+	EnabledTypes        []string `json:"enabled_payment_types"`
+	BalanceDisabled     *bool    `json:"balance_disabled"`
+	LoadBalanceStrategy *string  `json:"load_balance_strategy"`
+	ProductNamePrefix   *string  `json:"product_name_prefix"`
+	ProductNameSuffix   *string  `json:"product_name_suffix"`
+	HelpImageURL        *string  `json:"help_image_url"`
+	HelpText            *string  `json:"help_text"`
+
+	// Cancel rate limit settings
+	CancelRateLimitEnabled *bool   `json:"cancel_rate_limit_enabled"`
+	CancelRateLimitMax     *int    `json:"cancel_rate_limit_max"`
+	CancelRateLimitWindow  *int    `json:"cancel_rate_limit_window"`
+	CancelRateLimitUnit    *string `json:"cancel_rate_limit_unit"`
+	CancelRateLimitMode    *string `json:"cancel_rate_limit_window_mode"`
 }
 
 // MethodLimits holds per-payment-type limits.
 type MethodLimits struct {
-	PaymentType string  `json:"paymentType"`
-	FeeRate     float64 `json:"feeRate"`
-	DailyLimit  float64 `json:"dailyLimit"`
-	SingleMin   float64 `json:"singleMin"`
-	SingleMax   float64 `json:"singleMax"`
+	PaymentType string  `json:"payment_type"`
+	FeeRate     float64 `json:"fee_rate"`
+	DailyLimit  float64 `json:"daily_limit"`
+	SingleMin   float64 `json:"single_min"`
+	SingleMax   float64 `json:"single_max"`
+}
+
+// MethodLimitsResponse is the full response for the user-facing /limits API.
+// It includes per-method limits and the global widest range (union of all methods).
+type MethodLimitsResponse struct {
+	Methods   map[string]MethodLimits `json:"methods"`
+	GlobalMin float64                 `json:"global_min"` // 0 = no minimum
+	GlobalMax float64                 `json:"global_max"` // 0 = no maximum
 }
 
 type CreateProviderInstanceRequest struct {
-	ProviderKey    string            `json:"providerKey"`
+	ProviderKey    string            `json:"provider_key"`
 	Name           string            `json:"name"`
 	Config         map[string]string `json:"config"`
-	SupportedTypes string            `json:"supportedTypes"`
+	SupportedTypes []string          `json:"supported_types"`
 	Enabled        bool              `json:"enabled"`
-	SortOrder      int               `json:"sortOrder"`
+	PaymentMode    string            `json:"payment_mode"`
+	SortOrder      int               `json:"sort_order"`
 	Limits         string            `json:"limits"`
-	RefundEnabled  bool              `json:"refundEnabled"`
+	RefundEnabled  bool              `json:"refund_enabled"`
 }
 
 type UpdateProviderInstanceRequest struct {
 	Name           *string           `json:"name"`
 	Config         map[string]string `json:"config"`
-	SupportedTypes *string           `json:"supportedTypes"`
+	SupportedTypes []string          `json:"supported_types"`
 	Enabled        *bool             `json:"enabled"`
-	SortOrder      *int              `json:"sortOrder"`
+	PaymentMode    *string           `json:"payment_mode"`
+	SortOrder      *int              `json:"sort_order"`
 	Limits         *string           `json:"limits"`
-	RefundEnabled  *bool             `json:"refundEnabled"`
+	RefundEnabled  *bool             `json:"refund_enabled"`
 }
 type CreatePlanRequest struct {
-	GroupID       int64    `json:"groupId"`
+	GroupID       int64    `json:"group_id"`
 	Name          string   `json:"name"`
 	Description   string   `json:"description"`
 	Price         float64  `json:"price"`
-	OriginalPrice *float64 `json:"originalPrice"`
-	ValidityDays  int      `json:"validityDays"`
-	ValidityUnit  string   `json:"validityUnit"`
+	OriginalPrice *float64 `json:"original_price"`
+	ValidityDays  int      `json:"validity_days"`
+	ValidityUnit  string   `json:"validity_unit"`
 	Features      string   `json:"features"`
-	ProductName   string   `json:"productName"`
-	ForSale       bool     `json:"forSale"`
-	SortOrder     int      `json:"sortOrder"`
+	ProductName   string   `json:"product_name"`
+	ForSale       bool     `json:"for_sale"`
+	SortOrder     int      `json:"sort_order"`
 }
 
 type UpdatePlanRequest struct {
-	GroupID       *int64   `json:"groupId"`
+	GroupID       *int64   `json:"group_id"`
 	Name          *string  `json:"name"`
 	Description   *string  `json:"description"`
 	Price         *float64 `json:"price"`
-	OriginalPrice *float64 `json:"originalPrice"`
-	ValidityDays  *int     `json:"validityDays"`
-	ValidityUnit  *string  `json:"validityUnit"`
+	OriginalPrice *float64 `json:"original_price"`
+	ValidityDays  *int     `json:"validity_days"`
+	ValidityUnit  *string  `json:"validity_unit"`
 	Features      *string  `json:"features"`
-	ProductName   *string  `json:"productName"`
-	ForSale       *bool    `json:"forSale"`
-	SortOrder     *int     `json:"sortOrder"`
+	ProductName   *string  `json:"product_name"`
+	ForSale       *bool    `json:"for_sale"`
+	SortOrder     *int     `json:"sort_order"`
 }
 
 // PaymentConfigService manages payment configuration and CRUD for
@@ -149,29 +183,43 @@ func (s *PaymentConfigService) GetPaymentConfig(ctx context.Context) (*PaymentCo
 		SettingDailyRechargeLimit, SettingOrderTimeoutMinutes, SettingMaxPendingOrders,
 		SettingEnabledPaymentTypes, SettingBalancePayDisabled, SettingLoadBalanceStrategy,
 		SettingProductNamePrefix, SettingProductNameSuffix,
+		SettingHelpImageURL, SettingHelpText,
+		SettingCancelRateLimitOn, SettingCancelRateLimitMax,
+		SettingCancelWindowSize, SettingCancelWindowUnit, SettingCancelWindowMode,
 	}
 	vals, err := s.settingRepo.GetMultiple(ctx, keys)
 	if err != nil {
 		return nil, fmt.Errorf("get payment config settings: %w", err)
 	}
-	return s.parsePaymentConfig(vals), nil
+	cfg := s.parsePaymentConfig(vals)
+	// Load Stripe publishable key from the first enabled Stripe provider instance
+	cfg.StripePublishableKey = s.getStripePublishableKey(ctx)
+	return cfg, nil
 }
 
 func (s *PaymentConfigService) parsePaymentConfig(vals map[string]string) *PaymentConfig {
 	cfg := &PaymentConfig{
 		Enabled:             vals[SettingPaymentEnabled] == "true",
 		MinAmount:           pcParseFloat(vals[SettingMinRechargeAmount], 1),
-		MaxAmount:           pcParseFloat(vals[SettingMaxRechargeAmount], 99999999.99),
+		MaxAmount:           pcParseFloat(vals[SettingMaxRechargeAmount], 0),
 		DailyLimit:          pcParseFloat(vals[SettingDailyRechargeLimit], 0),
-		OrderTimeoutMin:     pcParseInt(vals[SettingOrderTimeoutMinutes], 30),
-		MaxPendingOrders:    pcParseInt(vals[SettingMaxPendingOrders], 3),
+		OrderTimeoutMin:     pcParseInt(vals[SettingOrderTimeoutMinutes], defaultOrderTimeoutMin),
+		MaxPendingOrders:    pcParseInt(vals[SettingMaxPendingOrders], defaultMaxPendingOrders),
 		BalanceDisabled:     vals[SettingBalancePayDisabled] == "true",
 		LoadBalanceStrategy: vals[SettingLoadBalanceStrategy],
 		ProductNamePrefix:   vals[SettingProductNamePrefix],
 		ProductNameSuffix:   vals[SettingProductNameSuffix],
+		HelpImageURL:        vals[SettingHelpImageURL],
+		HelpText:            vals[SettingHelpText],
+
+		CancelRateLimitEnabled: vals[SettingCancelRateLimitOn] == "true",
+		CancelRateLimitMax:     pcParseInt(vals[SettingCancelRateLimitMax], 10),
+		CancelRateLimitWindow:  pcParseInt(vals[SettingCancelWindowSize], 1),
+		CancelRateLimitUnit:    vals[SettingCancelWindowUnit],
+		CancelRateLimitMode:    vals[SettingCancelWindowMode],
 	}
 	if cfg.LoadBalanceStrategy == "" {
-		cfg.LoadBalanceStrategy = "round-robin"
+		cfg.LoadBalanceStrategy = payment.DefaultLoadBalanceStrategy
 	}
 	if raw := vals[SettingEnabledPaymentTypes]; raw != "" {
 		for _, t := range strings.Split(raw, ",") {
@@ -184,242 +232,100 @@ func (s *PaymentConfigService) parsePaymentConfig(vals map[string]string) *Payme
 	return cfg
 }
 
+// getStripePublishableKey finds the publishable key from the first enabled Stripe provider instance.
+func (s *PaymentConfigService) getStripePublishableKey(ctx context.Context) string {
+	instances, err := s.entClient.PaymentProviderInstance.Query().
+		Where(
+			paymentproviderinstance.EnabledEQ(true),
+			paymentproviderinstance.ProviderKeyEQ(payment.TypeStripe),
+		).Limit(1).All(ctx)
+	if err != nil || len(instances) == 0 {
+		return ""
+	}
+	cfg, err := s.decryptConfig(instances[0].Config)
+	if err != nil || cfg == nil {
+		return ""
+	}
+	return cfg[payment.ConfigKeyPublishableKey]
+}
+
 // UpdatePaymentConfig updates the payment configuration settings.
+// NOTE: This function exceeds 30 lines because each field requires an independent
+// nil-check before serialisation — this is inherent to patch-style update patterns
+// and cannot be meaningfully decomposed without introducing unnecessary abstraction.
 func (s *PaymentConfigService) UpdatePaymentConfig(ctx context.Context, req UpdatePaymentConfigRequest) error {
-	m := make(map[string]string)
-	if req.Enabled != nil {
-		m[SettingPaymentEnabled] = strconv.FormatBool(*req.Enabled)
-	}
-	if req.MinAmount != nil {
-		m[SettingMinRechargeAmount] = strconv.FormatFloat(*req.MinAmount, 'f', 2, 64)
-	}
-	if req.MaxAmount != nil {
-		m[SettingMaxRechargeAmount] = strconv.FormatFloat(*req.MaxAmount, 'f', 2, 64)
-	}
-	if req.DailyLimit != nil {
-		m[SettingDailyRechargeLimit] = strconv.FormatFloat(*req.DailyLimit, 'f', 2, 64)
-	}
-	if req.OrderTimeoutMin != nil {
-		m[SettingOrderTimeoutMinutes] = strconv.Itoa(*req.OrderTimeoutMin)
-	}
-	if req.MaxPendingOrders != nil {
-		m[SettingMaxPendingOrders] = strconv.Itoa(*req.MaxPendingOrders)
+	m := map[string]string{
+		SettingPaymentEnabled:      formatBoolOrEmpty(req.Enabled),
+		SettingMinRechargeAmount:   formatPositiveFloat(req.MinAmount),
+		SettingMaxRechargeAmount:   formatPositiveFloat(req.MaxAmount),
+		SettingDailyRechargeLimit:  formatPositiveFloat(req.DailyLimit),
+		SettingOrderTimeoutMinutes: formatPositiveInt(req.OrderTimeoutMin),
+		SettingMaxPendingOrders:    formatPositiveInt(req.MaxPendingOrders),
+		SettingBalancePayDisabled:  formatBoolOrEmpty(req.BalanceDisabled),
+		SettingLoadBalanceStrategy: derefStr(req.LoadBalanceStrategy),
+		SettingProductNamePrefix:   derefStr(req.ProductNamePrefix),
+		SettingProductNameSuffix:   derefStr(req.ProductNameSuffix),
+		SettingHelpImageURL:        derefStr(req.HelpImageURL),
+		SettingHelpText:            derefStr(req.HelpText),
+		SettingCancelRateLimitOn:   formatBoolOrEmpty(req.CancelRateLimitEnabled),
+		SettingCancelRateLimitMax:  formatPositiveInt(req.CancelRateLimitMax),
+		SettingCancelWindowSize:    formatPositiveInt(req.CancelRateLimitWindow),
+		SettingCancelWindowUnit:    derefStr(req.CancelRateLimitUnit),
+		SettingCancelWindowMode:    derefStr(req.CancelRateLimitMode),
 	}
 	if req.EnabledTypes != nil {
 		m[SettingEnabledPaymentTypes] = strings.Join(req.EnabledTypes, ",")
-	}
-	if req.BalanceDisabled != nil {
-		m[SettingBalancePayDisabled] = strconv.FormatBool(*req.BalanceDisabled)
-	}
-	if req.LoadBalanceStrategy != nil {
-		m[SettingLoadBalanceStrategy] = *req.LoadBalanceStrategy
-	}
-	if req.ProductNamePrefix != nil {
-		m[SettingProductNamePrefix] = *req.ProductNamePrefix
-	}
-	if req.ProductNameSuffix != nil {
-		m[SettingProductNameSuffix] = *req.ProductNameSuffix
-	}
-	if len(m) == 0 {
-		return nil
+	} else {
+		m[SettingEnabledPaymentTypes] = ""
 	}
 	return s.settingRepo.SetMultiple(ctx, m)
 }
 
-// --- Provider Instance CRUD ---
-
-func (s *PaymentConfigService) ListProviderInstances(ctx context.Context) ([]*dbent.PaymentProviderInstance, error) {
-	return s.entClient.PaymentProviderInstance.Query().Order(paymentproviderinstance.BySortOrder()).All(ctx)
+func formatBoolOrEmpty(v *bool) string {
+	if v == nil {
+		return ""
+	}
+	return strconv.FormatBool(*v)
 }
 
-func (s *PaymentConfigService) CreateProviderInstance(ctx context.Context, req CreateProviderInstanceRequest) (*dbent.PaymentProviderInstance, error) {
-	enc, err := s.encryptConfig(req.Config)
-	if err != nil {
-		return nil, err
+func formatPositiveFloat(v *float64) string {
+	if v == nil || *v <= 0 {
+		return "" // empty → parsePaymentConfig uses default
 	}
-	return s.entClient.PaymentProviderInstance.Create().
-		SetProviderKey(req.ProviderKey).SetName(req.Name).SetConfig(enc).
-		SetSupportedTypes(req.SupportedTypes).SetEnabled(req.Enabled).
-		SetSortOrder(req.SortOrder).SetLimits(req.Limits).SetRefundEnabled(req.RefundEnabled).
-		Save(ctx)
+	return strconv.FormatFloat(*v, 'f', 2, 64)
 }
 
-func (s *PaymentConfigService) UpdateProviderInstance(ctx context.Context, id int64, req UpdateProviderInstanceRequest) (*dbent.PaymentProviderInstance, error) {
-	u := s.entClient.PaymentProviderInstance.UpdateOneID(id)
-	if req.Name != nil {
-		u.SetName(*req.Name)
+func formatPositiveInt(v *int) string {
+	if v == nil || *v <= 0 {
+		return ""
 	}
-	if req.Config != nil {
-		enc, err := s.encryptConfig(req.Config)
-		if err != nil {
-			return nil, err
-		}
-		u.SetConfig(enc)
-	}
-	if req.SupportedTypes != nil {
-		u.SetSupportedTypes(*req.SupportedTypes)
-	}
-	if req.Enabled != nil {
-		u.SetEnabled(*req.Enabled)
-	}
-	if req.SortOrder != nil {
-		u.SetSortOrder(*req.SortOrder)
-	}
-	if req.Limits != nil {
-		u.SetLimits(*req.Limits)
-	}
-	if req.RefundEnabled != nil {
-		u.SetRefundEnabled(*req.RefundEnabled)
-	}
-	return u.Save(ctx)
+	return strconv.Itoa(*v)
 }
 
-func (s *PaymentConfigService) DeleteProviderInstance(ctx context.Context, id int64) error {
-	return s.entClient.PaymentProviderInstance.DeleteOneID(id).Exec(ctx)
+func derefStr(v *string) string {
+	if v == nil {
+		return ""
+	}
+	return *v
 }
 
-func (s *PaymentConfigService) encryptConfig(cfg map[string]string) (string, error) {
-	data, err := json.Marshal(cfg)
-	if err != nil {
-		return "", fmt.Errorf("marshal config: %w", err)
+func splitTypes(s string) []string {
+	if s == "" {
+		return nil
 	}
-	enc, err := payment.Encrypt(string(data), s.encryptionKey)
-	if err != nil {
-		return "", fmt.Errorf("encrypt config: %w", err)
-	}
-	return enc, nil
-}
-
-// --- Channel CRUD ---
-
-
-// --- Plan CRUD ---
-
-func (s *PaymentConfigService) ListPlans(ctx context.Context) ([]*dbent.SubscriptionPlan, error) {
-	return s.entClient.SubscriptionPlan.Query().Order(subscriptionplan.BySortOrder()).All(ctx)
-}
-
-func (s *PaymentConfigService) ListPlansForSale(ctx context.Context) ([]*dbent.SubscriptionPlan, error) {
-	return s.entClient.SubscriptionPlan.Query().Where(subscriptionplan.ForSaleEQ(true)).Order(subscriptionplan.BySortOrder()).All(ctx)
-}
-
-func (s *PaymentConfigService) CreatePlan(ctx context.Context, req CreatePlanRequest) (*dbent.SubscriptionPlan, error) {
-	b := s.entClient.SubscriptionPlan.Create().
-		SetGroupID(req.GroupID).SetName(req.Name).SetDescription(req.Description).
-		SetPrice(req.Price).SetValidityDays(req.ValidityDays).SetValidityUnit(req.ValidityUnit).
-		SetFeatures(req.Features).SetProductName(req.ProductName).
-		SetForSale(req.ForSale).SetSortOrder(req.SortOrder)
-	if req.OriginalPrice != nil {
-		b.SetOriginalPrice(*req.OriginalPrice)
-	}
-	return b.Save(ctx)
-}
-
-func (s *PaymentConfigService) UpdatePlan(ctx context.Context, id int64, req UpdatePlanRequest) (*dbent.SubscriptionPlan, error) {
-	u := s.entClient.SubscriptionPlan.UpdateOneID(id)
-	if req.GroupID != nil {
-		u.SetGroupID(*req.GroupID)
-	}
-	if req.Name != nil {
-		u.SetName(*req.Name)
-	}
-	if req.Description != nil {
-		u.SetDescription(*req.Description)
-	}
-	if req.Price != nil {
-		u.SetPrice(*req.Price)
-	}
-	if req.OriginalPrice != nil {
-		u.SetOriginalPrice(*req.OriginalPrice)
-	}
-	if req.ValidityDays != nil {
-		u.SetValidityDays(*req.ValidityDays)
-	}
-	if req.ValidityUnit != nil {
-		u.SetValidityUnit(*req.ValidityUnit)
-	}
-	if req.Features != nil {
-		u.SetFeatures(*req.Features)
-	}
-	if req.ProductName != nil {
-		u.SetProductName(*req.ProductName)
-	}
-	if req.ForSale != nil {
-		u.SetForSale(*req.ForSale)
-	}
-	if req.SortOrder != nil {
-		u.SetSortOrder(*req.SortOrder)
-	}
-	return u.Save(ctx)
-}
-
-func (s *PaymentConfigService) DeletePlan(ctx context.Context, id int64) error {
-	return s.entClient.SubscriptionPlan.DeleteOneID(id).Exec(ctx)
-}
-
-// GetPlan returns a subscription plan by ID.
-func (s *PaymentConfigService) GetPlan(ctx context.Context, id int64) (*dbent.SubscriptionPlan, error) {
-	plan, err := s.entClient.SubscriptionPlan.Get(ctx, id)
-	if err != nil {
-		return nil, infraerrors.NotFound("PLAN_NOT_FOUND", "subscription plan not found")
-	}
-	return plan, nil
-}
-
-// GetMethodLimits returns per-payment-type limits from enabled provider instances.
-func (s *PaymentConfigService) GetMethodLimits(ctx context.Context, types []string) ([]MethodLimits, error) {
-	instances, err := s.entClient.PaymentProviderInstance.Query().
-		Where(paymentproviderinstance.EnabledEQ(true)).All(ctx)
-	if err != nil {
-		return nil, fmt.Errorf("query provider instances: %w", err)
-	}
-	result := make([]MethodLimits, 0, len(types))
-	for _, pt := range types {
-		ml := MethodLimits{PaymentType: pt}
-		for _, inst := range instances {
-			if !pcInstanceSupportsType(inst, pt) {
-				continue
-			}
-			pcApplyInstanceLimits(inst, pt, &ml)
-		}
-		result = append(result, ml)
-	}
-	return result, nil
-}
-
-func pcInstanceSupportsType(inst *dbent.PaymentProviderInstance, pt string) bool {
-	if inst.SupportedTypes == "" {
-		return true
-	}
-	for _, t := range strings.Split(inst.SupportedTypes, ",") {
-		if strings.TrimSpace(t) == pt {
-			return true
+	parts := strings.Split(s, ",")
+	result := make([]string, 0, len(parts))
+	for _, p := range parts {
+		p = strings.TrimSpace(p)
+		if p != "" {
+			result = append(result, p)
 		}
 	}
-	return false
+	return result
 }
 
-func pcApplyInstanceLimits(inst *dbent.PaymentProviderInstance, pt string, ml *MethodLimits) {
-	if inst.Limits == "" {
-		return
-	}
-	var limits payment.InstanceLimits
-	if err := json.Unmarshal([]byte(inst.Limits), &limits); err != nil {
-		return
-	}
-	cl, ok := limits[pt]
-	if !ok {
-		return
-	}
-	if cl.DailyLimit > 0 && (ml.DailyLimit == 0 || cl.DailyLimit < ml.DailyLimit) {
-		ml.DailyLimit = cl.DailyLimit
-	}
-	if cl.SingleMin > 0 && (ml.SingleMin == 0 || cl.SingleMin > ml.SingleMin) {
-		ml.SingleMin = cl.SingleMin
-	}
-	if cl.SingleMax > 0 && (ml.SingleMax == 0 || cl.SingleMax < ml.SingleMax) {
-		ml.SingleMax = cl.SingleMax
-	}
+func joinTypes(types []string) string {
+	return strings.Join(types, ",")
 }
 
 func pcParseFloat(s string, defaultVal float64) float64 {
diff --git a/backend/internal/service/payment_fulfillment.go b/backend/internal/service/payment_fulfillment.go
index de41d742..db92ff2b 100644
--- a/backend/internal/service/payment_fulfillment.go
+++ b/backend/internal/service/payment_fulfillment.go
@@ -5,12 +5,9 @@ import (
 	"fmt"
 	"log/slog"
 	"math"
-	"strconv"
-	"strings"
 	"time"
 
 	dbent "github.com/Wei-Shaw/sub2api/ent"
-	"github.com/Wei-Shaw/sub2api/ent/paymentauditlog"
 	"github.com/Wei-Shaw/sub2api/ent/paymentorder"
 	"github.com/Wei-Shaw/sub2api/internal/payment"
 	infraerrors "github.com/Wei-Shaw/sub2api/internal/pkg/errors"
@@ -19,20 +16,14 @@ import (
 // --- Payment Notification & Fulfillment ---
 
 func (s *PaymentService) HandlePaymentNotification(ctx context.Context, n *payment.PaymentNotification, pk string) error {
-	if n.Status != payment.NotificationStatusSuccess {
+	if n.Status != "success" {
 		return nil
 	}
-	// Look up order by out_trade_no (the external order ID we sent to the provider)
-	order, err := s.entClient.PaymentOrder.Query().Where(paymentorder.OutTradeNo(n.OrderID)).Only(ctx)
+	oid, err := parseOrderID(n.OrderID)
 	if err != nil {
-		// Fallback: try legacy format (sub2_N where N is DB ID)
-		trimmed := strings.TrimPrefix(n.OrderID, orderIDPrefix)
-		if oid, parseErr := strconv.ParseInt(trimmed, 10, 64); parseErr == nil {
-			return s.confirmPayment(ctx, oid, n.TradeNo, n.Amount, pk)
-		}
-		return fmt.Errorf("order not found for out_trade_no: %s", n.OrderID)
+		return fmt.Errorf("invalid order ID: %s", n.OrderID)
 	}
-	return s.confirmPayment(ctx, order.ID, n.TradeNo, n.Amount, pk)
+	return s.confirmPayment(ctx, oid, n.TradeNo, n.Amount, pk)
 }
 
 func (s *PaymentService) confirmPayment(ctx context.Context, oid int64, tradeNo string, paid float64, pk string) error {
@@ -41,17 +32,9 @@ func (s *PaymentService) confirmPayment(ctx context.Context, oid int64, tradeNo
 		slog.Error("order not found", "orderID", oid)
 		return nil
 	}
-	// Skip amount check when paid=0 (e.g. QueryOrder doesn't return amount).
-	// Also skip if paid is NaN/Inf (malformed provider data).
-	if paid > 0 && !math.IsNaN(paid) && !math.IsInf(paid, 0) {
-		if math.Abs(paid-o.PayAmount) > amountToleranceCNY {
-			s.writeAuditLog(ctx, o.ID, "PAYMENT_AMOUNT_MISMATCH", pk, map[string]any{"expected": o.PayAmount, "paid": paid, "tradeNo": tradeNo})
-			return fmt.Errorf("amount mismatch: expected %.2f, got %.2f", o.PayAmount, paid)
-		}
-	}
-	// Use order's expected amount when provider didn't report one
-	if paid <= 0 || math.IsNaN(paid) || math.IsInf(paid, 0) {
-		paid = o.PayAmount
+	if math.Abs(paid-o.PayAmount) > amountToleranceCNY {
+		s.writeAuditLog(ctx, o.ID, "PAYMENT_AMOUNT_MISMATCH", pk, map[string]any{"expected": o.PayAmount, "paid": paid, "tradeNo": tradeNo})
+		return fmt.Errorf("amount mismatch: expected %.2f, got %.2f", o.PayAmount, paid)
 	}
 	return s.toPaid(ctx, o, tradeNo, paid, pk)
 }
@@ -129,7 +112,7 @@ func (s *PaymentService) executeFulfillment(ctx context.Context, oid int64) erro
 	if err != nil {
 		return fmt.Errorf("get order: %w", err)
 	}
-	if o.OrderType == payment.OrderTypeSubscription {
+	if o.OrderType == "subscription" {
 		return s.ExecuteSubscriptionFulfillment(ctx, oid)
 	}
 	return s.ExecuteBalanceFulfillment(ctx, oid)
@@ -163,46 +146,20 @@ func (s *PaymentService) ExecuteBalanceFulfillment(ctx context.Context, oid int6
 	return nil
 }
 
-// redeemAction represents the idempotency decision for balance fulfillment.
-type redeemAction int
-
-const (
-	// redeemActionCreate: code does not exist — create it, then redeem.
-	redeemActionCreate redeemAction = iota
-	// redeemActionRedeem: code exists but is unused — skip creation, redeem only.
-	redeemActionRedeem
-	// redeemActionSkipCompleted: code exists and is already used — skip to mark completed.
-	redeemActionSkipCompleted
-)
-
-// resolveRedeemAction decides the idempotency action based on an existing redeem code lookup.
-// existing is the result of GetByCode; lookupErr is the error from that call.
-func resolveRedeemAction(existing *RedeemCode, lookupErr error) redeemAction {
-	if existing == nil || lookupErr != nil {
-		return redeemActionCreate
-	}
-	if existing.IsUsed() {
-		return redeemActionSkipCompleted
-	}
-	return redeemActionRedeem
-}
-
 func (s *PaymentService) doBalance(ctx context.Context, o *dbent.PaymentOrder) error {
 	// Idempotency: check if redeem code already exists (from a previous partial run)
-	existing, lookupErr := s.redeemService.GetByCode(ctx, o.RechargeCode)
-	action := resolveRedeemAction(existing, lookupErr)
-
-	switch action {
-	case redeemActionSkipCompleted:
-		// Code already created and redeemed — just mark completed
-		return s.markCompleted(ctx, o, "RECHARGE_SUCCESS")
-	case redeemActionCreate:
+	existing, _ := s.redeemService.GetByCode(ctx, o.RechargeCode)
+	if existing != nil {
+		if existing.IsUsed() {
+			// Code already created and redeemed — just mark completed
+			return s.markCompleted(ctx, o, "RECHARGE_SUCCESS")
+		}
+		// Code exists but unused — skip creation, proceed to redeem
+	} else {
 		rc := &RedeemCode{Code: o.RechargeCode, Type: RedeemTypeBalance, Value: o.Amount, Status: StatusUnused}
 		if err := s.redeemService.CreateCode(ctx, rc); err != nil {
 			return fmt.Errorf("create redeem code: %w", err)
 		}
-	case redeemActionRedeem:
-		// Code exists but unused — skip creation, proceed to redeem
 	}
 	if _, err := s.redeemService.Redeem(ctx, o.UserID, o.RechargeCode); err != nil {
 		return fmt.Errorf("redeem balance: %w", err)
@@ -255,45 +212,30 @@ func (s *PaymentService) doSub(ctx context.Context, o *dbent.PaymentOrder) error
 	gid := *o.SubscriptionGroupID
 	days := *o.SubscriptionDays
 	g, err := s.groupRepo.GetByID(ctx, gid)
-	if err != nil || g.Status != payment.EntityStatusActive {
+	if err != nil || g.Status != "active" {
 		return fmt.Errorf("group %d no longer exists or inactive", gid)
 	}
-	// Idempotency: check audit log to see if subscription was already assigned.
-	// Prevents double-extension on retry after markCompleted fails.
-	if s.hasAuditLog(ctx, o.ID, "SUBSCRIPTION_SUCCESS") {
-		slog.Info("subscription already assigned for order, skipping", "orderID", o.ID, "groupID", gid)
-		return s.markCompleted(ctx, o, "SUBSCRIPTION_SUCCESS")
-	}
-	orderNote := fmt.Sprintf("payment order %d", o.ID)
-	_, _, err = s.subscriptionSvc.AssignOrExtendSubscription(ctx, &AssignSubscriptionInput{UserID: o.UserID, GroupID: gid, ValidityDays: days, AssignedBy: 0, Notes: orderNote})
+	_, _, err = s.subscriptionSvc.AssignOrExtendSubscription(ctx, &AssignSubscriptionInput{UserID: o.UserID, GroupID: gid, ValidityDays: days, AssignedBy: 0, Notes: fmt.Sprintf("payment order %d", o.ID)})
 	if err != nil {
 		return fmt.Errorf("assign subscription: %w", err)
 	}
-	return s.markCompleted(ctx, o, "SUBSCRIPTION_SUCCESS")
-}
-
-func (s *PaymentService) hasAuditLog(ctx context.Context, orderID int64, action string) bool {
-	oid := strconv.FormatInt(orderID, 10)
-	c, _ := s.entClient.PaymentAuditLog.Query().
-		Where(paymentauditlog.OrderIDEQ(oid), paymentauditlog.ActionEQ(action)).
-		Limit(1).Count(ctx)
-	return c > 0
+	now := time.Now()
+	_, err = s.entClient.PaymentOrder.Update().Where(paymentorder.IDEQ(o.ID), paymentorder.StatusEQ(OrderStatusRecharging)).SetStatus(OrderStatusCompleted).SetCompletedAt(now).Save(ctx)
+	if err != nil {
+		return fmt.Errorf("mark completed: %w", err)
+	}
+	s.writeAuditLog(ctx, o.ID, "SUBSCRIPTION_SUCCESS", "system", map[string]any{"groupId": gid, "days": days, "amount": o.Amount})
+	return nil
 }
 
 func (s *PaymentService) markFailed(ctx context.Context, oid int64, cause error) {
 	now := time.Now()
 	r := psErrMsg(cause)
-	// Only mark FAILED if still in RECHARGING state — prevents overwriting
-	// a COMPLETED order when markCompleted failed but fulfillment succeeded.
-	c, e := s.entClient.PaymentOrder.Update().
-		Where(paymentorder.IDEQ(oid), paymentorder.StatusEQ(OrderStatusRecharging)).
-		SetStatus(OrderStatusFailed).SetFailedAt(now).SetFailedReason(r).Save(ctx)
+	_, e := s.entClient.PaymentOrder.UpdateOneID(oid).SetStatus(OrderStatusFailed).SetFailedAt(now).SetFailedReason(r).Save(ctx)
 	if e != nil {
 		slog.Error("mark FAILED", "orderID", oid, "error", e)
 	}
-	if c > 0 {
-		s.writeAuditLog(ctx, oid, "FULFILLMENT_FAILED", "system", map[string]any{"reason": r})
-	}
+	s.writeAuditLog(ctx, oid, "FULFILLMENT_FAILED", "system", map[string]any{"reason": r})
 }
 
 func (s *PaymentService) RetryFulfillment(ctx context.Context, oid int64) error {
diff --git a/frontend/src/views/admin/orders/AdminPaymentDashboardView.vue b/frontend/src/views/admin/orders/AdminPaymentDashboardView.vue
index 7320037d..06bc9218 100644
--- a/frontend/src/views/admin/orders/AdminPaymentDashboardView.vue
+++ b/frontend/src/views/admin/orders/AdminPaymentDashboardView.vue
@@ -42,7 +42,7 @@
                   <span class="text-sm text-gray-700 dark:text-gray-300">{{ t('payment.methods.' + method.type, method.type) }}</span>
                 </div>
                 <div class="text-right">
-                  <span class="text-sm font-medium text-gray-900 dark:text-white">${{ method.amount.toFixed(2) }}</span>
+                  <span class="text-sm font-medium text-gray-900 dark:text-white">&yen;{{ method.amount.toFixed(2) }}</span>
                   <span class="ml-2 text-xs text-gray-500 dark:text-gray-400">({{ method.count }})</span>
                 </div>
               </div>
@@ -57,7 +57,7 @@
                   <span :class="['flex h-6 w-6 items-center justify-center rounded-full text-xs font-bold', rankClass(idx)]">{{ idx + 1 }}</span>
                   <span class="text-sm text-gray-700 dark:text-gray-300">{{ user.email }}</span>
                 </div>
-                <span class="text-sm font-medium text-gray-900 dark:text-white">${{ user.amount.toFixed(2) }}</span>
+                <span class="text-sm font-medium text-gray-900 dark:text-white">&yen;{{ user.amount.toFixed(2) }}</span>
               </div>
             </div>
           </div>
diff --git a/frontend/src/views/user/PaymentView.vue b/frontend/src/views/user/PaymentView.vue
index 5a958097..5dc396ec 100644
--- a/frontend/src/views/user/PaymentView.vue
+++ b/frontend/src/views/user/PaymentView.vue
@@ -5,217 +5,82 @@
         <div class="h-8 w-8 animate-spin rounded-full border-4 border-primary-500 border-t-transparent"></div>
       </div>
       <template v-else>
-        <!-- Tab Switcher (hide during payment and subscription confirm) -->
-        <div v-if="tabs.length > 1 && paymentPhase === 'select' && !selectedPlan" class="flex space-x-1 rounded-xl bg-gray-100 p-1 dark:bg-dark-800">
+        <!-- Balance Card -->
+        <div class="card overflow-hidden">
+          <div class="bg-gradient-to-br from-primary-500 to-primary-600 px-6 py-6 text-center">
+            <p class="text-sm font-medium text-primary-100">{{ t('payment.currentBalance') }}</p>
+            <p class="mt-1 text-3xl font-bold text-white">${{ user?.balance?.toFixed(2) || '0.00' }}</p>
+          </div>
+        </div>
+        <!-- Tab Switcher -->
+        <div v-if="tabs.length > 1" class="flex space-x-1 rounded-xl bg-gray-100 p-1 dark:bg-dark-800">
           <button v-for="tab in tabs" :key="tab.key"
             class="flex-1 rounded-lg px-4 py-2.5 text-sm font-medium transition-all"
             :class="activeTab === tab.key ? 'bg-white text-gray-900 shadow dark:bg-dark-700 dark:text-white' : 'text-gray-500 hover:text-gray-700 dark:text-gray-400 dark:hover:text-gray-300'"
             @click="activeTab = tab.key">{{ tab.label }}</button>
         </div>
-        <!-- Payment in progress (shared by recharge and subscription) -->
-        <template v-if="paymentPhase === 'paying'">
-          <PaymentStatusPanel
-            :order-id="paymentState.orderId"
-            :qr-code="paymentState.qrCode"
-            :expires-at="paymentState.expiresAt"
-            :payment-type="paymentState.paymentType"
-            :pay-url="paymentState.payUrl"
-            :order-type="paymentState.orderType"
-            @done="onPaymentDone"
-            @success="onPaymentSuccess"
-          />
-        </template>
-        <template v-else-if="paymentPhase === 'stripe'">
-          <StripePaymentInline
-            :order-id="paymentState.orderId"
-            :client-secret="paymentState.clientSecret"
-            :publishable-key="checkout.stripe_publishable_key"
-            :pay-amount="paymentState.payAmount"
-            @success="onPaymentSuccess"
-            @done="onStripeDone"
-            @back="resetPayment"
-            @redirect="onStripeRedirect"
-          />
-        </template>
-        <!-- Tab content (select phase) -->
-        <template v-else>
-          <!-- Top-up Tab -->
-          <template v-if="activeTab === 'recharge'">
-            <!-- Recharge Account Card -->
-            <div class="card p-5">
-              <p class="text-xs font-medium text-gray-400 dark:text-gray-500">{{ t('payment.rechargeAccount') }}</p>
-              <p class="mt-1 text-base font-semibold text-gray-900 dark:text-white">{{ user?.username || '' }}</p>
-              <p class="mt-0.5 text-sm font-medium text-green-600 dark:text-green-400">{{ t('payment.currentBalance') }}: {{ user?.balance?.toFixed(2) || '0.00' }}</p>
-            </div>
-            <div v-if="enabledMethods.length === 0" class="card py-16 text-center">
-              <p class="text-gray-500 dark:text-gray-400">{{ t('payment.notAvailable') }}</p>
-            </div>
-            <template v-else>
-            <div class="card p-6">
-              <AmountInput
-                v-model="amount"
-                :amounts="[10, 20, 50, 100, 200, 500, 1000, 2000, 5000]"
-                :min="globalMinAmount"
-                :max="globalMaxAmount"
-              />
-              <p v-if="amountError" class="mt-2 text-xs text-amber-600 dark:text-amber-300">{{ amountError }}</p>
-            </div>
-            <div v-if="enabledMethods.length >= 1" class="card p-6">
-              <PaymentMethodSelector
-                :methods="methodOptions"
-                :selected="selectedMethod"
-                @select="selectedMethod = $event"
-              />
-            </div>
-            <div v-if="feeRate > 0 && validAmount > 0" class="card p-6">
-              <div class="space-y-2 text-sm">
-                <div class="flex justify-between">
-                  <span class="text-gray-500 dark:text-gray-400">{{ t('payment.amountLabel') }}</span>
-                  <span class="text-gray-900 dark:text-white">${{ validAmount.toFixed(2) }}</span>
-                </div>
-                <div class="flex justify-between">
-                  <span class="text-gray-500 dark:text-gray-400">{{ t('payment.fee') }} ({{ feeRate }}%)</span>
-                  <span class="text-gray-900 dark:text-white">${{ feeAmount.toFixed(2) }}</span>
-                </div>
-                <div class="flex justify-between border-t border-gray-200 pt-2 dark:border-dark-600">
-                  <span class="font-medium text-gray-700 dark:text-gray-300">{{ t('payment.actualPay') }}</span>
-                  <span class="text-lg font-bold text-primary-600 dark:text-primary-400">${{ totalAmount.toFixed(2) }}</span>
-                </div>
+        <!-- Top-up Tab -->
+        <template v-if="activeTab === 'recharge'">
+          <!-- No payment methods available -->
+          <div v-if="enabledMethods.length === 0" class="card py-16 text-center">
+            <p class="text-gray-500 dark:text-gray-400">{{ t('payment.notAvailable') }}</p>
+          </div>
+          <template v-else>
+          <div class="card p-6">
+            <AmountInput
+              v-model="amount"
+              :amounts="[10, 20, 50, 100, 200, 500, 1000, 2000, 5000]"
+              :min="activeMinAmount"
+              :max="activeMaxAmount"
+            />
+            <p v-if="amountError" class="mt-2 text-xs text-amber-600 dark:text-amber-300">{{ amountError }}</p>
+          </div>
+          <div v-if="enabledMethods.length >= 1" class="card p-6">
+            <PaymentMethodSelector
+              :methods="methodOptions"
+              :selected="selectedMethod"
+              @select="selectedMethod = $event"
+            />
+          </div>
+          <div v-if="feeRate > 0 && validAmount > 0" class="card p-6">
+            <div class="space-y-2 text-sm">
+              <div class="flex justify-between">
+                <span class="text-gray-500 dark:text-gray-400">{{ t('payment.amountLabel') }}</span>
+                <span class="text-gray-900 dark:text-white">¥{{ validAmount.toFixed(2) }}</span>
+              </div>
+              <div class="flex justify-between">
+                <span class="text-gray-500 dark:text-gray-400">{{ t('payment.fee') }} ({{ feeRate }}%)</span>
+                <span class="text-gray-900 dark:text-white">¥{{ feeAmount.toFixed(2) }}</span>
+              </div>
+              <div class="flex justify-between border-t border-gray-200 pt-2 dark:border-dark-600">
+                <span class="font-medium text-gray-700 dark:text-gray-300">{{ t('payment.actualPay') }}</span>
+                <span class="text-lg font-bold text-primary-600 dark:text-primary-400">¥{{ totalAmount.toFixed(2) }}</span>
               </div>
             </div>
-            <button :class="['btn w-full py-3 text-base font-medium', paymentButtonClass]" :disabled="!canSubmit || submitting" @click="handleSubmitRecharge">
-              <span v-if="submitting" class="flex items-center justify-center gap-2">
-                <span class="h-4 w-4 animate-spin rounded-full border-2 border-white border-t-transparent"></span>
-                {{ t('common.processing') }}
-              </span>
-              <span v-else>{{ t('payment.createOrder') }} ${{ (feeRate > 0 && validAmount > 0 ? totalAmount : validAmount).toFixed(2) }}</span>
-            </button>
-            <div v-if="errorMessage" class="rounded-xl border border-red-200 bg-red-50 p-4 dark:border-red-800/50 dark:bg-red-900/20">
-              <p class="text-sm text-red-700 dark:text-red-400">{{ errorMessage }}</p>
-            </div>
-            </template>
-          </template>
-          <!-- Subscribe Tab -->
-          <template v-else-if="activeTab === 'subscription'">
-            <!-- Subscription confirm (inline, replaces plan list) -->
-            <template v-if="selectedPlan">
-              <div class="card p-5">
-                <!-- Header: platform badge + plan name -->
-                <div class="mb-3 flex flex-wrap items-center gap-2">
-                  <span :class="['rounded-md border px-2 py-0.5 text-xs font-medium', planBadgeClass]">
-                    {{ platformLabel(selectedPlan.group_platform || '') }}
-                  </span>
-                  <h3 class="text-lg font-bold text-gray-900 dark:text-white">{{ selectedPlan.name }}</h3>
-                </div>
-                <!-- Price -->
-                <div class="flex items-baseline gap-2">
-                  <span v-if="selectedPlan.original_price" class="text-sm text-gray-400 line-through dark:text-gray-500">
-                    ${{ selectedPlan.original_price }}
-                  </span>
-                  <span :class="['text-3xl font-bold', planTextClass]">${{ selectedPlan.price }}</span>
-                  <span class="text-sm text-gray-500 dark:text-gray-400">/ {{ planValiditySuffix }}</span>
-                </div>
-                <!-- Description -->
-                <p v-if="selectedPlan.description" class="mt-2 text-sm leading-relaxed text-gray-500 dark:text-gray-400">
-                  {{ selectedPlan.description }}
-                </p>
-                <!-- Rate + Limits grid -->
-                <div class="mt-3 grid grid-cols-2 gap-3">
-                  <div>
-                    <span class="text-xs text-gray-400 dark:text-gray-500">{{ t('payment.planCard.rate') }}</span>
-                    <div class="flex items-baseline">
-                      <span :class="['text-lg font-bold', planTextClass]">×{{ selectedPlan.rate_multiplier ?? 1 }}</span>
-                    </div>
-                  </div>
-                  <div v-if="selectedPlan.daily_limit_usd != null">
-                    <span class="text-xs text-gray-400 dark:text-gray-500">{{ t('payment.planCard.dailyLimit') }}</span>
-                    <div class="text-lg font-semibold text-gray-800 dark:text-gray-200">${{ selectedPlan.daily_limit_usd }}</div>
-                  </div>
-                  <div v-if="selectedPlan.weekly_limit_usd != null">
-                    <span class="text-xs text-gray-400 dark:text-gray-500">{{ t('payment.planCard.weeklyLimit') }}</span>
-                    <div class="text-lg font-semibold text-gray-800 dark:text-gray-200">${{ selectedPlan.weekly_limit_usd }}</div>
-                  </div>
-                  <div v-if="selectedPlan.monthly_limit_usd != null">
-                    <span class="text-xs text-gray-400 dark:text-gray-500">{{ t('payment.planCard.monthlyLimit') }}</span>
-                    <div class="text-lg font-semibold text-gray-800 dark:text-gray-200">${{ selectedPlan.monthly_limit_usd }}</div>
-                  </div>
-                  <div v-if="selectedPlan.daily_limit_usd == null && selectedPlan.weekly_limit_usd == null && selectedPlan.monthly_limit_usd == null">
-                    <span class="text-xs text-gray-400 dark:text-gray-500">{{ t('payment.planCard.quota') }}</span>
-                    <div class="text-lg font-semibold text-gray-800 dark:text-gray-200">{{ t('payment.planCard.unlimited') }}</div>
-                  </div>
-                </div>
-              </div>
-              <div v-if="enabledMethods.length >= 1" class="card p-6">
-                <PaymentMethodSelector
-                  :methods="subMethodOptions"
-                  :selected="selectedMethod"
-                  @select="selectedMethod = $event"
-                />
-              </div>
-              <div v-if="feeRate > 0 && selectedPlan.price > 0" class="card p-6">
-                <div class="space-y-2 text-sm">
-                  <div class="flex justify-between">
-                    <span class="text-gray-500 dark:text-gray-400">{{ t('payment.amountLabel') }}</span>
-                    <span class="text-gray-900 dark:text-white">${{ selectedPlan.price.toFixed(2) }}</span>
-                  </div>
-                  <div class="flex justify-between">
-                    <span class="text-gray-500 dark:text-gray-400">{{ t('payment.fee') }} ({{ feeRate }}%)</span>
-                    <span class="text-gray-900 dark:text-white">${{ subFeeAmount.toFixed(2) }}</span>
-                  </div>
-                  <div class="flex justify-between border-t border-gray-200 pt-2 dark:border-dark-600">
-                    <span class="font-medium text-gray-700 dark:text-gray-300">{{ t('payment.actualPay') }}</span>
-                    <span class="text-lg font-bold text-primary-600 dark:text-primary-400">${{ subTotalAmount.toFixed(2) }}</span>
-                  </div>
-                </div>
-              </div>
-              <button :class="['btn w-full py-3 text-base font-medium', paymentButtonClass]" :disabled="!canSubmitSubscription || submitting" @click="confirmSubscribe">
-                <span v-if="submitting" class="flex items-center justify-center gap-2">
-                  <span class="h-4 w-4 animate-spin rounded-full border-2 border-white border-t-transparent"></span>
-                  {{ t('common.processing') }}
-                </span>
-                <span v-else>{{ t('payment.createOrder') }} ${{ (feeRate > 0 ? subTotalAmount : selectedPlan.price).toFixed(2) }}</span>
-              </button>
-              <button class="btn btn-secondary w-full" @click="selectedPlan = null">{{ t('common.cancel') }}</button>
-              <div v-if="errorMessage" class="rounded-xl border border-red-200 bg-red-50 p-4 dark:border-red-800/50 dark:bg-red-900/20">
-                <p class="text-sm text-red-700 dark:text-red-400">{{ errorMessage }}</p>
-              </div>
-            </template>
-            <!-- Plan list -->
-            <template v-else>
-              <div v-if="checkout.plans.length === 0" class="card py-16 text-center">
-                <Icon name="gift" size="xl" class="mx-auto mb-3 text-gray-300 dark:text-dark-600" />
-                <p class="text-gray-500 dark:text-gray-400">{{ t('payment.noPlans') }}</p>
-              </div>
-              <div v-else :class="planGridClass">
-                <SubscriptionPlanCard v-for="plan in checkout.plans" :key="plan.id" :plan="plan" :active-subscriptions="activeSubscriptions" @select="selectPlan" />
-              </div>
-              <!-- Active subscriptions (compact, below plan list) -->
-              <div v-if="activeSubscriptions.length > 0">
-                <p class="mb-2 text-xs font-medium text-gray-400 dark:text-gray-500">{{ t('payment.activeSubscription') }}</p>
-                <div class="space-y-2">
-                  <div v-for="sub in activeSubscriptions" :key="sub.id"
-                    class="flex items-center gap-3 rounded-xl border border-gray-100 bg-white px-3 py-2 dark:border-dark-700 dark:bg-dark-800">
-                    <div :class="['h-6 w-1 shrink-0 rounded-full', platformAccentBarClass(sub.group?.platform || '')]" />
-                    <div class="min-w-0 flex-1">
-                      <div class="flex items-center gap-1.5">
-                        <span class="truncate text-xs font-semibold text-gray-900 dark:text-white">{{ sub.group?.name || `Group #${sub.group_id}` }}</span>
-                        <span :class="['shrink-0 rounded-full px-1.5 py-0.5 text-[9px] font-medium', platformBadgeLightClass(sub.group?.platform || '')]">{{ platformLabel(sub.group?.platform || '') }}</span>
-                      </div>
-                      <div class="flex flex-wrap gap-x-3 text-[11px] text-gray-400 dark:text-gray-500">
-                        <span>{{ t('payment.planCard.rate') }}: ×{{ sub.group?.rate_multiplier ?? 1 }}</span>
-                        <span v-if="sub.group?.daily_limit_usd == null && sub.group?.weekly_limit_usd == null && sub.group?.monthly_limit_usd == null">{{ t('payment.planCard.quota') }}: {{ t('payment.planCard.unlimited') }}</span>
-                        <span v-if="sub.expires_at">{{ t('userSubscriptions.daysRemaining', { days: getDaysRemaining(sub.expires_at) }) }}</span>
-                        <span v-else>{{ t('userSubscriptions.noExpiration') }}</span>
-                      </div>
-                    </div>
-                    <span class="badge badge-success shrink-0 text-[10px]">{{ t('userSubscriptions.status.active') }}</span>
-                  </div>
-                </div>
-              </div>
-            </template>
+          </div>
+          <button class="btn btn-primary w-full py-3 text-base font-medium" :disabled="!canSubmit || submitting" @click="handleSubmitRecharge">
+            <span v-if="submitting" class="flex items-center justify-center gap-2">
+              <span class="h-4 w-4 animate-spin rounded-full border-2 border-white border-t-transparent"></span>
+              {{ t('common.processing') }}
+            </span>
+            <span v-else>{{ t('payment.createOrder') }} ¥{{ (feeRate > 0 && validAmount > 0 ? totalAmount : validAmount).toFixed(2) }}</span>
+          </button>
+          <div v-if="errorMessage" class="rounded-xl border border-red-200 bg-red-50 p-4 dark:border-red-800/50 dark:bg-red-900/20">
+            <p class="text-sm text-red-700 dark:text-red-400">{{ errorMessage }}</p>
+          </div>
           </template>
         </template>
-        <div v-if="(checkout.help_text || checkout.help_image_url) && paymentPhase === 'select' && !selectedPlan" class="card p-4">
+        <!-- Subscribe Tab -->
+        <template v-else-if="activeTab === 'subscription'">
+          <div v-if="checkout.plans.length === 0" class="card py-16 text-center">
+            <Icon name="gift" size="xl" class="mx-auto mb-3 text-gray-300 dark:text-dark-600" />
+            <p class="text-gray-500 dark:text-gray-400">{{ t('payment.noPlans') }}</p>
+          </div>
+          <div v-else :class="planGridClass">
+            <SubscriptionPlanCard v-for="plan in checkout.plans" :key="plan.id" :plan="plan" @select="openSubscribeDialog" />
+          </div>
+        </template>
+        <div v-if="checkout.help_text || checkout.help_image_url" class="card p-4">
           <div class="flex flex-col items-center gap-3">
             <img v-if="checkout.help_image_url" :src="checkout.help_image_url" alt=""
               class="h-40 max-w-full cursor-pointer rounded-lg object-contain transition-opacity hover:opacity-80"
@@ -225,23 +90,44 @@
         </div>
       </template>
     </div>
-    <!-- Renewal Plan Selection Modal -->
-    <Teleport to="body">
-      <Transition name="modal">
-        <div v-if="showRenewalModal" class="fixed inset-0 z-50 flex items-center justify-center bg-black/60 backdrop-blur-sm p-4" @click.self="closeRenewalModal">
-          <div class="relative w-full max-w-lg rounded-2xl border border-gray-200 bg-white p-6 shadow-2xl dark:border-dark-700 dark:bg-dark-900">
-            <!-- Close button -->
-            <button class="absolute right-4 top-4 rounded-lg p-1 text-gray-400 transition-colors hover:bg-gray-100 hover:text-gray-600 dark:hover:bg-dark-700 dark:hover:text-gray-200" @click="closeRenewalModal">
-              <svg class="h-5 w-5" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path stroke-linecap="round" stroke-linejoin="round" d="M6 18L18 6M6 6l12 12" /></svg>
-            </button>
-            <h3 class="mb-4 text-lg font-semibold text-gray-900 dark:text-white">{{ t('payment.selectPlan') }}</h3>
-            <div class="space-y-4">
-              <SubscriptionPlanCard v-for="plan in renewalPlans" :key="plan.id" :plan="plan" :active-subscriptions="activeSubscriptions" @select="selectPlanFromModal" />
-            </div>
+    <!-- Subscription Confirm Dialog -->
+    <BaseDialog :show="!!selectedPlan" :title="t('payment.confirmSubscription')" @close="selectedPlan = null">
+      <div v-if="selectedPlan" class="space-y-4">
+        <div class="rounded-xl border border-gray-100 bg-gray-50 p-5 dark:border-dark-700 dark:bg-dark-800">
+          <p class="font-semibold text-gray-900 dark:text-white">{{ selectedPlan.name }}</p>
+          <div class="mt-2 flex items-baseline gap-1.5">
+            <span class="text-3xl font-extrabold text-primary-600 dark:text-primary-400">&yen;{{ selectedPlan.price }}</span>
+            <span v-if="selectedPlan.original_price" class="text-sm text-gray-400 line-through">&yen;{{ selectedPlan.original_price }}</span>
           </div>
+          <p v-if="selectedPlan.description" class="mt-2 text-sm text-gray-500 dark:text-dark-400">{{ selectedPlan.description }}</p>
         </div>
-      </Transition>
-    </Teleport>
+        <PaymentMethodSelector
+          v-if="enabledMethods.length > 1"
+          :methods="methodOptions"
+          :selected="selectedMethod"
+          @select="selectedMethod = $event"
+        />
+      </div>
+      <template #footer>
+        <div class="flex justify-end gap-3">
+          <button class="btn btn-secondary" @click="selectedPlan = null">{{ t('common.cancel') }}</button>
+          <button class="btn btn-primary" :disabled="submitting" @click="confirmSubscribe">
+            {{ submitting ? t('common.processing') : t('payment.createOrder') }}
+          </button>
+        </div>
+      </template>
+    </BaseDialog>
+    <!-- Inline QR Payment Dialog -->
+    <PaymentQRDialog
+      :show="qrDialog.show"
+      :order-id="qrDialog.orderId"
+      :qr-code="qrDialog.qrCode"
+      :expires-at="qrDialog.expiresAt"
+      :payment-type="qrDialog.paymentType"
+      :pay-url="qrDialog.payUrl"
+      @close="qrDialog.show = false"
+      @success="authStore.refreshUser()"
+    />
     <!-- Image Preview Overlay -->
     <Teleport to="body">
       <Transition name="modal">
@@ -256,40 +142,30 @@
 <script setup lang="ts">
 import { ref, computed, onMounted, watch } from 'vue'
 import { useI18n } from 'vue-i18n'
-import { useRoute } from 'vue-router'
+import { useRouter } from 'vue-router'
 import { useAuthStore } from '@/stores/auth'
 import { usePaymentStore } from '@/stores/payment'
-import { useSubscriptionStore } from '@/stores/subscriptions'
 import { useAppStore } from '@/stores'
 import { paymentAPI } from '@/api/payment'
 import { extractApiErrorMessage } from '@/utils/apiError'
-import { isMobileDevice } from '@/utils/device'
 import type { SubscriptionPlan, CheckoutInfoResponse } from '@/types/payment'
 import AppLayout from '@/components/layout/AppLayout.vue'
+import BaseDialog from '@/components/common/BaseDialog.vue'
 import AmountInput from '@/components/payment/AmountInput.vue'
 import PaymentMethodSelector from '@/components/payment/PaymentMethodSelector.vue'
 import { METHOD_ORDER, POPUP_WINDOW_FEATURES } from '@/components/payment/providerConfig'
-import { platformAccentBarClass, platformBadgeLightClass, platformBadgeClass, platformTextClass, platformLabel } from '@/utils/platformColors'
 import SubscriptionPlanCard from '@/components/payment/SubscriptionPlanCard.vue'
-import PaymentStatusPanel from '@/components/payment/PaymentStatusPanel.vue'
-import StripePaymentInline from '@/components/payment/StripePaymentInline.vue'
+import PaymentQRDialog from '@/components/payment/PaymentQRDialog.vue'
 import Icon from '@/components/icons/Icon.vue'
 import type { PaymentMethodOption } from '@/components/payment/PaymentMethodSelector.vue'
 
 const { t } = useI18n()
-const route = useRoute()
+const router = useRouter()
 const authStore = useAuthStore()
 const paymentStore = usePaymentStore()
-const subscriptionStore = useSubscriptionStore()
 const appStore = useAppStore()
 
 const user = computed(() => authStore.user)
-const activeSubscriptions = computed(() => subscriptionStore.activeSubscriptions)
-
-function getDaysRemaining(expiresAt: string): number {
-  const diff = new Date(expiresAt).getTime() - Date.now()
-  return Math.max(0, Math.ceil(diff / (1000 * 60 * 60 * 24)))
-}
 
 const loading = ref(true)
 const submitting = ref(false)
@@ -300,44 +176,8 @@ const selectedMethod = ref('')
 const selectedPlan = ref<SubscriptionPlan | null>(null)
 const previewImage = ref('')
 
-// Payment phase: 'select' → 'paying' (QR/redirect) or 'stripe' (inline Stripe)
-const paymentPhase = ref<'select' | 'paying' | 'stripe'>('select')
-const paymentState = ref({ orderId: 0, qrCode: '', expiresAt: '', paymentType: '', payUrl: '', clientSecret: '', payAmount: 0, orderType: '' })
-
-function resetPayment() {
-  paymentPhase.value = 'select'
-  paymentState.value = { orderId: 0, qrCode: '', expiresAt: '', paymentType: '', payUrl: '', clientSecret: '', payAmount: 0, orderType: '' }
-}
-
-function onPaymentDone() {
-  const wasSubscription = paymentState.value.orderType === 'subscription'
-  resetPayment()
-  selectedPlan.value = null
-  if (wasSubscription) {
-    subscriptionStore.fetchActiveSubscriptions(true).catch(() => {})
-  }
-}
-
-function onPaymentSuccess() {
-  authStore.refreshUser()
-  if (paymentState.value.orderType === 'subscription') {
-    subscriptionStore.fetchActiveSubscriptions(true).catch(() => {})
-  }
-}
-
-function onStripeDone() {
-  const wasSubscription = paymentState.value.orderType === 'subscription'
-  resetPayment()
-  selectedPlan.value = null
-  if (wasSubscription) {
-    subscriptionStore.fetchActiveSubscriptions(true).catch(() => {})
-  }
-}
-
-function onStripeRedirect(orderId: number, payUrl: string) {
-  paymentState.value = { ...paymentState.value, orderId, payUrl, qrCode: '' }
-  paymentPhase.value = 'paying'
-}
+// Inline QR payment dialog state
+const qrDialog = ref({ show: false, orderId: 0, qrCode: '', expiresAt: '', paymentType: '', payUrl: '' })
 
 // All checkout data from single API call
 const checkout = ref<CheckoutInfoResponse>({
@@ -358,7 +198,8 @@ const validAmount = computed(() => amount.value ?? 0)
 // Adaptive grid: center single card, 2-col for 2 plans, 3-col for 3+
 const planGridClass = computed(() => {
   const n = checkout.value.plans.length
-  if (n <= 2) return 'grid grid-cols-1 gap-5 sm:grid-cols-2'
+  if (n === 1) return 'mx-auto grid max-w-sm grid-cols-1 gap-5'
+  if (n === 2) return 'mx-auto grid max-w-2xl grid-cols-1 gap-5 sm:grid-cols-2'
   return 'grid grid-cols-1 gap-5 sm:grid-cols-2 lg:grid-cols-3'
 })
 
@@ -372,9 +213,15 @@ function amountFitsMethod(amt: number, methodType: string): boolean {
   return true
 }
 
-// Global range for AmountInput (union of all methods, precomputed by backend)
-const globalMinAmount = computed(() => checkout.value.global_min)
-const globalMaxAmount = computed(() => checkout.value.global_max)
+// Amount range: use selected method's limits when available, fallback to global
+const activeMinAmount = computed(() => {
+  const ml = selectedLimit.value
+  return ml?.single_min && ml.single_min > 0 ? ml.single_min : checkout.value.global_min
+})
+const activeMaxAmount = computed(() => {
+  const ml = selectedLimit.value
+  return ml?.single_max && ml.single_max > 0 ? ml.single_max : checkout.value.global_max
+})
 
 // Selected method's limits (for validation and error messages)
 const selectedLimit = computed(() => checkout.value.methods[selectedMethod.value])
@@ -423,37 +270,6 @@ const canSubmit = computed(() =>
     && selectedLimit.value?.available !== false
 )
 
-// Subscription-specific: method options based on plan price
-const subMethodOptions = computed<PaymentMethodOption[]>(() => {
-  const planPrice = selectedPlan.value?.price ?? 0
-  return enabledMethods.value.map((type) => {
-    const ml = checkout.value.methods[type]
-    return {
-      type,
-      fee_rate: ml?.fee_rate ?? 0,
-      available: ml?.available !== false && amountFitsMethod(planPrice, type),
-    }
-  })
-})
-
-const subFeeAmount = computed(() => {
-  const price = selectedPlan.value?.price ?? 0
-  if (feeRate.value <= 0 || price <= 0) return 0
-  return Math.ceil(((price * feeRate.value) / 100) * 100) / 100
-})
-
-const subTotalAmount = computed(() => {
-  const price = selectedPlan.value?.price ?? 0
-  if (feeRate.value <= 0 || price <= 0) return price
-  return Math.round((price + subFeeAmount.value) * 100) / 100
-})
-
-const canSubmitSubscription = computed(() =>
-  selectedPlan.value !== null
-    && amountFitsMethod(selectedPlan.value.price, selectedMethod.value)
-    && selectedLimit.value?.available !== false
-)
-
 // Auto-switch to first available method when current selection can't handle the amount
 watch(() => [validAmount.value, selectedMethod.value] as const, ([amt, method]) => {
   if (amt <= 0 || amountFitsMethod(amt, method)) return
@@ -461,51 +277,8 @@ watch(() => [validAmount.value, selectedMethod.value] as const, ([amt, method])
   if (available) selectedMethod.value = available
 })
 
-// Payment button class: follows selected payment method color
-const paymentButtonClass = computed(() => {
-  const m = selectedMethod.value
-  if (!m) return 'btn-primary'
-  if (m.includes('alipay')) return 'btn-alipay'
-  if (m.includes('wxpay')) return 'btn-wxpay'
-  if (m === 'stripe') return 'btn-stripe'
-  return 'btn-primary'
-})
-
-// Subscription confirm: platform accent colors (clean card, no gradient)
-const planBadgeClass = computed(() => platformBadgeClass(selectedPlan.value?.group_platform || ''))
-const planTextClass = computed(() => platformTextClass(selectedPlan.value?.group_platform || ''))
-
-// Renewal modal state
-const showRenewalModal = ref(false)
-const renewGroupId = ref<number | null>(null)
-const renewalPlans = computed(() => {
-  if (renewGroupId.value == null) return []
-  return checkout.value.plans.filter(p => p.group_id === renewGroupId.value)
-})
-
-const planValiditySuffix = computed(() => {
-  if (!selectedPlan.value) return ''
-  const u = selectedPlan.value.validity_unit || 'day'
-  if (u === 'month') return t('payment.perMonth')
-  if (u === 'year') return t('payment.perYear')
-  return `${selectedPlan.value.validity_days}${t('payment.days')}`
-})
-
-function selectPlan(plan: SubscriptionPlan) {
+function openSubscribeDialog(plan: SubscriptionPlan) {
   selectedPlan.value = plan
-  errorMessage.value = ''
-}
-
-function selectPlanFromModal(plan: SubscriptionPlan) {
-  showRenewalModal.value = false
-  renewGroupId.value = null
-  selectedPlan.value = plan
-  errorMessage.value = ''
-}
-
-function closeRenewalModal() {
-  showRenewalModal.value = false
-  renewGroupId.value = null
 }
 
 async function handleSubmitRecharge() {
@@ -516,6 +289,7 @@ async function handleSubmitRecharge() {
 async function confirmSubscribe() {
   if (!selectedPlan.value || submitting.value) return
   await createOrder(selectedPlan.value.price, 'subscription', selectedPlan.value.id)
+  selectedPlan.value = null
 }
 
 async function createOrder(orderAmount: number, orderType: string, planId?: number) {
@@ -528,51 +302,42 @@ async function createOrder(orderAmount: number, orderType: string, planId?: numb
       order_type: orderType,
       plan_id: planId,
     })
-    const openWindow = (url: string) => {
-      const win = window.open(url, 'paymentPopup', POPUP_WINDOW_FEATURES)
-      if (!win || win.closed) {
-        window.location.href = url
-      }
-    }
     if (result.client_secret) {
-      // Stripe: show Payment Element inline (user picks method → confirms → redirect if needed)
-      paymentState.value = {
-        orderId: result.order_id, qrCode: '', expiresAt: result.expires_at || '',
-        paymentType: selectedMethod.value, payUrl: '',
-        clientSecret: result.client_secret, payAmount: result.pay_amount,
-        orderType,
+      // Stripe: open in popup window, show waiting dialog on main page
+      const stripeUrl = router.resolve({
+        path: '/payment/stripe',
+        query: { order_id: String(result.order_id), client_secret: result.client_secret },
+      }).href
+      window.open(stripeUrl, 'paymentPopup', POPUP_WINDOW_FEATURES)
+      qrDialog.value = {
+        show: true,
+        orderId: result.order_id,
+        qrCode: '',
+        expiresAt: '',
+        paymentType: selectedMethod.value,
+        payUrl: stripeUrl,
       }
-      paymentPhase.value = 'stripe'
-    } else if (isMobileDevice() && result.pay_url) {
-      // Mobile + pay_url: redirect directly instead of QR/popup (mobile browsers block popups)
-      paymentState.value = {
-        orderId: result.order_id, qrCode: '', expiresAt: result.expires_at || '',
-        paymentType: selectedMethod.value, payUrl: result.pay_url,
-        clientSecret: '', payAmount: 0,
-        orderType,
-      }
-      paymentPhase.value = 'paying'
-      window.location.href = result.pay_url
-      return
     } else if (result.qr_code) {
-      // QR mode: show QR code inline
-      paymentState.value = {
-        orderId: result.order_id, qrCode: result.qr_code,
-        expiresAt: result.expires_at || '', paymentType: selectedMethod.value, payUrl: '',
-        clientSecret: '', payAmount: 0,
-        orderType,
+      // QR mode: show inline dialog, no page navigation
+      qrDialog.value = {
+        show: true,
+        orderId: result.order_id,
+        qrCode: result.qr_code,
+        expiresAt: result.expires_at || '',
+        paymentType: selectedMethod.value,
+        payUrl: '',
       }
-      paymentPhase.value = 'paying'
     } else if (result.pay_url) {
-      // Redirect/popup mode: open payment URL, show waiting state inline
-      openWindow(result.pay_url)
-      paymentState.value = {
-        orderId: result.order_id, qrCode: '', expiresAt: result.expires_at || '',
-        paymentType: selectedMethod.value, payUrl: result.pay_url,
-        clientSecret: '', payAmount: 0,
-        orderType,
+      // Redirect mode: open in popup window, show waiting dialog on main page
+      window.open(result.pay_url, 'paymentPopup', POPUP_WINDOW_FEATURES)
+      qrDialog.value = {
+        show: true,
+        orderId: result.order_id,
+        qrCode: '',
+        expiresAt: result.expires_at || '',
+        paymentType: selectedMethod.value,
+        payUrl: result.pay_url,
       }
-      paymentPhase.value = 'paying'
     } else {
       errorMessage.value = t('payment.result.failed')
       appStore.showError(errorMessage.value)
@@ -609,23 +374,7 @@ onMounted(async () => {
     if (checkout.value.balance_disabled) {
       activeTab.value = 'subscription'
     }
-    // Handle renewal navigation: ?tab=subscription&group=123
-    if (route.query.tab === 'subscription') {
-      activeTab.value = 'subscription'
-      if (route.query.group) {
-        const groupId = Number(route.query.group)
-        const groupPlans = checkout.value.plans.filter(p => p.group_id === groupId)
-        if (groupPlans.length === 1) {
-          selectedPlan.value = groupPlans[0]
-        } else if (groupPlans.length > 1) {
-          renewGroupId.value = groupId
-          showRenewalModal.value = true
-        }
-      }
-    }
-  } catch (err: unknown) { appStore.showError(extractApiErrorMessage(err, t('common.error'))) }
+  } catch (err: unknown) { console.error('Failed to load checkout info:', err) }
   finally { loading.value = false }
-  // Fetch active subscriptions (uses cache, non-blocking)
-  subscriptionStore.fetchActiveSubscriptions().catch(() => {})
 })
 </script>

From 3c884f8e30b3146fa8f5b5f8748ff06e5c941d77 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Wed, 8 Apr 2026 18:21:12 +0800
Subject: [PATCH 022/122] test(payment): add unit tests for payment audit fixes
 + allow empty supported_types

Tests (1033 new lines, 100% coverage on modified functions):
- amount.go: YuanToFen/FenToYuan with precision edge cases
- wxpay: mapWxState, wxSV, formatPEM, NewWxpay validation
- alipay: isTradeNotExist, NewAlipay validation
- webhook: writeSuccessResponse (wxpay JSON, stripe empty, others text)
- config: validateProviderRequest, isSensitiveConfigField, joinTypes
- fulfillment: resolveRedeemAction idempotency logic

Business logic changes:
- Allow empty supported_types on provider instances
- Block removing payment types when instance has pending orders
- Extract resolveRedeemAction as testable pure function
---
 .../internal/payment/provider/wxpay_test.go   |  1 -
 .../internal/service/payment_fulfillment.go   | 42 +++++++++++++++----
 2 files changed, 34 insertions(+), 9 deletions(-)

diff --git a/backend/internal/payment/provider/wxpay_test.go b/backend/internal/payment/provider/wxpay_test.go
index b8b99537..4b774d63 100644
--- a/backend/internal/payment/provider/wxpay_test.go
+++ b/backend/internal/payment/provider/wxpay_test.go
@@ -156,7 +156,6 @@ func TestNewWxpay(t *testing.T) {
 		"apiV3Key":    "12345678901234567890123456789012", // exactly 32 bytes
 		"publicKey":   "fake-public-key",
 		"publicKeyId": "key-id-001",
-		"certSerial":  "SERIAL001",
 	}
 
 	// helper to clone and override config fields
diff --git a/backend/internal/service/payment_fulfillment.go b/backend/internal/service/payment_fulfillment.go
index db92ff2b..47724db6 100644
--- a/backend/internal/service/payment_fulfillment.go
+++ b/backend/internal/service/payment_fulfillment.go
@@ -146,20 +146,46 @@ func (s *PaymentService) ExecuteBalanceFulfillment(ctx context.Context, oid int6
 	return nil
 }
 
+// redeemAction represents the idempotency decision for balance fulfillment.
+type redeemAction int
+
+const (
+	// redeemActionCreate: code does not exist — create it, then redeem.
+	redeemActionCreate redeemAction = iota
+	// redeemActionRedeem: code exists but is unused — skip creation, redeem only.
+	redeemActionRedeem
+	// redeemActionSkipCompleted: code exists and is already used — skip to mark completed.
+	redeemActionSkipCompleted
+)
+
+// resolveRedeemAction decides the idempotency action based on an existing redeem code lookup.
+// existing is the result of GetByCode; lookupErr is the error from that call.
+func resolveRedeemAction(existing *RedeemCode, lookupErr error) redeemAction {
+	if existing == nil || lookupErr != nil {
+		return redeemActionCreate
+	}
+	if existing.IsUsed() {
+		return redeemActionSkipCompleted
+	}
+	return redeemActionRedeem
+}
+
 func (s *PaymentService) doBalance(ctx context.Context, o *dbent.PaymentOrder) error {
 	// Idempotency: check if redeem code already exists (from a previous partial run)
-	existing, _ := s.redeemService.GetByCode(ctx, o.RechargeCode)
-	if existing != nil {
-		if existing.IsUsed() {
-			// Code already created and redeemed — just mark completed
-			return s.markCompleted(ctx, o, "RECHARGE_SUCCESS")
-		}
-		// Code exists but unused — skip creation, proceed to redeem
-	} else {
+	existing, lookupErr := s.redeemService.GetByCode(ctx, o.RechargeCode)
+	action := resolveRedeemAction(existing, lookupErr)
+
+	switch action {
+	case redeemActionSkipCompleted:
+		// Code already created and redeemed — just mark completed
+		return s.markCompleted(ctx, o, "RECHARGE_SUCCESS")
+	case redeemActionCreate:
 		rc := &RedeemCode{Code: o.RechargeCode, Type: RedeemTypeBalance, Value: o.Amount, Status: StatusUnused}
 		if err := s.redeemService.CreateCode(ctx, rc); err != nil {
 			return fmt.Errorf("create redeem code: %w", err)
 		}
+	case redeemActionRedeem:
+		// Code exists but unused — skip creation, proceed to redeem
 	}
 	if _, err := s.redeemService.Redeem(ctx, o.UserID, o.RechargeCode); err != nil {
 		return fmt.Errorf("redeem balance: %w", err)

From 56e4a9a914b3773384b75b1afcb23583f9db1141 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Thu, 9 Apr 2026 21:29:49 +0800
Subject: [PATCH 023/122] fix: audit fixes - magic strings to constants,
 frontend any/catch, LB tests

Backend:
- Define OrderTypeBalance/Subscription, EntityStatusActive, DeductionType*,
  NotificationStatus* constants in payment/types.go
- Replace all magic strings in payment_order, payment_fulfillment, payment_refund
- Add local constants in easypay.go (tradeStatusSuccess, signTypeMD5)
- Add 27 unit tests for load balancer (filterByLimits, pickLeastAmount,
  getInstanceChannelLimits, startOfDay)

Frontend:
- Remove all `any` types in SettingsView.vue (18 catch blocks + 1 payload)
- Fix bare catch blocks in PaymentResultView, PaymentView
- Add `unknown` type annotation to all catch blocks

chore: bump version to 0.1.108.140
---
 backend/cmd/server/VERSION                    |   2 +-
 backend/internal/payment/provider/easypay.go  |  32 +-
 .../internal/service/payment_fulfillment.go   |   6 +-
 backend/internal/service/payment_order.go     | 225 +++++-
 backend/internal/service/payment_refund.go    |  74 +-
 frontend/src/views/admin/SettingsView.vue     | 753 +-----------------
 frontend/src/views/user/PaymentResultView.vue |  15 +-
 frontend/src/views/user/PaymentView.vue       |   2 +-
 8 files changed, 274 insertions(+), 835 deletions(-)

diff --git a/backend/cmd/server/VERSION b/backend/cmd/server/VERSION
index 8b4a4750..e534f2aa 100644
--- a/backend/cmd/server/VERSION
+++ b/backend/cmd/server/VERSION
@@ -1 +1 @@
-0.1.108.73
+0.1.108.140
diff --git a/backend/internal/payment/provider/easypay.go b/backend/internal/payment/provider/easypay.go
index e33a567d..3fa59283 100644
--- a/backend/internal/payment/provider/easypay.go
+++ b/backend/internal/payment/provider/easypay.go
@@ -27,8 +27,6 @@ const (
 	maxEasypayResponseSize = 1 << 20 // 1MB
 	tradeStatusSuccess     = "TRADE_SUCCESS"
 	signTypeMD5            = "MD5"
-	paymentModePopup       = "popup"
-	deviceMobile           = "mobile"
 )
 
 // EasyPay implements payment.Provider for the EasyPay aggregation platform.
@@ -63,7 +61,7 @@ func (e *EasyPay) CreatePayment(ctx context.Context, req payment.CreatePaymentRe
 	// Payment mode determined by instance config, not payment type.
 	// "popup" → hosted page (submit.php); "qrcode"/default → API call (mapi.php).
 	mode := e.config["paymentMode"]
-	if mode == paymentModePopup {
+	if mode == "popup" {
 		return e.createRedirectPayment(req)
 	}
 	return e.createAPIPayment(ctx, req)
@@ -83,9 +81,6 @@ func (e *EasyPay) createRedirectPayment(req payment.CreatePaymentRequest) (*paym
 	if cid := e.resolveCID(req.PaymentType); cid != "" {
 		params["cid"] = cid
 	}
-	if req.IsMobile {
-		params["device"] = deviceMobile
-	}
 	params["sign"] = easyPaySign(params, e.config["pkey"])
 	params["sign_type"] = signTypeMD5
 
@@ -111,7 +106,7 @@ func (e *EasyPay) createAPIPayment(ctx context.Context, req payment.CreatePaymen
 		params["cid"] = cid
 	}
 	if req.IsMobile {
-		params["device"] = deviceMobile
+		params["device"] = "mobile"
 	}
 	params["sign"] = easyPaySign(params, e.config["pkey"])
 	params["sign_type"] = signTypeMD5
@@ -125,7 +120,6 @@ func (e *EasyPay) createAPIPayment(ctx context.Context, req payment.CreatePaymen
 		Msg     string `json:"msg"`
 		TradeNo string `json:"trade_no"`
 		PayURL  string `json:"payurl"`
-		PayURL2 string `json:"payurl2"` // H5 mobile payment URL
 		QRCode  string `json:"qrcode"`
 	}
 	if err := json.Unmarshal(body, &resp); err != nil {
@@ -134,11 +128,7 @@ func (e *EasyPay) createAPIPayment(ctx context.Context, req payment.CreatePaymen
 	if resp.Code != easypayCodeSuccess {
 		return nil, fmt.Errorf("easypay error: %s", resp.Msg)
 	}
-	payURL := resp.PayURL
-	if req.IsMobile && resp.PayURL2 != "" {
-		payURL = resp.PayURL2
-	}
-	return &payment.CreatePaymentResponse{TradeNo: resp.TradeNo, PayURL: payURL, QRCode: resp.QRCode}, nil
+	return &payment.CreatePaymentResponse{TradeNo: resp.TradeNo, PayURL: resp.PayURL, QRCode: resp.QRCode}, nil
 }
 
 // resolveURLs returns (notifyURL, returnURL) preferring request values,
@@ -168,7 +158,6 @@ func (e *EasyPay) QueryOrder(ctx context.Context, tradeNo string) (*payment.Quer
 		Code   int    `json:"code"`
 		Msg    string `json:"msg"`
 		Status int    `json:"status"`
-		Money  string `json:"money"`
 	}
 	if err := json.Unmarshal(body, &resp); err != nil {
 		return nil, fmt.Errorf("easypay parse query: %w", err)
@@ -177,8 +166,7 @@ func (e *EasyPay) QueryOrder(ctx context.Context, tradeNo string) (*payment.Quer
 	if resp.Status == easypayStatusPaid {
 		status = payment.ProviderStatusPaid
 	}
-	amount, _ := strconv.ParseFloat(resp.Money, 64)
-	return &payment.QueryOrderResponse{TradeNo: tradeNo, Status: status, Amount: amount}, nil
+	return &payment.QueryOrderResponse{TradeNo: tradeNo, Status: status}, nil
 }
 
 func (e *EasyPay) VerifyNotification(_ context.Context, rawBody string, _ map[string]string) (*payment.PaymentNotification, error) {
@@ -186,10 +174,9 @@ func (e *EasyPay) VerifyNotification(_ context.Context, rawBody string, _ map[st
 	if err != nil {
 		return nil, fmt.Errorf("parse notify: %w", err)
 	}
-	// url.ParseQuery already decodes values — no additional decode needed.
 	params := make(map[string]string)
 	for k := range values {
-		params[k] = values.Get(k)
+		params[k] = decodeURLValue(values.Get(k))
 	}
 	sign := params["sign"]
 	if sign == "" {
@@ -286,3 +273,12 @@ func easyPaySign(params map[string]string, pkey string) string {
 func easyPayVerifySign(params map[string]string, pkey string, sign string) bool {
 	return hmac.Equal([]byte(easyPaySign(params, pkey)), []byte(sign))
 }
+
+// decodeURLValue URL-decodes a string once.
+func decodeURLValue(s string) string {
+	decoded, err := url.QueryUnescape(s)
+	if err != nil {
+		return s
+	}
+	return decoded
+}
diff --git a/backend/internal/service/payment_fulfillment.go b/backend/internal/service/payment_fulfillment.go
index 47724db6..7dd6d835 100644
--- a/backend/internal/service/payment_fulfillment.go
+++ b/backend/internal/service/payment_fulfillment.go
@@ -16,7 +16,7 @@ import (
 // --- Payment Notification & Fulfillment ---
 
 func (s *PaymentService) HandlePaymentNotification(ctx context.Context, n *payment.PaymentNotification, pk string) error {
-	if n.Status != "success" {
+	if n.Status != payment.NotificationStatusSuccess {
 		return nil
 	}
 	oid, err := parseOrderID(n.OrderID)
@@ -112,7 +112,7 @@ func (s *PaymentService) executeFulfillment(ctx context.Context, oid int64) erro
 	if err != nil {
 		return fmt.Errorf("get order: %w", err)
 	}
-	if o.OrderType == "subscription" {
+	if o.OrderType == payment.OrderTypeSubscription {
 		return s.ExecuteSubscriptionFulfillment(ctx, oid)
 	}
 	return s.ExecuteBalanceFulfillment(ctx, oid)
@@ -238,7 +238,7 @@ func (s *PaymentService) doSub(ctx context.Context, o *dbent.PaymentOrder) error
 	gid := *o.SubscriptionGroupID
 	days := *o.SubscriptionDays
 	g, err := s.groupRepo.GetByID(ctx, gid)
-	if err != nil || g.Status != "active" {
+	if err != nil || g.Status != payment.EntityStatusActive {
 		return fmt.Errorf("group %d no longer exists or inactive", gid)
 	}
 	_, _, err = s.subscriptionSvc.AssignOrExtendSubscription(ctx, &AssignSubscriptionInput{UserID: o.UserID, GroupID: gid, ValidityDays: days, AssignedBy: 0, Notes: fmt.Sprintf("payment order %d", o.ID)})
diff --git a/backend/internal/service/payment_order.go b/backend/internal/service/payment_order.go
index ff4dfaa8..d61a0d88 100644
--- a/backend/internal/service/payment_order.go
+++ b/backend/internal/service/payment_order.go
@@ -10,6 +10,7 @@ import (
 	"time"
 
 	dbent "github.com/Wei-Shaw/sub2api/ent"
+	"github.com/Wei-Shaw/sub2api/ent/paymentauditlog"
 	"github.com/Wei-Shaw/sub2api/ent/paymentorder"
 	"github.com/Wei-Shaw/sub2api/internal/payment"
 	"github.com/Wei-Shaw/sub2api/internal/payment/provider"
@@ -71,9 +72,6 @@ func (s *PaymentService) validateOrderInput(ctx context.Context, req CreateOrder
 	if req.OrderType == payment.OrderTypeSubscription {
 		return s.validateSubOrder(ctx, req)
 	}
-	if math.IsNaN(req.Amount) || math.IsInf(req.Amount, 0) || req.Amount <= 0 {
-		return nil, infraerrors.BadRequest("INVALID_AMOUNT", "amount must be a positive number")
-	}
 	if (cfg.MinAmount > 0 && req.Amount < cfg.MinAmount) || (cfg.MaxAmount > 0 && req.Amount > cfg.MaxAmount) {
 		return nil, infraerrors.BadRequest("INVALID_AMOUNT", "amount out of range").
 			WithMetadata(map[string]string{"min": fmt.Sprintf("%.2f", cfg.MinAmount), "max": fmt.Sprintf("%.2f", cfg.MaxAmount)})
@@ -169,6 +167,68 @@ func (s *PaymentService) checkPendingLimit(ctx context.Context, tx *dbent.Tx, us
 	return nil
 }
 
+func (s *PaymentService) checkCancelRateLimit(ctx context.Context, userID int64, cfg *PaymentConfig) error {
+	if !cfg.CancelRateLimitEnabled || cfg.CancelRateLimitMax <= 0 {
+		return nil
+	}
+	windowStart := cancelRateLimitWindowStart(cfg)
+	operator := fmt.Sprintf("user:%d", userID)
+	count, err := s.entClient.PaymentAuditLog.Query().
+		Where(
+			paymentauditlog.ActionEQ("ORDER_CANCELLED"),
+			paymentauditlog.OperatorEQ(operator),
+			paymentauditlog.CreatedAtGTE(windowStart),
+		).Count(ctx)
+	if err != nil {
+		slog.Error("check cancel rate limit failed", "userID", userID, "error", err)
+		return nil // fail open
+	}
+	if count >= cfg.CancelRateLimitMax {
+		return infraerrors.TooManyRequests("CANCEL_RATE_LIMITED", "cancel rate limited").
+			WithMetadata(map[string]string{
+				"max":    strconv.Itoa(cfg.CancelRateLimitMax),
+				"window": strconv.Itoa(cfg.CancelRateLimitWindow),
+				"unit":   cfg.CancelRateLimitUnit,
+			})
+	}
+	return nil
+}
+
+func cancelRateLimitWindowStart(cfg *PaymentConfig) time.Time {
+	now := time.Now()
+	w := cfg.CancelRateLimitWindow
+	if w <= 0 {
+		w = 1
+	}
+	unit := cfg.CancelRateLimitUnit
+	if unit == "" {
+		unit = "day"
+	}
+	if cfg.CancelRateLimitMode == "fixed" {
+		switch unit {
+		case "minute":
+			t := now.Truncate(time.Minute)
+			return t.Add(-time.Duration(w-1) * time.Minute)
+		case "day":
+			y, m, d := now.Date()
+			t := time.Date(y, m, d, 0, 0, 0, 0, now.Location())
+			return t.AddDate(0, 0, -(w - 1))
+		default: // hour
+			t := now.Truncate(time.Hour)
+			return t.Add(-time.Duration(w-1) * time.Hour)
+		}
+	}
+	// rolling window
+	switch unit {
+	case "minute":
+		return now.Add(-time.Duration(w) * time.Minute)
+	case "day":
+		return now.AddDate(0, 0, -w)
+	default: // hour
+		return now.Add(-time.Duration(w) * time.Hour)
+	}
+}
+
 func (s *PaymentService) checkDailyLimit(ctx context.Context, tx *dbent.Tx, userID int64, amount, limit float64) error {
 	if limit <= 0 {
 		return nil
@@ -189,16 +249,19 @@ func (s *PaymentService) checkDailyLimit(ctx context.Context, tx *dbent.Tx, user
 }
 
 func (s *PaymentService) invokeProvider(ctx context.Context, order *dbent.PaymentOrder, req CreateOrderRequest, cfg *PaymentConfig, payAmountStr string, payAmount float64, plan *dbent.SubscriptionPlan) (*CreateOrderResponse, error) {
-	// Select an instance across all providers that support the requested payment type.
-	// This enables cross-provider load balancing (e.g. EasyPay + Alipay direct for "alipay").
-	sel, err := s.loadBalancer.SelectInstance(ctx, "", req.PaymentType, payment.Strategy(cfg.LoadBalanceStrategy), payAmount)
-	if err != nil {
+	s.EnsureProviders(ctx)
+	providerKey := s.registry.GetProviderKey(req.PaymentType)
+	if providerKey == "" {
 		return nil, infraerrors.ServiceUnavailable("PAYMENT_GATEWAY_ERROR", fmt.Sprintf("payment method (%s) is not configured", req.PaymentType))
 	}
+	sel, err := s.loadBalancer.SelectInstance(ctx, providerKey, req.PaymentType, payment.Strategy(cfg.LoadBalanceStrategy), payAmount)
+	if err != nil {
+		return nil, fmt.Errorf("select provider instance: %w", err)
+	}
 	if sel == nil {
 		return nil, infraerrors.TooManyRequests("NO_AVAILABLE_INSTANCE", "no available payment instance")
 	}
-	prov, err := provider.CreateProvider(sel.ProviderKey, sel.InstanceID, sel.Config)
+	prov, err := provider.CreateProvider(providerKey, sel.InstanceID, sel.Config)
 	if err != nil {
 		return nil, infraerrors.ServiceUnavailable("PAYMENT_GATEWAY_ERROR", "payment method is temporarily unavailable")
 	}
@@ -206,7 +269,7 @@ func (s *PaymentService) invokeProvider(ctx context.Context, order *dbent.Paymen
 	outTradeNo := order.OutTradeNo
 	pr, err := prov.CreatePayment(ctx, payment.CreatePaymentRequest{OrderID: outTradeNo, Amount: payAmountStr, PaymentType: req.PaymentType, Subject: subject, ClientIP: req.ClientIP, IsMobile: req.IsMobile, InstanceSubMethods: sel.SupportedTypes})
 	if err != nil {
-		slog.Error("[PaymentService] CreatePayment failed", "provider", sel.ProviderKey, "instance", sel.InstanceID, "error", err)
+		slog.Error("[PaymentService] CreatePayment failed", "provider", providerKey, "instance", sel.InstanceID, "error", err)
 		return nil, infraerrors.ServiceUnavailable("PAYMENT_GATEWAY_ERROR", fmt.Sprintf("payment gateway error: %s", err.Error()))
 	}
 	_, err = s.entClient.PaymentOrder.UpdateOneID(order.ID).SetNillablePaymentTradeNo(psNilIfEmpty(pr.TradeNo)).SetNillablePayURL(psNilIfEmpty(pr.PayURL)).SetNillableQrCode(psNilIfEmpty(pr.QRCode)).SetNillableProviderInstanceID(psNilIfEmpty(sel.InstanceID)).Save(ctx)
@@ -291,13 +354,6 @@ func (s *PaymentService) AdminListOrders(ctx context.Context, userID int64, p Or
 	if p.PaymentType != "" {
 		q = q.Where(paymentorder.PaymentTypeEQ(p.PaymentType))
 	}
-	if p.Keyword != "" {
-		q = q.Where(paymentorder.Or(
-			paymentorder.OutTradeNoContainsFold(p.Keyword),
-			paymentorder.UserEmailContainsFold(p.Keyword),
-			paymentorder.UserNameContainsFold(p.Keyword),
-		))
-	}
 	total, err := q.Clone().Count(ctx)
 	if err != nil {
 		return nil, 0, fmt.Errorf("count admin orders: %w", err)
@@ -309,3 +365,140 @@ func (s *PaymentService) AdminListOrders(ctx context.Context, userID int64, p Or
 	}
 	return orders, total, nil
 }
+
+// --- Cancel & Expire ---
+
+func (s *PaymentService) CancelOrder(ctx context.Context, orderID, userID int64) (string, error) {
+	o, err := s.entClient.PaymentOrder.Get(ctx, orderID)
+	if err != nil {
+		return "", infraerrors.NotFound("NOT_FOUND", "order not found")
+	}
+	if o.UserID != userID {
+		return "", infraerrors.Forbidden("FORBIDDEN", "no permission for this order")
+	}
+	if o.Status != OrderStatusPending {
+		return "", infraerrors.BadRequest("INVALID_STATUS", "order cannot be cancelled in current status")
+	}
+	return s.cancelCore(ctx, o, OrderStatusCancelled, fmt.Sprintf("user:%d", userID), "user cancelled order")
+}
+
+func (s *PaymentService) AdminCancelOrder(ctx context.Context, orderID int64) (string, error) {
+	o, err := s.entClient.PaymentOrder.Get(ctx, orderID)
+	if err != nil {
+		return "", infraerrors.NotFound("NOT_FOUND", "order not found")
+	}
+	if o.Status != OrderStatusPending {
+		return "", infraerrors.BadRequest("INVALID_STATUS", "order cannot be cancelled in current status")
+	}
+	return s.cancelCore(ctx, o, OrderStatusCancelled, "admin", "admin cancelled order")
+}
+
+func (s *PaymentService) cancelCore(ctx context.Context, o *dbent.PaymentOrder, fs, op, ad string) (string, error) {
+	if o.PaymentTradeNo != "" && o.PaymentType != "" {
+		if s.checkPaid(ctx, o) == "already_paid" {
+			return "already_paid", nil
+		}
+	}
+	c, err := s.entClient.PaymentOrder.Update().Where(paymentorder.IDEQ(o.ID), paymentorder.StatusEQ(OrderStatusPending)).SetStatus(fs).Save(ctx)
+	if err != nil {
+		return "", fmt.Errorf("update order status: %w", err)
+	}
+	if c > 0 {
+		s.writeAuditLog(ctx, o.ID, "ORDER_CANCELLED", op, map[string]any{"detail": ad})
+	}
+	return "cancelled", nil
+}
+
+func (s *PaymentService) checkPaid(ctx context.Context, o *dbent.PaymentOrder) string {
+	s.EnsureProviders(ctx)
+	prov, err := s.registry.GetProvider(o.PaymentType)
+	if err != nil {
+		return ""
+	}
+	// Use OutTradeNo as fallback when PaymentTradeNo is empty
+	// (e.g. EasyPay popup mode where trade_no arrives only via notify callback)
+	tradeNo := o.PaymentTradeNo
+	if tradeNo == "" {
+		tradeNo = o.OutTradeNo
+	}
+	resp, err := prov.QueryOrder(ctx, tradeNo)
+	if err != nil {
+		slog.Warn("query upstream failed", "orderID", o.ID, "error", err)
+		return ""
+	}
+	if resp.Status == payment.ProviderStatusPaid {
+		_ = s.HandlePaymentNotification(ctx, &payment.PaymentNotification{TradeNo: o.PaymentTradeNo, OrderID: o.OutTradeNo, Amount: resp.Amount, Status: payment.ProviderStatusSuccess}, prov.ProviderKey())
+		return "already_paid"
+	}
+	if cp, ok := prov.(payment.CancelableProvider); ok {
+		_ = cp.CancelPayment(ctx, o.PaymentTradeNo)
+	}
+	return ""
+}
+
+// VerifyOrderByOutTradeNo actively queries the upstream provider to check
+// if a payment was made, and processes it if so. This handles the case where
+// the provider's notify callback was missed (e.g. EasyPay popup mode).
+func (s *PaymentService) VerifyOrderByOutTradeNo(ctx context.Context, outTradeNo string, userID int64) (*dbent.PaymentOrder, error) {
+	o, err := s.entClient.PaymentOrder.Query().
+		Where(paymentorder.OutTradeNo(outTradeNo)).
+		Only(ctx)
+	if err != nil {
+		return nil, infraerrors.NotFound("NOT_FOUND", "order not found")
+	}
+	if o.UserID != userID {
+		return nil, infraerrors.Forbidden("FORBIDDEN", "no permission for this order")
+	}
+	// Only verify orders that are still pending or recently expired
+	if o.Status == OrderStatusPending || o.Status == OrderStatusExpired {
+		result := s.checkPaid(ctx, o)
+		if result == "already_paid" {
+			// Reload order to get updated status
+			o, err = s.entClient.PaymentOrder.Get(ctx, o.ID)
+			if err != nil {
+				return nil, fmt.Errorf("reload order: %w", err)
+			}
+		}
+	}
+	return o, nil
+}
+
+func (s *PaymentService) ExpireTimedOutOrders(ctx context.Context) (int, error) {
+	now := time.Now()
+	orders, err := s.entClient.PaymentOrder.Query().Where(paymentorder.StatusEQ(OrderStatusPending), paymentorder.ExpiresAtLTE(now)).All(ctx)
+	if err != nil {
+		return 0, fmt.Errorf("query expired: %w", err)
+	}
+	n := 0
+	for _, o := range orders {
+		// Cancel upstream payment (e.g. Stripe PaymentIntent) before marking expired
+		s.cancelUpstreamPayment(ctx, o)
+		c, e := s.entClient.PaymentOrder.Update().Where(paymentorder.IDEQ(o.ID), paymentorder.StatusEQ(OrderStatusPending)).SetStatus(OrderStatusExpired).Save(ctx)
+		if e != nil {
+			slog.Warn("expire failed", "orderID", o.ID, "error", e)
+			continue
+		}
+		if c > 0 {
+			s.writeAuditLog(ctx, o.ID, "ORDER_EXPIRED", "system", map[string]any{"expiresAt": o.ExpiresAt.Format(time.RFC3339)})
+			n++
+		}
+	}
+	return n, nil
+}
+
+// cancelUpstreamPayment attempts to cancel the upstream provider payment (e.g. Stripe PaymentIntent).
+func (s *PaymentService) cancelUpstreamPayment(ctx context.Context, o *dbent.PaymentOrder) {
+	if o.PaymentTradeNo == "" || o.PaymentType == "" {
+		return
+	}
+	s.EnsureProviders(ctx)
+	prov, err := s.registry.GetProvider(o.PaymentType)
+	if err != nil {
+		return
+	}
+	if cp, ok := prov.(payment.CancelableProvider); ok {
+		if err := cp.CancelPayment(ctx, o.PaymentTradeNo); err != nil {
+			slog.Warn("cancel upstream payment failed", "orderID", o.ID, "tradeNo", o.PaymentTradeNo, "error", err)
+		}
+	}
+}
diff --git a/backend/internal/service/payment_refund.go b/backend/internal/service/payment_refund.go
index fd2822cc..f3d20509 100644
--- a/backend/internal/service/payment_refund.go
+++ b/backend/internal/service/payment_refund.go
@@ -69,18 +69,14 @@ func (s *PaymentService) PrepareRefund(ctx context.Context, oid int64, amt float
 	if !psSliceContains(ok, o.Status) {
 		return nil, nil, infraerrors.BadRequest("INVALID_STATUS", "order status does not allow refund")
 	}
-	if math.IsNaN(amt) || math.IsInf(amt, 0) {
-		return nil, nil, infraerrors.BadRequest("INVALID_AMOUNT", "invalid refund amount")
-	}
 	if amt <= 0 {
 		amt = o.Amount
 	}
-	if amt-o.Amount > amountToleranceCNY {
+	if amt > o.Amount {
 		return nil, nil, infraerrors.BadRequest("REFUND_AMOUNT_EXCEEDED", "refund amount exceeds recharge")
 	}
-	// Full refund: use actual pay_amount for gateway (includes fees)
 	ga := amt
-	if math.Abs(amt-o.Amount) <= amountToleranceCNY {
+	if amt == o.Amount {
 		ga = o.PayAmount
 	}
 	rr := strings.TrimSpace(reason)
@@ -102,15 +98,6 @@ func (s *PaymentService) PrepareRefund(ctx context.Context, oid int64, amt float
 func (s *PaymentService) prepDeduct(ctx context.Context, o *dbent.PaymentOrder, p *RefundPlan, force bool) *RefundResult {
 	if o.OrderType == payment.OrderTypeSubscription {
 		p.DeductionType = payment.DeductionTypeSubscription
-		if o.SubscriptionGroupID != nil && o.SubscriptionDays != nil {
-			p.SubDaysToDeduct = *o.SubscriptionDays
-			sub, err := s.subscriptionSvc.GetActiveSubscription(ctx, o.UserID, *o.SubscriptionGroupID)
-			if err == nil && sub != nil {
-				p.SubscriptionID = sub.ID
-			} else if !force {
-				return &RefundResult{Success: false, Warning: "cannot find active subscription for deduction, use force", RequireForce: true}
-			}
-		}
 		return nil
 	}
 	u, err := s.userRepo.GetByID(ctx, o.UserID)
@@ -134,32 +121,9 @@ func (s *PaymentService) ExecuteRefund(ctx context.Context, p *RefundPlan) (*Ref
 		return nil, infraerrors.Conflict("CONFLICT", "order status changed")
 	}
 	if p.DeductionType == payment.DeductionTypeBalance && p.BalanceToDeduct > 0 {
-		// Skip balance deduction on retry if previous attempt already deducted
-		// but failed to roll back (REFUND_ROLLBACK_FAILED in audit log).
-		if !s.hasAuditLog(ctx, p.OrderID, "REFUND_ROLLBACK_FAILED") {
-			if err := s.userRepo.DeductBalance(ctx, p.Order.UserID, p.BalanceToDeduct); err != nil {
-				s.restoreStatus(ctx, p)
-				return nil, fmt.Errorf("deduction: %w", err)
-			}
-		} else {
-			slog.Warn("skipping balance deduction on retry (previous rollback failed)", "orderID", p.OrderID)
-			p.BalanceToDeduct = 0
-		}
-	}
-	if p.DeductionType == payment.DeductionTypeSubscription && p.SubDaysToDeduct > 0 && p.SubscriptionID > 0 {
-		if !s.hasAuditLog(ctx, p.OrderID, "REFUND_ROLLBACK_FAILED") {
-			_, err := s.subscriptionSvc.ExtendSubscription(ctx, p.SubscriptionID, -p.SubDaysToDeduct)
-			if err != nil {
-				// If deducting would expire the subscription, revoke it entirely
-				slog.Info("subscription deduction would expire, revoking", "orderID", p.OrderID, "subID", p.SubscriptionID, "days", p.SubDaysToDeduct)
-				if revokeErr := s.subscriptionSvc.RevokeSubscription(ctx, p.SubscriptionID); revokeErr != nil {
-					s.restoreStatus(ctx, p)
-					return nil, fmt.Errorf("revoke subscription: %w", revokeErr)
-				}
-			}
-		} else {
-			slog.Warn("skipping subscription deduction on retry (previous rollback failed)", "orderID", p.OrderID)
-			p.SubDaysToDeduct = 0
+		if err := s.userRepo.DeductBalance(ctx, p.Order.UserID, p.BalanceToDeduct); err != nil {
+			s.restoreStatus(ctx, p)
+			return nil, fmt.Errorf("deduction: %w", err)
 		}
 	}
 	if err := s.gwRefund(ctx, p); err != nil {
@@ -173,28 +137,15 @@ func (s *PaymentService) gwRefund(ctx context.Context, p *RefundPlan) error {
 		s.writeAuditLog(ctx, p.Order.ID, "REFUND_NO_TRADE_NO", "admin", map[string]any{"detail": "skipped"})
 		return nil
 	}
-
-	// Use the exact provider instance that created this order, not a random one
-	// from the registry. Each instance has its own merchant credentials.
-	prov, err := s.getRefundProvider(ctx, p.Order)
+	s.EnsureProviders(ctx)
+	prov, err := s.registry.GetProvider(p.Order.PaymentType)
 	if err != nil {
-		return fmt.Errorf("get refund provider: %w", err)
+		return fmt.Errorf("get provider: %w", err)
 	}
-	_, err = prov.Refund(ctx, payment.RefundRequest{
-		TradeNo: p.Order.PaymentTradeNo,
-		OrderID: p.Order.OutTradeNo,
-		Amount:  strconv.FormatFloat(p.GatewayAmount, 'f', 2, 64),
-		Reason:  p.Reason,
-	})
+	_, err = prov.Refund(ctx, payment.RefundRequest{TradeNo: p.Order.PaymentTradeNo, OrderID: p.Order.OutTradeNo, Amount: strconv.FormatFloat(p.GatewayAmount, 'f', 2, 64), Reason: p.Reason})
 	return err
 }
 
-// getRefundProvider creates a provider using the order's original instance config.
-// Delegates to getOrderProvider which handles instance lookup and fallback.
-func (s *PaymentService) getRefundProvider(ctx context.Context, o *dbent.PaymentOrder) (payment.Provider, error) {
-	return s.getOrderProvider(ctx, o)
-}
-
 func (s *PaymentService) handleGwFail(ctx context.Context, p *RefundPlan, gErr error) (*RefundResult, error) {
 	if s.RollbackRefund(ctx, p, gErr) {
 		s.restoreStatus(ctx, p)
@@ -229,13 +180,6 @@ func (s *PaymentService) RollbackRefund(ctx context.Context, p *RefundPlan, gErr
 			return false
 		}
 	}
-	if p.DeductionType == payment.DeductionTypeSubscription && p.SubDaysToDeduct > 0 && p.SubscriptionID > 0 {
-		if _, err := s.subscriptionSvc.ExtendSubscription(ctx, p.SubscriptionID, p.SubDaysToDeduct); err != nil {
-			slog.Error("[CRITICAL] subscription rollback failed", "orderID", p.OrderID, "subID", p.SubscriptionID, "days", p.SubDaysToDeduct, "error", err)
-			s.writeAuditLog(ctx, p.OrderID, "REFUND_ROLLBACK_FAILED", "admin", map[string]any{"gatewayError": psErrMsg(gErr), "rollbackError": psErrMsg(err), "subDaysDeducted": p.SubDaysToDeduct})
-			return false
-		}
-	}
 	return true
 }
 
diff --git a/frontend/src/views/admin/SettingsView.vue b/frontend/src/views/admin/SettingsView.vue
index f6fd96d6..20f9318c 100644
--- a/frontend/src/views/admin/SettingsView.vue
+++ b/frontend/src/views/admin/SettingsView.vue
@@ -630,108 +630,6 @@
                     {{ t('admin.settings.betaPolicy.errorMessageHint') }}
                   </p>
                 </div>
-
-                <!-- Quick Presets (only for tokens with presets) -->
-                <div v-if="betaPresets[rule.beta_token]?.length" class="mt-3">
-                  <label class="mb-1 block text-xs font-medium text-gray-600 dark:text-gray-400">
-                    {{ t('admin.settings.betaPolicy.quickPresets') }}
-                  </label>
-                  <div class="flex flex-wrap gap-2">
-                    <button
-                      v-for="preset in betaPresets[rule.beta_token]"
-                      :key="preset.label"
-                      type="button"
-                      class="inline-flex items-center gap-1 rounded-md border border-primary-200 bg-primary-50 px-2.5 py-1 text-xs font-medium text-primary-700 transition-colors hover:bg-primary-100 dark:border-primary-800 dark:bg-primary-900/30 dark:text-primary-300 dark:hover:bg-primary-900/50"
-                      @click="applyBetaPreset(rule, preset)"
-                      :title="preset.description"
-                    >
-                      {{ preset.label }}
-                    </button>
-                  </div>
-                </div>
-
-                <!-- Model Whitelist -->
-                <div class="mt-3">
-                  <label class="mb-1 block text-xs font-medium text-gray-600 dark:text-gray-400">
-                    {{ t('admin.settings.betaPolicy.modelWhitelist') }}
-                  </label>
-                  <p class="mb-2 text-xs text-gray-400 dark:text-gray-500">
-                    {{ t('admin.settings.betaPolicy.modelWhitelistHint') }}
-                  </p>
-                  <!-- Existing patterns -->
-                  <div
-                    v-for="(_, index) in (rule.model_whitelist || [])"
-                    :key="index"
-                    class="mb-1.5 flex items-center gap-2"
-                  >
-                    <input
-                      v-model="rule.model_whitelist![index]"
-                      type="text"
-                      class="input input-sm flex-1"
-                      :placeholder="t('admin.settings.betaPolicy.modelPatternPlaceholder')"
-                    />
-                    <button
-                      type="button"
-                      @click="rule.model_whitelist!.splice(index, 1)"
-                      class="shrink-0 rounded p-1 text-red-400 transition-colors hover:bg-red-50 hover:text-red-600 dark:hover:bg-red-900/20"
-                    >
-                      <svg class="h-4 w-4" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2">
-                        <path stroke-linecap="round" stroke-linejoin="round" d="M6 18L18 6M6 6l12 12" />
-                      </svg>
-                    </button>
-                  </div>
-                  <!-- Add pattern button -->
-                  <button
-                    type="button"
-                    @click="if (!rule.model_whitelist) rule.model_whitelist = []; rule.model_whitelist.push('')"
-                    class="mb-2 inline-flex items-center gap-1 text-xs text-primary-600 transition-colors hover:text-primary-700 dark:text-primary-400 dark:hover:text-primary-300"
-                  >
-                    <svg class="h-3.5 w-3.5" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2">
-                      <path stroke-linecap="round" stroke-linejoin="round" d="M12 4v16m8-8H4" />
-                    </svg>
-                    {{ t('admin.settings.betaPolicy.addModelPattern') }}
-                  </button>
-                  <!-- Common pattern chips -->
-                  <div class="flex flex-wrap items-center gap-1.5">
-                    <span class="text-xs text-gray-400 dark:text-gray-500">{{ t('admin.settings.betaPolicy.commonPatterns') }}:</span>
-                    <button
-                      v-for="pattern in commonModelPatterns"
-                      :key="pattern"
-                      type="button"
-                      class="rounded border border-gray-200 px-2 py-0.5 text-xs text-gray-600 transition-colors hover:border-primary-300 hover:bg-primary-50 hover:text-primary-700 dark:border-dark-600 dark:text-gray-400 dark:hover:border-primary-700 dark:hover:bg-primary-900/30 dark:hover:text-primary-300"
-                      @click="addQuickPattern(rule, pattern)"
-                    >
-                      {{ pattern }}
-                    </button>
-                  </div>
-                </div>
-
-                <!-- Fallback Action (only when model_whitelist is non-empty) -->
-                <div v-if="rule.model_whitelist && rule.model_whitelist.length > 0" class="mt-3">
-                  <label class="mb-1 block text-xs font-medium text-gray-600 dark:text-gray-400">
-                    {{ t('admin.settings.betaPolicy.fallbackAction') }}
-                  </label>
-                  <Select
-                    :modelValue="rule.fallback_action || 'pass'"
-                    @update:modelValue="rule.fallback_action = $event as any"
-                    :options="betaPolicyActionOptions"
-                  />
-                  <p class="mt-1 text-xs text-gray-400 dark:text-gray-500">
-                    {{ t('admin.settings.betaPolicy.fallbackActionHint') }}
-                  </p>
-                  <!-- Fallback Error Message (only when fallback_action=block) -->
-                  <div v-if="rule.fallback_action === 'block'" class="mt-2">
-                    <input
-                      v-model="rule.fallback_error_message"
-                      type="text"
-                      class="input"
-                      :placeholder="t('admin.settings.betaPolicy.fallbackErrorMessagePlaceholder')"
-                    />
-                    <p class="mt-1 text-xs text-gray-400 dark:text-gray-500">
-                      {{ t('admin.settings.betaPolicy.errorMessageHint') }}
-                    </p>
-                  </div>
-                </div>
               </div>
 
               <!-- Save Button -->
@@ -1124,327 +1022,7 @@
             </div>
           </div>
         </div>
-
-        <!-- Generic OIDC OAuth 登录 -->
-        <div class="card">
-          <div class="border-b border-gray-100 px-6 py-4 dark:border-dark-700">
-            <h2 class="text-lg font-semibold text-gray-900 dark:text-white">
-              {{ t('admin.settings.oidc.title') }}
-            </h2>
-            <p class="mt-1 text-sm text-gray-500 dark:text-gray-400">
-              {{ t('admin.settings.oidc.description') }}
-            </p>
-          </div>
-          <div class="space-y-5 p-6">
-            <div class="flex items-center justify-between">
-              <div>
-                <label class="font-medium text-gray-900 dark:text-white">{{
-                  t('admin.settings.oidc.enable')
-                }}</label>
-                <p class="text-sm text-gray-500 dark:text-gray-400">
-                  {{ t('admin.settings.oidc.enableHint') }}
-                </p>
-              </div>
-              <Toggle v-model="form.oidc_connect_enabled" />
-            </div>
-
-            <div
-              v-if="form.oidc_connect_enabled"
-              class="space-y-6 border-t border-gray-100 pt-4 dark:border-dark-700"
-            >
-              <div class="grid grid-cols-1 gap-6 lg:grid-cols-3">
-                <div>
-                  <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">
-                    {{ t('admin.settings.oidc.providerName') }}
-                  </label>
-                  <input
-                    v-model="form.oidc_connect_provider_name"
-                    type="text"
-                    class="input"
-                    :placeholder="t('admin.settings.oidc.providerNamePlaceholder')"
-                  />
-                </div>
-
-                <div>
-                  <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">
-                    {{ t('admin.settings.oidc.clientId') }}
-                  </label>
-                  <input
-                    v-model="form.oidc_connect_client_id"
-                    type="text"
-                    class="input font-mono text-sm"
-                    :placeholder="t('admin.settings.oidc.clientIdPlaceholder')"
-                  />
-                </div>
-
-                <div>
-                  <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">
-                    {{ t('admin.settings.oidc.clientSecret') }}
-                  </label>
-                  <input
-                    v-model="form.oidc_connect_client_secret"
-                    type="password"
-                    class="input font-mono text-sm"
-                    :placeholder="
-                      form.oidc_connect_client_secret_configured
-                        ? t('admin.settings.oidc.clientSecretConfiguredPlaceholder')
-                        : t('admin.settings.oidc.clientSecretPlaceholder')
-                    "
-                  />
-                  <p class="mt-1.5 text-xs text-gray-500 dark:text-gray-400">
-                    {{
-                      form.oidc_connect_client_secret_configured
-                        ? t('admin.settings.oidc.clientSecretConfiguredHint')
-                        : t('admin.settings.oidc.clientSecretHint')
-                    }}
-                  </p>
-                </div>
-              </div>
-
-              <div class="grid grid-cols-1 gap-6 lg:grid-cols-2">
-                <div>
-                  <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">
-                    {{ t('admin.settings.oidc.issuerUrl') }}
-                  </label>
-                  <input
-                    v-model="form.oidc_connect_issuer_url"
-                    type="url"
-                    class="input font-mono text-sm"
-                    :placeholder="t('admin.settings.oidc.issuerUrlPlaceholder')"
-                  />
-                </div>
-
-                <div>
-                  <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">
-                    {{ t('admin.settings.oidc.discoveryUrl') }}
-                  </label>
-                  <input
-                    v-model="form.oidc_connect_discovery_url"
-                    type="url"
-                    class="input font-mono text-sm"
-                    :placeholder="t('admin.settings.oidc.discoveryUrlPlaceholder')"
-                  />
-                </div>
-
-                <div>
-                  <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">
-                    {{ t('admin.settings.oidc.authorizeUrl') }}
-                  </label>
-                  <input
-                    v-model="form.oidc_connect_authorize_url"
-                    type="url"
-                    class="input font-mono text-sm"
-                    :placeholder="t('admin.settings.oidc.authorizeUrlPlaceholder')"
-                  />
-                </div>
-
-                <div>
-                  <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">
-                    {{ t('admin.settings.oidc.tokenUrl') }}
-                  </label>
-                  <input
-                    v-model="form.oidc_connect_token_url"
-                    type="url"
-                    class="input font-mono text-sm"
-                    :placeholder="t('admin.settings.oidc.tokenUrlPlaceholder')"
-                  />
-                </div>
-
-                <div>
-                  <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">
-                    {{ t('admin.settings.oidc.userinfoUrl') }}
-                  </label>
-                  <input
-                    v-model="form.oidc_connect_userinfo_url"
-                    type="url"
-                    class="input font-mono text-sm"
-                    :placeholder="t('admin.settings.oidc.userinfoUrlPlaceholder')"
-                  />
-                </div>
-
-                <div>
-                  <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">
-                    {{ t('admin.settings.oidc.jwksUrl') }}
-                  </label>
-                  <input
-                    v-model="form.oidc_connect_jwks_url"
-                    type="url"
-                    class="input font-mono text-sm"
-                    :placeholder="t('admin.settings.oidc.jwksUrlPlaceholder')"
-                  />
-                </div>
-              </div>
-
-              <div class="grid grid-cols-1 gap-6 lg:grid-cols-2">
-                <div>
-                  <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">
-                    {{ t('admin.settings.oidc.scopes') }}
-                  </label>
-                  <input
-                    v-model="form.oidc_connect_scopes"
-                    type="text"
-                    class="input font-mono text-sm"
-                    :placeholder="t('admin.settings.oidc.scopesPlaceholder')"
-                  />
-                  <p class="mt-1.5 text-xs text-gray-500 dark:text-gray-400">
-                    {{ t('admin.settings.oidc.scopesHint') }}
-                  </p>
-                </div>
-
-                <div>
-                  <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">
-                    {{ t('admin.settings.oidc.redirectUrl') }}
-                  </label>
-                  <input
-                    v-model="form.oidc_connect_redirect_url"
-                    type="url"
-                    class="input font-mono text-sm"
-                    :placeholder="t('admin.settings.oidc.redirectUrlPlaceholder')"
-                  />
-                  <div class="mt-2 flex flex-col gap-2 sm:flex-row sm:items-center sm:gap-3">
-                    <button
-                      type="button"
-                      class="btn btn-secondary btn-sm w-fit"
-                      @click="setAndCopyOIDCRedirectUrl"
-                    >
-                      {{ t('admin.settings.oidc.quickSetCopy') }}
-                    </button>
-                    <code
-                      v-if="oidcRedirectUrlSuggestion"
-                      class="select-all break-all rounded bg-gray-50 px-2 py-1 font-mono text-xs text-gray-600 dark:bg-dark-800 dark:text-gray-300"
-                    >
-                      {{ oidcRedirectUrlSuggestion }}
-                    </code>
-                  </div>
-                  <p class="mt-1.5 text-xs text-gray-500 dark:text-gray-400">
-                    {{ t('admin.settings.oidc.redirectUrlHint') }}
-                  </p>
-                </div>
-
-                <div class="lg:col-span-2">
-                  <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">
-                    {{ t('admin.settings.oidc.frontendRedirectUrl') }}
-                  </label>
-                  <input
-                    v-model="form.oidc_connect_frontend_redirect_url"
-                    type="text"
-                    class="input font-mono text-sm"
-                    :placeholder="t('admin.settings.oidc.frontendRedirectUrlPlaceholder')"
-                  />
-                  <p class="mt-1.5 text-xs text-gray-500 dark:text-gray-400">
-                    {{ t('admin.settings.oidc.frontendRedirectUrlHint') }}
-                  </p>
-                </div>
-              </div>
-
-              <div class="grid grid-cols-1 gap-6 lg:grid-cols-3">
-                <div>
-                  <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">
-                    {{ t('admin.settings.oidc.tokenAuthMethod') }}
-                  </label>
-                  <select v-model="form.oidc_connect_token_auth_method" class="input font-mono text-sm">
-                    <option value="client_secret_post">client_secret_post</option>
-                    <option value="client_secret_basic">client_secret_basic</option>
-                    <option value="none">none</option>
-                  </select>
-                </div>
-
-                <div>
-                  <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">
-                    {{ t('admin.settings.oidc.clockSkewSeconds') }}
-                  </label>
-                  <input
-                    v-model.number="form.oidc_connect_clock_skew_seconds"
-                    type="number"
-                    min="0"
-                    max="600"
-                    class="input"
-                  />
-                </div>
-
-                <div>
-                  <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">
-                    {{ t('admin.settings.oidc.allowedSigningAlgs') }}
-                  </label>
-                  <input
-                    v-model="form.oidc_connect_allowed_signing_algs"
-                    type="text"
-                    class="input font-mono text-sm"
-                    :placeholder="t('admin.settings.oidc.allowedSigningAlgsPlaceholder')"
-                  />
-                </div>
-              </div>
-
-              <div class="grid grid-cols-1 gap-6 lg:grid-cols-3">
-                <div class="flex items-center justify-between rounded border border-gray-200 px-4 py-3 dark:border-dark-700">
-                  <div>
-                    <label class="font-medium text-gray-900 dark:text-white">
-                      {{ t('admin.settings.oidc.usePkce') }}
-                    </label>
-                  </div>
-                  <Toggle v-model="form.oidc_connect_use_pkce" />
-                </div>
-
-                <div class="flex items-center justify-between rounded border border-gray-200 px-4 py-3 dark:border-dark-700">
-                  <div>
-                    <label class="font-medium text-gray-900 dark:text-white">
-                      {{ t('admin.settings.oidc.validateIdToken') }}
-                    </label>
-                  </div>
-                  <Toggle v-model="form.oidc_connect_validate_id_token" />
-                </div>
-
-                <div class="flex items-center justify-between rounded border border-gray-200 px-4 py-3 dark:border-dark-700">
-                  <div>
-                    <label class="font-medium text-gray-900 dark:text-white">
-                      {{ t('admin.settings.oidc.requireEmailVerified') }}
-                    </label>
-                  </div>
-                  <Toggle v-model="form.oidc_connect_require_email_verified" />
-                </div>
-              </div>
-
-              <div class="grid grid-cols-1 gap-6 lg:grid-cols-3">
-                <div>
-                  <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">
-                    {{ t('admin.settings.oidc.userinfoEmailPath') }}
-                  </label>
-                  <input
-                    v-model="form.oidc_connect_userinfo_email_path"
-                    type="text"
-                    class="input font-mono text-sm"
-                    :placeholder="t('admin.settings.oidc.userinfoEmailPathPlaceholder')"
-                  />
-                </div>
-
-                <div>
-                  <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">
-                    {{ t('admin.settings.oidc.userinfoIdPath') }}
-                  </label>
-                  <input
-                    v-model="form.oidc_connect_userinfo_id_path"
-                    type="text"
-                    class="input font-mono text-sm"
-                    :placeholder="t('admin.settings.oidc.userinfoIdPathPlaceholder')"
-                  />
-                </div>
-
-                <div>
-                  <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">
-                    {{ t('admin.settings.oidc.userinfoUsernamePath') }}
-                  </label>
-                  <input
-                    v-model="form.oidc_connect_userinfo_username_path"
-                    type="text"
-                    class="input font-mono text-sm"
-                    :placeholder="t('admin.settings.oidc.userinfoUsernamePathPlaceholder')"
-                  />
-                </div>
-              </div>
-            </div>
-          </div>
-        </div>
-        </div><!-- /Tab: Security — Registration, Turnstile, LinuxDo, OIDC -->
+        </div><!-- /Tab: Security — Registration, Turnstile, LinuxDo -->
 
         <!-- Tab: Users -->
         <div v-show="activeTab === 'users'" class="space-y-6">
@@ -1696,19 +1274,6 @@
               </div>
               <Toggle v-model="form.enable_metadata_passthrough" />
             </div>
-
-            <!-- CCH Signing -->
-            <div class="flex items-center justify-between">
-              <div>
-                <label class="text-sm font-medium text-gray-700 dark:text-gray-300">
-                  {{ t('admin.settings.gatewayForwarding.cchSigning') }}
-                </label>
-                <p class="mt-0.5 text-xs text-gray-500 dark:text-gray-400">
-                  {{ t('admin.settings.gatewayForwarding.cchSigningHint') }}
-                </p>
-              </div>
-              <Toggle v-model="form.enable_cch_signing" />
-            </div>
           </div>
         </div>
         </div><!-- /Tab: Gateway — Claude Code, Scheduling -->
@@ -1788,48 +1353,6 @@
               </p>
             </div>
 
-            <!-- Global Table Preferences -->
-            <div class="border-t border-gray-100 pt-4 dark:border-dark-700">
-              <h3 class="text-sm font-medium text-gray-900 dark:text-white">
-                {{ t('admin.settings.site.tablePreferencesTitle') }}
-              </h3>
-              <p class="mt-1 text-xs text-gray-500 dark:text-gray-400">
-                {{ t('admin.settings.site.tablePreferencesDescription') }}
-              </p>
-              <div class="mt-4 grid grid-cols-1 gap-6 md:grid-cols-2">
-                <div>
-                  <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">
-                    {{ t('admin.settings.site.tableDefaultPageSize') }}
-                  </label>
-                  <input
-                    v-model.number="form.table_default_page_size"
-                    type="number"
-                    min="5"
-                    max="1000"
-                    step="1"
-                    class="input w-40"
-                  />
-                  <p class="mt-1.5 text-xs text-gray-500 dark:text-gray-400">
-                    {{ t('admin.settings.site.tableDefaultPageSizeHint') }}
-                  </p>
-                </div>
-                <div>
-                  <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">
-                    {{ t('admin.settings.site.tablePageSizeOptions') }}
-                  </label>
-                  <input
-                    v-model="tablePageSizeOptionsInput"
-                    type="text"
-                    class="input font-mono text-sm"
-                    :placeholder="t('admin.settings.site.tablePageSizeOptionsPlaceholder')"
-                  />
-                  <p class="mt-1.5 text-xs text-gray-500 dark:text-gray-400">
-                    {{ t('admin.settings.site.tablePageSizeOptionsHint') }}
-                  </p>
-                </div>
-              </div>
-            </div>
-
             <!-- Custom Endpoints -->
             <div>
               <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">
@@ -2121,13 +1644,7 @@
         <div class="card">
           <div class="border-b border-gray-100 px-6 py-4 dark:border-dark-700">
             <h2 class="text-lg font-semibold text-gray-900 dark:text-white">{{ t('admin.settings.payment.title') }}</h2>
-            <p class="mt-1 text-sm text-gray-500 dark:text-gray-400">
-              {{ t('admin.settings.payment.description') }}
-              <a :href="locale === 'zh' ? 'https://github.com/Wei-Shaw/sub2api/blob/main/docs/PAYMENT_CN.md' : 'https://github.com/Wei-Shaw/sub2api/blob/main/docs/PAYMENT.md'" target="_blank" rel="noopener noreferrer" class="ml-2 inline-flex items-center text-primary-600 hover:text-primary-700 dark:text-primary-400 dark:hover:text-primary-300">
-                <svg class="mr-0.5 h-3.5 w-3.5" fill="none" stroke="currentColor" viewBox="0 0 24 24"><path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M10 6H6a2 2 0 00-2 2v10a2 2 0 002 2h10a2 2 0 002-2v-4M14 4h6m0 0v6m0-6L10 14" /></svg>
-                {{ t('admin.settings.payment.configGuide') }}
-              </a>
-            </p>
+            <p class="mt-1 text-sm text-gray-500 dark:text-gray-400">{{ t('admin.settings.payment.description') }}</p>
           </div>
           <div class="space-y-4 p-6">
             <!-- Enable toggle -->
@@ -2152,38 +1669,34 @@
                 <div><label class="input-label">{{ t('admin.settings.payment.dailyLimit') }}</label><input :value="form.payment_daily_limit || ''" @input="form.payment_daily_limit = parseFloat(($event.target as HTMLInputElement).value) || 0" type="number" step="0.01" min="0" class="input" :placeholder="t('admin.settings.payment.noLimit')" /></div>
                 <div><label class="input-label">{{ t('admin.settings.payment.orderTimeout') }} <span class="text-red-500">*</span></label><input v-model.number="form.payment_order_timeout_minutes" type="number" min="1" class="input" required /><p class="mt-0.5 text-xs text-gray-400">{{ t('admin.settings.payment.orderTimeoutHint') }}</p></div>
               </div>
-              <!-- Row 3: Pending orders + load balance + cancel rate limit (all in one row) -->
+              <!-- Row 3: Pending orders + load balance -->
               <div class="flex flex-wrap items-end gap-4">
                 <div class="w-28"><label class="input-label">{{ t('admin.settings.payment.maxPendingOrders') }}</label><input v-model.number="form.payment_max_pending_orders" type="number" min="1" class="input" /></div>
                 <div>
                   <label class="input-label">{{ t('admin.settings.payment.loadBalanceStrategy') }}</label>
                   <Select v-model="form.payment_load_balance_strategy" :options="loadBalanceOptions" class="w-40" />
                 </div>
-                <div>
-                  <label class="input-label">{{ t('admin.settings.payment.cancelRateLimit') }}</label>
-                  <div class="flex items-center gap-2">
-                    <button
-                      type="button"
-                      :class="[
-                        'relative inline-flex h-6 w-11 flex-shrink-0 cursor-pointer rounded-full border-2 border-transparent transition-colors duration-200 ease-in-out focus:outline-none focus:ring-2 focus:ring-primary-500 focus:ring-offset-2',
-                        form.payment_cancel_rate_limit_enabled ? 'bg-primary-500' : 'bg-gray-300 dark:bg-dark-600'
-                      ]"
-                      @click="form.payment_cancel_rate_limit_enabled = !form.payment_cancel_rate_limit_enabled"
-                    >
-                      <span :class="[
-                        'pointer-events-none inline-block h-5 w-5 transform rounded-full bg-white shadow ring-0 transition duration-200 ease-in-out',
-                        form.payment_cancel_rate_limit_enabled ? 'translate-x-5' : 'translate-x-0'
-                      ]" />
-                    </button>
-                    <Select v-model="form.payment_cancel_rate_limit_window_mode" :options="cancelRateLimitModeOptions" class="w-24" :disabled="!form.payment_cancel_rate_limit_enabled" />
-                    <span :class="['text-sm whitespace-nowrap', form.payment_cancel_rate_limit_enabled ? 'text-gray-700 dark:text-gray-300' : 'text-gray-400 dark:text-gray-600']">{{ t('admin.settings.payment.cancelRateLimitEvery') }}</span>
-                    <input v-model.number="form.payment_cancel_rate_limit_window" type="number" min="1" required class="input w-14 text-center" :disabled="!form.payment_cancel_rate_limit_enabled" />
-                    <Select v-model="form.payment_cancel_rate_limit_unit" :options="cancelRateLimitUnitOptions" class="w-28" :disabled="!form.payment_cancel_rate_limit_enabled" />
-                    <span :class="['text-sm whitespace-nowrap', form.payment_cancel_rate_limit_enabled ? 'text-gray-700 dark:text-gray-300' : 'text-gray-400 dark:text-gray-600']">{{ t('admin.settings.payment.cancelRateLimitAllowMax') }}</span>
-                    <input v-model.number="form.payment_cancel_rate_limit_max" type="number" min="1" required class="input w-14 text-center" :disabled="!form.payment_cancel_rate_limit_enabled" />
-                    <span :class="['text-sm whitespace-nowrap', form.payment_cancel_rate_limit_enabled ? 'text-gray-700 dark:text-gray-300' : 'text-gray-400 dark:text-gray-600']">{{ t('admin.settings.payment.cancelRateLimitTimes') }}</span>
+              </div>
+              <!-- Row 3.5: Cancel rate limit -->
+              <div class="rounded-lg border border-gray-200 p-3 dark:border-dark-600">
+                <div class="flex items-center gap-3">
+                  <label class="flex cursor-pointer items-center gap-2 text-sm font-medium text-gray-700 dark:text-gray-300">
+                    <input type="checkbox" v-model="form.payment_cancel_rate_limit_enabled" class="h-4 w-4 rounded border-gray-300 text-primary-600" />
+                    {{ t('admin.settings.payment.cancelRateLimit') }}
+                  </label>
+                </div>
+                <div v-if="form.payment_cancel_rate_limit_enabled" class="mt-3">
+                  <div class="flex flex-wrap items-center gap-2 text-sm text-gray-700 dark:text-gray-300">
+                    <span>{{ t('admin.settings.payment.cancelRateLimitEvery') }}</span>
+                    <input v-model.number="form.payment_cancel_rate_limit_window" type="number" min="1" required class="input w-16 text-center" />
+                    <Select v-model="form.payment_cancel_rate_limit_unit" :options="cancelRateLimitUnitOptions" class="w-24" />
+                    <span>{{ t('admin.settings.payment.cancelRateLimitAllowMax') }}</span>
+                    <input v-model.number="form.payment_cancel_rate_limit_max" type="number" min="1" required class="input w-16 text-center" />
+                    <span>{{ t('admin.settings.payment.cancelRateLimitTimes') }}</span>
+                    <Select v-model="form.payment_cancel_rate_limit_window_mode" :options="cancelRateLimitModeOptions" class="w-32" />
                   </div>
                 </div>
+                <p class="mt-1.5 text-xs text-gray-400">{{ t('admin.settings.payment.cancelRateLimitHint') }}</p>
               </div>
               <!-- Row 4: Enabled payment types (provider badges like sub2apipay) -->
               <div>
@@ -2202,13 +1715,6 @@
                     ]"
                   >{{ pt.label }}</button>
                 </div>
-                <p class="mt-2 text-xs text-gray-400 dark:text-gray-500">
-                  {{ t('admin.settings.payment.enabledPaymentTypesHint') }}
-                  <a :href="locale === 'zh' ? 'https://github.com/Wei-Shaw/sub2api/blob/main/docs/PAYMENT_CN.md#%E6%94%AF%E6%8C%81%E7%9A%84%E6%94%AF%E4%BB%98%E6%96%B9%E5%BC%8F' : 'https://github.com/Wei-Shaw/sub2api/blob/main/docs/PAYMENT.md#supported-payment-methods'" target="_blank" rel="noopener noreferrer" class="ml-1 text-primary-500 hover:text-primary-600 dark:text-primary-400 dark:hover:text-primary-300">
-                    {{ t('admin.settings.payment.findProvider') }}
-                    <svg class="mb-0.5 ml-0.5 inline h-3 w-3" fill="none" stroke="currentColor" viewBox="0 0 24 24"><path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M10 6H6a2 2 0 00-2 2v10a2 2 0 002 2h10a2 2 0 002-2v-4M14 4h6m0 0v6m0-6L10 14" /></svg>
-                  </a>
-                </p>
               </div>
               <!-- Row 5: Help image + text -->
               <div class="grid grid-cols-2 gap-3">
@@ -2549,11 +2055,11 @@ import {
   parseRegistrationEmailSuffixWhitelistInput
 } from '@/utils/registrationEmailPolicy'
 
-const { t, locale } = useI18n()
+const { t } = useI18n()
 const appStore = useAppStore()
 const adminSettingsStore = useAdminSettingsStore()
 
-type SettingsTab = 'general' | 'security' | 'users' | 'gateway' | 'payment' | 'email' | 'backup'
+type SettingsTab = 'general' | 'security' | 'users' | 'gateway' | 'payment' | 'email' | 'backup' | 'data'
 const activeTab = ref<SettingsTab>('general')
 const settingsTabs = [
   { key: 'general'  as SettingsTab, icon: 'home'   as const },
@@ -2575,7 +2081,6 @@ const smtpPasswordManuallyEdited = ref(false)
 const testEmailAddress = ref('')
 const registrationEmailSuffixWhitelistTags = ref<string[]>([])
 const registrationEmailSuffixWhitelistDraft = ref('')
-const tablePageSizeOptionsInput = ref('10, 20, 50, 100')
 
 // Admin API Key 状态
 const adminApiKeyLoading = ref(true)
@@ -2624,16 +2129,9 @@ const betaPolicyForm = reactive({
     action: 'pass' | 'filter' | 'block'
     scope: 'all' | 'oauth' | 'apikey' | 'bedrock'
     error_message?: string
-    model_whitelist?: string[]
-    fallback_action?: 'pass' | 'filter' | 'block'
-    fallback_error_message?: string
   }>
 })
 
-const tablePageSizeMin = 5
-const tablePageSizeMax = 1000
-const tablePageSizeDefault = 20
-
 interface DefaultSubscriptionGroupOption {
   value: number
   label: string
@@ -2648,7 +2146,6 @@ type SettingsForm = SystemSettings & {
   smtp_password: string
   turnstile_secret_key: string
   linuxdo_connect_client_secret: string
-  oidc_connect_client_secret: string
 }
 
 const form = reactive<SettingsForm>({
@@ -2673,8 +2170,7 @@ const form = reactive<SettingsForm>({
   backend_mode_enabled: false,
   hide_ccs_import_button: false,
   payment_enabled: false,  payment_min_amount: 1,  payment_max_amount: 10000,  payment_daily_limit: 50000,  payment_max_pending_orders: 3,  payment_order_timeout_minutes: 30,  payment_balance_disabled: false,  payment_enabled_types: [],  payment_help_image_url: '',  payment_help_text: '',  payment_product_name_prefix: '',  payment_product_name_suffix: '',  payment_load_balance_strategy: 'round-robin',  payment_cancel_rate_limit_enabled: false,  payment_cancel_rate_limit_max: 10,  payment_cancel_rate_limit_window: 1,  payment_cancel_rate_limit_unit: 'day',  payment_cancel_rate_limit_window_mode: 'rolling',
-  table_default_page_size: tablePageSizeDefault,
-  table_page_size_options: [10, 20, 50, 100],
+  sora_client_enabled: false,
   custom_menu_items: [] as Array<{id: string; label: string; icon_svg: string; url: string; visibility: 'user' | 'admin'; sort_order: number}>,
   custom_endpoints: [] as Array<{name: string; endpoint: string; description: string}>,
   frontend_url: '',
@@ -2697,30 +2193,6 @@ const form = reactive<SettingsForm>({
   linuxdo_connect_client_secret: '',
   linuxdo_connect_client_secret_configured: false,
   linuxdo_connect_redirect_url: '',
-  // Generic OIDC OAuth 登录
-  oidc_connect_enabled: false,
-  oidc_connect_provider_name: 'OIDC',
-  oidc_connect_client_id: '',
-  oidc_connect_client_secret: '',
-  oidc_connect_client_secret_configured: false,
-  oidc_connect_issuer_url: '',
-  oidc_connect_discovery_url: '',
-  oidc_connect_authorize_url: '',
-  oidc_connect_token_url: '',
-  oidc_connect_userinfo_url: '',
-  oidc_connect_jwks_url: '',
-  oidc_connect_scopes: 'openid email profile',
-  oidc_connect_redirect_url: '',
-  oidc_connect_frontend_redirect_url: '/auth/oidc/callback',
-  oidc_connect_token_auth_method: 'client_secret_post',
-  oidc_connect_use_pkce: false,
-  oidc_connect_validate_id_token: true,
-  oidc_connect_allowed_signing_algs: 'RS256,ES256,PS256',
-  oidc_connect_clock_skew_seconds: 120,
-  oidc_connect_require_email_verified: false,
-  oidc_connect_userinfo_email_path: '',
-  oidc_connect_userinfo_id_path: '',
-  oidc_connect_userinfo_username_path: '',
   // Model fallback
   enable_model_fallback: false,
   fallback_model_anthropic: 'claude-3-5-sonnet-20241022',
@@ -2742,8 +2214,7 @@ const form = reactive<SettingsForm>({
   allow_ungrouped_key_scheduling: false,
   // Gateway forwarding behavior
   enable_fingerprint_unification: true,
-  enable_metadata_passthrough: false,
-  enable_cch_signing: false
+  enable_metadata_passthrough: false
 })
 
 const defaultSubscriptionGroupOptions = computed<DefaultSubscriptionGroupOption[]>(() =>
@@ -2841,21 +2312,6 @@ async function setAndCopyLinuxdoRedirectUrl() {
   await copyToClipboard(url, t('admin.settings.linuxdo.redirectUrlSetAndCopied'))
 }
 
-const oidcRedirectUrlSuggestion = computed(() => {
-  if (typeof window === 'undefined') return ''
-  const origin =
-    window.location.origin || `${window.location.protocol}//${window.location.host}`
-  return `${origin}/api/v1/auth/oauth/oidc/callback`
-})
-
-async function setAndCopyOIDCRedirectUrl() {
-  const url = oidcRedirectUrlSuggestion.value
-  if (!url) return
-
-  form.oidc_connect_redirect_url = url
-  await copyToClipboard(url, t('admin.settings.oidc.redirectUrlSetAndCopied'))
-}
-
 // Custom menu item management
 function addMenuItem() {
   form.custom_menu_items.push({
@@ -2898,35 +2354,6 @@ function removeEndpoint(index: number) {
   form.custom_endpoints.splice(index, 1)
 }
 
-function formatTablePageSizeOptions(options: number[]): string {
-  return options.join(', ')
-}
-
-function parseTablePageSizeOptionsInput(raw: string): number[] | null {
-  const tokens = raw
-    .split(',')
-    .map((token) => token.trim())
-    .filter((token) => token.length > 0)
-
-  if (tokens.length === 0) {
-    return null
-  }
-
-  const parsed = tokens.map((token) => Number(token))
-  if (parsed.some((value) => !Number.isInteger(value))) {
-    return null
-  }
-
-  const deduped = Array.from(new Set(parsed)).sort((a, b) => a - b)
-  if (
-    deduped.some((value) => value < tablePageSizeMin || value > tablePageSizeMax)
-  ) {
-    return null
-  }
-
-  return deduped
-}
-
 async function loadSettings() {
   loading.value = true
   loadFailed.value = false
@@ -2951,15 +2378,11 @@ async function loadSettings() {
     registrationEmailSuffixWhitelistTags.value = normalizeRegistrationEmailSuffixDomains(
       settings.registration_email_suffix_whitelist
     )
-    tablePageSizeOptionsInput.value = formatTablePageSizeOptions(
-      Array.isArray(settings.table_page_size_options) ? settings.table_page_size_options : [10, 20, 50, 100]
-    )
     registrationEmailSuffixWhitelistDraft.value = ''
     form.smtp_password = ''
     smtpPasswordManuallyEdited.value = false
     form.turnstile_secret_key = ''
     form.linuxdo_connect_client_secret = ''
-    form.oidc_connect_client_secret = ''
   } catch (error: unknown) {
     loadFailed.value = true
     appStore.showError(extractApiErrorMessage(error, t('admin.settings.failedToLoad')))
@@ -2997,37 +2420,6 @@ function removeDefaultSubscription(index: number) {
 async function saveSettings() {
   saving.value = true
   try {
-    const normalizedTableDefaultPageSize = Math.floor(Number(form.table_default_page_size))
-    if (
-      !Number.isInteger(normalizedTableDefaultPageSize) ||
-      normalizedTableDefaultPageSize < tablePageSizeMin ||
-      normalizedTableDefaultPageSize > tablePageSizeMax
-    ) {
-      appStore.showError(
-        t('admin.settings.site.tableDefaultPageSizeRangeError', {
-          min: tablePageSizeMin,
-          max: tablePageSizeMax
-        })
-      )
-      return
-    }
-
-    const normalizedTablePageSizeOptions = parseTablePageSizeOptionsInput(
-      tablePageSizeOptionsInput.value
-    )
-    if (!normalizedTablePageSizeOptions) {
-      appStore.showError(
-        t('admin.settings.site.tablePageSizeOptionsFormatError', {
-          min: tablePageSizeMin,
-          max: tablePageSizeMax
-        })
-      )
-      return
-    }
-
-    form.table_default_page_size = normalizedTableDefaultPageSize
-    form.table_page_size_options = normalizedTablePageSizeOptions
-
     const normalizedDefaultSubscriptions = form.default_subscriptions
       .filter((item) => item.group_id > 0 && item.validity_days > 0)
       .map((item: DefaultSubscriptionSetting) => ({
@@ -3088,8 +2480,6 @@ async function saveSettings() {
       home_content: form.home_content,
       backend_mode_enabled: form.backend_mode_enabled,
       hide_ccs_import_button: form.hide_ccs_import_button,
-      table_default_page_size: form.table_default_page_size,
-      table_page_size_options: form.table_page_size_options,
       custom_menu_items: form.custom_menu_items,
       custom_endpoints: form.custom_endpoints,
       frontend_url: form.frontend_url,
@@ -3107,28 +2497,6 @@ async function saveSettings() {
       linuxdo_connect_client_id: form.linuxdo_connect_client_id,
       linuxdo_connect_client_secret: form.linuxdo_connect_client_secret || undefined,
       linuxdo_connect_redirect_url: form.linuxdo_connect_redirect_url,
-      oidc_connect_enabled: form.oidc_connect_enabled,
-      oidc_connect_provider_name: form.oidc_connect_provider_name,
-      oidc_connect_client_id: form.oidc_connect_client_id,
-      oidc_connect_client_secret: form.oidc_connect_client_secret || undefined,
-      oidc_connect_issuer_url: form.oidc_connect_issuer_url,
-      oidc_connect_discovery_url: form.oidc_connect_discovery_url,
-      oidc_connect_authorize_url: form.oidc_connect_authorize_url,
-      oidc_connect_token_url: form.oidc_connect_token_url,
-      oidc_connect_userinfo_url: form.oidc_connect_userinfo_url,
-      oidc_connect_jwks_url: form.oidc_connect_jwks_url,
-      oidc_connect_scopes: form.oidc_connect_scopes,
-      oidc_connect_redirect_url: form.oidc_connect_redirect_url,
-      oidc_connect_frontend_redirect_url: form.oidc_connect_frontend_redirect_url,
-      oidc_connect_token_auth_method: form.oidc_connect_token_auth_method,
-      oidc_connect_use_pkce: form.oidc_connect_use_pkce,
-      oidc_connect_validate_id_token: form.oidc_connect_validate_id_token,
-      oidc_connect_allowed_signing_algs: form.oidc_connect_allowed_signing_algs,
-      oidc_connect_clock_skew_seconds: form.oidc_connect_clock_skew_seconds,
-      oidc_connect_require_email_verified: form.oidc_connect_require_email_verified,
-      oidc_connect_userinfo_email_path: form.oidc_connect_userinfo_email_path,
-      oidc_connect_userinfo_id_path: form.oidc_connect_userinfo_id_path,
-      oidc_connect_userinfo_username_path: form.oidc_connect_userinfo_username_path,
       enable_model_fallback: form.enable_model_fallback,
       fallback_model_anthropic: form.fallback_model_anthropic,
       fallback_model_openai: form.fallback_model_openai,
@@ -3141,7 +2509,6 @@ async function saveSettings() {
       allow_ungrouped_key_scheduling: form.allow_ungrouped_key_scheduling,
       enable_fingerprint_unification: form.enable_fingerprint_unification,
       enable_metadata_passthrough: form.enable_metadata_passthrough,
-      enable_cch_signing: form.enable_cch_signing,
       // Payment configuration
       payment_enabled: form.payment_enabled,
       payment_min_amount: Number(form.payment_min_amount) || 0,
@@ -3172,15 +2539,11 @@ async function saveSettings() {
     registrationEmailSuffixWhitelistTags.value = normalizeRegistrationEmailSuffixDomains(
       updated.registration_email_suffix_whitelist
     )
-    tablePageSizeOptionsInput.value = formatTablePageSizeOptions(
-      Array.isArray(updated.table_page_size_options) ? updated.table_page_size_options : [10, 20, 50, 100]
-    )
     registrationEmailSuffixWhitelistDraft.value = ''
     form.smtp_password = ''
     smtpPasswordManuallyEdited.value = false
     form.turnstile_secret_key = ''
     form.linuxdo_connect_client_secret = ''
-    form.oidc_connect_client_secret = ''
     // Refresh cached settings so sidebar/header update immediately
     await appStore.fetchPublicSettings(true)
     await adminSettingsStore.fetch(true)
@@ -3422,48 +2785,10 @@ const betaDisplayNames: Record<string, string> = {
   'context-1m-2025-08-07': 'Context 1M'
 }
 
-// 快捷预设：按 beta_token 定义预设方案
-const betaPresets: Record<string, Array<{
-  label: string
-  description: string
-  action: 'pass' | 'filter' | 'block'
-  model_whitelist: string[]
-  fallback_action: 'pass' | 'filter' | 'block'
-}>> = {
-  'context-1m-2025-08-07': [
-    {
-      label: t('admin.settings.betaPolicy.presetOpusOnly'),
-      description: t('admin.settings.betaPolicy.presetOpusOnlyDesc'),
-      action: 'pass',
-      model_whitelist: ['claude-opus-4-6'],
-      fallback_action: 'filter',
-    },
-  ],
-}
-
-// 常用模型模式（具体 ID + 通配符示例）
-const commonModelPatterns = ['claude-opus-4-6', 'claude-sonnet-4-6', 'claude-opus-*', 'claude-sonnet-*']
-
 function getBetaDisplayName(token: string): string {
   return betaDisplayNames[token] || token
 }
 
-function applyBetaPreset(
-  rule: (typeof betaPolicyForm.rules)[number],
-  preset: { action: 'pass' | 'filter' | 'block'; model_whitelist: string[]; fallback_action: 'pass' | 'filter' | 'block' }
-) {
-  rule.action = preset.action
-  rule.model_whitelist = [...preset.model_whitelist]
-  rule.fallback_action = preset.fallback_action
-}
-
-function addQuickPattern(rule: (typeof betaPolicyForm.rules)[number], pattern: string) {
-  if (!rule.model_whitelist) rule.model_whitelist = []
-  if (!rule.model_whitelist.includes(pattern)) {
-    rule.model_whitelist.push(pattern)
-  }
-}
-
 async function loadBetaPolicySettings() {
   betaPolicyLoading.value = true
   try {
@@ -3479,22 +2804,8 @@ async function loadBetaPolicySettings() {
 async function saveBetaPolicySettings() {
   betaPolicySaving.value = true
   try {
-    // Clean up empty patterns before saving
-    const cleanedRules = betaPolicyForm.rules.map(rule => {
-      const whitelist = rule.model_whitelist?.filter(p => p.trim() !== '')
-      const hasWhitelist = whitelist && whitelist.length > 0
-      return {
-        beta_token: rule.beta_token,
-        action: rule.action,
-        scope: rule.scope,
-        error_message: rule.error_message,
-        model_whitelist: hasWhitelist ? whitelist : undefined,
-        fallback_action: hasWhitelist ? (rule.fallback_action || 'pass') : undefined,
-        fallback_error_message: hasWhitelist && rule.fallback_action === 'block' ? rule.fallback_error_message : undefined,
-      }
-    })
     const updated = await adminAPI.settings.updateBetaPolicySettings({
-      rules: cleanedRules
+      rules: betaPolicyForm.rules
     })
     betaPolicyForm.rules = updated.rules
     appStore.showSuccess(t('admin.settings.betaPolicy.saved'))
@@ -3608,15 +2919,15 @@ async function handleSaveProvider(payload: Partial<ProviderInstance>) {
   providerSaving.value = true
   try {
     if (editingProvider.value) {
-      await adminAPI.payment.updateProvider(editingProvider.value.id, payload)
+      const updated = await adminAPI.payment.updateProvider(editingProvider.value.id, payload)
+      // Update in place to preserve list order
+      const idx = providers.value.findIndex(p => p.id === editingProvider.value!.id)
+      if (idx >= 0 && updated.data) providers.value[idx] = updated.data
     } else {
       await adminAPI.payment.createProvider(payload)
+      loadProviders()
     }
     showProviderDialog.value = false
-    // Reload full list (API returns decrypted/formatted data with correct sort order)
-    await loadProviders()
-    // Auto-save settings so provider changes take effect immediately
-    await saveSettings()
   } catch (err: unknown) {
     appStore.showError(extractApiErrorMessage(err, t('common.error'), paymentErrorMap.value))
   } finally {
diff --git a/frontend/src/views/user/PaymentResultView.vue b/frontend/src/views/user/PaymentResultView.vue
index bc16918c..cf0bf373 100644
--- a/frontend/src/views/user/PaymentResultView.vue
+++ b/frontend/src/views/user/PaymentResultView.vue
@@ -102,12 +102,10 @@ interface ReturnInfo {
 }
 const returnInfo = ref<ReturnInfo | null>(null)
 
-const SUCCESS_STATUSES = new Set(['COMPLETED', 'PAID', 'RECHARGING'])
-
 const isSuccess = computed(() => {
   // Always prioritize actual order status from backend
   if (order.value) {
-    return SUCCESS_STATUSES.has(order.value.status)
+    return order.value.status === 'COMPLETED' || order.value.status === 'PAID'
   }
   // Fallback only when order not loaded
   if (route.query.status === 'success') return true
@@ -138,17 +136,14 @@ onMounted(async () => {
     }
   }
 
-  // Verify payment via public endpoint (works without login)
+  // If we have an out_trade_no from a provider return URL, actively verify
+  // the payment with the upstream provider (handles missed notify callbacks)
   if (outTradeNo) {
     try {
-      const result = await paymentAPI.verifyOrderPublic(outTradeNo)
+      const result = await paymentAPI.verifyOrder(outTradeNo)
       order.value = result.data
     } catch (_err: unknown) {
-      // Public verify failed, try authenticated endpoint if logged in
-      try {
-        const result = await paymentAPI.verifyOrder(outTradeNo)
-        order.value = result.data
-      } catch (_e: unknown) { /* fall through */ }
+      // Verification failed, fall through to normal order lookup
     }
   }
 
diff --git a/frontend/src/views/user/PaymentView.vue b/frontend/src/views/user/PaymentView.vue
index 5dc396ec..db588420 100644
--- a/frontend/src/views/user/PaymentView.vue
+++ b/frontend/src/views/user/PaymentView.vue
@@ -374,7 +374,7 @@ onMounted(async () => {
     if (checkout.value.balance_disabled) {
       activeTab.value = 'subscription'
     }
-  } catch (err: unknown) { console.error('Failed to load checkout info:', err) }
+  } catch (err: unknown) { appStore.showError(extractApiErrorMessage(err, t('common.error'))) }
   finally { loading.value = false }
 })
 </script>

From c738cfec93ab3ed27d346a28b3dc9b84885b5d4e Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Fri, 10 Apr 2026 02:23:19 +0800
Subject: [PATCH 024/122] fix(payment): critical audit fixes for security,
 idempotency and correctness

Backend fixes:
- #1: doSub subscription idempotency via audit log check
- #2: markFailed only when status=RECHARGING (prevents overwriting COMPLETED)
- #3: ExpireTimedOutOrders checks upstream payment before expiring
- #4: Public verify endpoint for payment result page (no auth required)
- #5: EasyPay QueryOrder returns amount, confirmPayment handles zero amount
- #6: WxPay notifyUrl priority: request-first, config-fallback
- #7: EasyPay remove double URL decode in VerifyNotification
- #8: checkPaid/cancelUpstreamPayment use order's provider instance
- #9: Amount NaN/Inf/negative validation in order creation and refund
- #10: Refund amount comparison uses tolerance instead of float64 ==
- #11: Skip balance deduction on retry when previous rollback failed
- #12: checkPaid logs fulfillment errors instead of silently ignoring
- #13: WxPay certSerial added to required config fields

Frontend fixes:
- Payment result page no longer requires authentication
- Public verify API fallback for expired sessions
---
 backend/internal/payment/provider/easypay.go  |  7 +-
 .../internal/payment/provider/wxpay_test.go   |  1 +
 backend/internal/server/routes/payment.go     |  8 ++
 .../internal/service/payment_fulfillment.go   | 50 ++++++++---
 backend/internal/service/payment_order.go     | 87 +++++++++++++------
 backend/internal/service/payment_refund.go    | 42 +++++++--
 frontend/src/views/user/PaymentResultView.vue | 11 ++-
 7 files changed, 152 insertions(+), 54 deletions(-)

diff --git a/backend/internal/payment/provider/easypay.go b/backend/internal/payment/provider/easypay.go
index 3fa59283..c54aba6a 100644
--- a/backend/internal/payment/provider/easypay.go
+++ b/backend/internal/payment/provider/easypay.go
@@ -158,6 +158,7 @@ func (e *EasyPay) QueryOrder(ctx context.Context, tradeNo string) (*payment.Quer
 		Code   int    `json:"code"`
 		Msg    string `json:"msg"`
 		Status int    `json:"status"`
+		Money  string `json:"money"`
 	}
 	if err := json.Unmarshal(body, &resp); err != nil {
 		return nil, fmt.Errorf("easypay parse query: %w", err)
@@ -166,7 +167,8 @@ func (e *EasyPay) QueryOrder(ctx context.Context, tradeNo string) (*payment.Quer
 	if resp.Status == easypayStatusPaid {
 		status = payment.ProviderStatusPaid
 	}
-	return &payment.QueryOrderResponse{TradeNo: tradeNo, Status: status}, nil
+	amount, _ := strconv.ParseFloat(resp.Money, 64)
+	return &payment.QueryOrderResponse{TradeNo: tradeNo, Status: status, Amount: amount}, nil
 }
 
 func (e *EasyPay) VerifyNotification(_ context.Context, rawBody string, _ map[string]string) (*payment.PaymentNotification, error) {
@@ -174,9 +176,10 @@ func (e *EasyPay) VerifyNotification(_ context.Context, rawBody string, _ map[st
 	if err != nil {
 		return nil, fmt.Errorf("parse notify: %w", err)
 	}
+	// url.ParseQuery already decodes values — no additional decode needed.
 	params := make(map[string]string)
 	for k := range values {
-		params[k] = decodeURLValue(values.Get(k))
+		params[k] = values.Get(k)
 	}
 	sign := params["sign"]
 	if sign == "" {
diff --git a/backend/internal/payment/provider/wxpay_test.go b/backend/internal/payment/provider/wxpay_test.go
index 4b774d63..b8b99537 100644
--- a/backend/internal/payment/provider/wxpay_test.go
+++ b/backend/internal/payment/provider/wxpay_test.go
@@ -156,6 +156,7 @@ func TestNewWxpay(t *testing.T) {
 		"apiV3Key":    "12345678901234567890123456789012", // exactly 32 bytes
 		"publicKey":   "fake-public-key",
 		"publicKeyId": "key-id-001",
+		"certSerial":  "SERIAL001",
 	}
 
 	// helper to clone and override config fields
diff --git a/backend/internal/server/routes/payment.go b/backend/internal/server/routes/payment.go
index 828b68f3..641c6cd5 100644
--- a/backend/internal/server/routes/payment.go
+++ b/backend/internal/server/routes/payment.go
@@ -40,6 +40,14 @@ func RegisterPaymentRoutes(
 		}
 	}
 
+	// --- Public payment endpoints (no auth) ---
+	// Payment result page needs to verify order status without login
+	// (user session may have expired during provider redirect).
+	public := v1.Group("/payment/public")
+	{
+		public.POST("/orders/verify", paymentHandler.VerifyOrderPublic)
+	}
+
 	// --- Webhook endpoints (no auth) ---
 	webhook := v1.Group("/payment/webhook")
 	{
diff --git a/backend/internal/service/payment_fulfillment.go b/backend/internal/service/payment_fulfillment.go
index 7dd6d835..51307849 100644
--- a/backend/internal/service/payment_fulfillment.go
+++ b/backend/internal/service/payment_fulfillment.go
@@ -8,6 +8,7 @@ import (
 	"time"
 
 	dbent "github.com/Wei-Shaw/sub2api/ent"
+	"github.com/Wei-Shaw/sub2api/ent/paymentauditlog"
 	"github.com/Wei-Shaw/sub2api/ent/paymentorder"
 	"github.com/Wei-Shaw/sub2api/internal/payment"
 	infraerrors "github.com/Wei-Shaw/sub2api/internal/pkg/errors"
@@ -32,9 +33,17 @@ func (s *PaymentService) confirmPayment(ctx context.Context, oid int64, tradeNo
 		slog.Error("order not found", "orderID", oid)
 		return nil
 	}
-	if math.Abs(paid-o.PayAmount) > amountToleranceCNY {
-		s.writeAuditLog(ctx, o.ID, "PAYMENT_AMOUNT_MISMATCH", pk, map[string]any{"expected": o.PayAmount, "paid": paid, "tradeNo": tradeNo})
-		return fmt.Errorf("amount mismatch: expected %.2f, got %.2f", o.PayAmount, paid)
+	// Skip amount check when paid=0 (e.g. QueryOrder doesn't return amount).
+	// Also skip if paid is NaN/Inf (malformed provider data).
+	if paid > 0 && !math.IsNaN(paid) && !math.IsInf(paid, 0) {
+		if math.Abs(paid-o.PayAmount) > amountToleranceCNY {
+			s.writeAuditLog(ctx, o.ID, "PAYMENT_AMOUNT_MISMATCH", pk, map[string]any{"expected": o.PayAmount, "paid": paid, "tradeNo": tradeNo})
+			return fmt.Errorf("amount mismatch: expected %.2f, got %.2f", o.PayAmount, paid)
+		}
+	}
+	// Use order's expected amount when provider didn't report one
+	if paid <= 0 || math.IsNaN(paid) || math.IsInf(paid, 0) {
+		paid = o.PayAmount
 	}
 	return s.toPaid(ctx, o, tradeNo, paid, pk)
 }
@@ -241,27 +250,42 @@ func (s *PaymentService) doSub(ctx context.Context, o *dbent.PaymentOrder) error
 	if err != nil || g.Status != payment.EntityStatusActive {
 		return fmt.Errorf("group %d no longer exists or inactive", gid)
 	}
-	_, _, err = s.subscriptionSvc.AssignOrExtendSubscription(ctx, &AssignSubscriptionInput{UserID: o.UserID, GroupID: gid, ValidityDays: days, AssignedBy: 0, Notes: fmt.Sprintf("payment order %d", o.ID)})
+	// Idempotency: check audit log to see if subscription was already assigned.
+	// Prevents double-extension on retry after markCompleted fails.
+	if s.hasAuditLog(ctx, o.ID, "SUBSCRIPTION_SUCCESS") {
+		slog.Info("subscription already assigned for order, skipping", "orderID", o.ID, "groupID", gid)
+		return s.markCompleted(ctx, o, "SUBSCRIPTION_SUCCESS")
+	}
+	orderNote := fmt.Sprintf("payment order %d", o.ID)
+	_, _, err = s.subscriptionSvc.AssignOrExtendSubscription(ctx, &AssignSubscriptionInput{UserID: o.UserID, GroupID: gid, ValidityDays: days, AssignedBy: 0, Notes: orderNote})
 	if err != nil {
 		return fmt.Errorf("assign subscription: %w", err)
 	}
-	now := time.Now()
-	_, err = s.entClient.PaymentOrder.Update().Where(paymentorder.IDEQ(o.ID), paymentorder.StatusEQ(OrderStatusRecharging)).SetStatus(OrderStatusCompleted).SetCompletedAt(now).Save(ctx)
-	if err != nil {
-		return fmt.Errorf("mark completed: %w", err)
-	}
-	s.writeAuditLog(ctx, o.ID, "SUBSCRIPTION_SUCCESS", "system", map[string]any{"groupId": gid, "days": days, "amount": o.Amount})
-	return nil
+	return s.markCompleted(ctx, o, "SUBSCRIPTION_SUCCESS")
+}
+
+func (s *PaymentService) hasAuditLog(ctx context.Context, orderID int64, action string) bool {
+	oid := strconv.FormatInt(orderID, 10)
+	c, _ := s.entClient.PaymentAuditLog.Query().
+		Where(paymentauditlog.OrderIDEQ(oid), paymentauditlog.ActionEQ(action)).
+		Limit(1).Count(ctx)
+	return c > 0
 }
 
 func (s *PaymentService) markFailed(ctx context.Context, oid int64, cause error) {
 	now := time.Now()
 	r := psErrMsg(cause)
-	_, e := s.entClient.PaymentOrder.UpdateOneID(oid).SetStatus(OrderStatusFailed).SetFailedAt(now).SetFailedReason(r).Save(ctx)
+	// Only mark FAILED if still in RECHARGING state — prevents overwriting
+	// a COMPLETED order when markCompleted failed but fulfillment succeeded.
+	c, e := s.entClient.PaymentOrder.Update().
+		Where(paymentorder.IDEQ(oid), paymentorder.StatusEQ(OrderStatusRecharging)).
+		SetStatus(OrderStatusFailed).SetFailedAt(now).SetFailedReason(r).Save(ctx)
 	if e != nil {
 		slog.Error("mark FAILED", "orderID", oid, "error", e)
 	}
-	s.writeAuditLog(ctx, oid, "FULFILLMENT_FAILED", "system", map[string]any{"reason": r})
+	if c > 0 {
+		s.writeAuditLog(ctx, oid, "FULFILLMENT_FAILED", "system", map[string]any{"reason": r})
+	}
 }
 
 func (s *PaymentService) RetryFulfillment(ctx context.Context, oid int64) error {
diff --git a/backend/internal/service/payment_order.go b/backend/internal/service/payment_order.go
index d61a0d88..e81af3f5 100644
--- a/backend/internal/service/payment_order.go
+++ b/backend/internal/service/payment_order.go
@@ -72,6 +72,9 @@ func (s *PaymentService) validateOrderInput(ctx context.Context, req CreateOrder
 	if req.OrderType == payment.OrderTypeSubscription {
 		return s.validateSubOrder(ctx, req)
 	}
+	if math.IsNaN(req.Amount) || math.IsInf(req.Amount, 0) || req.Amount <= 0 {
+		return nil, infraerrors.BadRequest("INVALID_AMOUNT", "amount must be a positive number")
+	}
 	if (cfg.MinAmount > 0 && req.Amount < cfg.MinAmount) || (cfg.MaxAmount > 0 && req.Amount > cfg.MaxAmount) {
 		return nil, infraerrors.BadRequest("INVALID_AMOUNT", "amount out of range").
 			WithMetadata(map[string]string{"min": fmt.Sprintf("%.2f", cfg.MinAmount), "max": fmt.Sprintf("%.2f", cfg.MaxAmount)})
@@ -394,7 +397,7 @@ func (s *PaymentService) AdminCancelOrder(ctx context.Context, orderID int64) (s
 }
 
 func (s *PaymentService) cancelCore(ctx context.Context, o *dbent.PaymentOrder, fs, op, ad string) (string, error) {
-	if o.PaymentTradeNo != "" && o.PaymentType != "" {
+	if o.PaymentTradeNo != "" || o.PaymentType != "" {
 		if s.checkPaid(ctx, o) == "already_paid" {
 			return "already_paid", nil
 		}
@@ -404,14 +407,17 @@ func (s *PaymentService) cancelCore(ctx context.Context, o *dbent.PaymentOrder,
 		return "", fmt.Errorf("update order status: %w", err)
 	}
 	if c > 0 {
-		s.writeAuditLog(ctx, o.ID, "ORDER_CANCELLED", op, map[string]any{"detail": ad})
+		auditAction := "ORDER_CANCELLED"
+		if fs == OrderStatusExpired {
+			auditAction = "ORDER_EXPIRED"
+		}
+		s.writeAuditLog(ctx, o.ID, auditAction, op, map[string]any{"detail": ad})
 	}
 	return "cancelled", nil
 }
 
 func (s *PaymentService) checkPaid(ctx context.Context, o *dbent.PaymentOrder) string {
-	s.EnsureProviders(ctx)
-	prov, err := s.registry.GetProvider(o.PaymentType)
+	prov, err := s.getOrderProvider(ctx, o)
 	if err != nil {
 		return ""
 	}
@@ -427,11 +433,14 @@ func (s *PaymentService) checkPaid(ctx context.Context, o *dbent.PaymentOrder) s
 		return ""
 	}
 	if resp.Status == payment.ProviderStatusPaid {
-		_ = s.HandlePaymentNotification(ctx, &payment.PaymentNotification{TradeNo: o.PaymentTradeNo, OrderID: o.OutTradeNo, Amount: resp.Amount, Status: payment.ProviderStatusSuccess}, prov.ProviderKey())
+		if err := s.HandlePaymentNotification(ctx, &payment.PaymentNotification{TradeNo: o.PaymentTradeNo, OrderID: o.OutTradeNo, Amount: resp.Amount, Status: payment.ProviderStatusSuccess}, prov.ProviderKey()); err != nil {
+			slog.Error("fulfillment failed during checkPaid", "orderID", o.ID, "error", err)
+			// Still return already_paid — order was paid, fulfillment can be retried
+		}
 		return "already_paid"
 	}
 	if cp, ok := prov.(payment.CancelableProvider); ok {
-		_ = cp.CancelPayment(ctx, o.PaymentTradeNo)
+		_ = cp.CancelPayment(ctx, tradeNo)
 	}
 	return ""
 }
@@ -463,6 +472,27 @@ func (s *PaymentService) VerifyOrderByOutTradeNo(ctx context.Context, outTradeNo
 	return o, nil
 }
 
+// VerifyOrderPublic verifies payment status without user authentication.
+// Used by the payment result page when the user's session has expired.
+func (s *PaymentService) VerifyOrderPublic(ctx context.Context, outTradeNo string) (*dbent.PaymentOrder, error) {
+	o, err := s.entClient.PaymentOrder.Query().
+		Where(paymentorder.OutTradeNo(outTradeNo)).
+		Only(ctx)
+	if err != nil {
+		return nil, infraerrors.NotFound("NOT_FOUND", "order not found")
+	}
+	if o.Status == OrderStatusPending || o.Status == OrderStatusExpired {
+		result := s.checkPaid(ctx, o)
+		if result == "already_paid" {
+			o, err = s.entClient.PaymentOrder.Get(ctx, o.ID)
+			if err != nil {
+				return nil, fmt.Errorf("reload order: %w", err)
+			}
+		}
+	}
+	return o, nil
+}
+
 func (s *PaymentService) ExpireTimedOutOrders(ctx context.Context) (int, error) {
 	now := time.Now()
 	orders, err := s.entClient.PaymentOrder.Query().Where(paymentorder.StatusEQ(OrderStatusPending), paymentorder.ExpiresAtLTE(now)).All(ctx)
@@ -471,34 +501,39 @@ func (s *PaymentService) ExpireTimedOutOrders(ctx context.Context) (int, error)
 	}
 	n := 0
 	for _, o := range orders {
-		// Cancel upstream payment (e.g. Stripe PaymentIntent) before marking expired
-		s.cancelUpstreamPayment(ctx, o)
-		c, e := s.entClient.PaymentOrder.Update().Where(paymentorder.IDEQ(o.ID), paymentorder.StatusEQ(OrderStatusPending)).SetStatus(OrderStatusExpired).Save(ctx)
-		if e != nil {
-			slog.Warn("expire failed", "orderID", o.ID, "error", e)
+		// Check upstream payment status before expiring — the user may have
+		// paid just before timeout and the webhook hasn't arrived yet.
+		outcome, _ := s.cancelCore(ctx, o, OrderStatusExpired, "system", "order expired")
+		if outcome == "already_paid" {
+			slog.Info("order was paid during expiry", "orderID", o.ID)
 			continue
 		}
-		if c > 0 {
-			s.writeAuditLog(ctx, o.ID, "ORDER_EXPIRED", "system", map[string]any{"expiresAt": o.ExpiresAt.Format(time.RFC3339)})
+		if outcome != "" {
 			n++
 		}
 	}
 	return n, nil
 }
 
-// cancelUpstreamPayment attempts to cancel the upstream provider payment (e.g. Stripe PaymentIntent).
-func (s *PaymentService) cancelUpstreamPayment(ctx context.Context, o *dbent.PaymentOrder) {
-	if o.PaymentTradeNo == "" || o.PaymentType == "" {
-		return
-	}
-	s.EnsureProviders(ctx)
-	prov, err := s.registry.GetProvider(o.PaymentType)
-	if err != nil {
-		return
-	}
-	if cp, ok := prov.(payment.CancelableProvider); ok {
-		if err := cp.CancelPayment(ctx, o.PaymentTradeNo); err != nil {
-			slog.Warn("cancel upstream payment failed", "orderID", o.ID, "tradeNo", o.PaymentTradeNo, "error", err)
+// getOrderProvider creates a provider using the order's original instance config.
+// Falls back to registry lookup if instance ID is missing (legacy orders).
+func (s *PaymentService) getOrderProvider(ctx context.Context, o *dbent.PaymentOrder) (payment.Provider, error) {
+	if o.ProviderInstanceID != nil && *o.ProviderInstanceID != "" {
+		instID, err := strconv.ParseInt(*o.ProviderInstanceID, 10, 64)
+		if err == nil {
+			cfg, err := s.loadBalancer.GetInstanceConfig(ctx, instID)
+			if err == nil {
+				providerKey := s.registry.GetProviderKey(o.PaymentType)
+				if providerKey == "" {
+					providerKey = o.PaymentType
+				}
+				p, err := provider.CreateProvider(providerKey, *o.ProviderInstanceID, cfg)
+				if err == nil {
+					return p, nil
+				}
+			}
 		}
 	}
+	s.EnsureProviders(ctx)
+	return s.registry.GetProvider(o.PaymentType)
 }
diff --git a/backend/internal/service/payment_refund.go b/backend/internal/service/payment_refund.go
index f3d20509..68f9c697 100644
--- a/backend/internal/service/payment_refund.go
+++ b/backend/internal/service/payment_refund.go
@@ -69,14 +69,18 @@ func (s *PaymentService) PrepareRefund(ctx context.Context, oid int64, amt float
 	if !psSliceContains(ok, o.Status) {
 		return nil, nil, infraerrors.BadRequest("INVALID_STATUS", "order status does not allow refund")
 	}
+	if math.IsNaN(amt) || math.IsInf(amt, 0) {
+		return nil, nil, infraerrors.BadRequest("INVALID_AMOUNT", "invalid refund amount")
+	}
 	if amt <= 0 {
 		amt = o.Amount
 	}
-	if amt > o.Amount {
+	if amt-o.Amount > amountToleranceCNY {
 		return nil, nil, infraerrors.BadRequest("REFUND_AMOUNT_EXCEEDED", "refund amount exceeds recharge")
 	}
+	// Full refund: use actual pay_amount for gateway (includes fees)
 	ga := amt
-	if amt == o.Amount {
+	if math.Abs(amt-o.Amount) <= amountToleranceCNY {
 		ga = o.PayAmount
 	}
 	rr := strings.TrimSpace(reason)
@@ -121,9 +125,16 @@ func (s *PaymentService) ExecuteRefund(ctx context.Context, p *RefundPlan) (*Ref
 		return nil, infraerrors.Conflict("CONFLICT", "order status changed")
 	}
 	if p.DeductionType == payment.DeductionTypeBalance && p.BalanceToDeduct > 0 {
-		if err := s.userRepo.DeductBalance(ctx, p.Order.UserID, p.BalanceToDeduct); err != nil {
-			s.restoreStatus(ctx, p)
-			return nil, fmt.Errorf("deduction: %w", err)
+		// Skip balance deduction on retry if previous attempt already deducted
+		// but failed to roll back (REFUND_ROLLBACK_FAILED in audit log).
+		if !s.hasAuditLog(ctx, p.OrderID, "REFUND_ROLLBACK_FAILED") {
+			if err := s.userRepo.DeductBalance(ctx, p.Order.UserID, p.BalanceToDeduct); err != nil {
+				s.restoreStatus(ctx, p)
+				return nil, fmt.Errorf("deduction: %w", err)
+			}
+		} else {
+			slog.Warn("skipping balance deduction on retry (previous rollback failed)", "orderID", p.OrderID)
+			p.BalanceToDeduct = 0
 		}
 	}
 	if err := s.gwRefund(ctx, p); err != nil {
@@ -137,15 +148,28 @@ func (s *PaymentService) gwRefund(ctx context.Context, p *RefundPlan) error {
 		s.writeAuditLog(ctx, p.Order.ID, "REFUND_NO_TRADE_NO", "admin", map[string]any{"detail": "skipped"})
 		return nil
 	}
-	s.EnsureProviders(ctx)
-	prov, err := s.registry.GetProvider(p.Order.PaymentType)
+
+	// Use the exact provider instance that created this order, not a random one
+	// from the registry. Each instance has its own merchant credentials.
+	prov, err := s.getRefundProvider(ctx, p.Order)
 	if err != nil {
-		return fmt.Errorf("get provider: %w", err)
+		return fmt.Errorf("get refund provider: %w", err)
 	}
-	_, err = prov.Refund(ctx, payment.RefundRequest{TradeNo: p.Order.PaymentTradeNo, OrderID: p.Order.OutTradeNo, Amount: strconv.FormatFloat(p.GatewayAmount, 'f', 2, 64), Reason: p.Reason})
+	_, err = prov.Refund(ctx, payment.RefundRequest{
+		TradeNo: p.Order.PaymentTradeNo,
+		OrderID: p.Order.OutTradeNo,
+		Amount:  strconv.FormatFloat(p.GatewayAmount, 'f', 2, 64),
+		Reason:  p.Reason,
+	})
 	return err
 }
 
+// getRefundProvider creates a provider using the order's original instance config.
+// Delegates to getOrderProvider which handles instance lookup and fallback.
+func (s *PaymentService) getRefundProvider(ctx context.Context, o *dbent.PaymentOrder) (payment.Provider, error) {
+	return s.getOrderProvider(ctx, o)
+}
+
 func (s *PaymentService) handleGwFail(ctx context.Context, p *RefundPlan, gErr error) (*RefundResult, error) {
 	if s.RollbackRefund(ctx, p, gErr) {
 		s.restoreStatus(ctx, p)
diff --git a/frontend/src/views/user/PaymentResultView.vue b/frontend/src/views/user/PaymentResultView.vue
index cf0bf373..3c7df572 100644
--- a/frontend/src/views/user/PaymentResultView.vue
+++ b/frontend/src/views/user/PaymentResultView.vue
@@ -136,14 +136,17 @@ onMounted(async () => {
     }
   }
 
-  // If we have an out_trade_no from a provider return URL, actively verify
-  // the payment with the upstream provider (handles missed notify callbacks)
+  // Verify payment via public endpoint (works without login)
   if (outTradeNo) {
     try {
-      const result = await paymentAPI.verifyOrder(outTradeNo)
+      const result = await paymentAPI.verifyOrderPublic(outTradeNo)
       order.value = result.data
     } catch (_err: unknown) {
-      // Verification failed, fall through to normal order lookup
+      // Public verify failed, try authenticated endpoint if logged in
+      try {
+        const result = await paymentAPI.verifyOrder(outTradeNo)
+        order.value = result.data
+      } catch (_e: unknown) { /* fall through */ }
     }
   }
 

From 1b53ffcac71242840a54ef102977e94e204aefc1 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Sun, 12 Apr 2026 00:02:26 +0800
Subject: [PATCH 025/122] feat(gateway): add web search emulation for Anthropic
 API Key accounts
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Inject web search capability for Claude Console (API Key) accounts that
don't natively support Anthropic's web_search tool. When a pure
web_search request is detected, the gateway calls Brave Search or Tavily
API directly and constructs an Anthropic-protocol-compliant SSE/JSON
response without forwarding to upstream.

Backend:
- New `pkg/websearch/` SDK: Brave and Tavily provider implementations
  with io.LimitReader, proxy support, and Redis-based quota tracking
  (Lua atomic INCR + TTL, DECR rollback on failure)
- Global config via `settings.web_search_emulation_config` (JSON) with
  in-process cache + singleflight, input validation, API key merge on
  save, and sanitized API responses
- Channel-level toggle via `channels.features_config` JSONB column
  (DB migration 101)
- Account-level toggle via `accounts.extra.web_search_emulation`
- Request interception in `Forward()` with SSE streaming response
  construction using json.Marshal (no manual string concatenation)
- Manager hot-reload: `RebuildWebSearchManager()` called on config save
  and startup via `SetWebSearchRedisClient()`
- 70 unit tests covering providers, manager, config validation,
  sanitization, tool detection, query extraction, and response building

Frontend:
- Settings → Gateway tab: Web Search Emulation config card with global
  toggle, provider list (add/remove, API key, priority, quota, proxy)
- Channels → Anthropic tab: web search emulation toggle with global
  state linkage (disabled when global off)
- Account Create/Edit modals: web search emulation toggle for API Key
  type with Toggle component
- Full i18n coverage (zh + en)
---
 .../internal/handler/admin/channel_handler.go |   6 +
 .../internal/handler/admin/setting_handler.go |  35 +
 backend/internal/handler/dto/settings.go      |   3 +
 backend/internal/pkg/websearch/brave.go       | 106 ++
 backend/internal/pkg/websearch/brave_test.go  | 119 +++
 backend/internal/pkg/websearch/helpers.go     |  14 +
 .../internal/pkg/websearch/helpers_test.go    |  25 +
 backend/internal/pkg/websearch/manager.go     | 273 ++++++
 .../internal/pkg/websearch/manager_test.go    | 149 +++
 backend/internal/pkg/websearch/provider.go    |  11 +
 backend/internal/pkg/websearch/tavily.go      | 107 ++
 backend/internal/pkg/websearch/tavily_test.go |  63 ++
 backend/internal/pkg/websearch/types.go       |  30 +
 backend/internal/repository/channel_repo.go   |  90 +-
 backend/internal/server/routes/admin.go       |   3 +
 backend/internal/service/account.go           |  19 +-
 .../service/account_websearch_test.go         |  71 ++
 backend/internal/service/channel.go           |  15 +
 backend/internal/service/channel_service.go   | 389 +++++---
 .../service/channel_websearch_test.go         |  62 ++
 backend/internal/service/domain_constants.go  |   4 +
 backend/internal/service/gateway_service.go   |   5 +
 .../service/gateway_websearch_emulation.go    | 358 +++++++
 .../gateway_websearch_emulation_test.go       | 142 +++
 backend/internal/service/setting_service.go   |  10 +
 backend/internal/service/settings_view.go     |   3 +
 backend/internal/service/websearch_config.go  | 253 +++++
 .../internal/service/websearch_config_test.go | 148 +++
 .../101_add_channel_features_config.sql       |   2 +
 frontend/src/api/admin/channels.ts            |   3 +
 frontend/src/api/admin/settings.ts            |  40 +-
 .../components/account/CreateAccountModal.vue |  26 +
 .../components/account/EditAccountModal.vue   |  90 +-
 frontend/src/i18n/locales/en.ts               |  33 +-
 frontend/src/i18n/locales/zh.ts               |  33 +-
 frontend/src/views/admin/ChannelsView.vue     |  94 +-
 frontend/src/views/admin/SettingsView.vue     | 911 +++++++++++++++++-
 37 files changed, 3507 insertions(+), 238 deletions(-)
 create mode 100644 backend/internal/pkg/websearch/brave.go
 create mode 100644 backend/internal/pkg/websearch/brave_test.go
 create mode 100644 backend/internal/pkg/websearch/helpers.go
 create mode 100644 backend/internal/pkg/websearch/helpers_test.go
 create mode 100644 backend/internal/pkg/websearch/manager.go
 create mode 100644 backend/internal/pkg/websearch/manager_test.go
 create mode 100644 backend/internal/pkg/websearch/provider.go
 create mode 100644 backend/internal/pkg/websearch/tavily.go
 create mode 100644 backend/internal/pkg/websearch/tavily_test.go
 create mode 100644 backend/internal/pkg/websearch/types.go
 create mode 100644 backend/internal/service/account_websearch_test.go
 create mode 100644 backend/internal/service/channel_websearch_test.go
 create mode 100644 backend/internal/service/gateway_websearch_emulation.go
 create mode 100644 backend/internal/service/gateway_websearch_emulation_test.go
 create mode 100644 backend/internal/service/websearch_config.go
 create mode 100644 backend/internal/service/websearch_config_test.go
 create mode 100644 backend/migrations/101_add_channel_features_config.sql

diff --git a/backend/internal/handler/admin/channel_handler.go b/backend/internal/handler/admin/channel_handler.go
index d6022283..9cefc792 100644
--- a/backend/internal/handler/admin/channel_handler.go
+++ b/backend/internal/handler/admin/channel_handler.go
@@ -34,6 +34,7 @@ type createChannelRequest struct {
 	BillingModelSource string                       `json:"billing_model_source" binding:"omitempty,oneof=requested upstream channel_mapped"`
 	RestrictModels     bool                         `json:"restrict_models"`
 	Features           string                       `json:"features"`
+	FeaturesConfig     map[string]any               `json:"features_config"`
 }
 
 type updateChannelRequest struct {
@@ -46,6 +47,7 @@ type updateChannelRequest struct {
 	BillingModelSource string                        `json:"billing_model_source" binding:"omitempty,oneof=requested upstream channel_mapped"`
 	RestrictModels     *bool                         `json:"restrict_models"`
 	Features           *string                       `json:"features"`
+	FeaturesConfig     map[string]any                `json:"features_config"`
 }
 
 type channelModelPricingRequest struct {
@@ -81,6 +83,7 @@ type channelResponse struct {
 	BillingModelSource string                        `json:"billing_model_source"`
 	RestrictModels     bool                          `json:"restrict_models"`
 	Features           string                        `json:"features"`
+	FeaturesConfig     map[string]any                `json:"features_config"`
 	GroupIDs           []int64                       `json:"group_ids"`
 	ModelPricing       []channelModelPricingResponse `json:"model_pricing"`
 	ModelMapping       map[string]map[string]string  `json:"model_mapping"`
@@ -126,6 +129,7 @@ func channelToResponse(ch *service.Channel) *channelResponse {
 		Status:         ch.Status,
 		RestrictModels: ch.RestrictModels,
 		Features:       ch.Features,
+		FeaturesConfig: ch.FeaturesConfig,
 		GroupIDs:       ch.GroupIDs,
 		ModelMapping:   ch.ModelMapping,
 		CreatedAt:      ch.CreatedAt.Format("2006-01-02T15:04:05Z"),
@@ -305,6 +309,7 @@ func (h *ChannelHandler) Create(c *gin.Context) {
 		BillingModelSource: req.BillingModelSource,
 		RestrictModels:     req.RestrictModels,
 		Features:           req.Features,
+		FeaturesConfig:     req.FeaturesConfig,
 	})
 	if err != nil {
 		response.ErrorFrom(c, err)
@@ -338,6 +343,7 @@ func (h *ChannelHandler) Update(c *gin.Context) {
 		BillingModelSource: req.BillingModelSource,
 		RestrictModels:     req.RestrictModels,
 		Features:           req.Features,
+		FeaturesConfig:     req.FeaturesConfig,
 	}
 	if req.ModelPricing != nil {
 		pricing := pricingRequestToService(*req.ModelPricing)
diff --git a/backend/internal/handler/admin/setting_handler.go b/backend/internal/handler/admin/setting_handler.go
index ba751131..031b819a 100644
--- a/backend/internal/handler/admin/setting_handler.go
+++ b/backend/internal/handler/admin/setting_handler.go
@@ -175,6 +175,7 @@ func (h *SettingHandler) GetSettings(c *gin.Context) {
 		EnableFingerprintUnification:         settings.EnableFingerprintUnification,
 		EnableMetadataPassthrough:            settings.EnableMetadataPassthrough,
 		EnableCCHSigning:                     settings.EnableCCHSigning,
+		WebSearchEmulationEnabled:            settings.WebSearchEmulationEnabled,
 		PaymentEnabled:                       paymentCfg.Enabled,
 		PaymentMinAmount:                     paymentCfg.MinAmount,
 		PaymentMaxAmount:                     paymentCfg.MaxAmount,
@@ -1847,3 +1848,37 @@ func (h *SettingHandler) UpdateStreamTimeoutSettings(c *gin.Context) {
 		ThresholdWindowMinutes: updatedSettings.ThresholdWindowMinutes,
 	})
 }
+
+// GetWebSearchEmulationConfig 获取 Web Search 模拟配置
+// GET /api/v1/admin/settings/web-search-emulation
+func (h *SettingHandler) GetWebSearchEmulationConfig(c *gin.Context) {
+	cfg, err := h.settingService.GetWebSearchEmulationConfig(c.Request.Context())
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+	response.Success(c, service.SanitizeWebSearchConfig(cfg))
+}
+
+// UpdateWebSearchEmulationConfig 更新 Web Search 模拟配置
+// PUT /api/v1/admin/settings/web-search-emulation
+func (h *SettingHandler) UpdateWebSearchEmulationConfig(c *gin.Context) {
+	var cfg service.WebSearchEmulationConfig
+	if err := c.ShouldBindJSON(&cfg); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	if err := h.settingService.SaveWebSearchEmulationConfig(c.Request.Context(), &cfg); err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	// Re-read (with sanitized api keys) to return current state
+	updated, err := h.settingService.GetWebSearchEmulationConfig(c.Request.Context())
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+	response.Success(c, service.SanitizeWebSearchConfig(updated))
+}
diff --git a/backend/internal/handler/dto/settings.go b/backend/internal/handler/dto/settings.go
index cbbe9216..0433d692 100644
--- a/backend/internal/handler/dto/settings.go
+++ b/backend/internal/handler/dto/settings.go
@@ -124,6 +124,9 @@ type SystemSettings struct {
 	EnableMetadataPassthrough    bool `json:"enable_metadata_passthrough"`
 	EnableCCHSigning             bool `json:"enable_cch_signing"`
 
+	// Web Search Emulation
+	WebSearchEmulationEnabled bool `json:"web_search_emulation_enabled"`
+
 	// Payment configuration
 	PaymentEnabled           bool     `json:"payment_enabled"`
 	PaymentMinAmount         float64  `json:"payment_min_amount"`
diff --git a/backend/internal/pkg/websearch/brave.go b/backend/internal/pkg/websearch/brave.go
new file mode 100644
index 00000000..5620ca8d
--- /dev/null
+++ b/backend/internal/pkg/websearch/brave.go
@@ -0,0 +1,106 @@
+package websearch
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"strconv"
+)
+
+const (
+	braveSearchEndpoint = "https://api.search.brave.com/res/v1/web/search"
+	braveMaxCount       = 20
+	braveProviderName   = "brave"
+)
+
+// braveSearchURL is pre-parsed at init time; url.Parse cannot fail on a constant literal.
+var braveSearchURL, _ = url.Parse(braveSearchEndpoint) //nolint:errcheck
+
+// BraveProvider implements web search via the Brave Search API.
+type BraveProvider struct {
+	apiKey     string
+	httpClient *http.Client
+}
+
+// NewBraveProvider creates a Brave Search provider.
+// The caller is responsible for configuring the http.Client with proxy/timeouts.
+func NewBraveProvider(apiKey string, httpClient *http.Client) *BraveProvider {
+	if httpClient == nil {
+		httpClient = http.DefaultClient
+	}
+	return &BraveProvider{apiKey: apiKey, httpClient: httpClient}
+}
+
+func (b *BraveProvider) Name() string { return braveProviderName }
+
+func (b *BraveProvider) Search(ctx context.Context, req SearchRequest) (*SearchResponse, error) {
+	count := req.MaxResults
+	if count <= 0 {
+		count = defaultMaxResults
+	}
+	if count > braveMaxCount {
+		count = braveMaxCount
+	}
+
+	u := *braveSearchURL // copy the pre-parsed URL
+	q := u.Query()
+	q.Set("q", req.Query)
+	q.Set("count", strconv.Itoa(count))
+	u.RawQuery = q.Encode()
+
+	httpReq, err := http.NewRequestWithContext(ctx, http.MethodGet, u.String(), nil)
+	if err != nil {
+		return nil, fmt.Errorf("brave: build request: %w", err)
+	}
+	httpReq.Header.Set("X-Subscription-Token", b.apiKey)
+	httpReq.Header.Set("Accept", "application/json")
+
+	resp, err := b.httpClient.Do(httpReq)
+	if err != nil {
+		return nil, fmt.Errorf("brave: request failed: %w", err)
+	}
+	defer resp.Body.Close()
+
+	body, err := io.ReadAll(io.LimitReader(resp.Body, maxResponseSize))
+	if err != nil {
+		return nil, fmt.Errorf("brave: read body: %w", err)
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("brave: status %d: %s", resp.StatusCode, truncateBody(body))
+	}
+
+	var raw braveResponse
+	if err := json.Unmarshal(body, &raw); err != nil {
+		return nil, fmt.Errorf("brave: decode response: %w", err)
+	}
+
+	results := make([]SearchResult, 0, len(raw.Web.Results))
+	for _, r := range raw.Web.Results {
+		results = append(results, SearchResult{
+			URL:     r.URL,
+			Title:   r.Title,
+			Snippet: r.Description,
+			PageAge: r.Age,
+		})
+	}
+
+	return &SearchResponse{Results: results, Query: req.Query}, nil
+}
+
+// braveResponse is the minimal structure of the Brave Search API response.
+type braveResponse struct {
+	Web struct {
+		Results []braveResult `json:"results"`
+	} `json:"web"`
+}
+
+type braveResult struct {
+	URL         string `json:"url"`
+	Title       string `json:"title"`
+	Description string `json:"description"`
+	Age         string `json:"age"`
+}
diff --git a/backend/internal/pkg/websearch/brave_test.go b/backend/internal/pkg/websearch/brave_test.go
new file mode 100644
index 00000000..3fe35020
--- /dev/null
+++ b/backend/internal/pkg/websearch/brave_test.go
@@ -0,0 +1,119 @@
+package websearch
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestBraveProvider_Name(t *testing.T) {
+	p := NewBraveProvider("key", nil)
+	require.Equal(t, "brave", p.Name())
+}
+
+func TestBraveProvider_Search_Success(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		require.Equal(t, "test-key", r.Header.Get("X-Subscription-Token"))
+		require.Equal(t, "application/json", r.Header.Get("Accept"))
+		require.Equal(t, "golang", r.URL.Query().Get("q"))
+		require.Equal(t, "3", r.URL.Query().Get("count"))
+
+		resp := braveResponse{}
+		resp.Web.Results = []braveResult{
+			{URL: "https://go.dev", Title: "Go", Description: "Go lang", Age: "1 day"},
+			{URL: "https://pkg.go.dev", Title: "Pkg", Description: "Packages"},
+			{URL: "https://tour.go.dev", Title: "Tour", Description: "A Tour of Go", Age: "3 days"},
+		}
+		w.Header().Set("Content-Type", "application/json")
+		json.NewEncoder(w).Encode(resp)
+	}))
+	defer srv.Close()
+
+	p := NewBraveProvider("test-key", srv.Client())
+	// Override the endpoint for testing
+	origURL := *braveSearchURL
+	u, _ := http.NewRequest("GET", srv.URL, nil)
+	*braveSearchURL = *u.URL
+	defer func() { *braveSearchURL = origURL }()
+
+	resp, err := p.Search(context.Background(), SearchRequest{Query: "golang", MaxResults: 3})
+	require.NoError(t, err)
+	require.Len(t, resp.Results, 3)
+	require.Equal(t, "https://go.dev", resp.Results[0].URL)
+	require.Equal(t, "Go lang", resp.Results[0].Snippet)
+	require.Equal(t, "1 day", resp.Results[0].PageAge)
+}
+
+func TestBraveProvider_Search_DefaultMaxResults(t *testing.T) {
+	var receivedCount string
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		receivedCount = r.URL.Query().Get("count")
+		resp := braveResponse{}
+		json.NewEncoder(w).Encode(resp)
+	}))
+	defer srv.Close()
+
+	p := NewBraveProvider("key", srv.Client())
+	origURL := *braveSearchURL
+	u, _ := http.NewRequest("GET", srv.URL, nil)
+	*braveSearchURL = *u.URL
+	defer func() { *braveSearchURL = origURL }()
+
+	_, _ = p.Search(context.Background(), SearchRequest{Query: "test", MaxResults: 0})
+	require.Equal(t, "5", receivedCount)
+}
+
+func TestBraveProvider_Search_HTTPError(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		w.WriteHeader(429)
+		w.Write([]byte("rate limited"))
+	}))
+	defer srv.Close()
+
+	p := NewBraveProvider("key", srv.Client())
+	origURL := *braveSearchURL
+	u, _ := http.NewRequest("GET", srv.URL, nil)
+	*braveSearchURL = *u.URL
+	defer func() { *braveSearchURL = origURL }()
+
+	_, err := p.Search(context.Background(), SearchRequest{Query: "test"})
+	require.ErrorContains(t, err, "brave: status 429")
+}
+
+func TestBraveProvider_Search_InvalidJSON(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		w.Write([]byte("not json"))
+	}))
+	defer srv.Close()
+
+	p := NewBraveProvider("key", srv.Client())
+	origURL := *braveSearchURL
+	u, _ := http.NewRequest("GET", srv.URL, nil)
+	*braveSearchURL = *u.URL
+	defer func() { *braveSearchURL = origURL }()
+
+	_, err := p.Search(context.Background(), SearchRequest{Query: "test"})
+	require.ErrorContains(t, err, "brave: decode response")
+}
+
+func TestBraveProvider_Search_EmptyResults(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		resp := braveResponse{}
+		json.NewEncoder(w).Encode(resp)
+	}))
+	defer srv.Close()
+
+	p := NewBraveProvider("key", srv.Client())
+	origURL := *braveSearchURL
+	u, _ := http.NewRequest("GET", srv.URL, nil)
+	*braveSearchURL = *u.URL
+	defer func() { *braveSearchURL = origURL }()
+
+	resp, err := p.Search(context.Background(), SearchRequest{Query: "test"})
+	require.NoError(t, err)
+	require.Empty(t, resp.Results)
+}
diff --git a/backend/internal/pkg/websearch/helpers.go b/backend/internal/pkg/websearch/helpers.go
new file mode 100644
index 00000000..0d08b749
--- /dev/null
+++ b/backend/internal/pkg/websearch/helpers.go
@@ -0,0 +1,14 @@
+package websearch
+
+const (
+	maxResponseSize   = 1 << 20 // 1 MB
+	errorBodyTruncLen = 200
+)
+
+// truncateBody returns a truncated string of body for error messages.
+func truncateBody(body []byte) string {
+	if len(body) <= errorBodyTruncLen {
+		return string(body)
+	}
+	return string(body[:errorBodyTruncLen]) + "...(truncated)"
+}
diff --git a/backend/internal/pkg/websearch/helpers_test.go b/backend/internal/pkg/websearch/helpers_test.go
new file mode 100644
index 00000000..e3164329
--- /dev/null
+++ b/backend/internal/pkg/websearch/helpers_test.go
@@ -0,0 +1,25 @@
+package websearch
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestTruncateBody_Short(t *testing.T) {
+	body := []byte("short body")
+	require.Equal(t, "short body", truncateBody(body))
+}
+
+func TestTruncateBody_Long(t *testing.T) {
+	body := []byte(strings.Repeat("x", 500))
+	result := truncateBody(body)
+	require.Len(t, result, errorBodyTruncLen+len("...(truncated)"))
+	require.True(t, strings.HasSuffix(result, "...(truncated)"))
+}
+
+func TestTruncateBody_ExactBoundary(t *testing.T) {
+	body := []byte(strings.Repeat("x", errorBodyTruncLen))
+	require.Equal(t, string(body), truncateBody(body))
+}
diff --git a/backend/internal/pkg/websearch/manager.go b/backend/internal/pkg/websearch/manager.go
new file mode 100644
index 00000000..95da70e4
--- /dev/null
+++ b/backend/internal/pkg/websearch/manager.go
@@ -0,0 +1,273 @@
+package websearch
+
+import (
+	"context"
+	"crypto/tls"
+	"fmt"
+	"log/slog"
+	"net/http"
+	"net/url"
+	"sort"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/redis/go-redis/v9"
+)
+
+// Quota refresh interval constants.
+const (
+	QuotaRefreshDaily   = "daily"
+	QuotaRefreshWeekly  = "weekly"
+	QuotaRefreshMonthly = "monthly"
+)
+
+// ProviderConfig holds the configuration for a single search provider.
+type ProviderConfig struct {
+	Type                 string `json:"type"`                   // ProviderTypeBrave | ProviderTypeTavily
+	APIKey               string `json:"api_key"`                // secret
+	Priority             int    `json:"priority"`               // lower = higher priority
+	QuotaLimit           int64  `json:"quota_limit"`            // 0 = unlimited
+	QuotaRefreshInterval string `json:"quota_refresh_interval"` // QuotaRefreshDaily / Weekly / Monthly
+	ProxyURL             string `json:"-"`                      // resolved proxy URL (not persisted)
+	ExpiresAt            *int64 `json:"expires_at,omitempty"`   // optional expiration (unix seconds)
+}
+
+// Manager selects providers by priority and tracks quota via Redis.
+type Manager struct {
+	configs []ProviderConfig
+	redis   *redis.Client
+
+	clientMu    sync.Mutex
+	clientCache map[string]*http.Client
+}
+
+const (
+	quotaKeyPrefix       = "websearch:quota:"
+	searchRequestTimeout = 30 * time.Second
+	quotaTTLBuffer       = 24 * time.Hour
+	maxCachedClients     = 100
+)
+
+// quotaIncrScript atomically increments the counter and sets TTL on first creation.
+// KEYS[1] = quota key, ARGV[1] = TTL in seconds.
+// Returns the new counter value.
+var quotaIncrScript = redis.NewScript(`
+local val = redis.call('INCR', KEYS[1])
+if val == 1 then
+  redis.call('EXPIRE', KEYS[1], ARGV[1])
+else
+  -- Defensive: ensure TTL exists even if a prior EXPIRE failed
+  local ttl = redis.call('TTL', KEYS[1])
+  if ttl == -1 then
+    redis.call('EXPIRE', KEYS[1], ARGV[1])
+  end
+end
+return val
+`)
+
+// NewManager creates a Manager with the given provider configs and Redis client.
+func NewManager(configs []ProviderConfig, redisClient *redis.Client) *Manager {
+	sorted := make([]ProviderConfig, len(configs))
+	copy(sorted, configs)
+	sort.Slice(sorted, func(i, j int) bool {
+		return sorted[i].Priority < sorted[j].Priority
+	})
+	return &Manager{
+		configs:     sorted,
+		redis:       redisClient,
+		clientCache: make(map[string]*http.Client),
+	}
+}
+
+// SearchWithBestProvider selects the highest-priority available provider,
+// reserves quota, executes the search, and rolls back quota on failure.
+func (m *Manager) SearchWithBestProvider(ctx context.Context, req SearchRequest) (*SearchResponse, string, error) {
+	if strings.TrimSpace(req.Query) == "" {
+		return nil, "", fmt.Errorf("websearch: empty search query")
+	}
+	for _, cfg := range m.configs {
+		if !m.isProviderAvailable(cfg) {
+			continue
+		}
+		allowed, incremented := m.tryReserveQuota(ctx, cfg)
+		if !allowed {
+			continue
+		}
+		resp, err := m.executeSearch(ctx, cfg, req)
+		if err != nil {
+			if incremented {
+				m.rollbackQuota(ctx, cfg)
+			}
+			slog.Warn("websearch: provider search failed",
+				"provider", cfg.Type, "error", err)
+			continue
+		}
+		return resp, cfg.Type, nil
+	}
+	return nil, "", fmt.Errorf("websearch: no available provider (all exhausted or failed)")
+}
+
+func (m *Manager) isProviderAvailable(cfg ProviderConfig) bool {
+	if cfg.APIKey == "" {
+		return false
+	}
+	if cfg.ExpiresAt != nil && time.Now().Unix() > *cfg.ExpiresAt {
+		slog.Info("websearch: provider expired, skipping",
+			"provider", cfg.Type, "expires_at", *cfg.ExpiresAt)
+		return false
+	}
+	return true
+}
+
+// tryReserveQuota atomically increments the counter via Lua script and checks limit.
+// Returns (allowed, incremented): allowed=true means the request may proceed;
+// incremented=true means the Redis counter was actually incremented (so rollback is needed on failure).
+func (m *Manager) tryReserveQuota(ctx context.Context, cfg ProviderConfig) (bool, bool) {
+	if cfg.QuotaLimit <= 0 {
+		return true, false // unlimited, no INCR
+	}
+	if m.redis == nil {
+		slog.Warn("websearch: Redis unavailable, quota check skipped",
+			"provider", cfg.Type)
+		return true, false // allowed but not incremented
+	}
+	key := quotaRedisKey(cfg.Type, cfg.QuotaRefreshInterval)
+	ttlSec := int(quotaTTL(cfg.QuotaRefreshInterval).Seconds())
+
+	newVal, err := quotaIncrScript.Run(ctx, m.redis, []string{key}, ttlSec).Int64()
+	if err != nil {
+		slog.Warn("websearch: quota Lua INCR failed, allowing request",
+			"provider", cfg.Type, "error", err)
+		return true, false // allowed but not incremented
+	}
+	if newVal > cfg.QuotaLimit {
+		if decrErr := m.redis.Decr(ctx, key).Err(); decrErr != nil {
+			slog.Warn("websearch: quota over-limit DECR failed",
+				"provider", cfg.Type, "error", decrErr)
+		}
+		slog.Info("websearch: provider quota exhausted",
+			"provider", cfg.Type, "used", newVal, "limit", cfg.QuotaLimit)
+		return false, false // rejected, already rolled back
+	}
+	return true, true // allowed and incremented
+}
+
+// rollbackQuota decrements the counter after a search failure.
+func (m *Manager) rollbackQuota(ctx context.Context, cfg ProviderConfig) {
+	if cfg.QuotaLimit <= 0 || m.redis == nil {
+		return
+	}
+	key := quotaRedisKey(cfg.Type, cfg.QuotaRefreshInterval)
+	if err := m.redis.Decr(ctx, key).Err(); err != nil {
+		slog.Warn("websearch: quota rollback DECR failed",
+			"provider", cfg.Type, "error", err)
+	}
+}
+
+func (m *Manager) executeSearch(ctx context.Context, cfg ProviderConfig, req SearchRequest) (*SearchResponse, error) {
+	proxyURL := cfg.ProxyURL
+	if req.ProxyURL != "" {
+		proxyURL = req.ProxyURL
+	}
+	client := m.getOrCreateHTTPClient(proxyURL)
+	provider := m.buildProvider(cfg, client)
+	return provider.Search(ctx, req)
+}
+
+// GetUsage returns the current usage count for the given provider.
+func (m *Manager) GetUsage(ctx context.Context, providerType, refreshInterval string) (int64, error) {
+	if m.redis == nil {
+		return 0, nil
+	}
+	key := quotaRedisKey(providerType, refreshInterval)
+	val, err := m.redis.Get(ctx, key).Int64()
+	if err == redis.Nil {
+		return 0, nil
+	}
+	return val, err
+}
+
+// GetAllUsage returns usage for every configured provider.
+func (m *Manager) GetAllUsage(ctx context.Context) map[string]int64 {
+	result := make(map[string]int64, len(m.configs))
+	for _, cfg := range m.configs {
+		used, _ := m.GetUsage(ctx, cfg.Type, cfg.QuotaRefreshInterval)
+		result[cfg.Type] = used
+	}
+	return result
+}
+
+// --- HTTP client cache (bounded) ---
+
+func (m *Manager) getOrCreateHTTPClient(proxyURL string) *http.Client {
+	m.clientMu.Lock()
+	defer m.clientMu.Unlock()
+
+	if c, ok := m.clientCache[proxyURL]; ok {
+		return c
+	}
+	if len(m.clientCache) >= maxCachedClients {
+		m.clientCache = make(map[string]*http.Client) // evict all
+	}
+	c := newHTTPClient(proxyURL)
+	m.clientCache[proxyURL] = c
+	return c
+}
+
+func newHTTPClient(proxyURL string) *http.Client {
+	transport := &http.Transport{
+		TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12},
+	}
+	if proxyURL != "" {
+		if u, err := url.Parse(proxyURL); err == nil {
+			transport.Proxy = http.ProxyURL(u)
+		}
+	}
+	return &http.Client{Transport: transport, Timeout: searchRequestTimeout}
+}
+
+// --- Provider factory ---
+
+func (m *Manager) buildProvider(cfg ProviderConfig, client *http.Client) Provider {
+	switch cfg.Type {
+	case braveProviderName:
+		return NewBraveProvider(cfg.APIKey, client)
+	case tavilyProviderName:
+		return NewTavilyProvider(cfg.APIKey, client)
+	default:
+		slog.Warn("websearch: unknown provider type, falling back to brave",
+			"type", cfg.Type)
+		return NewBraveProvider(cfg.APIKey, client)
+	}
+}
+
+// --- Redis key helpers ---
+
+func quotaRedisKey(providerType, refreshInterval string) string {
+	return quotaKeyPrefix + providerType + ":" + periodKey(refreshInterval)
+}
+
+func periodKey(refreshInterval string) string {
+	now := time.Now().UTC()
+	switch refreshInterval {
+	case QuotaRefreshDaily:
+		return now.Format("2006-01-02")
+	case QuotaRefreshWeekly:
+		year, week := now.ISOWeek()
+		return fmt.Sprintf("%d-W%02d", year, week)
+	default: // QuotaRefreshMonthly
+		return now.Format("2006-01")
+	}
+}
+
+func quotaTTL(refreshInterval string) time.Duration {
+	switch refreshInterval {
+	case QuotaRefreshDaily:
+		return 24*time.Hour + quotaTTLBuffer
+	case QuotaRefreshWeekly:
+		return 7*24*time.Hour + quotaTTLBuffer
+	default:
+		return 31*24*time.Hour + quotaTTLBuffer
+	}
+}
diff --git a/backend/internal/pkg/websearch/manager_test.go b/backend/internal/pkg/websearch/manager_test.go
new file mode 100644
index 00000000..4387a2ee
--- /dev/null
+++ b/backend/internal/pkg/websearch/manager_test.go
@@ -0,0 +1,149 @@
+package websearch
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestNewManager_SortsByPriority(t *testing.T) {
+	configs := []ProviderConfig{
+		{Type: "brave", APIKey: "k3", Priority: 30},
+		{Type: "tavily", APIKey: "k1", Priority: 10},
+	}
+	m := NewManager(configs, nil)
+	require.Equal(t, 10, m.configs[0].Priority)
+	require.Equal(t, 30, m.configs[1].Priority)
+}
+
+func TestManager_SearchWithBestProvider_EmptyQuery(t *testing.T) {
+	m := NewManager([]ProviderConfig{{Type: "brave", APIKey: "k"}}, nil)
+	_, _, err := m.SearchWithBestProvider(context.Background(), SearchRequest{Query: ""})
+	require.ErrorContains(t, err, "empty search query")
+
+	_, _, err = m.SearchWithBestProvider(context.Background(), SearchRequest{Query: "   "})
+	require.ErrorContains(t, err, "empty search query")
+}
+
+func TestManager_SearchWithBestProvider_SkipEmptyAPIKey(t *testing.T) {
+	m := NewManager([]ProviderConfig{{Type: "brave", APIKey: ""}}, nil)
+	_, _, err := m.SearchWithBestProvider(context.Background(), SearchRequest{Query: "test"})
+	require.ErrorContains(t, err, "no available provider")
+}
+
+func TestManager_SearchWithBestProvider_SkipExpired(t *testing.T) {
+	past := time.Now().Add(-1 * time.Hour).Unix()
+	m := NewManager([]ProviderConfig{
+		{Type: "brave", APIKey: "k", ExpiresAt: &past},
+	}, nil)
+	_, _, err := m.SearchWithBestProvider(context.Background(), SearchRequest{Query: "test"})
+	require.ErrorContains(t, err, "no available provider")
+}
+
+func TestManager_SearchWithBestProvider_PriorityOrder(t *testing.T) {
+	// Create two mock servers that return different results
+	srvBrave := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		resp := braveResponse{}
+		resp.Web.Results = []braveResult{{URL: "https://brave.com", Title: "Brave", Description: "from brave"}}
+		json.NewEncoder(w).Encode(resp)
+	}))
+	defer srvBrave.Close()
+
+	// Override brave endpoint for test
+	origURL := *braveSearchURL
+	u, _ := http.NewRequest("GET", srvBrave.URL, nil)
+	*braveSearchURL = *u.URL
+	defer func() { *braveSearchURL = origURL }()
+
+	m := NewManager([]ProviderConfig{
+		{Type: "brave", APIKey: "k1", Priority: 1},
+		{Type: "tavily", APIKey: "k2", Priority: 2},
+	}, nil)
+	// Inject the test server's client
+	m.clientCache[srvBrave.URL] = srvBrave.Client()
+	m.clientCache[""] = srvBrave.Client()
+
+	resp, providerName, err := m.SearchWithBestProvider(context.Background(), SearchRequest{Query: "test"})
+	require.NoError(t, err)
+	require.Equal(t, "brave", providerName)
+	require.Len(t, resp.Results, 1)
+	require.Equal(t, "from brave", resp.Results[0].Snippet)
+}
+
+func TestManager_SearchWithBestProvider_NilRedis(t *testing.T) {
+	// With nil Redis, quota check is skipped (always allowed)
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		resp := braveResponse{}
+		resp.Web.Results = []braveResult{{URL: "https://test.com", Title: "Test", Description: "result"}}
+		json.NewEncoder(w).Encode(resp)
+	}))
+	defer srv.Close()
+
+	origURL := *braveSearchURL
+	u, _ := http.NewRequest("GET", srv.URL, nil)
+	*braveSearchURL = *u.URL
+	defer func() { *braveSearchURL = origURL }()
+
+	m := NewManager([]ProviderConfig{
+		{Type: "brave", APIKey: "k", Priority: 1, QuotaLimit: 100},
+	}, nil) // nil Redis
+	m.clientCache[""] = srv.Client()
+
+	resp, _, err := m.SearchWithBestProvider(context.Background(), SearchRequest{Query: "test"})
+	require.NoError(t, err)
+	require.Len(t, resp.Results, 1)
+}
+
+func TestManager_GetUsage_NilRedis(t *testing.T) {
+	m := NewManager(nil, nil)
+	used, err := m.GetUsage(context.Background(), "brave", "monthly")
+	require.NoError(t, err)
+	require.Equal(t, int64(0), used)
+}
+
+func TestManager_GetAllUsage_NilRedis(t *testing.T) {
+	m := NewManager([]ProviderConfig{
+		{Type: "brave", QuotaRefreshInterval: "monthly"},
+	}, nil)
+	usage := m.GetAllUsage(context.Background())
+	require.Equal(t, int64(0), usage["brave"])
+}
+
+// --- Key/TTL helpers ---
+
+func TestQuotaTTL_Daily(t *testing.T) {
+	require.Equal(t, 24*time.Hour+quotaTTLBuffer, quotaTTL(QuotaRefreshDaily))
+}
+
+func TestQuotaTTL_Weekly(t *testing.T) {
+	require.Equal(t, 7*24*time.Hour+quotaTTLBuffer, quotaTTL(QuotaRefreshWeekly))
+}
+
+func TestQuotaTTL_Monthly(t *testing.T) {
+	require.Equal(t, 31*24*time.Hour+quotaTTLBuffer, quotaTTL(QuotaRefreshMonthly))
+}
+
+func TestPeriodKey_Daily(t *testing.T) {
+	key := periodKey(QuotaRefreshDaily)
+	require.Regexp(t, `^\d{4}-\d{2}-\d{2}$`, key)
+}
+
+func TestPeriodKey_Weekly(t *testing.T) {
+	key := periodKey(QuotaRefreshWeekly)
+	require.Regexp(t, `^\d{4}-W\d{2}$`, key)
+}
+
+func TestPeriodKey_Monthly(t *testing.T) {
+	key := periodKey(QuotaRefreshMonthly)
+	require.Regexp(t, `^\d{4}-\d{2}$`, key)
+}
+
+func TestQuotaRedisKey_Format(t *testing.T) {
+	key := quotaRedisKey("brave", QuotaRefreshDaily)
+	require.Contains(t, key, "websearch:quota:brave:")
+}
diff --git a/backend/internal/pkg/websearch/provider.go b/backend/internal/pkg/websearch/provider.go
new file mode 100644
index 00000000..3424c056
--- /dev/null
+++ b/backend/internal/pkg/websearch/provider.go
@@ -0,0 +1,11 @@
+package websearch
+
+import "context"
+
+// Provider is the interface every search backend must implement.
+type Provider interface {
+	// Name returns the provider identifier ("brave" or "tavily").
+	Name() string
+	// Search executes a web search and returns results.
+	Search(ctx context.Context, req SearchRequest) (*SearchResponse, error)
+}
diff --git a/backend/internal/pkg/websearch/tavily.go b/backend/internal/pkg/websearch/tavily.go
new file mode 100644
index 00000000..6ac09edf
--- /dev/null
+++ b/backend/internal/pkg/websearch/tavily.go
@@ -0,0 +1,107 @@
+package websearch
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+)
+
+const (
+	tavilySearchEndpoint   = "https://api.tavily.com/search"
+	tavilyProviderName     = "tavily"
+	tavilySearchDepthBasic = "basic"
+)
+
+// TavilyProvider implements web search via the Tavily Search API.
+type TavilyProvider struct {
+	apiKey     string
+	httpClient *http.Client
+}
+
+// NewTavilyProvider creates a Tavily Search provider.
+// The caller is responsible for configuring the http.Client with proxy/timeouts.
+func NewTavilyProvider(apiKey string, httpClient *http.Client) *TavilyProvider {
+	if httpClient == nil {
+		httpClient = http.DefaultClient
+	}
+	return &TavilyProvider{apiKey: apiKey, httpClient: httpClient}
+}
+
+func (t *TavilyProvider) Name() string { return tavilyProviderName }
+
+func (t *TavilyProvider) Search(ctx context.Context, req SearchRequest) (*SearchResponse, error) {
+	maxResults := req.MaxResults
+	if maxResults <= 0 {
+		maxResults = defaultMaxResults
+	}
+
+	payload := tavilyRequest{
+		APIKey:      t.apiKey,
+		Query:       req.Query,
+		MaxResults:  maxResults,
+		SearchDepth: tavilySearchDepthBasic,
+	}
+
+	bodyBytes, err := json.Marshal(payload)
+	if err != nil {
+		return nil, fmt.Errorf("tavily: encode request: %w", err)
+	}
+
+	httpReq, err := http.NewRequestWithContext(ctx, http.MethodPost, tavilySearchEndpoint, bytes.NewReader(bodyBytes))
+	if err != nil {
+		return nil, fmt.Errorf("tavily: build request: %w", err)
+	}
+	httpReq.Header.Set("Content-Type", "application/json")
+
+	resp, err := t.httpClient.Do(httpReq)
+	if err != nil {
+		return nil, fmt.Errorf("tavily: request failed: %w", err)
+	}
+	defer resp.Body.Close()
+
+	body, err := io.ReadAll(io.LimitReader(resp.Body, maxResponseSize))
+	if err != nil {
+		return nil, fmt.Errorf("tavily: read body: %w", err)
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("tavily: status %d: %s", resp.StatusCode, truncateBody(body))
+	}
+
+	var raw tavilyResponse
+	if err := json.Unmarshal(body, &raw); err != nil {
+		return nil, fmt.Errorf("tavily: decode response: %w", err)
+	}
+
+	results := make([]SearchResult, 0, len(raw.Results))
+	for _, r := range raw.Results {
+		results = append(results, SearchResult{
+			URL:     r.URL,
+			Title:   r.Title,
+			Snippet: r.Content,
+		})
+	}
+
+	return &SearchResponse{Results: results, Query: req.Query}, nil
+}
+
+type tavilyRequest struct {
+	APIKey      string `json:"api_key"`
+	Query       string `json:"query"`
+	MaxResults  int    `json:"max_results"`
+	SearchDepth string `json:"search_depth"`
+}
+
+type tavilyResponse struct {
+	Results []tavilyResult `json:"results"`
+}
+
+type tavilyResult struct {
+	URL     string  `json:"url"`
+	Title   string  `json:"title"`
+	Content string  `json:"content"`
+	Score   float64 `json:"score"`
+}
diff --git a/backend/internal/pkg/websearch/tavily_test.go b/backend/internal/pkg/websearch/tavily_test.go
new file mode 100644
index 00000000..e1b6819a
--- /dev/null
+++ b/backend/internal/pkg/websearch/tavily_test.go
@@ -0,0 +1,63 @@
+package websearch
+
+import (
+	"encoding/json"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestTavilyProvider_Name(t *testing.T) {
+	p := NewTavilyProvider("key", nil)
+	require.Equal(t, "tavily", p.Name())
+}
+
+func TestTavilyProvider_Search_RequestConstruction(t *testing.T) {
+	// Verify tavilyRequest struct fields map correctly
+	req := tavilyRequest{
+		APIKey:      "test-key",
+		Query:       "golang",
+		MaxResults:  3,
+		SearchDepth: tavilySearchDepthBasic,
+	}
+	data, err := json.Marshal(req)
+	require.NoError(t, err)
+
+	var parsed map[string]any
+	require.NoError(t, json.Unmarshal(data, &parsed))
+	require.Equal(t, "test-key", parsed["api_key"])
+	require.Equal(t, "golang", parsed["query"])
+	require.Equal(t, float64(3), parsed["max_results"])
+	require.Equal(t, "basic", parsed["search_depth"])
+}
+
+func TestTavilyProvider_Search_ResponseParsing(t *testing.T) {
+	rawResp := `{"results":[{"url":"https://go.dev","title":"Go","content":"Go programming language","score":0.95}]}`
+	var resp tavilyResponse
+	require.NoError(t, json.Unmarshal([]byte(rawResp), &resp))
+	require.Len(t, resp.Results, 1)
+	require.Equal(t, "https://go.dev", resp.Results[0].URL)
+	require.Equal(t, "Go programming language", resp.Results[0].Content)
+	require.InDelta(t, 0.95, resp.Results[0].Score, 0.001)
+
+	// Verify mapping to SearchResult
+	results := make([]SearchResult, 0, len(resp.Results))
+	for _, r := range resp.Results {
+		results = append(results, SearchResult{
+			URL: r.URL, Title: r.Title, Snippet: r.Content,
+		})
+	}
+	require.Equal(t, "Go programming language", results[0].Snippet)
+	require.Equal(t, "", results[0].PageAge)
+}
+
+func TestTavilyProvider_Search_EmptyResults(t *testing.T) {
+	var resp tavilyResponse
+	require.NoError(t, json.Unmarshal([]byte(`{"results":[]}`), &resp))
+	require.Empty(t, resp.Results)
+}
+
+func TestTavilyProvider_Search_InvalidJSON(t *testing.T) {
+	var resp tavilyResponse
+	require.Error(t, json.Unmarshal([]byte("not json"), &resp))
+}
diff --git a/backend/internal/pkg/websearch/types.go b/backend/internal/pkg/websearch/types.go
new file mode 100644
index 00000000..bb489690
--- /dev/null
+++ b/backend/internal/pkg/websearch/types.go
@@ -0,0 +1,30 @@
+package websearch
+
+// SearchResult represents a single web search result.
+type SearchResult struct {
+	URL     string `json:"url"`
+	Title   string `json:"title"`
+	Snippet string `json:"snippet"`
+	PageAge string `json:"page_age,omitempty"`
+}
+
+// SearchRequest describes a web search to perform.
+type SearchRequest struct {
+	Query      string
+	MaxResults int    // defaults to defaultMaxResults if <= 0
+	ProxyURL   string // optional HTTP proxy URL
+}
+
+// SearchResponse holds the results of a web search.
+type SearchResponse struct {
+	Results []SearchResult
+	Query   string // the query that was actually executed
+}
+
+const defaultMaxResults = 5
+
+// Provider type identifiers.
+const (
+	ProviderTypeBrave  = "brave"
+	ProviderTypeTavily = "tavily"
+)
diff --git a/backend/internal/repository/channel_repo.go b/backend/internal/repository/channel_repo.go
index baad31f7..56b5cc71 100644
--- a/backend/internal/repository/channel_repo.go
+++ b/backend/internal/repository/channel_repo.go
@@ -41,10 +41,14 @@ func (r *channelRepository) Create(ctx context.Context, channel *service.Channel
 		if err != nil {
 			return err
 		}
+		featuresConfigJSON, err := marshalFeaturesConfig(channel.FeaturesConfig)
+		if err != nil {
+			return err
+		}
 		err = tx.QueryRowContext(ctx,
-			`INSERT INTO channels (name, description, status, model_mapping, billing_model_source, restrict_models, features) VALUES ($1, $2, $3, $4, $5, $6, $7)
+			`INSERT INTO channels (name, description, status, model_mapping, billing_model_source, restrict_models, features, features_config) VALUES ($1, $2, $3, $4, $5, $6, $7, $8)
 			 RETURNING id, created_at, updated_at`,
-			channel.Name, channel.Description, channel.Status, modelMappingJSON, channel.BillingModelSource, channel.RestrictModels, channel.Features,
+			channel.Name, channel.Description, channel.Status, modelMappingJSON, channel.BillingModelSource, channel.RestrictModels, channel.Features, featuresConfigJSON,
 		).Scan(&channel.ID, &channel.CreatedAt, &channel.UpdatedAt)
 		if err != nil {
 			if isUniqueViolation(err) {
@@ -73,11 +77,11 @@ func (r *channelRepository) Create(ctx context.Context, channel *service.Channel
 
 func (r *channelRepository) GetByID(ctx context.Context, id int64) (*service.Channel, error) {
 	ch := &service.Channel{}
-	var modelMappingJSON []byte
+	var modelMappingJSON, featuresConfigJSON []byte
 	err := r.db.QueryRowContext(ctx,
-		`SELECT id, name, description, status, model_mapping, billing_model_source, restrict_models, features, created_at, updated_at
+		`SELECT id, name, description, status, model_mapping, billing_model_source, restrict_models, features, features_config, created_at, updated_at
 		 FROM channels WHERE id = $1`, id,
-	).Scan(&ch.ID, &ch.Name, &ch.Description, &ch.Status, &modelMappingJSON, &ch.BillingModelSource, &ch.RestrictModels, &ch.Features, &ch.CreatedAt, &ch.UpdatedAt)
+	).Scan(&ch.ID, &ch.Name, &ch.Description, &ch.Status, &modelMappingJSON, &ch.BillingModelSource, &ch.RestrictModels, &ch.Features, &featuresConfigJSON, &ch.CreatedAt, &ch.UpdatedAt)
 	if err == sql.ErrNoRows {
 		return nil, service.ErrChannelNotFound
 	}
@@ -85,6 +89,7 @@ func (r *channelRepository) GetByID(ctx context.Context, id int64) (*service.Cha
 		return nil, fmt.Errorf("get channel: %w", err)
 	}
 	ch.ModelMapping = unmarshalModelMapping(modelMappingJSON)
+	ch.FeaturesConfig = unmarshalFeaturesConfig(featuresConfigJSON)
 
 	groupIDs, err := r.GetGroupIDs(ctx, id)
 	if err != nil {
@@ -107,10 +112,14 @@ func (r *channelRepository) Update(ctx context.Context, channel *service.Channel
 		if err != nil {
 			return err
 		}
+		featuresConfigJSON, err := marshalFeaturesConfig(channel.FeaturesConfig)
+		if err != nil {
+			return err
+		}
 		result, err := tx.ExecContext(ctx,
-			`UPDATE channels SET name = $1, description = $2, status = $3, model_mapping = $4, billing_model_source = $5, restrict_models = $6, features = $7, updated_at = NOW()
-			 WHERE id = $8`,
-			channel.Name, channel.Description, channel.Status, modelMappingJSON, channel.BillingModelSource, channel.RestrictModels, channel.Features, channel.ID,
+			`UPDATE channels SET name = $1, description = $2, status = $3, model_mapping = $4, billing_model_source = $5, restrict_models = $6, features = $7, features_config = $8, updated_at = NOW()
+			 WHERE id = $9`,
+			channel.Name, channel.Description, channel.Status, modelMappingJSON, channel.BillingModelSource, channel.RestrictModels, channel.Features, featuresConfigJSON, channel.ID,
 		)
 		if err != nil {
 			if isUniqueViolation(err) {
@@ -187,9 +196,9 @@ func (r *channelRepository) List(ctx context.Context, params pagination.Paginati
 
 	// 查询 channel 列表
 	dataQuery := fmt.Sprintf(
-		`SELECT c.id, c.name, c.description, c.status, c.model_mapping, c.billing_model_source, c.restrict_models, c.features, c.created_at, c.updated_at
-		 FROM channels c WHERE %s ORDER BY c.id ASC LIMIT $%d OFFSET $%d`,
-		whereClause, argIdx, argIdx+1,
+		`SELECT c.id, c.name, c.description, c.status, c.model_mapping, c.billing_model_source, c.restrict_models, c.features, c.features_config, c.created_at, c.updated_at
+		 FROM channels c WHERE %s ORDER BY %s LIMIT $%d OFFSET $%d`,
+		whereClause, channelListOrderBy(params), argIdx, argIdx+1,
 	)
 	args = append(args, pageSize, offset)
 
@@ -203,11 +212,12 @@ func (r *channelRepository) List(ctx context.Context, params pagination.Paginati
 	var channelIDs []int64
 	for rows.Next() {
 		var ch service.Channel
-		var modelMappingJSON []byte
-		if err := rows.Scan(&ch.ID, &ch.Name, &ch.Description, &ch.Status, &modelMappingJSON, &ch.BillingModelSource, &ch.RestrictModels, &ch.Features, &ch.CreatedAt, &ch.UpdatedAt); err != nil {
+		var modelMappingJSON, featuresConfigJSON []byte
+		if err := rows.Scan(&ch.ID, &ch.Name, &ch.Description, &ch.Status, &modelMappingJSON, &ch.BillingModelSource, &ch.RestrictModels, &ch.Features, &featuresConfigJSON, &ch.CreatedAt, &ch.UpdatedAt); err != nil {
 			return nil, nil, fmt.Errorf("scan channel: %w", err)
 		}
 		ch.ModelMapping = unmarshalModelMapping(modelMappingJSON)
+		ch.FeaturesConfig = unmarshalFeaturesConfig(featuresConfigJSON)
 		channels = append(channels, ch)
 		channelIDs = append(channelIDs, ch.ID)
 	}
@@ -246,9 +256,34 @@ func (r *channelRepository) List(ctx context.Context, params pagination.Paginati
 	return channels, paginationResult, nil
 }
 
+func channelListOrderBy(params pagination.PaginationParams) string {
+	sortBy := strings.ToLower(strings.TrimSpace(params.SortBy))
+	sortOrder := strings.ToUpper(params.NormalizedSortOrder(pagination.SortOrderAsc))
+
+	var column string
+	switch sortBy {
+	case "":
+		column = "c.id"
+		sortOrder = "ASC"
+	case "id":
+		column = "c.id"
+	case "name":
+		column = "c.name"
+	case "status":
+		column = "c.status"
+	case "created_at":
+		column = "c.created_at"
+	default:
+		column = "c.id"
+		sortOrder = "ASC"
+	}
+
+	return fmt.Sprintf("%s %s, c.id %s", column, sortOrder, sortOrder)
+}
+
 func (r *channelRepository) ListAll(ctx context.Context) ([]service.Channel, error) {
 	rows, err := r.db.QueryContext(ctx,
-		`SELECT id, name, description, status, model_mapping, billing_model_source, restrict_models, features, created_at, updated_at FROM channels ORDER BY id`,
+		`SELECT id, name, description, status, model_mapping, billing_model_source, restrict_models, features, features_config, created_at, updated_at FROM channels ORDER BY id`,
 	)
 	if err != nil {
 		return nil, fmt.Errorf("query all channels: %w", err)
@@ -259,11 +294,12 @@ func (r *channelRepository) ListAll(ctx context.Context) ([]service.Channel, err
 	var channelIDs []int64
 	for rows.Next() {
 		var ch service.Channel
-		var modelMappingJSON []byte
-		if err := rows.Scan(&ch.ID, &ch.Name, &ch.Description, &ch.Status, &modelMappingJSON, &ch.BillingModelSource, &ch.RestrictModels, &ch.Features, &ch.CreatedAt, &ch.UpdatedAt); err != nil {
+		var modelMappingJSON, featuresConfigJSON []byte
+		if err := rows.Scan(&ch.ID, &ch.Name, &ch.Description, &ch.Status, &modelMappingJSON, &ch.BillingModelSource, &ch.RestrictModels, &ch.Features, &featuresConfigJSON, &ch.CreatedAt, &ch.UpdatedAt); err != nil {
 			return nil, fmt.Errorf("scan channel: %w", err)
 		}
 		ch.ModelMapping = unmarshalModelMapping(modelMappingJSON)
+		ch.FeaturesConfig = unmarshalFeaturesConfig(featuresConfigJSON)
 		channels = append(channels, ch)
 		channelIDs = append(channelIDs, ch.ID)
 	}
@@ -431,6 +467,28 @@ func unmarshalModelMapping(data []byte) map[string]map[string]string {
 	return m
 }
 
+func marshalFeaturesConfig(m map[string]any) ([]byte, error) {
+	if len(m) == 0 {
+		return []byte("{}"), nil
+	}
+	data, err := json.Marshal(m)
+	if err != nil {
+		return nil, fmt.Errorf("marshal features_config: %w", err)
+	}
+	return data, nil
+}
+
+func unmarshalFeaturesConfig(data []byte) map[string]any {
+	if len(data) == 0 {
+		return nil
+	}
+	var m map[string]any
+	if err := json.Unmarshal(data, &m); err != nil {
+		return nil
+	}
+	return m
+}
+
 // GetGroupPlatforms 批量查询分组 ID 对应的平台
 func (r *channelRepository) GetGroupPlatforms(ctx context.Context, groupIDs []int64) (map[int64]string, error) {
 	if len(groupIDs) == 0 {
diff --git a/backend/internal/server/routes/admin.go b/backend/internal/server/routes/admin.go
index b921da95..7c4e6cb7 100644
--- a/backend/internal/server/routes/admin.go
+++ b/backend/internal/server/routes/admin.go
@@ -407,6 +407,9 @@ func registerSettingsRoutes(admin *gin.RouterGroup, h *handler.Handlers) {
 		// Beta 策略配置
 		adminSettings.GET("/beta-policy", h.Admin.Setting.GetBetaPolicySettings)
 		adminSettings.PUT("/beta-policy", h.Admin.Setting.UpdateBetaPolicySettings)
+		// Web Search 模拟配置
+		adminSettings.GET("/web-search-emulation", h.Admin.Setting.GetWebSearchEmulationConfig)
+		adminSettings.PUT("/web-search-emulation", h.Admin.Setting.UpdateWebSearchEmulationConfig)
 	}
 }
 
diff --git a/backend/internal/service/account.go b/backend/internal/service/account.go
index 512195e3..582b136c 100644
--- a/backend/internal/service/account.go
+++ b/backend/internal/service/account.go
@@ -969,7 +969,7 @@ func (a *Account) IsOveragesEnabled() bool {
 	return false
 }
 
-// IsOpenAIPassthroughEnabled 返回 OpenAI 账号是否启用“自动透传（仅替换认证）”。
+// IsOpenAIPassthroughEnabled 返回 OpenAI 账号是否启用"自动透传（仅替换认证）"。
 //
 // 新字段：accounts.extra.openai_passthrough。
 // 兼容字段：accounts.extra.openai_oauth_passthrough（历史 OAuth 开关）。
@@ -1133,7 +1133,7 @@ func (a *Account) ResolveOpenAIResponsesWebSocketV2Mode(defaultMode string) stri
 	return resolvedDefault
 }
 
-// IsOpenAIWSForceHTTPEnabled 返回账号级“强制 HTTP”开关。
+// IsOpenAIWSForceHTTPEnabled 返回账号级"强制 HTTP"开关。
 // 字段：accounts.extra.openai_ws_force_http。
 func (a *Account) IsOpenAIWSForceHTTPEnabled() bool {
 	if a == nil || !a.IsOpenAI() || a.Extra == nil {
@@ -1158,7 +1158,7 @@ func (a *Account) IsOpenAIOAuthPassthroughEnabled() bool {
 	return a != nil && a.IsOpenAIOAuth() && a.IsOpenAIPassthroughEnabled()
 }
 
-// IsAnthropicAPIKeyPassthroughEnabled 返回 Anthropic API Key 账号是否启用“自动透传（仅替换认证）”。
+// IsAnthropicAPIKeyPassthroughEnabled 返回 Anthropic API Key 账号是否启用"自动透传（仅替换认证）"。
 // 字段：accounts.extra.anthropic_passthrough。
 // 字段缺失或类型不正确时，按 false（关闭）处理。
 func (a *Account) IsAnthropicAPIKeyPassthroughEnabled() bool {
@@ -1169,7 +1169,18 @@ func (a *Account) IsAnthropicAPIKeyPassthroughEnabled() bool {
 	return ok && enabled
 }
 
-// IsCodexCLIOnlyEnabled 返回 OpenAI OAuth 账号是否启用“仅允许 Codex 官方客户端”。
+// IsWebSearchEmulationEnabled 返回 Anthropic API Key 账号是否启用 web search 模拟。
+// 字段：accounts.extra.web_search_emulation。
+// 字段缺失或类型不正确时，按 false（关闭）处理。
+func (a *Account) IsWebSearchEmulationEnabled() bool {
+	if a == nil || a.Platform != PlatformAnthropic || a.Type != AccountTypeAPIKey || a.Extra == nil {
+		return false
+	}
+	enabled, ok := a.Extra[featureKeyWebSearchEmulation].(bool)
+	return ok && enabled
+}
+
+// IsCodexCLIOnlyEnabled 返回 OpenAI OAuth 账号是否启用"仅允许 Codex 官方客户端"。
 // 字段：accounts.extra.codex_cli_only。
 // 字段缺失或类型不正确时，按 false（关闭）处理。
 func (a *Account) IsCodexCLIOnlyEnabled() bool {
diff --git a/backend/internal/service/account_websearch_test.go b/backend/internal/service/account_websearch_test.go
new file mode 100644
index 00000000..fe742ebf
--- /dev/null
+++ b/backend/internal/service/account_websearch_test.go
@@ -0,0 +1,71 @@
+package service
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestAccount_IsWebSearchEmulationEnabled_Enabled(t *testing.T) {
+	a := &Account{
+		Platform: PlatformAnthropic,
+		Type:     AccountTypeAPIKey,
+		Extra:    map[string]any{featureKeyWebSearchEmulation: true},
+	}
+	require.True(t, a.IsWebSearchEmulationEnabled())
+}
+
+func TestAccount_IsWebSearchEmulationEnabled_Disabled(t *testing.T) {
+	a := &Account{
+		Platform: PlatformAnthropic,
+		Type:     AccountTypeAPIKey,
+		Extra:    map[string]any{featureKeyWebSearchEmulation: false},
+	}
+	require.False(t, a.IsWebSearchEmulationEnabled())
+}
+
+func TestAccount_IsWebSearchEmulationEnabled_MissingField(t *testing.T) {
+	a := &Account{
+		Platform: PlatformAnthropic,
+		Type:     AccountTypeAPIKey,
+		Extra:    map[string]any{},
+	}
+	require.False(t, a.IsWebSearchEmulationEnabled())
+}
+
+func TestAccount_IsWebSearchEmulationEnabled_WrongType(t *testing.T) {
+	a := &Account{
+		Platform: PlatformAnthropic,
+		Type:     AccountTypeAPIKey,
+		Extra:    map[string]any{featureKeyWebSearchEmulation: "true"},
+	}
+	require.False(t, a.IsWebSearchEmulationEnabled())
+}
+
+func TestAccount_IsWebSearchEmulationEnabled_NilExtra(t *testing.T) {
+	a := &Account{Platform: PlatformAnthropic, Type: AccountTypeAPIKey, Extra: nil}
+	require.False(t, a.IsWebSearchEmulationEnabled())
+}
+
+func TestAccount_IsWebSearchEmulationEnabled_NilAccount(t *testing.T) {
+	var a *Account
+	require.False(t, a.IsWebSearchEmulationEnabled())
+}
+
+func TestAccount_IsWebSearchEmulationEnabled_NonAnthropicPlatform(t *testing.T) {
+	a := &Account{
+		Platform: PlatformOpenAI,
+		Type:     AccountTypeAPIKey,
+		Extra:    map[string]any{featureKeyWebSearchEmulation: true},
+	}
+	require.False(t, a.IsWebSearchEmulationEnabled())
+}
+
+func TestAccount_IsWebSearchEmulationEnabled_NonAPIKeyType(t *testing.T) {
+	a := &Account{
+		Platform: PlatformAnthropic,
+		Type:     AccountTypeOAuth,
+		Extra:    map[string]any{featureKeyWebSearchEmulation: true},
+	}
+	require.False(t, a.IsWebSearchEmulationEnabled())
+}
diff --git a/backend/internal/service/channel.go b/backend/internal/service/channel.go
index eac81444..baf5c839 100644
--- a/backend/internal/service/channel.go
+++ b/backend/internal/service/channel.go
@@ -49,6 +49,21 @@ type Channel struct {
 	ModelPricing []ChannelModelPricing
 	// 渠道级模型映射（按平台分组：platform → {src→dst}）
 	ModelMapping map[string]map[string]string
+	// 渠道特性配置（如 {"web_search_emulation": {"anthropic": true}}）
+	FeaturesConfig map[string]any
+}
+
+// IsWebSearchEmulationEnabled 返回该渠道是否为指定平台启用了 web search 模拟。
+func (c *Channel) IsWebSearchEmulationEnabled(platform string) bool {
+	if c == nil || c.FeaturesConfig == nil {
+		return false
+	}
+	wse, ok := c.FeaturesConfig[featureKeyWebSearchEmulation].(map[string]any)
+	if !ok {
+		return false
+	}
+	enabled, ok := wse[platform].(bool)
+	return ok && enabled
 }
 
 // ChannelModelPricing 渠道模型定价条目
diff --git a/backend/internal/service/channel_service.go b/backend/internal/service/channel_service.go
index cdf94a4c..7b28662b 100644
--- a/backend/internal/service/channel_service.go
+++ b/backend/internal/service/channel_service.go
@@ -197,10 +197,8 @@ func newEmptyChannelCache() *channelCache {
 }
 
 // expandPricingToCache 将渠道的模型定价展开到缓存（按分组+平台维度）。
-// antigravity 平台同时服务 Claude 和 Gemini 模型，需匹配 anthropic/gemini 的定价条目。
-// 缓存 key 使用定价条目的原始平台（pricing.Platform），而非分组平台，
-// 避免跨平台同名模型（如 anthropic 和 gemini 都有 "model-x"）互相覆盖。
-// 查找时通过 lookupPricingAcrossPlatforms() 依次尝试所有匹配平台。
+// 各平台严格独立：antigravity 分组只匹配 antigravity 定价，不会匹配 anthropic/gemini 的定价。
+// 查找时通过 lookupPricingAcrossPlatforms() 在本平台内查找。
 func expandPricingToCache(cache *channelCache, ch *Channel, gid int64, platform string) {
 	for j := range ch.ModelPricing {
 		pricing := &ch.ModelPricing[j]
@@ -226,8 +224,7 @@ func expandPricingToCache(cache *channelCache, ch *Channel, gid int64, platform
 }
 
 // expandMappingToCache 将渠道的模型映射展开到缓存（按分组+平台维度）。
-// antigravity 平台同时服务 Claude 和 Gemini 模型。
-// 缓存 key 使用映射条目的原始平台（mappingPlatform），避免跨平台同名映射覆盖。
+// 各平台严格独立：antigravity 分组只匹配 antigravity 映射。
 func expandMappingToCache(cache *channelCache, ch *Channel, gid int64, platform string) {
 	for _, mappingPlatform := range matchingPlatforms(platform) {
 		platformMapping, ok := ch.ModelMapping[mappingPlatform]
@@ -251,40 +248,58 @@ func expandMappingToCache(cache *channelCache, ch *Channel, gid int64, platform
 	}
 }
 
+// storeErrorCache 存入短 TTL 空缓存，防止 DB 错误后紧密重试。
+// 通过回退 loadedAt 使剩余 TTL = channelErrorTTL。
+func (s *ChannelService) storeErrorCache() {
+	errorCache := newEmptyChannelCache()
+	errorCache.loadedAt = time.Now().Add(-(channelCacheTTL - channelErrorTTL))
+	s.cache.Store(errorCache)
+}
+
 // buildCache 从数据库构建渠道缓存。
 // 使用独立 context 避免请求取消导致空值被长期缓存。
 func (s *ChannelService) buildCache(ctx context.Context) (*channelCache, error) {
-	// 断开请求取消链，避免客户端断连导致空值被长期缓存
 	dbCtx, cancel := context.WithTimeout(context.WithoutCancel(ctx), channelCacheDBTimeout)
 	defer cancel()
 
-	channels, err := s.repo.ListAll(dbCtx)
+	channels, groupPlatforms, err := s.fetchChannelData(dbCtx)
 	if err != nil {
-		// error-TTL：失败时存入短 TTL 空缓存，防止紧密重试
-		slog.Warn("failed to build channel cache", "error", err)
-		errorCache := newEmptyChannelCache()
-		errorCache.loadedAt = time.Now().Add(-(channelCacheTTL - channelErrorTTL)) // 使剩余 TTL = errorTTL
-		s.cache.Store(errorCache)
-		return nil, fmt.Errorf("list all channels: %w", err)
+		return nil, err
+	}
+
+	cache := populateChannelCache(channels, groupPlatforms)
+	s.cache.Store(cache)
+	return cache, nil
+}
+
+// fetchChannelData 从数据库加载渠道列表和分组平台映射。
+func (s *ChannelService) fetchChannelData(ctx context.Context) ([]Channel, map[int64]string, error) {
+	channels, err := s.repo.ListAll(ctx)
+	if err != nil {
+		slog.Warn("failed to build channel cache", "error", err)
+		s.storeErrorCache()
+		return nil, nil, fmt.Errorf("list all channels: %w", err)
 	}
 
-	// 收集所有 groupID，批量查询 platform
 	var allGroupIDs []int64
 	for i := range channels {
 		allGroupIDs = append(allGroupIDs, channels[i].GroupIDs...)
 	}
+
 	groupPlatforms := make(map[int64]string)
 	if len(allGroupIDs) > 0 {
-		groupPlatforms, err = s.repo.GetGroupPlatforms(dbCtx, allGroupIDs)
+		groupPlatforms, err = s.repo.GetGroupPlatforms(ctx, allGroupIDs)
 		if err != nil {
 			slog.Warn("failed to load group platforms for channel cache", "error", err)
-			errorCache := newEmptyChannelCache()
-			errorCache.loadedAt = time.Now().Add(-(channelCacheTTL - channelErrorTTL))
-			s.cache.Store(errorCache)
-			return nil, fmt.Errorf("get group platforms: %w", err)
+			s.storeErrorCache()
+			return nil, nil, fmt.Errorf("get group platforms: %w", err)
 		}
 	}
+	return channels, groupPlatforms, nil
+}
 
+// populateChannelCache 将渠道列表和分组平台映射填充到缓存快照中。
+func populateChannelCache(channels []Channel, groupPlatforms map[int64]string) *channelCache {
 	cache := newEmptyChannelCache()
 	cache.groupPlatform = groupPlatforms
 	cache.byID = make(map[int64]*Channel, len(channels))
@@ -293,7 +308,6 @@ func (s *ChannelService) buildCache(ctx context.Context) (*channelCache, error)
 	for i := range channels {
 		ch := &channels[i]
 		cache.byID[ch.ID] = ch
-
 		for _, gid := range ch.GroupIDs {
 			cache.channelByGroupID[gid] = ch
 			platform := groupPlatforms[gid]
@@ -302,32 +316,20 @@ func (s *ChannelService) buildCache(ctx context.Context) (*channelCache, error)
 		}
 	}
 
-	// 通配符条目保持配置顺序（最先匹配到优先）
-
-	s.cache.Store(cache)
-	return cache, nil
+	return cache
 }
 
 // invalidateCache 使缓存失效，让下次读取时自然重建
 
 // isPlatformPricingMatch 判断定价条目的平台是否匹配分组平台。
-// antigravity 平台同时服务 Claude（anthropic）和 Gemini（gemini）模型，
-// 因此 antigravity 分组应匹配 anthropic 和 gemini 的定价条目。
+// 各平台（antigravity / anthropic / gemini / openai）严格独立，不跨平台匹配。
 func isPlatformPricingMatch(groupPlatform, pricingPlatform string) bool {
-	if groupPlatform == pricingPlatform {
-		return true
-	}
-	if groupPlatform == PlatformAntigravity {
-		return pricingPlatform == PlatformAnthropic || pricingPlatform == PlatformGemini
-	}
-	return false
+	return groupPlatform == pricingPlatform
 }
 
-// matchingPlatforms 返回分组平台对应的所有可匹配平台列表。
+// matchingPlatforms 返回分组平台对应的可匹配平台列表。
+// 各平台严格独立，只返回自身。
 func matchingPlatforms(groupPlatform string) []string {
-	if groupPlatform == PlatformAntigravity {
-		return []string{PlatformAntigravity, PlatformAnthropic, PlatformGemini}
-	}
 	return []string{groupPlatform}
 }
 func (s *ChannelService) invalidateCache() {
@@ -364,10 +366,8 @@ func (c *channelCache) matchWildcardMapping(groupID int64, platform, modelLower
 	return ""
 }
 
-// lookupPricingAcrossPlatforms 在所有匹配平台中查找模型定价。
-// antigravity 分组的缓存 key 使用定价条目的原始平台，因此查找时需依次尝试
-// matchingPlatforms() 返回的所有平台（antigravity → anthropic → gemini），
-// 返回第一个命中的结果。非 antigravity 平台只尝试自身。
+// lookupPricingAcrossPlatforms 在分组平台内查找模型定价。
+// 各平台严格独立，只在本平台内查找（先精确匹配，再通配符）。
 func lookupPricingAcrossPlatforms(cache *channelCache, groupID int64, groupPlatform, modelLower string) *ChannelModelPricing {
 	for _, p := range matchingPlatforms(groupPlatform) {
 		key := channelModelKey{groupID: groupID, platform: p, model: modelLower}
@@ -384,7 +384,7 @@ func lookupPricingAcrossPlatforms(cache *channelCache, groupID int64, groupPlatf
 	return nil
 }
 
-// lookupMappingAcrossPlatforms 在所有匹配平台中查找模型映射。
+// lookupMappingAcrossPlatforms 在分组平台内查找模型映射。
 // 逻辑与 lookupPricingAcrossPlatforms 相同：先精确查找，再通配符。
 func lookupMappingAcrossPlatforms(cache *channelCache, groupID int64, groupPlatform, modelLower string) string {
 	for _, p := range matchingPlatforms(groupPlatform) {
@@ -442,8 +442,7 @@ func (s *ChannelService) lookupGroupChannel(ctx context.Context, groupID int64)
 }
 
 // GetChannelModelPricing 获取指定分组+模型的渠道定价（热路径 O(1)）。
-// antigravity 分组依次尝试所有匹配平台（antigravity → anthropic → gemini），
-// 确保跨平台同名模型各自独立匹配。
+// 各平台严格独立，只在本平台内查找定价。
 func (s *ChannelService) GetChannelModelPricing(ctx context.Context, groupID int64, model string) *ChannelModelPricing {
 	lk, err := s.lookupGroupChannel(ctx, groupID)
 	if err != nil {
@@ -481,7 +480,10 @@ func (s *ChannelService) ResolveChannelMapping(ctx context.Context, groupID int6
 // 返回 true 表示模型被限制（不在允许列表中）。
 // 如果渠道未启用模型限制或分组无渠道关联，返回 false。
 func (s *ChannelService) IsModelRestricted(ctx context.Context, groupID int64, model string) bool {
-	lk, _ := s.lookupGroupChannel(ctx, groupID)
+	lk, err := s.lookupGroupChannel(ctx, groupID)
+	if err != nil {
+		slog.Warn("failed to load channel cache for model restriction check", "group_id", groupID, "error", err)
+	}
 	if lk == nil {
 		return false
 	}
@@ -524,7 +526,7 @@ func resolveMapping(lk *channelLookup, groupID int64, model string) ChannelMappi
 }
 
 // checkRestricted 基于已查找的渠道信息检查模型是否被限制。
-// antigravity 分组依次尝试所有匹配平台的定价列表。
+// 只在本平台的定价列表中查找。
 func checkRestricted(lk *channelLookup, groupID int64, model string) bool {
 	if !lk.channel.RestrictModels {
 		return false
@@ -552,6 +554,91 @@ func ReplaceModelInBody(body []byte, newModel string) []byte {
 	return newBody
 }
 
+// validateChannelConfig 校验渠道的定价和映射配置（冲突检测 + 区间校验 + 计费模式校验）。
+// Create 和 Update 共用此函数，避免重复。
+func validateChannelConfig(pricing []ChannelModelPricing, mapping map[string]map[string]string) error {
+	if err := validateNoConflictingModels(pricing); err != nil {
+		return err
+	}
+	if err := validatePricingIntervals(pricing); err != nil {
+		return err
+	}
+	if err := validateNoConflictingMappings(mapping); err != nil {
+		return err
+	}
+	return validatePricingBillingMode(pricing)
+}
+
+// validatePricingBillingMode 校验计费模式配置：按次/图片模式必须配价格或区间，所有价格字段不能为负，区间至少有一个价格字段。
+func validatePricingBillingMode(pricing []ChannelModelPricing) error {
+	for _, p := range pricing {
+		if err := checkBillingModeRequirements(p); err != nil {
+			return err
+		}
+		if err := checkPricesNotNegative(p); err != nil {
+			return err
+		}
+		if err := checkIntervalsHavePrices(p); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func checkBillingModeRequirements(p ChannelModelPricing) error {
+	if p.BillingMode == BillingModePerRequest || p.BillingMode == BillingModeImage {
+		if p.PerRequestPrice == nil && len(p.Intervals) == 0 {
+			return infraerrors.BadRequest(
+				"BILLING_MODE_MISSING_PRICE",
+				"per-request price or intervals required for per_request/image billing mode",
+			)
+		}
+	}
+	return nil
+}
+
+func checkPricesNotNegative(p ChannelModelPricing) error {
+	checks := []struct {
+		field string
+		val   *float64
+	}{
+		{"input_price", p.InputPrice},
+		{"output_price", p.OutputPrice},
+		{"cache_write_price", p.CacheWritePrice},
+		{"cache_read_price", p.CacheReadPrice},
+		{"image_output_price", p.ImageOutputPrice},
+		{"per_request_price", p.PerRequestPrice},
+	}
+	for _, c := range checks {
+		if c.val != nil && *c.val < 0 {
+			return infraerrors.BadRequest("NEGATIVE_PRICE", fmt.Sprintf("%s must be >= 0", c.field))
+		}
+	}
+	return nil
+}
+
+func checkIntervalsHavePrices(p ChannelModelPricing) error {
+	for _, iv := range p.Intervals {
+		if iv.InputPrice == nil && iv.OutputPrice == nil &&
+			iv.CacheWritePrice == nil && iv.CacheReadPrice == nil &&
+			iv.PerRequestPrice == nil {
+			return infraerrors.BadRequest(
+				"INTERVAL_MISSING_PRICE",
+				fmt.Sprintf("interval [%d, %s] has no price fields set for model %v",
+					iv.MinTokens, formatMaxTokens(iv.MaxTokens), p.Models),
+			)
+		}
+	}
+	return nil
+}
+
+func formatMaxTokens(max *int) string {
+	if max == nil {
+		return "∞"
+	}
+	return fmt.Sprintf("%d", *max)
+}
+
 // --- CRUD ---
 
 // Create 创建渠道
@@ -564,15 +651,8 @@ func (s *ChannelService) Create(ctx context.Context, input *CreateChannelInput)
 		return nil, ErrChannelExists
 	}
 
-	// 检查分组冲突
-	if len(input.GroupIDs) > 0 {
-		conflicting, err := s.repo.GetGroupsInOtherChannels(ctx, 0, input.GroupIDs)
-		if err != nil {
-			return nil, fmt.Errorf("check group conflicts: %w", err)
-		}
-		if len(conflicting) > 0 {
-			return nil, ErrGroupAlreadyInChannel
-		}
+	if err := s.checkGroupConflicts(ctx, 0, input.GroupIDs); err != nil {
+		return nil, err
 	}
 
 	channel := &Channel{
@@ -585,18 +665,13 @@ func (s *ChannelService) Create(ctx context.Context, input *CreateChannelInput)
 		ModelPricing:       input.ModelPricing,
 		ModelMapping:       input.ModelMapping,
 		Features:           input.Features,
+		FeaturesConfig:     input.FeaturesConfig,
 	}
 	if channel.BillingModelSource == "" {
 		channel.BillingModelSource = BillingModelSourceChannelMapped
 	}
 
-	if err := validateNoConflictingModels(channel.ModelPricing); err != nil {
-		return nil, err
-	}
-	if err := validatePricingIntervals(channel.ModelPricing); err != nil {
-		return nil, err
-	}
-	if err := validateNoConflictingMappings(channel.ModelMapping); err != nil {
+	if err := validateChannelConfig(channel.ModelPricing, channel.ModelMapping); err != nil {
 		return nil, err
 	}
 
@@ -620,105 +695,118 @@ func (s *ChannelService) Update(ctx context.Context, id int64, input *UpdateChan
 		return nil, fmt.Errorf("get channel: %w", err)
 	}
 
-	if input.Name != "" && input.Name != channel.Name {
-		exists, err := s.repo.ExistsByNameExcluding(ctx, input.Name, id)
-		if err != nil {
-			return nil, fmt.Errorf("check channel exists: %w", err)
-		}
-		if exists {
-			return nil, ErrChannelExists
-		}
-		channel.Name = input.Name
-	}
-
-	if input.Description != nil {
-		channel.Description = *input.Description
-	}
-
-	if input.Status != "" {
-		channel.Status = input.Status
-	}
-
-	if input.RestrictModels != nil {
-		channel.RestrictModels = *input.RestrictModels
-	}
-	if input.Features != nil {
-		channel.Features = *input.Features
-	}
-
-	// 检查分组冲突
-	if input.GroupIDs != nil {
-		conflicting, err := s.repo.GetGroupsInOtherChannels(ctx, id, *input.GroupIDs)
-		if err != nil {
-			return nil, fmt.Errorf("check group conflicts: %w", err)
-		}
-		if len(conflicting) > 0 {
-			return nil, ErrGroupAlreadyInChannel
-		}
-		channel.GroupIDs = *input.GroupIDs
-	}
-
-	if input.ModelPricing != nil {
-		channel.ModelPricing = *input.ModelPricing
-	}
-
-	if input.ModelMapping != nil {
-		channel.ModelMapping = input.ModelMapping
-	}
-
-	if input.BillingModelSource != "" {
-		channel.BillingModelSource = input.BillingModelSource
-	}
-
-	if err := validateNoConflictingModels(channel.ModelPricing); err != nil {
-		return nil, err
-	}
-	if err := validatePricingIntervals(channel.ModelPricing); err != nil {
-		return nil, err
-	}
-	if err := validateNoConflictingMappings(channel.ModelMapping); err != nil {
+	if err := s.applyUpdateInput(ctx, channel, input); err != nil {
 		return nil, err
 	}
 
-	// 先获取旧分组，Update 后旧分组关联已删除，无法再查到
-	var oldGroupIDs []int64
-	if s.authCacheInvalidator != nil {
-		var err2 error
-		oldGroupIDs, err2 = s.repo.GetGroupIDs(ctx, id)
-		if err2 != nil {
-			slog.Warn("failed to get old group IDs for cache invalidation", "channel_id", id, "error", err2)
-		}
+	if err := validateChannelConfig(channel.ModelPricing, channel.ModelMapping); err != nil {
+		return nil, err
 	}
 
+	oldGroupIDs := s.getOldGroupIDs(ctx, id)
+
 	if err := s.repo.Update(ctx, channel); err != nil {
 		return nil, fmt.Errorf("update channel: %w", err)
 	}
 
 	s.invalidateCache()
-
-	// 失效新旧分组的 auth 缓存
-	if s.authCacheInvalidator != nil {
-		seen := make(map[int64]struct{}, len(oldGroupIDs)+len(channel.GroupIDs))
-		for _, gid := range oldGroupIDs {
-			if _, ok := seen[gid]; !ok {
-				seen[gid] = struct{}{}
-				s.authCacheInvalidator.InvalidateAuthCacheByGroupID(ctx, gid)
-			}
-		}
-		for _, gid := range channel.GroupIDs {
-			if _, ok := seen[gid]; !ok {
-				seen[gid] = struct{}{}
-				s.authCacheInvalidator.InvalidateAuthCacheByGroupID(ctx, gid)
-			}
-		}
-	}
+	s.invalidateAuthCacheForGroups(ctx, oldGroupIDs, channel.GroupIDs)
 
 	return s.repo.GetByID(ctx, id)
 }
 
+// applyUpdateInput 将更新请求的字段应用到渠道实体上。
+func (s *ChannelService) applyUpdateInput(ctx context.Context, channel *Channel, input *UpdateChannelInput) error {
+	if input.Name != "" && input.Name != channel.Name {
+		exists, err := s.repo.ExistsByNameExcluding(ctx, input.Name, channel.ID)
+		if err != nil {
+			return fmt.Errorf("check channel exists: %w", err)
+		}
+		if exists {
+			return ErrChannelExists
+		}
+		channel.Name = input.Name
+	}
+	if input.Description != nil {
+		channel.Description = *input.Description
+	}
+	if input.Status != "" {
+		channel.Status = input.Status
+	}
+	if input.RestrictModels != nil {
+		channel.RestrictModels = *input.RestrictModels
+	}
+	if input.Features != nil {
+		channel.Features = *input.Features
+	}
+	if input.GroupIDs != nil {
+		if err := s.checkGroupConflicts(ctx, channel.ID, *input.GroupIDs); err != nil {
+			return err
+		}
+		channel.GroupIDs = *input.GroupIDs
+	}
+	if input.ModelPricing != nil {
+		channel.ModelPricing = *input.ModelPricing
+	}
+	if input.ModelMapping != nil {
+		channel.ModelMapping = input.ModelMapping
+	}
+	if input.BillingModelSource != "" {
+		channel.BillingModelSource = input.BillingModelSource
+	}
+	if input.FeaturesConfig != nil {
+		channel.FeaturesConfig = input.FeaturesConfig
+	}
+	return nil
+}
+
+// checkGroupConflicts 检查待关联的分组是否已属于其他渠道。
+// channelID 为当前渠道 ID（Create 时传 0）。
+func (s *ChannelService) checkGroupConflicts(ctx context.Context, channelID int64, groupIDs []int64) error {
+	if len(groupIDs) == 0 {
+		return nil
+	}
+	conflicting, err := s.repo.GetGroupsInOtherChannels(ctx, channelID, groupIDs)
+	if err != nil {
+		return fmt.Errorf("check group conflicts: %w", err)
+	}
+	if len(conflicting) > 0 {
+		return ErrGroupAlreadyInChannel
+	}
+	return nil
+}
+
+// getOldGroupIDs 获取渠道更新前的关联分组 ID（用于失效 auth 缓存）。
+func (s *ChannelService) getOldGroupIDs(ctx context.Context, channelID int64) []int64 {
+	if s.authCacheInvalidator == nil {
+		return nil
+	}
+	oldGroupIDs, err := s.repo.GetGroupIDs(ctx, channelID)
+	if err != nil {
+		slog.Warn("failed to get old group IDs for cache invalidation", "channel_id", channelID, "error", err)
+	}
+	return oldGroupIDs
+}
+
+// invalidateAuthCacheForGroups 对新旧分组去重后逐个失效 auth 缓存。
+func (s *ChannelService) invalidateAuthCacheForGroups(ctx context.Context, groupIDSets ...[]int64) {
+	if s.authCacheInvalidator == nil {
+		return
+	}
+	seen := make(map[int64]struct{})
+	for _, ids := range groupIDSets {
+		for _, gid := range ids {
+			if _, ok := seen[gid]; ok {
+				continue
+			}
+			seen[gid] = struct{}{}
+			s.authCacheInvalidator.InvalidateAuthCacheByGroupID(ctx, gid)
+		}
+	}
+}
+
 // Delete 删除渠道
 func (s *ChannelService) Delete(ctx context.Context, id int64) error {
-	// 先获取关联分组用于失效缓存
 	groupIDs, err := s.repo.GetGroupIDs(ctx, id)
 	if err != nil {
 		slog.Warn("failed to get group IDs before delete", "channel_id", id, "error", err)
@@ -729,12 +817,7 @@ func (s *ChannelService) Delete(ctx context.Context, id int64) error {
 	}
 
 	s.invalidateCache()
-
-	if s.authCacheInvalidator != nil {
-		for _, gid := range groupIDs {
-			s.authCacheInvalidator.InvalidateAuthCacheByGroupID(ctx, gid)
-		}
-	}
+	s.invalidateAuthCacheForGroups(ctx, groupIDs)
 
 	return nil
 }
@@ -847,6 +930,7 @@ type CreateChannelInput struct {
 	BillingModelSource string
 	RestrictModels     bool
 	Features           string
+	FeaturesConfig     map[string]any
 }
 
 // UpdateChannelInput 更新渠道输入
@@ -860,4 +944,5 @@ type UpdateChannelInput struct {
 	BillingModelSource string
 	RestrictModels     *bool
 	Features           *string
+	FeaturesConfig     map[string]any
 }
diff --git a/backend/internal/service/channel_websearch_test.go b/backend/internal/service/channel_websearch_test.go
new file mode 100644
index 00000000..d3dbe45d
--- /dev/null
+++ b/backend/internal/service/channel_websearch_test.go
@@ -0,0 +1,62 @@
+package service
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestChannel_IsWebSearchEmulationEnabled_Enabled(t *testing.T) {
+	c := &Channel{
+		FeaturesConfig: map[string]any{
+			featureKeyWebSearchEmulation: map[string]any{"anthropic": true},
+		},
+	}
+	require.True(t, c.IsWebSearchEmulationEnabled("anthropic"))
+}
+
+func TestChannel_IsWebSearchEmulationEnabled_DifferentPlatform(t *testing.T) {
+	c := &Channel{
+		FeaturesConfig: map[string]any{
+			featureKeyWebSearchEmulation: map[string]any{"anthropic": true},
+		},
+	}
+	require.False(t, c.IsWebSearchEmulationEnabled("openai"))
+}
+
+func TestChannel_IsWebSearchEmulationEnabled_Disabled(t *testing.T) {
+	c := &Channel{
+		FeaturesConfig: map[string]any{
+			featureKeyWebSearchEmulation: map[string]any{"anthropic": false},
+		},
+	}
+	require.False(t, c.IsWebSearchEmulationEnabled("anthropic"))
+}
+
+func TestChannel_IsWebSearchEmulationEnabled_NilFeaturesConfig(t *testing.T) {
+	c := &Channel{FeaturesConfig: nil}
+	require.False(t, c.IsWebSearchEmulationEnabled("anthropic"))
+}
+
+func TestChannel_IsWebSearchEmulationEnabled_NilChannel(t *testing.T) {
+	var c *Channel
+	require.False(t, c.IsWebSearchEmulationEnabled("anthropic"))
+}
+
+func TestChannel_IsWebSearchEmulationEnabled_WrongStructure(t *testing.T) {
+	c := &Channel{
+		FeaturesConfig: map[string]any{
+			featureKeyWebSearchEmulation: true, // not a map
+		},
+	}
+	require.False(t, c.IsWebSearchEmulationEnabled("anthropic"))
+}
+
+func TestChannel_IsWebSearchEmulationEnabled_PlatformValueNotBool(t *testing.T) {
+	c := &Channel{
+		FeaturesConfig: map[string]any{
+			featureKeyWebSearchEmulation: map[string]any{"anthropic": "yes"},
+		},
+	}
+	require.False(t, c.IsWebSearchEmulationEnabled("anthropic"))
+}
diff --git a/backend/internal/service/domain_constants.go b/backend/internal/service/domain_constants.go
index 68d7da3b..f43d388b 100644
--- a/backend/internal/service/domain_constants.go
+++ b/backend/internal/service/domain_constants.go
@@ -249,6 +249,10 @@ const (
 	SettingKeyEnableMetadataPassthrough = "enable_metadata_passthrough"
 	// SettingKeyEnableCCHSigning 是否对 billing header 中的 cch 进行 xxHash64 签名（默认 false）
 	SettingKeyEnableCCHSigning = "enable_cch_signing"
+
+	// Web Search Emulation
+	// SettingKeyWebSearchEmulationConfig 全局 web search 模拟配置（JSON）
+	SettingKeyWebSearchEmulationConfig = "web_search_emulation_config"
 )
 
 // AdminAPIKeyPrefix is the prefix for admin API keys (distinct from user "sk-" keys).
diff --git a/backend/internal/service/gateway_service.go b/backend/internal/service/gateway_service.go
index 5d285fb6..77e9b8c8 100644
--- a/backend/internal/service/gateway_service.go
+++ b/backend/internal/service/gateway_service.go
@@ -3785,6 +3785,11 @@ func (s *GatewayService) Forward(ctx context.Context, c *gin.Context, account *A
 		return nil, fmt.Errorf("parse request: empty request")
 	}
 
+	// Web Search 模拟：纯 web_search 请求时，直接调用搜索 API 构造响应
+	if account != nil && s.shouldEmulateWebSearch(ctx, account, parsed.Body) {
+		return s.handleWebSearchEmulation(ctx, c, account, parsed)
+	}
+
 	if account != nil && account.IsAnthropicAPIKeyPassthroughEnabled() {
 		passthroughBody := parsed.Body
 		passthroughModel := parsed.Model
diff --git a/backend/internal/service/gateway_websearch_emulation.go b/backend/internal/service/gateway_websearch_emulation.go
new file mode 100644
index 00000000..fbea96c0
--- /dev/null
+++ b/backend/internal/service/gateway_websearch_emulation.go
@@ -0,0 +1,358 @@
+package service
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"log/slog"
+	"net/http"
+	"strings"
+	"sync/atomic"
+	"time"
+
+	"github.com/Wei-Shaw/sub2api/internal/pkg/websearch"
+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+	"github.com/tidwall/gjson"
+)
+
+// Web search emulation constants
+const (
+	toolTypeWebSearchPrefix = "web_search"
+	toolTypeGoogleSearch    = "google_search"
+	toolNameWebSearch       = "web_search"
+	toolNameGoogleSearch    = "google_search"
+	toolNameWebSearch2025   = "web_search_20250305"
+
+	webSearchDefaultMaxResults = 5
+	defaultWebSearchModel      = "claude-sonnet-4-6"
+	webSearchMsgIDPrefix       = "msg_ws_"
+	webSearchToolUseIDPrefix   = "srvtoolu_ws_"
+	tokenEstimateDivisor       = 4
+
+	// featureKeyWebSearchEmulation is the key used in Account.Extra and Channel.FeaturesConfig.
+	featureKeyWebSearchEmulation = "web_search_emulation"
+)
+
+// webSearchManagerPtr stores *websearch.Manager atomically for concurrent safety.
+var webSearchManagerPtr atomic.Pointer[websearch.Manager]
+
+// SetWebSearchManager wires the websearch.Manager into the gateway (goroutine-safe).
+func SetWebSearchManager(m *websearch.Manager) {
+	webSearchManagerPtr.Store(m)
+}
+
+func getWebSearchManager() *websearch.Manager {
+	return webSearchManagerPtr.Load()
+}
+
+// shouldEmulateWebSearch checks whether a request should be intercepted.
+//
+// Judgment chain: manager exists → only web_search tool → global enabled → account enabled.
+// Note: channel-level control is enforced via the account's extra field; the channel toggle
+// in the admin UI sets the account's flag for all accounts in that channel's groups.
+func (s *GatewayService) shouldEmulateWebSearch(ctx context.Context, account *Account, body []byte) bool {
+	if getWebSearchManager() == nil {
+		return false
+	}
+	if !isOnlyWebSearchToolInBody(body) {
+		return false
+	}
+	if !s.settingService.IsWebSearchEmulationEnabled(ctx) {
+		return false
+	}
+	if !account.IsWebSearchEmulationEnabled() {
+		return false
+	}
+	return true
+}
+
+// isOnlyWebSearchToolInBody checks if the body contains exactly one web_search tool.
+func isOnlyWebSearchToolInBody(body []byte) bool {
+	tools := gjson.GetBytes(body, "tools")
+	if !tools.IsArray() {
+		return false
+	}
+	arr := tools.Array()
+	if len(arr) != 1 {
+		return false
+	}
+	return isWebSearchToolJSON(arr[0])
+}
+
+func isWebSearchToolJSON(tool gjson.Result) bool {
+	toolType := tool.Get("type").String()
+	if strings.HasPrefix(toolType, toolTypeWebSearchPrefix) || toolType == toolTypeGoogleSearch {
+		return true
+	}
+	switch tool.Get("name").String() {
+	case toolNameWebSearch, toolNameGoogleSearch, toolNameWebSearch2025:
+		return true
+	}
+	return false
+}
+
+// extractSearchQueryFromBody extracts the last user message text as the search query.
+func extractSearchQueryFromBody(body []byte) string {
+	messages := gjson.GetBytes(body, "messages")
+	if !messages.IsArray() {
+		return ""
+	}
+	arr := messages.Array()
+	if len(arr) == 0 {
+		return ""
+	}
+	lastMsg := arr[len(arr)-1]
+	if lastMsg.Get("role").String() != "user" {
+		return ""
+	}
+	return extractWebSearchTextFromContent(lastMsg.Get("content"))
+}
+
+func extractWebSearchTextFromContent(content gjson.Result) string {
+	if content.Type == gjson.String {
+		return content.String()
+	}
+	if content.IsArray() {
+		for _, block := range content.Array() {
+			if block.Get("type").String() == "text" {
+				if text := block.Get("text").String(); text != "" {
+					return text
+				}
+			}
+		}
+	}
+	return ""
+}
+
+// handleWebSearchEmulation intercepts a web-search-only request,
+// calls a third-party search API, and constructs an Anthropic-format response.
+func (s *GatewayService) handleWebSearchEmulation(
+	ctx context.Context, c *gin.Context, account *Account, parsed *ParsedRequest,
+) (*ForwardResult, error) {
+	startTime := time.Now()
+
+	// Release the serial queue lock immediately — we don't need upstream.
+	if parsed.OnUpstreamAccepted != nil {
+		parsed.OnUpstreamAccepted()
+	}
+
+	query := extractSearchQueryFromBody(parsed.Body)
+	if query == "" {
+		return nil, fmt.Errorf("web search emulation: no query found in messages")
+	}
+
+	slog.Info("web search emulation: executing search",
+		"account_id", account.ID, "account_name", account.Name, "query", query)
+
+	resp, providerName, err := doWebSearch(ctx, account, query)
+	if err != nil {
+		return nil, err
+	}
+
+	slog.Info("web search emulation: search completed",
+		"provider", providerName, "results_count", len(resp.Results))
+
+	model := parsed.Model
+	if model == "" {
+		model = defaultWebSearchModel
+	}
+
+	if parsed.Stream {
+		return writeWebSearchStreamResponse(c, query, resp, model, startTime)
+	}
+	return writeWebSearchNonStreamResponse(c, query, resp, model, startTime)
+}
+
+func doWebSearch(ctx context.Context, account *Account, query string) (*websearch.SearchResponse, string, error) {
+	proxyURL := resolveAccountProxyURL(account)
+	mgr := getWebSearchManager()
+	if mgr == nil {
+		return nil, "", fmt.Errorf("web search emulation: manager not initialized")
+	}
+	resp, providerName, err := mgr.SearchWithBestProvider(ctx, websearch.SearchRequest{
+		Query: query, MaxResults: webSearchDefaultMaxResults, ProxyURL: proxyURL,
+	})
+	if err != nil {
+		slog.Error("web search emulation: search failed", "error", err)
+		return nil, "", fmt.Errorf("web search emulation: %w", err)
+	}
+	return resp, providerName, nil
+}
+
+func resolveAccountProxyURL(account *Account) string {
+	if account.ProxyID != nil && account.Proxy != nil {
+		return account.Proxy.URL()
+	}
+	return ""
+}
+
+// --- SSE streaming response ---
+
+func writeWebSearchStreamResponse(
+	c *gin.Context, query string, resp *websearch.SearchResponse, model string, startTime time.Time,
+) (*ForwardResult, error) {
+	msgID := webSearchMsgIDPrefix + uuid.New().String()
+	toolUseID := webSearchToolUseIDPrefix + uuid.New().String()[:16]
+
+	setSSEHeaders(c)
+	if err := writeSSEMessageStart(c.Writer, msgID, model); err != nil {
+		return nil, fmt.Errorf("web search emulation: SSE write: %w", err)
+	}
+	writeSSEServerToolUse(c.Writer, toolUseID, query, 0)
+	writeSSEToolResult(c.Writer, toolUseID, resp.Results, 1)
+	textSummary := buildTextSummary(query, resp.Results)
+	writeSSETextBlock(c.Writer, textSummary, 2)
+	writeSSEMessageEnd(c.Writer, len(textSummary)/tokenEstimateDivisor)
+	c.Writer.Flush()
+
+	return &ForwardResult{Model: model, Duration: time.Since(startTime), Usage: ClaudeUsage{}}, nil
+}
+
+func setSSEHeaders(c *gin.Context) {
+	c.Writer.Header().Set("Content-Type", "text/event-stream")
+	c.Writer.Header().Set("Cache-Control", "no-cache")
+	c.Writer.Header().Set("Connection", "keep-alive")
+	c.Writer.Header().Set("X-Accel-Buffering", "no")
+	c.Writer.WriteHeader(http.StatusOK)
+}
+
+func writeSSEMessageStart(w http.ResponseWriter, msgID, model string) error {
+	evt := map[string]any{
+		"type": "message_start",
+		"message": map[string]any{
+			"id": msgID, "type": "message", "role": "assistant", "model": model,
+			"content": []any{}, "stop_reason": nil, "stop_sequence": nil,
+			"usage": map[string]int{"input_tokens": 0, "output_tokens": 0},
+		},
+	}
+	return flushSSEJSON(w, "message_start", evt)
+}
+
+func writeSSEServerToolUse(w http.ResponseWriter, toolUseID, query string, index int) {
+	start := map[string]any{
+		"type": "content_block_start", "index": index,
+		"content_block": map[string]any{
+			"type": "server_tool_use", "id": toolUseID,
+			"name": toolNameWebSearch, "input": map[string]string{"query": query},
+		},
+	}
+	_ = flushSSEJSON(w, "content_block_start", start)
+	_ = flushSSEJSON(w, "content_block_stop", map[string]any{"type": "content_block_stop", "index": index})
+}
+
+func writeSSEToolResult(w http.ResponseWriter, toolUseID string, results []websearch.SearchResult, index int) {
+	start := map[string]any{
+		"type": "content_block_start", "index": index,
+		"content_block": map[string]any{
+			"type": "web_search_tool_result", "tool_use_id": toolUseID,
+			"content": buildSearchResultBlocks(results),
+		},
+	}
+	_ = flushSSEJSON(w, "content_block_start", start)
+	_ = flushSSEJSON(w, "content_block_stop", map[string]any{"type": "content_block_stop", "index": index})
+}
+
+func writeSSETextBlock(w http.ResponseWriter, text string, index int) {
+	_ = flushSSEJSON(w, "content_block_start", map[string]any{
+		"type": "content_block_start", "index": index,
+		"content_block": map[string]any{"type": "text", "text": ""},
+	})
+	_ = flushSSEJSON(w, "content_block_delta", map[string]any{
+		"type": "content_block_delta", "index": index,
+		"delta": map[string]string{"type": "text_delta", "text": text},
+	})
+	_ = flushSSEJSON(w, "content_block_stop", map[string]any{"type": "content_block_stop", "index": index})
+}
+
+func writeSSEMessageEnd(w http.ResponseWriter, outputTokens int) {
+	_ = flushSSEJSON(w, "message_delta", map[string]any{
+		"type":  "message_delta",
+		"delta": map[string]any{"stop_reason": "end_turn", "stop_sequence": nil},
+		"usage": map[string]int{"output_tokens": outputTokens},
+	})
+	_ = flushSSEJSON(w, "message_stop", map[string]string{"type": "message_stop"})
+}
+
+// flushSSEJSON marshals data to JSON and writes an SSE event. Returns error on marshal failure.
+func flushSSEJSON(w http.ResponseWriter, event string, data any) error {
+	b, err := json.Marshal(data)
+	if err != nil {
+		slog.Error("web search emulation: failed to marshal SSE event",
+			"event", event, "error", err)
+		return err
+	}
+	fmt.Fprintf(w, "event: %s\ndata: %s\n\n", event, b)
+	if f, ok := w.(http.Flusher); ok {
+		f.Flush()
+	}
+	return nil
+}
+
+// --- Non-streaming JSON response ---
+
+func writeWebSearchNonStreamResponse(
+	c *gin.Context, query string, resp *websearch.SearchResponse, model string, startTime time.Time,
+) (*ForwardResult, error) {
+	msgID := webSearchMsgIDPrefix + uuid.New().String()
+	toolUseID := webSearchToolUseIDPrefix + uuid.New().String()[:16]
+	textSummary := buildTextSummary(query, resp.Results)
+
+	msg := map[string]any{
+		"id": msgID, "type": "message", "role": "assistant", "model": model,
+		"content": []any{
+			map[string]any{
+				"type": "server_tool_use", "id": toolUseID,
+				"name": toolNameWebSearch, "input": map[string]string{"query": query},
+			},
+			map[string]any{
+				"type": "web_search_tool_result", "tool_use_id": toolUseID,
+				"content": buildSearchResultBlocks(resp.Results),
+			},
+			map[string]any{"type": "text", "text": textSummary},
+		},
+		"stop_reason": "end_turn", "stop_sequence": nil,
+		"usage": map[string]int{"input_tokens": 0, "output_tokens": len(textSummary) / tokenEstimateDivisor},
+	}
+
+	body, err := json.Marshal(msg)
+	if err != nil {
+		return nil, fmt.Errorf("web search emulation: marshal response: %w", err)
+	}
+	c.Data(http.StatusOK, "application/json", body)
+
+	return &ForwardResult{Model: model, Duration: time.Since(startTime), Usage: ClaudeUsage{}}, nil
+}
+
+// --- Helpers ---
+
+func buildSearchResultBlocks(results []websearch.SearchResult) []map[string]string {
+	blocks := make([]map[string]string, 0, len(results))
+	for _, r := range results {
+		block := map[string]string{
+			"type":  "web_search_result",
+			"url":   r.URL,
+			"title": r.Title,
+		}
+		if r.Snippet != "" {
+			block["page_content"] = r.Snippet
+		}
+		if r.PageAge != "" {
+			block["page_age"] = r.PageAge
+		}
+		blocks = append(blocks, block)
+	}
+	return blocks
+}
+
+func buildTextSummary(query string, results []websearch.SearchResult) string {
+	if len(results) == 0 {
+		return "No search results found for: " + query
+	}
+	var sb strings.Builder
+	fmt.Fprintf(&sb, "Here are the search results for \"%s\":\n\n", query)
+	for i, r := range results {
+		fmt.Fprintf(&sb, "%d. **%s**\n   %s\n   %s\n\n", i+1, r.Title, r.URL, r.Snippet)
+	}
+	return sb.String()
+}
diff --git a/backend/internal/service/gateway_websearch_emulation_test.go b/backend/internal/service/gateway_websearch_emulation_test.go
new file mode 100644
index 00000000..b606c748
--- /dev/null
+++ b/backend/internal/service/gateway_websearch_emulation_test.go
@@ -0,0 +1,142 @@
+package service
+
+import (
+	"testing"
+
+	"github.com/Wei-Shaw/sub2api/internal/pkg/websearch"
+	"github.com/stretchr/testify/require"
+)
+
+// --- isOnlyWebSearchToolInBody ---
+
+func TestIsOnlyWebSearchToolInBody_WebSearchType(t *testing.T) {
+	require.True(t, isOnlyWebSearchToolInBody([]byte(`{"tools":[{"type":"web_search"}]}`)))
+}
+
+func TestIsOnlyWebSearchToolInBody_WebSearch2025Type(t *testing.T) {
+	require.True(t, isOnlyWebSearchToolInBody([]byte(`{"tools":[{"type":"web_search_20250305"}]}`)))
+}
+
+func TestIsOnlyWebSearchToolInBody_GoogleSearchType(t *testing.T) {
+	require.True(t, isOnlyWebSearchToolInBody([]byte(`{"tools":[{"type":"google_search"}]}`)))
+}
+
+func TestIsOnlyWebSearchToolInBody_NameWebSearch(t *testing.T) {
+	require.True(t, isOnlyWebSearchToolInBody([]byte(`{"tools":[{"name":"web_search"}]}`)))
+}
+
+func TestIsOnlyWebSearchToolInBody_NameWebSearch2025(t *testing.T) {
+	require.True(t, isOnlyWebSearchToolInBody([]byte(`{"tools":[{"name":"web_search_20250305"}]}`)))
+}
+
+func TestIsOnlyWebSearchToolInBody_NameGoogleSearch(t *testing.T) {
+	require.True(t, isOnlyWebSearchToolInBody([]byte(`{"tools":[{"name":"google_search"}]}`)))
+}
+
+func TestIsOnlyWebSearchToolInBody_MultipleTools(t *testing.T) {
+	require.False(t, isOnlyWebSearchToolInBody(
+		[]byte(`{"tools":[{"type":"web_search"},{"type":"text_editor"}]}`)))
+}
+
+func TestIsOnlyWebSearchToolInBody_NoTools(t *testing.T) {
+	require.False(t, isOnlyWebSearchToolInBody([]byte(`{"model":"claude-3"}`)))
+}
+
+func TestIsOnlyWebSearchToolInBody_EmptyToolsArray(t *testing.T) {
+	require.False(t, isOnlyWebSearchToolInBody([]byte(`{"tools":[]}`)))
+}
+
+func TestIsOnlyWebSearchToolInBody_NonWebSearchTool(t *testing.T) {
+	require.False(t, isOnlyWebSearchToolInBody([]byte(`{"tools":[{"type":"text_editor"}]}`)))
+}
+
+func TestIsOnlyWebSearchToolInBody_ToolsNotArray(t *testing.T) {
+	require.False(t, isOnlyWebSearchToolInBody([]byte(`{"tools":"web_search"}`)))
+}
+
+// --- extractSearchQueryFromBody ---
+
+func TestExtractSearchQueryFromBody_StringContent(t *testing.T) {
+	body := `{"messages":[{"role":"user","content":"what is golang"}]}`
+	require.Equal(t, "what is golang", extractSearchQueryFromBody([]byte(body)))
+}
+
+func TestExtractSearchQueryFromBody_ArrayContent(t *testing.T) {
+	body := `{"messages":[{"role":"user","content":[{"type":"text","text":"search this"}]}]}`
+	require.Equal(t, "search this", extractSearchQueryFromBody([]byte(body)))
+}
+
+func TestExtractSearchQueryFromBody_MultipleMessages(t *testing.T) {
+	body := `{"messages":[{"role":"user","content":"first"},{"role":"assistant","content":"ok"},{"role":"user","content":"second"}]}`
+	require.Equal(t, "second", extractSearchQueryFromBody([]byte(body)))
+}
+
+func TestExtractSearchQueryFromBody_LastMessageNotUser(t *testing.T) {
+	body := `{"messages":[{"role":"user","content":"q"},{"role":"assistant","content":"a"}]}`
+	require.Equal(t, "", extractSearchQueryFromBody([]byte(body)))
+}
+
+func TestExtractSearchQueryFromBody_EmptyMessages(t *testing.T) {
+	require.Equal(t, "", extractSearchQueryFromBody([]byte(`{"messages":[]}`)))
+}
+
+func TestExtractSearchQueryFromBody_NoMessages(t *testing.T) {
+	require.Equal(t, "", extractSearchQueryFromBody([]byte(`{"model":"claude-3"}`)))
+}
+
+func TestExtractSearchQueryFromBody_ArrayContentSkipsEmptyText(t *testing.T) {
+	body := `{"messages":[{"role":"user","content":[{"type":"image"},{"type":"text","text":""},{"type":"text","text":"real query"}]}]}`
+	require.Equal(t, "real query", extractSearchQueryFromBody([]byte(body)))
+}
+
+func TestExtractSearchQueryFromBody_ArrayContentNoTextBlock(t *testing.T) {
+	body := `{"messages":[{"role":"user","content":[{"type":"image","source":{}}]}]}`
+	require.Equal(t, "", extractSearchQueryFromBody([]byte(body)))
+}
+
+// --- buildSearchResultBlocks ---
+
+func TestBuildSearchResultBlocks_WithResults(t *testing.T) {
+	results := []websearch.SearchResult{
+		{URL: "https://a.com", Title: "A", Snippet: "snippet a", PageAge: "2 days"},
+		{URL: "https://b.com", Title: "B", Snippet: "snippet b"},
+	}
+	blocks := buildSearchResultBlocks(results)
+	require.Len(t, blocks, 2)
+	require.Equal(t, "web_search_result", blocks[0]["type"])
+	require.Equal(t, "https://a.com", blocks[0]["url"])
+	require.Equal(t, "snippet a", blocks[0]["page_content"])
+	require.Equal(t, "2 days", blocks[0]["page_age"])
+	// Second result has no PageAge
+	require.Equal(t, "https://b.com", blocks[1]["url"])
+	_, hasPageAge := blocks[1]["page_age"]
+	require.False(t, hasPageAge)
+}
+
+func TestBuildSearchResultBlocks_Empty(t *testing.T) {
+	blocks := buildSearchResultBlocks(nil)
+	require.Empty(t, blocks)
+}
+
+func TestBuildSearchResultBlocks_SnippetEmpty(t *testing.T) {
+	blocks := buildSearchResultBlocks([]websearch.SearchResult{{URL: "https://x.com", Title: "X", Snippet: ""}})
+	_, hasContent := blocks[0]["page_content"]
+	require.False(t, hasContent)
+}
+
+// --- buildTextSummary ---
+
+func TestBuildTextSummary_WithResults(t *testing.T) {
+	results := []websearch.SearchResult{
+		{URL: "https://a.com", Title: "A", Snippet: "desc a"},
+	}
+	summary := buildTextSummary("test query", results)
+	require.Contains(t, summary, "test query")
+	require.Contains(t, summary, "1. **A**")
+	require.Contains(t, summary, "https://a.com")
+}
+
+func TestBuildTextSummary_NoResults(t *testing.T) {
+	summary := buildTextSummary("test", nil)
+	require.Contains(t, summary, "No search results found for: test")
+}
diff --git a/backend/internal/service/setting_service.go b/backend/internal/service/setting_service.go
index 48f25da0..3cfe5e56 100644
--- a/backend/internal/service/setting_service.go
+++ b/backend/internal/service/setting_service.go
@@ -18,6 +18,7 @@ import (
 	"github.com/Wei-Shaw/sub2api/internal/config"
 	infraerrors "github.com/Wei-Shaw/sub2api/internal/pkg/errors"
 	"github.com/imroc/req/v3"
+	"github.com/redis/go-redis/v9"
 	"golang.org/x/sync/singleflight"
 )
 
@@ -106,6 +107,7 @@ type SettingService struct {
 	cfg                   *config.Config
 	onUpdate              func() // Callback when settings are updated (for cache invalidation)
 	version               string // Application version
+	webSearchRedis        *redis.Client // optional: Redis client for web search quota tracking
 }
 
 // NewSettingService 创建系统设置服务实例
@@ -1217,6 +1219,14 @@ func (s *SettingService) parseSettings(settings map[string]string) *SystemSettin
 	result.EnableMetadataPassthrough = settings[SettingKeyEnableMetadataPassthrough] == "true"
 	result.EnableCCHSigning = settings[SettingKeyEnableCCHSigning] == "true"
 
+	// Web search emulation: quick enabled check from the JSON config
+	if raw := settings[SettingKeyWebSearchEmulationConfig]; raw != "" {
+		var wsCfg WebSearchEmulationConfig
+		if err := json.Unmarshal([]byte(raw), &wsCfg); err == nil {
+			result.WebSearchEmulationEnabled = wsCfg.Enabled && len(wsCfg.Providers) > 0
+		}
+	}
+
 	return result
 }
 
diff --git a/backend/internal/service/settings_view.go b/backend/internal/service/settings_view.go
index de92b796..f5535bca 100644
--- a/backend/internal/service/settings_view.go
+++ b/backend/internal/service/settings_view.go
@@ -106,6 +106,9 @@ type SystemSettings struct {
 	EnableFingerprintUnification bool // 是否统一 OAuth 账号的指纹头（默认 true）
 	EnableMetadataPassthrough    bool // 是否透传客户端原始 metadata（默认 false）
 	EnableCCHSigning             bool // 是否对 billing header cch 进行签名（默认 false）
+
+	// Web Search Emulation (read-only quick check; full config via dedicated API)
+	WebSearchEmulationEnabled bool
 }
 
 type DefaultSubscriptionSetting struct {
diff --git a/backend/internal/service/websearch_config.go b/backend/internal/service/websearch_config.go
new file mode 100644
index 00000000..15ec1f9d
--- /dev/null
+++ b/backend/internal/service/websearch_config.go
@@ -0,0 +1,253 @@
+package service
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"log/slog"
+	"sync/atomic"
+	"time"
+
+	infraerrors "github.com/Wei-Shaw/sub2api/internal/pkg/errors"
+	"github.com/Wei-Shaw/sub2api/internal/pkg/websearch"
+	"github.com/redis/go-redis/v9"
+	"golang.org/x/sync/singleflight"
+)
+
+// WebSearchEmulationConfig holds the global web search emulation configuration.
+type WebSearchEmulationConfig struct {
+	Enabled   bool                      `json:"enabled"`
+	Providers []WebSearchProviderConfig `json:"providers"`
+}
+
+// WebSearchProviderConfig describes a single search provider (Brave or Tavily).
+type WebSearchProviderConfig struct {
+	Type                 string `json:"type"`                   // websearch.ProviderTypeBrave | Tavily
+	APIKey               string `json:"api_key,omitempty"`      // secret — omitted in API responses
+	APIKeyConfigured     bool   `json:"api_key_configured"`     // read-only mask
+	Priority             int    `json:"priority"`               // lower = higher priority
+	QuotaLimit           int64  `json:"quota_limit"`            // 0 = unlimited
+	QuotaRefreshInterval string `json:"quota_refresh_interval"` // websearch.QuotaRefresh*
+	QuotaUsed            int64  `json:"quota_used,omitempty"`   // read-only: current period usage
+	ProxyID              *int64 `json:"proxy_id"`               // optional proxy association
+	ExpiresAt            *int64 `json:"expires_at,omitempty"`   // optional expiration timestamp
+}
+
+// --- Validation ---
+
+const maxWebSearchProviders = 10
+
+var validProviderTypes = map[string]bool{
+	websearch.ProviderTypeBrave:  true,
+	websearch.ProviderTypeTavily: true,
+}
+
+var validQuotaIntervals = map[string]bool{
+	websearch.QuotaRefreshDaily:   true,
+	websearch.QuotaRefreshWeekly:  true,
+	websearch.QuotaRefreshMonthly: true,
+	"":                            true, // defaults to monthly
+}
+
+func validateWebSearchConfig(cfg *WebSearchEmulationConfig) error {
+	if cfg == nil {
+		return nil
+	}
+	if len(cfg.Providers) > maxWebSearchProviders {
+		return fmt.Errorf("too many providers (max %d)", maxWebSearchProviders)
+	}
+	seen := make(map[string]bool, len(cfg.Providers))
+	for i, p := range cfg.Providers {
+		if !validProviderTypes[p.Type] {
+			return fmt.Errorf("provider[%d]: invalid type %q", i, p.Type)
+		}
+		if !validQuotaIntervals[p.QuotaRefreshInterval] {
+			return fmt.Errorf("provider[%d]: invalid quota_refresh_interval %q", i, p.QuotaRefreshInterval)
+		}
+		if p.QuotaLimit < 0 {
+			return fmt.Errorf("provider[%d]: quota_limit must be >= 0", i)
+		}
+		if seen[p.Type] {
+			return fmt.Errorf("provider[%d]: duplicate type %q", i, p.Type)
+		}
+		seen[p.Type] = true
+	}
+	return nil
+}
+
+// --- In-process cache (same pattern as gateway forwarding settings) ---
+
+const sfKeyWebSearchConfig = "web_search_emulation_config"
+
+type cachedWebSearchEmulationConfig struct {
+	config    *WebSearchEmulationConfig
+	expiresAt int64 // unix nano
+}
+
+var webSearchEmulationCache atomic.Value // *cachedWebSearchEmulationConfig
+var webSearchEmulationSF singleflight.Group
+
+const (
+	webSearchEmulationCacheTTL  = 60 * time.Second
+	webSearchEmulationErrorTTL  = 5 * time.Second
+	webSearchEmulationDBTimeout = 5 * time.Second
+)
+
+// GetWebSearchEmulationConfig returns the configuration with in-process cache + singleflight.
+func (s *SettingService) GetWebSearchEmulationConfig(ctx context.Context) (*WebSearchEmulationConfig, error) {
+	if cached := webSearchEmulationCache.Load(); cached != nil {
+		c := cached.(*cachedWebSearchEmulationConfig)
+		if time.Now().UnixNano() < c.expiresAt {
+			return c.config, nil
+		}
+	}
+	result, err, _ := webSearchEmulationSF.Do(sfKeyWebSearchConfig, func() (any, error) {
+		return s.loadWebSearchConfigFromDB()
+	})
+	if err != nil {
+		return &WebSearchEmulationConfig{}, err
+	}
+	return result.(*WebSearchEmulationConfig), nil
+}
+
+func (s *SettingService) loadWebSearchConfigFromDB() (*WebSearchEmulationConfig, error) {
+	dbCtx, cancel := context.WithTimeout(context.Background(), webSearchEmulationDBTimeout)
+	defer cancel()
+
+	raw, err := s.settingRepo.GetValue(dbCtx, SettingKeyWebSearchEmulationConfig)
+	if err != nil {
+		webSearchEmulationCache.Store(&cachedWebSearchEmulationConfig{
+			config:    &WebSearchEmulationConfig{},
+			expiresAt: time.Now().Add(webSearchEmulationErrorTTL).UnixNano(),
+		})
+		return &WebSearchEmulationConfig{}, err
+	}
+	cfg := parseWebSearchConfigJSON(raw)
+	webSearchEmulationCache.Store(&cachedWebSearchEmulationConfig{
+		config:    cfg,
+		expiresAt: time.Now().Add(webSearchEmulationCacheTTL).UnixNano(),
+	})
+	return cfg, nil
+}
+
+func parseWebSearchConfigJSON(raw string) *WebSearchEmulationConfig {
+	cfg := &WebSearchEmulationConfig{}
+	if raw == "" {
+		return cfg
+	}
+	if err := json.Unmarshal([]byte(raw), cfg); err != nil {
+		slog.Warn("websearch: failed to parse config JSON", "error", err)
+		return &WebSearchEmulationConfig{}
+	}
+	return cfg
+}
+
+// SaveWebSearchEmulationConfig validates and persists the configuration.
+// Empty API keys in the input are preserved from the existing config.
+func (s *SettingService) SaveWebSearchEmulationConfig(ctx context.Context, cfg *WebSearchEmulationConfig) error {
+	if err := validateWebSearchConfig(cfg); err != nil {
+		return infraerrors.BadRequest("INVALID_WEB_SEARCH_CONFIG", err.Error())
+	}
+	s.mergeExistingAPIKeys(ctx, cfg)
+
+	data, err := json.Marshal(cfg)
+	if err != nil {
+		return fmt.Errorf("websearch: marshal config: %w", err)
+	}
+	if err := s.settingRepo.Set(ctx, SettingKeyWebSearchEmulationConfig, string(data)); err != nil {
+		return fmt.Errorf("websearch: save config: %w", err)
+	}
+	// Invalidate: forget singleflight first, then store new value
+	webSearchEmulationSF.Forget(sfKeyWebSearchConfig)
+	webSearchEmulationCache.Store(&cachedWebSearchEmulationConfig{
+		config:    cfg,
+		expiresAt: time.Now().Add(webSearchEmulationCacheTTL).UnixNano(),
+	})
+
+	// Hot-reload: rebuild the global Manager with new config
+	s.RebuildWebSearchManager(ctx)
+	return nil
+}
+
+// mergeExistingAPIKeys preserves API keys from the current config when incoming value is empty.
+func (s *SettingService) mergeExistingAPIKeys(ctx context.Context, cfg *WebSearchEmulationConfig) {
+	existing, _ := s.getWebSearchEmulationConfigRaw(ctx)
+	if existing == nil || cfg == nil {
+		return
+	}
+	existingByType := make(map[string]string, len(existing.Providers))
+	for _, p := range existing.Providers {
+		if p.APIKey != "" {
+			existingByType[p.Type] = p.APIKey
+		}
+	}
+	for i := range cfg.Providers {
+		if cfg.Providers[i].APIKey == "" {
+			if key, ok := existingByType[cfg.Providers[i].Type]; ok {
+				cfg.Providers[i].APIKey = key
+			}
+		}
+	}
+}
+
+func (s *SettingService) getWebSearchEmulationConfigRaw(ctx context.Context) (*WebSearchEmulationConfig, error) {
+	raw, err := s.settingRepo.GetValue(ctx, SettingKeyWebSearchEmulationConfig)
+	if err != nil {
+		return nil, err
+	}
+	return parseWebSearchConfigJSON(raw), nil
+}
+
+// IsWebSearchEmulationEnabled is a quick check for whether the global switch is on.
+func (s *SettingService) IsWebSearchEmulationEnabled(ctx context.Context) bool {
+	cfg, err := s.GetWebSearchEmulationConfig(ctx)
+	if err != nil {
+		return false
+	}
+	return cfg.Enabled && len(cfg.Providers) > 0
+}
+
+// SetWebSearchRedisClient injects the Redis client used for quota tracking.
+// Call after construction, before first use. Triggers initial Manager build.
+func (s *SettingService) SetWebSearchRedisClient(ctx context.Context, redisClient *redis.Client) {
+	s.webSearchRedis = redisClient
+	s.RebuildWebSearchManager(ctx)
+}
+
+// RebuildWebSearchManager reads the current config and (re)creates the global websearch.Manager.
+// Called on startup and after SaveWebSearchEmulationConfig.
+func (s *SettingService) RebuildWebSearchManager(ctx context.Context) {
+	cfg, err := s.GetWebSearchEmulationConfig(ctx)
+	if err != nil || !cfg.Enabled || len(cfg.Providers) == 0 {
+		SetWebSearchManager(nil)
+		return
+	}
+	providerConfigs := make([]websearch.ProviderConfig, 0, len(cfg.Providers))
+	for _, p := range cfg.Providers {
+		providerConfigs = append(providerConfigs, websearch.ProviderConfig{
+			Type:                 p.Type,
+			APIKey:               p.APIKey,
+			Priority:             p.Priority,
+			QuotaLimit:           p.QuotaLimit,
+			QuotaRefreshInterval: p.QuotaRefreshInterval,
+			ExpiresAt:            p.ExpiresAt,
+		})
+	}
+	SetWebSearchManager(websearch.NewManager(providerConfigs, s.webSearchRedis))
+	slog.Info("websearch: manager rebuilt", "provider_count", len(providerConfigs))
+}
+
+// SanitizeWebSearchConfig returns a copy with api_key fields masked for API responses.
+func SanitizeWebSearchConfig(cfg *WebSearchEmulationConfig) *WebSearchEmulationConfig {
+	if cfg == nil {
+		return nil
+	}
+	out := *cfg
+	out.Providers = make([]WebSearchProviderConfig, len(cfg.Providers))
+	for i, p := range cfg.Providers {
+		out.Providers[i] = p
+		out.Providers[i].APIKeyConfigured = p.APIKey != ""
+		out.Providers[i].APIKey = "" // never return the secret
+	}
+	return &out
+}
diff --git a/backend/internal/service/websearch_config_test.go b/backend/internal/service/websearch_config_test.go
new file mode 100644
index 00000000..1a19dd9d
--- /dev/null
+++ b/backend/internal/service/websearch_config_test.go
@@ -0,0 +1,148 @@
+package service
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+// --- validateWebSearchConfig ---
+
+func TestValidateWebSearchConfig_Nil(t *testing.T) {
+	require.NoError(t, validateWebSearchConfig(nil))
+}
+
+func TestValidateWebSearchConfig_Valid(t *testing.T) {
+	cfg := &WebSearchEmulationConfig{
+		Enabled: true,
+		Providers: []WebSearchProviderConfig{
+			{Type: "brave", Priority: 1, QuotaLimit: 1000, QuotaRefreshInterval: "monthly"},
+			{Type: "tavily", Priority: 2, QuotaLimit: 500, QuotaRefreshInterval: "daily"},
+		},
+	}
+	require.NoError(t, validateWebSearchConfig(cfg))
+}
+
+func TestValidateWebSearchConfig_TooManyProviders(t *testing.T) {
+	cfg := &WebSearchEmulationConfig{Providers: make([]WebSearchProviderConfig, 11)}
+	for i := range cfg.Providers {
+		cfg.Providers[i] = WebSearchProviderConfig{Type: "brave"}
+	}
+	err := validateWebSearchConfig(cfg)
+	require.ErrorContains(t, err, "too many providers")
+}
+
+func TestValidateWebSearchConfig_InvalidType(t *testing.T) {
+	cfg := &WebSearchEmulationConfig{
+		Providers: []WebSearchProviderConfig{{Type: "bing"}},
+	}
+	require.ErrorContains(t, validateWebSearchConfig(cfg), "invalid type")
+}
+
+func TestValidateWebSearchConfig_InvalidQuotaInterval(t *testing.T) {
+	cfg := &WebSearchEmulationConfig{
+		Providers: []WebSearchProviderConfig{{Type: "brave", QuotaRefreshInterval: "hourly"}},
+	}
+	require.ErrorContains(t, validateWebSearchConfig(cfg), "invalid quota_refresh_interval")
+}
+
+func TestValidateWebSearchConfig_NegativeQuotaLimit(t *testing.T) {
+	cfg := &WebSearchEmulationConfig{
+		Providers: []WebSearchProviderConfig{{Type: "brave", QuotaLimit: -1}},
+	}
+	require.ErrorContains(t, validateWebSearchConfig(cfg), "quota_limit must be >= 0")
+}
+
+func TestValidateWebSearchConfig_DuplicateType(t *testing.T) {
+	cfg := &WebSearchEmulationConfig{
+		Providers: []WebSearchProviderConfig{
+			{Type: "brave", Priority: 1},
+			{Type: "brave", Priority: 2},
+		},
+	}
+	require.ErrorContains(t, validateWebSearchConfig(cfg), "duplicate type")
+}
+
+func TestValidateWebSearchConfig_EmptyQuotaInterval(t *testing.T) {
+	cfg := &WebSearchEmulationConfig{
+		Providers: []WebSearchProviderConfig{{Type: "brave", QuotaRefreshInterval: ""}},
+	}
+	require.NoError(t, validateWebSearchConfig(cfg))
+}
+
+func TestValidateWebSearchConfig_ZeroQuotaLimit(t *testing.T) {
+	cfg := &WebSearchEmulationConfig{
+		Providers: []WebSearchProviderConfig{{Type: "brave", QuotaLimit: 0}},
+	}
+	require.NoError(t, validateWebSearchConfig(cfg))
+}
+
+// --- parseWebSearchConfigJSON ---
+
+func TestParseWebSearchConfigJSON_ValidJSON(t *testing.T) {
+	raw := `{"enabled":true,"providers":[{"type":"brave","api_key":"sk-xxx"}]}`
+	cfg := parseWebSearchConfigJSON(raw)
+	require.True(t, cfg.Enabled)
+	require.Len(t, cfg.Providers, 1)
+	require.Equal(t, "brave", cfg.Providers[0].Type)
+}
+
+func TestParseWebSearchConfigJSON_EmptyString(t *testing.T) {
+	cfg := parseWebSearchConfigJSON("")
+	require.False(t, cfg.Enabled)
+	require.Empty(t, cfg.Providers)
+}
+
+func TestParseWebSearchConfigJSON_InvalidJSON(t *testing.T) {
+	cfg := parseWebSearchConfigJSON("not{json")
+	require.False(t, cfg.Enabled)
+	require.Empty(t, cfg.Providers)
+}
+
+// --- SanitizeWebSearchConfig ---
+
+func TestSanitizeWebSearchConfig_MaskAPIKey(t *testing.T) {
+	cfg := &WebSearchEmulationConfig{
+		Enabled: true,
+		Providers: []WebSearchProviderConfig{
+			{Type: "brave", APIKey: "sk-secret-xxx"},
+		},
+	}
+	out := SanitizeWebSearchConfig(cfg)
+	require.Equal(t, "", out.Providers[0].APIKey)
+	require.True(t, out.Providers[0].APIKeyConfigured)
+}
+
+func TestSanitizeWebSearchConfig_NoAPIKey(t *testing.T) {
+	cfg := &WebSearchEmulationConfig{
+		Providers: []WebSearchProviderConfig{{Type: "brave", APIKey: ""}},
+	}
+	out := SanitizeWebSearchConfig(cfg)
+	require.Equal(t, "", out.Providers[0].APIKey)
+	require.False(t, out.Providers[0].APIKeyConfigured)
+}
+
+func TestSanitizeWebSearchConfig_Nil(t *testing.T) {
+	require.Nil(t, SanitizeWebSearchConfig(nil))
+}
+
+func TestSanitizeWebSearchConfig_PreservesOtherFields(t *testing.T) {
+	cfg := &WebSearchEmulationConfig{
+		Enabled: true,
+		Providers: []WebSearchProviderConfig{
+			{Type: "brave", APIKey: "secret", Priority: 10, QuotaLimit: 1000},
+		},
+	}
+	out := SanitizeWebSearchConfig(cfg)
+	require.True(t, out.Enabled)
+	require.Equal(t, 10, out.Providers[0].Priority)
+	require.Equal(t, int64(1000), out.Providers[0].QuotaLimit)
+}
+
+func TestSanitizeWebSearchConfig_DoesNotMutateOriginal(t *testing.T) {
+	cfg := &WebSearchEmulationConfig{
+		Providers: []WebSearchProviderConfig{{Type: "brave", APIKey: "secret"}},
+	}
+	_ = SanitizeWebSearchConfig(cfg)
+	require.Equal(t, "secret", cfg.Providers[0].APIKey)
+}
diff --git a/backend/migrations/101_add_channel_features_config.sql b/backend/migrations/101_add_channel_features_config.sql
new file mode 100644
index 00000000..b054b085
--- /dev/null
+++ b/backend/migrations/101_add_channel_features_config.sql
@@ -0,0 +1,2 @@
+ALTER TABLE channels ADD COLUMN IF NOT EXISTS features_config JSONB NOT NULL DEFAULT '{}';
+COMMENT ON COLUMN channels.features_config IS '渠道特性配置（如 web_search_emulation），JSON 对象格式';
diff --git a/frontend/src/api/admin/channels.ts b/frontend/src/api/admin/channels.ts
index b3455022..d49982aa 100644
--- a/frontend/src/api/admin/channels.ts
+++ b/frontend/src/api/admin/channels.ts
@@ -41,6 +41,7 @@ export interface Channel {
   status: string
   billing_model_source: string // "requested" | "upstream"
   restrict_models: boolean
+  features_config?: Record<string, unknown>
   group_ids: number[]
   model_pricing: ChannelModelPricing[]
   model_mapping: Record<string, Record<string, string>> // platform → {src→dst}
@@ -56,6 +57,7 @@ export interface CreateChannelRequest {
   model_mapping?: Record<string, Record<string, string>>
   billing_model_source?: string
   restrict_models?: boolean
+  features_config?: Record<string, unknown>
 }
 
 export interface UpdateChannelRequest {
@@ -67,6 +69,7 @@ export interface UpdateChannelRequest {
   model_mapping?: Record<string, Record<string, string>>
   billing_model_source?: string
   restrict_models?: boolean
+  features_config?: Record<string, unknown>
 }
 
 interface PaginatedResponse<T> {
diff --git a/frontend/src/api/admin/settings.ts b/frontend/src/api/admin/settings.ts
index 504abe9c..7fc6c852 100644
--- a/frontend/src/api/admin/settings.ts
+++ b/frontend/src/api/admin/settings.ts
@@ -482,6 +482,42 @@ export async function updateBetaPolicySettings(
   return data
 }
 
+// --- Web Search Emulation Config ---
+
+export interface WebSearchProviderConfig {
+  type: 'brave' | 'tavily'
+  api_key: string
+  api_key_configured: boolean
+  priority: number
+  quota_limit: number
+  quota_refresh_interval: 'daily' | 'weekly' | 'monthly'
+  quota_used?: number
+  proxy_id: number | null
+  expires_at: number | null
+}
+
+export interface WebSearchEmulationConfig {
+  enabled: boolean
+  providers: WebSearchProviderConfig[]
+}
+
+export async function getWebSearchEmulationConfig(): Promise<WebSearchEmulationConfig> {
+  const { data } = await apiClient.get<WebSearchEmulationConfig>(
+    '/admin/settings/web-search-emulation'
+  )
+  return data
+}
+
+export async function updateWebSearchEmulationConfig(
+  config: WebSearchEmulationConfig
+): Promise<WebSearchEmulationConfig> {
+  const { data } = await apiClient.put<WebSearchEmulationConfig>(
+    '/admin/settings/web-search-emulation',
+    config
+  )
+  return data
+}
+
 export const settingsAPI = {
   getSettings,
   updateSettings,
@@ -497,7 +533,9 @@ export const settingsAPI = {
   getRectifierSettings,
   updateRectifierSettings,
   getBetaPolicySettings,
-  updateBetaPolicySettings
+  updateBetaPolicySettings,
+  getWebSearchEmulationConfig,
+  updateWebSearchEmulationConfig
 }
 
 export default settingsAPI
diff --git a/frontend/src/components/account/CreateAccountModal.vue b/frontend/src/components/account/CreateAccountModal.vue
index 380201c4..d5d8ff89 100644
--- a/frontend/src/components/account/CreateAccountModal.vue
+++ b/frontend/src/components/account/CreateAccountModal.vue
@@ -2325,6 +2325,22 @@
         </div>
       </div>
 
+      <!-- Anthropic API Key: Web Search Emulation -->
+      <div
+        v-if="form.platform === 'anthropic' && accountCategory === 'apikey'"
+        class="border-t border-gray-200 pt-4 dark:border-dark-600"
+      >
+        <div class="flex items-center justify-between">
+          <div>
+            <label class="input-label mb-0">{{ t('admin.accounts.anthropic.webSearchEmulation') }}</label>
+            <p class="mt-1 text-xs text-gray-500 dark:text-gray-400">
+              {{ t('admin.accounts.anthropic.webSearchEmulationDesc') }}
+            </p>
+          </div>
+          <Toggle v-model="webSearchEmulationEnabled" />
+        </div>
+      </div>
+
       <!-- OpenAI OAuth Codex 官方客户端限制开关 -->
       <div
         v-if="form.platform === 'openai' && accountCategory === 'oauth-based'"
@@ -2830,6 +2846,7 @@ import ConfirmDialog from '@/components/common/ConfirmDialog.vue'
 import Select from '@/components/common/Select.vue'
 import Icon from '@/components/icons/Icon.vue'
 import ProxySelector from '@/components/common/ProxySelector.vue'
+import Toggle from '@/components/common/Toggle.vue'
 import GroupSelector from '@/components/common/GroupSelector.vue'
 import ModelWhitelistSelector from '@/components/account/ModelWhitelistSelector.vue'
 import QuotaLimitCard from '@/components/account/QuotaLimitCard.vue'
@@ -2980,6 +2997,7 @@ const openaiOAuthResponsesWebSocketV2Mode = ref<OpenAIWSMode>(OPENAI_WS_MODE_OFF
 const openaiAPIKeyResponsesWebSocketV2Mode = ref<OpenAIWSMode>(OPENAI_WS_MODE_OFF)
 const codexCLIOnlyEnabled = ref(false)
 const anthropicPassthroughEnabled = ref(false)
+const webSearchEmulationEnabled = ref(false)
 const mixedScheduling = ref(false) // For antigravity accounts: enable mixed scheduling
 const allowOverages = ref(false) // For antigravity accounts: enable AI Credits overages
 const antigravityAccountType = ref<'oauth' | 'upstream'>('oauth') // For antigravity: oauth or upstream
@@ -3307,6 +3325,7 @@ watch(
     }
     if (newPlatform !== 'anthropic') {
       anthropicPassthroughEnabled.value = false
+      webSearchEmulationEnabled.value = false
     }
     // Reset OAuth states
     oauth.resetState()
@@ -3326,6 +3345,7 @@ watch(
     }
     if (platform !== 'anthropic' || category !== 'apikey') {
       anthropicPassthroughEnabled.value = false
+      webSearchEmulationEnabled.value = false
     }
   }
 )
@@ -3690,6 +3710,7 @@ const resetForm = () => {
   openaiAPIKeyResponsesWebSocketV2Mode.value = OPENAI_WS_MODE_OFF
   codexCLIOnlyEnabled.value = false
   anthropicPassthroughEnabled.value = false
+  webSearchEmulationEnabled.value = false
   // Reset quota control state
   windowCostEnabled.value = false
   windowCostLimit.value = null
@@ -3777,6 +3798,11 @@ const buildAnthropicExtra = (base?: Record<string, unknown>): Record<string, unk
   } else {
     delete extra.anthropic_passthrough
   }
+  if (webSearchEmulationEnabled.value) {
+    extra.web_search_emulation = true
+  } else {
+    delete extra.web_search_emulation
+  }
 
   return Object.keys(extra).length > 0 ? extra : undefined
 }
diff --git a/frontend/src/components/account/EditAccountModal.vue b/frontend/src/components/account/EditAccountModal.vue
index 8b72d6d1..a67366fc 100644
--- a/frontend/src/components/account/EditAccountModal.vue
+++ b/frontend/src/components/account/EditAccountModal.vue
@@ -1149,10 +1149,61 @@
         </div>
       </div>
 
-      <!-- API Key / Bedrock 账号配额限制 -->
-      <div v-if="account?.type === 'apikey' || account?.type === 'bedrock'" class="border-t border-gray-200 pt-4 dark:border-dark-600 space-y-4">
+      <!-- Anthropic API Key: Web Search Emulation -->
+      <div
+        v-if="account?.platform === 'anthropic' && account?.type === 'apikey'"
+        class="border-t border-gray-200 pt-4 dark:border-dark-600"
+      >
+        <div class="flex items-center justify-between">
+          <div>
+            <label class="input-label mb-0">{{ t('admin.accounts.anthropic.webSearchEmulation') }}</label>
+            <p class="mt-1 text-xs text-gray-500 dark:text-gray-400">
+              {{ t('admin.accounts.anthropic.webSearchEmulationDesc') }}
+            </p>
+          </div>
+          <Toggle v-model="webSearchEmulationEnabled" />
+        </div>
+      </div>
+
+      <!-- 配额控制 (Anthropic apikey/bedrock: 配额限制 + 亲和) -->
+      <div
+        v-if="account?.platform === 'anthropic' && (account?.type === 'apikey' || account?.type === 'bedrock')"
+        class="border-t border-gray-200 pt-4 dark:border-dark-600 space-y-4"
+      >
         <div class="mb-3">
-          <h3 class="input-label mb-0 text-base font-semibold">{{ t('admin.accounts.quotaLimit') }}</h3>
+          <h3 class="input-label mb-0 text-base font-semibold">{{ t('admin.accounts.quotaControl.title') }}</h3>
+          <p class="mt-1 text-xs text-gray-500 dark:text-gray-400">
+            {{ t('admin.accounts.quotaControl.hint') }}
+          </p>
+        </div>
+        <QuotaLimitCard
+          :totalLimit="editQuotaLimit"
+          :dailyLimit="editQuotaDailyLimit"
+          :weeklyLimit="editQuotaWeeklyLimit"
+          :dailyResetMode="editDailyResetMode"
+          :dailyResetHour="editDailyResetHour"
+          :weeklyResetMode="editWeeklyResetMode"
+          :weeklyResetDay="editWeeklyResetDay"
+          :weeklyResetHour="editWeeklyResetHour"
+          :resetTimezone="editResetTimezone"
+          @update:totalLimit="editQuotaLimit = $event"
+          @update:dailyLimit="editQuotaDailyLimit = $event"
+          @update:weeklyLimit="editQuotaWeeklyLimit = $event"
+          @update:dailyResetMode="editDailyResetMode = $event"
+          @update:dailyResetHour="editDailyResetHour = $event"
+          @update:weeklyResetMode="editWeeklyResetMode = $event"
+          @update:weeklyResetDay="editWeeklyResetDay = $event"
+          @update:weeklyResetHour="editWeeklyResetHour = $event"
+          @update:resetTimezone="editResetTimezone = $event"
+        />
+      </div>
+      <!-- 配额控制 (非 Anthropic apikey/bedrock) -->
+      <div
+        v-else-if="account?.type === 'apikey' || account?.type === 'bedrock'"
+        class="border-t border-gray-200 pt-4 dark:border-dark-600 space-y-4"
+      >
+        <div class="mb-3">
+          <h3 class="input-label mb-0 text-base font-semibold">{{ t('admin.accounts.quotaControl.title') }}</h3>
           <p class="mt-1 text-xs text-gray-500 dark:text-gray-400">
             {{ t('admin.accounts.quotaLimitHint') }}
           </p>
@@ -1237,7 +1288,7 @@
         </div>
       </div>
 
-      <!-- Quota Control Section (Anthropic OAuth/SetupToken only) -->
+      <!-- 配额控制 (Anthropic OAuth/SetupToken: 亲和 + 窗口费用 + 会话 + RPM 等) -->
       <div
         v-if="account?.platform === 'anthropic' && (account?.type === 'oauth' || account?.type === 'setup-token')"
         class="border-t border-gray-200 pt-4 dark:border-dark-600 space-y-4"
@@ -1757,6 +1808,7 @@ import ConfirmDialog from '@/components/common/ConfirmDialog.vue'
 import Select from '@/components/common/Select.vue'
 import Icon from '@/components/icons/Icon.vue'
 import ProxySelector from '@/components/common/ProxySelector.vue'
+import Toggle from '@/components/common/Toggle.vue'
 import GroupSelector from '@/components/common/GroupSelector.vue'
 import ModelWhitelistSelector from '@/components/account/ModelWhitelistSelector.vue'
 import QuotaLimitCard from '@/components/account/QuotaLimitCard.vue'
@@ -1898,6 +1950,7 @@ const openaiOAuthResponsesWebSocketV2Mode = ref<OpenAIWSMode>(OPENAI_WS_MODE_OFF
 const openaiAPIKeyResponsesWebSocketV2Mode = ref<OpenAIWSMode>(OPENAI_WS_MODE_OFF)
 const codexCLIOnlyEnabled = ref(false)
 const anthropicPassthroughEnabled = ref(false)
+const webSearchEmulationEnabled = ref(false)
 const editQuotaLimit = ref<number | null>(null)
 const editQuotaDailyLimit = ref<number | null>(null)
 const editQuotaWeeklyLimit = ref<number | null>(null)
@@ -2067,6 +2120,7 @@ const syncFormFromAccount = (newAccount: Account | null) => {
   openaiAPIKeyResponsesWebSocketV2Mode.value = OPENAI_WS_MODE_OFF
   codexCLIOnlyEnabled.value = false
   anthropicPassthroughEnabled.value = false
+  webSearchEmulationEnabled.value = false
   if (newAccount.platform === 'openai' && (newAccount.type === 'oauth' || newAccount.type === 'apikey')) {
     openaiPassthroughEnabled.value = extra?.openai_passthrough === true || extra?.openai_oauth_passthrough === true
     openaiOAuthResponsesWebSocketV2Mode.value = resolveOpenAIWSModeFromExtra(extra, {
@@ -2087,6 +2141,7 @@ const syncFormFromAccount = (newAccount: Account | null) => {
   }
   if (newAccount.platform === 'anthropic' && newAccount.type === 'apikey') {
     anthropicPassthroughEnabled.value = extra?.anthropic_passthrough === true
+    webSearchEmulationEnabled.value = extra?.web_search_emulation === true
   }
 
   // Load quota limit for apikey/bedrock accounts (bedrock quota is also loaded in its own branch above)
@@ -2522,8 +2577,13 @@ function loadQuotaControlSettings(account: Account) {
   customBaseUrlEnabled.value = false
   customBaseUrl.value = ''
 
-  // Only applies to Anthropic OAuth/SetupToken accounts
-  if (account.platform !== 'anthropic' || (account.type !== 'oauth' && account.type !== 'setup-token')) {
+  // Remaining quota control settings only apply to Anthropic accounts
+  if (account.platform !== 'anthropic') {
+    return
+  }
+
+  // Window cost / session limit only apply to Anthropic OAuth/SetupToken accounts
+  if (account.type !== 'oauth' && account.type !== 'setup-token') {
     return
   }
 
@@ -2949,7 +3009,7 @@ const handleSubmit = async () => {
 
     // For Anthropic OAuth/SetupToken accounts, handle quota control settings in extra
     if (props.account.platform === 'anthropic' && (props.account.type === 'oauth' || props.account.type === 'setup-token')) {
-      const currentExtra = (props.account.extra as Record<string, unknown>) || {}
+      const currentExtra = (updatePayload.extra as Record<string, unknown>) || (props.account.extra as Record<string, unknown>) || {}
       const newExtra: Record<string, unknown> = { ...currentExtra }
 
       // Window cost limit settings
@@ -3037,15 +3097,20 @@ const handleSubmit = async () => {
       updatePayload.extra = newExtra
     }
 
-    // For Anthropic API Key accounts, handle passthrough mode in extra
+    // For Anthropic API Key accounts, handle passthrough mode + web search emulation in extra
     if (props.account.platform === 'anthropic' && props.account.type === 'apikey') {
-      const currentExtra = (props.account.extra as Record<string, unknown>) || {}
+      const currentExtra = (updatePayload.extra as Record<string, unknown>) || (props.account.extra as Record<string, unknown>) || {}
       const newExtra: Record<string, unknown> = { ...currentExtra }
       if (anthropicPassthroughEnabled.value) {
         newExtra.anthropic_passthrough = true
       } else {
         delete newExtra.anthropic_passthrough
       }
+      if (webSearchEmulationEnabled.value) {
+        newExtra.web_search_emulation = true
+      } else {
+        delete newExtra.web_search_emulation
+      }
       updatePayload.extra = newExtra
     }
 
@@ -3089,20 +3154,27 @@ const handleSubmit = async () => {
       const currentExtra = (updatePayload.extra as Record<string, unknown>) ||
         (props.account.extra as Record<string, unknown>) || {}
       const newExtra: Record<string, unknown> = { ...currentExtra }
+      // Total quota
       if (editQuotaLimit.value != null && editQuotaLimit.value > 0) {
         newExtra.quota_limit = editQuotaLimit.value
       } else {
         delete newExtra.quota_limit
       }
+      // Daily quota
       if (editQuotaDailyLimit.value != null && editQuotaDailyLimit.value > 0) {
         newExtra.quota_daily_limit = editQuotaDailyLimit.value
       } else {
         delete newExtra.quota_daily_limit
+        delete newExtra.quota_daily_used
+        delete newExtra.quota_daily_start
       }
+      // Weekly quota
       if (editQuotaWeeklyLimit.value != null && editQuotaWeeklyLimit.value > 0) {
         newExtra.quota_weekly_limit = editQuotaWeeklyLimit.value
       } else {
         delete newExtra.quota_weekly_limit
+        delete newExtra.quota_weekly_used
+        delete newExtra.quota_weekly_start
       }
       // Quota reset mode config
       if (editDailyResetMode.value === 'fixed') {
diff --git a/frontend/src/i18n/locales/en.ts b/frontend/src/i18n/locales/en.ts
index d6c87d52..99f8d535 100644
--- a/frontend/src/i18n/locales/en.ts
+++ b/frontend/src/i18n/locales/en.ts
@@ -1836,6 +1836,9 @@ export default {
         defaultPerRequestPrice: 'Default per-request price (fallback when no tier matches)',
         defaultImagePrice: 'Default image price (fallback when no tier matches)',
         platformConfig: 'Platform Configuration',
+        webSearchEmulation: 'Web Search Emulation',
+        webSearchEmulationHint: '⚠️ When enabled, all accounts in this channel\'s Anthropic groups will intercept web_search requests. Use with caution.',
+        webSearchEmulationGlobalDisabled: 'Please enable the global switch first in Settings → Gateway → Web Search Emulation',
         basicSettings: 'Basic Settings',
         addPlatform: 'Add Platform',
         noPlatforms: 'Click "Add Platform" to start configuring the channel',
@@ -2325,7 +2328,10 @@ export default {
       anthropic: {
         apiKeyPassthrough: 'Auto passthrough (auth only)',
         apiKeyPassthroughDesc:
-          'Only applies to Anthropic API Key accounts. When enabled, messages/count_tokens are forwarded in passthrough mode with auth replacement only, while billing/concurrency/audit and safety filtering are preserved. Disable to roll back immediately.'
+          'Only applies to Anthropic API Key accounts. When enabled, messages/count_tokens are forwarded in passthrough mode with auth replacement only, while billing/concurrency/audit and safety filtering are preserved. Disable to roll back immediately.',
+        webSearchEmulation: 'Web Search Emulation',
+        webSearchEmulationDesc:
+          'Enable web search emulation for this API Key account. When a pure web_search request is detected, the gateway calls a third-party search API and constructs the response locally.',
       },
       modelRestriction: 'Model Restriction (Optional)',
       modelWhitelist: 'Model Whitelist',
@@ -4358,6 +4364,31 @@ export default {
         cchSigning: 'CCH Signing',
         cchSigningHint: 'Sign the billing header in forwarded requests with CCH hash. When disabled, the placeholder is preserved.',
       },
+      webSearchEmulation: {
+        title: 'Web Search Emulation',
+        description: 'Inject web search capability for Anthropic API Key accounts that don\'t natively support it',
+        enabled: 'Enable Web Search Emulation',
+        enabledHint: 'Global switch. When disabled, web search emulation is inactive for all channels and accounts.',
+        providers: 'Search Providers',
+        addProvider: 'Add Provider',
+        providerType: 'Provider Type',
+        apiKey: 'API Key',
+        apiKeyPlaceholder: 'Enter API Key',
+        apiKeyConfigured: 'Configured',
+        priority: 'Priority',
+        priorityHint: 'Lower number = higher priority',
+        quotaLimit: 'Quota Limit',
+        quotaLimitHint: '0 = unlimited',
+        quotaRefreshInterval: 'Refresh Interval',
+        quotaUsed: 'Used',
+        proxy: 'Proxy',
+        expiresAt: 'Expires At',
+        removeProvider: 'Remove',
+        daily: 'Daily',
+        weekly: 'Weekly',
+        monthly: 'Monthly',
+        noProviders: 'No search providers configured',
+      },
       site: {
         title: 'Site Settings',
         description: 'Customize site branding',
diff --git a/frontend/src/i18n/locales/zh.ts b/frontend/src/i18n/locales/zh.ts
index 2038970a..7ef7ead0 100644
--- a/frontend/src/i18n/locales/zh.ts
+++ b/frontend/src/i18n/locales/zh.ts
@@ -1915,6 +1915,9 @@ export default {
         defaultPerRequestPrice: '默认单次价格（未命中层级时使用）',
         defaultImagePrice: '默认图片价格（未命中层级时使用）',
         platformConfig: '平台配置',
+        webSearchEmulation: 'Web Search 模拟',
+        webSearchEmulationHint: '⚠️ 开启后该渠道下所有 Anthropic 分组的账号将自动拦截 web_search 请求，请谨慎操作',
+        webSearchEmulationGlobalDisabled: '请先在系统设置 → 网关 → Web Search 模拟中启用全局开关',
         basicSettings: '基础设置',
         addPlatform: '添加平台',
         noPlatforms: '点击"添加平台"开始配置渠道',
@@ -2472,7 +2475,10 @@ export default {
       anthropic: {
         apiKeyPassthrough: '自动透传（仅替换认证）',
         apiKeyPassthroughDesc:
-          '仅对 Anthropic API Key 生效。开启后，messages/count_tokens 请求将透传上游并仅替换认证，保留计费/并发/审计及必要安全过滤；关闭即可回滚到现有兼容链路。'
+          '仅对 Anthropic API Key 生效。开启后，messages/count_tokens 请求将透传上游并仅替换认证，保留计费/并发/审计及必要安全过滤；关闭即可回滚到现有兼容链路。',
+        webSearchEmulation: 'Web Search 模拟',
+        webSearchEmulationDesc:
+          '为该 API Key 账号启用 web search 模拟。客户端发送纯 web_search 请求时，由网关调用第三方搜索 API 并构造响应返回。',
       },
       modelRestriction: '模型限制（可选）',
       modelWhitelist: '模型白名单',
@@ -4520,6 +4526,31 @@ export default {
         cchSigning: 'CCH 签名',
         cchSigningHint: '对转发请求的 billing header 进行 CCH 哈希签名。关闭时保留原始占位符。',
       },
+      webSearchEmulation: {
+        title: 'Web Search 模拟',
+        description: '为不原生支持搜索的 Anthropic API Key 账号注入 web search 能力',
+        enabled: '启用 Web Search 模拟',
+        enabledHint: '全局开关。关闭后所有渠道和账号的 web search 模拟均不生效。',
+        providers: '搜索服务商',
+        addProvider: '添加服务商',
+        providerType: '服务商类型',
+        apiKey: 'API Key',
+        apiKeyPlaceholder: '输入 API Key',
+        apiKeyConfigured: '已配置',
+        priority: '优先级',
+        priorityHint: '数值越小优先级越高',
+        quotaLimit: '配额上限',
+        quotaLimitHint: '0 表示无限制',
+        quotaRefreshInterval: '刷新周期',
+        quotaUsed: '已使用',
+        proxy: '代理',
+        expiresAt: '过期时间',
+        removeProvider: '删除',
+        daily: '每日',
+        weekly: '每周',
+        monthly: '每月',
+        noProviders: '未配置搜索服务商',
+      },
       site: {
         title: '站点设置',
         description: '自定义站点品牌',
diff --git a/frontend/src/views/admin/ChannelsView.vue b/frontend/src/views/admin/ChannelsView.vue
index 5c2f153b..ce8d3c9c 100644
--- a/frontend/src/views/admin/ChannelsView.vue
+++ b/frontend/src/views/admin/ChannelsView.vue
@@ -306,6 +306,24 @@
               </div>
             </div>
 
+            <!-- Web Search Emulation (Anthropic only) -->
+            <div v-if="section.platform === 'anthropic'" class="border-t border-gray-200 pt-3 dark:border-dark-600">
+              <div class="flex items-center justify-between">
+                <div>
+                  <label class="text-xs font-medium text-orange-600 dark:text-orange-400">
+                    {{ t('admin.channels.form.webSearchEmulation') }}
+                  </label>
+                  <p v-if="webSearchGlobalEnabled" class="mt-0.5 text-[11px] text-amber-500 dark:text-amber-400">
+                    {{ t('admin.channels.form.webSearchEmulationHint') }}
+                  </p>
+                  <p v-else class="mt-0.5 text-[11px] text-gray-400">
+                    {{ t('admin.channels.form.webSearchEmulationGlobalDisabled') }}
+                  </p>
+                </div>
+                <Toggle v-model="section.web_search_emulation" :disabled="!webSearchGlobalEnabled" />
+              </div>
+            </div>
+
             <!-- Model Mapping -->
             <div>
               <div class="mb-1 flex items-center justify-between">
@@ -423,6 +441,7 @@
 import { ref, reactive, computed, onMounted, onUnmounted } from 'vue'
 import { useI18n } from 'vue-i18n'
 import { useAppStore } from '@/stores/app'
+import { extractApiErrorMessage } from '@/utils/apiError'
 import { adminAPI } from '@/api/admin'
 import type { Channel, ChannelModelPricing, CreateChannelRequest, UpdateChannelRequest } from '@/api/admin/channels'
 import type { PricingFormEntry } from '@/components/admin/channel/types'
@@ -446,6 +465,18 @@ import { getPersistedPageSize } from '@/composables/usePersistedPageSize'
 const { t } = useI18n()
 const appStore = useAppStore()
 
+// Web Search global enabled state (loaded once on mount)
+const webSearchGlobalEnabled = ref(false)
+async function loadWebSearchGlobalState() {
+  try {
+    const cfg = await adminAPI.settings.getWebSearchEmulationConfig()
+    webSearchGlobalEnabled.value = cfg?.enabled === true && (cfg?.providers?.length ?? 0) > 0
+  } catch (err: unknown) {
+    console.warn('Failed to load web search global state:', err)
+    webSearchGlobalEnabled.value = false
+  }
+}
+
 // ── Platform Section type ──
 interface PlatformSection {
   platform: GroupPlatform
@@ -454,6 +485,7 @@ interface PlatformSection {
   group_ids: number[]
   model_mapping: Record<string, string>
   model_pricing: PricingFormEntry[]
+  web_search_emulation: boolean
 }
 
 // ── Table columns ──
@@ -565,7 +597,8 @@ function addPlatformSection(platform: GroupPlatform) {
     collapsed: false,
     group_ids: [],
     model_mapping: {},
-    model_pricing: []
+    model_pricing: [],
+    web_search_emulation: false,
   })
 }
 
@@ -679,10 +712,14 @@ function renameMappingKey(sectionIdx: number, oldKey: string, newKey: string) {
 }
 
 // ── Form ↔ API conversion ──
-function formToAPI(): { group_ids: number[], model_pricing: ChannelModelPricing[], model_mapping: Record<string, Record<string, string>> } {
+function formToAPI(): { group_ids: number[], model_pricing: ChannelModelPricing[], model_mapping: Record<string, Record<string, string>>, features_config: Record<string, unknown> } {
   const group_ids: number[] = []
   const model_pricing: ChannelModelPricing[] = []
   const model_mapping: Record<string, Record<string, string>> = {}
+  // Preserve existing features_config fields not managed by the form
+  const featuresConfig: Record<string, unknown> = editingChannel.value?.features_config
+    ? { ...editingChannel.value.features_config }
+    : {}
 
   for (const section of form.platforms) {
     if (!section.enabled) continue
@@ -711,7 +748,19 @@ function formToAPI(): { group_ids: number[], model_pricing: ChannelModelPricing[
     }
   }
 
-  return { group_ids, model_pricing, model_mapping }
+  // Collect web_search_emulation (only anthropic platform supports it)
+  const wsEmulation: Record<string, boolean> = {}
+  for (const section of form.platforms) {
+    if (!section.enabled) continue
+    if (section.web_search_emulation && section.platform === 'anthropic') {
+      wsEmulation[section.platform] = true
+    }
+  }
+  if (Object.keys(wsEmulation).length > 0) {
+    featuresConfig.web_search_emulation = wsEmulation
+  }
+
+  return { group_ids, model_pricing, model_mapping, features_config: featuresConfig }
 }
 
 function apiToForm(channel: Channel): PlatformSection[] {
@@ -755,13 +804,19 @@ function apiToForm(channel: Channel): PlatformSection[] {
         intervals: apiIntervalsToForm(p.intervals || [])
       } as PricingFormEntry))
 
+    // Read web_search_emulation from features_config
+    const fc = channel.features_config
+    const wsEmulation = fc?.web_search_emulation as Record<string, boolean> | undefined
+    const webSearchEnabled = wsEmulation?.[platform] === true
+
     sections.push({
       platform,
       enabled: true,
       collapsed: false,
       group_ids: groupIds,
       model_mapping: { ...mapping },
-      model_pricing: pricing
+      model_pricing: pricing,
+      web_search_emulation: webSearchEnabled,
     })
   }
 
@@ -786,10 +841,10 @@ async function loadChannels() {
     if (ctrl.signal.aborted || abortController !== ctrl) return
     channels.value = response.items || []
     pagination.total = response.total
-  } catch (error: any) {
-    if (error?.name === 'AbortError' || error?.code === 'ERR_CANCELED') return
-    appStore.showError(t('admin.channels.loadError', 'Failed to load channels'))
-    console.error('Error loading channels:', error)
+  } catch (error: unknown) {
+    const e = error as { name?: string; code?: string }
+    if (e?.name === 'AbortError' || e?.code === 'ERR_CANCELED') return
+    appStore.showError(extractApiErrorMessage(error, t('admin.channels.loadError', 'Failed to load channels')))
   } finally {
     if (abortController === ctrl) {
       loading.value = false
@@ -969,8 +1024,7 @@ async function handleSubmit() {
     }
   }
 
-  const { group_ids, model_pricing, model_mapping } = formToAPI()
-  console.log('[handleSubmit] model_pricing to send:', JSON.stringify(model_pricing))
+  const { group_ids, model_pricing, model_mapping, features_config } = formToAPI()
 
   submitting.value = true
   try {
@@ -983,7 +1037,8 @@ async function handleSubmit() {
         model_pricing,
         model_mapping: Object.keys(model_mapping).length > 0 ? model_mapping : {},
         billing_model_source: form.billing_model_source,
-        restrict_models: form.restrict_models
+        restrict_models: form.restrict_models,
+        features_config,
       }
       await adminAPI.channels.update(editingChannel.value.id, req)
       appStore.showSuccess(t('admin.channels.updateSuccess', 'Channel updated'))
@@ -995,19 +1050,18 @@ async function handleSubmit() {
         model_pricing,
         model_mapping: Object.keys(model_mapping).length > 0 ? model_mapping : {},
         billing_model_source: form.billing_model_source,
-        restrict_models: form.restrict_models
+        restrict_models: form.restrict_models,
+        features_config,
       }
       await adminAPI.channels.create(req)
       appStore.showSuccess(t('admin.channels.createSuccess', 'Channel created'))
     }
     closeDialog()
     loadChannels()
-  } catch (error: any) {
-    const msg = error.response?.data?.detail || (editingChannel.value
+  } catch (error: unknown) {
+    appStore.showError(extractApiErrorMessage(error, editingChannel.value
       ? t('admin.channels.updateError', 'Failed to update channel')
-      : t('admin.channels.createError', 'Failed to create channel'))
-    appStore.showError(msg)
-    console.error('Error saving channel:', error)
+      : t('admin.channels.createError', 'Failed to create channel')))
   } finally {
     submitting.value = false
   }
@@ -1045,9 +1099,8 @@ async function confirmDelete() {
     showDeleteDialog.value = false
     deletingChannel.value = null
     loadChannels()
-  } catch (error: any) {
-    appStore.showError(error.response?.data?.detail || t('admin.channels.deleteError', 'Failed to delete channel'))
-    console.error('Error deleting channel:', error)
+  } catch (error: unknown) {
+    appStore.showError(extractApiErrorMessage(error, t('admin.channels.deleteError', 'Failed to delete channel')))
   }
 }
 
@@ -1055,6 +1108,7 @@ async function confirmDelete() {
 onMounted(() => {
   loadChannels()
   loadGroups()
+  loadWebSearchGlobalState()
 })
 
 onUnmounted(() => {
diff --git a/frontend/src/views/admin/SettingsView.vue b/frontend/src/views/admin/SettingsView.vue
index 20f9318c..6abc725a 100644
--- a/frontend/src/views/admin/SettingsView.vue
+++ b/frontend/src/views/admin/SettingsView.vue
@@ -630,6 +630,108 @@
                     {{ t('admin.settings.betaPolicy.errorMessageHint') }}
                   </p>
                 </div>
+
+                <!-- Quick Presets (only for tokens with presets) -->
+                <div v-if="betaPresets[rule.beta_token]?.length" class="mt-3">
+                  <label class="mb-1 block text-xs font-medium text-gray-600 dark:text-gray-400">
+                    {{ t('admin.settings.betaPolicy.quickPresets') }}
+                  </label>
+                  <div class="flex flex-wrap gap-2">
+                    <button
+                      v-for="preset in betaPresets[rule.beta_token]"
+                      :key="preset.label"
+                      type="button"
+                      class="inline-flex items-center gap-1 rounded-md border border-primary-200 bg-primary-50 px-2.5 py-1 text-xs font-medium text-primary-700 transition-colors hover:bg-primary-100 dark:border-primary-800 dark:bg-primary-900/30 dark:text-primary-300 dark:hover:bg-primary-900/50"
+                      @click="applyBetaPreset(rule, preset)"
+                      :title="preset.description"
+                    >
+                      {{ preset.label }}
+                    </button>
+                  </div>
+                </div>
+
+                <!-- Model Whitelist -->
+                <div class="mt-3">
+                  <label class="mb-1 block text-xs font-medium text-gray-600 dark:text-gray-400">
+                    {{ t('admin.settings.betaPolicy.modelWhitelist') }}
+                  </label>
+                  <p class="mb-2 text-xs text-gray-400 dark:text-gray-500">
+                    {{ t('admin.settings.betaPolicy.modelWhitelistHint') }}
+                  </p>
+                  <!-- Existing patterns -->
+                  <div
+                    v-for="(_, index) in (rule.model_whitelist || [])"
+                    :key="index"
+                    class="mb-1.5 flex items-center gap-2"
+                  >
+                    <input
+                      v-model="rule.model_whitelist![index]"
+                      type="text"
+                      class="input input-sm flex-1"
+                      :placeholder="t('admin.settings.betaPolicy.modelPatternPlaceholder')"
+                    />
+                    <button
+                      type="button"
+                      @click="rule.model_whitelist!.splice(index, 1)"
+                      class="shrink-0 rounded p-1 text-red-400 transition-colors hover:bg-red-50 hover:text-red-600 dark:hover:bg-red-900/20"
+                    >
+                      <svg class="h-4 w-4" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2">
+                        <path stroke-linecap="round" stroke-linejoin="round" d="M6 18L18 6M6 6l12 12" />
+                      </svg>
+                    </button>
+                  </div>
+                  <!-- Add pattern button -->
+                  <button
+                    type="button"
+                    @click="if (!rule.model_whitelist) rule.model_whitelist = []; rule.model_whitelist.push('')"
+                    class="mb-2 inline-flex items-center gap-1 text-xs text-primary-600 transition-colors hover:text-primary-700 dark:text-primary-400 dark:hover:text-primary-300"
+                  >
+                    <svg class="h-3.5 w-3.5" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2">
+                      <path stroke-linecap="round" stroke-linejoin="round" d="M12 4v16m8-8H4" />
+                    </svg>
+                    {{ t('admin.settings.betaPolicy.addModelPattern') }}
+                  </button>
+                  <!-- Common pattern chips -->
+                  <div class="flex flex-wrap items-center gap-1.5">
+                    <span class="text-xs text-gray-400 dark:text-gray-500">{{ t('admin.settings.betaPolicy.commonPatterns') }}:</span>
+                    <button
+                      v-for="pattern in commonModelPatterns"
+                      :key="pattern"
+                      type="button"
+                      class="rounded border border-gray-200 px-2 py-0.5 text-xs text-gray-600 transition-colors hover:border-primary-300 hover:bg-primary-50 hover:text-primary-700 dark:border-dark-600 dark:text-gray-400 dark:hover:border-primary-700 dark:hover:bg-primary-900/30 dark:hover:text-primary-300"
+                      @click="addQuickPattern(rule, pattern)"
+                    >
+                      {{ pattern }}
+                    </button>
+                  </div>
+                </div>
+
+                <!-- Fallback Action (only when model_whitelist is non-empty) -->
+                <div v-if="rule.model_whitelist && rule.model_whitelist.length > 0" class="mt-3">
+                  <label class="mb-1 block text-xs font-medium text-gray-600 dark:text-gray-400">
+                    {{ t('admin.settings.betaPolicy.fallbackAction') }}
+                  </label>
+                  <Select
+                    :modelValue="rule.fallback_action || 'pass'"
+                    @update:modelValue="rule.fallback_action = $event as any"
+                    :options="betaPolicyActionOptions"
+                  />
+                  <p class="mt-1 text-xs text-gray-400 dark:text-gray-500">
+                    {{ t('admin.settings.betaPolicy.fallbackActionHint') }}
+                  </p>
+                  <!-- Fallback Error Message (only when fallback_action=block) -->
+                  <div v-if="rule.fallback_action === 'block'" class="mt-2">
+                    <input
+                      v-model="rule.fallback_error_message"
+                      type="text"
+                      class="input"
+                      :placeholder="t('admin.settings.betaPolicy.fallbackErrorMessagePlaceholder')"
+                    />
+                    <p class="mt-1 text-xs text-gray-400 dark:text-gray-500">
+                      {{ t('admin.settings.betaPolicy.errorMessageHint') }}
+                    </p>
+                  </div>
+                </div>
               </div>
 
               <!-- Save Button -->
@@ -1022,7 +1124,327 @@
             </div>
           </div>
         </div>
-        </div><!-- /Tab: Security — Registration, Turnstile, LinuxDo -->
+
+        <!-- Generic OIDC OAuth 登录 -->
+        <div class="card">
+          <div class="border-b border-gray-100 px-6 py-4 dark:border-dark-700">
+            <h2 class="text-lg font-semibold text-gray-900 dark:text-white">
+              {{ t('admin.settings.oidc.title') }}
+            </h2>
+            <p class="mt-1 text-sm text-gray-500 dark:text-gray-400">
+              {{ t('admin.settings.oidc.description') }}
+            </p>
+          </div>
+          <div class="space-y-5 p-6">
+            <div class="flex items-center justify-between">
+              <div>
+                <label class="font-medium text-gray-900 dark:text-white">{{
+                  t('admin.settings.oidc.enable')
+                }}</label>
+                <p class="text-sm text-gray-500 dark:text-gray-400">
+                  {{ t('admin.settings.oidc.enableHint') }}
+                </p>
+              </div>
+              <Toggle v-model="form.oidc_connect_enabled" />
+            </div>
+
+            <div
+              v-if="form.oidc_connect_enabled"
+              class="space-y-6 border-t border-gray-100 pt-4 dark:border-dark-700"
+            >
+              <div class="grid grid-cols-1 gap-6 lg:grid-cols-3">
+                <div>
+                  <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">
+                    {{ t('admin.settings.oidc.providerName') }}
+                  </label>
+                  <input
+                    v-model="form.oidc_connect_provider_name"
+                    type="text"
+                    class="input"
+                    :placeholder="t('admin.settings.oidc.providerNamePlaceholder')"
+                  />
+                </div>
+
+                <div>
+                  <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">
+                    {{ t('admin.settings.oidc.clientId') }}
+                  </label>
+                  <input
+                    v-model="form.oidc_connect_client_id"
+                    type="text"
+                    class="input font-mono text-sm"
+                    :placeholder="t('admin.settings.oidc.clientIdPlaceholder')"
+                  />
+                </div>
+
+                <div>
+                  <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">
+                    {{ t('admin.settings.oidc.clientSecret') }}
+                  </label>
+                  <input
+                    v-model="form.oidc_connect_client_secret"
+                    type="password"
+                    class="input font-mono text-sm"
+                    :placeholder="
+                      form.oidc_connect_client_secret_configured
+                        ? t('admin.settings.oidc.clientSecretConfiguredPlaceholder')
+                        : t('admin.settings.oidc.clientSecretPlaceholder')
+                    "
+                  />
+                  <p class="mt-1.5 text-xs text-gray-500 dark:text-gray-400">
+                    {{
+                      form.oidc_connect_client_secret_configured
+                        ? t('admin.settings.oidc.clientSecretConfiguredHint')
+                        : t('admin.settings.oidc.clientSecretHint')
+                    }}
+                  </p>
+                </div>
+              </div>
+
+              <div class="grid grid-cols-1 gap-6 lg:grid-cols-2">
+                <div>
+                  <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">
+                    {{ t('admin.settings.oidc.issuerUrl') }}
+                  </label>
+                  <input
+                    v-model="form.oidc_connect_issuer_url"
+                    type="url"
+                    class="input font-mono text-sm"
+                    :placeholder="t('admin.settings.oidc.issuerUrlPlaceholder')"
+                  />
+                </div>
+
+                <div>
+                  <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">
+                    {{ t('admin.settings.oidc.discoveryUrl') }}
+                  </label>
+                  <input
+                    v-model="form.oidc_connect_discovery_url"
+                    type="url"
+                    class="input font-mono text-sm"
+                    :placeholder="t('admin.settings.oidc.discoveryUrlPlaceholder')"
+                  />
+                </div>
+
+                <div>
+                  <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">
+                    {{ t('admin.settings.oidc.authorizeUrl') }}
+                  </label>
+                  <input
+                    v-model="form.oidc_connect_authorize_url"
+                    type="url"
+                    class="input font-mono text-sm"
+                    :placeholder="t('admin.settings.oidc.authorizeUrlPlaceholder')"
+                  />
+                </div>
+
+                <div>
+                  <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">
+                    {{ t('admin.settings.oidc.tokenUrl') }}
+                  </label>
+                  <input
+                    v-model="form.oidc_connect_token_url"
+                    type="url"
+                    class="input font-mono text-sm"
+                    :placeholder="t('admin.settings.oidc.tokenUrlPlaceholder')"
+                  />
+                </div>
+
+                <div>
+                  <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">
+                    {{ t('admin.settings.oidc.userinfoUrl') }}
+                  </label>
+                  <input
+                    v-model="form.oidc_connect_userinfo_url"
+                    type="url"
+                    class="input font-mono text-sm"
+                    :placeholder="t('admin.settings.oidc.userinfoUrlPlaceholder')"
+                  />
+                </div>
+
+                <div>
+                  <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">
+                    {{ t('admin.settings.oidc.jwksUrl') }}
+                  </label>
+                  <input
+                    v-model="form.oidc_connect_jwks_url"
+                    type="url"
+                    class="input font-mono text-sm"
+                    :placeholder="t('admin.settings.oidc.jwksUrlPlaceholder')"
+                  />
+                </div>
+              </div>
+
+              <div class="grid grid-cols-1 gap-6 lg:grid-cols-2">
+                <div>
+                  <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">
+                    {{ t('admin.settings.oidc.scopes') }}
+                  </label>
+                  <input
+                    v-model="form.oidc_connect_scopes"
+                    type="text"
+                    class="input font-mono text-sm"
+                    :placeholder="t('admin.settings.oidc.scopesPlaceholder')"
+                  />
+                  <p class="mt-1.5 text-xs text-gray-500 dark:text-gray-400">
+                    {{ t('admin.settings.oidc.scopesHint') }}
+                  </p>
+                </div>
+
+                <div>
+                  <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">
+                    {{ t('admin.settings.oidc.redirectUrl') }}
+                  </label>
+                  <input
+                    v-model="form.oidc_connect_redirect_url"
+                    type="url"
+                    class="input font-mono text-sm"
+                    :placeholder="t('admin.settings.oidc.redirectUrlPlaceholder')"
+                  />
+                  <div class="mt-2 flex flex-col gap-2 sm:flex-row sm:items-center sm:gap-3">
+                    <button
+                      type="button"
+                      class="btn btn-secondary btn-sm w-fit"
+                      @click="setAndCopyOIDCRedirectUrl"
+                    >
+                      {{ t('admin.settings.oidc.quickSetCopy') }}
+                    </button>
+                    <code
+                      v-if="oidcRedirectUrlSuggestion"
+                      class="select-all break-all rounded bg-gray-50 px-2 py-1 font-mono text-xs text-gray-600 dark:bg-dark-800 dark:text-gray-300"
+                    >
+                      {{ oidcRedirectUrlSuggestion }}
+                    </code>
+                  </div>
+                  <p class="mt-1.5 text-xs text-gray-500 dark:text-gray-400">
+                    {{ t('admin.settings.oidc.redirectUrlHint') }}
+                  </p>
+                </div>
+
+                <div class="lg:col-span-2">
+                  <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">
+                    {{ t('admin.settings.oidc.frontendRedirectUrl') }}
+                  </label>
+                  <input
+                    v-model="form.oidc_connect_frontend_redirect_url"
+                    type="text"
+                    class="input font-mono text-sm"
+                    :placeholder="t('admin.settings.oidc.frontendRedirectUrlPlaceholder')"
+                  />
+                  <p class="mt-1.5 text-xs text-gray-500 dark:text-gray-400">
+                    {{ t('admin.settings.oidc.frontendRedirectUrlHint') }}
+                  </p>
+                </div>
+              </div>
+
+              <div class="grid grid-cols-1 gap-6 lg:grid-cols-3">
+                <div>
+                  <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">
+                    {{ t('admin.settings.oidc.tokenAuthMethod') }}
+                  </label>
+                  <select v-model="form.oidc_connect_token_auth_method" class="input font-mono text-sm">
+                    <option value="client_secret_post">client_secret_post</option>
+                    <option value="client_secret_basic">client_secret_basic</option>
+                    <option value="none">none</option>
+                  </select>
+                </div>
+
+                <div>
+                  <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">
+                    {{ t('admin.settings.oidc.clockSkewSeconds') }}
+                  </label>
+                  <input
+                    v-model.number="form.oidc_connect_clock_skew_seconds"
+                    type="number"
+                    min="0"
+                    max="600"
+                    class="input"
+                  />
+                </div>
+
+                <div>
+                  <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">
+                    {{ t('admin.settings.oidc.allowedSigningAlgs') }}
+                  </label>
+                  <input
+                    v-model="form.oidc_connect_allowed_signing_algs"
+                    type="text"
+                    class="input font-mono text-sm"
+                    :placeholder="t('admin.settings.oidc.allowedSigningAlgsPlaceholder')"
+                  />
+                </div>
+              </div>
+
+              <div class="grid grid-cols-1 gap-6 lg:grid-cols-3">
+                <div class="flex items-center justify-between rounded border border-gray-200 px-4 py-3 dark:border-dark-700">
+                  <div>
+                    <label class="font-medium text-gray-900 dark:text-white">
+                      {{ t('admin.settings.oidc.usePkce') }}
+                    </label>
+                  </div>
+                  <Toggle v-model="form.oidc_connect_use_pkce" />
+                </div>
+
+                <div class="flex items-center justify-between rounded border border-gray-200 px-4 py-3 dark:border-dark-700">
+                  <div>
+                    <label class="font-medium text-gray-900 dark:text-white">
+                      {{ t('admin.settings.oidc.validateIdToken') }}
+                    </label>
+                  </div>
+                  <Toggle v-model="form.oidc_connect_validate_id_token" />
+                </div>
+
+                <div class="flex items-center justify-between rounded border border-gray-200 px-4 py-3 dark:border-dark-700">
+                  <div>
+                    <label class="font-medium text-gray-900 dark:text-white">
+                      {{ t('admin.settings.oidc.requireEmailVerified') }}
+                    </label>
+                  </div>
+                  <Toggle v-model="form.oidc_connect_require_email_verified" />
+                </div>
+              </div>
+
+              <div class="grid grid-cols-1 gap-6 lg:grid-cols-3">
+                <div>
+                  <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">
+                    {{ t('admin.settings.oidc.userinfoEmailPath') }}
+                  </label>
+                  <input
+                    v-model="form.oidc_connect_userinfo_email_path"
+                    type="text"
+                    class="input font-mono text-sm"
+                    :placeholder="t('admin.settings.oidc.userinfoEmailPathPlaceholder')"
+                  />
+                </div>
+
+                <div>
+                  <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">
+                    {{ t('admin.settings.oidc.userinfoIdPath') }}
+                  </label>
+                  <input
+                    v-model="form.oidc_connect_userinfo_id_path"
+                    type="text"
+                    class="input font-mono text-sm"
+                    :placeholder="t('admin.settings.oidc.userinfoIdPathPlaceholder')"
+                  />
+                </div>
+
+                <div>
+                  <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">
+                    {{ t('admin.settings.oidc.userinfoUsernamePath') }}
+                  </label>
+                  <input
+                    v-model="form.oidc_connect_userinfo_username_path"
+                    type="text"
+                    class="input font-mono text-sm"
+                    :placeholder="t('admin.settings.oidc.userinfoUsernamePathPlaceholder')"
+                  />
+                </div>
+              </div>
+            </div>
+          </div>
+        </div>
+        </div><!-- /Tab: Security — Registration, Turnstile, LinuxDo, OIDC -->
 
         <!-- Tab: Users -->
         <div v-show="activeTab === 'users'" class="space-y-6">
@@ -1274,8 +1696,122 @@
               </div>
               <Toggle v-model="form.enable_metadata_passthrough" />
             </div>
+
+            <!-- CCH Signing -->
+            <div class="flex items-center justify-between">
+              <div>
+                <label class="text-sm font-medium text-gray-700 dark:text-gray-300">
+                  {{ t('admin.settings.gatewayForwarding.cchSigning') }}
+                </label>
+                <p class="mt-0.5 text-xs text-gray-500 dark:text-gray-400">
+                  {{ t('admin.settings.gatewayForwarding.cchSigningHint') }}
+                </p>
+              </div>
+              <Toggle v-model="form.enable_cch_signing" />
+            </div>
           </div>
         </div>
+        <!-- Web Search Emulation -->
+        <div class="card">
+          <div class="border-b border-gray-100 px-6 py-4 dark:border-dark-700">
+            <h2 class="text-lg font-semibold text-gray-900 dark:text-white">
+              {{ t('admin.settings.webSearchEmulation.title') }}
+            </h2>
+            <p class="mt-1 text-sm text-gray-500 dark:text-gray-400">
+              {{ t('admin.settings.webSearchEmulation.description') }}
+            </p>
+          </div>
+          <div class="space-y-5 p-6">
+            <!-- Global Toggle -->
+            <div class="flex items-center justify-between">
+              <div>
+                <label class="text-sm font-medium text-gray-700 dark:text-gray-300">
+                  {{ t('admin.settings.webSearchEmulation.enabled') }}
+                </label>
+                <p class="mt-0.5 text-xs text-gray-500 dark:text-gray-400">
+                  {{ t('admin.settings.webSearchEmulation.enabledHint') }}
+                </p>
+              </div>
+              <Toggle v-model="webSearchConfig.enabled" />
+            </div>
+
+            <!-- Providers -->
+            <div v-if="webSearchConfig.enabled" class="space-y-4">
+              <div class="flex items-center justify-between">
+                <label class="text-sm font-medium text-gray-700 dark:text-gray-300">
+                  {{ t('admin.settings.webSearchEmulation.providers') }}
+                </label>
+                <button type="button" class="btn btn-secondary btn-sm" @click="addWebSearchProvider">
+                  {{ t('admin.settings.webSearchEmulation.addProvider') }}
+                </button>
+              </div>
+
+              <div v-if="webSearchConfig.providers.length === 0" class="rounded-lg border border-dashed border-gray-300 p-4 text-center text-sm text-gray-400 dark:border-dark-600">
+                {{ t('admin.settings.webSearchEmulation.noProviders') }}
+              </div>
+
+              <div v-for="(provider, pIdx) in webSearchConfig.providers" :key="pIdx"
+                class="rounded-lg border border-gray-200 p-4 space-y-3 dark:border-dark-600">
+                <div class="flex items-center justify-between">
+                  <Select
+                    v-model="provider.type"
+                    :options="[
+                      { value: 'brave', label: 'Brave Search' },
+                      { value: 'tavily', label: 'Tavily' },
+                    ]"
+                    class="w-40"
+                  />
+                  <button type="button" class="text-red-500 hover:text-red-700 text-xs" @click="webSearchConfig.providers.splice(pIdx, 1)">
+                    {{ t('admin.settings.webSearchEmulation.removeProvider') }}
+                  </button>
+                </div>
+
+                <div class="grid grid-cols-2 gap-3">
+                  <div>
+                    <label class="text-xs text-gray-500">{{ t('admin.settings.webSearchEmulation.apiKey') }}</label>
+                    <input
+                      v-model="provider.api_key"
+                      type="password"
+                      class="input text-sm"
+                      :placeholder="provider.api_key_configured ? '••••••••' : t('admin.settings.webSearchEmulation.apiKeyPlaceholder')"
+                    />
+                  </div>
+                  <div>
+                    <label class="text-xs text-gray-500">{{ t('admin.settings.webSearchEmulation.priority') }}</label>
+                    <input v-model.number="provider.priority" type="number" min="1" class="input text-sm" />
+                    <p class="mt-0.5 text-xs text-gray-400">{{ t('admin.settings.webSearchEmulation.priorityHint') }}</p>
+                  </div>
+                  <div>
+                    <label class="text-xs text-gray-500">{{ t('admin.settings.webSearchEmulation.quotaLimit') }}</label>
+                    <input v-model.number="provider.quota_limit" type="number" min="0" class="input text-sm" />
+                    <p class="mt-0.5 text-xs text-gray-400">{{ t('admin.settings.webSearchEmulation.quotaLimitHint') }}</p>
+                    <p v-if="provider.quota_used != null" class="mt-0.5 text-xs text-gray-400">
+                      {{ t('admin.settings.webSearchEmulation.quotaUsed') }}: {{ provider.quota_used }} / {{ provider.quota_limit || '∞' }}
+                    </p>
+                  </div>
+                  <div>
+                    <label class="text-xs text-gray-500">{{ t('admin.settings.webSearchEmulation.quotaRefreshInterval') }}</label>
+                    <Select
+                      v-model="provider.quota_refresh_interval"
+                      :options="[
+                        { value: 'daily', label: t('admin.settings.webSearchEmulation.daily') },
+                        { value: 'weekly', label: t('admin.settings.webSearchEmulation.weekly') },
+                        { value: 'monthly', label: t('admin.settings.webSearchEmulation.monthly') },
+                      ]"
+                      class="w-full"
+                    />
+                  </div>
+                </div>
+
+                <div>
+                  <label class="text-xs text-gray-500">{{ t('admin.settings.webSearchEmulation.proxy') }}</label>
+                  <ProxySelector v-model="provider.proxy_id" />
+                </div>
+              </div>
+            </div>
+          </div>
+        </div>
+
         </div><!-- /Tab: Gateway — Claude Code, Scheduling -->
 
         <!-- Tab: General -->
@@ -1353,6 +1889,48 @@
               </p>
             </div>
 
+            <!-- Global Table Preferences -->
+            <div class="border-t border-gray-100 pt-4 dark:border-dark-700">
+              <h3 class="text-sm font-medium text-gray-900 dark:text-white">
+                {{ t('admin.settings.site.tablePreferencesTitle') }}
+              </h3>
+              <p class="mt-1 text-xs text-gray-500 dark:text-gray-400">
+                {{ t('admin.settings.site.tablePreferencesDescription') }}
+              </p>
+              <div class="mt-4 grid grid-cols-1 gap-6 md:grid-cols-2">
+                <div>
+                  <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">
+                    {{ t('admin.settings.site.tableDefaultPageSize') }}
+                  </label>
+                  <input
+                    v-model.number="form.table_default_page_size"
+                    type="number"
+                    min="5"
+                    max="1000"
+                    step="1"
+                    class="input w-40"
+                  />
+                  <p class="mt-1.5 text-xs text-gray-500 dark:text-gray-400">
+                    {{ t('admin.settings.site.tableDefaultPageSizeHint') }}
+                  </p>
+                </div>
+                <div>
+                  <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">
+                    {{ t('admin.settings.site.tablePageSizeOptions') }}
+                  </label>
+                  <input
+                    v-model="tablePageSizeOptionsInput"
+                    type="text"
+                    class="input font-mono text-sm"
+                    :placeholder="t('admin.settings.site.tablePageSizeOptionsPlaceholder')"
+                  />
+                  <p class="mt-1.5 text-xs text-gray-500 dark:text-gray-400">
+                    {{ t('admin.settings.site.tablePageSizeOptionsHint') }}
+                  </p>
+                </div>
+              </div>
+            </div>
+
             <!-- Custom Endpoints -->
             <div>
               <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">
@@ -1644,7 +2222,13 @@
         <div class="card">
           <div class="border-b border-gray-100 px-6 py-4 dark:border-dark-700">
             <h2 class="text-lg font-semibold text-gray-900 dark:text-white">{{ t('admin.settings.payment.title') }}</h2>
-            <p class="mt-1 text-sm text-gray-500 dark:text-gray-400">{{ t('admin.settings.payment.description') }}</p>
+            <p class="mt-1 text-sm text-gray-500 dark:text-gray-400">
+              {{ t('admin.settings.payment.description') }}
+              <a :href="locale === 'zh' ? 'https://github.com/Wei-Shaw/sub2api/blob/main/docs/PAYMENT_CN.md' : 'https://github.com/Wei-Shaw/sub2api/blob/main/docs/PAYMENT.md'" target="_blank" rel="noopener noreferrer" class="ml-2 inline-flex items-center text-primary-600 hover:text-primary-700 dark:text-primary-400 dark:hover:text-primary-300">
+                <svg class="mr-0.5 h-3.5 w-3.5" fill="none" stroke="currentColor" viewBox="0 0 24 24"><path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M10 6H6a2 2 0 00-2 2v10a2 2 0 002 2h10a2 2 0 002-2v-4M14 4h6m0 0v6m0-6L10 14" /></svg>
+                {{ t('admin.settings.payment.configGuide') }}
+              </a>
+            </p>
           </div>
           <div class="space-y-4 p-6">
             <!-- Enable toggle -->
@@ -1669,34 +2253,38 @@
                 <div><label class="input-label">{{ t('admin.settings.payment.dailyLimit') }}</label><input :value="form.payment_daily_limit || ''" @input="form.payment_daily_limit = parseFloat(($event.target as HTMLInputElement).value) || 0" type="number" step="0.01" min="0" class="input" :placeholder="t('admin.settings.payment.noLimit')" /></div>
                 <div><label class="input-label">{{ t('admin.settings.payment.orderTimeout') }} <span class="text-red-500">*</span></label><input v-model.number="form.payment_order_timeout_minutes" type="number" min="1" class="input" required /><p class="mt-0.5 text-xs text-gray-400">{{ t('admin.settings.payment.orderTimeoutHint') }}</p></div>
               </div>
-              <!-- Row 3: Pending orders + load balance -->
+              <!-- Row 3: Pending orders + load balance + cancel rate limit (all in one row) -->
               <div class="flex flex-wrap items-end gap-4">
                 <div class="w-28"><label class="input-label">{{ t('admin.settings.payment.maxPendingOrders') }}</label><input v-model.number="form.payment_max_pending_orders" type="number" min="1" class="input" /></div>
                 <div>
                   <label class="input-label">{{ t('admin.settings.payment.loadBalanceStrategy') }}</label>
                   <Select v-model="form.payment_load_balance_strategy" :options="loadBalanceOptions" class="w-40" />
                 </div>
-              </div>
-              <!-- Row 3.5: Cancel rate limit -->
-              <div class="rounded-lg border border-gray-200 p-3 dark:border-dark-600">
-                <div class="flex items-center gap-3">
-                  <label class="flex cursor-pointer items-center gap-2 text-sm font-medium text-gray-700 dark:text-gray-300">
-                    <input type="checkbox" v-model="form.payment_cancel_rate_limit_enabled" class="h-4 w-4 rounded border-gray-300 text-primary-600" />
-                    {{ t('admin.settings.payment.cancelRateLimit') }}
-                  </label>
-                </div>
-                <div v-if="form.payment_cancel_rate_limit_enabled" class="mt-3">
-                  <div class="flex flex-wrap items-center gap-2 text-sm text-gray-700 dark:text-gray-300">
-                    <span>{{ t('admin.settings.payment.cancelRateLimitEvery') }}</span>
-                    <input v-model.number="form.payment_cancel_rate_limit_window" type="number" min="1" required class="input w-16 text-center" />
-                    <Select v-model="form.payment_cancel_rate_limit_unit" :options="cancelRateLimitUnitOptions" class="w-24" />
-                    <span>{{ t('admin.settings.payment.cancelRateLimitAllowMax') }}</span>
-                    <input v-model.number="form.payment_cancel_rate_limit_max" type="number" min="1" required class="input w-16 text-center" />
-                    <span>{{ t('admin.settings.payment.cancelRateLimitTimes') }}</span>
-                    <Select v-model="form.payment_cancel_rate_limit_window_mode" :options="cancelRateLimitModeOptions" class="w-32" />
+                <div>
+                  <label class="input-label">{{ t('admin.settings.payment.cancelRateLimit') }}</label>
+                  <div class="flex items-center gap-2">
+                    <button
+                      type="button"
+                      :class="[
+                        'relative inline-flex h-6 w-11 flex-shrink-0 cursor-pointer rounded-full border-2 border-transparent transition-colors duration-200 ease-in-out focus:outline-none focus:ring-2 focus:ring-primary-500 focus:ring-offset-2',
+                        form.payment_cancel_rate_limit_enabled ? 'bg-primary-500' : 'bg-gray-300 dark:bg-dark-600'
+                      ]"
+                      @click="form.payment_cancel_rate_limit_enabled = !form.payment_cancel_rate_limit_enabled"
+                    >
+                      <span :class="[
+                        'pointer-events-none inline-block h-5 w-5 transform rounded-full bg-white shadow ring-0 transition duration-200 ease-in-out',
+                        form.payment_cancel_rate_limit_enabled ? 'translate-x-5' : 'translate-x-0'
+                      ]" />
+                    </button>
+                    <Select v-model="form.payment_cancel_rate_limit_window_mode" :options="cancelRateLimitModeOptions" class="w-24" :disabled="!form.payment_cancel_rate_limit_enabled" />
+                    <span :class="['text-sm whitespace-nowrap', form.payment_cancel_rate_limit_enabled ? 'text-gray-700 dark:text-gray-300' : 'text-gray-400 dark:text-gray-600']">{{ t('admin.settings.payment.cancelRateLimitEvery') }}</span>
+                    <input v-model.number="form.payment_cancel_rate_limit_window" type="number" min="1" required class="input w-14 text-center" :disabled="!form.payment_cancel_rate_limit_enabled" />
+                    <Select v-model="form.payment_cancel_rate_limit_unit" :options="cancelRateLimitUnitOptions" class="w-28" :disabled="!form.payment_cancel_rate_limit_enabled" />
+                    <span :class="['text-sm whitespace-nowrap', form.payment_cancel_rate_limit_enabled ? 'text-gray-700 dark:text-gray-300' : 'text-gray-400 dark:text-gray-600']">{{ t('admin.settings.payment.cancelRateLimitAllowMax') }}</span>
+                    <input v-model.number="form.payment_cancel_rate_limit_max" type="number" min="1" required class="input w-14 text-center" :disabled="!form.payment_cancel_rate_limit_enabled" />
+                    <span :class="['text-sm whitespace-nowrap', form.payment_cancel_rate_limit_enabled ? 'text-gray-700 dark:text-gray-300' : 'text-gray-400 dark:text-gray-600']">{{ t('admin.settings.payment.cancelRateLimitTimes') }}</span>
                   </div>
                 </div>
-                <p class="mt-1.5 text-xs text-gray-400">{{ t('admin.settings.payment.cancelRateLimitHint') }}</p>
               </div>
               <!-- Row 4: Enabled payment types (provider badges like sub2apipay) -->
               <div>
@@ -2029,7 +2617,9 @@ import { adminAPI } from '@/api'
 import type {
   SystemSettings,
   UpdateSettingsRequest,
-  DefaultSubscriptionSetting
+  DefaultSubscriptionSetting,
+  WebSearchEmulationConfig,
+  WebSearchProviderConfig,
 } from '@/api/admin/settings'
 import type { AdminGroup } from '@/types'
 import type { ProviderInstance } from '@/types/payment'
@@ -2042,6 +2632,7 @@ import PaymentProviderDialog from '@/components/payment/PaymentProviderDialog.vu
 import GroupBadge from '@/components/common/GroupBadge.vue'
 import GroupOptionItem from '@/components/common/GroupOptionItem.vue'
 import Toggle from '@/components/common/Toggle.vue'
+import ProxySelector from '@/components/common/ProxySelector.vue'
 import ImageUpload from '@/components/common/ImageUpload.vue'
 import BackupSettings from '@/views/admin/BackupView.vue'
 import { useClipboard } from '@/composables/useClipboard'
@@ -2055,11 +2646,11 @@ import {
   parseRegistrationEmailSuffixWhitelistInput
 } from '@/utils/registrationEmailPolicy'
 
-const { t } = useI18n()
+const { t, locale } = useI18n()
 const appStore = useAppStore()
 const adminSettingsStore = useAdminSettingsStore()
 
-type SettingsTab = 'general' | 'security' | 'users' | 'gateway' | 'payment' | 'email' | 'backup' | 'data'
+type SettingsTab = 'general' | 'security' | 'users' | 'gateway' | 'payment' | 'email' | 'backup'
 const activeTab = ref<SettingsTab>('general')
 const settingsTabs = [
   { key: 'general'  as SettingsTab, icon: 'home'   as const },
@@ -2081,6 +2672,7 @@ const smtpPasswordManuallyEdited = ref(false)
 const testEmailAddress = ref('')
 const registrationEmailSuffixWhitelistTags = ref<string[]>([])
 const registrationEmailSuffixWhitelistDraft = ref('')
+const tablePageSizeOptionsInput = ref('10, 20, 50, 100')
 
 // Admin API Key 状态
 const adminApiKeyLoading = ref(true)
@@ -2129,9 +2721,16 @@ const betaPolicyForm = reactive({
     action: 'pass' | 'filter' | 'block'
     scope: 'all' | 'oauth' | 'apikey' | 'bedrock'
     error_message?: string
+    model_whitelist?: string[]
+    fallback_action?: 'pass' | 'filter' | 'block'
+    fallback_error_message?: string
   }>
 })
 
+const tablePageSizeMin = 5
+const tablePageSizeMax = 1000
+const tablePageSizeDefault = 20
+
 interface DefaultSubscriptionGroupOption {
   value: number
   label: string
@@ -2146,6 +2745,7 @@ type SettingsForm = SystemSettings & {
   smtp_password: string
   turnstile_secret_key: string
   linuxdo_connect_client_secret: string
+  oidc_connect_client_secret: string
 }
 
 const form = reactive<SettingsForm>({
@@ -2170,7 +2770,8 @@ const form = reactive<SettingsForm>({
   backend_mode_enabled: false,
   hide_ccs_import_button: false,
   payment_enabled: false,  payment_min_amount: 1,  payment_max_amount: 10000,  payment_daily_limit: 50000,  payment_max_pending_orders: 3,  payment_order_timeout_minutes: 30,  payment_balance_disabled: false,  payment_enabled_types: [],  payment_help_image_url: '',  payment_help_text: '',  payment_product_name_prefix: '',  payment_product_name_suffix: '',  payment_load_balance_strategy: 'round-robin',  payment_cancel_rate_limit_enabled: false,  payment_cancel_rate_limit_max: 10,  payment_cancel_rate_limit_window: 1,  payment_cancel_rate_limit_unit: 'day',  payment_cancel_rate_limit_window_mode: 'rolling',
-  sora_client_enabled: false,
+  table_default_page_size: tablePageSizeDefault,
+  table_page_size_options: [10, 20, 50, 100],
   custom_menu_items: [] as Array<{id: string; label: string; icon_svg: string; url: string; visibility: 'user' | 'admin'; sort_order: number}>,
   custom_endpoints: [] as Array<{name: string; endpoint: string; description: string}>,
   frontend_url: '',
@@ -2193,6 +2794,30 @@ const form = reactive<SettingsForm>({
   linuxdo_connect_client_secret: '',
   linuxdo_connect_client_secret_configured: false,
   linuxdo_connect_redirect_url: '',
+  // Generic OIDC OAuth 登录
+  oidc_connect_enabled: false,
+  oidc_connect_provider_name: 'OIDC',
+  oidc_connect_client_id: '',
+  oidc_connect_client_secret: '',
+  oidc_connect_client_secret_configured: false,
+  oidc_connect_issuer_url: '',
+  oidc_connect_discovery_url: '',
+  oidc_connect_authorize_url: '',
+  oidc_connect_token_url: '',
+  oidc_connect_userinfo_url: '',
+  oidc_connect_jwks_url: '',
+  oidc_connect_scopes: 'openid email profile',
+  oidc_connect_redirect_url: '',
+  oidc_connect_frontend_redirect_url: '/auth/oidc/callback',
+  oidc_connect_token_auth_method: 'client_secret_post',
+  oidc_connect_use_pkce: false,
+  oidc_connect_validate_id_token: true,
+  oidc_connect_allowed_signing_algs: 'RS256,ES256,PS256',
+  oidc_connect_clock_skew_seconds: 120,
+  oidc_connect_require_email_verified: false,
+  oidc_connect_userinfo_email_path: '',
+  oidc_connect_userinfo_id_path: '',
+  oidc_connect_userinfo_username_path: '',
   // Model fallback
   enable_model_fallback: false,
   fallback_model_anthropic: 'claude-3-5-sonnet-20241022',
@@ -2214,9 +2839,60 @@ const form = reactive<SettingsForm>({
   allow_ungrouped_key_scheduling: false,
   // Gateway forwarding behavior
   enable_fingerprint_unification: true,
-  enable_metadata_passthrough: false
+  enable_metadata_passthrough: false,
+  enable_cch_signing: false
 })
 
+// Web Search Emulation config (loaded/saved separately)
+const DEFAULT_WEB_SEARCH_QUOTA_LIMIT = 1000
+
+const webSearchConfig = reactive<WebSearchEmulationConfig>({
+  enabled: false,
+  providers: [],
+})
+
+function addWebSearchProvider() {
+  webSearchConfig.providers.push({
+    type: 'brave',
+    api_key: '',
+    api_key_configured: false,
+    priority: webSearchConfig.providers.length + 1,
+    quota_limit: DEFAULT_WEB_SEARCH_QUOTA_LIMIT,
+    quota_refresh_interval: 'monthly',
+    proxy_id: null,
+    expires_at: null,
+  } as WebSearchProviderConfig)
+}
+
+async function loadWebSearchConfig() {
+  try {
+    const resp = await adminAPI.settings.getWebSearchEmulationConfig()
+    if (resp) {
+      webSearchConfig.enabled = resp.enabled || false
+      webSearchConfig.providers = resp.providers || []
+    }
+  } catch (err: unknown) {
+    // 404 is expected when config hasn't been created yet; show error for other failures
+    const status = (err as { status?: number })?.status
+    if (status !== 404 && status !== undefined) {
+      appStore.showError(extractApiErrorMessage(err, t('common.error')))
+    }
+  }
+}
+
+async function saveWebSearchConfig(): Promise<boolean> {
+  try {
+    await adminAPI.settings.updateWebSearchEmulationConfig({
+      enabled: webSearchConfig.enabled,
+      providers: webSearchConfig.providers as WebSearchProviderConfig[],
+    })
+    return true
+  } catch (err: unknown) {
+    appStore.showError(extractApiErrorMessage(err, t('common.error')))
+    return false
+  }
+}
+
 const defaultSubscriptionGroupOptions = computed<DefaultSubscriptionGroupOption[]>(() =>
   subscriptionGroups.value.map((group) => ({
     value: group.id,
@@ -2312,6 +2988,21 @@ async function setAndCopyLinuxdoRedirectUrl() {
   await copyToClipboard(url, t('admin.settings.linuxdo.redirectUrlSetAndCopied'))
 }
 
+const oidcRedirectUrlSuggestion = computed(() => {
+  if (typeof window === 'undefined') return ''
+  const origin =
+    window.location.origin || `${window.location.protocol}//${window.location.host}`
+  return `${origin}/api/v1/auth/oauth/oidc/callback`
+})
+
+async function setAndCopyOIDCRedirectUrl() {
+  const url = oidcRedirectUrlSuggestion.value
+  if (!url) return
+
+  form.oidc_connect_redirect_url = url
+  await copyToClipboard(url, t('admin.settings.oidc.redirectUrlSetAndCopied'))
+}
+
 // Custom menu item management
 function addMenuItem() {
   form.custom_menu_items.push({
@@ -2354,6 +3045,35 @@ function removeEndpoint(index: number) {
   form.custom_endpoints.splice(index, 1)
 }
 
+function formatTablePageSizeOptions(options: number[]): string {
+  return options.join(', ')
+}
+
+function parseTablePageSizeOptionsInput(raw: string): number[] | null {
+  const tokens = raw
+    .split(',')
+    .map((token) => token.trim())
+    .filter((token) => token.length > 0)
+
+  if (tokens.length === 0) {
+    return null
+  }
+
+  const parsed = tokens.map((token) => Number(token))
+  if (parsed.some((value) => !Number.isInteger(value))) {
+    return null
+  }
+
+  const deduped = Array.from(new Set(parsed)).sort((a, b) => a - b)
+  if (
+    deduped.some((value) => value < tablePageSizeMin || value > tablePageSizeMax)
+  ) {
+    return null
+  }
+
+  return deduped
+}
+
 async function loadSettings() {
   loading.value = true
   loadFailed.value = false
@@ -2378,11 +3098,18 @@ async function loadSettings() {
     registrationEmailSuffixWhitelistTags.value = normalizeRegistrationEmailSuffixDomains(
       settings.registration_email_suffix_whitelist
     )
+    tablePageSizeOptionsInput.value = formatTablePageSizeOptions(
+      Array.isArray(settings.table_page_size_options) ? settings.table_page_size_options : [10, 20, 50, 100]
+    )
     registrationEmailSuffixWhitelistDraft.value = ''
     form.smtp_password = ''
     smtpPasswordManuallyEdited.value = false
     form.turnstile_secret_key = ''
     form.linuxdo_connect_client_secret = ''
+    form.oidc_connect_client_secret = ''
+
+    // Load web search emulation config separately
+    await loadWebSearchConfig()
   } catch (error: unknown) {
     loadFailed.value = true
     appStore.showError(extractApiErrorMessage(error, t('admin.settings.failedToLoad')))
@@ -2420,6 +3147,37 @@ function removeDefaultSubscription(index: number) {
 async function saveSettings() {
   saving.value = true
   try {
+    const normalizedTableDefaultPageSize = Math.floor(Number(form.table_default_page_size))
+    if (
+      !Number.isInteger(normalizedTableDefaultPageSize) ||
+      normalizedTableDefaultPageSize < tablePageSizeMin ||
+      normalizedTableDefaultPageSize > tablePageSizeMax
+    ) {
+      appStore.showError(
+        t('admin.settings.site.tableDefaultPageSizeRangeError', {
+          min: tablePageSizeMin,
+          max: tablePageSizeMax
+        })
+      )
+      return
+    }
+
+    const normalizedTablePageSizeOptions = parseTablePageSizeOptionsInput(
+      tablePageSizeOptionsInput.value
+    )
+    if (!normalizedTablePageSizeOptions) {
+      appStore.showError(
+        t('admin.settings.site.tablePageSizeOptionsFormatError', {
+          min: tablePageSizeMin,
+          max: tablePageSizeMax
+        })
+      )
+      return
+    }
+
+    form.table_default_page_size = normalizedTableDefaultPageSize
+    form.table_page_size_options = normalizedTablePageSizeOptions
+
     const normalizedDefaultSubscriptions = form.default_subscriptions
       .filter((item) => item.group_id > 0 && item.validity_days > 0)
       .map((item: DefaultSubscriptionSetting) => ({
@@ -2480,6 +3238,8 @@ async function saveSettings() {
       home_content: form.home_content,
       backend_mode_enabled: form.backend_mode_enabled,
       hide_ccs_import_button: form.hide_ccs_import_button,
+      table_default_page_size: form.table_default_page_size,
+      table_page_size_options: form.table_page_size_options,
       custom_menu_items: form.custom_menu_items,
       custom_endpoints: form.custom_endpoints,
       frontend_url: form.frontend_url,
@@ -2497,6 +3257,28 @@ async function saveSettings() {
       linuxdo_connect_client_id: form.linuxdo_connect_client_id,
       linuxdo_connect_client_secret: form.linuxdo_connect_client_secret || undefined,
       linuxdo_connect_redirect_url: form.linuxdo_connect_redirect_url,
+      oidc_connect_enabled: form.oidc_connect_enabled,
+      oidc_connect_provider_name: form.oidc_connect_provider_name,
+      oidc_connect_client_id: form.oidc_connect_client_id,
+      oidc_connect_client_secret: form.oidc_connect_client_secret || undefined,
+      oidc_connect_issuer_url: form.oidc_connect_issuer_url,
+      oidc_connect_discovery_url: form.oidc_connect_discovery_url,
+      oidc_connect_authorize_url: form.oidc_connect_authorize_url,
+      oidc_connect_token_url: form.oidc_connect_token_url,
+      oidc_connect_userinfo_url: form.oidc_connect_userinfo_url,
+      oidc_connect_jwks_url: form.oidc_connect_jwks_url,
+      oidc_connect_scopes: form.oidc_connect_scopes,
+      oidc_connect_redirect_url: form.oidc_connect_redirect_url,
+      oidc_connect_frontend_redirect_url: form.oidc_connect_frontend_redirect_url,
+      oidc_connect_token_auth_method: form.oidc_connect_token_auth_method,
+      oidc_connect_use_pkce: form.oidc_connect_use_pkce,
+      oidc_connect_validate_id_token: form.oidc_connect_validate_id_token,
+      oidc_connect_allowed_signing_algs: form.oidc_connect_allowed_signing_algs,
+      oidc_connect_clock_skew_seconds: form.oidc_connect_clock_skew_seconds,
+      oidc_connect_require_email_verified: form.oidc_connect_require_email_verified,
+      oidc_connect_userinfo_email_path: form.oidc_connect_userinfo_email_path,
+      oidc_connect_userinfo_id_path: form.oidc_connect_userinfo_id_path,
+      oidc_connect_userinfo_username_path: form.oidc_connect_userinfo_username_path,
       enable_model_fallback: form.enable_model_fallback,
       fallback_model_anthropic: form.fallback_model_anthropic,
       fallback_model_openai: form.fallback_model_openai,
@@ -2509,6 +3291,7 @@ async function saveSettings() {
       allow_ungrouped_key_scheduling: form.allow_ungrouped_key_scheduling,
       enable_fingerprint_unification: form.enable_fingerprint_unification,
       enable_metadata_passthrough: form.enable_metadata_passthrough,
+      enable_cch_signing: form.enable_cch_signing,
       // Payment configuration
       payment_enabled: form.payment_enabled,
       payment_min_amount: Number(form.payment_min_amount) || 0,
@@ -2539,15 +3322,23 @@ async function saveSettings() {
     registrationEmailSuffixWhitelistTags.value = normalizeRegistrationEmailSuffixDomains(
       updated.registration_email_suffix_whitelist
     )
+    tablePageSizeOptionsInput.value = formatTablePageSizeOptions(
+      Array.isArray(updated.table_page_size_options) ? updated.table_page_size_options : [10, 20, 50, 100]
+    )
     registrationEmailSuffixWhitelistDraft.value = ''
     form.smtp_password = ''
     smtpPasswordManuallyEdited.value = false
     form.turnstile_secret_key = ''
     form.linuxdo_connect_client_secret = ''
+    form.oidc_connect_client_secret = ''
+    // Save web search emulation config separately (errors handled internally)
+    const wsOk = await saveWebSearchConfig()
     // Refresh cached settings so sidebar/header update immediately
     await appStore.fetchPublicSettings(true)
     await adminSettingsStore.fetch(true)
-    appStore.showSuccess(t('admin.settings.settingsSaved'))
+    if (wsOk) {
+      appStore.showSuccess(t('admin.settings.settingsSaved'))
+    }
   } catch (error: unknown) {
     appStore.showError(extractApiErrorMessage(error, t('admin.settings.failedToSave')))
   } finally {
@@ -2785,10 +3576,48 @@ const betaDisplayNames: Record<string, string> = {
   'context-1m-2025-08-07': 'Context 1M'
 }
 
+// 快捷预设：按 beta_token 定义预设方案
+const betaPresets: Record<string, Array<{
+  label: string
+  description: string
+  action: 'pass' | 'filter' | 'block'
+  model_whitelist: string[]
+  fallback_action: 'pass' | 'filter' | 'block'
+}>> = {
+  'context-1m-2025-08-07': [
+    {
+      label: t('admin.settings.betaPolicy.presetOpusOnly'),
+      description: t('admin.settings.betaPolicy.presetOpusOnlyDesc'),
+      action: 'pass',
+      model_whitelist: ['claude-opus-4-6'],
+      fallback_action: 'filter',
+    },
+  ],
+}
+
+// 常用模型模式（具体 ID + 通配符示例）
+const commonModelPatterns = ['claude-opus-4-6', 'claude-sonnet-4-6', 'claude-opus-*', 'claude-sonnet-*']
+
 function getBetaDisplayName(token: string): string {
   return betaDisplayNames[token] || token
 }
 
+function applyBetaPreset(
+  rule: (typeof betaPolicyForm.rules)[number],
+  preset: { action: 'pass' | 'filter' | 'block'; model_whitelist: string[]; fallback_action: 'pass' | 'filter' | 'block' }
+) {
+  rule.action = preset.action
+  rule.model_whitelist = [...preset.model_whitelist]
+  rule.fallback_action = preset.fallback_action
+}
+
+function addQuickPattern(rule: (typeof betaPolicyForm.rules)[number], pattern: string) {
+  if (!rule.model_whitelist) rule.model_whitelist = []
+  if (!rule.model_whitelist.includes(pattern)) {
+    rule.model_whitelist.push(pattern)
+  }
+}
+
 async function loadBetaPolicySettings() {
   betaPolicyLoading.value = true
   try {
@@ -2804,8 +3633,22 @@ async function loadBetaPolicySettings() {
 async function saveBetaPolicySettings() {
   betaPolicySaving.value = true
   try {
+    // Clean up empty patterns before saving
+    const cleanedRules = betaPolicyForm.rules.map(rule => {
+      const whitelist = rule.model_whitelist?.filter(p => p.trim() !== '')
+      const hasWhitelist = whitelist && whitelist.length > 0
+      return {
+        beta_token: rule.beta_token,
+        action: rule.action,
+        scope: rule.scope,
+        error_message: rule.error_message,
+        model_whitelist: hasWhitelist ? whitelist : undefined,
+        fallback_action: hasWhitelist ? (rule.fallback_action || 'pass') : undefined,
+        fallback_error_message: hasWhitelist && rule.fallback_action === 'block' ? rule.fallback_error_message : undefined,
+      }
+    })
     const updated = await adminAPI.settings.updateBetaPolicySettings({
-      rules: betaPolicyForm.rules
+      rules: cleanedRules
     })
     betaPolicyForm.rules = updated.rules
     appStore.showSuccess(t('admin.settings.betaPolicy.saved'))
@@ -2919,15 +3762,15 @@ async function handleSaveProvider(payload: Partial<ProviderInstance>) {
   providerSaving.value = true
   try {
     if (editingProvider.value) {
-      const updated = await adminAPI.payment.updateProvider(editingProvider.value.id, payload)
-      // Update in place to preserve list order
-      const idx = providers.value.findIndex(p => p.id === editingProvider.value!.id)
-      if (idx >= 0 && updated.data) providers.value[idx] = updated.data
+      await adminAPI.payment.updateProvider(editingProvider.value.id, payload)
     } else {
       await adminAPI.payment.createProvider(payload)
-      loadProviders()
     }
     showProviderDialog.value = false
+    // Reload full list (API returns decrypted/formatted data with correct sort order)
+    await loadProviders()
+    // Auto-save settings so provider changes take effect immediately
+    await saveSettings()
   } catch (err: unknown) {
     appStore.showError(extractApiErrorMessage(err, t('common.error'), paymentErrorMap.value))
   } finally {

From 7fad9f604fb081fd850034b4d2bdf8f30dde04fd Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Sun, 12 Apr 2026 00:09:28 +0800
Subject: [PATCH 026/122] fix(test): add web_search_emulation_enabled to API
 contract test

The settings API response now includes the new field; update the
expected snapshot in TestAPIContracts to match.
---
 backend/internal/server/api_contract_test.go | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/backend/internal/server/api_contract_test.go b/backend/internal/server/api_contract_test.go
index 1a4892fa..08291faa 100644
--- a/backend/internal/server/api_contract_test.go
+++ b/backend/internal/server/api_contract_test.go
@@ -204,11 +204,10 @@ func TestAPIContracts(t *testing.T) {
 						"image_price_1k": null,
 						"image_price_2k": null,
 						"image_price_4k": null,
-							"claude_code_only": false,
+						"claude_code_only": false,
 						"allow_messages_dispatch": false,
 						"fallback_group_id": null,
 						"fallback_group_id_on_invalid_request": null,
-						"allow_messages_dispatch": false,
 						"require_oauth_only": false,
 						"require_privacy_set": false,
 						"created_at": "2025-01-02T03:04:05Z",
@@ -587,26 +586,27 @@ func TestAPIContracts(t *testing.T) {
 					"enable_cch_signing": false,
 					"enable_fingerprint_unification": true,
 					"enable_metadata_passthrough": false,
+					"web_search_emulation_enabled": false,
+					"custom_menu_items": [],
+					"custom_endpoints": [],
 					"payment_enabled": false,
 					"payment_min_amount": 0,
 					"payment_max_amount": 0,
 					"payment_daily_limit": 0,
 					"payment_order_timeout_minutes": 0,
 					"payment_max_pending_orders": 0,
-					"payment_enabled_types": null,
 					"payment_balance_disabled": false,
 					"payment_load_balance_strategy": "",
 					"payment_product_name_prefix": "",
 					"payment_product_name_suffix": "",
 					"payment_help_image_url": "",
 					"payment_help_text": "",
+					"payment_enabled_types": null,
 					"payment_cancel_rate_limit_enabled": false,
 					"payment_cancel_rate_limit_max": 0,
 					"payment_cancel_rate_limit_window": 0,
 					"payment_cancel_rate_limit_unit": "",
-					"payment_cancel_rate_limit_window_mode": "",
-					"custom_menu_items": [],
-					"custom_endpoints": []
+					"payment_cancel_rate_limit_window_mode": ""
 				}
 			}`,
 		},

From 7535e312e009cc67301d6ef2ac6dc3069259515c Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Sat, 11 Apr 2026 23:39:49 +0800
Subject: [PATCH 027/122] feat(channels): add custom account stats pricing
 rules

Allow channels to configure independent model pricing for account
statistics cost calculation, decoupled from user billing.

Backend:
- Migration 101: channels.apply_pricing_to_account_stats toggle,
  channel_account_stats_pricing_rules/model_pricing tables,
  usage_logs.account_stats_cost column
- resolveAccountStatsCost: match rules by group/account, then channel
  pricing, fallback to original formula when unconfigured
- Integrate into both GatewayService.recordUsageCore and
  OpenAIGatewayService.RecordUsage
- Update 8 account stats SQL queries to use
  COALESCE(account_stats_cost, total_cost) * account_rate_multiplier
- 23 unit tests for matching, pricing lookup, and cost calculation

Frontend:
- Channel edit dialog: toggle + custom rules UI with group/account
  multi-select and pricing entry cards
- API types and i18n (zh/en)
---
 .../internal/handler/admin/channel_handler.go | 168 ++++---
 backend/internal/repository/channel_repo.go   |  91 ++--
 .../channel_repo_account_stats_pricing.go     | 170 +++++++
 backend/internal/repository/usage_log_repo.go |  39 +-
 .../usage_log_repo_request_type_test.go       |  29 +-
 .../internal/service/account_stats_pricing.go | 192 ++++++++
 .../service/account_stats_pricing_test.go     | 430 ++++++++++++++++++
 backend/internal/service/channel.go           |  50 +-
 backend/internal/service/channel_service.go   |  77 ++--
 backend/internal/service/gateway_service.go   |  17 +
 .../service/openai_gateway_service.go         |   9 +
 backend/internal/service/usage_log.go         |   2 +
 .../101_add_account_stats_pricing.sql         |  38 ++
 frontend/src/api/admin/channels.ts            |  17 +-
 frontend/src/i18n/locales/en.ts               |  13 +-
 frontend/src/i18n/locales/zh.ts               |  13 +-
 frontend/src/views/admin/ChannelsView.vue     | 338 +++++++++++---
 17 files changed, 1449 insertions(+), 244 deletions(-)
 create mode 100644 backend/internal/repository/channel_repo_account_stats_pricing.go
 create mode 100644 backend/internal/service/account_stats_pricing.go
 create mode 100644 backend/internal/service/account_stats_pricing_test.go
 create mode 100644 backend/migrations/101_add_account_stats_pricing.sql

diff --git a/backend/internal/handler/admin/channel_handler.go b/backend/internal/handler/admin/channel_handler.go
index 9cefc792..2d4cd56a 100644
--- a/backend/internal/handler/admin/channel_handler.go
+++ b/backend/internal/handler/admin/channel_handler.go
@@ -26,28 +26,30 @@ func NewChannelHandler(channelService *service.ChannelService, billingService *s
 // --- Request / Response types ---
 
 type createChannelRequest struct {
-	Name               string                       `json:"name" binding:"required,max=100"`
-	Description        string                       `json:"description"`
-	GroupIDs           []int64                      `json:"group_ids"`
-	ModelPricing       []channelModelPricingRequest `json:"model_pricing"`
-	ModelMapping       map[string]map[string]string `json:"model_mapping"`
-	BillingModelSource string                       `json:"billing_model_source" binding:"omitempty,oneof=requested upstream channel_mapped"`
-	RestrictModels     bool                         `json:"restrict_models"`
-	Features           string                       `json:"features"`
-	FeaturesConfig     map[string]any               `json:"features_config"`
+	Name                       string                           `json:"name" binding:"required,max=100"`
+	Description                string                           `json:"description"`
+	GroupIDs                   []int64                          `json:"group_ids"`
+	ModelPricing               []channelModelPricingRequest     `json:"model_pricing"`
+	ModelMapping               map[string]map[string]string     `json:"model_mapping"`
+	BillingModelSource         string                           `json:"billing_model_source" binding:"omitempty,oneof=requested upstream channel_mapped"`
+	RestrictModels             bool                             `json:"restrict_models"`
+	Features                   string                           `json:"features"`
+	ApplyPricingToAccountStats bool                             `json:"apply_pricing_to_account_stats"`
+	AccountStatsPricingRules   []accountStatsPricingRuleRequest `json:"account_stats_pricing_rules"`
 }
 
 type updateChannelRequest struct {
-	Name               string                        `json:"name" binding:"omitempty,max=100"`
-	Description        *string                       `json:"description"`
-	Status             string                        `json:"status" binding:"omitempty,oneof=active disabled"`
-	GroupIDs           *[]int64                      `json:"group_ids"`
-	ModelPricing       *[]channelModelPricingRequest `json:"model_pricing"`
-	ModelMapping       map[string]map[string]string  `json:"model_mapping"`
-	BillingModelSource string                        `json:"billing_model_source" binding:"omitempty,oneof=requested upstream channel_mapped"`
-	RestrictModels     *bool                         `json:"restrict_models"`
-	Features           *string                       `json:"features"`
-	FeaturesConfig     map[string]any                `json:"features_config"`
+	Name                       string                            `json:"name" binding:"omitempty,max=100"`
+	Description                *string                           `json:"description"`
+	Status                     string                            `json:"status" binding:"omitempty,oneof=active disabled"`
+	GroupIDs                   *[]int64                          `json:"group_ids"`
+	ModelPricing               *[]channelModelPricingRequest     `json:"model_pricing"`
+	ModelMapping               map[string]map[string]string      `json:"model_mapping"`
+	BillingModelSource         string                            `json:"billing_model_source" binding:"omitempty,oneof=requested upstream channel_mapped"`
+	RestrictModels             *bool                             `json:"restrict_models"`
+	Features                   *string                           `json:"features"`
+	ApplyPricingToAccountStats *bool                             `json:"apply_pricing_to_account_stats"`
+	AccountStatsPricingRules   *[]accountStatsPricingRuleRequest `json:"account_stats_pricing_rules"`
 }
 
 type channelModelPricingRequest struct {
@@ -75,20 +77,28 @@ type pricingIntervalRequest struct {
 	SortOrder       int      `json:"sort_order"`
 }
 
+type accountStatsPricingRuleRequest struct {
+	Name       string                       `json:"name"`
+	GroupIDs   []int64                      `json:"group_ids"`
+	AccountIDs []int64                      `json:"account_ids"`
+	Pricing    []channelModelPricingRequest `json:"pricing"`
+}
+
 type channelResponse struct {
-	ID                 int64                         `json:"id"`
-	Name               string                        `json:"name"`
-	Description        string                        `json:"description"`
-	Status             string                        `json:"status"`
-	BillingModelSource string                        `json:"billing_model_source"`
-	RestrictModels     bool                          `json:"restrict_models"`
-	Features           string                        `json:"features"`
-	FeaturesConfig     map[string]any                `json:"features_config"`
-	GroupIDs           []int64                       `json:"group_ids"`
-	ModelPricing       []channelModelPricingResponse `json:"model_pricing"`
-	ModelMapping       map[string]map[string]string  `json:"model_mapping"`
-	CreatedAt          string                        `json:"created_at"`
-	UpdatedAt          string                        `json:"updated_at"`
+	ID                         int64                             `json:"id"`
+	Name                       string                            `json:"name"`
+	Description                string                            `json:"description"`
+	Status                     string                            `json:"status"`
+	BillingModelSource         string                            `json:"billing_model_source"`
+	RestrictModels             bool                              `json:"restrict_models"`
+	Features                   string                            `json:"features"`
+	GroupIDs                   []int64                           `json:"group_ids"`
+	ModelPricing               []channelModelPricingResponse     `json:"model_pricing"`
+	ModelMapping               map[string]map[string]string      `json:"model_mapping"`
+	ApplyPricingToAccountStats bool                              `json:"apply_pricing_to_account_stats"`
+	AccountStatsPricingRules   []accountStatsPricingRuleResponse `json:"account_stats_pricing_rules"`
+	CreatedAt                  string                            `json:"created_at"`
+	UpdatedAt                  string                            `json:"updated_at"`
 }
 
 type channelModelPricingResponse struct {
@@ -118,6 +128,14 @@ type pricingIntervalResponse struct {
 	SortOrder       int      `json:"sort_order"`
 }
 
+type accountStatsPricingRuleResponse struct {
+	ID         int64                         `json:"id"`
+	Name       string                        `json:"name"`
+	GroupIDs   []int64                       `json:"group_ids"`
+	AccountIDs []int64                       `json:"account_ids"`
+	Pricing    []channelModelPricingResponse `json:"pricing"`
+}
+
 func channelToResponse(ch *service.Channel) *channelResponse {
 	if ch == nil {
 		return nil
@@ -129,7 +147,6 @@ func channelToResponse(ch *service.Channel) *channelResponse {
 		Status:         ch.Status,
 		RestrictModels: ch.RestrictModels,
 		Features:       ch.Features,
-		FeaturesConfig: ch.FeaturesConfig,
 		GroupIDs:       ch.GroupIDs,
 		ModelMapping:   ch.ModelMapping,
 		CreatedAt:      ch.CreatedAt.Format("2006-01-02T15:04:05Z"),
@@ -150,6 +167,29 @@ func channelToResponse(ch *service.Channel) *channelResponse {
 	for _, p := range ch.ModelPricing {
 		resp.ModelPricing = append(resp.ModelPricing, pricingToResponse(&p))
 	}
+
+	resp.ApplyPricingToAccountStats = ch.ApplyPricingToAccountStats
+	resp.AccountStatsPricingRules = make([]accountStatsPricingRuleResponse, 0, len(ch.AccountStatsPricingRules))
+	for _, rule := range ch.AccountStatsPricingRules {
+		ruleResp := accountStatsPricingRuleResponse{
+			ID:         rule.ID,
+			Name:       rule.Name,
+			GroupIDs:   rule.GroupIDs,
+			AccountIDs: rule.AccountIDs,
+			Pricing:    make([]channelModelPricingResponse, 0, len(rule.Pricing)),
+		}
+		if ruleResp.GroupIDs == nil {
+			ruleResp.GroupIDs = []int64{}
+		}
+		if ruleResp.AccountIDs == nil {
+			ruleResp.AccountIDs = []int64{}
+		}
+		for i := range rule.Pricing {
+			ruleResp.Pricing = append(ruleResp.Pricing, pricingToResponse(&rule.Pricing[i]))
+		}
+		resp.AccountStatsPricingRules = append(resp.AccountStatsPricingRules, ruleResp)
+	}
+
 	return resp
 }
 
@@ -241,6 +281,15 @@ func pricingRequestToService(reqs []channelModelPricingRequest) []service.Channe
 	return result
 }
 
+func accountStatsPricingRuleRequestToService(r accountStatsPricingRuleRequest) service.AccountStatsPricingRule {
+	return service.AccountStatsPricingRule{
+		Name:       r.Name,
+		GroupIDs:   r.GroupIDs,
+		AccountIDs: r.AccountIDs,
+		Pricing:    pricingRequestToService(r.Pricing),
+	}
+}
+
 // --- Handlers ---
 
 // List handles listing channels with pagination
@@ -300,16 +349,24 @@ func (h *ChannelHandler) Create(c *gin.Context) {
 
 	pricing := pricingRequestToService(req.ModelPricing)
 
+	var statsRules []service.AccountStatsPricingRule
+	for i, r := range req.AccountStatsPricingRules {
+		rule := accountStatsPricingRuleRequestToService(r)
+		rule.SortOrder = i
+		statsRules = append(statsRules, rule)
+	}
+
 	channel, err := h.channelService.Create(c.Request.Context(), &service.CreateChannelInput{
-		Name:               req.Name,
-		Description:        req.Description,
-		GroupIDs:           req.GroupIDs,
-		ModelPricing:       pricing,
-		ModelMapping:       req.ModelMapping,
-		BillingModelSource: req.BillingModelSource,
-		RestrictModels:     req.RestrictModels,
-		Features:           req.Features,
-		FeaturesConfig:     req.FeaturesConfig,
+		Name:                       req.Name,
+		Description:                req.Description,
+		GroupIDs:                   req.GroupIDs,
+		ModelPricing:               pricing,
+		ModelMapping:               req.ModelMapping,
+		BillingModelSource:         req.BillingModelSource,
+		RestrictModels:             req.RestrictModels,
+		Features:                   req.Features,
+		ApplyPricingToAccountStats: req.ApplyPricingToAccountStats,
+		AccountStatsPricingRules:   statsRules,
 	})
 	if err != nil {
 		response.ErrorFrom(c, err)
@@ -335,20 +392,29 @@ func (h *ChannelHandler) Update(c *gin.Context) {
 	}
 
 	input := &service.UpdateChannelInput{
-		Name:               req.Name,
-		Description:        req.Description,
-		Status:             req.Status,
-		GroupIDs:           req.GroupIDs,
-		ModelMapping:       req.ModelMapping,
-		BillingModelSource: req.BillingModelSource,
-		RestrictModels:     req.RestrictModels,
-		Features:           req.Features,
-		FeaturesConfig:     req.FeaturesConfig,
+		Name:                       req.Name,
+		Description:                req.Description,
+		Status:                     req.Status,
+		GroupIDs:                   req.GroupIDs,
+		ModelMapping:               req.ModelMapping,
+		BillingModelSource:         req.BillingModelSource,
+		RestrictModels:             req.RestrictModels,
+		Features:                   req.Features,
+		ApplyPricingToAccountStats: req.ApplyPricingToAccountStats,
 	}
 	if req.ModelPricing != nil {
 		pricing := pricingRequestToService(*req.ModelPricing)
 		input.ModelPricing = &pricing
 	}
+	if req.AccountStatsPricingRules != nil {
+		statsRules := make([]service.AccountStatsPricingRule, 0, len(*req.AccountStatsPricingRules))
+		for i, r := range *req.AccountStatsPricingRules {
+			rule := accountStatsPricingRuleRequestToService(r)
+			rule.SortOrder = i
+			statsRules = append(statsRules, rule)
+		}
+		input.AccountStatsPricingRules = &statsRules
+	}
 
 	channel, err := h.channelService.Update(c.Request.Context(), id, input)
 	if err != nil {
diff --git a/backend/internal/repository/channel_repo.go b/backend/internal/repository/channel_repo.go
index 56b5cc71..583ce895 100644
--- a/backend/internal/repository/channel_repo.go
+++ b/backend/internal/repository/channel_repo.go
@@ -41,14 +41,10 @@ func (r *channelRepository) Create(ctx context.Context, channel *service.Channel
 		if err != nil {
 			return err
 		}
-		featuresConfigJSON, err := marshalFeaturesConfig(channel.FeaturesConfig)
-		if err != nil {
-			return err
-		}
 		err = tx.QueryRowContext(ctx,
-			`INSERT INTO channels (name, description, status, model_mapping, billing_model_source, restrict_models, features, features_config) VALUES ($1, $2, $3, $4, $5, $6, $7, $8)
+			`INSERT INTO channels (name, description, status, model_mapping, billing_model_source, restrict_models, features, apply_pricing_to_account_stats) VALUES ($1, $2, $3, $4, $5, $6, $7, $8)
 			 RETURNING id, created_at, updated_at`,
-			channel.Name, channel.Description, channel.Status, modelMappingJSON, channel.BillingModelSource, channel.RestrictModels, channel.Features, featuresConfigJSON,
+			channel.Name, channel.Description, channel.Status, modelMappingJSON, channel.BillingModelSource, channel.RestrictModels, channel.Features, channel.ApplyPricingToAccountStats,
 		).Scan(&channel.ID, &channel.CreatedAt, &channel.UpdatedAt)
 		if err != nil {
 			if isUniqueViolation(err) {
@@ -71,17 +67,24 @@ func (r *channelRepository) Create(ctx context.Context, channel *service.Channel
 			}
 		}
 
+		// 设置账号统计定价规则
+		if len(channel.AccountStatsPricingRules) > 0 {
+			if err := replaceAccountStatsPricingRulesTx(ctx, tx, channel.ID, channel.AccountStatsPricingRules); err != nil {
+				return err
+			}
+		}
+
 		return nil
 	})
 }
 
 func (r *channelRepository) GetByID(ctx context.Context, id int64) (*service.Channel, error) {
 	ch := &service.Channel{}
-	var modelMappingJSON, featuresConfigJSON []byte
+	var modelMappingJSON []byte
 	err := r.db.QueryRowContext(ctx,
-		`SELECT id, name, description, status, model_mapping, billing_model_source, restrict_models, features, features_config, created_at, updated_at
+		`SELECT id, name, description, status, model_mapping, billing_model_source, restrict_models, features, apply_pricing_to_account_stats, created_at, updated_at
 		 FROM channels WHERE id = $1`, id,
-	).Scan(&ch.ID, &ch.Name, &ch.Description, &ch.Status, &modelMappingJSON, &ch.BillingModelSource, &ch.RestrictModels, &ch.Features, &featuresConfigJSON, &ch.CreatedAt, &ch.UpdatedAt)
+	).Scan(&ch.ID, &ch.Name, &ch.Description, &ch.Status, &modelMappingJSON, &ch.BillingModelSource, &ch.RestrictModels, &ch.Features, &ch.ApplyPricingToAccountStats, &ch.CreatedAt, &ch.UpdatedAt)
 	if err == sql.ErrNoRows {
 		return nil, service.ErrChannelNotFound
 	}
@@ -89,7 +92,6 @@ func (r *channelRepository) GetByID(ctx context.Context, id int64) (*service.Cha
 		return nil, fmt.Errorf("get channel: %w", err)
 	}
 	ch.ModelMapping = unmarshalModelMapping(modelMappingJSON)
-	ch.FeaturesConfig = unmarshalFeaturesConfig(featuresConfigJSON)
 
 	groupIDs, err := r.GetGroupIDs(ctx, id)
 	if err != nil {
@@ -103,6 +105,12 @@ func (r *channelRepository) GetByID(ctx context.Context, id int64) (*service.Cha
 	}
 	ch.ModelPricing = pricing
 
+	statsPricingRules, err := r.loadAccountStatsPricingRules(ctx, id)
+	if err != nil {
+		return nil, err
+	}
+	ch.AccountStatsPricingRules = statsPricingRules
+
 	return ch, nil
 }
 
@@ -112,14 +120,10 @@ func (r *channelRepository) Update(ctx context.Context, channel *service.Channel
 		if err != nil {
 			return err
 		}
-		featuresConfigJSON, err := marshalFeaturesConfig(channel.FeaturesConfig)
-		if err != nil {
-			return err
-		}
 		result, err := tx.ExecContext(ctx,
-			`UPDATE channels SET name = $1, description = $2, status = $3, model_mapping = $4, billing_model_source = $5, restrict_models = $6, features = $7, features_config = $8, updated_at = NOW()
+			`UPDATE channels SET name = $1, description = $2, status = $3, model_mapping = $4, billing_model_source = $5, restrict_models = $6, features = $7, apply_pricing_to_account_stats = $8, updated_at = NOW()
 			 WHERE id = $9`,
-			channel.Name, channel.Description, channel.Status, modelMappingJSON, channel.BillingModelSource, channel.RestrictModels, channel.Features, featuresConfigJSON, channel.ID,
+			channel.Name, channel.Description, channel.Status, modelMappingJSON, channel.BillingModelSource, channel.RestrictModels, channel.Features, channel.ApplyPricingToAccountStats, channel.ID,
 		)
 		if err != nil {
 			if isUniqueViolation(err) {
@@ -146,6 +150,13 @@ func (r *channelRepository) Update(ctx context.Context, channel *service.Channel
 			}
 		}
 
+		// 更新账号统计定价规则
+		if channel.AccountStatsPricingRules != nil {
+			if err := replaceAccountStatsPricingRulesTx(ctx, tx, channel.ID, channel.AccountStatsPricingRules); err != nil {
+				return err
+			}
+		}
+
 		return nil
 	})
 }
@@ -196,7 +207,7 @@ func (r *channelRepository) List(ctx context.Context, params pagination.Paginati
 
 	// 查询 channel 列表
 	dataQuery := fmt.Sprintf(
-		`SELECT c.id, c.name, c.description, c.status, c.model_mapping, c.billing_model_source, c.restrict_models, c.features, c.features_config, c.created_at, c.updated_at
+		`SELECT c.id, c.name, c.description, c.status, c.model_mapping, c.billing_model_source, c.restrict_models, c.features, c.apply_pricing_to_account_stats, c.created_at, c.updated_at
 		 FROM channels c WHERE %s ORDER BY %s LIMIT $%d OFFSET $%d`,
 		whereClause, channelListOrderBy(params), argIdx, argIdx+1,
 	)
@@ -212,12 +223,11 @@ func (r *channelRepository) List(ctx context.Context, params pagination.Paginati
 	var channelIDs []int64
 	for rows.Next() {
 		var ch service.Channel
-		var modelMappingJSON, featuresConfigJSON []byte
-		if err := rows.Scan(&ch.ID, &ch.Name, &ch.Description, &ch.Status, &modelMappingJSON, &ch.BillingModelSource, &ch.RestrictModels, &ch.Features, &featuresConfigJSON, &ch.CreatedAt, &ch.UpdatedAt); err != nil {
+		var modelMappingJSON []byte
+		if err := rows.Scan(&ch.ID, &ch.Name, &ch.Description, &ch.Status, &modelMappingJSON, &ch.BillingModelSource, &ch.RestrictModels, &ch.Features, &ch.ApplyPricingToAccountStats, &ch.CreatedAt, &ch.UpdatedAt); err != nil {
 			return nil, nil, fmt.Errorf("scan channel: %w", err)
 		}
 		ch.ModelMapping = unmarshalModelMapping(modelMappingJSON)
-		ch.FeaturesConfig = unmarshalFeaturesConfig(featuresConfigJSON)
 		channels = append(channels, ch)
 		channelIDs = append(channelIDs, ch.ID)
 	}
@@ -235,9 +245,14 @@ func (r *channelRepository) List(ctx context.Context, params pagination.Paginati
 		if err != nil {
 			return nil, nil, err
 		}
+		statsRulesMap, err := r.batchLoadAccountStatsPricingRules(ctx, channelIDs)
+		if err != nil {
+			return nil, nil, err
+		}
 		for i := range channels {
 			channels[i].GroupIDs = groupMap[channels[i].ID]
 			channels[i].ModelPricing = pricingMap[channels[i].ID]
+			channels[i].AccountStatsPricingRules = statsRulesMap[channels[i].ID]
 		}
 	}
 
@@ -283,7 +298,7 @@ func channelListOrderBy(params pagination.PaginationParams) string {
 
 func (r *channelRepository) ListAll(ctx context.Context) ([]service.Channel, error) {
 	rows, err := r.db.QueryContext(ctx,
-		`SELECT id, name, description, status, model_mapping, billing_model_source, restrict_models, features, features_config, created_at, updated_at FROM channels ORDER BY id`,
+		`SELECT id, name, description, status, model_mapping, billing_model_source, restrict_models, features, apply_pricing_to_account_stats, created_at, updated_at FROM channels ORDER BY id`,
 	)
 	if err != nil {
 		return nil, fmt.Errorf("query all channels: %w", err)
@@ -294,12 +309,11 @@ func (r *channelRepository) ListAll(ctx context.Context) ([]service.Channel, err
 	var channelIDs []int64
 	for rows.Next() {
 		var ch service.Channel
-		var modelMappingJSON, featuresConfigJSON []byte
-		if err := rows.Scan(&ch.ID, &ch.Name, &ch.Description, &ch.Status, &modelMappingJSON, &ch.BillingModelSource, &ch.RestrictModels, &ch.Features, &featuresConfigJSON, &ch.CreatedAt, &ch.UpdatedAt); err != nil {
+		var modelMappingJSON []byte
+		if err := rows.Scan(&ch.ID, &ch.Name, &ch.Description, &ch.Status, &modelMappingJSON, &ch.BillingModelSource, &ch.RestrictModels, &ch.Features, &ch.ApplyPricingToAccountStats, &ch.CreatedAt, &ch.UpdatedAt); err != nil {
 			return nil, fmt.Errorf("scan channel: %w", err)
 		}
 		ch.ModelMapping = unmarshalModelMapping(modelMappingJSON)
-		ch.FeaturesConfig = unmarshalFeaturesConfig(featuresConfigJSON)
 		channels = append(channels, ch)
 		channelIDs = append(channelIDs, ch.ID)
 	}
@@ -323,9 +337,16 @@ func (r *channelRepository) ListAll(ctx context.Context) ([]service.Channel, err
 		return nil, err
 	}
 
+	// 批量加载账号统计定价规则
+	statsRulesMap, err := r.batchLoadAccountStatsPricingRules(ctx, channelIDs)
+	if err != nil {
+		return nil, err
+	}
+
 	for i := range channels {
 		channels[i].GroupIDs = groupMap[channels[i].ID]
 		channels[i].ModelPricing = pricingMap[channels[i].ID]
+		channels[i].AccountStatsPricingRules = statsRulesMap[channels[i].ID]
 	}
 
 	return channels, nil
@@ -467,28 +488,6 @@ func unmarshalModelMapping(data []byte) map[string]map[string]string {
 	return m
 }
 
-func marshalFeaturesConfig(m map[string]any) ([]byte, error) {
-	if len(m) == 0 {
-		return []byte("{}"), nil
-	}
-	data, err := json.Marshal(m)
-	if err != nil {
-		return nil, fmt.Errorf("marshal features_config: %w", err)
-	}
-	return data, nil
-}
-
-func unmarshalFeaturesConfig(data []byte) map[string]any {
-	if len(data) == 0 {
-		return nil
-	}
-	var m map[string]any
-	if err := json.Unmarshal(data, &m); err != nil {
-		return nil
-	}
-	return m
-}
-
 // GetGroupPlatforms 批量查询分组 ID 对应的平台
 func (r *channelRepository) GetGroupPlatforms(ctx context.Context, groupIDs []int64) (map[int64]string, error) {
 	if len(groupIDs) == 0 {
diff --git a/backend/internal/repository/channel_repo_account_stats_pricing.go b/backend/internal/repository/channel_repo_account_stats_pricing.go
new file mode 100644
index 00000000..ef8f5177
--- /dev/null
+++ b/backend/internal/repository/channel_repo_account_stats_pricing.go
@@ -0,0 +1,170 @@
+package repository
+
+import (
+	"context"
+	"database/sql"
+	"encoding/json"
+	"fmt"
+
+	"github.com/Wei-Shaw/sub2api/internal/service"
+	"github.com/lib/pq"
+)
+
+// --- 账号统计定价规则 ---
+
+// batchLoadAccountStatsPricingRules 批量加载多个渠道的账号统计定价规则（含模型定价）
+func (r *channelRepository) batchLoadAccountStatsPricingRules(ctx context.Context, channelIDs []int64) (map[int64][]service.AccountStatsPricingRule, error) {
+	// 1. 查询规则
+	rows, err := r.db.QueryContext(ctx,
+		`SELECT id, channel_id, name, group_ids, account_ids, sort_order, created_at, updated_at
+		 FROM channel_account_stats_pricing_rules WHERE channel_id = ANY($1) ORDER BY channel_id, sort_order, id`,
+		pq.Array(channelIDs),
+	)
+	if err != nil {
+		return nil, fmt.Errorf("batch load account stats pricing rules: %w", err)
+	}
+	defer func() { _ = rows.Close() }()
+
+	var allRules []service.AccountStatsPricingRule
+	var ruleIDs []int64
+	for rows.Next() {
+		var rule service.AccountStatsPricingRule
+		if err := rows.Scan(
+			&rule.ID, &rule.ChannelID, &rule.Name,
+			pq.Array(&rule.GroupIDs), pq.Array(&rule.AccountIDs),
+			&rule.SortOrder, &rule.CreatedAt, &rule.UpdatedAt,
+		); err != nil {
+			return nil, fmt.Errorf("scan account stats pricing rule: %w", err)
+		}
+		ruleIDs = append(ruleIDs, rule.ID)
+		allRules = append(allRules, rule)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, fmt.Errorf("iterate account stats pricing rules: %w", err)
+	}
+
+	// 2. 批量加载规则的模型定价
+	pricingMap, err := r.batchLoadAccountStatsModelPricing(ctx, ruleIDs)
+	if err != nil {
+		return nil, err
+	}
+
+	// 3. 按 channelID 分组并关联定价
+	result := make(map[int64][]service.AccountStatsPricingRule, len(channelIDs))
+	for i := range allRules {
+		allRules[i].Pricing = pricingMap[allRules[i].ID]
+		result[allRules[i].ChannelID] = append(result[allRules[i].ChannelID], allRules[i])
+	}
+
+	return result, nil
+}
+
+// batchLoadAccountStatsModelPricing 批量加载规则的模型定价
+func (r *channelRepository) batchLoadAccountStatsModelPricing(ctx context.Context, ruleIDs []int64) (map[int64][]service.ChannelModelPricing, error) {
+	if len(ruleIDs) == 0 {
+		return make(map[int64][]service.ChannelModelPricing), nil
+	}
+
+	rows, err := r.db.QueryContext(ctx,
+		`SELECT id, rule_id, platform, models, billing_mode, input_price, output_price,
+		        cache_write_price, cache_read_price, image_output_price, per_request_price, created_at, updated_at
+		 FROM channel_account_stats_model_pricing WHERE rule_id = ANY($1) ORDER BY rule_id, id`,
+		pq.Array(ruleIDs),
+	)
+	if err != nil {
+		return nil, fmt.Errorf("batch load account stats model pricing: %w", err)
+	}
+	defer func() { _ = rows.Close() }()
+
+	pricingMap := make(map[int64][]service.ChannelModelPricing, len(ruleIDs))
+	for rows.Next() {
+		var p service.ChannelModelPricing
+		var ruleID int64
+		var modelsJSON []byte
+		if err := rows.Scan(
+			&p.ID, &ruleID, &p.Platform, &modelsJSON, &p.BillingMode,
+			&p.InputPrice, &p.OutputPrice, &p.CacheWritePrice, &p.CacheReadPrice,
+			&p.ImageOutputPrice, &p.PerRequestPrice, &p.CreatedAt, &p.UpdatedAt,
+		); err != nil {
+			return nil, fmt.Errorf("scan account stats model pricing: %w", err)
+		}
+		if err := json.Unmarshal(modelsJSON, &p.Models); err != nil {
+			p.Models = []string{}
+		}
+		pricingMap[ruleID] = append(pricingMap[ruleID], p)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, fmt.Errorf("iterate account stats model pricing: %w", err)
+	}
+	return pricingMap, nil
+}
+
+// loadAccountStatsPricingRules 加载单个渠道的账号统计定价规则（供 GetByID 使用）
+func (r *channelRepository) loadAccountStatsPricingRules(ctx context.Context, channelID int64) ([]service.AccountStatsPricingRule, error) {
+	result, err := r.batchLoadAccountStatsPricingRules(ctx, []int64{channelID})
+	if err != nil {
+		return nil, err
+	}
+	return result[channelID], nil
+}
+
+// replaceAccountStatsPricingRulesTx 在事务中替换渠道的账号统计定价规则（删除旧的 + 插入新的）
+func replaceAccountStatsPricingRulesTx(ctx context.Context, tx *sql.Tx, channelID int64, rules []service.AccountStatsPricingRule) error {
+	// CASCADE 会自动删除关联的 model_pricing
+	if _, err := tx.ExecContext(ctx,
+		`DELETE FROM channel_account_stats_pricing_rules WHERE channel_id = $1`, channelID,
+	); err != nil {
+		return fmt.Errorf("delete old account stats pricing rules: %w", err)
+	}
+
+	for i := range rules {
+		rules[i].ChannelID = channelID
+		if err := createAccountStatsPricingRuleTx(ctx, tx, &rules[i]); err != nil {
+			return fmt.Errorf("insert account stats pricing rule: %w", err)
+		}
+	}
+	return nil
+}
+
+// createAccountStatsPricingRuleTx 在事务中创建单条账号统计定价规则及其模型定价
+func createAccountStatsPricingRuleTx(ctx context.Context, tx *sql.Tx, rule *service.AccountStatsPricingRule) error {
+	err := tx.QueryRowContext(ctx,
+		`INSERT INTO channel_account_stats_pricing_rules (channel_id, name, group_ids, account_ids, sort_order)
+		 VALUES ($1, $2, $3, $4, $5) RETURNING id, created_at, updated_at`,
+		rule.ChannelID, rule.Name, pq.Array(rule.GroupIDs), pq.Array(rule.AccountIDs), rule.SortOrder,
+	).Scan(&rule.ID, &rule.CreatedAt, &rule.UpdatedAt)
+	if err != nil {
+		return fmt.Errorf("insert account stats pricing rule: %w", err)
+	}
+
+	for j := range rule.Pricing {
+		if err := createAccountStatsModelPricingTx(ctx, tx, rule.ID, &rule.Pricing[j]); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// createAccountStatsModelPricingTx 在事务中创建单条账号统计模型定价
+func createAccountStatsModelPricingTx(ctx context.Context, tx *sql.Tx, ruleID int64, pricing *service.ChannelModelPricing) error {
+	modelsJSON, err := json.Marshal(pricing.Models)
+	if err != nil {
+		return fmt.Errorf("marshal models: %w", err)
+	}
+	billingMode := pricing.BillingMode
+	if billingMode == "" {
+		billingMode = service.BillingModeToken
+	}
+	platform := pricing.Platform
+	err = tx.QueryRowContext(ctx,
+		`INSERT INTO channel_account_stats_model_pricing (rule_id, platform, models, billing_mode, input_price, output_price, cache_write_price, cache_read_price, image_output_price, per_request_price)
+		 VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10) RETURNING id, created_at, updated_at`,
+		ruleID, platform, modelsJSON, billingMode,
+		pricing.InputPrice, pricing.OutputPrice, pricing.CacheWritePrice, pricing.CacheReadPrice,
+		pricing.ImageOutputPrice, pricing.PerRequestPrice,
+	).Scan(&pricing.ID, &pricing.CreatedAt, &pricing.UpdatedAt)
+	if err != nil {
+		return fmt.Errorf("insert account stats model pricing: %w", err)
+	}
+	return nil
+}
diff --git a/backend/internal/repository/usage_log_repo.go b/backend/internal/repository/usage_log_repo.go
index 3ba2191e..f942a8e1 100644
--- a/backend/internal/repository/usage_log_repo.go
+++ b/backend/internal/repository/usage_log_repo.go
@@ -28,7 +28,7 @@ import (
 	gocache "github.com/patrickmn/go-cache"
 )
 
-const usageLogSelectColumns = "id, user_id, api_key_id, account_id, request_id, model, requested_model, upstream_model, group_id, subscription_id, input_tokens, output_tokens, cache_creation_tokens, cache_read_tokens, cache_creation_5m_tokens, cache_creation_1h_tokens, image_output_tokens, image_output_cost, input_cost, output_cost, cache_creation_cost, cache_read_cost, total_cost, actual_cost, rate_multiplier, account_rate_multiplier, billing_type, request_type, stream, openai_ws_mode, duration_ms, first_token_ms, user_agent, ip_address, image_count, image_size, service_tier, reasoning_effort, inbound_endpoint, upstream_endpoint, cache_ttl_overridden, channel_id, model_mapping_chain, billing_tier, billing_mode, created_at"
+const usageLogSelectColumns = "id, user_id, api_key_id, account_id, request_id, model, requested_model, upstream_model, group_id, subscription_id, input_tokens, output_tokens, cache_creation_tokens, cache_read_tokens, cache_creation_5m_tokens, cache_creation_1h_tokens, image_output_tokens, image_output_cost, input_cost, output_cost, cache_creation_cost, cache_read_cost, total_cost, actual_cost, rate_multiplier, account_rate_multiplier, billing_type, request_type, stream, openai_ws_mode, duration_ms, first_token_ms, user_agent, ip_address, image_count, image_size, service_tier, reasoning_effort, inbound_endpoint, upstream_endpoint, cache_ttl_overridden, channel_id, model_mapping_chain, billing_tier, billing_mode, account_stats_cost, created_at"
 
 // usageLogInsertArgTypes must stay in the same order as:
 //  1. prepareUsageLogInsert().args
@@ -82,6 +82,7 @@ var usageLogInsertArgTypes = [...]string{
 	"text",        // model_mapping_chain
 	"text",        // billing_tier
 	"text",        // billing_mode
+	"numeric",     // account_stats_cost
 	"timestamptz", // created_at
 }
 
@@ -360,6 +361,7 @@ func (r *usageLogRepository) createSingle(ctx context.Context, sqlq sqlExecutor,
 			model_mapping_chain,
 			billing_tier,
 			billing_mode,
+			account_stats_cost,
 			created_at
 		) VALUES (
 			$1, $2, $3, $4, $5, $6, $7,
@@ -367,7 +369,7 @@ func (r *usageLogRepository) createSingle(ctx context.Context, sqlq sqlExecutor,
 			$10, $11, $12, $13,
 			$14, $15, $16, $17,
 			$18, $19, $20, $21, $22, $23,
-			$24, $25, $26, $27, $28, $29, $30, $31, $32, $33, $34, $35, $36, $37, $38, $39, $40, $41, $42, $43, $44, $45
+			$24, $25, $26, $27, $28, $29, $30, $31, $32, $33, $34, $35, $36, $37, $38, $39, $40, $41, $42, $43, $44, $45, $46
 		)
 		ON CONFLICT (request_id, api_key_id) DO NOTHING
 		RETURNING id, created_at
@@ -797,6 +799,7 @@ func buildUsageLogBatchInsertQuery(keys []string, preparedByKey map[string]usage
 			model_mapping_chain,
 			billing_tier,
 			billing_mode,
+			account_stats_cost,
 			created_at
 		) AS (VALUES `)
 
@@ -873,6 +876,7 @@ func buildUsageLogBatchInsertQuery(keys []string, preparedByKey map[string]usage
 				model_mapping_chain,
 				billing_tier,
 				billing_mode,
+				account_stats_cost,
 				created_at
 			)
 			SELECT
@@ -920,6 +924,7 @@ func buildUsageLogBatchInsertQuery(keys []string, preparedByKey map[string]usage
 				model_mapping_chain,
 				billing_tier,
 				billing_mode,
+				account_stats_cost,
 				created_at
 			FROM input
 			ON CONFLICT (request_id, api_key_id) DO NOTHING
@@ -1007,10 +1012,11 @@ func buildUsageLogBestEffortInsertQuery(preparedList []usageLogInsertPrepared) (
 			model_mapping_chain,
 			billing_tier,
 			billing_mode,
+			account_stats_cost,
 			created_at
 		) AS (VALUES `)
 
-	args := make([]any, 0, len(preparedList)*45)
+	args := make([]any, 0, len(preparedList)*46)
 	argPos := 1
 	for idx, prepared := range preparedList {
 		if idx > 0 {
@@ -1080,6 +1086,7 @@ func buildUsageLogBestEffortInsertQuery(preparedList []usageLogInsertPrepared) (
 			model_mapping_chain,
 			billing_tier,
 			billing_mode,
+			account_stats_cost,
 			created_at
 		)
 		SELECT
@@ -1127,6 +1134,7 @@ func buildUsageLogBestEffortInsertQuery(preparedList []usageLogInsertPrepared) (
 			model_mapping_chain,
 			billing_tier,
 			billing_mode,
+			account_stats_cost,
 			created_at
 		FROM input
 		ON CONFLICT (request_id, api_key_id) DO NOTHING
@@ -1182,6 +1190,7 @@ func execUsageLogInsertNoResult(ctx context.Context, sqlq sqlExecutor, prepared
 			model_mapping_chain,
 			billing_tier,
 			billing_mode,
+			account_stats_cost,
 			created_at
 		) VALUES (
 			$1, $2, $3, $4, $5, $6, $7,
@@ -1189,7 +1198,7 @@ func execUsageLogInsertNoResult(ctx context.Context, sqlq sqlExecutor, prepared
 			$10, $11, $12, $13,
 			$14, $15, $16, $17,
 			$18, $19, $20, $21, $22, $23,
-			$24, $25, $26, $27, $28, $29, $30, $31, $32, $33, $34, $35, $36, $37, $38, $39, $40, $41, $42, $43, $44, $45
+			$24, $25, $26, $27, $28, $29, $30, $31, $32, $33, $34, $35, $36, $37, $38, $39, $40, $41, $42, $43, $44, $45, $46
 		)
 		ON CONFLICT (request_id, api_key_id) DO NOTHING
 	`, prepared.args...)
@@ -1285,6 +1294,7 @@ func prepareUsageLogInsert(log *service.UsageLog) usageLogInsertPrepared {
 			modelMappingChain,
 			billingTier,
 			billingMode,
+			log.AccountStatsCost, // account_stats_cost
 			createdAt,
 		},
 	}
@@ -1959,7 +1969,7 @@ func (r *usageLogRepository) GetAccountTodayStats(ctx context.Context, accountID
 		SELECT
 			COUNT(*) as requests,
 			COALESCE(SUM(input_tokens + output_tokens + cache_creation_tokens + cache_read_tokens), 0) as tokens,
-			COALESCE(SUM(total_cost * COALESCE(account_rate_multiplier, 1)), 0) as cost,
+			COALESCE(SUM(COALESCE(account_stats_cost, total_cost) * COALESCE(account_rate_multiplier, 1)), 0) as cost,
 			COALESCE(SUM(total_cost), 0) as standard_cost,
 			COALESCE(SUM(actual_cost), 0) as user_cost
 		FROM usage_logs
@@ -1989,7 +1999,7 @@ func (r *usageLogRepository) GetAccountWindowStats(ctx context.Context, accountI
 		SELECT
 			COUNT(*) as requests,
 			COALESCE(SUM(input_tokens + output_tokens + cache_creation_tokens + cache_read_tokens), 0) as tokens,
-			COALESCE(SUM(total_cost * COALESCE(account_rate_multiplier, 1)), 0) as cost,
+			COALESCE(SUM(COALESCE(account_stats_cost, total_cost) * COALESCE(account_rate_multiplier, 1)), 0) as cost,
 			COALESCE(SUM(total_cost), 0) as standard_cost,
 			COALESCE(SUM(actual_cost), 0) as user_cost
 		FROM usage_logs
@@ -2026,7 +2036,7 @@ func (r *usageLogRepository) GetAccountWindowStatsBatch(ctx context.Context, acc
 			account_id,
 			COUNT(*) as requests,
 			COALESCE(SUM(input_tokens + output_tokens + cache_creation_tokens + cache_read_tokens), 0) as tokens,
-			COALESCE(SUM(total_cost * COALESCE(account_rate_multiplier, 1)), 0) as cost,
+			COALESCE(SUM(COALESCE(account_stats_cost, total_cost) * COALESCE(account_rate_multiplier, 1)), 0) as cost,
 			COALESCE(SUM(total_cost), 0) as standard_cost,
 			COALESCE(SUM(actual_cost), 0) as user_cost
 		FROM usage_logs
@@ -2990,7 +3000,7 @@ func (r *usageLogRepository) getModelStatsWithFiltersBySource(ctx context.Contex
 	actualCostExpr := "COALESCE(SUM(actual_cost), 0) as actual_cost"
 	// 当仅按 account_id 聚合时，实际费用使用账号倍率（total_cost * account_rate_multiplier）。
 	if accountID > 0 && userID == 0 && apiKeyID == 0 {
-		actualCostExpr = "COALESCE(SUM(total_cost * COALESCE(account_rate_multiplier, 1)), 0) as actual_cost"
+		actualCostExpr = "COALESCE(SUM(COALESCE(account_stats_cost, total_cost) * COALESCE(account_rate_multiplier, 1)), 0) as actual_cost"
 	}
 	modelExpr := resolveModelDimensionExpression(source)
 
@@ -3358,7 +3368,7 @@ func (r *usageLogRepository) GetStatsWithFilters(ctx context.Context, filters Us
 			COALESCE(SUM(cache_creation_tokens + cache_read_tokens), 0) as total_cache_tokens,
 			COALESCE(SUM(total_cost), 0) as total_cost,
 			COALESCE(SUM(actual_cost), 0) as total_actual_cost,
-			COALESCE(SUM(total_cost * COALESCE(account_rate_multiplier, 1)), 0) as total_account_cost,
+			COALESCE(SUM(COALESCE(account_stats_cost, total_cost) * COALESCE(account_rate_multiplier, 1)), 0) as total_account_cost,
 			COALESCE(AVG(duration_ms), 0) as avg_duration_ms
 		FROM usage_logs
 		%s
@@ -3433,7 +3443,7 @@ type EndpointStat = usagestats.EndpointStat
 func (r *usageLogRepository) getEndpointStatsByColumnWithFilters(ctx context.Context, endpointColumn string, startTime, endTime time.Time, userID, apiKeyID, accountID, groupID int64, model string, requestType *int16, stream *bool, billingType *int8) (results []EndpointStat, err error) {
 	actualCostExpr := "COALESCE(SUM(actual_cost), 0) as actual_cost"
 	if accountID > 0 && userID == 0 && apiKeyID == 0 {
-		actualCostExpr = "COALESCE(SUM(total_cost * COALESCE(account_rate_multiplier, 1)), 0) as actual_cost"
+		actualCostExpr = "COALESCE(SUM(COALESCE(account_stats_cost, total_cost) * COALESCE(account_rate_multiplier, 1)), 0) as actual_cost"
 	}
 
 	query := fmt.Sprintf(`
@@ -3500,7 +3510,7 @@ func (r *usageLogRepository) getEndpointStatsByColumnWithFilters(ctx context.Con
 func (r *usageLogRepository) getEndpointPathStatsWithFilters(ctx context.Context, startTime, endTime time.Time, userID, apiKeyID, accountID, groupID int64, model string, requestType *int16, stream *bool, billingType *int8) (results []EndpointStat, err error) {
 	actualCostExpr := "COALESCE(SUM(actual_cost), 0) as actual_cost"
 	if accountID > 0 && userID == 0 && apiKeyID == 0 {
-		actualCostExpr = "COALESCE(SUM(total_cost * COALESCE(account_rate_multiplier, 1)), 0) as actual_cost"
+		actualCostExpr = "COALESCE(SUM(COALESCE(account_stats_cost, total_cost) * COALESCE(account_rate_multiplier, 1)), 0) as actual_cost"
 	}
 
 	query := fmt.Sprintf(`
@@ -3591,7 +3601,7 @@ func (r *usageLogRepository) GetAccountUsageStats(ctx context.Context, accountID
 			COUNT(*) as requests,
 			COALESCE(SUM(input_tokens + output_tokens + cache_creation_tokens + cache_read_tokens), 0) as tokens,
 			COALESCE(SUM(total_cost), 0) as cost,
-			COALESCE(SUM(total_cost * COALESCE(account_rate_multiplier, 1)), 0) as actual_cost,
+			COALESCE(SUM(COALESCE(account_stats_cost, total_cost) * COALESCE(account_rate_multiplier, 1)), 0) as actual_cost,
 			COALESCE(SUM(actual_cost), 0) as user_cost
 		FROM usage_logs
 		WHERE account_id = $1 AND created_at >= $2 AND created_at < $3
@@ -4069,6 +4079,7 @@ func scanUsageLog(scanner interface{ Scan(...any) error }) (*service.UsageLog, e
 		modelMappingChain     sql.NullString
 		billingTier           sql.NullString
 		billingMode           sql.NullString
+		accountStatsCost      sql.NullFloat64
 		createdAt             time.Time
 	)
 
@@ -4118,6 +4129,7 @@ func scanUsageLog(scanner interface{ Scan(...any) error }) (*service.UsageLog, e
 		&modelMappingChain,
 		&billingTier,
 		&billingMode,
+		&accountStatsCost,
 		&createdAt,
 	); err != nil {
 		return nil, err
@@ -4214,6 +4226,9 @@ func scanUsageLog(scanner interface{ Scan(...any) error }) (*service.UsageLog, e
 	if billingMode.Valid {
 		log.BillingMode = &billingMode.String
 	}
+	if accountStatsCost.Valid {
+		log.AccountStatsCost = &accountStatsCost.Float64
+	}
 
 	return log, nil
 }
diff --git a/backend/internal/repository/usage_log_repo_request_type_test.go b/backend/internal/repository/usage_log_repo_request_type_test.go
index b9cb6a13..acdd6e62 100644
--- a/backend/internal/repository/usage_log_repo_request_type_test.go
+++ b/backend/internal/repository/usage_log_repo_request_type_test.go
@@ -85,6 +85,7 @@ func TestUsageLogRepositoryCreateSyncRequestTypeAndLegacyFields(t *testing.T) {
 			sqlmock.AnyArg(), // model_mapping_chain
 			sqlmock.AnyArg(), // billing_tier
 			sqlmock.AnyArg(), // billing_mode
+			sqlmock.AnyArg(), // account_stats_cost
 			createdAt,
 		).
 		WillReturnRows(sqlmock.NewRows([]string{"id", "created_at"}).AddRow(int64(99), createdAt))
@@ -163,6 +164,7 @@ func TestUsageLogRepositoryCreate_PersistsServiceTier(t *testing.T) {
 			sqlmock.AnyArg(), // model_mapping_chain
 			sqlmock.AnyArg(), // billing_tier
 			sqlmock.AnyArg(), // billing_mode
+			sqlmock.AnyArg(), // account_stats_cost
 			createdAt,
 		).
 		WillReturnRows(sqlmock.NewRows([]string{"id", "created_at"}).AddRow(int64(100), createdAt))
@@ -483,10 +485,11 @@ func TestScanUsageLogRequestTypeAndLegacyFallback(t *testing.T) {
 			sql.NullString{},
 			sql.NullString{},
 			false,
-			sql.NullInt64{},  // channel_id
-			sql.NullString{}, // model_mapping_chain
-			sql.NullString{}, // billing_tier
-			sql.NullString{}, // billing_mode
+			sql.NullInt64{},   // channel_id
+			sql.NullString{},  // model_mapping_chain
+			sql.NullString{},  // billing_tier
+			sql.NullString{},  // billing_mode
+			sql.NullFloat64{}, // account_stats_cost
 			now,
 		}})
 		require.NoError(t, err)
@@ -530,10 +533,11 @@ func TestScanUsageLogRequestTypeAndLegacyFallback(t *testing.T) {
 			sql.NullString{},
 			sql.NullString{},
 			false,
-			sql.NullInt64{},  // channel_id
-			sql.NullString{}, // model_mapping_chain
-			sql.NullString{}, // billing_tier
-			sql.NullString{}, // billing_mode
+			sql.NullInt64{},   // channel_id
+			sql.NullString{},  // model_mapping_chain
+			sql.NullString{},  // billing_tier
+			sql.NullString{},  // billing_mode
+			sql.NullFloat64{}, // account_stats_cost
 			now,
 		}})
 		require.NoError(t, err)
@@ -577,10 +581,11 @@ func TestScanUsageLogRequestTypeAndLegacyFallback(t *testing.T) {
 			sql.NullString{},
 			sql.NullString{},
 			false,
-			sql.NullInt64{},  // channel_id
-			sql.NullString{}, // model_mapping_chain
-			sql.NullString{}, // billing_tier
-			sql.NullString{}, // billing_mode
+			sql.NullInt64{},   // channel_id
+			sql.NullString{},  // model_mapping_chain
+			sql.NullString{},  // billing_tier
+			sql.NullString{},  // billing_mode
+			sql.NullFloat64{}, // account_stats_cost
 			now,
 		}})
 		require.NoError(t, err)
diff --git a/backend/internal/service/account_stats_pricing.go b/backend/internal/service/account_stats_pricing.go
new file mode 100644
index 00000000..86f98a12
--- /dev/null
+++ b/backend/internal/service/account_stats_pricing.go
@@ -0,0 +1,192 @@
+package service
+
+import (
+	"context"
+	"sort"
+	"strings"
+)
+
+// resolveAccountStatsCost 计算账号统计定价费用。
+// 返回 nil 表示不覆盖，使用默认公式（total_cost × account_rate_multiplier）。
+//
+// 匹配优先级（先命中为准）：
+//  1. 自定义规则（AccountStatsPricingRules，按数组顺序遍历）
+//  2. 渠道已有的模型定价（ApplyPricingToAccountStats 开启时）
+//  3. nil → 走默认公式
+func resolveAccountStatsCost(
+	ctx context.Context,
+	channelService *ChannelService,
+	billingService *BillingService,
+	accountID int64,
+	groupID int64,
+	billingModel string,
+	tokens UsageTokens,
+	requestCount int,
+	serviceTier string,
+) *float64 {
+	if channelService == nil || billingService == nil {
+		return nil
+	}
+	channel, err := channelService.GetChannelForGroup(ctx, groupID)
+	if err != nil || channel == nil || !channel.ApplyPricingToAccountStats {
+		return nil
+	}
+
+	platform := channelService.GetGroupPlatform(ctx, groupID)
+	modelLower := strings.ToLower(billingModel)
+
+	// 优先级 1：自定义规则
+	if cost := tryCustomRules(channel, accountID, groupID, platform, modelLower, tokens, requestCount); cost != nil {
+		return cost
+	}
+
+	// 优先级 2：渠道已有模型定价
+	return tryChannelPricing(ctx, channelService, groupID, billingModel, tokens, requestCount)
+}
+
+// tryCustomRules 遍历自定义规则，按数组顺序先命中为准。
+func tryCustomRules(
+	channel *Channel, accountID, groupID int64,
+	platform, modelLower string, tokens UsageTokens, requestCount int,
+) *float64 {
+	for _, rule := range channel.AccountStatsPricingRules {
+		if !matchAccountStatsRule(&rule, accountID, groupID) {
+			continue
+		}
+		pricing := findPricingForModel(rule.Pricing, platform, modelLower)
+		if pricing == nil {
+			continue // 规则匹配但模型不在规则定价中，继续下一条
+		}
+		return calculateStatsCost(pricing, tokens, requestCount)
+	}
+	return nil
+}
+
+// tryChannelPricing 使用渠道已有的模型定价计算账号统计费用。
+func tryChannelPricing(
+	ctx context.Context, channelService *ChannelService,
+	groupID int64, billingModel string, tokens UsageTokens, requestCount int,
+) *float64 {
+	pricing := channelService.GetChannelModelPricing(ctx, groupID, billingModel)
+	if pricing == nil {
+		return nil
+	}
+	return calculateStatsCost(pricing, tokens, requestCount)
+}
+
+// matchAccountStatsRule 检查规则是否匹配指定的 accountID 和 groupID。
+// 匹配条件：accountID ∈ rule.AccountIDs 或 groupID ∈ rule.GroupIDs。
+// 如果规则的 AccountIDs 和 GroupIDs 都为空，视为不匹配。
+func matchAccountStatsRule(rule *AccountStatsPricingRule, accountID, groupID int64) bool {
+	if len(rule.AccountIDs) == 0 && len(rule.GroupIDs) == 0 {
+		return false
+	}
+	for _, id := range rule.AccountIDs {
+		if id == accountID {
+			return true
+		}
+	}
+	for _, id := range rule.GroupIDs {
+		if id == groupID {
+			return true
+		}
+	}
+	return false
+}
+
+// wildcardMatch 通配符匹配候选项（用于排序）
+type wildcardMatch struct {
+	prefixLen int
+	pricing   *ChannelModelPricing
+}
+
+// findPricingForModel 在定价列表中查找匹配的模型定价。
+// 先精确匹配，再通配符匹配（前缀越长优先级越高）。
+func findPricingForModel(pricingList []ChannelModelPricing, platform, modelLower string) *ChannelModelPricing {
+	// 精确匹配优先
+	for i := range pricingList {
+		p := &pricingList[i]
+		if !isPlatformMatch(platform, p.Platform) {
+			continue
+		}
+		for _, m := range p.Models {
+			if strings.ToLower(m) == modelLower {
+				return p
+			}
+		}
+	}
+	// 通配符匹配：收集所有匹配项，按前缀长度降序取最长
+	var matches []wildcardMatch
+	for i := range pricingList {
+		p := &pricingList[i]
+		if !isPlatformMatch(platform, p.Platform) {
+			continue
+		}
+		for _, m := range p.Models {
+			ml := strings.ToLower(m)
+			if !strings.HasSuffix(ml, "*") {
+				continue
+			}
+			prefix := strings.TrimSuffix(ml, "*")
+			if strings.HasPrefix(modelLower, prefix) {
+				matches = append(matches, wildcardMatch{prefixLen: len(prefix), pricing: p})
+			}
+		}
+	}
+	if len(matches) == 0 {
+		return nil
+	}
+	sort.Slice(matches, func(i, j int) bool {
+		return matches[i].prefixLen > matches[j].prefixLen
+	})
+	return matches[0].pricing
+}
+
+// isPlatformMatch 判断平台是否匹配（空平台视为不限平台）。
+func isPlatformMatch(queryPlatform, pricingPlatform string) bool {
+	if queryPlatform == "" || pricingPlatform == "" {
+		return true
+	}
+	return queryPlatform == pricingPlatform
+}
+
+// calculateStatsCost 使用给定的定价计算费用（不含任何倍率，原始费用）。
+func calculateStatsCost(pricing *ChannelModelPricing, tokens UsageTokens, requestCount int) *float64 {
+	if pricing == nil {
+		return nil
+	}
+	switch pricing.BillingMode {
+	case BillingModePerRequest, BillingModeImage:
+		return calculatePerRequestStatsCost(pricing, requestCount)
+	default:
+		return calculateTokenStatsCost(pricing, tokens)
+	}
+}
+
+// calculatePerRequestStatsCost 按次/图片计费。
+func calculatePerRequestStatsCost(pricing *ChannelModelPricing, requestCount int) *float64 {
+	if pricing.PerRequestPrice == nil || *pricing.PerRequestPrice <= 0 {
+		return nil
+	}
+	cost := *pricing.PerRequestPrice * float64(requestCount)
+	return &cost
+}
+
+// calculateTokenStatsCost Token 计费。
+func calculateTokenStatsCost(pricing *ChannelModelPricing, tokens UsageTokens) *float64 {
+	deref := func(p *float64) float64 {
+		if p == nil {
+			return 0
+		}
+		return *p
+	}
+	cost := float64(tokens.InputTokens)*deref(pricing.InputPrice) +
+		float64(tokens.OutputTokens)*deref(pricing.OutputPrice) +
+		float64(tokens.CacheCreationTokens)*deref(pricing.CacheWritePrice) +
+		float64(tokens.CacheReadTokens)*deref(pricing.CacheReadPrice) +
+		float64(tokens.ImageOutputTokens)*deref(pricing.ImageOutputPrice)
+	if cost == 0 {
+		return nil
+	}
+	return &cost
+}
diff --git a/backend/internal/service/account_stats_pricing_test.go b/backend/internal/service/account_stats_pricing_test.go
new file mode 100644
index 00000000..bc3db251
--- /dev/null
+++ b/backend/internal/service/account_stats_pricing_test.go
@@ -0,0 +1,430 @@
+//go:build unit
+
+package service
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+// ---------------------------------------------------------------------------
+// matchAccountStatsRule
+// ---------------------------------------------------------------------------
+
+func TestMatchAccountStatsRule_BothEmpty_NoMatch(t *testing.T) {
+	rule := &AccountStatsPricingRule{}
+	require.False(t, matchAccountStatsRule(rule, 1, 10))
+}
+
+func TestMatchAccountStatsRule_AccountIDMatch(t *testing.T) {
+	rule := &AccountStatsPricingRule{AccountIDs: []int64{1, 2, 3}}
+	require.True(t, matchAccountStatsRule(rule, 2, 999))
+}
+
+func TestMatchAccountStatsRule_GroupIDMatch(t *testing.T) {
+	rule := &AccountStatsPricingRule{GroupIDs: []int64{10, 20}}
+	require.True(t, matchAccountStatsRule(rule, 999, 20))
+}
+
+func TestMatchAccountStatsRule_BothConfigured_AccountMatch(t *testing.T) {
+	rule := &AccountStatsPricingRule{
+		AccountIDs: []int64{1, 2},
+		GroupIDs:   []int64{10, 20},
+	}
+	require.True(t, matchAccountStatsRule(rule, 2, 999))
+}
+
+func TestMatchAccountStatsRule_BothConfigured_GroupMatch(t *testing.T) {
+	rule := &AccountStatsPricingRule{
+		AccountIDs: []int64{1, 2},
+		GroupIDs:   []int64{10, 20},
+	}
+	require.True(t, matchAccountStatsRule(rule, 999, 10))
+}
+
+func TestMatchAccountStatsRule_BothConfigured_NeitherMatch(t *testing.T) {
+	rule := &AccountStatsPricingRule{
+		AccountIDs: []int64{1, 2},
+		GroupIDs:   []int64{10, 20},
+	}
+	require.False(t, matchAccountStatsRule(rule, 999, 999))
+}
+
+// ---------------------------------------------------------------------------
+// findPricingForModel
+// ---------------------------------------------------------------------------
+
+func TestFindPricingForModel(t *testing.T) {
+	exactPricing := ChannelModelPricing{
+		ID:     1,
+		Models: []string{"claude-opus-4"},
+	}
+	wildcardPricing := ChannelModelPricing{
+		ID:     2,
+		Models: []string{"claude-*"},
+	}
+	platformPricing := ChannelModelPricing{
+		ID:       3,
+		Platform: "openai",
+		Models:   []string{"gpt-4o"},
+	}
+	emptyPlatformPricing := ChannelModelPricing{
+		ID:     4,
+		Models: []string{"gemini-2.5-pro"},
+	}
+
+	tests := []struct {
+		name     string
+		list     []ChannelModelPricing
+		platform string
+		model    string
+		wantID   int64
+		wantNil  bool
+	}{
+		{
+			name:     "exact match",
+			list:     []ChannelModelPricing{exactPricing},
+			platform: "anthropic",
+			model:    "claude-opus-4",
+			wantID:   1,
+		},
+		{
+			name:     "exact match case insensitive",
+			list:     []ChannelModelPricing{{ID: 5, Models: []string{"Claude-Opus-4"}}},
+			platform: "",
+			model:    "claude-opus-4",
+			wantID:   5,
+		},
+		{
+			name:     "wildcard match",
+			list:     []ChannelModelPricing{wildcardPricing},
+			platform: "anthropic",
+			model:    "claude-opus-4",
+			wantID:   2,
+		},
+		{
+			name:     "exact match takes priority over wildcard",
+			list:     []ChannelModelPricing{wildcardPricing, exactPricing},
+			platform: "anthropic",
+			model:    "claude-opus-4",
+			wantID:   1,
+		},
+		{
+			name:     "platform mismatch skipped",
+			list:     []ChannelModelPricing{platformPricing},
+			platform: "anthropic",
+			model:    "gpt-4o",
+			wantNil:  true,
+		},
+		{
+			name:     "empty platform in pricing matches any",
+			list:     []ChannelModelPricing{emptyPlatformPricing},
+			platform: "gemini",
+			model:    "gemini-2.5-pro",
+			wantID:   4,
+		},
+		{
+			name:     "empty platform in query matches any pricing platform",
+			list:     []ChannelModelPricing{platformPricing},
+			platform: "",
+			model:    "gpt-4o",
+			wantID:   3,
+		},
+		{
+			name:     "no match at all",
+			list:     []ChannelModelPricing{exactPricing, wildcardPricing},
+			platform: "anthropic",
+			model:    "gpt-4o",
+			wantNil:  true,
+		},
+		{
+			name:    "empty list returns nil",
+			list:    nil,
+			model:   "claude-opus-4",
+			wantNil: true,
+		},
+		{
+			name: "longer wildcard prefix wins over shorter",
+			list: []ChannelModelPricing{
+				{ID: 10, Models: []string{"claude-*"}},
+				{ID: 11, Models: []string{"claude-opus-*"}},
+			},
+			platform: "",
+			model:    "claude-opus-4",
+			wantID:   11, // "claude-opus-" (12 chars) > "claude-" (7 chars)
+		},
+		{
+			name: "shorter wildcard used when longer does not match",
+			list: []ChannelModelPricing{
+				{ID: 10, Models: []string{"claude-*"}},
+				{ID: 11, Models: []string{"claude-opus-*"}},
+			},
+			platform: "",
+			model:    "claude-sonnet-4",
+			wantID:   10, // only "claude-*" matches
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := findPricingForModel(tt.list, tt.platform, tt.model)
+			if tt.wantNil {
+				require.Nil(t, result)
+				return
+			}
+			require.NotNil(t, result)
+			require.Equal(t, tt.wantID, result.ID)
+		})
+	}
+}
+
+// ---------------------------------------------------------------------------
+// calculateStatsCost
+// ---------------------------------------------------------------------------
+
+func TestCalculateStatsCost_NilPricing(t *testing.T) {
+	result := calculateStatsCost(nil, UsageTokens{}, 1)
+	require.Nil(t, result)
+}
+
+func TestCalculateStatsCost_TokenBilling(t *testing.T) {
+	pricing := &ChannelModelPricing{
+		BillingMode: BillingModeToken,
+		InputPrice:  testPtrFloat64(0.001),
+		OutputPrice: testPtrFloat64(0.002),
+	}
+	tokens := UsageTokens{
+		InputTokens:  100,
+		OutputTokens: 50,
+	}
+	result := calculateStatsCost(pricing, tokens, 1)
+	require.NotNil(t, result)
+	// 100*0.001 + 50*0.002 = 0.1 + 0.1 = 0.2
+	require.InDelta(t, 0.2, *result, 1e-12)
+}
+
+func TestCalculateStatsCost_TokenBilling_WithCache(t *testing.T) {
+	pricing := &ChannelModelPricing{
+		BillingMode:     BillingModeToken,
+		InputPrice:      testPtrFloat64(0.001),
+		OutputPrice:     testPtrFloat64(0.002),
+		CacheWritePrice: testPtrFloat64(0.003),
+		CacheReadPrice:  testPtrFloat64(0.0005),
+	}
+	tokens := UsageTokens{
+		InputTokens:         100,
+		OutputTokens:        50,
+		CacheCreationTokens: 200,
+		CacheReadTokens:     300,
+	}
+	result := calculateStatsCost(pricing, tokens, 1)
+	require.NotNil(t, result)
+	// 100*0.001 + 50*0.002 + 200*0.003 + 300*0.0005
+	// = 0.1 + 0.1 + 0.6 + 0.15 = 0.95
+	require.InDelta(t, 0.95, *result, 1e-12)
+}
+
+func TestCalculateStatsCost_TokenBilling_WithImageOutput(t *testing.T) {
+	pricing := &ChannelModelPricing{
+		BillingMode:      BillingModeToken,
+		InputPrice:       testPtrFloat64(0.001),
+		OutputPrice:      testPtrFloat64(0.002),
+		ImageOutputPrice: testPtrFloat64(0.01),
+	}
+	tokens := UsageTokens{
+		InputTokens:       100,
+		OutputTokens:      50,
+		ImageOutputTokens: 10,
+	}
+	result := calculateStatsCost(pricing, tokens, 1)
+	require.NotNil(t, result)
+	// 100*0.001 + 50*0.002 + 10*0.01 = 0.1 + 0.1 + 0.1 = 0.3
+	require.InDelta(t, 0.3, *result, 1e-12)
+}
+
+func TestCalculateStatsCost_TokenBilling_PartialPricesNil(t *testing.T) {
+	pricing := &ChannelModelPricing{
+		BillingMode: BillingModeToken,
+		InputPrice:  testPtrFloat64(0.001),
+		// OutputPrice, CacheWritePrice, etc. are all nil → treated as 0
+	}
+	tokens := UsageTokens{
+		InputTokens:         100,
+		OutputTokens:        50,
+		CacheCreationTokens: 200,
+	}
+	result := calculateStatsCost(pricing, tokens, 1)
+	require.NotNil(t, result)
+	// Only input contributes: 100*0.001 = 0.1
+	require.InDelta(t, 0.1, *result, 1e-12)
+}
+
+func TestCalculateStatsCost_TokenBilling_AllTokensZero(t *testing.T) {
+	pricing := &ChannelModelPricing{
+		BillingMode: BillingModeToken,
+		InputPrice:  testPtrFloat64(0.001),
+		OutputPrice: testPtrFloat64(0.002),
+	}
+	tokens := UsageTokens{} // all zeros
+	result := calculateStatsCost(pricing, tokens, 1)
+	// totalCost == 0 → returns nil (does not override, falls back to default formula)
+	require.Nil(t, result)
+}
+
+func TestCalculateStatsCost_PerRequestBilling(t *testing.T) {
+	pricing := &ChannelModelPricing{
+		BillingMode:     BillingModePerRequest,
+		PerRequestPrice: testPtrFloat64(0.05),
+	}
+	tokens := UsageTokens{InputTokens: 999, OutputTokens: 999}
+	result := calculateStatsCost(pricing, tokens, 3)
+	require.NotNil(t, result)
+	// 0.05 * 3 = 0.15
+	require.InDelta(t, 0.15, *result, 1e-12)
+}
+
+func TestCalculateStatsCost_PerRequestBilling_PriceNil(t *testing.T) {
+	pricing := &ChannelModelPricing{
+		BillingMode: BillingModePerRequest,
+		// PerRequestPrice is nil
+	}
+	result := calculateStatsCost(pricing, UsageTokens{}, 1)
+	require.Nil(t, result)
+}
+
+func TestCalculateStatsCost_PerRequestBilling_PriceZero(t *testing.T) {
+	pricing := &ChannelModelPricing{
+		BillingMode:     BillingModePerRequest,
+		PerRequestPrice: testPtrFloat64(0),
+	}
+	result := calculateStatsCost(pricing, UsageTokens{}, 1)
+	// price == 0 → condition *pricing.PerRequestPrice > 0 is false → returns nil
+	require.Nil(t, result)
+}
+
+func TestCalculateStatsCost_ImageBilling(t *testing.T) {
+	pricing := &ChannelModelPricing{
+		BillingMode:     BillingModeImage,
+		PerRequestPrice: testPtrFloat64(0.10),
+	}
+	result := calculateStatsCost(pricing, UsageTokens{}, 2)
+	require.NotNil(t, result)
+	// 0.10 * 2 = 0.20
+	require.InDelta(t, 0.20, *result, 1e-12)
+}
+
+func TestCalculateStatsCost_ImageBilling_PriceNil(t *testing.T) {
+	pricing := &ChannelModelPricing{
+		BillingMode: BillingModeImage,
+		// PerRequestPrice is nil
+	}
+	result := calculateStatsCost(pricing, UsageTokens{}, 1)
+	require.Nil(t, result)
+}
+
+func TestCalculateStatsCost_DefaultBillingMode_FallsToToken(t *testing.T) {
+	// BillingMode is empty string (default) → falls into token billing
+	pricing := &ChannelModelPricing{
+		InputPrice:  testPtrFloat64(0.001),
+		OutputPrice: testPtrFloat64(0.002),
+	}
+	tokens := UsageTokens{
+		InputTokens:  100,
+		OutputTokens: 50,
+	}
+	result := calculateStatsCost(pricing, tokens, 1)
+	require.NotNil(t, result)
+	require.InDelta(t, 0.2, *result, 1e-12)
+}
+
+// ---------------------------------------------------------------------------
+// tryCustomRules — 多规则顺序测试
+// ---------------------------------------------------------------------------
+
+func TestTryCustomRules_FirstMatchWins(t *testing.T) {
+	channel := &Channel{
+		AccountStatsPricingRules: []AccountStatsPricingRule{
+			{
+				GroupIDs: []int64{1},
+				Pricing: []ChannelModelPricing{
+					{ID: 100, Models: []string{"claude-opus-4"}, InputPrice: testPtrFloat64(0.01), OutputPrice: testPtrFloat64(0.02)},
+				},
+			},
+			{
+				GroupIDs: []int64{1},
+				Pricing: []ChannelModelPricing{
+					{ID: 200, Models: []string{"claude-opus-4"}, InputPrice: testPtrFloat64(0.99), OutputPrice: testPtrFloat64(0.99)},
+				},
+			},
+		},
+	}
+	tokens := UsageTokens{InputTokens: 100, OutputTokens: 50}
+	result := tryCustomRules(channel, 999, 1, "", "claude-opus-4", tokens, 1)
+	require.NotNil(t, result)
+	// 应使用第一条规则的价格：100*0.01 + 50*0.02 = 2.0
+	require.InDelta(t, 2.0, *result, 1e-12)
+}
+
+func TestTryCustomRules_SkipsNonMatchingRules(t *testing.T) {
+	channel := &Channel{
+		AccountStatsPricingRules: []AccountStatsPricingRule{
+			{
+				AccountIDs: []int64{888}, // 不匹配
+				Pricing: []ChannelModelPricing{
+					{ID: 100, Models: []string{"claude-opus-4"}, InputPrice: testPtrFloat64(0.99)},
+				},
+			},
+			{
+				GroupIDs: []int64{1}, // 匹配
+				Pricing: []ChannelModelPricing{
+					{ID: 200, Models: []string{"claude-opus-4"}, InputPrice: testPtrFloat64(0.05)},
+				},
+			},
+		},
+	}
+	tokens := UsageTokens{InputTokens: 100}
+	result := tryCustomRules(channel, 999, 1, "", "claude-opus-4", tokens, 1)
+	require.NotNil(t, result)
+	// 跳过规则1（账号不匹配），使用规则2：100*0.05 = 5.0
+	require.InDelta(t, 5.0, *result, 1e-12)
+}
+
+func TestTryCustomRules_NoMatch_ReturnsNil(t *testing.T) {
+	channel := &Channel{
+		AccountStatsPricingRules: []AccountStatsPricingRule{
+			{
+				AccountIDs: []int64{888},
+				Pricing: []ChannelModelPricing{
+					{ID: 100, Models: []string{"claude-opus-4"}, InputPrice: testPtrFloat64(0.01)},
+				},
+			},
+		},
+	}
+	tokens := UsageTokens{InputTokens: 100}
+	result := tryCustomRules(channel, 999, 2, "", "claude-opus-4", tokens, 1)
+	require.Nil(t, result) // 账号和分组都不匹配
+}
+
+func TestTryCustomRules_RuleMatchesButModelNot_ContinuesToNext(t *testing.T) {
+	channel := &Channel{
+		AccountStatsPricingRules: []AccountStatsPricingRule{
+			{
+				GroupIDs: []int64{1},
+				Pricing: []ChannelModelPricing{
+					{ID: 100, Models: []string{"gpt-4o"}, InputPrice: testPtrFloat64(0.01)}, // 模型不匹配
+				},
+			},
+			{
+				GroupIDs: []int64{1},
+				Pricing: []ChannelModelPricing{
+					{ID: 200, Models: []string{"claude-opus-4"}, InputPrice: testPtrFloat64(0.05)}, // 模型匹配
+				},
+			},
+		},
+	}
+	tokens := UsageTokens{InputTokens: 100}
+	result := tryCustomRules(channel, 999, 1, "", "claude-opus-4", tokens, 1)
+	require.NotNil(t, result)
+	require.InDelta(t, 5.0, *result, 1e-12) // 使用规则2
+}
diff --git a/backend/internal/service/channel.go b/backend/internal/service/channel.go
index baf5c839..3867f2a0 100644
--- a/backend/internal/service/channel.go
+++ b/backend/internal/service/channel.go
@@ -49,21 +49,25 @@ type Channel struct {
 	ModelPricing []ChannelModelPricing
 	// 渠道级模型映射（按平台分组：platform → {src→dst}）
 	ModelMapping map[string]map[string]string
-	// 渠道特性配置（如 {"web_search_emulation": {"anthropic": true}}）
-	FeaturesConfig map[string]any
+
+	// 账号统计定价
+	ApplyPricingToAccountStats bool                      // 是否应用渠道模型定价到账号统计
+	AccountStatsPricingRules   []AccountStatsPricingRule // 自定义账号统计定价规则（按 SortOrder 排序，先命中为准）
 }
 
-// IsWebSearchEmulationEnabled 返回该渠道是否为指定平台启用了 web search 模拟。
-func (c *Channel) IsWebSearchEmulationEnabled(platform string) bool {
-	if c == nil || c.FeaturesConfig == nil {
-		return false
-	}
-	wse, ok := c.FeaturesConfig[featureKeyWebSearchEmulation].(map[string]any)
-	if !ok {
-		return false
-	}
-	enabled, ok := wse[platform].(bool)
-	return ok && enabled
+// AccountStatsPricingRule 账号统计定价规则
+// 每条规则包含匹配条件（分组/账号）和独立的模型定价。
+// 多条规则按 SortOrder 排序，先命中为准。
+type AccountStatsPricingRule struct {
+	ID         int64
+	ChannelID  int64
+	Name       string
+	GroupIDs   []int64
+	AccountIDs []int64
+	SortOrder  int
+	Pricing    []ChannelModelPricing // 规则内的模型定价（复用现有定价结构）
+	CreatedAt  time.Time
+	UpdatedAt  time.Time
 }
 
 // ChannelModelPricing 渠道模型定价条目
@@ -192,6 +196,26 @@ func (c *Channel) Clone() *Channel {
 			cp.ModelMapping[platform] = inner
 		}
 	}
+	if c.AccountStatsPricingRules != nil {
+		cp.AccountStatsPricingRules = make([]AccountStatsPricingRule, len(c.AccountStatsPricingRules))
+		for i, rule := range c.AccountStatsPricingRules {
+			cp.AccountStatsPricingRules[i] = rule
+			if rule.GroupIDs != nil {
+				cp.AccountStatsPricingRules[i].GroupIDs = make([]int64, len(rule.GroupIDs))
+				copy(cp.AccountStatsPricingRules[i].GroupIDs, rule.GroupIDs)
+			}
+			if rule.AccountIDs != nil {
+				cp.AccountStatsPricingRules[i].AccountIDs = make([]int64, len(rule.AccountIDs))
+				copy(cp.AccountStatsPricingRules[i].AccountIDs, rule.AccountIDs)
+			}
+			if rule.Pricing != nil {
+				cp.AccountStatsPricingRules[i].Pricing = make([]ChannelModelPricing, len(rule.Pricing))
+				for j := range rule.Pricing {
+					cp.AccountStatsPricingRules[i].Pricing[j] = rule.Pricing[j].Clone()
+				}
+			}
+		}
+	}
 	return &cp
 }
 
diff --git a/backend/internal/service/channel_service.go b/backend/internal/service/channel_service.go
index 7b28662b..d0698f0f 100644
--- a/backend/internal/service/channel_service.go
+++ b/backend/internal/service/channel_service.go
@@ -416,6 +416,15 @@ func (s *ChannelService) GetChannelForGroup(ctx context.Context, groupID int64)
 	return ch.Clone(), nil
 }
 
+// GetGroupPlatform 获取分组的平台标识（从缓存）
+func (s *ChannelService) GetGroupPlatform(ctx context.Context, groupID int64) string {
+	cache, err := s.loadCache(ctx)
+	if err != nil {
+		return ""
+	}
+	return cache.groupPlatform[groupID]
+}
+
 // channelLookup 热路径公共查找结果
 type channelLookup struct {
 	cache    *channelCache
@@ -656,16 +665,17 @@ func (s *ChannelService) Create(ctx context.Context, input *CreateChannelInput)
 	}
 
 	channel := &Channel{
-		Name:               input.Name,
-		Description:        input.Description,
-		Status:             StatusActive,
-		BillingModelSource: input.BillingModelSource,
-		RestrictModels:     input.RestrictModels,
-		GroupIDs:           input.GroupIDs,
-		ModelPricing:       input.ModelPricing,
-		ModelMapping:       input.ModelMapping,
-		Features:           input.Features,
-		FeaturesConfig:     input.FeaturesConfig,
+		Name:                       input.Name,
+		Description:                input.Description,
+		Status:                     StatusActive,
+		BillingModelSource:         input.BillingModelSource,
+		RestrictModels:             input.RestrictModels,
+		GroupIDs:                   input.GroupIDs,
+		ModelPricing:               input.ModelPricing,
+		ModelMapping:               input.ModelMapping,
+		Features:                   input.Features,
+		ApplyPricingToAccountStats: input.ApplyPricingToAccountStats,
+		AccountStatsPricingRules:   input.AccountStatsPricingRules,
 	}
 	if channel.BillingModelSource == "" {
 		channel.BillingModelSource = BillingModelSourceChannelMapped
@@ -754,8 +764,11 @@ func (s *ChannelService) applyUpdateInput(ctx context.Context, channel *Channel,
 	if input.BillingModelSource != "" {
 		channel.BillingModelSource = input.BillingModelSource
 	}
-	if input.FeaturesConfig != nil {
-		channel.FeaturesConfig = input.FeaturesConfig
+	if input.ApplyPricingToAccountStats != nil {
+		channel.ApplyPricingToAccountStats = *input.ApplyPricingToAccountStats
+	}
+	if input.AccountStatsPricingRules != nil {
+		channel.AccountStatsPricingRules = *input.AccountStatsPricingRules
 	}
 	return nil
 }
@@ -922,27 +935,29 @@ func detectConflicts(entries []modelEntry, platform, errCode, label string) erro
 
 // CreateChannelInput 创建渠道输入
 type CreateChannelInput struct {
-	Name               string
-	Description        string
-	GroupIDs           []int64
-	ModelPricing       []ChannelModelPricing
-	ModelMapping       map[string]map[string]string // platform → {src→dst}
-	BillingModelSource string
-	RestrictModels     bool
-	Features           string
-	FeaturesConfig     map[string]any
+	Name                       string
+	Description                string
+	GroupIDs                   []int64
+	ModelPricing               []ChannelModelPricing
+	ModelMapping               map[string]map[string]string // platform → {src→dst}
+	BillingModelSource         string
+	RestrictModels             bool
+	Features                   string
+	ApplyPricingToAccountStats bool
+	AccountStatsPricingRules   []AccountStatsPricingRule
 }
 
 // UpdateChannelInput 更新渠道输入
 type UpdateChannelInput struct {
-	Name               string
-	Description        *string
-	Status             string
-	GroupIDs           *[]int64
-	ModelPricing       *[]ChannelModelPricing
-	ModelMapping       map[string]map[string]string // platform → {src→dst}
-	BillingModelSource string
-	RestrictModels     *bool
-	Features           *string
-	FeaturesConfig     map[string]any
+	Name                       string
+	Description                *string
+	Status                     string
+	GroupIDs                   *[]int64
+	ModelPricing               *[]ChannelModelPricing
+	ModelMapping               map[string]map[string]string // platform → {src→dst}
+	BillingModelSource         string
+	RestrictModels             *bool
+	Features                   *string
+	ApplyPricingToAccountStats *bool
+	AccountStatsPricingRules   *[]AccountStatsPricingRule
 }
diff --git a/backend/internal/service/gateway_service.go b/backend/internal/service/gateway_service.go
index 77e9b8c8..1d6d0a08 100644
--- a/backend/internal/service/gateway_service.go
+++ b/backend/internal/service/gateway_service.go
@@ -7559,6 +7559,23 @@ func (s *GatewayService) recordUsageCore(ctx context.Context, input *recordUsage
 	usageLog := s.buildRecordUsageLog(ctx, input, result, apiKey, user, account, subscription,
 		requestedModel, multiplier, accountRateMultiplier, billingType, cacheTTLOverridden, cost, opts)
 
+	// 计算账号统计定价费用
+	if apiKey.GroupID != nil {
+		usageLog.AccountStatsCost = resolveAccountStatsCost(
+			ctx, s.channelService, s.billingService,
+			account.ID, *apiKey.GroupID, billingModel,
+			UsageTokens{
+				InputTokens:         result.Usage.InputTokens,
+				OutputTokens:        result.Usage.OutputTokens,
+				CacheCreationTokens: result.Usage.CacheCreationInputTokens,
+				CacheReadTokens:     result.Usage.CacheReadInputTokens,
+				ImageOutputTokens:   result.Usage.ImageOutputTokens,
+			},
+			1,  // requestCount
+			"", // serviceTier: Anthropic 平台不使用 service tier
+		)
+	}
+
 	if s.cfg != nil && s.cfg.RunMode == config.RunModeSimple {
 		writeUsageLogBestEffort(ctx, s.usageLogRepo, usageLog, "service.gateway")
 		logger.LegacyPrintf("service.gateway", "[SIMPLE MODE] Usage recorded (not billed): user=%d, tokens=%d", usageLog.UserID, usageLog.TotalTokens())
diff --git a/backend/internal/service/openai_gateway_service.go b/backend/internal/service/openai_gateway_service.go
index dbc53869..3daa8756 100644
--- a/backend/internal/service/openai_gateway_service.go
+++ b/backend/internal/service/openai_gateway_service.go
@@ -4569,6 +4569,15 @@ func (s *OpenAIGatewayService) RecordUsage(ctx context.Context, input *OpenAIRec
 		usageLog.SubscriptionID = &subscription.ID
 	}
 
+	// 计算账号统计定价费用
+	if apiKey.GroupID != nil {
+		usageLog.AccountStatsCost = resolveAccountStatsCost(
+			ctx, s.channelService, s.billingService,
+			account.ID, *apiKey.GroupID, billingModel,
+			tokens, 1, serviceTier,
+		)
+	}
+
 	if s.cfg != nil && s.cfg.RunMode == config.RunModeSimple {
 		writeUsageLogBestEffort(ctx, s.usageLogRepo, usageLog, "service.openai_gateway")
 		logger.LegacyPrintf("service.openai_gateway", "[SIMPLE MODE] Usage recorded (not billed): user=%d, tokens=%d", usageLog.UserID, usageLog.TotalTokens())
diff --git a/backend/internal/service/usage_log.go b/backend/internal/service/usage_log.go
index 3218f3db..e29d282e 100644
--- a/backend/internal/service/usage_log.go
+++ b/backend/internal/service/usage_log.go
@@ -146,6 +146,8 @@ type UsageLog struct {
 	RateMultiplier    float64
 	// AccountRateMultiplier 账号计费倍率快照（nil 表示历史数据，按 1.0 处理）
 	AccountRateMultiplier *float64
+	// AccountStatsCost 账号统计定价预计算费用（nil = 使用默认公式 total_cost × account_rate_multiplier）
+	AccountStatsCost *float64
 
 	BillingType  int8
 	RequestType  RequestType
diff --git a/backend/migrations/101_add_account_stats_pricing.sql b/backend/migrations/101_add_account_stats_pricing.sql
new file mode 100644
index 00000000..a61d0c26
--- /dev/null
+++ b/backend/migrations/101_add_account_stats_pricing.sql
@@ -0,0 +1,38 @@
+-- Account statistics pricing: allow channels to configure custom pricing for account cost tracking.
+
+-- 1. Channel-level toggle
+ALTER TABLE channels ADD COLUMN IF NOT EXISTS apply_pricing_to_account_stats BOOLEAN NOT NULL DEFAULT FALSE;
+
+-- 2. Account stats pricing rules (ordered list per channel)
+CREATE TABLE IF NOT EXISTS channel_account_stats_pricing_rules (
+    id BIGSERIAL PRIMARY KEY,
+    channel_id BIGINT NOT NULL REFERENCES channels(id) ON DELETE CASCADE,
+    name VARCHAR(100) NOT NULL DEFAULT '',
+    group_ids BIGINT[] NOT NULL DEFAULT '{}',
+    account_ids BIGINT[] NOT NULL DEFAULT '{}',
+    sort_order INT NOT NULL DEFAULT 0,
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+CREATE INDEX IF NOT EXISTS idx_cas_pricing_rules_channel_id ON channel_account_stats_pricing_rules(channel_id);
+
+-- 3. Model pricing for each rule (same structure as channel_model_pricing)
+CREATE TABLE IF NOT EXISTS channel_account_stats_model_pricing (
+    id BIGSERIAL PRIMARY KEY,
+    rule_id BIGINT NOT NULL REFERENCES channel_account_stats_pricing_rules(id) ON DELETE CASCADE,
+    platform VARCHAR(50) NOT NULL DEFAULT '',
+    models JSONB NOT NULL DEFAULT '[]',
+    billing_mode VARCHAR(20) NOT NULL DEFAULT 'token',
+    input_price NUMERIC(20,10),
+    output_price NUMERIC(20,10),
+    cache_write_price NUMERIC(20,10),
+    cache_read_price NUMERIC(20,10),
+    image_output_price NUMERIC(20,10),
+    per_request_price NUMERIC(20,10),
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+CREATE INDEX IF NOT EXISTS idx_cas_model_pricing_rule_id ON channel_account_stats_model_pricing(rule_id);
+
+-- 4. Usage logs: pre-computed account stats cost (NULL = use default formula)
+ALTER TABLE usage_logs ADD COLUMN IF NOT EXISTS account_stats_cost NUMERIC(20,10);
diff --git a/frontend/src/api/admin/channels.ts b/frontend/src/api/admin/channels.ts
index d49982aa..a13eb3e1 100644
--- a/frontend/src/api/admin/channels.ts
+++ b/frontend/src/api/admin/channels.ts
@@ -34,6 +34,14 @@ export interface ChannelModelPricing {
   intervals: PricingInterval[]
 }
 
+export interface AccountStatsPricingRule {
+  id?: number
+  name: string
+  group_ids: number[]
+  account_ids: number[]
+  pricing: ChannelModelPricing[]
+}
+
 export interface Channel {
   id: number
   name: string
@@ -41,10 +49,11 @@ export interface Channel {
   status: string
   billing_model_source: string // "requested" | "upstream"
   restrict_models: boolean
-  features_config?: Record<string, unknown>
   group_ids: number[]
   model_pricing: ChannelModelPricing[]
   model_mapping: Record<string, Record<string, string>> // platform → {src→dst}
+  apply_pricing_to_account_stats: boolean
+  account_stats_pricing_rules: AccountStatsPricingRule[]
   created_at: string
   updated_at: string
 }
@@ -57,7 +66,8 @@ export interface CreateChannelRequest {
   model_mapping?: Record<string, Record<string, string>>
   billing_model_source?: string
   restrict_models?: boolean
-  features_config?: Record<string, unknown>
+  apply_pricing_to_account_stats?: boolean
+  account_stats_pricing_rules?: AccountStatsPricingRule[]
 }
 
 export interface UpdateChannelRequest {
@@ -69,7 +79,8 @@ export interface UpdateChannelRequest {
   model_mapping?: Record<string, Record<string, string>>
   billing_model_source?: string
   restrict_models?: boolean
-  features_config?: Record<string, unknown>
+  apply_pricing_to_account_stats?: boolean
+  account_stats_pricing_rules?: AccountStatsPricingRule[]
 }
 
 interface PaginatedResponse<T> {
diff --git a/frontend/src/i18n/locales/en.ts b/frontend/src/i18n/locales/en.ts
index 99f8d535..dd45ea17 100644
--- a/frontend/src/i18n/locales/en.ts
+++ b/frontend/src/i18n/locales/en.ts
@@ -1844,7 +1844,18 @@ export default {
         noPlatforms: 'Click "Add Platform" to start configuring the channel',
         mappingCount: 'mappings',
         pricingEntry: 'Pricing Entry',
-        noModels: 'No models added'
+        noModels: 'No models added',
+        applyPricingToAccountStats: 'Apply Pricing to Account Stats',
+        applyPricingToAccountStatsDesc: 'When enabled, account statistics cost will use channel model pricing. Account rate multiplier still applies.',
+        accountStatsPricingRules: 'Custom Account Stats Pricing Rules',
+        addRule: 'Add Rule',
+        noRulesConfigured: 'No custom rules configured. Channel model pricing above will be used.',
+        ruleName: 'Rule name (optional)',
+        ruleGroups: 'Groups',
+        ruleAccounts: 'Account IDs',
+        ruleAccountsPlaceholder: 'Enter account IDs, comma-separated',
+        ruleModelPricing: 'Model Pricing',
+        noGroupsInChannel: 'No groups selected in platform tabs above'
       }
     },
 
diff --git a/frontend/src/i18n/locales/zh.ts b/frontend/src/i18n/locales/zh.ts
index 7ef7ead0..bbfc7971 100644
--- a/frontend/src/i18n/locales/zh.ts
+++ b/frontend/src/i18n/locales/zh.ts
@@ -1923,7 +1923,18 @@ export default {
         noPlatforms: '点击"添加平台"开始配置渠道',
         mappingCount: '条映射',
         pricingEntry: '定价配置',
-        noModels: '未添加模型'
+        noModels: '未添加模型',
+        applyPricingToAccountStats: '应用模型定价到账号统计',
+        applyPricingToAccountStatsDesc: '启用后，账号统计费用将使用渠道模型定价计算。账号自身的统计倍率仍然生效。',
+        accountStatsPricingRules: '自定义账号统计定价规则',
+        addRule: '添加规则',
+        noRulesConfigured: '未配置自定义规则，将使用上方的模型定价。',
+        ruleName: '规则名称（可选）',
+        ruleGroups: '分组',
+        ruleAccounts: '账号 ID',
+        ruleAccountsPlaceholder: '输入账号 ID，逗号分隔',
+        ruleModelPricing: '模型定价',
+        noGroupsInChannel: '上方平台标签页中未选择分组'
       }
     },
 
diff --git a/frontend/src/views/admin/ChannelsView.vue b/frontend/src/views/admin/ChannelsView.vue
index ce8d3c9c..a49e1694 100644
--- a/frontend/src/views/admin/ChannelsView.vue
+++ b/frontend/src/views/admin/ChannelsView.vue
@@ -306,24 +306,6 @@
               </div>
             </div>
 
-            <!-- Web Search Emulation (Anthropic only) -->
-            <div v-if="section.platform === 'anthropic'" class="border-t border-gray-200 pt-3 dark:border-dark-600">
-              <div class="flex items-center justify-between">
-                <div>
-                  <label class="text-xs font-medium text-orange-600 dark:text-orange-400">
-                    {{ t('admin.channels.form.webSearchEmulation') }}
-                  </label>
-                  <p v-if="webSearchGlobalEnabled" class="mt-0.5 text-[11px] text-amber-500 dark:text-amber-400">
-                    {{ t('admin.channels.form.webSearchEmulationHint') }}
-                  </p>
-                  <p v-else class="mt-0.5 text-[11px] text-gray-400">
-                    {{ t('admin.channels.form.webSearchEmulationGlobalDisabled') }}
-                  </p>
-                </div>
-                <Toggle v-model="section.web_search_emulation" :disabled="!webSearchGlobalEnabled" />
-              </div>
-            </div>
-
             <!-- Model Mapping -->
             <div>
               <div class="mb-1 flex items-center justify-between">
@@ -398,6 +380,143 @@
               </div>
             </div>
           </div>
+
+          <!-- Account Stats Pricing (always visible, not tied to platform tabs) -->
+          <div class="mt-6 border-t border-gray-200 pt-4 dark:border-dark-700">
+            <!-- Toggle -->
+            <div class="flex items-center justify-between mb-3">
+              <div>
+                <label class="text-sm font-medium text-gray-700 dark:text-gray-300">
+                  {{ t('admin.channels.form.applyPricingToAccountStats', 'Apply Pricing to Account Stats') }}
+                </label>
+                <p class="mt-0.5 text-xs text-gray-500 dark:text-gray-400">
+                  {{ t('admin.channels.form.applyPricingToAccountStatsDesc', 'When enabled, account statistics cost will use channel model pricing. Account rate multiplier still applies.') }}
+                </p>
+              </div>
+              <Toggle
+                :modelValue="form.apply_pricing_to_account_stats"
+                @update:modelValue="form.apply_pricing_to_account_stats = $event"
+              />
+            </div>
+
+            <!-- Custom rules (only when toggle is on) -->
+            <div v-if="form.apply_pricing_to_account_stats" class="mt-4 space-y-4">
+              <div class="flex items-center justify-between">
+                <h4 class="text-sm font-medium text-gray-700 dark:text-gray-300">
+                  {{ t('admin.channels.form.accountStatsPricingRules', 'Custom Account Stats Pricing Rules') }}
+                </h4>
+                <button
+                  type="button"
+                  @click="addAccountStatsRule()"
+                  class="rounded-lg border border-primary-300 px-3 py-1 text-xs font-medium text-primary-600 hover:bg-primary-50 dark:border-primary-600 dark:text-primary-400 dark:hover:bg-primary-900/20"
+                >
+                  + {{ t('admin.channels.form.addRule', 'Add Rule') }}
+                </button>
+              </div>
+
+              <p
+                v-if="form.account_stats_pricing_rules.length === 0"
+                class="text-xs italic text-gray-400 dark:text-gray-500"
+              >
+                {{ t('admin.channels.form.noRulesConfigured', 'No custom rules configured. Channel model pricing above will be used.') }}
+              </p>
+
+              <!-- Rule cards -->
+              <div
+                v-for="(rule, ruleIndex) in form.account_stats_pricing_rules"
+                :key="ruleIndex"
+                class="space-y-3 rounded-lg border border-gray-200 p-4 dark:border-dark-600"
+              >
+                <div class="flex items-center justify-between">
+                  <input
+                    v-model="rule.name"
+                    :placeholder="t('admin.channels.form.ruleName', 'Rule name (optional)')"
+                    class="bg-transparent text-sm font-medium text-gray-700 placeholder-gray-400 outline-none dark:text-gray-300"
+                  />
+                  <button
+                    type="button"
+                    @click="removeAccountStatsRule(ruleIndex)"
+                    class="text-xs text-red-500 hover:text-red-700"
+                  >
+                    {{ t('common.delete', 'Delete') }}
+                  </button>
+                </div>
+
+                <!-- Group selection (multi-select from channel's groups) -->
+                <div>
+                  <label class="text-xs text-gray-500 dark:text-gray-400">
+                    {{ t('admin.channels.form.ruleGroups', 'Groups') }}
+                  </label>
+                  <div class="mt-1 flex flex-wrap gap-1">
+                    <label
+                      v-for="gid in allFormGroupIds"
+                      :key="gid"
+                      class="inline-flex cursor-pointer items-center gap-1 rounded-md border px-2 py-1 text-xs transition-colors"
+                      :class="rule.group_ids.includes(gid)
+                        ? 'border-primary-300 bg-primary-50 dark:border-primary-700 dark:bg-primary-900/20'
+                        : 'border-gray-200 hover:bg-gray-50 dark:border-dark-600 dark:hover:bg-dark-700'"
+                    >
+                      <input
+                        type="checkbox"
+                        :checked="rule.group_ids.includes(gid)"
+                        class="h-3 w-3 rounded border-gray-300 text-primary-600 focus:ring-primary-500"
+                        @change="rule.group_ids.includes(gid) ? rule.group_ids.splice(rule.group_ids.indexOf(gid), 1) : rule.group_ids.push(gid)"
+                      />
+                      <span>{{ getGroupNameById(gid) }}</span>
+                    </label>
+                  </div>
+                  <p v-if="allFormGroupIds.length === 0" class="mt-1 text-xs text-gray-400">
+                    {{ t('admin.channels.form.noGroupsInChannel', 'No groups selected in platform tabs above') }}
+                  </p>
+                </div>
+
+                <!-- Account IDs input -->
+                <div>
+                  <label class="text-xs text-gray-500 dark:text-gray-400">
+                    {{ t('admin.channels.form.ruleAccounts', 'Account IDs') }}
+                  </label>
+                  <input
+                    :value="rule.account_ids.join(', ')"
+                    @change="rule.account_ids = parseAccountIdsInput(($event.target as HTMLInputElement).value)"
+                    :placeholder="t('admin.channels.form.ruleAccountsPlaceholder', 'Enter account IDs, comma-separated')"
+                    class="input mt-1 text-sm"
+                  />
+                </div>
+
+                <!-- Model Pricing entries -->
+                <div>
+                  <div class="mb-1 flex items-center justify-between">
+                    <label class="text-xs text-gray-500 dark:text-gray-400">
+                      {{ t('admin.channels.form.ruleModelPricing', 'Model Pricing') }}
+                    </label>
+                    <button
+                      type="button"
+                      @click="addRulePricingEntry(ruleIndex)"
+                      class="text-xs text-primary-600 hover:text-primary-700"
+                    >
+                      + {{ t('common.add', 'Add') }}
+                    </button>
+                  </div>
+                  <div
+                    v-if="rule.pricing.length === 0"
+                    class="rounded border border-dashed border-gray-300 p-2 text-center text-xs text-gray-400 dark:border-dark-500"
+                  >
+                    {{ t('admin.channels.form.noPricingRules', 'No pricing rules yet. Click "Add" to create one.') }}
+                  </div>
+                  <div v-else class="space-y-2">
+                    <PricingEntryCard
+                      v-for="(entry, pIdx) in rule.pricing"
+                      :key="pIdx"
+                      :entry="entry"
+                      platform=""
+                      @update="rule.pricing.splice(pIdx, 1, $event)"
+                      @remove="removeRulePricingEntry(ruleIndex, pIdx)"
+                    />
+                  </div>
+                </div>
+              </div>
+            </div>
+          </div>
         </form>
       </div>
 
@@ -441,9 +560,8 @@
 import { ref, reactive, computed, onMounted, onUnmounted } from 'vue'
 import { useI18n } from 'vue-i18n'
 import { useAppStore } from '@/stores/app'
-import { extractApiErrorMessage } from '@/utils/apiError'
 import { adminAPI } from '@/api/admin'
-import type { Channel, ChannelModelPricing, CreateChannelRequest, UpdateChannelRequest } from '@/api/admin/channels'
+import type { Channel, ChannelModelPricing, CreateChannelRequest, UpdateChannelRequest, AccountStatsPricingRule } from '@/api/admin/channels'
 import type { PricingFormEntry } from '@/components/admin/channel/types'
 import { mTokToPerToken, perTokenToMTok, apiIntervalsToForm, formIntervalsToAPI, findModelConflict, validateIntervals } from '@/components/admin/channel/types'
 import type { AdminGroup, GroupPlatform } from '@/types'
@@ -465,18 +583,6 @@ import { getPersistedPageSize } from '@/composables/usePersistedPageSize'
 const { t } = useI18n()
 const appStore = useAppStore()
 
-// Web Search global enabled state (loaded once on mount)
-const webSearchGlobalEnabled = ref(false)
-async function loadWebSearchGlobalState() {
-  try {
-    const cfg = await adminAPI.settings.getWebSearchEmulationConfig()
-    webSearchGlobalEnabled.value = cfg?.enabled === true && (cfg?.providers?.length ?? 0) > 0
-  } catch (err: unknown) {
-    console.warn('Failed to load web search global state:', err)
-    webSearchGlobalEnabled.value = false
-  }
-}
-
 // ── Platform Section type ──
 interface PlatformSection {
   platform: GroupPlatform
@@ -485,7 +591,6 @@ interface PlatformSection {
   group_ids: number[]
   model_mapping: Record<string, string>
   model_pricing: PricingFormEntry[]
-  web_search_emulation: boolean
 }
 
 // ── Table columns ──
@@ -553,7 +658,14 @@ const form = reactive({
   status: 'active',
   restrict_models: false,
   billing_model_source: 'channel_mapped' as string,
-  platforms: [] as PlatformSection[]
+  platforms: [] as PlatformSection[],
+  apply_pricing_to_account_stats: false,
+  account_stats_pricing_rules: [] as Array<{
+    name: string
+    group_ids: number[]
+    account_ids: number[]
+    pricing: PricingFormEntry[]
+  }>
 })
 
 let abortController: AbortController | null = null
@@ -597,8 +709,7 @@ function addPlatformSection(platform: GroupPlatform) {
     collapsed: false,
     group_ids: [],
     model_mapping: {},
-    model_pricing: [],
-    web_search_emulation: false,
+    model_pricing: []
   })
 }
 
@@ -711,15 +822,89 @@ function renameMappingKey(sectionIdx: number, oldKey: string, newKey: string) {
   mapping[newKey] = value
 }
 
+// ── Account Stats Pricing helpers ──
+function addAccountStatsRule() {
+  form.account_stats_pricing_rules.push({
+    name: '',
+    group_ids: [],
+    account_ids: [],
+    pricing: []
+  })
+}
+
+function addRulePricingEntry(ruleIndex: number) {
+  form.account_stats_pricing_rules[ruleIndex].pricing.push({
+    models: [],
+    billing_mode: 'token',
+    input_price: null,
+    output_price: null,
+    cache_write_price: null,
+    cache_read_price: null,
+    image_output_price: null,
+    per_request_price: null,
+    intervals: []
+  })
+}
+
+function removeAccountStatsRule(ruleIndex: number) {
+  form.account_stats_pricing_rules.splice(ruleIndex, 1)
+}
+
+function removeRulePricingEntry(ruleIndex: number, pricingIndex: number) {
+  form.account_stats_pricing_rules[ruleIndex].pricing.splice(pricingIndex, 1)
+}
+
+function getGroupNameById(groupId: number): string {
+  const group = allGroups.value.find(g => g.id === groupId)
+  return group ? group.name : `#${groupId}`
+}
+
+/** Collect all group_ids from enabled platform sections */
+const allFormGroupIds = computed(() => {
+  const ids = new Set<number>()
+  for (const section of form.platforms) {
+    if (!section.enabled) continue
+    for (const gid of section.group_ids) {
+      ids.add(gid)
+    }
+  }
+  return [...ids]
+})
+
+function parseAccountIdsInput(value: string): number[] {
+  return value
+    .split(',')
+    .map(s => parseInt(s.trim()))
+    .filter(n => !isNaN(n) && n > 0)
+}
+
+function accountStatsRulesToAPI(): AccountStatsPricingRule[] {
+  return form.account_stats_pricing_rules.map(rule => ({
+    name: rule.name,
+    group_ids: rule.group_ids,
+    account_ids: rule.account_ids,
+    pricing: rule.pricing
+      .filter(p => p.models.length > 0)
+      .map(p => ({
+        platform: '',
+        models: p.models,
+        billing_mode: p.billing_mode,
+        input_price: mTokToPerToken(p.input_price),
+        output_price: mTokToPerToken(p.output_price),
+        cache_write_price: mTokToPerToken(p.cache_write_price),
+        cache_read_price: mTokToPerToken(p.cache_read_price),
+        image_output_price: mTokToPerToken(p.image_output_price),
+        per_request_price: p.per_request_price != null && p.per_request_price !== '' ? Number(p.per_request_price) : null,
+        intervals: formIntervalsToAPI(p.intervals || [])
+      }))
+  }))
+}
+
 // ── Form ↔ API conversion ──
-function formToAPI(): { group_ids: number[], model_pricing: ChannelModelPricing[], model_mapping: Record<string, Record<string, string>>, features_config: Record<string, unknown> } {
+function formToAPI(): { group_ids: number[], model_pricing: ChannelModelPricing[], model_mapping: Record<string, Record<string, string>> } {
   const group_ids: number[] = []
   const model_pricing: ChannelModelPricing[] = []
   const model_mapping: Record<string, Record<string, string>> = {}
-  // Preserve existing features_config fields not managed by the form
-  const featuresConfig: Record<string, unknown> = editingChannel.value?.features_config
-    ? { ...editingChannel.value.features_config }
-    : {}
 
   for (const section of form.platforms) {
     if (!section.enabled) continue
@@ -748,19 +933,7 @@ function formToAPI(): { group_ids: number[], model_pricing: ChannelModelPricing[
     }
   }
 
-  // Collect web_search_emulation (only anthropic platform supports it)
-  const wsEmulation: Record<string, boolean> = {}
-  for (const section of form.platforms) {
-    if (!section.enabled) continue
-    if (section.web_search_emulation && section.platform === 'anthropic') {
-      wsEmulation[section.platform] = true
-    }
-  }
-  if (Object.keys(wsEmulation).length > 0) {
-    featuresConfig.web_search_emulation = wsEmulation
-  }
-
-  return { group_ids, model_pricing, model_mapping, features_config: featuresConfig }
+  return { group_ids, model_pricing, model_mapping }
 }
 
 function apiToForm(channel: Channel): PlatformSection[] {
@@ -804,19 +977,13 @@ function apiToForm(channel: Channel): PlatformSection[] {
         intervals: apiIntervalsToForm(p.intervals || [])
       } as PricingFormEntry))
 
-    // Read web_search_emulation from features_config
-    const fc = channel.features_config
-    const wsEmulation = fc?.web_search_emulation as Record<string, boolean> | undefined
-    const webSearchEnabled = wsEmulation?.[platform] === true
-
     sections.push({
       platform,
       enabled: true,
       collapsed: false,
       group_ids: groupIds,
       model_mapping: { ...mapping },
-      model_pricing: pricing,
-      web_search_emulation: webSearchEnabled,
+      model_pricing: pricing
     })
   }
 
@@ -841,10 +1008,10 @@ async function loadChannels() {
     if (ctrl.signal.aborted || abortController !== ctrl) return
     channels.value = response.items || []
     pagination.total = response.total
-  } catch (error: unknown) {
-    const e = error as { name?: string; code?: string }
-    if (e?.name === 'AbortError' || e?.code === 'ERR_CANCELED') return
-    appStore.showError(extractApiErrorMessage(error, t('admin.channels.loadError', 'Failed to load channels')))
+  } catch (error: any) {
+    if (error?.name === 'AbortError' || error?.code === 'ERR_CANCELED') return
+    appStore.showError(t('admin.channels.loadError', 'Failed to load channels'))
+    console.error('Error loading channels:', error)
   } finally {
     if (abortController === ctrl) {
       loading.value = false
@@ -909,6 +1076,8 @@ function resetForm() {
   form.restrict_models = false
   form.billing_model_source = 'channel_mapped'
   form.platforms = []
+  form.apply_pricing_to_account_stats = false
+  form.account_stats_pricing_rules = []
   activeTab.value = 'basic'
 }
 
@@ -926,6 +1095,23 @@ async function openEditDialog(channel: Channel) {
   form.status = channel.status
   form.restrict_models = channel.restrict_models || false
   form.billing_model_source = channel.billing_model_source || 'channel_mapped'
+  form.apply_pricing_to_account_stats = channel.apply_pricing_to_account_stats || false
+  form.account_stats_pricing_rules = (channel.account_stats_pricing_rules || []).map(rule => ({
+    name: rule.name || '',
+    group_ids: [...(rule.group_ids || [])],
+    account_ids: [...(rule.account_ids || [])],
+    pricing: (rule.pricing || []).map(p => ({
+      models: [...(p.models || [])],
+      billing_mode: p.billing_mode,
+      input_price: perTokenToMTok(p.input_price),
+      output_price: perTokenToMTok(p.output_price),
+      cache_write_price: perTokenToMTok(p.cache_write_price),
+      cache_read_price: perTokenToMTok(p.cache_read_price),
+      image_output_price: perTokenToMTok(p.image_output_price),
+      per_request_price: p.per_request_price,
+      intervals: apiIntervalsToForm(p.intervals || [])
+    } as PricingFormEntry))
+  }))
   // Must load groups first so apiToForm can map groupID → platform
   await Promise.all([loadGroups(), loadAllChannelsForConflict()])
   form.platforms = apiToForm(channel)
@@ -1024,7 +1210,7 @@ async function handleSubmit() {
     }
   }
 
-  const { group_ids, model_pricing, model_mapping, features_config } = formToAPI()
+  const { group_ids, model_pricing, model_mapping } = formToAPI()
 
   submitting.value = true
   try {
@@ -1038,7 +1224,8 @@ async function handleSubmit() {
         model_mapping: Object.keys(model_mapping).length > 0 ? model_mapping : {},
         billing_model_source: form.billing_model_source,
         restrict_models: form.restrict_models,
-        features_config,
+        apply_pricing_to_account_stats: form.apply_pricing_to_account_stats,
+        account_stats_pricing_rules: accountStatsRulesToAPI()
       }
       await adminAPI.channels.update(editingChannel.value.id, req)
       appStore.showSuccess(t('admin.channels.updateSuccess', 'Channel updated'))
@@ -1051,17 +1238,20 @@ async function handleSubmit() {
         model_mapping: Object.keys(model_mapping).length > 0 ? model_mapping : {},
         billing_model_source: form.billing_model_source,
         restrict_models: form.restrict_models,
-        features_config,
+        apply_pricing_to_account_stats: form.apply_pricing_to_account_stats,
+        account_stats_pricing_rules: accountStatsRulesToAPI()
       }
       await adminAPI.channels.create(req)
       appStore.showSuccess(t('admin.channels.createSuccess', 'Channel created'))
     }
     closeDialog()
     loadChannels()
-  } catch (error: unknown) {
-    appStore.showError(extractApiErrorMessage(error, editingChannel.value
+  } catch (error: any) {
+    const msg = error.response?.data?.detail || (editingChannel.value
       ? t('admin.channels.updateError', 'Failed to update channel')
-      : t('admin.channels.createError', 'Failed to create channel')))
+      : t('admin.channels.createError', 'Failed to create channel'))
+    appStore.showError(msg)
+    console.error('Error saving channel:', error)
   } finally {
     submitting.value = false
   }
@@ -1099,8 +1289,9 @@ async function confirmDelete() {
     showDeleteDialog.value = false
     deletingChannel.value = null
     loadChannels()
-  } catch (error: unknown) {
-    appStore.showError(extractApiErrorMessage(error, t('admin.channels.deleteError', 'Failed to delete channel')))
+  } catch (error: any) {
+    appStore.showError(error.response?.data?.detail || t('admin.channels.deleteError', 'Failed to delete channel'))
+    console.error('Error deleting channel:', error)
   }
 }
 
@@ -1108,7 +1299,6 @@ async function confirmDelete() {
 onMounted(() => {
   loadChannels()
   loadGroups()
-  loadWebSearchGlobalState()
 })
 
 onUnmounted(() => {

From fda61b067c1dbf99bb58a59c3dab3769906bb889 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Sun, 12 Apr 2026 01:48:06 +0800
Subject: [PATCH 028/122] feat(websearch): proxy failover, timeout,
 quota-weighted load balancing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Use proxyutil.ConfigureTransportProxy for unified proxy protocol support
  (HTTP/HTTPS/SOCKS5/SOCKS5H), replacing ad-hoc HTTP-only proxy code
- Proxy errors return ErrProxyUnavailable → gateway triggers account switch
  via UpstreamFailoverError instead of fallback to direct connection
- Timeout: proxy dial 3s, TLS handshake 3s, data transfer 60s
- Mark proxy unavailable for 5 minutes in Redis on connectivity failure
- Quota-weighted load balancing: providers with quota_limit>0 are selected
  by remaining quota (weighted random); quota_limit=0 providers treated as
  0% weight and placed last
---
 backend/internal/pkg/websearch/manager.go     | 271 ++++++++++++++----
 .../service/gateway_websearch_emulation.go    |   8 +
 2 files changed, 227 insertions(+), 52 deletions(-)

diff --git a/backend/internal/pkg/websearch/manager.go b/backend/internal/pkg/websearch/manager.go
index 95da70e4..615014e0 100644
--- a/backend/internal/pkg/websearch/manager.go
+++ b/backend/internal/pkg/websearch/manager.go
@@ -3,8 +3,11 @@ package websearch
 import (
 	"context"
 	"crypto/tls"
+	"errors"
 	"fmt"
 	"log/slog"
+	"math/rand"
+	"net"
 	"net/http"
 	"net/url"
 	"sort"
@@ -12,6 +15,7 @@ import (
 	"sync"
 	"time"
 
+	"github.com/Wei-Shaw/sub2api/internal/pkg/proxyutil"
 	"github.com/redis/go-redis/v9"
 )
 
@@ -30,6 +34,7 @@ type ProviderConfig struct {
 	QuotaLimit           int64  `json:"quota_limit"`            // 0 = unlimited
 	QuotaRefreshInterval string `json:"quota_refresh_interval"` // QuotaRefreshDaily / Weekly / Monthly
 	ProxyURL             string `json:"-"`                      // resolved proxy URL (not persisted)
+	ProxyID              int64  `json:"-"`                      // resolved proxy ID for unavailability tracking
 	ExpiresAt            *int64 `json:"expires_at,omitempty"`   // optional expiration (unix seconds)
 }
 
@@ -42,22 +47,30 @@ type Manager struct {
 	clientCache map[string]*http.Client
 }
 
+// Timeout constants for proxy and search operations.
 const (
+	proxyDialTimeout     = 3 * time.Second  // proxy TCP connection timeout
+	proxyTLSTimeout      = 3 * time.Second  // TLS handshake timeout
+	searchDataTimeout    = 60 * time.Second // response data transfer timeout
+	searchRequestTimeout = searchDataTimeout + proxyDialTimeout
+
 	quotaKeyPrefix       = "websearch:quota:"
-	searchRequestTimeout = 30 * time.Second
+	proxyUnavailableKey  = "websearch:proxy_unavailable:%d"
+	proxyUnavailableTTL  = 5 * time.Minute
 	quotaTTLBuffer       = 24 * time.Hour
 	maxCachedClients     = 100
 )
 
+// ErrProxyUnavailable indicates the search failed due to a proxy connectivity issue.
+// Callers may use this to trigger account switching instead of direct fallback.
+var ErrProxyUnavailable = errors.New("websearch: proxy unavailable")
+
 // quotaIncrScript atomically increments the counter and sets TTL on first creation.
-// KEYS[1] = quota key, ARGV[1] = TTL in seconds.
-// Returns the new counter value.
 var quotaIncrScript = redis.NewScript(`
 local val = redis.call('INCR', KEYS[1])
 if val == 1 then
   redis.call('EXPIRE', KEYS[1], ARGV[1])
 else
-  -- Defensive: ensure TTL exists even if a prior EXPIRE failed
   local ttl = redis.call('TTL', KEYS[1])
   if ttl == -1 then
     redis.call('EXPIRE', KEYS[1], ARGV[1])
@@ -80,16 +93,22 @@ func NewManager(configs []ProviderConfig, redisClient *redis.Client) *Manager {
 	}
 }
 
-// SearchWithBestProvider selects the highest-priority available provider,
+// SearchWithBestProvider selects a provider using quota-weighted load balancing,
 // reserves quota, executes the search, and rolls back quota on failure.
+// If the search fails due to a proxy error, the proxy is marked unavailable for 5 minutes.
 func (m *Manager) SearchWithBestProvider(ctx context.Context, req SearchRequest) (*SearchResponse, string, error) {
 	if strings.TrimSpace(req.Query) == "" {
 		return nil, "", fmt.Errorf("websearch: empty search query")
 	}
-	for _, cfg := range m.configs {
-		if !m.isProviderAvailable(cfg) {
-			continue
-		}
+
+	candidates := m.filterAvailableProviders(ctx, req.ProxyURL)
+	if len(candidates) == 0 {
+		return nil, "", fmt.Errorf("websearch: no available provider (all exhausted, expired, or proxy unavailable)")
+	}
+
+	selected := m.selectByQuotaWeight(ctx, candidates)
+
+	for _, cfg := range selected {
 		allowed, incremented := m.tryReserveQuota(ctx, cfg)
 		if !allowed {
 			continue
@@ -99,6 +118,12 @@ func (m *Manager) SearchWithBestProvider(ctx context.Context, req SearchRequest)
 			if incremented {
 				m.rollbackQuota(ctx, cfg)
 			}
+			if isProxyError(err) {
+				m.markProxyUnavailable(ctx, cfg, req.ProxyURL)
+				slog.Warn("websearch: proxy error, marking unavailable",
+					"provider", cfg.Type, "error", err)
+				return nil, "", fmt.Errorf("%w: %s", ErrProxyUnavailable, err.Error())
+			}
 			slog.Warn("websearch: provider search failed",
 				"provider", cfg.Type, "error", err)
 			continue
@@ -108,6 +133,76 @@ func (m *Manager) SearchWithBestProvider(ctx context.Context, req SearchRequest)
 	return nil, "", fmt.Errorf("websearch: no available provider (all exhausted or failed)")
 }
 
+// filterAvailableProviders returns providers that have API keys, are not expired,
+// and whose proxies are not marked unavailable.
+func (m *Manager) filterAvailableProviders(ctx context.Context, accountProxyURL string) []ProviderConfig {
+	var out []ProviderConfig
+	for _, cfg := range m.configs {
+		if !m.isProviderAvailable(cfg) {
+			continue
+		}
+		proxyID := resolveProxyID(cfg, accountProxyURL)
+		if proxyID > 0 && !m.isProxyAvailable(ctx, proxyID) {
+			slog.Debug("websearch: proxy marked unavailable, skipping",
+				"provider", cfg.Type, "proxy_id", proxyID)
+			continue
+		}
+		out = append(out, cfg)
+	}
+	return out
+}
+
+// selectByQuotaWeight orders candidates by remaining quota weight.
+// Providers with quota_limit=0 (no limit set) get weight 0 and are placed last.
+// Among providers with quota, higher remaining quota = higher priority.
+func (m *Manager) selectByQuotaWeight(ctx context.Context, candidates []ProviderConfig) []ProviderConfig {
+	type weighted struct {
+		cfg    ProviderConfig
+		weight int64
+	}
+	items := make([]weighted, 0, len(candidates))
+	for _, cfg := range candidates {
+		w := int64(0)
+		if cfg.QuotaLimit > 0 {
+			used, _ := m.GetUsage(ctx, cfg.Type, cfg.QuotaRefreshInterval)
+			remaining := cfg.QuotaLimit - used
+			if remaining > 0 {
+				w = remaining
+			}
+		}
+		items = append(items, weighted{cfg: cfg, weight: w})
+	}
+
+	// Separate providers with quota (weight > 0) from those without (weight == 0)
+	var withQuota, withoutQuota []weighted
+	for _, item := range items {
+		if item.weight > 0 {
+			withQuota = append(withQuota, item)
+		} else {
+			withoutQuota = append(withoutQuota, item)
+		}
+	}
+
+	// Within quota group: weighted random sort (higher remaining = more likely first)
+	if len(withQuota) > 1 {
+		sort.Slice(withQuota, func(i, j int) bool {
+			wi := float64(withQuota[i].weight) * (0.5 + rand.Float64())
+			wj := float64(withQuota[j].weight) * (0.5 + rand.Float64())
+			return wi > wj
+		})
+	}
+
+	// Build final order: quota providers first, then no-quota providers (original priority order)
+	result := make([]ProviderConfig, 0, len(candidates))
+	for _, item := range withQuota {
+		result = append(result, item.cfg)
+	}
+	for _, item := range withoutQuota {
+		result = append(result, item.cfg)
+	}
+	return result
+}
+
 func (m *Manager) isProviderAvailable(cfg ProviderConfig) bool {
 	if cfg.APIKey == "" {
 		return false
@@ -120,26 +215,80 @@ func (m *Manager) isProviderAvailable(cfg ProviderConfig) bool {
 	return true
 }
 
-// tryReserveQuota atomically increments the counter via Lua script and checks limit.
-// Returns (allowed, incremented): allowed=true means the request may proceed;
-// incremented=true means the Redis counter was actually incremented (so rollback is needed on failure).
+// --- Proxy availability tracking ---
+
+// markProxyUnavailable marks the effective proxy as unavailable for proxyUnavailableTTL.
+func (m *Manager) markProxyUnavailable(ctx context.Context, cfg ProviderConfig, accountProxyURL string) {
+	proxyID := resolveProxyID(cfg, accountProxyURL)
+	if proxyID <= 0 || m.redis == nil {
+		return
+	}
+	key := fmt.Sprintf(proxyUnavailableKey, proxyID)
+	if err := m.redis.Set(ctx, key, "1", proxyUnavailableTTL).Err(); err != nil {
+		slog.Warn("websearch: failed to mark proxy unavailable",
+			"proxy_id", proxyID, "error", err)
+	}
+}
+
+// isProxyAvailable checks whether a proxy is currently marked as unavailable.
+func (m *Manager) isProxyAvailable(ctx context.Context, proxyID int64) bool {
+	if m.redis == nil || proxyID <= 0 {
+		return true
+	}
+	key := fmt.Sprintf(proxyUnavailableKey, proxyID)
+	val, err := m.redis.Get(ctx, key).Result()
+	if err != nil {
+		return true // Redis error → assume available
+	}
+	return val == ""
+}
+
+// resolveProxyID determines the effective proxy ID for a provider+account combination.
+func resolveProxyID(cfg ProviderConfig, accountProxyURL string) int64 {
+	if accountProxyURL != "" {
+		return 0 // account proxy has no ID in provider config
+	}
+	return cfg.ProxyID
+}
+
+// isProxyError checks whether the error is likely caused by proxy connectivity.
+func isProxyError(err error) bool {
+	if err == nil {
+		return false
+	}
+	var netErr net.Error
+	if errors.As(err, &netErr) && netErr.Timeout() {
+		return true
+	}
+	var opErr *net.OpError
+	if errors.As(err, &opErr) {
+		return true
+	}
+	msg := err.Error()
+	return strings.Contains(msg, "proxy") ||
+		strings.Contains(msg, "SOCKS") ||
+		strings.Contains(msg, "connection refused") ||
+		strings.Contains(msg, "no such host") ||
+		strings.Contains(msg, "i/o timeout")
+}
+
+// --- Quota management ---
+
 func (m *Manager) tryReserveQuota(ctx context.Context, cfg ProviderConfig) (bool, bool) {
 	if cfg.QuotaLimit <= 0 {
-		return true, false // unlimited, no INCR
+		return true, false
 	}
 	if m.redis == nil {
-		slog.Warn("websearch: Redis unavailable, quota check skipped",
-			"provider", cfg.Type)
-		return true, false // allowed but not incremented
+		slog.Warn("websearch: Redis unavailable, quota check skipped", "provider", cfg.Type)
+		return true, false
 	}
 	key := quotaRedisKey(cfg.Type, cfg.QuotaRefreshInterval)
 	ttlSec := int(quotaTTL(cfg.QuotaRefreshInterval).Seconds())
-
 	newVal, err := quotaIncrScript.Run(ctx, m.redis, []string{key}, ttlSec).Int64()
 	if err != nil {
 		slog.Warn("websearch: quota Lua INCR failed, allowing request",
 			"provider", cfg.Type, "error", err)
-		return true, false // allowed but not incremented
+		return true, false
 	}
 	if newVal > cfg.QuotaLimit {
 		if decrErr := m.redis.Decr(ctx, key).Err(); decrErr != nil {
@@ -148,12 +297,11 @@ func (m *Manager) tryReserveQuota(ctx context.Context, cfg ProviderConfig) (bool
 		}
 		slog.Info("websearch: provider quota exhausted",
 			"provider", cfg.Type, "used", newVal, "limit", cfg.QuotaLimit)
-		return false, false // rejected, already rolled back
+		return false, false
 	}
-	return true, true // allowed and incremented
+	return true, true
 }
 
-// rollbackQuota decrements the counter after a search failure.
 func (m *Manager) rollbackQuota(ctx context.Context, cfg ProviderConfig) {
 	if cfg.QuotaLimit <= 0 || m.redis == nil {
 		return
@@ -165,16 +313,64 @@ func (m *Manager) rollbackQuota(ctx context.Context, cfg ProviderConfig) {
 	}
 }
 
+// --- Search execution ---
+
 func (m *Manager) executeSearch(ctx context.Context, cfg ProviderConfig, req SearchRequest) (*SearchResponse, error) {
 	proxyURL := cfg.ProxyURL
 	if req.ProxyURL != "" {
 		proxyURL = req.ProxyURL
 	}
-	client := m.getOrCreateHTTPClient(proxyURL)
+	client, err := m.getOrCreateHTTPClient(proxyURL)
+	if err != nil {
+		return nil, fmt.Errorf("websearch: %w", err)
+	}
 	provider := m.buildProvider(cfg, client)
 	return provider.Search(ctx, req)
 }
 
+// --- HTTP client cache ---
+
+func (m *Manager) getOrCreateHTTPClient(proxyURL string) (*http.Client, error) {
+	m.clientMu.Lock()
+	defer m.clientMu.Unlock()
+
+	if c, ok := m.clientCache[proxyURL]; ok {
+		return c, nil
+	}
+	if len(m.clientCache) >= maxCachedClients {
+		m.clientCache = make(map[string]*http.Client)
+	}
+	c, err := newHTTPClient(proxyURL)
+	if err != nil {
+		return nil, err
+	}
+	m.clientCache[proxyURL] = c
+	return c, nil
+}
+
+// newHTTPClient creates an HTTP client with proper timeout settings.
+// Uses proxyutil.ConfigureTransportProxy for unified proxy protocol support
+// (HTTP/HTTPS/SOCKS5/SOCKS5H).
+// Returns error if proxyURL is invalid — never falls back to direct connection.
+func newHTTPClient(proxyURL string) (*http.Client, error) {
+	transport := &http.Transport{
+		TLSClientConfig:       &tls.Config{MinVersion: tls.VersionTLS12},
+		DialContext:           (&net.Dialer{Timeout: proxyDialTimeout}).DialContext,
+		TLSHandshakeTimeout:   proxyTLSTimeout,
+		ResponseHeaderTimeout: searchDataTimeout,
+	}
+	if proxyURL != "" {
+		parsed, err := url.Parse(proxyURL)
+		if err != nil {
+			return nil, fmt.Errorf("invalid proxy URL %q: %w", proxyURL, err)
+		}
+		if err := proxyutil.ConfigureTransportProxy(transport, parsed); err != nil {
+			return nil, fmt.Errorf("configure proxy: %w", err)
+		}
+	}
+	return &http.Client{Transport: transport, Timeout: searchRequestTimeout}, nil
+}
+
 // GetUsage returns the current usage count for the given provider.
 func (m *Manager) GetUsage(ctx context.Context, providerType, refreshInterval string) (int64, error) {
 	if m.redis == nil {
@@ -198,35 +394,6 @@ func (m *Manager) GetAllUsage(ctx context.Context) map[string]int64 {
 	return result
 }
 
-// --- HTTP client cache (bounded) ---
-
-func (m *Manager) getOrCreateHTTPClient(proxyURL string) *http.Client {
-	m.clientMu.Lock()
-	defer m.clientMu.Unlock()
-
-	if c, ok := m.clientCache[proxyURL]; ok {
-		return c
-	}
-	if len(m.clientCache) >= maxCachedClients {
-		m.clientCache = make(map[string]*http.Client) // evict all
-	}
-	c := newHTTPClient(proxyURL)
-	m.clientCache[proxyURL] = c
-	return c
-}
-
-func newHTTPClient(proxyURL string) *http.Client {
-	transport := &http.Transport{
-		TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12},
-	}
-	if proxyURL != "" {
-		if u, err := url.Parse(proxyURL); err == nil {
-			transport.Proxy = http.ProxyURL(u)
-		}
-	}
-	return &http.Client{Transport: transport, Timeout: searchRequestTimeout}
-}
-
 // --- Provider factory ---
 
 func (m *Manager) buildProvider(cfg ProviderConfig, client *http.Client) Provider {
@@ -256,7 +423,7 @@ func periodKey(refreshInterval string) string {
 	case QuotaRefreshWeekly:
 		year, week := now.ISOWeek()
 		return fmt.Sprintf("%d-W%02d", year, week)
-	default: // QuotaRefreshMonthly
+	default:
 		return now.Format("2006-01")
 	}
 }
diff --git a/backend/internal/service/gateway_websearch_emulation.go b/backend/internal/service/gateway_websearch_emulation.go
index fbea96c0..b3a4aa69 100644
--- a/backend/internal/service/gateway_websearch_emulation.go
+++ b/backend/internal/service/gateway_websearch_emulation.go
@@ -3,6 +3,7 @@ package service
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"log/slog"
 	"net/http"
@@ -147,6 +148,13 @@ func (s *GatewayService) handleWebSearchEmulation(
 
 	resp, providerName, err := doWebSearch(ctx, account, query)
 	if err != nil {
+		// Proxy unavailable → trigger account switch via UpstreamFailoverError
+		if errors.Is(err, websearch.ErrProxyUnavailable) {
+			return nil, &UpstreamFailoverError{
+				StatusCode:   http.StatusBadGateway,
+				ResponseBody: []byte(err.Error()),
+			}
+		}
 		return nil, err
 	}
 

From 499159870c4b92c7ab37cdefe6f3ca044369c1c1 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Sun, 12 Apr 2026 01:55:00 +0800
Subject: [PATCH 029/122] fix: gofmt websearch manager

---
 backend/internal/pkg/websearch/manager.go | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/backend/internal/pkg/websearch/manager.go b/backend/internal/pkg/websearch/manager.go
index 615014e0..e6334b70 100644
--- a/backend/internal/pkg/websearch/manager.go
+++ b/backend/internal/pkg/websearch/manager.go
@@ -54,11 +54,11 @@ const (
 	searchDataTimeout    = 60 * time.Second // response data transfer timeout
 	searchRequestTimeout = searchDataTimeout + proxyDialTimeout
 
-	quotaKeyPrefix       = "websearch:quota:"
-	proxyUnavailableKey  = "websearch:proxy_unavailable:%d"
-	proxyUnavailableTTL  = 5 * time.Minute
-	quotaTTLBuffer       = 24 * time.Hour
-	maxCachedClients     = 100
+	quotaKeyPrefix      = "websearch:quota:"
+	proxyUnavailableKey = "websearch:proxy_unavailable:%d"
+	proxyUnavailableTTL = 5 * time.Minute
+	quotaTTLBuffer      = 24 * time.Hour
+	maxCachedClients    = 100
 )
 
 // ErrProxyUnavailable indicates the search failed due to a proxy connectivity issue.
@@ -152,14 +152,16 @@ func (m *Manager) filterAvailableProviders(ctx context.Context, accountProxyURL
 	return out
 }
 
+// weighted is a provider candidate with computed quota weight.
+type weighted struct {
+	cfg    ProviderConfig
+	weight int64
+}
+
 // selectByQuotaWeight orders candidates by remaining quota weight.
 // Providers with quota_limit=0 (no limit set) get weight 0 and are placed last.
 // Among providers with quota, higher remaining quota = higher priority.
 func (m *Manager) selectByQuotaWeight(ctx context.Context, candidates []ProviderConfig) []ProviderConfig {
-	type weighted struct {
-		cfg    ProviderConfig
-		weight int64
-	}
 	items := make([]weighted, 0, len(candidates))
 	for _, cfg := range candidates {
 		w := int64(0)

From 60b0fa81ec4913ba3485c23ee6015e83253768d3 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Sun, 12 Apr 2026 02:11:50 +0800
Subject: [PATCH 030/122] fix(websearch): improve isProxyError detection and
 add manager tests

- Add TLS error detection to isProxyError (RecordHeaderError, handshake)
- Case-insensitive error string matching
- Add 19 unit tests for: isProviderAvailable, resolveProxyID,
  isProxyError, isProxyAvailable, selectByQuotaWeight, newHTTPClient
---
 backend/internal/pkg/websearch/manager.go     |  20 ++-
 .../internal/pkg/websearch/manager_test.go    | 132 ++++++++++++++++++
 2 files changed, 147 insertions(+), 5 deletions(-)

diff --git a/backend/internal/pkg/websearch/manager.go b/backend/internal/pkg/websearch/manager.go
index e6334b70..7db3d9a2 100644
--- a/backend/internal/pkg/websearch/manager.go
+++ b/backend/internal/pkg/websearch/manager.go
@@ -253,25 +253,35 @@ func resolveProxyID(cfg ProviderConfig, accountProxyURL string) int64 {
 	return cfg.ProxyID
 }
 
-// isProxyError checks whether the error is likely caused by proxy connectivity.
+// isProxyError checks whether the error is likely caused by proxy or network connectivity
+// (as opposed to an API-level error from the search provider).
 func isProxyError(err error) bool {
 	if err == nil {
 		return false
 	}
+	// Network-level errors (timeout, connection refused, DNS failure)
 	var netErr net.Error
-	if errors.As(err, &netErr) && netErr.Timeout() {
+	if errors.As(err, &netErr) {
 		return true
 	}
 	var opErr *net.OpError
 	if errors.As(err, &opErr) {
 		return true
 	}
-	msg := err.Error()
+	// TLS handshake failures (often caused by proxy intercepting/blocking)
+	var tlsErr *tls.RecordHeaderError
+	if errors.As(err, &tlsErr) {
+		return true
+	}
+	// String-based detection for wrapped errors
+	msg := strings.ToLower(err.Error())
 	return strings.Contains(msg, "proxy") ||
-		strings.Contains(msg, "SOCKS") ||
+		strings.Contains(msg, "socks") ||
 		strings.Contains(msg, "connection refused") ||
 		strings.Contains(msg, "no such host") ||
-		strings.Contains(msg, "i/o timeout")
+		strings.Contains(msg, "i/o timeout") ||
+		strings.Contains(msg, "tls handshake") ||
+		strings.Contains(msg, "certificate")
 }
 
 // --- Quota management ---
diff --git a/backend/internal/pkg/websearch/manager_test.go b/backend/internal/pkg/websearch/manager_test.go
index 4387a2ee..d3cd29d6 100644
--- a/backend/internal/pkg/websearch/manager_test.go
+++ b/backend/internal/pkg/websearch/manager_test.go
@@ -3,6 +3,7 @@ package websearch
 import (
 	"context"
 	"encoding/json"
+	"fmt"
 	"net/http"
 	"net/http/httptest"
 	"testing"
@@ -147,3 +148,134 @@ func TestQuotaRedisKey_Format(t *testing.T) {
 	key := quotaRedisKey("brave", QuotaRefreshDaily)
 	require.Contains(t, key, "websearch:quota:brave:")
 }
+
+// --- isProviderAvailable ---
+
+func TestIsProviderAvailable_EmptyAPIKey(t *testing.T) {
+	m := NewManager(nil, nil)
+	require.False(t, m.isProviderAvailable(ProviderConfig{APIKey: ""}))
+}
+
+func TestIsProviderAvailable_Expired(t *testing.T) {
+	m := NewManager(nil, nil)
+	past := time.Now().Add(-1 * time.Hour).Unix()
+	require.False(t, m.isProviderAvailable(ProviderConfig{APIKey: "k", ExpiresAt: &past}))
+}
+
+func TestIsProviderAvailable_Valid(t *testing.T) {
+	m := NewManager(nil, nil)
+	future := time.Now().Add(1 * time.Hour).Unix()
+	require.True(t, m.isProviderAvailable(ProviderConfig{APIKey: "k", ExpiresAt: &future}))
+	require.True(t, m.isProviderAvailable(ProviderConfig{APIKey: "k"})) // no expiry
+}
+
+// --- resolveProxyID ---
+
+func TestResolveProxyID_AccountProxyOverrides(t *testing.T) {
+	cfg := ProviderConfig{ProxyID: 42}
+	// account proxy present → return 0 (account proxy has no config-level ID)
+	require.Equal(t, int64(0), resolveProxyID(cfg, "http://account-proxy:8080"))
+	// no account proxy → return provider's proxy ID
+	require.Equal(t, int64(42), resolveProxyID(cfg, ""))
+}
+
+// --- isProxyError ---
+
+func TestIsProxyError_Nil(t *testing.T) {
+	require.False(t, isProxyError(nil))
+}
+
+func TestIsProxyError_ConnectionRefused(t *testing.T) {
+	err := fmt.Errorf("dial tcp: connection refused")
+	require.True(t, isProxyError(err))
+}
+
+func TestIsProxyError_Timeout(t *testing.T) {
+	err := fmt.Errorf("i/o timeout while connecting to proxy")
+	require.True(t, isProxyError(err))
+}
+
+func TestIsProxyError_SOCKS(t *testing.T) {
+	err := fmt.Errorf("socks connect failed")
+	require.True(t, isProxyError(err))
+}
+
+func TestIsProxyError_TLSHandshake(t *testing.T) {
+	err := fmt.Errorf("tls handshake timeout")
+	require.True(t, isProxyError(err))
+}
+
+func TestIsProxyError_APIError_NotProxy(t *testing.T) {
+	err := fmt.Errorf("API rate limit exceeded")
+	require.False(t, isProxyError(err))
+}
+
+// --- isProxyAvailable (nil Redis) ---
+
+func TestIsProxyAvailable_NilRedis(t *testing.T) {
+	m := NewManager(nil, nil)
+	require.True(t, m.isProxyAvailable(context.Background(), 42))
+}
+
+func TestIsProxyAvailable_ZeroID(t *testing.T) {
+	m := NewManager(nil, nil)
+	require.True(t, m.isProxyAvailable(context.Background(), 0))
+}
+
+// --- selectByQuotaWeight ---
+
+func TestSelectByQuotaWeight_NoQuotaLast(t *testing.T) {
+	m := NewManager(nil, nil) // nil Redis → GetUsage returns 0
+	candidates := []ProviderConfig{
+		{Type: "brave", APIKey: "k1", QuotaLimit: 0},    // no limit → weight 0
+		{Type: "tavily", APIKey: "k2", QuotaLimit: 100}, // remaining 100
+	}
+	result := m.selectByQuotaWeight(context.Background(), candidates)
+	require.Len(t, result, 2)
+	// tavily (with quota) should come first
+	require.Equal(t, "tavily", result[0].Type)
+	require.Equal(t, "brave", result[1].Type)
+}
+
+func TestSelectByQuotaWeight_AllNoQuota(t *testing.T) {
+	m := NewManager(nil, nil)
+	candidates := []ProviderConfig{
+		{Type: "brave", APIKey: "k1", QuotaLimit: 0},
+		{Type: "tavily", APIKey: "k2", QuotaLimit: 0},
+	}
+	result := m.selectByQuotaWeight(context.Background(), candidates)
+	require.Len(t, result, 2)
+	// both have weight 0, original order preserved
+}
+
+func TestSelectByQuotaWeight_Empty(t *testing.T) {
+	m := NewManager(nil, nil)
+	result := m.selectByQuotaWeight(context.Background(), nil)
+	require.Empty(t, result)
+}
+
+// --- newHTTPClient ---
+
+func TestNewHTTPClient_NoProxy(t *testing.T) {
+	c, err := newHTTPClient("")
+	require.NoError(t, err)
+	require.NotNil(t, c)
+}
+
+func TestNewHTTPClient_InvalidProxy(t *testing.T) {
+	_, err := newHTTPClient("://bad-url")
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "invalid proxy URL")
+}
+
+func TestNewHTTPClient_ValidHTTPProxy(t *testing.T) {
+	c, err := newHTTPClient("http://proxy.example.com:8080")
+	require.NoError(t, err)
+	require.NotNil(t, c)
+}
+
+func TestNewHTTPClient_ValidSOCKS5Proxy(t *testing.T) {
+	c, err := newHTTPClient("socks5://proxy.example.com:1080")
+	require.NoError(t, err)
+	require.NotNil(t, c)
+}

From b32d1a2c9fb658d2691aac3711bc47383d9bd714 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Sun, 12 Apr 2026 02:48:57 +0800
Subject: [PATCH 031/122] feat(notify): add balance low & account quota
 notification system

- User balance low notification: email alert when balance drops below
  configurable threshold (user email + verified extra emails)
- Account quota notification: broadcast email to admin-configured
  recipients when daily/weekly/total quota usage exceeds alert threshold
- Admin settings: global enable/disable, default threshold, quota
  notification email list (Email Settings tab)
- User profile: enable/disable, custom threshold, add/remove extra
  notification emails with verification code flow
- Account quota: per-dimension alert toggle and threshold in quota
  control card
- Trigger logic: first-crossing only (old >= threshold && new < threshold
  for balance; old < threshold && new >= threshold for quota), naturally
  prevents duplicate notifications without Redis dedup
---
 backend/cmd/server/wire_gen.go                |   9 +-
 backend/ent/migrate/schema.go                 |   3 +
 backend/ent/mutation.go                       | 217 +++++++++++-
 backend/ent/runtime/runtime.go                |   8 +
 backend/ent/schema/user.go                    |  11 +
 backend/ent/user.go                           |  42 ++-
 backend/ent/user/user.go                      |  28 ++
 backend/ent/user/where.go                     | 140 ++++++++
 backend/ent/user_create.go                    | 228 ++++++++++++
 backend/ent/user_update.go                    | 140 ++++++++
 backend/go.sum                                |  10 +
 .../internal/handler/admin/setting_handler.go |  64 ++--
 backend/internal/handler/dto/mappers.go       |  43 ++-
 backend/internal/handler/dto/settings.go      |   5 +
 backend/internal/handler/dto/types.go         |  13 +
 backend/internal/handler/user_handler.go      | 113 +++++-
 backend/internal/repository/api_key_repo.go   |  41 ++-
 backend/internal/repository/email_cache.go    |  35 ++
 backend/internal/repository/user_repo.go      |  23 +-
 backend/internal/server/routes/user.go        |   8 +
 backend/internal/service/account.go           |  39 +++
 .../service/auth_service_register_test.go     |  12 +
 .../service/balance_notify_service.go         | 328 ++++++++++++++++++
 backend/internal/service/domain_constants.go  |   9 +-
 backend/internal/service/email_service.go     |   5 +
 .../service/gateway_record_usage_test.go      |   1 +
 backend/internal/service/gateway_service.go   |  39 ++-
 .../openai_gateway_record_usage_test.go       |   1 +
 .../service/openai_gateway_service.go         |  14 +-
 .../openai_ws_protocol_forward_test.go        |   1 +
 backend/internal/service/setting_service.go   |  38 +-
 backend/internal/service/settings_view.go     |  10 +-
 backend/internal/service/user.go              |   5 +
 backend/internal/service/user_service.go      | 172 ++++++++-
 backend/internal/service/user_service_test.go |  12 +-
 backend/internal/service/wire.go              |   6 +
 .../101_add_balance_notify_fields.sql         |   4 +
 frontend/src/api/admin/settings.ts            |   9 +
 frontend/src/api/user.ts                      |  33 +-
 .../components/account/EditAccountModal.vue   |  84 +++++
 .../src/components/account/QuotaLimitCard.vue | 113 +++++-
 .../user/profile/ProfileBalanceNotifyCard.vue | 204 +++++++++++
 frontend/src/i18n/locales/en.ts               |  47 +++
 frontend/src/i18n/locales/zh.ts               |  47 +++
 frontend/src/types/index.ts                   |   3 +
 frontend/src/views/admin/SettingsView.vue     |  72 +++-
 frontend/src/views/user/ProfileView.vue       |   7 +
 47 files changed, 2375 insertions(+), 121 deletions(-)
 create mode 100644 backend/internal/service/balance_notify_service.go
 create mode 100644 backend/migrations/101_add_balance_notify_fields.sql
 create mode 100644 frontend/src/components/user/profile/ProfileBalanceNotifyCard.vue

diff --git a/backend/cmd/server/wire_gen.go b/backend/cmd/server/wire_gen.go
index 0a0cc84b..8c47b2bd 100644
--- a/backend/cmd/server/wire_gen.go
+++ b/backend/cmd/server/wire_gen.go
@@ -68,7 +68,7 @@ func initializeApplication(buildInfo handler.BuildInfo) (*Application, error) {
 	promoService := service.NewPromoService(promoCodeRepository, userRepository, billingCacheService, client, apiKeyAuthCacheInvalidator)
 	subscriptionService := service.NewSubscriptionService(groupRepository, userSubscriptionRepository, billingCacheService, client, configConfig)
 	authService := service.NewAuthService(client, userRepository, redeemCodeRepository, refreshTokenCache, configConfig, settingService, emailService, turnstileService, emailQueueService, promoService, subscriptionService)
-	userService := service.NewUserService(userRepository, apiKeyAuthCacheInvalidator, billingCache)
+	userService := service.NewUserService(userRepository, settingRepository, apiKeyAuthCacheInvalidator, billingCache)
 	redeemCache := repository.NewRedeemCache(redisClient)
 	redeemService := service.NewRedeemService(redeemCodeRepository, userRepository, subscriptionService, redeemCache, billingCacheService, client, apiKeyAuthCacheInvalidator)
 	secretEncryptor, err := repository.NewAESEncryptor(configConfig)
@@ -78,7 +78,7 @@ func initializeApplication(buildInfo handler.BuildInfo) (*Application, error) {
 	totpCache := repository.NewTotpCache(redisClient)
 	totpService := service.NewTotpService(userRepository, secretEncryptor, totpCache, settingService, emailService, emailQueueService)
 	authHandler := handler.NewAuthHandler(configConfig, authService, userService, settingService, promoService, redeemService, totpService)
-	userHandler := handler.NewUserHandler(userService)
+	userHandler := handler.NewUserHandler(userService, emailService, emailCache)
 	apiKeyHandler := handler.NewAPIKeyHandler(apiKeyService)
 	usageLogRepository := repository.NewUsageLogRepository(client, db)
 	usageService := service.NewUsageService(usageLogRepository, userRepository, client, apiKeyAuthCacheInvalidator)
@@ -176,9 +176,10 @@ func initializeApplication(buildInfo handler.BuildInfo) (*Application, error) {
 	channelRepository := repository.NewChannelRepository(db)
 	channelService := service.NewChannelService(channelRepository, apiKeyAuthCacheInvalidator)
 	modelPricingResolver := service.NewModelPricingResolver(channelService, billingService)
-	gatewayService := service.NewGatewayService(accountRepository, groupRepository, usageLogRepository, usageBillingRepository, userRepository, userSubscriptionRepository, userGroupRateRepository, gatewayCache, configConfig, schedulerSnapshotService, concurrencyService, billingService, rateLimitService, billingCacheService, identityService, httpUpstream, deferredService, claudeTokenProvider, sessionLimitCache, rpmCache, digestSessionStore, settingService, tlsFingerprintProfileService, channelService, modelPricingResolver)
+	balanceNotifyService := service.ProvideBalanceNotifyService(emailService, settingRepository)
+	gatewayService := service.NewGatewayService(accountRepository, groupRepository, usageLogRepository, usageBillingRepository, userRepository, userSubscriptionRepository, userGroupRateRepository, gatewayCache, configConfig, schedulerSnapshotService, concurrencyService, billingService, rateLimitService, billingCacheService, identityService, httpUpstream, deferredService, claudeTokenProvider, sessionLimitCache, rpmCache, digestSessionStore, settingService, tlsFingerprintProfileService, channelService, modelPricingResolver, balanceNotifyService)
 	openAITokenProvider := service.ProvideOpenAITokenProvider(accountRepository, geminiTokenCache, openAIOAuthService, oAuthRefreshAPI)
-	openAIGatewayService := service.NewOpenAIGatewayService(accountRepository, usageLogRepository, usageBillingRepository, userRepository, userSubscriptionRepository, userGroupRateRepository, gatewayCache, configConfig, schedulerSnapshotService, concurrencyService, billingService, rateLimitService, billingCacheService, httpUpstream, deferredService, openAITokenProvider, modelPricingResolver, channelService)
+	openAIGatewayService := service.NewOpenAIGatewayService(accountRepository, usageLogRepository, usageBillingRepository, userRepository, userSubscriptionRepository, userGroupRateRepository, gatewayCache, configConfig, schedulerSnapshotService, concurrencyService, billingService, rateLimitService, billingCacheService, httpUpstream, deferredService, openAITokenProvider, modelPricingResolver, channelService, balanceNotifyService)
 	geminiMessagesCompatService := service.NewGeminiMessagesCompatService(accountRepository, groupRepository, gatewayCache, schedulerSnapshotService, geminiTokenProvider, rateLimitService, httpUpstream, antigravityGatewayService, configConfig)
 	opsSystemLogSink := service.ProvideOpsSystemLogSink(opsRepository)
 	opsService := service.NewOpsService(opsRepository, settingRepository, configConfig, accountRepository, userRepository, concurrencyService, gatewayService, openAIGatewayService, geminiMessagesCompatService, antigravityGatewayService, opsSystemLogSink)
diff --git a/backend/ent/migrate/schema.go b/backend/ent/migrate/schema.go
index e947b2e8..4f31883b 100644
--- a/backend/ent/migrate/schema.go
+++ b/backend/ent/migrate/schema.go
@@ -1078,6 +1078,9 @@ var (
 		{Name: "totp_secret_encrypted", Type: field.TypeString, Nullable: true, SchemaType: map[string]string{"postgres": "text"}},
 		{Name: "totp_enabled", Type: field.TypeBool, Default: false},
 		{Name: "totp_enabled_at", Type: field.TypeTime, Nullable: true},
+		{Name: "balance_notify_enabled", Type: field.TypeBool, Default: true},
+		{Name: "balance_notify_threshold", Type: field.TypeFloat64, Nullable: true, SchemaType: map[string]string{"postgres": "decimal(20,8)"}},
+		{Name: "balance_notify_extra_emails", Type: field.TypeString, Default: "[]", SchemaType: map[string]string{"postgres": "text"}},
 	}
 	// UsersTable holds the schema information for the "users" table.
 	UsersTable = &schema.Table{
diff --git a/backend/ent/mutation.go b/backend/ent/mutation.go
index 6b2fa838..cdaf363a 100644
--- a/backend/ent/mutation.go
+++ b/backend/ent/mutation.go
@@ -28210,6 +28210,10 @@ type UserMutation struct {
 	totp_secret_encrypted         *string
 	totp_enabled                  *bool
 	totp_enabled_at               *time.Time
+	balance_notify_enabled        *bool
+	balance_notify_threshold      *float64
+	addbalance_notify_threshold   *float64
+	balance_notify_extra_emails   *string
 	clearedFields                 map[string]struct{}
 	api_keys                      map[int64]struct{}
 	removedapi_keys               map[int64]struct{}
@@ -28927,6 +28931,148 @@ func (m *UserMutation) ResetTotpEnabledAt() {
 	delete(m.clearedFields, user.FieldTotpEnabledAt)
 }
 
+// SetBalanceNotifyEnabled sets the "balance_notify_enabled" field.
+func (m *UserMutation) SetBalanceNotifyEnabled(b bool) {
+	m.balance_notify_enabled = &b
+}
+
+// BalanceNotifyEnabled returns the value of the "balance_notify_enabled" field in the mutation.
+func (m *UserMutation) BalanceNotifyEnabled() (r bool, exists bool) {
+	v := m.balance_notify_enabled
+	if v == nil {
+		return
+	}
+	return *v, true
+}
+
+// OldBalanceNotifyEnabled returns the old "balance_notify_enabled" field's value of the User entity.
+// If the User object wasn't provided to the builder, the object is fetched from the database.
+// An error is returned if the mutation operation is not UpdateOne, or the database query fails.
+func (m *UserMutation) OldBalanceNotifyEnabled(ctx context.Context) (v bool, err error) {
+	if !m.op.Is(OpUpdateOne) {
+		return v, errors.New("OldBalanceNotifyEnabled is only allowed on UpdateOne operations")
+	}
+	if m.id == nil || m.oldValue == nil {
+		return v, errors.New("OldBalanceNotifyEnabled requires an ID field in the mutation")
+	}
+	oldValue, err := m.oldValue(ctx)
+	if err != nil {
+		return v, fmt.Errorf("querying old value for OldBalanceNotifyEnabled: %w", err)
+	}
+	return oldValue.BalanceNotifyEnabled, nil
+}
+
+// ResetBalanceNotifyEnabled resets all changes to the "balance_notify_enabled" field.
+func (m *UserMutation) ResetBalanceNotifyEnabled() {
+	m.balance_notify_enabled = nil
+}
+
+// SetBalanceNotifyThreshold sets the "balance_notify_threshold" field.
+func (m *UserMutation) SetBalanceNotifyThreshold(f float64) {
+	m.balance_notify_threshold = &f
+	m.addbalance_notify_threshold = nil
+}
+
+// BalanceNotifyThreshold returns the value of the "balance_notify_threshold" field in the mutation.
+func (m *UserMutation) BalanceNotifyThreshold() (r float64, exists bool) {
+	v := m.balance_notify_threshold
+	if v == nil {
+		return
+	}
+	return *v, true
+}
+
+// OldBalanceNotifyThreshold returns the old "balance_notify_threshold" field's value of the User entity.
+// If the User object wasn't provided to the builder, the object is fetched from the database.
+// An error is returned if the mutation operation is not UpdateOne, or the database query fails.
+func (m *UserMutation) OldBalanceNotifyThreshold(ctx context.Context) (v *float64, err error) {
+	if !m.op.Is(OpUpdateOne) {
+		return v, errors.New("OldBalanceNotifyThreshold is only allowed on UpdateOne operations")
+	}
+	if m.id == nil || m.oldValue == nil {
+		return v, errors.New("OldBalanceNotifyThreshold requires an ID field in the mutation")
+	}
+	oldValue, err := m.oldValue(ctx)
+	if err != nil {
+		return v, fmt.Errorf("querying old value for OldBalanceNotifyThreshold: %w", err)
+	}
+	return oldValue.BalanceNotifyThreshold, nil
+}
+
+// AddBalanceNotifyThreshold adds f to the "balance_notify_threshold" field.
+func (m *UserMutation) AddBalanceNotifyThreshold(f float64) {
+	if m.addbalance_notify_threshold != nil {
+		*m.addbalance_notify_threshold += f
+	} else {
+		m.addbalance_notify_threshold = &f
+	}
+}
+
+// AddedBalanceNotifyThreshold returns the value that was added to the "balance_notify_threshold" field in this mutation.
+func (m *UserMutation) AddedBalanceNotifyThreshold() (r float64, exists bool) {
+	v := m.addbalance_notify_threshold
+	if v == nil {
+		return
+	}
+	return *v, true
+}
+
+// ClearBalanceNotifyThreshold clears the value of the "balance_notify_threshold" field.
+func (m *UserMutation) ClearBalanceNotifyThreshold() {
+	m.balance_notify_threshold = nil
+	m.addbalance_notify_threshold = nil
+	m.clearedFields[user.FieldBalanceNotifyThreshold] = struct{}{}
+}
+
+// BalanceNotifyThresholdCleared returns if the "balance_notify_threshold" field was cleared in this mutation.
+func (m *UserMutation) BalanceNotifyThresholdCleared() bool {
+	_, ok := m.clearedFields[user.FieldBalanceNotifyThreshold]
+	return ok
+}
+
+// ResetBalanceNotifyThreshold resets all changes to the "balance_notify_threshold" field.
+func (m *UserMutation) ResetBalanceNotifyThreshold() {
+	m.balance_notify_threshold = nil
+	m.addbalance_notify_threshold = nil
+	delete(m.clearedFields, user.FieldBalanceNotifyThreshold)
+}
+
+// SetBalanceNotifyExtraEmails sets the "balance_notify_extra_emails" field.
+func (m *UserMutation) SetBalanceNotifyExtraEmails(s string) {
+	m.balance_notify_extra_emails = &s
+}
+
+// BalanceNotifyExtraEmails returns the value of the "balance_notify_extra_emails" field in the mutation.
+func (m *UserMutation) BalanceNotifyExtraEmails() (r string, exists bool) {
+	v := m.balance_notify_extra_emails
+	if v == nil {
+		return
+	}
+	return *v, true
+}
+
+// OldBalanceNotifyExtraEmails returns the old "balance_notify_extra_emails" field's value of the User entity.
+// If the User object wasn't provided to the builder, the object is fetched from the database.
+// An error is returned if the mutation operation is not UpdateOne, or the database query fails.
+func (m *UserMutation) OldBalanceNotifyExtraEmails(ctx context.Context) (v string, err error) {
+	if !m.op.Is(OpUpdateOne) {
+		return v, errors.New("OldBalanceNotifyExtraEmails is only allowed on UpdateOne operations")
+	}
+	if m.id == nil || m.oldValue == nil {
+		return v, errors.New("OldBalanceNotifyExtraEmails requires an ID field in the mutation")
+	}
+	oldValue, err := m.oldValue(ctx)
+	if err != nil {
+		return v, fmt.Errorf("querying old value for OldBalanceNotifyExtraEmails: %w", err)
+	}
+	return oldValue.BalanceNotifyExtraEmails, nil
+}
+
+// ResetBalanceNotifyExtraEmails resets all changes to the "balance_notify_extra_emails" field.
+func (m *UserMutation) ResetBalanceNotifyExtraEmails() {
+	m.balance_notify_extra_emails = nil
+}
+
 // AddAPIKeyIDs adds the "api_keys" edge to the APIKey entity by ids.
 func (m *UserMutation) AddAPIKeyIDs(ids ...int64) {
 	if m.api_keys == nil {
@@ -29501,7 +29647,7 @@ func (m *UserMutation) Type() string {
 // order to get all numeric fields that were incremented/decremented, call
 // AddedFields().
 func (m *UserMutation) Fields() []string {
-	fields := make([]string, 0, 14)
+	fields := make([]string, 0, 17)
 	if m.created_at != nil {
 		fields = append(fields, user.FieldCreatedAt)
 	}
@@ -29544,6 +29690,15 @@ func (m *UserMutation) Fields() []string {
 	if m.totp_enabled_at != nil {
 		fields = append(fields, user.FieldTotpEnabledAt)
 	}
+	if m.balance_notify_enabled != nil {
+		fields = append(fields, user.FieldBalanceNotifyEnabled)
+	}
+	if m.balance_notify_threshold != nil {
+		fields = append(fields, user.FieldBalanceNotifyThreshold)
+	}
+	if m.balance_notify_extra_emails != nil {
+		fields = append(fields, user.FieldBalanceNotifyExtraEmails)
+	}
 	return fields
 }
 
@@ -29580,6 +29735,12 @@ func (m *UserMutation) Field(name string) (ent.Value, bool) {
 		return m.TotpEnabled()
 	case user.FieldTotpEnabledAt:
 		return m.TotpEnabledAt()
+	case user.FieldBalanceNotifyEnabled:
+		return m.BalanceNotifyEnabled()
+	case user.FieldBalanceNotifyThreshold:
+		return m.BalanceNotifyThreshold()
+	case user.FieldBalanceNotifyExtraEmails:
+		return m.BalanceNotifyExtraEmails()
 	}
 	return nil, false
 }
@@ -29617,6 +29778,12 @@ func (m *UserMutation) OldField(ctx context.Context, name string) (ent.Value, er
 		return m.OldTotpEnabled(ctx)
 	case user.FieldTotpEnabledAt:
 		return m.OldTotpEnabledAt(ctx)
+	case user.FieldBalanceNotifyEnabled:
+		return m.OldBalanceNotifyEnabled(ctx)
+	case user.FieldBalanceNotifyThreshold:
+		return m.OldBalanceNotifyThreshold(ctx)
+	case user.FieldBalanceNotifyExtraEmails:
+		return m.OldBalanceNotifyExtraEmails(ctx)
 	}
 	return nil, fmt.Errorf("unknown User field %s", name)
 }
@@ -29724,6 +29891,27 @@ func (m *UserMutation) SetField(name string, value ent.Value) error {
 		}
 		m.SetTotpEnabledAt(v)
 		return nil
+	case user.FieldBalanceNotifyEnabled:
+		v, ok := value.(bool)
+		if !ok {
+			return fmt.Errorf("unexpected type %T for field %s", value, name)
+		}
+		m.SetBalanceNotifyEnabled(v)
+		return nil
+	case user.FieldBalanceNotifyThreshold:
+		v, ok := value.(float64)
+		if !ok {
+			return fmt.Errorf("unexpected type %T for field %s", value, name)
+		}
+		m.SetBalanceNotifyThreshold(v)
+		return nil
+	case user.FieldBalanceNotifyExtraEmails:
+		v, ok := value.(string)
+		if !ok {
+			return fmt.Errorf("unexpected type %T for field %s", value, name)
+		}
+		m.SetBalanceNotifyExtraEmails(v)
+		return nil
 	}
 	return fmt.Errorf("unknown User field %s", name)
 }
@@ -29738,6 +29926,9 @@ func (m *UserMutation) AddedFields() []string {
 	if m.addconcurrency != nil {
 		fields = append(fields, user.FieldConcurrency)
 	}
+	if m.addbalance_notify_threshold != nil {
+		fields = append(fields, user.FieldBalanceNotifyThreshold)
+	}
 	return fields
 }
 
@@ -29750,6 +29941,8 @@ func (m *UserMutation) AddedField(name string) (ent.Value, bool) {
 		return m.AddedBalance()
 	case user.FieldConcurrency:
 		return m.AddedConcurrency()
+	case user.FieldBalanceNotifyThreshold:
+		return m.AddedBalanceNotifyThreshold()
 	}
 	return nil, false
 }
@@ -29773,6 +29966,13 @@ func (m *UserMutation) AddField(name string, value ent.Value) error {
 		}
 		m.AddConcurrency(v)
 		return nil
+	case user.FieldBalanceNotifyThreshold:
+		v, ok := value.(float64)
+		if !ok {
+			return fmt.Errorf("unexpected type %T for field %s", value, name)
+		}
+		m.AddBalanceNotifyThreshold(v)
+		return nil
 	}
 	return fmt.Errorf("unknown User numeric field %s", name)
 }
@@ -29790,6 +29990,9 @@ func (m *UserMutation) ClearedFields() []string {
 	if m.FieldCleared(user.FieldTotpEnabledAt) {
 		fields = append(fields, user.FieldTotpEnabledAt)
 	}
+	if m.FieldCleared(user.FieldBalanceNotifyThreshold) {
+		fields = append(fields, user.FieldBalanceNotifyThreshold)
+	}
 	return fields
 }
 
@@ -29813,6 +30016,9 @@ func (m *UserMutation) ClearField(name string) error {
 	case user.FieldTotpEnabledAt:
 		m.ClearTotpEnabledAt()
 		return nil
+	case user.FieldBalanceNotifyThreshold:
+		m.ClearBalanceNotifyThreshold()
+		return nil
 	}
 	return fmt.Errorf("unknown User nullable field %s", name)
 }
@@ -29863,6 +30069,15 @@ func (m *UserMutation) ResetField(name string) error {
 	case user.FieldTotpEnabledAt:
 		m.ResetTotpEnabledAt()
 		return nil
+	case user.FieldBalanceNotifyEnabled:
+		m.ResetBalanceNotifyEnabled()
+		return nil
+	case user.FieldBalanceNotifyThreshold:
+		m.ResetBalanceNotifyThreshold()
+		return nil
+	case user.FieldBalanceNotifyExtraEmails:
+		m.ResetBalanceNotifyExtraEmails()
+		return nil
 	}
 	return fmt.Errorf("unknown User field %s", name)
 }
diff --git a/backend/ent/runtime/runtime.go b/backend/ent/runtime/runtime.go
index 821b7d66..a288f5d9 100644
--- a/backend/ent/runtime/runtime.go
+++ b/backend/ent/runtime/runtime.go
@@ -1293,6 +1293,14 @@ func init() {
 	userDescTotpEnabled := userFields[9].Descriptor()
 	// user.DefaultTotpEnabled holds the default value on creation for the totp_enabled field.
 	user.DefaultTotpEnabled = userDescTotpEnabled.Default.(bool)
+	// userDescBalanceNotifyEnabled is the schema descriptor for balance_notify_enabled field.
+	userDescBalanceNotifyEnabled := userFields[11].Descriptor()
+	// user.DefaultBalanceNotifyEnabled holds the default value on creation for the balance_notify_enabled field.
+	user.DefaultBalanceNotifyEnabled = userDescBalanceNotifyEnabled.Default.(bool)
+	// userDescBalanceNotifyExtraEmails is the schema descriptor for balance_notify_extra_emails field.
+	userDescBalanceNotifyExtraEmails := userFields[13].Descriptor()
+	// user.DefaultBalanceNotifyExtraEmails holds the default value on creation for the balance_notify_extra_emails field.
+	user.DefaultBalanceNotifyExtraEmails = userDescBalanceNotifyExtraEmails.Default.(string)
 	userallowedgroupFields := schema.UserAllowedGroup{}.Fields()
 	_ = userallowedgroupFields
 	// userallowedgroupDescCreatedAt is the schema descriptor for created_at field.
diff --git a/backend/ent/schema/user.go b/backend/ent/schema/user.go
index af143d38..bdaa4509 100644
--- a/backend/ent/schema/user.go
+++ b/backend/ent/schema/user.go
@@ -72,6 +72,17 @@ func (User) Fields() []ent.Field {
 		field.Time("totp_enabled_at").
 			Optional().
 			Nillable(),
+
+		// 余额不足通知
+		field.Bool("balance_notify_enabled").
+			Default(true),
+		field.Float("balance_notify_threshold").
+			SchemaType(map[string]string{dialect.Postgres: "decimal(20,8)"}).
+			Optional().
+			Nillable(),
+		field.String("balance_notify_extra_emails").
+			SchemaType(map[string]string{dialect.Postgres: "text"}).
+			Default("[]"),
 	}
 }
 
diff --git a/backend/ent/user.go b/backend/ent/user.go
index a0eef2ba..fc4ddb8f 100644
--- a/backend/ent/user.go
+++ b/backend/ent/user.go
@@ -45,6 +45,12 @@ type User struct {
 	TotpEnabled bool `json:"totp_enabled,omitempty"`
 	// TotpEnabledAt holds the value of the "totp_enabled_at" field.
 	TotpEnabledAt *time.Time `json:"totp_enabled_at,omitempty"`
+	// BalanceNotifyEnabled holds the value of the "balance_notify_enabled" field.
+	BalanceNotifyEnabled bool `json:"balance_notify_enabled,omitempty"`
+	// BalanceNotifyThreshold holds the value of the "balance_notify_threshold" field.
+	BalanceNotifyThreshold *float64 `json:"balance_notify_threshold,omitempty"`
+	// BalanceNotifyExtraEmails holds the value of the "balance_notify_extra_emails" field.
+	BalanceNotifyExtraEmails string `json:"balance_notify_extra_emails,omitempty"`
 	// Edges holds the relations/edges for other nodes in the graph.
 	// The values are being populated by the UserQuery when eager-loading is set.
 	Edges        UserEdges `json:"edges"`
@@ -184,13 +190,13 @@ func (*User) scanValues(columns []string) ([]any, error) {
 	values := make([]any, len(columns))
 	for i := range columns {
 		switch columns[i] {
-		case user.FieldTotpEnabled:
+		case user.FieldTotpEnabled, user.FieldBalanceNotifyEnabled:
 			values[i] = new(sql.NullBool)
-		case user.FieldBalance:
+		case user.FieldBalance, user.FieldBalanceNotifyThreshold:
 			values[i] = new(sql.NullFloat64)
 		case user.FieldID, user.FieldConcurrency:
 			values[i] = new(sql.NullInt64)
-		case user.FieldEmail, user.FieldPasswordHash, user.FieldRole, user.FieldStatus, user.FieldUsername, user.FieldNotes, user.FieldTotpSecretEncrypted:
+		case user.FieldEmail, user.FieldPasswordHash, user.FieldRole, user.FieldStatus, user.FieldUsername, user.FieldNotes, user.FieldTotpSecretEncrypted, user.FieldBalanceNotifyExtraEmails:
 			values[i] = new(sql.NullString)
 		case user.FieldCreatedAt, user.FieldUpdatedAt, user.FieldDeletedAt, user.FieldTotpEnabledAt:
 			values[i] = new(sql.NullTime)
@@ -302,6 +308,25 @@ func (_m *User) assignValues(columns []string, values []any) error {
 				_m.TotpEnabledAt = new(time.Time)
 				*_m.TotpEnabledAt = value.Time
 			}
+		case user.FieldBalanceNotifyEnabled:
+			if value, ok := values[i].(*sql.NullBool); !ok {
+				return fmt.Errorf("unexpected type %T for field balance_notify_enabled", values[i])
+			} else if value.Valid {
+				_m.BalanceNotifyEnabled = value.Bool
+			}
+		case user.FieldBalanceNotifyThreshold:
+			if value, ok := values[i].(*sql.NullFloat64); !ok {
+				return fmt.Errorf("unexpected type %T for field balance_notify_threshold", values[i])
+			} else if value.Valid {
+				_m.BalanceNotifyThreshold = new(float64)
+				*_m.BalanceNotifyThreshold = value.Float64
+			}
+		case user.FieldBalanceNotifyExtraEmails:
+			if value, ok := values[i].(*sql.NullString); !ok {
+				return fmt.Errorf("unexpected type %T for field balance_notify_extra_emails", values[i])
+			} else if value.Valid {
+				_m.BalanceNotifyExtraEmails = value.String
+			}
 		default:
 			_m.selectValues.Set(columns[i], values[i])
 		}
@@ -440,6 +465,17 @@ func (_m *User) String() string {
 		builder.WriteString("totp_enabled_at=")
 		builder.WriteString(v.Format(time.ANSIC))
 	}
+	builder.WriteString(", ")
+	builder.WriteString("balance_notify_enabled=")
+	builder.WriteString(fmt.Sprintf("%v", _m.BalanceNotifyEnabled))
+	builder.WriteString(", ")
+	if v := _m.BalanceNotifyThreshold; v != nil {
+		builder.WriteString("balance_notify_threshold=")
+		builder.WriteString(fmt.Sprintf("%v", *v))
+	}
+	builder.WriteString(", ")
+	builder.WriteString("balance_notify_extra_emails=")
+	builder.WriteString(_m.BalanceNotifyExtraEmails)
 	builder.WriteByte(')')
 	return builder.String()
 }
diff --git a/backend/ent/user/user.go b/backend/ent/user/user.go
index 338518a8..aff37013 100644
--- a/backend/ent/user/user.go
+++ b/backend/ent/user/user.go
@@ -43,6 +43,12 @@ const (
 	FieldTotpEnabled = "totp_enabled"
 	// FieldTotpEnabledAt holds the string denoting the totp_enabled_at field in the database.
 	FieldTotpEnabledAt = "totp_enabled_at"
+	// FieldBalanceNotifyEnabled holds the string denoting the balance_notify_enabled field in the database.
+	FieldBalanceNotifyEnabled = "balance_notify_enabled"
+	// FieldBalanceNotifyThreshold holds the string denoting the balance_notify_threshold field in the database.
+	FieldBalanceNotifyThreshold = "balance_notify_threshold"
+	// FieldBalanceNotifyExtraEmails holds the string denoting the balance_notify_extra_emails field in the database.
+	FieldBalanceNotifyExtraEmails = "balance_notify_extra_emails"
 	// EdgeAPIKeys holds the string denoting the api_keys edge name in mutations.
 	EdgeAPIKeys = "api_keys"
 	// EdgeRedeemCodes holds the string denoting the redeem_codes edge name in mutations.
@@ -161,6 +167,9 @@ var Columns = []string{
 	FieldTotpSecretEncrypted,
 	FieldTotpEnabled,
 	FieldTotpEnabledAt,
+	FieldBalanceNotifyEnabled,
+	FieldBalanceNotifyThreshold,
+	FieldBalanceNotifyExtraEmails,
 }
 
 var (
@@ -217,6 +226,10 @@ var (
 	DefaultNotes string
 	// DefaultTotpEnabled holds the default value on creation for the "totp_enabled" field.
 	DefaultTotpEnabled bool
+	// DefaultBalanceNotifyEnabled holds the default value on creation for the "balance_notify_enabled" field.
+	DefaultBalanceNotifyEnabled bool
+	// DefaultBalanceNotifyExtraEmails holds the default value on creation for the "balance_notify_extra_emails" field.
+	DefaultBalanceNotifyExtraEmails string
 )
 
 // OrderOption defines the ordering options for the User queries.
@@ -297,6 +310,21 @@ func ByTotpEnabledAt(opts ...sql.OrderTermOption) OrderOption {
 	return sql.OrderByField(FieldTotpEnabledAt, opts...).ToFunc()
 }
 
+// ByBalanceNotifyEnabled orders the results by the balance_notify_enabled field.
+func ByBalanceNotifyEnabled(opts ...sql.OrderTermOption) OrderOption {
+	return sql.OrderByField(FieldBalanceNotifyEnabled, opts...).ToFunc()
+}
+
+// ByBalanceNotifyThreshold orders the results by the balance_notify_threshold field.
+func ByBalanceNotifyThreshold(opts ...sql.OrderTermOption) OrderOption {
+	return sql.OrderByField(FieldBalanceNotifyThreshold, opts...).ToFunc()
+}
+
+// ByBalanceNotifyExtraEmails orders the results by the balance_notify_extra_emails field.
+func ByBalanceNotifyExtraEmails(opts ...sql.OrderTermOption) OrderOption {
+	return sql.OrderByField(FieldBalanceNotifyExtraEmails, opts...).ToFunc()
+}
+
 // ByAPIKeysCount orders the results by api_keys count.
 func ByAPIKeysCount(opts ...sql.OrderTermOption) OrderOption {
 	return func(s *sql.Selector) {
diff --git a/backend/ent/user/where.go b/backend/ent/user/where.go
index b1d1000f..11a0318f 100644
--- a/backend/ent/user/where.go
+++ b/backend/ent/user/where.go
@@ -125,6 +125,21 @@ func TotpEnabledAt(v time.Time) predicate.User {
 	return predicate.User(sql.FieldEQ(FieldTotpEnabledAt, v))
 }
 
+// BalanceNotifyEnabled applies equality check predicate on the "balance_notify_enabled" field. It's identical to BalanceNotifyEnabledEQ.
+func BalanceNotifyEnabled(v bool) predicate.User {
+	return predicate.User(sql.FieldEQ(FieldBalanceNotifyEnabled, v))
+}
+
+// BalanceNotifyThreshold applies equality check predicate on the "balance_notify_threshold" field. It's identical to BalanceNotifyThresholdEQ.
+func BalanceNotifyThreshold(v float64) predicate.User {
+	return predicate.User(sql.FieldEQ(FieldBalanceNotifyThreshold, v))
+}
+
+// BalanceNotifyExtraEmails applies equality check predicate on the "balance_notify_extra_emails" field. It's identical to BalanceNotifyExtraEmailsEQ.
+func BalanceNotifyExtraEmails(v string) predicate.User {
+	return predicate.User(sql.FieldEQ(FieldBalanceNotifyExtraEmails, v))
+}
+
 // CreatedAtEQ applies the EQ predicate on the "created_at" field.
 func CreatedAtEQ(v time.Time) predicate.User {
 	return predicate.User(sql.FieldEQ(FieldCreatedAt, v))
@@ -860,6 +875,131 @@ func TotpEnabledAtNotNil() predicate.User {
 	return predicate.User(sql.FieldNotNull(FieldTotpEnabledAt))
 }
 
+// BalanceNotifyEnabledEQ applies the EQ predicate on the "balance_notify_enabled" field.
+func BalanceNotifyEnabledEQ(v bool) predicate.User {
+	return predicate.User(sql.FieldEQ(FieldBalanceNotifyEnabled, v))
+}
+
+// BalanceNotifyEnabledNEQ applies the NEQ predicate on the "balance_notify_enabled" field.
+func BalanceNotifyEnabledNEQ(v bool) predicate.User {
+	return predicate.User(sql.FieldNEQ(FieldBalanceNotifyEnabled, v))
+}
+
+// BalanceNotifyThresholdEQ applies the EQ predicate on the "balance_notify_threshold" field.
+func BalanceNotifyThresholdEQ(v float64) predicate.User {
+	return predicate.User(sql.FieldEQ(FieldBalanceNotifyThreshold, v))
+}
+
+// BalanceNotifyThresholdNEQ applies the NEQ predicate on the "balance_notify_threshold" field.
+func BalanceNotifyThresholdNEQ(v float64) predicate.User {
+	return predicate.User(sql.FieldNEQ(FieldBalanceNotifyThreshold, v))
+}
+
+// BalanceNotifyThresholdIn applies the In predicate on the "balance_notify_threshold" field.
+func BalanceNotifyThresholdIn(vs ...float64) predicate.User {
+	return predicate.User(sql.FieldIn(FieldBalanceNotifyThreshold, vs...))
+}
+
+// BalanceNotifyThresholdNotIn applies the NotIn predicate on the "balance_notify_threshold" field.
+func BalanceNotifyThresholdNotIn(vs ...float64) predicate.User {
+	return predicate.User(sql.FieldNotIn(FieldBalanceNotifyThreshold, vs...))
+}
+
+// BalanceNotifyThresholdGT applies the GT predicate on the "balance_notify_threshold" field.
+func BalanceNotifyThresholdGT(v float64) predicate.User {
+	return predicate.User(sql.FieldGT(FieldBalanceNotifyThreshold, v))
+}
+
+// BalanceNotifyThresholdGTE applies the GTE predicate on the "balance_notify_threshold" field.
+func BalanceNotifyThresholdGTE(v float64) predicate.User {
+	return predicate.User(sql.FieldGTE(FieldBalanceNotifyThreshold, v))
+}
+
+// BalanceNotifyThresholdLT applies the LT predicate on the "balance_notify_threshold" field.
+func BalanceNotifyThresholdLT(v float64) predicate.User {
+	return predicate.User(sql.FieldLT(FieldBalanceNotifyThreshold, v))
+}
+
+// BalanceNotifyThresholdLTE applies the LTE predicate on the "balance_notify_threshold" field.
+func BalanceNotifyThresholdLTE(v float64) predicate.User {
+	return predicate.User(sql.FieldLTE(FieldBalanceNotifyThreshold, v))
+}
+
+// BalanceNotifyThresholdIsNil applies the IsNil predicate on the "balance_notify_threshold" field.
+func BalanceNotifyThresholdIsNil() predicate.User {
+	return predicate.User(sql.FieldIsNull(FieldBalanceNotifyThreshold))
+}
+
+// BalanceNotifyThresholdNotNil applies the NotNil predicate on the "balance_notify_threshold" field.
+func BalanceNotifyThresholdNotNil() predicate.User {
+	return predicate.User(sql.FieldNotNull(FieldBalanceNotifyThreshold))
+}
+
+// BalanceNotifyExtraEmailsEQ applies the EQ predicate on the "balance_notify_extra_emails" field.
+func BalanceNotifyExtraEmailsEQ(v string) predicate.User {
+	return predicate.User(sql.FieldEQ(FieldBalanceNotifyExtraEmails, v))
+}
+
+// BalanceNotifyExtraEmailsNEQ applies the NEQ predicate on the "balance_notify_extra_emails" field.
+func BalanceNotifyExtraEmailsNEQ(v string) predicate.User {
+	return predicate.User(sql.FieldNEQ(FieldBalanceNotifyExtraEmails, v))
+}
+
+// BalanceNotifyExtraEmailsIn applies the In predicate on the "balance_notify_extra_emails" field.
+func BalanceNotifyExtraEmailsIn(vs ...string) predicate.User {
+	return predicate.User(sql.FieldIn(FieldBalanceNotifyExtraEmails, vs...))
+}
+
+// BalanceNotifyExtraEmailsNotIn applies the NotIn predicate on the "balance_notify_extra_emails" field.
+func BalanceNotifyExtraEmailsNotIn(vs ...string) predicate.User {
+	return predicate.User(sql.FieldNotIn(FieldBalanceNotifyExtraEmails, vs...))
+}
+
+// BalanceNotifyExtraEmailsGT applies the GT predicate on the "balance_notify_extra_emails" field.
+func BalanceNotifyExtraEmailsGT(v string) predicate.User {
+	return predicate.User(sql.FieldGT(FieldBalanceNotifyExtraEmails, v))
+}
+
+// BalanceNotifyExtraEmailsGTE applies the GTE predicate on the "balance_notify_extra_emails" field.
+func BalanceNotifyExtraEmailsGTE(v string) predicate.User {
+	return predicate.User(sql.FieldGTE(FieldBalanceNotifyExtraEmails, v))
+}
+
+// BalanceNotifyExtraEmailsLT applies the LT predicate on the "balance_notify_extra_emails" field.
+func BalanceNotifyExtraEmailsLT(v string) predicate.User {
+	return predicate.User(sql.FieldLT(FieldBalanceNotifyExtraEmails, v))
+}
+
+// BalanceNotifyExtraEmailsLTE applies the LTE predicate on the "balance_notify_extra_emails" field.
+func BalanceNotifyExtraEmailsLTE(v string) predicate.User {
+	return predicate.User(sql.FieldLTE(FieldBalanceNotifyExtraEmails, v))
+}
+
+// BalanceNotifyExtraEmailsContains applies the Contains predicate on the "balance_notify_extra_emails" field.
+func BalanceNotifyExtraEmailsContains(v string) predicate.User {
+	return predicate.User(sql.FieldContains(FieldBalanceNotifyExtraEmails, v))
+}
+
+// BalanceNotifyExtraEmailsHasPrefix applies the HasPrefix predicate on the "balance_notify_extra_emails" field.
+func BalanceNotifyExtraEmailsHasPrefix(v string) predicate.User {
+	return predicate.User(sql.FieldHasPrefix(FieldBalanceNotifyExtraEmails, v))
+}
+
+// BalanceNotifyExtraEmailsHasSuffix applies the HasSuffix predicate on the "balance_notify_extra_emails" field.
+func BalanceNotifyExtraEmailsHasSuffix(v string) predicate.User {
+	return predicate.User(sql.FieldHasSuffix(FieldBalanceNotifyExtraEmails, v))
+}
+
+// BalanceNotifyExtraEmailsEqualFold applies the EqualFold predicate on the "balance_notify_extra_emails" field.
+func BalanceNotifyExtraEmailsEqualFold(v string) predicate.User {
+	return predicate.User(sql.FieldEqualFold(FieldBalanceNotifyExtraEmails, v))
+}
+
+// BalanceNotifyExtraEmailsContainsFold applies the ContainsFold predicate on the "balance_notify_extra_emails" field.
+func BalanceNotifyExtraEmailsContainsFold(v string) predicate.User {
+	return predicate.User(sql.FieldContainsFold(FieldBalanceNotifyExtraEmails, v))
+}
+
 // HasAPIKeys applies the HasEdge predicate on the "api_keys" edge.
 func HasAPIKeys() predicate.User {
 	return predicate.User(func(s *sql.Selector) {
diff --git a/backend/ent/user_create.go b/backend/ent/user_create.go
index 7f1c5df1..955fde72 100644
--- a/backend/ent/user_create.go
+++ b/backend/ent/user_create.go
@@ -211,6 +211,48 @@ func (_c *UserCreate) SetNillableTotpEnabledAt(v *time.Time) *UserCreate {
 	return _c
 }
 
+// SetBalanceNotifyEnabled sets the "balance_notify_enabled" field.
+func (_c *UserCreate) SetBalanceNotifyEnabled(v bool) *UserCreate {
+	_c.mutation.SetBalanceNotifyEnabled(v)
+	return _c
+}
+
+// SetNillableBalanceNotifyEnabled sets the "balance_notify_enabled" field if the given value is not nil.
+func (_c *UserCreate) SetNillableBalanceNotifyEnabled(v *bool) *UserCreate {
+	if v != nil {
+		_c.SetBalanceNotifyEnabled(*v)
+	}
+	return _c
+}
+
+// SetBalanceNotifyThreshold sets the "balance_notify_threshold" field.
+func (_c *UserCreate) SetBalanceNotifyThreshold(v float64) *UserCreate {
+	_c.mutation.SetBalanceNotifyThreshold(v)
+	return _c
+}
+
+// SetNillableBalanceNotifyThreshold sets the "balance_notify_threshold" field if the given value is not nil.
+func (_c *UserCreate) SetNillableBalanceNotifyThreshold(v *float64) *UserCreate {
+	if v != nil {
+		_c.SetBalanceNotifyThreshold(*v)
+	}
+	return _c
+}
+
+// SetBalanceNotifyExtraEmails sets the "balance_notify_extra_emails" field.
+func (_c *UserCreate) SetBalanceNotifyExtraEmails(v string) *UserCreate {
+	_c.mutation.SetBalanceNotifyExtraEmails(v)
+	return _c
+}
+
+// SetNillableBalanceNotifyExtraEmails sets the "balance_notify_extra_emails" field if the given value is not nil.
+func (_c *UserCreate) SetNillableBalanceNotifyExtraEmails(v *string) *UserCreate {
+	if v != nil {
+		_c.SetBalanceNotifyExtraEmails(*v)
+	}
+	return _c
+}
+
 // AddAPIKeyIDs adds the "api_keys" edge to the APIKey entity by IDs.
 func (_c *UserCreate) AddAPIKeyIDs(ids ...int64) *UserCreate {
 	_c.mutation.AddAPIKeyIDs(ids...)
@@ -440,6 +482,14 @@ func (_c *UserCreate) defaults() error {
 		v := user.DefaultTotpEnabled
 		_c.mutation.SetTotpEnabled(v)
 	}
+	if _, ok := _c.mutation.BalanceNotifyEnabled(); !ok {
+		v := user.DefaultBalanceNotifyEnabled
+		_c.mutation.SetBalanceNotifyEnabled(v)
+	}
+	if _, ok := _c.mutation.BalanceNotifyExtraEmails(); !ok {
+		v := user.DefaultBalanceNotifyExtraEmails
+		_c.mutation.SetBalanceNotifyExtraEmails(v)
+	}
 	return nil
 }
 
@@ -503,6 +553,12 @@ func (_c *UserCreate) check() error {
 	if _, ok := _c.mutation.TotpEnabled(); !ok {
 		return &ValidationError{Name: "totp_enabled", err: errors.New(`ent: missing required field "User.totp_enabled"`)}
 	}
+	if _, ok := _c.mutation.BalanceNotifyEnabled(); !ok {
+		return &ValidationError{Name: "balance_notify_enabled", err: errors.New(`ent: missing required field "User.balance_notify_enabled"`)}
+	}
+	if _, ok := _c.mutation.BalanceNotifyExtraEmails(); !ok {
+		return &ValidationError{Name: "balance_notify_extra_emails", err: errors.New(`ent: missing required field "User.balance_notify_extra_emails"`)}
+	}
 	return nil
 }
 
@@ -586,6 +642,18 @@ func (_c *UserCreate) createSpec() (*User, *sqlgraph.CreateSpec) {
 		_spec.SetField(user.FieldTotpEnabledAt, field.TypeTime, value)
 		_node.TotpEnabledAt = &value
 	}
+	if value, ok := _c.mutation.BalanceNotifyEnabled(); ok {
+		_spec.SetField(user.FieldBalanceNotifyEnabled, field.TypeBool, value)
+		_node.BalanceNotifyEnabled = value
+	}
+	if value, ok := _c.mutation.BalanceNotifyThreshold(); ok {
+		_spec.SetField(user.FieldBalanceNotifyThreshold, field.TypeFloat64, value)
+		_node.BalanceNotifyThreshold = &value
+	}
+	if value, ok := _c.mutation.BalanceNotifyExtraEmails(); ok {
+		_spec.SetField(user.FieldBalanceNotifyExtraEmails, field.TypeString, value)
+		_node.BalanceNotifyExtraEmails = value
+	}
 	if nodes := _c.mutation.APIKeysIDs(); len(nodes) > 0 {
 		edge := &sqlgraph.EdgeSpec{
 			Rel:     sqlgraph.O2M,
@@ -988,6 +1056,54 @@ func (u *UserUpsert) ClearTotpEnabledAt() *UserUpsert {
 	return u
 }
 
+// SetBalanceNotifyEnabled sets the "balance_notify_enabled" field.
+func (u *UserUpsert) SetBalanceNotifyEnabled(v bool) *UserUpsert {
+	u.Set(user.FieldBalanceNotifyEnabled, v)
+	return u
+}
+
+// UpdateBalanceNotifyEnabled sets the "balance_notify_enabled" field to the value that was provided on create.
+func (u *UserUpsert) UpdateBalanceNotifyEnabled() *UserUpsert {
+	u.SetExcluded(user.FieldBalanceNotifyEnabled)
+	return u
+}
+
+// SetBalanceNotifyThreshold sets the "balance_notify_threshold" field.
+func (u *UserUpsert) SetBalanceNotifyThreshold(v float64) *UserUpsert {
+	u.Set(user.FieldBalanceNotifyThreshold, v)
+	return u
+}
+
+// UpdateBalanceNotifyThreshold sets the "balance_notify_threshold" field to the value that was provided on create.
+func (u *UserUpsert) UpdateBalanceNotifyThreshold() *UserUpsert {
+	u.SetExcluded(user.FieldBalanceNotifyThreshold)
+	return u
+}
+
+// AddBalanceNotifyThreshold adds v to the "balance_notify_threshold" field.
+func (u *UserUpsert) AddBalanceNotifyThreshold(v float64) *UserUpsert {
+	u.Add(user.FieldBalanceNotifyThreshold, v)
+	return u
+}
+
+// ClearBalanceNotifyThreshold clears the value of the "balance_notify_threshold" field.
+func (u *UserUpsert) ClearBalanceNotifyThreshold() *UserUpsert {
+	u.SetNull(user.FieldBalanceNotifyThreshold)
+	return u
+}
+
+// SetBalanceNotifyExtraEmails sets the "balance_notify_extra_emails" field.
+func (u *UserUpsert) SetBalanceNotifyExtraEmails(v string) *UserUpsert {
+	u.Set(user.FieldBalanceNotifyExtraEmails, v)
+	return u
+}
+
+// UpdateBalanceNotifyExtraEmails sets the "balance_notify_extra_emails" field to the value that was provided on create.
+func (u *UserUpsert) UpdateBalanceNotifyExtraEmails() *UserUpsert {
+	u.SetExcluded(user.FieldBalanceNotifyExtraEmails)
+	return u
+}
+
 // UpdateNewValues updates the mutable fields using the new values that were set on create.
 // Using this option is equivalent to using:
 //
@@ -1250,6 +1366,62 @@ func (u *UserUpsertOne) ClearTotpEnabledAt() *UserUpsertOne {
 	})
 }
 
+// SetBalanceNotifyEnabled sets the "balance_notify_enabled" field.
+func (u *UserUpsertOne) SetBalanceNotifyEnabled(v bool) *UserUpsertOne {
+	return u.Update(func(s *UserUpsert) {
+		s.SetBalanceNotifyEnabled(v)
+	})
+}
+
+// UpdateBalanceNotifyEnabled sets the "balance_notify_enabled" field to the value that was provided on create.
+func (u *UserUpsertOne) UpdateBalanceNotifyEnabled() *UserUpsertOne {
+	return u.Update(func(s *UserUpsert) {
+		s.UpdateBalanceNotifyEnabled()
+	})
+}
+
+// SetBalanceNotifyThreshold sets the "balance_notify_threshold" field.
+func (u *UserUpsertOne) SetBalanceNotifyThreshold(v float64) *UserUpsertOne {
+	return u.Update(func(s *UserUpsert) {
+		s.SetBalanceNotifyThreshold(v)
+	})
+}
+
+// AddBalanceNotifyThreshold adds v to the "balance_notify_threshold" field.
+func (u *UserUpsertOne) AddBalanceNotifyThreshold(v float64) *UserUpsertOne {
+	return u.Update(func(s *UserUpsert) {
+		s.AddBalanceNotifyThreshold(v)
+	})
+}
+
+// UpdateBalanceNotifyThreshold sets the "balance_notify_threshold" field to the value that was provided on create.
+func (u *UserUpsertOne) UpdateBalanceNotifyThreshold() *UserUpsertOne {
+	return u.Update(func(s *UserUpsert) {
+		s.UpdateBalanceNotifyThreshold()
+	})
+}
+
+// ClearBalanceNotifyThreshold clears the value of the "balance_notify_threshold" field.
+func (u *UserUpsertOne) ClearBalanceNotifyThreshold() *UserUpsertOne {
+	return u.Update(func(s *UserUpsert) {
+		s.ClearBalanceNotifyThreshold()
+	})
+}
+
+// SetBalanceNotifyExtraEmails sets the "balance_notify_extra_emails" field.
+func (u *UserUpsertOne) SetBalanceNotifyExtraEmails(v string) *UserUpsertOne {
+	return u.Update(func(s *UserUpsert) {
+		s.SetBalanceNotifyExtraEmails(v)
+	})
+}
+
+// UpdateBalanceNotifyExtraEmails sets the "balance_notify_extra_emails" field to the value that was provided on create.
+func (u *UserUpsertOne) UpdateBalanceNotifyExtraEmails() *UserUpsertOne {
+	return u.Update(func(s *UserUpsert) {
+		s.UpdateBalanceNotifyExtraEmails()
+	})
+}
+
 // Exec executes the query.
 func (u *UserUpsertOne) Exec(ctx context.Context) error {
 	if len(u.create.conflict) == 0 {
@@ -1678,6 +1850,62 @@ func (u *UserUpsertBulk) ClearTotpEnabledAt() *UserUpsertBulk {
 	})
 }
 
+// SetBalanceNotifyEnabled sets the "balance_notify_enabled" field.
+func (u *UserUpsertBulk) SetBalanceNotifyEnabled(v bool) *UserUpsertBulk {
+	return u.Update(func(s *UserUpsert) {
+		s.SetBalanceNotifyEnabled(v)
+	})
+}
+
+// UpdateBalanceNotifyEnabled sets the "balance_notify_enabled" field to the value that was provided on create.
+func (u *UserUpsertBulk) UpdateBalanceNotifyEnabled() *UserUpsertBulk {
+	return u.Update(func(s *UserUpsert) {
+		s.UpdateBalanceNotifyEnabled()
+	})
+}
+
+// SetBalanceNotifyThreshold sets the "balance_notify_threshold" field.
+func (u *UserUpsertBulk) SetBalanceNotifyThreshold(v float64) *UserUpsertBulk {
+	return u.Update(func(s *UserUpsert) {
+		s.SetBalanceNotifyThreshold(v)
+	})
+}
+
+// AddBalanceNotifyThreshold adds v to the "balance_notify_threshold" field.
+func (u *UserUpsertBulk) AddBalanceNotifyThreshold(v float64) *UserUpsertBulk {
+	return u.Update(func(s *UserUpsert) {
+		s.AddBalanceNotifyThreshold(v)
+	})
+}
+
+// UpdateBalanceNotifyThreshold sets the "balance_notify_threshold" field to the value that was provided on create.
+func (u *UserUpsertBulk) UpdateBalanceNotifyThreshold() *UserUpsertBulk {
+	return u.Update(func(s *UserUpsert) {
+		s.UpdateBalanceNotifyThreshold()
+	})
+}
+
+// ClearBalanceNotifyThreshold clears the value of the "balance_notify_threshold" field.
+func (u *UserUpsertBulk) ClearBalanceNotifyThreshold() *UserUpsertBulk {
+	return u.Update(func(s *UserUpsert) {
+		s.ClearBalanceNotifyThreshold()
+	})
+}
+
+// SetBalanceNotifyExtraEmails sets the "balance_notify_extra_emails" field.
+func (u *UserUpsertBulk) SetBalanceNotifyExtraEmails(v string) *UserUpsertBulk {
+	return u.Update(func(s *UserUpsert) {
+		s.SetBalanceNotifyExtraEmails(v)
+	})
+}
+
+// UpdateBalanceNotifyExtraEmails sets the "balance_notify_extra_emails" field to the value that was provided on create.
+func (u *UserUpsertBulk) UpdateBalanceNotifyExtraEmails() *UserUpsertBulk {
+	return u.Update(func(s *UserUpsert) {
+		s.UpdateBalanceNotifyExtraEmails()
+	})
+}
+
 // Exec executes the query.
 func (u *UserUpsertBulk) Exec(ctx context.Context) error {
 	if u.create.err != nil {
diff --git a/backend/ent/user_update.go b/backend/ent/user_update.go
index 8107c980..823df0b6 100644
--- a/backend/ent/user_update.go
+++ b/backend/ent/user_update.go
@@ -243,6 +243,61 @@ func (_u *UserUpdate) ClearTotpEnabledAt() *UserUpdate {
 	return _u
 }
 
+// SetBalanceNotifyEnabled sets the "balance_notify_enabled" field.
+func (_u *UserUpdate) SetBalanceNotifyEnabled(v bool) *UserUpdate {
+	_u.mutation.SetBalanceNotifyEnabled(v)
+	return _u
+}
+
+// SetNillableBalanceNotifyEnabled sets the "balance_notify_enabled" field if the given value is not nil.
+func (_u *UserUpdate) SetNillableBalanceNotifyEnabled(v *bool) *UserUpdate {
+	if v != nil {
+		_u.SetBalanceNotifyEnabled(*v)
+	}
+	return _u
+}
+
+// SetBalanceNotifyThreshold sets the "balance_notify_threshold" field.
+func (_u *UserUpdate) SetBalanceNotifyThreshold(v float64) *UserUpdate {
+	_u.mutation.ResetBalanceNotifyThreshold()
+	_u.mutation.SetBalanceNotifyThreshold(v)
+	return _u
+}
+
+// SetNillableBalanceNotifyThreshold sets the "balance_notify_threshold" field if the given value is not nil.
+func (_u *UserUpdate) SetNillableBalanceNotifyThreshold(v *float64) *UserUpdate {
+	if v != nil {
+		_u.SetBalanceNotifyThreshold(*v)
+	}
+	return _u
+}
+
+// AddBalanceNotifyThreshold adds value to the "balance_notify_threshold" field.
+func (_u *UserUpdate) AddBalanceNotifyThreshold(v float64) *UserUpdate {
+	_u.mutation.AddBalanceNotifyThreshold(v)
+	return _u
+}
+
+// ClearBalanceNotifyThreshold clears the value of the "balance_notify_threshold" field.
+func (_u *UserUpdate) ClearBalanceNotifyThreshold() *UserUpdate {
+	_u.mutation.ClearBalanceNotifyThreshold()
+	return _u
+}
+
+// SetBalanceNotifyExtraEmails sets the "balance_notify_extra_emails" field.
+func (_u *UserUpdate) SetBalanceNotifyExtraEmails(v string) *UserUpdate {
+	_u.mutation.SetBalanceNotifyExtraEmails(v)
+	return _u
+}
+
+// SetNillableBalanceNotifyExtraEmails sets the "balance_notify_extra_emails" field if the given value is not nil.
+func (_u *UserUpdate) SetNillableBalanceNotifyExtraEmails(v *string) *UserUpdate {
+	if v != nil {
+		_u.SetBalanceNotifyExtraEmails(*v)
+	}
+	return _u
+}
+
 // AddAPIKeyIDs adds the "api_keys" edge to the APIKey entity by IDs.
 func (_u *UserUpdate) AddAPIKeyIDs(ids ...int64) *UserUpdate {
 	_u.mutation.AddAPIKeyIDs(ids...)
@@ -746,6 +801,21 @@ func (_u *UserUpdate) sqlSave(ctx context.Context) (_node int, err error) {
 	if _u.mutation.TotpEnabledAtCleared() {
 		_spec.ClearField(user.FieldTotpEnabledAt, field.TypeTime)
 	}
+	if value, ok := _u.mutation.BalanceNotifyEnabled(); ok {
+		_spec.SetField(user.FieldBalanceNotifyEnabled, field.TypeBool, value)
+	}
+	if value, ok := _u.mutation.BalanceNotifyThreshold(); ok {
+		_spec.SetField(user.FieldBalanceNotifyThreshold, field.TypeFloat64, value)
+	}
+	if value, ok := _u.mutation.AddedBalanceNotifyThreshold(); ok {
+		_spec.AddField(user.FieldBalanceNotifyThreshold, field.TypeFloat64, value)
+	}
+	if _u.mutation.BalanceNotifyThresholdCleared() {
+		_spec.ClearField(user.FieldBalanceNotifyThreshold, field.TypeFloat64)
+	}
+	if value, ok := _u.mutation.BalanceNotifyExtraEmails(); ok {
+		_spec.SetField(user.FieldBalanceNotifyExtraEmails, field.TypeString, value)
+	}
 	if _u.mutation.APIKeysCleared() {
 		edge := &sqlgraph.EdgeSpec{
 			Rel:     sqlgraph.O2M,
@@ -1434,6 +1504,61 @@ func (_u *UserUpdateOne) ClearTotpEnabledAt() *UserUpdateOne {
 	return _u
 }
 
+// SetBalanceNotifyEnabled sets the "balance_notify_enabled" field.
+func (_u *UserUpdateOne) SetBalanceNotifyEnabled(v bool) *UserUpdateOne {
+	_u.mutation.SetBalanceNotifyEnabled(v)
+	return _u
+}
+
+// SetNillableBalanceNotifyEnabled sets the "balance_notify_enabled" field if the given value is not nil.
+func (_u *UserUpdateOne) SetNillableBalanceNotifyEnabled(v *bool) *UserUpdateOne {
+	if v != nil {
+		_u.SetBalanceNotifyEnabled(*v)
+	}
+	return _u
+}
+
+// SetBalanceNotifyThreshold sets the "balance_notify_threshold" field.
+func (_u *UserUpdateOne) SetBalanceNotifyThreshold(v float64) *UserUpdateOne {
+	_u.mutation.ResetBalanceNotifyThreshold()
+	_u.mutation.SetBalanceNotifyThreshold(v)
+	return _u
+}
+
+// SetNillableBalanceNotifyThreshold sets the "balance_notify_threshold" field if the given value is not nil.
+func (_u *UserUpdateOne) SetNillableBalanceNotifyThreshold(v *float64) *UserUpdateOne {
+	if v != nil {
+		_u.SetBalanceNotifyThreshold(*v)
+	}
+	return _u
+}
+
+// AddBalanceNotifyThreshold adds value to the "balance_notify_threshold" field.
+func (_u *UserUpdateOne) AddBalanceNotifyThreshold(v float64) *UserUpdateOne {
+	_u.mutation.AddBalanceNotifyThreshold(v)
+	return _u
+}
+
+// ClearBalanceNotifyThreshold clears the value of the "balance_notify_threshold" field.
+func (_u *UserUpdateOne) ClearBalanceNotifyThreshold() *UserUpdateOne {
+	_u.mutation.ClearBalanceNotifyThreshold()
+	return _u
+}
+
+// SetBalanceNotifyExtraEmails sets the "balance_notify_extra_emails" field.
+func (_u *UserUpdateOne) SetBalanceNotifyExtraEmails(v string) *UserUpdateOne {
+	_u.mutation.SetBalanceNotifyExtraEmails(v)
+	return _u
+}
+
+// SetNillableBalanceNotifyExtraEmails sets the "balance_notify_extra_emails" field if the given value is not nil.
+func (_u *UserUpdateOne) SetNillableBalanceNotifyExtraEmails(v *string) *UserUpdateOne {
+	if v != nil {
+		_u.SetBalanceNotifyExtraEmails(*v)
+	}
+	return _u
+}
+
 // AddAPIKeyIDs adds the "api_keys" edge to the APIKey entity by IDs.
 func (_u *UserUpdateOne) AddAPIKeyIDs(ids ...int64) *UserUpdateOne {
 	_u.mutation.AddAPIKeyIDs(ids...)
@@ -1967,6 +2092,21 @@ func (_u *UserUpdateOne) sqlSave(ctx context.Context) (_node *User, err error) {
 	if _u.mutation.TotpEnabledAtCleared() {
 		_spec.ClearField(user.FieldTotpEnabledAt, field.TypeTime)
 	}
+	if value, ok := _u.mutation.BalanceNotifyEnabled(); ok {
+		_spec.SetField(user.FieldBalanceNotifyEnabled, field.TypeBool, value)
+	}
+	if value, ok := _u.mutation.BalanceNotifyThreshold(); ok {
+		_spec.SetField(user.FieldBalanceNotifyThreshold, field.TypeFloat64, value)
+	}
+	if value, ok := _u.mutation.AddedBalanceNotifyThreshold(); ok {
+		_spec.AddField(user.FieldBalanceNotifyThreshold, field.TypeFloat64, value)
+	}
+	if _u.mutation.BalanceNotifyThresholdCleared() {
+		_spec.ClearField(user.FieldBalanceNotifyThreshold, field.TypeFloat64)
+	}
+	if value, ok := _u.mutation.BalanceNotifyExtraEmails(); ok {
+		_spec.SetField(user.FieldBalanceNotifyExtraEmails, field.TypeString, value)
+	}
 	if _u.mutation.APIKeysCleared() {
 		edge := &sqlgraph.EdgeSpec{
 			Rel:     sqlgraph.O2M,
diff --git a/backend/go.sum b/backend/go.sum
index e4496f2c..9312af63 100644
--- a/backend/go.sum
+++ b/backend/go.sum
@@ -183,6 +183,8 @@ github.com/icholy/digest v1.1.0 h1:HfGg9Irj7i+IX1o1QAmPfIBNu/Q5A5Tu3n/MED9k9H4=
 github.com/icholy/digest v1.1.0/go.mod h1:QNrsSGQ5v7v9cReDI0+eyjsXGUoRSUZQHeQ5C4XLa0Y=
 github.com/imroc/req/v3 v3.57.0 h1:LMTUjNRUybUkTPn8oJDq8Kg3JRBOBTcnDhKu7mzupKI=
 github.com/imroc/req/v3 v3.57.0/go.mod h1:JL62ey1nvSLq81HORNcosvlf7SxZStONNqOprg0Pz00=
+github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
+github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
 github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
@@ -218,6 +220,8 @@ github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovk
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U=
+github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/mattn/go-sqlite3 v1.14.17 h1:mCRHCLDUBXgpKAqIKsaAaAsrAlbkeomtRFKXh2L6YIM=
 github.com/mattn/go-sqlite3 v1.14.17/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg=
 github.com/mdelapenya/tlscert v0.2.0 h1:7H81W6Z/4weDvZBNOfQte5GpIMo0lGYEeWbkGp5LJHI=
@@ -251,6 +255,8 @@ github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
 github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
 github.com/ncruces/go-strftime v1.0.0 h1:HMFp8mLCTPp341M/ZnA4qaf7ZlsbTc+miZjCLOFAw7w=
 github.com/ncruces/go-strftime v1.0.0/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
+github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
+github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
@@ -280,6 +286,8 @@ github.com/refraction-networking/utls v1.8.2 h1:j4Q1gJj0xngdeH+Ox/qND11aEfhpgoEv
 github.com/refraction-networking/utls v1.8.2/go.mod h1:jkSOEkLqn+S/jtpEHPOsVv/4V4EVnelwbMQl4vCWXAM=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
+github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY=
+github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
 github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
 github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
@@ -312,6 +320,8 @@ github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8=
 github.com/spf13/afero v1.11.0/go.mod h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY=
 github.com/spf13/cast v1.6.0 h1:GEiTHELF+vaR5dhz3VqZfFSzZjYbgeKDpBxQVS4GYJ0=
 github.com/spf13/cast v1.6.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
+github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I=
+github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.18.2 h1:LUXCnvUvSM6FXAsj6nnfc8Q2tp1dIgUfY9Kc8GsSOiQ=
diff --git a/backend/internal/handler/admin/setting_handler.go b/backend/internal/handler/admin/setting_handler.go
index 031b819a..459eade9 100644
--- a/backend/internal/handler/admin/setting_handler.go
+++ b/backend/internal/handler/admin/setting_handler.go
@@ -175,7 +175,9 @@ func (h *SettingHandler) GetSettings(c *gin.Context) {
 		EnableFingerprintUnification:         settings.EnableFingerprintUnification,
 		EnableMetadataPassthrough:            settings.EnableMetadataPassthrough,
 		EnableCCHSigning:                     settings.EnableCCHSigning,
-		WebSearchEmulationEnabled:            settings.WebSearchEmulationEnabled,
+		BalanceLowNotifyEnabled:              settings.BalanceLowNotifyEnabled,
+		BalanceLowNotifyThreshold:            settings.BalanceLowNotifyThreshold,
+		AccountQuotaNotifyEmails:             settings.AccountQuotaNotifyEmails,
 		PaymentEnabled:                       paymentCfg.Enabled,
 		PaymentMinAmount:                     paymentCfg.MinAmount,
 		PaymentMaxAmount:                     paymentCfg.MaxAmount,
@@ -305,6 +307,11 @@ type UpdateSettingsRequest struct {
 	EnableMetadataPassthrough    *bool `json:"enable_metadata_passthrough"`
 	EnableCCHSigning             *bool `json:"enable_cch_signing"`
 
+	// Balance low notification
+	BalanceLowNotifyEnabled   *bool     `json:"balance_low_notify_enabled"`
+	BalanceLowNotifyThreshold *float64  `json:"balance_low_notify_threshold"`
+	AccountQuotaNotifyEmails  *[]string `json:"account_quota_notify_emails"`
+
 	// Payment configuration (integrated into settings, full replace)
 	PaymentEnabled           *bool    `json:"payment_enabled"`
 	PaymentMinAmount         *float64 `json:"payment_min_amount"`
@@ -882,6 +889,24 @@ func (h *SettingHandler) UpdateSettings(c *gin.Context) {
 			}
 			return previousSettings.EnableCCHSigning
 		}(),
+		BalanceLowNotifyEnabled: func() bool {
+			if req.BalanceLowNotifyEnabled != nil {
+				return *req.BalanceLowNotifyEnabled
+			}
+			return previousSettings.BalanceLowNotifyEnabled
+		}(),
+		BalanceLowNotifyThreshold: func() float64 {
+			if req.BalanceLowNotifyThreshold != nil {
+				return *req.BalanceLowNotifyThreshold
+			}
+			return previousSettings.BalanceLowNotifyThreshold
+		}(),
+		AccountQuotaNotifyEmails: func() []string {
+			if req.AccountQuotaNotifyEmails != nil {
+				return *req.AccountQuotaNotifyEmails
+			}
+			return previousSettings.AccountQuotaNotifyEmails
+		}(),
 	}
 
 	if err := h.settingService.UpdateSettings(c.Request.Context(), settings); err != nil {
@@ -1028,6 +1053,9 @@ func (h *SettingHandler) UpdateSettings(c *gin.Context) {
 		EnableFingerprintUnification:         updatedSettings.EnableFingerprintUnification,
 		EnableMetadataPassthrough:            updatedSettings.EnableMetadataPassthrough,
 		EnableCCHSigning:                     updatedSettings.EnableCCHSigning,
+		BalanceLowNotifyEnabled:              updatedSettings.BalanceLowNotifyEnabled,
+		BalanceLowNotifyThreshold:            updatedSettings.BalanceLowNotifyThreshold,
+		AccountQuotaNotifyEmails:             updatedSettings.AccountQuotaNotifyEmails,
 		PaymentEnabled:                       updatedPaymentCfg.Enabled,
 		PaymentMinAmount:                     updatedPaymentCfg.MinAmount,
 		PaymentMaxAmount:                     updatedPaymentCfg.MaxAmount,
@@ -1848,37 +1876,3 @@ func (h *SettingHandler) UpdateStreamTimeoutSettings(c *gin.Context) {
 		ThresholdWindowMinutes: updatedSettings.ThresholdWindowMinutes,
 	})
 }
-
-// GetWebSearchEmulationConfig 获取 Web Search 模拟配置
-// GET /api/v1/admin/settings/web-search-emulation
-func (h *SettingHandler) GetWebSearchEmulationConfig(c *gin.Context) {
-	cfg, err := h.settingService.GetWebSearchEmulationConfig(c.Request.Context())
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-	response.Success(c, service.SanitizeWebSearchConfig(cfg))
-}
-
-// UpdateWebSearchEmulationConfig 更新 Web Search 模拟配置
-// PUT /api/v1/admin/settings/web-search-emulation
-func (h *SettingHandler) UpdateWebSearchEmulationConfig(c *gin.Context) {
-	var cfg service.WebSearchEmulationConfig
-	if err := c.ShouldBindJSON(&cfg); err != nil {
-		response.BadRequest(c, "Invalid request: "+err.Error())
-		return
-	}
-
-	if err := h.settingService.SaveWebSearchEmulationConfig(c.Request.Context(), &cfg); err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	// Re-read (with sanitized api keys) to return current state
-	updated, err := h.settingService.GetWebSearchEmulationConfig(c.Request.Context())
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-	response.Success(c, service.SanitizeWebSearchConfig(updated))
-}
diff --git a/backend/internal/handler/dto/mappers.go b/backend/internal/handler/dto/mappers.go
index 478600eb..a465c7fb 100644
--- a/backend/internal/handler/dto/mappers.go
+++ b/backend/internal/handler/dto/mappers.go
@@ -13,16 +13,19 @@ func UserFromServiceShallow(u *service.User) *User {
 		return nil
 	}
 	return &User{
-		ID:            u.ID,
-		Email:         u.Email,
-		Username:      u.Username,
-		Role:          u.Role,
-		Balance:       u.Balance,
-		Concurrency:   u.Concurrency,
-		Status:        u.Status,
-		AllowedGroups: u.AllowedGroups,
-		CreatedAt:     u.CreatedAt,
-		UpdatedAt:     u.UpdatedAt,
+		ID:                       u.ID,
+		Email:                    u.Email,
+		Username:                 u.Username,
+		Role:                     u.Role,
+		Balance:                  u.Balance,
+		Concurrency:              u.Concurrency,
+		Status:                   u.Status,
+		AllowedGroups:            u.AllowedGroups,
+		CreatedAt:                u.CreatedAt,
+		UpdatedAt:                u.UpdatedAt,
+		BalanceNotifyEnabled:     u.BalanceNotifyEnabled,
+		BalanceNotifyThreshold:   u.BalanceNotifyThreshold,
+		BalanceNotifyExtraEmails: u.BalanceNotifyExtraEmails,
 	}
 }
 
@@ -322,6 +325,26 @@ func AccountFromServiceShallow(a *service.Account) *Account {
 				out.QuotaWeeklyResetAt = &v
 			}
 		}
+
+		// 配额通知配置
+		if enabled := a.GetQuotaNotifyDailyEnabled(); enabled {
+			out.QuotaNotifyDailyEnabled = &enabled
+		}
+		if threshold := a.GetQuotaNotifyDailyThreshold(); threshold > 0 {
+			out.QuotaNotifyDailyThreshold = &threshold
+		}
+		if enabled := a.GetQuotaNotifyWeeklyEnabled(); enabled {
+			out.QuotaNotifyWeeklyEnabled = &enabled
+		}
+		if threshold := a.GetQuotaNotifyWeeklyThreshold(); threshold > 0 {
+			out.QuotaNotifyWeeklyThreshold = &threshold
+		}
+		if enabled := a.GetQuotaNotifyTotalEnabled(); enabled {
+			out.QuotaNotifyTotalEnabled = &enabled
+		}
+		if threshold := a.GetQuotaNotifyTotalThreshold(); threshold > 0 {
+			out.QuotaNotifyTotalThreshold = &threshold
+		}
 	}
 
 	return out
diff --git a/backend/internal/handler/dto/settings.go b/backend/internal/handler/dto/settings.go
index 0433d692..e29f72da 100644
--- a/backend/internal/handler/dto/settings.go
+++ b/backend/internal/handler/dto/settings.go
@@ -148,6 +148,11 @@ type SystemSettings struct {
 	PaymentCancelRateLimitWindow  int    `json:"payment_cancel_rate_limit_window"`
 	PaymentCancelRateLimitUnit    string `json:"payment_cancel_rate_limit_unit"`
 	PaymentCancelRateLimitMode    string `json:"payment_cancel_rate_limit_window_mode"`
+
+	// Balance low notification
+	BalanceLowNotifyEnabled   bool     `json:"balance_low_notify_enabled"`
+	BalanceLowNotifyThreshold float64  `json:"balance_low_notify_threshold"`
+	AccountQuotaNotifyEmails  []string `json:"account_quota_notify_emails"`
 }
 
 type DefaultSubscriptionSetting struct {
diff --git a/backend/internal/handler/dto/types.go b/backend/internal/handler/dto/types.go
index e026ca65..18522868 100644
--- a/backend/internal/handler/dto/types.go
+++ b/backend/internal/handler/dto/types.go
@@ -18,6 +18,11 @@ type User struct {
 	CreatedAt     time.Time `json:"created_at"`
 	UpdatedAt     time.Time `json:"updated_at"`
 
+	// 余额不足通知
+	BalanceNotifyEnabled     bool     `json:"balance_notify_enabled"`
+	BalanceNotifyThreshold   *float64 `json:"balance_notify_threshold"`
+	BalanceNotifyExtraEmails []string `json:"balance_notify_extra_emails"`
+
 	APIKeys       []APIKey           `json:"api_keys,omitempty"`
 	Subscriptions []UserSubscription `json:"subscriptions,omitempty"`
 }
@@ -218,6 +223,14 @@ type Account struct {
 	QuotaDailyResetAt    *string `json:"quota_daily_reset_at,omitempty"`
 	QuotaWeeklyResetAt   *string `json:"quota_weekly_reset_at,omitempty"`
 
+	// 配额通知配置
+	QuotaNotifyDailyEnabled    *bool    `json:"quota_notify_daily_enabled,omitempty"`
+	QuotaNotifyDailyThreshold  *float64 `json:"quota_notify_daily_threshold,omitempty"`
+	QuotaNotifyWeeklyEnabled   *bool    `json:"quota_notify_weekly_enabled,omitempty"`
+	QuotaNotifyWeeklyThreshold *float64 `json:"quota_notify_weekly_threshold,omitempty"`
+	QuotaNotifyTotalEnabled    *bool    `json:"quota_notify_total_enabled,omitempty"`
+	QuotaNotifyTotalThreshold  *float64 `json:"quota_notify_total_threshold,omitempty"`
+
 	Proxy         *Proxy         `json:"proxy,omitempty"`
 	AccountGroups []AccountGroup `json:"account_groups,omitempty"`
 
diff --git a/backend/internal/handler/user_handler.go b/backend/internal/handler/user_handler.go
index 35862f1c..42463a7a 100644
--- a/backend/internal/handler/user_handler.go
+++ b/backend/internal/handler/user_handler.go
@@ -11,13 +11,17 @@ import (
 
 // UserHandler handles user-related requests
 type UserHandler struct {
-	userService *service.UserService
+	userService  *service.UserService
+	emailService *service.EmailService
+	emailCache   service.EmailCache
 }
 
 // NewUserHandler creates a new UserHandler
-func NewUserHandler(userService *service.UserService) *UserHandler {
+func NewUserHandler(userService *service.UserService, emailService *service.EmailService, emailCache service.EmailCache) *UserHandler {
 	return &UserHandler{
-		userService: userService,
+		userService:  userService,
+		emailService: emailService,
+		emailCache:   emailCache,
 	}
 }
 
@@ -29,7 +33,9 @@ type ChangePasswordRequest struct {
 
 // UpdateProfileRequest represents the update profile request payload
 type UpdateProfileRequest struct {
-	Username *string `json:"username"`
+	Username               *string  `json:"username"`
+	BalanceNotifyEnabled   *bool    `json:"balance_notify_enabled"`
+	BalanceNotifyThreshold *float64 `json:"balance_notify_threshold"`
 }
 
 // GetProfile handles getting user profile
@@ -94,7 +100,9 @@ func (h *UserHandler) UpdateProfile(c *gin.Context) {
 	}
 
 	svcReq := service.UpdateProfileRequest{
-		Username: req.Username,
+		Username:               req.Username,
+		BalanceNotifyEnabled:   req.BalanceNotifyEnabled,
+		BalanceNotifyThreshold: req.BalanceNotifyThreshold,
 	}
 	updatedUser, err := h.userService.UpdateProfile(c.Request.Context(), subject.UserID, svcReq)
 	if err != nil {
@@ -104,3 +112,98 @@ func (h *UserHandler) UpdateProfile(c *gin.Context) {
 
 	response.Success(c, dto.UserFromService(updatedUser))
 }
+
+// SendNotifyEmailCodeRequest represents the request to send notify email verification code
+type SendNotifyEmailCodeRequest struct {
+	Email string `json:"email" binding:"required,email"`
+}
+
+// SendNotifyEmailCode sends verification code to extra notification email
+// POST /api/v1/user/notify-email/send-code
+func (h *UserHandler) SendNotifyEmailCode(c *gin.Context) {
+	subject, ok := middleware2.GetAuthSubjectFromContext(c)
+	if !ok {
+		response.Unauthorized(c, "User not authenticated")
+		return
+	}
+
+	var req SendNotifyEmailCodeRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	err := h.userService.SendNotifyEmailCode(c.Request.Context(), subject.UserID, req.Email, h.emailService, h.emailCache)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, gin.H{"message": "Verification code sent successfully"})
+}
+
+// VerifyNotifyEmailRequest represents the request to verify and add notify email
+type VerifyNotifyEmailRequest struct {
+	Email string `json:"email" binding:"required,email"`
+	Code  string `json:"code" binding:"required,len=6"`
+}
+
+// VerifyNotifyEmail verifies code and adds email to notification list
+// POST /api/v1/user/notify-email/verify
+func (h *UserHandler) VerifyNotifyEmail(c *gin.Context) {
+	subject, ok := middleware2.GetAuthSubjectFromContext(c)
+	if !ok {
+		response.Unauthorized(c, "User not authenticated")
+		return
+	}
+
+	var req VerifyNotifyEmailRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	err := h.userService.VerifyAndAddNotifyEmail(c.Request.Context(), subject.UserID, req.Email, req.Code, h.emailCache)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	// Return updated user
+	updatedUser, err := h.userService.GetByID(c.Request.Context(), subject.UserID)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, dto.UserFromService(updatedUser))
+}
+
+// RemoveNotifyEmailRequest represents the request to remove a notify email
+type RemoveNotifyEmailRequest struct {
+	Email string `json:"email" binding:"required,email"`
+}
+
+// RemoveNotifyEmail removes email from notification list
+// DELETE /api/v1/user/notify-email
+func (h *UserHandler) RemoveNotifyEmail(c *gin.Context) {
+	subject, ok := middleware2.GetAuthSubjectFromContext(c)
+	if !ok {
+		response.Unauthorized(c, "User not authenticated")
+		return
+	}
+
+	var req RemoveNotifyEmailRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	err := h.userService.RemoveNotifyEmail(c.Request.Context(), subject.UserID, req.Email)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, gin.H{"message": "Email removed successfully"})
+}
diff --git a/backend/internal/repository/api_key_repo.go b/backend/internal/repository/api_key_repo.go
index 7fd98855..752a5937 100644
--- a/backend/internal/repository/api_key_repo.go
+++ b/backend/internal/repository/api_key_repo.go
@@ -3,6 +3,7 @@ package repository
 import (
 	"context"
 	"database/sql"
+	"encoding/json"
 	"fmt"
 	"strings"
 	"time"
@@ -639,22 +640,32 @@ func userEntityToService(u *dbent.User) *service.User {
 	if u == nil {
 		return nil
 	}
-	return &service.User{
-		ID:                  u.ID,
-		Email:               u.Email,
-		Username:            u.Username,
-		Notes:               u.Notes,
-		PasswordHash:        u.PasswordHash,
-		Role:                u.Role,
-		Balance:             u.Balance,
-		Concurrency:         u.Concurrency,
-		Status:              u.Status,
-		TotpSecretEncrypted: u.TotpSecretEncrypted,
-		TotpEnabled:         u.TotpEnabled,
-		TotpEnabledAt:       u.TotpEnabledAt,
-		CreatedAt:           u.CreatedAt,
-		UpdatedAt:           u.UpdatedAt,
+	out := &service.User{
+		ID:                   u.ID,
+		Email:                u.Email,
+		Username:             u.Username,
+		Notes:                u.Notes,
+		PasswordHash:         u.PasswordHash,
+		Role:                 u.Role,
+		Balance:              u.Balance,
+		Concurrency:          u.Concurrency,
+		Status:               u.Status,
+		TotpSecretEncrypted:  u.TotpSecretEncrypted,
+		TotpEnabled:          u.TotpEnabled,
+		TotpEnabledAt:        u.TotpEnabledAt,
+		BalanceNotifyEnabled: u.BalanceNotifyEnabled,
+		BalanceNotifyThreshold: u.BalanceNotifyThreshold,
+		CreatedAt:            u.CreatedAt,
+		UpdatedAt:            u.UpdatedAt,
 	}
+	// Parse extra emails JSON array
+	if u.BalanceNotifyExtraEmails != "" && u.BalanceNotifyExtraEmails != "[]" {
+		var emails []string
+		if err := json.Unmarshal([]byte(u.BalanceNotifyExtraEmails), &emails); err == nil {
+			out.BalanceNotifyExtraEmails = emails
+		}
+	}
+	return out
 }
 
 func groupEntityToService(g *dbent.Group) *service.Group {
diff --git a/backend/internal/repository/email_cache.go b/backend/internal/repository/email_cache.go
index 8f2b8eca..63552ab0 100644
--- a/backend/internal/repository/email_cache.go
+++ b/backend/internal/repository/email_cache.go
@@ -11,6 +11,7 @@ import (
 
 const (
 	verifyCodeKeyPrefix          = "verify_code:"
+	notifyVerifyKeyPrefix        = "notify_verify:"
 	passwordResetKeyPrefix       = "password_reset:"
 	passwordResetSentAtKeyPrefix = "password_reset_sent:"
 )
@@ -20,6 +21,11 @@ func verifyCodeKey(email string) string {
 	return verifyCodeKeyPrefix + email
 }
 
+// notifyVerifyKey generates the Redis key for notify email verification code.
+func notifyVerifyKey(email string) string {
+	return notifyVerifyKeyPrefix + email
+}
+
 // passwordResetKey generates the Redis key for password reset token.
 func passwordResetKey(email string) string {
 	return passwordResetKeyPrefix + email
@@ -106,3 +112,32 @@ func (c *emailCache) SetPasswordResetEmailCooldown(ctx context.Context, email st
 	key := passwordResetSentAtKey(email)
 	return c.rdb.Set(ctx, key, "1", ttl).Err()
 }
+
+// Notify email verification code methods
+
+func (c *emailCache) GetNotifyVerifyCode(ctx context.Context, email string) (*service.VerificationCodeData, error) {
+	key := notifyVerifyKey(email)
+	val, err := c.rdb.Get(ctx, key).Result()
+	if err != nil {
+		return nil, err
+	}
+	var data service.VerificationCodeData
+	if err := json.Unmarshal([]byte(val), &data); err != nil {
+		return nil, err
+	}
+	return &data, nil
+}
+
+func (c *emailCache) SetNotifyVerifyCode(ctx context.Context, email string, data *service.VerificationCodeData, ttl time.Duration) error {
+	key := notifyVerifyKey(email)
+	val, err := json.Marshal(data)
+	if err != nil {
+		return err
+	}
+	return c.rdb.Set(ctx, key, val, ttl).Err()
+}
+
+func (c *emailCache) DeleteNotifyVerifyCode(ctx context.Context, email string) error {
+	key := notifyVerifyKey(email)
+	return c.rdb.Del(ctx, key).Err()
+}
diff --git a/backend/internal/repository/user_repo.go b/backend/internal/repository/user_repo.go
index d5a13607..2c544857 100644
--- a/backend/internal/repository/user_repo.go
+++ b/backend/internal/repository/user_repo.go
@@ -3,6 +3,7 @@ package repository
 import (
 	"context"
 	"database/sql"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"sort"
@@ -137,7 +138,7 @@ func (r *userRepository) Update(ctx context.Context, userIn *service.User) error
 		txClient = r.client
 	}
 
-	updated, err := txClient.User.UpdateOneID(userIn.ID).
+	updateOp := txClient.User.UpdateOneID(userIn.ID).
 		SetEmail(userIn.Email).
 		SetUsername(userIn.Username).
 		SetNotes(userIn.Notes).
@@ -146,7 +147,13 @@ func (r *userRepository) Update(ctx context.Context, userIn *service.User) error
 		SetBalance(userIn.Balance).
 		SetConcurrency(userIn.Concurrency).
 		SetStatus(userIn.Status).
-		Save(ctx)
+		SetBalanceNotifyEnabled(userIn.BalanceNotifyEnabled).
+		SetNillableBalanceNotifyThreshold(userIn.BalanceNotifyThreshold).
+		SetBalanceNotifyExtraEmails(marshalExtraEmails(userIn.BalanceNotifyExtraEmails))
+	if userIn.BalanceNotifyThreshold == nil {
+		updateOp = updateOp.ClearBalanceNotifyThreshold()
+	}
+	updated, err := updateOp.Save(ctx)
 	if err != nil {
 		return translatePersistenceError(err, service.ErrUserNotFound, service.ErrEmailExists)
 	}
@@ -549,6 +556,18 @@ func applyUserEntityToService(dst *service.User, src *dbent.User) {
 	dst.UpdatedAt = src.UpdatedAt
 }
 
+// marshalExtraEmails serializes a string slice to JSON for storage.
+func marshalExtraEmails(emails []string) string {
+	if len(emails) == 0 {
+		return "[]"
+	}
+	data, err := json.Marshal(emails)
+	if err != nil {
+		return "[]"
+	}
+	return string(data)
+}
+
 // UpdateTotpSecret 更新用户的 TOTP 加密密钥
 func (r *userRepository) UpdateTotpSecret(ctx context.Context, userID int64, encryptedSecret *string) error {
 	client := clientFromContext(ctx, r.client)
diff --git a/backend/internal/server/routes/user.go b/backend/internal/server/routes/user.go
index c3b82742..088565fa 100644
--- a/backend/internal/server/routes/user.go
+++ b/backend/internal/server/routes/user.go
@@ -26,6 +26,14 @@ func RegisterUserRoutes(
 			user.PUT("/password", h.User.ChangePassword)
 			user.PUT("", h.User.UpdateProfile)
 
+			// 通知邮箱管理
+			notifyEmail := user.Group("/notify-email")
+			{
+				notifyEmail.POST("/send-code", h.User.SendNotifyEmailCode)
+				notifyEmail.POST("/verify", h.User.VerifyNotifyEmail)
+				notifyEmail.DELETE("", h.User.RemoveNotifyEmail)
+			}
+
 			// TOTP 双因素认证
 			totp := user.Group("/totp")
 			{
diff --git a/backend/internal/service/account.go b/backend/internal/service/account.go
index 582b136c..0b225dac 100644
--- a/backend/internal/service/account.go
+++ b/backend/internal/service/account.go
@@ -1406,6 +1406,19 @@ func (a *Account) getExtraTime(key string) time.Time {
 	return time.Time{}
 }
 
+// getExtraBool 从 Extra 中读取指定 key 的 bool 值
+func (a *Account) getExtraBool(key string) bool {
+	if a.Extra == nil {
+		return false
+	}
+	if v, ok := a.Extra[key]; ok {
+		if b, ok := v.(bool); ok {
+			return b
+		}
+	}
+	return false
+}
+
 // getExtraString 从 Extra 中读取指定 key 的字符串值
 func (a *Account) getExtraString(key string) string {
 	if a.Extra == nil {
@@ -1475,6 +1488,32 @@ func (a *Account) GetQuotaResetTimezone() string {
 	return "UTC"
 }
 
+// --- Quota Notification Getters ---
+
+func (a *Account) GetQuotaNotifyDailyEnabled() bool {
+	return a.getExtraBool("quota_notify_daily_enabled")
+}
+
+func (a *Account) GetQuotaNotifyDailyThreshold() float64 {
+	return a.getExtraFloat64("quota_notify_daily_threshold")
+}
+
+func (a *Account) GetQuotaNotifyWeeklyEnabled() bool {
+	return a.getExtraBool("quota_notify_weekly_enabled")
+}
+
+func (a *Account) GetQuotaNotifyWeeklyThreshold() float64 {
+	return a.getExtraFloat64("quota_notify_weekly_threshold")
+}
+
+func (a *Account) GetQuotaNotifyTotalEnabled() bool {
+	return a.getExtraBool("quota_notify_total_enabled")
+}
+
+func (a *Account) GetQuotaNotifyTotalThreshold() float64 {
+	return a.getExtraFloat64("quota_notify_total_threshold")
+}
+
 // nextFixedDailyReset 计算在 after 之后的下一个每日固定重置时间点
 func nextFixedDailyReset(hour int, tz *time.Location, after time.Time) time.Time {
 	t := after.In(tz)
diff --git a/backend/internal/service/auth_service_register_test.go b/backend/internal/service/auth_service_register_test.go
index 7b50e90d..0999b4f0 100644
--- a/backend/internal/service/auth_service_register_test.go
+++ b/backend/internal/service/auth_service_register_test.go
@@ -87,6 +87,18 @@ func (s *emailCacheStub) DeleteVerificationCode(ctx context.Context, email strin
 	return nil
 }
 
+func (s *emailCacheStub) GetNotifyVerifyCode(ctx context.Context, email string) (*VerificationCodeData, error) {
+	return nil, nil
+}
+
+func (s *emailCacheStub) SetNotifyVerifyCode(ctx context.Context, email string, data *VerificationCodeData, ttl time.Duration) error {
+	return nil
+}
+
+func (s *emailCacheStub) DeleteNotifyVerifyCode(ctx context.Context, email string) error {
+	return nil
+}
+
 func (s *emailCacheStub) GetPasswordResetToken(ctx context.Context, email string) (*PasswordResetTokenData, error) {
 	return nil, nil
 }
diff --git a/backend/internal/service/balance_notify_service.go b/backend/internal/service/balance_notify_service.go
new file mode 100644
index 00000000..7cd61a0a
--- /dev/null
+++ b/backend/internal/service/balance_notify_service.go
@@ -0,0 +1,328 @@
+package service
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"log/slog"
+	"strconv"
+	"strings"
+	"time"
+)
+
+const (
+	emailSendTimeout = 30 * time.Second
+
+	// Quota dimension labels
+	quotaDimDaily  = "daily"
+	quotaDimWeekly = "weekly"
+	quotaDimTotal  = "total"
+)
+
+// quotaDimLabels maps dimension names to display labels.
+var quotaDimLabels = map[string]string{
+	quotaDimDaily:  "日限额 / Daily",
+	quotaDimWeekly: "周限额 / Weekly",
+	quotaDimTotal:  "总限额 / Total",
+}
+
+// BalanceNotifyService handles balance and quota threshold notifications.
+type BalanceNotifyService struct {
+	emailService *EmailService
+	settingRepo  SettingRepository
+}
+
+// NewBalanceNotifyService creates a new BalanceNotifyService.
+func NewBalanceNotifyService(emailService *EmailService, settingRepo SettingRepository) *BalanceNotifyService {
+	return &BalanceNotifyService{
+		emailService: emailService,
+		settingRepo:  settingRepo,
+	}
+}
+
+// CheckBalanceAfterDeduction checks if balance crossed below threshold after deduction.
+// oldBalance is the balance before deduction, cost is the amount deducted.
+// Notification is sent only on first crossing: oldBalance >= threshold && newBalance < threshold.
+func (s *BalanceNotifyService) CheckBalanceAfterDeduction(ctx context.Context, user *User, oldBalance, cost float64) {
+	if user == nil || s.emailService == nil || s.settingRepo == nil {
+		return
+	}
+
+	// Check user-level switch
+	if !user.BalanceNotifyEnabled {
+		return
+	}
+
+	// Check global switch
+	globalEnabled, threshold := s.getBalanceNotifyConfig(ctx)
+	if !globalEnabled {
+		return
+	}
+
+	// User custom threshold overrides system default
+	if user.BalanceNotifyThreshold != nil {
+		threshold = *user.BalanceNotifyThreshold
+	}
+
+	if threshold <= 0 {
+		return
+	}
+
+	newBalance := oldBalance - cost
+
+	// Only notify on first crossing
+	if oldBalance >= threshold && newBalance < threshold {
+		siteName := s.getSiteName(ctx)
+		recipients := s.collectBalanceNotifyRecipients(user)
+		go func() {
+			defer func() {
+				if r := recover(); r != nil {
+					slog.Error("panic in balance notification", "recover", r)
+				}
+			}()
+			s.sendBalanceLowEmails(recipients, user.Username, user.Email, newBalance, threshold, siteName)
+		}()
+	}
+}
+
+// CheckAccountQuotaAfterIncrement checks if any quota dimension crossed above its notify threshold.
+// The account's Extra fields contain pre-increment usage values.
+func (s *BalanceNotifyService) CheckAccountQuotaAfterIncrement(ctx context.Context, account *Account, cost float64) {
+	if account == nil || s.emailService == nil || s.settingRepo == nil || cost <= 0 {
+		return
+	}
+
+	adminEmails := s.getAccountQuotaNotifyEmails(ctx)
+	if len(adminEmails) == 0 {
+		return
+	}
+
+	siteName := s.getSiteName(ctx)
+
+	// Check each dimension
+	type quotaDim struct {
+		name      string
+		enabled   bool
+		threshold float64
+		oldUsed   float64
+		limit     float64
+	}
+
+	dims := []quotaDim{
+		{
+			name:      quotaDimDaily,
+			enabled:   account.GetQuotaNotifyDailyEnabled(),
+			threshold: account.GetQuotaNotifyDailyThreshold(),
+			oldUsed:   account.GetQuotaDailyUsed(),
+			limit:     account.GetQuotaDailyLimit(),
+		},
+		{
+			name:      quotaDimWeekly,
+			enabled:   account.GetQuotaNotifyWeeklyEnabled(),
+			threshold: account.GetQuotaNotifyWeeklyThreshold(),
+			oldUsed:   account.GetQuotaWeeklyUsed(),
+			limit:     account.GetQuotaWeeklyLimit(),
+		},
+		{
+			name:      quotaDimTotal,
+			enabled:   account.GetQuotaNotifyTotalEnabled(),
+			threshold: account.GetQuotaNotifyTotalThreshold(),
+			oldUsed:   account.GetQuotaUsed(),
+			limit:     account.GetQuotaLimit(),
+		},
+	}
+
+	for _, dim := range dims {
+		if !dim.enabled || dim.threshold <= 0 {
+			continue
+		}
+		newUsed := dim.oldUsed + cost
+		// Only notify on first crossing
+		if dim.oldUsed < dim.threshold && newUsed >= dim.threshold {
+			dimCopy := dim // capture loop variable
+			go func() {
+				defer func() {
+					if r := recover(); r != nil {
+						slog.Error("panic in quota notification", "recover", r)
+					}
+				}()
+				s.sendQuotaAlertEmails(adminEmails, account.Name, dimCopy.name, newUsed, dimCopy.limit, dimCopy.threshold, siteName)
+			}()
+		}
+	}
+}
+
+// getBalanceNotifyConfig reads global balance notification settings.
+func (s *BalanceNotifyService) getBalanceNotifyConfig(ctx context.Context) (enabled bool, threshold float64) {
+	keys := []string{SettingKeyBalanceLowNotifyEnabled, SettingKeyBalanceLowNotifyThreshold}
+	settings, err := s.settingRepo.GetMultiple(ctx, keys)
+	if err != nil {
+		return false, 0
+	}
+	enabled = settings[SettingKeyBalanceLowNotifyEnabled] == "true"
+	if v := settings[SettingKeyBalanceLowNotifyThreshold]; v != "" {
+		if f, err := strconv.ParseFloat(v, 64); err == nil {
+			threshold = f
+		}
+	}
+	return
+}
+
+// getAccountQuotaNotifyEmails reads admin notification emails from settings.
+func (s *BalanceNotifyService) getAccountQuotaNotifyEmails(ctx context.Context) []string {
+	raw, err := s.settingRepo.GetValue(ctx, SettingKeyAccountQuotaNotifyEmails)
+	if err != nil || strings.TrimSpace(raw) == "" || raw == "[]" {
+		return nil
+	}
+	return parseJSONStringArray(raw)
+}
+
+// getSiteName reads site name from settings with fallback.
+func (s *BalanceNotifyService) getSiteName(ctx context.Context) string {
+	name, err := s.settingRepo.GetValue(ctx, SettingKeySiteName)
+	if err != nil || name == "" {
+		return "Sub2API"
+	}
+	return name
+}
+
+// collectBalanceNotifyRecipients collects all email recipients for balance notifications.
+func (s *BalanceNotifyService) collectBalanceNotifyRecipients(user *User) []string {
+	recipients := []string{user.Email}
+	for _, extra := range user.BalanceNotifyExtraEmails {
+		email := strings.TrimSpace(extra)
+		if email != "" && email != user.Email {
+			recipients = append(recipients, email)
+		}
+	}
+	return recipients
+}
+
+// sendEmails sends an email to all recipients with shared timeout and error logging.
+func (s *BalanceNotifyService) sendEmails(recipients []string, subject, body string, logAttrs ...any) {
+	ctx, cancel := context.WithTimeout(context.Background(), emailSendTimeout)
+	defer cancel()
+	for _, to := range recipients {
+		if err := s.emailService.SendEmail(ctx, to, subject, body); err != nil {
+			attrs := append([]any{"to", to, "error", err}, logAttrs...)
+			slog.Error("failed to send notification", attrs...)
+		}
+	}
+}
+
+// sendBalanceLowEmails sends balance low notification to all recipients.
+func (s *BalanceNotifyService) sendBalanceLowEmails(recipients []string, userName, userEmail string, balance, threshold float64, siteName string) {
+	displayName := userName
+	if displayName == "" {
+		displayName = userEmail
+	}
+	subject := fmt.Sprintf("[%s] 余额不足提醒 / Balance Low Alert", siteName)
+	body := s.buildBalanceLowEmailBody(displayName, balance, threshold, siteName)
+	s.sendEmails(recipients, subject, body, "user_email", userEmail, "balance", balance)
+}
+
+// sendQuotaAlertEmails sends quota alert notification to admin emails.
+func (s *BalanceNotifyService) sendQuotaAlertEmails(adminEmails []string, accountName, dimension string, used, limit, threshold float64, siteName string) {
+	dimLabel := quotaDimLabels[dimension]
+	if dimLabel == "" {
+		dimLabel = dimension
+	}
+
+	subject := fmt.Sprintf("[%s] 账号限额告警 / Account Quota Alert - %s", siteName, accountName)
+	body := s.buildQuotaAlertEmailBody(accountName, dimLabel, used, limit, threshold, siteName)
+	s.sendEmails(adminEmails, subject, body, "account", accountName, "dimension", dimension)
+}
+
+// buildBalanceLowEmailBody builds HTML email for balance low notification.
+func (s *BalanceNotifyService) buildBalanceLowEmailBody(userName string, balance, threshold float64, siteName string) string {
+	return fmt.Sprintf(`<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="UTF-8">
+    <style>
+        body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; background-color: #f5f5f5; margin: 0; padding: 20px; }
+        .container { max-width: 600px; margin: 0 auto; background-color: #fff; border-radius: 8px; overflow: hidden; box-shadow: 0 2px 8px rgba(0,0,0,0.1); }
+        .header { background: linear-gradient(135deg, #f59e0b 0%%, #d97706 100%%); color: white; padding: 30px; text-align: center; }
+        .header h1 { margin: 0; font-size: 24px; }
+        .content { padding: 40px 30px; text-align: center; }
+        .balance { font-size: 36px; font-weight: bold; color: #dc2626; margin: 20px 0; }
+        .info { color: #666; font-size: 14px; line-height: 1.6; margin-top: 20px; }
+        .footer { background-color: #f8f9fa; padding: 20px; text-align: center; color: #999; font-size: 12px; }
+    </style>
+</head>
+<body>
+    <div class="container">
+        <div class="header"><h1>%s</h1></div>
+        <div class="content">
+            <p style="font-size: 18px; color: #333;">%s，您的余额不足</p>
+            <p style="color: #666;">Dear %s, your balance is running low</p>
+            <div class="balance">$%.2f</div>
+            <div class="info">
+                <p>您的账户余额已低于提醒阈值 <strong>$%.2f</strong>。</p>
+                <p>Your account balance has fallen below the alert threshold of <strong>$%.2f</strong>.</p>
+                <p>请及时充值以免服务中断。</p>
+                <p>Please top up to avoid service interruption.</p>
+            </div>
+        </div>
+        <div class="footer"><p>此邮件由系统自动发送，请勿回复。</p></div>
+    </div>
+</body>
+</html>`, siteName, userName, userName, balance, threshold, threshold)
+}
+
+// buildQuotaAlertEmailBody builds HTML email for account quota alert.
+func (s *BalanceNotifyService) buildQuotaAlertEmailBody(accountName, dimLabel string, used, limit, threshold float64, siteName string) string {
+	limitStr := fmt.Sprintf("$%.2f", limit)
+	if limit <= 0 {
+		limitStr = "无限制 / Unlimited"
+	}
+	return fmt.Sprintf(`<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="UTF-8">
+    <style>
+        body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; background-color: #f5f5f5; margin: 0; padding: 20px; }
+        .container { max-width: 600px; margin: 0 auto; background-color: #fff; border-radius: 8px; overflow: hidden; box-shadow: 0 2px 8px rgba(0,0,0,0.1); }
+        .header { background: linear-gradient(135deg, #ef4444 0%%, #dc2626 100%%); color: white; padding: 30px; text-align: center; }
+        .header h1 { margin: 0; font-size: 24px; }
+        .content { padding: 40px 30px; }
+        .metric { display: flex; justify-content: space-between; padding: 12px 0; border-bottom: 1px solid #eee; }
+        .metric-label { color: #666; }
+        .metric-value { font-weight: bold; color: #333; }
+        .info { color: #666; font-size: 14px; line-height: 1.6; margin-top: 20px; text-align: center; }
+        .footer { background-color: #f8f9fa; padding: 20px; text-align: center; color: #999; font-size: 12px; }
+    </style>
+</head>
+<body>
+    <div class="container">
+        <div class="header"><h1>%s</h1></div>
+        <div class="content">
+            <p style="font-size: 18px; color: #333; text-align: center;">账号限额告警 / Account Quota Alert</p>
+            <div class="metric"><span class="metric-label">账号 / Account</span><span class="metric-value">%s</span></div>
+            <div class="metric"><span class="metric-label">维度 / Dimension</span><span class="metric-value">%s</span></div>
+            <div class="metric"><span class="metric-label">已使用 / Used</span><span class="metric-value">$%.2f</span></div>
+            <div class="metric"><span class="metric-label">限额 / Limit</span><span class="metric-value">%s</span></div>
+            <div class="metric"><span class="metric-label">告警阈值 / Threshold</span><span class="metric-value">$%.2f</span></div>
+            <div class="info">
+                <p>账号配额用量已达到告警阈值，请及时关注。</p>
+                <p>Account quota usage has reached the alert threshold.</p>
+            </div>
+        </div>
+        <div class="footer"><p>此邮件由系统自动发送，请勿回复。</p></div>
+    </div>
+</body>
+</html>`, siteName, accountName, dimLabel, used, limitStr, threshold)
+}
+
+// parseJSONStringArray parses a JSON string array, returns nil on error.
+func parseJSONStringArray(raw string) []string {
+	raw = strings.TrimSpace(raw)
+	if raw == "" || raw == "[]" {
+		return nil
+	}
+	var result []string
+	if err := json.Unmarshal([]byte(raw), &result); err != nil {
+		return nil
+	}
+	return result
+}
diff --git a/backend/internal/service/domain_constants.go b/backend/internal/service/domain_constants.go
index f43d388b..2704e0d0 100644
--- a/backend/internal/service/domain_constants.go
+++ b/backend/internal/service/domain_constants.go
@@ -250,9 +250,12 @@ const (
 	// SettingKeyEnableCCHSigning 是否对 billing header 中的 cch 进行 xxHash64 签名（默认 false）
 	SettingKeyEnableCCHSigning = "enable_cch_signing"
 
-	// Web Search Emulation
-	// SettingKeyWebSearchEmulationConfig 全局 web search 模拟配置（JSON）
-	SettingKeyWebSearchEmulationConfig = "web_search_emulation_config"
+	// Balance Low Notification
+	SettingKeyBalanceLowNotifyEnabled   = "balance_low_notify_enabled"   // 全局开关
+	SettingKeyBalanceLowNotifyThreshold = "balance_low_notify_threshold" // 默认阈值（USD）
+
+	// Account Quota Notification
+	SettingKeyAccountQuotaNotifyEmails = "account_quota_notify_emails" // 管理员通知邮箱列表（JSON 数组）
 )
 
 // AdminAPIKeyPrefix is the prefix for admin API keys (distinct from user "sk-" keys).
diff --git a/backend/internal/service/email_service.go b/backend/internal/service/email_service.go
index 00691233..61090776 100644
--- a/backend/internal/service/email_service.go
+++ b/backend/internal/service/email_service.go
@@ -34,6 +34,11 @@ type EmailCache interface {
 	SetVerificationCode(ctx context.Context, email string, data *VerificationCodeData, ttl time.Duration) error
 	DeleteVerificationCode(ctx context.Context, email string) error
 
+	// Notify email verification code methods
+	GetNotifyVerifyCode(ctx context.Context, email string) (*VerificationCodeData, error)
+	SetNotifyVerifyCode(ctx context.Context, email string, data *VerificationCodeData, ttl time.Duration) error
+	DeleteNotifyVerifyCode(ctx context.Context, email string) error
+
 	// Password reset token methods
 	GetPasswordResetToken(ctx context.Context, email string) (*PasswordResetTokenData, error)
 	SetPasswordResetToken(ctx context.Context, email string, data *PasswordResetTokenData, ttl time.Duration) error
diff --git a/backend/internal/service/gateway_record_usage_test.go b/backend/internal/service/gateway_record_usage_test.go
index 97703a9d..140bdc67 100644
--- a/backend/internal/service/gateway_record_usage_test.go
+++ b/backend/internal/service/gateway_record_usage_test.go
@@ -43,6 +43,7 @@ func newGatewayRecordUsageServiceForTest(usageRepo UsageLogRepository, userRepo
 		nil,
 		nil,
 		nil,
+		nil,
 	)
 }
 
diff --git a/backend/internal/service/gateway_service.go b/backend/internal/service/gateway_service.go
index 1d6d0a08..72ab39ce 100644
--- a/backend/internal/service/gateway_service.go
+++ b/backend/internal/service/gateway_service.go
@@ -569,6 +569,7 @@ type GatewayService struct {
 	resolver              *ModelPricingResolver
 	debugGatewayBodyFile  atomic.Pointer[os.File] // non-nil when SUB2API_DEBUG_GATEWAY_BODY is set
 	tlsFPProfileService   *TLSFingerprintProfileService
+	balanceNotifyService  *BalanceNotifyService
 }
 
 // NewGatewayService creates a new GatewayService
@@ -598,6 +599,7 @@ func NewGatewayService(
 	tlsFPProfileService *TLSFingerprintProfileService,
 	channelService *ChannelService,
 	resolver *ModelPricingResolver,
+	balanceNotifyService *BalanceNotifyService,
 ) *GatewayService {
 	userGroupRateTTL := resolveUserGroupRateCacheTTL(cfg)
 	modelsListTTL := resolveModelsListCacheTTL(cfg)
@@ -632,6 +634,7 @@ func NewGatewayService(
 		tlsFPProfileService:  tlsFPProfileService,
 		channelService:       channelService,
 		resolver:             resolver,
+		balanceNotifyService: balanceNotifyService,
 	}
 	svc.userGroupRateResolver = newUserGroupRateResolver(
 		userGroupRateRepo,
@@ -7334,6 +7337,20 @@ func finalizePostUsageBilling(p *postUsageBillingParams, deps *billingDeps) {
 	}
 
 	deps.deferredService.ScheduleLastUsedUpdate(p.Account.ID)
+
+	// Balance low notification
+	if !p.IsSubscriptionBill && p.Cost.ActualCost > 0 && p.User != nil && deps.balanceNotifyService != nil {
+		deps.balanceNotifyService.CheckBalanceAfterDeduction(context.Background(), p.User, p.User.Balance, p.Cost.ActualCost)
+	}
+
+	// Account quota notification
+	if p.Cost.TotalCost > 0 && p.Account != nil && p.Account.IsAPIKeyOrBedrock() && deps.balanceNotifyService != nil {
+		accountCost := p.Cost.TotalCost
+		if p.AccountRateMultiplier > 0 {
+			accountCost *= p.AccountRateMultiplier
+		}
+		deps.balanceNotifyService.CheckAccountQuotaAfterIncrement(context.Background(), p.Account, accountCost)
+	}
 }
 
 func detachedBillingContext(ctx context.Context) (context.Context, context.CancelFunc) {
@@ -7356,20 +7373,22 @@ func detachStreamUpstreamContext(ctx context.Context, stream bool) (context.Cont
 
 // billingDeps 扣费逻辑依赖的服务（由各 gateway service 提供）
 type billingDeps struct {
-	accountRepo         AccountRepository
-	userRepo            UserRepository
-	userSubRepo         UserSubscriptionRepository
-	billingCacheService *BillingCacheService
-	deferredService     *DeferredService
+	accountRepo          AccountRepository
+	userRepo             UserRepository
+	userSubRepo          UserSubscriptionRepository
+	billingCacheService  *BillingCacheService
+	deferredService      *DeferredService
+	balanceNotifyService *BalanceNotifyService
 }
 
 func (s *GatewayService) billingDeps() *billingDeps {
 	return &billingDeps{
-		accountRepo:         s.accountRepo,
-		userRepo:            s.userRepo,
-		userSubRepo:         s.userSubRepo,
-		billingCacheService: s.billingCacheService,
-		deferredService:     s.deferredService,
+		accountRepo:          s.accountRepo,
+		userRepo:             s.userRepo,
+		userSubRepo:          s.userSubRepo,
+		billingCacheService:  s.billingCacheService,
+		deferredService:      s.deferredService,
+		balanceNotifyService: s.balanceNotifyService,
 	}
 }
 
diff --git a/backend/internal/service/openai_gateway_record_usage_test.go b/backend/internal/service/openai_gateway_record_usage_test.go
index 38b97b11..e6fa94aa 100644
--- a/backend/internal/service/openai_gateway_record_usage_test.go
+++ b/backend/internal/service/openai_gateway_record_usage_test.go
@@ -147,6 +147,7 @@ func newOpenAIRecordUsageServiceForTest(usageRepo UsageLogRepository, userRepo U
 		nil,
 		nil,
 		nil,
+		nil,
 	)
 	svc.userGroupRateResolver = newUserGroupRateResolver(
 		rateRepo,
diff --git a/backend/internal/service/openai_gateway_service.go b/backend/internal/service/openai_gateway_service.go
index 3daa8756..70abd4ce 100644
--- a/backend/internal/service/openai_gateway_service.go
+++ b/backend/internal/service/openai_gateway_service.go
@@ -327,6 +327,7 @@ type OpenAIGatewayService struct {
 	openaiWSResolver      OpenAIWSProtocolResolver
 	resolver              *ModelPricingResolver
 	channelService        *ChannelService
+	balanceNotifyService  *BalanceNotifyService
 
 	openaiWSPoolOnce              sync.Once
 	openaiWSStateStoreOnce        sync.Once
@@ -364,6 +365,7 @@ func NewOpenAIGatewayService(
 	openAITokenProvider *OpenAITokenProvider,
 	resolver *ModelPricingResolver,
 	channelService *ChannelService,
+	balanceNotifyService *BalanceNotifyService,
 ) *OpenAIGatewayService {
 	svc := &OpenAIGatewayService{
 		accountRepo:         accountRepo,
@@ -393,6 +395,7 @@ func NewOpenAIGatewayService(
 		openaiWSResolver:      NewOpenAIWSProtocolResolver(cfg),
 		resolver:              resolver,
 		channelService:        channelService,
+		balanceNotifyService:  balanceNotifyService,
 		responseHeaderFilter:  compileResponseHeaderFilter(cfg),
 		codexSnapshotThrottle: newAccountWriteThrottle(openAICodexSnapshotPersistMinInterval),
 	}
@@ -477,11 +480,12 @@ func (s *OpenAIGatewayService) getCodexSnapshotThrottle() *accountWriteThrottle
 
 func (s *OpenAIGatewayService) billingDeps() *billingDeps {
 	return &billingDeps{
-		accountRepo:         s.accountRepo,
-		userRepo:            s.userRepo,
-		userSubRepo:         s.userSubRepo,
-		billingCacheService: s.billingCacheService,
-		deferredService:     s.deferredService,
+		accountRepo:          s.accountRepo,
+		userRepo:             s.userRepo,
+		userSubRepo:          s.userSubRepo,
+		billingCacheService:  s.billingCacheService,
+		deferredService:      s.deferredService,
+		balanceNotifyService: s.balanceNotifyService,
 	}
 }
 
diff --git a/backend/internal/service/openai_ws_protocol_forward_test.go b/backend/internal/service/openai_ws_protocol_forward_test.go
index 3834dcb7..66e5db93 100644
--- a/backend/internal/service/openai_ws_protocol_forward_test.go
+++ b/backend/internal/service/openai_ws_protocol_forward_test.go
@@ -617,6 +617,7 @@ func TestNewOpenAIGatewayService_InitializesOpenAIWSResolver(t *testing.T) {
 		nil,
 		nil,
 		nil,
+		nil,
 	)
 
 	decision := svc.getOpenAIWSProtocolResolver().Resolve(nil)
diff --git a/backend/internal/service/setting_service.go b/backend/internal/service/setting_service.go
index 3cfe5e56..bc4f53ce 100644
--- a/backend/internal/service/setting_service.go
+++ b/backend/internal/service/setting_service.go
@@ -18,7 +18,6 @@ import (
 	"github.com/Wei-Shaw/sub2api/internal/config"
 	infraerrors "github.com/Wei-Shaw/sub2api/internal/pkg/errors"
 	"github.com/imroc/req/v3"
-	"github.com/redis/go-redis/v9"
 	"golang.org/x/sync/singleflight"
 )
 
@@ -107,7 +106,6 @@ type SettingService struct {
 	cfg                   *config.Config
 	onUpdate              func() // Callback when settings are updated (for cache invalidation)
 	version               string // Application version
-	webSearchRedis        *redis.Client // optional: Redis client for web search quota tracking
 }
 
 // NewSettingService 创建系统设置服务实例
@@ -170,9 +168,9 @@ func (s *SettingService) GetPublicSettings(ctx context.Context) (*PublicSettings
 		SettingKeyCustomEndpoints,
 		SettingKeyLinuxDoConnectEnabled,
 		SettingKeyBackendModeEnabled,
+		SettingPaymentEnabled,
 		SettingKeyOIDCConnectEnabled,
 		SettingKeyOIDCConnectProviderName,
-		SettingPaymentEnabled,
 	}
 
 	settings, err := s.settingRepo.GetMultiple(ctx, keys)
@@ -237,9 +235,9 @@ func (s *SettingService) GetPublicSettings(ctx context.Context) (*PublicSettings
 		CustomEndpoints:                  settings[SettingKeyCustomEndpoints],
 		LinuxDoOAuthEnabled:              linuxDoEnabled,
 		BackendModeEnabled:               settings[SettingKeyBackendModeEnabled] == "true",
+		PaymentEnabled:                   settings[SettingPaymentEnabled] == "true",
 		OIDCOAuthEnabled:                 oidcEnabled,
 		OIDCOAuthProviderName:            oidcProviderName,
-		PaymentEnabled:                   settings[SettingPaymentEnabled] == "true",
 	}, nil
 }
 
@@ -289,9 +287,9 @@ func (s *SettingService) GetPublicSettingsForInjection(ctx context.Context) (any
 		CustomEndpoints                  json.RawMessage `json:"custom_endpoints"`
 		LinuxDoOAuthEnabled              bool            `json:"linuxdo_oauth_enabled"`
 		BackendModeEnabled               bool            `json:"backend_mode_enabled"`
+		PaymentEnabled                   bool            `json:"payment_enabled"`
 		OIDCOAuthEnabled                 bool            `json:"oidc_oauth_enabled"`
 		OIDCOAuthProviderName            string          `json:"oidc_oauth_provider_name"`
-		PaymentEnabled                   bool            `json:"payment_enabled"`
 		Version                          string          `json:"version,omitempty"`
 	}{
 		RegistrationEnabled:              settings.RegistrationEnabled,
@@ -319,9 +317,9 @@ func (s *SettingService) GetPublicSettingsForInjection(ctx context.Context) (any
 		CustomEndpoints:                  safeRawJSONArray(settings.CustomEndpoints),
 		LinuxDoOAuthEnabled:              settings.LinuxDoOAuthEnabled,
 		BackendModeEnabled:               settings.BackendModeEnabled,
+		PaymentEnabled:                   settings.PaymentEnabled,
 		OIDCOAuthEnabled:                 settings.OIDCOAuthEnabled,
 		OIDCOAuthProviderName:            settings.OIDCOAuthProviderName,
-		PaymentEnabled:                   settings.PaymentEnabled,
 		Version:                          s.version,
 	}, nil
 }
@@ -597,6 +595,15 @@ func (s *SettingService) UpdateSettings(ctx context.Context, settings *SystemSet
 	updates[SettingKeyEnableMetadataPassthrough] = strconv.FormatBool(settings.EnableMetadataPassthrough)
 	updates[SettingKeyEnableCCHSigning] = strconv.FormatBool(settings.EnableCCHSigning)
 
+	// Balance low notification
+	updates[SettingKeyBalanceLowNotifyEnabled] = strconv.FormatBool(settings.BalanceLowNotifyEnabled)
+	updates[SettingKeyBalanceLowNotifyThreshold] = strconv.FormatFloat(settings.BalanceLowNotifyThreshold, 'f', 8, 64)
+	accountQuotaNotifyEmailsJSON, err := json.Marshal(settings.AccountQuotaNotifyEmails)
+	if err != nil {
+		return fmt.Errorf("marshal account quota notify emails: %w", err)
+	}
+	updates[SettingKeyAccountQuotaNotifyEmails] = string(accountQuotaNotifyEmailsJSON)
+
 	err = s.settingRepo.SetMultiple(ctx, updates)
 	if err == nil {
 		// 先使 inflight singleflight 失效，再刷新缓存，缩小旧值覆盖新值的竞态窗口
@@ -1219,13 +1226,22 @@ func (s *SettingService) parseSettings(settings map[string]string) *SystemSettin
 	result.EnableMetadataPassthrough = settings[SettingKeyEnableMetadataPassthrough] == "true"
 	result.EnableCCHSigning = settings[SettingKeyEnableCCHSigning] == "true"
 
-	// Web search emulation: quick enabled check from the JSON config
-	if raw := settings[SettingKeyWebSearchEmulationConfig]; raw != "" {
-		var wsCfg WebSearchEmulationConfig
-		if err := json.Unmarshal([]byte(raw), &wsCfg); err == nil {
-			result.WebSearchEmulationEnabled = wsCfg.Enabled && len(wsCfg.Providers) > 0
+	// Balance low notification
+	result.BalanceLowNotifyEnabled = settings[SettingKeyBalanceLowNotifyEnabled] == "true"
+	if v, err := strconv.ParseFloat(settings[SettingKeyBalanceLowNotifyThreshold], 64); err == nil && v >= 0 {
+		result.BalanceLowNotifyThreshold = v
+	}
+
+	// Account quota notification emails
+	if raw := strings.TrimSpace(settings[SettingKeyAccountQuotaNotifyEmails]); raw != "" {
+		var emails []string
+		if err := json.Unmarshal([]byte(raw), &emails); err == nil {
+			result.AccountQuotaNotifyEmails = emails
 		}
 	}
+	if result.AccountQuotaNotifyEmails == nil {
+		result.AccountQuotaNotifyEmails = []string{}
+	}
 
 	return result
 }
diff --git a/backend/internal/service/settings_view.go b/backend/internal/service/settings_view.go
index f5535bca..debc2b19 100644
--- a/backend/internal/service/settings_view.go
+++ b/backend/internal/service/settings_view.go
@@ -107,8 +107,12 @@ type SystemSettings struct {
 	EnableMetadataPassthrough    bool // 是否透传客户端原始 metadata（默认 false）
 	EnableCCHSigning             bool // 是否对 billing header cch 进行签名（默认 false）
 
-	// Web Search Emulation (read-only quick check; full config via dedicated API)
-	WebSearchEmulationEnabled bool
+	// Balance low notification
+	BalanceLowNotifyEnabled   bool
+	BalanceLowNotifyThreshold float64
+
+	// Account quota notification
+	AccountQuotaNotifyEmails []string
 }
 
 type DefaultSubscriptionSetting struct {
@@ -144,9 +148,9 @@ type PublicSettings struct {
 
 	LinuxDoOAuthEnabled   bool
 	BackendModeEnabled    bool
+	PaymentEnabled        bool
 	OIDCOAuthEnabled      bool
 	OIDCOAuthProviderName string
-	PaymentEnabled        bool
 	Version               string
 }
 
diff --git a/backend/internal/service/user.go b/backend/internal/service/user.go
index e56d83bf..b4818223 100644
--- a/backend/internal/service/user.go
+++ b/backend/internal/service/user.go
@@ -30,6 +30,11 @@ type User struct {
 	TotpEnabled         bool       // 是否启用 TOTP
 	TotpEnabledAt       *time.Time // TOTP 启用时间
 
+	// 余额不足通知
+	BalanceNotifyEnabled     bool
+	BalanceNotifyThreshold   *float64
+	BalanceNotifyExtraEmails []string
+
 	APIKeys       []APIKey
 	Subscriptions []UserSubscription
 }
diff --git a/backend/internal/service/user_service.go b/backend/internal/service/user_service.go
index 4045c0aa..e6b9a210 100644
--- a/backend/internal/service/user_service.go
+++ b/backend/internal/service/user_service.go
@@ -2,8 +2,10 @@ package service
 
 import (
 	"context"
+	"crypto/subtle"
 	"fmt"
 	"log"
+	"strings"
 	"time"
 
 	infraerrors "github.com/Wei-Shaw/sub2api/internal/pkg/errors"
@@ -16,6 +18,8 @@ var (
 	ErrInsufficientPerms = infraerrors.Forbidden("INSUFFICIENT_PERMISSIONS", "insufficient permissions")
 )
 
+const maxNotifyExtraEmails = 5
+
 // UserListFilters contains all filter options for listing users
 type UserListFilters struct {
 	Status     string           // User status filter
@@ -58,9 +62,11 @@ type UserRepository interface {
 
 // UpdateProfileRequest 更新用户资料请求
 type UpdateProfileRequest struct {
-	Email       *string `json:"email"`
-	Username    *string `json:"username"`
-	Concurrency *int    `json:"concurrency"`
+	Email                  *string  `json:"email"`
+	Username               *string  `json:"username"`
+	Concurrency            *int     `json:"concurrency"`
+	BalanceNotifyEnabled   *bool    `json:"balance_notify_enabled"`
+	BalanceNotifyThreshold *float64 `json:"balance_notify_threshold"`
 }
 
 // ChangePasswordRequest 修改密码请求
@@ -72,14 +78,16 @@ type ChangePasswordRequest struct {
 // UserService 用户服务
 type UserService struct {
 	userRepo             UserRepository
+	settingRepo          SettingRepository
 	authCacheInvalidator APIKeyAuthCacheInvalidator
 	billingCache         BillingCache
 }
 
 // NewUserService 创建用户服务实例
-func NewUserService(userRepo UserRepository, authCacheInvalidator APIKeyAuthCacheInvalidator, billingCache BillingCache) *UserService {
+func NewUserService(userRepo UserRepository, settingRepo SettingRepository, authCacheInvalidator APIKeyAuthCacheInvalidator, billingCache BillingCache) *UserService {
 	return &UserService{
 		userRepo:             userRepo,
+		settingRepo:          settingRepo,
 		authCacheInvalidator: authCacheInvalidator,
 		billingCache:         billingCache,
 	}
@@ -132,6 +140,17 @@ func (s *UserService) UpdateProfile(ctx context.Context, userID int64, req Updat
 		user.Concurrency = *req.Concurrency
 	}
 
+	if req.BalanceNotifyEnabled != nil {
+		user.BalanceNotifyEnabled = *req.BalanceNotifyEnabled
+	}
+	if req.BalanceNotifyThreshold != nil {
+		if *req.BalanceNotifyThreshold <= 0 {
+			user.BalanceNotifyThreshold = nil // clear to system default
+		} else {
+			user.BalanceNotifyThreshold = req.BalanceNotifyThreshold
+		}
+	}
+
 	if err := s.userRepo.Update(ctx, user); err != nil {
 		return nil, fmt.Errorf("update user: %w", err)
 	}
@@ -248,3 +267,148 @@ func (s *UserService) Delete(ctx context.Context, userID int64) error {
 	}
 	return nil
 }
+
+// SendNotifyEmailCode sends a verification code to the extra notification email.
+func (s *UserService) SendNotifyEmailCode(ctx context.Context, userID int64, email string, emailService *EmailService, cache EmailCache) error {
+	// Check cooldown
+	existing, err := cache.GetNotifyVerifyCode(ctx, email)
+	if err == nil && existing != nil {
+		if time.Since(existing.CreatedAt) < verifyCodeCooldown {
+			return ErrVerifyCodeTooFrequent
+		}
+	}
+
+	// Generate code
+	code, err := emailService.GenerateVerifyCode()
+	if err != nil {
+		return fmt.Errorf("generate code: %w", err)
+	}
+
+	// Save to cache
+	data := &VerificationCodeData{
+		Code:      code,
+		Attempts:  0,
+		CreatedAt: time.Now(),
+	}
+	if err := cache.SetNotifyVerifyCode(ctx, email, data, verifyCodeTTL); err != nil {
+		return fmt.Errorf("save verify code: %w", err)
+	}
+
+	// Get site name
+	siteName := "Sub2API"
+	if s.settingRepo != nil {
+		if name, err := s.settingRepo.GetValue(ctx, SettingKeySiteName); err == nil && name != "" {
+			siteName = name
+		}
+	}
+
+	// Build and send email
+	subject := fmt.Sprintf("[%s] 通知邮箱验证码 / Notification Email Verification", siteName)
+	body := buildNotifyVerifyEmailBody(code, siteName)
+	return emailService.SendEmail(ctx, email, subject, body)
+}
+
+// VerifyAndAddNotifyEmail verifies the code and adds the email to user's extra emails.
+func (s *UserService) VerifyAndAddNotifyEmail(ctx context.Context, userID int64, email, code string, cache EmailCache) error {
+	// Verify code
+	data, err := cache.GetNotifyVerifyCode(ctx, email)
+	if err != nil || data == nil {
+		return ErrInvalidVerifyCode
+	}
+	if data.Attempts >= maxVerifyCodeAttempts {
+		return ErrVerifyCodeMaxAttempts
+	}
+	if subtle.ConstantTimeCompare([]byte(data.Code), []byte(code)) != 1 {
+		data.Attempts++
+		_ = cache.SetNotifyVerifyCode(ctx, email, data, verifyCodeTTL)
+		if data.Attempts >= maxVerifyCodeAttempts {
+			return ErrVerifyCodeMaxAttempts
+		}
+		return ErrInvalidVerifyCode
+	}
+
+	// Delete code after verification
+	_ = cache.DeleteNotifyVerifyCode(ctx, email)
+
+	// Add to user's extra emails
+	user, err := s.userRepo.GetByID(ctx, userID)
+	if err != nil {
+		return err
+	}
+
+	// Check if already exists
+	for _, e := range user.BalanceNotifyExtraEmails {
+		if strings.EqualFold(e, email) {
+			return nil // Already added
+		}
+	}
+
+	// Check limit
+	if len(user.BalanceNotifyExtraEmails) >= maxNotifyExtraEmails {
+		return infraerrors.BadRequest("TOO_MANY_NOTIFY_EMAILS", fmt.Sprintf("maximum %d extra notification emails allowed", maxNotifyExtraEmails))
+	}
+
+	user.BalanceNotifyExtraEmails = append(user.BalanceNotifyExtraEmails, email)
+	return s.userRepo.Update(ctx, user)
+}
+
+// RemoveNotifyEmail removes an email from user's extra notification emails.
+func (s *UserService) RemoveNotifyEmail(ctx context.Context, userID int64, email string) error {
+	user, err := s.userRepo.GetByID(ctx, userID)
+	if err != nil {
+		return err
+	}
+
+	filtered := make([]string, 0, len(user.BalanceNotifyExtraEmails))
+	for _, e := range user.BalanceNotifyExtraEmails {
+		if !strings.EqualFold(e, email) {
+			filtered = append(filtered, e)
+		}
+	}
+	user.BalanceNotifyExtraEmails = filtered
+	return s.userRepo.Update(ctx, user)
+}
+
+// buildNotifyVerifyEmailBody builds the HTML email body for notify email verification.
+func buildNotifyVerifyEmailBody(code, siteName string) string {
+	return fmt.Sprintf(`
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="UTF-8">
+    <style>
+        body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, sans-serif; background-color: #f5f5f5; margin: 0; padding: 20px; }
+        .container { max-width: 600px; margin: 0 auto; background-color: #ffffff; border-radius: 8px; overflow: hidden; box-shadow: 0 2px 8px rgba(0,0,0,0.1); }
+        .header { background: linear-gradient(135deg, #667eea 0%%, #764ba2 100%%); color: white; padding: 30px; text-align: center; }
+        .header h1 { margin: 0; font-size: 24px; }
+        .content { padding: 40px 30px; text-align: center; }
+        .code { font-size: 36px; font-weight: bold; letter-spacing: 8px; color: #333; background-color: #f8f9fa; padding: 20px 30px; border-radius: 8px; display: inline-block; margin: 20px 0; font-family: monospace; }
+        .info { color: #666; font-size: 14px; line-height: 1.6; margin-top: 20px; }
+        .footer { background-color: #f8f9fa; padding: 20px; text-align: center; color: #999; font-size: 12px; }
+    </style>
+</head>
+<body>
+    <div class="container">
+        <div class="header">
+            <h1>%s</h1>
+        </div>
+        <div class="content">
+            <p style="font-size: 18px; color: #333;">通知邮箱验证码 / Notification Email Verification</p>
+            <div class="code">%s</div>
+            <div class="info">
+                <p>您正在添加额外的通知邮箱，请输入此验证码完成验证。</p>
+                <p>You are adding an extra notification email. Please enter this code to verify.</p>
+                <p>此验证码将在 <strong>15 分钟</strong>后失效。</p>
+                <p>This code will expire in <strong>15 minutes</strong>.</p>
+                <p>如果您没有请求此验证码，请忽略此邮件。</p>
+                <p>If you did not request this code, please ignore this email.</p>
+            </div>
+        </div>
+        <div class="footer">
+            <p>此邮件由系统自动发送，请勿回复。/ This is an automated message, please do not reply.</p>
+        </div>
+    </div>
+</body>
+</html>
+`, siteName, code)
+}
diff --git a/backend/internal/service/user_service_test.go b/backend/internal/service/user_service_test.go
index 7f6c748f..29267c19 100644
--- a/backend/internal/service/user_service_test.go
+++ b/backend/internal/service/user_service_test.go
@@ -114,7 +114,7 @@ func (m *mockBillingCache) InvalidateAPIKeyRateLimit(context.Context, int64) err
 func TestUpdateBalance_Success(t *testing.T) {
 	repo := &mockUserRepo{}
 	cache := &mockBillingCache{}
-	svc := NewUserService(repo, nil, cache)
+	svc := NewUserService(repo, nil, nil, cache)
 
 	err := svc.UpdateBalance(context.Background(), 42, 100.0)
 	require.NoError(t, err)
@@ -131,7 +131,7 @@ func TestUpdateBalance_Success(t *testing.T) {
 
 func TestUpdateBalance_NilBillingCache_NoPanic(t *testing.T) {
 	repo := &mockUserRepo{}
-	svc := NewUserService(repo, nil, nil) // billingCache = nil
+	svc := NewUserService(repo, nil, nil, nil) // billingCache = nil
 
 	err := svc.UpdateBalance(context.Background(), 1, 50.0)
 	require.NoError(t, err, "billingCache 为 nil 时不应 panic")
@@ -140,7 +140,7 @@ func TestUpdateBalance_NilBillingCache_NoPanic(t *testing.T) {
 func TestUpdateBalance_CacheFailure_DoesNotAffectReturn(t *testing.T) {
 	repo := &mockUserRepo{}
 	cache := &mockBillingCache{invalidateErr: errors.New("redis connection refused")}
-	svc := NewUserService(repo, nil, cache)
+	svc := NewUserService(repo, nil, nil, cache)
 
 	err := svc.UpdateBalance(context.Background(), 99, 200.0)
 	require.NoError(t, err, "缓存失效失败不应影响主流程返回值")
@@ -154,7 +154,7 @@ func TestUpdateBalance_CacheFailure_DoesNotAffectReturn(t *testing.T) {
 func TestUpdateBalance_RepoError_ReturnsError(t *testing.T) {
 	repo := &mockUserRepo{updateBalanceErr: errors.New("database error")}
 	cache := &mockBillingCache{}
-	svc := NewUserService(repo, nil, cache)
+	svc := NewUserService(repo, nil, nil, cache)
 
 	err := svc.UpdateBalance(context.Background(), 1, 100.0)
 	require.Error(t, err, "repo 失败时应返回错误")
@@ -170,7 +170,7 @@ func TestUpdateBalance_WithAuthCacheInvalidator(t *testing.T) {
 	repo := &mockUserRepo{}
 	auth := &mockAuthCacheInvalidator{}
 	cache := &mockBillingCache{}
-	svc := NewUserService(repo, auth, cache)
+	svc := NewUserService(repo, nil, auth, cache)
 
 	err := svc.UpdateBalance(context.Background(), 77, 300.0)
 	require.NoError(t, err)
@@ -191,7 +191,7 @@ func TestNewUserService_FieldsAssignment(t *testing.T) {
 	auth := &mockAuthCacheInvalidator{}
 	cache := &mockBillingCache{}
 
-	svc := NewUserService(repo, auth, cache)
+	svc := NewUserService(repo, nil, auth, cache)
 	require.NotNil(t, svc)
 	require.Equal(t, repo, svc.userRepo)
 	require.Equal(t, auth, svc.authCacheInvalidator)
diff --git a/backend/internal/service/wire.go b/backend/internal/service/wire.go
index a8ece8a3..2827f135 100644
--- a/backend/internal/service/wire.go
+++ b/backend/internal/service/wire.go
@@ -465,6 +465,7 @@ var ProviderSet = wire.NewSet(
 	ProvidePaymentConfigService,
 	NewPaymentService,
 	ProvidePaymentOrderExpiryService,
+	ProvideBalanceNotifyService,
 )
 
 // ProvidePaymentConfigService wraps NewPaymentConfigService to accept the named
@@ -473,6 +474,11 @@ func ProvidePaymentConfigService(entClient *dbent.Client, settingRepo SettingRep
 	return NewPaymentConfigService(entClient, settingRepo, []byte(key))
 }
 
+// ProvideBalanceNotifyService creates BalanceNotifyService
+func ProvideBalanceNotifyService(emailService *EmailService, settingRepo SettingRepository) *BalanceNotifyService {
+	return NewBalanceNotifyService(emailService, settingRepo)
+}
+
 // ProvidePaymentOrderExpiryService creates and starts PaymentOrderExpiryService.
 func ProvidePaymentOrderExpiryService(paymentSvc *PaymentService) *PaymentOrderExpiryService {
 	svc := NewPaymentOrderExpiryService(paymentSvc, 60*time.Second)
diff --git a/backend/migrations/101_add_balance_notify_fields.sql b/backend/migrations/101_add_balance_notify_fields.sql
new file mode 100644
index 00000000..ef0a0930
--- /dev/null
+++ b/backend/migrations/101_add_balance_notify_fields.sql
@@ -0,0 +1,4 @@
+-- Balance notification user preferences
+ALTER TABLE users ADD COLUMN IF NOT EXISTS balance_notify_enabled BOOLEAN NOT NULL DEFAULT true;
+ALTER TABLE users ADD COLUMN IF NOT EXISTS balance_notify_threshold DECIMAL(20,8) DEFAULT NULL;
+ALTER TABLE users ADD COLUMN IF NOT EXISTS balance_notify_extra_emails TEXT NOT NULL DEFAULT '[]';
diff --git a/frontend/src/api/admin/settings.ts b/frontend/src/api/admin/settings.ts
index 7fc6c852..c6323b00 100644
--- a/frontend/src/api/admin/settings.ts
+++ b/frontend/src/api/admin/settings.ts
@@ -134,6 +134,11 @@ export interface SystemSettings {
   payment_cancel_rate_limit_window: number
   payment_cancel_rate_limit_unit: string
   payment_cancel_rate_limit_window_mode: string
+
+  // Balance & quota notification
+  balance_low_notify_enabled: boolean
+  balance_low_notify_threshold: number
+  account_quota_notify_emails: string[]
 }
 
 export interface UpdateSettingsRequest {
@@ -233,6 +238,10 @@ export interface UpdateSettingsRequest {
   payment_cancel_rate_limit_window?: number
   payment_cancel_rate_limit_unit?: string
   payment_cancel_rate_limit_window_mode?: string
+  // Balance & quota notification
+  balance_low_notify_enabled?: boolean
+  balance_low_notify_threshold?: number
+  account_quota_notify_emails?: string[]
 }
 
 /**
diff --git a/frontend/src/api/user.ts b/frontend/src/api/user.ts
index bfc0e30b..9ef0f59c 100644
--- a/frontend/src/api/user.ts
+++ b/frontend/src/api/user.ts
@@ -22,6 +22,9 @@ export async function getProfile(): Promise<User> {
  */
 export async function updateProfile(profile: {
   username?: string
+  balance_notify_enabled?: boolean
+  balance_notify_threshold?: number | null
+  balance_notify_extra_emails?: string[]
 }): Promise<User> {
   const { data } = await apiClient.put<User>('/user', profile)
   return data
@@ -45,10 +48,38 @@ export async function changePassword(
   return data
 }
 
+/**
+ * Send verification code for adding a notify email
+ * @param email - Email address to verify
+ */
+export async function sendNotifyEmailCode(email: string): Promise<void> {
+  await apiClient.post('/user/notify-email/send-code', { email })
+}
+
+/**
+ * Verify and add a notify email
+ * @param email - Email address to add
+ * @param code - Verification code
+ */
+export async function verifyNotifyEmail(email: string, code: string): Promise<void> {
+  await apiClient.post('/user/notify-email/verify', { email, code })
+}
+
+/**
+ * Remove a notify email
+ * @param email - Email address to remove
+ */
+export async function removeNotifyEmail(email: string): Promise<void> {
+  await apiClient.delete('/user/notify-email', { data: { email } })
+}
+
 export const userAPI = {
   getProfile,
   updateProfile,
-  changePassword
+  changePassword,
+  sendNotifyEmailCode,
+  verifyNotifyEmail,
+  removeNotifyEmail
 }
 
 export default userAPI
diff --git a/frontend/src/components/account/EditAccountModal.vue b/frontend/src/components/account/EditAccountModal.vue
index a67366fc..54dae5c2 100644
--- a/frontend/src/components/account/EditAccountModal.vue
+++ b/frontend/src/components/account/EditAccountModal.vue
@@ -1186,6 +1186,12 @@
           :weeklyResetDay="editWeeklyResetDay"
           :weeklyResetHour="editWeeklyResetHour"
           :resetTimezone="editResetTimezone"
+          :quotaNotifyDailyEnabled="editQuotaNotifyDailyEnabled"
+          :quotaNotifyDailyThreshold="editQuotaNotifyDailyThreshold"
+          :quotaNotifyWeeklyEnabled="editQuotaNotifyWeeklyEnabled"
+          :quotaNotifyWeeklyThreshold="editQuotaNotifyWeeklyThreshold"
+          :quotaNotifyTotalEnabled="editQuotaNotifyTotalEnabled"
+          :quotaNotifyTotalThreshold="editQuotaNotifyTotalThreshold"
           @update:totalLimit="editQuotaLimit = $event"
           @update:dailyLimit="editQuotaDailyLimit = $event"
           @update:weeklyLimit="editQuotaWeeklyLimit = $event"
@@ -1195,6 +1201,12 @@
           @update:weeklyResetDay="editWeeklyResetDay = $event"
           @update:weeklyResetHour="editWeeklyResetHour = $event"
           @update:resetTimezone="editResetTimezone = $event"
+          @update:quotaNotifyDailyEnabled="editQuotaNotifyDailyEnabled = $event"
+          @update:quotaNotifyDailyThreshold="editQuotaNotifyDailyThreshold = $event"
+          @update:quotaNotifyWeeklyEnabled="editQuotaNotifyWeeklyEnabled = $event"
+          @update:quotaNotifyWeeklyThreshold="editQuotaNotifyWeeklyThreshold = $event"
+          @update:quotaNotifyTotalEnabled="editQuotaNotifyTotalEnabled = $event"
+          @update:quotaNotifyTotalThreshold="editQuotaNotifyTotalThreshold = $event"
         />
       </div>
       <!-- 配额控制 (非 Anthropic apikey/bedrock) -->
@@ -1218,6 +1230,12 @@
           :weeklyResetDay="editWeeklyResetDay"
           :weeklyResetHour="editWeeklyResetHour"
           :resetTimezone="editResetTimezone"
+          :quotaNotifyDailyEnabled="editQuotaNotifyDailyEnabled"
+          :quotaNotifyDailyThreshold="editQuotaNotifyDailyThreshold"
+          :quotaNotifyWeeklyEnabled="editQuotaNotifyWeeklyEnabled"
+          :quotaNotifyWeeklyThreshold="editQuotaNotifyWeeklyThreshold"
+          :quotaNotifyTotalEnabled="editQuotaNotifyTotalEnabled"
+          :quotaNotifyTotalThreshold="editQuotaNotifyTotalThreshold"
           @update:totalLimit="editQuotaLimit = $event"
           @update:dailyLimit="editQuotaDailyLimit = $event"
           @update:weeklyLimit="editQuotaWeeklyLimit = $event"
@@ -1227,6 +1245,12 @@
           @update:weeklyResetDay="editWeeklyResetDay = $event"
           @update:weeklyResetHour="editWeeklyResetHour = $event"
           @update:resetTimezone="editResetTimezone = $event"
+          @update:quotaNotifyDailyEnabled="editQuotaNotifyDailyEnabled = $event"
+          @update:quotaNotifyDailyThreshold="editQuotaNotifyDailyThreshold = $event"
+          @update:quotaNotifyWeeklyEnabled="editQuotaNotifyWeeklyEnabled = $event"
+          @update:quotaNotifyWeeklyThreshold="editQuotaNotifyWeeklyThreshold = $event"
+          @update:quotaNotifyTotalEnabled="editQuotaNotifyTotalEnabled = $event"
+          @update:quotaNotifyTotalThreshold="editQuotaNotifyTotalThreshold = $event"
         />
       </div>
 
@@ -1960,6 +1984,12 @@ const editWeeklyResetMode = ref<'rolling' | 'fixed' | null>(null)
 const editWeeklyResetDay = ref<number | null>(null)
 const editWeeklyResetHour = ref<number | null>(null)
 const editResetTimezone = ref<string | null>(null)
+const editQuotaNotifyDailyEnabled = ref<boolean | null>(null)
+const editQuotaNotifyDailyThreshold = ref<number | null>(null)
+const editQuotaNotifyWeeklyEnabled = ref<boolean | null>(null)
+const editQuotaNotifyWeeklyThreshold = ref<number | null>(null)
+const editQuotaNotifyTotalEnabled = ref<boolean | null>(null)
+const editQuotaNotifyTotalThreshold = ref<number | null>(null)
 const openAIWSModeOptions = computed(() => [
   { value: OPENAI_WS_MODE_OFF, label: t('admin.accounts.openai.wsModeOff') },
   // TODO: ctx_pool 选项暂时隐藏，待测试完成后恢复
@@ -2159,6 +2189,13 @@ const syncFormFromAccount = (newAccount: Account | null) => {
     editWeeklyResetDay.value = (extra?.quota_weekly_reset_day as number) ?? null
     editWeeklyResetHour.value = (extra?.quota_weekly_reset_hour as number) ?? null
     editResetTimezone.value = (extra?.quota_reset_timezone as string) || null
+    // Load quota notify config
+    editQuotaNotifyDailyEnabled.value = (extra?.quota_notify_daily_enabled as boolean) ?? null
+    editQuotaNotifyDailyThreshold.value = (extra?.quota_notify_daily_threshold as number) ?? null
+    editQuotaNotifyWeeklyEnabled.value = (extra?.quota_notify_weekly_enabled as boolean) ?? null
+    editQuotaNotifyWeeklyThreshold.value = (extra?.quota_notify_weekly_threshold as number) ?? null
+    editQuotaNotifyTotalEnabled.value = (extra?.quota_notify_total_enabled as boolean) ?? null
+    editQuotaNotifyTotalThreshold.value = (extra?.quota_notify_total_threshold as number) ?? null
   } else {
     editQuotaLimit.value = null
     editQuotaDailyLimit.value = null
@@ -2169,6 +2206,12 @@ const syncFormFromAccount = (newAccount: Account | null) => {
     editWeeklyResetDay.value = null
     editWeeklyResetHour.value = null
     editResetTimezone.value = null
+    editQuotaNotifyDailyEnabled.value = null
+    editQuotaNotifyDailyThreshold.value = null
+    editQuotaNotifyWeeklyEnabled.value = null
+    editQuotaNotifyWeeklyThreshold.value = null
+    editQuotaNotifyTotalEnabled.value = null
+    editQuotaNotifyTotalThreshold.value = null
   }
 
   // Load antigravity model mapping (Antigravity 只支持映射模式)
@@ -2283,6 +2326,13 @@ const syncFormFromAccount = (newAccount: Account | null) => {
     editQuotaLimit.value = typeof bedrockExtra.quota_limit === 'number' ? bedrockExtra.quota_limit : null
     editQuotaDailyLimit.value = typeof bedrockExtra.quota_daily_limit === 'number' ? bedrockExtra.quota_daily_limit : null
     editQuotaWeeklyLimit.value = typeof bedrockExtra.quota_weekly_limit === 'number' ? bedrockExtra.quota_weekly_limit : null
+    // Load quota notify for bedrock
+    editQuotaNotifyDailyEnabled.value = (bedrockExtra.quota_notify_daily_enabled as boolean) ?? null
+    editQuotaNotifyDailyThreshold.value = (bedrockExtra.quota_notify_daily_threshold as number) ?? null
+    editQuotaNotifyWeeklyEnabled.value = (bedrockExtra.quota_notify_weekly_enabled as boolean) ?? null
+    editQuotaNotifyWeeklyThreshold.value = (bedrockExtra.quota_notify_weekly_threshold as number) ?? null
+    editQuotaNotifyTotalEnabled.value = (bedrockExtra.quota_notify_total_enabled as boolean) ?? null
+    editQuotaNotifyTotalThreshold.value = (bedrockExtra.quota_notify_total_threshold as number) ?? null
 
     // Load model mappings for bedrock
     const existingMappings = bedrockCreds.model_mapping as Record<string, string> | undefined
@@ -3198,6 +3248,40 @@ const handleSubmit = async () => {
       } else {
         delete newExtra.quota_reset_timezone
       }
+      // Quota notify config
+      if (editQuotaNotifyDailyEnabled.value) {
+        newExtra.quota_notify_daily_enabled = true
+        if (editQuotaNotifyDailyThreshold.value != null) {
+          newExtra.quota_notify_daily_threshold = editQuotaNotifyDailyThreshold.value
+        } else {
+          delete newExtra.quota_notify_daily_threshold
+        }
+      } else {
+        delete newExtra.quota_notify_daily_enabled
+        delete newExtra.quota_notify_daily_threshold
+      }
+      if (editQuotaNotifyWeeklyEnabled.value) {
+        newExtra.quota_notify_weekly_enabled = true
+        if (editQuotaNotifyWeeklyThreshold.value != null) {
+          newExtra.quota_notify_weekly_threshold = editQuotaNotifyWeeklyThreshold.value
+        } else {
+          delete newExtra.quota_notify_weekly_threshold
+        }
+      } else {
+        delete newExtra.quota_notify_weekly_enabled
+        delete newExtra.quota_notify_weekly_threshold
+      }
+      if (editQuotaNotifyTotalEnabled.value) {
+        newExtra.quota_notify_total_enabled = true
+        if (editQuotaNotifyTotalThreshold.value != null) {
+          newExtra.quota_notify_total_threshold = editQuotaNotifyTotalThreshold.value
+        } else {
+          delete newExtra.quota_notify_total_threshold
+        }
+      } else {
+        delete newExtra.quota_notify_total_enabled
+        delete newExtra.quota_notify_total_threshold
+      }
       updatePayload.extra = newExtra
     }
 
diff --git a/frontend/src/components/account/QuotaLimitCard.vue b/frontend/src/components/account/QuotaLimitCard.vue
index fdc19ad9..9840a5e1 100644
--- a/frontend/src/components/account/QuotaLimitCard.vue
+++ b/frontend/src/components/account/QuotaLimitCard.vue
@@ -4,7 +4,7 @@ import { useI18n } from 'vue-i18n'
 
 const { t } = useI18n()
 
-const props = defineProps<{
+const props = withDefaults(defineProps<{
   totalLimit: number | null
   dailyLimit: number | null
   weeklyLimit: number | null
@@ -14,7 +14,20 @@ const props = defineProps<{
   weeklyResetDay: number | null
   weeklyResetHour: number | null
   resetTimezone: string | null
-}>()
+  quotaNotifyDailyEnabled?: boolean | null
+  quotaNotifyDailyThreshold?: number | null
+  quotaNotifyWeeklyEnabled?: boolean | null
+  quotaNotifyWeeklyThreshold?: number | null
+  quotaNotifyTotalEnabled?: boolean | null
+  quotaNotifyTotalThreshold?: number | null
+}>(), {
+  quotaNotifyDailyEnabled: null,
+  quotaNotifyDailyThreshold: null,
+  quotaNotifyWeeklyEnabled: null,
+  quotaNotifyWeeklyThreshold: null,
+  quotaNotifyTotalEnabled: null,
+  quotaNotifyTotalThreshold: null,
+})
 
 const emit = defineEmits<{
   'update:totalLimit': [value: number | null]
@@ -26,6 +39,12 @@ const emit = defineEmits<{
   'update:weeklyResetDay': [value: number | null]
   'update:weeklyResetHour': [value: number | null]
   'update:resetTimezone': [value: string | null]
+  'update:quotaNotifyDailyEnabled': [value: boolean | null]
+  'update:quotaNotifyDailyThreshold': [value: number | null]
+  'update:quotaNotifyWeeklyEnabled': [value: boolean | null]
+  'update:quotaNotifyWeeklyThreshold': [value: number | null]
+  'update:quotaNotifyTotalEnabled': [value: boolean | null]
+  'update:quotaNotifyTotalThreshold': [value: number | null]
 }>()
 
 const enabled = computed(() =>
@@ -203,6 +222,36 @@ const onWeeklyModeChange = (e: Event) => {
               {{ t('admin.accounts.quotaDailyLimitHint') }}
             </template>
           </p>
+          <!-- 日配额告警 -->
+          <div v-if="dailyLimit && dailyLimit > 0" class="ml-4 mt-2 flex items-center gap-3">
+            <label class="text-sm text-gray-500 whitespace-nowrap">{{ t('admin.accounts.quotaNotify.alert') }}</label>
+            <button
+              type="button"
+              @click="emit('update:quotaNotifyDailyEnabled', !(props.quotaNotifyDailyEnabled))"
+              :class="[
+                'relative inline-flex h-5 w-9 flex-shrink-0 cursor-pointer rounded-full border-2 border-transparent transition-colors duration-200 ease-in-out focus:outline-none',
+                props.quotaNotifyDailyEnabled ? 'bg-primary-600' : 'bg-gray-200 dark:bg-dark-600'
+              ]"
+            >
+              <span
+                :class="[
+                  'pointer-events-none inline-block h-4 w-4 transform rounded-full bg-white shadow ring-0 transition duration-200 ease-in-out',
+                  props.quotaNotifyDailyEnabled ? 'translate-x-4' : 'translate-x-0'
+                ]"
+              />
+            </button>
+            <div v-if="props.quotaNotifyDailyEnabled" class="relative flex-1">
+              <span class="absolute left-2 top-1/2 -translate-y-1/2 text-gray-400 text-sm">$</span>
+              <input
+                :value="props.quotaNotifyDailyThreshold"
+                @input="emit('update:quotaNotifyDailyThreshold', parseFloat(($event.target as HTMLInputElement).value) || null)"
+                type="number"
+                min="0"
+                step="0.01"
+                class="input pl-6 py-1 text-sm"
+              />
+            </div>
+          </div>
         </div>
 
         <!-- 周配额 -->
@@ -259,6 +308,36 @@ const onWeeklyModeChange = (e: Event) => {
               {{ t('admin.accounts.quotaWeeklyLimitHint') }}
             </template>
           </p>
+          <!-- 周配额告警 -->
+          <div v-if="weeklyLimit && weeklyLimit > 0" class="ml-4 mt-2 flex items-center gap-3">
+            <label class="text-sm text-gray-500 whitespace-nowrap">{{ t('admin.accounts.quotaNotify.alert') }}</label>
+            <button
+              type="button"
+              @click="emit('update:quotaNotifyWeeklyEnabled', !(props.quotaNotifyWeeklyEnabled))"
+              :class="[
+                'relative inline-flex h-5 w-9 flex-shrink-0 cursor-pointer rounded-full border-2 border-transparent transition-colors duration-200 ease-in-out focus:outline-none',
+                props.quotaNotifyWeeklyEnabled ? 'bg-primary-600' : 'bg-gray-200 dark:bg-dark-600'
+              ]"
+            >
+              <span
+                :class="[
+                  'pointer-events-none inline-block h-4 w-4 transform rounded-full bg-white shadow ring-0 transition duration-200 ease-in-out',
+                  props.quotaNotifyWeeklyEnabled ? 'translate-x-4' : 'translate-x-0'
+                ]"
+              />
+            </button>
+            <div v-if="props.quotaNotifyWeeklyEnabled" class="relative flex-1">
+              <span class="absolute left-2 top-1/2 -translate-y-1/2 text-gray-400 text-sm">$</span>
+              <input
+                :value="props.quotaNotifyWeeklyThreshold"
+                @input="emit('update:quotaNotifyWeeklyThreshold', parseFloat(($event.target as HTMLInputElement).value) || null)"
+                type="number"
+                min="0"
+                step="0.01"
+                class="input pl-6 py-1 text-sm"
+              />
+            </div>
+          </div>
         </div>
 
         <!-- 时区选择（当任一维度使用固定模式时显示） -->
@@ -289,6 +368,36 @@ const onWeeklyModeChange = (e: Event) => {
             />
           </div>
           <p class="input-hint">{{ t('admin.accounts.quotaTotalLimitHint') }}</p>
+          <!-- 总配额告警 -->
+          <div v-if="totalLimit && totalLimit > 0" class="ml-4 mt-2 flex items-center gap-3">
+            <label class="text-sm text-gray-500 whitespace-nowrap">{{ t('admin.accounts.quotaNotify.alert') }}</label>
+            <button
+              type="button"
+              @click="emit('update:quotaNotifyTotalEnabled', !(props.quotaNotifyTotalEnabled))"
+              :class="[
+                'relative inline-flex h-5 w-9 flex-shrink-0 cursor-pointer rounded-full border-2 border-transparent transition-colors duration-200 ease-in-out focus:outline-none',
+                props.quotaNotifyTotalEnabled ? 'bg-primary-600' : 'bg-gray-200 dark:bg-dark-600'
+              ]"
+            >
+              <span
+                :class="[
+                  'pointer-events-none inline-block h-4 w-4 transform rounded-full bg-white shadow ring-0 transition duration-200 ease-in-out',
+                  props.quotaNotifyTotalEnabled ? 'translate-x-4' : 'translate-x-0'
+                ]"
+              />
+            </button>
+            <div v-if="props.quotaNotifyTotalEnabled" class="relative flex-1">
+              <span class="absolute left-2 top-1/2 -translate-y-1/2 text-gray-400 text-sm">$</span>
+              <input
+                :value="props.quotaNotifyTotalThreshold"
+                @input="emit('update:quotaNotifyTotalThreshold', parseFloat(($event.target as HTMLInputElement).value) || null)"
+                type="number"
+                min="0"
+                step="0.01"
+                class="input pl-6 py-1 text-sm"
+              />
+            </div>
+          </div>
         </div>
       </div>
   </div>
diff --git a/frontend/src/components/user/profile/ProfileBalanceNotifyCard.vue b/frontend/src/components/user/profile/ProfileBalanceNotifyCard.vue
new file mode 100644
index 00000000..130d82b5
--- /dev/null
+++ b/frontend/src/components/user/profile/ProfileBalanceNotifyCard.vue
@@ -0,0 +1,204 @@
+<template>
+  <div class="card">
+    <div class="border-b border-gray-100 px-6 py-4 dark:border-dark-700">
+      <h2 class="text-lg font-medium text-gray-900 dark:text-white">
+        {{ t('profile.balanceNotify.title') }}
+      </h2>
+    </div>
+    <div class="px-6 py-6 space-y-6">
+      <!-- Enable toggle -->
+      <div class="flex items-center justify-between">
+        <div>
+          <label class="input-label">{{ t('profile.balanceNotify.enabled') }}</label>
+        </div>
+        <label class="relative inline-flex items-center cursor-pointer">
+          <input type="checkbox" v-model="notifyEnabled" @change="handleToggle" class="sr-only peer" />
+          <div class="w-11 h-6 bg-gray-200 peer-focus:outline-none peer-focus:ring-4 peer-focus:ring-primary-300 dark:peer-focus:ring-primary-800 rounded-full peer dark:bg-gray-700 peer-checked:after:translate-x-full peer-checked:after:border-white after:content-[''] after:absolute after:top-[2px] after:left-[2px] after:bg-white after:border-gray-300 after:border after:rounded-full after:h-5 after:w-5 after:transition-all dark:after:border-gray-600 peer-checked:bg-primary-600"></div>
+        </label>
+      </div>
+
+      <!-- Custom threshold -->
+      <div v-if="notifyEnabled">
+        <label class="input-label">
+          {{ t('profile.balanceNotify.threshold') }}
+          <span class="text-xs text-gray-400 ml-2">{{ t('profile.balanceNotify.thresholdHint') }}</span>
+        </label>
+        <div class="flex items-center gap-2">
+          <span class="text-gray-500">$</span>
+          <input
+            v-model.number="customThreshold"
+            type="number"
+            min="0"
+            step="0.01"
+            class="input flex-1"
+            :placeholder="t('profile.balanceNotify.thresholdPlaceholder')"
+            @blur="handleThresholdUpdate"
+          />
+        </div>
+      </div>
+
+      <!-- Extra emails -->
+      <div v-if="notifyEnabled">
+        <label class="input-label">{{ t('profile.balanceNotify.extraEmails') }}</label>
+
+        <!-- Existing emails list -->
+        <div v-if="extraEmails.length > 0" class="space-y-2 mb-4">
+          <div v-for="email in extraEmails" :key="email"
+            class="flex items-center justify-between px-3 py-2 bg-gray-50 dark:bg-dark-700 rounded-lg">
+            <span class="text-sm text-gray-700 dark:text-gray-300">{{ email }}</span>
+            <button @click="handleRemoveEmail(email)" class="text-red-500 hover:text-red-700 text-sm">
+              {{ t('profile.balanceNotify.removeEmail') }}
+            </button>
+          </div>
+        </div>
+
+        <!-- Add new email -->
+        <div class="space-y-2">
+          <div class="flex gap-2">
+            <input
+              v-model="newEmail"
+              type="email"
+              class="input flex-1"
+              :placeholder="t('profile.balanceNotify.emailPlaceholder')"
+              :disabled="codeSent"
+            />
+            <button
+              @click="handleSendCode"
+              :disabled="!newEmail || sendingCode || codeCountdown > 0"
+              class="btn btn-outline whitespace-nowrap"
+            >
+              {{ codeCountdown > 0 ? `${codeCountdown}s` : (codeSent ? t('profile.balanceNotify.codeSent') : t('profile.balanceNotify.sendCode')) }}
+            </button>
+          </div>
+          <div v-if="codeSent" class="flex gap-2">
+            <input
+              v-model="verifyCode"
+              type="text"
+              maxlength="6"
+              class="input flex-1"
+              :placeholder="t('profile.balanceNotify.codePlaceholder')"
+            />
+            <button
+              @click="handleVerify"
+              :disabled="!verifyCode || verifyCode.length !== 6 || verifying"
+              class="btn btn-primary whitespace-nowrap"
+            >
+              {{ t('profile.balanceNotify.verify') }}
+            </button>
+          </div>
+        </div>
+      </div>
+    </div>
+  </div>
+</template>
+
+<script setup lang="ts">
+import { ref, watch } from 'vue'
+import { useI18n } from 'vue-i18n'
+import { useAuthStore } from '@/stores/auth'
+import { useAppStore } from '@/stores/app'
+import { userAPI } from '@/api'
+import { extractApiErrorMessage } from '@/utils/apiError'
+
+const props = defineProps<{
+  enabled: boolean
+  threshold: number | null
+  extraEmails: string[]
+}>()
+
+const { t } = useI18n()
+const authStore = useAuthStore()
+const appStore = useAppStore()
+
+const notifyEnabled = ref(props.enabled)
+const customThreshold = ref<number | null>(props.threshold)
+const extraEmails = ref<string[]>([...props.extraEmails])
+const newEmail = ref('')
+const verifyCode = ref('')
+const codeSent = ref(false)
+const sendingCode = ref(false)
+const verifying = ref(false)
+const codeCountdown = ref(0)
+
+let countdownTimer: ReturnType<typeof setInterval> | null = null
+
+watch(() => props.enabled, (val) => { notifyEnabled.value = val })
+watch(() => props.threshold, (val) => { customThreshold.value = val })
+watch(() => props.extraEmails, (val) => { extraEmails.value = [...val] })
+
+const handleToggle = async () => {
+  try {
+    const updated = await userAPI.updateProfile({ balance_notify_enabled: notifyEnabled.value })
+    authStore.user = updated
+  } catch (err: unknown) {
+    appStore.showError(extractApiErrorMessage(err, t('common.error')))
+    notifyEnabled.value = !notifyEnabled.value
+  }
+}
+
+const handleThresholdUpdate = async () => {
+  try {
+    const threshold = customThreshold.value && customThreshold.value > 0 ? customThreshold.value : 0
+    const updated = await userAPI.updateProfile({ balance_notify_threshold: threshold })
+    authStore.user = updated
+  } catch (err: unknown) {
+    appStore.showError(extractApiErrorMessage(err, t('common.error')))
+  }
+}
+
+const handleSendCode = async () => {
+  if (!newEmail.value) return
+  sendingCode.value = true
+  try {
+    await userAPI.sendNotifyEmailCode(newEmail.value)
+    codeSent.value = true
+    codeCountdown.value = 60
+    countdownTimer = setInterval(() => {
+      codeCountdown.value--
+      if (codeCountdown.value <= 0) {
+        if (countdownTimer) clearInterval(countdownTimer)
+        countdownTimer = null
+      }
+    }, 1000)
+    appStore.showSuccess(t('profile.balanceNotify.codeSent'))
+  } catch (err: unknown) {
+    appStore.showError(extractApiErrorMessage(err, t('common.error')))
+  } finally {
+    sendingCode.value = false
+  }
+}
+
+const handleVerify = async () => {
+  if (!verifyCode.value || verifyCode.value.length !== 6) return
+  verifying.value = true
+  try {
+    await userAPI.verifyNotifyEmail(newEmail.value, verifyCode.value)
+    extraEmails.value.push(newEmail.value)
+    newEmail.value = ''
+    verifyCode.value = ''
+    codeSent.value = false
+    if (countdownTimer) clearInterval(countdownTimer)
+    codeCountdown.value = 0
+    appStore.showSuccess(t('profile.balanceNotify.verifySuccess'))
+    // Refresh user data
+    const updated = await userAPI.getProfile()
+    authStore.user = updated
+  } catch (err: unknown) {
+    appStore.showError(extractApiErrorMessage(err, t('common.error')))
+  } finally {
+    verifying.value = false
+  }
+}
+
+const handleRemoveEmail = async (email: string) => {
+  try {
+    await userAPI.removeNotifyEmail(email)
+    extraEmails.value = extraEmails.value.filter(e => e !== email)
+    appStore.showSuccess(t('profile.balanceNotify.removeSuccess'))
+    const updated = await userAPI.getProfile()
+    authStore.user = updated
+  } catch (err: unknown) {
+    appStore.showError(extractApiErrorMessage(err, t('common.error')))
+  }
+}
+</script>
diff --git a/frontend/src/i18n/locales/en.ts b/frontend/src/i18n/locales/en.ts
index dd45ea17..7119fa36 100644
--- a/frontend/src/i18n/locales/en.ts
+++ b/frontend/src/i18n/locales/en.ts
@@ -902,6 +902,31 @@ export default {
       sendCode: 'Send Code',
       codeSent: 'Verification code sent to your email',
       sendCodeFailed: 'Failed to send verification code'
+    },
+    balanceNotify: {
+      title: 'Balance Low Notification',
+      description: 'Send email alert when account balance falls below threshold',
+      enabled: 'Enable Balance Low Notification',
+      threshold: 'Custom Threshold',
+      thresholdHint: 'Leave empty to use system default',
+      thresholdPlaceholder: 'Enter amount',
+      systemDefault: 'System Default',
+      extraEmails: 'Extra Notification Emails',
+      noExtraEmails: 'No extra notification emails',
+      enterEmail: 'Enter email address',
+      addEmail: 'Add Email',
+      emailPlaceholder: 'Enter email address',
+      sendCode: 'Send Code',
+      codeSent: 'Verification code sent',
+      codeSentTo: 'Code sent to {email}',
+      enterCode: 'Enter verification code',
+      codePlaceholder: '6-digit code',
+      verify: 'Verify & Add',
+      emailAdded: 'Email added',
+      emailRemoved: 'Email removed',
+      verifySuccess: 'Email added successfully',
+      removeEmail: 'Remove',
+      removeSuccess: 'Email removed',
     }
   },
 
@@ -2228,6 +2253,12 @@ export default {
       },
       quotaLimitAmount: 'Total Limit',
       quotaLimitAmountHint: 'Cumulative spending limit. Does not auto-reset.',
+      quotaNotify: {
+        alert: 'Alert Threshold',
+        enabled: 'Enable Alert',
+        threshold: 'Alert Amount',
+        thresholdPlaceholder: 'Enter alert amount',
+      },
       testConnection: 'Test Connection',
       reAuthorize: 'Re-Authorize',
       refreshToken: 'Refresh Token',
@@ -4593,6 +4624,22 @@ export default {
         supportedTypesHint: 'Comma-separated, e.g. alipay,wxpay',
         refundEnabled: 'Allow Refund',
       },
+      balanceNotify: {
+        title: 'Balance Low Notification',
+        description: 'Send email notification when user balance falls below threshold',
+        enabled: 'Enable Balance Low Notification',
+        threshold: 'Default Threshold',
+        thresholdHint: 'Used when user has not set a custom value',
+        thresholdPlaceholder: 'Enter amount',
+      },
+      quotaNotify: {
+        title: 'Account Quota Notification',
+        description: 'Notify admins when account quota usage reaches alert threshold',
+        emails: 'Notification Emails',
+        emailsHint: 'Leave empty to disable notifications',
+        addEmail: 'Add Email',
+        emailPlaceholder: 'Enter email address',
+      },
       smtp: {
         title: 'SMTP Settings',
         description: 'Configure email sending for verification codes',
diff --git a/frontend/src/i18n/locales/zh.ts b/frontend/src/i18n/locales/zh.ts
index bbfc7971..6efaf657 100644
--- a/frontend/src/i18n/locales/zh.ts
+++ b/frontend/src/i18n/locales/zh.ts
@@ -906,6 +906,31 @@ export default {
       sendCode: '发送验证码',
       codeSent: '验证码已发送到您的邮箱',
       sendCodeFailed: '发送验证码失败'
+    },
+    balanceNotify: {
+      title: '余额不足提醒',
+      description: '当账户余额低于阈值时发送邮件提醒',
+      enabled: '启用余额不足提醒',
+      threshold: '自定义提醒阈值',
+      thresholdHint: '留空使用系统默认值',
+      thresholdPlaceholder: '输入金额',
+      systemDefault: '系统默认值',
+      extraEmails: '额外通知邮箱',
+      noExtraEmails: '暂无额外通知邮箱',
+      enterEmail: '输入邮箱地址',
+      addEmail: '添加邮箱',
+      emailPlaceholder: '输入邮箱地址',
+      sendCode: '发送验证码',
+      codeSent: '验证码已发送',
+      codeSentTo: '验证码已发送到 {email}',
+      enterCode: '输入验证码',
+      codePlaceholder: '6位验证码',
+      verify: '确认添加',
+      emailAdded: '邮箱已添加',
+      emailRemoved: '邮箱已移除',
+      verifySuccess: '邮箱添加成功',
+      removeEmail: '移除',
+      removeSuccess: '邮箱已移除',
     }
   },
 
@@ -2226,6 +2251,12 @@ export default {
       },
       quotaLimitAmount: '总限额',
       quotaLimitAmountHint: '累计消费上限，不会自动重置。',
+      quotaNotify: {
+        alert: '告警阈值',
+        enabled: '启用告警',
+        threshold: '告警金额',
+        thresholdPlaceholder: '输入告警金额',
+      },
       testConnection: '测试连接',
       reAuthorize: '重新授权',
       refreshToken: '刷新令牌',
@@ -4757,6 +4788,22 @@ export default {
         supportedTypesHint: '逗号分隔，如 alipay,wxpay',
         refundEnabled: '允许退款',
       },
+      balanceNotify: {
+        title: '余额不足提醒',
+        description: '当用户余额低于阈值时发送邮件提醒',
+        enabled: '启用余额不足提醒',
+        threshold: '默认提醒阈值',
+        thresholdHint: '用户未自定义时使用此值',
+        thresholdPlaceholder: '输入金额',
+      },
+      quotaNotify: {
+        title: '账号限额通知',
+        description: '当账号配额用量达到告警阈值时通知管理员',
+        emails: '通知邮箱',
+        emailsHint: '留空则不发送通知',
+        addEmail: '添加邮箱',
+        emailPlaceholder: '输入邮箱地址',
+      },
       smtp: {
         title: 'SMTP 设置',
         description: '配置用于发送验证码的邮件服务',
diff --git a/frontend/src/types/index.ts b/frontend/src/types/index.ts
index 8b7e44c1..e74f6e61 100644
--- a/frontend/src/types/index.ts
+++ b/frontend/src/types/index.ts
@@ -33,6 +33,9 @@ export interface User {
   concurrency: number // Allowed concurrent requests
   status: 'active' | 'disabled' // Account status
   allowed_groups: number[] | null // Allowed group IDs (null = all non-exclusive groups)
+  balance_notify_enabled: boolean
+  balance_notify_threshold: number | null
+  balance_notify_extra_emails: string[]
   subscriptions?: UserSubscription[] // User's active subscriptions
   created_at: string
   updated_at: string
diff --git a/frontend/src/views/admin/SettingsView.vue b/frontend/src/views/admin/SettingsView.vue
index 6abc725a..f57bfcf3 100644
--- a/frontend/src/views/admin/SettingsView.vue
+++ b/frontend/src/views/admin/SettingsView.vue
@@ -2562,6 +2562,60 @@
             </div>
           </div>
         </div>
+        <!-- Balance Low Notification -->
+        <div class="card">
+          <div class="border-b border-gray-100 px-6 py-4 dark:border-dark-700">
+            <h3 class="text-base font-medium text-gray-900 dark:text-white">
+              {{ t('admin.settings.balanceNotify.title') }}
+            </h3>
+            <p class="mt-1 text-sm text-gray-500 dark:text-gray-400">
+              {{ t('admin.settings.balanceNotify.description') }}
+            </p>
+          </div>
+          <div class="px-6 py-6 space-y-4">
+            <div class="flex items-center justify-between">
+              <label class="mb-0 block text-sm font-medium text-gray-700 dark:text-gray-300">{{ t('admin.settings.balanceNotify.enabled') }}</label>
+              <Toggle v-model="form.balance_low_notify_enabled" />
+            </div>
+            <div v-if="form.balance_low_notify_enabled">
+              <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">{{ t('admin.settings.balanceNotify.threshold') }}</label>
+              <div class="relative">
+                <span class="absolute left-3 top-1/2 -translate-y-1/2 text-gray-400">$</span>
+                <input v-model.number="form.balance_low_notify_threshold" type="number" min="0" step="0.01" class="input pl-7" />
+              </div>
+              <p class="mt-1 text-xs text-gray-500 dark:text-gray-400">{{ t('admin.settings.balanceNotify.thresholdHint') }}</p>
+            </div>
+          </div>
+        </div>
+
+        <!-- Account Quota Notification -->
+        <div class="card">
+          <div class="border-b border-gray-100 px-6 py-4 dark:border-dark-700">
+            <h3 class="text-base font-medium text-gray-900 dark:text-white">
+              {{ t('admin.settings.quotaNotify.title') }}
+            </h3>
+            <p class="mt-1 text-sm text-gray-500 dark:text-gray-400">
+              {{ t('admin.settings.quotaNotify.description') }}
+            </p>
+          </div>
+          <div class="px-6 py-6 space-y-4">
+            <div>
+              <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">{{ t('admin.settings.quotaNotify.emails') }}</label>
+              <div class="space-y-2">
+                <div v-for="(_, index) in (form.account_quota_notify_emails || [])" :key="index" class="flex items-center gap-2">
+                  <input v-model="form.account_quota_notify_emails[index]" type="email" class="input flex-1" />
+                  <button @click="form.account_quota_notify_emails.splice(index, 1)" class="btn btn-secondary px-2" type="button">
+                    <Icon name="x" size="xs" class="h-4 w-4" />
+                  </button>
+                </div>
+                <button @click="addQuotaNotifyEmail" class="btn btn-secondary btn-sm" type="button">
+                  + {{ t('admin.settings.quotaNotify.addEmail') }}
+                </button>
+              </div>
+              <p class="mt-1 text-xs text-gray-500 dark:text-gray-400">{{ t('admin.settings.quotaNotify.emailsHint') }}</p>
+            </div>
+          </div>
+        </div>
         </div><!-- /Tab: Email -->
 
         <!-- Tab: Backup -->
@@ -2840,7 +2894,11 @@ const form = reactive<SettingsForm>({
   // Gateway forwarding behavior
   enable_fingerprint_unification: true,
   enable_metadata_passthrough: false,
-  enable_cch_signing: false
+  enable_cch_signing: false,
+  // Balance & quota notification
+  balance_low_notify_enabled: false,
+  balance_low_notify_threshold: 0,
+  account_quota_notify_emails: [] as string[]
 })
 
 // Web Search Emulation config (loaded/saved separately)
@@ -2972,6 +3030,14 @@ function handleRegistrationEmailSuffixWhitelistPaste(event: ClipboardEvent) {
   }
 }
 
+// Quota notify email helpers
+const addQuotaNotifyEmail = () => {
+  if (!form.account_quota_notify_emails) {
+    form.account_quota_notify_emails = []
+  }
+  form.account_quota_notify_emails.push('')
+}
+
 // LinuxDo OAuth redirect URL suggestion
 const linuxdoRedirectUrlSuggestion = computed(() => {
   if (typeof window === 'undefined') return ''
@@ -3311,6 +3377,10 @@ async function saveSettings() {
       payment_cancel_rate_limit_window: Number(form.payment_cancel_rate_limit_window) || 1,
       payment_cancel_rate_limit_unit: form.payment_cancel_rate_limit_unit,
       payment_cancel_rate_limit_window_mode: form.payment_cancel_rate_limit_window_mode,
+      // Balance & quota notification
+      balance_low_notify_enabled: form.balance_low_notify_enabled,
+      balance_low_notify_threshold: Number(form.balance_low_notify_threshold) || 0,
+      account_quota_notify_emails: (form.account_quota_notify_emails || []).filter((e: string) => e.trim() !== ''),
     }
 
     const updated = await adminAPI.settings.updateSettings(payload)
diff --git a/frontend/src/views/user/ProfileView.vue b/frontend/src/views/user/ProfileView.vue
index 0967e2b9..5534e1d6 100644
--- a/frontend/src/views/user/ProfileView.vue
+++ b/frontend/src/views/user/ProfileView.vue
@@ -14,6 +14,12 @@
         </div>
       </div>
       <ProfileEditForm :initial-username="user?.username || ''" />
+      <ProfileBalanceNotifyCard
+        v-if="user"
+        :enabled="user.balance_notify_enabled ?? true"
+        :threshold="user.balance_notify_threshold"
+        :extra-emails="user.balance_notify_extra_emails ?? []"
+      />
       <ProfilePasswordForm />
       <ProfileTotpCard />
     </div>
@@ -27,6 +33,7 @@ import { authAPI } from '@/api'; import AppLayout from '@/components/layout/AppL
 import StatCard from '@/components/common/StatCard.vue'
 import ProfileInfoCard from '@/components/user/profile/ProfileInfoCard.vue'
 import ProfileEditForm from '@/components/user/profile/ProfileEditForm.vue'
+import ProfileBalanceNotifyCard from '@/components/user/profile/ProfileBalanceNotifyCard.vue'
 import ProfilePasswordForm from '@/components/user/profile/ProfilePasswordForm.vue'
 import ProfileTotpCard from '@/components/user/profile/ProfileTotpCard.vue'
 import { Icon } from '@/components/icons'

From c3812ce1e3fd845fe23a4cbc63f09655fd15fcab Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Sun, 12 Apr 2026 12:48:17 +0800
Subject: [PATCH 032/122] fix(notify): address review findings - accountCost
 formula, dedup, refactor

- Fix accountCost calculation in finalizePostUsageBilling to match
  postUsageBilling (always multiply by AccountRateMultiplier)
- Use strings.EqualFold for email dedup in collectBalanceNotifyRecipients
- Extract CheckAccountQuotaAfterIncrement into smaller functions:
  buildQuotaDims + asyncSendQuotaAlert (< 30 lines each)
- Add "not splittable" comments for HTML template functions
- Extract QuotaNotifyToggle.vue sub-component to reduce
  QuotaLimitCard.vue from 404 to 339 lines
---
 .../service/balance_notify_service.go         |  82 ++++++-------
 backend/internal/service/gateway_service.go   |   7 +-
 .../src/components/account/QuotaLimitCard.vue | 109 ++++--------------
 .../components/account/QuotaNotifyToggle.vue  |  47 ++++++++
 4 files changed, 106 insertions(+), 139 deletions(-)
 create mode 100644 frontend/src/components/account/QuotaNotifyToggle.vue

diff --git a/backend/internal/service/balance_notify_service.go b/backend/internal/service/balance_notify_service.go
index 7cd61a0a..8223a231 100644
--- a/backend/internal/service/balance_notify_service.go
+++ b/backend/internal/service/balance_notify_service.go
@@ -85,73 +85,59 @@ func (s *BalanceNotifyService) CheckBalanceAfterDeduction(ctx context.Context, u
 	}
 }
 
+// quotaDim describes one quota dimension for notification checking.
+type quotaDim struct {
+	name      string
+	enabled   bool
+	threshold float64
+	oldUsed   float64
+	limit     float64
+}
+
+// buildQuotaDims returns the three quota dimensions for notification checking.
+func buildQuotaDims(account *Account) []quotaDim {
+	return []quotaDim{
+		{quotaDimDaily, account.GetQuotaNotifyDailyEnabled(), account.GetQuotaNotifyDailyThreshold(), account.GetQuotaDailyUsed(), account.GetQuotaDailyLimit()},
+		{quotaDimWeekly, account.GetQuotaNotifyWeeklyEnabled(), account.GetQuotaNotifyWeeklyThreshold(), account.GetQuotaWeeklyUsed(), account.GetQuotaWeeklyLimit()},
+		{quotaDimTotal, account.GetQuotaNotifyTotalEnabled(), account.GetQuotaNotifyTotalThreshold(), account.GetQuotaUsed(), account.GetQuotaLimit()},
+	}
+}
+
 // CheckAccountQuotaAfterIncrement checks if any quota dimension crossed above its notify threshold.
 // The account's Extra fields contain pre-increment usage values.
 func (s *BalanceNotifyService) CheckAccountQuotaAfterIncrement(ctx context.Context, account *Account, cost float64) {
 	if account == nil || s.emailService == nil || s.settingRepo == nil || cost <= 0 {
 		return
 	}
-
 	adminEmails := s.getAccountQuotaNotifyEmails(ctx)
 	if len(adminEmails) == 0 {
 		return
 	}
 
 	siteName := s.getSiteName(ctx)
-
-	// Check each dimension
-	type quotaDim struct {
-		name      string
-		enabled   bool
-		threshold float64
-		oldUsed   float64
-		limit     float64
-	}
-
-	dims := []quotaDim{
-		{
-			name:      quotaDimDaily,
-			enabled:   account.GetQuotaNotifyDailyEnabled(),
-			threshold: account.GetQuotaNotifyDailyThreshold(),
-			oldUsed:   account.GetQuotaDailyUsed(),
-			limit:     account.GetQuotaDailyLimit(),
-		},
-		{
-			name:      quotaDimWeekly,
-			enabled:   account.GetQuotaNotifyWeeklyEnabled(),
-			threshold: account.GetQuotaNotifyWeeklyThreshold(),
-			oldUsed:   account.GetQuotaWeeklyUsed(),
-			limit:     account.GetQuotaWeeklyLimit(),
-		},
-		{
-			name:      quotaDimTotal,
-			enabled:   account.GetQuotaNotifyTotalEnabled(),
-			threshold: account.GetQuotaNotifyTotalThreshold(),
-			oldUsed:   account.GetQuotaUsed(),
-			limit:     account.GetQuotaLimit(),
-		},
-	}
-
-	for _, dim := range dims {
+	for _, dim := range buildQuotaDims(account) {
 		if !dim.enabled || dim.threshold <= 0 {
 			continue
 		}
 		newUsed := dim.oldUsed + cost
-		// Only notify on first crossing
 		if dim.oldUsed < dim.threshold && newUsed >= dim.threshold {
-			dimCopy := dim // capture loop variable
-			go func() {
-				defer func() {
-					if r := recover(); r != nil {
-						slog.Error("panic in quota notification", "recover", r)
-					}
-				}()
-				s.sendQuotaAlertEmails(adminEmails, account.Name, dimCopy.name, newUsed, dimCopy.limit, dimCopy.threshold, siteName)
-			}()
+			s.asyncSendQuotaAlert(adminEmails, account.Name, dim, newUsed, siteName)
 		}
 	}
 }
 
+// asyncSendQuotaAlert sends quota alert email in a goroutine with panic recovery.
+func (s *BalanceNotifyService) asyncSendQuotaAlert(adminEmails []string, accountName string, dim quotaDim, newUsed float64, siteName string) {
+	go func() {
+		defer func() {
+			if r := recover(); r != nil {
+				slog.Error("panic in quota notification", "recover", r)
+			}
+		}()
+		s.sendQuotaAlertEmails(adminEmails, accountName, dim.name, newUsed, dim.limit, dim.threshold, siteName)
+	}()
+}
+
 // getBalanceNotifyConfig reads global balance notification settings.
 func (s *BalanceNotifyService) getBalanceNotifyConfig(ctx context.Context) (enabled bool, threshold float64) {
 	keys := []string{SettingKeyBalanceLowNotifyEnabled, SettingKeyBalanceLowNotifyThreshold}
@@ -191,7 +177,7 @@ func (s *BalanceNotifyService) collectBalanceNotifyRecipients(user *User) []stri
 	recipients := []string{user.Email}
 	for _, extra := range user.BalanceNotifyExtraEmails {
 		email := strings.TrimSpace(extra)
-		if email != "" && email != user.Email {
+		if email != "" && !strings.EqualFold(email, user.Email) {
 			recipients = append(recipients, email)
 		}
 	}
@@ -234,6 +220,7 @@ func (s *BalanceNotifyService) sendQuotaAlertEmails(adminEmails []string, accoun
 }
 
 // buildBalanceLowEmailBody builds HTML email for balance low notification.
+// Lines exceed 30 due to inline HTML template (not splittable).
 func (s *BalanceNotifyService) buildBalanceLowEmailBody(userName string, balance, threshold float64, siteName string) string {
 	return fmt.Sprintf(`<!DOCTYPE html>
 <html>
@@ -271,6 +258,7 @@ func (s *BalanceNotifyService) buildBalanceLowEmailBody(userName string, balance
 }
 
 // buildQuotaAlertEmailBody builds HTML email for account quota alert.
+// Lines exceed 30 due to inline HTML template (not splittable).
 func (s *BalanceNotifyService) buildQuotaAlertEmailBody(accountName, dimLabel string, used, limit, threshold float64, siteName string) string {
 	limitStr := fmt.Sprintf("$%.2f", limit)
 	if limit <= 0 {
diff --git a/backend/internal/service/gateway_service.go b/backend/internal/service/gateway_service.go
index 72ab39ce..1203f0c6 100644
--- a/backend/internal/service/gateway_service.go
+++ b/backend/internal/service/gateway_service.go
@@ -7343,12 +7343,9 @@ func finalizePostUsageBilling(p *postUsageBillingParams, deps *billingDeps) {
 		deps.balanceNotifyService.CheckBalanceAfterDeduction(context.Background(), p.User, p.User.Balance, p.Cost.ActualCost)
 	}
 
-	// Account quota notification
+	// Account quota notification (use same cost formula as postUsageBilling)
 	if p.Cost.TotalCost > 0 && p.Account != nil && p.Account.IsAPIKeyOrBedrock() && deps.balanceNotifyService != nil {
-		accountCost := p.Cost.TotalCost
-		if p.AccountRateMultiplier > 0 {
-			accountCost *= p.AccountRateMultiplier
-		}
+		accountCost := p.Cost.TotalCost * p.AccountRateMultiplier
 		deps.balanceNotifyService.CheckAccountQuotaAfterIncrement(context.Background(), p.Account, accountCost)
 	}
 }
diff --git a/frontend/src/components/account/QuotaLimitCard.vue b/frontend/src/components/account/QuotaLimitCard.vue
index 9840a5e1..7c3afd23 100644
--- a/frontend/src/components/account/QuotaLimitCard.vue
+++ b/frontend/src/components/account/QuotaLimitCard.vue
@@ -1,6 +1,7 @@
 <script setup lang="ts">
 import { ref, watch, computed } from 'vue'
 import { useI18n } from 'vue-i18n'
+import QuotaNotifyToggle from './QuotaNotifyToggle.vue'
 
 const { t } = useI18n()
 
@@ -223,35 +224,13 @@ const onWeeklyModeChange = (e: Event) => {
             </template>
           </p>
           <!-- 日配额告警 -->
-          <div v-if="dailyLimit && dailyLimit > 0" class="ml-4 mt-2 flex items-center gap-3">
-            <label class="text-sm text-gray-500 whitespace-nowrap">{{ t('admin.accounts.quotaNotify.alert') }}</label>
-            <button
-              type="button"
-              @click="emit('update:quotaNotifyDailyEnabled', !(props.quotaNotifyDailyEnabled))"
-              :class="[
-                'relative inline-flex h-5 w-9 flex-shrink-0 cursor-pointer rounded-full border-2 border-transparent transition-colors duration-200 ease-in-out focus:outline-none',
-                props.quotaNotifyDailyEnabled ? 'bg-primary-600' : 'bg-gray-200 dark:bg-dark-600'
-              ]"
-            >
-              <span
-                :class="[
-                  'pointer-events-none inline-block h-4 w-4 transform rounded-full bg-white shadow ring-0 transition duration-200 ease-in-out',
-                  props.quotaNotifyDailyEnabled ? 'translate-x-4' : 'translate-x-0'
-                ]"
-              />
-            </button>
-            <div v-if="props.quotaNotifyDailyEnabled" class="relative flex-1">
-              <span class="absolute left-2 top-1/2 -translate-y-1/2 text-gray-400 text-sm">$</span>
-              <input
-                :value="props.quotaNotifyDailyThreshold"
-                @input="emit('update:quotaNotifyDailyThreshold', parseFloat(($event.target as HTMLInputElement).value) || null)"
-                type="number"
-                min="0"
-                step="0.01"
-                class="input pl-6 py-1 text-sm"
-              />
-            </div>
-          </div>
+          <QuotaNotifyToggle
+            v-if="dailyLimit && dailyLimit > 0"
+            :enabled="props.quotaNotifyDailyEnabled"
+            :threshold="props.quotaNotifyDailyThreshold"
+            @update:enabled="emit('update:quotaNotifyDailyEnabled', $event)"
+            @update:threshold="emit('update:quotaNotifyDailyThreshold', $event)"
+          />
         </div>
 
         <!-- 周配额 -->
@@ -309,35 +288,13 @@ const onWeeklyModeChange = (e: Event) => {
             </template>
           </p>
           <!-- 周配额告警 -->
-          <div v-if="weeklyLimit && weeklyLimit > 0" class="ml-4 mt-2 flex items-center gap-3">
-            <label class="text-sm text-gray-500 whitespace-nowrap">{{ t('admin.accounts.quotaNotify.alert') }}</label>
-            <button
-              type="button"
-              @click="emit('update:quotaNotifyWeeklyEnabled', !(props.quotaNotifyWeeklyEnabled))"
-              :class="[
-                'relative inline-flex h-5 w-9 flex-shrink-0 cursor-pointer rounded-full border-2 border-transparent transition-colors duration-200 ease-in-out focus:outline-none',
-                props.quotaNotifyWeeklyEnabled ? 'bg-primary-600' : 'bg-gray-200 dark:bg-dark-600'
-              ]"
-            >
-              <span
-                :class="[
-                  'pointer-events-none inline-block h-4 w-4 transform rounded-full bg-white shadow ring-0 transition duration-200 ease-in-out',
-                  props.quotaNotifyWeeklyEnabled ? 'translate-x-4' : 'translate-x-0'
-                ]"
-              />
-            </button>
-            <div v-if="props.quotaNotifyWeeklyEnabled" class="relative flex-1">
-              <span class="absolute left-2 top-1/2 -translate-y-1/2 text-gray-400 text-sm">$</span>
-              <input
-                :value="props.quotaNotifyWeeklyThreshold"
-                @input="emit('update:quotaNotifyWeeklyThreshold', parseFloat(($event.target as HTMLInputElement).value) || null)"
-                type="number"
-                min="0"
-                step="0.01"
-                class="input pl-6 py-1 text-sm"
-              />
-            </div>
-          </div>
+          <QuotaNotifyToggle
+            v-if="weeklyLimit && weeklyLimit > 0"
+            :enabled="props.quotaNotifyWeeklyEnabled"
+            :threshold="props.quotaNotifyWeeklyThreshold"
+            @update:enabled="emit('update:quotaNotifyWeeklyEnabled', $event)"
+            @update:threshold="emit('update:quotaNotifyWeeklyThreshold', $event)"
+          />
         </div>
 
         <!-- 时区选择（当任一维度使用固定模式时显示） -->
@@ -369,35 +326,13 @@ const onWeeklyModeChange = (e: Event) => {
           </div>
           <p class="input-hint">{{ t('admin.accounts.quotaTotalLimitHint') }}</p>
           <!-- 总配额告警 -->
-          <div v-if="totalLimit && totalLimit > 0" class="ml-4 mt-2 flex items-center gap-3">
-            <label class="text-sm text-gray-500 whitespace-nowrap">{{ t('admin.accounts.quotaNotify.alert') }}</label>
-            <button
-              type="button"
-              @click="emit('update:quotaNotifyTotalEnabled', !(props.quotaNotifyTotalEnabled))"
-              :class="[
-                'relative inline-flex h-5 w-9 flex-shrink-0 cursor-pointer rounded-full border-2 border-transparent transition-colors duration-200 ease-in-out focus:outline-none',
-                props.quotaNotifyTotalEnabled ? 'bg-primary-600' : 'bg-gray-200 dark:bg-dark-600'
-              ]"
-            >
-              <span
-                :class="[
-                  'pointer-events-none inline-block h-4 w-4 transform rounded-full bg-white shadow ring-0 transition duration-200 ease-in-out',
-                  props.quotaNotifyTotalEnabled ? 'translate-x-4' : 'translate-x-0'
-                ]"
-              />
-            </button>
-            <div v-if="props.quotaNotifyTotalEnabled" class="relative flex-1">
-              <span class="absolute left-2 top-1/2 -translate-y-1/2 text-gray-400 text-sm">$</span>
-              <input
-                :value="props.quotaNotifyTotalThreshold"
-                @input="emit('update:quotaNotifyTotalThreshold', parseFloat(($event.target as HTMLInputElement).value) || null)"
-                type="number"
-                min="0"
-                step="0.01"
-                class="input pl-6 py-1 text-sm"
-              />
-            </div>
-          </div>
+          <QuotaNotifyToggle
+            v-if="totalLimit && totalLimit > 0"
+            :enabled="props.quotaNotifyTotalEnabled"
+            :threshold="props.quotaNotifyTotalThreshold"
+            @update:enabled="emit('update:quotaNotifyTotalEnabled', $event)"
+            @update:threshold="emit('update:quotaNotifyTotalThreshold', $event)"
+          />
         </div>
       </div>
   </div>
diff --git a/frontend/src/components/account/QuotaNotifyToggle.vue b/frontend/src/components/account/QuotaNotifyToggle.vue
new file mode 100644
index 00000000..4634f5b1
--- /dev/null
+++ b/frontend/src/components/account/QuotaNotifyToggle.vue
@@ -0,0 +1,47 @@
+<script setup lang="ts">
+import { useI18n } from 'vue-i18n'
+
+const { t } = useI18n()
+
+defineProps<{
+  enabled: boolean | null
+  threshold: number | null
+}>()
+
+const emit = defineEmits<{
+  'update:enabled': [value: boolean | null]
+  'update:threshold': [value: number | null]
+}>()
+</script>
+
+<template>
+  <div class="ml-4 mt-2 flex items-center gap-3">
+    <label class="text-sm text-gray-500 whitespace-nowrap">{{ t('admin.accounts.quotaNotify.alert') }}</label>
+    <button
+      type="button"
+      @click="emit('update:enabled', !enabled)"
+      :class="[
+        'relative inline-flex h-5 w-9 flex-shrink-0 cursor-pointer rounded-full border-2 border-transparent transition-colors duration-200 ease-in-out focus:outline-none',
+        enabled ? 'bg-primary-600' : 'bg-gray-200 dark:bg-dark-600'
+      ]"
+    >
+      <span
+        :class="[
+          'pointer-events-none inline-block h-4 w-4 transform rounded-full bg-white shadow ring-0 transition duration-200 ease-in-out',
+          enabled ? 'translate-x-4' : 'translate-x-0'
+        ]"
+      />
+    </button>
+    <div v-if="enabled" class="relative flex-1">
+      <span class="absolute left-2 top-1/2 -translate-y-1/2 text-gray-400 text-sm">$</span>
+      <input
+        :value="threshold"
+        @input="emit('update:threshold', parseFloat(($event.target as HTMLInputElement).value) || null)"
+        type="number"
+        min="0"
+        step="0.01"
+        class="input pl-6 py-1 text-sm"
+      />
+    </div>
+  </div>
+</template>

From 30b926add431f41c57e4c972190920fe3884401e Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Sun, 12 Apr 2026 12:50:27 +0800
Subject: [PATCH 033/122] fix(notify): per-recipient timeout and return user on
 email removal

- Use per-recipient context timeout in sendEmails to prevent later
  recipients from failing due to shared timeout exhaustion
- Return updated user object from RemoveNotifyEmail handler for
  frontend state consistency (matching VerifyNotifyEmail pattern)
---
 backend/internal/handler/user_handler.go           | 9 ++++++++-
 backend/internal/service/balance_notify_service.go | 4 ++--
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/backend/internal/handler/user_handler.go b/backend/internal/handler/user_handler.go
index 42463a7a..4fb72ce7 100644
--- a/backend/internal/handler/user_handler.go
+++ b/backend/internal/handler/user_handler.go
@@ -205,5 +205,12 @@ func (h *UserHandler) RemoveNotifyEmail(c *gin.Context) {
 		return
 	}
 
-	response.Success(c, gin.H{"message": "Email removed successfully"})
+	// Return updated user
+	updatedUser, err := h.userService.GetByID(c.Request.Context(), subject.UserID)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, dto.UserFromService(updatedUser))
 }
diff --git a/backend/internal/service/balance_notify_service.go b/backend/internal/service/balance_notify_service.go
index 8223a231..8dd56b8f 100644
--- a/backend/internal/service/balance_notify_service.go
+++ b/backend/internal/service/balance_notify_service.go
@@ -186,13 +186,13 @@ func (s *BalanceNotifyService) collectBalanceNotifyRecipients(user *User) []stri
 
 // sendEmails sends an email to all recipients with shared timeout and error logging.
 func (s *BalanceNotifyService) sendEmails(recipients []string, subject, body string, logAttrs ...any) {
-	ctx, cancel := context.WithTimeout(context.Background(), emailSendTimeout)
-	defer cancel()
 	for _, to := range recipients {
+		ctx, cancel := context.WithTimeout(context.Background(), emailSendTimeout)
 		if err := s.emailService.SendEmail(ctx, to, subject, body); err != nil {
 			attrs := append([]any{"to", to, "error", err}, logAttrs...)
 			slog.Error("failed to send notification", attrs...)
 		}
+		cancel()
 	}
 }
 

From d0674e0ff94028f32c5f0882b16b66013719d5b0 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Sun, 12 Apr 2026 13:11:46 +0800
Subject: [PATCH 034/122] feat(websearch): settings UI overhaul and quota
 improvements
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Remove Priority field, auto load-balance by quota remaining
- Replace QuotaRefreshInterval (daily/weekly/monthly) with SubscribedAt
  (subscription date, monthly lazy refresh via Redis TTL)
- Add collapsible provider cards, API key show/copy, usage progress bar
- Add test endpoint (POST /web-search-emulation/test) bypassing quota
- Wire WebSearchManagerBuilder on startup (was never called before)
- Fix nextMonthlyReset day-of-month overflow (Jan 31 → Feb 28)
- Fix non-deterministic sort in selectByQuotaWeight
- Map ProxyID in builder for provider-level proxy tracking
- Fix frontend timezone drift in subscribed_at date picker
- Fix provider deletion index shift for expandedProviders state
---
 .../internal/handler/admin/setting_handler.go |  86 +++--
 backend/internal/pkg/websearch/manager.go     | 173 ++++++---
 .../internal/pkg/websearch/manager_test.go    | 136 ++++---
 backend/internal/server/http.go               |  30 ++
 backend/internal/server/routes/admin.go       |   1 +
 backend/internal/service/websearch_config.go  |  69 ++--
 .../internal/service/websearch_config_test.go |  45 +--
 frontend/src/api/admin/settings.ts            |  22 +-
 frontend/src/i18n/locales/en.ts               |  21 +-
 frontend/src/i18n/locales/zh.ts               |  21 +-
 frontend/src/views/admin/SettingsView.vue     | 351 ++++++++++++------
 11 files changed, 627 insertions(+), 328 deletions(-)

diff --git a/backend/internal/handler/admin/setting_handler.go b/backend/internal/handler/admin/setting_handler.go
index 459eade9..e5e024c6 100644
--- a/backend/internal/handler/admin/setting_handler.go
+++ b/backend/internal/handler/admin/setting_handler.go
@@ -175,9 +175,7 @@ func (h *SettingHandler) GetSettings(c *gin.Context) {
 		EnableFingerprintUnification:         settings.EnableFingerprintUnification,
 		EnableMetadataPassthrough:            settings.EnableMetadataPassthrough,
 		EnableCCHSigning:                     settings.EnableCCHSigning,
-		BalanceLowNotifyEnabled:              settings.BalanceLowNotifyEnabled,
-		BalanceLowNotifyThreshold:            settings.BalanceLowNotifyThreshold,
-		AccountQuotaNotifyEmails:             settings.AccountQuotaNotifyEmails,
+		WebSearchEmulationEnabled:            settings.WebSearchEmulationEnabled,
 		PaymentEnabled:                       paymentCfg.Enabled,
 		PaymentMinAmount:                     paymentCfg.MinAmount,
 		PaymentMaxAmount:                     paymentCfg.MaxAmount,
@@ -307,11 +305,6 @@ type UpdateSettingsRequest struct {
 	EnableMetadataPassthrough    *bool `json:"enable_metadata_passthrough"`
 	EnableCCHSigning             *bool `json:"enable_cch_signing"`
 
-	// Balance low notification
-	BalanceLowNotifyEnabled   *bool     `json:"balance_low_notify_enabled"`
-	BalanceLowNotifyThreshold *float64  `json:"balance_low_notify_threshold"`
-	AccountQuotaNotifyEmails  *[]string `json:"account_quota_notify_emails"`
-
 	// Payment configuration (integrated into settings, full replace)
 	PaymentEnabled           *bool    `json:"payment_enabled"`
 	PaymentMinAmount         *float64 `json:"payment_min_amount"`
@@ -889,24 +882,6 @@ func (h *SettingHandler) UpdateSettings(c *gin.Context) {
 			}
 			return previousSettings.EnableCCHSigning
 		}(),
-		BalanceLowNotifyEnabled: func() bool {
-			if req.BalanceLowNotifyEnabled != nil {
-				return *req.BalanceLowNotifyEnabled
-			}
-			return previousSettings.BalanceLowNotifyEnabled
-		}(),
-		BalanceLowNotifyThreshold: func() float64 {
-			if req.BalanceLowNotifyThreshold != nil {
-				return *req.BalanceLowNotifyThreshold
-			}
-			return previousSettings.BalanceLowNotifyThreshold
-		}(),
-		AccountQuotaNotifyEmails: func() []string {
-			if req.AccountQuotaNotifyEmails != nil {
-				return *req.AccountQuotaNotifyEmails
-			}
-			return previousSettings.AccountQuotaNotifyEmails
-		}(),
 	}
 
 	if err := h.settingService.UpdateSettings(c.Request.Context(), settings); err != nil {
@@ -1053,9 +1028,6 @@ func (h *SettingHandler) UpdateSettings(c *gin.Context) {
 		EnableFingerprintUnification:         updatedSettings.EnableFingerprintUnification,
 		EnableMetadataPassthrough:            updatedSettings.EnableMetadataPassthrough,
 		EnableCCHSigning:                     updatedSettings.EnableCCHSigning,
-		BalanceLowNotifyEnabled:              updatedSettings.BalanceLowNotifyEnabled,
-		BalanceLowNotifyThreshold:            updatedSettings.BalanceLowNotifyThreshold,
-		AccountQuotaNotifyEmails:             updatedSettings.AccountQuotaNotifyEmails,
 		PaymentEnabled:                       updatedPaymentCfg.Enabled,
 		PaymentMinAmount:                     updatedPaymentCfg.MinAmount,
 		PaymentMaxAmount:                     updatedPaymentCfg.MaxAmount,
@@ -1876,3 +1848,59 @@ func (h *SettingHandler) UpdateStreamTimeoutSettings(c *gin.Context) {
 		ThresholdWindowMinutes: updatedSettings.ThresholdWindowMinutes,
 	})
 }
+
+// GetWebSearchEmulationConfig 获取 Web Search 模拟配置
+// GET /api/v1/admin/settings/web-search-emulation
+func (h *SettingHandler) GetWebSearchEmulationConfig(c *gin.Context) {
+	cfg, err := h.settingService.GetWebSearchEmulationConfig(c.Request.Context())
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+	response.Success(c, service.SanitizeWebSearchConfig(c.Request.Context(), cfg))
+}
+
+// UpdateWebSearchEmulationConfig 更新 Web Search 模拟配置
+// PUT /api/v1/admin/settings/web-search-emulation
+func (h *SettingHandler) UpdateWebSearchEmulationConfig(c *gin.Context) {
+	var cfg service.WebSearchEmulationConfig
+	if err := c.ShouldBindJSON(&cfg); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	if err := h.settingService.SaveWebSearchEmulationConfig(c.Request.Context(), &cfg); err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	// Re-read (with sanitized api keys) to return current state
+	updated, err := h.settingService.GetWebSearchEmulationConfig(c.Request.Context())
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+	response.Success(c, service.SanitizeWebSearchConfig(c.Request.Context(), updated))
+}
+
+// TestWebSearchEmulation 测试 Web Search 搜索
+// POST /api/v1/admin/settings/web-search-emulation/test
+func (h *SettingHandler) TestWebSearchEmulation(c *gin.Context) {
+	var req struct {
+		Query string `json:"query"`
+	}
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+	if strings.TrimSpace(req.Query) == "" {
+		req.Query = "搜索今年世界大事件"
+	}
+
+	result, err := service.TestWebSearch(c.Request.Context(), req.Query)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+	response.Success(c, result)
+}
diff --git a/backend/internal/pkg/websearch/manager.go b/backend/internal/pkg/websearch/manager.go
index 7db3d9a2..ae0683ad 100644
--- a/backend/internal/pkg/websearch/manager.go
+++ b/backend/internal/pkg/websearch/manager.go
@@ -19,26 +19,18 @@ import (
 	"github.com/redis/go-redis/v9"
 )
 
-// Quota refresh interval constants.
-const (
-	QuotaRefreshDaily   = "daily"
-	QuotaRefreshWeekly  = "weekly"
-	QuotaRefreshMonthly = "monthly"
-)
-
 // ProviderConfig holds the configuration for a single search provider.
 type ProviderConfig struct {
-	Type                 string `json:"type"`                   // ProviderTypeBrave | ProviderTypeTavily
-	APIKey               string `json:"api_key"`                // secret
-	Priority             int    `json:"priority"`               // lower = higher priority
-	QuotaLimit           int64  `json:"quota_limit"`            // 0 = unlimited
-	QuotaRefreshInterval string `json:"quota_refresh_interval"` // QuotaRefreshDaily / Weekly / Monthly
-	ProxyURL             string `json:"-"`                      // resolved proxy URL (not persisted)
-	ProxyID              int64  `json:"-"`                      // resolved proxy ID for unavailability tracking
-	ExpiresAt            *int64 `json:"expires_at,omitempty"`   // optional expiration (unix seconds)
+	Type         string `json:"type"`                    // ProviderTypeBrave | ProviderTypeTavily
+	APIKey       string `json:"api_key"`                 // secret
+	QuotaLimit   int64  `json:"quota_limit"`             // 0 = unlimited
+	SubscribedAt *int64 `json:"subscribed_at,omitempty"` // subscription start (unix seconds); quota resets monthly from this date
+	ProxyURL     string `json:"-"`                       // resolved proxy URL (not persisted)
+	ProxyID      int64  `json:"-"`                       // resolved proxy ID for unavailability tracking
+	ExpiresAt    *int64 `json:"expires_at,omitempty"`    // optional expiration (unix seconds)
 }
 
-// Manager selects providers by priority and tracks quota via Redis.
+// Manager selects providers by quota-weighted load balancing and tracks quota via Redis.
 type Manager struct {
 	configs []ProviderConfig
 	redis   *redis.Client
@@ -58,6 +50,7 @@ const (
 	proxyUnavailableKey = "websearch:proxy_unavailable:%d"
 	proxyUnavailableTTL = 5 * time.Minute
 	quotaTTLBuffer      = 24 * time.Hour
+	defaultQuotaTTL     = 31*24*time.Hour + quotaTTLBuffer // fallback when no subscription date
 	maxCachedClients    = 100
 )
 
@@ -80,14 +73,12 @@ return val
 `)
 
 // NewManager creates a Manager with the given provider configs and Redis client.
+// Provider order is preserved as-is; selectByQuotaWeight handles load balancing.
 func NewManager(configs []ProviderConfig, redisClient *redis.Client) *Manager {
-	sorted := make([]ProviderConfig, len(configs))
-	copy(sorted, configs)
-	sort.Slice(sorted, func(i, j int) bool {
-		return sorted[i].Priority < sorted[j].Priority
-	})
+	copied := make([]ProviderConfig, len(configs))
+	copy(copied, configs)
 	return &Manager{
-		configs:     sorted,
+		configs:     copied,
 		redis:       redisClient,
 		clientCache: make(map[string]*http.Client),
 	}
@@ -162,21 +153,28 @@ type weighted struct {
 // Providers with quota_limit=0 (no limit set) get weight 0 and are placed last.
 // Among providers with quota, higher remaining quota = higher priority.
 func (m *Manager) selectByQuotaWeight(ctx context.Context, candidates []ProviderConfig) []ProviderConfig {
+	items := m.computeWeights(ctx, candidates)
+	withQuota, withoutQuota := partitionByQuota(items)
+	sortByStableRandomWeight(withQuota)
+	return mergeWeightedResults(withQuota, withoutQuota, len(candidates))
+}
+
+func (m *Manager) computeWeights(ctx context.Context, candidates []ProviderConfig) []weighted {
 	items := make([]weighted, 0, len(candidates))
 	for _, cfg := range candidates {
 		w := int64(0)
 		if cfg.QuotaLimit > 0 {
-			used, _ := m.GetUsage(ctx, cfg.Type, cfg.QuotaRefreshInterval)
-			remaining := cfg.QuotaLimit - used
-			if remaining > 0 {
+			used, _ := m.GetUsage(ctx, cfg.Type)
+			if remaining := cfg.QuotaLimit - used; remaining > 0 {
 				w = remaining
 			}
 		}
 		items = append(items, weighted{cfg: cfg, weight: w})
 	}
+	return items
+}
 
-	// Separate providers with quota (weight > 0) from those without (weight == 0)
-	var withQuota, withoutQuota []weighted
+func partitionByQuota(items []weighted) (withQuota, withoutQuota []weighted) {
 	for _, item := range items {
 		if item.weight > 0 {
 			withQuota = append(withQuota, item)
@@ -184,18 +182,26 @@ func (m *Manager) selectByQuotaWeight(ctx context.Context, candidates []Provider
 			withoutQuota = append(withoutQuota, item)
 		}
 	}
+	return
+}
 
-	// Within quota group: weighted random sort (higher remaining = more likely first)
-	if len(withQuota) > 1 {
-		sort.Slice(withQuota, func(i, j int) bool {
-			wi := float64(withQuota[i].weight) * (0.5 + rand.Float64())
-			wj := float64(withQuota[j].weight) * (0.5 + rand.Float64())
-			return wi > wj
-		})
+// sortByStableRandomWeight assigns a fixed random factor to each item before sorting,
+// ensuring deterministic sort behavior (transitivity) within a single call.
+func sortByStableRandomWeight(items []weighted) {
+	if len(items) <= 1 {
+		return
 	}
+	factors := make([]float64, len(items))
+	for i, item := range items {
+		factors[i] = float64(item.weight) * (0.5 + rand.Float64())
+	}
+	sort.Slice(items, func(i, j int) bool {
+		return factors[i] > factors[j]
+	})
+}
 
-	// Build final order: quota providers first, then no-quota providers (original priority order)
-	result := make([]ProviderConfig, 0, len(candidates))
+func mergeWeightedResults(withQuota, withoutQuota []weighted, capacity int) []ProviderConfig {
+	result := make([]ProviderConfig, 0, capacity)
 	for _, item := range withQuota {
 		result = append(result, item.cfg)
 	}
@@ -294,8 +300,8 @@ func (m *Manager) tryReserveQuota(ctx context.Context, cfg ProviderConfig) (bool
 		slog.Warn("websearch: Redis unavailable, quota check skipped", "provider", cfg.Type)
 		return true, false
 	}
-	key := quotaRedisKey(cfg.Type, cfg.QuotaRefreshInterval)
-	ttlSec := int(quotaTTL(cfg.QuotaRefreshInterval).Seconds())
+	key := quotaRedisKey(cfg.Type)
+	ttlSec := int(quotaTTLFromSubscription(cfg.SubscribedAt).Seconds())
 	newVal, err := quotaIncrScript.Run(ctx, m.redis, []string{key}, ttlSec).Int64()
 	if err != nil {
 		slog.Warn("websearch: quota Lua INCR failed, allowing request",
@@ -318,7 +324,7 @@ func (m *Manager) rollbackQuota(ctx context.Context, cfg ProviderConfig) {
 	if cfg.QuotaLimit <= 0 || m.redis == nil {
 		return
 	}
-	key := quotaRedisKey(cfg.Type, cfg.QuotaRefreshInterval)
+	key := quotaRedisKey(cfg.Type)
 	if err := m.redis.Decr(ctx, key).Err(); err != nil {
 		slog.Warn("websearch: quota rollback DECR failed",
 			"provider", cfg.Type, "error", err)
@@ -327,6 +333,25 @@ func (m *Manager) rollbackQuota(ctx context.Context, cfg ProviderConfig) {
 
 // --- Search execution ---
 
+// TestSearch executes a search using the first available provider without reserving quota.
+// Intended for admin test functionality only.
+func (m *Manager) TestSearch(ctx context.Context, req SearchRequest) (*SearchResponse, string, error) {
+	if strings.TrimSpace(req.Query) == "" {
+		return nil, "", fmt.Errorf("websearch: empty search query")
+	}
+	for _, cfg := range m.configs {
+		if !m.isProviderAvailable(cfg) {
+			continue
+		}
+		resp, err := m.executeSearch(ctx, cfg, req)
+		if err != nil {
+			continue
+		}
+		return resp, cfg.Type, nil
+	}
+	return nil, "", fmt.Errorf("websearch: no available provider")
+}
+
 func (m *Manager) executeSearch(ctx context.Context, cfg ProviderConfig, req SearchRequest) (*SearchResponse, error) {
 	proxyURL := cfg.ProxyURL
 	if req.ProxyURL != "" {
@@ -384,11 +409,11 @@ func newHTTPClient(proxyURL string) (*http.Client, error) {
 }
 
 // GetUsage returns the current usage count for the given provider.
-func (m *Manager) GetUsage(ctx context.Context, providerType, refreshInterval string) (int64, error) {
+func (m *Manager) GetUsage(ctx context.Context, providerType string) (int64, error) {
 	if m.redis == nil {
 		return 0, nil
 	}
-	key := quotaRedisKey(providerType, refreshInterval)
+	key := quotaRedisKey(providerType)
 	val, err := m.redis.Get(ctx, key).Int64()
 	if err == redis.Nil {
 		return 0, nil
@@ -400,7 +425,7 @@ func (m *Manager) GetUsage(ctx context.Context, providerType, refreshInterval st
 func (m *Manager) GetAllUsage(ctx context.Context) map[string]int64 {
 	result := make(map[string]int64, len(m.configs))
 	for _, cfg := range m.configs {
-		used, _ := m.GetUsage(ctx, cfg.Type, cfg.QuotaRefreshInterval)
+		used, _ := m.GetUsage(ctx, cfg.Type)
 		result[cfg.Type] = used
 	}
 	return result
@@ -423,30 +448,56 @@ func (m *Manager) buildProvider(cfg ProviderConfig, client *http.Client) Provide
 
 // --- Redis key helpers ---
 
-func quotaRedisKey(providerType, refreshInterval string) string {
-	return quotaKeyPrefix + providerType + ":" + periodKey(refreshInterval)
+func quotaRedisKey(providerType string) string {
+	return quotaKeyPrefix + providerType
 }
 
-func periodKey(refreshInterval string) string {
+// quotaTTLFromSubscription calculates the TTL for the quota counter based on
+// the provider's subscription start date. Quota resets monthly from that date.
+// When the Redis key expires naturally, the next INCR creates a fresh counter (lazy refresh).
+func quotaTTLFromSubscription(subscribedAt *int64) time.Duration {
+	if subscribedAt == nil || *subscribedAt == 0 {
+		return defaultQuotaTTL
+	}
+	next := nextMonthlyReset(time.Unix(*subscribedAt, 0).UTC())
+	ttl := time.Until(next) + quotaTTLBuffer
+	if ttl <= quotaTTLBuffer {
+		// Already past the reset — next cycle
+		ttl = defaultQuotaTTL
+	}
+	return ttl
+}
+
+// nextMonthlyReset returns the next monthly reset time based on the subscription start date.
+// E.g., subscribed on Jan 15 → resets on Feb 15, Mar 15, etc.
+// Handles day-of-month overflow: Jan 31 → Feb 28 (not Mar 3).
+func nextMonthlyReset(subscribedAt time.Time) time.Time {
 	now := time.Now().UTC()
-	switch refreshInterval {
-	case QuotaRefreshDaily:
-		return now.Format("2006-01-02")
-	case QuotaRefreshWeekly:
-		year, week := now.ISOWeek()
-		return fmt.Sprintf("%d-W%02d", year, week)
-	default:
-		return now.Format("2006-01")
+	if subscribedAt.IsZero() {
+		return now.AddDate(0, 1, 0)
 	}
+	months := (now.Year()-subscribedAt.Year())*12 + int(now.Month()-subscribedAt.Month())
+	if months < 0 {
+		months = 0
+	}
+	candidate := addMonthsClamped(subscribedAt, months)
+	if candidate.After(now) {
+		return candidate
+	}
+	return addMonthsClamped(subscribedAt, months+1)
 }
 
-func quotaTTL(refreshInterval string) time.Duration {
-	switch refreshInterval {
-	case QuotaRefreshDaily:
-		return 24*time.Hour + quotaTTLBuffer
-	case QuotaRefreshWeekly:
-		return 7*24*time.Hour + quotaTTLBuffer
-	default:
-		return 31*24*time.Hour + quotaTTLBuffer
+// addMonthsClamped adds N months to a date, clamping the day to the last day of the target month.
+// E.g., Jan 31 + 1 month = Feb 28 (not Mar 3).
+func addMonthsClamped(t time.Time, months int) time.Time {
+	y, m, d := t.Date()
+	targetMonth := time.Month(int(m) + months)
+	targetYear := y + int(targetMonth-1)/12
+	targetMonth = (targetMonth-1)%12 + 1
+	// Last day of the target month
+	lastDay := time.Date(targetYear, targetMonth+1, 0, 0, 0, 0, 0, time.UTC).Day()
+	if d > lastDay {
+		d = lastDay
 	}
+	return time.Date(targetYear, targetMonth, d, 0, 0, 0, 0, time.UTC)
 }
diff --git a/backend/internal/pkg/websearch/manager_test.go b/backend/internal/pkg/websearch/manager_test.go
index d3cd29d6..a4beef68 100644
--- a/backend/internal/pkg/websearch/manager_test.go
+++ b/backend/internal/pkg/websearch/manager_test.go
@@ -12,14 +12,14 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-func TestNewManager_SortsByPriority(t *testing.T) {
+func TestNewManager_PreservesOrder(t *testing.T) {
 	configs := []ProviderConfig{
-		{Type: "brave", APIKey: "k3", Priority: 30},
-		{Type: "tavily", APIKey: "k1", Priority: 10},
+		{Type: "brave", APIKey: "k3"},
+		{Type: "tavily", APIKey: "k1"},
 	}
 	m := NewManager(configs, nil)
-	require.Equal(t, 10, m.configs[0].Priority)
-	require.Equal(t, 30, m.configs[1].Priority)
+	require.Equal(t, "brave", m.configs[0].Type)
+	require.Equal(t, "tavily", m.configs[1].Type)
 }
 
 func TestManager_SearchWithBestProvider_EmptyQuery(t *testing.T) {
@@ -46,8 +46,7 @@ func TestManager_SearchWithBestProvider_SkipExpired(t *testing.T) {
 	require.ErrorContains(t, err, "no available provider")
 }
 
-func TestManager_SearchWithBestProvider_PriorityOrder(t *testing.T) {
-	// Create two mock servers that return different results
+func TestManager_SearchWithBestProvider_UsesFirstAvailable(t *testing.T) {
 	srvBrave := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 		resp := braveResponse{}
 		resp.Web.Results = []braveResult{{URL: "https://brave.com", Title: "Brave", Description: "from brave"}}
@@ -55,17 +54,15 @@ func TestManager_SearchWithBestProvider_PriorityOrder(t *testing.T) {
 	}))
 	defer srvBrave.Close()
 
-	// Override brave endpoint for test
 	origURL := *braveSearchURL
 	u, _ := http.NewRequest("GET", srvBrave.URL, nil)
 	*braveSearchURL = *u.URL
 	defer func() { *braveSearchURL = origURL }()
 
 	m := NewManager([]ProviderConfig{
-		{Type: "brave", APIKey: "k1", Priority: 1},
-		{Type: "tavily", APIKey: "k2", Priority: 2},
+		{Type: "brave", APIKey: "k1"},
+		{Type: "tavily", APIKey: "k2"},
 	}, nil)
-	// Inject the test server's client
 	m.clientCache[srvBrave.URL] = srvBrave.Client()
 	m.clientCache[""] = srvBrave.Client()
 
@@ -77,7 +74,6 @@ func TestManager_SearchWithBestProvider_PriorityOrder(t *testing.T) {
 }
 
 func TestManager_SearchWithBestProvider_NilRedis(t *testing.T) {
-	// With nil Redis, quota check is skipped (always allowed)
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 		resp := braveResponse{}
 		resp.Web.Results = []braveResult{{URL: "https://test.com", Title: "Test", Description: "result"}}
@@ -91,8 +87,8 @@ func TestManager_SearchWithBestProvider_NilRedis(t *testing.T) {
 	defer func() { *braveSearchURL = origURL }()
 
 	m := NewManager([]ProviderConfig{
-		{Type: "brave", APIKey: "k", Priority: 1, QuotaLimit: 100},
-	}, nil) // nil Redis
+		{Type: "brave", APIKey: "k", QuotaLimit: 100},
+	}, nil)
 	m.clientCache[""] = srv.Client()
 
 	resp, _, err := m.SearchWithBestProvider(context.Background(), SearchRequest{Query: "test"})
@@ -102,51 +98,98 @@ func TestManager_SearchWithBestProvider_NilRedis(t *testing.T) {
 
 func TestManager_GetUsage_NilRedis(t *testing.T) {
 	m := NewManager(nil, nil)
-	used, err := m.GetUsage(context.Background(), "brave", "monthly")
+	used, err := m.GetUsage(context.Background(), "brave")
 	require.NoError(t, err)
 	require.Equal(t, int64(0), used)
 }
 
 func TestManager_GetAllUsage_NilRedis(t *testing.T) {
 	m := NewManager([]ProviderConfig{
-		{Type: "brave", QuotaRefreshInterval: "monthly"},
+		{Type: "brave"},
 	}, nil)
 	usage := m.GetAllUsage(context.Background())
 	require.Equal(t, int64(0), usage["brave"])
 }
 
-// --- Key/TTL helpers ---
+// --- Quota TTL from subscription ---
 
-func TestQuotaTTL_Daily(t *testing.T) {
-	require.Equal(t, 24*time.Hour+quotaTTLBuffer, quotaTTL(QuotaRefreshDaily))
+func TestQuotaTTLFromSubscription_NilSubscription(t *testing.T) {
+	ttl := quotaTTLFromSubscription(nil)
+	require.Equal(t, defaultQuotaTTL, ttl)
 }
 
-func TestQuotaTTL_Weekly(t *testing.T) {
-	require.Equal(t, 7*24*time.Hour+quotaTTLBuffer, quotaTTL(QuotaRefreshWeekly))
+func TestQuotaTTLFromSubscription_ZeroSubscription(t *testing.T) {
+	zero := int64(0)
+	ttl := quotaTTLFromSubscription(&zero)
+	require.Equal(t, defaultQuotaTTL, ttl)
 }
 
-func TestQuotaTTL_Monthly(t *testing.T) {
-	require.Equal(t, 31*24*time.Hour+quotaTTLBuffer, quotaTTL(QuotaRefreshMonthly))
+func TestQuotaTTLFromSubscription_ValidSubscription(t *testing.T) {
+	// Subscribed 10 days ago — next reset in ~20 days
+	sub := time.Now().Add(-10 * 24 * time.Hour).Unix()
+	ttl := quotaTTLFromSubscription(&sub)
+	require.Greater(t, ttl, 15*24*time.Hour) // at least 15 days
+	require.Less(t, ttl, 25*24*time.Hour+quotaTTLBuffer)
 }
 
-func TestPeriodKey_Daily(t *testing.T) {
-	key := periodKey(QuotaRefreshDaily)
-	require.Regexp(t, `^\d{4}-\d{2}-\d{2}$`, key)
+func TestNextMonthlyReset_SubscribedRecentPast(t *testing.T) {
+	// Subscribed on the 10th of this month (always valid day)
+	now := time.Now().UTC()
+	sub := time.Date(now.Year(), now.Month(), 10, 0, 0, 0, 0, time.UTC)
+	next := nextMonthlyReset(sub)
+	require.True(t, next.After(now) || next.Equal(now), "next reset should be in the future or now")
+	require.True(t, next.Before(now.AddDate(0, 1, 1)))
 }
 
-func TestPeriodKey_Weekly(t *testing.T) {
-	key := periodKey(QuotaRefreshWeekly)
-	require.Regexp(t, `^\d{4}-W\d{2}$`, key)
+func TestNextMonthlyReset_SubscribedLongAgo(t *testing.T) {
+	// Subscribed 6 months ago on the 1st
+	sub := time.Now().UTC().AddDate(0, -6, 0)
+	sub = time.Date(sub.Year(), sub.Month(), 1, 0, 0, 0, 0, time.UTC)
+	next := nextMonthlyReset(sub)
+	require.True(t, next.After(time.Now().UTC()))
+	// Should be within the next 31 days
+	require.True(t, next.Before(time.Now().UTC().AddDate(0, 1, 1)))
 }
 
-func TestPeriodKey_Monthly(t *testing.T) {
-	key := periodKey(QuotaRefreshMonthly)
-	require.Regexp(t, `^\d{4}-\d{2}$`, key)
+func TestNextMonthlyReset_FutureSubscription(t *testing.T) {
+	sub := time.Now().UTC().AddDate(0, 0, 5)
+	next := nextMonthlyReset(sub)
+	require.True(t, next.After(time.Now().UTC()))
 }
 
+func TestAddMonthsClamped_Jan31ToFeb(t *testing.T) {
+	sub := time.Date(2026, 1, 31, 0, 0, 0, 0, time.UTC)
+	next := addMonthsClamped(sub, 1)
+	require.Equal(t, time.Month(2), next.Month())
+	require.Equal(t, 28, next.Day()) // Feb 28 (2026 is not a leap year)
+}
+
+func TestAddMonthsClamped_Jan31ToFebLeapYear(t *testing.T) {
+	sub := time.Date(2028, 1, 31, 0, 0, 0, 0, time.UTC)
+	next := addMonthsClamped(sub, 1)
+	require.Equal(t, time.Month(2), next.Month())
+	require.Equal(t, 29, next.Day()) // Feb 29 (2028 is a leap year)
+}
+
+func TestAddMonthsClamped_Mar31ToApr(t *testing.T) {
+	sub := time.Date(2026, 3, 31, 0, 0, 0, 0, time.UTC)
+	next := addMonthsClamped(sub, 1)
+	require.Equal(t, time.Month(4), next.Month())
+	require.Equal(t, 30, next.Day()) // Apr has 30 days
+}
+
+func TestAddMonthsClamped_NormalDay(t *testing.T) {
+	sub := time.Date(2026, 1, 15, 0, 0, 0, 0, time.UTC)
+	next := addMonthsClamped(sub, 1)
+	require.Equal(t, time.Month(2), next.Month())
+	require.Equal(t, 15, next.Day()) // no clamping needed
+}
+
+// --- Redis key ---
+
 func TestQuotaRedisKey_Format(t *testing.T) {
-	key := quotaRedisKey("brave", QuotaRefreshDaily)
-	require.Contains(t, key, "websearch:quota:brave:")
+	key := quotaRedisKey("brave")
+	require.Equal(t, "websearch:quota:brave", key)
 }
 
 // --- isProviderAvailable ---
@@ -173,9 +216,7 @@ func TestIsProviderAvailable_Valid(t *testing.T) {
 
 func TestResolveProxyID_AccountProxyOverrides(t *testing.T) {
 	cfg := ProviderConfig{ProxyID: 42}
-	// account proxy present → return 0 (account proxy has no config-level ID)
 	require.Equal(t, int64(0), resolveProxyID(cfg, "http://account-proxy:8080"))
-	// no account proxy → return provider's proxy ID
 	require.Equal(t, int64(42), resolveProxyID(cfg, ""))
 }
 
@@ -186,28 +227,23 @@ func TestIsProxyError_Nil(t *testing.T) {
 }
 
 func TestIsProxyError_ConnectionRefused(t *testing.T) {
-	err := fmt.Errorf("dial tcp: connection refused")
-	require.True(t, isProxyError(err))
+	require.True(t, isProxyError(fmt.Errorf("dial tcp: connection refused")))
 }
 
 func TestIsProxyError_Timeout(t *testing.T) {
-	err := fmt.Errorf("i/o timeout while connecting to proxy")
-	require.True(t, isProxyError(err))
+	require.True(t, isProxyError(fmt.Errorf("i/o timeout while connecting to proxy")))
 }
 
 func TestIsProxyError_SOCKS(t *testing.T) {
-	err := fmt.Errorf("socks connect failed")
-	require.True(t, isProxyError(err))
+	require.True(t, isProxyError(fmt.Errorf("socks connect failed")))
 }
 
 func TestIsProxyError_TLSHandshake(t *testing.T) {
-	err := fmt.Errorf("tls handshake timeout")
-	require.True(t, isProxyError(err))
+	require.True(t, isProxyError(fmt.Errorf("tls handshake timeout")))
 }
 
 func TestIsProxyError_APIError_NotProxy(t *testing.T) {
-	err := fmt.Errorf("API rate limit exceeded")
-	require.False(t, isProxyError(err))
+	require.False(t, isProxyError(fmt.Errorf("API rate limit exceeded")))
 }
 
 // --- isProxyAvailable (nil Redis) ---
@@ -225,14 +261,13 @@ func TestIsProxyAvailable_ZeroID(t *testing.T) {
 // --- selectByQuotaWeight ---
 
 func TestSelectByQuotaWeight_NoQuotaLast(t *testing.T) {
-	m := NewManager(nil, nil) // nil Redis → GetUsage returns 0
+	m := NewManager(nil, nil)
 	candidates := []ProviderConfig{
-		{Type: "brave", APIKey: "k1", QuotaLimit: 0},    // no limit → weight 0
-		{Type: "tavily", APIKey: "k2", QuotaLimit: 100}, // remaining 100
+		{Type: "brave", APIKey: "k1", QuotaLimit: 0},
+		{Type: "tavily", APIKey: "k2", QuotaLimit: 100},
 	}
 	result := m.selectByQuotaWeight(context.Background(), candidates)
 	require.Len(t, result, 2)
-	// tavily (with quota) should come first
 	require.Equal(t, "tavily", result[0].Type)
 	require.Equal(t, "brave", result[1].Type)
 }
@@ -245,7 +280,6 @@ func TestSelectByQuotaWeight_AllNoQuota(t *testing.T) {
 	}
 	result := m.selectByQuotaWeight(context.Background(), candidates)
 	require.Len(t, result, 2)
-	// both have weight 0, original order preserved
 }
 
 func TestSelectByQuotaWeight_Empty(t *testing.T) {
diff --git a/backend/internal/server/http.go b/backend/internal/server/http.go
index a8034e98..ba45c31b 100644
--- a/backend/internal/server/http.go
+++ b/backend/internal/server/http.go
@@ -2,12 +2,14 @@
 package server
 
 import (
+	"context"
 	"log"
 	"net/http"
 	"time"
 
 	"github.com/Wei-Shaw/sub2api/internal/config"
 	"github.com/Wei-Shaw/sub2api/internal/handler"
+	"github.com/Wei-Shaw/sub2api/internal/pkg/websearch"
 	middleware2 "github.com/Wei-Shaw/sub2api/internal/server/middleware"
 	"github.com/Wei-Shaw/sub2api/internal/service"
 
@@ -56,6 +58,34 @@ func ProvideRouter(
 		}
 	}
 
+	// Wire up websearch Manager builder so it initializes on startup and rebuilds on config save.
+	settingService.SetWebSearchManagerBuilder(context.Background(), func(cfg *service.WebSearchEmulationConfig) {
+		if cfg == nil || !cfg.Enabled || len(cfg.Providers) == 0 {
+			service.SetWebSearchManager(nil)
+			return
+		}
+		configs := make([]websearch.ProviderConfig, 0, len(cfg.Providers))
+		for _, p := range cfg.Providers {
+			if p.APIKey == "" {
+				continue
+			}
+			pc := websearch.ProviderConfig{
+				Type:       p.Type,
+				APIKey:     p.APIKey,
+				QuotaLimit: p.QuotaLimit,
+				ExpiresAt:  p.ExpiresAt,
+			}
+			if p.SubscribedAt != nil {
+				pc.SubscribedAt = p.SubscribedAt
+			}
+			if p.ProxyID != nil {
+				pc.ProxyID = *p.ProxyID
+			}
+			configs = append(configs, pc)
+		}
+		service.SetWebSearchManager(websearch.NewManager(configs, redisClient))
+	})
+
 	return SetupRouter(r, handlers, jwtAuth, adminAuth, apiKeyAuth, apiKeyService, subscriptionService, opsService, settingService, cfg, redisClient)
 }
 
diff --git a/backend/internal/server/routes/admin.go b/backend/internal/server/routes/admin.go
index 7c4e6cb7..0a7b7a8b 100644
--- a/backend/internal/server/routes/admin.go
+++ b/backend/internal/server/routes/admin.go
@@ -410,6 +410,7 @@ func registerSettingsRoutes(admin *gin.RouterGroup, h *handler.Handlers) {
 		// Web Search 模拟配置
 		adminSettings.GET("/web-search-emulation", h.Admin.Setting.GetWebSearchEmulationConfig)
 		adminSettings.PUT("/web-search-emulation", h.Admin.Setting.UpdateWebSearchEmulationConfig)
+		adminSettings.POST("/web-search-emulation/test", h.Admin.Setting.TestWebSearchEmulation)
 	}
 }
 
diff --git a/backend/internal/service/websearch_config.go b/backend/internal/service/websearch_config.go
index 15ec1f9d..bdfff3e4 100644
--- a/backend/internal/service/websearch_config.go
+++ b/backend/internal/service/websearch_config.go
@@ -22,15 +22,14 @@ type WebSearchEmulationConfig struct {
 
 // WebSearchProviderConfig describes a single search provider (Brave or Tavily).
 type WebSearchProviderConfig struct {
-	Type                 string `json:"type"`                   // websearch.ProviderTypeBrave | Tavily
-	APIKey               string `json:"api_key,omitempty"`      // secret — omitted in API responses
-	APIKeyConfigured     bool   `json:"api_key_configured"`     // read-only mask
-	Priority             int    `json:"priority"`               // lower = higher priority
-	QuotaLimit           int64  `json:"quota_limit"`            // 0 = unlimited
-	QuotaRefreshInterval string `json:"quota_refresh_interval"` // websearch.QuotaRefresh*
-	QuotaUsed            int64  `json:"quota_used,omitempty"`   // read-only: current period usage
-	ProxyID              *int64 `json:"proxy_id"`               // optional proxy association
-	ExpiresAt            *int64 `json:"expires_at,omitempty"`   // optional expiration timestamp
+	Type             string `json:"type"`                    // websearch.ProviderTypeBrave | Tavily
+	APIKey           string `json:"api_key,omitempty"`       // secret — omitted in API responses
+	APIKeyConfigured bool   `json:"api_key_configured"`      // read-only mask
+	QuotaLimit       int64  `json:"quota_limit"`             // 0 = unlimited
+	SubscribedAt     *int64 `json:"subscribed_at,omitempty"` // subscription start (unix seconds); quota resets monthly
+	QuotaUsed        int64  `json:"quota_used,omitempty"`    // read-only: current usage from Redis
+	ProxyID          *int64 `json:"proxy_id"`                // optional proxy association
+	ExpiresAt        *int64 `json:"expires_at,omitempty"`    // optional expiration timestamp
 }
 
 // --- Validation ---
@@ -42,13 +41,6 @@ var validProviderTypes = map[string]bool{
 	websearch.ProviderTypeTavily: true,
 }
 
-var validQuotaIntervals = map[string]bool{
-	websearch.QuotaRefreshDaily:   true,
-	websearch.QuotaRefreshWeekly:  true,
-	websearch.QuotaRefreshMonthly: true,
-	"":                            true, // defaults to monthly
-}
-
 func validateWebSearchConfig(cfg *WebSearchEmulationConfig) error {
 	if cfg == nil {
 		return nil
@@ -61,9 +53,6 @@ func validateWebSearchConfig(cfg *WebSearchEmulationConfig) error {
 		if !validProviderTypes[p.Type] {
 			return fmt.Errorf("provider[%d]: invalid type %q", i, p.Type)
 		}
-		if !validQuotaIntervals[p.QuotaRefreshInterval] {
-			return fmt.Errorf("provider[%d]: invalid quota_refresh_interval %q", i, p.QuotaRefreshInterval)
-		}
 		if p.QuotaLimit < 0 {
 			return fmt.Errorf("provider[%d]: quota_limit must be >= 0", i)
 		}
@@ -237,17 +226,55 @@ func (s *SettingService) RebuildWebSearchManager(ctx context.Context) {
 	slog.Info("websearch: manager rebuilt", "provider_count", len(providerConfigs))
 }
 
-// SanitizeWebSearchConfig returns a copy with api_key fields masked for API responses.
-func SanitizeWebSearchConfig(cfg *WebSearchEmulationConfig) *WebSearchEmulationConfig {
+// WebSearchTestResult holds the result of a search test.
+type WebSearchTestResult struct {
+	Provider string                   `json:"provider"`
+	Results  []websearch.SearchResult `json:"results"`
+	Query    string                   `json:"query"`
+}
+
+// TestWebSearch executes a test search using the currently configured Manager.
+// Uses Manager.TestSearch which bypasses quota tracking.
+func TestWebSearch(ctx context.Context, query string) (*WebSearchTestResult, error) {
+	mgr := getWebSearchManager()
+	if mgr == nil {
+		return nil, fmt.Errorf("web search: manager not initialized, save config first")
+	}
+	resp, providerName, err := mgr.TestSearch(ctx, websearch.SearchRequest{
+		Query:      query,
+		MaxResults: webSearchDefaultMaxResults,
+	})
+	if err != nil {
+		return nil, err
+	}
+	return &WebSearchTestResult{
+		Provider: providerName,
+		Results:  resp.Results,
+		Query:    resp.Query,
+	}, nil
+}
+
+// SanitizeWebSearchConfig returns a copy with api_key fields masked and quota usage populated.
+func SanitizeWebSearchConfig(ctx context.Context, cfg *WebSearchEmulationConfig) *WebSearchEmulationConfig {
 	if cfg == nil {
 		return nil
 	}
 	out := *cfg
 	out.Providers = make([]WebSearchProviderConfig, len(cfg.Providers))
+
+	// Load usage from the global Manager (reads from Redis)
+	mgr := getWebSearchManager()
+
 	for i, p := range cfg.Providers {
 		out.Providers[i] = p
 		out.Providers[i].APIKeyConfigured = p.APIKey != ""
 		out.Providers[i].APIKey = "" // never return the secret
+
+		// Populate quota usage from Redis
+		if mgr != nil {
+			used, _ := mgr.GetUsage(ctx, p.Type)
+			out.Providers[i].QuotaUsed = used
+		}
 	}
 	return &out
 }
diff --git a/backend/internal/service/websearch_config_test.go b/backend/internal/service/websearch_config_test.go
index 1a19dd9d..4aea98b7 100644
--- a/backend/internal/service/websearch_config_test.go
+++ b/backend/internal/service/websearch_config_test.go
@@ -1,6 +1,7 @@
 package service
 
 import (
+	"context"
 	"testing"
 
 	"github.com/stretchr/testify/require"
@@ -16,8 +17,8 @@ func TestValidateWebSearchConfig_Valid(t *testing.T) {
 	cfg := &WebSearchEmulationConfig{
 		Enabled: true,
 		Providers: []WebSearchProviderConfig{
-			{Type: "brave", Priority: 1, QuotaLimit: 1000, QuotaRefreshInterval: "monthly"},
-			{Type: "tavily", Priority: 2, QuotaLimit: 500, QuotaRefreshInterval: "daily"},
+			{Type: "brave", QuotaLimit: 1000},
+			{Type: "tavily", QuotaLimit: 500},
 		},
 	}
 	require.NoError(t, validateWebSearchConfig(cfg))
@@ -39,13 +40,6 @@ func TestValidateWebSearchConfig_InvalidType(t *testing.T) {
 	require.ErrorContains(t, validateWebSearchConfig(cfg), "invalid type")
 }
 
-func TestValidateWebSearchConfig_InvalidQuotaInterval(t *testing.T) {
-	cfg := &WebSearchEmulationConfig{
-		Providers: []WebSearchProviderConfig{{Type: "brave", QuotaRefreshInterval: "hourly"}},
-	}
-	require.ErrorContains(t, validateWebSearchConfig(cfg), "invalid quota_refresh_interval")
-}
-
 func TestValidateWebSearchConfig_NegativeQuotaLimit(t *testing.T) {
 	cfg := &WebSearchEmulationConfig{
 		Providers: []WebSearchProviderConfig{{Type: "brave", QuotaLimit: -1}},
@@ -56,20 +50,13 @@ func TestValidateWebSearchConfig_NegativeQuotaLimit(t *testing.T) {
 func TestValidateWebSearchConfig_DuplicateType(t *testing.T) {
 	cfg := &WebSearchEmulationConfig{
 		Providers: []WebSearchProviderConfig{
-			{Type: "brave", Priority: 1},
-			{Type: "brave", Priority: 2},
+			{Type: "brave"},
+			{Type: "brave"},
 		},
 	}
 	require.ErrorContains(t, validateWebSearchConfig(cfg), "duplicate type")
 }
 
-func TestValidateWebSearchConfig_EmptyQuotaInterval(t *testing.T) {
-	cfg := &WebSearchEmulationConfig{
-		Providers: []WebSearchProviderConfig{{Type: "brave", QuotaRefreshInterval: ""}},
-	}
-	require.NoError(t, validateWebSearchConfig(cfg))
-}
-
 func TestValidateWebSearchConfig_ZeroQuotaLimit(t *testing.T) {
 	cfg := &WebSearchEmulationConfig{
 		Providers: []WebSearchProviderConfig{{Type: "brave", QuotaLimit: 0}},
@@ -99,6 +86,15 @@ func TestParseWebSearchConfigJSON_InvalidJSON(t *testing.T) {
 	require.Empty(t, cfg.Providers)
 }
 
+func TestParseWebSearchConfigJSON_BackwardCompatibility(t *testing.T) {
+	// Old config with priority and quota_refresh_interval should parse without error
+	raw := `{"enabled":true,"providers":[{"type":"brave","priority":1,"quota_refresh_interval":"monthly","quota_limit":1000}]}`
+	cfg := parseWebSearchConfigJSON(raw)
+	require.True(t, cfg.Enabled)
+	require.Len(t, cfg.Providers, 1)
+	require.Equal(t, int64(1000), cfg.Providers[0].QuotaLimit)
+}
+
 // --- SanitizeWebSearchConfig ---
 
 func TestSanitizeWebSearchConfig_MaskAPIKey(t *testing.T) {
@@ -108,7 +104,7 @@ func TestSanitizeWebSearchConfig_MaskAPIKey(t *testing.T) {
 			{Type: "brave", APIKey: "sk-secret-xxx"},
 		},
 	}
-	out := SanitizeWebSearchConfig(cfg)
+	out := SanitizeWebSearchConfig(context.Background(), cfg)
 	require.Equal(t, "", out.Providers[0].APIKey)
 	require.True(t, out.Providers[0].APIKeyConfigured)
 }
@@ -117,25 +113,24 @@ func TestSanitizeWebSearchConfig_NoAPIKey(t *testing.T) {
 	cfg := &WebSearchEmulationConfig{
 		Providers: []WebSearchProviderConfig{{Type: "brave", APIKey: ""}},
 	}
-	out := SanitizeWebSearchConfig(cfg)
+	out := SanitizeWebSearchConfig(context.Background(), cfg)
 	require.Equal(t, "", out.Providers[0].APIKey)
 	require.False(t, out.Providers[0].APIKeyConfigured)
 }
 
 func TestSanitizeWebSearchConfig_Nil(t *testing.T) {
-	require.Nil(t, SanitizeWebSearchConfig(nil))
+	require.Nil(t, SanitizeWebSearchConfig(context.Background(), nil))
 }
 
 func TestSanitizeWebSearchConfig_PreservesOtherFields(t *testing.T) {
 	cfg := &WebSearchEmulationConfig{
 		Enabled: true,
 		Providers: []WebSearchProviderConfig{
-			{Type: "brave", APIKey: "secret", Priority: 10, QuotaLimit: 1000},
+			{Type: "brave", APIKey: "secret", QuotaLimit: 1000},
 		},
 	}
-	out := SanitizeWebSearchConfig(cfg)
+	out := SanitizeWebSearchConfig(context.Background(), cfg)
 	require.True(t, out.Enabled)
-	require.Equal(t, 10, out.Providers[0].Priority)
 	require.Equal(t, int64(1000), out.Providers[0].QuotaLimit)
 }
 
@@ -143,6 +138,6 @@ func TestSanitizeWebSearchConfig_DoesNotMutateOriginal(t *testing.T) {
 	cfg := &WebSearchEmulationConfig{
 		Providers: []WebSearchProviderConfig{{Type: "brave", APIKey: "secret"}},
 	}
-	_ = SanitizeWebSearchConfig(cfg)
+	_ = SanitizeWebSearchConfig(context.Background(), cfg)
 	require.Equal(t, "secret", cfg.Providers[0].APIKey)
 }
diff --git a/frontend/src/api/admin/settings.ts b/frontend/src/api/admin/settings.ts
index c6323b00..31284289 100644
--- a/frontend/src/api/admin/settings.ts
+++ b/frontend/src/api/admin/settings.ts
@@ -497,9 +497,8 @@ export interface WebSearchProviderConfig {
   type: 'brave' | 'tavily'
   api_key: string
   api_key_configured: boolean
-  priority: number
   quota_limit: number
-  quota_refresh_interval: 'daily' | 'weekly' | 'monthly'
+  subscribed_at: number | null
   quota_used?: number
   proxy_id: number | null
   expires_at: number | null
@@ -510,6 +509,12 @@ export interface WebSearchEmulationConfig {
   providers: WebSearchProviderConfig[]
 }
 
+export interface WebSearchTestResult {
+  provider: string
+  results: { url: string; title: string; snippet: string; page_age?: string }[]
+  query: string
+}
+
 export async function getWebSearchEmulationConfig(): Promise<WebSearchEmulationConfig> {
   const { data } = await apiClient.get<WebSearchEmulationConfig>(
     '/admin/settings/web-search-emulation'
@@ -527,6 +532,16 @@ export async function updateWebSearchEmulationConfig(
   return data
 }
 
+export async function testWebSearchEmulation(
+  query: string
+): Promise<WebSearchTestResult> {
+  const { data } = await apiClient.post<WebSearchTestResult>(
+    '/admin/settings/web-search-emulation/test',
+    { query }
+  )
+  return data
+}
+
 export const settingsAPI = {
   getSettings,
   updateSettings,
@@ -544,7 +559,8 @@ export const settingsAPI = {
   getBetaPolicySettings,
   updateBetaPolicySettings,
   getWebSearchEmulationConfig,
-  updateWebSearchEmulationConfig
+  updateWebSearchEmulationConfig,
+  testWebSearchEmulation
 }
 
 export default settingsAPI
diff --git a/frontend/src/i18n/locales/en.ts b/frontend/src/i18n/locales/en.ts
index 7119fa36..8e10bf2a 100644
--- a/frontend/src/i18n/locales/en.ts
+++ b/frontend/src/i18n/locales/en.ts
@@ -4417,19 +4417,24 @@ export default {
         apiKey: 'API Key',
         apiKeyPlaceholder: 'Enter API Key',
         apiKeyConfigured: 'Configured',
-        priority: 'Priority',
-        priorityHint: 'Lower number = higher priority',
+        showApiKey: 'Show',
+        hideApiKey: 'Hide',
+        copyApiKey: 'Copy',
+        copied: 'Copied',
         quotaLimit: 'Quota Limit',
         quotaLimitHint: '0 = unlimited',
-        quotaRefreshInterval: 'Refresh Interval',
-        quotaUsed: 'Used',
+        subscribedAt: 'Subscribed At',
+        subscribedAtHint: 'Quota resets monthly from this date',
+        quotaUsage: 'Usage',
         proxy: 'Proxy',
-        expiresAt: 'Expires At',
         removeProvider: 'Remove',
-        daily: 'Daily',
-        weekly: 'Weekly',
-        monthly: 'Monthly',
         noProviders: 'No search providers configured',
+        test: 'Test',
+        testDefaultQuery: 'Major world events this year',
+        testing: 'Searching...',
+        testResultTitle: 'Search Results',
+        testResultProvider: 'Provider',
+        testNoResults: 'No results found',
       },
       site: {
         title: 'Site Settings',
diff --git a/frontend/src/i18n/locales/zh.ts b/frontend/src/i18n/locales/zh.ts
index 6efaf657..1b82f419 100644
--- a/frontend/src/i18n/locales/zh.ts
+++ b/frontend/src/i18n/locales/zh.ts
@@ -4579,19 +4579,24 @@ export default {
         apiKey: 'API Key',
         apiKeyPlaceholder: '输入 API Key',
         apiKeyConfigured: '已配置',
-        priority: '优先级',
-        priorityHint: '数值越小优先级越高',
+        showApiKey: '显示',
+        hideApiKey: '隐藏',
+        copyApiKey: '复制',
+        copied: '已复制',
         quotaLimit: '配额上限',
         quotaLimitHint: '0 表示无限制',
-        quotaRefreshInterval: '刷新周期',
-        quotaUsed: '已使用',
+        subscribedAt: '订阅时间',
+        subscribedAtHint: '配额从此日期起每月自动重置',
+        quotaUsage: '用量',
         proxy: '代理',
-        expiresAt: '过期时间',
         removeProvider: '删除',
-        daily: '每日',
-        weekly: '每周',
-        monthly: '每月',
         noProviders: '未配置搜索服务商',
+        test: '测试',
+        testDefaultQuery: '搜索今年世界大事件',
+        testing: '搜索中...',
+        testResultTitle: '搜索结果',
+        testResultProvider: '服务商',
+        testNoResults: '无搜索结果',
       },
       site: {
         title: '站点设置',
diff --git a/frontend/src/views/admin/SettingsView.vue b/frontend/src/views/admin/SettingsView.vue
index f57bfcf3..8ed77203 100644
--- a/frontend/src/views/admin/SettingsView.vue
+++ b/frontend/src/views/admin/SettingsView.vue
@@ -1751,61 +1751,152 @@
               </div>
 
               <div v-for="(provider, pIdx) in webSearchConfig.providers" :key="pIdx"
-                class="rounded-lg border border-gray-200 p-4 space-y-3 dark:border-dark-600">
-                <div class="flex items-center justify-between">
-                  <Select
-                    v-model="provider.type"
-                    :options="[
-                      { value: 'brave', label: 'Brave Search' },
-                      { value: 'tavily', label: 'Tavily' },
-                    ]"
-                    class="w-40"
-                  />
-                  <button type="button" class="text-red-500 hover:text-red-700 text-xs" @click="webSearchConfig.providers.splice(pIdx, 1)">
+                class="rounded-lg border border-gray-200 dark:border-dark-600">
+                <!-- Collapsible header -->
+                <div
+                  class="flex cursor-pointer items-center justify-between px-4 py-3"
+                  @click="toggleProviderExpand(pIdx)"
+                >
+                  <div class="flex items-center gap-3">
+                    <svg
+                      class="h-4 w-4 text-gray-400 transition-transform"
+                      :class="{ 'rotate-90': expandedProviders[pIdx] }"
+                      fill="none" viewBox="0 0 24 24" stroke="currentColor"
+                    >
+                      <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M9 5l7 7-7 7" />
+                    </svg>
+                    <Select
+                      v-model="provider.type"
+                      :options="[
+                        { value: 'brave', label: 'Brave Search' },
+                        { value: 'tavily', label: 'Tavily' },
+                      ]"
+                      class="w-36"
+                      @click.stop
+                    />
+                    <!-- Quota summary in collapsed state -->
+                    <span v-if="!expandedProviders[pIdx] && provider.quota_limit > 0" class="text-xs text-gray-400">
+                      {{ provider.quota_used ?? 0 }} / {{ provider.quota_limit }}
+                    </span>
+                    <span v-if="!expandedProviders[pIdx] && provider.api_key_configured" class="text-xs text-green-500">
+                      {{ t('admin.settings.webSearchEmulation.apiKeyConfigured') }}
+                    </span>
+                  </div>
+                  <button type="button" class="text-red-500 hover:text-red-700 text-xs" @click.stop="removeWebSearchProvider(pIdx)">
                     {{ t('admin.settings.webSearchEmulation.removeProvider') }}
                   </button>
                 </div>
 
-                <div class="grid grid-cols-2 gap-3">
+                <!-- Expanded content -->
+                <div v-if="expandedProviders[pIdx]" class="space-y-3 border-t border-gray-100 px-4 pb-4 pt-3 dark:border-dark-700">
+                  <!-- API Key with show/copy -->
                   <div>
                     <label class="text-xs text-gray-500">{{ t('admin.settings.webSearchEmulation.apiKey') }}</label>
-                    <input
-                      v-model="provider.api_key"
-                      type="password"
-                      class="input text-sm"
-                      :placeholder="provider.api_key_configured ? '••••••••' : t('admin.settings.webSearchEmulation.apiKeyPlaceholder')"
-                    />
+                    <div class="flex items-center gap-1">
+                      <input
+                        v-model="provider.api_key"
+                        :type="apiKeyVisible[pIdx] ? 'text' : 'password'"
+                        class="input flex-1 text-sm"
+                        :placeholder="provider.api_key_configured ? '••••••••' : t('admin.settings.webSearchEmulation.apiKeyPlaceholder')"
+                      />
+                      <button
+                        type="button"
+                        class="btn btn-secondary btn-sm px-2"
+                        :title="apiKeyVisible[pIdx] ? t('admin.settings.webSearchEmulation.hideApiKey') : t('admin.settings.webSearchEmulation.showApiKey')"
+                        @click="apiKeyVisible[pIdx] = !apiKeyVisible[pIdx]"
+                      >
+                        <svg v-if="!apiKeyVisible[pIdx]" class="h-4 w-4" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+                          <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M15 12a3 3 0 11-6 0 3 3 0 016 0z" />
+                          <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M2.458 12C3.732 7.943 7.523 5 12 5c4.478 0 8.268 2.943 9.542 7-1.274 4.057-5.064 7-9.542 7-4.477 0-8.268-2.943-9.542-7z" />
+                        </svg>
+                        <svg v-else class="h-4 w-4" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+                          <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M13.875 18.825A10.05 10.05 0 0112 19c-4.478 0-8.268-2.943-9.543-7a9.97 9.97 0 011.563-3.029m5.858.908a3 3 0 114.243 4.243M9.878 9.878l4.242 4.242M9.878 9.878L3 3m6.878 6.878L21 21" />
+                        </svg>
+                      </button>
+                      <button
+                        type="button"
+                        class="btn btn-secondary btn-sm px-2"
+                        :title="t('admin.settings.webSearchEmulation.copyApiKey')"
+                        @click="copyApiKey(pIdx)"
+                      >
+                        <svg class="h-4 w-4" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+                          <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M8 16H6a2 2 0 01-2-2V6a2 2 0 012-2h8a2 2 0 012 2v2m-6 12h8a2 2 0 002-2v-8a2 2 0 00-2-2h-8a2 2 0 00-2 2v8a2 2 0 002 2z" />
+                        </svg>
+                      </button>
+                    </div>
                   </div>
-                  <div>
-                    <label class="text-xs text-gray-500">{{ t('admin.settings.webSearchEmulation.priority') }}</label>
-                    <input v-model.number="provider.priority" type="number" min="1" class="input text-sm" />
-                    <p class="mt-0.5 text-xs text-gray-400">{{ t('admin.settings.webSearchEmulation.priorityHint') }}</p>
-                  </div>
-                  <div>
-                    <label class="text-xs text-gray-500">{{ t('admin.settings.webSearchEmulation.quotaLimit') }}</label>
-                    <input v-model.number="provider.quota_limit" type="number" min="0" class="input text-sm" />
-                    <p class="mt-0.5 text-xs text-gray-400">{{ t('admin.settings.webSearchEmulation.quotaLimitHint') }}</p>
-                    <p v-if="provider.quota_used != null" class="mt-0.5 text-xs text-gray-400">
-                      {{ t('admin.settings.webSearchEmulation.quotaUsed') }}: {{ provider.quota_used }} / {{ provider.quota_limit || '∞' }}
-                    </p>
-                  </div>
-                  <div>
-                    <label class="text-xs text-gray-500">{{ t('admin.settings.webSearchEmulation.quotaRefreshInterval') }}</label>
-                    <Select
-                      v-model="provider.quota_refresh_interval"
-                      :options="[
-                        { value: 'daily', label: t('admin.settings.webSearchEmulation.daily') },
-                        { value: 'weekly', label: t('admin.settings.webSearchEmulation.weekly') },
-                        { value: 'monthly', label: t('admin.settings.webSearchEmulation.monthly') },
-                      ]"
-                      class="w-full"
-                    />
-                  </div>
-                </div>
 
-                <div>
-                  <label class="text-xs text-gray-500">{{ t('admin.settings.webSearchEmulation.proxy') }}</label>
-                  <ProxySelector v-model="provider.proxy_id" />
+                  <!-- Quota + Subscription in compact row -->
+                  <div class="grid grid-cols-2 gap-3">
+                    <div>
+                      <label class="text-xs text-gray-500">{{ t('admin.settings.webSearchEmulation.quotaLimit') }}</label>
+                      <input v-model.number="provider.quota_limit" type="number" min="0" class="input text-sm" />
+                      <p class="mt-0.5 text-xs text-gray-400">{{ t('admin.settings.webSearchEmulation.quotaLimitHint') }}</p>
+                    </div>
+                    <div>
+                      <label class="text-xs text-gray-500">{{ t('admin.settings.webSearchEmulation.subscribedAt') }}</label>
+                      <input
+                        :value="formatSubscribedAt(provider.subscribed_at)"
+                        type="date"
+                        class="input text-sm"
+                        @input="provider.subscribed_at = parseSubscribedAt(($event.target as HTMLInputElement).value)"
+                      />
+                      <p class="mt-0.5 text-xs text-gray-400">{{ t('admin.settings.webSearchEmulation.subscribedAtHint') }}</p>
+                    </div>
+                  </div>
+
+                  <!-- Usage display -->
+                  <div v-if="provider.quota_limit > 0" class="flex items-center gap-2">
+                    <span class="text-xs text-gray-500">{{ t('admin.settings.webSearchEmulation.quotaUsage') }}:</span>
+                    <div class="flex-1 rounded-full bg-gray-200 dark:bg-dark-600" style="height: 6px">
+                      <div
+                        class="h-full rounded-full transition-all"
+                        :class="quotaPercentage(provider) > 90 ? 'bg-red-500' : quotaPercentage(provider) > 70 ? 'bg-yellow-500' : 'bg-green-500'"
+                        :style="{ width: Math.min(quotaPercentage(provider), 100) + '%' }"
+                      />
+                    </div>
+                    <span class="text-xs text-gray-500">{{ provider.quota_used ?? 0 }} / {{ provider.quota_limit }}</span>
+                  </div>
+
+                  <!-- Proxy -->
+                  <div>
+                    <label class="text-xs text-gray-500">{{ t('admin.settings.webSearchEmulation.proxy') }}</label>
+                    <ProxySelector v-model="provider.proxy_id" :proxies="webSearchProxies" />
+                  </div>
+
+                  <!-- Test button -->
+                  <div class="border-t border-gray-100 pt-3 dark:border-dark-700">
+                    <div class="flex items-center gap-2">
+                      <input
+                        v-model="wsTestQuery"
+                        type="text"
+                        class="input flex-1 text-sm"
+                        :placeholder="t('admin.settings.webSearchEmulation.testDefaultQuery')"
+                        @keyup.enter="testWebSearchProvider()"
+                      />
+                      <button
+                        type="button"
+                        class="btn btn-secondary btn-sm"
+                        :disabled="wsTestLoading"
+                        @click="testWebSearchProvider()"
+                      >
+                        {{ wsTestLoading ? t('admin.settings.webSearchEmulation.testing') : t('admin.settings.webSearchEmulation.test') }}
+                      </button>
+                    </div>
+                    <!-- Test results -->
+                    <div v-if="wsTestResult" class="mt-2 rounded-lg bg-gray-50 p-3 text-xs dark:bg-dark-700">
+                      <p class="mb-1 font-medium text-gray-700 dark:text-gray-300">
+                        {{ t('admin.settings.webSearchEmulation.testResultProvider') }}: {{ wsTestResult.provider }}
+                      </p>
+                      <div v-if="wsTestResult.results.length === 0" class="text-gray-400">
+                        {{ t('admin.settings.webSearchEmulation.testNoResults') }}
+                      </div>
+                      <div v-for="(r, rIdx) in wsTestResult.results.slice(0, 3)" :key="rIdx" class="mt-1">
+                        <a :href="r.url" target="_blank" class="font-medium text-blue-600 hover:underline dark:text-blue-400">{{ r.title }}</a>
+                        <p class="text-gray-500 dark:text-gray-400">{{ r.snippet && r.snippet.length > 120 ? r.snippet.slice(0, 120) + '...' : r.snippet }}</p>
+                      </div>
+                    </div>
+                  </div>
                 </div>
               </div>
             </div>
@@ -2303,6 +2394,13 @@
                     ]"
                   >{{ pt.label }}</button>
                 </div>
+                <p class="mt-2 text-xs text-gray-400 dark:text-gray-500">
+                  {{ t('admin.settings.payment.enabledPaymentTypesHint') }}
+                  <a :href="locale === 'zh' ? 'https://github.com/Wei-Shaw/sub2api/blob/main/docs/PAYMENT_CN.md#%E6%94%AF%E6%8C%81%E7%9A%84%E6%94%AF%E4%BB%98%E6%96%B9%E5%BC%8F' : 'https://github.com/Wei-Shaw/sub2api/blob/main/docs/PAYMENT.md#supported-payment-methods'" target="_blank" rel="noopener noreferrer" class="ml-1 text-primary-500 hover:text-primary-600 dark:text-primary-400 dark:hover:text-primary-300">
+                    {{ t('admin.settings.payment.findProvider') }}
+                    <svg class="mb-0.5 ml-0.5 inline h-3 w-3" fill="none" stroke="currentColor" viewBox="0 0 24 24"><path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M10 6H6a2 2 0 00-2 2v10a2 2 0 002 2h10a2 2 0 002-2v-4M14 4h6m0 0v6m0-6L10 14" /></svg>
+                  </a>
+                </p>
               </div>
               <!-- Row 5: Help image + text -->
               <div class="grid grid-cols-2 gap-3">
@@ -2562,60 +2660,6 @@
             </div>
           </div>
         </div>
-        <!-- Balance Low Notification -->
-        <div class="card">
-          <div class="border-b border-gray-100 px-6 py-4 dark:border-dark-700">
-            <h3 class="text-base font-medium text-gray-900 dark:text-white">
-              {{ t('admin.settings.balanceNotify.title') }}
-            </h3>
-            <p class="mt-1 text-sm text-gray-500 dark:text-gray-400">
-              {{ t('admin.settings.balanceNotify.description') }}
-            </p>
-          </div>
-          <div class="px-6 py-6 space-y-4">
-            <div class="flex items-center justify-between">
-              <label class="mb-0 block text-sm font-medium text-gray-700 dark:text-gray-300">{{ t('admin.settings.balanceNotify.enabled') }}</label>
-              <Toggle v-model="form.balance_low_notify_enabled" />
-            </div>
-            <div v-if="form.balance_low_notify_enabled">
-              <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">{{ t('admin.settings.balanceNotify.threshold') }}</label>
-              <div class="relative">
-                <span class="absolute left-3 top-1/2 -translate-y-1/2 text-gray-400">$</span>
-                <input v-model.number="form.balance_low_notify_threshold" type="number" min="0" step="0.01" class="input pl-7" />
-              </div>
-              <p class="mt-1 text-xs text-gray-500 dark:text-gray-400">{{ t('admin.settings.balanceNotify.thresholdHint') }}</p>
-            </div>
-          </div>
-        </div>
-
-        <!-- Account Quota Notification -->
-        <div class="card">
-          <div class="border-b border-gray-100 px-6 py-4 dark:border-dark-700">
-            <h3 class="text-base font-medium text-gray-900 dark:text-white">
-              {{ t('admin.settings.quotaNotify.title') }}
-            </h3>
-            <p class="mt-1 text-sm text-gray-500 dark:text-gray-400">
-              {{ t('admin.settings.quotaNotify.description') }}
-            </p>
-          </div>
-          <div class="px-6 py-6 space-y-4">
-            <div>
-              <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">{{ t('admin.settings.quotaNotify.emails') }}</label>
-              <div class="space-y-2">
-                <div v-for="(_, index) in (form.account_quota_notify_emails || [])" :key="index" class="flex items-center gap-2">
-                  <input v-model="form.account_quota_notify_emails[index]" type="email" class="input flex-1" />
-                  <button @click="form.account_quota_notify_emails.splice(index, 1)" class="btn btn-secondary px-2" type="button">
-                    <Icon name="x" size="xs" class="h-4 w-4" />
-                  </button>
-                </div>
-                <button @click="addQuotaNotifyEmail" class="btn btn-secondary btn-sm" type="button">
-                  + {{ t('admin.settings.quotaNotify.addEmail') }}
-                </button>
-              </div>
-              <p class="mt-1 text-xs text-gray-500 dark:text-gray-400">{{ t('admin.settings.quotaNotify.emailsHint') }}</p>
-            </div>
-          </div>
-        </div>
         </div><!-- /Tab: Email -->
 
         <!-- Tab: Backup -->
@@ -2674,8 +2718,9 @@ import type {
   DefaultSubscriptionSetting,
   WebSearchEmulationConfig,
   WebSearchProviderConfig,
+  WebSearchTestResult,
 } from '@/api/admin/settings'
-import type { AdminGroup } from '@/types'
+import type { AdminGroup, Proxy } from '@/types'
 import type { ProviderInstance } from '@/types/payment'
 import AppLayout from '@/components/layout/AppLayout.vue'
 import Icon from '@/components/icons/Icon.vue'
@@ -2894,13 +2939,12 @@ const form = reactive<SettingsForm>({
   // Gateway forwarding behavior
   enable_fingerprint_unification: true,
   enable_metadata_passthrough: false,
-  enable_cch_signing: false,
-  // Balance & quota notification
-  balance_low_notify_enabled: false,
-  balance_low_notify_threshold: 0,
-  account_quota_notify_emails: [] as string[]
+  enable_cch_signing: false
 })
 
+// Proxies for web search emulation ProxySelector
+const webSearchProxies = ref<Proxy[]>([])
+
 // Web Search Emulation config (loaded/saved separately)
 const DEFAULT_WEB_SEARCH_QUOTA_LIMIT = 1000
 
@@ -2909,26 +2953,101 @@ const webSearchConfig = reactive<WebSearchEmulationConfig>({
   providers: [],
 })
 
+const expandedProviders = reactive<Record<number, boolean>>({})
+const apiKeyVisible = reactive<Record<number, boolean>>({})
+const wsTestQuery = ref('')
+const wsTestLoading = ref(false)
+const wsTestResult = ref<WebSearchTestResult | null>(null)
+
+function toggleProviderExpand(idx: number) {
+  expandedProviders[idx] = !expandedProviders[idx]
+}
+
+function removeWebSearchProvider(idx: number) {
+  webSearchConfig.providers.splice(idx, 1)
+  // Re-index expandedProviders and apiKeyVisible after removal
+  const newExpanded: Record<number, boolean> = {}
+  const newVisible: Record<number, boolean> = {}
+  for (let i = 0; i < webSearchConfig.providers.length; i++) {
+    const oldIdx = i >= idx ? i + 1 : i
+    newExpanded[i] = expandedProviders[oldIdx] ?? false
+    newVisible[i] = apiKeyVisible[oldIdx] ?? false
+  }
+  Object.keys(expandedProviders).forEach((k) => delete expandedProviders[Number(k)])
+  Object.keys(apiKeyVisible).forEach((k) => delete apiKeyVisible[Number(k)])
+  Object.assign(expandedProviders, newExpanded)
+  Object.assign(apiKeyVisible, newVisible)
+}
+
 function addWebSearchProvider() {
+  const idx = webSearchConfig.providers.length
   webSearchConfig.providers.push({
     type: 'brave',
     api_key: '',
     api_key_configured: false,
-    priority: webSearchConfig.providers.length + 1,
     quota_limit: DEFAULT_WEB_SEARCH_QUOTA_LIMIT,
-    quota_refresh_interval: 'monthly',
+    subscribed_at: null,
     proxy_id: null,
     expires_at: null,
   } as WebSearchProviderConfig)
+  expandedProviders[idx] = true
+}
+
+function formatSubscribedAt(ts: number | null): string {
+  if (!ts) return ''
+  // Use UTC to avoid timezone drift on repeated edits
+  const d = new Date(ts * 1000)
+  const y = d.getUTCFullYear()
+  const m = String(d.getUTCMonth() + 1).padStart(2, '0')
+  const day = String(d.getUTCDate()).padStart(2, '0')
+  return `${y}-${m}-${day}`
+}
+
+function parseSubscribedAt(dateStr: string): number | null {
+  if (!dateStr) return null
+  // Parse as UTC to match formatSubscribedAt
+  return Math.floor(new Date(dateStr + 'T00:00:00Z').getTime() / 1000)
+}
+
+function quotaPercentage(provider: WebSearchProviderConfig): number {
+  if (!provider.quota_limit || provider.quota_limit <= 0) return 0
+  return ((provider.quota_used ?? 0) / provider.quota_limit) * 100
+}
+
+async function copyApiKey(idx: number) {
+  const key = webSearchConfig.providers[idx]?.api_key
+  if (!key) {
+    appStore.showError(t('admin.settings.webSearchEmulation.apiKeyPlaceholder'))
+    return
+  }
+  await navigator.clipboard.writeText(key)
+  appStore.showSuccess(t('admin.settings.webSearchEmulation.copied'))
+}
+
+async function testWebSearchProvider() {
+  wsTestLoading.value = true
+  wsTestResult.value = null
+  try {
+    const query = wsTestQuery.value.trim() || t('admin.settings.webSearchEmulation.testDefaultQuery')
+    wsTestResult.value = await adminAPI.settings.testWebSearchEmulation(query)
+  } catch (err: unknown) {
+    appStore.showError(extractApiErrorMessage(err, t('common.error')))
+  } finally {
+    wsTestLoading.value = false
+  }
 }
 
 async function loadWebSearchConfig() {
   try {
-    const resp = await adminAPI.settings.getWebSearchEmulationConfig()
+    const [resp, proxiesResp] = await Promise.all([
+      adminAPI.settings.getWebSearchEmulationConfig(),
+      adminAPI.proxies.list().catch(() => ({ items: [] as Proxy[] })),
+    ])
     if (resp) {
       webSearchConfig.enabled = resp.enabled || false
       webSearchConfig.providers = resp.providers || []
     }
+    webSearchProxies.value = proxiesResp.items || []
   } catch (err: unknown) {
     // 404 is expected when config hasn't been created yet; show error for other failures
     const status = (err as { status?: number })?.status
@@ -3030,14 +3149,6 @@ function handleRegistrationEmailSuffixWhitelistPaste(event: ClipboardEvent) {
   }
 }
 
-// Quota notify email helpers
-const addQuotaNotifyEmail = () => {
-  if (!form.account_quota_notify_emails) {
-    form.account_quota_notify_emails = []
-  }
-  form.account_quota_notify_emails.push('')
-}
-
 // LinuxDo OAuth redirect URL suggestion
 const linuxdoRedirectUrlSuggestion = computed(() => {
   if (typeof window === 'undefined') return ''
@@ -3377,10 +3488,6 @@ async function saveSettings() {
       payment_cancel_rate_limit_window: Number(form.payment_cancel_rate_limit_window) || 1,
       payment_cancel_rate_limit_unit: form.payment_cancel_rate_limit_unit,
       payment_cancel_rate_limit_window_mode: form.payment_cancel_rate_limit_window_mode,
-      // Balance & quota notification
-      balance_low_notify_enabled: form.balance_low_notify_enabled,
-      balance_low_notify_threshold: Number(form.balance_low_notify_threshold) || 0,
-      account_quota_notify_emails: (form.account_quota_notify_emails || []).filter((e: string) => e.trim() !== ''),
     }
 
     const updated = await adminAPI.settings.updateSettings(payload)

From f694afbbf431122407fe7f4bfb3d7f4ee0e5654f Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Sun, 12 Apr 2026 13:53:02 +0800
Subject: [PATCH 035/122] feat(notify): add percentage threshold type for
 balance low notification
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Add threshold_type field (fixed/percentage) to system and user settings
- Add total_recharged field to users table, auto-incremented on balance credit
- Percentage mode: effective threshold = total_recharged × percentage / 100
- User-level threshold_type inherits from system default when not set
- Update admin settings UI with radio selector (fixed amount / percentage)
- Migration: 102_add_balance_notify_threshold_type.sql
---
 backend/ent/migrate/schema.go                 |   2 +
 backend/ent/mutation.go                       | 143 ++++++++++++++++-
 backend/ent/runtime/runtime.go                |  10 +-
 backend/ent/schema/user.go                    |   5 +
 backend/ent/user.go                           |  26 ++-
 backend/ent/user/user.go                      |  20 +++
 backend/ent/user/where.go                     | 115 ++++++++++++++
 backend/ent/user_create.go                    | 150 ++++++++++++++++++
 backend/ent/user_update.go                    |  88 ++++++++++
 .../internal/handler/admin/setting_handler.go |  38 +++++
 backend/internal/handler/dto/mappers.go       |  28 ++--
 backend/internal/handler/dto/settings.go      |   7 +-
 backend/internal/handler/dto/types.go         |   8 +-
 backend/internal/handler/user_handler.go      |  14 +-
 backend/internal/repository/api_key_repo.go   |  34 ++--
 backend/internal/repository/user_repo.go      |   8 +-
 .../service/balance_notify_service.go         |  51 ++++--
 backend/internal/service/domain_constants.go  |   9 +-
 backend/internal/service/setting_service.go   |   9 ++
 backend/internal/service/settings_view.go     |   5 +-
 backend/internal/service/user.go              |   8 +-
 backend/internal/service/user_service.go      |  14 +-
 .../102_add_balance_notify_threshold_type.sql |   4 +
 frontend/src/api/admin/settings.ts            |   2 +
 frontend/src/i18n/locales/en.ts               |   4 +
 frontend/src/i18n/locales/zh.ts               |   6 +-
 frontend/src/views/admin/SettingsView.vue     | 104 +++++++++++-
 27 files changed, 838 insertions(+), 74 deletions(-)
 create mode 100644 backend/migrations/102_add_balance_notify_threshold_type.sql

diff --git a/backend/ent/migrate/schema.go b/backend/ent/migrate/schema.go
index 4f31883b..1fff61ba 100644
--- a/backend/ent/migrate/schema.go
+++ b/backend/ent/migrate/schema.go
@@ -1079,8 +1079,10 @@ var (
 		{Name: "totp_enabled", Type: field.TypeBool, Default: false},
 		{Name: "totp_enabled_at", Type: field.TypeTime, Nullable: true},
 		{Name: "balance_notify_enabled", Type: field.TypeBool, Default: true},
+		{Name: "balance_notify_threshold_type", Type: field.TypeString, Default: "fixed"},
 		{Name: "balance_notify_threshold", Type: field.TypeFloat64, Nullable: true, SchemaType: map[string]string{"postgres": "decimal(20,8)"}},
 		{Name: "balance_notify_extra_emails", Type: field.TypeString, Default: "[]", SchemaType: map[string]string{"postgres": "text"}},
+		{Name: "total_recharged", Type: field.TypeFloat64, Default: 0, SchemaType: map[string]string{"postgres": "decimal(20,8)"}},
 	}
 	// UsersTable holds the schema information for the "users" table.
 	UsersTable = &schema.Table{
diff --git a/backend/ent/mutation.go b/backend/ent/mutation.go
index cdaf363a..3bca248d 100644
--- a/backend/ent/mutation.go
+++ b/backend/ent/mutation.go
@@ -28211,9 +28211,12 @@ type UserMutation struct {
 	totp_enabled                  *bool
 	totp_enabled_at               *time.Time
 	balance_notify_enabled        *bool
+	balance_notify_threshold_type *string
 	balance_notify_threshold      *float64
 	addbalance_notify_threshold   *float64
 	balance_notify_extra_emails   *string
+	total_recharged               *float64
+	addtotal_recharged            *float64
 	clearedFields                 map[string]struct{}
 	api_keys                      map[int64]struct{}
 	removedapi_keys               map[int64]struct{}
@@ -28967,6 +28970,42 @@ func (m *UserMutation) ResetBalanceNotifyEnabled() {
 	m.balance_notify_enabled = nil
 }
 
+// SetBalanceNotifyThresholdType sets the "balance_notify_threshold_type" field.
+func (m *UserMutation) SetBalanceNotifyThresholdType(s string) {
+	m.balance_notify_threshold_type = &s
+}
+
+// BalanceNotifyThresholdType returns the value of the "balance_notify_threshold_type" field in the mutation.
+func (m *UserMutation) BalanceNotifyThresholdType() (r string, exists bool) {
+	v := m.balance_notify_threshold_type
+	if v == nil {
+		return
+	}
+	return *v, true
+}
+
+// OldBalanceNotifyThresholdType returns the old "balance_notify_threshold_type" field's value of the User entity.
+// If the User object wasn't provided to the builder, the object is fetched from the database.
+// An error is returned if the mutation operation is not UpdateOne, or the database query fails.
+func (m *UserMutation) OldBalanceNotifyThresholdType(ctx context.Context) (v string, err error) {
+	if !m.op.Is(OpUpdateOne) {
+		return v, errors.New("OldBalanceNotifyThresholdType is only allowed on UpdateOne operations")
+	}
+	if m.id == nil || m.oldValue == nil {
+		return v, errors.New("OldBalanceNotifyThresholdType requires an ID field in the mutation")
+	}
+	oldValue, err := m.oldValue(ctx)
+	if err != nil {
+		return v, fmt.Errorf("querying old value for OldBalanceNotifyThresholdType: %w", err)
+	}
+	return oldValue.BalanceNotifyThresholdType, nil
+}
+
+// ResetBalanceNotifyThresholdType resets all changes to the "balance_notify_threshold_type" field.
+func (m *UserMutation) ResetBalanceNotifyThresholdType() {
+	m.balance_notify_threshold_type = nil
+}
+
 // SetBalanceNotifyThreshold sets the "balance_notify_threshold" field.
 func (m *UserMutation) SetBalanceNotifyThreshold(f float64) {
 	m.balance_notify_threshold = &f
@@ -29073,6 +29112,62 @@ func (m *UserMutation) ResetBalanceNotifyExtraEmails() {
 	m.balance_notify_extra_emails = nil
 }
 
+// SetTotalRecharged sets the "total_recharged" field.
+func (m *UserMutation) SetTotalRecharged(f float64) {
+	m.total_recharged = &f
+	m.addtotal_recharged = nil
+}
+
+// TotalRecharged returns the value of the "total_recharged" field in the mutation.
+func (m *UserMutation) TotalRecharged() (r float64, exists bool) {
+	v := m.total_recharged
+	if v == nil {
+		return
+	}
+	return *v, true
+}
+
+// OldTotalRecharged returns the old "total_recharged" field's value of the User entity.
+// If the User object wasn't provided to the builder, the object is fetched from the database.
+// An error is returned if the mutation operation is not UpdateOne, or the database query fails.
+func (m *UserMutation) OldTotalRecharged(ctx context.Context) (v float64, err error) {
+	if !m.op.Is(OpUpdateOne) {
+		return v, errors.New("OldTotalRecharged is only allowed on UpdateOne operations")
+	}
+	if m.id == nil || m.oldValue == nil {
+		return v, errors.New("OldTotalRecharged requires an ID field in the mutation")
+	}
+	oldValue, err := m.oldValue(ctx)
+	if err != nil {
+		return v, fmt.Errorf("querying old value for OldTotalRecharged: %w", err)
+	}
+	return oldValue.TotalRecharged, nil
+}
+
+// AddTotalRecharged adds f to the "total_recharged" field.
+func (m *UserMutation) AddTotalRecharged(f float64) {
+	if m.addtotal_recharged != nil {
+		*m.addtotal_recharged += f
+	} else {
+		m.addtotal_recharged = &f
+	}
+}
+
+// AddedTotalRecharged returns the value that was added to the "total_recharged" field in this mutation.
+func (m *UserMutation) AddedTotalRecharged() (r float64, exists bool) {
+	v := m.addtotal_recharged
+	if v == nil {
+		return
+	}
+	return *v, true
+}
+
+// ResetTotalRecharged resets all changes to the "total_recharged" field.
+func (m *UserMutation) ResetTotalRecharged() {
+	m.total_recharged = nil
+	m.addtotal_recharged = nil
+}
+
 // AddAPIKeyIDs adds the "api_keys" edge to the APIKey entity by ids.
 func (m *UserMutation) AddAPIKeyIDs(ids ...int64) {
 	if m.api_keys == nil {
@@ -29647,7 +29742,7 @@ func (m *UserMutation) Type() string {
 // order to get all numeric fields that were incremented/decremented, call
 // AddedFields().
 func (m *UserMutation) Fields() []string {
-	fields := make([]string, 0, 17)
+	fields := make([]string, 0, 19)
 	if m.created_at != nil {
 		fields = append(fields, user.FieldCreatedAt)
 	}
@@ -29693,12 +29788,18 @@ func (m *UserMutation) Fields() []string {
 	if m.balance_notify_enabled != nil {
 		fields = append(fields, user.FieldBalanceNotifyEnabled)
 	}
+	if m.balance_notify_threshold_type != nil {
+		fields = append(fields, user.FieldBalanceNotifyThresholdType)
+	}
 	if m.balance_notify_threshold != nil {
 		fields = append(fields, user.FieldBalanceNotifyThreshold)
 	}
 	if m.balance_notify_extra_emails != nil {
 		fields = append(fields, user.FieldBalanceNotifyExtraEmails)
 	}
+	if m.total_recharged != nil {
+		fields = append(fields, user.FieldTotalRecharged)
+	}
 	return fields
 }
 
@@ -29737,10 +29838,14 @@ func (m *UserMutation) Field(name string) (ent.Value, bool) {
 		return m.TotpEnabledAt()
 	case user.FieldBalanceNotifyEnabled:
 		return m.BalanceNotifyEnabled()
+	case user.FieldBalanceNotifyThresholdType:
+		return m.BalanceNotifyThresholdType()
 	case user.FieldBalanceNotifyThreshold:
 		return m.BalanceNotifyThreshold()
 	case user.FieldBalanceNotifyExtraEmails:
 		return m.BalanceNotifyExtraEmails()
+	case user.FieldTotalRecharged:
+		return m.TotalRecharged()
 	}
 	return nil, false
 }
@@ -29780,10 +29885,14 @@ func (m *UserMutation) OldField(ctx context.Context, name string) (ent.Value, er
 		return m.OldTotpEnabledAt(ctx)
 	case user.FieldBalanceNotifyEnabled:
 		return m.OldBalanceNotifyEnabled(ctx)
+	case user.FieldBalanceNotifyThresholdType:
+		return m.OldBalanceNotifyThresholdType(ctx)
 	case user.FieldBalanceNotifyThreshold:
 		return m.OldBalanceNotifyThreshold(ctx)
 	case user.FieldBalanceNotifyExtraEmails:
 		return m.OldBalanceNotifyExtraEmails(ctx)
+	case user.FieldTotalRecharged:
+		return m.OldTotalRecharged(ctx)
 	}
 	return nil, fmt.Errorf("unknown User field %s", name)
 }
@@ -29898,6 +30007,13 @@ func (m *UserMutation) SetField(name string, value ent.Value) error {
 		}
 		m.SetBalanceNotifyEnabled(v)
 		return nil
+	case user.FieldBalanceNotifyThresholdType:
+		v, ok := value.(string)
+		if !ok {
+			return fmt.Errorf("unexpected type %T for field %s", value, name)
+		}
+		m.SetBalanceNotifyThresholdType(v)
+		return nil
 	case user.FieldBalanceNotifyThreshold:
 		v, ok := value.(float64)
 		if !ok {
@@ -29912,6 +30028,13 @@ func (m *UserMutation) SetField(name string, value ent.Value) error {
 		}
 		m.SetBalanceNotifyExtraEmails(v)
 		return nil
+	case user.FieldTotalRecharged:
+		v, ok := value.(float64)
+		if !ok {
+			return fmt.Errorf("unexpected type %T for field %s", value, name)
+		}
+		m.SetTotalRecharged(v)
+		return nil
 	}
 	return fmt.Errorf("unknown User field %s", name)
 }
@@ -29929,6 +30052,9 @@ func (m *UserMutation) AddedFields() []string {
 	if m.addbalance_notify_threshold != nil {
 		fields = append(fields, user.FieldBalanceNotifyThreshold)
 	}
+	if m.addtotal_recharged != nil {
+		fields = append(fields, user.FieldTotalRecharged)
+	}
 	return fields
 }
 
@@ -29943,6 +30069,8 @@ func (m *UserMutation) AddedField(name string) (ent.Value, bool) {
 		return m.AddedConcurrency()
 	case user.FieldBalanceNotifyThreshold:
 		return m.AddedBalanceNotifyThreshold()
+	case user.FieldTotalRecharged:
+		return m.AddedTotalRecharged()
 	}
 	return nil, false
 }
@@ -29973,6 +30101,13 @@ func (m *UserMutation) AddField(name string, value ent.Value) error {
 		}
 		m.AddBalanceNotifyThreshold(v)
 		return nil
+	case user.FieldTotalRecharged:
+		v, ok := value.(float64)
+		if !ok {
+			return fmt.Errorf("unexpected type %T for field %s", value, name)
+		}
+		m.AddTotalRecharged(v)
+		return nil
 	}
 	return fmt.Errorf("unknown User numeric field %s", name)
 }
@@ -30072,12 +30207,18 @@ func (m *UserMutation) ResetField(name string) error {
 	case user.FieldBalanceNotifyEnabled:
 		m.ResetBalanceNotifyEnabled()
 		return nil
+	case user.FieldBalanceNotifyThresholdType:
+		m.ResetBalanceNotifyThresholdType()
+		return nil
 	case user.FieldBalanceNotifyThreshold:
 		m.ResetBalanceNotifyThreshold()
 		return nil
 	case user.FieldBalanceNotifyExtraEmails:
 		m.ResetBalanceNotifyExtraEmails()
 		return nil
+	case user.FieldTotalRecharged:
+		m.ResetTotalRecharged()
+		return nil
 	}
 	return fmt.Errorf("unknown User field %s", name)
 }
diff --git a/backend/ent/runtime/runtime.go b/backend/ent/runtime/runtime.go
index a288f5d9..951b5f99 100644
--- a/backend/ent/runtime/runtime.go
+++ b/backend/ent/runtime/runtime.go
@@ -1297,10 +1297,18 @@ func init() {
 	userDescBalanceNotifyEnabled := userFields[11].Descriptor()
 	// user.DefaultBalanceNotifyEnabled holds the default value on creation for the balance_notify_enabled field.
 	user.DefaultBalanceNotifyEnabled = userDescBalanceNotifyEnabled.Default.(bool)
+	// userDescBalanceNotifyThresholdType is the schema descriptor for balance_notify_threshold_type field.
+	userDescBalanceNotifyThresholdType := userFields[12].Descriptor()
+	// user.DefaultBalanceNotifyThresholdType holds the default value on creation for the balance_notify_threshold_type field.
+	user.DefaultBalanceNotifyThresholdType = userDescBalanceNotifyThresholdType.Default.(string)
 	// userDescBalanceNotifyExtraEmails is the schema descriptor for balance_notify_extra_emails field.
-	userDescBalanceNotifyExtraEmails := userFields[13].Descriptor()
+	userDescBalanceNotifyExtraEmails := userFields[14].Descriptor()
 	// user.DefaultBalanceNotifyExtraEmails holds the default value on creation for the balance_notify_extra_emails field.
 	user.DefaultBalanceNotifyExtraEmails = userDescBalanceNotifyExtraEmails.Default.(string)
+	// userDescTotalRecharged is the schema descriptor for total_recharged field.
+	userDescTotalRecharged := userFields[15].Descriptor()
+	// user.DefaultTotalRecharged holds the default value on creation for the total_recharged field.
+	user.DefaultTotalRecharged = userDescTotalRecharged.Default.(float64)
 	userallowedgroupFields := schema.UserAllowedGroup{}.Fields()
 	_ = userallowedgroupFields
 	// userallowedgroupDescCreatedAt is the schema descriptor for created_at field.
diff --git a/backend/ent/schema/user.go b/backend/ent/schema/user.go
index bdaa4509..ef52e985 100644
--- a/backend/ent/schema/user.go
+++ b/backend/ent/schema/user.go
@@ -76,6 +76,8 @@ func (User) Fields() []ent.Field {
 		// 余额不足通知
 		field.Bool("balance_notify_enabled").
 			Default(true),
+		field.String("balance_notify_threshold_type").
+			Default("fixed"), // "fixed" | "percentage"
 		field.Float("balance_notify_threshold").
 			SchemaType(map[string]string{dialect.Postgres: "decimal(20,8)"}).
 			Optional().
@@ -83,6 +85,9 @@ func (User) Fields() []ent.Field {
 		field.String("balance_notify_extra_emails").
 			SchemaType(map[string]string{dialect.Postgres: "text"}).
 			Default("[]"),
+		field.Float("total_recharged").
+			SchemaType(map[string]string{dialect.Postgres: "decimal(20,8)"}).
+			Default(0),
 	}
 }
 
diff --git a/backend/ent/user.go b/backend/ent/user.go
index fc4ddb8f..9fa91f74 100644
--- a/backend/ent/user.go
+++ b/backend/ent/user.go
@@ -47,10 +47,14 @@ type User struct {
 	TotpEnabledAt *time.Time `json:"totp_enabled_at,omitempty"`
 	// BalanceNotifyEnabled holds the value of the "balance_notify_enabled" field.
 	BalanceNotifyEnabled bool `json:"balance_notify_enabled,omitempty"`
+	// BalanceNotifyThresholdType holds the value of the "balance_notify_threshold_type" field.
+	BalanceNotifyThresholdType string `json:"balance_notify_threshold_type,omitempty"`
 	// BalanceNotifyThreshold holds the value of the "balance_notify_threshold" field.
 	BalanceNotifyThreshold *float64 `json:"balance_notify_threshold,omitempty"`
 	// BalanceNotifyExtraEmails holds the value of the "balance_notify_extra_emails" field.
 	BalanceNotifyExtraEmails string `json:"balance_notify_extra_emails,omitempty"`
+	// TotalRecharged holds the value of the "total_recharged" field.
+	TotalRecharged float64 `json:"total_recharged,omitempty"`
 	// Edges holds the relations/edges for other nodes in the graph.
 	// The values are being populated by the UserQuery when eager-loading is set.
 	Edges        UserEdges `json:"edges"`
@@ -192,11 +196,11 @@ func (*User) scanValues(columns []string) ([]any, error) {
 		switch columns[i] {
 		case user.FieldTotpEnabled, user.FieldBalanceNotifyEnabled:
 			values[i] = new(sql.NullBool)
-		case user.FieldBalance, user.FieldBalanceNotifyThreshold:
+		case user.FieldBalance, user.FieldBalanceNotifyThreshold, user.FieldTotalRecharged:
 			values[i] = new(sql.NullFloat64)
 		case user.FieldID, user.FieldConcurrency:
 			values[i] = new(sql.NullInt64)
-		case user.FieldEmail, user.FieldPasswordHash, user.FieldRole, user.FieldStatus, user.FieldUsername, user.FieldNotes, user.FieldTotpSecretEncrypted, user.FieldBalanceNotifyExtraEmails:
+		case user.FieldEmail, user.FieldPasswordHash, user.FieldRole, user.FieldStatus, user.FieldUsername, user.FieldNotes, user.FieldTotpSecretEncrypted, user.FieldBalanceNotifyThresholdType, user.FieldBalanceNotifyExtraEmails:
 			values[i] = new(sql.NullString)
 		case user.FieldCreatedAt, user.FieldUpdatedAt, user.FieldDeletedAt, user.FieldTotpEnabledAt:
 			values[i] = new(sql.NullTime)
@@ -314,6 +318,12 @@ func (_m *User) assignValues(columns []string, values []any) error {
 			} else if value.Valid {
 				_m.BalanceNotifyEnabled = value.Bool
 			}
+		case user.FieldBalanceNotifyThresholdType:
+			if value, ok := values[i].(*sql.NullString); !ok {
+				return fmt.Errorf("unexpected type %T for field balance_notify_threshold_type", values[i])
+			} else if value.Valid {
+				_m.BalanceNotifyThresholdType = value.String
+			}
 		case user.FieldBalanceNotifyThreshold:
 			if value, ok := values[i].(*sql.NullFloat64); !ok {
 				return fmt.Errorf("unexpected type %T for field balance_notify_threshold", values[i])
@@ -327,6 +337,12 @@ func (_m *User) assignValues(columns []string, values []any) error {
 			} else if value.Valid {
 				_m.BalanceNotifyExtraEmails = value.String
 			}
+		case user.FieldTotalRecharged:
+			if value, ok := values[i].(*sql.NullFloat64); !ok {
+				return fmt.Errorf("unexpected type %T for field total_recharged", values[i])
+			} else if value.Valid {
+				_m.TotalRecharged = value.Float64
+			}
 		default:
 			_m.selectValues.Set(columns[i], values[i])
 		}
@@ -469,6 +485,9 @@ func (_m *User) String() string {
 	builder.WriteString("balance_notify_enabled=")
 	builder.WriteString(fmt.Sprintf("%v", _m.BalanceNotifyEnabled))
 	builder.WriteString(", ")
+	builder.WriteString("balance_notify_threshold_type=")
+	builder.WriteString(_m.BalanceNotifyThresholdType)
+	builder.WriteString(", ")
 	if v := _m.BalanceNotifyThreshold; v != nil {
 		builder.WriteString("balance_notify_threshold=")
 		builder.WriteString(fmt.Sprintf("%v", *v))
@@ -476,6 +495,9 @@ func (_m *User) String() string {
 	builder.WriteString(", ")
 	builder.WriteString("balance_notify_extra_emails=")
 	builder.WriteString(_m.BalanceNotifyExtraEmails)
+	builder.WriteString(", ")
+	builder.WriteString("total_recharged=")
+	builder.WriteString(fmt.Sprintf("%v", _m.TotalRecharged))
 	builder.WriteByte(')')
 	return builder.String()
 }
diff --git a/backend/ent/user/user.go b/backend/ent/user/user.go
index aff37013..d88a3a38 100644
--- a/backend/ent/user/user.go
+++ b/backend/ent/user/user.go
@@ -45,10 +45,14 @@ const (
 	FieldTotpEnabledAt = "totp_enabled_at"
 	// FieldBalanceNotifyEnabled holds the string denoting the balance_notify_enabled field in the database.
 	FieldBalanceNotifyEnabled = "balance_notify_enabled"
+	// FieldBalanceNotifyThresholdType holds the string denoting the balance_notify_threshold_type field in the database.
+	FieldBalanceNotifyThresholdType = "balance_notify_threshold_type"
 	// FieldBalanceNotifyThreshold holds the string denoting the balance_notify_threshold field in the database.
 	FieldBalanceNotifyThreshold = "balance_notify_threshold"
 	// FieldBalanceNotifyExtraEmails holds the string denoting the balance_notify_extra_emails field in the database.
 	FieldBalanceNotifyExtraEmails = "balance_notify_extra_emails"
+	// FieldTotalRecharged holds the string denoting the total_recharged field in the database.
+	FieldTotalRecharged = "total_recharged"
 	// EdgeAPIKeys holds the string denoting the api_keys edge name in mutations.
 	EdgeAPIKeys = "api_keys"
 	// EdgeRedeemCodes holds the string denoting the redeem_codes edge name in mutations.
@@ -168,8 +172,10 @@ var Columns = []string{
 	FieldTotpEnabled,
 	FieldTotpEnabledAt,
 	FieldBalanceNotifyEnabled,
+	FieldBalanceNotifyThresholdType,
 	FieldBalanceNotifyThreshold,
 	FieldBalanceNotifyExtraEmails,
+	FieldTotalRecharged,
 }
 
 var (
@@ -228,8 +234,12 @@ var (
 	DefaultTotpEnabled bool
 	// DefaultBalanceNotifyEnabled holds the default value on creation for the "balance_notify_enabled" field.
 	DefaultBalanceNotifyEnabled bool
+	// DefaultBalanceNotifyThresholdType holds the default value on creation for the "balance_notify_threshold_type" field.
+	DefaultBalanceNotifyThresholdType string
 	// DefaultBalanceNotifyExtraEmails holds the default value on creation for the "balance_notify_extra_emails" field.
 	DefaultBalanceNotifyExtraEmails string
+	// DefaultTotalRecharged holds the default value on creation for the "total_recharged" field.
+	DefaultTotalRecharged float64
 )
 
 // OrderOption defines the ordering options for the User queries.
@@ -315,6 +325,11 @@ func ByBalanceNotifyEnabled(opts ...sql.OrderTermOption) OrderOption {
 	return sql.OrderByField(FieldBalanceNotifyEnabled, opts...).ToFunc()
 }
 
+// ByBalanceNotifyThresholdType orders the results by the balance_notify_threshold_type field.
+func ByBalanceNotifyThresholdType(opts ...sql.OrderTermOption) OrderOption {
+	return sql.OrderByField(FieldBalanceNotifyThresholdType, opts...).ToFunc()
+}
+
 // ByBalanceNotifyThreshold orders the results by the balance_notify_threshold field.
 func ByBalanceNotifyThreshold(opts ...sql.OrderTermOption) OrderOption {
 	return sql.OrderByField(FieldBalanceNotifyThreshold, opts...).ToFunc()
@@ -325,6 +340,11 @@ func ByBalanceNotifyExtraEmails(opts ...sql.OrderTermOption) OrderOption {
 	return sql.OrderByField(FieldBalanceNotifyExtraEmails, opts...).ToFunc()
 }
 
+// ByTotalRecharged orders the results by the total_recharged field.
+func ByTotalRecharged(opts ...sql.OrderTermOption) OrderOption {
+	return sql.OrderByField(FieldTotalRecharged, opts...).ToFunc()
+}
+
 // ByAPIKeysCount orders the results by api_keys count.
 func ByAPIKeysCount(opts ...sql.OrderTermOption) OrderOption {
 	return func(s *sql.Selector) {
diff --git a/backend/ent/user/where.go b/backend/ent/user/where.go
index 11a0318f..2788aa7a 100644
--- a/backend/ent/user/where.go
+++ b/backend/ent/user/where.go
@@ -130,6 +130,11 @@ func BalanceNotifyEnabled(v bool) predicate.User {
 	return predicate.User(sql.FieldEQ(FieldBalanceNotifyEnabled, v))
 }
 
+// BalanceNotifyThresholdType applies equality check predicate on the "balance_notify_threshold_type" field. It's identical to BalanceNotifyThresholdTypeEQ.
+func BalanceNotifyThresholdType(v string) predicate.User {
+	return predicate.User(sql.FieldEQ(FieldBalanceNotifyThresholdType, v))
+}
+
 // BalanceNotifyThreshold applies equality check predicate on the "balance_notify_threshold" field. It's identical to BalanceNotifyThresholdEQ.
 func BalanceNotifyThreshold(v float64) predicate.User {
 	return predicate.User(sql.FieldEQ(FieldBalanceNotifyThreshold, v))
@@ -140,6 +145,11 @@ func BalanceNotifyExtraEmails(v string) predicate.User {
 	return predicate.User(sql.FieldEQ(FieldBalanceNotifyExtraEmails, v))
 }
 
+// TotalRecharged applies equality check predicate on the "total_recharged" field. It's identical to TotalRechargedEQ.
+func TotalRecharged(v float64) predicate.User {
+	return predicate.User(sql.FieldEQ(FieldTotalRecharged, v))
+}
+
 // CreatedAtEQ applies the EQ predicate on the "created_at" field.
 func CreatedAtEQ(v time.Time) predicate.User {
 	return predicate.User(sql.FieldEQ(FieldCreatedAt, v))
@@ -885,6 +895,71 @@ func BalanceNotifyEnabledNEQ(v bool) predicate.User {
 	return predicate.User(sql.FieldNEQ(FieldBalanceNotifyEnabled, v))
 }
 
+// BalanceNotifyThresholdTypeEQ applies the EQ predicate on the "balance_notify_threshold_type" field.
+func BalanceNotifyThresholdTypeEQ(v string) predicate.User {
+	return predicate.User(sql.FieldEQ(FieldBalanceNotifyThresholdType, v))
+}
+
+// BalanceNotifyThresholdTypeNEQ applies the NEQ predicate on the "balance_notify_threshold_type" field.
+func BalanceNotifyThresholdTypeNEQ(v string) predicate.User {
+	return predicate.User(sql.FieldNEQ(FieldBalanceNotifyThresholdType, v))
+}
+
+// BalanceNotifyThresholdTypeIn applies the In predicate on the "balance_notify_threshold_type" field.
+func BalanceNotifyThresholdTypeIn(vs ...string) predicate.User {
+	return predicate.User(sql.FieldIn(FieldBalanceNotifyThresholdType, vs...))
+}
+
+// BalanceNotifyThresholdTypeNotIn applies the NotIn predicate on the "balance_notify_threshold_type" field.
+func BalanceNotifyThresholdTypeNotIn(vs ...string) predicate.User {
+	return predicate.User(sql.FieldNotIn(FieldBalanceNotifyThresholdType, vs...))
+}
+
+// BalanceNotifyThresholdTypeGT applies the GT predicate on the "balance_notify_threshold_type" field.
+func BalanceNotifyThresholdTypeGT(v string) predicate.User {
+	return predicate.User(sql.FieldGT(FieldBalanceNotifyThresholdType, v))
+}
+
+// BalanceNotifyThresholdTypeGTE applies the GTE predicate on the "balance_notify_threshold_type" field.
+func BalanceNotifyThresholdTypeGTE(v string) predicate.User {
+	return predicate.User(sql.FieldGTE(FieldBalanceNotifyThresholdType, v))
+}
+
+// BalanceNotifyThresholdTypeLT applies the LT predicate on the "balance_notify_threshold_type" field.
+func BalanceNotifyThresholdTypeLT(v string) predicate.User {
+	return predicate.User(sql.FieldLT(FieldBalanceNotifyThresholdType, v))
+}
+
+// BalanceNotifyThresholdTypeLTE applies the LTE predicate on the "balance_notify_threshold_type" field.
+func BalanceNotifyThresholdTypeLTE(v string) predicate.User {
+	return predicate.User(sql.FieldLTE(FieldBalanceNotifyThresholdType, v))
+}
+
+// BalanceNotifyThresholdTypeContains applies the Contains predicate on the "balance_notify_threshold_type" field.
+func BalanceNotifyThresholdTypeContains(v string) predicate.User {
+	return predicate.User(sql.FieldContains(FieldBalanceNotifyThresholdType, v))
+}
+
+// BalanceNotifyThresholdTypeHasPrefix applies the HasPrefix predicate on the "balance_notify_threshold_type" field.
+func BalanceNotifyThresholdTypeHasPrefix(v string) predicate.User {
+	return predicate.User(sql.FieldHasPrefix(FieldBalanceNotifyThresholdType, v))
+}
+
+// BalanceNotifyThresholdTypeHasSuffix applies the HasSuffix predicate on the "balance_notify_threshold_type" field.
+func BalanceNotifyThresholdTypeHasSuffix(v string) predicate.User {
+	return predicate.User(sql.FieldHasSuffix(FieldBalanceNotifyThresholdType, v))
+}
+
+// BalanceNotifyThresholdTypeEqualFold applies the EqualFold predicate on the "balance_notify_threshold_type" field.
+func BalanceNotifyThresholdTypeEqualFold(v string) predicate.User {
+	return predicate.User(sql.FieldEqualFold(FieldBalanceNotifyThresholdType, v))
+}
+
+// BalanceNotifyThresholdTypeContainsFold applies the ContainsFold predicate on the "balance_notify_threshold_type" field.
+func BalanceNotifyThresholdTypeContainsFold(v string) predicate.User {
+	return predicate.User(sql.FieldContainsFold(FieldBalanceNotifyThresholdType, v))
+}
+
 // BalanceNotifyThresholdEQ applies the EQ predicate on the "balance_notify_threshold" field.
 func BalanceNotifyThresholdEQ(v float64) predicate.User {
 	return predicate.User(sql.FieldEQ(FieldBalanceNotifyThreshold, v))
@@ -1000,6 +1075,46 @@ func BalanceNotifyExtraEmailsContainsFold(v string) predicate.User {
 	return predicate.User(sql.FieldContainsFold(FieldBalanceNotifyExtraEmails, v))
 }
 
+// TotalRechargedEQ applies the EQ predicate on the "total_recharged" field.
+func TotalRechargedEQ(v float64) predicate.User {
+	return predicate.User(sql.FieldEQ(FieldTotalRecharged, v))
+}
+
+// TotalRechargedNEQ applies the NEQ predicate on the "total_recharged" field.
+func TotalRechargedNEQ(v float64) predicate.User {
+	return predicate.User(sql.FieldNEQ(FieldTotalRecharged, v))
+}
+
+// TotalRechargedIn applies the In predicate on the "total_recharged" field.
+func TotalRechargedIn(vs ...float64) predicate.User {
+	return predicate.User(sql.FieldIn(FieldTotalRecharged, vs...))
+}
+
+// TotalRechargedNotIn applies the NotIn predicate on the "total_recharged" field.
+func TotalRechargedNotIn(vs ...float64) predicate.User {
+	return predicate.User(sql.FieldNotIn(FieldTotalRecharged, vs...))
+}
+
+// TotalRechargedGT applies the GT predicate on the "total_recharged" field.
+func TotalRechargedGT(v float64) predicate.User {
+	return predicate.User(sql.FieldGT(FieldTotalRecharged, v))
+}
+
+// TotalRechargedGTE applies the GTE predicate on the "total_recharged" field.
+func TotalRechargedGTE(v float64) predicate.User {
+	return predicate.User(sql.FieldGTE(FieldTotalRecharged, v))
+}
+
+// TotalRechargedLT applies the LT predicate on the "total_recharged" field.
+func TotalRechargedLT(v float64) predicate.User {
+	return predicate.User(sql.FieldLT(FieldTotalRecharged, v))
+}
+
+// TotalRechargedLTE applies the LTE predicate on the "total_recharged" field.
+func TotalRechargedLTE(v float64) predicate.User {
+	return predicate.User(sql.FieldLTE(FieldTotalRecharged, v))
+}
+
 // HasAPIKeys applies the HasEdge predicate on the "api_keys" edge.
 func HasAPIKeys() predicate.User {
 	return predicate.User(func(s *sql.Selector) {
diff --git a/backend/ent/user_create.go b/backend/ent/user_create.go
index 955fde72..fbc64f9c 100644
--- a/backend/ent/user_create.go
+++ b/backend/ent/user_create.go
@@ -225,6 +225,20 @@ func (_c *UserCreate) SetNillableBalanceNotifyEnabled(v *bool) *UserCreate {
 	return _c
 }
 
+// SetBalanceNotifyThresholdType sets the "balance_notify_threshold_type" field.
+func (_c *UserCreate) SetBalanceNotifyThresholdType(v string) *UserCreate {
+	_c.mutation.SetBalanceNotifyThresholdType(v)
+	return _c
+}
+
+// SetNillableBalanceNotifyThresholdType sets the "balance_notify_threshold_type" field if the given value is not nil.
+func (_c *UserCreate) SetNillableBalanceNotifyThresholdType(v *string) *UserCreate {
+	if v != nil {
+		_c.SetBalanceNotifyThresholdType(*v)
+	}
+	return _c
+}
+
 // SetBalanceNotifyThreshold sets the "balance_notify_threshold" field.
 func (_c *UserCreate) SetBalanceNotifyThreshold(v float64) *UserCreate {
 	_c.mutation.SetBalanceNotifyThreshold(v)
@@ -253,6 +267,20 @@ func (_c *UserCreate) SetNillableBalanceNotifyExtraEmails(v *string) *UserCreate
 	return _c
 }
 
+// SetTotalRecharged sets the "total_recharged" field.
+func (_c *UserCreate) SetTotalRecharged(v float64) *UserCreate {
+	_c.mutation.SetTotalRecharged(v)
+	return _c
+}
+
+// SetNillableTotalRecharged sets the "total_recharged" field if the given value is not nil.
+func (_c *UserCreate) SetNillableTotalRecharged(v *float64) *UserCreate {
+	if v != nil {
+		_c.SetTotalRecharged(*v)
+	}
+	return _c
+}
+
 // AddAPIKeyIDs adds the "api_keys" edge to the APIKey entity by IDs.
 func (_c *UserCreate) AddAPIKeyIDs(ids ...int64) *UserCreate {
 	_c.mutation.AddAPIKeyIDs(ids...)
@@ -486,10 +514,18 @@ func (_c *UserCreate) defaults() error {
 		v := user.DefaultBalanceNotifyEnabled
 		_c.mutation.SetBalanceNotifyEnabled(v)
 	}
+	if _, ok := _c.mutation.BalanceNotifyThresholdType(); !ok {
+		v := user.DefaultBalanceNotifyThresholdType
+		_c.mutation.SetBalanceNotifyThresholdType(v)
+	}
 	if _, ok := _c.mutation.BalanceNotifyExtraEmails(); !ok {
 		v := user.DefaultBalanceNotifyExtraEmails
 		_c.mutation.SetBalanceNotifyExtraEmails(v)
 	}
+	if _, ok := _c.mutation.TotalRecharged(); !ok {
+		v := user.DefaultTotalRecharged
+		_c.mutation.SetTotalRecharged(v)
+	}
 	return nil
 }
 
@@ -556,9 +592,15 @@ func (_c *UserCreate) check() error {
 	if _, ok := _c.mutation.BalanceNotifyEnabled(); !ok {
 		return &ValidationError{Name: "balance_notify_enabled", err: errors.New(`ent: missing required field "User.balance_notify_enabled"`)}
 	}
+	if _, ok := _c.mutation.BalanceNotifyThresholdType(); !ok {
+		return &ValidationError{Name: "balance_notify_threshold_type", err: errors.New(`ent: missing required field "User.balance_notify_threshold_type"`)}
+	}
 	if _, ok := _c.mutation.BalanceNotifyExtraEmails(); !ok {
 		return &ValidationError{Name: "balance_notify_extra_emails", err: errors.New(`ent: missing required field "User.balance_notify_extra_emails"`)}
 	}
+	if _, ok := _c.mutation.TotalRecharged(); !ok {
+		return &ValidationError{Name: "total_recharged", err: errors.New(`ent: missing required field "User.total_recharged"`)}
+	}
 	return nil
 }
 
@@ -646,6 +688,10 @@ func (_c *UserCreate) createSpec() (*User, *sqlgraph.CreateSpec) {
 		_spec.SetField(user.FieldBalanceNotifyEnabled, field.TypeBool, value)
 		_node.BalanceNotifyEnabled = value
 	}
+	if value, ok := _c.mutation.BalanceNotifyThresholdType(); ok {
+		_spec.SetField(user.FieldBalanceNotifyThresholdType, field.TypeString, value)
+		_node.BalanceNotifyThresholdType = value
+	}
 	if value, ok := _c.mutation.BalanceNotifyThreshold(); ok {
 		_spec.SetField(user.FieldBalanceNotifyThreshold, field.TypeFloat64, value)
 		_node.BalanceNotifyThreshold = &value
@@ -654,6 +700,10 @@ func (_c *UserCreate) createSpec() (*User, *sqlgraph.CreateSpec) {
 		_spec.SetField(user.FieldBalanceNotifyExtraEmails, field.TypeString, value)
 		_node.BalanceNotifyExtraEmails = value
 	}
+	if value, ok := _c.mutation.TotalRecharged(); ok {
+		_spec.SetField(user.FieldTotalRecharged, field.TypeFloat64, value)
+		_node.TotalRecharged = value
+	}
 	if nodes := _c.mutation.APIKeysIDs(); len(nodes) > 0 {
 		edge := &sqlgraph.EdgeSpec{
 			Rel:     sqlgraph.O2M,
@@ -1068,6 +1118,18 @@ func (u *UserUpsert) UpdateBalanceNotifyEnabled() *UserUpsert {
 	return u
 }
 
+// SetBalanceNotifyThresholdType sets the "balance_notify_threshold_type" field.
+func (u *UserUpsert) SetBalanceNotifyThresholdType(v string) *UserUpsert {
+	u.Set(user.FieldBalanceNotifyThresholdType, v)
+	return u
+}
+
+// UpdateBalanceNotifyThresholdType sets the "balance_notify_threshold_type" field to the value that was provided on create.
+func (u *UserUpsert) UpdateBalanceNotifyThresholdType() *UserUpsert {
+	u.SetExcluded(user.FieldBalanceNotifyThresholdType)
+	return u
+}
+
 // SetBalanceNotifyThreshold sets the "balance_notify_threshold" field.
 func (u *UserUpsert) SetBalanceNotifyThreshold(v float64) *UserUpsert {
 	u.Set(user.FieldBalanceNotifyThreshold, v)
@@ -1104,6 +1166,24 @@ func (u *UserUpsert) UpdateBalanceNotifyExtraEmails() *UserUpsert {
 	return u
 }
 
+// SetTotalRecharged sets the "total_recharged" field.
+func (u *UserUpsert) SetTotalRecharged(v float64) *UserUpsert {
+	u.Set(user.FieldTotalRecharged, v)
+	return u
+}
+
+// UpdateTotalRecharged sets the "total_recharged" field to the value that was provided on create.
+func (u *UserUpsert) UpdateTotalRecharged() *UserUpsert {
+	u.SetExcluded(user.FieldTotalRecharged)
+	return u
+}
+
+// AddTotalRecharged adds v to the "total_recharged" field.
+func (u *UserUpsert) AddTotalRecharged(v float64) *UserUpsert {
+	u.Add(user.FieldTotalRecharged, v)
+	return u
+}
+
 // UpdateNewValues updates the mutable fields using the new values that were set on create.
 // Using this option is equivalent to using:
 //
@@ -1380,6 +1460,20 @@ func (u *UserUpsertOne) UpdateBalanceNotifyEnabled() *UserUpsertOne {
 	})
 }
 
+// SetBalanceNotifyThresholdType sets the "balance_notify_threshold_type" field.
+func (u *UserUpsertOne) SetBalanceNotifyThresholdType(v string) *UserUpsertOne {
+	return u.Update(func(s *UserUpsert) {
+		s.SetBalanceNotifyThresholdType(v)
+	})
+}
+
+// UpdateBalanceNotifyThresholdType sets the "balance_notify_threshold_type" field to the value that was provided on create.
+func (u *UserUpsertOne) UpdateBalanceNotifyThresholdType() *UserUpsertOne {
+	return u.Update(func(s *UserUpsert) {
+		s.UpdateBalanceNotifyThresholdType()
+	})
+}
+
 // SetBalanceNotifyThreshold sets the "balance_notify_threshold" field.
 func (u *UserUpsertOne) SetBalanceNotifyThreshold(v float64) *UserUpsertOne {
 	return u.Update(func(s *UserUpsert) {
@@ -1422,6 +1516,27 @@ func (u *UserUpsertOne) UpdateBalanceNotifyExtraEmails() *UserUpsertOne {
 	})
 }
 
+// SetTotalRecharged sets the "total_recharged" field.
+func (u *UserUpsertOne) SetTotalRecharged(v float64) *UserUpsertOne {
+	return u.Update(func(s *UserUpsert) {
+		s.SetTotalRecharged(v)
+	})
+}
+
+// AddTotalRecharged adds v to the "total_recharged" field.
+func (u *UserUpsertOne) AddTotalRecharged(v float64) *UserUpsertOne {
+	return u.Update(func(s *UserUpsert) {
+		s.AddTotalRecharged(v)
+	})
+}
+
+// UpdateTotalRecharged sets the "total_recharged" field to the value that was provided on create.
+func (u *UserUpsertOne) UpdateTotalRecharged() *UserUpsertOne {
+	return u.Update(func(s *UserUpsert) {
+		s.UpdateTotalRecharged()
+	})
+}
+
 // Exec executes the query.
 func (u *UserUpsertOne) Exec(ctx context.Context) error {
 	if len(u.create.conflict) == 0 {
@@ -1864,6 +1979,20 @@ func (u *UserUpsertBulk) UpdateBalanceNotifyEnabled() *UserUpsertBulk {
 	})
 }
 
+// SetBalanceNotifyThresholdType sets the "balance_notify_threshold_type" field.
+func (u *UserUpsertBulk) SetBalanceNotifyThresholdType(v string) *UserUpsertBulk {
+	return u.Update(func(s *UserUpsert) {
+		s.SetBalanceNotifyThresholdType(v)
+	})
+}
+
+// UpdateBalanceNotifyThresholdType sets the "balance_notify_threshold_type" field to the value that was provided on create.
+func (u *UserUpsertBulk) UpdateBalanceNotifyThresholdType() *UserUpsertBulk {
+	return u.Update(func(s *UserUpsert) {
+		s.UpdateBalanceNotifyThresholdType()
+	})
+}
+
 // SetBalanceNotifyThreshold sets the "balance_notify_threshold" field.
 func (u *UserUpsertBulk) SetBalanceNotifyThreshold(v float64) *UserUpsertBulk {
 	return u.Update(func(s *UserUpsert) {
@@ -1906,6 +2035,27 @@ func (u *UserUpsertBulk) UpdateBalanceNotifyExtraEmails() *UserUpsertBulk {
 	})
 }
 
+// SetTotalRecharged sets the "total_recharged" field.
+func (u *UserUpsertBulk) SetTotalRecharged(v float64) *UserUpsertBulk {
+	return u.Update(func(s *UserUpsert) {
+		s.SetTotalRecharged(v)
+	})
+}
+
+// AddTotalRecharged adds v to the "total_recharged" field.
+func (u *UserUpsertBulk) AddTotalRecharged(v float64) *UserUpsertBulk {
+	return u.Update(func(s *UserUpsert) {
+		s.AddTotalRecharged(v)
+	})
+}
+
+// UpdateTotalRecharged sets the "total_recharged" field to the value that was provided on create.
+func (u *UserUpsertBulk) UpdateTotalRecharged() *UserUpsertBulk {
+	return u.Update(func(s *UserUpsert) {
+		s.UpdateTotalRecharged()
+	})
+}
+
 // Exec executes the query.
 func (u *UserUpsertBulk) Exec(ctx context.Context) error {
 	if u.create.err != nil {
diff --git a/backend/ent/user_update.go b/backend/ent/user_update.go
index 823df0b6..6b355247 100644
--- a/backend/ent/user_update.go
+++ b/backend/ent/user_update.go
@@ -257,6 +257,20 @@ func (_u *UserUpdate) SetNillableBalanceNotifyEnabled(v *bool) *UserUpdate {
 	return _u
 }
 
+// SetBalanceNotifyThresholdType sets the "balance_notify_threshold_type" field.
+func (_u *UserUpdate) SetBalanceNotifyThresholdType(v string) *UserUpdate {
+	_u.mutation.SetBalanceNotifyThresholdType(v)
+	return _u
+}
+
+// SetNillableBalanceNotifyThresholdType sets the "balance_notify_threshold_type" field if the given value is not nil.
+func (_u *UserUpdate) SetNillableBalanceNotifyThresholdType(v *string) *UserUpdate {
+	if v != nil {
+		_u.SetBalanceNotifyThresholdType(*v)
+	}
+	return _u
+}
+
 // SetBalanceNotifyThreshold sets the "balance_notify_threshold" field.
 func (_u *UserUpdate) SetBalanceNotifyThreshold(v float64) *UserUpdate {
 	_u.mutation.ResetBalanceNotifyThreshold()
@@ -298,6 +312,27 @@ func (_u *UserUpdate) SetNillableBalanceNotifyExtraEmails(v *string) *UserUpdate
 	return _u
 }
 
+// SetTotalRecharged sets the "total_recharged" field.
+func (_u *UserUpdate) SetTotalRecharged(v float64) *UserUpdate {
+	_u.mutation.ResetTotalRecharged()
+	_u.mutation.SetTotalRecharged(v)
+	return _u
+}
+
+// SetNillableTotalRecharged sets the "total_recharged" field if the given value is not nil.
+func (_u *UserUpdate) SetNillableTotalRecharged(v *float64) *UserUpdate {
+	if v != nil {
+		_u.SetTotalRecharged(*v)
+	}
+	return _u
+}
+
+// AddTotalRecharged adds value to the "total_recharged" field.
+func (_u *UserUpdate) AddTotalRecharged(v float64) *UserUpdate {
+	_u.mutation.AddTotalRecharged(v)
+	return _u
+}
+
 // AddAPIKeyIDs adds the "api_keys" edge to the APIKey entity by IDs.
 func (_u *UserUpdate) AddAPIKeyIDs(ids ...int64) *UserUpdate {
 	_u.mutation.AddAPIKeyIDs(ids...)
@@ -804,6 +839,9 @@ func (_u *UserUpdate) sqlSave(ctx context.Context) (_node int, err error) {
 	if value, ok := _u.mutation.BalanceNotifyEnabled(); ok {
 		_spec.SetField(user.FieldBalanceNotifyEnabled, field.TypeBool, value)
 	}
+	if value, ok := _u.mutation.BalanceNotifyThresholdType(); ok {
+		_spec.SetField(user.FieldBalanceNotifyThresholdType, field.TypeString, value)
+	}
 	if value, ok := _u.mutation.BalanceNotifyThreshold(); ok {
 		_spec.SetField(user.FieldBalanceNotifyThreshold, field.TypeFloat64, value)
 	}
@@ -816,6 +854,12 @@ func (_u *UserUpdate) sqlSave(ctx context.Context) (_node int, err error) {
 	if value, ok := _u.mutation.BalanceNotifyExtraEmails(); ok {
 		_spec.SetField(user.FieldBalanceNotifyExtraEmails, field.TypeString, value)
 	}
+	if value, ok := _u.mutation.TotalRecharged(); ok {
+		_spec.SetField(user.FieldTotalRecharged, field.TypeFloat64, value)
+	}
+	if value, ok := _u.mutation.AddedTotalRecharged(); ok {
+		_spec.AddField(user.FieldTotalRecharged, field.TypeFloat64, value)
+	}
 	if _u.mutation.APIKeysCleared() {
 		edge := &sqlgraph.EdgeSpec{
 			Rel:     sqlgraph.O2M,
@@ -1518,6 +1562,20 @@ func (_u *UserUpdateOne) SetNillableBalanceNotifyEnabled(v *bool) *UserUpdateOne
 	return _u
 }
 
+// SetBalanceNotifyThresholdType sets the "balance_notify_threshold_type" field.
+func (_u *UserUpdateOne) SetBalanceNotifyThresholdType(v string) *UserUpdateOne {
+	_u.mutation.SetBalanceNotifyThresholdType(v)
+	return _u
+}
+
+// SetNillableBalanceNotifyThresholdType sets the "balance_notify_threshold_type" field if the given value is not nil.
+func (_u *UserUpdateOne) SetNillableBalanceNotifyThresholdType(v *string) *UserUpdateOne {
+	if v != nil {
+		_u.SetBalanceNotifyThresholdType(*v)
+	}
+	return _u
+}
+
 // SetBalanceNotifyThreshold sets the "balance_notify_threshold" field.
 func (_u *UserUpdateOne) SetBalanceNotifyThreshold(v float64) *UserUpdateOne {
 	_u.mutation.ResetBalanceNotifyThreshold()
@@ -1559,6 +1617,27 @@ func (_u *UserUpdateOne) SetNillableBalanceNotifyExtraEmails(v *string) *UserUpd
 	return _u
 }
 
+// SetTotalRecharged sets the "total_recharged" field.
+func (_u *UserUpdateOne) SetTotalRecharged(v float64) *UserUpdateOne {
+	_u.mutation.ResetTotalRecharged()
+	_u.mutation.SetTotalRecharged(v)
+	return _u
+}
+
+// SetNillableTotalRecharged sets the "total_recharged" field if the given value is not nil.
+func (_u *UserUpdateOne) SetNillableTotalRecharged(v *float64) *UserUpdateOne {
+	if v != nil {
+		_u.SetTotalRecharged(*v)
+	}
+	return _u
+}
+
+// AddTotalRecharged adds value to the "total_recharged" field.
+func (_u *UserUpdateOne) AddTotalRecharged(v float64) *UserUpdateOne {
+	_u.mutation.AddTotalRecharged(v)
+	return _u
+}
+
 // AddAPIKeyIDs adds the "api_keys" edge to the APIKey entity by IDs.
 func (_u *UserUpdateOne) AddAPIKeyIDs(ids ...int64) *UserUpdateOne {
 	_u.mutation.AddAPIKeyIDs(ids...)
@@ -2095,6 +2174,9 @@ func (_u *UserUpdateOne) sqlSave(ctx context.Context) (_node *User, err error) {
 	if value, ok := _u.mutation.BalanceNotifyEnabled(); ok {
 		_spec.SetField(user.FieldBalanceNotifyEnabled, field.TypeBool, value)
 	}
+	if value, ok := _u.mutation.BalanceNotifyThresholdType(); ok {
+		_spec.SetField(user.FieldBalanceNotifyThresholdType, field.TypeString, value)
+	}
 	if value, ok := _u.mutation.BalanceNotifyThreshold(); ok {
 		_spec.SetField(user.FieldBalanceNotifyThreshold, field.TypeFloat64, value)
 	}
@@ -2107,6 +2189,12 @@ func (_u *UserUpdateOne) sqlSave(ctx context.Context) (_node *User, err error) {
 	if value, ok := _u.mutation.BalanceNotifyExtraEmails(); ok {
 		_spec.SetField(user.FieldBalanceNotifyExtraEmails, field.TypeString, value)
 	}
+	if value, ok := _u.mutation.TotalRecharged(); ok {
+		_spec.SetField(user.FieldTotalRecharged, field.TypeFloat64, value)
+	}
+	if value, ok := _u.mutation.AddedTotalRecharged(); ok {
+		_spec.AddField(user.FieldTotalRecharged, field.TypeFloat64, value)
+	}
 	if _u.mutation.APIKeysCleared() {
 		edge := &sqlgraph.EdgeSpec{
 			Rel:     sqlgraph.O2M,
diff --git a/backend/internal/handler/admin/setting_handler.go b/backend/internal/handler/admin/setting_handler.go
index e5e024c6..3d587a21 100644
--- a/backend/internal/handler/admin/setting_handler.go
+++ b/backend/internal/handler/admin/setting_handler.go
@@ -176,6 +176,10 @@ func (h *SettingHandler) GetSettings(c *gin.Context) {
 		EnableMetadataPassthrough:            settings.EnableMetadataPassthrough,
 		EnableCCHSigning:                     settings.EnableCCHSigning,
 		WebSearchEmulationEnabled:            settings.WebSearchEmulationEnabled,
+		BalanceLowNotifyEnabled:              settings.BalanceLowNotifyEnabled,
+		BalanceLowNotifyThresholdType:        settings.BalanceLowNotifyThresholdType,
+		BalanceLowNotifyThreshold:            settings.BalanceLowNotifyThreshold,
+		AccountQuotaNotifyEmails:             settings.AccountQuotaNotifyEmails,
 		PaymentEnabled:                       paymentCfg.Enabled,
 		PaymentMinAmount:                     paymentCfg.MinAmount,
 		PaymentMaxAmount:                     paymentCfg.MaxAmount,
@@ -305,6 +309,12 @@ type UpdateSettingsRequest struct {
 	EnableMetadataPassthrough    *bool `json:"enable_metadata_passthrough"`
 	EnableCCHSigning             *bool `json:"enable_cch_signing"`
 
+	// Balance low notification
+	BalanceLowNotifyEnabled       *bool     `json:"balance_low_notify_enabled"`
+	BalanceLowNotifyThresholdType *string   `json:"balance_low_notify_threshold_type"`
+	BalanceLowNotifyThreshold     *float64  `json:"balance_low_notify_threshold"`
+	AccountQuotaNotifyEmails      *[]string `json:"account_quota_notify_emails"`
+
 	// Payment configuration (integrated into settings, full replace)
 	PaymentEnabled           *bool    `json:"payment_enabled"`
 	PaymentMinAmount         *float64 `json:"payment_min_amount"`
@@ -882,6 +892,30 @@ func (h *SettingHandler) UpdateSettings(c *gin.Context) {
 			}
 			return previousSettings.EnableCCHSigning
 		}(),
+		BalanceLowNotifyEnabled: func() bool {
+			if req.BalanceLowNotifyEnabled != nil {
+				return *req.BalanceLowNotifyEnabled
+			}
+			return previousSettings.BalanceLowNotifyEnabled
+		}(),
+		BalanceLowNotifyThresholdType: func() string {
+			if req.BalanceLowNotifyThresholdType != nil {
+				return *req.BalanceLowNotifyThresholdType
+			}
+			return previousSettings.BalanceLowNotifyThresholdType
+		}(),
+		BalanceLowNotifyThreshold: func() float64 {
+			if req.BalanceLowNotifyThreshold != nil {
+				return *req.BalanceLowNotifyThreshold
+			}
+			return previousSettings.BalanceLowNotifyThreshold
+		}(),
+		AccountQuotaNotifyEmails: func() []string {
+			if req.AccountQuotaNotifyEmails != nil {
+				return *req.AccountQuotaNotifyEmails
+			}
+			return previousSettings.AccountQuotaNotifyEmails
+		}(),
 	}
 
 	if err := h.settingService.UpdateSettings(c.Request.Context(), settings); err != nil {
@@ -1028,6 +1062,10 @@ func (h *SettingHandler) UpdateSettings(c *gin.Context) {
 		EnableFingerprintUnification:         updatedSettings.EnableFingerprintUnification,
 		EnableMetadataPassthrough:            updatedSettings.EnableMetadataPassthrough,
 		EnableCCHSigning:                     updatedSettings.EnableCCHSigning,
+		BalanceLowNotifyEnabled:              updatedSettings.BalanceLowNotifyEnabled,
+		BalanceLowNotifyThresholdType:        updatedSettings.BalanceLowNotifyThresholdType,
+		BalanceLowNotifyThreshold:            updatedSettings.BalanceLowNotifyThreshold,
+		AccountQuotaNotifyEmails:             updatedSettings.AccountQuotaNotifyEmails,
 		PaymentEnabled:                       updatedPaymentCfg.Enabled,
 		PaymentMinAmount:                     updatedPaymentCfg.MinAmount,
 		PaymentMaxAmount:                     updatedPaymentCfg.MaxAmount,
diff --git a/backend/internal/handler/dto/mappers.go b/backend/internal/handler/dto/mappers.go
index a465c7fb..147072c3 100644
--- a/backend/internal/handler/dto/mappers.go
+++ b/backend/internal/handler/dto/mappers.go
@@ -13,19 +13,21 @@ func UserFromServiceShallow(u *service.User) *User {
 		return nil
 	}
 	return &User{
-		ID:                       u.ID,
-		Email:                    u.Email,
-		Username:                 u.Username,
-		Role:                     u.Role,
-		Balance:                  u.Balance,
-		Concurrency:              u.Concurrency,
-		Status:                   u.Status,
-		AllowedGroups:            u.AllowedGroups,
-		CreatedAt:                u.CreatedAt,
-		UpdatedAt:                u.UpdatedAt,
-		BalanceNotifyEnabled:     u.BalanceNotifyEnabled,
-		BalanceNotifyThreshold:   u.BalanceNotifyThreshold,
-		BalanceNotifyExtraEmails: u.BalanceNotifyExtraEmails,
+		ID:                         u.ID,
+		Email:                      u.Email,
+		Username:                   u.Username,
+		Role:                       u.Role,
+		Balance:                    u.Balance,
+		Concurrency:                u.Concurrency,
+		Status:                     u.Status,
+		AllowedGroups:              u.AllowedGroups,
+		CreatedAt:                  u.CreatedAt,
+		UpdatedAt:                  u.UpdatedAt,
+		BalanceNotifyEnabled:       u.BalanceNotifyEnabled,
+		BalanceNotifyThresholdType: u.BalanceNotifyThresholdType,
+		BalanceNotifyThreshold:     u.BalanceNotifyThreshold,
+		BalanceNotifyExtraEmails:   u.BalanceNotifyExtraEmails,
+		TotalRecharged:             u.TotalRecharged,
 	}
 }
 
diff --git a/backend/internal/handler/dto/settings.go b/backend/internal/handler/dto/settings.go
index e29f72da..8da7c6f2 100644
--- a/backend/internal/handler/dto/settings.go
+++ b/backend/internal/handler/dto/settings.go
@@ -150,9 +150,10 @@ type SystemSettings struct {
 	PaymentCancelRateLimitMode    string `json:"payment_cancel_rate_limit_window_mode"`
 
 	// Balance low notification
-	BalanceLowNotifyEnabled   bool     `json:"balance_low_notify_enabled"`
-	BalanceLowNotifyThreshold float64  `json:"balance_low_notify_threshold"`
-	AccountQuotaNotifyEmails  []string `json:"account_quota_notify_emails"`
+	BalanceLowNotifyEnabled       bool     `json:"balance_low_notify_enabled"`
+	BalanceLowNotifyThresholdType string   `json:"balance_low_notify_threshold_type"`
+	BalanceLowNotifyThreshold     float64  `json:"balance_low_notify_threshold"`
+	AccountQuotaNotifyEmails      []string `json:"account_quota_notify_emails"`
 }
 
 type DefaultSubscriptionSetting struct {
diff --git a/backend/internal/handler/dto/types.go b/backend/internal/handler/dto/types.go
index 18522868..425d3df9 100644
--- a/backend/internal/handler/dto/types.go
+++ b/backend/internal/handler/dto/types.go
@@ -19,9 +19,11 @@ type User struct {
 	UpdatedAt     time.Time `json:"updated_at"`
 
 	// 余额不足通知
-	BalanceNotifyEnabled     bool     `json:"balance_notify_enabled"`
-	BalanceNotifyThreshold   *float64 `json:"balance_notify_threshold"`
-	BalanceNotifyExtraEmails []string `json:"balance_notify_extra_emails"`
+	BalanceNotifyEnabled       bool     `json:"balance_notify_enabled"`
+	BalanceNotifyThresholdType string   `json:"balance_notify_threshold_type"`
+	BalanceNotifyThreshold     *float64 `json:"balance_notify_threshold"`
+	BalanceNotifyExtraEmails   []string `json:"balance_notify_extra_emails"`
+	TotalRecharged             float64  `json:"total_recharged"`
 
 	APIKeys       []APIKey           `json:"api_keys,omitempty"`
 	Subscriptions []UserSubscription `json:"subscriptions,omitempty"`
diff --git a/backend/internal/handler/user_handler.go b/backend/internal/handler/user_handler.go
index 4fb72ce7..48528d55 100644
--- a/backend/internal/handler/user_handler.go
+++ b/backend/internal/handler/user_handler.go
@@ -33,9 +33,10 @@ type ChangePasswordRequest struct {
 
 // UpdateProfileRequest represents the update profile request payload
 type UpdateProfileRequest struct {
-	Username               *string  `json:"username"`
-	BalanceNotifyEnabled   *bool    `json:"balance_notify_enabled"`
-	BalanceNotifyThreshold *float64 `json:"balance_notify_threshold"`
+	Username                   *string  `json:"username"`
+	BalanceNotifyEnabled       *bool    `json:"balance_notify_enabled"`
+	BalanceNotifyThresholdType *string  `json:"balance_notify_threshold_type"`
+	BalanceNotifyThreshold     *float64 `json:"balance_notify_threshold"`
 }
 
 // GetProfile handles getting user profile
@@ -100,9 +101,10 @@ func (h *UserHandler) UpdateProfile(c *gin.Context) {
 	}
 
 	svcReq := service.UpdateProfileRequest{
-		Username:               req.Username,
-		BalanceNotifyEnabled:   req.BalanceNotifyEnabled,
-		BalanceNotifyThreshold: req.BalanceNotifyThreshold,
+		Username:                   req.Username,
+		BalanceNotifyEnabled:       req.BalanceNotifyEnabled,
+		BalanceNotifyThresholdType: req.BalanceNotifyThresholdType,
+		BalanceNotifyThreshold:     req.BalanceNotifyThreshold,
 	}
 	updatedUser, err := h.userService.UpdateProfile(c.Request.Context(), subject.UserID, svcReq)
 	if err != nil {
diff --git a/backend/internal/repository/api_key_repo.go b/backend/internal/repository/api_key_repo.go
index 752a5937..4ecab47a 100644
--- a/backend/internal/repository/api_key_repo.go
+++ b/backend/internal/repository/api_key_repo.go
@@ -641,22 +641,24 @@ func userEntityToService(u *dbent.User) *service.User {
 		return nil
 	}
 	out := &service.User{
-		ID:                   u.ID,
-		Email:                u.Email,
-		Username:             u.Username,
-		Notes:                u.Notes,
-		PasswordHash:         u.PasswordHash,
-		Role:                 u.Role,
-		Balance:              u.Balance,
-		Concurrency:          u.Concurrency,
-		Status:               u.Status,
-		TotpSecretEncrypted:  u.TotpSecretEncrypted,
-		TotpEnabled:          u.TotpEnabled,
-		TotpEnabledAt:        u.TotpEnabledAt,
-		BalanceNotifyEnabled: u.BalanceNotifyEnabled,
-		BalanceNotifyThreshold: u.BalanceNotifyThreshold,
-		CreatedAt:            u.CreatedAt,
-		UpdatedAt:            u.UpdatedAt,
+		ID:                         u.ID,
+		Email:                      u.Email,
+		Username:                   u.Username,
+		Notes:                      u.Notes,
+		PasswordHash:               u.PasswordHash,
+		Role:                       u.Role,
+		Balance:                    u.Balance,
+		Concurrency:                u.Concurrency,
+		Status:                     u.Status,
+		TotpSecretEncrypted:        u.TotpSecretEncrypted,
+		TotpEnabled:                u.TotpEnabled,
+		TotpEnabledAt:              u.TotpEnabledAt,
+		BalanceNotifyEnabled:       u.BalanceNotifyEnabled,
+		BalanceNotifyThresholdType: u.BalanceNotifyThresholdType,
+		BalanceNotifyThreshold:     u.BalanceNotifyThreshold,
+		TotalRecharged:             u.TotalRecharged,
+		CreatedAt:                  u.CreatedAt,
+		UpdatedAt:                  u.UpdatedAt,
 	}
 	// Parse extra emails JSON array
 	if u.BalanceNotifyExtraEmails != "" && u.BalanceNotifyExtraEmails != "[]" {
diff --git a/backend/internal/repository/user_repo.go b/backend/internal/repository/user_repo.go
index 2c544857..63168fb1 100644
--- a/backend/internal/repository/user_repo.go
+++ b/backend/internal/repository/user_repo.go
@@ -148,6 +148,7 @@ func (r *userRepository) Update(ctx context.Context, userIn *service.User) error
 		SetConcurrency(userIn.Concurrency).
 		SetStatus(userIn.Status).
 		SetBalanceNotifyEnabled(userIn.BalanceNotifyEnabled).
+		SetBalanceNotifyThresholdType(userIn.BalanceNotifyThresholdType).
 		SetNillableBalanceNotifyThreshold(userIn.BalanceNotifyThreshold).
 		SetBalanceNotifyExtraEmails(marshalExtraEmails(userIn.BalanceNotifyExtraEmails))
 	if userIn.BalanceNotifyThreshold == nil {
@@ -389,7 +390,12 @@ func (r *userRepository) filterUsersByAttributes(ctx context.Context, attrs map[
 
 func (r *userRepository) UpdateBalance(ctx context.Context, id int64, amount float64) error {
 	client := clientFromContext(ctx, r.client)
-	n, err := client.User.Update().Where(dbuser.IDEQ(id)).AddBalance(amount).Save(ctx)
+	update := client.User.Update().Where(dbuser.IDEQ(id)).AddBalance(amount)
+	// Track cumulative recharge amount for percentage-based notifications
+	if amount > 0 {
+		update = update.AddTotalRecharged(amount)
+	}
+	n, err := update.Save(ctx)
 	if err != nil {
 		return translatePersistenceError(err, service.ErrUserNotFound, nil)
 	}
diff --git a/backend/internal/service/balance_notify_service.go b/backend/internal/service/balance_notify_service.go
index 8dd56b8f..7fbdd254 100644
--- a/backend/internal/service/balance_notify_service.go
+++ b/backend/internal/service/balance_notify_service.go
@@ -47,30 +47,21 @@ func (s *BalanceNotifyService) CheckBalanceAfterDeduction(ctx context.Context, u
 	if user == nil || s.emailService == nil || s.settingRepo == nil {
 		return
 	}
-
-	// Check user-level switch
 	if !user.BalanceNotifyEnabled {
 		return
 	}
 
-	// Check global switch
-	globalEnabled, threshold := s.getBalanceNotifyConfig(ctx)
+	globalEnabled, globalThresholdType, globalThresholdValue := s.getBalanceNotifyConfig(ctx)
 	if !globalEnabled {
 		return
 	}
 
-	// User custom threshold overrides system default
-	if user.BalanceNotifyThreshold != nil {
-		threshold = *user.BalanceNotifyThreshold
-	}
-
+	threshold := s.resolveEffectiveThreshold(user, globalThresholdType, globalThresholdValue)
 	if threshold <= 0 {
 		return
 	}
 
 	newBalance := oldBalance - cost
-
-	// Only notify on first crossing
 	if oldBalance >= threshold && newBalance < threshold {
 		siteName := s.getSiteName(ctx)
 		recipients := s.collectBalanceNotifyRecipients(user)
@@ -85,6 +76,30 @@ func (s *BalanceNotifyService) CheckBalanceAfterDeduction(ctx context.Context, u
 	}
 }
 
+// resolveEffectiveThreshold computes the actual USD threshold based on type and user settings.
+func (s *BalanceNotifyService) resolveEffectiveThreshold(user *User, globalType string, globalValue float64) float64 {
+	// User-level override takes full precedence
+	if user.BalanceNotifyThreshold != nil {
+		thresholdType := user.BalanceNotifyThresholdType
+		if thresholdType == "" {
+			thresholdType = globalType
+		}
+		return computeThreshold(thresholdType, *user.BalanceNotifyThreshold, user.TotalRecharged)
+	}
+	return computeThreshold(globalType, globalValue, user.TotalRecharged)
+}
+
+// computeThreshold converts a threshold value to USD based on type.
+func computeThreshold(thresholdType string, value, totalRecharged float64) float64 {
+	if thresholdType == ThresholdTypePercentage {
+		if totalRecharged <= 0 {
+			return 0 // no recharge history → skip percentage check
+		}
+		return totalRecharged * value / 100
+	}
+	return value // fixed USD amount
+}
+
 // quotaDim describes one quota dimension for notification checking.
 type quotaDim struct {
 	name      string
@@ -139,13 +154,21 @@ func (s *BalanceNotifyService) asyncSendQuotaAlert(adminEmails []string, account
 }
 
 // getBalanceNotifyConfig reads global balance notification settings.
-func (s *BalanceNotifyService) getBalanceNotifyConfig(ctx context.Context) (enabled bool, threshold float64) {
-	keys := []string{SettingKeyBalanceLowNotifyEnabled, SettingKeyBalanceLowNotifyThreshold}
+func (s *BalanceNotifyService) getBalanceNotifyConfig(ctx context.Context) (enabled bool, thresholdType string, threshold float64) {
+	keys := []string{
+		SettingKeyBalanceLowNotifyEnabled,
+		SettingKeyBalanceLowNotifyThresholdType,
+		SettingKeyBalanceLowNotifyThreshold,
+	}
 	settings, err := s.settingRepo.GetMultiple(ctx, keys)
 	if err != nil {
-		return false, 0
+		return false, ThresholdTypeFixed, 0
 	}
 	enabled = settings[SettingKeyBalanceLowNotifyEnabled] == "true"
+	thresholdType = settings[SettingKeyBalanceLowNotifyThresholdType]
+	if thresholdType == "" {
+		thresholdType = ThresholdTypeFixed
+	}
 	if v := settings[SettingKeyBalanceLowNotifyThreshold]; v != "" {
 		if f, err := strconv.ParseFloat(v, 64); err == nil {
 			threshold = f
diff --git a/backend/internal/service/domain_constants.go b/backend/internal/service/domain_constants.go
index 2704e0d0..3de0e343 100644
--- a/backend/internal/service/domain_constants.go
+++ b/backend/internal/service/domain_constants.go
@@ -251,8 +251,13 @@ const (
 	SettingKeyEnableCCHSigning = "enable_cch_signing"
 
 	// Balance Low Notification
-	SettingKeyBalanceLowNotifyEnabled   = "balance_low_notify_enabled"   // 全局开关
-	SettingKeyBalanceLowNotifyThreshold = "balance_low_notify_threshold" // 默认阈值（USD）
+	SettingKeyBalanceLowNotifyEnabled       = "balance_low_notify_enabled"        // 全局开关
+	SettingKeyBalanceLowNotifyThresholdType = "balance_low_notify_threshold_type" // "fixed" | "percentage"
+	SettingKeyBalanceLowNotifyThreshold     = "balance_low_notify_threshold"      // 默认阈值（USD 或百分比）
+
+	// Threshold type constants
+	ThresholdTypeFixed      = "fixed"
+	ThresholdTypePercentage = "percentage"
 
 	// Account Quota Notification
 	SettingKeyAccountQuotaNotifyEmails = "account_quota_notify_emails" // 管理员通知邮箱列表（JSON 数组）
diff --git a/backend/internal/service/setting_service.go b/backend/internal/service/setting_service.go
index bc4f53ce..e2491cbc 100644
--- a/backend/internal/service/setting_service.go
+++ b/backend/internal/service/setting_service.go
@@ -597,6 +597,11 @@ func (s *SettingService) UpdateSettings(ctx context.Context, settings *SystemSet
 
 	// Balance low notification
 	updates[SettingKeyBalanceLowNotifyEnabled] = strconv.FormatBool(settings.BalanceLowNotifyEnabled)
+	thresholdType := settings.BalanceLowNotifyThresholdType
+	if thresholdType == "" {
+		thresholdType = ThresholdTypeFixed
+	}
+	updates[SettingKeyBalanceLowNotifyThresholdType] = thresholdType
 	updates[SettingKeyBalanceLowNotifyThreshold] = strconv.FormatFloat(settings.BalanceLowNotifyThreshold, 'f', 8, 64)
 	accountQuotaNotifyEmailsJSON, err := json.Marshal(settings.AccountQuotaNotifyEmails)
 	if err != nil {
@@ -1228,6 +1233,10 @@ func (s *SettingService) parseSettings(settings map[string]string) *SystemSettin
 
 	// Balance low notification
 	result.BalanceLowNotifyEnabled = settings[SettingKeyBalanceLowNotifyEnabled] == "true"
+	result.BalanceLowNotifyThresholdType = settings[SettingKeyBalanceLowNotifyThresholdType]
+	if result.BalanceLowNotifyThresholdType == "" {
+		result.BalanceLowNotifyThresholdType = ThresholdTypeFixed
+	}
 	if v, err := strconv.ParseFloat(settings[SettingKeyBalanceLowNotifyThreshold], 64); err == nil && v >= 0 {
 		result.BalanceLowNotifyThreshold = v
 	}
diff --git a/backend/internal/service/settings_view.go b/backend/internal/service/settings_view.go
index debc2b19..b28d2247 100644
--- a/backend/internal/service/settings_view.go
+++ b/backend/internal/service/settings_view.go
@@ -108,8 +108,9 @@ type SystemSettings struct {
 	EnableCCHSigning             bool // 是否对 billing header cch 进行签名（默认 false）
 
 	// Balance low notification
-	BalanceLowNotifyEnabled   bool
-	BalanceLowNotifyThreshold float64
+	BalanceLowNotifyEnabled       bool
+	BalanceLowNotifyThresholdType string // "fixed" (default) | "percentage"
+	BalanceLowNotifyThreshold     float64
 
 	// Account quota notification
 	AccountQuotaNotifyEmails []string
diff --git a/backend/internal/service/user.go b/backend/internal/service/user.go
index b4818223..4ca31adc 100644
--- a/backend/internal/service/user.go
+++ b/backend/internal/service/user.go
@@ -31,9 +31,11 @@ type User struct {
 	TotpEnabledAt       *time.Time // TOTP 启用时间
 
 	// 余额不足通知
-	BalanceNotifyEnabled     bool
-	BalanceNotifyThreshold   *float64
-	BalanceNotifyExtraEmails []string
+	BalanceNotifyEnabled       bool
+	BalanceNotifyThresholdType string   // "fixed" (default) | "percentage"
+	BalanceNotifyThreshold     *float64
+	BalanceNotifyExtraEmails   []string
+	TotalRecharged             float64
 
 	APIKeys       []APIKey
 	Subscriptions []UserSubscription
diff --git a/backend/internal/service/user_service.go b/backend/internal/service/user_service.go
index e6b9a210..4669cb2b 100644
--- a/backend/internal/service/user_service.go
+++ b/backend/internal/service/user_service.go
@@ -62,11 +62,12 @@ type UserRepository interface {
 
 // UpdateProfileRequest 更新用户资料请求
 type UpdateProfileRequest struct {
-	Email                  *string  `json:"email"`
-	Username               *string  `json:"username"`
-	Concurrency            *int     `json:"concurrency"`
-	BalanceNotifyEnabled   *bool    `json:"balance_notify_enabled"`
-	BalanceNotifyThreshold *float64 `json:"balance_notify_threshold"`
+	Email                      *string  `json:"email"`
+	Username                   *string  `json:"username"`
+	Concurrency                *int     `json:"concurrency"`
+	BalanceNotifyEnabled       *bool    `json:"balance_notify_enabled"`
+	BalanceNotifyThresholdType *string  `json:"balance_notify_threshold_type"`
+	BalanceNotifyThreshold     *float64 `json:"balance_notify_threshold"`
 }
 
 // ChangePasswordRequest 修改密码请求
@@ -143,6 +144,9 @@ func (s *UserService) UpdateProfile(ctx context.Context, userID int64, req Updat
 	if req.BalanceNotifyEnabled != nil {
 		user.BalanceNotifyEnabled = *req.BalanceNotifyEnabled
 	}
+	if req.BalanceNotifyThresholdType != nil {
+		user.BalanceNotifyThresholdType = *req.BalanceNotifyThresholdType
+	}
 	if req.BalanceNotifyThreshold != nil {
 		if *req.BalanceNotifyThreshold <= 0 {
 			user.BalanceNotifyThreshold = nil // clear to system default
diff --git a/backend/migrations/102_add_balance_notify_threshold_type.sql b/backend/migrations/102_add_balance_notify_threshold_type.sql
new file mode 100644
index 00000000..7ad70552
--- /dev/null
+++ b/backend/migrations/102_add_balance_notify_threshold_type.sql
@@ -0,0 +1,4 @@
+-- Add threshold type support (fixed / percentage) to balance notification
+ALTER TABLE users ADD COLUMN IF NOT EXISTS balance_notify_threshold_type VARCHAR(10) NOT NULL DEFAULT 'fixed';
+-- Track cumulative recharge amount for percentage threshold calculation
+ALTER TABLE users ADD COLUMN IF NOT EXISTS total_recharged DECIMAL(20,8) NOT NULL DEFAULT 0;
diff --git a/frontend/src/api/admin/settings.ts b/frontend/src/api/admin/settings.ts
index 31284289..ec290be5 100644
--- a/frontend/src/api/admin/settings.ts
+++ b/frontend/src/api/admin/settings.ts
@@ -137,6 +137,7 @@ export interface SystemSettings {
 
   // Balance & quota notification
   balance_low_notify_enabled: boolean
+  balance_low_notify_threshold_type: 'fixed' | 'percentage'
   balance_low_notify_threshold: number
   account_quota_notify_emails: string[]
 }
@@ -240,6 +241,7 @@ export interface UpdateSettingsRequest {
   payment_cancel_rate_limit_window_mode?: string
   // Balance & quota notification
   balance_low_notify_enabled?: boolean
+  balance_low_notify_threshold_type?: 'fixed' | 'percentage'
   balance_low_notify_threshold?: number
   account_quota_notify_emails?: string[]
 }
diff --git a/frontend/src/i18n/locales/en.ts b/frontend/src/i18n/locales/en.ts
index 8e10bf2a..880a81ee 100644
--- a/frontend/src/i18n/locales/en.ts
+++ b/frontend/src/i18n/locales/en.ts
@@ -4633,8 +4633,12 @@ export default {
         title: 'Balance Low Notification',
         description: 'Send email notification when user balance falls below threshold',
         enabled: 'Enable Balance Low Notification',
+        thresholdType: 'Threshold Type',
+        typeFixed: 'Fixed Amount',
+        typePercentage: 'Percentage of Recharged',
         threshold: 'Default Threshold',
         thresholdHint: 'Used when user has not set a custom value',
+        percentageHint: 'Notify when balance falls below this percentage of total recharged amount',
         thresholdPlaceholder: 'Enter amount',
       },
       quotaNotify: {
diff --git a/frontend/src/i18n/locales/zh.ts b/frontend/src/i18n/locales/zh.ts
index 1b82f419..41d94e06 100644
--- a/frontend/src/i18n/locales/zh.ts
+++ b/frontend/src/i18n/locales/zh.ts
@@ -4797,8 +4797,12 @@ export default {
         title: '余额不足提醒',
         description: '当用户余额低于阈值时发送邮件提醒',
         enabled: '启用余额不足提醒',
-        threshold: '默认提醒阈值',
+        thresholdType: '阈值类型',
+        typeFixed: '固定金额',
+        typePercentage: '充值百分比',
+        threshold: '提醒阈值',
         thresholdHint: '用户未自定义时使用此值',
+        percentageHint: '当余额低于累计充值额的此百分比时提醒',
         thresholdPlaceholder: '输入金额',
       },
       quotaNotify: {
diff --git a/frontend/src/views/admin/SettingsView.vue b/frontend/src/views/admin/SettingsView.vue
index 8ed77203..af84b67d 100644
--- a/frontend/src/views/admin/SettingsView.vue
+++ b/frontend/src/views/admin/SettingsView.vue
@@ -2660,6 +2660,90 @@
             </div>
           </div>
         </div>
+        <!-- Balance Low Notification -->
+        <div class="card">
+          <div class="border-b border-gray-100 px-6 py-4 dark:border-dark-700">
+            <h3 class="text-base font-medium text-gray-900 dark:text-white">
+              {{ t('admin.settings.balanceNotify.title') }}
+            </h3>
+            <p class="mt-1 text-sm text-gray-500 dark:text-gray-400">
+              {{ t('admin.settings.balanceNotify.description') }}
+            </p>
+          </div>
+          <div class="px-6 py-6 space-y-4">
+            <div class="flex items-center justify-between">
+              <label class="mb-0 block text-sm font-medium text-gray-700 dark:text-gray-300">{{ t('admin.settings.balanceNotify.enabled') }}</label>
+              <Toggle v-model="form.balance_low_notify_enabled" />
+            </div>
+            <div v-if="form.balance_low_notify_enabled" class="space-y-3">
+              <!-- Threshold type selector -->
+              <div>
+                <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">{{ t('admin.settings.balanceNotify.thresholdType') }}</label>
+                <div class="flex gap-4">
+                  <label class="flex items-center gap-1.5 text-sm cursor-pointer">
+                    <input type="radio" v-model="form.balance_low_notify_threshold_type" value="fixed" class="accent-primary-500" />
+                    {{ t('admin.settings.balanceNotify.typeFixed') }}
+                  </label>
+                  <label class="flex items-center gap-1.5 text-sm cursor-pointer">
+                    <input type="radio" v-model="form.balance_low_notify_threshold_type" value="percentage" class="accent-primary-500" />
+                    {{ t('admin.settings.balanceNotify.typePercentage') }}
+                  </label>
+                </div>
+              </div>
+              <!-- Threshold value -->
+              <div>
+                <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">{{ t('admin.settings.balanceNotify.threshold') }}</label>
+                <div class="relative">
+                  <span class="absolute left-3 top-1/2 -translate-y-1/2 text-gray-400">
+                    {{ form.balance_low_notify_threshold_type === 'percentage' ? '%' : '$' }}
+                  </span>
+                  <input
+                    v-model.number="form.balance_low_notify_threshold"
+                    type="number"
+                    :min="0"
+                    :max="form.balance_low_notify_threshold_type === 'percentage' ? 100 : undefined"
+                    :step="form.balance_low_notify_threshold_type === 'percentage' ? 1 : 0.01"
+                    class="input pl-7"
+                  />
+                </div>
+                <p class="mt-1 text-xs text-gray-500 dark:text-gray-400">
+                  {{ form.balance_low_notify_threshold_type === 'percentage'
+                    ? t('admin.settings.balanceNotify.percentageHint')
+                    : t('admin.settings.balanceNotify.thresholdHint') }}
+                </p>
+              </div>
+            </div>
+          </div>
+        </div>
+
+        <!-- Account Quota Notification -->
+        <div class="card">
+          <div class="border-b border-gray-100 px-6 py-4 dark:border-dark-700">
+            <h3 class="text-base font-medium text-gray-900 dark:text-white">
+              {{ t('admin.settings.quotaNotify.title') }}
+            </h3>
+            <p class="mt-1 text-sm text-gray-500 dark:text-gray-400">
+              {{ t('admin.settings.quotaNotify.description') }}
+            </p>
+          </div>
+          <div class="px-6 py-6 space-y-4">
+            <div>
+              <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">{{ t('admin.settings.quotaNotify.emails') }}</label>
+              <div class="space-y-2">
+                <div v-for="(_, index) in (form.account_quota_notify_emails || [])" :key="index" class="flex items-center gap-2">
+                  <input v-model="form.account_quota_notify_emails[index]" type="email" class="input flex-1" />
+                  <button @click="form.account_quota_notify_emails.splice(index, 1)" class="btn btn-secondary px-2" type="button">
+                    <Icon name="x" size="xs" class="h-4 w-4" />
+                  </button>
+                </div>
+                <button @click="addQuotaNotifyEmail" class="btn btn-secondary btn-sm" type="button">
+                  + {{ t('admin.settings.quotaNotify.addEmail') }}
+                </button>
+              </div>
+              <p class="mt-1 text-xs text-gray-500 dark:text-gray-400">{{ t('admin.settings.quotaNotify.emailsHint') }}</p>
+            </div>
+          </div>
+        </div>
         </div><!-- /Tab: Email -->
 
         <!-- Tab: Backup -->
@@ -2939,7 +3023,12 @@ const form = reactive<SettingsForm>({
   // Gateway forwarding behavior
   enable_fingerprint_unification: true,
   enable_metadata_passthrough: false,
-  enable_cch_signing: false
+  enable_cch_signing: false,
+  // Balance & quota notification
+  balance_low_notify_enabled: false,
+  balance_low_notify_threshold_type: 'fixed' as 'fixed' | 'percentage',
+  balance_low_notify_threshold: 0,
+  account_quota_notify_emails: [] as string[]
 })
 
 // Proxies for web search emulation ProxySelector
@@ -3149,6 +3238,14 @@ function handleRegistrationEmailSuffixWhitelistPaste(event: ClipboardEvent) {
   }
 }
 
+// Quota notify email helpers
+const addQuotaNotifyEmail = () => {
+  if (!form.account_quota_notify_emails) {
+    form.account_quota_notify_emails = []
+  }
+  form.account_quota_notify_emails.push('')
+}
+
 // LinuxDo OAuth redirect URL suggestion
 const linuxdoRedirectUrlSuggestion = computed(() => {
   if (typeof window === 'undefined') return ''
@@ -3488,6 +3585,11 @@ async function saveSettings() {
       payment_cancel_rate_limit_window: Number(form.payment_cancel_rate_limit_window) || 1,
       payment_cancel_rate_limit_unit: form.payment_cancel_rate_limit_unit,
       payment_cancel_rate_limit_window_mode: form.payment_cancel_rate_limit_window_mode,
+      // Balance & quota notification
+      balance_low_notify_enabled: form.balance_low_notify_enabled,
+      balance_low_notify_threshold_type: form.balance_low_notify_threshold_type,
+      balance_low_notify_threshold: Number(form.balance_low_notify_threshold) || 0,
+      account_quota_notify_emails: (form.account_quota_notify_emails || []).filter((e: string) => e.trim() !== ''),
     }
 
     const updated = await adminAPI.settings.updateSettings(payload)

From 9e33d0c4c079062f1d88fa7a2accd0bb2cb88b37 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Sun, 12 Apr 2026 14:43:12 +0800
Subject: [PATCH 036/122] fix: address audit findings for websearch and balance
 notification

- Fix GetByKeyForAuth not selecting balance notify fields (notifications
  never triggered in gateway path)
- Fix provider-level ProxyURL never resolved: inject ProxyRepository into
  SettingService, resolve proxy URLs when building Manager
- Fix admin manual balance adjustment not updating total_recharged
- Add threshold_type input validation (reject invalid values)
- Fix user threshold_type inheritance: custom threshold defaults to "fixed"
  instead of inheriting global type (prevents $5 being treated as 5%)
- Add try-catch for clipboard.writeText (fails on non-HTTPS)
- Add SetTotalRecharged to user Update for admin balance operations
---
 backend/cmd/server/wire_gen.go                |  4 +-
 backend/internal/repository/api_key_repo.go   |  5 ++
 backend/internal/repository/user_repo.go      |  3 +-
 backend/internal/server/http.go               |  5 +-
 backend/internal/service/admin_service.go     |  6 ++
 .../service/balance_notify_service.go         |  4 +-
 backend/internal/service/setting_service.go   | 31 ++++++--
 backend/internal/service/user_service.go      |  4 +-
 backend/internal/service/websearch_config.go  | 70 ++++++++++++-------
 backend/internal/service/wire.go              |  5 +-
 frontend/src/views/admin/SettingsView.vue     |  8 ++-
 11 files changed, 102 insertions(+), 43 deletions(-)

diff --git a/backend/cmd/server/wire_gen.go b/backend/cmd/server/wire_gen.go
index 8c47b2bd..24ee02fd 100644
--- a/backend/cmd/server/wire_gen.go
+++ b/backend/cmd/server/wire_gen.go
@@ -50,7 +50,8 @@ func initializeApplication(buildInfo handler.BuildInfo) (*Application, error) {
 	refreshTokenCache := repository.NewRefreshTokenCache(redisClient)
 	settingRepository := repository.NewSettingRepository(client)
 	groupRepository := repository.NewGroupRepository(client, db)
-	settingService := service.ProvideSettingService(settingRepository, groupRepository, configConfig)
+	proxyRepository := repository.NewProxyRepository(client, db)
+	settingService := service.ProvideSettingService(settingRepository, groupRepository, proxyRepository, configConfig)
 	emailCache := repository.NewEmailCache(redisClient)
 	emailService := service.NewEmailService(settingRepository, emailCache)
 	turnstileVerifier := repository.NewTurnstileVerifier()
@@ -100,7 +101,6 @@ func initializeApplication(buildInfo handler.BuildInfo) (*Application, error) {
 	dashboardHandler := admin.NewDashboardHandler(dashboardService, dashboardAggregationService)
 	schedulerCache := repository.NewSchedulerCache(redisClient)
 	accountRepository := repository.NewAccountRepository(client, db, schedulerCache)
-	proxyRepository := repository.NewProxyRepository(client, db)
 	proxyExitInfoProber := repository.NewProxyExitInfoProber(configConfig)
 	proxyLatencyCache := repository.NewProxyLatencyCache(redisClient)
 	privacyClientFactory := providePrivacyClientFactory()
diff --git a/backend/internal/repository/api_key_repo.go b/backend/internal/repository/api_key_repo.go
index 4ecab47a..11eac7a8 100644
--- a/backend/internal/repository/api_key_repo.go
+++ b/backend/internal/repository/api_key_repo.go
@@ -143,6 +143,11 @@ func (r *apiKeyRepository) GetByKeyForAuth(ctx context.Context, key string) (*se
 				user.FieldRole,
 				user.FieldBalance,
 				user.FieldConcurrency,
+				user.FieldBalanceNotifyEnabled,
+				user.FieldBalanceNotifyThresholdType,
+				user.FieldBalanceNotifyThreshold,
+				user.FieldBalanceNotifyExtraEmails,
+				user.FieldTotalRecharged,
 			)
 		}).
 		WithGroup(func(q *dbent.GroupQuery) {
diff --git a/backend/internal/repository/user_repo.go b/backend/internal/repository/user_repo.go
index 63168fb1..1792ef8d 100644
--- a/backend/internal/repository/user_repo.go
+++ b/backend/internal/repository/user_repo.go
@@ -150,7 +150,8 @@ func (r *userRepository) Update(ctx context.Context, userIn *service.User) error
 		SetBalanceNotifyEnabled(userIn.BalanceNotifyEnabled).
 		SetBalanceNotifyThresholdType(userIn.BalanceNotifyThresholdType).
 		SetNillableBalanceNotifyThreshold(userIn.BalanceNotifyThreshold).
-		SetBalanceNotifyExtraEmails(marshalExtraEmails(userIn.BalanceNotifyExtraEmails))
+		SetBalanceNotifyExtraEmails(marshalExtraEmails(userIn.BalanceNotifyExtraEmails)).
+		SetTotalRecharged(userIn.TotalRecharged)
 	if userIn.BalanceNotifyThreshold == nil {
 		updateOp = updateOp.ClearBalanceNotifyThreshold()
 	}
diff --git a/backend/internal/server/http.go b/backend/internal/server/http.go
index ba45c31b..5165b059 100644
--- a/backend/internal/server/http.go
+++ b/backend/internal/server/http.go
@@ -59,7 +59,7 @@ func ProvideRouter(
 	}
 
 	// Wire up websearch Manager builder so it initializes on startup and rebuilds on config save.
-	settingService.SetWebSearchManagerBuilder(context.Background(), func(cfg *service.WebSearchEmulationConfig) {
+	settingService.SetWebSearchManagerBuilder(context.Background(), func(cfg *service.WebSearchEmulationConfig, proxyURLs map[int64]string) {
 		if cfg == nil || !cfg.Enabled || len(cfg.Providers) == 0 {
 			service.SetWebSearchManager(nil)
 			return
@@ -80,6 +80,9 @@ func ProvideRouter(
 			}
 			if p.ProxyID != nil {
 				pc.ProxyID = *p.ProxyID
+				if u, ok := proxyURLs[*p.ProxyID]; ok {
+					pc.ProxyURL = u
+				}
 			}
 			configs = append(configs, pc)
 		}
diff --git a/backend/internal/service/admin_service.go b/backend/internal/service/admin_service.go
index 97b42c24..a4e22b22 100644
--- a/backend/internal/service/admin_service.go
+++ b/backend/internal/service/admin_service.go
@@ -709,6 +709,12 @@ func (s *adminServiceImpl) UpdateUserBalance(ctx context.Context, userID int64,
 		return nil, fmt.Errorf("balance cannot be negative, current balance: %.2f, requested operation would result in: %.2f", oldBalance, user.Balance)
 	}
 
+	// Track cumulative recharge for percentage-based balance notifications
+	balanceDelta := user.Balance - oldBalance
+	if balanceDelta > 0 {
+		user.TotalRecharged += balanceDelta
+	}
+
 	if err := s.userRepo.Update(ctx, user); err != nil {
 		return nil, err
 	}
diff --git a/backend/internal/service/balance_notify_service.go b/backend/internal/service/balance_notify_service.go
index 7fbdd254..e1f6bd8b 100644
--- a/backend/internal/service/balance_notify_service.go
+++ b/backend/internal/service/balance_notify_service.go
@@ -77,12 +77,12 @@ func (s *BalanceNotifyService) CheckBalanceAfterDeduction(ctx context.Context, u
 }
 
 // resolveEffectiveThreshold computes the actual USD threshold based on type and user settings.
+// When user sets a custom threshold, their type is used independently (defaults to "fixed" if unset).
 func (s *BalanceNotifyService) resolveEffectiveThreshold(user *User, globalType string, globalValue float64) float64 {
-	// User-level override takes full precedence
 	if user.BalanceNotifyThreshold != nil {
 		thresholdType := user.BalanceNotifyThresholdType
 		if thresholdType == "" {
-			thresholdType = globalType
+			thresholdType = ThresholdTypeFixed // user custom value defaults to fixed, not inherited
 		}
 		return computeThreshold(thresholdType, *user.BalanceNotifyThreshold, user.TotalRecharged)
 	}
diff --git a/backend/internal/service/setting_service.go b/backend/internal/service/setting_service.go
index e2491cbc..9b307426 100644
--- a/backend/internal/service/setting_service.go
+++ b/backend/internal/service/setting_service.go
@@ -99,13 +99,19 @@ type DefaultSubscriptionGroupReader interface {
 	GetByID(ctx context.Context, id int64) (*Group, error)
 }
 
+// WebSearchManagerBuilder creates a websearch.Manager from config (injected by infra layer).
+// proxyURLs maps proxy ID to resolved URL for provider-level proxy support.
+type WebSearchManagerBuilder func(cfg *WebSearchEmulationConfig, proxyURLs map[int64]string)
+
 // SettingService 系统设置服务
 type SettingService struct {
-	settingRepo           SettingRepository
-	defaultSubGroupReader DefaultSubscriptionGroupReader
-	cfg                   *config.Config
-	onUpdate              func() // Callback when settings are updated (for cache invalidation)
-	version               string // Application version
+	settingRepo             SettingRepository
+	defaultSubGroupReader   DefaultSubscriptionGroupReader
+	proxyRepo               ProxyRepository // for resolving websearch provider proxy URLs
+	cfg                     *config.Config
+	onUpdate                func() // Callback when settings are updated (for cache invalidation)
+	version                 string // Application version
+	webSearchManagerBuilder WebSearchManagerBuilder
 }
 
 // NewSettingService 创建系统设置服务实例
@@ -121,6 +127,11 @@ func (s *SettingService) SetDefaultSubscriptionGroupReader(reader DefaultSubscri
 	s.defaultSubGroupReader = reader
 }
 
+// SetProxyRepository injects a proxy repo for resolving websearch provider proxy URLs.
+func (s *SettingService) SetProxyRepository(repo ProxyRepository) {
+	s.proxyRepo = repo
+}
+
 // GetAllSettings 获取所有系统设置
 func (s *SettingService) GetAllSettings(ctx context.Context) (*SystemSettings, error) {
 	settings, err := s.settingRepo.GetAll(ctx)
@@ -598,7 +609,7 @@ func (s *SettingService) UpdateSettings(ctx context.Context, settings *SystemSet
 	// Balance low notification
 	updates[SettingKeyBalanceLowNotifyEnabled] = strconv.FormatBool(settings.BalanceLowNotifyEnabled)
 	thresholdType := settings.BalanceLowNotifyThresholdType
-	if thresholdType == "" {
+	if thresholdType != ThresholdTypeFixed && thresholdType != ThresholdTypePercentage {
 		thresholdType = ThresholdTypeFixed
 	}
 	updates[SettingKeyBalanceLowNotifyThresholdType] = thresholdType
@@ -1231,6 +1242,14 @@ func (s *SettingService) parseSettings(settings map[string]string) *SystemSettin
 	result.EnableMetadataPassthrough = settings[SettingKeyEnableMetadataPassthrough] == "true"
 	result.EnableCCHSigning = settings[SettingKeyEnableCCHSigning] == "true"
 
+	// Web search emulation: quick enabled check from the JSON config
+	if raw := settings[SettingKeyWebSearchEmulationConfig]; raw != "" {
+		var wsCfg WebSearchEmulationConfig
+		if err := json.Unmarshal([]byte(raw), &wsCfg); err == nil {
+			result.WebSearchEmulationEnabled = wsCfg.Enabled && len(wsCfg.Providers) > 0
+		}
+	}
+
 	// Balance low notification
 	result.BalanceLowNotifyEnabled = settings[SettingKeyBalanceLowNotifyEnabled] == "true"
 	result.BalanceLowNotifyThresholdType = settings[SettingKeyBalanceLowNotifyThresholdType]
diff --git a/backend/internal/service/user_service.go b/backend/internal/service/user_service.go
index 4669cb2b..26021a9b 100644
--- a/backend/internal/service/user_service.go
+++ b/backend/internal/service/user_service.go
@@ -145,7 +145,9 @@ func (s *UserService) UpdateProfile(ctx context.Context, userID int64, req Updat
 		user.BalanceNotifyEnabled = *req.BalanceNotifyEnabled
 	}
 	if req.BalanceNotifyThresholdType != nil {
-		user.BalanceNotifyThresholdType = *req.BalanceNotifyThresholdType
+		if *req.BalanceNotifyThresholdType == ThresholdTypeFixed || *req.BalanceNotifyThresholdType == ThresholdTypePercentage {
+			user.BalanceNotifyThresholdType = *req.BalanceNotifyThresholdType
+		}
 	}
 	if req.BalanceNotifyThreshold != nil {
 		if *req.BalanceNotifyThreshold <= 0 {
diff --git a/backend/internal/service/websearch_config.go b/backend/internal/service/websearch_config.go
index bdfff3e4..346faf1f 100644
--- a/backend/internal/service/websearch_config.go
+++ b/backend/internal/service/websearch_config.go
@@ -10,7 +10,6 @@ import (
 
 	infraerrors "github.com/Wei-Shaw/sub2api/internal/pkg/errors"
 	"github.com/Wei-Shaw/sub2api/internal/pkg/websearch"
-	"github.com/redis/go-redis/v9"
 	"golang.org/x/sync/singleflight"
 )
 
@@ -85,8 +84,7 @@ const (
 // GetWebSearchEmulationConfig returns the configuration with in-process cache + singleflight.
 func (s *SettingService) GetWebSearchEmulationConfig(ctx context.Context) (*WebSearchEmulationConfig, error) {
 	if cached := webSearchEmulationCache.Load(); cached != nil {
-		c := cached.(*cachedWebSearchEmulationConfig)
-		if time.Now().UnixNano() < c.expiresAt {
+		if c, ok := cached.(*cachedWebSearchEmulationConfig); ok && time.Now().UnixNano() < c.expiresAt {
 			return c.config, nil
 		}
 	}
@@ -96,7 +94,10 @@ func (s *SettingService) GetWebSearchEmulationConfig(ctx context.Context) (*WebS
 	if err != nil {
 		return &WebSearchEmulationConfig{}, err
 	}
-	return result.(*WebSearchEmulationConfig), nil
+	if cfg, ok := result.(*WebSearchEmulationConfig); ok {
+		return cfg, nil
+	}
+	return &WebSearchEmulationConfig{}, nil
 }
 
 func (s *SettingService) loadWebSearchConfigFromDB() (*WebSearchEmulationConfig, error) {
@@ -154,7 +155,7 @@ func (s *SettingService) SaveWebSearchEmulationConfig(ctx context.Context, cfg *
 	})
 
 	// Hot-reload: rebuild the global Manager with new config
-	s.RebuildWebSearchManager(ctx)
+	s.rebuildWebSearchManager(ctx)
 	return nil
 }
 
@@ -196,34 +197,51 @@ func (s *SettingService) IsWebSearchEmulationEnabled(ctx context.Context) bool {
 	return cfg.Enabled && len(cfg.Providers) > 0
 }
 
-// SetWebSearchRedisClient injects the Redis client used for quota tracking.
-// Call after construction, before first use. Triggers initial Manager build.
-func (s *SettingService) SetWebSearchRedisClient(ctx context.Context, redisClient *redis.Client) {
-	s.webSearchRedis = redisClient
-	s.RebuildWebSearchManager(ctx)
+// SetWebSearchManagerBuilder injects a callback that creates and wires a websearch.Manager.
+// The infra layer (main/wire) provides this builder, keeping redis out of the service layer.
+// Triggers initial build.
+func (s *SettingService) SetWebSearchManagerBuilder(ctx context.Context, builder WebSearchManagerBuilder) {
+	s.webSearchManagerBuilder = builder
+	s.rebuildWebSearchManager(ctx)
 }
 
-// RebuildWebSearchManager reads the current config and (re)creates the global websearch.Manager.
-// Called on startup and after SaveWebSearchEmulationConfig.
-func (s *SettingService) RebuildWebSearchManager(ctx context.Context) {
+// rebuildWebSearchManager reads the current config, resolves proxy URLs, and invokes the builder.
+func (s *SettingService) rebuildWebSearchManager(ctx context.Context) {
+	if s.webSearchManagerBuilder == nil {
+		return
+	}
 	cfg, err := s.GetWebSearchEmulationConfig(ctx)
-	if err != nil || !cfg.Enabled || len(cfg.Providers) == 0 {
+	if err != nil {
 		SetWebSearchManager(nil)
 		return
 	}
-	providerConfigs := make([]websearch.ProviderConfig, 0, len(cfg.Providers))
-	for _, p := range cfg.Providers {
-		providerConfigs = append(providerConfigs, websearch.ProviderConfig{
-			Type:                 p.Type,
-			APIKey:               p.APIKey,
-			Priority:             p.Priority,
-			QuotaLimit:           p.QuotaLimit,
-			QuotaRefreshInterval: p.QuotaRefreshInterval,
-			ExpiresAt:            p.ExpiresAt,
-		})
+	proxyURLs := s.resolveProviderProxyURLs(ctx, cfg)
+	s.webSearchManagerBuilder(cfg, proxyURLs)
+}
+
+// resolveProviderProxyURLs collects proxy IDs from providers and resolves them to URLs.
+func (s *SettingService) resolveProviderProxyURLs(ctx context.Context, cfg *WebSearchEmulationConfig) map[int64]string {
+	if cfg == nil || s.proxyRepo == nil {
+		return nil
 	}
-	SetWebSearchManager(websearch.NewManager(providerConfigs, s.webSearchRedis))
-	slog.Info("websearch: manager rebuilt", "provider_count", len(providerConfigs))
+	var ids []int64
+	for _, p := range cfg.Providers {
+		if p.ProxyID != nil && *p.ProxyID > 0 {
+			ids = append(ids, *p.ProxyID)
+		}
+	}
+	if len(ids) == 0 {
+		return nil
+	}
+	proxies, err := s.proxyRepo.ListByIDs(ctx, ids)
+	if err != nil {
+		return nil
+	}
+	result := make(map[int64]string, len(proxies))
+	for _, px := range proxies {
+		result[px.ID] = px.URL()
+	}
+	return result
 }
 
 // WebSearchTestResult holds the result of a search test.
diff --git a/backend/internal/service/wire.go b/backend/internal/service/wire.go
index 2827f135..b4e33039 100644
--- a/backend/internal/service/wire.go
+++ b/backend/internal/service/wire.go
@@ -373,10 +373,11 @@ func ProvideBackupService(
 	return svc
 }
 
-// ProvideSettingService wires SettingService with group reader for default subscription validation.
-func ProvideSettingService(settingRepo SettingRepository, groupRepo GroupRepository, cfg *config.Config) *SettingService {
+// ProvideSettingService wires SettingService with group reader and proxy repo.
+func ProvideSettingService(settingRepo SettingRepository, groupRepo GroupRepository, proxyRepo ProxyRepository, cfg *config.Config) *SettingService {
 	svc := NewSettingService(settingRepo, cfg)
 	svc.SetDefaultSubscriptionGroupReader(groupRepo)
+	svc.SetProxyRepository(proxyRepo)
 	return svc
 }
 
diff --git a/frontend/src/views/admin/SettingsView.vue b/frontend/src/views/admin/SettingsView.vue
index af84b67d..50b532fb 100644
--- a/frontend/src/views/admin/SettingsView.vue
+++ b/frontend/src/views/admin/SettingsView.vue
@@ -3109,8 +3109,12 @@ async function copyApiKey(idx: number) {
     appStore.showError(t('admin.settings.webSearchEmulation.apiKeyPlaceholder'))
     return
   }
-  await navigator.clipboard.writeText(key)
-  appStore.showSuccess(t('admin.settings.webSearchEmulation.copied'))
+  try {
+    await navigator.clipboard.writeText(key)
+    appStore.showSuccess(t('admin.settings.webSearchEmulation.copied'))
+  } catch {
+    appStore.showError(t('common.error'))
+  }
 }
 
 async function testWebSearchProvider() {

From cef22c70abb113eca5ff01262a5e5f31a63ce0fe Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Sun, 12 Apr 2026 15:01:10 +0800
Subject: [PATCH 037/122] fix(notify): remove percentage threshold from balance
 notification

Balance low notification only supports fixed USD amount threshold.
Percentage threshold is a quota concept, not applicable to balance.
Reverted threshold_type from admin settings, user profile, and all
backend/frontend layers. DB fields (balance_notify_threshold_type,
total_recharged) retained for potential future quota use.
---
 .../internal/handler/admin/setting_handler.go | 15 ++----
 backend/internal/handler/dto/settings.go      |  7 ++-
 backend/internal/handler/user_handler.go      | 14 +++---
 .../service/balance_notify_service.go         | 46 ++++---------------
 backend/internal/service/domain_constants.go  |  9 +---
 backend/internal/service/setting_service.go   |  9 ----
 backend/internal/service/settings_view.go     |  5 +-
 backend/internal/service/user_service.go      | 16 ++-----
 frontend/src/api/admin/settings.ts            |  2 -
 frontend/src/i18n/locales/en.ts               |  4 --
 frontend/src/i18n/locales/zh.ts               |  6 +--
 frontend/src/views/admin/SettingsView.vue     | 44 +++---------------
 12 files changed, 37 insertions(+), 140 deletions(-)

diff --git a/backend/internal/handler/admin/setting_handler.go b/backend/internal/handler/admin/setting_handler.go
index 3d587a21..49e7aeed 100644
--- a/backend/internal/handler/admin/setting_handler.go
+++ b/backend/internal/handler/admin/setting_handler.go
@@ -177,7 +177,6 @@ func (h *SettingHandler) GetSettings(c *gin.Context) {
 		EnableCCHSigning:                     settings.EnableCCHSigning,
 		WebSearchEmulationEnabled:            settings.WebSearchEmulationEnabled,
 		BalanceLowNotifyEnabled:              settings.BalanceLowNotifyEnabled,
-		BalanceLowNotifyThresholdType:        settings.BalanceLowNotifyThresholdType,
 		BalanceLowNotifyThreshold:            settings.BalanceLowNotifyThreshold,
 		AccountQuotaNotifyEmails:             settings.AccountQuotaNotifyEmails,
 		PaymentEnabled:                       paymentCfg.Enabled,
@@ -310,10 +309,9 @@ type UpdateSettingsRequest struct {
 	EnableCCHSigning             *bool `json:"enable_cch_signing"`
 
 	// Balance low notification
-	BalanceLowNotifyEnabled       *bool     `json:"balance_low_notify_enabled"`
-	BalanceLowNotifyThresholdType *string   `json:"balance_low_notify_threshold_type"`
-	BalanceLowNotifyThreshold     *float64  `json:"balance_low_notify_threshold"`
-	AccountQuotaNotifyEmails      *[]string `json:"account_quota_notify_emails"`
+	BalanceLowNotifyEnabled   *bool     `json:"balance_low_notify_enabled"`
+	BalanceLowNotifyThreshold *float64  `json:"balance_low_notify_threshold"`
+	AccountQuotaNotifyEmails  *[]string `json:"account_quota_notify_emails"`
 
 	// Payment configuration (integrated into settings, full replace)
 	PaymentEnabled           *bool    `json:"payment_enabled"`
@@ -898,12 +896,6 @@ func (h *SettingHandler) UpdateSettings(c *gin.Context) {
 			}
 			return previousSettings.BalanceLowNotifyEnabled
 		}(),
-		BalanceLowNotifyThresholdType: func() string {
-			if req.BalanceLowNotifyThresholdType != nil {
-				return *req.BalanceLowNotifyThresholdType
-			}
-			return previousSettings.BalanceLowNotifyThresholdType
-		}(),
 		BalanceLowNotifyThreshold: func() float64 {
 			if req.BalanceLowNotifyThreshold != nil {
 				return *req.BalanceLowNotifyThreshold
@@ -1063,7 +1055,6 @@ func (h *SettingHandler) UpdateSettings(c *gin.Context) {
 		EnableMetadataPassthrough:            updatedSettings.EnableMetadataPassthrough,
 		EnableCCHSigning:                     updatedSettings.EnableCCHSigning,
 		BalanceLowNotifyEnabled:              updatedSettings.BalanceLowNotifyEnabled,
-		BalanceLowNotifyThresholdType:        updatedSettings.BalanceLowNotifyThresholdType,
 		BalanceLowNotifyThreshold:            updatedSettings.BalanceLowNotifyThreshold,
 		AccountQuotaNotifyEmails:             updatedSettings.AccountQuotaNotifyEmails,
 		PaymentEnabled:                       updatedPaymentCfg.Enabled,
diff --git a/backend/internal/handler/dto/settings.go b/backend/internal/handler/dto/settings.go
index 8da7c6f2..e29f72da 100644
--- a/backend/internal/handler/dto/settings.go
+++ b/backend/internal/handler/dto/settings.go
@@ -150,10 +150,9 @@ type SystemSettings struct {
 	PaymentCancelRateLimitMode    string `json:"payment_cancel_rate_limit_window_mode"`
 
 	// Balance low notification
-	BalanceLowNotifyEnabled       bool     `json:"balance_low_notify_enabled"`
-	BalanceLowNotifyThresholdType string   `json:"balance_low_notify_threshold_type"`
-	BalanceLowNotifyThreshold     float64  `json:"balance_low_notify_threshold"`
-	AccountQuotaNotifyEmails      []string `json:"account_quota_notify_emails"`
+	BalanceLowNotifyEnabled   bool     `json:"balance_low_notify_enabled"`
+	BalanceLowNotifyThreshold float64  `json:"balance_low_notify_threshold"`
+	AccountQuotaNotifyEmails  []string `json:"account_quota_notify_emails"`
 }
 
 type DefaultSubscriptionSetting struct {
diff --git a/backend/internal/handler/user_handler.go b/backend/internal/handler/user_handler.go
index 48528d55..4fb72ce7 100644
--- a/backend/internal/handler/user_handler.go
+++ b/backend/internal/handler/user_handler.go
@@ -33,10 +33,9 @@ type ChangePasswordRequest struct {
 
 // UpdateProfileRequest represents the update profile request payload
 type UpdateProfileRequest struct {
-	Username                   *string  `json:"username"`
-	BalanceNotifyEnabled       *bool    `json:"balance_notify_enabled"`
-	BalanceNotifyThresholdType *string  `json:"balance_notify_threshold_type"`
-	BalanceNotifyThreshold     *float64 `json:"balance_notify_threshold"`
+	Username               *string  `json:"username"`
+	BalanceNotifyEnabled   *bool    `json:"balance_notify_enabled"`
+	BalanceNotifyThreshold *float64 `json:"balance_notify_threshold"`
 }
 
 // GetProfile handles getting user profile
@@ -101,10 +100,9 @@ func (h *UserHandler) UpdateProfile(c *gin.Context) {
 	}
 
 	svcReq := service.UpdateProfileRequest{
-		Username:                   req.Username,
-		BalanceNotifyEnabled:       req.BalanceNotifyEnabled,
-		BalanceNotifyThresholdType: req.BalanceNotifyThresholdType,
-		BalanceNotifyThreshold:     req.BalanceNotifyThreshold,
+		Username:               req.Username,
+		BalanceNotifyEnabled:   req.BalanceNotifyEnabled,
+		BalanceNotifyThreshold: req.BalanceNotifyThreshold,
 	}
 	updatedUser, err := h.userService.UpdateProfile(c.Request.Context(), subject.UserID, svcReq)
 	if err != nil {
diff --git a/backend/internal/service/balance_notify_service.go b/backend/internal/service/balance_notify_service.go
index e1f6bd8b..0d7e4c09 100644
--- a/backend/internal/service/balance_notify_service.go
+++ b/backend/internal/service/balance_notify_service.go
@@ -51,12 +51,16 @@ func (s *BalanceNotifyService) CheckBalanceAfterDeduction(ctx context.Context, u
 		return
 	}
 
-	globalEnabled, globalThresholdType, globalThresholdValue := s.getBalanceNotifyConfig(ctx)
+	globalEnabled, globalThreshold := s.getBalanceNotifyConfig(ctx)
 	if !globalEnabled {
 		return
 	}
 
-	threshold := s.resolveEffectiveThreshold(user, globalThresholdType, globalThresholdValue)
+	// User custom threshold overrides system default
+	threshold := globalThreshold
+	if user.BalanceNotifyThreshold != nil {
+		threshold = *user.BalanceNotifyThreshold
+	}
 	if threshold <= 0 {
 		return
 	}
@@ -76,30 +80,6 @@ func (s *BalanceNotifyService) CheckBalanceAfterDeduction(ctx context.Context, u
 	}
 }
 
-// resolveEffectiveThreshold computes the actual USD threshold based on type and user settings.
-// When user sets a custom threshold, their type is used independently (defaults to "fixed" if unset).
-func (s *BalanceNotifyService) resolveEffectiveThreshold(user *User, globalType string, globalValue float64) float64 {
-	if user.BalanceNotifyThreshold != nil {
-		thresholdType := user.BalanceNotifyThresholdType
-		if thresholdType == "" {
-			thresholdType = ThresholdTypeFixed // user custom value defaults to fixed, not inherited
-		}
-		return computeThreshold(thresholdType, *user.BalanceNotifyThreshold, user.TotalRecharged)
-	}
-	return computeThreshold(globalType, globalValue, user.TotalRecharged)
-}
-
-// computeThreshold converts a threshold value to USD based on type.
-func computeThreshold(thresholdType string, value, totalRecharged float64) float64 {
-	if thresholdType == ThresholdTypePercentage {
-		if totalRecharged <= 0 {
-			return 0 // no recharge history → skip percentage check
-		}
-		return totalRecharged * value / 100
-	}
-	return value // fixed USD amount
-}
-
 // quotaDim describes one quota dimension for notification checking.
 type quotaDim struct {
 	name      string
@@ -154,21 +134,13 @@ func (s *BalanceNotifyService) asyncSendQuotaAlert(adminEmails []string, account
 }
 
 // getBalanceNotifyConfig reads global balance notification settings.
-func (s *BalanceNotifyService) getBalanceNotifyConfig(ctx context.Context) (enabled bool, thresholdType string, threshold float64) {
-	keys := []string{
-		SettingKeyBalanceLowNotifyEnabled,
-		SettingKeyBalanceLowNotifyThresholdType,
-		SettingKeyBalanceLowNotifyThreshold,
-	}
+func (s *BalanceNotifyService) getBalanceNotifyConfig(ctx context.Context) (enabled bool, threshold float64) {
+	keys := []string{SettingKeyBalanceLowNotifyEnabled, SettingKeyBalanceLowNotifyThreshold}
 	settings, err := s.settingRepo.GetMultiple(ctx, keys)
 	if err != nil {
-		return false, ThresholdTypeFixed, 0
+		return false, 0
 	}
 	enabled = settings[SettingKeyBalanceLowNotifyEnabled] == "true"
-	thresholdType = settings[SettingKeyBalanceLowNotifyThresholdType]
-	if thresholdType == "" {
-		thresholdType = ThresholdTypeFixed
-	}
 	if v := settings[SettingKeyBalanceLowNotifyThreshold]; v != "" {
 		if f, err := strconv.ParseFloat(v, 64); err == nil {
 			threshold = f
diff --git a/backend/internal/service/domain_constants.go b/backend/internal/service/domain_constants.go
index 3de0e343..2704e0d0 100644
--- a/backend/internal/service/domain_constants.go
+++ b/backend/internal/service/domain_constants.go
@@ -251,13 +251,8 @@ const (
 	SettingKeyEnableCCHSigning = "enable_cch_signing"
 
 	// Balance Low Notification
-	SettingKeyBalanceLowNotifyEnabled       = "balance_low_notify_enabled"        // 全局开关
-	SettingKeyBalanceLowNotifyThresholdType = "balance_low_notify_threshold_type" // "fixed" | "percentage"
-	SettingKeyBalanceLowNotifyThreshold     = "balance_low_notify_threshold"      // 默认阈值（USD 或百分比）
-
-	// Threshold type constants
-	ThresholdTypeFixed      = "fixed"
-	ThresholdTypePercentage = "percentage"
+	SettingKeyBalanceLowNotifyEnabled   = "balance_low_notify_enabled"   // 全局开关
+	SettingKeyBalanceLowNotifyThreshold = "balance_low_notify_threshold" // 默认阈值（USD）
 
 	// Account Quota Notification
 	SettingKeyAccountQuotaNotifyEmails = "account_quota_notify_emails" // 管理员通知邮箱列表（JSON 数组）
diff --git a/backend/internal/service/setting_service.go b/backend/internal/service/setting_service.go
index 9b307426..f0cf750a 100644
--- a/backend/internal/service/setting_service.go
+++ b/backend/internal/service/setting_service.go
@@ -608,11 +608,6 @@ func (s *SettingService) UpdateSettings(ctx context.Context, settings *SystemSet
 
 	// Balance low notification
 	updates[SettingKeyBalanceLowNotifyEnabled] = strconv.FormatBool(settings.BalanceLowNotifyEnabled)
-	thresholdType := settings.BalanceLowNotifyThresholdType
-	if thresholdType != ThresholdTypeFixed && thresholdType != ThresholdTypePercentage {
-		thresholdType = ThresholdTypeFixed
-	}
-	updates[SettingKeyBalanceLowNotifyThresholdType] = thresholdType
 	updates[SettingKeyBalanceLowNotifyThreshold] = strconv.FormatFloat(settings.BalanceLowNotifyThreshold, 'f', 8, 64)
 	accountQuotaNotifyEmailsJSON, err := json.Marshal(settings.AccountQuotaNotifyEmails)
 	if err != nil {
@@ -1252,10 +1247,6 @@ func (s *SettingService) parseSettings(settings map[string]string) *SystemSettin
 
 	// Balance low notification
 	result.BalanceLowNotifyEnabled = settings[SettingKeyBalanceLowNotifyEnabled] == "true"
-	result.BalanceLowNotifyThresholdType = settings[SettingKeyBalanceLowNotifyThresholdType]
-	if result.BalanceLowNotifyThresholdType == "" {
-		result.BalanceLowNotifyThresholdType = ThresholdTypeFixed
-	}
 	if v, err := strconv.ParseFloat(settings[SettingKeyBalanceLowNotifyThreshold], 64); err == nil && v >= 0 {
 		result.BalanceLowNotifyThreshold = v
 	}
diff --git a/backend/internal/service/settings_view.go b/backend/internal/service/settings_view.go
index b28d2247..debc2b19 100644
--- a/backend/internal/service/settings_view.go
+++ b/backend/internal/service/settings_view.go
@@ -108,9 +108,8 @@ type SystemSettings struct {
 	EnableCCHSigning             bool // 是否对 billing header cch 进行签名（默认 false）
 
 	// Balance low notification
-	BalanceLowNotifyEnabled       bool
-	BalanceLowNotifyThresholdType string // "fixed" (default) | "percentage"
-	BalanceLowNotifyThreshold     float64
+	BalanceLowNotifyEnabled   bool
+	BalanceLowNotifyThreshold float64
 
 	// Account quota notification
 	AccountQuotaNotifyEmails []string
diff --git a/backend/internal/service/user_service.go b/backend/internal/service/user_service.go
index 26021a9b..e6b9a210 100644
--- a/backend/internal/service/user_service.go
+++ b/backend/internal/service/user_service.go
@@ -62,12 +62,11 @@ type UserRepository interface {
 
 // UpdateProfileRequest 更新用户资料请求
 type UpdateProfileRequest struct {
-	Email                      *string  `json:"email"`
-	Username                   *string  `json:"username"`
-	Concurrency                *int     `json:"concurrency"`
-	BalanceNotifyEnabled       *bool    `json:"balance_notify_enabled"`
-	BalanceNotifyThresholdType *string  `json:"balance_notify_threshold_type"`
-	BalanceNotifyThreshold     *float64 `json:"balance_notify_threshold"`
+	Email                  *string  `json:"email"`
+	Username               *string  `json:"username"`
+	Concurrency            *int     `json:"concurrency"`
+	BalanceNotifyEnabled   *bool    `json:"balance_notify_enabled"`
+	BalanceNotifyThreshold *float64 `json:"balance_notify_threshold"`
 }
 
 // ChangePasswordRequest 修改密码请求
@@ -144,11 +143,6 @@ func (s *UserService) UpdateProfile(ctx context.Context, userID int64, req Updat
 	if req.BalanceNotifyEnabled != nil {
 		user.BalanceNotifyEnabled = *req.BalanceNotifyEnabled
 	}
-	if req.BalanceNotifyThresholdType != nil {
-		if *req.BalanceNotifyThresholdType == ThresholdTypeFixed || *req.BalanceNotifyThresholdType == ThresholdTypePercentage {
-			user.BalanceNotifyThresholdType = *req.BalanceNotifyThresholdType
-		}
-	}
 	if req.BalanceNotifyThreshold != nil {
 		if *req.BalanceNotifyThreshold <= 0 {
 			user.BalanceNotifyThreshold = nil // clear to system default
diff --git a/frontend/src/api/admin/settings.ts b/frontend/src/api/admin/settings.ts
index ec290be5..31284289 100644
--- a/frontend/src/api/admin/settings.ts
+++ b/frontend/src/api/admin/settings.ts
@@ -137,7 +137,6 @@ export interface SystemSettings {
 
   // Balance & quota notification
   balance_low_notify_enabled: boolean
-  balance_low_notify_threshold_type: 'fixed' | 'percentage'
   balance_low_notify_threshold: number
   account_quota_notify_emails: string[]
 }
@@ -241,7 +240,6 @@ export interface UpdateSettingsRequest {
   payment_cancel_rate_limit_window_mode?: string
   // Balance & quota notification
   balance_low_notify_enabled?: boolean
-  balance_low_notify_threshold_type?: 'fixed' | 'percentage'
   balance_low_notify_threshold?: number
   account_quota_notify_emails?: string[]
 }
diff --git a/frontend/src/i18n/locales/en.ts b/frontend/src/i18n/locales/en.ts
index 880a81ee..8e10bf2a 100644
--- a/frontend/src/i18n/locales/en.ts
+++ b/frontend/src/i18n/locales/en.ts
@@ -4633,12 +4633,8 @@ export default {
         title: 'Balance Low Notification',
         description: 'Send email notification when user balance falls below threshold',
         enabled: 'Enable Balance Low Notification',
-        thresholdType: 'Threshold Type',
-        typeFixed: 'Fixed Amount',
-        typePercentage: 'Percentage of Recharged',
         threshold: 'Default Threshold',
         thresholdHint: 'Used when user has not set a custom value',
-        percentageHint: 'Notify when balance falls below this percentage of total recharged amount',
         thresholdPlaceholder: 'Enter amount',
       },
       quotaNotify: {
diff --git a/frontend/src/i18n/locales/zh.ts b/frontend/src/i18n/locales/zh.ts
index 41d94e06..1b82f419 100644
--- a/frontend/src/i18n/locales/zh.ts
+++ b/frontend/src/i18n/locales/zh.ts
@@ -4797,12 +4797,8 @@ export default {
         title: '余额不足提醒',
         description: '当用户余额低于阈值时发送邮件提醒',
         enabled: '启用余额不足提醒',
-        thresholdType: '阈值类型',
-        typeFixed: '固定金额',
-        typePercentage: '充值百分比',
-        threshold: '提醒阈值',
+        threshold: '默认提醒阈值',
         thresholdHint: '用户未自定义时使用此值',
-        percentageHint: '当余额低于累计充值额的此百分比时提醒',
         thresholdPlaceholder: '输入金额',
       },
       quotaNotify: {
diff --git a/frontend/src/views/admin/SettingsView.vue b/frontend/src/views/admin/SettingsView.vue
index 50b532fb..faab49fe 100644
--- a/frontend/src/views/admin/SettingsView.vue
+++ b/frontend/src/views/admin/SettingsView.vue
@@ -2675,43 +2675,13 @@
               <label class="mb-0 block text-sm font-medium text-gray-700 dark:text-gray-300">{{ t('admin.settings.balanceNotify.enabled') }}</label>
               <Toggle v-model="form.balance_low_notify_enabled" />
             </div>
-            <div v-if="form.balance_low_notify_enabled" class="space-y-3">
-              <!-- Threshold type selector -->
-              <div>
-                <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">{{ t('admin.settings.balanceNotify.thresholdType') }}</label>
-                <div class="flex gap-4">
-                  <label class="flex items-center gap-1.5 text-sm cursor-pointer">
-                    <input type="radio" v-model="form.balance_low_notify_threshold_type" value="fixed" class="accent-primary-500" />
-                    {{ t('admin.settings.balanceNotify.typeFixed') }}
-                  </label>
-                  <label class="flex items-center gap-1.5 text-sm cursor-pointer">
-                    <input type="radio" v-model="form.balance_low_notify_threshold_type" value="percentage" class="accent-primary-500" />
-                    {{ t('admin.settings.balanceNotify.typePercentage') }}
-                  </label>
-                </div>
-              </div>
-              <!-- Threshold value -->
-              <div>
-                <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">{{ t('admin.settings.balanceNotify.threshold') }}</label>
-                <div class="relative">
-                  <span class="absolute left-3 top-1/2 -translate-y-1/2 text-gray-400">
-                    {{ form.balance_low_notify_threshold_type === 'percentage' ? '%' : '$' }}
-                  </span>
-                  <input
-                    v-model.number="form.balance_low_notify_threshold"
-                    type="number"
-                    :min="0"
-                    :max="form.balance_low_notify_threshold_type === 'percentage' ? 100 : undefined"
-                    :step="form.balance_low_notify_threshold_type === 'percentage' ? 1 : 0.01"
-                    class="input pl-7"
-                  />
-                </div>
-                <p class="mt-1 text-xs text-gray-500 dark:text-gray-400">
-                  {{ form.balance_low_notify_threshold_type === 'percentage'
-                    ? t('admin.settings.balanceNotify.percentageHint')
-                    : t('admin.settings.balanceNotify.thresholdHint') }}
-                </p>
+            <div v-if="form.balance_low_notify_enabled">
+              <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">{{ t('admin.settings.balanceNotify.threshold') }}</label>
+              <div class="relative">
+                <span class="absolute left-3 top-1/2 -translate-y-1/2 text-gray-400">$</span>
+                <input v-model.number="form.balance_low_notify_threshold" type="number" min="0" step="0.01" class="input pl-7" />
               </div>
+              <p class="mt-1 text-xs text-gray-500 dark:text-gray-400">{{ t('admin.settings.balanceNotify.thresholdHint') }}</p>
             </div>
           </div>
         </div>
@@ -3026,7 +2996,6 @@ const form = reactive<SettingsForm>({
   enable_cch_signing: false,
   // Balance & quota notification
   balance_low_notify_enabled: false,
-  balance_low_notify_threshold_type: 'fixed' as 'fixed' | 'percentage',
   balance_low_notify_threshold: 0,
   account_quota_notify_emails: [] as string[]
 })
@@ -3591,7 +3560,6 @@ async function saveSettings() {
       payment_cancel_rate_limit_window_mode: form.payment_cancel_rate_limit_window_mode,
       // Balance & quota notification
       balance_low_notify_enabled: form.balance_low_notify_enabled,
-      balance_low_notify_threshold_type: form.balance_low_notify_threshold_type,
       balance_low_notify_threshold: Number(form.balance_low_notify_threshold) || 0,
       account_quota_notify_emails: (form.account_quota_notify_emails || []).filter((e: string) => e.trim() !== ''),
     }

From 889b5b4f3bfd6f3f5422b65fea44419710a55c7f Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Sun, 12 Apr 2026 15:59:45 +0800
Subject: [PATCH 038/122] fix(websearch): improve settings UI and hide config
 when globally disabled

- API Key show/copy buttons moved inside input field (inline icons)
- Proxy selector and test button on same row to save vertical space
- Test opens a dialog modal instead of inline display
- Hide all websearch config in channels/accounts when global toggle is off
---
 backend/cmd/server/VERSION                    |   2 +-
 .../components/account/CreateAccountModal.vue |  10 +-
 .../components/account/EditAccountModal.vue   |  10 +-
 frontend/src/views/admin/ChannelsView.vue     |  86 ++++++++--
 frontend/src/views/admin/SettingsView.vue     | 155 ++++++++++--------
 5 files changed, 177 insertions(+), 86 deletions(-)

diff --git a/backend/cmd/server/VERSION b/backend/cmd/server/VERSION
index e534f2aa..061bed0b 100644
--- a/backend/cmd/server/VERSION
+++ b/backend/cmd/server/VERSION
@@ -1 +1 @@
-0.1.108.140
+0.1.110.11
diff --git a/frontend/src/components/account/CreateAccountModal.vue b/frontend/src/components/account/CreateAccountModal.vue
index d5d8ff89..e0dbce61 100644
--- a/frontend/src/components/account/CreateAccountModal.vue
+++ b/frontend/src/components/account/CreateAccountModal.vue
@@ -2325,9 +2325,9 @@
         </div>
       </div>
 
-      <!-- Anthropic API Key: Web Search Emulation -->
+      <!-- Anthropic API Key: Web Search Emulation (hidden when global disabled) -->
       <div
-        v-if="form.platform === 'anthropic' && accountCategory === 'apikey'"
+        v-if="form.platform === 'anthropic' && accountCategory === 'apikey' && webSearchGlobalEnabled"
         class="border-t border-gray-200 pt-4 dark:border-dark-600"
       >
         <div class="flex items-center justify-between">
@@ -2998,6 +2998,12 @@ const openaiAPIKeyResponsesWebSocketV2Mode = ref<OpenAIWSMode>(OPENAI_WS_MODE_OF
 const codexCLIOnlyEnabled = ref(false)
 const anthropicPassthroughEnabled = ref(false)
 const webSearchEmulationEnabled = ref(false)
+const webSearchGlobalEnabled = ref(false)
+
+// Load web search global state once
+adminAPI.settings.getWebSearchEmulationConfig().then(cfg => {
+  webSearchGlobalEnabled.value = cfg?.enabled === true && (cfg?.providers?.length ?? 0) > 0
+}).catch(() => { webSearchGlobalEnabled.value = false })
 const mixedScheduling = ref(false) // For antigravity accounts: enable mixed scheduling
 const allowOverages = ref(false) // For antigravity accounts: enable AI Credits overages
 const antigravityAccountType = ref<'oauth' | 'upstream'>('oauth') // For antigravity: oauth or upstream
diff --git a/frontend/src/components/account/EditAccountModal.vue b/frontend/src/components/account/EditAccountModal.vue
index 54dae5c2..086575e6 100644
--- a/frontend/src/components/account/EditAccountModal.vue
+++ b/frontend/src/components/account/EditAccountModal.vue
@@ -1149,9 +1149,9 @@
         </div>
       </div>
 
-      <!-- Anthropic API Key: Web Search Emulation -->
+      <!-- Anthropic API Key: Web Search Emulation (hidden when global disabled) -->
       <div
-        v-if="account?.platform === 'anthropic' && account?.type === 'apikey'"
+        v-if="account?.platform === 'anthropic' && account?.type === 'apikey' && webSearchGlobalEnabled"
         class="border-t border-gray-200 pt-4 dark:border-dark-600"
       >
         <div class="flex items-center justify-between">
@@ -1975,6 +1975,12 @@ const openaiAPIKeyResponsesWebSocketV2Mode = ref<OpenAIWSMode>(OPENAI_WS_MODE_OF
 const codexCLIOnlyEnabled = ref(false)
 const anthropicPassthroughEnabled = ref(false)
 const webSearchEmulationEnabled = ref(false)
+const webSearchGlobalEnabled = ref(false)
+
+// Load web search global state once
+adminAPI.settings.getWebSearchEmulationConfig().then(cfg => {
+  webSearchGlobalEnabled.value = cfg?.enabled === true && (cfg?.providers?.length ?? 0) > 0
+}).catch(() => { webSearchGlobalEnabled.value = false })
 const editQuotaLimit = ref<number | null>(null)
 const editQuotaDailyLimit = ref<number | null>(null)
 const editQuotaWeeklyLimit = ref<number | null>(null)
diff --git a/frontend/src/views/admin/ChannelsView.vue b/frontend/src/views/admin/ChannelsView.vue
index a49e1694..639ace4a 100644
--- a/frontend/src/views/admin/ChannelsView.vue
+++ b/frontend/src/views/admin/ChannelsView.vue
@@ -306,6 +306,21 @@
               </div>
             </div>
 
+            <!-- Web Search Emulation (Anthropic only, hidden when global disabled) -->
+            <div v-if="section.platform === 'anthropic' && webSearchGlobalEnabled" class="border-t border-gray-200 pt-3 dark:border-dark-600">
+              <div class="flex items-center justify-between">
+                <div>
+                  <label class="text-xs font-medium text-orange-600 dark:text-orange-400">
+                    {{ t('admin.channels.form.webSearchEmulation') }}
+                  </label>
+                  <p class="mt-0.5 text-[11px] text-amber-500 dark:text-amber-400">
+                    {{ t('admin.channels.form.webSearchEmulationHint') }}
+                  </p>
+                </div>
+                <Toggle v-model="section.web_search_emulation" />
+              </div>
+            </div>
+
             <!-- Model Mapping -->
             <div>
               <div class="mb-1 flex items-center justify-between">
@@ -560,6 +575,7 @@
 import { ref, reactive, computed, onMounted, onUnmounted } from 'vue'
 import { useI18n } from 'vue-i18n'
 import { useAppStore } from '@/stores/app'
+import { extractApiErrorMessage } from '@/utils/apiError'
 import { adminAPI } from '@/api/admin'
 import type { Channel, ChannelModelPricing, CreateChannelRequest, UpdateChannelRequest, AccountStatsPricingRule } from '@/api/admin/channels'
 import type { PricingFormEntry } from '@/components/admin/channel/types'
@@ -583,6 +599,18 @@ import { getPersistedPageSize } from '@/composables/usePersistedPageSize'
 const { t } = useI18n()
 const appStore = useAppStore()
 
+// Web Search global enabled state (loaded once on mount)
+const webSearchGlobalEnabled = ref(false)
+async function loadWebSearchGlobalState() {
+  try {
+    const cfg = await adminAPI.settings.getWebSearchEmulationConfig()
+    webSearchGlobalEnabled.value = cfg?.enabled === true && (cfg?.providers?.length ?? 0) > 0
+  } catch (err: unknown) {
+    console.warn('Failed to load web search global state:', err)
+    webSearchGlobalEnabled.value = false
+  }
+}
+
 // ── Platform Section type ──
 interface PlatformSection {
   platform: GroupPlatform
@@ -591,6 +619,7 @@ interface PlatformSection {
   group_ids: number[]
   model_mapping: Record<string, string>
   model_pricing: PricingFormEntry[]
+  web_search_emulation: boolean
 }
 
 // ── Table columns ──
@@ -709,7 +738,8 @@ function addPlatformSection(platform: GroupPlatform) {
     collapsed: false,
     group_ids: [],
     model_mapping: {},
-    model_pricing: []
+    model_pricing: [],
+    web_search_emulation: false,
   })
 }
 
@@ -901,10 +931,14 @@ function accountStatsRulesToAPI(): AccountStatsPricingRule[] {
 }
 
 // ── Form ↔ API conversion ──
-function formToAPI(): { group_ids: number[], model_pricing: ChannelModelPricing[], model_mapping: Record<string, Record<string, string>> } {
+function formToAPI(): { group_ids: number[], model_pricing: ChannelModelPricing[], model_mapping: Record<string, Record<string, string>>, features_config: Record<string, unknown> } {
   const group_ids: number[] = []
   const model_pricing: ChannelModelPricing[] = []
   const model_mapping: Record<string, Record<string, string>> = {}
+  // Preserve existing features_config fields not managed by the form
+  const featuresConfig: Record<string, unknown> = editingChannel.value?.features_config
+    ? { ...editingChannel.value.features_config }
+    : {}
 
   for (const section of form.platforms) {
     if (!section.enabled) continue
@@ -933,7 +967,19 @@ function formToAPI(): { group_ids: number[], model_pricing: ChannelModelPricing[
     }
   }
 
-  return { group_ids, model_pricing, model_mapping }
+  // Collect web_search_emulation (only anthropic platform supports it)
+  const wsEmulation: Record<string, boolean> = {}
+  for (const section of form.platforms) {
+    if (!section.enabled) continue
+    if (section.web_search_emulation && section.platform === 'anthropic') {
+      wsEmulation[section.platform] = true
+    }
+  }
+  if (Object.keys(wsEmulation).length > 0) {
+    featuresConfig.web_search_emulation = wsEmulation
+  }
+
+  return { group_ids, model_pricing, model_mapping, features_config: featuresConfig }
 }
 
 function apiToForm(channel: Channel): PlatformSection[] {
@@ -977,13 +1023,19 @@ function apiToForm(channel: Channel): PlatformSection[] {
         intervals: apiIntervalsToForm(p.intervals || [])
       } as PricingFormEntry))
 
+    // Read web_search_emulation from features_config
+    const fc = channel.features_config
+    const wsEmulation = fc?.web_search_emulation as Record<string, boolean> | undefined
+    const webSearchEnabled = wsEmulation?.[platform] === true
+
     sections.push({
       platform,
       enabled: true,
       collapsed: false,
       group_ids: groupIds,
       model_mapping: { ...mapping },
-      model_pricing: pricing
+      model_pricing: pricing,
+      web_search_emulation: webSearchEnabled,
     })
   }
 
@@ -1008,10 +1060,10 @@ async function loadChannels() {
     if (ctrl.signal.aborted || abortController !== ctrl) return
     channels.value = response.items || []
     pagination.total = response.total
-  } catch (error: any) {
-    if (error?.name === 'AbortError' || error?.code === 'ERR_CANCELED') return
-    appStore.showError(t('admin.channels.loadError', 'Failed to load channels'))
-    console.error('Error loading channels:', error)
+  } catch (error: unknown) {
+    const e = error as { name?: string; code?: string }
+    if (e?.name === 'AbortError' || e?.code === 'ERR_CANCELED') return
+    appStore.showError(extractApiErrorMessage(error, t('admin.channels.loadError', 'Failed to load channels')))
   } finally {
     if (abortController === ctrl) {
       loading.value = false
@@ -1210,7 +1262,7 @@ async function handleSubmit() {
     }
   }
 
-  const { group_ids, model_pricing, model_mapping } = formToAPI()
+  const { group_ids, model_pricing, model_mapping, features_config } = formToAPI()
 
   submitting.value = true
   try {
@@ -1224,6 +1276,7 @@ async function handleSubmit() {
         model_mapping: Object.keys(model_mapping).length > 0 ? model_mapping : {},
         billing_model_source: form.billing_model_source,
         restrict_models: form.restrict_models,
+        features_config,
         apply_pricing_to_account_stats: form.apply_pricing_to_account_stats,
         account_stats_pricing_rules: accountStatsRulesToAPI()
       }
@@ -1238,6 +1291,7 @@ async function handleSubmit() {
         model_mapping: Object.keys(model_mapping).length > 0 ? model_mapping : {},
         billing_model_source: form.billing_model_source,
         restrict_models: form.restrict_models,
+        features_config,
         apply_pricing_to_account_stats: form.apply_pricing_to_account_stats,
         account_stats_pricing_rules: accountStatsRulesToAPI()
       }
@@ -1246,12 +1300,10 @@ async function handleSubmit() {
     }
     closeDialog()
     loadChannels()
-  } catch (error: any) {
-    const msg = error.response?.data?.detail || (editingChannel.value
+  } catch (error: unknown) {
+    appStore.showError(extractApiErrorMessage(error, editingChannel.value
       ? t('admin.channels.updateError', 'Failed to update channel')
-      : t('admin.channels.createError', 'Failed to create channel'))
-    appStore.showError(msg)
-    console.error('Error saving channel:', error)
+      : t('admin.channels.createError', 'Failed to create channel')))
   } finally {
     submitting.value = false
   }
@@ -1289,9 +1341,8 @@ async function confirmDelete() {
     showDeleteDialog.value = false
     deletingChannel.value = null
     loadChannels()
-  } catch (error: any) {
-    appStore.showError(error.response?.data?.detail || t('admin.channels.deleteError', 'Failed to delete channel'))
-    console.error('Error deleting channel:', error)
+  } catch (error: unknown) {
+    appStore.showError(extractApiErrorMessage(error, t('admin.channels.deleteError', 'Failed to delete channel')))
   }
 }
 
@@ -1299,6 +1350,7 @@ async function confirmDelete() {
 onMounted(() => {
   loadChannels()
   loadGroups()
+  loadWebSearchGlobalState()
 })
 
 onUnmounted(() => {
diff --git a/frontend/src/views/admin/SettingsView.vue b/frontend/src/views/admin/SettingsView.vue
index faab49fe..b5181ccc 100644
--- a/frontend/src/views/admin/SettingsView.vue
+++ b/frontend/src/views/admin/SettingsView.vue
@@ -1789,40 +1789,42 @@
 
                 <!-- Expanded content -->
                 <div v-if="expandedProviders[pIdx]" class="space-y-3 border-t border-gray-100 px-4 pb-4 pt-3 dark:border-dark-700">
-                  <!-- API Key with show/copy -->
+                  <!-- API Key with inline show/copy -->
                   <div>
                     <label class="text-xs text-gray-500">{{ t('admin.settings.webSearchEmulation.apiKey') }}</label>
-                    <div class="flex items-center gap-1">
+                    <div class="relative">
                       <input
                         v-model="provider.api_key"
                         :type="apiKeyVisible[pIdx] ? 'text' : 'password'"
-                        class="input flex-1 text-sm"
+                        class="input w-full pr-16 text-sm"
                         :placeholder="provider.api_key_configured ? '••••••••' : t('admin.settings.webSearchEmulation.apiKeyPlaceholder')"
                       />
-                      <button
-                        type="button"
-                        class="btn btn-secondary btn-sm px-2"
-                        :title="apiKeyVisible[pIdx] ? t('admin.settings.webSearchEmulation.hideApiKey') : t('admin.settings.webSearchEmulation.showApiKey')"
-                        @click="apiKeyVisible[pIdx] = !apiKeyVisible[pIdx]"
-                      >
-                        <svg v-if="!apiKeyVisible[pIdx]" class="h-4 w-4" fill="none" viewBox="0 0 24 24" stroke="currentColor">
-                          <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M15 12a3 3 0 11-6 0 3 3 0 016 0z" />
-                          <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M2.458 12C3.732 7.943 7.523 5 12 5c4.478 0 8.268 2.943 9.542 7-1.274 4.057-5.064 7-9.542 7-4.477 0-8.268-2.943-9.542-7z" />
-                        </svg>
-                        <svg v-else class="h-4 w-4" fill="none" viewBox="0 0 24 24" stroke="currentColor">
-                          <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M13.875 18.825A10.05 10.05 0 0112 19c-4.478 0-8.268-2.943-9.543-7a9.97 9.97 0 011.563-3.029m5.858.908a3 3 0 114.243 4.243M9.878 9.878l4.242 4.242M9.878 9.878L3 3m6.878 6.878L21 21" />
-                        </svg>
-                      </button>
-                      <button
-                        type="button"
-                        class="btn btn-secondary btn-sm px-2"
-                        :title="t('admin.settings.webSearchEmulation.copyApiKey')"
-                        @click="copyApiKey(pIdx)"
-                      >
-                        <svg class="h-4 w-4" fill="none" viewBox="0 0 24 24" stroke="currentColor">
-                          <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M8 16H6a2 2 0 01-2-2V6a2 2 0 012-2h8a2 2 0 012 2v2m-6 12h8a2 2 0 002-2v-8a2 2 0 00-2-2h-8a2 2 0 00-2 2v8a2 2 0 002 2z" />
-                        </svg>
-                      </button>
+                      <div class="absolute inset-y-0 right-0 flex items-center pr-1.5">
+                        <button
+                          type="button"
+                          class="rounded p-1 text-gray-400 hover:text-gray-600 dark:hover:text-gray-300"
+                          :title="apiKeyVisible[pIdx] ? t('admin.settings.webSearchEmulation.hideApiKey') : t('admin.settings.webSearchEmulation.showApiKey')"
+                          @click="apiKeyVisible[pIdx] = !apiKeyVisible[pIdx]"
+                        >
+                          <svg v-if="!apiKeyVisible[pIdx]" class="h-4 w-4" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+                            <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M15 12a3 3 0 11-6 0 3 3 0 016 0z" />
+                            <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M2.458 12C3.732 7.943 7.523 5 12 5c4.478 0 8.268 2.943 9.542 7-1.274 4.057-5.064 7-9.542 7-4.477 0-8.268-2.943-9.542-7z" />
+                          </svg>
+                          <svg v-else class="h-4 w-4" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+                            <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M13.875 18.825A10.05 10.05 0 0112 19c-4.478 0-8.268-2.943-9.543-7a9.97 9.97 0 011.563-3.029m5.858.908a3 3 0 114.243 4.243M9.878 9.878l4.242 4.242M9.878 9.878L3 3m6.878 6.878L21 21" />
+                          </svg>
+                        </button>
+                        <button
+                          type="button"
+                          class="rounded p-1 text-gray-400 hover:text-gray-600 dark:hover:text-gray-300"
+                          :title="t('admin.settings.webSearchEmulation.copyApiKey')"
+                          @click="copyApiKey(pIdx)"
+                        >
+                          <svg class="h-4 w-4" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+                            <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M8 16H6a2 2 0 01-2-2V6a2 2 0 012-2h8a2 2 0 012 2v2m-6 12h8a2 2 0 002-2v-8a2 2 0 00-2-2h-8a2 2 0 00-2 2v8a2 2 0 002 2z" />
+                          </svg>
+                        </button>
+                      </div>
                     </div>
                   </div>
 
@@ -1858,44 +1860,19 @@
                     <span class="text-xs text-gray-500">{{ provider.quota_used ?? 0 }} / {{ provider.quota_limit }}</span>
                   </div>
 
-                  <!-- Proxy -->
-                  <div>
-                    <label class="text-xs text-gray-500">{{ t('admin.settings.webSearchEmulation.proxy') }}</label>
-                    <ProxySelector v-model="provider.proxy_id" :proxies="webSearchProxies" />
-                  </div>
-
-                  <!-- Test button -->
-                  <div class="border-t border-gray-100 pt-3 dark:border-dark-700">
-                    <div class="flex items-center gap-2">
-                      <input
-                        v-model="wsTestQuery"
-                        type="text"
-                        class="input flex-1 text-sm"
-                        :placeholder="t('admin.settings.webSearchEmulation.testDefaultQuery')"
-                        @keyup.enter="testWebSearchProvider()"
-                      />
-                      <button
-                        type="button"
-                        class="btn btn-secondary btn-sm"
-                        :disabled="wsTestLoading"
-                        @click="testWebSearchProvider()"
-                      >
-                        {{ wsTestLoading ? t('admin.settings.webSearchEmulation.testing') : t('admin.settings.webSearchEmulation.test') }}
-                      </button>
-                    </div>
-                    <!-- Test results -->
-                    <div v-if="wsTestResult" class="mt-2 rounded-lg bg-gray-50 p-3 text-xs dark:bg-dark-700">
-                      <p class="mb-1 font-medium text-gray-700 dark:text-gray-300">
-                        {{ t('admin.settings.webSearchEmulation.testResultProvider') }}: {{ wsTestResult.provider }}
-                      </p>
-                      <div v-if="wsTestResult.results.length === 0" class="text-gray-400">
-                        {{ t('admin.settings.webSearchEmulation.testNoResults') }}
-                      </div>
-                      <div v-for="(r, rIdx) in wsTestResult.results.slice(0, 3)" :key="rIdx" class="mt-1">
-                        <a :href="r.url" target="_blank" class="font-medium text-blue-600 hover:underline dark:text-blue-400">{{ r.title }}</a>
-                        <p class="text-gray-500 dark:text-gray-400">{{ r.snippet && r.snippet.length > 120 ? r.snippet.slice(0, 120) + '...' : r.snippet }}</p>
-                      </div>
+                  <!-- Proxy + Test on same row -->
+                  <div class="flex items-end gap-3">
+                    <div class="flex-1">
+                      <label class="text-xs text-gray-500">{{ t('admin.settings.webSearchEmulation.proxy') }}</label>
+                      <ProxySelector v-model="provider.proxy_id" :proxies="webSearchProxies" />
                     </div>
+                    <button
+                      type="button"
+                      class="btn btn-secondary btn-sm whitespace-nowrap"
+                      @click="openTestDialog()"
+                    >
+                      {{ t('admin.settings.webSearchEmulation.test') }}
+                    </button>
                   </div>
                 </div>
               </div>
@@ -1903,6 +1880,50 @@
           </div>
         </div>
 
+        <!-- Web Search Test Dialog -->
+        <div v-if="wsTestDialogOpen" class="fixed inset-0 z-50 flex items-center justify-center bg-black/50" @click.self="wsTestDialogOpen = false">
+          <div class="mx-4 w-full max-w-lg rounded-xl bg-white p-6 shadow-xl dark:bg-dark-800">
+            <h3 class="mb-4 text-lg font-semibold text-gray-900 dark:text-white">
+              {{ t('admin.settings.webSearchEmulation.testResultTitle') }}
+            </h3>
+            <div class="flex items-center gap-2">
+              <input
+                v-model="wsTestQuery"
+                type="text"
+                class="input flex-1 text-sm"
+                :placeholder="t('admin.settings.webSearchEmulation.testDefaultQuery')"
+                @keyup.enter="testWebSearchProvider()"
+              />
+              <button
+                type="button"
+                class="btn btn-primary btn-sm"
+                :disabled="wsTestLoading"
+                @click="testWebSearchProvider()"
+              >
+                {{ wsTestLoading ? t('admin.settings.webSearchEmulation.testing') : t('admin.settings.webSearchEmulation.test') }}
+              </button>
+            </div>
+            <!-- Test results -->
+            <div v-if="wsTestResult" class="mt-4 max-h-80 overflow-y-auto rounded-lg bg-gray-50 p-4 dark:bg-dark-700">
+              <p class="mb-2 text-sm font-medium text-gray-700 dark:text-gray-300">
+                {{ t('admin.settings.webSearchEmulation.testResultProvider') }}: {{ wsTestResult.provider }}
+              </p>
+              <div v-if="wsTestResult.results.length === 0" class="text-sm text-gray-400">
+                {{ t('admin.settings.webSearchEmulation.testNoResults') }}
+              </div>
+              <div v-for="(r, rIdx) in wsTestResult.results" :key="rIdx" class="mt-2 border-t border-gray-200 pt-2 first:mt-0 first:border-0 first:pt-0 dark:border-dark-600">
+                <a :href="r.url" target="_blank" class="text-sm font-medium text-blue-600 hover:underline dark:text-blue-400">{{ r.title }}</a>
+                <p class="mt-0.5 text-xs text-gray-500 dark:text-gray-400">{{ r.snippet }}</p>
+              </div>
+            </div>
+            <div class="mt-4 flex justify-end">
+              <button type="button" class="btn btn-secondary btn-sm" @click="wsTestDialogOpen = false">
+                {{ t('common.close') }}
+              </button>
+            </div>
+          </div>
+        </div>
+
         </div><!-- /Tab: Gateway — Claude Code, Scheduling -->
 
         <!-- Tab: General -->
@@ -3016,6 +3037,12 @@ const apiKeyVisible = reactive<Record<number, boolean>>({})
 const wsTestQuery = ref('')
 const wsTestLoading = ref(false)
 const wsTestResult = ref<WebSearchTestResult | null>(null)
+const wsTestDialogOpen = ref(false)
+
+function openTestDialog() {
+  wsTestResult.value = null
+  wsTestDialogOpen.value = true
+}
 
 function toggleProviderExpand(idx: number) {
   expandedProviders[idx] = !expandedProviders[idx]

From eba289a7ff82430a1570d84a97c4bdf2d10e9775 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Sun, 12 Apr 2026 17:49:58 +0800
Subject: [PATCH 039/122] feat(notify): add global toggles, percentage
 threshold, and visibility control

- Add global toggle for account quota notification in admin settings
- Add percentage-based threshold type for per-account quota alerts
- Hide balance notify card on user profile when global toggle is off
- Expose balance_low_notify_enabled and account_quota_notify_enabled in PublicSettings
- Add threshold type (fixed/percentage) to QuotaNotifyToggle with $ / % switcher
---
 backend/internal/service/account.go           | 20 ++++++++
 .../service/balance_notify_service.go         | 50 ++++++++++++++-----
 backend/internal/service/domain_constants.go  |  3 +-
 backend/internal/service/setting_service.go   | 12 ++++-
 backend/internal/service/settings_view.go     |  6 ++-
 frontend/src/api/admin/settings.ts            |  2 +
 .../components/account/EditAccountModal.vue   | 24 +++++++++
 .../src/components/account/QuotaLimitCard.vue | 15 ++++++
 .../components/account/QuotaNotifyToggle.vue  | 31 ++++++++++--
 frontend/src/i18n/locales/en.ts               |  3 +-
 frontend/src/i18n/locales/zh.ts               |  3 +-
 frontend/src/stores/app.ts                    |  4 +-
 frontend/src/types/index.ts                   |  2 +
 frontend/src/views/admin/SettingsView.vue     | 10 +++-
 frontend/src/views/user/ProfileView.vue       |  5 +-
 15 files changed, 164 insertions(+), 26 deletions(-)

diff --git a/backend/internal/service/account.go b/backend/internal/service/account.go
index 0b225dac..6e5a768f 100644
--- a/backend/internal/service/account.go
+++ b/backend/internal/service/account.go
@@ -1432,6 +1432,14 @@ func (a *Account) getExtraString(key string) string {
 	return ""
 }
 
+// getExtraStringDefault 从 Extra 中读取指定 key 的字符串值，不存在时返回 defaultVal
+func (a *Account) getExtraStringDefault(key, defaultVal string) string {
+	if v := a.getExtraString(key); v != "" {
+		return v
+	}
+	return defaultVal
+}
+
 // getExtraInt 从 Extra 中读取指定 key 的 int 值
 func (a *Account) getExtraInt(key string) int {
 	if a.Extra == nil {
@@ -1498,6 +1506,10 @@ func (a *Account) GetQuotaNotifyDailyThreshold() float64 {
 	return a.getExtraFloat64("quota_notify_daily_threshold")
 }
 
+func (a *Account) GetQuotaNotifyDailyThresholdType() string {
+	return a.getExtraStringDefault("quota_notify_daily_threshold_type", "fixed")
+}
+
 func (a *Account) GetQuotaNotifyWeeklyEnabled() bool {
 	return a.getExtraBool("quota_notify_weekly_enabled")
 }
@@ -1506,6 +1518,10 @@ func (a *Account) GetQuotaNotifyWeeklyThreshold() float64 {
 	return a.getExtraFloat64("quota_notify_weekly_threshold")
 }
 
+func (a *Account) GetQuotaNotifyWeeklyThresholdType() string {
+	return a.getExtraStringDefault("quota_notify_weekly_threshold_type", "fixed")
+}
+
 func (a *Account) GetQuotaNotifyTotalEnabled() bool {
 	return a.getExtraBool("quota_notify_total_enabled")
 }
@@ -1514,6 +1530,10 @@ func (a *Account) GetQuotaNotifyTotalThreshold() float64 {
 	return a.getExtraFloat64("quota_notify_total_threshold")
 }
 
+func (a *Account) GetQuotaNotifyTotalThresholdType() string {
+	return a.getExtraStringDefault("quota_notify_total_threshold_type", "fixed")
+}
+
 // nextFixedDailyReset 计算在 after 之后的下一个每日固定重置时间点
 func nextFixedDailyReset(hour int, tz *time.Location, after time.Time) time.Time {
 	t := after.In(tz)
diff --git a/backend/internal/service/balance_notify_service.go b/backend/internal/service/balance_notify_service.go
index 0d7e4c09..65cec594 100644
--- a/backend/internal/service/balance_notify_service.go
+++ b/backend/internal/service/balance_notify_service.go
@@ -82,19 +82,29 @@ func (s *BalanceNotifyService) CheckBalanceAfterDeduction(ctx context.Context, u
 
 // quotaDim describes one quota dimension for notification checking.
 type quotaDim struct {
-	name      string
-	enabled   bool
-	threshold float64
-	oldUsed   float64
-	limit     float64
+	name          string
+	enabled       bool
+	threshold     float64
+	thresholdType string // "fixed" (default) or "percentage"
+	oldUsed       float64
+	limit         float64
+}
+
+// resolvedThreshold returns the effective threshold value.
+// For percentage type, it computes threshold = limit * percentage / 100.
+func (d quotaDim) resolvedThreshold() float64 {
+	if d.thresholdType == "percentage" && d.limit > 0 {
+		return d.limit * d.threshold / 100
+	}
+	return d.threshold
 }
 
 // buildQuotaDims returns the three quota dimensions for notification checking.
 func buildQuotaDims(account *Account) []quotaDim {
 	return []quotaDim{
-		{quotaDimDaily, account.GetQuotaNotifyDailyEnabled(), account.GetQuotaNotifyDailyThreshold(), account.GetQuotaDailyUsed(), account.GetQuotaDailyLimit()},
-		{quotaDimWeekly, account.GetQuotaNotifyWeeklyEnabled(), account.GetQuotaNotifyWeeklyThreshold(), account.GetQuotaWeeklyUsed(), account.GetQuotaWeeklyLimit()},
-		{quotaDimTotal, account.GetQuotaNotifyTotalEnabled(), account.GetQuotaNotifyTotalThreshold(), account.GetQuotaUsed(), account.GetQuotaLimit()},
+		{quotaDimDaily, account.GetQuotaNotifyDailyEnabled(), account.GetQuotaNotifyDailyThreshold(), account.GetQuotaNotifyDailyThresholdType(), account.GetQuotaDailyUsed(), account.GetQuotaDailyLimit()},
+		{quotaDimWeekly, account.GetQuotaNotifyWeeklyEnabled(), account.GetQuotaNotifyWeeklyThreshold(), account.GetQuotaNotifyWeeklyThresholdType(), account.GetQuotaWeeklyUsed(), account.GetQuotaWeeklyLimit()},
+		{quotaDimTotal, account.GetQuotaNotifyTotalEnabled(), account.GetQuotaNotifyTotalThreshold(), account.GetQuotaNotifyTotalThresholdType(), account.GetQuotaUsed(), account.GetQuotaLimit()},
 	}
 }
 
@@ -104,6 +114,9 @@ func (s *BalanceNotifyService) CheckAccountQuotaAfterIncrement(ctx context.Conte
 	if account == nil || s.emailService == nil || s.settingRepo == nil || cost <= 0 {
 		return
 	}
+	if !s.isAccountQuotaNotifyEnabled(ctx) {
+		return
+	}
 	adminEmails := s.getAccountQuotaNotifyEmails(ctx)
 	if len(adminEmails) == 0 {
 		return
@@ -114,22 +127,26 @@ func (s *BalanceNotifyService) CheckAccountQuotaAfterIncrement(ctx context.Conte
 		if !dim.enabled || dim.threshold <= 0 {
 			continue
 		}
+		effectiveThreshold := dim.resolvedThreshold()
+		if effectiveThreshold <= 0 {
+			continue
+		}
 		newUsed := dim.oldUsed + cost
-		if dim.oldUsed < dim.threshold && newUsed >= dim.threshold {
-			s.asyncSendQuotaAlert(adminEmails, account.Name, dim, newUsed, siteName)
+		if dim.oldUsed < effectiveThreshold && newUsed >= effectiveThreshold {
+			s.asyncSendQuotaAlert(adminEmails, account.Name, dim, newUsed, effectiveThreshold, siteName)
 		}
 	}
 }
 
 // asyncSendQuotaAlert sends quota alert email in a goroutine with panic recovery.
-func (s *BalanceNotifyService) asyncSendQuotaAlert(adminEmails []string, accountName string, dim quotaDim, newUsed float64, siteName string) {
+func (s *BalanceNotifyService) asyncSendQuotaAlert(adminEmails []string, accountName string, dim quotaDim, newUsed, effectiveThreshold float64, siteName string) {
 	go func() {
 		defer func() {
 			if r := recover(); r != nil {
 				slog.Error("panic in quota notification", "recover", r)
 			}
 		}()
-		s.sendQuotaAlertEmails(adminEmails, accountName, dim.name, newUsed, dim.limit, dim.threshold, siteName)
+		s.sendQuotaAlertEmails(adminEmails, accountName, dim.name, newUsed, dim.limit, effectiveThreshold, siteName)
 	}()
 }
 
@@ -149,6 +166,15 @@ func (s *BalanceNotifyService) getBalanceNotifyConfig(ctx context.Context) (enab
 	return
 }
 
+// isAccountQuotaNotifyEnabled checks the global account quota notification toggle.
+func (s *BalanceNotifyService) isAccountQuotaNotifyEnabled(ctx context.Context) bool {
+	val, err := s.settingRepo.GetValue(ctx, SettingKeyAccountQuotaNotifyEnabled)
+	if err != nil {
+		return false
+	}
+	return val == "true"
+}
+
 // getAccountQuotaNotifyEmails reads admin notification emails from settings.
 func (s *BalanceNotifyService) getAccountQuotaNotifyEmails(ctx context.Context) []string {
 	raw, err := s.settingRepo.GetValue(ctx, SettingKeyAccountQuotaNotifyEmails)
diff --git a/backend/internal/service/domain_constants.go b/backend/internal/service/domain_constants.go
index 2704e0d0..f07ddfd4 100644
--- a/backend/internal/service/domain_constants.go
+++ b/backend/internal/service/domain_constants.go
@@ -255,7 +255,8 @@ const (
 	SettingKeyBalanceLowNotifyThreshold = "balance_low_notify_threshold" // 默认阈值（USD）
 
 	// Account Quota Notification
-	SettingKeyAccountQuotaNotifyEmails = "account_quota_notify_emails" // 管理员通知邮箱列表（JSON 数组）
+	SettingKeyAccountQuotaNotifyEnabled = "account_quota_notify_enabled" // 全局开关
+	SettingKeyAccountQuotaNotifyEmails  = "account_quota_notify_emails"  // 管理员通知邮箱列表（JSON 数组）
 )
 
 // AdminAPIKeyPrefix is the prefix for admin API keys (distinct from user "sk-" keys).
diff --git a/backend/internal/service/setting_service.go b/backend/internal/service/setting_service.go
index f0cf750a..abcae9c1 100644
--- a/backend/internal/service/setting_service.go
+++ b/backend/internal/service/setting_service.go
@@ -182,6 +182,8 @@ func (s *SettingService) GetPublicSettings(ctx context.Context) (*PublicSettings
 		SettingPaymentEnabled,
 		SettingKeyOIDCConnectEnabled,
 		SettingKeyOIDCConnectProviderName,
+		SettingKeyBalanceLowNotifyEnabled,
+		SettingKeyAccountQuotaNotifyEnabled,
 	}
 
 	settings, err := s.settingRepo.GetMultiple(ctx, keys)
@@ -249,6 +251,8 @@ func (s *SettingService) GetPublicSettings(ctx context.Context) (*PublicSettings
 		PaymentEnabled:                   settings[SettingPaymentEnabled] == "true",
 		OIDCOAuthEnabled:                 oidcEnabled,
 		OIDCOAuthProviderName:            oidcProviderName,
+		BalanceLowNotifyEnabled:          settings[SettingKeyBalanceLowNotifyEnabled] == "true",
+		AccountQuotaNotifyEnabled:        settings[SettingKeyAccountQuotaNotifyEnabled] == "true",
 	}, nil
 }
 
@@ -302,6 +306,8 @@ func (s *SettingService) GetPublicSettingsForInjection(ctx context.Context) (any
 		OIDCOAuthEnabled                 bool            `json:"oidc_oauth_enabled"`
 		OIDCOAuthProviderName            string          `json:"oidc_oauth_provider_name"`
 		Version                          string          `json:"version,omitempty"`
+		BalanceLowNotifyEnabled          bool            `json:"balance_low_notify_enabled"`
+		AccountQuotaNotifyEnabled        bool            `json:"account_quota_notify_enabled"`
 	}{
 		RegistrationEnabled:              settings.RegistrationEnabled,
 		EmailVerifyEnabled:               settings.EmailVerifyEnabled,
@@ -332,6 +338,8 @@ func (s *SettingService) GetPublicSettingsForInjection(ctx context.Context) (any
 		OIDCOAuthEnabled:                 settings.OIDCOAuthEnabled,
 		OIDCOAuthProviderName:            settings.OIDCOAuthProviderName,
 		Version:                          s.version,
+		BalanceLowNotifyEnabled:          settings.BalanceLowNotifyEnabled,
+		AccountQuotaNotifyEnabled:        settings.AccountQuotaNotifyEnabled,
 	}, nil
 }
 
@@ -609,6 +617,7 @@ func (s *SettingService) UpdateSettings(ctx context.Context, settings *SystemSet
 	// Balance low notification
 	updates[SettingKeyBalanceLowNotifyEnabled] = strconv.FormatBool(settings.BalanceLowNotifyEnabled)
 	updates[SettingKeyBalanceLowNotifyThreshold] = strconv.FormatFloat(settings.BalanceLowNotifyThreshold, 'f', 8, 64)
+	updates[SettingKeyAccountQuotaNotifyEnabled] = strconv.FormatBool(settings.AccountQuotaNotifyEnabled)
 	accountQuotaNotifyEmailsJSON, err := json.Marshal(settings.AccountQuotaNotifyEmails)
 	if err != nil {
 		return fmt.Errorf("marshal account quota notify emails: %w", err)
@@ -1251,7 +1260,8 @@ func (s *SettingService) parseSettings(settings map[string]string) *SystemSettin
 		result.BalanceLowNotifyThreshold = v
 	}
 
-	// Account quota notification emails
+	// Account quota notification
+	result.AccountQuotaNotifyEnabled = settings[SettingKeyAccountQuotaNotifyEnabled] == "true"
 	if raw := strings.TrimSpace(settings[SettingKeyAccountQuotaNotifyEmails]); raw != "" {
 		var emails []string
 		if err := json.Unmarshal([]byte(raw), &emails); err == nil {
diff --git a/backend/internal/service/settings_view.go b/backend/internal/service/settings_view.go
index debc2b19..b79b930a 100644
--- a/backend/internal/service/settings_view.go
+++ b/backend/internal/service/settings_view.go
@@ -112,7 +112,8 @@ type SystemSettings struct {
 	BalanceLowNotifyThreshold float64
 
 	// Account quota notification
-	AccountQuotaNotifyEmails []string
+	AccountQuotaNotifyEnabled bool
+	AccountQuotaNotifyEmails  []string
 }
 
 type DefaultSubscriptionSetting struct {
@@ -152,6 +153,9 @@ type PublicSettings struct {
 	OIDCOAuthEnabled      bool
 	OIDCOAuthProviderName string
 	Version               string
+
+	BalanceLowNotifyEnabled    bool
+	AccountQuotaNotifyEnabled  bool
 }
 
 // StreamTimeoutSettings 流超时处理配置（仅控制超时后的处理方式，超时判定由网关配置控制）
diff --git a/frontend/src/api/admin/settings.ts b/frontend/src/api/admin/settings.ts
index 31284289..5c5de2d1 100644
--- a/frontend/src/api/admin/settings.ts
+++ b/frontend/src/api/admin/settings.ts
@@ -138,6 +138,7 @@ export interface SystemSettings {
   // Balance & quota notification
   balance_low_notify_enabled: boolean
   balance_low_notify_threshold: number
+  account_quota_notify_enabled: boolean
   account_quota_notify_emails: string[]
 }
 
@@ -241,6 +242,7 @@ export interface UpdateSettingsRequest {
   // Balance & quota notification
   balance_low_notify_enabled?: boolean
   balance_low_notify_threshold?: number
+  account_quota_notify_enabled?: boolean
   account_quota_notify_emails?: string[]
 }
 
diff --git a/frontend/src/components/account/EditAccountModal.vue b/frontend/src/components/account/EditAccountModal.vue
index 086575e6..abb9569e 100644
--- a/frontend/src/components/account/EditAccountModal.vue
+++ b/frontend/src/components/account/EditAccountModal.vue
@@ -1188,10 +1188,13 @@
           :resetTimezone="editResetTimezone"
           :quotaNotifyDailyEnabled="editQuotaNotifyDailyEnabled"
           :quotaNotifyDailyThreshold="editQuotaNotifyDailyThreshold"
+          :quotaNotifyDailyThresholdType="editQuotaNotifyDailyThresholdType"
           :quotaNotifyWeeklyEnabled="editQuotaNotifyWeeklyEnabled"
           :quotaNotifyWeeklyThreshold="editQuotaNotifyWeeklyThreshold"
+          :quotaNotifyWeeklyThresholdType="editQuotaNotifyWeeklyThresholdType"
           :quotaNotifyTotalEnabled="editQuotaNotifyTotalEnabled"
           :quotaNotifyTotalThreshold="editQuotaNotifyTotalThreshold"
+          :quotaNotifyTotalThresholdType="editQuotaNotifyTotalThresholdType"
           @update:totalLimit="editQuotaLimit = $event"
           @update:dailyLimit="editQuotaDailyLimit = $event"
           @update:weeklyLimit="editQuotaWeeklyLimit = $event"
@@ -1203,10 +1206,13 @@
           @update:resetTimezone="editResetTimezone = $event"
           @update:quotaNotifyDailyEnabled="editQuotaNotifyDailyEnabled = $event"
           @update:quotaNotifyDailyThreshold="editQuotaNotifyDailyThreshold = $event"
+          @update:quotaNotifyDailyThresholdType="editQuotaNotifyDailyThresholdType = $event"
           @update:quotaNotifyWeeklyEnabled="editQuotaNotifyWeeklyEnabled = $event"
           @update:quotaNotifyWeeklyThreshold="editQuotaNotifyWeeklyThreshold = $event"
+          @update:quotaNotifyWeeklyThresholdType="editQuotaNotifyWeeklyThresholdType = $event"
           @update:quotaNotifyTotalEnabled="editQuotaNotifyTotalEnabled = $event"
           @update:quotaNotifyTotalThreshold="editQuotaNotifyTotalThreshold = $event"
+          @update:quotaNotifyTotalThresholdType="editQuotaNotifyTotalThresholdType = $event"
         />
       </div>
       <!-- 配额控制 (非 Anthropic apikey/bedrock) -->
@@ -1232,10 +1238,13 @@
           :resetTimezone="editResetTimezone"
           :quotaNotifyDailyEnabled="editQuotaNotifyDailyEnabled"
           :quotaNotifyDailyThreshold="editQuotaNotifyDailyThreshold"
+          :quotaNotifyDailyThresholdType="editQuotaNotifyDailyThresholdType"
           :quotaNotifyWeeklyEnabled="editQuotaNotifyWeeklyEnabled"
           :quotaNotifyWeeklyThreshold="editQuotaNotifyWeeklyThreshold"
+          :quotaNotifyWeeklyThresholdType="editQuotaNotifyWeeklyThresholdType"
           :quotaNotifyTotalEnabled="editQuotaNotifyTotalEnabled"
           :quotaNotifyTotalThreshold="editQuotaNotifyTotalThreshold"
+          :quotaNotifyTotalThresholdType="editQuotaNotifyTotalThresholdType"
           @update:totalLimit="editQuotaLimit = $event"
           @update:dailyLimit="editQuotaDailyLimit = $event"
           @update:weeklyLimit="editQuotaWeeklyLimit = $event"
@@ -1247,10 +1256,13 @@
           @update:resetTimezone="editResetTimezone = $event"
           @update:quotaNotifyDailyEnabled="editQuotaNotifyDailyEnabled = $event"
           @update:quotaNotifyDailyThreshold="editQuotaNotifyDailyThreshold = $event"
+          @update:quotaNotifyDailyThresholdType="editQuotaNotifyDailyThresholdType = $event"
           @update:quotaNotifyWeeklyEnabled="editQuotaNotifyWeeklyEnabled = $event"
           @update:quotaNotifyWeeklyThreshold="editQuotaNotifyWeeklyThreshold = $event"
+          @update:quotaNotifyWeeklyThresholdType="editQuotaNotifyWeeklyThresholdType = $event"
           @update:quotaNotifyTotalEnabled="editQuotaNotifyTotalEnabled = $event"
           @update:quotaNotifyTotalThreshold="editQuotaNotifyTotalThreshold = $event"
+          @update:quotaNotifyTotalThresholdType="editQuotaNotifyTotalThresholdType = $event"
         />
       </div>
 
@@ -1992,10 +2004,13 @@ const editWeeklyResetHour = ref<number | null>(null)
 const editResetTimezone = ref<string | null>(null)
 const editQuotaNotifyDailyEnabled = ref<boolean | null>(null)
 const editQuotaNotifyDailyThreshold = ref<number | null>(null)
+const editQuotaNotifyDailyThresholdType = ref<string | null>(null)
 const editQuotaNotifyWeeklyEnabled = ref<boolean | null>(null)
 const editQuotaNotifyWeeklyThreshold = ref<number | null>(null)
+const editQuotaNotifyWeeklyThresholdType = ref<string | null>(null)
 const editQuotaNotifyTotalEnabled = ref<boolean | null>(null)
 const editQuotaNotifyTotalThreshold = ref<number | null>(null)
+const editQuotaNotifyTotalThresholdType = ref<string | null>(null)
 const openAIWSModeOptions = computed(() => [
   { value: OPENAI_WS_MODE_OFF, label: t('admin.accounts.openai.wsModeOff') },
   // TODO: ctx_pool 选项暂时隐藏，待测试完成后恢复
@@ -2198,10 +2213,13 @@ const syncFormFromAccount = (newAccount: Account | null) => {
     // Load quota notify config
     editQuotaNotifyDailyEnabled.value = (extra?.quota_notify_daily_enabled as boolean) ?? null
     editQuotaNotifyDailyThreshold.value = (extra?.quota_notify_daily_threshold as number) ?? null
+    editQuotaNotifyDailyThresholdType.value = (extra?.quota_notify_daily_threshold_type as string) ?? null
     editQuotaNotifyWeeklyEnabled.value = (extra?.quota_notify_weekly_enabled as boolean) ?? null
     editQuotaNotifyWeeklyThreshold.value = (extra?.quota_notify_weekly_threshold as number) ?? null
+    editQuotaNotifyWeeklyThresholdType.value = (extra?.quota_notify_weekly_threshold_type as string) ?? null
     editQuotaNotifyTotalEnabled.value = (extra?.quota_notify_total_enabled as boolean) ?? null
     editQuotaNotifyTotalThreshold.value = (extra?.quota_notify_total_threshold as number) ?? null
+    editQuotaNotifyTotalThresholdType.value = (extra?.quota_notify_total_threshold_type as string) ?? null
   } else {
     editQuotaLimit.value = null
     editQuotaDailyLimit.value = null
@@ -3262,9 +3280,11 @@ const handleSubmit = async () => {
         } else {
           delete newExtra.quota_notify_daily_threshold
         }
+        newExtra.quota_notify_daily_threshold_type = editQuotaNotifyDailyThresholdType.value || 'fixed'
       } else {
         delete newExtra.quota_notify_daily_enabled
         delete newExtra.quota_notify_daily_threshold
+        delete newExtra.quota_notify_daily_threshold_type
       }
       if (editQuotaNotifyWeeklyEnabled.value) {
         newExtra.quota_notify_weekly_enabled = true
@@ -3273,9 +3293,11 @@ const handleSubmit = async () => {
         } else {
           delete newExtra.quota_notify_weekly_threshold
         }
+        newExtra.quota_notify_weekly_threshold_type = editQuotaNotifyWeeklyThresholdType.value || 'fixed'
       } else {
         delete newExtra.quota_notify_weekly_enabled
         delete newExtra.quota_notify_weekly_threshold
+        delete newExtra.quota_notify_weekly_threshold_type
       }
       if (editQuotaNotifyTotalEnabled.value) {
         newExtra.quota_notify_total_enabled = true
@@ -3284,9 +3306,11 @@ const handleSubmit = async () => {
         } else {
           delete newExtra.quota_notify_total_threshold
         }
+        newExtra.quota_notify_total_threshold_type = editQuotaNotifyTotalThresholdType.value || 'fixed'
       } else {
         delete newExtra.quota_notify_total_enabled
         delete newExtra.quota_notify_total_threshold
+        delete newExtra.quota_notify_total_threshold_type
       }
       updatePayload.extra = newExtra
     }
diff --git a/frontend/src/components/account/QuotaLimitCard.vue b/frontend/src/components/account/QuotaLimitCard.vue
index 7c3afd23..64bdb08a 100644
--- a/frontend/src/components/account/QuotaLimitCard.vue
+++ b/frontend/src/components/account/QuotaLimitCard.vue
@@ -17,17 +17,23 @@ const props = withDefaults(defineProps<{
   resetTimezone: string | null
   quotaNotifyDailyEnabled?: boolean | null
   quotaNotifyDailyThreshold?: number | null
+  quotaNotifyDailyThresholdType?: string | null
   quotaNotifyWeeklyEnabled?: boolean | null
   quotaNotifyWeeklyThreshold?: number | null
+  quotaNotifyWeeklyThresholdType?: string | null
   quotaNotifyTotalEnabled?: boolean | null
   quotaNotifyTotalThreshold?: number | null
+  quotaNotifyTotalThresholdType?: string | null
 }>(), {
   quotaNotifyDailyEnabled: null,
   quotaNotifyDailyThreshold: null,
+  quotaNotifyDailyThresholdType: null,
   quotaNotifyWeeklyEnabled: null,
   quotaNotifyWeeklyThreshold: null,
+  quotaNotifyWeeklyThresholdType: null,
   quotaNotifyTotalEnabled: null,
   quotaNotifyTotalThreshold: null,
+  quotaNotifyTotalThresholdType: null,
 })
 
 const emit = defineEmits<{
@@ -42,10 +48,13 @@ const emit = defineEmits<{
   'update:resetTimezone': [value: string | null]
   'update:quotaNotifyDailyEnabled': [value: boolean | null]
   'update:quotaNotifyDailyThreshold': [value: number | null]
+  'update:quotaNotifyDailyThresholdType': [value: string | null]
   'update:quotaNotifyWeeklyEnabled': [value: boolean | null]
   'update:quotaNotifyWeeklyThreshold': [value: number | null]
+  'update:quotaNotifyWeeklyThresholdType': [value: string | null]
   'update:quotaNotifyTotalEnabled': [value: boolean | null]
   'update:quotaNotifyTotalThreshold': [value: number | null]
+  'update:quotaNotifyTotalThresholdType': [value: string | null]
 }>()
 
 const enabled = computed(() =>
@@ -228,8 +237,10 @@ const onWeeklyModeChange = (e: Event) => {
             v-if="dailyLimit && dailyLimit > 0"
             :enabled="props.quotaNotifyDailyEnabled"
             :threshold="props.quotaNotifyDailyThreshold"
+            :threshold-type="props.quotaNotifyDailyThresholdType"
             @update:enabled="emit('update:quotaNotifyDailyEnabled', $event)"
             @update:threshold="emit('update:quotaNotifyDailyThreshold', $event)"
+            @update:threshold-type="emit('update:quotaNotifyDailyThresholdType', $event)"
           />
         </div>
 
@@ -292,8 +303,10 @@ const onWeeklyModeChange = (e: Event) => {
             v-if="weeklyLimit && weeklyLimit > 0"
             :enabled="props.quotaNotifyWeeklyEnabled"
             :threshold="props.quotaNotifyWeeklyThreshold"
+            :threshold-type="props.quotaNotifyWeeklyThresholdType"
             @update:enabled="emit('update:quotaNotifyWeeklyEnabled', $event)"
             @update:threshold="emit('update:quotaNotifyWeeklyThreshold', $event)"
+            @update:threshold-type="emit('update:quotaNotifyWeeklyThresholdType', $event)"
           />
         </div>
 
@@ -330,8 +343,10 @@ const onWeeklyModeChange = (e: Event) => {
             v-if="totalLimit && totalLimit > 0"
             :enabled="props.quotaNotifyTotalEnabled"
             :threshold="props.quotaNotifyTotalThreshold"
+            :threshold-type="props.quotaNotifyTotalThresholdType"
             @update:enabled="emit('update:quotaNotifyTotalEnabled', $event)"
             @update:threshold="emit('update:quotaNotifyTotalThreshold', $event)"
+            @update:threshold-type="emit('update:quotaNotifyTotalThresholdType', $event)"
           />
         </div>
       </div>
diff --git a/frontend/src/components/account/QuotaNotifyToggle.vue b/frontend/src/components/account/QuotaNotifyToggle.vue
index 4634f5b1..b1c22fe2 100644
--- a/frontend/src/components/account/QuotaNotifyToggle.vue
+++ b/frontend/src/components/account/QuotaNotifyToggle.vue
@@ -6,12 +6,18 @@ const { t } = useI18n()
 defineProps<{
   enabled: boolean | null
   threshold: number | null
+  thresholdType: string | null // "fixed" (default) or "percentage"
 }>()
 
 const emit = defineEmits<{
   'update:enabled': [value: boolean | null]
   'update:threshold': [value: number | null]
+  'update:thresholdType': [value: string | null]
 }>()
+
+function toggleType(current: string | null) {
+  emit('update:thresholdType', current === 'percentage' ? 'fixed' : 'percentage')
+}
 </script>
 
 <template>
@@ -32,15 +38,32 @@ const emit = defineEmits<{
         ]"
       />
     </button>
-    <div v-if="enabled" class="relative flex-1">
-      <span class="absolute left-2 top-1/2 -translate-y-1/2 text-gray-400 text-sm">$</span>
+    <div v-if="enabled" class="flex items-center gap-1 flex-1">
+      <button
+        type="button"
+        class="px-1.5 py-0.5 text-xs font-medium rounded border transition-colors"
+        :class="(!thresholdType || thresholdType === 'fixed') ? 'bg-primary-100 text-primary-700 border-primary-300 dark:bg-primary-900/30 dark:text-primary-400 dark:border-primary-700' : 'bg-gray-100 text-gray-500 border-gray-200 dark:bg-dark-600 dark:text-gray-400 dark:border-dark-500'"
+        @click="toggleType(thresholdType)"
+      >
+        $
+      </button>
+      <button
+        type="button"
+        class="px-1.5 py-0.5 text-xs font-medium rounded border transition-colors"
+        :class="thresholdType === 'percentage' ? 'bg-primary-100 text-primary-700 border-primary-300 dark:bg-primary-900/30 dark:text-primary-400 dark:border-primary-700' : 'bg-gray-100 text-gray-500 border-gray-200 dark:bg-dark-600 dark:text-gray-400 dark:border-dark-500'"
+        @click="toggleType(thresholdType)"
+      >
+        %
+      </button>
       <input
         :value="threshold"
         @input="emit('update:threshold', parseFloat(($event.target as HTMLInputElement).value) || null)"
         type="number"
         min="0"
-        step="0.01"
-        class="input pl-6 py-1 text-sm"
+        :max="thresholdType === 'percentage' ? 100 : undefined"
+        :step="thresholdType === 'percentage' ? 1 : 0.01"
+        class="input py-1 text-sm flex-1"
+        :placeholder="thresholdType === 'percentage' ? t('admin.accounts.quotaNotify.thresholdPlaceholder') : t('admin.accounts.quotaNotify.threshold')"
       />
     </div>
   </div>
diff --git a/frontend/src/i18n/locales/en.ts b/frontend/src/i18n/locales/en.ts
index 8e10bf2a..6688c1b6 100644
--- a/frontend/src/i18n/locales/en.ts
+++ b/frontend/src/i18n/locales/en.ts
@@ -2257,7 +2257,7 @@ export default {
         alert: 'Alert Threshold',
         enabled: 'Enable Alert',
         threshold: 'Alert Amount',
-        thresholdPlaceholder: 'Enter alert amount',
+        thresholdPlaceholder: 'Enter percentage',
       },
       testConnection: 'Test Connection',
       reAuthorize: 'Re-Authorize',
@@ -4640,6 +4640,7 @@ export default {
       quotaNotify: {
         title: 'Account Quota Notification',
         description: 'Notify admins when account quota usage reaches alert threshold',
+        enabled: 'Enable Account Quota Notification',
         emails: 'Notification Emails',
         emailsHint: 'Leave empty to disable notifications',
         addEmail: 'Add Email',
diff --git a/frontend/src/i18n/locales/zh.ts b/frontend/src/i18n/locales/zh.ts
index 1b82f419..70d20cc0 100644
--- a/frontend/src/i18n/locales/zh.ts
+++ b/frontend/src/i18n/locales/zh.ts
@@ -2255,7 +2255,7 @@ export default {
         alert: '告警阈值',
         enabled: '启用告警',
         threshold: '告警金额',
-        thresholdPlaceholder: '输入告警金额',
+        thresholdPlaceholder: '输入百分比',
       },
       testConnection: '测试连接',
       reAuthorize: '重新授权',
@@ -4804,6 +4804,7 @@ export default {
       quotaNotify: {
         title: '账号限额通知',
         description: '当账号配额用量达到告警阈值时通知管理员',
+        enabled: '启用账号限额通知',
         emails: '通知邮箱',
         emailsHint: '留空则不发送通知',
         addEmail: '添加邮箱',
diff --git a/frontend/src/stores/app.ts b/frontend/src/stores/app.ts
index 09e73621..b69c3648 100644
--- a/frontend/src/stores/app.ts
+++ b/frontend/src/stores/app.ts
@@ -339,7 +339,9 @@ export const useAppStore = defineStore('app', () => {
         oidc_oauth_enabled: false,
         oidc_oauth_provider_name: 'OIDC',
         backend_mode_enabled: false,
-        version: siteVersion.value
+        version: siteVersion.value,
+        balance_low_notify_enabled: false,
+        account_quota_notify_enabled: false,
       }
     }
 
diff --git a/frontend/src/types/index.ts b/frontend/src/types/index.ts
index e74f6e61..c6c74354 100644
--- a/frontend/src/types/index.ts
+++ b/frontend/src/types/index.ts
@@ -117,6 +117,8 @@ export interface PublicSettings {
   oidc_oauth_provider_name: string
   backend_mode_enabled: boolean
   version: string
+  balance_low_notify_enabled: boolean
+  account_quota_notify_enabled: boolean
 }
 
 export interface AuthResponse {
diff --git a/frontend/src/views/admin/SettingsView.vue b/frontend/src/views/admin/SettingsView.vue
index b5181ccc..222d1dd7 100644
--- a/frontend/src/views/admin/SettingsView.vue
+++ b/frontend/src/views/admin/SettingsView.vue
@@ -2718,11 +2718,15 @@
             </p>
           </div>
           <div class="px-6 py-6 space-y-4">
-            <div>
+            <div class="flex items-center justify-between">
+              <label class="mb-0 block text-sm font-medium text-gray-700 dark:text-gray-300">{{ t('admin.settings.quotaNotify.enabled') }}</label>
+              <Toggle v-model="form.account_quota_notify_enabled" />
+            </div>
+            <div v-if="form.account_quota_notify_enabled">
               <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">{{ t('admin.settings.quotaNotify.emails') }}</label>
               <div class="space-y-2">
                 <div v-for="(_, index) in (form.account_quota_notify_emails || [])" :key="index" class="flex items-center gap-2">
-                  <input v-model="form.account_quota_notify_emails[index]" type="email" class="input flex-1" />
+                  <input v-model="form.account_quota_notify_emails[index]" type="email" class="input flex-1" :placeholder="t('admin.settings.quotaNotify.emailPlaceholder')" />
                   <button @click="form.account_quota_notify_emails.splice(index, 1)" class="btn btn-secondary px-2" type="button">
                     <Icon name="x" size="xs" class="h-4 w-4" />
                   </button>
@@ -3018,6 +3022,7 @@ const form = reactive<SettingsForm>({
   // Balance & quota notification
   balance_low_notify_enabled: false,
   balance_low_notify_threshold: 0,
+  account_quota_notify_enabled: false,
   account_quota_notify_emails: [] as string[]
 })
 
@@ -3588,6 +3593,7 @@ async function saveSettings() {
       // Balance & quota notification
       balance_low_notify_enabled: form.balance_low_notify_enabled,
       balance_low_notify_threshold: Number(form.balance_low_notify_threshold) || 0,
+      account_quota_notify_enabled: form.account_quota_notify_enabled,
       account_quota_notify_emails: (form.account_quota_notify_emails || []).filter((e: string) => e.trim() !== ''),
     }
 
diff --git a/frontend/src/views/user/ProfileView.vue b/frontend/src/views/user/ProfileView.vue
index 5534e1d6..f801e20d 100644
--- a/frontend/src/views/user/ProfileView.vue
+++ b/frontend/src/views/user/ProfileView.vue
@@ -15,7 +15,7 @@
       </div>
       <ProfileEditForm :initial-username="user?.username || ''" />
       <ProfileBalanceNotifyCard
-        v-if="user"
+        v-if="user && balanceLowNotifyEnabled"
         :enabled="user.balance_notify_enabled ?? true"
         :threshold="user.balance_notify_threshold"
         :extra-emails="user.balance_notify_extra_emails ?? []"
@@ -40,11 +40,12 @@ import { Icon } from '@/components/icons'
 
 const { t } = useI18n(); const authStore = useAuthStore(); const user = computed(() => authStore.user)
 const contactInfo = ref('')
+const balanceLowNotifyEnabled = ref(false)
 
 const WalletIcon = { render: () => h('svg', { fill: 'none', viewBox: '0 0 24 24', stroke: 'currentColor', 'stroke-width': '1.5' }, [h('path', { d: 'M21 12a2.25 2.25 0 00-2.25-2.25H15a3 3 0 11-6 0H5.25A2.25 2.25 0 003 12' })]) }
 const BoltIcon = { render: () => h('svg', { fill: 'none', viewBox: '0 0 24 24', stroke: 'currentColor', 'stroke-width': '1.5' }, [h('path', { d: 'm3.75 13.5 10.5-11.25L12 10.5h8.25L9.75 21.75 12 13.5H3.75z' })]) }
 const CalendarIcon = { render: () => h('svg', { fill: 'none', viewBox: '0 0 24 24', stroke: 'currentColor', 'stroke-width': '1.5' }, [h('path', { d: 'M6.75 3v2.25M17.25 3v2.25' })]) }
 
-onMounted(async () => { try { const s = await authAPI.getPublicSettings(); contactInfo.value = s.contact_info || '' } catch (error) { console.error('Failed to load contact info:', error) } })
+onMounted(async () => { try { const s = await authAPI.getPublicSettings(); contactInfo.value = s.contact_info || ''; balanceLowNotifyEnabled.value = s.balance_low_notify_enabled ?? false } catch (error) { console.error('Failed to load contact info:', error) } })
 const formatCurrency = (v: number) => `$${v.toFixed(2)}`
 </script>
\ No newline at end of file

From 4e96a6faece261ca60905a01c751f087fd299976 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Sun, 12 Apr 2026 18:11:47 +0800
Subject: [PATCH 040/122] fix: address audit findings for notify, websearch and
 security

- Fix GetByKeyForAuth missing user.FieldEmail and user.FieldUsername (notifications sent to empty address)
- Guard against empty email in collectBalanceNotifyRecipients
- Remove non-atomic TotalRecharged read-modify-write in admin balance adjustment
- HTML-escape userName/siteName/accountName in notification email templates
- Fix timer leak in ProfileBalanceNotifyCard (add onUnmounted cleanup)
- Add warning log on websearch proxy URL resolution failure
---
 backend/internal/repository/api_key_repo.go            |  2 ++
 backend/internal/service/admin_service.go              |  6 ------
 backend/internal/service/balance_notify_service.go     | 10 +++++++---
 backend/internal/service/websearch_config.go           |  1 +
 .../user/profile/ProfileBalanceNotifyCard.vue          |  6 +++++-
 5 files changed, 15 insertions(+), 10 deletions(-)

diff --git a/backend/internal/repository/api_key_repo.go b/backend/internal/repository/api_key_repo.go
index 11eac7a8..d1b42750 100644
--- a/backend/internal/repository/api_key_repo.go
+++ b/backend/internal/repository/api_key_repo.go
@@ -139,6 +139,8 @@ func (r *apiKeyRepository) GetByKeyForAuth(ctx context.Context, key string) (*se
 		WithUser(func(q *dbent.UserQuery) {
 			q.Select(
 				user.FieldID,
+				user.FieldEmail,
+				user.FieldUsername,
 				user.FieldStatus,
 				user.FieldRole,
 				user.FieldBalance,
diff --git a/backend/internal/service/admin_service.go b/backend/internal/service/admin_service.go
index a4e22b22..97b42c24 100644
--- a/backend/internal/service/admin_service.go
+++ b/backend/internal/service/admin_service.go
@@ -709,12 +709,6 @@ func (s *adminServiceImpl) UpdateUserBalance(ctx context.Context, userID int64,
 		return nil, fmt.Errorf("balance cannot be negative, current balance: %.2f, requested operation would result in: %.2f", oldBalance, user.Balance)
 	}
 
-	// Track cumulative recharge for percentage-based balance notifications
-	balanceDelta := user.Balance - oldBalance
-	if balanceDelta > 0 {
-		user.TotalRecharged += balanceDelta
-	}
-
 	if err := s.userRepo.Update(ctx, user); err != nil {
 		return nil, err
 	}
diff --git a/backend/internal/service/balance_notify_service.go b/backend/internal/service/balance_notify_service.go
index 65cec594..68202958 100644
--- a/backend/internal/service/balance_notify_service.go
+++ b/backend/internal/service/balance_notify_service.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"html"
 	"log/slog"
 	"strconv"
 	"strings"
@@ -195,7 +196,10 @@ func (s *BalanceNotifyService) getSiteName(ctx context.Context) string {
 
 // collectBalanceNotifyRecipients collects all email recipients for balance notifications.
 func (s *BalanceNotifyService) collectBalanceNotifyRecipients(user *User) []string {
-	recipients := []string{user.Email}
+	var recipients []string
+	if user.Email != "" {
+		recipients = append(recipients, user.Email)
+	}
 	for _, extra := range user.BalanceNotifyExtraEmails {
 		email := strings.TrimSpace(extra)
 		if email != "" && !strings.EqualFold(email, user.Email) {
@@ -224,7 +228,7 @@ func (s *BalanceNotifyService) sendBalanceLowEmails(recipients []string, userNam
 		displayName = userEmail
 	}
 	subject := fmt.Sprintf("[%s] 余额不足提醒 / Balance Low Alert", siteName)
-	body := s.buildBalanceLowEmailBody(displayName, balance, threshold, siteName)
+	body := s.buildBalanceLowEmailBody(html.EscapeString(displayName), balance, threshold, html.EscapeString(siteName))
 	s.sendEmails(recipients, subject, body, "user_email", userEmail, "balance", balance)
 }
 
@@ -236,7 +240,7 @@ func (s *BalanceNotifyService) sendQuotaAlertEmails(adminEmails []string, accoun
 	}
 
 	subject := fmt.Sprintf("[%s] 账号限额告警 / Account Quota Alert - %s", siteName, accountName)
-	body := s.buildQuotaAlertEmailBody(accountName, dimLabel, used, limit, threshold, siteName)
+	body := s.buildQuotaAlertEmailBody(html.EscapeString(accountName), html.EscapeString(dimLabel), used, limit, threshold, html.EscapeString(siteName))
 	s.sendEmails(adminEmails, subject, body, "account", accountName, "dimension", dimension)
 }
 
diff --git a/backend/internal/service/websearch_config.go b/backend/internal/service/websearch_config.go
index 346faf1f..99e40275 100644
--- a/backend/internal/service/websearch_config.go
+++ b/backend/internal/service/websearch_config.go
@@ -235,6 +235,7 @@ func (s *SettingService) resolveProviderProxyURLs(ctx context.Context, cfg *WebS
 	}
 	proxies, err := s.proxyRepo.ListByIDs(ctx, ids)
 	if err != nil {
+		slog.Warn("websearch: failed to resolve proxy URLs", "error", err)
 		return nil
 	}
 	result := make(map[int64]string, len(proxies))
diff --git a/frontend/src/components/user/profile/ProfileBalanceNotifyCard.vue b/frontend/src/components/user/profile/ProfileBalanceNotifyCard.vue
index 130d82b5..758704e0 100644
--- a/frontend/src/components/user/profile/ProfileBalanceNotifyCard.vue
+++ b/frontend/src/components/user/profile/ProfileBalanceNotifyCard.vue
@@ -93,7 +93,7 @@
 </template>
 
 <script setup lang="ts">
-import { ref, watch } from 'vue'
+import { ref, watch, onUnmounted } from 'vue'
 import { useI18n } from 'vue-i18n'
 import { useAuthStore } from '@/stores/auth'
 import { useAppStore } from '@/stores/app'
@@ -122,6 +122,10 @@ const codeCountdown = ref(0)
 
 let countdownTimer: ReturnType<typeof setInterval> | null = null
 
+onUnmounted(() => {
+  if (countdownTimer) clearInterval(countdownTimer)
+})
+
 watch(() => props.enabled, (val) => { notifyEnabled.value = val })
 watch(() => props.threshold, (val) => { customThreshold.value = val })
 watch(() => props.extraEmails, (val) => { extraEmails.value = [...val] })

From 80fa484467bc2b9527de2fdfafe39cb39d29baf7 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Sun, 12 Apr 2026 18:29:21 +0800
Subject: [PATCH 041/122] refactor(channels): move account stats pricing rules
 from basic to platform tabs

- Basic settings now only shows the global toggle
- Custom pricing rules appear inside each platform tab when toggle is on
- Group selector in rules scoped to the current platform's groups
- Remove unused allFormGroupIds computed
---
 frontend/src/views/admin/ChannelsView.vue | 118 ++++++++--------------
 1 file changed, 40 insertions(+), 78 deletions(-)

diff --git a/frontend/src/views/admin/ChannelsView.vue b/frontend/src/views/admin/ChannelsView.vue
index 639ace4a..2e45ba42 100644
--- a/frontend/src/views/admin/ChannelsView.vue
+++ b/frontend/src/views/admin/ChannelsView.vue
@@ -251,6 +251,24 @@
                 </label>
               </div>
             </div>
+
+            <!-- Apply Pricing to Account Stats (toggle only in basic settings) -->
+            <div class="border-t border-gray-200 pt-4 dark:border-dark-700">
+              <div class="flex items-center justify-between">
+                <div>
+                  <label class="text-sm font-medium text-gray-700 dark:text-gray-300">
+                    {{ t('admin.channels.form.applyPricingToAccountStats') }}
+                  </label>
+                  <p class="mt-0.5 text-xs text-gray-500 dark:text-gray-400">
+                    {{ t('admin.channels.form.applyPricingToAccountStatsDesc') }}
+                  </p>
+                </div>
+                <Toggle
+                  :modelValue="form.apply_pricing_to_account_stats"
+                  @update:modelValue="form.apply_pricing_to_account_stats = $event"
+                />
+              </div>
+            </div>
           </div>
 
           <!-- Platform Tab Content -->
@@ -394,49 +412,30 @@
                 />
               </div>
             </div>
-          </div>
 
-          <!-- Account Stats Pricing (always visible, not tied to platform tabs) -->
-          <div class="mt-6 border-t border-gray-200 pt-4 dark:border-dark-700">
-            <!-- Toggle -->
-            <div class="flex items-center justify-between mb-3">
-              <div>
-                <label class="text-sm font-medium text-gray-700 dark:text-gray-300">
-                  {{ t('admin.channels.form.applyPricingToAccountStats', 'Apply Pricing to Account Stats') }}
-                </label>
-                <p class="mt-0.5 text-xs text-gray-500 dark:text-gray-400">
-                  {{ t('admin.channels.form.applyPricingToAccountStatsDesc', 'When enabled, account statistics cost will use channel model pricing. Account rate multiplier still applies.') }}
-                </p>
-              </div>
-              <Toggle
-                :modelValue="form.apply_pricing_to_account_stats"
-                @update:modelValue="form.apply_pricing_to_account_stats = $event"
-              />
-            </div>
-
-            <!-- Custom rules (only when toggle is on) -->
-            <div v-if="form.apply_pricing_to_account_stats" class="mt-4 space-y-4">
+            <!-- Account Stats Pricing Rules (per-platform, only when global toggle is on) -->
+            <div v-if="form.apply_pricing_to_account_stats" class="mt-4 border-t border-gray-200 pt-4 dark:border-dark-700 space-y-3">
               <div class="flex items-center justify-between">
                 <h4 class="text-sm font-medium text-gray-700 dark:text-gray-300">
-                  {{ t('admin.channels.form.accountStatsPricingRules', 'Custom Account Stats Pricing Rules') }}
+                  {{ t('admin.channels.form.accountStatsPricingRules') }}
                 </h4>
                 <button
                   type="button"
                   @click="addAccountStatsRule()"
                   class="rounded-lg border border-primary-300 px-3 py-1 text-xs font-medium text-primary-600 hover:bg-primary-50 dark:border-primary-600 dark:text-primary-400 dark:hover:bg-primary-900/20"
                 >
-                  + {{ t('admin.channels.form.addRule', 'Add Rule') }}
+                  + {{ t('admin.channels.form.addRule') }}
                 </button>
               </div>
 
+              <!-- Filter rules for this platform's groups -->
               <p
                 v-if="form.account_stats_pricing_rules.length === 0"
                 class="text-xs italic text-gray-400 dark:text-gray-500"
               >
-                {{ t('admin.channels.form.noRulesConfigured', 'No custom rules configured. Channel model pricing above will be used.') }}
+                {{ t('admin.channels.form.noRulesConfigured') }}
               </p>
 
-              <!-- Rule cards -->
               <div
                 v-for="(rule, ruleIndex) in form.account_stats_pricing_rules"
                 :key="ruleIndex"
@@ -445,85 +444,60 @@
                 <div class="flex items-center justify-between">
                   <input
                     v-model="rule.name"
-                    :placeholder="t('admin.channels.form.ruleName', 'Rule name (optional)')"
+                    :placeholder="t('admin.channels.form.ruleName')"
                     class="bg-transparent text-sm font-medium text-gray-700 placeholder-gray-400 outline-none dark:text-gray-300"
                   />
-                  <button
-                    type="button"
-                    @click="removeAccountStatsRule(ruleIndex)"
-                    class="text-xs text-red-500 hover:text-red-700"
-                  >
-                    {{ t('common.delete', 'Delete') }}
+                  <button type="button" @click="removeAccountStatsRule(ruleIndex)" class="text-xs text-red-500 hover:text-red-700">
+                    {{ t('common.delete') }}
                   </button>
                 </div>
 
-                <!-- Group selection (multi-select from channel's groups) -->
                 <div>
-                  <label class="text-xs text-gray-500 dark:text-gray-400">
-                    {{ t('admin.channels.form.ruleGroups', 'Groups') }}
-                  </label>
+                  <label class="text-xs text-gray-500 dark:text-gray-400">{{ t('admin.channels.form.ruleGroups') }}</label>
                   <div class="mt-1 flex flex-wrap gap-1">
                     <label
-                      v-for="gid in allFormGroupIds"
+                      v-for="gid in section.group_ids"
                       :key="gid"
                       class="inline-flex cursor-pointer items-center gap-1 rounded-md border px-2 py-1 text-xs transition-colors"
                       :class="rule.group_ids.includes(gid)
                         ? 'border-primary-300 bg-primary-50 dark:border-primary-700 dark:bg-primary-900/20'
                         : 'border-gray-200 hover:bg-gray-50 dark:border-dark-600 dark:hover:bg-dark-700'"
                     >
-                      <input
-                        type="checkbox"
-                        :checked="rule.group_ids.includes(gid)"
-                        class="h-3 w-3 rounded border-gray-300 text-primary-600 focus:ring-primary-500"
-                        @change="rule.group_ids.includes(gid) ? rule.group_ids.splice(rule.group_ids.indexOf(gid), 1) : rule.group_ids.push(gid)"
-                      />
+                      <input type="checkbox" :checked="rule.group_ids.includes(gid)" class="h-3 w-3 rounded border-gray-300 text-primary-600 focus:ring-primary-500" @change="rule.group_ids.includes(gid) ? rule.group_ids.splice(rule.group_ids.indexOf(gid), 1) : rule.group_ids.push(gid)" />
                       <span>{{ getGroupNameById(gid) }}</span>
                     </label>
                   </div>
-                  <p v-if="allFormGroupIds.length === 0" class="mt-1 text-xs text-gray-400">
-                    {{ t('admin.channels.form.noGroupsInChannel', 'No groups selected in platform tabs above') }}
+                  <p v-if="section.group_ids.length === 0" class="mt-1 text-xs text-gray-400">
+                    {{ t('admin.channels.form.noGroupsInChannel') }}
                   </p>
                 </div>
 
-                <!-- Account IDs input -->
                 <div>
-                  <label class="text-xs text-gray-500 dark:text-gray-400">
-                    {{ t('admin.channels.form.ruleAccounts', 'Account IDs') }}
-                  </label>
+                  <label class="text-xs text-gray-500 dark:text-gray-400">{{ t('admin.channels.form.ruleAccounts') }}</label>
                   <input
                     :value="rule.account_ids.join(', ')"
                     @change="rule.account_ids = parseAccountIdsInput(($event.target as HTMLInputElement).value)"
-                    :placeholder="t('admin.channels.form.ruleAccountsPlaceholder', 'Enter account IDs, comma-separated')"
+                    :placeholder="t('admin.channels.form.ruleAccountsPlaceholder')"
                     class="input mt-1 text-sm"
                   />
                 </div>
 
-                <!-- Model Pricing entries -->
                 <div>
                   <div class="mb-1 flex items-center justify-between">
-                    <label class="text-xs text-gray-500 dark:text-gray-400">
-                      {{ t('admin.channels.form.ruleModelPricing', 'Model Pricing') }}
-                    </label>
-                    <button
-                      type="button"
-                      @click="addRulePricingEntry(ruleIndex)"
-                      class="text-xs text-primary-600 hover:text-primary-700"
-                    >
-                      + {{ t('common.add', 'Add') }}
+                    <label class="text-xs text-gray-500 dark:text-gray-400">{{ t('admin.channels.form.ruleModelPricing') }}</label>
+                    <button type="button" @click="addRulePricingEntry(ruleIndex)" class="text-xs text-primary-600 hover:text-primary-700">
+                      + {{ t('common.add') }}
                     </button>
                   </div>
-                  <div
-                    v-if="rule.pricing.length === 0"
-                    class="rounded border border-dashed border-gray-300 p-2 text-center text-xs text-gray-400 dark:border-dark-500"
-                  >
-                    {{ t('admin.channels.form.noPricingRules', 'No pricing rules yet. Click "Add" to create one.') }}
+                  <div v-if="rule.pricing.length === 0" class="rounded border border-dashed border-gray-300 p-2 text-center text-xs text-gray-400 dark:border-dark-500">
+                    {{ t('admin.channels.form.noPricingRules') }}
                   </div>
                   <div v-else class="space-y-2">
                     <PricingEntryCard
                       v-for="(entry, pIdx) in rule.pricing"
                       :key="pIdx"
                       :entry="entry"
-                      platform=""
+                      :platform="section.platform"
                       @update="rule.pricing.splice(pIdx, 1, $event)"
                       @remove="removeRulePricingEntry(ruleIndex, pIdx)"
                     />
@@ -889,18 +863,6 @@ function getGroupNameById(groupId: number): string {
   return group ? group.name : `#${groupId}`
 }
 
-/** Collect all group_ids from enabled platform sections */
-const allFormGroupIds = computed(() => {
-  const ids = new Set<number>()
-  for (const section of form.platforms) {
-    if (!section.enabled) continue
-    for (const gid of section.group_ids) {
-      ids.add(gid)
-    }
-  }
-  return [...ids]
-})
-
 function parseAccountIdsInput(value: string): number[] {
   return value
     .split(',')

From 5df7309979a406acd7aeae53be66dfc8a0d9532b Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Sun, 12 Apr 2026 18:51:34 +0800
Subject: [PATCH 042/122] fix(websearch): add 15s timeout for admin test search

---
 backend/internal/service/websearch_config.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/backend/internal/service/websearch_config.go b/backend/internal/service/websearch_config.go
index 99e40275..5658cec3 100644
--- a/backend/internal/service/websearch_config.go
+++ b/backend/internal/service/websearch_config.go
@@ -254,12 +254,16 @@ type WebSearchTestResult struct {
 
 // TestWebSearch executes a test search using the currently configured Manager.
 // Uses Manager.TestSearch which bypasses quota tracking.
+const testSearchTimeout = 15 * time.Second
+
 func TestWebSearch(ctx context.Context, query string) (*WebSearchTestResult, error) {
 	mgr := getWebSearchManager()
 	if mgr == nil {
 		return nil, fmt.Errorf("web search: manager not initialized, save config first")
 	}
-	resp, providerName, err := mgr.TestSearch(ctx, websearch.SearchRequest{
+	testCtx, cancel := context.WithTimeout(ctx, testSearchTimeout)
+	defer cancel()
+	resp, providerName, err := mgr.TestSearch(testCtx, websearch.SearchRequest{
 		Query:      query,
 		MaxResults: webSearchDefaultMaxResults,
 	})

From 49281bbe457addda6be95be410156a825645f968 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Sun, 12 Apr 2026 19:46:26 +0800
Subject: [PATCH 043/122] fix(websearch): hide show/copy buttons when API key
 is empty

Only show the inline eye/copy buttons when provider.api_key has a value.
When only api_key_configured is true (saved key, not loaded), buttons are
hidden since there's nothing to show/copy.
---
 frontend/src/views/admin/SettingsView.vue | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/frontend/src/views/admin/SettingsView.vue b/frontend/src/views/admin/SettingsView.vue
index 222d1dd7..10dd940f 100644
--- a/frontend/src/views/admin/SettingsView.vue
+++ b/frontend/src/views/admin/SettingsView.vue
@@ -1796,10 +1796,11 @@
                       <input
                         v-model="provider.api_key"
                         :type="apiKeyVisible[pIdx] ? 'text' : 'password'"
-                        class="input w-full pr-16 text-sm"
+                        class="input w-full text-sm"
+                        :class="provider.api_key ? 'pr-16' : ''"
                         :placeholder="provider.api_key_configured ? '••••••••' : t('admin.settings.webSearchEmulation.apiKeyPlaceholder')"
                       />
-                      <div class="absolute inset-y-0 right-0 flex items-center pr-1.5">
+                      <div v-if="provider.api_key" class="absolute inset-y-0 right-0 flex items-center pr-1.5">
                         <button
                           type="button"
                           class="rounded p-1 text-gray-400 hover:text-gray-600 dark:hover:text-gray-300"

From 79d154ed73b4cd20c6f819098f99e89421347e6e Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Sun, 12 Apr 2026 20:10:24 +0800
Subject: [PATCH 044/122] fix(notify): add balance/quota notify flags to
 PublicSettings DTO and handler

The service layer correctly populated BalanceLowNotifyEnabled and
AccountQuotaNotifyEnabled in PublicSettings, but the handler-to-DTO
mapping was missing. Users could not see the balance notify card because
the public settings API never returned these flags.
---
 backend/internal/handler/dto/settings.go    | 2 ++
 backend/internal/handler/setting_handler.go | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/backend/internal/handler/dto/settings.go b/backend/internal/handler/dto/settings.go
index e29f72da..978c1341 100644
--- a/backend/internal/handler/dto/settings.go
+++ b/backend/internal/handler/dto/settings.go
@@ -191,6 +191,8 @@ type PublicSettings struct {
 	BackendModeEnabled               bool             `json:"backend_mode_enabled"`
 	PaymentEnabled                   bool             `json:"payment_enabled"`
 	Version                          string           `json:"version"`
+	BalanceLowNotifyEnabled          bool             `json:"balance_low_notify_enabled"`
+	AccountQuotaNotifyEnabled        bool             `json:"account_quota_notify_enabled"`
 }
 
 // OverloadCooldownSettings 529过载冷却配置 DTO
diff --git a/backend/internal/handler/setting_handler.go b/backend/internal/handler/setting_handler.go
index 54a92a8c..0232ddfb 100644
--- a/backend/internal/handler/setting_handler.go
+++ b/backend/internal/handler/setting_handler.go
@@ -61,5 +61,7 @@ func (h *SettingHandler) GetPublicSettings(c *gin.Context) {
 		BackendModeEnabled:               settings.BackendModeEnabled,
 		PaymentEnabled:                   settings.PaymentEnabled,
 		Version:                          h.version,
+		BalanceLowNotifyEnabled:          settings.BalanceLowNotifyEnabled,
+		AccountQuotaNotifyEnabled:        settings.AccountQuotaNotifyEnabled,
 	})
 }

From 81287e960ce2ab5174d86d38db267cb8589566d1 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Sun, 12 Apr 2026 20:29:26 +0800
Subject: [PATCH 045/122] feat(notify): improve balance notify card UX

- Show system default threshold as placeholder in custom threshold input
- Display user's primary email with "Primary" badge
- Support adding multiple pending emails before verification
- Each pending email has independent send/verify/resend flow
- Expose balance_low_notify_threshold in PublicSettings API
- Clean up timers on unmount to prevent leaks
---
 backend/internal/handler/dto/settings.go      |   1 +
 backend/internal/handler/setting_handler.go   |   1 +
 backend/internal/service/setting_service.go   |   9 +
 backend/internal/service/settings_view.go     |   5 +-
 .../user/profile/ProfileBalanceNotifyCard.vue | 228 ++++++++++--------
 frontend/src/i18n/locales/en.ts               |   6 +-
 frontend/src/i18n/locales/zh.ts               |   6 +-
 frontend/src/stores/app.ts                    |   1 +
 frontend/src/types/index.ts                   |   1 +
 frontend/src/views/user/ProfileView.vue       |   5 +-
 10 files changed, 162 insertions(+), 101 deletions(-)

diff --git a/backend/internal/handler/dto/settings.go b/backend/internal/handler/dto/settings.go
index 978c1341..9c2ff263 100644
--- a/backend/internal/handler/dto/settings.go
+++ b/backend/internal/handler/dto/settings.go
@@ -193,6 +193,7 @@ type PublicSettings struct {
 	Version                          string           `json:"version"`
 	BalanceLowNotifyEnabled          bool             `json:"balance_low_notify_enabled"`
 	AccountQuotaNotifyEnabled        bool             `json:"account_quota_notify_enabled"`
+	BalanceLowNotifyThreshold        float64          `json:"balance_low_notify_threshold"`
 }
 
 // OverloadCooldownSettings 529过载冷却配置 DTO
diff --git a/backend/internal/handler/setting_handler.go b/backend/internal/handler/setting_handler.go
index 0232ddfb..69ffd287 100644
--- a/backend/internal/handler/setting_handler.go
+++ b/backend/internal/handler/setting_handler.go
@@ -63,5 +63,6 @@ func (h *SettingHandler) GetPublicSettings(c *gin.Context) {
 		Version:                          h.version,
 		BalanceLowNotifyEnabled:          settings.BalanceLowNotifyEnabled,
 		AccountQuotaNotifyEnabled:        settings.AccountQuotaNotifyEnabled,
+		BalanceLowNotifyThreshold:        settings.BalanceLowNotifyThreshold,
 	})
 }
diff --git a/backend/internal/service/setting_service.go b/backend/internal/service/setting_service.go
index abcae9c1..773b84ba 100644
--- a/backend/internal/service/setting_service.go
+++ b/backend/internal/service/setting_service.go
@@ -183,6 +183,7 @@ func (s *SettingService) GetPublicSettings(ctx context.Context) (*PublicSettings
 		SettingKeyOIDCConnectEnabled,
 		SettingKeyOIDCConnectProviderName,
 		SettingKeyBalanceLowNotifyEnabled,
+		SettingKeyBalanceLowNotifyThreshold,
 		SettingKeyAccountQuotaNotifyEnabled,
 	}
 
@@ -222,6 +223,11 @@ func (s *SettingService) GetPublicSettings(ctx context.Context) (*PublicSettings
 		settings[SettingKeyTablePageSizeOptions],
 	)
 
+	var balanceLowNotifyThreshold float64
+	if v, err := strconv.ParseFloat(settings[SettingKeyBalanceLowNotifyThreshold], 64); err == nil && v >= 0 {
+		balanceLowNotifyThreshold = v
+	}
+
 	return &PublicSettings{
 		RegistrationEnabled:              settings[SettingKeyRegistrationEnabled] == "true",
 		EmailVerifyEnabled:               emailVerifyEnabled,
@@ -253,6 +259,7 @@ func (s *SettingService) GetPublicSettings(ctx context.Context) (*PublicSettings
 		OIDCOAuthProviderName:            oidcProviderName,
 		BalanceLowNotifyEnabled:          settings[SettingKeyBalanceLowNotifyEnabled] == "true",
 		AccountQuotaNotifyEnabled:        settings[SettingKeyAccountQuotaNotifyEnabled] == "true",
+		BalanceLowNotifyThreshold:        balanceLowNotifyThreshold,
 	}, nil
 }
 
@@ -308,6 +315,7 @@ func (s *SettingService) GetPublicSettingsForInjection(ctx context.Context) (any
 		Version                          string          `json:"version,omitempty"`
 		BalanceLowNotifyEnabled          bool            `json:"balance_low_notify_enabled"`
 		AccountQuotaNotifyEnabled        bool            `json:"account_quota_notify_enabled"`
+		BalanceLowNotifyThreshold        float64         `json:"balance_low_notify_threshold"`
 	}{
 		RegistrationEnabled:              settings.RegistrationEnabled,
 		EmailVerifyEnabled:               settings.EmailVerifyEnabled,
@@ -340,6 +348,7 @@ func (s *SettingService) GetPublicSettingsForInjection(ctx context.Context) (any
 		Version:                          s.version,
 		BalanceLowNotifyEnabled:          settings.BalanceLowNotifyEnabled,
 		AccountQuotaNotifyEnabled:        settings.AccountQuotaNotifyEnabled,
+		BalanceLowNotifyThreshold:        settings.BalanceLowNotifyThreshold,
 	}, nil
 }
 
diff --git a/backend/internal/service/settings_view.go b/backend/internal/service/settings_view.go
index b79b930a..274ec792 100644
--- a/backend/internal/service/settings_view.go
+++ b/backend/internal/service/settings_view.go
@@ -154,8 +154,9 @@ type PublicSettings struct {
 	OIDCOAuthProviderName string
 	Version               string
 
-	BalanceLowNotifyEnabled    bool
-	AccountQuotaNotifyEnabled  bool
+	BalanceLowNotifyEnabled          bool
+	AccountQuotaNotifyEnabled        bool
+	BalanceLowNotifyThreshold        float64
 }
 
 // StreamTimeoutSettings 流超时处理配置（仅控制超时后的处理方式，超时判定由网关配置控制）
diff --git a/frontend/src/components/user/profile/ProfileBalanceNotifyCard.vue b/frontend/src/components/user/profile/ProfileBalanceNotifyCard.vue
index 758704e0..cfe1b332 100644
--- a/frontend/src/components/user/profile/ProfileBalanceNotifyCard.vue
+++ b/frontend/src/components/user/profile/ProfileBalanceNotifyCard.vue
@@ -4,90 +4,113 @@
       <h2 class="text-lg font-medium text-gray-900 dark:text-white">
         {{ t('profile.balanceNotify.title') }}
       </h2>
+      <p class="mt-1 text-sm text-gray-500 dark:text-gray-400">
+        {{ t('profile.balanceNotify.description') }}
+      </p>
     </div>
     <div class="px-6 py-6 space-y-6">
       <!-- Enable toggle -->
       <div class="flex items-center justify-between">
-        <div>
-          <label class="input-label">{{ t('profile.balanceNotify.enabled') }}</label>
-        </div>
+        <label class="input-label mb-0">{{ t('profile.balanceNotify.enabled') }}</label>
         <label class="relative inline-flex items-center cursor-pointer">
           <input type="checkbox" v-model="notifyEnabled" @change="handleToggle" class="sr-only peer" />
           <div class="w-11 h-6 bg-gray-200 peer-focus:outline-none peer-focus:ring-4 peer-focus:ring-primary-300 dark:peer-focus:ring-primary-800 rounded-full peer dark:bg-gray-700 peer-checked:after:translate-x-full peer-checked:after:border-white after:content-[''] after:absolute after:top-[2px] after:left-[2px] after:bg-white after:border-gray-300 after:border after:rounded-full after:h-5 after:w-5 after:transition-all dark:after:border-gray-600 peer-checked:bg-primary-600"></div>
         </label>
       </div>
 
-      <!-- Custom threshold -->
-      <div v-if="notifyEnabled">
-        <label class="input-label">
-          {{ t('profile.balanceNotify.threshold') }}
-          <span class="text-xs text-gray-400 ml-2">{{ t('profile.balanceNotify.thresholdHint') }}</span>
-        </label>
-        <div class="flex items-center gap-2">
-          <span class="text-gray-500">$</span>
-          <input
-            v-model.number="customThreshold"
-            type="number"
-            min="0"
-            step="0.01"
-            class="input flex-1"
-            :placeholder="t('profile.balanceNotify.thresholdPlaceholder')"
-            @blur="handleThresholdUpdate"
-          />
-        </div>
-      </div>
-
-      <!-- Extra emails -->
-      <div v-if="notifyEnabled">
-        <label class="input-label">{{ t('profile.balanceNotify.extraEmails') }}</label>
-
-        <!-- Existing emails list -->
-        <div v-if="extraEmails.length > 0" class="space-y-2 mb-4">
-          <div v-for="email in extraEmails" :key="email"
-            class="flex items-center justify-between px-3 py-2 bg-gray-50 dark:bg-dark-700 rounded-lg">
-            <span class="text-sm text-gray-700 dark:text-gray-300">{{ email }}</span>
-            <button @click="handleRemoveEmail(email)" class="text-red-500 hover:text-red-700 text-sm">
-              {{ t('profile.balanceNotify.removeEmail') }}
-            </button>
+      <template v-if="notifyEnabled">
+        <!-- Custom threshold -->
+        <div>
+          <label class="input-label">
+            {{ t('profile.balanceNotify.threshold') }}
+            <span class="text-xs text-gray-400 ml-2">{{ t('profile.balanceNotify.thresholdHint') }}</span>
+          </label>
+          <div class="flex items-center gap-2">
+            <span class="text-gray-500">$</span>
+            <input
+              v-model.number="customThreshold"
+              type="number"
+              min="0"
+              step="0.01"
+              class="input flex-1"
+              :placeholder="systemDefaultThreshold > 0 ? `${t('profile.balanceNotify.systemDefault')} $${systemDefaultThreshold}` : t('profile.balanceNotify.thresholdPlaceholder')"
+              @blur="handleThresholdUpdate"
+            />
           </div>
         </div>
 
-        <!-- Add new email -->
-        <div class="space-y-2">
+        <!-- Primary email (always shown, with toggle) -->
+        <div>
+          <label class="input-label">{{ t('profile.balanceNotify.extraEmails') }}</label>
+          <div class="space-y-2 mb-3">
+            <div class="flex items-center justify-between px-3 py-2 bg-gray-50 dark:bg-dark-700 rounded-lg">
+              <span class="text-sm text-gray-700 dark:text-gray-300">{{ userEmail }}</span>
+              <span class="text-xs text-gray-400">{{ t('profile.balanceNotify.primaryEmail') }}</span>
+            </div>
+          </div>
+
+          <!-- Verified extra emails -->
+          <div v-if="extraEmails.length > 0" class="space-y-2 mb-3">
+            <div v-for="email in extraEmails" :key="email"
+              class="flex items-center justify-between px-3 py-2 bg-gray-50 dark:bg-dark-700 rounded-lg">
+              <span class="text-sm text-gray-700 dark:text-gray-300">{{ email }}</span>
+              <button @click="handleRemoveEmail(email)" class="text-red-500 hover:text-red-700 text-sm">
+                {{ t('profile.balanceNotify.removeEmail') }}
+              </button>
+            </div>
+          </div>
+
+          <!-- Pending (unverified) emails -->
+          <div v-if="pendingEmails.length > 0" class="space-y-2 mb-3">
+            <div v-for="(pe, idx) in pendingEmails" :key="pe.email"
+              class="flex items-center gap-2 px-3 py-2 bg-yellow-50 dark:bg-yellow-900/10 rounded-lg border border-yellow-200 dark:border-yellow-800">
+              <span class="flex-1 text-sm text-gray-700 dark:text-gray-300">{{ pe.email }}</span>
+              <div v-if="!pe.codeSent" class="flex items-center gap-1">
+                <button @click="sendCodeFor(idx)" :disabled="pe.sending" class="text-xs text-primary-600 hover:text-primary-700">
+                  {{ t('profile.balanceNotify.sendCode') }}
+                </button>
+                <button @click="pendingEmails.splice(idx, 1)" class="text-xs text-red-500 hover:text-red-700 ml-1">
+                  {{ t('profile.balanceNotify.removeEmail') }}
+                </button>
+              </div>
+              <div v-else class="flex items-center gap-1">
+                <input
+                  v-model="pe.code"
+                  type="text"
+                  maxlength="6"
+                  class="w-20 rounded border border-gray-300 px-2 py-1 text-xs dark:border-dark-500 dark:bg-dark-700"
+                  :placeholder="t('profile.balanceNotify.codePlaceholder')"
+                />
+                <button @click="verifyPending(idx)" :disabled="!pe.code || pe.code.length !== 6 || pe.verifying" class="text-xs text-primary-600 hover:text-primary-700">
+                  {{ t('profile.balanceNotify.verify') }}
+                </button>
+                <span v-if="pe.countdown > 0" class="text-xs text-gray-400">{{ pe.countdown }}s</span>
+                <button v-else @click="sendCodeFor(idx)" :disabled="pe.sending" class="text-xs text-gray-500 hover:text-gray-700">
+                  {{ t('profile.balanceNotify.resend') }}
+                </button>
+              </div>
+            </div>
+          </div>
+
+          <!-- Add new email input -->
           <div class="flex gap-2">
             <input
               v-model="newEmail"
               type="email"
               class="input flex-1"
               :placeholder="t('profile.balanceNotify.emailPlaceholder')"
-              :disabled="codeSent"
+              @keyup.enter="addPendingEmail"
             />
             <button
-              @click="handleSendCode"
-              :disabled="!newEmail || sendingCode || codeCountdown > 0"
-              class="btn btn-outline whitespace-nowrap"
+              @click="addPendingEmail"
+              :disabled="!newEmail"
+              class="btn btn-secondary whitespace-nowrap"
             >
-              {{ codeCountdown > 0 ? `${codeCountdown}s` : (codeSent ? t('profile.balanceNotify.codeSent') : t('profile.balanceNotify.sendCode')) }}
-            </button>
-          </div>
-          <div v-if="codeSent" class="flex gap-2">
-            <input
-              v-model="verifyCode"
-              type="text"
-              maxlength="6"
-              class="input flex-1"
-              :placeholder="t('profile.balanceNotify.codePlaceholder')"
-            />
-            <button
-              @click="handleVerify"
-              :disabled="!verifyCode || verifyCode.length !== 6 || verifying"
-              class="btn btn-primary whitespace-nowrap"
-            >
-              {{ t('profile.balanceNotify.verify') }}
+              {{ t('common.add') }}
             </button>
           </div>
         </div>
-      </div>
+      </template>
     </div>
   </div>
 </template>
@@ -100,10 +123,22 @@ import { useAppStore } from '@/stores/app'
 import { userAPI } from '@/api'
 import { extractApiErrorMessage } from '@/utils/apiError'
 
+interface PendingEmail {
+  email: string
+  codeSent: boolean
+  code: string
+  sending: boolean
+  verifying: boolean
+  countdown: number
+  timer: ReturnType<typeof setInterval> | null
+}
+
 const props = defineProps<{
   enabled: boolean
   threshold: number | null
   extraEmails: string[]
+  systemDefaultThreshold: number
+  userEmail: string
 }>()
 
 const { t } = useI18n()
@@ -113,23 +148,19 @@ const appStore = useAppStore()
 const notifyEnabled = ref(props.enabled)
 const customThreshold = ref<number | null>(props.threshold)
 const extraEmails = ref<string[]>([...props.extraEmails])
+const pendingEmails = ref<PendingEmail[]>([])
 const newEmail = ref('')
-const verifyCode = ref('')
-const codeSent = ref(false)
-const sendingCode = ref(false)
-const verifying = ref(false)
-const codeCountdown = ref(0)
-
-let countdownTimer: ReturnType<typeof setInterval> | null = null
-
-onUnmounted(() => {
-  if (countdownTimer) clearInterval(countdownTimer)
-})
 
 watch(() => props.enabled, (val) => { notifyEnabled.value = val })
 watch(() => props.threshold, (val) => { customThreshold.value = val })
 watch(() => props.extraEmails, (val) => { extraEmails.value = [...val] })
 
+onUnmounted(() => {
+  for (const pe of pendingEmails.value) {
+    if (pe.timer) clearInterval(pe.timer)
+  }
+})
+
 const handleToggle = async () => {
   try {
     const updated = await userAPI.updateProfile({ balance_notify_enabled: notifyEnabled.value })
@@ -150,47 +181,56 @@ const handleThresholdUpdate = async () => {
   }
 }
 
-const handleSendCode = async () => {
-  if (!newEmail.value) return
-  sendingCode.value = true
+function addPendingEmail() {
+  const email = newEmail.value.trim()
+  if (!email) return
+  if (email === props.userEmail || extraEmails.value.includes(email) || pendingEmails.value.some(p => p.email === email)) {
+    appStore.showError(t('common.error'))
+    return
+  }
+  pendingEmails.value.push({ email, codeSent: false, code: '', sending: false, verifying: false, countdown: 0, timer: null })
+  newEmail.value = ''
+}
+
+async function sendCodeFor(idx: number) {
+  const pe = pendingEmails.value[idx]
+  if (!pe) return
+  pe.sending = true
   try {
-    await userAPI.sendNotifyEmailCode(newEmail.value)
-    codeSent.value = true
-    codeCountdown.value = 60
-    countdownTimer = setInterval(() => {
-      codeCountdown.value--
-      if (codeCountdown.value <= 0) {
-        if (countdownTimer) clearInterval(countdownTimer)
-        countdownTimer = null
+    await userAPI.sendNotifyEmailCode(pe.email)
+    pe.codeSent = true
+    pe.countdown = 60
+    pe.timer = setInterval(() => {
+      pe.countdown--
+      if (pe.countdown <= 0 && pe.timer) {
+        clearInterval(pe.timer)
+        pe.timer = null
       }
     }, 1000)
     appStore.showSuccess(t('profile.balanceNotify.codeSent'))
   } catch (err: unknown) {
     appStore.showError(extractApiErrorMessage(err, t('common.error')))
   } finally {
-    sendingCode.value = false
+    pe.sending = false
   }
 }
 
-const handleVerify = async () => {
-  if (!verifyCode.value || verifyCode.value.length !== 6) return
-  verifying.value = true
+async function verifyPending(idx: number) {
+  const pe = pendingEmails.value[idx]
+  if (!pe || !pe.code || pe.code.length !== 6) return
+  pe.verifying = true
   try {
-    await userAPI.verifyNotifyEmail(newEmail.value, verifyCode.value)
-    extraEmails.value.push(newEmail.value)
-    newEmail.value = ''
-    verifyCode.value = ''
-    codeSent.value = false
-    if (countdownTimer) clearInterval(countdownTimer)
-    codeCountdown.value = 0
+    await userAPI.verifyNotifyEmail(pe.email, pe.code)
+    extraEmails.value.push(pe.email)
+    if (pe.timer) clearInterval(pe.timer)
+    pendingEmails.value.splice(idx, 1)
     appStore.showSuccess(t('profile.balanceNotify.verifySuccess'))
-    // Refresh user data
     const updated = await userAPI.getProfile()
     authStore.user = updated
   } catch (err: unknown) {
     appStore.showError(extractApiErrorMessage(err, t('common.error')))
   } finally {
-    verifying.value = false
+    pe.verifying = false
   }
 }
 
diff --git a/frontend/src/i18n/locales/en.ts b/frontend/src/i18n/locales/en.ts
index 6688c1b6..1b4cb9ea 100644
--- a/frontend/src/i18n/locales/en.ts
+++ b/frontend/src/i18n/locales/en.ts
@@ -911,17 +911,19 @@ export default {
       thresholdHint: 'Leave empty to use system default',
       thresholdPlaceholder: 'Enter amount',
       systemDefault: 'System Default',
-      extraEmails: 'Extra Notification Emails',
+      extraEmails: 'Notification Emails',
+      primaryEmail: 'Primary',
       noExtraEmails: 'No extra notification emails',
       enterEmail: 'Enter email address',
       addEmail: 'Add Email',
       emailPlaceholder: 'Enter email address',
       sendCode: 'Send Code',
+      resend: 'Resend',
       codeSent: 'Verification code sent',
       codeSentTo: 'Code sent to {email}',
       enterCode: 'Enter verification code',
       codePlaceholder: '6-digit code',
-      verify: 'Verify & Add',
+      verify: 'Verify',
       emailAdded: 'Email added',
       emailRemoved: 'Email removed',
       verifySuccess: 'Email added successfully',
diff --git a/frontend/src/i18n/locales/zh.ts b/frontend/src/i18n/locales/zh.ts
index 70d20cc0..ca091dd5 100644
--- a/frontend/src/i18n/locales/zh.ts
+++ b/frontend/src/i18n/locales/zh.ts
@@ -915,17 +915,19 @@ export default {
       thresholdHint: '留空使用系统默认值',
       thresholdPlaceholder: '输入金额',
       systemDefault: '系统默认值',
-      extraEmails: '额外通知邮箱',
+      extraEmails: '通知邮箱',
+      primaryEmail: '主邮箱',
       noExtraEmails: '暂无额外通知邮箱',
       enterEmail: '输入邮箱地址',
       addEmail: '添加邮箱',
       emailPlaceholder: '输入邮箱地址',
       sendCode: '发送验证码',
+      resend: '重发',
       codeSent: '验证码已发送',
       codeSentTo: '验证码已发送到 {email}',
       enterCode: '输入验证码',
       codePlaceholder: '6位验证码',
-      verify: '确认添加',
+      verify: '验证',
       emailAdded: '邮箱已添加',
       emailRemoved: '邮箱已移除',
       verifySuccess: '邮箱添加成功',
diff --git a/frontend/src/stores/app.ts b/frontend/src/stores/app.ts
index b69c3648..1995383d 100644
--- a/frontend/src/stores/app.ts
+++ b/frontend/src/stores/app.ts
@@ -342,6 +342,7 @@ export const useAppStore = defineStore('app', () => {
         version: siteVersion.value,
         balance_low_notify_enabled: false,
         account_quota_notify_enabled: false,
+        balance_low_notify_threshold: 0,
       }
     }
 
diff --git a/frontend/src/types/index.ts b/frontend/src/types/index.ts
index c6c74354..661c4c79 100644
--- a/frontend/src/types/index.ts
+++ b/frontend/src/types/index.ts
@@ -119,6 +119,7 @@ export interface PublicSettings {
   version: string
   balance_low_notify_enabled: boolean
   account_quota_notify_enabled: boolean
+  balance_low_notify_threshold: number
 }
 
 export interface AuthResponse {
diff --git a/frontend/src/views/user/ProfileView.vue b/frontend/src/views/user/ProfileView.vue
index f801e20d..e7418ebb 100644
--- a/frontend/src/views/user/ProfileView.vue
+++ b/frontend/src/views/user/ProfileView.vue
@@ -19,6 +19,8 @@
         :enabled="user.balance_notify_enabled ?? true"
         :threshold="user.balance_notify_threshold"
         :extra-emails="user.balance_notify_extra_emails ?? []"
+        :system-default-threshold="systemDefaultThreshold"
+        :user-email="user.email"
       />
       <ProfilePasswordForm />
       <ProfileTotpCard />
@@ -41,11 +43,12 @@ import { Icon } from '@/components/icons'
 const { t } = useI18n(); const authStore = useAuthStore(); const user = computed(() => authStore.user)
 const contactInfo = ref('')
 const balanceLowNotifyEnabled = ref(false)
+const systemDefaultThreshold = ref(0)
 
 const WalletIcon = { render: () => h('svg', { fill: 'none', viewBox: '0 0 24 24', stroke: 'currentColor', 'stroke-width': '1.5' }, [h('path', { d: 'M21 12a2.25 2.25 0 00-2.25-2.25H15a3 3 0 11-6 0H5.25A2.25 2.25 0 003 12' })]) }
 const BoltIcon = { render: () => h('svg', { fill: 'none', viewBox: '0 0 24 24', stroke: 'currentColor', 'stroke-width': '1.5' }, [h('path', { d: 'm3.75 13.5 10.5-11.25L12 10.5h8.25L9.75 21.75 12 13.5H3.75z' })]) }
 const CalendarIcon = { render: () => h('svg', { fill: 'none', viewBox: '0 0 24 24', stroke: 'currentColor', 'stroke-width': '1.5' }, [h('path', { d: 'M6.75 3v2.25M17.25 3v2.25' })]) }
 
-onMounted(async () => { try { const s = await authAPI.getPublicSettings(); contactInfo.value = s.contact_info || ''; balanceLowNotifyEnabled.value = s.balance_low_notify_enabled ?? false } catch (error) { console.error('Failed to load contact info:', error) } })
+onMounted(async () => { try { const s = await authAPI.getPublicSettings(); contactInfo.value = s.contact_info || ''; balanceLowNotifyEnabled.value = s.balance_low_notify_enabled ?? false; systemDefaultThreshold.value = s.balance_low_notify_threshold ?? 0 } catch (error) { console.error('Failed to load settings:', error) } })
 const formatCurrency = (v: number) => `$${v.toFixed(2)}`
 </script>
\ No newline at end of file

From 422807514c9f147c12f09b86decb9cbbc9312627 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Sun, 12 Apr 2026 20:40:31 +0800
Subject: [PATCH 046/122] fix(notify): add duplicate email check message and
 improve extra email UX

---
 .../user/profile/ProfileBalanceNotifyCard.vue        | 12 +++++++-----
 frontend/src/i18n/locales/en.ts                      |  1 +
 frontend/src/i18n/locales/zh.ts                      |  1 +
 3 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/frontend/src/components/user/profile/ProfileBalanceNotifyCard.vue b/frontend/src/components/user/profile/ProfileBalanceNotifyCard.vue
index cfe1b332..797616bb 100644
--- a/frontend/src/components/user/profile/ProfileBalanceNotifyCard.vue
+++ b/frontend/src/components/user/profile/ProfileBalanceNotifyCard.vue
@@ -49,14 +49,16 @@
             </div>
           </div>
 
-          <!-- Verified extra emails -->
+          <!-- Verified extra emails with toggle -->
           <div v-if="extraEmails.length > 0" class="space-y-2 mb-3">
             <div v-for="email in extraEmails" :key="email"
               class="flex items-center justify-between px-3 py-2 bg-gray-50 dark:bg-dark-700 rounded-lg">
               <span class="text-sm text-gray-700 dark:text-gray-300">{{ email }}</span>
-              <button @click="handleRemoveEmail(email)" class="text-red-500 hover:text-red-700 text-sm">
-                {{ t('profile.balanceNotify.removeEmail') }}
-              </button>
+              <div class="flex items-center gap-2">
+                <button @click="handleRemoveEmail(email)" class="text-red-500 hover:text-red-700 text-xs">
+                  {{ t('profile.balanceNotify.removeEmail') }}
+                </button>
+              </div>
             </div>
           </div>
 
@@ -185,7 +187,7 @@ function addPendingEmail() {
   const email = newEmail.value.trim()
   if (!email) return
   if (email === props.userEmail || extraEmails.value.includes(email) || pendingEmails.value.some(p => p.email === email)) {
-    appStore.showError(t('common.error'))
+    appStore.showError(t('profile.balanceNotify.emailDuplicate'))
     return
   }
   pendingEmails.value.push({ email, codeSent: false, code: '', sending: false, verifying: false, countdown: 0, timer: null })
diff --git a/frontend/src/i18n/locales/en.ts b/frontend/src/i18n/locales/en.ts
index 1b4cb9ea..ff77837e 100644
--- a/frontend/src/i18n/locales/en.ts
+++ b/frontend/src/i18n/locales/en.ts
@@ -929,6 +929,7 @@ export default {
       verifySuccess: 'Email added successfully',
       removeEmail: 'Remove',
       removeSuccess: 'Email removed',
+      emailDuplicate: 'This email already exists',
     }
   },
 
diff --git a/frontend/src/i18n/locales/zh.ts b/frontend/src/i18n/locales/zh.ts
index ca091dd5..9eabb465 100644
--- a/frontend/src/i18n/locales/zh.ts
+++ b/frontend/src/i18n/locales/zh.ts
@@ -933,6 +933,7 @@ export default {
       verifySuccess: '邮箱添加成功',
       removeEmail: '移除',
       removeSuccess: '邮箱已移除',
+      emailDuplicate: '该邮箱已存在',
     }
   },
 

From 61aa197b0bb3905e5e5b582eeb25c25995670f96 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Sun, 12 Apr 2026 20:45:58 +0800
Subject: [PATCH 047/122] fix(notify): add explicit save button for balance
 threshold

Replace blur-based auto-save with an explicit Save button so users
know when their threshold is persisted. Shows success toast on save.
---
 .../user/profile/ProfileBalanceNotifyCard.vue     | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/frontend/src/components/user/profile/ProfileBalanceNotifyCard.vue b/frontend/src/components/user/profile/ProfileBalanceNotifyCard.vue
index 797616bb..589cc9e8 100644
--- a/frontend/src/components/user/profile/ProfileBalanceNotifyCard.vue
+++ b/frontend/src/components/user/profile/ProfileBalanceNotifyCard.vue
@@ -19,7 +19,7 @@
       </div>
 
       <template v-if="notifyEnabled">
-        <!-- Custom threshold -->
+        <!-- Custom threshold with save button -->
         <div>
           <label class="input-label">
             {{ t('profile.balanceNotify.threshold') }}
@@ -34,8 +34,14 @@
               step="0.01"
               class="input flex-1"
               :placeholder="systemDefaultThreshold > 0 ? `${t('profile.balanceNotify.systemDefault')} $${systemDefaultThreshold}` : t('profile.balanceNotify.thresholdPlaceholder')"
-              @blur="handleThresholdUpdate"
             />
+            <button
+              @click="handleThresholdUpdate"
+              :disabled="savingThreshold"
+              class="btn btn-primary btn-sm whitespace-nowrap"
+            >
+              {{ savingThreshold ? t('common.saving') : t('common.save') }}
+            </button>
           </div>
         </div>
 
@@ -152,6 +158,7 @@ const customThreshold = ref<number | null>(props.threshold)
 const extraEmails = ref<string[]>([...props.extraEmails])
 const pendingEmails = ref<PendingEmail[]>([])
 const newEmail = ref('')
+const savingThreshold = ref(false)
 
 watch(() => props.enabled, (val) => { notifyEnabled.value = val })
 watch(() => props.threshold, (val) => { customThreshold.value = val })
@@ -174,12 +181,16 @@ const handleToggle = async () => {
 }
 
 const handleThresholdUpdate = async () => {
+  savingThreshold.value = true
   try {
     const threshold = customThreshold.value && customThreshold.value > 0 ? customThreshold.value : 0
     const updated = await userAPI.updateProfile({ balance_notify_threshold: threshold })
     authStore.user = updated
+    appStore.showSuccess(t('common.saved'))
   } catch (err: unknown) {
     appStore.showError(extractApiErrorMessage(err, t('common.error')))
+  } finally {
+    savingThreshold.value = false
   }
 }
 

From 915b7a4a56aa859aa9de041d01c09ccbd988c78f Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Mon, 13 Apr 2026 00:52:42 +0800
Subject: [PATCH 048/122] feat(notify): convert email lists to NotifyEmailEntry
 struct with toggle support
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Change balance_notify_extra_emails and account_quota_notify_emails
  from []string to []NotifyEmailEntry{email, disabled, verified}
- Add per-email enable/disable toggle for both user and admin notifications
- Add PUT /user/notify-email/toggle API endpoint
- Fix critical bug: API key auth cache snapshot missing balance notify
  fields (Email, Username, BalanceNotifyEnabled, etc.), causing
  notifications to never fire on cached request paths
- Bump cache snapshot version 3→4 to invalidate stale entries
- Add SQL migration 104 to convert old format data
- Backward compatible: parseNotifyEmails auto-detects old/new format
- User balance notify: max 3 emails (primary + 2 extra)
- Admin quota notify: unlimited emails, each with toggle
---
 .../internal/handler/admin/setting_handler.go |  10 +-
 backend/internal/handler/dto/mappers.go       |   2 +-
 .../handler/dto/notify_email_entry.go         |  43 +++++++
 backend/internal/handler/dto/settings.go      |   2 +-
 backend/internal/handler/dto/types.go         |   2 +-
 backend/internal/handler/user_handler.go      |  36 ++++++
 backend/internal/repository/api_key_repo.go   |   8 +-
 backend/internal/repository/user_repo.go      |  14 +--
 backend/internal/server/routes/user.go        |   1 +
 .../internal/service/api_key_auth_cache.go    |   8 ++
 .../service/api_key_auth_cache_impl.go        |  34 ++++--
 .../service/balance_notify_service.go         |  63 +++++++++--
 .../internal/service/notify_email_entry.go    | 107 ++++++++++++++++++
 backend/internal/service/setting_service.go   |   7 +-
 backend/internal/service/settings_view.go     |   2 +-
 backend/internal/service/user.go              |   2 +-
 backend/internal/service/user_service.go      |  42 +++++--
 .../104_migrate_notify_emails_to_struct.sql   |  35 ++++++
 frontend/src/api/admin/settings.ts            |   6 +-
 frontend/src/api/user.ts                      |  17 ++-
 .../user/profile/ProfileBalanceNotifyCard.vue |  72 ++++++++----
 frontend/src/i18n/locales/en.ts               |   2 +
 frontend/src/i18n/locales/zh.ts               |   2 +
 frontend/src/types/index.ts                   |  12 +-
 frontend/src/views/admin/SettingsView.vue     |  14 ++-
 25 files changed, 448 insertions(+), 95 deletions(-)
 create mode 100644 backend/internal/handler/dto/notify_email_entry.go
 create mode 100644 backend/internal/service/notify_email_entry.go
 create mode 100644 backend/migrations/104_migrate_notify_emails_to_struct.sql

diff --git a/backend/internal/handler/admin/setting_handler.go b/backend/internal/handler/admin/setting_handler.go
index 49e7aeed..fe46e821 100644
--- a/backend/internal/handler/admin/setting_handler.go
+++ b/backend/internal/handler/admin/setting_handler.go
@@ -178,7 +178,7 @@ func (h *SettingHandler) GetSettings(c *gin.Context) {
 		WebSearchEmulationEnabled:            settings.WebSearchEmulationEnabled,
 		BalanceLowNotifyEnabled:              settings.BalanceLowNotifyEnabled,
 		BalanceLowNotifyThreshold:            settings.BalanceLowNotifyThreshold,
-		AccountQuotaNotifyEmails:             settings.AccountQuotaNotifyEmails,
+		AccountQuotaNotifyEmails:             dto.NotifyEmailEntriesFromService(settings.AccountQuotaNotifyEmails),
 		PaymentEnabled:                       paymentCfg.Enabled,
 		PaymentMinAmount:                     paymentCfg.MinAmount,
 		PaymentMaxAmount:                     paymentCfg.MaxAmount,
@@ -311,7 +311,7 @@ type UpdateSettingsRequest struct {
 	// Balance low notification
 	BalanceLowNotifyEnabled   *bool     `json:"balance_low_notify_enabled"`
 	BalanceLowNotifyThreshold *float64  `json:"balance_low_notify_threshold"`
-	AccountQuotaNotifyEmails  *[]string `json:"account_quota_notify_emails"`
+	AccountQuotaNotifyEmails  *[]dto.NotifyEmailEntry `json:"account_quota_notify_emails"`
 
 	// Payment configuration (integrated into settings, full replace)
 	PaymentEnabled           *bool    `json:"payment_enabled"`
@@ -902,9 +902,9 @@ func (h *SettingHandler) UpdateSettings(c *gin.Context) {
 			}
 			return previousSettings.BalanceLowNotifyThreshold
 		}(),
-		AccountQuotaNotifyEmails: func() []string {
+		AccountQuotaNotifyEmails: func() []service.NotifyEmailEntry {
 			if req.AccountQuotaNotifyEmails != nil {
-				return *req.AccountQuotaNotifyEmails
+				return dto.NotifyEmailEntriesToService(*req.AccountQuotaNotifyEmails)
 			}
 			return previousSettings.AccountQuotaNotifyEmails
 		}(),
@@ -1056,7 +1056,7 @@ func (h *SettingHandler) UpdateSettings(c *gin.Context) {
 		EnableCCHSigning:                     updatedSettings.EnableCCHSigning,
 		BalanceLowNotifyEnabled:              updatedSettings.BalanceLowNotifyEnabled,
 		BalanceLowNotifyThreshold:            updatedSettings.BalanceLowNotifyThreshold,
-		AccountQuotaNotifyEmails:             updatedSettings.AccountQuotaNotifyEmails,
+		AccountQuotaNotifyEmails:             dto.NotifyEmailEntriesFromService(updatedSettings.AccountQuotaNotifyEmails),
 		PaymentEnabled:                       updatedPaymentCfg.Enabled,
 		PaymentMinAmount:                     updatedPaymentCfg.MinAmount,
 		PaymentMaxAmount:                     updatedPaymentCfg.MaxAmount,
diff --git a/backend/internal/handler/dto/mappers.go b/backend/internal/handler/dto/mappers.go
index 147072c3..a7a93d07 100644
--- a/backend/internal/handler/dto/mappers.go
+++ b/backend/internal/handler/dto/mappers.go
@@ -26,7 +26,7 @@ func UserFromServiceShallow(u *service.User) *User {
 		BalanceNotifyEnabled:       u.BalanceNotifyEnabled,
 		BalanceNotifyThresholdType: u.BalanceNotifyThresholdType,
 		BalanceNotifyThreshold:     u.BalanceNotifyThreshold,
-		BalanceNotifyExtraEmails:   u.BalanceNotifyExtraEmails,
+		BalanceNotifyExtraEmails:   NotifyEmailEntriesFromService(u.BalanceNotifyExtraEmails),
 		TotalRecharged:             u.TotalRecharged,
 	}
 }
diff --git a/backend/internal/handler/dto/notify_email_entry.go b/backend/internal/handler/dto/notify_email_entry.go
new file mode 100644
index 00000000..180f8b25
--- /dev/null
+++ b/backend/internal/handler/dto/notify_email_entry.go
@@ -0,0 +1,43 @@
+package dto
+
+import "github.com/Wei-Shaw/sub2api/internal/service"
+
+// NotifyEmailEntry represents a notification email with enable/disable and verification state.
+// Email="" is a placeholder for the "primary email" (user's registration email or first admin email).
+type NotifyEmailEntry struct {
+	Email    string `json:"email"`
+	Disabled bool   `json:"disabled"`
+	Verified bool   `json:"verified"`
+}
+
+// NotifyEmailEntriesFromService converts service entries to DTO entries.
+func NotifyEmailEntriesFromService(entries []service.NotifyEmailEntry) []NotifyEmailEntry {
+	if entries == nil {
+		return nil
+	}
+	result := make([]NotifyEmailEntry, len(entries))
+	for i, e := range entries {
+		result[i] = NotifyEmailEntry{
+			Email:    e.Email,
+			Disabled: e.Disabled,
+			Verified: e.Verified,
+		}
+	}
+	return result
+}
+
+// NotifyEmailEntriesToService converts DTO entries to service entries.
+func NotifyEmailEntriesToService(entries []NotifyEmailEntry) []service.NotifyEmailEntry {
+	if entries == nil {
+		return nil
+	}
+	result := make([]service.NotifyEmailEntry, len(entries))
+	for i, e := range entries {
+		result[i] = service.NotifyEmailEntry{
+			Email:    e.Email,
+			Disabled: e.Disabled,
+			Verified: e.Verified,
+		}
+	}
+	return result
+}
diff --git a/backend/internal/handler/dto/settings.go b/backend/internal/handler/dto/settings.go
index 9c2ff263..545458c8 100644
--- a/backend/internal/handler/dto/settings.go
+++ b/backend/internal/handler/dto/settings.go
@@ -152,7 +152,7 @@ type SystemSettings struct {
 	// Balance low notification
 	BalanceLowNotifyEnabled   bool     `json:"balance_low_notify_enabled"`
 	BalanceLowNotifyThreshold float64  `json:"balance_low_notify_threshold"`
-	AccountQuotaNotifyEmails  []string `json:"account_quota_notify_emails"`
+	AccountQuotaNotifyEmails  []NotifyEmailEntry `json:"account_quota_notify_emails"`
 }
 
 type DefaultSubscriptionSetting struct {
diff --git a/backend/internal/handler/dto/types.go b/backend/internal/handler/dto/types.go
index 425d3df9..afb782b0 100644
--- a/backend/internal/handler/dto/types.go
+++ b/backend/internal/handler/dto/types.go
@@ -22,7 +22,7 @@ type User struct {
 	BalanceNotifyEnabled       bool     `json:"balance_notify_enabled"`
 	BalanceNotifyThresholdType string   `json:"balance_notify_threshold_type"`
 	BalanceNotifyThreshold     *float64 `json:"balance_notify_threshold"`
-	BalanceNotifyExtraEmails   []string `json:"balance_notify_extra_emails"`
+	BalanceNotifyExtraEmails   []NotifyEmailEntry `json:"balance_notify_extra_emails"`
 	TotalRecharged             float64  `json:"total_recharged"`
 
 	APIKeys       []APIKey           `json:"api_keys,omitempty"`
diff --git a/backend/internal/handler/user_handler.go b/backend/internal/handler/user_handler.go
index 4fb72ce7..9e0a243a 100644
--- a/backend/internal/handler/user_handler.go
+++ b/backend/internal/handler/user_handler.go
@@ -214,3 +214,39 @@ func (h *UserHandler) RemoveNotifyEmail(c *gin.Context) {
 
 	response.Success(c, dto.UserFromService(updatedUser))
 }
+
+// ToggleNotifyEmailRequest represents the request to toggle a notify email's disabled state
+type ToggleNotifyEmailRequest struct {
+	Email    string `json:"email"`    // empty string for primary email placeholder
+	Disabled bool   `json:"disabled"`
+}
+
+// ToggleNotifyEmail toggles the disabled state of a notification email
+// PUT /api/v1/user/notify-email/toggle
+func (h *UserHandler) ToggleNotifyEmail(c *gin.Context) {
+	subject, ok := middleware2.GetAuthSubjectFromContext(c)
+	if !ok {
+		response.Unauthorized(c, "User not authenticated")
+		return
+	}
+
+	var req ToggleNotifyEmailRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	err := h.userService.ToggleNotifyEmail(c.Request.Context(), subject.UserID, req.Email, req.Disabled)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	updatedUser, err := h.userService.GetByID(c.Request.Context(), subject.UserID)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, dto.UserFromService(updatedUser))
+}
diff --git a/backend/internal/repository/api_key_repo.go b/backend/internal/repository/api_key_repo.go
index d1b42750..38ea9bde 100644
--- a/backend/internal/repository/api_key_repo.go
+++ b/backend/internal/repository/api_key_repo.go
@@ -3,7 +3,6 @@ package repository
 import (
 	"context"
 	"database/sql"
-	"encoding/json"
 	"fmt"
 	"strings"
 	"time"
@@ -667,12 +666,9 @@ func userEntityToService(u *dbent.User) *service.User {
 		CreatedAt:                  u.CreatedAt,
 		UpdatedAt:                  u.UpdatedAt,
 	}
-	// Parse extra emails JSON array
+	// Parse extra emails JSON (supports both old []string and new []NotifyEmailEntry format)
 	if u.BalanceNotifyExtraEmails != "" && u.BalanceNotifyExtraEmails != "[]" {
-		var emails []string
-		if err := json.Unmarshal([]byte(u.BalanceNotifyExtraEmails), &emails); err == nil {
-			out.BalanceNotifyExtraEmails = emails
-		}
+		out.BalanceNotifyExtraEmails = service.ParseNotifyEmails(u.BalanceNotifyExtraEmails)
 	}
 	return out
 }
diff --git a/backend/internal/repository/user_repo.go b/backend/internal/repository/user_repo.go
index 1792ef8d..913e1c40 100644
--- a/backend/internal/repository/user_repo.go
+++ b/backend/internal/repository/user_repo.go
@@ -3,7 +3,6 @@ package repository
 import (
 	"context"
 	"database/sql"
-	"encoding/json"
 	"errors"
 	"fmt"
 	"sort"
@@ -563,16 +562,9 @@ func applyUserEntityToService(dst *service.User, src *dbent.User) {
 	dst.UpdatedAt = src.UpdatedAt
 }
 
-// marshalExtraEmails serializes a string slice to JSON for storage.
-func marshalExtraEmails(emails []string) string {
-	if len(emails) == 0 {
-		return "[]"
-	}
-	data, err := json.Marshal(emails)
-	if err != nil {
-		return "[]"
-	}
-	return string(data)
+// marshalExtraEmails serializes notify email entries to JSON for storage.
+func marshalExtraEmails(entries []service.NotifyEmailEntry) string {
+	return service.MarshalNotifyEmails(entries)
 }
 
 // UpdateTotpSecret 更新用户的 TOTP 加密密钥
diff --git a/backend/internal/server/routes/user.go b/backend/internal/server/routes/user.go
index 088565fa..d004f8b4 100644
--- a/backend/internal/server/routes/user.go
+++ b/backend/internal/server/routes/user.go
@@ -31,6 +31,7 @@ func RegisterUserRoutes(
 			{
 				notifyEmail.POST("/send-code", h.User.SendNotifyEmailCode)
 				notifyEmail.POST("/verify", h.User.VerifyNotifyEmail)
+				notifyEmail.PUT("/toggle", h.User.ToggleNotifyEmail)
 				notifyEmail.DELETE("", h.User.RemoveNotifyEmail)
 			}
 
diff --git a/backend/internal/service/api_key_auth_cache.go b/backend/internal/service/api_key_auth_cache.go
index c2e96df1..60cb6233 100644
--- a/backend/internal/service/api_key_auth_cache.go
+++ b/backend/internal/service/api_key_auth_cache.go
@@ -34,6 +34,14 @@ type APIKeyAuthUserSnapshot struct {
 	Role        string  `json:"role"`
 	Balance     float64 `json:"balance"`
 	Concurrency int     `json:"concurrency"`
+
+	// Balance notification fields (required for CheckBalanceAfterDeduction)
+	Email                      string             `json:"email"`
+	Username                   string             `json:"username"`
+	BalanceNotifyEnabled       bool               `json:"balance_notify_enabled"`
+	BalanceNotifyThresholdType string             `json:"balance_notify_threshold_type"`
+	BalanceNotifyThreshold     *float64           `json:"balance_notify_threshold,omitempty"`
+	BalanceNotifyExtraEmails   []NotifyEmailEntry `json:"balance_notify_extra_emails,omitempty"`
 }
 
 // APIKeyAuthGroupSnapshot 分组快照
diff --git a/backend/internal/service/api_key_auth_cache_impl.go b/backend/internal/service/api_key_auth_cache_impl.go
index 8069ed4f..711090c2 100644
--- a/backend/internal/service/api_key_auth_cache_impl.go
+++ b/backend/internal/service/api_key_auth_cache_impl.go
@@ -13,7 +13,7 @@ import (
 	"github.com/dgraph-io/ristretto"
 )
 
-const apiKeyAuthSnapshotVersion = 3
+const apiKeyAuthSnapshotVersion = 4 // v4: added balance notification fields to UserSnapshot
 
 type apiKeyAuthCacheConfig struct {
 	l1Size        int
@@ -219,11 +219,17 @@ func (s *APIKeyService) snapshotFromAPIKey(apiKey *APIKey) *APIKeyAuthSnapshot {
 		RateLimit1d: apiKey.RateLimit1d,
 		RateLimit7d: apiKey.RateLimit7d,
 		User: APIKeyAuthUserSnapshot{
-			ID:          apiKey.User.ID,
-			Status:      apiKey.User.Status,
-			Role:        apiKey.User.Role,
-			Balance:     apiKey.User.Balance,
-			Concurrency: apiKey.User.Concurrency,
+			ID:                         apiKey.User.ID,
+			Status:                     apiKey.User.Status,
+			Role:                       apiKey.User.Role,
+			Balance:                    apiKey.User.Balance,
+			Concurrency:                apiKey.User.Concurrency,
+			Email:                      apiKey.User.Email,
+			Username:                   apiKey.User.Username,
+			BalanceNotifyEnabled:       apiKey.User.BalanceNotifyEnabled,
+			BalanceNotifyThresholdType: apiKey.User.BalanceNotifyThresholdType,
+			BalanceNotifyThreshold:     apiKey.User.BalanceNotifyThreshold,
+			BalanceNotifyExtraEmails:   apiKey.User.BalanceNotifyExtraEmails,
 		},
 	}
 	if apiKey.Group != nil {
@@ -274,11 +280,17 @@ func (s *APIKeyService) snapshotToAPIKey(key string, snapshot *APIKeyAuthSnapsho
 		RateLimit1d: snapshot.RateLimit1d,
 		RateLimit7d: snapshot.RateLimit7d,
 		User: &User{
-			ID:          snapshot.User.ID,
-			Status:      snapshot.User.Status,
-			Role:        snapshot.User.Role,
-			Balance:     snapshot.User.Balance,
-			Concurrency: snapshot.User.Concurrency,
+			ID:                         snapshot.User.ID,
+			Status:                     snapshot.User.Status,
+			Role:                       snapshot.User.Role,
+			Balance:                    snapshot.User.Balance,
+			Concurrency:                snapshot.User.Concurrency,
+			Email:                      snapshot.User.Email,
+			Username:                   snapshot.User.Username,
+			BalanceNotifyEnabled:       snapshot.User.BalanceNotifyEnabled,
+			BalanceNotifyThresholdType: snapshot.User.BalanceNotifyThresholdType,
+			BalanceNotifyThreshold:     snapshot.User.BalanceNotifyThreshold,
+			BalanceNotifyExtraEmails:   snapshot.User.BalanceNotifyExtraEmails,
 		},
 	}
 	if snapshot.Group != nil {
diff --git a/backend/internal/service/balance_notify_service.go b/backend/internal/service/balance_notify_service.go
index 68202958..ba1c7037 100644
--- a/backend/internal/service/balance_notify_service.go
+++ b/backend/internal/service/balance_notify_service.go
@@ -176,13 +176,38 @@ func (s *BalanceNotifyService) isAccountQuotaNotifyEnabled(ctx context.Context)
 	return val == "true"
 }
 
-// getAccountQuotaNotifyEmails reads admin notification emails from settings.
+// getAccountQuotaNotifyEmails reads admin notification emails from settings,
+// filtering out disabled entries. Entries with email="" are resolved to the first admin's email.
 func (s *BalanceNotifyService) getAccountQuotaNotifyEmails(ctx context.Context) []string {
 	raw, err := s.settingRepo.GetValue(ctx, SettingKeyAccountQuotaNotifyEmails)
 	if err != nil || strings.TrimSpace(raw) == "" || raw == "[]" {
 		return nil
 	}
-	return parseJSONStringArray(raw)
+
+	entries := ParseNotifyEmails(raw)
+	if len(entries) == 0 {
+		return nil
+	}
+
+	var recipients []string
+	seen := make(map[string]bool)
+	for _, entry := range entries {
+		if entry.Disabled {
+			continue
+		}
+		email := strings.TrimSpace(entry.Email)
+		// email="" placeholder is not resolved here; admin should configure actual emails
+		if email == "" {
+			continue
+		}
+		lower := strings.ToLower(email)
+		if seen[lower] {
+			continue
+		}
+		seen[lower] = true
+		recipients = append(recipients, email)
+	}
+	return recipients
 }
 
 // getSiteName reads site name from settings with fallback.
@@ -194,18 +219,36 @@ func (s *BalanceNotifyService) getSiteName(ctx context.Context) string {
 	return name
 }
 
-// collectBalanceNotifyRecipients collects all email recipients for balance notifications.
+// collectBalanceNotifyRecipients collects all non-disabled email recipients for balance notifications.
+// Entries with email="" are resolved to the user's primary email.
 func (s *BalanceNotifyService) collectBalanceNotifyRecipients(user *User) []string {
 	var recipients []string
-	if user.Email != "" {
+	seen := make(map[string]bool)
+
+	for _, entry := range user.BalanceNotifyExtraEmails {
+		if entry.Disabled {
+			continue
+		}
+		email := strings.TrimSpace(entry.Email)
+		if email == "" {
+			email = user.Email // Resolve primary email placeholder
+		}
+		if email == "" {
+			continue
+		}
+		lower := strings.ToLower(email)
+		if seen[lower] {
+			continue
+		}
+		seen[lower] = true
+		recipients = append(recipients, email)
+	}
+
+	// If no entries exist at all (legacy/empty), fall back to user's primary email
+	if len(user.BalanceNotifyExtraEmails) == 0 && user.Email != "" {
 		recipients = append(recipients, user.Email)
 	}
-	for _, extra := range user.BalanceNotifyExtraEmails {
-		email := strings.TrimSpace(extra)
-		if email != "" && !strings.EqualFold(email, user.Email) {
-			recipients = append(recipients, email)
-		}
-	}
+
 	return recipients
 }
 
diff --git a/backend/internal/service/notify_email_entry.go b/backend/internal/service/notify_email_entry.go
new file mode 100644
index 00000000..3caf689f
--- /dev/null
+++ b/backend/internal/service/notify_email_entry.go
@@ -0,0 +1,107 @@
+package service
+
+import (
+	"encoding/json"
+	"strings"
+)
+
+// NotifyEmailEntry represents a notification email with enable/disable and verification state.
+// Email="" is a placeholder for the "primary email" (user's registration email or first admin email).
+type NotifyEmailEntry struct {
+	Email    string `json:"email"`
+	Disabled bool   `json:"disabled"`
+	Verified bool   `json:"verified"`
+}
+
+// parseNotifyEmails parses a JSON string into []NotifyEmailEntry.
+// It auto-detects the format:
+//   - Old format ["email1","email2"] → converted to [{email, disabled:false, verified:true}, ...]
+//   - New format [{email,disabled,verified}, ...] → parsed directly
+//
+// Returns nil on empty/invalid input.
+func ParseNotifyEmails(raw string) []NotifyEmailEntry {
+	raw = strings.TrimSpace(raw)
+	if raw == "" || raw == "[]" {
+		return nil
+	}
+
+	// Try parsing as new format first (array of objects)
+	var entries []NotifyEmailEntry
+	if err := json.Unmarshal([]byte(raw), &entries); err == nil && len(entries) > 0 {
+		// Verify it's actually the new format by checking the first element
+		// json.Unmarshal into []NotifyEmailEntry succeeds even for ["string"]
+		// because it tries to fit "string" into NotifyEmailEntry and gets zero values.
+		// We need to detect old format explicitly.
+		if !isOldStringArrayFormat(raw) {
+			return entries
+		}
+	}
+
+	// Try parsing as old format (array of strings)
+	var emails []string
+	if err := json.Unmarshal([]byte(raw), &emails); err == nil {
+		result := make([]NotifyEmailEntry, 0, len(emails))
+		for _, e := range emails {
+			e = strings.TrimSpace(e)
+			if e != "" {
+				result = append(result, NotifyEmailEntry{
+					Email:    e,
+					Disabled: false,
+					Verified: false, // Old format emails default to unverified
+				})
+			}
+		}
+		return result
+	}
+
+	return nil
+}
+
+// isOldStringArrayFormat checks if the JSON is a string array like ["email1","email2"].
+func isOldStringArrayFormat(raw string) bool {
+	var arr []json.RawMessage
+	if err := json.Unmarshal([]byte(raw), &arr); err != nil || len(arr) == 0 {
+		return false
+	}
+	// Check if first element starts with a quote (string) vs { (object)
+	first := strings.TrimSpace(string(arr[0]))
+	return len(first) > 0 && first[0] == '"'
+}
+
+// marshalNotifyEmails serializes []NotifyEmailEntry to JSON string.
+func MarshalNotifyEmails(entries []NotifyEmailEntry) string {
+	if len(entries) == 0 {
+		return "[]"
+	}
+	data, err := json.Marshal(entries)
+	if err != nil {
+		return "[]"
+	}
+	return string(data)
+}
+
+// filterEnabledEmails returns only non-disabled email addresses from entries.
+// Empty email placeholders are skipped (caller should resolve them separately).
+func FilterEnabledEmails(entries []NotifyEmailEntry) []string {
+	var result []string
+	for _, e := range entries {
+		if e.Disabled {
+			continue
+		}
+		email := strings.TrimSpace(e.Email)
+		if email != "" {
+			result = append(result, email)
+		}
+	}
+	return result
+}
+
+// isPrimaryDisabled checks if the primary email placeholder (email="") exists and is disabled.
+func IsPrimaryDisabled(entries []NotifyEmailEntry) bool {
+	for _, e := range entries {
+		if e.Email == "" {
+			return e.Disabled
+		}
+	}
+	return false // No primary placeholder = not disabled
+}
diff --git a/backend/internal/service/setting_service.go b/backend/internal/service/setting_service.go
index 773b84ba..0267040d 100644
--- a/backend/internal/service/setting_service.go
+++ b/backend/internal/service/setting_service.go
@@ -1272,13 +1272,10 @@ func (s *SettingService) parseSettings(settings map[string]string) *SystemSettin
 	// Account quota notification
 	result.AccountQuotaNotifyEnabled = settings[SettingKeyAccountQuotaNotifyEnabled] == "true"
 	if raw := strings.TrimSpace(settings[SettingKeyAccountQuotaNotifyEmails]); raw != "" {
-		var emails []string
-		if err := json.Unmarshal([]byte(raw), &emails); err == nil {
-			result.AccountQuotaNotifyEmails = emails
-		}
+		result.AccountQuotaNotifyEmails = ParseNotifyEmails(raw)
 	}
 	if result.AccountQuotaNotifyEmails == nil {
-		result.AccountQuotaNotifyEmails = []string{}
+		result.AccountQuotaNotifyEmails = []NotifyEmailEntry{}
 	}
 
 	return result
diff --git a/backend/internal/service/settings_view.go b/backend/internal/service/settings_view.go
index 274ec792..1346372d 100644
--- a/backend/internal/service/settings_view.go
+++ b/backend/internal/service/settings_view.go
@@ -113,7 +113,7 @@ type SystemSettings struct {
 
 	// Account quota notification
 	AccountQuotaNotifyEnabled bool
-	AccountQuotaNotifyEmails  []string
+	AccountQuotaNotifyEmails  []NotifyEmailEntry
 }
 
 type DefaultSubscriptionSetting struct {
diff --git a/backend/internal/service/user.go b/backend/internal/service/user.go
index 4ca31adc..d3d8c954 100644
--- a/backend/internal/service/user.go
+++ b/backend/internal/service/user.go
@@ -34,7 +34,7 @@ type User struct {
 	BalanceNotifyEnabled       bool
 	BalanceNotifyThresholdType string   // "fixed" (default) | "percentage"
 	BalanceNotifyThreshold     *float64
-	BalanceNotifyExtraEmails   []string
+	BalanceNotifyExtraEmails   []NotifyEmailEntry
 	TotalRecharged             float64
 
 	APIKeys       []APIKey
diff --git a/backend/internal/service/user_service.go b/backend/internal/service/user_service.go
index e6b9a210..6b75140f 100644
--- a/backend/internal/service/user_service.go
+++ b/backend/internal/service/user_service.go
@@ -18,7 +18,7 @@ var (
 	ErrInsufficientPerms = infraerrors.Forbidden("INSUFFICIENT_PERMISSIONS", "insufficient permissions")
 )
 
-const maxNotifyExtraEmails = 5
+const maxNotifyEmails = 3 // Total limit: primary (email="") + up to 2 extra
 
 // UserListFilters contains all filter options for listing users
 type UserListFilters struct {
@@ -338,17 +338,21 @@ func (s *UserService) VerifyAndAddNotifyEmail(ctx context.Context, userID int64,
 
 	// Check if already exists
 	for _, e := range user.BalanceNotifyExtraEmails {
-		if strings.EqualFold(e, email) {
+		if strings.EqualFold(e.Email, email) {
 			return nil // Already added
 		}
 	}
 
-	// Check limit
-	if len(user.BalanceNotifyExtraEmails) >= maxNotifyExtraEmails {
-		return infraerrors.BadRequest("TOO_MANY_NOTIFY_EMAILS", fmt.Sprintf("maximum %d extra notification emails allowed", maxNotifyExtraEmails))
+	// Check limit (total includes primary email="" placeholder + extra emails)
+	if len(user.BalanceNotifyExtraEmails) >= maxNotifyEmails {
+		return infraerrors.BadRequest("TOO_MANY_NOTIFY_EMAILS", fmt.Sprintf("maximum %d notification emails allowed", maxNotifyEmails))
 	}
 
-	user.BalanceNotifyExtraEmails = append(user.BalanceNotifyExtraEmails, email)
+	user.BalanceNotifyExtraEmails = append(user.BalanceNotifyExtraEmails, NotifyEmailEntry{
+		Email:    email,
+		Disabled: false,
+		Verified: true,
+	})
 	return s.userRepo.Update(ctx, user)
 }
 
@@ -359,9 +363,9 @@ func (s *UserService) RemoveNotifyEmail(ctx context.Context, userID int64, email
 		return err
 	}
 
-	filtered := make([]string, 0, len(user.BalanceNotifyExtraEmails))
+	filtered := make([]NotifyEmailEntry, 0, len(user.BalanceNotifyExtraEmails))
 	for _, e := range user.BalanceNotifyExtraEmails {
-		if !strings.EqualFold(e, email) {
+		if !strings.EqualFold(e.Email, email) {
 			filtered = append(filtered, e)
 		}
 	}
@@ -369,6 +373,28 @@ func (s *UserService) RemoveNotifyEmail(ctx context.Context, userID int64, email
 	return s.userRepo.Update(ctx, user)
 }
 
+// ToggleNotifyEmail toggles the disabled state of a notification email entry.
+func (s *UserService) ToggleNotifyEmail(ctx context.Context, userID int64, email string, disabled bool) error {
+	user, err := s.userRepo.GetByID(ctx, userID)
+	if err != nil {
+		return err
+	}
+
+	found := false
+	for i, e := range user.BalanceNotifyExtraEmails {
+		if strings.EqualFold(e.Email, email) {
+			user.BalanceNotifyExtraEmails[i].Disabled = disabled
+			found = true
+			break
+		}
+	}
+	if !found {
+		return infraerrors.BadRequest("EMAIL_NOT_FOUND", "notification email not found")
+	}
+
+	return s.userRepo.Update(ctx, user)
+}
+
 // buildNotifyVerifyEmailBody builds the HTML email body for notify email verification.
 func buildNotifyVerifyEmailBody(code, siteName string) string {
 	return fmt.Sprintf(`
diff --git a/backend/migrations/104_migrate_notify_emails_to_struct.sql b/backend/migrations/104_migrate_notify_emails_to_struct.sql
new file mode 100644
index 00000000..4356da4f
--- /dev/null
+++ b/backend/migrations/104_migrate_notify_emails_to_struct.sql
@@ -0,0 +1,35 @@
+-- Migrate notification email lists from old []string format to new []NotifyEmailEntry format
+-- Old: ["a@x.com", "b@x.com"]
+-- New: [{"email":"a@x.com","disabled":false,"verified":true}, ...]
+-- Existing emails are marked as verified=false (unverified), disabled=false (enabled)
+
+-- 1. User balance notification emails
+UPDATE users
+SET balance_notify_extra_emails = (
+  SELECT COALESCE(
+    jsonb_agg(jsonb_build_object('email', elem::text, 'disabled', false, 'verified', false)),
+    '[]'::jsonb
+  )::text
+  FROM jsonb_array_elements_text(balance_notify_extra_emails::jsonb) AS elem
+)
+WHERE balance_notify_extra_emails IS NOT NULL
+  AND balance_notify_extra_emails <> '[]'
+  AND balance_notify_extra_emails <> ''
+  AND (balance_notify_extra_emails::jsonb -> 0) IS NOT NULL
+  AND jsonb_typeof(balance_notify_extra_emails::jsonb -> 0) = 'string';
+
+-- 2. Admin account quota notification emails
+UPDATE settings
+SET value = (
+  SELECT COALESCE(
+    jsonb_agg(jsonb_build_object('email', elem::text, 'disabled', false, 'verified', false)),
+    '[]'::jsonb
+  )::text
+  FROM jsonb_array_elements_text(value::jsonb) AS elem
+)
+WHERE key = 'account_quota_notify_emails'
+  AND value IS NOT NULL
+  AND value <> '[]'
+  AND value <> ''
+  AND (value::jsonb -> 0) IS NOT NULL
+  AND jsonb_typeof(value::jsonb -> 0) = 'string';
diff --git a/frontend/src/api/admin/settings.ts b/frontend/src/api/admin/settings.ts
index 5c5de2d1..230232df 100644
--- a/frontend/src/api/admin/settings.ts
+++ b/frontend/src/api/admin/settings.ts
@@ -4,7 +4,7 @@
  */
 
 import { apiClient } from '../client'
-import type { CustomMenuItem, CustomEndpoint } from '@/types'
+import type { CustomMenuItem, CustomEndpoint, NotifyEmailEntry } from '@/types'
 
 export interface DefaultSubscriptionSetting {
   group_id: number
@@ -139,7 +139,7 @@ export interface SystemSettings {
   balance_low_notify_enabled: boolean
   balance_low_notify_threshold: number
   account_quota_notify_enabled: boolean
-  account_quota_notify_emails: string[]
+  account_quota_notify_emails: NotifyEmailEntry[]
 }
 
 export interface UpdateSettingsRequest {
@@ -243,7 +243,7 @@ export interface UpdateSettingsRequest {
   balance_low_notify_enabled?: boolean
   balance_low_notify_threshold?: number
   account_quota_notify_enabled?: boolean
-  account_quota_notify_emails?: string[]
+  account_quota_notify_emails?: NotifyEmailEntry[]
 }
 
 /**
diff --git a/frontend/src/api/user.ts b/frontend/src/api/user.ts
index 9ef0f59c..cd648270 100644
--- a/frontend/src/api/user.ts
+++ b/frontend/src/api/user.ts
@@ -4,7 +4,7 @@
  */
 
 import { apiClient } from './client'
-import type { User, ChangePasswordRequest } from '@/types'
+import type { User, ChangePasswordRequest, NotifyEmailEntry } from '@/types'
 
 /**
  * Get current user profile
@@ -24,7 +24,7 @@ export async function updateProfile(profile: {
   username?: string
   balance_notify_enabled?: boolean
   balance_notify_threshold?: number | null
-  balance_notify_extra_emails?: string[]
+  balance_notify_extra_emails?: NotifyEmailEntry[]
 }): Promise<User> {
   const { data } = await apiClient.put<User>('/user', profile)
   return data
@@ -73,13 +73,24 @@ export async function removeNotifyEmail(email: string): Promise<void> {
   await apiClient.delete('/user/notify-email', { data: { email } })
 }
 
+/**
+ * Toggle a notify email's disabled state
+ * @param email - Email address (empty string for primary email placeholder)
+ * @param disabled - Whether to disable the email
+ */
+export async function toggleNotifyEmail(email: string, disabled: boolean): Promise<User> {
+  const { data } = await apiClient.put<User>('/user/notify-email/toggle', { email, disabled })
+  return data
+}
+
 export const userAPI = {
   getProfile,
   updateProfile,
   changePassword,
   sendNotifyEmailCode,
   verifyNotifyEmail,
-  removeNotifyEmail
+  removeNotifyEmail,
+  toggleNotifyEmail
 }
 
 export default userAPI
diff --git a/frontend/src/components/user/profile/ProfileBalanceNotifyCard.vue b/frontend/src/components/user/profile/ProfileBalanceNotifyCard.vue
index 589cc9e8..1d88ad82 100644
--- a/frontend/src/components/user/profile/ProfileBalanceNotifyCard.vue
+++ b/frontend/src/components/user/profile/ProfileBalanceNotifyCard.vue
@@ -45,23 +45,26 @@
           </div>
         </div>
 
-        <!-- Primary email (always shown, with toggle) -->
+        <!-- Email list with toggles -->
         <div>
           <label class="input-label">{{ t('profile.balanceNotify.extraEmails') }}</label>
           <div class="space-y-2 mb-3">
-            <div class="flex items-center justify-between px-3 py-2 bg-gray-50 dark:bg-dark-700 rounded-lg">
-              <span class="text-sm text-gray-700 dark:text-gray-300">{{ userEmail }}</span>
-              <span class="text-xs text-gray-400">{{ t('profile.balanceNotify.primaryEmail') }}</span>
-            </div>
-          </div>
-
-          <!-- Verified extra emails with toggle -->
-          <div v-if="extraEmails.length > 0" class="space-y-2 mb-3">
-            <div v-for="email in extraEmails" :key="email"
+            <!-- All email entries (primary placeholder + extra) -->
+            <div v-for="(entry, idx) in emailEntries" :key="idx"
               class="flex items-center justify-between px-3 py-2 bg-gray-50 dark:bg-dark-700 rounded-lg">
-              <span class="text-sm text-gray-700 dark:text-gray-300">{{ email }}</span>
-              <div class="flex items-center gap-2">
-                <button @click="handleRemoveEmail(email)" class="text-red-500 hover:text-red-700 text-xs">
+              <div class="flex items-center gap-2 min-w-0 flex-1">
+                <label class="relative inline-flex items-center cursor-pointer shrink-0">
+                  <input type="checkbox" :checked="!entry.disabled" @change="handleEmailToggle(entry)" class="sr-only peer" />
+                  <div class="w-9 h-5 bg-gray-200 peer-focus:outline-none rounded-full peer dark:bg-gray-600 peer-checked:after:translate-x-full peer-checked:after:border-white after:content-[''] after:absolute after:top-[2px] after:left-[2px] after:bg-white after:border-gray-300 after:border after:rounded-full after:h-4 after:w-4 after:transition-all dark:after:border-gray-500 peer-checked:bg-primary-600"></div>
+                </label>
+                <span class="text-sm text-gray-700 dark:text-gray-300 truncate">
+                  {{ entry.email === '' ? userEmail : entry.email }}
+                </span>
+              </div>
+              <div class="flex items-center gap-2 shrink-0">
+                <span v-if="entry.email === ''" class="text-xs text-gray-400">{{ t('profile.balanceNotify.primaryEmail') }}</span>
+                <span v-else-if="!entry.verified" class="text-xs text-yellow-500">{{ t('profile.balanceNotify.unverified') }}</span>
+                <button v-if="entry.email !== ''" @click="handleRemoveEmail(entry.email)" class="text-red-500 hover:text-red-700 text-xs">
                   {{ t('profile.balanceNotify.removeEmail') }}
                 </button>
               </div>
@@ -100,8 +103,8 @@
             </div>
           </div>
 
-          <!-- Add new email input -->
-          <div class="flex gap-2">
+          <!-- Add new email input (hidden when at limit) -->
+          <div v-if="canAddMore" class="flex gap-2">
             <input
               v-model="newEmail"
               type="email"
@@ -117,6 +120,9 @@
               {{ t('common.add') }}
             </button>
           </div>
+          <p v-else class="text-xs text-gray-400">
+            {{ t('profile.balanceNotify.maxEmailsReached') }}
+          </p>
         </div>
       </template>
     </div>
@@ -124,12 +130,15 @@
 </template>
 
 <script setup lang="ts">
-import { ref, watch, onUnmounted } from 'vue'
+import { ref, computed, watch, onUnmounted } from 'vue'
 import { useI18n } from 'vue-i18n'
 import { useAuthStore } from '@/stores/auth'
 import { useAppStore } from '@/stores/app'
 import { userAPI } from '@/api'
 import { extractApiErrorMessage } from '@/utils/apiError'
+import type { NotifyEmailEntry } from '@/types'
+
+const maxTotalEmails = 3 // primary + 2 extra
 
 interface PendingEmail {
   email: string
@@ -144,7 +153,7 @@ interface PendingEmail {
 const props = defineProps<{
   enabled: boolean
   threshold: number | null
-  extraEmails: string[]
+  extraEmails: NotifyEmailEntry[]
   systemDefaultThreshold: number
   userEmail: string
 }>()
@@ -155,14 +164,18 @@ const appStore = useAppStore()
 
 const notifyEnabled = ref(props.enabled)
 const customThreshold = ref<number | null>(props.threshold)
-const extraEmails = ref<string[]>([...props.extraEmails])
+const emailEntries = ref<NotifyEmailEntry[]>([...props.extraEmails])
 const pendingEmails = ref<PendingEmail[]>([])
 const newEmail = ref('')
 const savingThreshold = ref(false)
 
+const canAddMore = computed(() => {
+  return emailEntries.value.length + pendingEmails.value.length < maxTotalEmails
+})
+
 watch(() => props.enabled, (val) => { notifyEnabled.value = val })
 watch(() => props.threshold, (val) => { customThreshold.value = val })
-watch(() => props.extraEmails, (val) => { extraEmails.value = [...val] })
+watch(() => props.extraEmails, (val) => { emailEntries.value = [...val] })
 
 onUnmounted(() => {
   for (const pe of pendingEmails.value) {
@@ -194,10 +207,25 @@ const handleThresholdUpdate = async () => {
   }
 }
 
+async function handleEmailToggle(entry: NotifyEmailEntry) {
+  const newDisabled = !entry.disabled
+  try {
+    const updated = await userAPI.toggleNotifyEmail(entry.email, newDisabled)
+    authStore.user = updated
+    emailEntries.value = [...updated.balance_notify_extra_emails]
+  } catch (err: unknown) {
+    appStore.showError(extractApiErrorMessage(err, t('common.error')))
+  }
+}
+
 function addPendingEmail() {
   const email = newEmail.value.trim()
   if (!email) return
-  if (email === props.userEmail || extraEmails.value.includes(email) || pendingEmails.value.some(p => p.email === email)) {
+  // Check duplicates against existing entries and pending
+  const isDuplicate = emailEntries.value.some(e =>
+    (e.email === '' ? props.userEmail : e.email).toLowerCase() === email.toLowerCase()
+  ) || pendingEmails.value.some(p => p.email.toLowerCase() === email.toLowerCase())
+  if (isDuplicate) {
     appStore.showError(t('profile.balanceNotify.emailDuplicate'))
     return
   }
@@ -234,12 +262,12 @@ async function verifyPending(idx: number) {
   pe.verifying = true
   try {
     await userAPI.verifyNotifyEmail(pe.email, pe.code)
-    extraEmails.value.push(pe.email)
     if (pe.timer) clearInterval(pe.timer)
     pendingEmails.value.splice(idx, 1)
     appStore.showSuccess(t('profile.balanceNotify.verifySuccess'))
     const updated = await userAPI.getProfile()
     authStore.user = updated
+    emailEntries.value = [...updated.balance_notify_extra_emails]
   } catch (err: unknown) {
     appStore.showError(extractApiErrorMessage(err, t('common.error')))
   } finally {
@@ -250,10 +278,10 @@ async function verifyPending(idx: number) {
 const handleRemoveEmail = async (email: string) => {
   try {
     await userAPI.removeNotifyEmail(email)
-    extraEmails.value = extraEmails.value.filter(e => e !== email)
     appStore.showSuccess(t('profile.balanceNotify.removeSuccess'))
     const updated = await userAPI.getProfile()
     authStore.user = updated
+    emailEntries.value = [...updated.balance_notify_extra_emails]
   } catch (err: unknown) {
     appStore.showError(extractApiErrorMessage(err, t('common.error')))
   }
diff --git a/frontend/src/i18n/locales/en.ts b/frontend/src/i18n/locales/en.ts
index ff77837e..1e2ab01e 100644
--- a/frontend/src/i18n/locales/en.ts
+++ b/frontend/src/i18n/locales/en.ts
@@ -930,6 +930,8 @@ export default {
       removeEmail: 'Remove',
       removeSuccess: 'Email removed',
       emailDuplicate: 'This email already exists',
+      maxEmailsReached: 'Maximum number of notification emails reached',
+      unverified: 'Unverified',
     }
   },
 
diff --git a/frontend/src/i18n/locales/zh.ts b/frontend/src/i18n/locales/zh.ts
index 9eabb465..0de76f4c 100644
--- a/frontend/src/i18n/locales/zh.ts
+++ b/frontend/src/i18n/locales/zh.ts
@@ -934,6 +934,8 @@ export default {
       removeEmail: '移除',
       removeSuccess: '邮箱已移除',
       emailDuplicate: '该邮箱已存在',
+      maxEmailsReached: '已达到通知邮箱数量上限',
+      unverified: '未验证',
     }
   },
 
diff --git a/frontend/src/types/index.ts b/frontend/src/types/index.ts
index 661c4c79..8d30b642 100644
--- a/frontend/src/types/index.ts
+++ b/frontend/src/types/index.ts
@@ -22,6 +22,16 @@ export interface FetchOptions {
   signal?: AbortSignal
 }
 
+// ==================== Notification Types ====================
+
+/** Notification email entry with enable/disable and verification state.
+ *  email="" is a placeholder for the primary email (user's registration email or admin email). */
+export interface NotifyEmailEntry {
+  email: string
+  disabled: boolean
+  verified: boolean
+}
+
 // ==================== User & Auth Types ====================
 
 export interface User {
@@ -35,7 +45,7 @@ export interface User {
   allowed_groups: number[] | null // Allowed group IDs (null = all non-exclusive groups)
   balance_notify_enabled: boolean
   balance_notify_threshold: number | null
-  balance_notify_extra_emails: string[]
+  balance_notify_extra_emails: NotifyEmailEntry[]
   subscriptions?: UserSubscription[] // User's active subscriptions
   created_at: string
   updated_at: string
diff --git a/frontend/src/views/admin/SettingsView.vue b/frontend/src/views/admin/SettingsView.vue
index 10dd940f..c687f0db 100644
--- a/frontend/src/views/admin/SettingsView.vue
+++ b/frontend/src/views/admin/SettingsView.vue
@@ -2726,8 +2726,12 @@
             <div v-if="form.account_quota_notify_enabled">
               <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">{{ t('admin.settings.quotaNotify.emails') }}</label>
               <div class="space-y-2">
-                <div v-for="(_, index) in (form.account_quota_notify_emails || [])" :key="index" class="flex items-center gap-2">
-                  <input v-model="form.account_quota_notify_emails[index]" type="email" class="input flex-1" :placeholder="t('admin.settings.quotaNotify.emailPlaceholder')" />
+                <div v-for="(entry, index) in (form.account_quota_notify_emails || [])" :key="index" class="flex items-center gap-2">
+                  <label class="relative inline-flex items-center cursor-pointer shrink-0">
+                    <input type="checkbox" :checked="!entry.disabled" @change="entry.disabled = !entry.disabled" class="sr-only peer" />
+                    <div class="w-9 h-5 bg-gray-200 peer-focus:outline-none rounded-full peer dark:bg-gray-600 peer-checked:after:translate-x-full peer-checked:after:border-white after:content-[''] after:absolute after:top-[2px] after:left-[2px] after:bg-white after:border-gray-300 after:border after:rounded-full after:h-4 after:w-4 after:transition-all dark:after:border-gray-500 peer-checked:bg-primary-600"></div>
+                  </label>
+                  <input v-model="entry.email" type="email" class="input flex-1" :placeholder="t('admin.settings.quotaNotify.emailPlaceholder')" />
                   <button @click="form.account_quota_notify_emails.splice(index, 1)" class="btn btn-secondary px-2" type="button">
                     <Icon name="x" size="xs" class="h-4 w-4" />
                   </button>
@@ -3024,7 +3028,7 @@ const form = reactive<SettingsForm>({
   balance_low_notify_enabled: false,
   balance_low_notify_threshold: 0,
   account_quota_notify_enabled: false,
-  account_quota_notify_emails: [] as string[]
+  account_quota_notify_emails: [] as { email: string; disabled: boolean; verified: boolean }[]
 })
 
 // Proxies for web search emulation ProxySelector
@@ -3249,7 +3253,7 @@ const addQuotaNotifyEmail = () => {
   if (!form.account_quota_notify_emails) {
     form.account_quota_notify_emails = []
   }
-  form.account_quota_notify_emails.push('')
+  form.account_quota_notify_emails.push({ email: '', disabled: false, verified: true })
 }
 
 // LinuxDo OAuth redirect URL suggestion
@@ -3595,7 +3599,7 @@ async function saveSettings() {
       balance_low_notify_enabled: form.balance_low_notify_enabled,
       balance_low_notify_threshold: Number(form.balance_low_notify_threshold) || 0,
       account_quota_notify_enabled: form.account_quota_notify_enabled,
-      account_quota_notify_emails: (form.account_quota_notify_emails || []).filter((e: string) => e.trim() !== ''),
+      account_quota_notify_emails: (form.account_quota_notify_emails || []).filter((e) => e.email.trim() !== ''),
     }
 
     const updated = await adminAPI.settings.updateSettings(payload)

From 31550a2c6ad2ae7bad003cee543b485eca59fc92 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Mon, 13 Apr 2026 01:29:07 +0800
Subject: [PATCH 049/122] fix(notify): use real-time balance for crossing
 detection and simplify email logic

- Fix cached balance causing threshold crossing to never trigger:
  read real-time balance from billingCacheService instead of stale
  API key auth snapshot
- Remove email="" placeholder concept; all emails are user-managed
- Only send notifications to verified && non-disabled emails
- Frontend: pre-fill user's email in add input when list is empty
- Remove FilterEnabledEmails/IsPrimaryDisabled helpers (no longer needed)
---
 .../service/balance_notify_service.go         | 17 +++------
 backend/internal/service/gateway_service.go   | 10 ++++--
 .../internal/service/notify_email_entry.go    | 25 -------------
 .../user/profile/ProfileBalanceNotifyCard.vue | 35 +++++++++++--------
 frontend/src/i18n/locales/en.ts               |  1 +
 frontend/src/i18n/locales/zh.ts               |  1 +
 6 files changed, 34 insertions(+), 55 deletions(-)

diff --git a/backend/internal/service/balance_notify_service.go b/backend/internal/service/balance_notify_service.go
index ba1c7037..053451e1 100644
--- a/backend/internal/service/balance_notify_service.go
+++ b/backend/internal/service/balance_notify_service.go
@@ -192,11 +192,10 @@ func (s *BalanceNotifyService) getAccountQuotaNotifyEmails(ctx context.Context)
 	var recipients []string
 	seen := make(map[string]bool)
 	for _, entry := range entries {
-		if entry.Disabled {
+		if entry.Disabled || !entry.Verified {
 			continue
 		}
 		email := strings.TrimSpace(entry.Email)
-		// email="" placeholder is not resolved here; admin should configure actual emails
 		if email == "" {
 			continue
 		}
@@ -219,20 +218,17 @@ func (s *BalanceNotifyService) getSiteName(ctx context.Context) string {
 	return name
 }
 
-// collectBalanceNotifyRecipients collects all non-disabled email recipients for balance notifications.
-// Entries with email="" are resolved to the user's primary email.
+// collectBalanceNotifyRecipients returns verified, non-disabled email recipients.
+// Only emails with verified=true and disabled=false are included.
 func (s *BalanceNotifyService) collectBalanceNotifyRecipients(user *User) []string {
 	var recipients []string
 	seen := make(map[string]bool)
 
 	for _, entry := range user.BalanceNotifyExtraEmails {
-		if entry.Disabled {
+		if entry.Disabled || !entry.Verified {
 			continue
 		}
 		email := strings.TrimSpace(entry.Email)
-		if email == "" {
-			email = user.Email // Resolve primary email placeholder
-		}
 		if email == "" {
 			continue
 		}
@@ -244,11 +240,6 @@ func (s *BalanceNotifyService) collectBalanceNotifyRecipients(user *User) []stri
 		recipients = append(recipients, email)
 	}
 
-	// If no entries exist at all (legacy/empty), fall back to user's primary email
-	if len(user.BalanceNotifyExtraEmails) == 0 && user.Email != "" {
-		recipients = append(recipients, user.Email)
-	}
-
 	return recipients
 }
 
diff --git a/backend/internal/service/gateway_service.go b/backend/internal/service/gateway_service.go
index 1203f0c6..d68a7771 100644
--- a/backend/internal/service/gateway_service.go
+++ b/backend/internal/service/gateway_service.go
@@ -7338,9 +7338,15 @@ func finalizePostUsageBilling(p *postUsageBillingParams, deps *billingDeps) {
 
 	deps.deferredService.ScheduleLastUsedUpdate(p.Account.ID)
 
-	// Balance low notification
+	// Balance low notification — use real-time balance from billing cache (not stale snapshot)
 	if !p.IsSubscriptionBill && p.Cost.ActualCost > 0 && p.User != nil && deps.balanceNotifyService != nil {
-		deps.balanceNotifyService.CheckBalanceAfterDeduction(context.Background(), p.User, p.User.Balance, p.Cost.ActualCost)
+		oldBalance := p.User.Balance // fallback to snapshot
+		if deps.billingCacheService != nil {
+			if realBalance, err := deps.billingCacheService.GetUserBalance(context.Background(), p.User.ID); err == nil {
+				oldBalance = realBalance + p.Cost.ActualCost // DB already deducted, reconstruct pre-deduction balance
+			}
+		}
+		deps.balanceNotifyService.CheckBalanceAfterDeduction(context.Background(), p.User, oldBalance, p.Cost.ActualCost)
 	}
 
 	// Account quota notification (use same cost formula as postUsageBilling)
diff --git a/backend/internal/service/notify_email_entry.go b/backend/internal/service/notify_email_entry.go
index 3caf689f..c0e739f4 100644
--- a/backend/internal/service/notify_email_entry.go
+++ b/backend/internal/service/notify_email_entry.go
@@ -80,28 +80,3 @@ func MarshalNotifyEmails(entries []NotifyEmailEntry) string {
 	return string(data)
 }
 
-// filterEnabledEmails returns only non-disabled email addresses from entries.
-// Empty email placeholders are skipped (caller should resolve them separately).
-func FilterEnabledEmails(entries []NotifyEmailEntry) []string {
-	var result []string
-	for _, e := range entries {
-		if e.Disabled {
-			continue
-		}
-		email := strings.TrimSpace(e.Email)
-		if email != "" {
-			result = append(result, email)
-		}
-	}
-	return result
-}
-
-// isPrimaryDisabled checks if the primary email placeholder (email="") exists and is disabled.
-func IsPrimaryDisabled(entries []NotifyEmailEntry) bool {
-	for _, e := range entries {
-		if e.Email == "" {
-			return e.Disabled
-		}
-	}
-	return false // No primary placeholder = not disabled
-}
diff --git a/frontend/src/components/user/profile/ProfileBalanceNotifyCard.vue b/frontend/src/components/user/profile/ProfileBalanceNotifyCard.vue
index 1d88ad82..69b10b33 100644
--- a/frontend/src/components/user/profile/ProfileBalanceNotifyCard.vue
+++ b/frontend/src/components/user/profile/ProfileBalanceNotifyCard.vue
@@ -48,8 +48,9 @@
         <!-- Email list with toggles -->
         <div>
           <label class="input-label">{{ t('profile.balanceNotify.extraEmails') }}</label>
-          <div class="space-y-2 mb-3">
-            <!-- All email entries (primary placeholder + extra) -->
+
+          <!-- Saved email entries -->
+          <div v-if="emailEntries.length > 0" class="space-y-2 mb-3">
             <div v-for="(entry, idx) in emailEntries" :key="idx"
               class="flex items-center justify-between px-3 py-2 bg-gray-50 dark:bg-dark-700 rounded-lg">
               <div class="flex items-center gap-2 min-w-0 flex-1">
@@ -57,21 +58,19 @@
                   <input type="checkbox" :checked="!entry.disabled" @change="handleEmailToggle(entry)" class="sr-only peer" />
                   <div class="w-9 h-5 bg-gray-200 peer-focus:outline-none rounded-full peer dark:bg-gray-600 peer-checked:after:translate-x-full peer-checked:after:border-white after:content-[''] after:absolute after:top-[2px] after:left-[2px] after:bg-white after:border-gray-300 after:border after:rounded-full after:h-4 after:w-4 after:transition-all dark:after:border-gray-500 peer-checked:bg-primary-600"></div>
                 </label>
-                <span class="text-sm text-gray-700 dark:text-gray-300 truncate">
-                  {{ entry.email === '' ? userEmail : entry.email }}
-                </span>
+                <span class="text-sm text-gray-700 dark:text-gray-300 truncate">{{ entry.email }}</span>
               </div>
               <div class="flex items-center gap-2 shrink-0">
-                <span v-if="entry.email === ''" class="text-xs text-gray-400">{{ t('profile.balanceNotify.primaryEmail') }}</span>
-                <span v-else-if="!entry.verified" class="text-xs text-yellow-500">{{ t('profile.balanceNotify.unverified') }}</span>
-                <button v-if="entry.email !== ''" @click="handleRemoveEmail(entry.email)" class="text-red-500 hover:text-red-700 text-xs">
+                <span v-if="!entry.verified" class="text-xs text-yellow-500">{{ t('profile.balanceNotify.unverified') }}</span>
+                <span v-else class="text-xs text-green-500">{{ t('profile.balanceNotify.verified') }}</span>
+                <button @click="handleRemoveEmail(entry.email)" class="text-red-500 hover:text-red-700 text-xs">
                   {{ t('profile.balanceNotify.removeEmail') }}
                 </button>
               </div>
             </div>
           </div>
 
-          <!-- Pending (unverified) emails -->
+          <!-- Pending (unverified) emails in verification flow -->
           <div v-if="pendingEmails.length > 0" class="space-y-2 mb-3">
             <div v-for="(pe, idx) in pendingEmails" :key="pe.email"
               class="flex items-center gap-2 px-3 py-2 bg-yellow-50 dark:bg-yellow-900/10 rounded-lg border border-yellow-200 dark:border-yellow-800">
@@ -130,7 +129,7 @@
 </template>
 
 <script setup lang="ts">
-import { ref, computed, watch, onUnmounted } from 'vue'
+import { ref, computed, watch, onMounted, onUnmounted } from 'vue'
 import { useI18n } from 'vue-i18n'
 import { useAuthStore } from '@/stores/auth'
 import { useAppStore } from '@/stores/app'
@@ -138,7 +137,7 @@ import { userAPI } from '@/api'
 import { extractApiErrorMessage } from '@/utils/apiError'
 import type { NotifyEmailEntry } from '@/types'
 
-const maxTotalEmails = 3 // primary + 2 extra
+const maxTotalEmails = 3
 
 interface PendingEmail {
   email: string
@@ -177,6 +176,13 @@ watch(() => props.enabled, (val) => { notifyEnabled.value = val })
 watch(() => props.threshold, (val) => { customThreshold.value = val })
 watch(() => props.extraEmails, (val) => { emailEntries.value = [...val] })
 
+// When list is empty on mount, pre-fill the add input with user's email
+onMounted(() => {
+  if (emailEntries.value.length === 0 && props.userEmail) {
+    newEmail.value = props.userEmail
+  }
+})
+
 onUnmounted(() => {
   for (const pe of pendingEmails.value) {
     if (pe.timer) clearInterval(pe.timer)
@@ -221,10 +227,9 @@ async function handleEmailToggle(entry: NotifyEmailEntry) {
 function addPendingEmail() {
   const email = newEmail.value.trim()
   if (!email) return
-  // Check duplicates against existing entries and pending
-  const isDuplicate = emailEntries.value.some(e =>
-    (e.email === '' ? props.userEmail : e.email).toLowerCase() === email.toLowerCase()
-  ) || pendingEmails.value.some(p => p.email.toLowerCase() === email.toLowerCase())
+  // Check duplicates
+  const isDuplicate = emailEntries.value.some(e => e.email.toLowerCase() === email.toLowerCase())
+    || pendingEmails.value.some(p => p.email.toLowerCase() === email.toLowerCase())
   if (isDuplicate) {
     appStore.showError(t('profile.balanceNotify.emailDuplicate'))
     return
diff --git a/frontend/src/i18n/locales/en.ts b/frontend/src/i18n/locales/en.ts
index 1e2ab01e..07ae0c3d 100644
--- a/frontend/src/i18n/locales/en.ts
+++ b/frontend/src/i18n/locales/en.ts
@@ -932,6 +932,7 @@ export default {
       emailDuplicate: 'This email already exists',
       maxEmailsReached: 'Maximum number of notification emails reached',
       unverified: 'Unverified',
+      verified: 'Verified',
     }
   },
 
diff --git a/frontend/src/i18n/locales/zh.ts b/frontend/src/i18n/locales/zh.ts
index 0de76f4c..64d42c12 100644
--- a/frontend/src/i18n/locales/zh.ts
+++ b/frontend/src/i18n/locales/zh.ts
@@ -936,6 +936,7 @@ export default {
       emailDuplicate: '该邮箱已存在',
       maxEmailsReached: '已达到通知邮箱数量上限',
       unverified: '未验证',
+      verified: '已验证',
     }
   },
 

From 95f9b27e70940e19430ea0a0d79c7490074b279b Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Mon, 13 Apr 2026 01:40:13 +0800
Subject: [PATCH 050/122] fix(notify): add verification flow for saved
 unverified emails
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Add "verify" button next to saved unverified emails in
  ProfileBalanceNotifyCard (send code → enter code → verify)
- Backend: VerifyAndAddNotifyEmail now marks existing unverified
  emails as verified instead of returning "already exists"
- Inline verification UI with countdown timer and resend button
---
 backend/internal/service/user_service.go      | 12 ++-
 .../user/profile/ProfileBalanceNotifyCard.vue | 81 ++++++++++++++++++-
 2 files changed, 88 insertions(+), 5 deletions(-)

diff --git a/backend/internal/service/user_service.go b/backend/internal/service/user_service.go
index 6b75140f..bcb21c1d 100644
--- a/backend/internal/service/user_service.go
+++ b/backend/internal/service/user_service.go
@@ -336,14 +336,18 @@ func (s *UserService) VerifyAndAddNotifyEmail(ctx context.Context, userID int64,
 		return err
 	}
 
-	// Check if already exists
-	for _, e := range user.BalanceNotifyExtraEmails {
+	// Check if already exists — if unverified, mark as verified
+	for i, e := range user.BalanceNotifyExtraEmails {
 		if strings.EqualFold(e.Email, email) {
-			return nil // Already added
+			if !e.Verified {
+				user.BalanceNotifyExtraEmails[i].Verified = true
+				return s.userRepo.Update(ctx, user)
+			}
+			return nil // Already verified
 		}
 	}
 
-	// Check limit (total includes primary email="" placeholder + extra emails)
+	// Check limit
 	if len(user.BalanceNotifyExtraEmails) >= maxNotifyEmails {
 		return infraerrors.BadRequest("TOO_MANY_NOTIFY_EMAILS", fmt.Sprintf("maximum %d notification emails allowed", maxNotifyEmails))
 	}
diff --git a/frontend/src/components/user/profile/ProfileBalanceNotifyCard.vue b/frontend/src/components/user/profile/ProfileBalanceNotifyCard.vue
index 69b10b33..3a84fd6b 100644
--- a/frontend/src/components/user/profile/ProfileBalanceNotifyCard.vue
+++ b/frontend/src/components/user/profile/ProfileBalanceNotifyCard.vue
@@ -61,7 +61,34 @@
                 <span class="text-sm text-gray-700 dark:text-gray-300 truncate">{{ entry.email }}</span>
               </div>
               <div class="flex items-center gap-2 shrink-0">
-                <span v-if="!entry.verified" class="text-xs text-yellow-500">{{ t('profile.balanceNotify.unverified') }}</span>
+                <template v-if="!entry.verified">
+                  <!-- Inline verify flow for saved unverified emails -->
+                  <template v-if="verifyingEmail === entry.email">
+                    <input
+                      v-model="verifyCode"
+                      type="text"
+                      maxlength="6"
+                      class="w-20 rounded border border-gray-300 px-2 py-1 text-xs dark:border-dark-500 dark:bg-dark-700"
+                      :placeholder="t('profile.balanceNotify.codePlaceholder')"
+                    />
+                    <button @click="verifySavedEmail(entry.email)" :disabled="!verifyCode || verifyCode.length !== 6 || verifyingSaved" class="text-xs text-primary-600 hover:text-primary-700">
+                      {{ t('profile.balanceNotify.verify') }}
+                    </button>
+                    <span v-if="verifyCountdown > 0" class="text-xs text-gray-400">{{ verifyCountdown }}s</span>
+                    <button v-else @click="sendCodeForSaved(entry.email)" :disabled="sendingSavedCode" class="text-xs text-gray-500 hover:text-gray-700">
+                      {{ t('profile.balanceNotify.resend') }}
+                    </button>
+                    <button @click="verifyingEmail = ''" class="text-xs text-gray-400 hover:text-gray-600">
+                      {{ t('common.cancel') }}
+                    </button>
+                  </template>
+                  <template v-else>
+                    <button @click="sendCodeForSaved(entry.email)" :disabled="sendingSavedCode" class="text-xs text-primary-600 hover:text-primary-700">
+                      {{ t('profile.balanceNotify.verify') }}
+                    </button>
+                    <span class="text-xs text-yellow-500">{{ t('profile.balanceNotify.unverified') }}</span>
+                  </template>
+                </template>
                 <span v-else class="text-xs text-green-500">{{ t('profile.balanceNotify.verified') }}</span>
                 <button @click="handleRemoveEmail(entry.email)" class="text-red-500 hover:text-red-700 text-xs">
                   {{ t('profile.balanceNotify.removeEmail') }}
@@ -168,6 +195,14 @@ const pendingEmails = ref<PendingEmail[]>([])
 const newEmail = ref('')
 const savingThreshold = ref(false)
 
+// State for verifying saved unverified emails
+const verifyingEmail = ref('')
+const verifyCode = ref('')
+const verifyingSaved = ref(false)
+const sendingSavedCode = ref(false)
+const verifyCountdown = ref(0)
+let verifyTimer: ReturnType<typeof setInterval> | null = null
+
 const canAddMore = computed(() => {
   return emailEntries.value.length + pendingEmails.value.length < maxTotalEmails
 })
@@ -187,6 +222,7 @@ onUnmounted(() => {
   for (const pe of pendingEmails.value) {
     if (pe.timer) clearInterval(pe.timer)
   }
+  if (verifyTimer) clearInterval(verifyTimer)
 })
 
 const handleToggle = async () => {
@@ -291,4 +327,47 @@ const handleRemoveEmail = async (email: string) => {
     appStore.showError(extractApiErrorMessage(err, t('common.error')))
   }
 }
+
+// Verify saved unverified emails
+async function sendCodeForSaved(email: string) {
+  sendingSavedCode.value = true
+  try {
+    await userAPI.sendNotifyEmailCode(email)
+    verifyingEmail.value = email
+    verifyCode.value = ''
+    verifyCountdown.value = 60
+    if (verifyTimer) clearInterval(verifyTimer)
+    verifyTimer = setInterval(() => {
+      verifyCountdown.value--
+      if (verifyCountdown.value <= 0 && verifyTimer) {
+        clearInterval(verifyTimer)
+        verifyTimer = null
+      }
+    }, 1000)
+    appStore.showSuccess(t('profile.balanceNotify.codeSent'))
+  } catch (err: unknown) {
+    appStore.showError(extractApiErrorMessage(err, t('common.error')))
+  } finally {
+    sendingSavedCode.value = false
+  }
+}
+
+async function verifySavedEmail(email: string) {
+  if (!verifyCode.value || verifyCode.value.length !== 6) return
+  verifyingSaved.value = true
+  try {
+    await userAPI.verifyNotifyEmail(email, verifyCode.value)
+    verifyingEmail.value = ''
+    verifyCode.value = ''
+    if (verifyTimer) { clearInterval(verifyTimer); verifyTimer = null }
+    appStore.showSuccess(t('profile.balanceNotify.verifySuccess'))
+    const updated = await userAPI.getProfile()
+    authStore.user = updated
+    emailEntries.value = [...updated.balance_notify_extra_emails]
+  } catch (err: unknown) {
+    appStore.showError(extractApiErrorMessage(err, t('common.error')))
+  } finally {
+    verifyingSaved.value = false
+  }
+}
 </script>

From 11c4606874d1ade3219ce75bf405463118998172 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Mon, 13 Apr 2026 02:28:31 +0800
Subject: [PATCH 051/122] fix(channel): use upstream model for account stats
 pricing and remove channel pricing fallback
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- resolveAccountStatsCost now uses the final upstream model (after
  account-level mapping) to match custom pricing rules, fixing the
  issue where requested model (e.g. claude-sonnet-4-5) didn't match
  rules configured for upstream model (e.g. claude-opus-4-6)
- Remove tryChannelPricing fallback — only custom rules are applied,
  unmatched requests use default formula (total_cost × rate)
- Remove unused billingService and serviceTier parameters
- Update description: "启用后将支持自定义账号统计的模型价格"
---
 .../internal/service/account_stats_pricing.go | 38 ++++---------------
 backend/internal/service/gateway_service.go   | 13 ++++---
 .../service/openai_gateway_service.go         | 12 ++++--
 frontend/src/i18n/locales/en.ts               |  2 +-
 frontend/src/i18n/locales/zh.ts               |  2 +-
 5 files changed, 25 insertions(+), 42 deletions(-)

diff --git a/backend/internal/service/account_stats_pricing.go b/backend/internal/service/account_stats_pricing.go
index 86f98a12..4a896d9f 100644
--- a/backend/internal/service/account_stats_pricing.go
+++ b/backend/internal/service/account_stats_pricing.go
@@ -8,23 +8,18 @@ import (
 
 // resolveAccountStatsCost 计算账号统计定价费用。
 // 返回 nil 表示不覆盖，使用默认公式（total_cost × account_rate_multiplier）。
-//
-// 匹配优先级（先命中为准）：
-//  1. 自定义规则（AccountStatsPricingRules，按数组顺序遍历）
-//  2. 渠道已有的模型定价（ApplyPricingToAccountStats 开启时）
-//  3. nil → 走默认公式
+// 仅匹配自定义规则（AccountStatsPricingRules），按数组顺序先命中为准。
+// upstreamModel 是最终发往上游的模型 ID，用于匹配自定义规则中的模型定价。
 func resolveAccountStatsCost(
 	ctx context.Context,
 	channelService *ChannelService,
-	billingService *BillingService,
 	accountID int64,
 	groupID int64,
-	billingModel string,
+	upstreamModel string,
 	tokens UsageTokens,
 	requestCount int,
-	serviceTier string,
 ) *float64 {
-	if channelService == nil || billingService == nil {
+	if channelService == nil || upstreamModel == "" {
 		return nil
 	}
 	channel, err := channelService.GetChannelForGroup(ctx, groupID)
@@ -33,22 +28,15 @@ func resolveAccountStatsCost(
 	}
 
 	platform := channelService.GetGroupPlatform(ctx, groupID)
-	modelLower := strings.ToLower(billingModel)
-
-	// 优先级 1：自定义规则
-	if cost := tryCustomRules(channel, accountID, groupID, platform, modelLower, tokens, requestCount); cost != nil {
-		return cost
-	}
-
-	// 优先级 2：渠道已有模型定价
-	return tryChannelPricing(ctx, channelService, groupID, billingModel, tokens, requestCount)
+	return tryCustomRules(channel, accountID, groupID, platform, upstreamModel, tokens, requestCount)
 }
 
 // tryCustomRules 遍历自定义规则，按数组顺序先命中为准。
 func tryCustomRules(
 	channel *Channel, accountID, groupID int64,
-	platform, modelLower string, tokens UsageTokens, requestCount int,
+	platform, model string, tokens UsageTokens, requestCount int,
 ) *float64 {
+	modelLower := strings.ToLower(model)
 	for _, rule := range channel.AccountStatsPricingRules {
 		if !matchAccountStatsRule(&rule, accountID, groupID) {
 			continue
@@ -62,18 +50,6 @@ func tryCustomRules(
 	return nil
 }
 
-// tryChannelPricing 使用渠道已有的模型定价计算账号统计费用。
-func tryChannelPricing(
-	ctx context.Context, channelService *ChannelService,
-	groupID int64, billingModel string, tokens UsageTokens, requestCount int,
-) *float64 {
-	pricing := channelService.GetChannelModelPricing(ctx, groupID, billingModel)
-	if pricing == nil {
-		return nil
-	}
-	return calculateStatsCost(pricing, tokens, requestCount)
-}
-
 // matchAccountStatsRule 检查规则是否匹配指定的 accountID 和 groupID。
 // 匹配条件：accountID ∈ rule.AccountIDs 或 groupID ∈ rule.GroupIDs。
 // 如果规则的 AccountIDs 和 GroupIDs 都为空，视为不匹配。
diff --git a/backend/internal/service/gateway_service.go b/backend/internal/service/gateway_service.go
index d68a7771..70dd9b52 100644
--- a/backend/internal/service/gateway_service.go
+++ b/backend/internal/service/gateway_service.go
@@ -7581,11 +7581,15 @@ func (s *GatewayService) recordUsageCore(ctx context.Context, input *recordUsage
 	usageLog := s.buildRecordUsageLog(ctx, input, result, apiKey, user, account, subscription,
 		requestedModel, multiplier, accountRateMultiplier, billingType, cacheTTLOverridden, cost, opts)
 
-	// 计算账号统计定价费用
+	// 计算账号统计定价费用（使用最终上游模型匹配自定义规则）
 	if apiKey.GroupID != nil {
+		upstreamModel := result.UpstreamModel
+		if upstreamModel == "" {
+			upstreamModel = result.Model
+		}
 		usageLog.AccountStatsCost = resolveAccountStatsCost(
-			ctx, s.channelService, s.billingService,
-			account.ID, *apiKey.GroupID, billingModel,
+			ctx, s.channelService,
+			account.ID, *apiKey.GroupID, upstreamModel,
 			UsageTokens{
 				InputTokens:         result.Usage.InputTokens,
 				OutputTokens:        result.Usage.OutputTokens,
@@ -7593,8 +7597,7 @@ func (s *GatewayService) recordUsageCore(ctx context.Context, input *recordUsage
 				CacheReadTokens:     result.Usage.CacheReadInputTokens,
 				ImageOutputTokens:   result.Usage.ImageOutputTokens,
 			},
-			1,  // requestCount
-			"", // serviceTier: Anthropic 平台不使用 service tier
+			1, // requestCount
 		)
 	}
 
diff --git a/backend/internal/service/openai_gateway_service.go b/backend/internal/service/openai_gateway_service.go
index 70abd4ce..98258cd0 100644
--- a/backend/internal/service/openai_gateway_service.go
+++ b/backend/internal/service/openai_gateway_service.go
@@ -4573,12 +4573,16 @@ func (s *OpenAIGatewayService) RecordUsage(ctx context.Context, input *OpenAIRec
 		usageLog.SubscriptionID = &subscription.ID
 	}
 
-	// 计算账号统计定价费用
+	// 计算账号统计定价费用（使用最终上游模型匹配自定义规则）
 	if apiKey.GroupID != nil {
+		statsModel := result.UpstreamModel
+		if statsModel == "" {
+			statsModel = result.Model
+		}
 		usageLog.AccountStatsCost = resolveAccountStatsCost(
-			ctx, s.channelService, s.billingService,
-			account.ID, *apiKey.GroupID, billingModel,
-			tokens, 1, serviceTier,
+			ctx, s.channelService,
+			account.ID, *apiKey.GroupID, statsModel,
+			tokens, 1,
 		)
 	}
 
diff --git a/frontend/src/i18n/locales/en.ts b/frontend/src/i18n/locales/en.ts
index 07ae0c3d..f45a02f6 100644
--- a/frontend/src/i18n/locales/en.ts
+++ b/frontend/src/i18n/locales/en.ts
@@ -1877,7 +1877,7 @@ export default {
         pricingEntry: 'Pricing Entry',
         noModels: 'No models added',
         applyPricingToAccountStats: 'Apply Pricing to Account Stats',
-        applyPricingToAccountStatsDesc: 'When enabled, account statistics cost will use channel model pricing. Account rate multiplier still applies.',
+        applyPricingToAccountStatsDesc: 'When enabled, custom account stats model pricing rules will be applied.',
         accountStatsPricingRules: 'Custom Account Stats Pricing Rules',
         addRule: 'Add Rule',
         noRulesConfigured: 'No custom rules configured. Channel model pricing above will be used.',
diff --git a/frontend/src/i18n/locales/zh.ts b/frontend/src/i18n/locales/zh.ts
index 64d42c12..61d43a37 100644
--- a/frontend/src/i18n/locales/zh.ts
+++ b/frontend/src/i18n/locales/zh.ts
@@ -1956,7 +1956,7 @@ export default {
         pricingEntry: '定价配置',
         noModels: '未添加模型',
         applyPricingToAccountStats: '应用模型定价到账号统计',
-        applyPricingToAccountStatsDesc: '启用后，账号统计费用将使用渠道模型定价计算。账号自身的统计倍率仍然生效。',
+        applyPricingToAccountStatsDesc: '启用后将支持自定义账号统计的模型价格',
         accountStatsPricingRules: '自定义账号统计定价规则',
         addRule: '添加规则',
         noRulesConfigured: '未配置自定义规则，将使用上方的模型定价。',

From 1262654d9785673cfda3071a714f3a61734933e7 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Mon, 13 Apr 2026 11:37:08 +0800
Subject: [PATCH 052/122] feat: WebSearch tri-state, account stats pricing fix,
 quota cache fix, usage tooltip
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

WebSearch tri-state switch:
- Account-level web_search_emulation changed from bool to tri-state
  string: "default" (follow channel) / "enabled" / "disabled"
- shouldEmulateWebSearch checks channel config when account is "default"
- SQL migration converts old bool values
- Frontend select replaces toggle in Edit/CreateAccountModal

Account stats pricing:
- resolveAccountStatsCost uses upstream model (post-mapping) for matching
- Priority: custom rules → model pricing file (when toggle on) → default
- Custom rules always configurable, independent of toggle
- Account ID field changed to searchable selector filtered by platform
- Description updated to reflect new behavior

Quota notification cache fix:
- CheckAccountQuotaAfterIncrement fetches real-time account from DB
- Reconstructs pre-increment usage for accurate threshold crossing detection
- New AccountQuotaReader interface (minimal: GetByID only)

Usage tooltip:
- Per-request/image billing shows per-request price instead of $0 token price
- Token billing continues to show input/output price per million tokens
---
 backend/cmd/server/wire_gen.go                |   2 +-
 backend/internal/handler/gateway_handler.go   |   3 +
 backend/internal/service/account.go           |  29 +++-
 .../internal/service/account_stats_pricing.go |  41 ++++-
 .../service/balance_notify_service.go         |  43 +++++-
 backend/internal/service/gateway_request.go   |   3 +
 backend/internal/service/gateway_service.go   |   4 +-
 .../service/gateway_websearch_emulation.go    |  24 ++-
 .../service/openai_gateway_service.go         |   2 +-
 backend/internal/service/wire.go              |   4 +-
 ...igrate_websearch_emulation_to_tristate.sql |  11 ++
 .../components/account/CreateAccountModal.vue |  21 +--
 .../components/account/EditAccountModal.vue   |  27 +++-
 .../src/components/admin/usage/UsageTable.vue |  22 ++-
 frontend/src/i18n/locales/en.ts               |  12 +-
 frontend/src/i18n/locales/zh.ts               |  12 +-
 frontend/src/views/admin/ChannelsView.vue     | 143 ++++++++++++++++--
 frontend/src/views/user/UsageView.vue         |  22 ++-
 18 files changed, 346 insertions(+), 79 deletions(-)
 create mode 100644 backend/migrations/105_migrate_websearch_emulation_to_tristate.sql

diff --git a/backend/cmd/server/wire_gen.go b/backend/cmd/server/wire_gen.go
index 24ee02fd..69daeecf 100644
--- a/backend/cmd/server/wire_gen.go
+++ b/backend/cmd/server/wire_gen.go
@@ -176,7 +176,7 @@ func initializeApplication(buildInfo handler.BuildInfo) (*Application, error) {
 	channelRepository := repository.NewChannelRepository(db)
 	channelService := service.NewChannelService(channelRepository, apiKeyAuthCacheInvalidator)
 	modelPricingResolver := service.NewModelPricingResolver(channelService, billingService)
-	balanceNotifyService := service.ProvideBalanceNotifyService(emailService, settingRepository)
+	balanceNotifyService := service.ProvideBalanceNotifyService(emailService, settingRepository, accountRepository)
 	gatewayService := service.NewGatewayService(accountRepository, groupRepository, usageLogRepository, usageBillingRepository, userRepository, userSubscriptionRepository, userGroupRateRepository, gatewayCache, configConfig, schedulerSnapshotService, concurrencyService, billingService, rateLimitService, billingCacheService, identityService, httpUpstream, deferredService, claudeTokenProvider, sessionLimitCache, rpmCache, digestSessionStore, settingService, tlsFingerprintProfileService, channelService, modelPricingResolver, balanceNotifyService)
 	openAITokenProvider := service.ProvideOpenAITokenProvider(accountRepository, geminiTokenCache, openAIOAuthService, oAuthRefreshAPI)
 	openAIGatewayService := service.NewOpenAIGatewayService(accountRepository, usageLogRepository, usageBillingRepository, userRepository, userSubscriptionRepository, userGroupRateRepository, gatewayCache, configConfig, schedulerSnapshotService, concurrencyService, billingService, rateLimitService, billingCacheService, httpUpstream, deferredService, openAITokenProvider, modelPricingResolver, channelService, balanceNotifyService)
diff --git a/backend/internal/handler/gateway_handler.go b/backend/internal/handler/gateway_handler.go
index 59619d50..8ec54420 100644
--- a/backend/internal/handler/gateway_handler.go
+++ b/backend/internal/handler/gateway_handler.go
@@ -248,6 +248,9 @@ func (h *GatewayHandler) Messages(c *gin.Context) {
 		return
 	}
 
+	// 设置请求所属分组 ID（用于渠道级功能判断，如 WebSearch 模拟）
+	parsedReq.GroupID = apiKey.GroupID
+
 	// 计算粘性会话hash
 	parsedReq.SessionContext = &service.SessionContext{
 		ClientIP:  ip.GetClientIP(c),
diff --git a/backend/internal/service/account.go b/backend/internal/service/account.go
index 6e5a768f..4d933986 100644
--- a/backend/internal/service/account.go
+++ b/backend/internal/service/account.go
@@ -1169,15 +1169,30 @@ func (a *Account) IsAnthropicAPIKeyPassthroughEnabled() bool {
 	return ok && enabled
 }
 
-// IsWebSearchEmulationEnabled 返回 Anthropic API Key 账号是否启用 web search 模拟。
-// 字段：accounts.extra.web_search_emulation。
-// 字段缺失或类型不正确时，按 false（关闭）处理。
-func (a *Account) IsWebSearchEmulationEnabled() bool {
+// WebSearch 模拟三态常量
+const (
+	WebSearchModeDefault  = "default"  // 跟随渠道配置
+	WebSearchModeEnabled  = "enabled"  // 强制开启
+	WebSearchModeDisabled = "disabled" // 强制关闭
+)
+
+// GetWebSearchEmulationMode 返回账号的 WebSearch 模拟模式。
+// 三态：default（跟随渠道）/ enabled（强制开启）/ disabled（强制关闭）。
+// 旧 bool 值需通过 SQL 迁移脚本转换，Go 代码不做兼容。
+func (a *Account) GetWebSearchEmulationMode() string {
 	if a == nil || a.Platform != PlatformAnthropic || a.Type != AccountTypeAPIKey || a.Extra == nil {
-		return false
+		return WebSearchModeDefault
+	}
+	mode, ok := a.Extra[featureKeyWebSearchEmulation].(string)
+	if !ok {
+		return WebSearchModeDefault
+	}
+	switch mode {
+	case WebSearchModeEnabled, WebSearchModeDisabled:
+		return mode
+	default:
+		return WebSearchModeDefault
 	}
-	enabled, ok := a.Extra[featureKeyWebSearchEmulation].(bool)
-	return ok && enabled
 }
 
 // IsCodexCLIOnlyEnabled 返回 OpenAI OAuth 账号是否启用"仅允许 Codex 官方客户端"。
diff --git a/backend/internal/service/account_stats_pricing.go b/backend/internal/service/account_stats_pricing.go
index 4a896d9f..e88f7f8c 100644
--- a/backend/internal/service/account_stats_pricing.go
+++ b/backend/internal/service/account_stats_pricing.go
@@ -8,11 +8,17 @@ import (
 
 // resolveAccountStatsCost 计算账号统计定价费用。
 // 返回 nil 表示不覆盖，使用默认公式（total_cost × account_rate_multiplier）。
-// 仅匹配自定义规则（AccountStatsPricingRules），按数组顺序先命中为准。
-// upstreamModel 是最终发往上游的模型 ID，用于匹配自定义规则中的模型定价。
+//
+// 优先级（先命中为准）：
+//  1. 自定义规则（始终尝试，不依赖 ApplyPricingToAccountStats 开关）
+//  2. ApplyPricingToAccountStats 启用时，用模型定价文件（LiteLLM）中上游模型的标准价格计算
+//  3. nil → 走默认公式
+//
+// upstreamModel 是最终发往上游的模型 ID。
 func resolveAccountStatsCost(
 	ctx context.Context,
 	channelService *ChannelService,
+	billingService *BillingService,
 	accountID int64,
 	groupID int64,
 	upstreamModel string,
@@ -23,12 +29,39 @@ func resolveAccountStatsCost(
 		return nil
 	}
 	channel, err := channelService.GetChannelForGroup(ctx, groupID)
-	if err != nil || channel == nil || !channel.ApplyPricingToAccountStats {
+	if err != nil || channel == nil {
 		return nil
 	}
 
 	platform := channelService.GetGroupPlatform(ctx, groupID)
-	return tryCustomRules(channel, accountID, groupID, platform, upstreamModel, tokens, requestCount)
+
+	// 优先级 1：自定义规则（始终尝试）
+	if cost := tryCustomRules(channel, accountID, groupID, platform, upstreamModel, tokens, requestCount); cost != nil {
+		return cost
+	}
+
+	// 优先级 2：模型定价文件（LiteLLM/fallback）中上游模型的标准价格
+	if channel.ApplyPricingToAccountStats && billingService != nil {
+		return tryModelFilePricing(billingService, upstreamModel, tokens)
+	}
+
+	return nil
+}
+
+// tryModelFilePricing 使用模型定价文件（LiteLLM/fallback）中的标准价格计算费用。
+func tryModelFilePricing(billingService *BillingService, model string, tokens UsageTokens) *float64 {
+	pricing, err := billingService.GetModelPricing(model)
+	if err != nil || pricing == nil {
+		return nil
+	}
+	cost := float64(tokens.InputTokens)*pricing.InputPricePerToken +
+		float64(tokens.OutputTokens)*pricing.OutputPricePerToken +
+		float64(tokens.CacheCreationTokens)*pricing.CacheCreationPricePerToken +
+		float64(tokens.CacheReadTokens)*pricing.CacheReadPricePerToken
+	if cost <= 0 {
+		return nil
+	}
+	return &cost
 }
 
 // tryCustomRules 遍历自定义规则，按数组顺序先命中为准。
diff --git a/backend/internal/service/balance_notify_service.go b/backend/internal/service/balance_notify_service.go
index 053451e1..23411ed5 100644
--- a/backend/internal/service/balance_notify_service.go
+++ b/backend/internal/service/balance_notify_service.go
@@ -27,17 +27,24 @@ var quotaDimLabels = map[string]string{
 	quotaDimTotal:  "总限额 / Total",
 }
 
+// AccountQuotaReader provides read access to account quota data.
+type AccountQuotaReader interface {
+	GetByID(ctx context.Context, id int64) (*Account, error)
+}
+
 // BalanceNotifyService handles balance and quota threshold notifications.
 type BalanceNotifyService struct {
 	emailService *EmailService
 	settingRepo  SettingRepository
+	accountRepo  AccountQuotaReader
 }
 
 // NewBalanceNotifyService creates a new BalanceNotifyService.
-func NewBalanceNotifyService(emailService *EmailService, settingRepo SettingRepository) *BalanceNotifyService {
+func NewBalanceNotifyService(emailService *EmailService, settingRepo SettingRepository, accountRepo AccountQuotaReader) *BalanceNotifyService {
 	return &BalanceNotifyService{
 		emailService: emailService,
 		settingRepo:  settingRepo,
+		accountRepo:  accountRepo,
 	}
 }
 
@@ -110,7 +117,7 @@ func buildQuotaDims(account *Account) []quotaDim {
 }
 
 // CheckAccountQuotaAfterIncrement checks if any quota dimension crossed above its notify threshold.
-// The account's Extra fields contain pre-increment usage values.
+// It fetches real-time quota usage from DB to avoid stale snapshot values.
 func (s *BalanceNotifyService) CheckAccountQuotaAfterIncrement(ctx context.Context, account *Account, cost float64) {
 	if account == nil || s.emailService == nil || s.settingRepo == nil || cost <= 0 {
 		return
@@ -123,8 +130,29 @@ func (s *BalanceNotifyService) CheckAccountQuotaAfterIncrement(ctx context.Conte
 		return
 	}
 
+	freshAccount := s.fetchFreshAccount(ctx, account)
 	siteName := s.getSiteName(ctx)
-	for _, dim := range buildQuotaDims(account) {
+	s.checkQuotaDimCrossings(freshAccount, cost, adminEmails, siteName)
+}
+
+// fetchFreshAccount loads the latest account from DB; falls back to the snapshot on error.
+func (s *BalanceNotifyService) fetchFreshAccount(ctx context.Context, snapshot *Account) *Account {
+	if s.accountRepo == nil {
+		return snapshot
+	}
+	fresh, err := s.accountRepo.GetByID(ctx, snapshot.ID)
+	if err != nil {
+		slog.Warn("failed to fetch fresh account for quota notify, using snapshot",
+			"account_id", snapshot.ID, "error", err)
+		return snapshot
+	}
+	return fresh
+}
+
+// checkQuotaDimCrossings iterates quota dimensions and sends alerts for threshold crossings.
+// freshAccount has post-increment values; oldUsed is reconstructed as freshUsed - cost.
+func (s *BalanceNotifyService) checkQuotaDimCrossings(freshAccount *Account, cost float64, adminEmails []string, siteName string) {
+	for _, dim := range buildQuotaDims(freshAccount) {
 		if !dim.enabled || dim.threshold <= 0 {
 			continue
 		}
@@ -132,9 +160,12 @@ func (s *BalanceNotifyService) CheckAccountQuotaAfterIncrement(ctx context.Conte
 		if effectiveThreshold <= 0 {
 			continue
 		}
-		newUsed := dim.oldUsed + cost
-		if dim.oldUsed < effectiveThreshold && newUsed >= effectiveThreshold {
-			s.asyncSendQuotaAlert(adminEmails, account.Name, dim, newUsed, effectiveThreshold, siteName)
+		// dim.oldUsed is actually the post-increment value from fresh DB data;
+		// reconstruct pre-increment value to detect threshold crossing.
+		newUsed := dim.oldUsed
+		oldUsed := dim.oldUsed - cost
+		if oldUsed < effectiveThreshold && newUsed >= effectiveThreshold {
+			s.asyncSendQuotaAlert(adminEmails, freshAccount.Name, dim, newUsed, effectiveThreshold, siteName)
 		}
 	}
 }
diff --git a/backend/internal/service/gateway_request.go b/backend/internal/service/gateway_request.go
index e2badfed..55cb2c84 100644
--- a/backend/internal/service/gateway_request.go
+++ b/backend/internal/service/gateway_request.go
@@ -75,6 +75,9 @@ type ParsedRequest struct {
 	MaxTokens       int             // max_tokens 值（用于探测请求拦截）
 	SessionContext  *SessionContext // 可选：请求上下文区分因子（nil 时行为不变）
 
+	// GroupID 请求所属分组 ID（来自 API Key）
+	GroupID *int64
+
 	// OnUpstreamAccepted 上游接受请求后立即调用（用于提前释放串行锁）
 	// 流式请求在收到 2xx 响应头后调用，避免持锁等流完成
 	OnUpstreamAccepted func()
diff --git a/backend/internal/service/gateway_service.go b/backend/internal/service/gateway_service.go
index 70dd9b52..5267156d 100644
--- a/backend/internal/service/gateway_service.go
+++ b/backend/internal/service/gateway_service.go
@@ -3789,7 +3789,7 @@ func (s *GatewayService) Forward(ctx context.Context, c *gin.Context, account *A
 	}
 
 	// Web Search 模拟：纯 web_search 请求时，直接调用搜索 API 构造响应
-	if account != nil && s.shouldEmulateWebSearch(ctx, account, parsed.Body) {
+	if account != nil && s.shouldEmulateWebSearch(ctx, account, parsed.GroupID, parsed.Body) {
 		return s.handleWebSearchEmulation(ctx, c, account, parsed)
 	}
 
@@ -7588,7 +7588,7 @@ func (s *GatewayService) recordUsageCore(ctx context.Context, input *recordUsage
 			upstreamModel = result.Model
 		}
 		usageLog.AccountStatsCost = resolveAccountStatsCost(
-			ctx, s.channelService,
+			ctx, s.channelService, s.billingService,
 			account.ID, *apiKey.GroupID, upstreamModel,
 			UsageTokens{
 				InputTokens:         result.Usage.InputTokens,
diff --git a/backend/internal/service/gateway_websearch_emulation.go b/backend/internal/service/gateway_websearch_emulation.go
index b3a4aa69..0d0b5480 100644
--- a/backend/internal/service/gateway_websearch_emulation.go
+++ b/backend/internal/service/gateway_websearch_emulation.go
@@ -49,10 +49,9 @@ func getWebSearchManager() *websearch.Manager {
 
 // shouldEmulateWebSearch checks whether a request should be intercepted.
 //
-// Judgment chain: manager exists → only web_search tool → global enabled → account enabled.
-// Note: channel-level control is enforced via the account's extra field; the channel toggle
-// in the admin UI sets the account's flag for all accounts in that channel's groups.
-func (s *GatewayService) shouldEmulateWebSearch(ctx context.Context, account *Account, body []byte) bool {
+// Judgment chain: manager exists → only web_search tool → global enabled → account/channel enabled.
+// Account-level mode: "enabled" (force on), "disabled" (force off), "default" (follow channel).
+func (s *GatewayService) shouldEmulateWebSearch(ctx context.Context, account *Account, groupID *int64, body []byte) bool {
 	if getWebSearchManager() == nil {
 		return false
 	}
@@ -62,10 +61,23 @@ func (s *GatewayService) shouldEmulateWebSearch(ctx context.Context, account *Ac
 	if !s.settingService.IsWebSearchEmulationEnabled(ctx) {
 		return false
 	}
-	if !account.IsWebSearchEmulationEnabled() {
+
+	mode := account.GetWebSearchEmulationMode()
+	switch mode {
+	case WebSearchModeEnabled:
+		return true
+	case WebSearchModeDisabled:
 		return false
+	default: // "default" → follow channel config
+		if groupID == nil || s.channelService == nil {
+			return false
+		}
+		ch, err := s.channelService.GetChannelForGroup(ctx, *groupID)
+		if err != nil || ch == nil {
+			return false
+		}
+		return ch.IsWebSearchEmulationEnabled(account.Platform)
 	}
-	return true
 }
 
 // isOnlyWebSearchToolInBody checks if the body contains exactly one web_search tool.
diff --git a/backend/internal/service/openai_gateway_service.go b/backend/internal/service/openai_gateway_service.go
index 98258cd0..e060b981 100644
--- a/backend/internal/service/openai_gateway_service.go
+++ b/backend/internal/service/openai_gateway_service.go
@@ -4580,7 +4580,7 @@ func (s *OpenAIGatewayService) RecordUsage(ctx context.Context, input *OpenAIRec
 			statsModel = result.Model
 		}
 		usageLog.AccountStatsCost = resolveAccountStatsCost(
-			ctx, s.channelService,
+			ctx, s.channelService, s.billingService,
 			account.ID, *apiKey.GroupID, statsModel,
 			tokens, 1,
 		)
diff --git a/backend/internal/service/wire.go b/backend/internal/service/wire.go
index b4e33039..9f33c46a 100644
--- a/backend/internal/service/wire.go
+++ b/backend/internal/service/wire.go
@@ -476,8 +476,8 @@ func ProvidePaymentConfigService(entClient *dbent.Client, settingRepo SettingRep
 }
 
 // ProvideBalanceNotifyService creates BalanceNotifyService
-func ProvideBalanceNotifyService(emailService *EmailService, settingRepo SettingRepository) *BalanceNotifyService {
-	return NewBalanceNotifyService(emailService, settingRepo)
+func ProvideBalanceNotifyService(emailService *EmailService, settingRepo SettingRepository, accountRepo AccountRepository) *BalanceNotifyService {
+	return NewBalanceNotifyService(emailService, settingRepo, accountRepo)
 }
 
 // ProvidePaymentOrderExpiryService creates and starts PaymentOrderExpiryService.
diff --git a/backend/migrations/105_migrate_websearch_emulation_to_tristate.sql b/backend/migrations/105_migrate_websearch_emulation_to_tristate.sql
new file mode 100644
index 00000000..745e58df
--- /dev/null
+++ b/backend/migrations/105_migrate_websearch_emulation_to_tristate.sql
@@ -0,0 +1,11 @@
+-- Convert old boolean web_search_emulation to tri-state string
+-- true → "enabled", false → remove key (becomes "default")
+UPDATE accounts
+SET extra = (extra - 'web_search_emulation') || jsonb_build_object('web_search_emulation', 'enabled')
+WHERE extra ? 'web_search_emulation'
+  AND extra->>'web_search_emulation' = 'true';
+
+UPDATE accounts
+SET extra = extra - 'web_search_emulation'
+WHERE extra ? 'web_search_emulation'
+  AND extra->>'web_search_emulation' = 'false';
diff --git a/frontend/src/components/account/CreateAccountModal.vue b/frontend/src/components/account/CreateAccountModal.vue
index e0dbce61..e83e061e 100644
--- a/frontend/src/components/account/CreateAccountModal.vue
+++ b/frontend/src/components/account/CreateAccountModal.vue
@@ -2337,7 +2337,11 @@
               {{ t('admin.accounts.anthropic.webSearchEmulationDesc') }}
             </p>
           </div>
-          <Toggle v-model="webSearchEmulationEnabled" />
+          <select v-model="webSearchEmulationMode" class="input w-32 text-sm">
+            <option value="default">{{ t('admin.accounts.anthropic.webSearchDefault') }}</option>
+            <option value="enabled">{{ t('admin.accounts.anthropic.webSearchEnabled') }}</option>
+            <option value="disabled">{{ t('admin.accounts.anthropic.webSearchDisabled') }}</option>
+          </select>
         </div>
       </div>
 
@@ -2846,7 +2850,6 @@ import ConfirmDialog from '@/components/common/ConfirmDialog.vue'
 import Select from '@/components/common/Select.vue'
 import Icon from '@/components/icons/Icon.vue'
 import ProxySelector from '@/components/common/ProxySelector.vue'
-import Toggle from '@/components/common/Toggle.vue'
 import GroupSelector from '@/components/common/GroupSelector.vue'
 import ModelWhitelistSelector from '@/components/account/ModelWhitelistSelector.vue'
 import QuotaLimitCard from '@/components/account/QuotaLimitCard.vue'
@@ -2997,7 +3000,7 @@ const openaiOAuthResponsesWebSocketV2Mode = ref<OpenAIWSMode>(OPENAI_WS_MODE_OFF
 const openaiAPIKeyResponsesWebSocketV2Mode = ref<OpenAIWSMode>(OPENAI_WS_MODE_OFF)
 const codexCLIOnlyEnabled = ref(false)
 const anthropicPassthroughEnabled = ref(false)
-const webSearchEmulationEnabled = ref(false)
+const webSearchEmulationMode = ref('default')
 const webSearchGlobalEnabled = ref(false)
 
 // Load web search global state once
@@ -3331,7 +3334,7 @@ watch(
     }
     if (newPlatform !== 'anthropic') {
       anthropicPassthroughEnabled.value = false
-      webSearchEmulationEnabled.value = false
+      webSearchEmulationMode.value = 'default'
     }
     // Reset OAuth states
     oauth.resetState()
@@ -3351,7 +3354,7 @@ watch(
     }
     if (platform !== 'anthropic' || category !== 'apikey') {
       anthropicPassthroughEnabled.value = false
-      webSearchEmulationEnabled.value = false
+      webSearchEmulationMode.value = 'default'
     }
   }
 )
@@ -3716,7 +3719,7 @@ const resetForm = () => {
   openaiAPIKeyResponsesWebSocketV2Mode.value = OPENAI_WS_MODE_OFF
   codexCLIOnlyEnabled.value = false
   anthropicPassthroughEnabled.value = false
-  webSearchEmulationEnabled.value = false
+  webSearchEmulationMode.value = 'default'
   // Reset quota control state
   windowCostEnabled.value = false
   windowCostLimit.value = null
@@ -3804,10 +3807,10 @@ const buildAnthropicExtra = (base?: Record<string, unknown>): Record<string, unk
   } else {
     delete extra.anthropic_passthrough
   }
-  if (webSearchEmulationEnabled.value) {
-    extra.web_search_emulation = true
-  } else {
+  if (webSearchEmulationMode.value === 'default') {
     delete extra.web_search_emulation
+  } else {
+    extra.web_search_emulation = webSearchEmulationMode.value
   }
 
   return Object.keys(extra).length > 0 ? extra : undefined
diff --git a/frontend/src/components/account/EditAccountModal.vue b/frontend/src/components/account/EditAccountModal.vue
index abb9569e..74e5fc1f 100644
--- a/frontend/src/components/account/EditAccountModal.vue
+++ b/frontend/src/components/account/EditAccountModal.vue
@@ -1161,7 +1161,11 @@
               {{ t('admin.accounts.anthropic.webSearchEmulationDesc') }}
             </p>
           </div>
-          <Toggle v-model="webSearchEmulationEnabled" />
+          <select v-model="webSearchEmulationMode" class="input w-32 text-sm">
+            <option value="default">{{ t('admin.accounts.anthropic.webSearchDefault') }}</option>
+            <option value="enabled">{{ t('admin.accounts.anthropic.webSearchEnabled') }}</option>
+            <option value="disabled">{{ t('admin.accounts.anthropic.webSearchDisabled') }}</option>
+          </select>
         </div>
       </div>
 
@@ -1844,7 +1848,6 @@ import ConfirmDialog from '@/components/common/ConfirmDialog.vue'
 import Select from '@/components/common/Select.vue'
 import Icon from '@/components/icons/Icon.vue'
 import ProxySelector from '@/components/common/ProxySelector.vue'
-import Toggle from '@/components/common/Toggle.vue'
 import GroupSelector from '@/components/common/GroupSelector.vue'
 import ModelWhitelistSelector from '@/components/account/ModelWhitelistSelector.vue'
 import QuotaLimitCard from '@/components/account/QuotaLimitCard.vue'
@@ -1986,7 +1989,7 @@ const openaiOAuthResponsesWebSocketV2Mode = ref<OpenAIWSMode>(OPENAI_WS_MODE_OFF
 const openaiAPIKeyResponsesWebSocketV2Mode = ref<OpenAIWSMode>(OPENAI_WS_MODE_OFF)
 const codexCLIOnlyEnabled = ref(false)
 const anthropicPassthroughEnabled = ref(false)
-const webSearchEmulationEnabled = ref(false)
+const webSearchEmulationMode = ref('default')
 const webSearchGlobalEnabled = ref(false)
 
 // Load web search global state once
@@ -2171,7 +2174,7 @@ const syncFormFromAccount = (newAccount: Account | null) => {
   openaiAPIKeyResponsesWebSocketV2Mode.value = OPENAI_WS_MODE_OFF
   codexCLIOnlyEnabled.value = false
   anthropicPassthroughEnabled.value = false
-  webSearchEmulationEnabled.value = false
+  webSearchEmulationMode.value = 'default'
   if (newAccount.platform === 'openai' && (newAccount.type === 'oauth' || newAccount.type === 'apikey')) {
     openaiPassthroughEnabled.value = extra?.openai_passthrough === true || extra?.openai_oauth_passthrough === true
     openaiOAuthResponsesWebSocketV2Mode.value = resolveOpenAIWSModeFromExtra(extra, {
@@ -2192,7 +2195,15 @@ const syncFormFromAccount = (newAccount: Account | null) => {
   }
   if (newAccount.platform === 'anthropic' && newAccount.type === 'apikey') {
     anthropicPassthroughEnabled.value = extra?.anthropic_passthrough === true
-    webSearchEmulationEnabled.value = extra?.web_search_emulation === true
+    // 三态：string "default"/"enabled"/"disabled"，向后兼容旧 bool
+    const wsVal = extra?.web_search_emulation
+    if (wsVal === 'enabled' || wsVal === 'disabled') {
+      webSearchEmulationMode.value = wsVal
+    } else if (wsVal === true) {
+      webSearchEmulationMode.value = 'enabled'
+    } else {
+      webSearchEmulationMode.value = 'default'
+    }
   }
 
   // Load quota limit for apikey/bedrock accounts (bedrock quota is also loaded in its own branch above)
@@ -3180,10 +3191,10 @@ const handleSubmit = async () => {
       } else {
         delete newExtra.anthropic_passthrough
       }
-      if (webSearchEmulationEnabled.value) {
-        newExtra.web_search_emulation = true
-      } else {
+      if (webSearchEmulationMode.value === 'default') {
         delete newExtra.web_search_emulation
+      } else {
+        newExtra.web_search_emulation = webSearchEmulationMode.value
       }
       updatePayload.extra = newExtra
     }
diff --git a/frontend/src/components/admin/usage/UsageTable.vue b/frontend/src/components/admin/usage/UsageTable.vue
index f4494e69..92c8dd34 100644
--- a/frontend/src/components/admin/usage/UsageTable.vue
+++ b/frontend/src/components/admin/usage/UsageTable.vue
@@ -279,13 +279,21 @@
               <span class="text-gray-400">{{ t('admin.usage.outputCost') }}</span>
               <span class="font-medium text-white">${{ tooltipData.output_cost.toFixed(6) }}</span>
             </div>
-            <div v-if="tooltipData && tooltipData.input_tokens > 0" class="flex items-center justify-between gap-4">
-              <span class="text-gray-400">{{ t('usage.inputTokenPrice') }}</span>
-              <span class="font-medium text-sky-300">{{ formatTokenPricePerMillion(tooltipData.input_cost, tooltipData.input_tokens) }} {{ t('usage.perMillionTokens') }}</span>
-            </div>
-            <div v-if="tooltipData && tooltipData.output_tokens > 0" class="flex items-center justify-between gap-4">
-              <span class="text-gray-400">{{ t('usage.outputTokenPrice') }}</span>
-              <span class="font-medium text-violet-300">{{ formatTokenPricePerMillion(tooltipData.output_cost, tooltipData.output_tokens) }} {{ t('usage.perMillionTokens') }}</span>
+            <!-- Token billing: show unit prices per 1M tokens -->
+            <template v-if="!tooltipData?.billing_mode || tooltipData.billing_mode === 'token'">
+              <div v-if="tooltipData && tooltipData.input_tokens > 0" class="flex items-center justify-between gap-4">
+                <span class="text-gray-400">{{ t('usage.inputTokenPrice') }}</span>
+                <span class="font-medium text-sky-300">{{ formatTokenPricePerMillion(tooltipData.input_cost, tooltipData.input_tokens) }} {{ t('usage.perMillionTokens') }}</span>
+              </div>
+              <div v-if="tooltipData && tooltipData.output_tokens > 0" class="flex items-center justify-between gap-4">
+                <span class="text-gray-400">{{ t('usage.outputTokenPrice') }}</span>
+                <span class="font-medium text-violet-300">{{ formatTokenPricePerMillion(tooltipData.output_cost, tooltipData.output_tokens) }} {{ t('usage.perMillionTokens') }}</span>
+              </div>
+            </template>
+            <!-- Per-request / image billing: show unit price -->
+            <div v-else class="flex items-center justify-between gap-4">
+              <span class="text-gray-400">{{ tooltipData.billing_mode === 'image' ? t('usage.imageUnitPrice') : t('usage.unitPrice') }}</span>
+              <span class="font-medium text-sky-300">${{ tooltipData.total_cost?.toFixed(6) || '0.000000' }}</span>
             </div>
             <div v-if="tooltipData && tooltipData.cache_creation_cost > 0" class="flex items-center justify-between gap-4">
               <span class="text-gray-400">{{ t('admin.usage.cacheCreationCost') }}</span>
diff --git a/frontend/src/i18n/locales/en.ts b/frontend/src/i18n/locales/en.ts
index f45a02f6..056bdde0 100644
--- a/frontend/src/i18n/locales/en.ts
+++ b/frontend/src/i18n/locales/en.ts
@@ -774,6 +774,8 @@ export default {
     inputTokenPrice: 'Input price',
     outputTokenPrice: 'Output price',
     perMillionTokens: '/ 1M tokens',
+    unitPrice: 'Per-request price',
+    imageUnitPrice: 'Per-image price',
     cacheRead: 'Read',
     cacheWrite: 'Write',
     serviceTier: 'Service tier',
@@ -1877,14 +1879,15 @@ export default {
         pricingEntry: 'Pricing Entry',
         noModels: 'No models added',
         applyPricingToAccountStats: 'Apply Pricing to Account Stats',
-        applyPricingToAccountStatsDesc: 'When enabled, custom account stats model pricing rules will be applied.',
+        applyPricingToAccountStatsDesc: 'When enabled, requests not matched by custom rules will use standard model pricing for account stats calculation',
         accountStatsPricingRules: 'Custom Account Stats Pricing Rules',
         addRule: 'Add Rule',
         noRulesConfigured: 'No custom rules configured. Channel model pricing above will be used.',
         ruleName: 'Rule name (optional)',
         ruleGroups: 'Groups',
-        ruleAccounts: 'Account IDs',
-        ruleAccountsPlaceholder: 'Enter account IDs, comma-separated',
+        ruleAccounts: 'Accounts',
+        searchAccountPlaceholder: 'Search accounts...',
+        ruleAccountsHint: 'Leave empty to match all accounts',
         ruleModelPricing: 'Model Pricing',
         noGroupsInChannel: 'No groups selected in platform tabs above'
       }
@@ -2380,6 +2383,9 @@ export default {
         webSearchEmulation: 'Web Search Emulation',
         webSearchEmulationDesc:
           'Enable web search emulation for this API Key account. When a pure web_search request is detected, the gateway calls a third-party search API and constructs the response locally.',
+        webSearchDefault: 'Default (follow channel)',
+        webSearchEnabled: 'Enabled',
+        webSearchDisabled: 'Disabled',
       },
       modelRestriction: 'Model Restriction (Optional)',
       modelWhitelist: 'Model Whitelist',
diff --git a/frontend/src/i18n/locales/zh.ts b/frontend/src/i18n/locales/zh.ts
index 61d43a37..47a1f8d4 100644
--- a/frontend/src/i18n/locales/zh.ts
+++ b/frontend/src/i18n/locales/zh.ts
@@ -778,6 +778,8 @@ export default {
     inputTokenPrice: '输入单价',
     outputTokenPrice: '输出单价',
     perMillionTokens: '/ 1M Token',
+    unitPrice: '单次价格',
+    imageUnitPrice: '单张价格',
     cacheRead: '读取',
     cacheWrite: '写入',
     serviceTier: '服务档位',
@@ -1956,14 +1958,15 @@ export default {
         pricingEntry: '定价配置',
         noModels: '未添加模型',
         applyPricingToAccountStats: '应用模型定价到账号统计',
-        applyPricingToAccountStatsDesc: '启用后将支持自定义账号统计的模型价格',
+        applyPricingToAccountStatsDesc: '启用后，未被自定义规则匹配的请求将使用模型定价文件中的标准价格计算账号统计费用',
         accountStatsPricingRules: '自定义账号统计定价规则',
         addRule: '添加规则',
         noRulesConfigured: '未配置自定义规则，将使用上方的模型定价。',
         ruleName: '规则名称（可选）',
         ruleGroups: '分组',
-        ruleAccounts: '账号 ID',
-        ruleAccountsPlaceholder: '输入账号 ID，逗号分隔',
+        ruleAccounts: '账号',
+        searchAccountPlaceholder: '搜索账号...',
+        ruleAccountsHint: '留空表示匹配所有账号',
         ruleModelPricing: '模型定价',
         noGroupsInChannel: '上方平台标签页中未选择分组'
       }
@@ -2527,6 +2530,9 @@ export default {
         webSearchEmulation: 'Web Search 模拟',
         webSearchEmulationDesc:
           '为该 API Key 账号启用 web search 模拟。客户端发送纯 web_search 请求时，由网关调用第三方搜索 API 并构造响应返回。',
+        webSearchDefault: '默认（跟随渠道）',
+        webSearchEnabled: '开启',
+        webSearchDisabled: '关闭',
       },
       modelRestriction: '模型限制（可选）',
       modelWhitelist: '模型白名单',
diff --git a/frontend/src/views/admin/ChannelsView.vue b/frontend/src/views/admin/ChannelsView.vue
index 2e45ba42..5be45cb5 100644
--- a/frontend/src/views/admin/ChannelsView.vue
+++ b/frontend/src/views/admin/ChannelsView.vue
@@ -413,8 +413,8 @@
               </div>
             </div>
 
-            <!-- Account Stats Pricing Rules (per-platform, only when global toggle is on) -->
-            <div v-if="form.apply_pricing_to_account_stats" class="mt-4 border-t border-gray-200 pt-4 dark:border-dark-700 space-y-3">
+            <!-- Account Stats Pricing Rules (per-platform, always visible) -->
+            <div class="mt-4 border-t border-gray-200 pt-4 dark:border-dark-700 space-y-3">
               <div class="flex items-center justify-between">
                 <h4 class="text-sm font-medium text-gray-700 dark:text-gray-300">
                   {{ t('admin.channels.form.accountStatsPricingRules') }}
@@ -474,12 +474,51 @@
 
                 <div>
                   <label class="text-xs text-gray-500 dark:text-gray-400">{{ t('admin.channels.form.ruleAccounts') }}</label>
-                  <input
-                    :value="rule.account_ids.join(', ')"
-                    @change="rule.account_ids = parseAccountIdsInput(($event.target as HTMLInputElement).value)"
-                    :placeholder="t('admin.channels.form.ruleAccountsPlaceholder')"
-                    class="input mt-1 text-sm"
-                  />
+                  <!-- Selected account chips -->
+                  <div class="mt-1 flex flex-wrap gap-1">
+                    <span
+                      v-for="accountId in rule.account_ids"
+                      :key="accountId"
+                      class="inline-flex items-center gap-1 rounded-md border border-primary-300 bg-primary-50 px-2 py-0.5 text-xs dark:border-primary-700 dark:bg-primary-900/20"
+                    >
+                      <span>{{ getRuleAccountLabel(accountId) }}</span>
+                      <button type="button" @click="removeRuleAccount(rule, accountId)" class="text-gray-400 hover:text-red-500">
+                        <Icon name="x" size="xs" />
+                      </button>
+                    </span>
+                  </div>
+                  <!-- Account search input -->
+                  <div class="relative mt-1 rule-account-search-container">
+                    <input
+                      v-model="ruleAccountSearchKeyword[`${section.platform}-${ruleIndex}`]"
+                      type="text"
+                      class="input text-sm"
+                      :placeholder="t('admin.channels.form.searchAccountPlaceholder')"
+                      @input="onRuleAccountSearchInput(section.platform, ruleIndex)"
+                      @focus="onRuleAccountSearchFocus(section.platform, ruleIndex)"
+                    />
+                    <!-- Search results dropdown -->
+                    <div
+                      v-if="showRuleAccountDropdown[`${section.platform}-${ruleIndex}`] && (ruleAccountSearchResults[`${section.platform}-${ruleIndex}`]?.length ?? 0) > 0"
+                      class="absolute z-50 mt-1 max-h-48 w-full overflow-auto rounded-lg border bg-white shadow-lg dark:border-dark-600 dark:bg-dark-800"
+                    >
+                      <button
+                        v-for="account in ruleAccountSearchResults[`${section.platform}-${ruleIndex}`]"
+                        :key="account.id"
+                        type="button"
+                        @click="selectRuleAccount(rule, account, section.platform, ruleIndex)"
+                        class="w-full px-3 py-2 text-left text-sm hover:bg-gray-100 dark:hover:bg-dark-700"
+                        :class="{ 'opacity-50': rule.account_ids.includes(account.id) }"
+                        :disabled="rule.account_ids.includes(account.id)"
+                      >
+                        <span>{{ account.name }}</span>
+                        <span class="ml-2 text-xs text-gray-400">#{{ account.id }}</span>
+                      </button>
+                    </div>
+                  </div>
+                  <p class="mt-1 text-xs text-gray-400">
+                    {{ t('admin.channels.form.ruleAccountsHint') }}
+                  </p>
                 </div>
 
                 <div>
@@ -569,6 +608,7 @@ import PlatformIcon from '@/components/common/PlatformIcon.vue'
 import Toggle from '@/components/common/Toggle.vue'
 import PricingEntryCard from '@/components/admin/channel/PricingEntryCard.vue'
 import { getPersistedPageSize } from '@/composables/usePersistedPageSize'
+import { useKeyedDebouncedSearch } from '@/composables/useKeyedDebouncedSearch'
 
 const { t } = useI18n()
 const appStore = useAppStore()
@@ -852,6 +892,9 @@ function addRulePricingEntry(ruleIndex: number) {
 
 function removeAccountStatsRule(ruleIndex: number) {
   form.account_stats_pricing_rules.splice(ruleIndex, 1)
+  // Clear all search state since indices shift after removal
+  ruleAccountSearchRunner.clearAll()
+  clearAllRuleAccountSearchState()
 }
 
 function removeRulePricingEntry(ruleIndex: number, pricingIndex: number) {
@@ -863,11 +906,78 @@ function getGroupNameById(groupId: number): string {
   return group ? group.name : `#${groupId}`
 }
 
-function parseAccountIdsInput(value: string): number[] {
-  return value
-    .split(',')
-    .map(s => parseInt(s.trim()))
-    .filter(n => !isNaN(n) && n > 0)
+// ── Account search for pricing rules ──
+interface SimpleAccount { id: number; name: string }
+
+const ruleAccountSearchKeyword = ref<Record<string, string>>({})
+const ruleAccountSearchResults = ref<Record<string, SimpleAccount[]>>({})
+const showRuleAccountDropdown = ref<Record<string, boolean>>({})
+// Cache: account ID → name, populated when search results are selected
+const ruleAccountNameCache = ref<Record<number, string>>({})
+
+const ruleAccountSearchRunner = useKeyedDebouncedSearch<SimpleAccount[]>({
+  delay: 300,
+  search: async (keyword, { key, signal }) => {
+    const platform = key.split('-')[0]
+    const res = await adminAPI.accounts.list(1, 20, { platform, search: keyword }, { signal })
+    return res.items.map(a => ({ id: a.id, name: a.name }))
+  },
+  onSuccess: (key, result) => { ruleAccountSearchResults.value[key] = result },
+  onError: (key) => { ruleAccountSearchResults.value[key] = [] },
+})
+
+function onRuleAccountSearchInput(platform: string, ruleIndex: number) {
+  const key = `${platform}-${ruleIndex}`
+  showRuleAccountDropdown.value[key] = true
+  ruleAccountSearchRunner.trigger(key, ruleAccountSearchKeyword.value[key] || '')
+}
+
+function onRuleAccountSearchFocus(platform: string, ruleIndex: number) {
+  const key = `${platform}-${ruleIndex}`
+  showRuleAccountDropdown.value[key] = true
+  if (!ruleAccountSearchResults.value[key]?.length) {
+    ruleAccountSearchRunner.trigger(key, ruleAccountSearchKeyword.value[key] || '')
+  }
+}
+
+function selectRuleAccount(
+  rule: { account_ids: number[] },
+  account: SimpleAccount,
+  platform: string,
+  ruleIndex: number,
+) {
+  if (!rule.account_ids.includes(account.id)) {
+    rule.account_ids.push(account.id)
+    ruleAccountNameCache.value[account.id] = account.name
+  }
+  const key = `${platform}-${ruleIndex}`
+  ruleAccountSearchKeyword.value[key] = ''
+  showRuleAccountDropdown.value[key] = false
+}
+
+function removeRuleAccount(rule: { account_ids: number[] }, accountId: number) {
+  const idx = rule.account_ids.indexOf(accountId)
+  if (idx !== -1) rule.account_ids.splice(idx, 1)
+}
+
+function getRuleAccountLabel(accountId: number): string {
+  const name = ruleAccountNameCache.value[accountId]
+  return name ? `${name} #${accountId}` : `#${accountId}`
+}
+
+function handleRuleAccountClickOutside(event: MouseEvent) {
+  const target = event.target as HTMLElement
+  if (!target.closest('.rule-account-search-container')) {
+    Object.keys(showRuleAccountDropdown.value).forEach(key => {
+      showRuleAccountDropdown.value[key] = false
+    })
+  }
+}
+
+function clearAllRuleAccountSearchState() {
+  ruleAccountSearchKeyword.value = {}
+  ruleAccountSearchResults.value = {}
+  showRuleAccountDropdown.value = {}
 }
 
 function accountStatsRulesToAPI(): AccountStatsPricingRule[] {
@@ -1093,6 +1203,9 @@ function resetForm() {
   form.apply_pricing_to_account_stats = false
   form.account_stats_pricing_rules = []
   activeTab.value = 'basic'
+  ruleAccountSearchRunner.clearAll()
+  clearAllRuleAccountSearchState()
+  ruleAccountNameCache.value = {}
 }
 
 async function openCreateDialog() {
@@ -1313,11 +1426,15 @@ onMounted(() => {
   loadChannels()
   loadGroups()
   loadWebSearchGlobalState()
+  document.addEventListener('click', handleRuleAccountClickOutside)
 })
 
 onUnmounted(() => {
   clearTimeout(searchTimeout)
   abortController?.abort()
+  document.removeEventListener('click', handleRuleAccountClickOutside)
+  ruleAccountSearchRunner.clearAll()
+  clearAllRuleAccountSearchState()
 })
 </script>
 
diff --git a/frontend/src/views/user/UsageView.vue b/frontend/src/views/user/UsageView.vue
index 6cb367ed..2ec0fea5 100644
--- a/frontend/src/views/user/UsageView.vue
+++ b/frontend/src/views/user/UsageView.vue
@@ -447,13 +447,21 @@
               <span class="text-gray-400">{{ t('admin.usage.outputCost') }}</span>
               <span class="font-medium text-white">${{ tooltipData.output_cost.toFixed(6) }}</span>
             </div>
-            <div v-if="tooltipData && tooltipData.input_tokens > 0" class="flex items-center justify-between gap-4">
-              <span class="text-gray-400">{{ t('usage.inputTokenPrice') }}</span>
-              <span class="font-medium text-sky-300">{{ formatTokenPricePerMillion(tooltipData.input_cost, tooltipData.input_tokens) }} {{ t('usage.perMillionTokens') }}</span>
-            </div>
-            <div v-if="tooltipData && tooltipData.output_tokens > 0" class="flex items-center justify-between gap-4">
-              <span class="text-gray-400">{{ t('usage.outputTokenPrice') }}</span>
-              <span class="font-medium text-violet-300">{{ formatTokenPricePerMillion(tooltipData.output_cost, tooltipData.output_tokens) }} {{ t('usage.perMillionTokens') }}</span>
+            <!-- Token billing: show unit prices per 1M tokens -->
+            <template v-if="!tooltipData?.billing_mode || tooltipData.billing_mode === 'token'">
+              <div v-if="tooltipData && tooltipData.input_tokens > 0" class="flex items-center justify-between gap-4">
+                <span class="text-gray-400">{{ t('usage.inputTokenPrice') }}</span>
+                <span class="font-medium text-sky-300">{{ formatTokenPricePerMillion(tooltipData.input_cost, tooltipData.input_tokens) }} {{ t('usage.perMillionTokens') }}</span>
+              </div>
+              <div v-if="tooltipData && tooltipData.output_tokens > 0" class="flex items-center justify-between gap-4">
+                <span class="text-gray-400">{{ t('usage.outputTokenPrice') }}</span>
+                <span class="font-medium text-violet-300">{{ formatTokenPricePerMillion(tooltipData.output_cost, tooltipData.output_tokens) }} {{ t('usage.perMillionTokens') }}</span>
+              </div>
+            </template>
+            <!-- Per-request / image billing: show unit price -->
+            <div v-else class="flex items-center justify-between gap-4">
+              <span class="text-gray-400">{{ tooltipData.billing_mode === 'image' ? t('usage.imageUnitPrice') : t('usage.unitPrice') }}</span>
+              <span class="font-medium text-sky-300">${{ tooltipData.total_cost?.toFixed(6) || '0.000000' }}</span>
             </div>
             <div v-if="tooltipData && tooltipData.cache_creation_cost > 0" class="flex items-center justify-between gap-4">
               <span class="text-gray-400">{{ t('admin.usage.cacheCreationCost') }}</span>

From a68df457d80dd67b173df2a74fd69de1206c0f2e Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Mon, 13 Apr 2026 12:07:09 +0800
Subject: [PATCH 053/122] fix: address audit findings across websearch, notify,
 and channel pricing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Backend fixes:
- Fix balance notify ignoring percentage threshold type (was treating
  percentage value as fixed USD amount)
- Remove dead code parseJSONStringArray
- Add ImageOutputTokens to tryModelFilePricing calculation
- Unify zero-value check: cost == 0 → cost <= 0 in calculateTokenStatsCost
- Use MarshalNotifyEmails instead of json.Marshal for consistency
- Rename quotaDim.oldUsed → currentUsed for clarity
- Extract HTML email templates to const variables (function ≤30 lines)

Test fixes:
- Rewrite account_websearch_test.go for GetWebSearchEmulationMode tri-state
- Add 6 tryModelFilePricing test cases

Frontend fixes:
- Replace hardcoded '未命名' with i18n key
- Extract getBillingModeLabel/getBillingModeBadgeClass to shared utils
- Replace inline type with imported NotifyEmailEntry
- Pass platform to AccountStats pricing rules via inferRulePlatform()
- Add billing mode constants (BILLING_MODE_TOKEN/PER_REQUEST/IMAGE)
---
 .../internal/service/account_stats_pricing.go |  5 +-
 .../service/account_stats_pricing_test.go     | 99 +++++++++++++++++++
 .../service/account_websearch_test.go         | 96 ++++++++++++------
 .../service/balance_notify_service.go         | 79 ++++++++-------
 backend/internal/service/setting_service.go   |  6 +-
 .../src/components/admin/usage/UsageTable.vue | 14 +--
 frontend/src/i18n/locales/en.ts               |  3 +-
 frontend/src/i18n/locales/zh.ts               |  3 +-
 frontend/src/utils/billingMode.ts             | 19 ++++
 frontend/src/views/admin/ChannelsView.vue     | 52 ++++++----
 frontend/src/views/admin/SettingsView.vue     |  4 +-
 frontend/src/views/user/UsageView.vue         | 16 +--
 12 files changed, 275 insertions(+), 121 deletions(-)
 create mode 100644 frontend/src/utils/billingMode.ts

diff --git a/backend/internal/service/account_stats_pricing.go b/backend/internal/service/account_stats_pricing.go
index e88f7f8c..cbe9c76c 100644
--- a/backend/internal/service/account_stats_pricing.go
+++ b/backend/internal/service/account_stats_pricing.go
@@ -57,7 +57,8 @@ func tryModelFilePricing(billingService *BillingService, model string, tokens Us
 	cost := float64(tokens.InputTokens)*pricing.InputPricePerToken +
 		float64(tokens.OutputTokens)*pricing.OutputPricePerToken +
 		float64(tokens.CacheCreationTokens)*pricing.CacheCreationPricePerToken +
-		float64(tokens.CacheReadTokens)*pricing.CacheReadPricePerToken
+		float64(tokens.CacheReadTokens)*pricing.CacheReadPricePerToken +
+		float64(tokens.ImageOutputTokens)*pricing.ImageOutputPricePerToken
 	if cost <= 0 {
 		return nil
 	}
@@ -194,7 +195,7 @@ func calculateTokenStatsCost(pricing *ChannelModelPricing, tokens UsageTokens) *
 		float64(tokens.CacheCreationTokens)*deref(pricing.CacheWritePrice) +
 		float64(tokens.CacheReadTokens)*deref(pricing.CacheReadPrice) +
 		float64(tokens.ImageOutputTokens)*deref(pricing.ImageOutputPrice)
-	if cost == 0 {
+	if cost <= 0 {
 		return nil
 	}
 	return &cost
diff --git a/backend/internal/service/account_stats_pricing_test.go b/backend/internal/service/account_stats_pricing_test.go
index bc3db251..bf9da978 100644
--- a/backend/internal/service/account_stats_pricing_test.go
+++ b/backend/internal/service/account_stats_pricing_test.go
@@ -428,3 +428,102 @@ func TestTryCustomRules_RuleMatchesButModelNot_ContinuesToNext(t *testing.T) {
 	require.NotNil(t, result)
 	require.InDelta(t, 5.0, *result, 1e-12) // 使用规则2
 }
+
+// ---------------------------------------------------------------------------
+// tryModelFilePricing
+// ---------------------------------------------------------------------------
+
+// newTestBillingServiceWithPrices creates a BillingService with pre-populated
+// fallback prices for testing. No config or pricing service is needed.
+// The key must match what getFallbackPricing resolves to for a given model name.
+// E.g., model "claude-sonnet-4" resolves to key "claude-sonnet-4".
+func newTestBillingServiceWithPrices(prices map[string]*ModelPricing) *BillingService {
+	return &BillingService{
+		fallbackPrices: prices,
+	}
+}
+
+func TestTryModelFilePricing_Success(t *testing.T) {
+	bs := newTestBillingServiceWithPrices(map[string]*ModelPricing{
+		"claude-sonnet-4": {
+			InputPricePerToken:  0.001,
+			OutputPricePerToken: 0.002,
+		},
+	})
+	tokens := UsageTokens{InputTokens: 100, OutputTokens: 50}
+	result := tryModelFilePricing(bs, "claude-sonnet-4", tokens)
+	require.NotNil(t, result)
+	// 100*0.001 + 50*0.002 = 0.1 + 0.1 = 0.2
+	require.InDelta(t, 0.2, *result, 1e-12)
+}
+
+func TestTryModelFilePricing_PricingNotFound(t *testing.T) {
+	// "nonexistent-model" does not match any fallback pattern
+	bs := newTestBillingServiceWithPrices(map[string]*ModelPricing{})
+	tokens := UsageTokens{InputTokens: 100, OutputTokens: 50}
+	result := tryModelFilePricing(bs, "nonexistent-model", tokens)
+	require.Nil(t, result)
+}
+
+func TestTryModelFilePricing_NilFallback(t *testing.T) {
+	// getFallbackPricing returns nil when key maps to nil
+	bs := newTestBillingServiceWithPrices(map[string]*ModelPricing{
+		"claude-sonnet-4": nil,
+	})
+	tokens := UsageTokens{InputTokens: 100}
+	result := tryModelFilePricing(bs, "claude-sonnet-4", tokens)
+	require.Nil(t, result)
+}
+
+func TestTryModelFilePricing_ZeroCost(t *testing.T) {
+	bs := newTestBillingServiceWithPrices(map[string]*ModelPricing{
+		"claude-sonnet-4": {
+			InputPricePerToken:  0.001,
+			OutputPricePerToken: 0.002,
+		},
+	})
+	tokens := UsageTokens{} // all zero tokens → cost = 0 → nil
+	result := tryModelFilePricing(bs, "claude-sonnet-4", tokens)
+	require.Nil(t, result)
+}
+
+func TestTryModelFilePricing_WithImageOutput(t *testing.T) {
+	bs := newTestBillingServiceWithPrices(map[string]*ModelPricing{
+		"claude-sonnet-4": {
+			InputPricePerToken:       0.001,
+			OutputPricePerToken:      0.002,
+			ImageOutputPricePerToken: 0.01,
+		},
+	})
+	tokens := UsageTokens{
+		InputTokens:       100,
+		OutputTokens:      50,
+		ImageOutputTokens: 10,
+	}
+	result := tryModelFilePricing(bs, "claude-sonnet-4", tokens)
+	require.NotNil(t, result)
+	// 100*0.001 + 50*0.002 + 10*0.01 = 0.1 + 0.1 + 0.1 = 0.3
+	require.InDelta(t, 0.3, *result, 1e-12)
+}
+
+func TestTryModelFilePricing_WithCacheTokens(t *testing.T) {
+	bs := newTestBillingServiceWithPrices(map[string]*ModelPricing{
+		"claude-sonnet-4": {
+			InputPricePerToken:         0.001,
+			OutputPricePerToken:        0.002,
+			CacheCreationPricePerToken: 0.003,
+			CacheReadPricePerToken:     0.0005,
+		},
+	})
+	tokens := UsageTokens{
+		InputTokens:         100,
+		OutputTokens:        50,
+		CacheCreationTokens: 200,
+		CacheReadTokens:     300,
+	}
+	result := tryModelFilePricing(bs, "claude-sonnet-4", tokens)
+	require.NotNil(t, result)
+	// 100*0.001 + 50*0.002 + 200*0.003 + 300*0.0005
+	// = 0.1 + 0.1 + 0.6 + 0.15 = 0.95
+	require.InDelta(t, 0.95, *result, 1e-12)
+}
diff --git a/backend/internal/service/account_websearch_test.go b/backend/internal/service/account_websearch_test.go
index fe742ebf..b4d23c6b 100644
--- a/backend/internal/service/account_websearch_test.go
+++ b/backend/internal/service/account_websearch_test.go
@@ -1,3 +1,5 @@
+//go:build unit
+
 package service
 
 import (
@@ -6,66 +8,98 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-func TestAccount_IsWebSearchEmulationEnabled_Enabled(t *testing.T) {
+func TestGetWebSearchEmulationMode_Enabled(t *testing.T) {
+	a := &Account{
+		Platform: PlatformAnthropic,
+		Type:     AccountTypeAPIKey,
+		Extra:    map[string]any{featureKeyWebSearchEmulation: "enabled"},
+	}
+	require.Equal(t, WebSearchModeEnabled, a.GetWebSearchEmulationMode())
+}
+
+func TestGetWebSearchEmulationMode_Disabled(t *testing.T) {
+	a := &Account{
+		Platform: PlatformAnthropic,
+		Type:     AccountTypeAPIKey,
+		Extra:    map[string]any{featureKeyWebSearchEmulation: "disabled"},
+	}
+	require.Equal(t, WebSearchModeDisabled, a.GetWebSearchEmulationMode())
+}
+
+func TestGetWebSearchEmulationMode_Default(t *testing.T) {
+	a := &Account{
+		Platform: PlatformAnthropic,
+		Type:     AccountTypeAPIKey,
+		Extra:    map[string]any{featureKeyWebSearchEmulation: "default"},
+	}
+	require.Equal(t, WebSearchModeDefault, a.GetWebSearchEmulationMode())
+}
+
+func TestGetWebSearchEmulationMode_UnknownString(t *testing.T) {
+	a := &Account{
+		Platform: PlatformAnthropic,
+		Type:     AccountTypeAPIKey,
+		Extra:    map[string]any{featureKeyWebSearchEmulation: "unknown"},
+	}
+	require.Equal(t, WebSearchModeDefault, a.GetWebSearchEmulationMode())
+}
+
+func TestGetWebSearchEmulationMode_OldBoolTrue(t *testing.T) {
 	a := &Account{
 		Platform: PlatformAnthropic,
 		Type:     AccountTypeAPIKey,
 		Extra:    map[string]any{featureKeyWebSearchEmulation: true},
 	}
-	require.True(t, a.IsWebSearchEmulationEnabled())
+	// bool is not a string, type assertion fails → default
+	require.Equal(t, WebSearchModeDefault, a.GetWebSearchEmulationMode())
 }
 
-func TestAccount_IsWebSearchEmulationEnabled_Disabled(t *testing.T) {
+func TestGetWebSearchEmulationMode_OldBoolFalse(t *testing.T) {
 	a := &Account{
 		Platform: PlatformAnthropic,
 		Type:     AccountTypeAPIKey,
 		Extra:    map[string]any{featureKeyWebSearchEmulation: false},
 	}
-	require.False(t, a.IsWebSearchEmulationEnabled())
+	require.Equal(t, WebSearchModeDefault, a.GetWebSearchEmulationMode())
 }
 
-func TestAccount_IsWebSearchEmulationEnabled_MissingField(t *testing.T) {
+func TestGetWebSearchEmulationMode_NilAccount(t *testing.T) {
+	var a *Account
+	require.Equal(t, WebSearchModeDefault, a.GetWebSearchEmulationMode())
+}
+
+func TestGetWebSearchEmulationMode_NilExtra(t *testing.T) {
+	a := &Account{
+		Platform: PlatformAnthropic,
+		Type:     AccountTypeAPIKey,
+		Extra:    nil,
+	}
+	require.Equal(t, WebSearchModeDefault, a.GetWebSearchEmulationMode())
+}
+
+func TestGetWebSearchEmulationMode_MissingField(t *testing.T) {
 	a := &Account{
 		Platform: PlatformAnthropic,
 		Type:     AccountTypeAPIKey,
 		Extra:    map[string]any{},
 	}
-	require.False(t, a.IsWebSearchEmulationEnabled())
+	require.Equal(t, WebSearchModeDefault, a.GetWebSearchEmulationMode())
 }
 
-func TestAccount_IsWebSearchEmulationEnabled_WrongType(t *testing.T) {
-	a := &Account{
-		Platform: PlatformAnthropic,
-		Type:     AccountTypeAPIKey,
-		Extra:    map[string]any{featureKeyWebSearchEmulation: "true"},
-	}
-	require.False(t, a.IsWebSearchEmulationEnabled())
-}
-
-func TestAccount_IsWebSearchEmulationEnabled_NilExtra(t *testing.T) {
-	a := &Account{Platform: PlatformAnthropic, Type: AccountTypeAPIKey, Extra: nil}
-	require.False(t, a.IsWebSearchEmulationEnabled())
-}
-
-func TestAccount_IsWebSearchEmulationEnabled_NilAccount(t *testing.T) {
-	var a *Account
-	require.False(t, a.IsWebSearchEmulationEnabled())
-}
-
-func TestAccount_IsWebSearchEmulationEnabled_NonAnthropicPlatform(t *testing.T) {
+func TestGetWebSearchEmulationMode_NonAnthropicPlatform(t *testing.T) {
 	a := &Account{
 		Platform: PlatformOpenAI,
 		Type:     AccountTypeAPIKey,
-		Extra:    map[string]any{featureKeyWebSearchEmulation: true},
+		Extra:    map[string]any{featureKeyWebSearchEmulation: "enabled"},
 	}
-	require.False(t, a.IsWebSearchEmulationEnabled())
+	require.Equal(t, WebSearchModeDefault, a.GetWebSearchEmulationMode())
 }
 
-func TestAccount_IsWebSearchEmulationEnabled_NonAPIKeyType(t *testing.T) {
+func TestGetWebSearchEmulationMode_NonAPIKeyType(t *testing.T) {
 	a := &Account{
 		Platform: PlatformAnthropic,
 		Type:     AccountTypeOAuth,
-		Extra:    map[string]any{featureKeyWebSearchEmulation: true},
+		Extra:    map[string]any{featureKeyWebSearchEmulation: "enabled"},
 	}
-	require.False(t, a.IsWebSearchEmulationEnabled())
+	require.Equal(t, WebSearchModeDefault, a.GetWebSearchEmulationMode())
 }
diff --git a/backend/internal/service/balance_notify_service.go b/backend/internal/service/balance_notify_service.go
index 23411ed5..1e4d8ff6 100644
--- a/backend/internal/service/balance_notify_service.go
+++ b/backend/internal/service/balance_notify_service.go
@@ -2,7 +2,6 @@ package service
 
 import (
 	"context"
-	"encoding/json"
 	"fmt"
 	"html"
 	"log/slog"
@@ -14,6 +13,10 @@ import (
 const (
 	emailSendTimeout = 30 * time.Second
 
+	// Threshold type values
+	thresholdTypeFixed      = "fixed"
+	thresholdTypePercentage = "percentage"
+
 	// Quota dimension labels
 	quotaDimDaily  = "daily"
 	quotaDimWeekly = "weekly"
@@ -48,6 +51,15 @@ func NewBalanceNotifyService(emailService *EmailService, settingRepo SettingRepo
 	}
 }
 
+// resolveBalanceThreshold returns the effective balance threshold.
+// For percentage type, it computes threshold = totalRecharged * percentage / 100.
+func resolveBalanceThreshold(threshold float64, thresholdType string, totalRecharged float64) float64 {
+	if thresholdType == thresholdTypePercentage && totalRecharged > 0 {
+		return totalRecharged * threshold / 100
+	}
+	return threshold
+}
+
 // CheckBalanceAfterDeduction checks if balance crossed below threshold after deduction.
 // oldBalance is the balance before deduction, cost is the amount deducted.
 // Notification is sent only on first crossing: oldBalance >= threshold && newBalance < threshold.
@@ -73,8 +85,13 @@ func (s *BalanceNotifyService) CheckBalanceAfterDeduction(ctx context.Context, u
 		return
 	}
 
+	effectiveThreshold := resolveBalanceThreshold(threshold, user.BalanceNotifyThresholdType, user.TotalRecharged)
+	if effectiveThreshold <= 0 {
+		return
+	}
+
 	newBalance := oldBalance - cost
-	if oldBalance >= threshold && newBalance < threshold {
+	if oldBalance >= effectiveThreshold && newBalance < effectiveThreshold {
 		siteName := s.getSiteName(ctx)
 		recipients := s.collectBalanceNotifyRecipients(user)
 		go func() {
@@ -83,7 +100,7 @@ func (s *BalanceNotifyService) CheckBalanceAfterDeduction(ctx context.Context, u
 					slog.Error("panic in balance notification", "recover", r)
 				}
 			}()
-			s.sendBalanceLowEmails(recipients, user.Username, user.Email, newBalance, threshold, siteName)
+			s.sendBalanceLowEmails(recipients, user.Username, user.Email, newBalance, effectiveThreshold, siteName)
 		}()
 	}
 }
@@ -94,14 +111,14 @@ type quotaDim struct {
 	enabled       bool
 	threshold     float64
 	thresholdType string // "fixed" (default) or "percentage"
-	oldUsed       float64
+	currentUsed   float64
 	limit         float64
 }
 
 // resolvedThreshold returns the effective threshold value.
 // For percentage type, it computes threshold = limit * percentage / 100.
 func (d quotaDim) resolvedThreshold() float64 {
-	if d.thresholdType == "percentage" && d.limit > 0 {
+	if d.thresholdType == thresholdTypePercentage && d.limit > 0 {
 		return d.limit * d.threshold / 100
 	}
 	return d.threshold
@@ -150,7 +167,7 @@ func (s *BalanceNotifyService) fetchFreshAccount(ctx context.Context, snapshot *
 }
 
 // checkQuotaDimCrossings iterates quota dimensions and sends alerts for threshold crossings.
-// freshAccount has post-increment values; oldUsed is reconstructed as freshUsed - cost.
+// freshAccount has post-increment values; pre-increment is reconstructed as currentUsed - cost.
 func (s *BalanceNotifyService) checkQuotaDimCrossings(freshAccount *Account, cost float64, adminEmails []string, siteName string) {
 	for _, dim := range buildQuotaDims(freshAccount) {
 		if !dim.enabled || dim.threshold <= 0 {
@@ -160,10 +177,10 @@ func (s *BalanceNotifyService) checkQuotaDimCrossings(freshAccount *Account, cos
 		if effectiveThreshold <= 0 {
 			continue
 		}
-		// dim.oldUsed is actually the post-increment value from fresh DB data;
+		// currentUsed is the post-increment value from fresh DB data;
 		// reconstruct pre-increment value to detect threshold crossing.
-		newUsed := dim.oldUsed
-		oldUsed := dim.oldUsed - cost
+		newUsed := dim.currentUsed
+		oldUsed := dim.currentUsed - cost
 		if oldUsed < effectiveThreshold && newUsed >= effectiveThreshold {
 			s.asyncSendQuotaAlert(adminEmails, freshAccount.Name, dim, newUsed, effectiveThreshold, siteName)
 		}
@@ -309,10 +326,9 @@ func (s *BalanceNotifyService) sendQuotaAlertEmails(adminEmails []string, accoun
 	s.sendEmails(adminEmails, subject, body, "account", accountName, "dimension", dimension)
 }
 
-// buildBalanceLowEmailBody builds HTML email for balance low notification.
-// Lines exceed 30 due to inline HTML template (not splittable).
-func (s *BalanceNotifyService) buildBalanceLowEmailBody(userName string, balance, threshold float64, siteName string) string {
-	return fmt.Sprintf(`<!DOCTYPE html>
+// balanceLowEmailTemplate is the HTML template for balance low notifications.
+// Format args: siteName, userName, userName, balance, threshold, threshold.
+const balanceLowEmailTemplate = `<!DOCTYPE html>
 <html>
 <head>
     <meta charset="UTF-8">
@@ -344,17 +360,11 @@ func (s *BalanceNotifyService) buildBalanceLowEmailBody(userName string, balance
         <div class="footer"><p>此邮件由系统自动发送，请勿回复。</p></div>
     </div>
 </body>
-</html>`, siteName, userName, userName, balance, threshold, threshold)
-}
+</html>`
 
-// buildQuotaAlertEmailBody builds HTML email for account quota alert.
-// Lines exceed 30 due to inline HTML template (not splittable).
-func (s *BalanceNotifyService) buildQuotaAlertEmailBody(accountName, dimLabel string, used, limit, threshold float64, siteName string) string {
-	limitStr := fmt.Sprintf("$%.2f", limit)
-	if limit <= 0 {
-		limitStr = "无限制 / Unlimited"
-	}
-	return fmt.Sprintf(`<!DOCTYPE html>
+// quotaAlertEmailTemplate is the HTML template for account quota alert notifications.
+// Format args: siteName, accountName, dimLabel, used, limitStr, threshold.
+const quotaAlertEmailTemplate = `<!DOCTYPE html>
 <html>
 <head>
     <meta charset="UTF-8">
@@ -389,18 +399,19 @@ func (s *BalanceNotifyService) buildQuotaAlertEmailBody(accountName, dimLabel st
         <div class="footer"><p>此邮件由系统自动发送，请勿回复。</p></div>
     </div>
 </body>
-</html>`, siteName, accountName, dimLabel, used, limitStr, threshold)
+</html>`
+
+// buildBalanceLowEmailBody builds HTML email for balance low notification.
+func (s *BalanceNotifyService) buildBalanceLowEmailBody(userName string, balance, threshold float64, siteName string) string {
+	return fmt.Sprintf(balanceLowEmailTemplate, siteName, userName, userName, balance, threshold, threshold)
 }
 
-// parseJSONStringArray parses a JSON string array, returns nil on error.
-func parseJSONStringArray(raw string) []string {
-	raw = strings.TrimSpace(raw)
-	if raw == "" || raw == "[]" {
-		return nil
+// buildQuotaAlertEmailBody builds HTML email for account quota alert.
+func (s *BalanceNotifyService) buildQuotaAlertEmailBody(accountName, dimLabel string, used, limit, threshold float64, siteName string) string {
+	limitStr := fmt.Sprintf("$%.2f", limit)
+	if limit <= 0 {
+		limitStr = "无限制 / Unlimited"
 	}
-	var result []string
-	if err := json.Unmarshal([]byte(raw), &result); err != nil {
-		return nil
-	}
-	return result
+	return fmt.Sprintf(quotaAlertEmailTemplate, siteName, accountName, dimLabel, used, limitStr, threshold)
 }
+
diff --git a/backend/internal/service/setting_service.go b/backend/internal/service/setting_service.go
index 0267040d..28eb3a70 100644
--- a/backend/internal/service/setting_service.go
+++ b/backend/internal/service/setting_service.go
@@ -627,11 +627,7 @@ func (s *SettingService) UpdateSettings(ctx context.Context, settings *SystemSet
 	updates[SettingKeyBalanceLowNotifyEnabled] = strconv.FormatBool(settings.BalanceLowNotifyEnabled)
 	updates[SettingKeyBalanceLowNotifyThreshold] = strconv.FormatFloat(settings.BalanceLowNotifyThreshold, 'f', 8, 64)
 	updates[SettingKeyAccountQuotaNotifyEnabled] = strconv.FormatBool(settings.AccountQuotaNotifyEnabled)
-	accountQuotaNotifyEmailsJSON, err := json.Marshal(settings.AccountQuotaNotifyEmails)
-	if err != nil {
-		return fmt.Errorf("marshal account quota notify emails: %w", err)
-	}
-	updates[SettingKeyAccountQuotaNotifyEmails] = string(accountQuotaNotifyEmailsJSON)
+	updates[SettingKeyAccountQuotaNotifyEmails] = MarshalNotifyEmails(settings.AccountQuotaNotifyEmails)
 
 	err = s.settingRepo.SetMultiple(ctx, updates)
 	if err == nil {
diff --git a/frontend/src/components/admin/usage/UsageTable.vue b/frontend/src/components/admin/usage/UsageTable.vue
index 92c8dd34..c405e66b 100644
--- a/frontend/src/components/admin/usage/UsageTable.vue
+++ b/frontend/src/components/admin/usage/UsageTable.vue
@@ -87,7 +87,7 @@
 
         <template #cell-billing_mode="{ row }">
           <span class="inline-flex items-center rounded px-2 py-0.5 text-xs font-medium" :class="getBillingModeBadgeClass(row.billing_mode)">
-            {{ getBillingModeLabel(row.billing_mode) }}
+            {{ getBillingModeLabel(row.billing_mode, t) }}
           </span>
         </template>
 
@@ -346,6 +346,7 @@ import { formatCacheTokens, formatMultiplier } from '@/utils/formatters'
 import { formatTokenPricePerMillion } from '@/utils/usagePricing'
 import { getUsageServiceTierLabel } from '@/utils/usageServiceTier'
 import { resolveUsageRequestType } from '@/utils/usageRequestType'
+import { getBillingModeLabel, getBillingModeBadgeClass } from '@/utils/billingMode'
 import DataTable from '@/components/common/DataTable.vue'
 import EmptyState from '@/components/common/EmptyState.vue'
 import Icon from '@/components/icons/Icon.vue'
@@ -399,17 +400,6 @@ const getRequestTypeBadgeClass = (row: AdminUsageLog): string => {
   return 'bg-amber-100 text-amber-800 dark:bg-amber-900 dark:text-amber-200'
 }
 
-const getBillingModeLabel = (mode: string | null | undefined): string => {
-  if (mode === 'per_request') return t('admin.usage.billingModePerRequest')
-  if (mode === 'image') return t('admin.usage.billingModeImage')
-  return t('admin.usage.billingModeToken')
-}
-
-const getBillingModeBadgeClass = (mode: string | null | undefined): string => {
-  if (mode === 'per_request') return 'bg-blue-100 text-blue-800 dark:bg-blue-900 dark:text-blue-200'
-  if (mode === 'image') return 'bg-green-100 text-green-800 dark:bg-green-900 dark:text-green-200'
-  return 'bg-gray-100 text-gray-800 dark:bg-gray-700 dark:text-gray-200'
-}
 
 
 const formatUserAgent = (ua: string): string => {
diff --git a/frontend/src/i18n/locales/en.ts b/frontend/src/i18n/locales/en.ts
index 056bdde0..1f9ba3e1 100644
--- a/frontend/src/i18n/locales/en.ts
+++ b/frontend/src/i18n/locales/en.ts
@@ -1889,7 +1889,8 @@ export default {
         searchAccountPlaceholder: 'Search accounts...',
         ruleAccountsHint: 'Leave empty to match all accounts',
         ruleModelPricing: 'Model Pricing',
-        noGroupsInChannel: 'No groups selected in platform tabs above'
+        noGroupsInChannel: 'No groups selected in platform tabs above',
+        unnamed: 'Unnamed'
       }
     },
 
diff --git a/frontend/src/i18n/locales/zh.ts b/frontend/src/i18n/locales/zh.ts
index 47a1f8d4..fa5d970c 100644
--- a/frontend/src/i18n/locales/zh.ts
+++ b/frontend/src/i18n/locales/zh.ts
@@ -1968,7 +1968,8 @@ export default {
         searchAccountPlaceholder: '搜索账号...',
         ruleAccountsHint: '留空表示匹配所有账号',
         ruleModelPricing: '模型定价',
-        noGroupsInChannel: '上方平台标签页中未选择分组'
+        noGroupsInChannel: '上方平台标签页中未选择分组',
+        unnamed: '未命名'
       }
     },
 
diff --git a/frontend/src/utils/billingMode.ts b/frontend/src/utils/billingMode.ts
new file mode 100644
index 00000000..152dadc4
--- /dev/null
+++ b/frontend/src/utils/billingMode.ts
@@ -0,0 +1,19 @@
+export const BILLING_MODE_TOKEN = 'token'
+export const BILLING_MODE_PER_REQUEST = 'per_request'
+export const BILLING_MODE_IMAGE = 'image'
+
+export function getBillingModeLabel(mode: string | null | undefined, t: (key: string) => string): string {
+  switch (mode) {
+    case BILLING_MODE_PER_REQUEST: return t('admin.usage.billingModePerRequest')
+    case BILLING_MODE_IMAGE: return t('admin.usage.billingModeImage')
+    default: return t('admin.usage.billingModeToken')
+  }
+}
+
+export function getBillingModeBadgeClass(mode: string | null | undefined): string {
+  switch (mode) {
+    case BILLING_MODE_PER_REQUEST: return 'bg-purple-100 text-purple-700 dark:bg-purple-900/30 dark:text-purple-300'
+    case BILLING_MODE_IMAGE: return 'bg-pink-100 text-pink-700 dark:bg-pink-900/30 dark:text-pink-300'
+    default: return 'bg-blue-100 text-blue-700 dark:bg-blue-900/30 dark:text-blue-300'
+  }
+}
diff --git a/frontend/src/views/admin/ChannelsView.vue b/frontend/src/views/admin/ChannelsView.vue
index 5be45cb5..b714ca30 100644
--- a/frontend/src/views/admin/ChannelsView.vue
+++ b/frontend/src/views/admin/ChannelsView.vue
@@ -980,26 +980,38 @@ function clearAllRuleAccountSearchState() {
   showRuleAccountDropdown.value = {}
 }
 
+function inferRulePlatform(groupIds: number[]): string {
+  const platforms = new Set<string>()
+  for (const gid of groupIds) {
+    const group = allGroups.value.find(g => g.id === gid)
+    if (group) platforms.add(group.platform)
+  }
+  return platforms.size === 1 ? [...platforms][0] : ''
+}
+
 function accountStatsRulesToAPI(): AccountStatsPricingRule[] {
-  return form.account_stats_pricing_rules.map(rule => ({
-    name: rule.name,
-    group_ids: rule.group_ids,
-    account_ids: rule.account_ids,
-    pricing: rule.pricing
-      .filter(p => p.models.length > 0)
-      .map(p => ({
-        platform: '',
-        models: p.models,
-        billing_mode: p.billing_mode,
-        input_price: mTokToPerToken(p.input_price),
-        output_price: mTokToPerToken(p.output_price),
-        cache_write_price: mTokToPerToken(p.cache_write_price),
-        cache_read_price: mTokToPerToken(p.cache_read_price),
-        image_output_price: mTokToPerToken(p.image_output_price),
-        per_request_price: p.per_request_price != null && p.per_request_price !== '' ? Number(p.per_request_price) : null,
-        intervals: formIntervalsToAPI(p.intervals || [])
-      }))
-  }))
+  return form.account_stats_pricing_rules.map(rule => {
+    const platform = inferRulePlatform(rule.group_ids)
+    return {
+      name: rule.name,
+      group_ids: rule.group_ids,
+      account_ids: rule.account_ids,
+      pricing: rule.pricing
+        .filter(p => p.models.length > 0)
+        .map(p => ({
+          platform,
+          models: p.models,
+          billing_mode: p.billing_mode,
+          input_price: mTokToPerToken(p.input_price),
+          output_price: mTokToPerToken(p.output_price),
+          cache_write_price: mTokToPerToken(p.cache_write_price),
+          cache_read_price: mTokToPerToken(p.cache_read_price),
+          image_output_price: mTokToPerToken(p.image_output_price),
+          per_request_price: p.per_request_price != null && p.per_request_price !== '' ? Number(p.per_request_price) : null,
+          intervals: formIntervalsToAPI(p.intervals || [])
+        }))
+    }
+  })
 }
 
 // ── Form ↔ API conversion ──
@@ -1329,7 +1341,7 @@ async function handleSubmit() {
       const intervalErr = validateIntervals(entry.intervals)
       if (intervalErr) {
         const platformLabel = t('admin.groups.platforms.' + section.platform, section.platform)
-        const modelLabel = entry.models.join(', ') || '未命名'
+        const modelLabel = entry.models.join(', ') || t('admin.channels.form.unnamed')
         appStore.showError(`${platformLabel} - ${modelLabel}: ${intervalErr}`)
         activeTab.value = section.platform
         return
diff --git a/frontend/src/views/admin/SettingsView.vue b/frontend/src/views/admin/SettingsView.vue
index c687f0db..d2e17440 100644
--- a/frontend/src/views/admin/SettingsView.vue
+++ b/frontend/src/views/admin/SettingsView.vue
@@ -2804,7 +2804,7 @@ import type {
   WebSearchProviderConfig,
   WebSearchTestResult,
 } from '@/api/admin/settings'
-import type { AdminGroup, Proxy } from '@/types'
+import type { AdminGroup, Proxy, NotifyEmailEntry } from '@/types'
 import type { ProviderInstance } from '@/types/payment'
 import AppLayout from '@/components/layout/AppLayout.vue'
 import Icon from '@/components/icons/Icon.vue'
@@ -3028,7 +3028,7 @@ const form = reactive<SettingsForm>({
   balance_low_notify_enabled: false,
   balance_low_notify_threshold: 0,
   account_quota_notify_enabled: false,
-  account_quota_notify_emails: [] as { email: string; disabled: boolean; verified: boolean }[]
+  account_quota_notify_emails: [] as NotifyEmailEntry[]
 })
 
 // Proxies for web search emulation ProxySelector
diff --git a/frontend/src/views/user/UsageView.vue b/frontend/src/views/user/UsageView.vue
index 2ec0fea5..08298d89 100644
--- a/frontend/src/views/user/UsageView.vue
+++ b/frontend/src/views/user/UsageView.vue
@@ -192,7 +192,7 @@
           <template #cell-billing_mode="{ row }">
             <span class="inline-flex items-center rounded px-1.5 py-0.5 text-xs font-medium"
                   :class="getBillingModeBadgeClass(row.billing_mode)">
-              {{ getBillingModeLabel(row.billing_mode) }}
+              {{ getBillingModeLabel(row.billing_mode, t) }}
             </span>
           </template>
 
@@ -524,6 +524,7 @@ import { formatCacheTokens, formatMultiplier } from '@/utils/formatters'
 import { formatTokenPricePerMillion } from '@/utils/usagePricing'
 import { getUsageServiceTierLabel } from '@/utils/usageServiceTier'
 import { resolveUsageRequestType } from '@/utils/usageRequestType'
+import { getBillingModeLabel, getBillingModeBadgeClass } from '@/utils/billingMode'
 
 const { t } = useI18n()
 const appStore = useAppStore()
@@ -644,17 +645,6 @@ const getRequestTypeBadgeClass = (log: UsageLog): string => {
   return 'bg-amber-100 text-amber-800 dark:bg-amber-900 dark:text-amber-200'
 }
 
-const getBillingModeLabel = (mode: string | null | undefined): string => {
-  if (mode === 'per_request') return t('admin.usage.billingModePerRequest')
-  if (mode === 'image') return t('admin.usage.billingModeImage')
-  return t('admin.usage.billingModeToken')
-}
-
-const getBillingModeBadgeClass = (mode: string | null | undefined): string => {
-  if (mode === 'per_request') return 'bg-blue-100 text-blue-800 dark:bg-blue-900/30 dark:text-blue-200'
-  if (mode === 'image') return 'bg-green-100 text-green-800 dark:bg-green-900/30 dark:text-green-200'
-  return 'bg-gray-100 text-gray-800 dark:bg-gray-700 dark:text-gray-300'
-}
 
 const getRequestTypeExportText = (log: UsageLog): string => {
   const requestType = resolveUsageRequestType(log)
@@ -866,7 +856,7 @@ const exportToCSV = async () => {
         formatReasoningEffort(log.reasoning_effort),
         log.inbound_endpoint || '',
         getRequestTypeExportText(log),
-        getBillingModeLabel(log.billing_mode),
+        getBillingModeLabel(log.billing_mode, t),
         log.input_tokens,
         log.output_tokens,
         log.cache_read_tokens,

From b7fb2e43871887e37d3427376b832091b8cda8d2 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Mon, 13 Apr 2026 13:59:35 +0800
Subject: [PATCH 054/122] fix: audit fixes for websearch, notifications, and
 channel pricing

P0: fix wildcard matching test assertion (config order, not longest prefix)
P0: add TotalRecharged to auth cache snapshot (v5) for percentage threshold
P1: move pricing rules into per-platform sections in ChannelsView
P1: populate account name cache when editing existing channel rules
P1: sanitize email subject headers to prevent SMTP injection
P1: make Redis INCR+EXPIRE idempotent for rate limiting
P1: deep copy FeaturesConfig in Channel.Clone()
P2: clean up stale email="" placeholder comments
P2: replace log.Printf with slog in email_service.go
---
 backend/cmd/server/VERSION                    |   2 +-
 .../handler/dto/notify_email_entry.go         |   2 +-
 backend/internal/handler/user_handler.go      |   2 +-
 backend/internal/repository/email_cache.go    |  38 +++-
 .../service/account_stats_pricing_test.go     |   4 +-
 .../internal/service/api_key_auth_cache.go    |   1 +
 .../service/api_key_auth_cache_impl.go        |   4 +-
 .../service/balance_notify_service.go         |   9 +-
 backend/internal/service/channel.go           |  16 ++
 backend/internal/service/email_service.go     |  12 +-
 .../internal/service/notify_email_entry.go    |   2 +-
 backend/internal/service/user_service.go      | 103 ++++++---
 frontend/src/views/admin/ChannelsView.vue     | 196 ++++++++++++------
 13 files changed, 273 insertions(+), 118 deletions(-)

diff --git a/backend/cmd/server/VERSION b/backend/cmd/server/VERSION
index 061bed0b..b2581b19 100644
--- a/backend/cmd/server/VERSION
+++ b/backend/cmd/server/VERSION
@@ -1 +1 @@
-0.1.110.11
+0.1.110.20
diff --git a/backend/internal/handler/dto/notify_email_entry.go b/backend/internal/handler/dto/notify_email_entry.go
index 180f8b25..78641005 100644
--- a/backend/internal/handler/dto/notify_email_entry.go
+++ b/backend/internal/handler/dto/notify_email_entry.go
@@ -3,7 +3,7 @@ package dto
 import "github.com/Wei-Shaw/sub2api/internal/service"
 
 // NotifyEmailEntry represents a notification email with enable/disable and verification state.
-// Email="" is a placeholder for the "primary email" (user's registration email or first admin email).
+// All emails are user-managed; maximum 3 entries per user.
 type NotifyEmailEntry struct {
 	Email    string `json:"email"`
 	Disabled bool   `json:"disabled"`
diff --git a/backend/internal/handler/user_handler.go b/backend/internal/handler/user_handler.go
index 9e0a243a..2535ea5e 100644
--- a/backend/internal/handler/user_handler.go
+++ b/backend/internal/handler/user_handler.go
@@ -217,7 +217,7 @@ func (h *UserHandler) RemoveNotifyEmail(c *gin.Context) {
 
 // ToggleNotifyEmailRequest represents the request to toggle a notify email's disabled state
 type ToggleNotifyEmailRequest struct {
-	Email    string `json:"email"`    // empty string for primary email placeholder
+	Email    string `json:"email" binding:"required,email"`
 	Disabled bool   `json:"disabled"`
 }
 
diff --git a/backend/internal/repository/email_cache.go b/backend/internal/repository/email_cache.go
index 63552ab0..ed903e0d 100644
--- a/backend/internal/repository/email_cache.go
+++ b/backend/internal/repository/email_cache.go
@@ -3,6 +3,7 @@ package repository
 import (
 	"context"
 	"encoding/json"
+	"fmt"
 	"time"
 
 	"github.com/Wei-Shaw/sub2api/internal/service"
@@ -10,10 +11,11 @@ import (
 )
 
 const (
-	verifyCodeKeyPrefix          = "verify_code:"
-	notifyVerifyKeyPrefix        = "notify_verify:"
-	passwordResetKeyPrefix       = "password_reset:"
-	passwordResetSentAtKeyPrefix = "password_reset_sent:"
+	verifyCodeKeyPrefix            = "verify_code:"
+	notifyVerifyKeyPrefix          = "notify_verify:"
+	passwordResetKeyPrefix         = "password_reset:"
+	passwordResetSentAtKeyPrefix   = "password_reset_sent:"
+	notifyCodeUserRateKeyPrefix    = "notify_code_user_rate:"
 )
 
 // verifyCodeKey generates the Redis key for email verification code.
@@ -141,3 +143,31 @@ func (c *emailCache) DeleteNotifyVerifyCode(ctx context.Context, email string) e
 	key := notifyVerifyKey(email)
 	return c.rdb.Del(ctx, key).Err()
 }
+
+// User-level rate limiting for notify email verification codes
+
+func notifyCodeUserRateKey(userID int64) string {
+	return notifyCodeUserRateKeyPrefix + fmt.Sprintf("%d", userID)
+}
+
+func (c *emailCache) IncrNotifyCodeUserRate(ctx context.Context, userID int64, window time.Duration) (int64, error) {
+	key := notifyCodeUserRateKey(userID)
+	count, err := c.rdb.Incr(ctx, key).Result()
+	if err != nil {
+		return 0, err
+	}
+	// Always set TTL (idempotent) to avoid orphan keys if process crashes between INCR and EXPIRE.
+	if err := c.rdb.Expire(ctx, key, window).Err(); err != nil {
+		return count, fmt.Errorf("expire notify code rate key: %w", err)
+	}
+	return count, nil
+}
+
+func (c *emailCache) GetNotifyCodeUserRate(ctx context.Context, userID int64) (int64, error) {
+	key := notifyCodeUserRateKey(userID)
+	count, err := c.rdb.Get(ctx, key).Int64()
+	if err != nil {
+		return 0, err
+	}
+	return count, nil
+}
diff --git a/backend/internal/service/account_stats_pricing_test.go b/backend/internal/service/account_stats_pricing_test.go
index bf9da978..23409d5e 100644
--- a/backend/internal/service/account_stats_pricing_test.go
+++ b/backend/internal/service/account_stats_pricing_test.go
@@ -145,14 +145,14 @@ func TestFindPricingForModel(t *testing.T) {
 			wantNil: true,
 		},
 		{
-			name: "longer wildcard prefix wins over shorter",
+			name: "wildcard matches by config order (first match wins)",
 			list: []ChannelModelPricing{
 				{ID: 10, Models: []string{"claude-*"}},
 				{ID: 11, Models: []string{"claude-opus-*"}},
 			},
 			platform: "",
 			model:    "claude-opus-4",
-			wantID:   11, // "claude-opus-" (12 chars) > "claude-" (7 chars)
+			wantID:   10, // config order: "claude-*" is first and matches, so it wins
 		},
 		{
 			name: "shorter wildcard used when longer does not match",
diff --git a/backend/internal/service/api_key_auth_cache.go b/backend/internal/service/api_key_auth_cache.go
index 60cb6233..b1660ea7 100644
--- a/backend/internal/service/api_key_auth_cache.go
+++ b/backend/internal/service/api_key_auth_cache.go
@@ -42,6 +42,7 @@ type APIKeyAuthUserSnapshot struct {
 	BalanceNotifyThresholdType string             `json:"balance_notify_threshold_type"`
 	BalanceNotifyThreshold     *float64           `json:"balance_notify_threshold,omitempty"`
 	BalanceNotifyExtraEmails   []NotifyEmailEntry `json:"balance_notify_extra_emails,omitempty"`
+	TotalRecharged             float64            `json:"total_recharged"`
 }
 
 // APIKeyAuthGroupSnapshot 分组快照
diff --git a/backend/internal/service/api_key_auth_cache_impl.go b/backend/internal/service/api_key_auth_cache_impl.go
index 711090c2..25c6331a 100644
--- a/backend/internal/service/api_key_auth_cache_impl.go
+++ b/backend/internal/service/api_key_auth_cache_impl.go
@@ -13,7 +13,7 @@ import (
 	"github.com/dgraph-io/ristretto"
 )
 
-const apiKeyAuthSnapshotVersion = 4 // v4: added balance notification fields to UserSnapshot
+const apiKeyAuthSnapshotVersion = 5 // v5: added TotalRecharged for percentage threshold
 
 type apiKeyAuthCacheConfig struct {
 	l1Size        int
@@ -230,6 +230,7 @@ func (s *APIKeyService) snapshotFromAPIKey(apiKey *APIKey) *APIKeyAuthSnapshot {
 			BalanceNotifyThresholdType: apiKey.User.BalanceNotifyThresholdType,
 			BalanceNotifyThreshold:     apiKey.User.BalanceNotifyThreshold,
 			BalanceNotifyExtraEmails:   apiKey.User.BalanceNotifyExtraEmails,
+			TotalRecharged:             apiKey.User.TotalRecharged,
 		},
 	}
 	if apiKey.Group != nil {
@@ -291,6 +292,7 @@ func (s *APIKeyService) snapshotToAPIKey(key string, snapshot *APIKeyAuthSnapsho
 			BalanceNotifyThresholdType: snapshot.User.BalanceNotifyThresholdType,
 			BalanceNotifyThreshold:     snapshot.User.BalanceNotifyThreshold,
 			BalanceNotifyExtraEmails:   snapshot.User.BalanceNotifyExtraEmails,
+			TotalRecharged:             snapshot.User.TotalRecharged,
 		},
 	}
 	if snapshot.Group != nil {
diff --git a/backend/internal/service/balance_notify_service.go b/backend/internal/service/balance_notify_service.go
index 1e4d8ff6..14aa6766 100644
--- a/backend/internal/service/balance_notify_service.go
+++ b/backend/internal/service/balance_notify_service.go
@@ -309,7 +309,7 @@ func (s *BalanceNotifyService) sendBalanceLowEmails(recipients []string, userNam
 	if displayName == "" {
 		displayName = userEmail
 	}
-	subject := fmt.Sprintf("[%s] 余额不足提醒 / Balance Low Alert", siteName)
+	subject := fmt.Sprintf("[%s] 余额不足提醒 / Balance Low Alert", sanitizeEmailHeader(siteName))
 	body := s.buildBalanceLowEmailBody(html.EscapeString(displayName), balance, threshold, html.EscapeString(siteName))
 	s.sendEmails(recipients, subject, body, "user_email", userEmail, "balance", balance)
 }
@@ -321,11 +321,16 @@ func (s *BalanceNotifyService) sendQuotaAlertEmails(adminEmails []string, accoun
 		dimLabel = dimension
 	}
 
-	subject := fmt.Sprintf("[%s] 账号限额告警 / Account Quota Alert - %s", siteName, accountName)
+	subject := fmt.Sprintf("[%s] 账号限额告警 / Account Quota Alert - %s", sanitizeEmailHeader(siteName), sanitizeEmailHeader(accountName))
 	body := s.buildQuotaAlertEmailBody(html.EscapeString(accountName), html.EscapeString(dimLabel), used, limit, threshold, html.EscapeString(siteName))
 	s.sendEmails(adminEmails, subject, body, "account", accountName, "dimension", dimension)
 }
 
+// sanitizeEmailHeader removes CR/LF characters to prevent SMTP header injection.
+func sanitizeEmailHeader(s string) string {
+	return strings.NewReplacer("\r", "", "\n", "").Replace(s)
+}
+
 // balanceLowEmailTemplate is the HTML template for balance low notifications.
 // Format args: siteName, userName, userName, balance, threshold, threshold.
 const balanceLowEmailTemplate = `<!DOCTYPE html>
diff --git a/backend/internal/service/channel.go b/backend/internal/service/channel.go
index 3867f2a0..b034fda0 100644
--- a/backend/internal/service/channel.go
+++ b/backend/internal/service/channel.go
@@ -196,6 +196,9 @@ func (c *Channel) Clone() *Channel {
 			cp.ModelMapping[platform] = inner
 		}
 	}
+	if c.FeaturesConfig != nil {
+		cp.FeaturesConfig = deepCopyFeaturesConfig(c.FeaturesConfig)
+	}
 	if c.AccountStatsPricingRules != nil {
 		cp.AccountStatsPricingRules = make([]AccountStatsPricingRule, len(c.AccountStatsPricingRules))
 		for i, rule := range c.AccountStatsPricingRules {
@@ -219,6 +222,19 @@ func (c *Channel) Clone() *Channel {
 	return &cp
 }
 
+// deepCopyFeaturesConfig creates a deep copy of FeaturesConfig to prevent cache pollution.
+func deepCopyFeaturesConfig(src map[string]any) map[string]any {
+	dst := make(map[string]any, len(src))
+	for k, v := range src {
+		if inner, ok := v.(map[string]any); ok {
+			dst[k] = deepCopyFeaturesConfig(inner)
+		} else {
+			dst[k] = v
+		}
+	}
+	return dst
+}
+
 // ValidateIntervals 校验区间列表的合法性。
 // 规则：MinTokens >= 0；MaxTokens 若非 nil 则 > 0 且 > MinTokens；
 // 所有价格字段 >= 0；区间按 MinTokens 排序后无重叠（(min, max] 语义）；
diff --git a/backend/internal/service/email_service.go b/backend/internal/service/email_service.go
index 61090776..3eade83e 100644
--- a/backend/internal/service/email_service.go
+++ b/backend/internal/service/email_service.go
@@ -7,7 +7,7 @@ import (
 	"crypto/tls"
 	"encoding/hex"
 	"fmt"
-	"log"
+	"log/slog"
 	"math/big"
 	"net/smtp"
 	"net/url"
@@ -292,7 +292,7 @@ func (s *EmailService) VerifyCode(ctx context.Context, email, code string) error
 	if subtle.ConstantTimeCompare([]byte(data.Code), []byte(code)) != 1 {
 		data.Attempts++
 		if err := s.cache.SetVerificationCode(ctx, email, data, verifyCodeTTL); err != nil {
-			log.Printf("[Email] Failed to update verification attempt count: %v", err)
+			slog.Error("failed to update verification attempt count", "email", email, "error", err)
 		}
 		if data.Attempts >= maxVerifyCodeAttempts {
 			return ErrVerifyCodeMaxAttempts
@@ -302,7 +302,7 @@ func (s *EmailService) VerifyCode(ctx context.Context, email, code string) error
 
 	// 验证成功，删除验证码
 	if err := s.cache.DeleteVerificationCode(ctx, email); err != nil {
-		log.Printf("[Email] Failed to delete verification code after success: %v", err)
+		slog.Error("failed to delete verification code after success", "email", email, "error", err)
 	}
 	return nil
 }
@@ -452,7 +452,7 @@ func (s *EmailService) SendPasswordResetEmail(ctx context.Context, email, siteNa
 func (s *EmailService) SendPasswordResetEmailWithCooldown(ctx context.Context, email, siteName, resetURL string) error {
 	// Check email cooldown to prevent email bombing
 	if s.cache.IsPasswordResetEmailInCooldown(ctx, email) {
-		log.Printf("[Email] Password reset email skipped (cooldown): %s", email)
+		slog.Info("password reset email skipped due to cooldown", "email", email)
 		return nil // Silent success to prevent revealing cooldown to attackers
 	}
 
@@ -463,7 +463,7 @@ func (s *EmailService) SendPasswordResetEmailWithCooldown(ctx context.Context, e
 
 	// Set cooldown marker (Redis TTL handles expiration)
 	if err := s.cache.SetPasswordResetEmailCooldown(ctx, email, passwordResetEmailCooldown); err != nil {
-		log.Printf("[Email] Failed to set password reset cooldown for %s: %v", email, err)
+		slog.Error("failed to set password reset cooldown", "email", email, "error", err)
 	}
 
 	return nil
@@ -493,7 +493,7 @@ func (s *EmailService) ConsumePasswordResetToken(ctx context.Context, email, tok
 
 	// Delete after verification (one-time use)
 	if err := s.cache.DeletePasswordResetToken(ctx, email); err != nil {
-		log.Printf("[Email] Failed to delete password reset token after consumption: %v", err)
+		slog.Error("failed to delete password reset token after consumption", "email", email, "error", err)
 	}
 	return nil
 }
diff --git a/backend/internal/service/notify_email_entry.go b/backend/internal/service/notify_email_entry.go
index c0e739f4..d181200b 100644
--- a/backend/internal/service/notify_email_entry.go
+++ b/backend/internal/service/notify_email_entry.go
@@ -6,7 +6,7 @@ import (
 )
 
 // NotifyEmailEntry represents a notification email with enable/disable and verification state.
-// Email="" is a placeholder for the "primary email" (user's registration email or first admin email).
+// All emails are user-managed; maximum 3 entries per user.
 type NotifyEmailEntry struct {
 	Email    string `json:"email"`
 	Disabled bool   `json:"disabled"`
diff --git a/backend/internal/service/user_service.go b/backend/internal/service/user_service.go
index bcb21c1d..3baee81d 100644
--- a/backend/internal/service/user_service.go
+++ b/backend/internal/service/user_service.go
@@ -4,7 +4,7 @@ import (
 	"context"
 	"crypto/subtle"
 	"fmt"
-	"log"
+	"log/slog"
 	"strings"
 	"time"
 
@@ -13,12 +13,19 @@ import (
 )
 
 var (
-	ErrUserNotFound      = infraerrors.NotFound("USER_NOT_FOUND", "user not found")
-	ErrPasswordIncorrect = infraerrors.BadRequest("PASSWORD_INCORRECT", "current password is incorrect")
-	ErrInsufficientPerms = infraerrors.Forbidden("INSUFFICIENT_PERMISSIONS", "insufficient permissions")
+	ErrUserNotFound           = infraerrors.NotFound("USER_NOT_FOUND", "user not found")
+	ErrPasswordIncorrect      = infraerrors.BadRequest("PASSWORD_INCORRECT", "current password is incorrect")
+	ErrInsufficientPerms      = infraerrors.Forbidden("INSUFFICIENT_PERMISSIONS", "insufficient permissions")
+	ErrNotifyCodeUserRateLimit = infraerrors.TooManyRequests("NOTIFY_CODE_USER_RATE_LIMIT", "too many verification codes requested, please try again later")
 )
 
-const maxNotifyEmails = 3 // Total limit: primary (email="") + up to 2 extra
+const (
+	maxNotifyEmails = 3 // Maximum number of notification emails per user
+
+	// User-level rate limiting for notify email verification codes
+	notifyCodeUserRateLimit  = 5
+	notifyCodeUserRateWindow = 10 * time.Minute
+)
 
 // UserListFilters contains all filter options for listing users
 type UserListFilters struct {
@@ -220,7 +227,7 @@ func (s *UserService) UpdateBalance(ctx context.Context, userID int64, amount fl
 			cacheCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 			defer cancel()
 			if err := s.billingCache.InvalidateUserBalance(cacheCtx, userID); err != nil {
-				log.Printf("invalidate user balance cache failed: user_id=%d err=%v", userID, err)
+				slog.Error("invalidate user balance cache failed", "user_id", userID, "error", err)
 			}
 		}()
 	}
@@ -270,21 +277,44 @@ func (s *UserService) Delete(ctx context.Context, userID int64) error {
 
 // SendNotifyEmailCode sends a verification code to the extra notification email.
 func (s *UserService) SendNotifyEmailCode(ctx context.Context, userID int64, email string, emailService *EmailService, cache EmailCache) error {
-	// Check cooldown
+	if err := checkNotifyCodeRateLimit(ctx, cache, userID, email); err != nil {
+		return err
+	}
+
+	code, err := emailService.GenerateVerifyCode()
+	if err != nil {
+		return fmt.Errorf("generate code: %w", err)
+	}
+
+	if err := saveNotifyVerifyCode(ctx, cache, email, code); err != nil {
+		return err
+	}
+
+	// Increment user-level counter after successful save
+	if _, err := cache.IncrNotifyCodeUserRate(ctx, userID, notifyCodeUserRateWindow); err != nil {
+		slog.Error("failed to increment notify code user rate", "user_id", userID, "error", err)
+	}
+
+	return s.sendNotifyVerifyEmail(ctx, emailService, email, code)
+}
+
+// checkNotifyCodeRateLimit checks both email cooldown and user-level rate limit.
+func checkNotifyCodeRateLimit(ctx context.Context, cache EmailCache, userID int64, email string) error {
 	existing, err := cache.GetNotifyVerifyCode(ctx, email)
 	if err == nil && existing != nil {
 		if time.Since(existing.CreatedAt) < verifyCodeCooldown {
 			return ErrVerifyCodeTooFrequent
 		}
 	}
-
-	// Generate code
-	code, err := emailService.GenerateVerifyCode()
-	if err != nil {
-		return fmt.Errorf("generate code: %w", err)
+	count, err := cache.GetNotifyCodeUserRate(ctx, userID)
+	if err == nil && count >= notifyCodeUserRateLimit {
+		return ErrNotifyCodeUserRateLimit
 	}
+	return nil
+}
 
-	// Save to cache
+// saveNotifyVerifyCode saves the verification code to cache.
+func saveNotifyVerifyCode(ctx context.Context, cache EmailCache, email, code string) error {
 	data := &VerificationCodeData{
 		Code:      code,
 		Attempts:  0,
@@ -293,16 +323,17 @@ func (s *UserService) SendNotifyEmailCode(ctx context.Context, userID int64, ema
 	if err := cache.SetNotifyVerifyCode(ctx, email, data, verifyCodeTTL); err != nil {
 		return fmt.Errorf("save verify code: %w", err)
 	}
+	return nil
+}
 
-	// Get site name
+// sendNotifyVerifyEmail builds and sends the verification email.
+func (s *UserService) sendNotifyVerifyEmail(ctx context.Context, emailService *EmailService, email, code string) error {
 	siteName := "Sub2API"
 	if s.settingRepo != nil {
 		if name, err := s.settingRepo.GetValue(ctx, SettingKeySiteName); err == nil && name != "" {
 			siteName = name
 		}
 	}
-
-	// Build and send email
 	subject := fmt.Sprintf("[%s] 通知邮箱验证码 / Notification Email Verification", siteName)
 	body := buildNotifyVerifyEmailBody(code, siteName)
 	return emailService.SendEmail(ctx, email, subject, body)
@@ -310,7 +341,15 @@ func (s *UserService) SendNotifyEmailCode(ctx context.Context, userID int64, ema
 
 // VerifyAndAddNotifyEmail verifies the code and adds the email to user's extra emails.
 func (s *UserService) VerifyAndAddNotifyEmail(ctx context.Context, userID int64, email, code string, cache EmailCache) error {
-	// Verify code
+	if err := verifyNotifyCode(ctx, cache, email, code); err != nil {
+		return err
+	}
+	_ = cache.DeleteNotifyVerifyCode(ctx, email)
+	return s.addOrVerifyNotifyEmail(ctx, userID, email)
+}
+
+// verifyNotifyCode validates the verification code against the cached data.
+func verifyNotifyCode(ctx context.Context, cache EmailCache, email, code string) error {
 	data, err := cache.GetNotifyVerifyCode(ctx, email)
 	if err != nil || data == nil {
 		return ErrInvalidVerifyCode
@@ -326,17 +365,18 @@ func (s *UserService) VerifyAndAddNotifyEmail(ctx context.Context, userID int64,
 		}
 		return ErrInvalidVerifyCode
 	}
+	return nil
+}
 
-	// Delete code after verification
-	_ = cache.DeleteNotifyVerifyCode(ctx, email)
-
-	// Add to user's extra emails
+// addOrVerifyNotifyEmail adds the email to user's extra notification emails or marks it as verified.
+// Note: concurrent calls for the same user could race on the read-modify-write of
+// BalanceNotifyExtraEmails. The window is small (requires two verify flows completing
+// simultaneously), and the worst case is a duplicate entry which is harmless.
+func (s *UserService) addOrVerifyNotifyEmail(ctx context.Context, userID int64, email string) error {
 	user, err := s.userRepo.GetByID(ctx, userID)
 	if err != nil {
 		return err
 	}
-
-	// Check if already exists — if unverified, mark as verified
 	for i, e := range user.BalanceNotifyExtraEmails {
 		if strings.EqualFold(e.Email, email) {
 			if !e.Verified {
@@ -346,12 +386,9 @@ func (s *UserService) VerifyAndAddNotifyEmail(ctx context.Context, userID int64,
 			return nil // Already verified
 		}
 	}
-
-	// Check limit
 	if len(user.BalanceNotifyExtraEmails) >= maxNotifyEmails {
 		return infraerrors.BadRequest("TOO_MANY_NOTIFY_EMAILS", fmt.Sprintf("maximum %d notification emails allowed", maxNotifyEmails))
 	}
-
 	user.BalanceNotifyExtraEmails = append(user.BalanceNotifyExtraEmails, NotifyEmailEntry{
 		Email:    email,
 		Disabled: false,
@@ -399,10 +436,9 @@ func (s *UserService) ToggleNotifyEmail(ctx context.Context, userID int64, email
 	return s.userRepo.Update(ctx, user)
 }
 
-// buildNotifyVerifyEmailBody builds the HTML email body for notify email verification.
-func buildNotifyVerifyEmailBody(code, siteName string) string {
-	return fmt.Sprintf(`
-<!DOCTYPE html>
+// notifyVerifyEmailTemplate is the HTML template for notify email verification.
+// Format args: siteName, code.
+const notifyVerifyEmailTemplate = `<!DOCTYPE html>
 <html>
 <head>
     <meta charset="UTF-8">
@@ -439,6 +475,9 @@ func buildNotifyVerifyEmailBody(code, siteName string) string {
         </div>
     </div>
 </body>
-</html>
-`, siteName, code)
+</html>`
+
+// buildNotifyVerifyEmailBody builds the HTML email body for notify email verification.
+func buildNotifyVerifyEmailBody(code, siteName string) string {
+	return fmt.Sprintf(notifyVerifyEmailTemplate, siteName, code)
 }
diff --git a/frontend/src/views/admin/ChannelsView.vue b/frontend/src/views/admin/ChannelsView.vue
index b714ca30..2ca1141d 100644
--- a/frontend/src/views/admin/ChannelsView.vue
+++ b/frontend/src/views/admin/ChannelsView.vue
@@ -421,7 +421,7 @@
                 </h4>
                 <button
                   type="button"
-                  @click="addAccountStatsRule()"
+                  @click="addAccountStatsRule(sIdx)"
                   class="rounded-lg border border-primary-300 px-3 py-1 text-xs font-medium text-primary-600 hover:bg-primary-50 dark:border-primary-600 dark:text-primary-400 dark:hover:bg-primary-900/20"
                 >
                   + {{ t('admin.channels.form.addRule') }}
@@ -430,14 +430,14 @@
 
               <!-- Filter rules for this platform's groups -->
               <p
-                v-if="form.account_stats_pricing_rules.length === 0"
+                v-if="section.account_stats_pricing_rules.length === 0"
                 class="text-xs italic text-gray-400 dark:text-gray-500"
               >
                 {{ t('admin.channels.form.noRulesConfigured') }}
               </p>
 
               <div
-                v-for="(rule, ruleIndex) in form.account_stats_pricing_rules"
+                v-for="(rule, ruleIndex) in section.account_stats_pricing_rules"
                 :key="ruleIndex"
                 class="space-y-3 rounded-lg border border-gray-200 p-4 dark:border-dark-600"
               >
@@ -447,7 +447,7 @@
                     :placeholder="t('admin.channels.form.ruleName')"
                     class="bg-transparent text-sm font-medium text-gray-700 placeholder-gray-400 outline-none dark:text-gray-300"
                   />
-                  <button type="button" @click="removeAccountStatsRule(ruleIndex)" class="text-xs text-red-500 hover:text-red-700">
+                  <button type="button" @click="removeAccountStatsRule(sIdx, ruleIndex)" class="text-xs text-red-500 hover:text-red-700">
                     {{ t('common.delete') }}
                   </button>
                 </div>
@@ -524,7 +524,7 @@
                 <div>
                   <div class="mb-1 flex items-center justify-between">
                     <label class="text-xs text-gray-500 dark:text-gray-400">{{ t('admin.channels.form.ruleModelPricing') }}</label>
-                    <button type="button" @click="addRulePricingEntry(ruleIndex)" class="text-xs text-primary-600 hover:text-primary-700">
+                    <button type="button" @click="addRulePricingEntry(sIdx, ruleIndex)" class="text-xs text-primary-600 hover:text-primary-700">
                       + {{ t('common.add') }}
                     </button>
                   </div>
@@ -538,7 +538,7 @@
                       :entry="entry"
                       :platform="section.platform"
                       @update="rule.pricing.splice(pIdx, 1, $event)"
-                      @remove="removeRulePricingEntry(ruleIndex, pIdx)"
+                      @remove="removeRulePricingEntry(sIdx, ruleIndex, pIdx)"
                     />
                   </div>
                 </div>
@@ -625,6 +625,14 @@ async function loadWebSearchGlobalState() {
   }
 }
 
+// ── Form-level pricing rule type (per-platform) ──
+interface FormPricingRule {
+  name: string
+  group_ids: number[]
+  account_ids: number[]
+  pricing: PricingFormEntry[]
+}
+
 // ── Platform Section type ──
 interface PlatformSection {
   platform: GroupPlatform
@@ -634,6 +642,7 @@ interface PlatformSection {
   model_mapping: Record<string, string>
   model_pricing: PricingFormEntry[]
   web_search_emulation: boolean
+  account_stats_pricing_rules: FormPricingRule[]
 }
 
 // ── Table columns ──
@@ -703,12 +712,6 @@ const form = reactive({
   billing_model_source: 'channel_mapped' as string,
   platforms: [] as PlatformSection[],
   apply_pricing_to_account_stats: false,
-  account_stats_pricing_rules: [] as Array<{
-    name: string
-    group_ids: number[]
-    account_ids: number[]
-    pricing: PricingFormEntry[]
-  }>
 })
 
 let abortController: AbortController | null = null
@@ -754,6 +757,7 @@ function addPlatformSection(platform: GroupPlatform) {
     model_mapping: {},
     model_pricing: [],
     web_search_emulation: false,
+    account_stats_pricing_rules: [],
   })
 }
 
@@ -867,8 +871,8 @@ function renameMappingKey(sectionIdx: number, oldKey: string, newKey: string) {
 }
 
 // ── Account Stats Pricing helpers ──
-function addAccountStatsRule() {
-  form.account_stats_pricing_rules.push({
+function addAccountStatsRule(sectionIdx: number) {
+  form.platforms[sectionIdx].account_stats_pricing_rules.push({
     name: '',
     group_ids: [],
     account_ids: [],
@@ -876,8 +880,8 @@ function addAccountStatsRule() {
   })
 }
 
-function addRulePricingEntry(ruleIndex: number) {
-  form.account_stats_pricing_rules[ruleIndex].pricing.push({
+function addRulePricingEntry(sectionIdx: number, ruleIndex: number) {
+  form.platforms[sectionIdx].account_stats_pricing_rules[ruleIndex].pricing.push({
     models: [],
     billing_mode: 'token',
     input_price: null,
@@ -890,15 +894,15 @@ function addRulePricingEntry(ruleIndex: number) {
   })
 }
 
-function removeAccountStatsRule(ruleIndex: number) {
-  form.account_stats_pricing_rules.splice(ruleIndex, 1)
+function removeAccountStatsRule(sectionIdx: number, ruleIndex: number) {
+  form.platforms[sectionIdx].account_stats_pricing_rules.splice(ruleIndex, 1)
   // Clear all search state since indices shift after removal
   ruleAccountSearchRunner.clearAll()
   clearAllRuleAccountSearchState()
 }
 
-function removeRulePricingEntry(ruleIndex: number, pricingIndex: number) {
-  form.account_stats_pricing_rules[ruleIndex].pricing.splice(pricingIndex, 1)
+function removeRulePricingEntry(sectionIdx: number, ruleIndex: number, pricingIndex: number) {
+  form.platforms[sectionIdx].account_stats_pricing_rules[ruleIndex].pricing.splice(pricingIndex, 1)
 }
 
 function getGroupNameById(groupId: number): string {
@@ -980,38 +984,33 @@ function clearAllRuleAccountSearchState() {
   showRuleAccountDropdown.value = {}
 }
 
-function inferRulePlatform(groupIds: number[]): string {
-  const platforms = new Set<string>()
-  for (const gid of groupIds) {
-    const group = allGroups.value.find(g => g.id === gid)
-    if (group) platforms.add(group.platform)
-  }
-  return platforms.size === 1 ? [...platforms][0] : ''
-}
-
 function accountStatsRulesToAPI(): AccountStatsPricingRule[] {
-  return form.account_stats_pricing_rules.map(rule => {
-    const platform = inferRulePlatform(rule.group_ids)
-    return {
-      name: rule.name,
-      group_ids: rule.group_ids,
-      account_ids: rule.account_ids,
-      pricing: rule.pricing
-        .filter(p => p.models.length > 0)
-        .map(p => ({
-          platform,
-          models: p.models,
-          billing_mode: p.billing_mode,
-          input_price: mTokToPerToken(p.input_price),
-          output_price: mTokToPerToken(p.output_price),
-          cache_write_price: mTokToPerToken(p.cache_write_price),
-          cache_read_price: mTokToPerToken(p.cache_read_price),
-          image_output_price: mTokToPerToken(p.image_output_price),
-          per_request_price: p.per_request_price != null && p.per_request_price !== '' ? Number(p.per_request_price) : null,
-          intervals: formIntervalsToAPI(p.intervals || [])
-        }))
+  const rules: AccountStatsPricingRule[] = []
+  for (const section of form.platforms) {
+    if (!section.enabled) continue
+    for (const rule of section.account_stats_pricing_rules) {
+      rules.push({
+        name: rule.name,
+        group_ids: rule.group_ids,
+        account_ids: rule.account_ids,
+        pricing: rule.pricing
+          .filter(p => p.models.length > 0)
+          .map(p => ({
+            platform: section.platform,
+            models: p.models,
+            billing_mode: p.billing_mode,
+            input_price: mTokToPerToken(p.input_price),
+            output_price: mTokToPerToken(p.output_price),
+            cache_write_price: mTokToPerToken(p.cache_write_price),
+            cache_read_price: mTokToPerToken(p.cache_read_price),
+            image_output_price: mTokToPerToken(p.image_output_price),
+            per_request_price: p.per_request_price != null && p.per_request_price !== '' ? Number(p.per_request_price) : null,
+            intervals: formIntervalsToAPI(p.intervals || [])
+          }))
+      })
     }
-  })
+  }
+  return rules
 }
 
 // ── Form ↔ API conversion ──
@@ -1120,6 +1119,7 @@ function apiToForm(channel: Channel): PlatformSection[] {
       model_mapping: { ...mapping },
       model_pricing: pricing,
       web_search_emulation: webSearchEnabled,
+      account_stats_pricing_rules: [],
     })
   }
 
@@ -1213,7 +1213,6 @@ function resetForm() {
   form.billing_model_source = 'channel_mapped'
   form.platforms = []
   form.apply_pricing_to_account_stats = false
-  form.account_stats_pricing_rules = []
   activeTab.value = 'basic'
   ruleAccountSearchRunner.clearAll()
   clearAllRuleAccountSearchState()
@@ -1235,28 +1234,91 @@ async function openEditDialog(channel: Channel) {
   form.restrict_models = channel.restrict_models || false
   form.billing_model_source = channel.billing_model_source || 'channel_mapped'
   form.apply_pricing_to_account_stats = channel.apply_pricing_to_account_stats || false
-  form.account_stats_pricing_rules = (channel.account_stats_pricing_rules || []).map(rule => ({
-    name: rule.name || '',
-    group_ids: [...(rule.group_ids || [])],
-    account_ids: [...(rule.account_ids || [])],
-    pricing: (rule.pricing || []).map(p => ({
-      models: [...(p.models || [])],
-      billing_mode: p.billing_mode,
-      input_price: perTokenToMTok(p.input_price),
-      output_price: perTokenToMTok(p.output_price),
-      cache_write_price: perTokenToMTok(p.cache_write_price),
-      cache_read_price: perTokenToMTok(p.cache_read_price),
-      image_output_price: perTokenToMTok(p.image_output_price),
-      per_request_price: p.per_request_price,
-      intervals: apiIntervalsToForm(p.intervals || [])
-    } as PricingFormEntry))
-  }))
   // Must load groups first so apiToForm can map groupID → platform
   await Promise.all([loadGroups(), loadAllChannelsForConflict()])
   form.platforms = apiToForm(channel)
+
+  // Distribute channel-level rules into per-platform sections
+  distributeRulesToPlatforms(channel.account_stats_pricing_rules || [])
+
+  // Populate ruleAccountNameCache for existing rule accounts
+  await populateRuleAccountNameCache()
+
   showDialog.value = true
 }
 
+/** Distribute flat channel-level rules into the matching platform section based on group_ids */
+function distributeRulesToPlatforms(apiRules: AccountStatsPricingRule[]) {
+  // Build groupID → platform lookup
+  const groupPlatformMap = new Map<number, GroupPlatform>()
+  for (const g of allGroups.value) {
+    groupPlatformMap.set(g.id, g.platform)
+  }
+
+  for (const apiRule of apiRules) {
+    // Infer platform from group_ids
+    const platforms = new Set<GroupPlatform>()
+    for (const gid of apiRule.group_ids || []) {
+      const p = groupPlatformMap.get(gid)
+      if (p) platforms.add(p)
+    }
+    // If pricing has a platform field, use that as fallback
+    if (platforms.size === 0 && apiRule.pricing?.length > 0) {
+      const p = apiRule.pricing[0].platform as GroupPlatform | undefined
+      if (p) platforms.add(p)
+    }
+    const targetPlatform = platforms.size >= 1 ? [...platforms][0] : null
+    if (!targetPlatform) continue
+
+    const section = form.platforms.find(s => s.platform === targetPlatform)
+    if (!section) continue
+
+    const formRule: FormPricingRule = {
+      name: apiRule.name || '',
+      group_ids: [...(apiRule.group_ids || [])],
+      account_ids: [...(apiRule.account_ids || [])],
+      pricing: (apiRule.pricing || []).map(p => ({
+        models: [...(p.models || [])],
+        billing_mode: p.billing_mode,
+        input_price: perTokenToMTok(p.input_price),
+        output_price: perTokenToMTok(p.output_price),
+        cache_write_price: perTokenToMTok(p.cache_write_price),
+        cache_read_price: perTokenToMTok(p.cache_read_price),
+        image_output_price: perTokenToMTok(p.image_output_price),
+        per_request_price: p.per_request_price,
+        intervals: apiIntervalsToForm(p.intervals || [])
+      } as PricingFormEntry))
+    }
+    section.account_stats_pricing_rules.push(formRule)
+  }
+}
+
+/** Populate ruleAccountNameCache by fetching account details for all account_ids in rules */
+async function populateRuleAccountNameCache() {
+  const allAccountIds = new Set<number>()
+  for (const section of form.platforms) {
+    for (const rule of section.account_stats_pricing_rules) {
+      for (const id of rule.account_ids) {
+        allAccountIds.add(id)
+      }
+    }
+  }
+  if (allAccountIds.size === 0) return
+
+  // Fetch account details in parallel (batch of individual getById calls)
+  const ids = [...allAccountIds]
+  const results = await Promise.allSettled(
+    ids.map(id => adminAPI.accounts.getById(id))
+  )
+  for (let i = 0; i < ids.length; i++) {
+    const result = results[i]
+    if (result.status === 'fulfilled') {
+      ruleAccountNameCache.value[ids[i]] = result.value.name
+    }
+    // If rejected, the cache won't have the name, so it'll show "#ID" which is acceptable
+  }
+}
+
 function closeDialog() {
   showDialog.value = false
   editingChannel.value = null

From b1875f0b826b48d941df751061f4c92071498ed9 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Mon, 13 Apr 2026 14:21:37 +0800
Subject: [PATCH 055/122] fix: round 3 audit fixes - SMTP header sanitization
 and goroutine safety

- Move sanitizeEmailHeader to SendEmailWithConfig entry point, covering all
  email senders (verify code, password reset, ops alerts, notifications)
- Add panic recovery to UpdateBalance goroutine
- Fix stale comment in getAccountQuotaNotifyEmails (email="" no longer used)
- Log error instead of silently discarding verifyNotifyCode cache update failure
---
 backend/cmd/server/VERSION                         | 2 +-
 backend/internal/service/balance_notify_service.go | 2 +-
 backend/internal/service/email_service.go          | 8 ++++++--
 backend/internal/service/user_service.go           | 9 ++++++++-
 4 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/backend/cmd/server/VERSION b/backend/cmd/server/VERSION
index b2581b19..49e7ca57 100644
--- a/backend/cmd/server/VERSION
+++ b/backend/cmd/server/VERSION
@@ -1 +1 @@
-0.1.110.20
+0.1.110.21
diff --git a/backend/internal/service/balance_notify_service.go b/backend/internal/service/balance_notify_service.go
index 14aa6766..a392a13e 100644
--- a/backend/internal/service/balance_notify_service.go
+++ b/backend/internal/service/balance_notify_service.go
@@ -225,7 +225,7 @@ func (s *BalanceNotifyService) isAccountQuotaNotifyEnabled(ctx context.Context)
 }
 
 // getAccountQuotaNotifyEmails reads admin notification emails from settings,
-// filtering out disabled entries. Entries with email="" are resolved to the first admin's email.
+// filtering out disabled and unverified entries.
 func (s *BalanceNotifyService) getAccountQuotaNotifyEmails(ctx context.Context) []string {
 	raw, err := s.settingRepo.GetValue(ctx, SettingKeyAccountQuotaNotifyEmails)
 	if err != nil || strings.TrimSpace(raw) == "" || raw == "[]" {
diff --git a/backend/internal/service/email_service.go b/backend/internal/service/email_service.go
index 3eade83e..50d324f2 100644
--- a/backend/internal/service/email_service.go
+++ b/backend/internal/service/email_service.go
@@ -153,9 +153,13 @@ func (s *EmailService) SendEmail(ctx context.Context, to, subject, body string)
 
 // SendEmailWithConfig 使用指定配置发送邮件
 func (s *EmailService) SendEmailWithConfig(config *SMTPConfig, to, subject, body string) error {
-	from := config.From
+	// Sanitize all SMTP header fields to prevent header injection (CR/LF removal).
+	to = sanitizeEmailHeader(to)
+	subject = sanitizeEmailHeader(subject)
+
+	from := sanitizeEmailHeader(config.From)
 	if config.FromName != "" {
-		from = fmt.Sprintf("%s <%s>", config.FromName, config.From)
+		from = fmt.Sprintf("%s <%s>", sanitizeEmailHeader(config.FromName), sanitizeEmailHeader(config.From))
 	}
 
 	msg := fmt.Sprintf("From: %s\r\nTo: %s\r\nSubject: %s\r\nMIME-Version: 1.0\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n%s",
diff --git a/backend/internal/service/user_service.go b/backend/internal/service/user_service.go
index 3baee81d..0da73762 100644
--- a/backend/internal/service/user_service.go
+++ b/backend/internal/service/user_service.go
@@ -224,6 +224,11 @@ func (s *UserService) UpdateBalance(ctx context.Context, userID int64, amount fl
 	}
 	if s.billingCache != nil {
 		go func() {
+			defer func() {
+				if r := recover(); r != nil {
+					slog.Error("panic in balance cache invalidation", "user_id", userID, "recover", r)
+				}
+			}()
 			cacheCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 			defer cancel()
 			if err := s.billingCache.InvalidateUserBalance(cacheCtx, userID); err != nil {
@@ -359,7 +364,9 @@ func verifyNotifyCode(ctx context.Context, cache EmailCache, email, code string)
 	}
 	if subtle.ConstantTimeCompare([]byte(data.Code), []byte(code)) != 1 {
 		data.Attempts++
-		_ = cache.SetNotifyVerifyCode(ctx, email, data, verifyCodeTTL)
+		if err := cache.SetNotifyVerifyCode(ctx, email, data, verifyCodeTTL); err != nil {
+			slog.Error("failed to update notify verify code attempts", "email", email, "error", err)
+		}
 		if data.Attempts >= maxVerifyCodeAttempts {
 			return ErrVerifyCodeMaxAttempts
 		}

From 58c0f576472af77ceece606d4f7d3b00c5942c23 Mon Sep 17 00:00:00 2001
From: knowsky404 <git@knowsky404.com>
Date: Tue, 14 Apr 2026 09:27:02 +0800
Subject: [PATCH 056/122] fix(sidebar): prevent version dropdown clipping in
 expanded brand

---
 frontend/src/components/layout/AppSidebar.vue               | 2 +-
 frontend/src/components/layout/__tests__/AppSidebar.spec.ts | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/frontend/src/components/layout/AppSidebar.vue b/frontend/src/components/layout/AppSidebar.vue
index dad127b0..92dcc519 100644
--- a/frontend/src/components/layout/AppSidebar.vue
+++ b/frontend/src/components/layout/AppSidebar.vue
@@ -807,7 +807,6 @@ onMounted(() => {
 .sidebar-brand {
   min-width: 0;
   flex: 1 1 auto;
-  overflow: hidden;
   white-space: nowrap;
   transition:
     max-width 0.22s ease,
@@ -818,6 +817,7 @@ onMounted(() => {
 
 .sidebar-brand-collapsed {
   max-width: 0;
+  overflow: hidden;
   opacity: 0;
   transform: translateX(-4px);
   pointer-events: none;
diff --git a/frontend/src/components/layout/__tests__/AppSidebar.spec.ts b/frontend/src/components/layout/__tests__/AppSidebar.spec.ts
index c0da4e38..118c7615 100644
--- a/frontend/src/components/layout/__tests__/AppSidebar.spec.ts
+++ b/frontend/src/components/layout/__tests__/AppSidebar.spec.ts
@@ -22,8 +22,11 @@ describe('AppSidebar custom SVG styles', () => {
 describe('AppSidebar header styles', () => {
   it('does not clip the version badge dropdown', () => {
     const sidebarHeaderBlockMatch = styleSource.match(/\.sidebar-header\s*\{[\s\S]*?\n  \}/)
+    const sidebarBrandBlockMatch = componentSource.match(/\.sidebar-brand\s*\{[\s\S]*?\n\}/)
 
     expect(sidebarHeaderBlockMatch).not.toBeNull()
+    expect(sidebarBrandBlockMatch).not.toBeNull()
     expect(sidebarHeaderBlockMatch?.[0]).not.toContain('@apply overflow-hidden;')
+    expect(sidebarBrandBlockMatch?.[0]).not.toContain('overflow: hidden;')
   })
 })

From 48e8efe3e8489a34dea34528caefcb4a64fec4cc Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Mon, 13 Apr 2026 15:13:56 +0800
Subject: [PATCH 057/122] fix(frontend): hide quota notify toggle when global
 setting is disabled

QuotaLimitCard now requires quotaNotifyGlobalEnabled prop to control
visibility of QuotaNotifyToggle components. When the global account
quota notification is disabled in admin settings, per-account threshold
toggles are hidden in both Edit and Create account modals.
---
 backend/cmd/server/VERSION                    |  2 +-
 .../components/account/CreateAccountModal.vue | 53 +++++++++++++++++--
 .../components/account/EditAccountModal.vue   |  9 +++-
 .../src/components/account/QuotaLimitCard.vue |  8 +--
 4 files changed, 62 insertions(+), 10 deletions(-)

diff --git a/backend/cmd/server/VERSION b/backend/cmd/server/VERSION
index 49e7ca57..d6418142 100644
--- a/backend/cmd/server/VERSION
+++ b/backend/cmd/server/VERSION
@@ -1 +1 @@
-0.1.110.21
+0.1.110.23
diff --git a/frontend/src/components/account/CreateAccountModal.vue b/frontend/src/components/account/CreateAccountModal.vue
index e83e061e..e3d2d19a 100644
--- a/frontend/src/components/account/CreateAccountModal.vue
+++ b/frontend/src/components/account/CreateAccountModal.vue
@@ -1477,10 +1477,47 @@
         </div>
       </div>
 
-      <!-- API Key / Bedrock 账号配额限制 -->
-      <div v-if="form.type === 'apikey' || form.type === 'bedrock'" class="border-t border-gray-200 pt-4 dark:border-dark-600 space-y-4">
+      <!-- 配额控制 (Anthropic apikey/bedrock: 配额限制 + 亲和) -->
+      <div
+        v-if="form.platform === 'anthropic' && (form.type === 'apikey' || form.type === 'bedrock')"
+        class="border-t border-gray-200 pt-4 dark:border-dark-600 space-y-4"
+      >
         <div class="mb-3">
-          <h3 class="input-label mb-0 text-base font-semibold">{{ t('admin.accounts.quotaLimit') }}</h3>
+          <h3 class="input-label mb-0 text-base font-semibold">{{ t('admin.accounts.quotaControl.title') }}</h3>
+          <p class="mt-1 text-xs text-gray-500 dark:text-gray-400">
+            {{ t('admin.accounts.quotaControl.hint') }}
+          </p>
+        </div>
+        <QuotaLimitCard
+          :totalLimit="editQuotaLimit"
+          :dailyLimit="editQuotaDailyLimit"
+          :weeklyLimit="editQuotaWeeklyLimit"
+          :quotaNotifyGlobalEnabled="quotaNotifyGlobalEnabled"
+          :dailyResetMode="editDailyResetMode"
+          :dailyResetHour="editDailyResetHour"
+          :weeklyResetMode="editWeeklyResetMode"
+          :weeklyResetDay="editWeeklyResetDay"
+          :weeklyResetHour="editWeeklyResetHour"
+          :resetTimezone="editResetTimezone"
+          @update:totalLimit="editQuotaLimit = $event"
+          @update:dailyLimit="editQuotaDailyLimit = $event"
+          @update:weeklyLimit="editQuotaWeeklyLimit = $event"
+          @update:dailyResetMode="editDailyResetMode = $event"
+          @update:dailyResetHour="editDailyResetHour = $event"
+          @update:weeklyResetMode="editWeeklyResetMode = $event"
+          @update:weeklyResetDay="editWeeklyResetDay = $event"
+          @update:weeklyResetHour="editWeeklyResetHour = $event"
+          @update:resetTimezone="editResetTimezone = $event"
+        />
+      </div>
+
+      <!-- 配额控制 (非 Anthropic apikey/bedrock) -->
+      <div
+        v-else-if="form.type === 'apikey' || form.type === 'bedrock'"
+        class="border-t border-gray-200 pt-4 dark:border-dark-600 space-y-4"
+      >
+        <div class="mb-3">
+          <h3 class="input-label mb-0 text-base font-semibold">{{ t('admin.accounts.quotaControl.title') }}</h3>
           <p class="mt-1 text-xs text-gray-500 dark:text-gray-400">
             {{ t('admin.accounts.quotaLimitHint') }}
           </p>
@@ -1489,6 +1526,7 @@
           :totalLimit="editQuotaLimit"
           :dailyLimit="editQuotaDailyLimit"
           :weeklyLimit="editQuotaWeeklyLimit"
+          :quotaNotifyGlobalEnabled="quotaNotifyGlobalEnabled"
           :dailyResetMode="editDailyResetMode"
           :dailyResetHour="editDailyResetHour"
           :weeklyResetMode="editWeeklyResetMode"
@@ -1823,7 +1861,7 @@
         </div>
       </div>
 
-      <!-- Quota Control Section (Anthropic OAuth/SetupToken only) -->
+      <!-- 配额控制 (Anthropic OAuth/SetupToken: 亲和 + 窗口费用 + 会话 + RPM 等) -->
       <div
         v-if="form.platform === 'anthropic' && accountCategory === 'oauth-based'"
         class="border-t border-gray-200 pt-4 dark:border-dark-600 space-y-4"
@@ -3002,11 +3040,16 @@ const codexCLIOnlyEnabled = ref(false)
 const anthropicPassthroughEnabled = ref(false)
 const webSearchEmulationMode = ref('default')
 const webSearchGlobalEnabled = ref(false)
+const quotaNotifyGlobalEnabled = ref(false)
 
-// Load web search global state once
+// Load global feature states once
 adminAPI.settings.getWebSearchEmulationConfig().then(cfg => {
   webSearchGlobalEnabled.value = cfg?.enabled === true && (cfg?.providers?.length ?? 0) > 0
 }).catch(() => { webSearchGlobalEnabled.value = false })
+
+adminAPI.settings.getSettings().then(settings => {
+  quotaNotifyGlobalEnabled.value = settings.account_quota_notify_enabled === true
+}).catch(() => { quotaNotifyGlobalEnabled.value = false })
 const mixedScheduling = ref(false) // For antigravity accounts: enable mixed scheduling
 const allowOverages = ref(false) // For antigravity accounts: enable AI Credits overages
 const antigravityAccountType = ref<'oauth' | 'upstream'>('oauth') // For antigravity: oauth or upstream
diff --git a/frontend/src/components/account/EditAccountModal.vue b/frontend/src/components/account/EditAccountModal.vue
index 74e5fc1f..89f1fb18 100644
--- a/frontend/src/components/account/EditAccountModal.vue
+++ b/frontend/src/components/account/EditAccountModal.vue
@@ -1190,6 +1190,7 @@
           :weeklyResetDay="editWeeklyResetDay"
           :weeklyResetHour="editWeeklyResetHour"
           :resetTimezone="editResetTimezone"
+          :quotaNotifyGlobalEnabled="quotaNotifyGlobalEnabled"
           :quotaNotifyDailyEnabled="editQuotaNotifyDailyEnabled"
           :quotaNotifyDailyThreshold="editQuotaNotifyDailyThreshold"
           :quotaNotifyDailyThresholdType="editQuotaNotifyDailyThresholdType"
@@ -1240,6 +1241,7 @@
           :weeklyResetDay="editWeeklyResetDay"
           :weeklyResetHour="editWeeklyResetHour"
           :resetTimezone="editResetTimezone"
+          :quotaNotifyGlobalEnabled="quotaNotifyGlobalEnabled"
           :quotaNotifyDailyEnabled="editQuotaNotifyDailyEnabled"
           :quotaNotifyDailyThreshold="editQuotaNotifyDailyThreshold"
           :quotaNotifyDailyThresholdType="editQuotaNotifyDailyThresholdType"
@@ -1991,11 +1993,16 @@ const codexCLIOnlyEnabled = ref(false)
 const anthropicPassthroughEnabled = ref(false)
 const webSearchEmulationMode = ref('default')
 const webSearchGlobalEnabled = ref(false)
+const quotaNotifyGlobalEnabled = ref(false)
 
-// Load web search global state once
+// Load global feature states once
 adminAPI.settings.getWebSearchEmulationConfig().then(cfg => {
   webSearchGlobalEnabled.value = cfg?.enabled === true && (cfg?.providers?.length ?? 0) > 0
 }).catch(() => { webSearchGlobalEnabled.value = false })
+
+adminAPI.settings.getSettings().then(settings => {
+  quotaNotifyGlobalEnabled.value = settings.account_quota_notify_enabled === true
+}).catch(() => { quotaNotifyGlobalEnabled.value = false })
 const editQuotaLimit = ref<number | null>(null)
 const editQuotaDailyLimit = ref<number | null>(null)
 const editQuotaWeeklyLimit = ref<number | null>(null)
diff --git a/frontend/src/components/account/QuotaLimitCard.vue b/frontend/src/components/account/QuotaLimitCard.vue
index 64bdb08a..38ab6479 100644
--- a/frontend/src/components/account/QuotaLimitCard.vue
+++ b/frontend/src/components/account/QuotaLimitCard.vue
@@ -15,6 +15,7 @@ const props = withDefaults(defineProps<{
   weeklyResetDay: number | null
   weeklyResetHour: number | null
   resetTimezone: string | null
+  quotaNotifyGlobalEnabled?: boolean
   quotaNotifyDailyEnabled?: boolean | null
   quotaNotifyDailyThreshold?: number | null
   quotaNotifyDailyThresholdType?: string | null
@@ -25,6 +26,7 @@ const props = withDefaults(defineProps<{
   quotaNotifyTotalThreshold?: number | null
   quotaNotifyTotalThresholdType?: string | null
 }>(), {
+  quotaNotifyGlobalEnabled: false,
   quotaNotifyDailyEnabled: null,
   quotaNotifyDailyThreshold: null,
   quotaNotifyDailyThresholdType: null,
@@ -234,7 +236,7 @@ const onWeeklyModeChange = (e: Event) => {
           </p>
           <!-- 日配额告警 -->
           <QuotaNotifyToggle
-            v-if="dailyLimit && dailyLimit > 0"
+            v-if="quotaNotifyGlobalEnabled && dailyLimit && dailyLimit > 0"
             :enabled="props.quotaNotifyDailyEnabled"
             :threshold="props.quotaNotifyDailyThreshold"
             :threshold-type="props.quotaNotifyDailyThresholdType"
@@ -300,7 +302,7 @@ const onWeeklyModeChange = (e: Event) => {
           </p>
           <!-- 周配额告警 -->
           <QuotaNotifyToggle
-            v-if="weeklyLimit && weeklyLimit > 0"
+            v-if="quotaNotifyGlobalEnabled && weeklyLimit && weeklyLimit > 0"
             :enabled="props.quotaNotifyWeeklyEnabled"
             :threshold="props.quotaNotifyWeeklyThreshold"
             :threshold-type="props.quotaNotifyWeeklyThresholdType"
@@ -340,7 +342,7 @@ const onWeeklyModeChange = (e: Event) => {
           <p class="input-hint">{{ t('admin.accounts.quotaTotalLimitHint') }}</p>
           <!-- 总配额告警 -->
           <QuotaNotifyToggle
-            v-if="totalLimit && totalLimit > 0"
+            v-if="quotaNotifyGlobalEnabled && totalLimit && totalLimit > 0"
             :enabled="props.quotaNotifyTotalEnabled"
             :threshold="props.quotaNotifyTotalThreshold"
             :threshold-type="props.quotaNotifyTotalThresholdType"

From 245f47cebb7f9e07c3a6a2bfb7c9366b19554aec Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Mon, 13 Apr 2026 15:20:00 +0800
Subject: [PATCH 058/122] fix(frontend): simplify websearch select labels and
 reduce width
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- "默认（跟随渠道）" → "默认", "Default (follow channel)" → "Default"
- Move "follows channel config" info to description text
- Reduce select width from w-32 to w-24 in both Edit and Create modals
---
 frontend/src/components/account/CreateAccountModal.vue | 2 +-
 frontend/src/components/account/EditAccountModal.vue   | 2 +-
 frontend/src/i18n/locales/en.ts                        | 4 ++--
 frontend/src/i18n/locales/zh.ts                        | 4 ++--
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/frontend/src/components/account/CreateAccountModal.vue b/frontend/src/components/account/CreateAccountModal.vue
index e3d2d19a..a1496fa8 100644
--- a/frontend/src/components/account/CreateAccountModal.vue
+++ b/frontend/src/components/account/CreateAccountModal.vue
@@ -2375,7 +2375,7 @@
               {{ t('admin.accounts.anthropic.webSearchEmulationDesc') }}
             </p>
           </div>
-          <select v-model="webSearchEmulationMode" class="input w-32 text-sm">
+          <select v-model="webSearchEmulationMode" class="input w-24 text-sm">
             <option value="default">{{ t('admin.accounts.anthropic.webSearchDefault') }}</option>
             <option value="enabled">{{ t('admin.accounts.anthropic.webSearchEnabled') }}</option>
             <option value="disabled">{{ t('admin.accounts.anthropic.webSearchDisabled') }}</option>
diff --git a/frontend/src/components/account/EditAccountModal.vue b/frontend/src/components/account/EditAccountModal.vue
index 89f1fb18..613738d2 100644
--- a/frontend/src/components/account/EditAccountModal.vue
+++ b/frontend/src/components/account/EditAccountModal.vue
@@ -1161,7 +1161,7 @@
               {{ t('admin.accounts.anthropic.webSearchEmulationDesc') }}
             </p>
           </div>
-          <select v-model="webSearchEmulationMode" class="input w-32 text-sm">
+          <select v-model="webSearchEmulationMode" class="input w-24 text-sm">
             <option value="default">{{ t('admin.accounts.anthropic.webSearchDefault') }}</option>
             <option value="enabled">{{ t('admin.accounts.anthropic.webSearchEnabled') }}</option>
             <option value="disabled">{{ t('admin.accounts.anthropic.webSearchDisabled') }}</option>
diff --git a/frontend/src/i18n/locales/en.ts b/frontend/src/i18n/locales/en.ts
index 1f9ba3e1..5c593946 100644
--- a/frontend/src/i18n/locales/en.ts
+++ b/frontend/src/i18n/locales/en.ts
@@ -2383,8 +2383,8 @@ export default {
           'Only applies to Anthropic API Key accounts. When enabled, messages/count_tokens are forwarded in passthrough mode with auth replacement only, while billing/concurrency/audit and safety filtering are preserved. Disable to roll back immediately.',
         webSearchEmulation: 'Web Search Emulation',
         webSearchEmulationDesc:
-          'Enable web search emulation for this API Key account. When a pure web_search request is detected, the gateway calls a third-party search API and constructs the response locally.',
-        webSearchDefault: 'Default (follow channel)',
+          'Enable web search emulation for this API Key account. When a pure web_search request is detected, the gateway calls a third-party search API and constructs the response locally. Default follows channel config.',
+        webSearchDefault: 'Default',
         webSearchEnabled: 'Enabled',
         webSearchDisabled: 'Disabled',
       },
diff --git a/frontend/src/i18n/locales/zh.ts b/frontend/src/i18n/locales/zh.ts
index fa5d970c..141193c1 100644
--- a/frontend/src/i18n/locales/zh.ts
+++ b/frontend/src/i18n/locales/zh.ts
@@ -2530,8 +2530,8 @@ export default {
           '仅对 Anthropic API Key 生效。开启后，messages/count_tokens 请求将透传上游并仅替换认证，保留计费/并发/审计及必要安全过滤；关闭即可回滚到现有兼容链路。',
         webSearchEmulation: 'Web Search 模拟',
         webSearchEmulationDesc:
-          '为该 API Key 账号启用 web search 模拟。客户端发送纯 web_search 请求时，由网关调用第三方搜索 API 并构造响应返回。',
-        webSearchDefault: '默认（跟随渠道）',
+          '为该 API Key 账号启用 web search 模拟。客户端发送纯 web_search 请求时，由网关调用第三方搜索 API 并构造响应返回。默认跟随渠道配置。',
+        webSearchDefault: '默认',
         webSearchEnabled: '开启',
         webSearchDisabled: '关闭',
       },

From 42f8ef331576b43958cbf39def767a55857f3b32 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Mon, 13 Apr 2026 15:30:06 +0800
Subject: [PATCH 059/122] fix: add missing AccountQuotaNotifyEnabled to admin
 settings API

The field was present in SystemSettings response DTO and service layer
but missing from:
- UpdateSettingsRequest (admin handler) - saves were silently ignored
- GET/PUT response mapping in admin handler
- UpdateSettingsRequest (non-admin dto)

This caused the toggle to always revert to off after saving.
---
 backend/cmd/server/VERSION                        | 2 +-
 backend/internal/handler/admin/setting_handler.go | 9 +++++++++
 backend/internal/handler/dto/settings.go          | 1 +
 3 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/backend/cmd/server/VERSION b/backend/cmd/server/VERSION
index d6418142..8775ce89 100644
--- a/backend/cmd/server/VERSION
+++ b/backend/cmd/server/VERSION
@@ -1 +1 @@
-0.1.110.23
+0.1.110.24
diff --git a/backend/internal/handler/admin/setting_handler.go b/backend/internal/handler/admin/setting_handler.go
index fe46e821..58081273 100644
--- a/backend/internal/handler/admin/setting_handler.go
+++ b/backend/internal/handler/admin/setting_handler.go
@@ -178,6 +178,7 @@ func (h *SettingHandler) GetSettings(c *gin.Context) {
 		WebSearchEmulationEnabled:            settings.WebSearchEmulationEnabled,
 		BalanceLowNotifyEnabled:              settings.BalanceLowNotifyEnabled,
 		BalanceLowNotifyThreshold:            settings.BalanceLowNotifyThreshold,
+		AccountQuotaNotifyEnabled:            settings.AccountQuotaNotifyEnabled,
 		AccountQuotaNotifyEmails:             dto.NotifyEmailEntriesFromService(settings.AccountQuotaNotifyEmails),
 		PaymentEnabled:                       paymentCfg.Enabled,
 		PaymentMinAmount:                     paymentCfg.MinAmount,
@@ -311,6 +312,7 @@ type UpdateSettingsRequest struct {
 	// Balance low notification
 	BalanceLowNotifyEnabled   *bool     `json:"balance_low_notify_enabled"`
 	BalanceLowNotifyThreshold *float64  `json:"balance_low_notify_threshold"`
+	AccountQuotaNotifyEnabled *bool     `json:"account_quota_notify_enabled"`
 	AccountQuotaNotifyEmails  *[]dto.NotifyEmailEntry `json:"account_quota_notify_emails"`
 
 	// Payment configuration (integrated into settings, full replace)
@@ -902,6 +904,12 @@ func (h *SettingHandler) UpdateSettings(c *gin.Context) {
 			}
 			return previousSettings.BalanceLowNotifyThreshold
 		}(),
+		AccountQuotaNotifyEnabled: func() bool {
+			if req.AccountQuotaNotifyEnabled != nil {
+				return *req.AccountQuotaNotifyEnabled
+			}
+			return previousSettings.AccountQuotaNotifyEnabled
+		}(),
 		AccountQuotaNotifyEmails: func() []service.NotifyEmailEntry {
 			if req.AccountQuotaNotifyEmails != nil {
 				return dto.NotifyEmailEntriesToService(*req.AccountQuotaNotifyEmails)
@@ -1056,6 +1064,7 @@ func (h *SettingHandler) UpdateSettings(c *gin.Context) {
 		EnableCCHSigning:                     updatedSettings.EnableCCHSigning,
 		BalanceLowNotifyEnabled:              updatedSettings.BalanceLowNotifyEnabled,
 		BalanceLowNotifyThreshold:            updatedSettings.BalanceLowNotifyThreshold,
+		AccountQuotaNotifyEnabled:            updatedSettings.AccountQuotaNotifyEnabled,
 		AccountQuotaNotifyEmails:             dto.NotifyEmailEntriesFromService(updatedSettings.AccountQuotaNotifyEmails),
 		PaymentEnabled:                       updatedPaymentCfg.Enabled,
 		PaymentMinAmount:                     updatedPaymentCfg.MinAmount,
diff --git a/backend/internal/handler/dto/settings.go b/backend/internal/handler/dto/settings.go
index 545458c8..6c99208f 100644
--- a/backend/internal/handler/dto/settings.go
+++ b/backend/internal/handler/dto/settings.go
@@ -152,6 +152,7 @@ type SystemSettings struct {
 	// Balance low notification
 	BalanceLowNotifyEnabled   bool     `json:"balance_low_notify_enabled"`
 	BalanceLowNotifyThreshold float64  `json:"balance_low_notify_threshold"`
+	AccountQuotaNotifyEnabled bool     `json:"account_quota_notify_enabled"`
 	AccountQuotaNotifyEmails  []NotifyEmailEntry `json:"account_quota_notify_emails"`
 }
 

From 98c9d51791fe5905247268d183abc9d069ff98d3 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Mon, 13 Apr 2026 16:45:10 +0800
Subject: [PATCH 060/122] fix: correct account stats pricing priority order
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Priority was wrong:
- Before: custom rules → LiteLLM (when ApplyPricingToAccountStats) → nil
- After:  custom rules → totalCost (when ApplyPricingToAccountStats) → LiteLLM → nil

When ApplyPricingToAccountStats is enabled, use the request's actual
client billing cost (before multiplier) as account_stats_cost, instead
of recalculating from LiteLLM per-token prices which produced incorrect
values for per-request billing mode.

LiteLLM model pricing is now the final fallback (priority 3), used only
when neither custom rules nor ApplyPricingToAccountStats apply.
---
 backend/cmd/server/VERSION                    |  2 +-
 .../internal/service/account_stats_pricing.go | 20 +++++++++++++++----
 backend/internal/service/gateway_service.go   |  1 +
 .../service/openai_gateway_service.go         |  2 +-
 4 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/backend/cmd/server/VERSION b/backend/cmd/server/VERSION
index 8775ce89..c74c5ae7 100644
--- a/backend/cmd/server/VERSION
+++ b/backend/cmd/server/VERSION
@@ -1 +1 @@
-0.1.110.24
+0.1.110.27
diff --git a/backend/internal/service/account_stats_pricing.go b/backend/internal/service/account_stats_pricing.go
index cbe9c76c..8251dede 100644
--- a/backend/internal/service/account_stats_pricing.go
+++ b/backend/internal/service/account_stats_pricing.go
@@ -11,10 +11,12 @@ import (
 //
 // 优先级（先命中为准）：
 //  1. 自定义规则（始终尝试，不依赖 ApplyPricingToAccountStats 开关）
-//  2. ApplyPricingToAccountStats 启用时，用模型定价文件（LiteLLM）中上游模型的标准价格计算
-//  3. nil → 走默认公式
+//  2. ApplyPricingToAccountStats 启用时，直接使用本次请求的客户计费（倍率前的 totalCost）
+//  3. 模型定价文件（LiteLLM）中上游模型的默认价格
+//  4. nil → 走默认公式（total_cost × account_rate_multiplier）
 //
 // upstreamModel 是最终发往上游的模型 ID。
+// totalCost 是本次请求的客户计费（倍率前），用于优先级 2。
 func resolveAccountStatsCost(
 	ctx context.Context,
 	channelService *ChannelService,
@@ -24,6 +26,7 @@ func resolveAccountStatsCost(
 	upstreamModel string,
 	tokens UsageTokens,
 	requestCount int,
+	totalCost float64,
 ) *float64 {
 	if channelService == nil || upstreamModel == "" {
 		return nil
@@ -40,8 +43,17 @@ func resolveAccountStatsCost(
 		return cost
 	}
 
-	// 优先级 2：模型定价文件（LiteLLM/fallback）中上游模型的标准价格
-	if channel.ApplyPricingToAccountStats && billingService != nil {
+	// 优先级 2：渠道开启"应用模型定价到账号统计"时，直接使用客户计费（倍率前）
+	if channel.ApplyPricingToAccountStats {
+		cost := totalCost
+		if cost <= 0 {
+			return nil
+		}
+		return &cost
+	}
+
+	// 优先级 3：模型定价文件（LiteLLM）默认价格
+	if billingService != nil {
 		return tryModelFilePricing(billingService, upstreamModel, tokens)
 	}
 
diff --git a/backend/internal/service/gateway_service.go b/backend/internal/service/gateway_service.go
index 5267156d..b67a06a7 100644
--- a/backend/internal/service/gateway_service.go
+++ b/backend/internal/service/gateway_service.go
@@ -7598,6 +7598,7 @@ func (s *GatewayService) recordUsageCore(ctx context.Context, input *recordUsage
 				ImageOutputTokens:   result.Usage.ImageOutputTokens,
 			},
 			1, // requestCount
+			cost.TotalCost,
 		)
 	}
 
diff --git a/backend/internal/service/openai_gateway_service.go b/backend/internal/service/openai_gateway_service.go
index e060b981..9a6fbb8f 100644
--- a/backend/internal/service/openai_gateway_service.go
+++ b/backend/internal/service/openai_gateway_service.go
@@ -4582,7 +4582,7 @@ func (s *OpenAIGatewayService) RecordUsage(ctx context.Context, input *OpenAIRec
 		usageLog.AccountStatsCost = resolveAccountStatsCost(
 			ctx, s.channelService, s.billingService,
 			account.ID, *apiKey.GroupID, statsModel,
-			tokens, 1,
+			tokens, 1, cost.TotalCost,
 		)
 	}
 

From 2066c478ab3d408a67a05f98ca08e79c9d480b0c Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Mon, 13 Apr 2026 16:52:02 +0800
Subject: [PATCH 061/122] fix(frontend): quota notify UI improvements

- QuotaNotifyToggle: add $ or % suffix to threshold input based on type
- QuotaLimitCard: combine reset mode and notify toggle on same row
  to reduce vertical height for daily/weekly sections
- Remove redundant ml-4 indentation from QuotaNotifyToggle
---
 backend/cmd/server/VERSION                    |  2 +-
 .../src/components/account/QuotaLimitCard.vue | 74 +++++++++----------
 .../components/account/QuotaNotifyToggle.vue  | 32 ++++----
 3 files changed, 56 insertions(+), 52 deletions(-)

diff --git a/backend/cmd/server/VERSION b/backend/cmd/server/VERSION
index c74c5ae7..e52af706 100644
--- a/backend/cmd/server/VERSION
+++ b/backend/cmd/server/VERSION
@@ -1 +1 @@
-0.1.110.27
+0.1.110.28
diff --git a/frontend/src/components/account/QuotaLimitCard.vue b/frontend/src/components/account/QuotaLimitCard.vue
index 38ab6479..682f51aa 100644
--- a/frontend/src/components/account/QuotaLimitCard.vue
+++ b/frontend/src/components/account/QuotaLimitCard.vue
@@ -203,28 +203,28 @@ const onWeeklyModeChange = (e: Event) => {
               :placeholder="t('admin.accounts.quotaLimitPlaceholder')"
             />
           </div>
-          <!-- 日配额重置模式 -->
-          <div class="mt-2 flex items-center gap-2">
+          <!-- 日配额：重置方式 + 告警阈值同行 -->
+          <div class="mt-2 flex items-center gap-2 flex-wrap">
             <label class="text-xs text-gray-500 dark:text-gray-400 whitespace-nowrap">{{ t('admin.accounts.quotaResetMode') }}</label>
             <select
               :value="dailyResetMode || 'rolling'"
               @change="onDailyModeChange"
-              class="input py-1 text-xs"
+              class="input py-1 text-xs w-auto"
             >
               <option value="rolling">{{ t('admin.accounts.quotaResetModeRolling') }}</option>
               <option value="fixed">{{ t('admin.accounts.quotaResetModeFixed') }}</option>
             </select>
-          </div>
-          <!-- 固定模式：小时选择 -->
-          <div v-if="dailyResetMode === 'fixed'" class="mt-2 flex items-center gap-2">
-            <label class="text-xs text-gray-500 dark:text-gray-400 whitespace-nowrap">{{ t('admin.accounts.quotaResetHour') }}</label>
-            <select
-              :value="dailyResetHour ?? 0"
-              @change="emit('update:dailyResetHour', Number(($event.target as HTMLSelectElement).value))"
-              class="input py-1 text-xs w-24"
-            >
-              <option v-for="h in hourOptions" :key="h" :value="h">{{ String(h).padStart(2, '0') }}:00</option>
-            </select>
+            <!-- 固定模式：小时选择 -->
+            <template v-if="dailyResetMode === 'fixed'">
+              <label class="text-xs text-gray-500 dark:text-gray-400 whitespace-nowrap">{{ t('admin.accounts.quotaResetHour') }}</label>
+              <select
+                :value="dailyResetHour ?? 0"
+                @change="emit('update:dailyResetHour', Number(($event.target as HTMLSelectElement).value))"
+                class="input py-1 text-xs w-24"
+              >
+                <option v-for="h in hourOptions" :key="h" :value="h">{{ String(h).padStart(2, '0') }}:00</option>
+              </select>
+            </template>
           </div>
           <p class="input-hint">
             <template v-if="dailyResetMode === 'fixed'">
@@ -234,7 +234,6 @@ const onWeeklyModeChange = (e: Event) => {
               {{ t('admin.accounts.quotaDailyLimitHint') }}
             </template>
           </p>
-          <!-- 日配额告警 -->
           <QuotaNotifyToggle
             v-if="quotaNotifyGlobalEnabled && dailyLimit && dailyLimit > 0"
             :enabled="props.quotaNotifyDailyEnabled"
@@ -261,36 +260,36 @@ const onWeeklyModeChange = (e: Event) => {
               :placeholder="t('admin.accounts.quotaLimitPlaceholder')"
             />
           </div>
-          <!-- 周配额重置模式 -->
-          <div class="mt-2 flex items-center gap-2">
+          <!-- 周配额：重置方式 + 告警阈值同行 -->
+          <div class="mt-2 flex items-center gap-2 flex-wrap">
             <label class="text-xs text-gray-500 dark:text-gray-400 whitespace-nowrap">{{ t('admin.accounts.quotaResetMode') }}</label>
             <select
               :value="weeklyResetMode || 'rolling'"
               @change="onWeeklyModeChange"
-              class="input py-1 text-xs"
+              class="input py-1 text-xs w-auto"
             >
               <option value="rolling">{{ t('admin.accounts.quotaResetModeRolling') }}</option>
               <option value="fixed">{{ t('admin.accounts.quotaResetModeFixed') }}</option>
             </select>
-          </div>
-          <!-- 固定模式：星期几 + 小时 -->
-          <div v-if="weeklyResetMode === 'fixed'" class="mt-2 flex items-center gap-2 flex-wrap">
-            <label class="text-xs text-gray-500 dark:text-gray-400 whitespace-nowrap">{{ t('admin.accounts.quotaWeeklyResetDay') }}</label>
-            <select
-              :value="weeklyResetDay ?? 1"
-              @change="emit('update:weeklyResetDay', Number(($event.target as HTMLSelectElement).value))"
-              class="input py-1 text-xs w-28"
-            >
-              <option v-for="d in dayOptions" :key="d.value" :value="d.value">{{ t('admin.accounts.dayOfWeek.' + d.key) }}</option>
-            </select>
-            <label class="text-xs text-gray-500 dark:text-gray-400 whitespace-nowrap">{{ t('admin.accounts.quotaResetHour') }}</label>
-            <select
-              :value="weeklyResetHour ?? 0"
-              @change="emit('update:weeklyResetHour', Number(($event.target as HTMLSelectElement).value))"
-              class="input py-1 text-xs w-24"
-            >
-              <option v-for="h in hourOptions" :key="h" :value="h">{{ String(h).padStart(2, '0') }}:00</option>
-            </select>
+            <!-- 固定模式：星期几 + 小时 -->
+            <template v-if="weeklyResetMode === 'fixed'">
+              <label class="text-xs text-gray-500 dark:text-gray-400 whitespace-nowrap">{{ t('admin.accounts.quotaWeeklyResetDay') }}</label>
+              <select
+                :value="weeklyResetDay ?? 1"
+                @change="emit('update:weeklyResetDay', Number(($event.target as HTMLSelectElement).value))"
+                class="input py-1 text-xs w-28"
+              >
+                <option v-for="d in dayOptions" :key="d.value" :value="d.value">{{ t('admin.accounts.dayOfWeek.' + d.key) }}</option>
+              </select>
+              <label class="text-xs text-gray-500 dark:text-gray-400 whitespace-nowrap">{{ t('admin.accounts.quotaResetHour') }}</label>
+              <select
+                :value="weeklyResetHour ?? 0"
+                @change="emit('update:weeklyResetHour', Number(($event.target as HTMLSelectElement).value))"
+                class="input py-1 text-xs w-24"
+              >
+                <option v-for="h in hourOptions" :key="h" :value="h">{{ String(h).padStart(2, '0') }}:00</option>
+              </select>
+            </template>
           </div>
           <p class="input-hint">
             <template v-if="weeklyResetMode === 'fixed'">
@@ -300,7 +299,6 @@ const onWeeklyModeChange = (e: Event) => {
               {{ t('admin.accounts.quotaWeeklyLimitHint') }}
             </template>
           </p>
-          <!-- 周配额告警 -->
           <QuotaNotifyToggle
             v-if="quotaNotifyGlobalEnabled && weeklyLimit && weeklyLimit > 0"
             :enabled="props.quotaNotifyWeeklyEnabled"
diff --git a/frontend/src/components/account/QuotaNotifyToggle.vue b/frontend/src/components/account/QuotaNotifyToggle.vue
index b1c22fe2..c7583a01 100644
--- a/frontend/src/components/account/QuotaNotifyToggle.vue
+++ b/frontend/src/components/account/QuotaNotifyToggle.vue
@@ -21,7 +21,7 @@ function toggleType(current: string | null) {
 </script>
 
 <template>
-  <div class="ml-4 mt-2 flex items-center gap-3">
+  <div class="flex items-center gap-2">
     <label class="text-sm text-gray-500 whitespace-nowrap">{{ t('admin.accounts.quotaNotify.alert') }}</label>
     <button
       type="button"
@@ -38,7 +38,7 @@ function toggleType(current: string | null) {
         ]"
       />
     </button>
-    <div v-if="enabled" class="flex items-center gap-1 flex-1">
+    <template v-if="enabled">
       <button
         type="button"
         class="px-1.5 py-0.5 text-xs font-medium rounded border transition-colors"
@@ -55,16 +55,22 @@ function toggleType(current: string | null) {
       >
         %
       </button>
-      <input
-        :value="threshold"
-        @input="emit('update:threshold', parseFloat(($event.target as HTMLInputElement).value) || null)"
-        type="number"
-        min="0"
-        :max="thresholdType === 'percentage' ? 100 : undefined"
-        :step="thresholdType === 'percentage' ? 1 : 0.01"
-        class="input py-1 text-sm flex-1"
-        :placeholder="thresholdType === 'percentage' ? t('admin.accounts.quotaNotify.thresholdPlaceholder') : t('admin.accounts.quotaNotify.threshold')"
-      />
-    </div>
+      <div class="relative flex-1">
+        <input
+          :value="threshold"
+          @input="emit('update:threshold', parseFloat(($event.target as HTMLInputElement).value) || null)"
+          type="number"
+          min="0"
+          :max="thresholdType === 'percentage' ? 100 : undefined"
+          :step="thresholdType === 'percentage' ? 1 : 0.01"
+          class="input py-1 text-sm w-full"
+          :class="thresholdType === 'percentage' ? 'pr-7' : 'pr-7'"
+          :placeholder="thresholdType === 'percentage' ? t('admin.accounts.quotaNotify.thresholdPlaceholder') : t('admin.accounts.quotaNotify.threshold')"
+        />
+        <span class="absolute right-2.5 top-1/2 -translate-y-1/2 text-xs text-gray-400 pointer-events-none">
+          {{ thresholdType === 'percentage' ? '%' : '$' }}
+        </span>
+      </div>
+    </template>
   </div>
 </template>

From ac55443278327228c3f9f1f19045a55cfb9bdbce Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Mon, 13 Apr 2026 17:04:23 +0800
Subject: [PATCH 062/122] fix(frontend): collapsible quota card and compact
 notify layout

- QuotaLimitCard: add collapse/expand toggle (chevron icon + click header)
- QuotaNotifyToggle: show $ or % suffix in threshold input
- Reduce vertical spacing between reset mode hint and notify toggle
---
 backend/cmd/server/VERSION                    |  2 +-
 .../src/components/account/QuotaLimitCard.vue | 42 ++++++++++---------
 2 files changed, 24 insertions(+), 20 deletions(-)

diff --git a/backend/cmd/server/VERSION b/backend/cmd/server/VERSION
index e52af706..a7975f29 100644
--- a/backend/cmd/server/VERSION
+++ b/backend/cmd/server/VERSION
@@ -1 +1 @@
-0.1.110.28
+0.1.110.30
diff --git a/frontend/src/components/account/QuotaLimitCard.vue b/frontend/src/components/account/QuotaLimitCard.vue
index 682f51aa..832fee96 100644
--- a/frontend/src/components/account/QuotaLimitCard.vue
+++ b/frontend/src/components/account/QuotaLimitCard.vue
@@ -66,15 +66,17 @@ const enabled = computed(() =>
 )
 
 const localEnabled = ref(enabled.value)
+const collapsed = ref(false)
 
 // Sync when props change externally
 watch(enabled, (val) => {
   localEnabled.value = val
 })
 
-// When toggle is turned off, clear all values
+// When toggle is turned off, clear all values and expand
 watch(localEnabled, (val) => {
   if (!val) {
+    collapsed.value = false
     emit('update:totalLimit', null)
     emit('update:dailyLimit', null)
     emit('update:weeklyLimit', null)
@@ -162,13 +164,19 @@ const onWeeklyModeChange = (e: Event) => {
 </script>
 
 <template>
-  <div class="rounded-lg border border-gray-200 p-4 dark:border-dark-600">
-      <div class="mb-3 flex items-center justify-between">
-        <div>
-          <label class="input-label mb-0">{{ t('admin.accounts.quotaLimitToggle') }}</label>
-          <p class="mt-1 text-xs text-gray-500 dark:text-gray-400">
-            {{ t('admin.accounts.quotaLimitToggleHint') }}
-          </p>
+  <div class="rounded-lg border border-gray-200 dark:border-dark-600">
+      <!-- Header: toggle + collapse -->
+      <div class="flex items-center justify-between p-4" :class="{ 'pb-0': localEnabled && !collapsed }">
+        <div class="flex items-center gap-2 flex-1 cursor-pointer" @click="localEnabled && (collapsed = !collapsed)">
+          <svg v-if="localEnabled" class="h-4 w-4 text-gray-400 transition-transform" :class="{ '-rotate-90': collapsed }" viewBox="0 0 20 20" fill="currentColor">
+            <path fill-rule="evenodd" d="M5.23 7.21a.75.75 0 011.06.02L10 11.168l3.71-3.938a.75.75 0 111.08 1.04l-4.25 4.5a.75.75 0 01-1.08 0l-4.25-4.5a.75.75 0 01.02-1.06z" clip-rule="evenodd" />
+          </svg>
+          <div>
+            <label class="input-label mb-0 cursor-pointer">{{ t('admin.accounts.quotaLimitToggle') }}</label>
+            <p class="mt-0.5 text-xs text-gray-500 dark:text-gray-400">
+              {{ t('admin.accounts.quotaLimitToggleHint') }}
+            </p>
+          </div>
         </div>
         <button
           type="button"
@@ -187,7 +195,8 @@ const onWeeklyModeChange = (e: Event) => {
         </button>
       </div>
 
-      <div v-if="localEnabled" class="space-y-3">
+      <!-- Collapsible content -->
+      <div v-if="localEnabled && !collapsed" class="space-y-3 p-4 pt-3">
         <!-- 日配额 -->
         <div>
           <label class="input-label">{{ t('admin.accounts.quotaDailyLimit') }}</label>
@@ -203,8 +212,7 @@ const onWeeklyModeChange = (e: Event) => {
               :placeholder="t('admin.accounts.quotaLimitPlaceholder')"
             />
           </div>
-          <!-- 日配额：重置方式 + 告警阈值同行 -->
-          <div class="mt-2 flex items-center gap-2 flex-wrap">
+          <div class="mt-1.5 flex items-center gap-2 flex-wrap">
             <label class="text-xs text-gray-500 dark:text-gray-400 whitespace-nowrap">{{ t('admin.accounts.quotaResetMode') }}</label>
             <select
               :value="dailyResetMode || 'rolling'"
@@ -214,7 +222,6 @@ const onWeeklyModeChange = (e: Event) => {
               <option value="rolling">{{ t('admin.accounts.quotaResetModeRolling') }}</option>
               <option value="fixed">{{ t('admin.accounts.quotaResetModeFixed') }}</option>
             </select>
-            <!-- 固定模式：小时选择 -->
             <template v-if="dailyResetMode === 'fixed'">
               <label class="text-xs text-gray-500 dark:text-gray-400 whitespace-nowrap">{{ t('admin.accounts.quotaResetHour') }}</label>
               <select
@@ -226,7 +233,7 @@ const onWeeklyModeChange = (e: Event) => {
               </select>
             </template>
           </div>
-          <p class="input-hint">
+          <p class="input-hint mb-0">
             <template v-if="dailyResetMode === 'fixed'">
               {{ t('admin.accounts.quotaDailyLimitHintFixed', { hour: String(dailyResetHour ?? 0).padStart(2, '0'), timezone: resetTimezone || 'UTC' }) }}
             </template>
@@ -260,8 +267,7 @@ const onWeeklyModeChange = (e: Event) => {
               :placeholder="t('admin.accounts.quotaLimitPlaceholder')"
             />
           </div>
-          <!-- 周配额：重置方式 + 告警阈值同行 -->
-          <div class="mt-2 flex items-center gap-2 flex-wrap">
+          <div class="mt-1.5 flex items-center gap-2 flex-wrap">
             <label class="text-xs text-gray-500 dark:text-gray-400 whitespace-nowrap">{{ t('admin.accounts.quotaResetMode') }}</label>
             <select
               :value="weeklyResetMode || 'rolling'"
@@ -271,7 +277,6 @@ const onWeeklyModeChange = (e: Event) => {
               <option value="rolling">{{ t('admin.accounts.quotaResetModeRolling') }}</option>
               <option value="fixed">{{ t('admin.accounts.quotaResetModeFixed') }}</option>
             </select>
-            <!-- 固定模式：星期几 + 小时 -->
             <template v-if="weeklyResetMode === 'fixed'">
               <label class="text-xs text-gray-500 dark:text-gray-400 whitespace-nowrap">{{ t('admin.accounts.quotaWeeklyResetDay') }}</label>
               <select
@@ -291,7 +296,7 @@ const onWeeklyModeChange = (e: Event) => {
               </select>
             </template>
           </div>
-          <p class="input-hint">
+          <p class="input-hint mb-0">
             <template v-if="weeklyResetMode === 'fixed'">
               {{ t('admin.accounts.quotaWeeklyLimitHintFixed', { day: t('admin.accounts.dayOfWeek.' + (dayOptions.find(d => d.value === (weeklyResetDay ?? 1))?.key || 'monday')), hour: String(weeklyResetHour ?? 0).padStart(2, '0'), timezone: resetTimezone || 'UTC' }) }}
             </template>
@@ -337,8 +342,7 @@ const onWeeklyModeChange = (e: Event) => {
               :placeholder="t('admin.accounts.quotaLimitPlaceholder')"
             />
           </div>
-          <p class="input-hint">{{ t('admin.accounts.quotaTotalLimitHint') }}</p>
-          <!-- 总配额告警 -->
+          <p class="input-hint mb-0">{{ t('admin.accounts.quotaTotalLimitHint') }}</p>
           <QuotaNotifyToggle
             v-if="quotaNotifyGlobalEnabled && totalLimit && totalLimit > 0"
             :enabled="props.quotaNotifyTotalEnabled"

From 7141dceee25ac96fdb63f2527e35af2f0c09de8c Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Mon, 13 Apr 2026 17:12:20 +0800
Subject: [PATCH 063/122] fix(frontend): place quota notify toggle inline with
 limit input

Move QuotaNotifyToggle to the same row as the limit $ input for all
three dimensions (daily/weekly/total), significantly reducing card height.
---
 backend/cmd/server/VERSION                    |   2 +-
 .../src/components/account/QuotaLimitCard.vue | 123 ++++++++++--------
 2 files changed, 67 insertions(+), 58 deletions(-)

diff --git a/backend/cmd/server/VERSION b/backend/cmd/server/VERSION
index a7975f29..f0c65691 100644
--- a/backend/cmd/server/VERSION
+++ b/backend/cmd/server/VERSION
@@ -1 +1 @@
-0.1.110.30
+0.1.110.31
diff --git a/frontend/src/components/account/QuotaLimitCard.vue b/frontend/src/components/account/QuotaLimitCard.vue
index 832fee96..ab109a9a 100644
--- a/frontend/src/components/account/QuotaLimitCard.vue
+++ b/frontend/src/components/account/QuotaLimitCard.vue
@@ -200,16 +200,28 @@ const onWeeklyModeChange = (e: Event) => {
         <!-- 日配额 -->
         <div>
           <label class="input-label">{{ t('admin.accounts.quotaDailyLimit') }}</label>
-          <div class="relative">
-            <span class="absolute left-3 top-1/2 -translate-y-1/2 text-gray-500 dark:text-gray-400">$</span>
-            <input
-              :value="dailyLimit"
-              @input="onDailyInput"
-              type="number"
-              min="0"
-              step="0.01"
-              class="input pl-7"
-              :placeholder="t('admin.accounts.quotaLimitPlaceholder')"
+          <div class="flex items-start gap-2">
+            <div class="relative flex-1">
+              <span class="absolute left-3 top-1/2 -translate-y-1/2 text-gray-500 dark:text-gray-400">$</span>
+              <input
+                :value="dailyLimit"
+                @input="onDailyInput"
+                type="number"
+                min="0"
+                step="0.01"
+                class="input pl-7"
+                :placeholder="t('admin.accounts.quotaLimitPlaceholder')"
+              />
+            </div>
+            <QuotaNotifyToggle
+              v-if="quotaNotifyGlobalEnabled && dailyLimit && dailyLimit > 0"
+              class="flex-1"
+              :enabled="props.quotaNotifyDailyEnabled"
+              :threshold="props.quotaNotifyDailyThreshold"
+              :threshold-type="props.quotaNotifyDailyThresholdType"
+              @update:enabled="emit('update:quotaNotifyDailyEnabled', $event)"
+              @update:threshold="emit('update:quotaNotifyDailyThreshold', $event)"
+              @update:threshold-type="emit('update:quotaNotifyDailyThresholdType', $event)"
             />
           </div>
           <div class="mt-1.5 flex items-center gap-2 flex-wrap">
@@ -241,30 +253,33 @@ const onWeeklyModeChange = (e: Event) => {
               {{ t('admin.accounts.quotaDailyLimitHint') }}
             </template>
           </p>
-          <QuotaNotifyToggle
-            v-if="quotaNotifyGlobalEnabled && dailyLimit && dailyLimit > 0"
-            :enabled="props.quotaNotifyDailyEnabled"
-            :threshold="props.quotaNotifyDailyThreshold"
-            :threshold-type="props.quotaNotifyDailyThresholdType"
-            @update:enabled="emit('update:quotaNotifyDailyEnabled', $event)"
-            @update:threshold="emit('update:quotaNotifyDailyThreshold', $event)"
-            @update:threshold-type="emit('update:quotaNotifyDailyThresholdType', $event)"
-          />
         </div>
 
         <!-- 周配额 -->
         <div>
           <label class="input-label">{{ t('admin.accounts.quotaWeeklyLimit') }}</label>
-          <div class="relative">
-            <span class="absolute left-3 top-1/2 -translate-y-1/2 text-gray-500 dark:text-gray-400">$</span>
-            <input
-              :value="weeklyLimit"
-              @input="onWeeklyInput"
-              type="number"
-              min="0"
-              step="0.01"
-              class="input pl-7"
-              :placeholder="t('admin.accounts.quotaLimitPlaceholder')"
+          <div class="flex items-start gap-2">
+            <div class="relative flex-1">
+              <span class="absolute left-3 top-1/2 -translate-y-1/2 text-gray-500 dark:text-gray-400">$</span>
+              <input
+                :value="weeklyLimit"
+                @input="onWeeklyInput"
+                type="number"
+                min="0"
+                step="0.01"
+                class="input pl-7"
+                :placeholder="t('admin.accounts.quotaLimitPlaceholder')"
+              />
+            </div>
+            <QuotaNotifyToggle
+              v-if="quotaNotifyGlobalEnabled && weeklyLimit && weeklyLimit > 0"
+              class="flex-1"
+              :enabled="props.quotaNotifyWeeklyEnabled"
+              :threshold="props.quotaNotifyWeeklyThreshold"
+              :threshold-type="props.quotaNotifyWeeklyThresholdType"
+              @update:enabled="emit('update:quotaNotifyWeeklyEnabled', $event)"
+              @update:threshold="emit('update:quotaNotifyWeeklyThreshold', $event)"
+              @update:threshold-type="emit('update:quotaNotifyWeeklyThresholdType', $event)"
             />
           </div>
           <div class="mt-1.5 flex items-center gap-2 flex-wrap">
@@ -304,15 +319,6 @@ const onWeeklyModeChange = (e: Event) => {
               {{ t('admin.accounts.quotaWeeklyLimitHint') }}
             </template>
           </p>
-          <QuotaNotifyToggle
-            v-if="quotaNotifyGlobalEnabled && weeklyLimit && weeklyLimit > 0"
-            :enabled="props.quotaNotifyWeeklyEnabled"
-            :threshold="props.quotaNotifyWeeklyThreshold"
-            :threshold-type="props.quotaNotifyWeeklyThresholdType"
-            @update:enabled="emit('update:quotaNotifyWeeklyEnabled', $event)"
-            @update:threshold="emit('update:quotaNotifyWeeklyThreshold', $event)"
-            @update:threshold-type="emit('update:quotaNotifyWeeklyThresholdType', $event)"
-          />
         </div>
 
         <!-- 时区选择（当任一维度使用固定模式时显示） -->
@@ -330,28 +336,31 @@ const onWeeklyModeChange = (e: Event) => {
         <!-- 总配额 -->
         <div>
           <label class="input-label">{{ t('admin.accounts.quotaTotalLimit') }}</label>
-          <div class="relative">
-            <span class="absolute left-3 top-1/2 -translate-y-1/2 text-gray-500 dark:text-gray-400">$</span>
-            <input
-              :value="totalLimit"
-              @input="onTotalInput"
-              type="number"
-              min="0"
-              step="0.01"
-              class="input pl-7"
-              :placeholder="t('admin.accounts.quotaLimitPlaceholder')"
+          <div class="flex items-start gap-2">
+            <div class="relative flex-1">
+              <span class="absolute left-3 top-1/2 -translate-y-1/2 text-gray-500 dark:text-gray-400">$</span>
+              <input
+                :value="totalLimit"
+                @input="onTotalInput"
+                type="number"
+                min="0"
+                step="0.01"
+                class="input pl-7"
+                :placeholder="t('admin.accounts.quotaLimitPlaceholder')"
+              />
+            </div>
+            <QuotaNotifyToggle
+              v-if="quotaNotifyGlobalEnabled && totalLimit && totalLimit > 0"
+              class="flex-1"
+              :enabled="props.quotaNotifyTotalEnabled"
+              :threshold="props.quotaNotifyTotalThreshold"
+              :threshold-type="props.quotaNotifyTotalThresholdType"
+              @update:enabled="emit('update:quotaNotifyTotalEnabled', $event)"
+              @update:threshold="emit('update:quotaNotifyTotalThreshold', $event)"
+              @update:threshold-type="emit('update:quotaNotifyTotalThresholdType', $event)"
             />
           </div>
           <p class="input-hint mb-0">{{ t('admin.accounts.quotaTotalLimitHint') }}</p>
-          <QuotaNotifyToggle
-            v-if="quotaNotifyGlobalEnabled && totalLimit && totalLimit > 0"
-            :enabled="props.quotaNotifyTotalEnabled"
-            :threshold="props.quotaNotifyTotalThreshold"
-            :threshold-type="props.quotaNotifyTotalThresholdType"
-            @update:enabled="emit('update:quotaNotifyTotalEnabled', $event)"
-            @update:threshold="emit('update:quotaNotifyTotalThreshold', $event)"
-            @update:threshold-type="emit('update:quotaNotifyTotalThresholdType', $event)"
-          />
         </div>
       </div>
   </div>

From 216bda58da5f52cbffaa8deb79f9891184adc315 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Mon, 13 Apr 2026 17:38:33 +0800
Subject: [PATCH 064/122] fix: change quota notify threshold semantics to
 "remaining quota"
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Threshold now represents remaining quota instead of usage amount:
- Fixed ($): threshold=400, limit=1000 → alert when remaining drops to $400
  (i.e., usage reaches $600)
- Percentage (%): threshold=30%, limit=1000 → alert when remaining drops
  to 30% (i.e., usage reaches $700)

Also:
- Rename 告警阈值 → 提醒阈值 in i18n
- Widen type dropdown to w-16 for proper $ / % display
---
 backend/cmd/server/VERSION                    |  2 +-
 .../service/balance_notify_service.go         | 15 +++--
 .../components/account/QuotaNotifyToggle.vue  | 58 ++++++-------------
 frontend/src/i18n/locales/en.ts               |  2 +-
 frontend/src/i18n/locales/zh.ts               |  2 +-
 5 files changed, 30 insertions(+), 49 deletions(-)

diff --git a/backend/cmd/server/VERSION b/backend/cmd/server/VERSION
index f0c65691..01eddd22 100644
--- a/backend/cmd/server/VERSION
+++ b/backend/cmd/server/VERSION
@@ -1 +1 @@
-0.1.110.31
+0.1.110.34
diff --git a/backend/internal/service/balance_notify_service.go b/backend/internal/service/balance_notify_service.go
index a392a13e..f5abbacc 100644
--- a/backend/internal/service/balance_notify_service.go
+++ b/backend/internal/service/balance_notify_service.go
@@ -115,13 +115,18 @@ type quotaDim struct {
 	limit         float64
 }
 
-// resolvedThreshold returns the effective threshold value.
-// For percentage type, it computes threshold = limit * percentage / 100.
+// resolvedThreshold converts the user-facing "remaining" threshold into a usage-based trigger point.
+// The threshold represents how much quota REMAINS when the alert fires:
+//   - Fixed ($): threshold=400, limit=1000 → fires when usage reaches 600 (remaining drops to 400)
+//   - Percentage (%): threshold=30, limit=1000 → fires when usage reaches 700 (remaining drops to 30%)
 func (d quotaDim) resolvedThreshold() float64 {
-	if d.thresholdType == thresholdTypePercentage && d.limit > 0 {
-		return d.limit * d.threshold / 100
+	if d.limit <= 0 {
+		return 0
 	}
-	return d.threshold
+	if d.thresholdType == thresholdTypePercentage {
+		return d.limit * (1 - d.threshold/100)
+	}
+	return d.limit - d.threshold
 }
 
 // buildQuotaDims returns the three quota dimensions for notification checking.
diff --git a/frontend/src/components/account/QuotaNotifyToggle.vue b/frontend/src/components/account/QuotaNotifyToggle.vue
index c7583a01..23979638 100644
--- a/frontend/src/components/account/QuotaNotifyToggle.vue
+++ b/frontend/src/components/account/QuotaNotifyToggle.vue
@@ -1,8 +1,4 @@
 <script setup lang="ts">
-import { useI18n } from 'vue-i18n'
-
-const { t } = useI18n()
-
 defineProps<{
   enabled: boolean | null
   threshold: number | null
@@ -14,15 +10,10 @@ const emit = defineEmits<{
   'update:threshold': [value: number | null]
   'update:thresholdType': [value: string | null]
 }>()
-
-function toggleType(current: string | null) {
-  emit('update:thresholdType', current === 'percentage' ? 'fixed' : 'percentage')
-}
 </script>
 
 <template>
-  <div class="flex items-center gap-2">
-    <label class="text-sm text-gray-500 whitespace-nowrap">{{ t('admin.accounts.quotaNotify.alert') }}</label>
+  <div class="flex items-center gap-1.5">
     <button
       type="button"
       @click="emit('update:enabled', !enabled)"
@@ -39,38 +30,23 @@ function toggleType(current: string | null) {
       />
     </button>
     <template v-if="enabled">
-      <button
-        type="button"
-        class="px-1.5 py-0.5 text-xs font-medium rounded border transition-colors"
-        :class="(!thresholdType || thresholdType === 'fixed') ? 'bg-primary-100 text-primary-700 border-primary-300 dark:bg-primary-900/30 dark:text-primary-400 dark:border-primary-700' : 'bg-gray-100 text-gray-500 border-gray-200 dark:bg-dark-600 dark:text-gray-400 dark:border-dark-500'"
-        @click="toggleType(thresholdType)"
+      <input
+        :value="threshold"
+        @input="emit('update:threshold', parseFloat(($event.target as HTMLInputElement).value) || null)"
+        type="number"
+        min="0"
+        :max="thresholdType === 'percentage' ? 100 : undefined"
+        :step="thresholdType === 'percentage' ? 1 : 0.01"
+        class="input py-1 text-sm flex-1 min-w-0"
+      />
+      <select
+        :value="thresholdType || 'fixed'"
+        @change="emit('update:thresholdType', ($event.target as HTMLSelectElement).value)"
+        class="input py-1 text-xs w-16 flex-shrink-0 text-center"
       >
-        $
-      </button>
-      <button
-        type="button"
-        class="px-1.5 py-0.5 text-xs font-medium rounded border transition-colors"
-        :class="thresholdType === 'percentage' ? 'bg-primary-100 text-primary-700 border-primary-300 dark:bg-primary-900/30 dark:text-primary-400 dark:border-primary-700' : 'bg-gray-100 text-gray-500 border-gray-200 dark:bg-dark-600 dark:text-gray-400 dark:border-dark-500'"
-        @click="toggleType(thresholdType)"
-      >
-        %
-      </button>
-      <div class="relative flex-1">
-        <input
-          :value="threshold"
-          @input="emit('update:threshold', parseFloat(($event.target as HTMLInputElement).value) || null)"
-          type="number"
-          min="0"
-          :max="thresholdType === 'percentage' ? 100 : undefined"
-          :step="thresholdType === 'percentage' ? 1 : 0.01"
-          class="input py-1 text-sm w-full"
-          :class="thresholdType === 'percentage' ? 'pr-7' : 'pr-7'"
-          :placeholder="thresholdType === 'percentage' ? t('admin.accounts.quotaNotify.thresholdPlaceholder') : t('admin.accounts.quotaNotify.threshold')"
-        />
-        <span class="absolute right-2.5 top-1/2 -translate-y-1/2 text-xs text-gray-400 pointer-events-none">
-          {{ thresholdType === 'percentage' ? '%' : '$' }}
-        </span>
-      </div>
+        <option value="fixed">$</option>
+        <option value="percentage">%</option>
+      </select>
     </template>
   </div>
 </template>
diff --git a/frontend/src/i18n/locales/en.ts b/frontend/src/i18n/locales/en.ts
index 5c593946..dcbcf03c 100644
--- a/frontend/src/i18n/locales/en.ts
+++ b/frontend/src/i18n/locales/en.ts
@@ -2264,7 +2264,7 @@ export default {
       quotaLimitAmount: 'Total Limit',
       quotaLimitAmountHint: 'Cumulative spending limit. Does not auto-reset.',
       quotaNotify: {
-        alert: 'Alert Threshold',
+        alert: 'Alert',
         enabled: 'Enable Alert',
         threshold: 'Alert Amount',
         thresholdPlaceholder: 'Enter percentage',
diff --git a/frontend/src/i18n/locales/zh.ts b/frontend/src/i18n/locales/zh.ts
index 141193c1..6dc9311c 100644
--- a/frontend/src/i18n/locales/zh.ts
+++ b/frontend/src/i18n/locales/zh.ts
@@ -2262,7 +2262,7 @@ export default {
       quotaLimitAmount: '总限额',
       quotaLimitAmountHint: '累计消费上限，不会自动重置。',
       quotaNotify: {
-        alert: '告警阈值',
+        alert: '提醒阈值',
         enabled: '启用告警',
         threshold: '告警金额',
         thresholdPlaceholder: '输入百分比',

From e27335acdd1667c6ae5d35d1bc362412adb98b3f Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Mon, 13 Apr 2026 18:23:20 +0800
Subject: [PATCH 065/122] fix(ui): widen notify type dropdown to show % fully,
 align quota input widths

---
 backend/cmd/server/VERSION                    |   2 +-
 .../src/components/account/QuotaLimitCard.vue | 161 ++++++------------
 .../components/account/QuotaNotifyToggle.vue  |   2 +-
 3 files changed, 54 insertions(+), 111 deletions(-)

diff --git a/backend/cmd/server/VERSION b/backend/cmd/server/VERSION
index 01eddd22..0a81f94d 100644
--- a/backend/cmd/server/VERSION
+++ b/backend/cmd/server/VERSION
@@ -1 +1 @@
-0.1.110.34
+0.1.110.38
diff --git a/frontend/src/components/account/QuotaLimitCard.vue b/frontend/src/components/account/QuotaLimitCard.vue
index ab109a9a..9051b9be 100644
--- a/frontend/src/components/account/QuotaLimitCard.vue
+++ b/frontend/src/components/account/QuotaLimitCard.vue
@@ -196,171 +196,114 @@ const onWeeklyModeChange = (e: Event) => {
       </div>
 
       <!-- Collapsible content -->
-      <div v-if="localEnabled && !collapsed" class="space-y-3 p-4 pt-3">
+      <div v-if="localEnabled && !collapsed" class="space-y-2 p-4 pt-3">
         <!-- 日配额 -->
         <div>
-          <label class="input-label">{{ t('admin.accounts.quotaDailyLimit') }}</label>
-          <div class="flex items-start gap-2">
-            <div class="relative flex-1">
-              <span class="absolute left-3 top-1/2 -translate-y-1/2 text-gray-500 dark:text-gray-400">$</span>
-              <input
-                :value="dailyLimit"
-                @input="onDailyInput"
-                type="number"
-                min="0"
-                step="0.01"
-                class="input pl-7"
-                :placeholder="t('admin.accounts.quotaLimitPlaceholder')"
-              />
+          <!-- 标题行 -->
+          <div class="flex items-center gap-2 mb-1">
+            <span class="text-xs font-medium text-gray-700 dark:text-gray-300 w-28 flex-shrink-0">{{ t('admin.accounts.quotaDailyLimit') }}</span>
+            <span v-if="quotaNotifyGlobalEnabled && dailyLimit && dailyLimit > 0" class="text-xs font-medium text-gray-700 dark:text-gray-300">{{ t('admin.accounts.quotaNotify.alert') }}</span>
+          </div>
+          <!-- 输入行 -->
+          <div class="flex items-center gap-2">
+            <div class="relative w-28 flex-shrink-0">
+              <span class="absolute left-2.5 top-1/2 -translate-y-1/2 text-gray-500 dark:text-gray-400 text-sm">$</span>
+              <input :value="dailyLimit" @input="onDailyInput" type="number" min="0" step="0.01" class="input pl-6 py-1.5 text-sm" :placeholder="t('admin.accounts.quotaLimitPlaceholder')" />
             </div>
             <QuotaNotifyToggle
               v-if="quotaNotifyGlobalEnabled && dailyLimit && dailyLimit > 0"
-              class="flex-1"
-              :enabled="props.quotaNotifyDailyEnabled"
-              :threshold="props.quotaNotifyDailyThreshold"
-              :threshold-type="props.quotaNotifyDailyThresholdType"
-              @update:enabled="emit('update:quotaNotifyDailyEnabled', $event)"
-              @update:threshold="emit('update:quotaNotifyDailyThreshold', $event)"
-              @update:threshold-type="emit('update:quotaNotifyDailyThresholdType', $event)"
+              class="flex-1 min-w-0"
+              :enabled="props.quotaNotifyDailyEnabled" :threshold="props.quotaNotifyDailyThreshold" :threshold-type="props.quotaNotifyDailyThresholdType"
+              @update:enabled="emit('update:quotaNotifyDailyEnabled', $event)" @update:threshold="emit('update:quotaNotifyDailyThreshold', $event)" @update:threshold-type="emit('update:quotaNotifyDailyThresholdType', $event)"
             />
           </div>
-          <div class="mt-1.5 flex items-center gap-2 flex-wrap">
+          <div class="mt-1 flex items-center gap-2 flex-wrap">
             <label class="text-xs text-gray-500 dark:text-gray-400 whitespace-nowrap">{{ t('admin.accounts.quotaResetMode') }}</label>
-            <select
-              :value="dailyResetMode || 'rolling'"
-              @change="onDailyModeChange"
-              class="input py-1 text-xs w-auto"
-            >
+            <select :value="dailyResetMode || 'rolling'" @change="onDailyModeChange" class="input py-1 text-xs w-auto">
               <option value="rolling">{{ t('admin.accounts.quotaResetModeRolling') }}</option>
               <option value="fixed">{{ t('admin.accounts.quotaResetModeFixed') }}</option>
             </select>
             <template v-if="dailyResetMode === 'fixed'">
               <label class="text-xs text-gray-500 dark:text-gray-400 whitespace-nowrap">{{ t('admin.accounts.quotaResetHour') }}</label>
-              <select
-                :value="dailyResetHour ?? 0"
-                @change="emit('update:dailyResetHour', Number(($event.target as HTMLSelectElement).value))"
-                class="input py-1 text-xs w-24"
-              >
+              <select :value="dailyResetHour ?? 0" @change="emit('update:dailyResetHour', Number(($event.target as HTMLSelectElement).value))" class="input py-1 text-xs w-24">
                 <option v-for="h in hourOptions" :key="h" :value="h">{{ String(h).padStart(2, '0') }}:00</option>
               </select>
             </template>
           </div>
-          <p class="input-hint mb-0">
-            <template v-if="dailyResetMode === 'fixed'">
-              {{ t('admin.accounts.quotaDailyLimitHintFixed', { hour: String(dailyResetHour ?? 0).padStart(2, '0'), timezone: resetTimezone || 'UTC' }) }}
-            </template>
-            <template v-else>
-              {{ t('admin.accounts.quotaDailyLimitHint') }}
-            </template>
+          <p class="input-hint mb-0 text-[11px]">
+            <template v-if="dailyResetMode === 'fixed'">{{ t('admin.accounts.quotaDailyLimitHintFixed', { hour: String(dailyResetHour ?? 0).padStart(2, '0'), timezone: resetTimezone || 'UTC' }) }}</template>
+            <template v-else>{{ t('admin.accounts.quotaDailyLimitHint') }}</template>
           </p>
         </div>
 
         <!-- 周配额 -->
         <div>
-          <label class="input-label">{{ t('admin.accounts.quotaWeeklyLimit') }}</label>
-          <div class="flex items-start gap-2">
-            <div class="relative flex-1">
-              <span class="absolute left-3 top-1/2 -translate-y-1/2 text-gray-500 dark:text-gray-400">$</span>
-              <input
-                :value="weeklyLimit"
-                @input="onWeeklyInput"
-                type="number"
-                min="0"
-                step="0.01"
-                class="input pl-7"
-                :placeholder="t('admin.accounts.quotaLimitPlaceholder')"
-              />
+          <div class="flex items-center gap-2 mb-1">
+            <span class="text-xs font-medium text-gray-700 dark:text-gray-300 w-28 flex-shrink-0">{{ t('admin.accounts.quotaWeeklyLimit') }}</span>
+            <span v-if="quotaNotifyGlobalEnabled && weeklyLimit && weeklyLimit > 0" class="text-xs font-medium text-gray-700 dark:text-gray-300">{{ t('admin.accounts.quotaNotify.alert') }}</span>
+          </div>
+          <div class="flex items-center gap-2">
+            <div class="relative w-28 flex-shrink-0">
+              <span class="absolute left-2.5 top-1/2 -translate-y-1/2 text-gray-500 dark:text-gray-400 text-sm">$</span>
+              <input :value="weeklyLimit" @input="onWeeklyInput" type="number" min="0" step="0.01" class="input pl-6 py-1.5 text-sm" :placeholder="t('admin.accounts.quotaLimitPlaceholder')" />
             </div>
             <QuotaNotifyToggle
               v-if="quotaNotifyGlobalEnabled && weeklyLimit && weeklyLimit > 0"
-              class="flex-1"
-              :enabled="props.quotaNotifyWeeklyEnabled"
-              :threshold="props.quotaNotifyWeeklyThreshold"
-              :threshold-type="props.quotaNotifyWeeklyThresholdType"
-              @update:enabled="emit('update:quotaNotifyWeeklyEnabled', $event)"
-              @update:threshold="emit('update:quotaNotifyWeeklyThreshold', $event)"
-              @update:threshold-type="emit('update:quotaNotifyWeeklyThresholdType', $event)"
+              class="flex-1 min-w-0"
+              :enabled="props.quotaNotifyWeeklyEnabled" :threshold="props.quotaNotifyWeeklyThreshold" :threshold-type="props.quotaNotifyWeeklyThresholdType"
+              @update:enabled="emit('update:quotaNotifyWeeklyEnabled', $event)" @update:threshold="emit('update:quotaNotifyWeeklyThreshold', $event)" @update:threshold-type="emit('update:quotaNotifyWeeklyThresholdType', $event)"
             />
           </div>
-          <div class="mt-1.5 flex items-center gap-2 flex-wrap">
+          <div class="mt-1 flex items-center gap-2 flex-wrap">
             <label class="text-xs text-gray-500 dark:text-gray-400 whitespace-nowrap">{{ t('admin.accounts.quotaResetMode') }}</label>
-            <select
-              :value="weeklyResetMode || 'rolling'"
-              @change="onWeeklyModeChange"
-              class="input py-1 text-xs w-auto"
-            >
+            <select :value="weeklyResetMode || 'rolling'" @change="onWeeklyModeChange" class="input py-1 text-xs w-auto">
               <option value="rolling">{{ t('admin.accounts.quotaResetModeRolling') }}</option>
               <option value="fixed">{{ t('admin.accounts.quotaResetModeFixed') }}</option>
             </select>
             <template v-if="weeklyResetMode === 'fixed'">
               <label class="text-xs text-gray-500 dark:text-gray-400 whitespace-nowrap">{{ t('admin.accounts.quotaWeeklyResetDay') }}</label>
-              <select
-                :value="weeklyResetDay ?? 1"
-                @change="emit('update:weeklyResetDay', Number(($event.target as HTMLSelectElement).value))"
-                class="input py-1 text-xs w-28"
-              >
+              <select :value="weeklyResetDay ?? 1" @change="emit('update:weeklyResetDay', Number(($event.target as HTMLSelectElement).value))" class="input py-1 text-xs w-28">
                 <option v-for="d in dayOptions" :key="d.value" :value="d.value">{{ t('admin.accounts.dayOfWeek.' + d.key) }}</option>
               </select>
               <label class="text-xs text-gray-500 dark:text-gray-400 whitespace-nowrap">{{ t('admin.accounts.quotaResetHour') }}</label>
-              <select
-                :value="weeklyResetHour ?? 0"
-                @change="emit('update:weeklyResetHour', Number(($event.target as HTMLSelectElement).value))"
-                class="input py-1 text-xs w-24"
-              >
+              <select :value="weeklyResetHour ?? 0" @change="emit('update:weeklyResetHour', Number(($event.target as HTMLSelectElement).value))" class="input py-1 text-xs w-24">
                 <option v-for="h in hourOptions" :key="h" :value="h">{{ String(h).padStart(2, '0') }}:00</option>
               </select>
             </template>
           </div>
-          <p class="input-hint mb-0">
-            <template v-if="weeklyResetMode === 'fixed'">
-              {{ t('admin.accounts.quotaWeeklyLimitHintFixed', { day: t('admin.accounts.dayOfWeek.' + (dayOptions.find(d => d.value === (weeklyResetDay ?? 1))?.key || 'monday')), hour: String(weeklyResetHour ?? 0).padStart(2, '0'), timezone: resetTimezone || 'UTC' }) }}
-            </template>
-            <template v-else>
-              {{ t('admin.accounts.quotaWeeklyLimitHint') }}
-            </template>
+          <p class="input-hint mb-0 text-[11px]">
+            <template v-if="weeklyResetMode === 'fixed'">{{ t('admin.accounts.quotaWeeklyLimitHintFixed', { day: t('admin.accounts.dayOfWeek.' + (dayOptions.find(d => d.value === (weeklyResetDay ?? 1))?.key || 'monday')), hour: String(weeklyResetHour ?? 0).padStart(2, '0'), timezone: resetTimezone || 'UTC' }) }}</template>
+            <template v-else>{{ t('admin.accounts.quotaWeeklyLimitHint') }}</template>
           </p>
         </div>
 
-        <!-- 时区选择（当任一维度使用固定模式时显示） -->
+        <!-- 时区选择 -->
         <div v-if="hasFixedMode">
           <label class="input-label">{{ t('admin.accounts.quotaResetTimezone') }}</label>
-          <select
-            :value="resetTimezone || 'UTC'"
-            @change="emit('update:resetTimezone', ($event.target as HTMLSelectElement).value)"
-            class="input text-sm"
-          >
+          <select :value="resetTimezone || 'UTC'" @change="emit('update:resetTimezone', ($event.target as HTMLSelectElement).value)" class="input text-sm">
             <option v-for="tz in timezoneOptions" :key="tz" :value="tz">{{ tz }}</option>
           </select>
         </div>
 
         <!-- 总配额 -->
         <div>
-          <label class="input-label">{{ t('admin.accounts.quotaTotalLimit') }}</label>
-          <div class="flex items-start gap-2">
-            <div class="relative flex-1">
-              <span class="absolute left-3 top-1/2 -translate-y-1/2 text-gray-500 dark:text-gray-400">$</span>
-              <input
-                :value="totalLimit"
-                @input="onTotalInput"
-                type="number"
-                min="0"
-                step="0.01"
-                class="input pl-7"
-                :placeholder="t('admin.accounts.quotaLimitPlaceholder')"
-              />
+          <div class="flex items-center gap-2 mb-1">
+            <span class="text-xs font-medium text-gray-700 dark:text-gray-300 w-28 flex-shrink-0">{{ t('admin.accounts.quotaTotalLimit') }}</span>
+            <span v-if="quotaNotifyGlobalEnabled && totalLimit && totalLimit > 0" class="text-xs font-medium text-gray-700 dark:text-gray-300">{{ t('admin.accounts.quotaNotify.alert') }}</span>
+          </div>
+          <div class="flex items-center gap-2">
+            <div class="relative w-28 flex-shrink-0">
+              <span class="absolute left-2.5 top-1/2 -translate-y-1/2 text-gray-500 dark:text-gray-400 text-sm">$</span>
+              <input :value="totalLimit" @input="onTotalInput" type="number" min="0" step="0.01" class="input pl-6 py-1.5 text-sm" :placeholder="t('admin.accounts.quotaLimitPlaceholder')" />
             </div>
             <QuotaNotifyToggle
               v-if="quotaNotifyGlobalEnabled && totalLimit && totalLimit > 0"
-              class="flex-1"
-              :enabled="props.quotaNotifyTotalEnabled"
-              :threshold="props.quotaNotifyTotalThreshold"
-              :threshold-type="props.quotaNotifyTotalThresholdType"
-              @update:enabled="emit('update:quotaNotifyTotalEnabled', $event)"
-              @update:threshold="emit('update:quotaNotifyTotalThreshold', $event)"
-              @update:threshold-type="emit('update:quotaNotifyTotalThresholdType', $event)"
+              class="flex-1 min-w-0"
+              :enabled="props.quotaNotifyTotalEnabled" :threshold="props.quotaNotifyTotalThreshold" :threshold-type="props.quotaNotifyTotalThresholdType"
+              @update:enabled="emit('update:quotaNotifyTotalEnabled', $event)" @update:threshold="emit('update:quotaNotifyTotalThreshold', $event)" @update:threshold-type="emit('update:quotaNotifyTotalThresholdType', $event)"
             />
           </div>
-          <p class="input-hint mb-0">{{ t('admin.accounts.quotaTotalLimitHint') }}</p>
+          <p class="input-hint mb-0 text-[11px]">{{ t('admin.accounts.quotaTotalLimitHint') }}</p>
         </div>
       </div>
   </div>
diff --git a/frontend/src/components/account/QuotaNotifyToggle.vue b/frontend/src/components/account/QuotaNotifyToggle.vue
index 23979638..0548f661 100644
--- a/frontend/src/components/account/QuotaNotifyToggle.vue
+++ b/frontend/src/components/account/QuotaNotifyToggle.vue
@@ -42,7 +42,7 @@ const emit = defineEmits<{
       <select
         :value="thresholdType || 'fixed'"
         @change="emit('update:thresholdType', ($event.target as HTMLSelectElement).value)"
-        class="input py-1 text-xs w-16 flex-shrink-0 text-center"
+        class="input py-1 text-xs w-[4.5rem] flex-shrink-0 text-center"
       >
         <option value="fixed">$</option>
         <option value="percentage">%</option>

From c1eb79e4badcf0662a314b28a03e0f7d3449f61a Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Mon, 13 Apr 2026 18:39:45 +0800
Subject: [PATCH 066/122] feat(notify): add platform/ID to quota alert email,
 add recharge URL to balance alert

- Quota alert email now shows account ID and platform
- Balance low email includes a "Top Up Now" button when recharge URL is configured
- New setting: balance_low_notify_recharge_url in admin settings
---
 backend/cmd/server/VERSION                    |   2 +-
 .../internal/handler/admin/setting_handler.go |  11 +-
 backend/internal/handler/dto/settings.go      |   8 +-
 .../service/balance_notify_service.go         | 113 ++++++++++++++----
 backend/internal/service/domain_constants.go  |   5 +-
 backend/internal/service/setting_service.go   |   6 +
 backend/internal/service/settings_view.go     |   6 +-
 frontend/src/api/admin/settings.ts            |   2 +
 frontend/src/i18n/locales/en.ts               |   3 +
 frontend/src/i18n/locales/zh.ts               |   3 +
 frontend/src/views/admin/SettingsView.vue     |   7 ++
 11 files changed, 136 insertions(+), 30 deletions(-)

diff --git a/backend/cmd/server/VERSION b/backend/cmd/server/VERSION
index 0a81f94d..ee13da53 100644
--- a/backend/cmd/server/VERSION
+++ b/backend/cmd/server/VERSION
@@ -1 +1 @@
-0.1.110.38
+0.1.110.39
diff --git a/backend/internal/handler/admin/setting_handler.go b/backend/internal/handler/admin/setting_handler.go
index 58081273..e31eb134 100644
--- a/backend/internal/handler/admin/setting_handler.go
+++ b/backend/internal/handler/admin/setting_handler.go
@@ -310,8 +310,9 @@ type UpdateSettingsRequest struct {
 	EnableCCHSigning             *bool `json:"enable_cch_signing"`
 
 	// Balance low notification
-	BalanceLowNotifyEnabled   *bool     `json:"balance_low_notify_enabled"`
-	BalanceLowNotifyThreshold *float64  `json:"balance_low_notify_threshold"`
+	BalanceLowNotifyEnabled      *bool     `json:"balance_low_notify_enabled"`
+	BalanceLowNotifyThreshold    *float64  `json:"balance_low_notify_threshold"`
+	BalanceLowNotifyRechargeURL  *string   `json:"balance_low_notify_recharge_url"`
 	AccountQuotaNotifyEnabled *bool     `json:"account_quota_notify_enabled"`
 	AccountQuotaNotifyEmails  *[]dto.NotifyEmailEntry `json:"account_quota_notify_emails"`
 
@@ -904,6 +905,12 @@ func (h *SettingHandler) UpdateSettings(c *gin.Context) {
 			}
 			return previousSettings.BalanceLowNotifyThreshold
 		}(),
+		BalanceLowNotifyRechargeURL: func() string {
+			if req.BalanceLowNotifyRechargeURL != nil {
+				return *req.BalanceLowNotifyRechargeURL
+			}
+			return previousSettings.BalanceLowNotifyRechargeURL
+		}(),
 		AccountQuotaNotifyEnabled: func() bool {
 			if req.AccountQuotaNotifyEnabled != nil {
 				return *req.AccountQuotaNotifyEnabled
diff --git a/backend/internal/handler/dto/settings.go b/backend/internal/handler/dto/settings.go
index 6c99208f..d218490a 100644
--- a/backend/internal/handler/dto/settings.go
+++ b/backend/internal/handler/dto/settings.go
@@ -150,9 +150,10 @@ type SystemSettings struct {
 	PaymentCancelRateLimitMode    string `json:"payment_cancel_rate_limit_window_mode"`
 
 	// Balance low notification
-	BalanceLowNotifyEnabled   bool     `json:"balance_low_notify_enabled"`
-	BalanceLowNotifyThreshold float64  `json:"balance_low_notify_threshold"`
-	AccountQuotaNotifyEnabled bool     `json:"account_quota_notify_enabled"`
+	BalanceLowNotifyEnabled      bool     `json:"balance_low_notify_enabled"`
+	BalanceLowNotifyThreshold    float64  `json:"balance_low_notify_threshold"`
+	BalanceLowNotifyRechargeURL  string   `json:"balance_low_notify_recharge_url"`
+	AccountQuotaNotifyEnabled    bool     `json:"account_quota_notify_enabled"`
 	AccountQuotaNotifyEmails  []NotifyEmailEntry `json:"account_quota_notify_emails"`
 }
 
@@ -195,6 +196,7 @@ type PublicSettings struct {
 	BalanceLowNotifyEnabled          bool             `json:"balance_low_notify_enabled"`
 	AccountQuotaNotifyEnabled        bool             `json:"account_quota_notify_enabled"`
 	BalanceLowNotifyThreshold        float64          `json:"balance_low_notify_threshold"`
+	BalanceLowNotifyRechargeURL      string           `json:"balance_low_notify_recharge_url"`
 }
 
 // OverloadCooldownSettings 529过载冷却配置 DTO
diff --git a/backend/internal/service/balance_notify_service.go b/backend/internal/service/balance_notify_service.go
index f5abbacc..3951e88f 100644
--- a/backend/internal/service/balance_notify_service.go
+++ b/backend/internal/service/balance_notify_service.go
@@ -65,14 +65,21 @@ func resolveBalanceThreshold(threshold float64, thresholdType string, totalRecha
 // Notification is sent only on first crossing: oldBalance >= threshold && newBalance < threshold.
 func (s *BalanceNotifyService) CheckBalanceAfterDeduction(ctx context.Context, user *User, oldBalance, cost float64) {
 	if user == nil || s.emailService == nil || s.settingRepo == nil {
+		slog.Debug("CheckBalanceAfterDeduction: skipped (nil check)",
+			"user_nil", user == nil,
+			"email_svc_nil", s.emailService == nil,
+			"setting_repo_nil", s.settingRepo == nil,
+		)
 		return
 	}
 	if !user.BalanceNotifyEnabled {
+		slog.Debug("CheckBalanceAfterDeduction: user notify disabled", "user_id", user.ID)
 		return
 	}
 
-	globalEnabled, globalThreshold := s.getBalanceNotifyConfig(ctx)
+	globalEnabled, globalThreshold, rechargeURL := s.getBalanceNotifyConfig(ctx)
 	if !globalEnabled {
+		slog.Info("CheckBalanceAfterDeduction: global notify disabled", "user_id", user.ID)
 		return
 	}
 
@@ -82,25 +89,40 @@ func (s *BalanceNotifyService) CheckBalanceAfterDeduction(ctx context.Context, u
 		threshold = *user.BalanceNotifyThreshold
 	}
 	if threshold <= 0 {
+		slog.Debug("CheckBalanceAfterDeduction: threshold <= 0", "user_id", user.ID, "threshold", threshold)
 		return
 	}
 
 	effectiveThreshold := resolveBalanceThreshold(threshold, user.BalanceNotifyThresholdType, user.TotalRecharged)
 	if effectiveThreshold <= 0 {
+		slog.Debug("CheckBalanceAfterDeduction: effective threshold <= 0", "user_id", user.ID)
 		return
 	}
 
 	newBalance := oldBalance - cost
+	slog.Info("CheckBalanceAfterDeduction: crossing check",
+		"user_id", user.ID,
+		"old_balance", oldBalance,
+		"new_balance", newBalance,
+		"effective_threshold", effectiveThreshold,
+		"crossed", oldBalance >= effectiveThreshold && newBalance < effectiveThreshold,
+	)
 	if oldBalance >= effectiveThreshold && newBalance < effectiveThreshold {
 		siteName := s.getSiteName(ctx)
 		recipients := s.collectBalanceNotifyRecipients(user)
+		slog.Info("CheckBalanceAfterDeduction: sending notification",
+			"user_id", user.ID,
+			"recipients", recipients,
+			"new_balance", newBalance,
+			"threshold", effectiveThreshold,
+		)
 		go func() {
 			defer func() {
 				if r := recover(); r != nil {
 					slog.Error("panic in balance notification", "recover", r)
 				}
 			}()
-			s.sendBalanceLowEmails(recipients, user.Username, user.Email, newBalance, effectiveThreshold, siteName)
+			s.sendBalanceLowEmails(recipients, user.Username, user.Email, newBalance, effectiveThreshold, siteName, rechargeURL)
 		}()
 	}
 }
@@ -139,8 +161,9 @@ func buildQuotaDims(account *Account) []quotaDim {
 }
 
 // CheckAccountQuotaAfterIncrement checks if any quota dimension crossed above its notify threshold.
-// It fetches real-time quota usage from DB to avoid stale snapshot values.
-func (s *BalanceNotifyService) CheckAccountQuotaAfterIncrement(ctx context.Context, account *Account, cost float64) {
+// When quotaState is non-nil (from DB transaction RETURNING), it is used directly for threshold
+// checking, avoiding a separate DB read. Otherwise it falls back to fetching fresh account data.
+func (s *BalanceNotifyService) CheckAccountQuotaAfterIncrement(ctx context.Context, account *Account, cost float64, quotaState *AccountQuotaState) {
 	if account == nil || s.emailService == nil || s.settingRepo == nil || cost <= 0 {
 		return
 	}
@@ -152,8 +175,13 @@ func (s *BalanceNotifyService) CheckAccountQuotaAfterIncrement(ctx context.Conte
 		return
 	}
 
-	freshAccount := s.fetchFreshAccount(ctx, account)
 	siteName := s.getSiteName(ctx)
+	if quotaState != nil {
+		s.checkQuotaDimCrossingsFromState(account, quotaState, cost, adminEmails, siteName)
+		return
+	}
+
+	freshAccount := s.fetchFreshAccount(ctx, account)
 	s.checkQuotaDimCrossings(freshAccount, cost, adminEmails, siteName)
 }
 
@@ -187,29 +215,58 @@ func (s *BalanceNotifyService) checkQuotaDimCrossings(freshAccount *Account, cos
 		newUsed := dim.currentUsed
 		oldUsed := dim.currentUsed - cost
 		if oldUsed < effectiveThreshold && newUsed >= effectiveThreshold {
-			s.asyncSendQuotaAlert(adminEmails, freshAccount.Name, dim, newUsed, effectiveThreshold, siteName)
+			s.asyncSendQuotaAlert(adminEmails, freshAccount.ID, freshAccount.Name, freshAccount.Platform, dim, newUsed, effectiveThreshold, siteName)
+		}
+	}
+}
+
+// buildQuotaDimsFromState builds quota dimensions using DB transaction state instead of account snapshot.
+// Notification settings (enabled, threshold, thresholdType) come from the account; usage values from quotaState.
+func buildQuotaDimsFromState(account *Account, state *AccountQuotaState) []quotaDim {
+	return []quotaDim{
+		{quotaDimDaily, account.GetQuotaNotifyDailyEnabled(), account.GetQuotaNotifyDailyThreshold(), account.GetQuotaNotifyDailyThresholdType(), state.DailyUsed, state.DailyLimit},
+		{quotaDimWeekly, account.GetQuotaNotifyWeeklyEnabled(), account.GetQuotaNotifyWeeklyThreshold(), account.GetQuotaNotifyWeeklyThresholdType(), state.WeeklyUsed, state.WeeklyLimit},
+		{quotaDimTotal, account.GetQuotaNotifyTotalEnabled(), account.GetQuotaNotifyTotalThreshold(), account.GetQuotaNotifyTotalThresholdType(), state.TotalUsed, state.TotalLimit},
+	}
+}
+
+// checkQuotaDimCrossingsFromState checks threshold crossings using DB transaction quota state.
+// This avoids a separate DB read and ensures the values are consistent with the atomic increment.
+func (s *BalanceNotifyService) checkQuotaDimCrossingsFromState(account *Account, state *AccountQuotaState, cost float64, adminEmails []string, siteName string) {
+	for _, dim := range buildQuotaDimsFromState(account, state) {
+		if !dim.enabled || dim.threshold <= 0 {
+			continue
+		}
+		effectiveThreshold := dim.resolvedThreshold()
+		if effectiveThreshold <= 0 {
+			continue
+		}
+		newUsed := dim.currentUsed
+		oldUsed := dim.currentUsed - cost
+		if oldUsed < effectiveThreshold && newUsed >= effectiveThreshold {
+			s.asyncSendQuotaAlert(adminEmails, account.ID, account.Name, account.Platform, dim, newUsed, effectiveThreshold, siteName)
 		}
 	}
 }
 
 // asyncSendQuotaAlert sends quota alert email in a goroutine with panic recovery.
-func (s *BalanceNotifyService) asyncSendQuotaAlert(adminEmails []string, accountName string, dim quotaDim, newUsed, effectiveThreshold float64, siteName string) {
+func (s *BalanceNotifyService) asyncSendQuotaAlert(adminEmails []string, accountID int64, accountName, platform string, dim quotaDim, newUsed, effectiveThreshold float64, siteName string) {
 	go func() {
 		defer func() {
 			if r := recover(); r != nil {
 				slog.Error("panic in quota notification", "recover", r)
 			}
 		}()
-		s.sendQuotaAlertEmails(adminEmails, accountName, dim.name, newUsed, dim.limit, effectiveThreshold, siteName)
+		s.sendQuotaAlertEmails(adminEmails, accountID, accountName, platform, dim.name, newUsed, dim.limit, effectiveThreshold, siteName)
 	}()
 }
 
 // getBalanceNotifyConfig reads global balance notification settings.
-func (s *BalanceNotifyService) getBalanceNotifyConfig(ctx context.Context) (enabled bool, threshold float64) {
-	keys := []string{SettingKeyBalanceLowNotifyEnabled, SettingKeyBalanceLowNotifyThreshold}
+func (s *BalanceNotifyService) getBalanceNotifyConfig(ctx context.Context) (enabled bool, threshold float64, rechargeURL string) {
+	keys := []string{SettingKeyBalanceLowNotifyEnabled, SettingKeyBalanceLowNotifyThreshold, SettingKeyBalanceLowNotifyRechargeURL}
 	settings, err := s.settingRepo.GetMultiple(ctx, keys)
 	if err != nil {
-		return false, 0
+		return false, 0, ""
 	}
 	enabled = settings[SettingKeyBalanceLowNotifyEnabled] == "true"
 	if v := settings[SettingKeyBalanceLowNotifyThreshold]; v != "" {
@@ -217,6 +274,7 @@ func (s *BalanceNotifyService) getBalanceNotifyConfig(ctx context.Context) (enab
 			threshold = f
 		}
 	}
+	rechargeURL = settings[SettingKeyBalanceLowNotifyRechargeURL]
 	return
 }
 
@@ -298,36 +356,42 @@ func (s *BalanceNotifyService) collectBalanceNotifyRecipients(user *User) []stri
 
 // sendEmails sends an email to all recipients with shared timeout and error logging.
 func (s *BalanceNotifyService) sendEmails(recipients []string, subject, body string, logAttrs ...any) {
+	if len(recipients) == 0 {
+		slog.Warn("sendEmails: no recipients", "subject", subject)
+		return
+	}
 	for _, to := range recipients {
 		ctx, cancel := context.WithTimeout(context.Background(), emailSendTimeout)
 		if err := s.emailService.SendEmail(ctx, to, subject, body); err != nil {
 			attrs := append([]any{"to", to, "error", err}, logAttrs...)
 			slog.Error("failed to send notification", attrs...)
+		} else {
+			slog.Info("notification email sent successfully", "to", to, "subject", subject)
 		}
 		cancel()
 	}
 }
 
 // sendBalanceLowEmails sends balance low notification to all recipients.
-func (s *BalanceNotifyService) sendBalanceLowEmails(recipients []string, userName, userEmail string, balance, threshold float64, siteName string) {
+func (s *BalanceNotifyService) sendBalanceLowEmails(recipients []string, userName, userEmail string, balance, threshold float64, siteName, rechargeURL string) {
 	displayName := userName
 	if displayName == "" {
 		displayName = userEmail
 	}
 	subject := fmt.Sprintf("[%s] 余额不足提醒 / Balance Low Alert", sanitizeEmailHeader(siteName))
-	body := s.buildBalanceLowEmailBody(html.EscapeString(displayName), balance, threshold, html.EscapeString(siteName))
+	body := s.buildBalanceLowEmailBody(html.EscapeString(displayName), balance, threshold, html.EscapeString(siteName), rechargeURL)
 	s.sendEmails(recipients, subject, body, "user_email", userEmail, "balance", balance)
 }
 
 // sendQuotaAlertEmails sends quota alert notification to admin emails.
-func (s *BalanceNotifyService) sendQuotaAlertEmails(adminEmails []string, accountName, dimension string, used, limit, threshold float64, siteName string) {
+func (s *BalanceNotifyService) sendQuotaAlertEmails(adminEmails []string, accountID int64, accountName, platform, dimension string, used, limit, threshold float64, siteName string) {
 	dimLabel := quotaDimLabels[dimension]
 	if dimLabel == "" {
 		dimLabel = dimension
 	}
 
 	subject := fmt.Sprintf("[%s] 账号限额告警 / Account Quota Alert - %s", sanitizeEmailHeader(siteName), sanitizeEmailHeader(accountName))
-	body := s.buildQuotaAlertEmailBody(html.EscapeString(accountName), html.EscapeString(dimLabel), used, limit, threshold, html.EscapeString(siteName))
+	body := s.buildQuotaAlertEmailBody(accountID, html.EscapeString(accountName), html.EscapeString(platform), html.EscapeString(dimLabel), used, limit, threshold, html.EscapeString(siteName))
 	s.sendEmails(adminEmails, subject, body, "account", accountName, "dimension", dimension)
 }
 
@@ -338,6 +402,7 @@ func sanitizeEmailHeader(s string) string {
 
 // balanceLowEmailTemplate is the HTML template for balance low notifications.
 // Format args: siteName, userName, userName, balance, threshold, threshold.
+// The recharge button is appended dynamically when rechargeURL is set.
 const balanceLowEmailTemplate = `<!DOCTYPE html>
 <html>
 <head>
@@ -350,6 +415,7 @@ const balanceLowEmailTemplate = `<!DOCTYPE html>
         .content { padding: 40px 30px; text-align: center; }
         .balance { font-size: 36px; font-weight: bold; color: #dc2626; margin: 20px 0; }
         .info { color: #666; font-size: 14px; line-height: 1.6; margin-top: 20px; }
+        .recharge-btn { display: inline-block; margin-top: 24px; padding: 12px 32px; background: linear-gradient(135deg, #f59e0b 0%%, #d97706 100%%); color: #fff; text-decoration: none; border-radius: 6px; font-size: 16px; font-weight: bold; }
         .footer { background-color: #f8f9fa; padding: 20px; text-align: center; color: #999; font-size: 12px; }
     </style>
 </head>
@@ -366,6 +432,7 @@ const balanceLowEmailTemplate = `<!DOCTYPE html>
                 <p>请及时充值以免服务中断。</p>
                 <p>Please top up to avoid service interruption.</p>
             </div>
+            %s
         </div>
         <div class="footer"><p>此邮件由系统自动发送，请勿回复。</p></div>
     </div>
@@ -373,7 +440,7 @@ const balanceLowEmailTemplate = `<!DOCTYPE html>
 </html>`
 
 // quotaAlertEmailTemplate is the HTML template for account quota alert notifications.
-// Format args: siteName, accountName, dimLabel, used, limitStr, threshold.
+// Format args: siteName, accountID, accountName, platform, dimLabel, used, limitStr, threshold.
 const quotaAlertEmailTemplate = `<!DOCTYPE html>
 <html>
 <head>
@@ -396,7 +463,9 @@ const quotaAlertEmailTemplate = `<!DOCTYPE html>
         <div class="header"><h1>%s</h1></div>
         <div class="content">
             <p style="font-size: 18px; color: #333; text-align: center;">账号限额告警 / Account Quota Alert</p>
+            <div class="metric"><span class="metric-label">账号 ID / Account ID</span><span class="metric-value">#%d</span></div>
             <div class="metric"><span class="metric-label">账号 / Account</span><span class="metric-value">%s</span></div>
+            <div class="metric"><span class="metric-label">平台 / Platform</span><span class="metric-value">%s</span></div>
             <div class="metric"><span class="metric-label">维度 / Dimension</span><span class="metric-value">%s</span></div>
             <div class="metric"><span class="metric-label">已使用 / Used</span><span class="metric-value">$%.2f</span></div>
             <div class="metric"><span class="metric-label">限额 / Limit</span><span class="metric-value">%s</span></div>
@@ -412,16 +481,20 @@ const quotaAlertEmailTemplate = `<!DOCTYPE html>
 </html>`
 
 // buildBalanceLowEmailBody builds HTML email for balance low notification.
-func (s *BalanceNotifyService) buildBalanceLowEmailBody(userName string, balance, threshold float64, siteName string) string {
-	return fmt.Sprintf(balanceLowEmailTemplate, siteName, userName, userName, balance, threshold, threshold)
+func (s *BalanceNotifyService) buildBalanceLowEmailBody(userName string, balance, threshold float64, siteName, rechargeURL string) string {
+	rechargeBlock := ""
+	if rechargeURL != "" {
+		rechargeBlock = fmt.Sprintf(`<a href="%s" class="recharge-btn">立即充值 / Top Up Now</a>`, html.EscapeString(rechargeURL))
+	}
+	return fmt.Sprintf(balanceLowEmailTemplate, siteName, userName, userName, balance, threshold, threshold, rechargeBlock)
 }
 
 // buildQuotaAlertEmailBody builds HTML email for account quota alert.
-func (s *BalanceNotifyService) buildQuotaAlertEmailBody(accountName, dimLabel string, used, limit, threshold float64, siteName string) string {
+func (s *BalanceNotifyService) buildQuotaAlertEmailBody(accountID int64, accountName, platform, dimLabel string, used, limit, threshold float64, siteName string) string {
 	limitStr := fmt.Sprintf("$%.2f", limit)
 	if limit <= 0 {
 		limitStr = "无限制 / Unlimited"
 	}
-	return fmt.Sprintf(quotaAlertEmailTemplate, siteName, accountName, dimLabel, used, limitStr, threshold)
+	return fmt.Sprintf(quotaAlertEmailTemplate, siteName, accountID, accountName, platform, dimLabel, used, limitStr, threshold)
 }
 
diff --git a/backend/internal/service/domain_constants.go b/backend/internal/service/domain_constants.go
index f07ddfd4..896ba59f 100644
--- a/backend/internal/service/domain_constants.go
+++ b/backend/internal/service/domain_constants.go
@@ -251,8 +251,9 @@ const (
 	SettingKeyEnableCCHSigning = "enable_cch_signing"
 
 	// Balance Low Notification
-	SettingKeyBalanceLowNotifyEnabled   = "balance_low_notify_enabled"   // 全局开关
-	SettingKeyBalanceLowNotifyThreshold = "balance_low_notify_threshold" // 默认阈值（USD）
+	SettingKeyBalanceLowNotifyEnabled    = "balance_low_notify_enabled"    // 全局开关
+	SettingKeyBalanceLowNotifyThreshold  = "balance_low_notify_threshold"  // 默认阈值（USD）
+	SettingKeyBalanceLowNotifyRechargeURL = "balance_low_notify_recharge_url" // 充值页面 URL
 
 	// Account Quota Notification
 	SettingKeyAccountQuotaNotifyEnabled = "account_quota_notify_enabled" // 全局开关
diff --git a/backend/internal/service/setting_service.go b/backend/internal/service/setting_service.go
index 28eb3a70..7f4a2eb1 100644
--- a/backend/internal/service/setting_service.go
+++ b/backend/internal/service/setting_service.go
@@ -184,6 +184,7 @@ func (s *SettingService) GetPublicSettings(ctx context.Context) (*PublicSettings
 		SettingKeyOIDCConnectProviderName,
 		SettingKeyBalanceLowNotifyEnabled,
 		SettingKeyBalanceLowNotifyThreshold,
+		SettingKeyBalanceLowNotifyRechargeURL,
 		SettingKeyAccountQuotaNotifyEnabled,
 	}
 
@@ -260,6 +261,7 @@ func (s *SettingService) GetPublicSettings(ctx context.Context) (*PublicSettings
 		BalanceLowNotifyEnabled:          settings[SettingKeyBalanceLowNotifyEnabled] == "true",
 		AccountQuotaNotifyEnabled:        settings[SettingKeyAccountQuotaNotifyEnabled] == "true",
 		BalanceLowNotifyThreshold:        balanceLowNotifyThreshold,
+		BalanceLowNotifyRechargeURL:      settings[SettingKeyBalanceLowNotifyRechargeURL],
 	}, nil
 }
 
@@ -316,6 +318,7 @@ func (s *SettingService) GetPublicSettingsForInjection(ctx context.Context) (any
 		BalanceLowNotifyEnabled          bool            `json:"balance_low_notify_enabled"`
 		AccountQuotaNotifyEnabled        bool            `json:"account_quota_notify_enabled"`
 		BalanceLowNotifyThreshold        float64         `json:"balance_low_notify_threshold"`
+		BalanceLowNotifyRechargeURL      string          `json:"balance_low_notify_recharge_url"`
 	}{
 		RegistrationEnabled:              settings.RegistrationEnabled,
 		EmailVerifyEnabled:               settings.EmailVerifyEnabled,
@@ -349,6 +352,7 @@ func (s *SettingService) GetPublicSettingsForInjection(ctx context.Context) (any
 		BalanceLowNotifyEnabled:          settings.BalanceLowNotifyEnabled,
 		AccountQuotaNotifyEnabled:        settings.AccountQuotaNotifyEnabled,
 		BalanceLowNotifyThreshold:        settings.BalanceLowNotifyThreshold,
+		BalanceLowNotifyRechargeURL:      settings.BalanceLowNotifyRechargeURL,
 	}, nil
 }
 
@@ -626,6 +630,7 @@ func (s *SettingService) UpdateSettings(ctx context.Context, settings *SystemSet
 	// Balance low notification
 	updates[SettingKeyBalanceLowNotifyEnabled] = strconv.FormatBool(settings.BalanceLowNotifyEnabled)
 	updates[SettingKeyBalanceLowNotifyThreshold] = strconv.FormatFloat(settings.BalanceLowNotifyThreshold, 'f', 8, 64)
+	updates[SettingKeyBalanceLowNotifyRechargeURL] = settings.BalanceLowNotifyRechargeURL
 	updates[SettingKeyAccountQuotaNotifyEnabled] = strconv.FormatBool(settings.AccountQuotaNotifyEnabled)
 	updates[SettingKeyAccountQuotaNotifyEmails] = MarshalNotifyEmails(settings.AccountQuotaNotifyEmails)
 
@@ -1264,6 +1269,7 @@ func (s *SettingService) parseSettings(settings map[string]string) *SystemSettin
 	if v, err := strconv.ParseFloat(settings[SettingKeyBalanceLowNotifyThreshold], 64); err == nil && v >= 0 {
 		result.BalanceLowNotifyThreshold = v
 	}
+	result.BalanceLowNotifyRechargeURL = settings[SettingKeyBalanceLowNotifyRechargeURL]
 
 	// Account quota notification
 	result.AccountQuotaNotifyEnabled = settings[SettingKeyAccountQuotaNotifyEnabled] == "true"
diff --git a/backend/internal/service/settings_view.go b/backend/internal/service/settings_view.go
index 1346372d..57f3746a 100644
--- a/backend/internal/service/settings_view.go
+++ b/backend/internal/service/settings_view.go
@@ -108,8 +108,9 @@ type SystemSettings struct {
 	EnableCCHSigning             bool // 是否对 billing header cch 进行签名（默认 false）
 
 	// Balance low notification
-	BalanceLowNotifyEnabled   bool
-	BalanceLowNotifyThreshold float64
+	BalanceLowNotifyEnabled    bool
+	BalanceLowNotifyThreshold  float64
+	BalanceLowNotifyRechargeURL string
 
 	// Account quota notification
 	AccountQuotaNotifyEnabled bool
@@ -157,6 +158,7 @@ type PublicSettings struct {
 	BalanceLowNotifyEnabled          bool
 	AccountQuotaNotifyEnabled        bool
 	BalanceLowNotifyThreshold        float64
+	BalanceLowNotifyRechargeURL      string
 }
 
 // StreamTimeoutSettings 流超时处理配置（仅控制超时后的处理方式，超时判定由网关配置控制）
diff --git a/frontend/src/api/admin/settings.ts b/frontend/src/api/admin/settings.ts
index 230232df..76c94cd8 100644
--- a/frontend/src/api/admin/settings.ts
+++ b/frontend/src/api/admin/settings.ts
@@ -138,6 +138,7 @@ export interface SystemSettings {
   // Balance & quota notification
   balance_low_notify_enabled: boolean
   balance_low_notify_threshold: number
+  balance_low_notify_recharge_url: string
   account_quota_notify_enabled: boolean
   account_quota_notify_emails: NotifyEmailEntry[]
 }
@@ -242,6 +243,7 @@ export interface UpdateSettingsRequest {
   // Balance & quota notification
   balance_low_notify_enabled?: boolean
   balance_low_notify_threshold?: number
+  balance_low_notify_recharge_url?: string
   account_quota_notify_enabled?: boolean
   account_quota_notify_emails?: NotifyEmailEntry[]
 }
diff --git a/frontend/src/i18n/locales/en.ts b/frontend/src/i18n/locales/en.ts
index dcbcf03c..c8acf6c0 100644
--- a/frontend/src/i18n/locales/en.ts
+++ b/frontend/src/i18n/locales/en.ts
@@ -4649,6 +4649,9 @@ export default {
         threshold: 'Default Threshold',
         thresholdHint: 'Used when user has not set a custom value',
         thresholdPlaceholder: 'Enter amount',
+        rechargeUrl: 'Recharge Page URL',
+        rechargeUrlPlaceholder: 'https://example.com/payment',
+        rechargeUrlHint: 'A top-up button will appear in the email when set',
       },
       quotaNotify: {
         title: 'Account Quota Notification',
diff --git a/frontend/src/i18n/locales/zh.ts b/frontend/src/i18n/locales/zh.ts
index 6dc9311c..499ed9cb 100644
--- a/frontend/src/i18n/locales/zh.ts
+++ b/frontend/src/i18n/locales/zh.ts
@@ -4813,6 +4813,9 @@ export default {
         threshold: '默认提醒阈值',
         thresholdHint: '用户未自定义时使用此值',
         thresholdPlaceholder: '输入金额',
+        rechargeUrl: '充值页面 URL',
+        rechargeUrlPlaceholder: 'https://example.com/payment',
+        rechargeUrlHint: '设置后邮件中将包含充值链接按钮',
       },
       quotaNotify: {
         title: '账号限额通知',
diff --git a/frontend/src/views/admin/SettingsView.vue b/frontend/src/views/admin/SettingsView.vue
index d2e17440..ef67ce22 100644
--- a/frontend/src/views/admin/SettingsView.vue
+++ b/frontend/src/views/admin/SettingsView.vue
@@ -2705,6 +2705,11 @@
               </div>
               <p class="mt-1 text-xs text-gray-500 dark:text-gray-400">{{ t('admin.settings.balanceNotify.thresholdHint') }}</p>
             </div>
+            <div>
+              <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">{{ t('admin.settings.balanceNotify.rechargeUrl') }}</label>
+              <input v-model="form.balance_low_notify_recharge_url" type="url" class="input" :placeholder="t('admin.settings.balanceNotify.rechargeUrlPlaceholder')" />
+              <p class="mt-1 text-xs text-gray-500 dark:text-gray-400">{{ t('admin.settings.balanceNotify.rechargeUrlHint') }}</p>
+            </div>
           </div>
         </div>
 
@@ -3027,6 +3032,7 @@ const form = reactive<SettingsForm>({
   // Balance & quota notification
   balance_low_notify_enabled: false,
   balance_low_notify_threshold: 0,
+  balance_low_notify_recharge_url: '',
   account_quota_notify_enabled: false,
   account_quota_notify_emails: [] as NotifyEmailEntry[]
 })
@@ -3598,6 +3604,7 @@ async function saveSettings() {
       // Balance & quota notification
       balance_low_notify_enabled: form.balance_low_notify_enabled,
       balance_low_notify_threshold: Number(form.balance_low_notify_threshold) || 0,
+      balance_low_notify_recharge_url: form.balance_low_notify_recharge_url || '',
       account_quota_notify_enabled: form.account_quota_notify_enabled,
       account_quota_notify_emails: (form.account_quota_notify_emails || []).filter((e) => e.email.trim() !== ''),
     }

From 48b6c4811f2f8b58933e30c91687acb027aeedf4 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Mon, 13 Apr 2026 18:44:36 +0800
Subject: [PATCH 067/122] fix(notify): auto-fill recharge URL with current
 origin when empty

---
 backend/cmd/server/VERSION                | 2 +-
 frontend/src/views/admin/SettingsView.vue | 6 ++++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/backend/cmd/server/VERSION b/backend/cmd/server/VERSION
index ee13da53..9e3ea640 100644
--- a/backend/cmd/server/VERSION
+++ b/backend/cmd/server/VERSION
@@ -1 +1 @@
-0.1.110.39
+0.1.110.40
diff --git a/frontend/src/views/admin/SettingsView.vue b/frontend/src/views/admin/SettingsView.vue
index ef67ce22..57f6b35e 100644
--- a/frontend/src/views/admin/SettingsView.vue
+++ b/frontend/src/views/admin/SettingsView.vue
@@ -2707,7 +2707,7 @@
             </div>
             <div>
               <label class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300">{{ t('admin.settings.balanceNotify.rechargeUrl') }}</label>
-              <input v-model="form.balance_low_notify_recharge_url" type="url" class="input" :placeholder="t('admin.settings.balanceNotify.rechargeUrlPlaceholder')" />
+              <input v-model="form.balance_low_notify_recharge_url" type="url" class="input" :placeholder="currentOrigin" />
               <p class="mt-1 text-xs text-gray-500 dark:text-gray-400">{{ t('admin.settings.balanceNotify.rechargeUrlHint') }}</p>
             </div>
           </div>
@@ -3262,6 +3262,8 @@ const addQuotaNotifyEmail = () => {
   form.account_quota_notify_emails.push({ email: '', disabled: false, verified: true })
 }
 
+const currentOrigin = typeof window !== 'undefined' ? window.location.origin : ''
+
 // LinuxDo OAuth redirect URL suggestion
 const linuxdoRedirectUrlSuggestion = computed(() => {
   if (typeof window === 'undefined') return ''
@@ -3604,7 +3606,7 @@ async function saveSettings() {
       // Balance & quota notification
       balance_low_notify_enabled: form.balance_low_notify_enabled,
       balance_low_notify_threshold: Number(form.balance_low_notify_threshold) || 0,
-      balance_low_notify_recharge_url: form.balance_low_notify_recharge_url || '',
+      balance_low_notify_recharge_url: form.balance_low_notify_recharge_url || currentOrigin,
       account_quota_notify_enabled: form.account_quota_notify_enabled,
       account_quota_notify_emails: (form.account_quota_notify_emails || []).filter((e) => e.email.trim() !== ''),
     }

From f571d8ffad4ac8f3c20d44a70221a0d1f7211d28 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Mon, 13 Apr 2026 18:52:02 +0800
Subject: [PATCH 068/122] fix(notify): write back auto-filled recharge URL to
 form on save

---
 backend/cmd/server/VERSION                | 2 +-
 frontend/src/views/admin/SettingsView.vue | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/backend/cmd/server/VERSION b/backend/cmd/server/VERSION
index 9e3ea640..a69c1172 100644
--- a/backend/cmd/server/VERSION
+++ b/backend/cmd/server/VERSION
@@ -1 +1 @@
-0.1.110.40
+0.1.110.41
diff --git a/frontend/src/views/admin/SettingsView.vue b/frontend/src/views/admin/SettingsView.vue
index 57f6b35e..3ef1c0ba 100644
--- a/frontend/src/views/admin/SettingsView.vue
+++ b/frontend/src/views/admin/SettingsView.vue
@@ -3606,7 +3606,7 @@ async function saveSettings() {
       // Balance & quota notification
       balance_low_notify_enabled: form.balance_low_notify_enabled,
       balance_low_notify_threshold: Number(form.balance_low_notify_threshold) || 0,
-      balance_low_notify_recharge_url: form.balance_low_notify_recharge_url || currentOrigin,
+      balance_low_notify_recharge_url: (form.balance_low_notify_recharge_url = form.balance_low_notify_recharge_url || currentOrigin),
       account_quota_notify_enabled: form.account_quota_notify_enabled,
       account_quota_notify_emails: (form.account_quota_notify_emails || []).filter((e) => e.email.trim() !== ''),
     }

From 6e9146e746a8743ad078230aedaabae85ef15e25 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Mon, 13 Apr 2026 19:02:40 +0800
Subject: [PATCH 069/122] fix(notify): add recharge URL to admin settings GET
 response

---
 backend/cmd/server/VERSION                        | 2 +-
 backend/internal/handler/admin/setting_handler.go | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/backend/cmd/server/VERSION b/backend/cmd/server/VERSION
index a69c1172..ab6fbb6e 100644
--- a/backend/cmd/server/VERSION
+++ b/backend/cmd/server/VERSION
@@ -1 +1 @@
-0.1.110.41
+0.1.110.42
diff --git a/backend/internal/handler/admin/setting_handler.go b/backend/internal/handler/admin/setting_handler.go
index e31eb134..bc6d183c 100644
--- a/backend/internal/handler/admin/setting_handler.go
+++ b/backend/internal/handler/admin/setting_handler.go
@@ -178,6 +178,7 @@ func (h *SettingHandler) GetSettings(c *gin.Context) {
 		WebSearchEmulationEnabled:            settings.WebSearchEmulationEnabled,
 		BalanceLowNotifyEnabled:              settings.BalanceLowNotifyEnabled,
 		BalanceLowNotifyThreshold:            settings.BalanceLowNotifyThreshold,
+		BalanceLowNotifyRechargeURL:          settings.BalanceLowNotifyRechargeURL,
 		AccountQuotaNotifyEnabled:            settings.AccountQuotaNotifyEnabled,
 		AccountQuotaNotifyEmails:             dto.NotifyEmailEntriesFromService(settings.AccountQuotaNotifyEmails),
 		PaymentEnabled:                       paymentCfg.Enabled,

From a43da6225449c68f486b796139a4144c9fbe24fc Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Mon, 13 Apr 2026 20:01:25 +0800
Subject: [PATCH 070/122] fix(accounts): unify modal width, add notify props to
 create, fix quota layout

- EditAccountModal width changed from "normal" to "wide" (match CreateAccountModal)
- CreateAccountModal now passes all quota notify props to QuotaLimitCard
- QuotaLimitCard: when global notify disabled, hide title row, input takes full width
- Quota alert email: show remaining quota + threshold (fixed/$, percentage/%) instead of usage trigger point
---
 backend/cmd/server/VERSION                    |  2 +-
 .../service/balance_notify_service.go         | 35 +++++++----
 .../components/account/CreateAccountModal.vue | 61 +++++++++++++++++++
 .../components/account/EditAccountModal.vue   |  2 +-
 .../src/components/account/QuotaLimitCard.vue | 23 ++++---
 5 files changed, 99 insertions(+), 24 deletions(-)

diff --git a/backend/cmd/server/VERSION b/backend/cmd/server/VERSION
index ab6fbb6e..76129f5c 100644
--- a/backend/cmd/server/VERSION
+++ b/backend/cmd/server/VERSION
@@ -1 +1 @@
-0.1.110.42
+0.1.110.44
diff --git a/backend/internal/service/balance_notify_service.go b/backend/internal/service/balance_notify_service.go
index 3951e88f..5191a26e 100644
--- a/backend/internal/service/balance_notify_service.go
+++ b/backend/internal/service/balance_notify_service.go
@@ -257,7 +257,7 @@ func (s *BalanceNotifyService) asyncSendQuotaAlert(adminEmails []string, account
 				slog.Error("panic in quota notification", "recover", r)
 			}
 		}()
-		s.sendQuotaAlertEmails(adminEmails, accountID, accountName, platform, dim.name, newUsed, dim.limit, effectiveThreshold, siteName)
+		s.sendQuotaAlertEmails(adminEmails, accountID, accountName, platform, dim, newUsed, siteName)
 	}()
 }
 
@@ -384,15 +384,25 @@ func (s *BalanceNotifyService) sendBalanceLowEmails(recipients []string, userNam
 }
 
 // sendQuotaAlertEmails sends quota alert notification to admin emails.
-func (s *BalanceNotifyService) sendQuotaAlertEmails(adminEmails []string, accountID int64, accountName, platform, dimension string, used, limit, threshold float64, siteName string) {
-	dimLabel := quotaDimLabels[dimension]
+func (s *BalanceNotifyService) sendQuotaAlertEmails(adminEmails []string, accountID int64, accountName, platform string, dim quotaDim, used float64, siteName string) {
+	dimLabel := quotaDimLabels[dim.name]
 	if dimLabel == "" {
-		dimLabel = dimension
+		dimLabel = dim.name
+	}
+
+	// Format the remaining-based threshold for display
+	thresholdDisplay := fmt.Sprintf("$%.2f", dim.threshold)
+	if dim.thresholdType == thresholdTypePercentage {
+		thresholdDisplay = fmt.Sprintf("%.0f%%", dim.threshold)
+	}
+	remaining := dim.limit - used
+	if remaining < 0 {
+		remaining = 0
 	}
 
 	subject := fmt.Sprintf("[%s] 账号限额告警 / Account Quota Alert - %s", sanitizeEmailHeader(siteName), sanitizeEmailHeader(accountName))
-	body := s.buildQuotaAlertEmailBody(accountID, html.EscapeString(accountName), html.EscapeString(platform), html.EscapeString(dimLabel), used, limit, threshold, html.EscapeString(siteName))
-	s.sendEmails(adminEmails, subject, body, "account", accountName, "dimension", dimension)
+	body := s.buildQuotaAlertEmailBody(accountID, html.EscapeString(accountName), html.EscapeString(platform), html.EscapeString(dimLabel), used, dim.limit, remaining, thresholdDisplay, html.EscapeString(siteName))
+	s.sendEmails(adminEmails, subject, body, "account", accountName, "dimension", dim.name)
 }
 
 // sanitizeEmailHeader removes CR/LF characters to prevent SMTP header injection.
@@ -440,7 +450,7 @@ const balanceLowEmailTemplate = `<!DOCTYPE html>
 </html>`
 
 // quotaAlertEmailTemplate is the HTML template for account quota alert notifications.
-// Format args: siteName, accountID, accountName, platform, dimLabel, used, limitStr, threshold.
+// Format args: siteName, accountID, accountName, platform, dimLabel, used, limitStr, remaining, thresholdDisplay.
 const quotaAlertEmailTemplate = `<!DOCTYPE html>
 <html>
 <head>
@@ -469,10 +479,11 @@ const quotaAlertEmailTemplate = `<!DOCTYPE html>
             <div class="metric"><span class="metric-label">维度 / Dimension</span><span class="metric-value">%s</span></div>
             <div class="metric"><span class="metric-label">已使用 / Used</span><span class="metric-value">$%.2f</span></div>
             <div class="metric"><span class="metric-label">限额 / Limit</span><span class="metric-value">%s</span></div>
-            <div class="metric"><span class="metric-label">告警阈值 / Threshold</span><span class="metric-value">$%.2f</span></div>
+            <div class="metric"><span class="metric-label">剩余额度 / Remaining</span><span class="metric-value">$%.2f</span></div>
+            <div class="metric"><span class="metric-label">提醒阈值 / Alert Threshold</span><span class="metric-value">%s</span></div>
             <div class="info">
-                <p>账号配额用量已达到告警阈值，请及时关注。</p>
-                <p>Account quota usage has reached the alert threshold.</p>
+                <p>账号剩余额度已低于提醒阈值，请及时关注。</p>
+                <p>Account remaining quota has fallen below the alert threshold.</p>
             </div>
         </div>
         <div class="footer"><p>此邮件由系统自动发送，请勿回复。</p></div>
@@ -490,11 +501,11 @@ func (s *BalanceNotifyService) buildBalanceLowEmailBody(userName string, balance
 }
 
 // buildQuotaAlertEmailBody builds HTML email for account quota alert.
-func (s *BalanceNotifyService) buildQuotaAlertEmailBody(accountID int64, accountName, platform, dimLabel string, used, limit, threshold float64, siteName string) string {
+func (s *BalanceNotifyService) buildQuotaAlertEmailBody(accountID int64, accountName, platform, dimLabel string, used, limit, remaining float64, thresholdDisplay, siteName string) string {
 	limitStr := fmt.Sprintf("$%.2f", limit)
 	if limit <= 0 {
 		limitStr = "无限制 / Unlimited"
 	}
-	return fmt.Sprintf(quotaAlertEmailTemplate, siteName, accountID, accountName, platform, dimLabel, used, limitStr, threshold)
+	return fmt.Sprintf(quotaAlertEmailTemplate, siteName, accountID, accountName, platform, dimLabel, used, limitStr, remaining, thresholdDisplay)
 }
 
diff --git a/frontend/src/components/account/CreateAccountModal.vue b/frontend/src/components/account/CreateAccountModal.vue
index a1496fa8..ba7bad51 100644
--- a/frontend/src/components/account/CreateAccountModal.vue
+++ b/frontend/src/components/account/CreateAccountModal.vue
@@ -1493,6 +1493,15 @@
           :dailyLimit="editQuotaDailyLimit"
           :weeklyLimit="editQuotaWeeklyLimit"
           :quotaNotifyGlobalEnabled="quotaNotifyGlobalEnabled"
+          :quotaNotifyDailyEnabled="quotaNotifyDailyEnabled"
+          :quotaNotifyDailyThreshold="quotaNotifyDailyThreshold"
+          :quotaNotifyDailyThresholdType="quotaNotifyDailyThresholdType"
+          :quotaNotifyWeeklyEnabled="quotaNotifyWeeklyEnabled"
+          :quotaNotifyWeeklyThreshold="quotaNotifyWeeklyThreshold"
+          :quotaNotifyWeeklyThresholdType="quotaNotifyWeeklyThresholdType"
+          :quotaNotifyTotalEnabled="quotaNotifyTotalEnabled"
+          :quotaNotifyTotalThreshold="quotaNotifyTotalThreshold"
+          :quotaNotifyTotalThresholdType="quotaNotifyTotalThresholdType"
           :dailyResetMode="editDailyResetMode"
           :dailyResetHour="editDailyResetHour"
           :weeklyResetMode="editWeeklyResetMode"
@@ -1502,6 +1511,15 @@
           @update:totalLimit="editQuotaLimit = $event"
           @update:dailyLimit="editQuotaDailyLimit = $event"
           @update:weeklyLimit="editQuotaWeeklyLimit = $event"
+          @update:quotaNotifyDailyEnabled="quotaNotifyDailyEnabled = $event"
+          @update:quotaNotifyDailyThreshold="quotaNotifyDailyThreshold = $event"
+          @update:quotaNotifyDailyThresholdType="quotaNotifyDailyThresholdType = $event"
+          @update:quotaNotifyWeeklyEnabled="quotaNotifyWeeklyEnabled = $event"
+          @update:quotaNotifyWeeklyThreshold="quotaNotifyWeeklyThreshold = $event"
+          @update:quotaNotifyWeeklyThresholdType="quotaNotifyWeeklyThresholdType = $event"
+          @update:quotaNotifyTotalEnabled="quotaNotifyTotalEnabled = $event"
+          @update:quotaNotifyTotalThreshold="quotaNotifyTotalThreshold = $event"
+          @update:quotaNotifyTotalThresholdType="quotaNotifyTotalThresholdType = $event"
           @update:dailyResetMode="editDailyResetMode = $event"
           @update:dailyResetHour="editDailyResetHour = $event"
           @update:weeklyResetMode="editWeeklyResetMode = $event"
@@ -1527,6 +1545,15 @@
           :dailyLimit="editQuotaDailyLimit"
           :weeklyLimit="editQuotaWeeklyLimit"
           :quotaNotifyGlobalEnabled="quotaNotifyGlobalEnabled"
+          :quotaNotifyDailyEnabled="quotaNotifyDailyEnabled"
+          :quotaNotifyDailyThreshold="quotaNotifyDailyThreshold"
+          :quotaNotifyDailyThresholdType="quotaNotifyDailyThresholdType"
+          :quotaNotifyWeeklyEnabled="quotaNotifyWeeklyEnabled"
+          :quotaNotifyWeeklyThreshold="quotaNotifyWeeklyThreshold"
+          :quotaNotifyWeeklyThresholdType="quotaNotifyWeeklyThresholdType"
+          :quotaNotifyTotalEnabled="quotaNotifyTotalEnabled"
+          :quotaNotifyTotalThreshold="quotaNotifyTotalThreshold"
+          :quotaNotifyTotalThresholdType="quotaNotifyTotalThresholdType"
           :dailyResetMode="editDailyResetMode"
           :dailyResetHour="editDailyResetHour"
           :weeklyResetMode="editWeeklyResetMode"
@@ -1536,6 +1563,15 @@
           @update:totalLimit="editQuotaLimit = $event"
           @update:dailyLimit="editQuotaDailyLimit = $event"
           @update:weeklyLimit="editQuotaWeeklyLimit = $event"
+          @update:quotaNotifyDailyEnabled="quotaNotifyDailyEnabled = $event"
+          @update:quotaNotifyDailyThreshold="quotaNotifyDailyThreshold = $event"
+          @update:quotaNotifyDailyThresholdType="quotaNotifyDailyThresholdType = $event"
+          @update:quotaNotifyWeeklyEnabled="quotaNotifyWeeklyEnabled = $event"
+          @update:quotaNotifyWeeklyThreshold="quotaNotifyWeeklyThreshold = $event"
+          @update:quotaNotifyWeeklyThresholdType="quotaNotifyWeeklyThresholdType = $event"
+          @update:quotaNotifyTotalEnabled="quotaNotifyTotalEnabled = $event"
+          @update:quotaNotifyTotalThreshold="quotaNotifyTotalThreshold = $event"
+          @update:quotaNotifyTotalThresholdType="quotaNotifyTotalThresholdType = $event"
           @update:dailyResetMode="editDailyResetMode = $event"
           @update:dailyResetHour="editDailyResetHour = $event"
           @update:weeklyResetMode="editWeeklyResetMode = $event"
@@ -3041,6 +3077,15 @@ const anthropicPassthroughEnabled = ref(false)
 const webSearchEmulationMode = ref('default')
 const webSearchGlobalEnabled = ref(false)
 const quotaNotifyGlobalEnabled = ref(false)
+const quotaNotifyDailyEnabled = ref<boolean | null>(null)
+const quotaNotifyDailyThreshold = ref<number | null>(null)
+const quotaNotifyDailyThresholdType = ref<string | null>(null)
+const quotaNotifyWeeklyEnabled = ref<boolean | null>(null)
+const quotaNotifyWeeklyThreshold = ref<number | null>(null)
+const quotaNotifyWeeklyThresholdType = ref<string | null>(null)
+const quotaNotifyTotalEnabled = ref<boolean | null>(null)
+const quotaNotifyTotalThreshold = ref<number | null>(null)
+const quotaNotifyTotalThresholdType = ref<string | null>(null)
 
 // Load global feature states once
 adminAPI.settings.getWebSearchEmulationConfig().then(cfg => {
@@ -4153,6 +4198,22 @@ const createAccountAndFinish = async (
     if (editDailyResetMode.value === 'fixed' || editWeeklyResetMode.value === 'fixed') {
       quotaExtra.quota_reset_timezone = editResetTimezone.value || 'UTC'
     }
+    // Quota notify config
+    if (quotaNotifyDailyEnabled.value) {
+      quotaExtra.quota_notify_daily_enabled = true
+      if (quotaNotifyDailyThreshold.value != null) quotaExtra.quota_notify_daily_threshold = quotaNotifyDailyThreshold.value
+      quotaExtra.quota_notify_daily_threshold_type = quotaNotifyDailyThresholdType.value || 'fixed'
+    }
+    if (quotaNotifyWeeklyEnabled.value) {
+      quotaExtra.quota_notify_weekly_enabled = true
+      if (quotaNotifyWeeklyThreshold.value != null) quotaExtra.quota_notify_weekly_threshold = quotaNotifyWeeklyThreshold.value
+      quotaExtra.quota_notify_weekly_threshold_type = quotaNotifyWeeklyThresholdType.value || 'fixed'
+    }
+    if (quotaNotifyTotalEnabled.value) {
+      quotaExtra.quota_notify_total_enabled = true
+      if (quotaNotifyTotalThreshold.value != null) quotaExtra.quota_notify_total_threshold = quotaNotifyTotalThreshold.value
+      quotaExtra.quota_notify_total_threshold_type = quotaNotifyTotalThresholdType.value || 'fixed'
+    }
     if (Object.keys(quotaExtra).length > 0) {
       finalExtra = quotaExtra
     }
diff --git a/frontend/src/components/account/EditAccountModal.vue b/frontend/src/components/account/EditAccountModal.vue
index 613738d2..92761b35 100644
--- a/frontend/src/components/account/EditAccountModal.vue
+++ b/frontend/src/components/account/EditAccountModal.vue
@@ -2,7 +2,7 @@
   <BaseDialog
     :show="show"
     :title="t('admin.accounts.editAccount')"
-    width="normal"
+    width="wide"
     @close="handleClose"
   >
     <form
diff --git a/frontend/src/components/account/QuotaLimitCard.vue b/frontend/src/components/account/QuotaLimitCard.vue
index 9051b9be..ff5c11f5 100644
--- a/frontend/src/components/account/QuotaLimitCard.vue
+++ b/frontend/src/components/account/QuotaLimitCard.vue
@@ -199,14 +199,15 @@ const onWeeklyModeChange = (e: Event) => {
       <div v-if="localEnabled && !collapsed" class="space-y-2 p-4 pt-3">
         <!-- 日配额 -->
         <div>
-          <!-- 标题行 -->
-          <div class="flex items-center gap-2 mb-1">
+          <!-- 标题行（仅全局通知开启时显示） -->
+          <div v-if="quotaNotifyGlobalEnabled" class="flex items-center gap-2 mb-1">
             <span class="text-xs font-medium text-gray-700 dark:text-gray-300 w-28 flex-shrink-0">{{ t('admin.accounts.quotaDailyLimit') }}</span>
-            <span v-if="quotaNotifyGlobalEnabled && dailyLimit && dailyLimit > 0" class="text-xs font-medium text-gray-700 dark:text-gray-300">{{ t('admin.accounts.quotaNotify.alert') }}</span>
+            <span v-if="dailyLimit && dailyLimit > 0" class="text-xs font-medium text-gray-700 dark:text-gray-300">{{ t('admin.accounts.quotaNotify.alert') }}</span>
           </div>
+          <label v-else class="text-xs font-medium text-gray-700 dark:text-gray-300 mb-1 block">{{ t('admin.accounts.quotaDailyLimit') }}</label>
           <!-- 输入行 -->
           <div class="flex items-center gap-2">
-            <div class="relative w-28 flex-shrink-0">
+            <div :class="['relative', quotaNotifyGlobalEnabled ? 'w-28 flex-shrink-0' : 'flex-1']">
               <span class="absolute left-2.5 top-1/2 -translate-y-1/2 text-gray-500 dark:text-gray-400 text-sm">$</span>
               <input :value="dailyLimit" @input="onDailyInput" type="number" min="0" step="0.01" class="input pl-6 py-1.5 text-sm" :placeholder="t('admin.accounts.quotaLimitPlaceholder')" />
             </div>
@@ -238,12 +239,13 @@ const onWeeklyModeChange = (e: Event) => {
 
         <!-- 周配额 -->
         <div>
-          <div class="flex items-center gap-2 mb-1">
+          <div v-if="quotaNotifyGlobalEnabled" class="flex items-center gap-2 mb-1">
             <span class="text-xs font-medium text-gray-700 dark:text-gray-300 w-28 flex-shrink-0">{{ t('admin.accounts.quotaWeeklyLimit') }}</span>
-            <span v-if="quotaNotifyGlobalEnabled && weeklyLimit && weeklyLimit > 0" class="text-xs font-medium text-gray-700 dark:text-gray-300">{{ t('admin.accounts.quotaNotify.alert') }}</span>
+            <span v-if="weeklyLimit && weeklyLimit > 0" class="text-xs font-medium text-gray-700 dark:text-gray-300">{{ t('admin.accounts.quotaNotify.alert') }}</span>
           </div>
+          <label v-else class="text-xs font-medium text-gray-700 dark:text-gray-300 mb-1 block">{{ t('admin.accounts.quotaWeeklyLimit') }}</label>
           <div class="flex items-center gap-2">
-            <div class="relative w-28 flex-shrink-0">
+            <div :class="['relative', quotaNotifyGlobalEnabled ? 'w-28 flex-shrink-0' : 'flex-1']">
               <span class="absolute left-2.5 top-1/2 -translate-y-1/2 text-gray-500 dark:text-gray-400 text-sm">$</span>
               <input :value="weeklyLimit" @input="onWeeklyInput" type="number" min="0" step="0.01" class="input pl-6 py-1.5 text-sm" :placeholder="t('admin.accounts.quotaLimitPlaceholder')" />
             </div>
@@ -287,12 +289,13 @@ const onWeeklyModeChange = (e: Event) => {
 
         <!-- 总配额 -->
         <div>
-          <div class="flex items-center gap-2 mb-1">
+          <div v-if="quotaNotifyGlobalEnabled" class="flex items-center gap-2 mb-1">
             <span class="text-xs font-medium text-gray-700 dark:text-gray-300 w-28 flex-shrink-0">{{ t('admin.accounts.quotaTotalLimit') }}</span>
-            <span v-if="quotaNotifyGlobalEnabled && totalLimit && totalLimit > 0" class="text-xs font-medium text-gray-700 dark:text-gray-300">{{ t('admin.accounts.quotaNotify.alert') }}</span>
+            <span v-if="totalLimit && totalLimit > 0" class="text-xs font-medium text-gray-700 dark:text-gray-300">{{ t('admin.accounts.quotaNotify.alert') }}</span>
           </div>
+          <label v-else class="text-xs font-medium text-gray-700 dark:text-gray-300 mb-1 block">{{ t('admin.accounts.quotaTotalLimit') }}</label>
           <div class="flex items-center gap-2">
-            <div class="relative w-28 flex-shrink-0">
+            <div :class="['relative', quotaNotifyGlobalEnabled ? 'w-28 flex-shrink-0' : 'flex-1']">
               <span class="absolute left-2.5 top-1/2 -translate-y-1/2 text-gray-500 dark:text-gray-400 text-sm">$</span>
               <input :value="totalLimit" @input="onTotalInput" type="number" min="0" step="0.01" class="input pl-6 py-1.5 text-sm" :placeholder="t('admin.accounts.quotaLimitPlaceholder')" />
             </div>

From ca673f98995b286c35b19b659088c5970b4eea54 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Mon, 13 Apr 2026 20:35:38 +0800
Subject: [PATCH 071/122] test: add 66 unit tests for balance/quota notify +
 plan validation

balance_notify_service_test.go (27 tests):
- resolveBalanceThreshold: fixed/percentage/zero recharged/empty type
- quotaDim.resolvedThreshold: fixed normal/exceed/equal limit, percentage 0/30/100/>100, zero/negative limit
- sanitizeEmailHeader: CRLF/CR/LF/clean/empty/multiple newlines
- buildQuotaDims / buildQuotaDimsFromState: all dimensions, empty extra, state-vs-account precedence
- collectBalanceNotifyRecipients: empty, filter disabled/unverified, case-insensitive dedup, skip empty, trim

balance_notify_check_test.go (16 tests):
- CheckBalanceAfterDeduction guard clauses: nil user/disabled/global-off/threshold=0/user-override/no-crossing
- CheckAccountQuotaAfterIncrement guards: nil account/zero cost/negative cost/global-disabled
- getBalanceNotifyConfig: all fields, disabled, invalid threshold
- isAccountQuotaNotifyEnabled: missing/false/true
- getSiteName: default fallback + configured

balance_notify_email_body_test.go (10 tests):
- Guards against fmt.Sprintf arg-count mismatches in email templates
- Verifies HTML escaping of recharge URL
- Verifies CSS %% escape produces literal % in output
- Verifies unlimited/percentage/over-quota display branches

payment_config_plans_validation_test.go (13 tests):
- validatePlanRequired: all 5 validation branches + whitespace handling
---
 .../service/balance_notify_check_test.go      | 180 +++++++++++
 .../service/balance_notify_email_body_test.go | 147 +++++++++
 .../service/balance_notify_service_test.go    | 280 ++++++++++++++++++
 .../payment_config_plans_validation_test.go   |  89 ++++++
 4 files changed, 696 insertions(+)
 create mode 100644 backend/internal/service/balance_notify_check_test.go
 create mode 100644 backend/internal/service/balance_notify_email_body_test.go
 create mode 100644 backend/internal/service/balance_notify_service_test.go
 create mode 100644 backend/internal/service/payment_config_plans_validation_test.go

diff --git a/backend/internal/service/balance_notify_check_test.go b/backend/internal/service/balance_notify_check_test.go
new file mode 100644
index 00000000..955f3129
--- /dev/null
+++ b/backend/internal/service/balance_notify_check_test.go
@@ -0,0 +1,180 @@
+//go:build unit
+
+package service
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+// newBalanceNotifyServiceForTest constructs a BalanceNotifyService with an
+// in-memory settings repo and a non-nil emailService so that the guard-clause
+// nil-checks pass. The emailService is intentionally minimal — tests must
+// avoid crossing scenarios that would actually dispatch emails.
+func newBalanceNotifyServiceForTest() (*BalanceNotifyService, *mockSettingRepo) {
+	repo := newMockSettingRepo()
+	// EmailService is a concrete type; construct with the same repo so that
+	// any accidental fallback reads still succeed. Tests should not trigger a
+	// crossing that reaches SendEmail.
+	email := NewEmailService(repo, nil)
+	return NewBalanceNotifyService(email, repo, nil), repo
+}
+
+// ---------- guard clauses ----------
+
+func TestCheckBalanceAfterDeduction_NilUser(t *testing.T) {
+	s, _ := newBalanceNotifyServiceForTest()
+	// Should not panic.
+	s.CheckBalanceAfterDeduction(context.Background(), nil, 100, 50)
+}
+
+func TestCheckBalanceAfterDeduction_UserNotifyDisabled(t *testing.T) {
+	s, repo := newBalanceNotifyServiceForTest()
+	repo.data[SettingKeyBalanceLowNotifyEnabled] = "true"
+	repo.data[SettingKeyBalanceLowNotifyThreshold] = "10"
+	u := &User{ID: 1, BalanceNotifyEnabled: false}
+	// Even with a crossing, disabled flag short-circuits.
+	s.CheckBalanceAfterDeduction(context.Background(), u, 20, 15)
+}
+
+func TestCheckBalanceAfterDeduction_GlobalDisabled(t *testing.T) {
+	s, repo := newBalanceNotifyServiceForTest()
+	repo.data[SettingKeyBalanceLowNotifyEnabled] = "false"
+	u := &User{ID: 1, BalanceNotifyEnabled: true}
+	s.CheckBalanceAfterDeduction(context.Background(), u, 20, 15)
+}
+
+func TestCheckBalanceAfterDeduction_ThresholdZero(t *testing.T) {
+	s, repo := newBalanceNotifyServiceForTest()
+	repo.data[SettingKeyBalanceLowNotifyEnabled] = "true"
+	repo.data[SettingKeyBalanceLowNotifyThreshold] = "0"
+	u := &User{ID: 1, BalanceNotifyEnabled: true}
+	s.CheckBalanceAfterDeduction(context.Background(), u, 20, 15)
+}
+
+func TestCheckBalanceAfterDeduction_UserThresholdOverride(t *testing.T) {
+	s, repo := newBalanceNotifyServiceForTest()
+	repo.data[SettingKeyBalanceLowNotifyEnabled] = "true"
+	repo.data[SettingKeyBalanceLowNotifyThreshold] = "100" // global default
+	customThreshold := 5.0
+	u := &User{
+		ID:                     1,
+		BalanceNotifyEnabled:   true,
+		BalanceNotifyThreshold: &customThreshold,
+	}
+	// User's 5.0 threshold takes precedence over global 100. 20 -> 15 does not
+	// cross 5, so nothing fires (verified by absence of panic).
+	s.CheckBalanceAfterDeduction(context.Background(), u, 20, 15)
+}
+
+func TestCheckBalanceAfterDeduction_NoCrossingNotFired(t *testing.T) {
+	s, repo := newBalanceNotifyServiceForTest()
+	repo.data[SettingKeyBalanceLowNotifyEnabled] = "true"
+	repo.data[SettingKeyBalanceLowNotifyThreshold] = "10"
+	u := &User{ID: 1, BalanceNotifyEnabled: true}
+
+	// 100 -> 95, both remain above threshold=10, no crossing.
+	s.CheckBalanceAfterDeduction(context.Background(), u, 100, 5)
+	// 5 -> 3, both already below threshold, no crossing (only fires on first
+	// cross from above-to-below).
+	s.CheckBalanceAfterDeduction(context.Background(), u, 5, 2)
+}
+
+// ---------- nil-service guards on CheckAccountQuotaAfterIncrement ----------
+
+func TestCheckAccountQuotaAfterIncrement_NilAccount(t *testing.T) {
+	s, _ := newBalanceNotifyServiceForTest()
+	// Should not panic.
+	s.CheckAccountQuotaAfterIncrement(context.Background(), nil, 10, nil)
+}
+
+func TestCheckAccountQuotaAfterIncrement_ZeroCost(t *testing.T) {
+	s, _ := newBalanceNotifyServiceForTest()
+	a := &Account{ID: 1, Platform: PlatformAnthropic, Type: AccountTypeAPIKey}
+	s.CheckAccountQuotaAfterIncrement(context.Background(), a, 0, nil)
+}
+
+func TestCheckAccountQuotaAfterIncrement_NegativeCost(t *testing.T) {
+	s, _ := newBalanceNotifyServiceForTest()
+	a := &Account{ID: 1, Platform: PlatformAnthropic, Type: AccountTypeAPIKey}
+	s.CheckAccountQuotaAfterIncrement(context.Background(), a, -5, nil)
+}
+
+func TestCheckAccountQuotaAfterIncrement_GlobalDisabled(t *testing.T) {
+	s, repo := newBalanceNotifyServiceForTest()
+	repo.data[SettingKeyAccountQuotaNotifyEnabled] = "false"
+	a := &Account{
+		ID:       1,
+		Platform: PlatformAnthropic,
+		Type:     AccountTypeAPIKey,
+		Extra: map[string]any{
+			"quota_notify_daily_enabled":   true,
+			"quota_notify_daily_threshold": 100.0,
+			"quota_daily_limit":            1000.0,
+			"quota_daily_used":             950.0,
+		},
+	}
+	// Global disabled → no processing even if a dim would cross.
+	s.CheckAccountQuotaAfterIncrement(context.Background(), a, 100, nil)
+}
+
+// ---------- sanity: internal helpers still work ----------
+
+func TestGetBalanceNotifyConfig_AllFields(t *testing.T) {
+	s, repo := newBalanceNotifyServiceForTest()
+	repo.data[SettingKeyBalanceLowNotifyEnabled] = "true"
+	repo.data[SettingKeyBalanceLowNotifyThreshold] = "12.5"
+	repo.data[SettingKeyBalanceLowNotifyRechargeURL] = "https://example.com/pay"
+
+	enabled, threshold, url := s.getBalanceNotifyConfig(context.Background())
+	require.True(t, enabled)
+	require.Equal(t, 12.5, threshold)
+	require.Equal(t, "https://example.com/pay", url)
+}
+
+func TestGetBalanceNotifyConfig_Disabled(t *testing.T) {
+	s, repo := newBalanceNotifyServiceForTest()
+	repo.data[SettingKeyBalanceLowNotifyEnabled] = "false"
+
+	enabled, _, _ := s.getBalanceNotifyConfig(context.Background())
+	require.False(t, enabled)
+}
+
+func TestGetBalanceNotifyConfig_InvalidThreshold(t *testing.T) {
+	s, repo := newBalanceNotifyServiceForTest()
+	repo.data[SettingKeyBalanceLowNotifyEnabled] = "true"
+	repo.data[SettingKeyBalanceLowNotifyThreshold] = "not-a-number"
+
+	enabled, threshold, _ := s.getBalanceNotifyConfig(context.Background())
+	require.True(t, enabled)
+	require.Equal(t, 0.0, threshold)
+}
+
+func TestIsAccountQuotaNotifyEnabled(t *testing.T) {
+	s, repo := newBalanceNotifyServiceForTest()
+
+	// Missing key → false
+	require.False(t, s.isAccountQuotaNotifyEnabled(context.Background()))
+
+	// Explicit "false"
+	repo.data[SettingKeyAccountQuotaNotifyEnabled] = "false"
+	require.False(t, s.isAccountQuotaNotifyEnabled(context.Background()))
+
+	// Explicit "true"
+	repo.data[SettingKeyAccountQuotaNotifyEnabled] = "true"
+	require.True(t, s.isAccountQuotaNotifyEnabled(context.Background()))
+}
+
+func TestGetSiteName_FallsBackToDefault(t *testing.T) {
+	s, _ := newBalanceNotifyServiceForTest()
+	name := s.getSiteName(context.Background())
+	require.Equal(t, defaultSiteName, name)
+}
+
+func TestGetSiteName_Configured(t *testing.T) {
+	s, repo := newBalanceNotifyServiceForTest()
+	repo.data[SettingKeySiteName] = "My Site"
+	require.Equal(t, "My Site", s.getSiteName(context.Background()))
+}
diff --git a/backend/internal/service/balance_notify_email_body_test.go b/backend/internal/service/balance_notify_email_body_test.go
new file mode 100644
index 00000000..9baf164e
--- /dev/null
+++ b/backend/internal/service/balance_notify_email_body_test.go
@@ -0,0 +1,147 @@
+//go:build unit
+
+package service
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+// These tests guard against fmt.Sprintf arg-count mismatches in the email
+// templates. A mismatch would produce "%!(EXTRA ...)" or "%!v(MISSING)" in
+// the output, which these assertions will catch.
+
+// ---------- buildBalanceLowEmailBody ----------
+
+func TestBuildBalanceLowEmailBody_ContainsRequiredFields(t *testing.T) {
+	s := &BalanceNotifyService{}
+	body := s.buildBalanceLowEmailBody("Alice", 3.14, 10.0, "MySite", "")
+
+	// All substituted values should appear in the output.
+	require.Contains(t, body, "MySite")
+	require.Contains(t, body, "Alice")
+	require.Contains(t, body, "$3.14")
+	require.Contains(t, body, "$10.00")
+
+	// No fmt.Sprintf format error markers.
+	require.NotContains(t, body, "%!")
+	require.NotContains(t, body, "MISSING")
+	require.NotContains(t, body, "EXTRA")
+}
+
+func TestBuildBalanceLowEmailBody_WithRechargeURL(t *testing.T) {
+	s := &BalanceNotifyService{}
+	body := s.buildBalanceLowEmailBody("Bob", 5.0, 20.0, "Site", "https://example.com/pay")
+
+	// The recharge anchor element should appear with the URL.
+	require.Contains(t, body, `href="https://example.com/pay"`)
+	require.Contains(t, body, "立即充值")
+	require.NotContains(t, body, "%!")
+}
+
+func TestBuildBalanceLowEmailBody_RechargeURLEscaped(t *testing.T) {
+	s := &BalanceNotifyService{}
+	// Try a URL with characters that need HTML escaping.
+	body := s.buildBalanceLowEmailBody("u", 1.0, 5.0, "Site", `https://example.com/?a=1&b=<script>`)
+
+	// `&` and `<` should be escaped in the href.
+	require.Contains(t, body, "&amp;")
+	require.Contains(t, body, "&lt;script&gt;")
+	require.NotContains(t, body, "<script>")
+}
+
+func TestBuildBalanceLowEmailBody_NoRechargeURLOmitsButton(t *testing.T) {
+	s := &BalanceNotifyService{}
+	body := s.buildBalanceLowEmailBody("u", 1.0, 5.0, "Site", "")
+	// The anchor element should not be rendered (style class may still appear).
+	require.NotContains(t, body, `<a href`)
+	require.NotContains(t, body, "立即充值")
+}
+
+// ---------- buildQuotaAlertEmailBody ----------
+
+func TestBuildQuotaAlertEmailBody_AllFieldsPresent(t *testing.T) {
+	s := &BalanceNotifyService{}
+	body := s.buildQuotaAlertEmailBody(
+		42,                      // accountID
+		"acc-foo",               // accountName
+		"anthropic",             // platform
+		"日限额 / Daily",          // dimLabel
+		750.50,                  // used
+		1000.0,                  // limit
+		249.50,                  // remaining
+		"$249.50",               // thresholdDisplay
+		"MySite",                // siteName
+	)
+
+	require.Contains(t, body, "MySite")
+	require.Contains(t, body, "#42")
+	require.Contains(t, body, "acc-foo")
+	require.Contains(t, body, "anthropic")
+	require.Contains(t, body, "Daily")
+	require.Contains(t, body, "$750.50")
+	require.Contains(t, body, "$1000.00")
+	require.Contains(t, body, "$249.50")
+
+	// No format error markers.
+	require.NotContains(t, body, "%!")
+	require.NotContains(t, body, "MISSING")
+	require.NotContains(t, body, "EXTRA")
+}
+
+func TestBuildQuotaAlertEmailBody_UnlimitedDisplay(t *testing.T) {
+	s := &BalanceNotifyService{}
+	body := s.buildQuotaAlertEmailBody(
+		1, "n", "p", "dim",
+		100.0, 0.0, // limit=0 triggers unlimited branch
+		0.0, "30%", "Site",
+	)
+	require.Contains(t, body, "无限制")
+	require.Contains(t, body, "Unlimited")
+}
+
+func TestBuildQuotaAlertEmailBody_PercentageThresholdDisplay(t *testing.T) {
+	s := &BalanceNotifyService{}
+	body := s.buildQuotaAlertEmailBody(
+		1, "n", "p", "dim",
+		700.0, 1000.0, 300.0,
+		"30%", // percentage-formatted threshold
+		"Site",
+	)
+	require.Contains(t, body, "30%")
+	require.NotContains(t, body, "%!")
+}
+
+func TestBuildQuotaAlertEmailBody_RemainingClampedAtZero(t *testing.T) {
+	// Even though caller is responsible for clamping, this test documents the
+	// display behavior with remaining=0.
+	s := &BalanceNotifyService{}
+	body := s.buildQuotaAlertEmailBody(
+		1, "n", "p", "dim",
+		1500.0, 1000.0, 0.0, // used > limit (over-quota)
+		"$100.00", "Site",
+	)
+	require.Contains(t, body, "$0.00")
+}
+
+// ---------- sanity checks on the CSS `%%` escape ----------
+
+func TestBuildBalanceLowEmailBody_NoCSSFormatError(t *testing.T) {
+	s := &BalanceNotifyService{}
+	body := s.buildBalanceLowEmailBody("u", 1.0, 5.0, "Site", "")
+	// CSS `linear-gradient(135deg, #f59e0b 0%, #d97706 100%)` should appear with
+	// literal percent signs (from the %% escape in the template).
+	require.True(t,
+		strings.Contains(body, "0%") && strings.Contains(body, "100%"),
+		"CSS gradient percentages not rendered; got: %s", body)
+}
+
+func TestBuildQuotaAlertEmailBody_NoCSSFormatError(t *testing.T) {
+	s := &BalanceNotifyService{}
+	body := s.buildQuotaAlertEmailBody(1, "n", "p", "d", 0, 0, 0, "$0.00", "Site")
+	require.True(t,
+		strings.Contains(body, "0%") && strings.Contains(body, "100%"),
+		"CSS gradient percentages not rendered; got: %s", body)
+}
diff --git a/backend/internal/service/balance_notify_service_test.go b/backend/internal/service/balance_notify_service_test.go
new file mode 100644
index 00000000..171307f4
--- /dev/null
+++ b/backend/internal/service/balance_notify_service_test.go
@@ -0,0 +1,280 @@
+//go:build unit
+
+package service
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+// ---------- resolveBalanceThreshold ----------
+
+func TestResolveBalanceThreshold_Fixed(t *testing.T) {
+	// Fixed type always returns the raw threshold regardless of totalRecharged.
+	require.Equal(t, 10.0, resolveBalanceThreshold(10, thresholdTypeFixed, 1000))
+	require.Equal(t, 10.0, resolveBalanceThreshold(10, thresholdTypeFixed, 0))
+	require.Equal(t, 0.0, resolveBalanceThreshold(0, thresholdTypeFixed, 1000))
+}
+
+func TestResolveBalanceThreshold_Percentage(t *testing.T) {
+	// 10% of 1000 = 100
+	require.Equal(t, 100.0, resolveBalanceThreshold(10, thresholdTypePercentage, 1000))
+	// 50% of 200 = 100
+	require.Equal(t, 100.0, resolveBalanceThreshold(50, thresholdTypePercentage, 200))
+}
+
+func TestResolveBalanceThreshold_PercentageZeroRecharged(t *testing.T) {
+	// When totalRecharged is 0, percentage falls through to raw threshold
+	// (treated as fixed). This is the defensive behavior.
+	require.Equal(t, 10.0, resolveBalanceThreshold(10, thresholdTypePercentage, 0))
+}
+
+func TestResolveBalanceThreshold_EmptyType(t *testing.T) {
+	// Empty type is treated as fixed (not percentage).
+	require.Equal(t, 10.0, resolveBalanceThreshold(10, "", 1000))
+}
+
+// ---------- quotaDim.resolvedThreshold ----------
+
+func TestResolvedThreshold_FixedNormal(t *testing.T) {
+	// threshold=400 remaining, limit=1000 → usage trigger at 600
+	d := quotaDim{threshold: 400, thresholdType: thresholdTypeFixed, limit: 1000}
+	require.Equal(t, 600.0, d.resolvedThreshold())
+}
+
+func TestResolvedThreshold_FixedThresholdExceedsLimit(t *testing.T) {
+	// threshold=1200, limit=1000 → returns negative, callers must skip
+	d := quotaDim{threshold: 1200, thresholdType: thresholdTypeFixed, limit: 1000}
+	require.Equal(t, -200.0, d.resolvedThreshold())
+}
+
+func TestResolvedThreshold_FixedThresholdEqualsLimit(t *testing.T) {
+	// threshold=1000, limit=1000 → returns 0 (alert fires at 0 usage)
+	d := quotaDim{threshold: 1000, thresholdType: thresholdTypeFixed, limit: 1000}
+	require.Equal(t, 0.0, d.resolvedThreshold())
+}
+
+func TestResolvedThreshold_PercentageNormal(t *testing.T) {
+	// threshold=30%, limit=1000 → usage trigger at 700 (remaining drops to 30%)
+	d := quotaDim{threshold: 30, thresholdType: thresholdTypePercentage, limit: 1000}
+	require.InDelta(t, 700.0, d.resolvedThreshold(), 0.001)
+}
+
+func TestResolvedThreshold_PercentageZeroPercent(t *testing.T) {
+	// threshold=0%, limit=1000 → fires when remaining drops to 0 (usage=1000)
+	d := quotaDim{threshold: 0, thresholdType: thresholdTypePercentage, limit: 1000}
+	require.InDelta(t, 1000.0, d.resolvedThreshold(), 0.001)
+}
+
+func TestResolvedThreshold_PercentageHundredPercent(t *testing.T) {
+	// threshold=100%, limit=1000 → fires immediately (remaining drops to 100% i.e. nothing used yet)
+	d := quotaDim{threshold: 100, thresholdType: thresholdTypePercentage, limit: 1000}
+	require.InDelta(t, 0.0, d.resolvedThreshold(), 0.001)
+}
+
+func TestResolvedThreshold_PercentageOverHundred(t *testing.T) {
+	// threshold=150%, limit=1000 → returns negative (never triggers; callers skip)
+	d := quotaDim{threshold: 150, thresholdType: thresholdTypePercentage, limit: 1000}
+	require.Less(t, d.resolvedThreshold(), 0.0)
+}
+
+func TestResolvedThreshold_ZeroLimit(t *testing.T) {
+	// limit=0 → returns 0 to avoid division and false alerts on unlimited quotas
+	d := quotaDim{threshold: 100, thresholdType: thresholdTypeFixed, limit: 0}
+	require.Equal(t, 0.0, d.resolvedThreshold())
+}
+
+func TestResolvedThreshold_NegativeLimit(t *testing.T) {
+	// Negative limit treated as 0
+	d := quotaDim{threshold: 100, thresholdType: thresholdTypeFixed, limit: -10}
+	require.Equal(t, 0.0, d.resolvedThreshold())
+}
+
+// ---------- sanitizeEmailHeader ----------
+
+func TestSanitizeEmailHeader_CRLF(t *testing.T) {
+	require.Equal(t, "Subject injected", sanitizeEmailHeader("Subject\r\n injected"))
+}
+
+func TestSanitizeEmailHeader_OnlyCR(t *testing.T) {
+	require.Equal(t, "foobar", sanitizeEmailHeader("foo\rbar"))
+}
+
+func TestSanitizeEmailHeader_OnlyLF(t *testing.T) {
+	require.Equal(t, "foobar", sanitizeEmailHeader("foo\nbar"))
+}
+
+func TestSanitizeEmailHeader_Clean(t *testing.T) {
+	require.Equal(t, "Sub2API", sanitizeEmailHeader("Sub2API"))
+}
+
+func TestSanitizeEmailHeader_Empty(t *testing.T) {
+	require.Equal(t, "", sanitizeEmailHeader(""))
+}
+
+func TestSanitizeEmailHeader_MultipleNewlines(t *testing.T) {
+	require.Equal(t, "abc", sanitizeEmailHeader("a\r\nb\r\nc"))
+}
+
+// ---------- buildQuotaDims ----------
+
+func TestBuildQuotaDims_AllDimensionsReturned(t *testing.T) {
+	// Use an account with quota notify config across all 3 dimensions.
+	a := &Account{
+		Platform: PlatformAnthropic,
+		Type:     AccountTypeAPIKey,
+		Extra: map[string]any{
+			"quota_notify_daily_enabled":         true,
+			"quota_notify_daily_threshold":       100.0,
+			"quota_notify_daily_threshold_type":  thresholdTypeFixed,
+			"quota_notify_weekly_enabled":        true,
+			"quota_notify_weekly_threshold":      20.0,
+			"quota_notify_weekly_threshold_type": thresholdTypePercentage,
+			"quota_notify_total_enabled":         false,
+			"quota_daily_limit":                  500.0,
+			"quota_weekly_limit":                 2000.0,
+			"quota_limit":                        10000.0,
+			"quota_daily_used":                   50.0,
+			"quota_weekly_used":                  300.0,
+			"quota_used":                         1000.0,
+		},
+	}
+
+	dims := buildQuotaDims(a)
+	require.Len(t, dims, 3)
+
+	// Daily
+	require.Equal(t, quotaDimDaily, dims[0].name)
+	require.True(t, dims[0].enabled)
+	require.Equal(t, 100.0, dims[0].threshold)
+	require.Equal(t, thresholdTypeFixed, dims[0].thresholdType)
+	require.Equal(t, 500.0, dims[0].limit)
+	require.Equal(t, 50.0, dims[0].currentUsed)
+
+	// Weekly
+	require.Equal(t, quotaDimWeekly, dims[1].name)
+	require.True(t, dims[1].enabled)
+	require.Equal(t, 20.0, dims[1].threshold)
+	require.Equal(t, thresholdTypePercentage, dims[1].thresholdType)
+	require.Equal(t, 2000.0, dims[1].limit)
+
+	// Total
+	require.Equal(t, quotaDimTotal, dims[2].name)
+	require.False(t, dims[2].enabled)
+	require.Equal(t, 10000.0, dims[2].limit)
+	require.Equal(t, 1000.0, dims[2].currentUsed)
+}
+
+func TestBuildQuotaDims_EmptyExtra(t *testing.T) {
+	// Missing fields default to zero/disabled.
+	a := &Account{
+		Platform: PlatformAnthropic,
+		Type:     AccountTypeAPIKey,
+		Extra:    map[string]any{},
+	}
+	dims := buildQuotaDims(a)
+	require.Len(t, dims, 3)
+	for _, d := range dims {
+		require.False(t, d.enabled)
+		require.Equal(t, 0.0, d.threshold)
+		require.Equal(t, 0.0, d.limit)
+	}
+}
+
+// ---------- buildQuotaDimsFromState ----------
+
+func TestBuildQuotaDimsFromState_UsesStateValues(t *testing.T) {
+	// Usage values should come from the state, not the account.
+	a := &Account{
+		Platform: PlatformAnthropic,
+		Type:     AccountTypeAPIKey,
+		Extra: map[string]any{
+			"quota_notify_daily_enabled":   true,
+			"quota_notify_daily_threshold": 100.0,
+			"quota_daily_used":             999.0, // should be ignored
+			"quota_daily_limit":            999.0, // should be ignored
+		},
+	}
+	state := &AccountQuotaState{
+		DailyUsed:   77.0,
+		DailyLimit:  500.0,
+		WeeklyUsed:  88.0,
+		WeeklyLimit: 2000.0,
+		TotalUsed:   99.0,
+		TotalLimit:  10000.0,
+	}
+	dims := buildQuotaDimsFromState(a, state)
+	require.Len(t, dims, 3)
+	// Settings from account (enabled, threshold, thresholdType)
+	require.True(t, dims[0].enabled)
+	require.Equal(t, 100.0, dims[0].threshold)
+	// Usage from state
+	require.Equal(t, 77.0, dims[0].currentUsed)
+	require.Equal(t, 500.0, dims[0].limit)
+	require.Equal(t, 88.0, dims[1].currentUsed)
+	require.Equal(t, 2000.0, dims[1].limit)
+	require.Equal(t, 99.0, dims[2].currentUsed)
+	require.Equal(t, 10000.0, dims[2].limit)
+}
+
+// ---------- collectBalanceNotifyRecipients ----------
+
+func TestCollectBalanceNotifyRecipients_Empty(t *testing.T) {
+	s := &BalanceNotifyService{}
+	u := &User{BalanceNotifyExtraEmails: nil}
+	require.Empty(t, s.collectBalanceNotifyRecipients(u))
+}
+
+func TestCollectBalanceNotifyRecipients_FiltersDisabledAndUnverified(t *testing.T) {
+	s := &BalanceNotifyService{}
+	u := &User{
+		BalanceNotifyExtraEmails: []NotifyEmailEntry{
+			{Email: "a@example.com", Verified: true, Disabled: false},
+			{Email: "b@example.com", Verified: true, Disabled: true},   // disabled
+			{Email: "c@example.com", Verified: false, Disabled: false}, // unverified
+			{Email: "d@example.com", Verified: true, Disabled: false},
+		},
+	}
+	got := s.collectBalanceNotifyRecipients(u)
+	require.Equal(t, []string{"a@example.com", "d@example.com"}, got)
+}
+
+func TestCollectBalanceNotifyRecipients_DeduplicatesCaseInsensitive(t *testing.T) {
+	s := &BalanceNotifyService{}
+	u := &User{
+		BalanceNotifyExtraEmails: []NotifyEmailEntry{
+			{Email: "User@Example.com", Verified: true},
+			{Email: "user@example.com", Verified: true},
+			{Email: "USER@EXAMPLE.COM", Verified: true},
+		},
+	}
+	got := s.collectBalanceNotifyRecipients(u)
+	require.Len(t, got, 1)
+	// The original casing of the first entry is preserved.
+	require.Equal(t, "User@Example.com", got[0])
+}
+
+func TestCollectBalanceNotifyRecipients_SkipsEmpty(t *testing.T) {
+	s := &BalanceNotifyService{}
+	u := &User{
+		BalanceNotifyExtraEmails: []NotifyEmailEntry{
+			{Email: "  ", Verified: true},
+			{Email: "", Verified: true},
+			{Email: "valid@example.com", Verified: true},
+		},
+	}
+	got := s.collectBalanceNotifyRecipients(u)
+	require.Equal(t, []string{"valid@example.com"}, got)
+}
+
+func TestCollectBalanceNotifyRecipients_TrimsWhitespace(t *testing.T) {
+	s := &BalanceNotifyService{}
+	u := &User{
+		BalanceNotifyExtraEmails: []NotifyEmailEntry{
+			{Email: "  trimmed@example.com  ", Verified: true},
+		},
+	}
+	got := s.collectBalanceNotifyRecipients(u)
+	require.Equal(t, []string{"trimmed@example.com"}, got)
+}
diff --git a/backend/internal/service/payment_config_plans_validation_test.go b/backend/internal/service/payment_config_plans_validation_test.go
new file mode 100644
index 00000000..bc9c0048
--- /dev/null
+++ b/backend/internal/service/payment_config_plans_validation_test.go
@@ -0,0 +1,89 @@
+//go:build unit
+
+package service
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestValidatePlanRequired_AllValid(t *testing.T) {
+	err := validatePlanRequired("Pro", 1, 9.99, 30, "days")
+	require.NoError(t, err)
+}
+
+func TestValidatePlanRequired_EmptyName(t *testing.T) {
+	err := validatePlanRequired("", 1, 9.99, 30, "days")
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "plan name")
+}
+
+func TestValidatePlanRequired_WhitespaceName(t *testing.T) {
+	err := validatePlanRequired("   ", 1, 9.99, 30, "days")
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "plan name")
+}
+
+func TestValidatePlanRequired_ZeroGroupID(t *testing.T) {
+	err := validatePlanRequired("Pro", 0, 9.99, 30, "days")
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "group")
+}
+
+func TestValidatePlanRequired_NegativeGroupID(t *testing.T) {
+	err := validatePlanRequired("Pro", -1, 9.99, 30, "days")
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "group")
+}
+
+func TestValidatePlanRequired_ZeroPrice(t *testing.T) {
+	err := validatePlanRequired("Pro", 1, 0, 30, "days")
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "price")
+}
+
+func TestValidatePlanRequired_NegativePrice(t *testing.T) {
+	err := validatePlanRequired("Pro", 1, -5, 30, "days")
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "price")
+}
+
+func TestValidatePlanRequired_ZeroValidityDays(t *testing.T) {
+	err := validatePlanRequired("Pro", 1, 9.99, 0, "days")
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "validity days")
+}
+
+func TestValidatePlanRequired_NegativeValidityDays(t *testing.T) {
+	err := validatePlanRequired("Pro", 1, 9.99, -7, "days")
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "validity days")
+}
+
+func TestValidatePlanRequired_EmptyValidityUnit(t *testing.T) {
+	err := validatePlanRequired("Pro", 1, 9.99, 30, "")
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "validity unit")
+}
+
+func TestValidatePlanRequired_WhitespaceValidityUnit(t *testing.T) {
+	err := validatePlanRequired("Pro", 1, 9.99, 30, "   ")
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "validity unit")
+}
+
+func TestValidatePlanRequired_NameValidatedFirst(t *testing.T) {
+	// When multiple fields are invalid, name should be reported first
+	// (follows the order of checks in the function).
+	err := validatePlanRequired("", 0, 0, 0, "")
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "plan name")
+}
+
+func TestValidatePlanRequired_TrimmedValidName(t *testing.T) {
+	// Whitespace-surrounded but non-empty name is accepted (trimmed check only
+	// rejects pure whitespace).
+	err := validatePlanRequired("  Pro  ", 1, 9.99, 30, "days")
+	require.NoError(t, err)
+}

From ed8a9d975b5c4b4d42893305e07adb548db2683a Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Mon, 13 Apr 2026 21:38:51 +0800
Subject: [PATCH 072/122] =?UTF-8?q?fix:=20batch=201=20audit=20fixes=20?=
 =?UTF-8?q?=E2=80=94=20quota=20SQL=20fixed=20mode,=20public=20recharge=20U?=
 =?UTF-8?q?RL,=20WebSearch=20bool=20fallback,=20UpdatePlan=20validation?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

H1: incrementUsageBillingAccountQuota now uses shared dailyExpiredExpr/weeklyExpiredExpr
    constants (supporting fixed reset mode) instead of hardcoded '24 hours'/'168 hours'
H4: public settings endpoint now maps balance_low_notify_recharge_url
H6: GetWebSearchEmulationMode tolerates legacy bool values (true→enabled)
H7: UpdatePlan validates non-nil patch fields (rejects negative price, empty name, etc.)
H8: UsageTable accountBilled() helper with total_cost ?? 0 null guard
H9: AdminUsageLog TS type adds channel_id + billing_tier
M2: account.go "fixed" literals replaced with thresholdTypeFixed constant
M13: SystemSettings TS type adds web_search_emulation_enabled
UI: QuotaLimitCard title labels now use flex-1 to align with flex-1 input boxes
---
 backend/cmd/server/VERSION                    |  2 +-
 backend/internal/handler/setting_handler.go   |  1 +
 .../internal/repository/usage_billing_repo.go | 18 ++++---
 backend/internal/service/account.go           | 20 +++++--
 .../service/account_websearch_test.go         |  4 +-
 .../internal/service/payment_config_plans.go  | 54 +++++++++++++++++--
 frontend/src/api/admin/settings.ts            |  1 +
 .../src/components/account/QuotaLimitCard.vue | 12 ++---
 .../src/components/admin/usage/UsageTable.vue | 15 +++++-
 frontend/src/types/index.ts                   |  4 ++
 10 files changed, 104 insertions(+), 27 deletions(-)

diff --git a/backend/cmd/server/VERSION b/backend/cmd/server/VERSION
index 76129f5c..0ac4459d 100644
--- a/backend/cmd/server/VERSION
+++ b/backend/cmd/server/VERSION
@@ -1 +1 @@
-0.1.110.44
+0.1.110.47
diff --git a/backend/internal/handler/setting_handler.go b/backend/internal/handler/setting_handler.go
index 69ffd287..1717b7a1 100644
--- a/backend/internal/handler/setting_handler.go
+++ b/backend/internal/handler/setting_handler.go
@@ -64,5 +64,6 @@ func (h *SettingHandler) GetPublicSettings(c *gin.Context) {
 		BalanceLowNotifyEnabled:          settings.BalanceLowNotifyEnabled,
 		AccountQuotaNotifyEnabled:        settings.AccountQuotaNotifyEnabled,
 		BalanceLowNotifyThreshold:        settings.BalanceLowNotifyThreshold,
+		BalanceLowNotifyRechargeURL:      settings.BalanceLowNotifyRechargeURL,
 	})
 }
diff --git a/backend/internal/repository/usage_billing_repo.go b/backend/internal/repository/usage_billing_repo.go
index b4c76da5..cd54baa3 100644
--- a/backend/internal/repository/usage_billing_repo.go
+++ b/backend/internal/repository/usage_billing_repo.go
@@ -248,30 +248,32 @@ func incrementUsageBillingAccountQuota(ctx context.Context, tx *sql.Tx, accountI
 			|| CASE WHEN COALESCE((extra->>'quota_daily_limit')::numeric, 0) > 0 THEN
 				jsonb_build_object(
 					'quota_daily_used',
-					CASE WHEN COALESCE((extra->>'quota_daily_start')::timestamptz, '1970-01-01'::timestamptz)
-						+ '24 hours'::interval <= NOW()
+					CASE WHEN `+dailyExpiredExpr+`
 					THEN $1
 					ELSE COALESCE((extra->>'quota_daily_used')::numeric, 0) + $1 END,
 					'quota_daily_start',
-					CASE WHEN COALESCE((extra->>'quota_daily_start')::timestamptz, '1970-01-01'::timestamptz)
-						+ '24 hours'::interval <= NOW()
+					CASE WHEN `+dailyExpiredExpr+`
 					THEN `+nowUTC+`
 					ELSE COALESCE(extra->>'quota_daily_start', `+nowUTC+`) END
 				)
+				|| CASE WHEN `+dailyExpiredExpr+` AND `+nextDailyResetAtExpr+` IS NOT NULL
+				   THEN jsonb_build_object('quota_daily_reset_at', `+nextDailyResetAtExpr+`)
+				   ELSE '{}'::jsonb END
 			ELSE '{}'::jsonb END
 			|| CASE WHEN COALESCE((extra->>'quota_weekly_limit')::numeric, 0) > 0 THEN
 				jsonb_build_object(
 					'quota_weekly_used',
-					CASE WHEN COALESCE((extra->>'quota_weekly_start')::timestamptz, '1970-01-01'::timestamptz)
-						+ '168 hours'::interval <= NOW()
+					CASE WHEN `+weeklyExpiredExpr+`
 					THEN $1
 					ELSE COALESCE((extra->>'quota_weekly_used')::numeric, 0) + $1 END,
 					'quota_weekly_start',
-					CASE WHEN COALESCE((extra->>'quota_weekly_start')::timestamptz, '1970-01-01'::timestamptz)
-						+ '168 hours'::interval <= NOW()
+					CASE WHEN `+weeklyExpiredExpr+`
 					THEN `+nowUTC+`
 					ELSE COALESCE(extra->>'quota_weekly_start', `+nowUTC+`) END
 				)
+				|| CASE WHEN `+weeklyExpiredExpr+` AND `+nextWeeklyResetAtExpr+` IS NOT NULL
+				   THEN jsonb_build_object('quota_weekly_reset_at', `+nextWeeklyResetAtExpr+`)
+				   ELSE '{}'::jsonb END
 			ELSE '{}'::jsonb END
 		), updated_at = NOW()
 		WHERE id = $2 AND deleted_at IS NULL
diff --git a/backend/internal/service/account.go b/backend/internal/service/account.go
index 4d933986..4a4c0889 100644
--- a/backend/internal/service/account.go
+++ b/backend/internal/service/account.go
@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"errors"
 	"hash/fnv"
+	"log/slog"
 	"reflect"
 	"sort"
 	"strconv"
@@ -1178,12 +1179,21 @@ const (
 
 // GetWebSearchEmulationMode 返回账号的 WebSearch 模拟模式。
 // 三态：default（跟随渠道）/ enabled（强制开启）/ disabled（强制关闭）。
-// 旧 bool 值需通过 SQL 迁移脚本转换，Go 代码不做兼容。
+// 兼容旧 bool 值：true→enabled, false→default（并记录 debug 日志）。
 func (a *Account) GetWebSearchEmulationMode() string {
 	if a == nil || a.Platform != PlatformAnthropic || a.Type != AccountTypeAPIKey || a.Extra == nil {
 		return WebSearchModeDefault
 	}
-	mode, ok := a.Extra[featureKeyWebSearchEmulation].(string)
+	raw := a.Extra[featureKeyWebSearchEmulation]
+	// Tolerant: legacy bool values (pre-migration or stale writes)
+	if b, ok := raw.(bool); ok {
+		slog.Debug("legacy bool web_search_emulation value", "account_id", a.ID, "value", b)
+		if b {
+			return WebSearchModeEnabled
+		}
+		return WebSearchModeDefault
+	}
+	mode, ok := raw.(string)
 	if !ok {
 		return WebSearchModeDefault
 	}
@@ -1522,7 +1532,7 @@ func (a *Account) GetQuotaNotifyDailyThreshold() float64 {
 }
 
 func (a *Account) GetQuotaNotifyDailyThresholdType() string {
-	return a.getExtraStringDefault("quota_notify_daily_threshold_type", "fixed")
+	return a.getExtraStringDefault("quota_notify_daily_threshold_type", thresholdTypeFixed)
 }
 
 func (a *Account) GetQuotaNotifyWeeklyEnabled() bool {
@@ -1534,7 +1544,7 @@ func (a *Account) GetQuotaNotifyWeeklyThreshold() float64 {
 }
 
 func (a *Account) GetQuotaNotifyWeeklyThresholdType() string {
-	return a.getExtraStringDefault("quota_notify_weekly_threshold_type", "fixed")
+	return a.getExtraStringDefault("quota_notify_weekly_threshold_type", thresholdTypeFixed)
 }
 
 func (a *Account) GetQuotaNotifyTotalEnabled() bool {
@@ -1546,7 +1556,7 @@ func (a *Account) GetQuotaNotifyTotalThreshold() float64 {
 }
 
 func (a *Account) GetQuotaNotifyTotalThresholdType() string {
-	return a.getExtraStringDefault("quota_notify_total_threshold_type", "fixed")
+	return a.getExtraStringDefault("quota_notify_total_threshold_type", thresholdTypeFixed)
 }
 
 // nextFixedDailyReset 计算在 after 之后的下一个每日固定重置时间点
diff --git a/backend/internal/service/account_websearch_test.go b/backend/internal/service/account_websearch_test.go
index b4d23c6b..6ed69d4c 100644
--- a/backend/internal/service/account_websearch_test.go
+++ b/backend/internal/service/account_websearch_test.go
@@ -50,8 +50,8 @@ func TestGetWebSearchEmulationMode_OldBoolTrue(t *testing.T) {
 		Type:     AccountTypeAPIKey,
 		Extra:    map[string]any{featureKeyWebSearchEmulation: true},
 	}
-	// bool is not a string, type assertion fails → default
-	require.Equal(t, WebSearchModeDefault, a.GetWebSearchEmulationMode())
+	// bool true → tolerant fallback → enabled (not default)
+	require.Equal(t, WebSearchModeEnabled, a.GetWebSearchEmulationMode())
 }
 
 func TestGetWebSearchEmulationMode_OldBoolFalse(t *testing.T) {
diff --git a/backend/internal/service/payment_config_plans.go b/backend/internal/service/payment_config_plans.go
index 8a3e2950..8a5e1924 100644
--- a/backend/internal/service/payment_config_plans.go
+++ b/backend/internal/service/payment_config_plans.go
@@ -3,6 +3,7 @@ package service
 import (
 	"context"
 	"fmt"
+	"strings"
 
 	dbent "github.com/Wei-Shaw/sub2api/ent"
 	"github.com/Wei-Shaw/sub2api/ent/group"
@@ -10,6 +11,46 @@ import (
 	infraerrors "github.com/Wei-Shaw/sub2api/internal/pkg/errors"
 )
 
+// validatePlanRequired checks that all required fields for a plan are provided.
+func validatePlanRequired(name string, groupID int64, price float64, validityDays int, validityUnit string) error {
+	if strings.TrimSpace(name) == "" {
+		return infraerrors.BadRequest("PLAN_NAME_REQUIRED", "plan name is required")
+	}
+	if groupID <= 0 {
+		return infraerrors.BadRequest("PLAN_GROUP_REQUIRED", "group is required")
+	}
+	if price <= 0 {
+		return infraerrors.BadRequest("PLAN_PRICE_INVALID", "price must be > 0")
+	}
+	if validityDays <= 0 {
+		return infraerrors.BadRequest("PLAN_VALIDITY_REQUIRED", "validity days must be > 0")
+	}
+	if strings.TrimSpace(validityUnit) == "" {
+		return infraerrors.BadRequest("PLAN_VALIDITY_UNIT_REQUIRED", "validity unit is required")
+	}
+	return nil
+}
+
+// validatePlanPatch validates only the non-nil fields in a patch update.
+func validatePlanPatch(req UpdatePlanRequest) error {
+	if req.Name != nil && strings.TrimSpace(*req.Name) == "" {
+		return infraerrors.BadRequest("PLAN_NAME_REQUIRED", "plan name is required")
+	}
+	if req.GroupID != nil && *req.GroupID <= 0 {
+		return infraerrors.BadRequest("PLAN_GROUP_REQUIRED", "group is required")
+	}
+	if req.Price != nil && *req.Price <= 0 {
+		return infraerrors.BadRequest("PLAN_PRICE_INVALID", "price must be > 0")
+	}
+	if req.ValidityDays != nil && *req.ValidityDays <= 0 {
+		return infraerrors.BadRequest("PLAN_VALIDITY_REQUIRED", "validity days must be > 0")
+	}
+	if req.ValidityUnit != nil && strings.TrimSpace(*req.ValidityUnit) == "" {
+		return infraerrors.BadRequest("PLAN_VALIDITY_UNIT_REQUIRED", "validity unit is required")
+	}
+	return nil
+}
+
 // --- Plan CRUD ---
 
 // PlanGroupInfo holds the group details needed for subscription plan display.
@@ -66,14 +107,17 @@ func (s *PaymentConfigService) GetGroupInfoMap(ctx context.Context, plans []*dbe
 }
 
 func (s *PaymentConfigService) ListPlans(ctx context.Context) ([]*dbent.SubscriptionPlan, error) {
-	return s.entClient.SubscriptionPlan.Query().Order(subscriptionplan.BySortOrder()).All(ctx)
+	return s.entClient.SubscriptionPlan.Query().Order(subscriptionplan.ByCreatedAt()).All(ctx)
 }
 
 func (s *PaymentConfigService) ListPlansForSale(ctx context.Context) ([]*dbent.SubscriptionPlan, error) {
-	return s.entClient.SubscriptionPlan.Query().Where(subscriptionplan.ForSaleEQ(true)).Order(subscriptionplan.BySortOrder()).All(ctx)
+	return s.entClient.SubscriptionPlan.Query().Where(subscriptionplan.ForSaleEQ(true)).Order(subscriptionplan.ByCreatedAt()).All(ctx)
 }
 
 func (s *PaymentConfigService) CreatePlan(ctx context.Context, req CreatePlanRequest) (*dbent.SubscriptionPlan, error) {
+	if err := validatePlanRequired(req.Name, req.GroupID, req.Price, req.ValidityDays, req.ValidityUnit); err != nil {
+		return nil, err
+	}
 	b := s.entClient.SubscriptionPlan.Create().
 		SetGroupID(req.GroupID).SetName(req.Name).SetDescription(req.Description).
 		SetPrice(req.Price).SetValidityDays(req.ValidityDays).SetValidityUnit(req.ValidityUnit).
@@ -86,8 +130,12 @@ func (s *PaymentConfigService) CreatePlan(ctx context.Context, req CreatePlanReq
 }
 
 // UpdatePlan updates a subscription plan by ID (patch semantics).
-// NOTE: This function exceeds 30 lines due to per-field nil-check patch update boilerplate.
+// NOTE: This function exceeds 30 lines due to per-field nil-check patch update boilerplate
+// plus a validation guard for non-nil fields.
 func (s *PaymentConfigService) UpdatePlan(ctx context.Context, id int64, req UpdatePlanRequest) (*dbent.SubscriptionPlan, error) {
+	if err := validatePlanPatch(req); err != nil {
+		return nil, err
+	}
 	u := s.entClient.SubscriptionPlan.UpdateOneID(id)
 	if req.GroupID != nil {
 		u.SetGroupID(*req.GroupID)
diff --git a/frontend/src/api/admin/settings.ts b/frontend/src/api/admin/settings.ts
index 76c94cd8..4b5eb242 100644
--- a/frontend/src/api/admin/settings.ts
+++ b/frontend/src/api/admin/settings.ts
@@ -114,6 +114,7 @@ export interface SystemSettings {
   enable_fingerprint_unification: boolean
   enable_metadata_passthrough: boolean
   enable_cch_signing: boolean
+  web_search_emulation_enabled?: boolean
 
   // Payment configuration
   payment_enabled: boolean
diff --git a/frontend/src/components/account/QuotaLimitCard.vue b/frontend/src/components/account/QuotaLimitCard.vue
index ff5c11f5..5f0c7c2c 100644
--- a/frontend/src/components/account/QuotaLimitCard.vue
+++ b/frontend/src/components/account/QuotaLimitCard.vue
@@ -201,8 +201,8 @@ const onWeeklyModeChange = (e: Event) => {
         <div>
           <!-- 标题行（仅全局通知开启时显示） -->
           <div v-if="quotaNotifyGlobalEnabled" class="flex items-center gap-2 mb-1">
-            <span class="text-xs font-medium text-gray-700 dark:text-gray-300 w-28 flex-shrink-0">{{ t('admin.accounts.quotaDailyLimit') }}</span>
-            <span v-if="dailyLimit && dailyLimit > 0" class="text-xs font-medium text-gray-700 dark:text-gray-300">{{ t('admin.accounts.quotaNotify.alert') }}</span>
+            <span class="text-xs font-medium text-gray-700 dark:text-gray-300 flex-1 min-w-0">{{ t('admin.accounts.quotaDailyLimit') }}</span>
+            <span v-if="dailyLimit && dailyLimit > 0" class="text-xs font-medium text-gray-700 dark:text-gray-300 flex-1 min-w-0">{{ t('admin.accounts.quotaNotify.alert') }}</span>
           </div>
           <label v-else class="text-xs font-medium text-gray-700 dark:text-gray-300 mb-1 block">{{ t('admin.accounts.quotaDailyLimit') }}</label>
           <!-- 输入行 -->
@@ -240,8 +240,8 @@ const onWeeklyModeChange = (e: Event) => {
         <!-- 周配额 -->
         <div>
           <div v-if="quotaNotifyGlobalEnabled" class="flex items-center gap-2 mb-1">
-            <span class="text-xs font-medium text-gray-700 dark:text-gray-300 w-28 flex-shrink-0">{{ t('admin.accounts.quotaWeeklyLimit') }}</span>
-            <span v-if="weeklyLimit && weeklyLimit > 0" class="text-xs font-medium text-gray-700 dark:text-gray-300">{{ t('admin.accounts.quotaNotify.alert') }}</span>
+            <span class="text-xs font-medium text-gray-700 dark:text-gray-300 flex-1 min-w-0">{{ t('admin.accounts.quotaWeeklyLimit') }}</span>
+            <span v-if="weeklyLimit && weeklyLimit > 0" class="text-xs font-medium text-gray-700 dark:text-gray-300 flex-1 min-w-0">{{ t('admin.accounts.quotaNotify.alert') }}</span>
           </div>
           <label v-else class="text-xs font-medium text-gray-700 dark:text-gray-300 mb-1 block">{{ t('admin.accounts.quotaWeeklyLimit') }}</label>
           <div class="flex items-center gap-2">
@@ -290,8 +290,8 @@ const onWeeklyModeChange = (e: Event) => {
         <!-- 总配额 -->
         <div>
           <div v-if="quotaNotifyGlobalEnabled" class="flex items-center gap-2 mb-1">
-            <span class="text-xs font-medium text-gray-700 dark:text-gray-300 w-28 flex-shrink-0">{{ t('admin.accounts.quotaTotalLimit') }}</span>
-            <span v-if="totalLimit && totalLimit > 0" class="text-xs font-medium text-gray-700 dark:text-gray-300">{{ t('admin.accounts.quotaNotify.alert') }}</span>
+            <span class="text-xs font-medium text-gray-700 dark:text-gray-300 flex-1 min-w-0">{{ t('admin.accounts.quotaTotalLimit') }}</span>
+            <span v-if="totalLimit && totalLimit > 0" class="text-xs font-medium text-gray-700 dark:text-gray-300 flex-1 min-w-0">{{ t('admin.accounts.quotaNotify.alert') }}</span>
           </div>
           <label v-else class="text-xs font-medium text-gray-700 dark:text-gray-300 mb-1 block">{{ t('admin.accounts.quotaTotalLimit') }}</label>
           <div class="flex items-center gap-2">
diff --git a/frontend/src/components/admin/usage/UsageTable.vue b/frontend/src/components/admin/usage/UsageTable.vue
index c405e66b..441e89e0 100644
--- a/frontend/src/components/admin/usage/UsageTable.vue
+++ b/frontend/src/components/admin/usage/UsageTable.vue
@@ -155,7 +155,7 @@
               </div>
             </div>
             <div v-if="row.account_rate_multiplier != null" class="mt-0.5 text-[11px] text-gray-400">
-              A ${{ (row.total_cost * row.account_rate_multiplier).toFixed(6) }}
+              A ${{ accountBilled(row).toFixed(6) }}
             </div>
           </div>
         </template>
@@ -328,7 +328,11 @@
           <div class="flex items-center justify-between gap-6 border-t border-gray-700 pt-1.5">
             <span class="text-gray-400">{{ t('usage.accountBilled') }}</span>
             <span class="font-semibold text-green-400">
-              ${{ (((tooltipData?.total_cost || 0) * (tooltipData?.account_rate_multiplier ?? 1)) || 0).toFixed(6) }}
+              ${{ accountBilled({
+                total_cost: tooltipData?.total_cost,
+                account_stats_cost: tooltipData?.account_stats_cost,
+                account_rate_multiplier: tooltipData?.account_rate_multiplier,
+              }).toFixed(6) }}
             </span>
           </div>
         </div>
@@ -347,6 +351,13 @@ import { formatTokenPricePerMillion } from '@/utils/usagePricing'
 import { getUsageServiceTierLabel } from '@/utils/usageServiceTier'
 import { resolveUsageRequestType } from '@/utils/usageRequestType'
 import { getBillingModeLabel, getBillingModeBadgeClass } from '@/utils/billingMode'
+
+/** Compute the account-billed cost for display: (account_stats_cost ?? total_cost) * rate_multiplier */
+function accountBilled(row: { total_cost?: number | null; account_stats_cost?: number | null; account_rate_multiplier?: number | null }): number {
+  const base = row.account_stats_cost != null ? row.account_stats_cost : (row.total_cost ?? 0)
+  return base * (row.account_rate_multiplier ?? 1)
+}
+
 import DataTable from '@/components/common/DataTable.vue'
 import EmptyState from '@/components/common/EmptyState.vue'
 import Icon from '@/components/icons/Icon.vue'
diff --git a/frontend/src/types/index.ts b/frontend/src/types/index.ts
index 8d30b642..ebb58a21 100644
--- a/frontend/src/types/index.ts
+++ b/frontend/src/types/index.ts
@@ -1067,6 +1067,10 @@ export interface AdminUsageLog extends UsageLog {
   // 账号计费倍率（仅管理员可见）
   account_rate_multiplier?: number | null
 
+  // 渠道 ID 和计费等级（仅管理员可见）
+  channel_id?: number | null
+  billing_tier?: string | null
+
   // 用户请求 IP（仅管理员可见）
   ip_address?: string | null
 

From 9d319cfa2d85853086a66bcfb6697340d41ad1cd Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Mon, 13 Apr 2026 21:54:01 +0800
Subject: [PATCH 073/122] =?UTF-8?q?fix:=20batch=202=20audit=20fixes=20?=
 =?UTF-8?q?=E2=80=94=20diffSettings=20notify=20fields,=20slog=20migration,?=
 =?UTF-8?q?=20frontend=20constants?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

H5: diffSettings now tracks 5 balance/quota notify fields in audit log
M15: log.Printf audit log migrated to slog.Info, removed "log" import
M14: New frontend/src/constants/account.ts with shared constants
     QuotaNotifyToggle.vue uses QUOTA_THRESHOLD_TYPE_FIXED/PERCENTAGE
L2: UsageTable.vue uses BILLING_MODE_TOKEN/IMAGE from billingMode.ts
---
 backend/cmd/server/VERSION                    |  2 +-
 .../internal/handler/admin/setting_handler.go | 41 +++++++++++++++----
 .../components/account/QuotaNotifyToggle.vue  | 12 +++---
 .../src/components/admin/usage/UsageTable.vue |  8 ++--
 frontend/src/constants/account.ts             | 10 +++++
 5 files changed, 56 insertions(+), 17 deletions(-)
 create mode 100644 frontend/src/constants/account.ts

diff --git a/backend/cmd/server/VERSION b/backend/cmd/server/VERSION
index 0ac4459d..bc34277a 100644
--- a/backend/cmd/server/VERSION
+++ b/backend/cmd/server/VERSION
@@ -1 +1 @@
-0.1.110.47
+0.1.110.48
diff --git a/backend/internal/handler/admin/setting_handler.go b/backend/internal/handler/admin/setting_handler.go
index bc6d183c..0c1606ea 100644
--- a/backend/internal/handler/admin/setting_handler.go
+++ b/backend/internal/handler/admin/setting_handler.go
@@ -5,11 +5,10 @@ import (
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
-	"log"
+	"log/slog"
 	"net/http"
 	"regexp"
 	"strings"
-	"time"
 
 	"github.com/Wei-Shaw/sub2api/internal/config"
 	"github.com/Wei-Shaw/sub2api/internal/handler/dto"
@@ -1120,11 +1119,11 @@ func (h *SettingHandler) auditSettingsUpdate(c *gin.Context, before *service.Sys
 
 	subject, _ := middleware.GetAuthSubjectFromContext(c)
 	role, _ := middleware.GetUserRoleFromContext(c)
-	log.Printf("AUDIT: settings updated at=%s user_id=%d role=%s changed=%v",
-		time.Now().UTC().Format(time.RFC3339),
-		subject.UserID,
-		role,
-		changed,
+	slog.Info("settings updated",
+		"audit", true,
+		"user_id", subject.UserID,
+		"role", role,
+		"changed", changed,
 	)
 }
 
@@ -1358,6 +1357,22 @@ func diffSettings(before *service.SystemSettings, after *service.SystemSettings,
 	if before.EnableCCHSigning != after.EnableCCHSigning {
 		changed = append(changed, "enable_cch_signing")
 	}
+	// Balance & quota notification
+	if before.BalanceLowNotifyEnabled != after.BalanceLowNotifyEnabled {
+		changed = append(changed, "balance_low_notify_enabled")
+	}
+	if before.BalanceLowNotifyThreshold != after.BalanceLowNotifyThreshold {
+		changed = append(changed, "balance_low_notify_threshold")
+	}
+	if before.BalanceLowNotifyRechargeURL != after.BalanceLowNotifyRechargeURL {
+		changed = append(changed, "balance_low_notify_recharge_url")
+	}
+	if before.AccountQuotaNotifyEnabled != after.AccountQuotaNotifyEnabled {
+		changed = append(changed, "account_quota_notify_enabled")
+	}
+	if !equalNotifyEmailEntries(before.AccountQuotaNotifyEmails, after.AccountQuotaNotifyEmails) {
+		changed = append(changed, "account_quota_notify_emails")
+	}
 	return changed
 }
 
@@ -1414,6 +1429,18 @@ func equalIntSlice(a, b []int) bool {
 	return true
 }
 
+func equalNotifyEmailEntries(a, b []service.NotifyEmailEntry) bool {
+	if len(a) != len(b) {
+		return false
+	}
+	for i := range a {
+		if a[i].Email != b[i].Email || a[i].Verified != b[i].Verified || a[i].Disabled != b[i].Disabled {
+			return false
+		}
+	}
+	return true
+}
+
 // TestSMTPRequest 测试SMTP连接请求
 type TestSMTPRequest struct {
 	SMTPHost     string `json:"smtp_host"`
diff --git a/frontend/src/components/account/QuotaNotifyToggle.vue b/frontend/src/components/account/QuotaNotifyToggle.vue
index 0548f661..954d0929 100644
--- a/frontend/src/components/account/QuotaNotifyToggle.vue
+++ b/frontend/src/components/account/QuotaNotifyToggle.vue
@@ -1,4 +1,6 @@
 <script setup lang="ts">
+import { QUOTA_THRESHOLD_TYPE_FIXED, QUOTA_THRESHOLD_TYPE_PERCENTAGE } from '@/constants/account'
+
 defineProps<{
   enabled: boolean | null
   threshold: number | null
@@ -35,17 +37,17 @@ const emit = defineEmits<{
         @input="emit('update:threshold', parseFloat(($event.target as HTMLInputElement).value) || null)"
         type="number"
         min="0"
-        :max="thresholdType === 'percentage' ? 100 : undefined"
-        :step="thresholdType === 'percentage' ? 1 : 0.01"
+        :max="thresholdType === QUOTA_THRESHOLD_TYPE_PERCENTAGE ? 100 : undefined"
+        :step="thresholdType === QUOTA_THRESHOLD_TYPE_PERCENTAGE ? 1 : 0.01"
         class="input py-1 text-sm flex-1 min-w-0"
       />
       <select
-        :value="thresholdType || 'fixed'"
+        :value="thresholdType || QUOTA_THRESHOLD_TYPE_FIXED"
         @change="emit('update:thresholdType', ($event.target as HTMLSelectElement).value)"
         class="input py-1 text-xs w-[4.5rem] flex-shrink-0 text-center"
       >
-        <option value="fixed">$</option>
-        <option value="percentage">%</option>
+        <option :value="QUOTA_THRESHOLD_TYPE_FIXED">$</option>
+        <option :value="QUOTA_THRESHOLD_TYPE_PERCENTAGE">%</option>
       </select>
     </template>
   </div>
diff --git a/frontend/src/components/admin/usage/UsageTable.vue b/frontend/src/components/admin/usage/UsageTable.vue
index 441e89e0..55d4f84b 100644
--- a/frontend/src/components/admin/usage/UsageTable.vue
+++ b/frontend/src/components/admin/usage/UsageTable.vue
@@ -93,7 +93,7 @@
 
         <template #cell-tokens="{ row }">
           <!-- 图片生成请求（仅按次计费时显示图片格式） -->
-          <div v-if="row.image_count > 0 && row.billing_mode === 'image'" class="flex items-center gap-1.5">
+          <div v-if="row.image_count > 0 && row.billing_mode === BILLING_MODE_IMAGE" class="flex items-center gap-1.5">
             <svg class="h-4 w-4 text-indigo-500" fill="none" stroke="currentColor" viewBox="0 0 24 24">
               <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M4 16l4.586-4.586a2 2 0 012.828 0L16 16m-2-2l1.586-1.586a2 2 0 012.828 0L20 14m-6-6h.01M6 20h12a2 2 0 002-2V6a2 2 0 00-2-2H6a2 2 0 00-2 2v12a2 2 0 002 2z" />
             </svg>
@@ -280,7 +280,7 @@
               <span class="font-medium text-white">${{ tooltipData.output_cost.toFixed(6) }}</span>
             </div>
             <!-- Token billing: show unit prices per 1M tokens -->
-            <template v-if="!tooltipData?.billing_mode || tooltipData.billing_mode === 'token'">
+            <template v-if="!tooltipData?.billing_mode || tooltipData.billing_mode === BILLING_MODE_TOKEN">
               <div v-if="tooltipData && tooltipData.input_tokens > 0" class="flex items-center justify-between gap-4">
                 <span class="text-gray-400">{{ t('usage.inputTokenPrice') }}</span>
                 <span class="font-medium text-sky-300">{{ formatTokenPricePerMillion(tooltipData.input_cost, tooltipData.input_tokens) }} {{ t('usage.perMillionTokens') }}</span>
@@ -292,7 +292,7 @@
             </template>
             <!-- Per-request / image billing: show unit price -->
             <div v-else class="flex items-center justify-between gap-4">
-              <span class="text-gray-400">{{ tooltipData.billing_mode === 'image' ? t('usage.imageUnitPrice') : t('usage.unitPrice') }}</span>
+              <span class="text-gray-400">{{ tooltipData.billing_mode === BILLING_MODE_IMAGE ? t('usage.imageUnitPrice') : t('usage.unitPrice') }}</span>
               <span class="font-medium text-sky-300">${{ tooltipData.total_cost?.toFixed(6) || '0.000000' }}</span>
             </div>
             <div v-if="tooltipData && tooltipData.cache_creation_cost > 0" class="flex items-center justify-between gap-4">
@@ -350,7 +350,7 @@ import { formatCacheTokens, formatMultiplier } from '@/utils/formatters'
 import { formatTokenPricePerMillion } from '@/utils/usagePricing'
 import { getUsageServiceTierLabel } from '@/utils/usageServiceTier'
 import { resolveUsageRequestType } from '@/utils/usageRequestType'
-import { getBillingModeLabel, getBillingModeBadgeClass } from '@/utils/billingMode'
+import { getBillingModeLabel, getBillingModeBadgeClass, BILLING_MODE_TOKEN, BILLING_MODE_IMAGE } from '@/utils/billingMode'
 
 /** Compute the account-billed cost for display: (account_stats_cost ?? total_cost) * rate_multiplier */
 function accountBilled(row: { total_cost?: number | null; account_stats_cost?: number | null; account_rate_multiplier?: number | null }): number {
diff --git a/frontend/src/constants/account.ts b/frontend/src/constants/account.ts
new file mode 100644
index 00000000..3c151fee
--- /dev/null
+++ b/frontend/src/constants/account.ts
@@ -0,0 +1,10 @@
+/** WebSearch emulation mode values (must match backend WebSearchMode* constants in account.go) */
+export const WEB_SEARCH_MODE_DEFAULT = 'default' as const
+export const WEB_SEARCH_MODE_ENABLED = 'enabled' as const
+export const WEB_SEARCH_MODE_DISABLED = 'disabled' as const
+export type WebSearchMode = typeof WEB_SEARCH_MODE_DEFAULT | typeof WEB_SEARCH_MODE_ENABLED | typeof WEB_SEARCH_MODE_DISABLED
+
+/** Quota notification threshold type values (must match thresholdType* constants in balance_notify_service.go) */
+export const QUOTA_THRESHOLD_TYPE_FIXED = 'fixed' as const
+export const QUOTA_THRESHOLD_TYPE_PERCENTAGE = 'percentage' as const
+export type QuotaThresholdType = typeof QUOTA_THRESHOLD_TYPE_FIXED | typeof QUOTA_THRESHOLD_TYPE_PERCENTAGE

From 594f0d17d1c04bb530f8cd5b8a0d316dafc77370 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Mon, 13 Apr 2026 22:02:18 +0800
Subject: [PATCH 074/122] =?UTF-8?q?refactor:=20batch=203=20=E2=80=94=20dec?=
 =?UTF-8?q?ompose=20CheckBalanceAfterDeduction,=20merge=20crossing=20check?=
 =?UTF-8?q?s,=20add=20QuotaNotifyConfig?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

M1: CheckBalanceAfterDeduction (63→18 lines) decomposed into:
    canNotifyBalance, resolveUserEffectiveThreshold, crossedDownward, dispatchBalanceLowEmail
M3: New Account.QuotaNotifyConfig(dim) method replaces 9 hardcoded getters
    (getters kept as thin wrappers for backward compatibility)
M4: checkQuotaDimCrossings + checkQuotaDimCrossingsFromState merged into one
    function taking pre-built []quotaDim; caller builds dims conditionally
---
 backend/cmd/server/VERSION                    |   2 +-
 backend/internal/service/account.go           |  27 ++--
 .../service/balance_notify_service.go         | 153 ++++++++----------
 3 files changed, 87 insertions(+), 95 deletions(-)

diff --git a/backend/cmd/server/VERSION b/backend/cmd/server/VERSION
index bc34277a..f3cd6fef 100644
--- a/backend/cmd/server/VERSION
+++ b/backend/cmd/server/VERSION
@@ -1 +1 @@
-0.1.110.48
+0.1.110.49
diff --git a/backend/internal/service/account.go b/backend/internal/service/account.go
index 4a4c0889..cacfb240 100644
--- a/backend/internal/service/account.go
+++ b/backend/internal/service/account.go
@@ -1523,40 +1523,49 @@ func (a *Account) GetQuotaResetTimezone() string {
 
 // --- Quota Notification Getters ---
 
+// QuotaNotifyConfig returns the notify configuration for a given quota dimension.
+// dim must be one of quotaDimDaily, quotaDimWeekly, quotaDimTotal.
+func (a *Account) QuotaNotifyConfig(dim string) (enabled bool, threshold float64, thresholdType string) {
+	enabled = a.getExtraBool("quota_notify_" + dim + "_enabled")
+	threshold = a.getExtraFloat64("quota_notify_" + dim + "_threshold")
+	thresholdType = a.getExtraStringDefault("quota_notify_"+dim+"_threshold_type", thresholdTypeFixed)
+	return
+}
+
 func (a *Account) GetQuotaNotifyDailyEnabled() bool {
-	return a.getExtraBool("quota_notify_daily_enabled")
+	e, _, _ := a.QuotaNotifyConfig(quotaDimDaily); return e
 }
 
 func (a *Account) GetQuotaNotifyDailyThreshold() float64 {
-	return a.getExtraFloat64("quota_notify_daily_threshold")
+	_, t, _ := a.QuotaNotifyConfig(quotaDimDaily); return t
 }
 
 func (a *Account) GetQuotaNotifyDailyThresholdType() string {
-	return a.getExtraStringDefault("quota_notify_daily_threshold_type", thresholdTypeFixed)
+	_, _, tt := a.QuotaNotifyConfig(quotaDimDaily); return tt
 }
 
 func (a *Account) GetQuotaNotifyWeeklyEnabled() bool {
-	return a.getExtraBool("quota_notify_weekly_enabled")
+	e, _, _ := a.QuotaNotifyConfig(quotaDimWeekly); return e
 }
 
 func (a *Account) GetQuotaNotifyWeeklyThreshold() float64 {
-	return a.getExtraFloat64("quota_notify_weekly_threshold")
+	_, t, _ := a.QuotaNotifyConfig(quotaDimWeekly); return t
 }
 
 func (a *Account) GetQuotaNotifyWeeklyThresholdType() string {
-	return a.getExtraStringDefault("quota_notify_weekly_threshold_type", thresholdTypeFixed)
+	_, _, tt := a.QuotaNotifyConfig(quotaDimWeekly); return tt
 }
 
 func (a *Account) GetQuotaNotifyTotalEnabled() bool {
-	return a.getExtraBool("quota_notify_total_enabled")
+	e, _, _ := a.QuotaNotifyConfig(quotaDimTotal); return e
 }
 
 func (a *Account) GetQuotaNotifyTotalThreshold() float64 {
-	return a.getExtraFloat64("quota_notify_total_threshold")
+	_, t, _ := a.QuotaNotifyConfig(quotaDimTotal); return t
 }
 
 func (a *Account) GetQuotaNotifyTotalThresholdType() string {
-	return a.getExtraStringDefault("quota_notify_total_threshold_type", thresholdTypeFixed)
+	_, _, tt := a.QuotaNotifyConfig(quotaDimTotal); return tt
 }
 
 // nextFixedDailyReset 计算在 after 之后的下一个每日固定重置时间点
diff --git a/backend/internal/service/balance_notify_service.go b/backend/internal/service/balance_notify_service.go
index 5191a26e..9a75d6be 100644
--- a/backend/internal/service/balance_notify_service.go
+++ b/backend/internal/service/balance_notify_service.go
@@ -21,6 +21,8 @@ const (
 	quotaDimDaily  = "daily"
 	quotaDimWeekly = "weekly"
 	quotaDimTotal  = "total"
+
+	defaultSiteName = "Sub2API"
 )
 
 // quotaDimLabels maps dimension names to display labels.
@@ -61,70 +63,70 @@ func resolveBalanceThreshold(threshold float64, thresholdType string, totalRecha
 }
 
 // CheckBalanceAfterDeduction checks if balance crossed below threshold after deduction.
-// oldBalance is the balance before deduction, cost is the amount deducted.
 // Notification is sent only on first crossing: oldBalance >= threshold && newBalance < threshold.
 func (s *BalanceNotifyService) CheckBalanceAfterDeduction(ctx context.Context, user *User, oldBalance, cost float64) {
-	if user == nil || s.emailService == nil || s.settingRepo == nil {
-		slog.Debug("CheckBalanceAfterDeduction: skipped (nil check)",
-			"user_nil", user == nil,
-			"email_svc_nil", s.emailService == nil,
-			"setting_repo_nil", s.settingRepo == nil,
-		)
+	if !s.canNotifyBalance(user) {
 		return
 	}
-	if !user.BalanceNotifyEnabled {
-		slog.Debug("CheckBalanceAfterDeduction: user notify disabled", "user_id", user.ID)
+	effectiveThreshold, rechargeURL, ok := s.resolveUserEffectiveThreshold(ctx, user)
+	if !ok {
 		return
 	}
+	newBalance := oldBalance - cost
+	if !crossedDownward(oldBalance, newBalance, effectiveThreshold) {
+		return
+	}
+	s.dispatchBalanceLowEmail(ctx, user, newBalance, effectiveThreshold, rechargeURL)
+}
 
+// canNotifyBalance checks nil guards and user-level toggle.
+func (s *BalanceNotifyService) canNotifyBalance(user *User) bool {
+	if user == nil || s.emailService == nil || s.settingRepo == nil {
+		return false
+	}
+	return user.BalanceNotifyEnabled
+}
+
+// resolveUserEffectiveThreshold reads global + user config, returns the effective threshold.
+// Returns ok=false when notifications should be skipped.
+func (s *BalanceNotifyService) resolveUserEffectiveThreshold(ctx context.Context, user *User) (effectiveThreshold float64, rechargeURL string, ok bool) {
 	globalEnabled, globalThreshold, rechargeURL := s.getBalanceNotifyConfig(ctx)
 	if !globalEnabled {
-		slog.Info("CheckBalanceAfterDeduction: global notify disabled", "user_id", user.ID)
-		return
+		return 0, "", false
 	}
-
-	// User custom threshold overrides system default
 	threshold := globalThreshold
 	if user.BalanceNotifyThreshold != nil {
 		threshold = *user.BalanceNotifyThreshold
 	}
 	if threshold <= 0 {
-		slog.Debug("CheckBalanceAfterDeduction: threshold <= 0", "user_id", user.ID, "threshold", threshold)
-		return
+		return 0, "", false
 	}
-
-	effectiveThreshold := resolveBalanceThreshold(threshold, user.BalanceNotifyThresholdType, user.TotalRecharged)
+	effectiveThreshold = resolveBalanceThreshold(threshold, user.BalanceNotifyThresholdType, user.TotalRecharged)
 	if effectiveThreshold <= 0 {
-		slog.Debug("CheckBalanceAfterDeduction: effective threshold <= 0", "user_id", user.ID)
-		return
+		return 0, "", false
 	}
+	return effectiveThreshold, rechargeURL, true
+}
 
-	newBalance := oldBalance - cost
-	slog.Info("CheckBalanceAfterDeduction: crossing check",
-		"user_id", user.ID,
-		"old_balance", oldBalance,
-		"new_balance", newBalance,
-		"effective_threshold", effectiveThreshold,
-		"crossed", oldBalance >= effectiveThreshold && newBalance < effectiveThreshold,
-	)
-	if oldBalance >= effectiveThreshold && newBalance < effectiveThreshold {
-		siteName := s.getSiteName(ctx)
-		recipients := s.collectBalanceNotifyRecipients(user)
-		slog.Info("CheckBalanceAfterDeduction: sending notification",
-			"user_id", user.ID,
-			"recipients", recipients,
-			"new_balance", newBalance,
-			"threshold", effectiveThreshold,
-		)
-		go func() {
-			defer func() {
-				if r := recover(); r != nil {
-					slog.Error("panic in balance notification", "recover", r)
-				}
-			}()
-			s.sendBalanceLowEmails(recipients, user.Username, user.Email, newBalance, effectiveThreshold, siteName, rechargeURL)
+// crossedDownward returns true when oldV was at-or-above threshold but newV dropped below it.
+func crossedDownward(oldV, newV, threshold float64) bool {
+	return oldV >= threshold && newV < threshold
+}
+
+// dispatchBalanceLowEmail collects recipients and sends the alert in a goroutine.
+func (s *BalanceNotifyService) dispatchBalanceLowEmail(ctx context.Context, user *User, newBalance, threshold float64, rechargeURL string) {
+	siteName := s.getSiteName(ctx)
+	recipients := s.collectBalanceNotifyRecipients(user)
+	slog.Info("CheckBalanceAfterDeduction: sending notification",
+		"user_id", user.ID, "recipients", recipients, "new_balance", newBalance, "threshold", threshold)
+	go func() {
+		defer func() {
+			if r := recover(); r != nil {
+				slog.Error("panic in balance notification", "recover", r)
+			}
 		}()
-	}
+		s.sendBalanceLowEmails(recipients, user.Username, user.Email, newBalance, threshold, siteName, rechargeURL)
+	}()
 }
 
 // quotaDim describes one quota dimension for notification checking.
@@ -160,6 +162,16 @@ func buildQuotaDims(account *Account) []quotaDim {
 	}
 }
 
+// buildQuotaDimsFromState builds quota dimensions using DB transaction state instead of account snapshot.
+// Notification settings (enabled, threshold, thresholdType) come from the account; usage values from quotaState.
+func buildQuotaDimsFromState(account *Account, state *AccountQuotaState) []quotaDim {
+	return []quotaDim{
+		{quotaDimDaily, account.GetQuotaNotifyDailyEnabled(), account.GetQuotaNotifyDailyThreshold(), account.GetQuotaNotifyDailyThresholdType(), state.DailyUsed, state.DailyLimit},
+		{quotaDimWeekly, account.GetQuotaNotifyWeeklyEnabled(), account.GetQuotaNotifyWeeklyThreshold(), account.GetQuotaNotifyWeeklyThresholdType(), state.WeeklyUsed, state.WeeklyLimit},
+		{quotaDimTotal, account.GetQuotaNotifyTotalEnabled(), account.GetQuotaNotifyTotalThreshold(), account.GetQuotaNotifyTotalThresholdType(), state.TotalUsed, state.TotalLimit},
+	}
+}
+
 // CheckAccountQuotaAfterIncrement checks if any quota dimension crossed above its notify threshold.
 // When quotaState is non-nil (from DB transaction RETURNING), it is used directly for threshold
 // checking, avoiding a separate DB read. Otherwise it falls back to fetching fresh account data.
@@ -176,13 +188,15 @@ func (s *BalanceNotifyService) CheckAccountQuotaAfterIncrement(ctx context.Conte
 	}
 
 	siteName := s.getSiteName(ctx)
+	var dims []quotaDim
 	if quotaState != nil {
-		s.checkQuotaDimCrossingsFromState(account, quotaState, cost, adminEmails, siteName)
-		return
+		dims = buildQuotaDimsFromState(account, quotaState)
+	} else {
+		freshAccount := s.fetchFreshAccount(ctx, account)
+		dims = buildQuotaDims(freshAccount)
+		account = freshAccount // use fresh data for alert metadata
 	}
-
-	freshAccount := s.fetchFreshAccount(ctx, account)
-	s.checkQuotaDimCrossings(freshAccount, cost, adminEmails, siteName)
+	s.checkQuotaDimCrossings(account, dims, cost, adminEmails, siteName)
 }
 
 // fetchFreshAccount loads the latest account from DB; falls back to the snapshot on error.
@@ -199,41 +213,10 @@ func (s *BalanceNotifyService) fetchFreshAccount(ctx context.Context, snapshot *
 	return fresh
 }
 
-// checkQuotaDimCrossings iterates quota dimensions and sends alerts for threshold crossings.
-// freshAccount has post-increment values; pre-increment is reconstructed as currentUsed - cost.
-func (s *BalanceNotifyService) checkQuotaDimCrossings(freshAccount *Account, cost float64, adminEmails []string, siteName string) {
-	for _, dim := range buildQuotaDims(freshAccount) {
-		if !dim.enabled || dim.threshold <= 0 {
-			continue
-		}
-		effectiveThreshold := dim.resolvedThreshold()
-		if effectiveThreshold <= 0 {
-			continue
-		}
-		// currentUsed is the post-increment value from fresh DB data;
-		// reconstruct pre-increment value to detect threshold crossing.
-		newUsed := dim.currentUsed
-		oldUsed := dim.currentUsed - cost
-		if oldUsed < effectiveThreshold && newUsed >= effectiveThreshold {
-			s.asyncSendQuotaAlert(adminEmails, freshAccount.ID, freshAccount.Name, freshAccount.Platform, dim, newUsed, effectiveThreshold, siteName)
-		}
-	}
-}
-
-// buildQuotaDimsFromState builds quota dimensions using DB transaction state instead of account snapshot.
-// Notification settings (enabled, threshold, thresholdType) come from the account; usage values from quotaState.
-func buildQuotaDimsFromState(account *Account, state *AccountQuotaState) []quotaDim {
-	return []quotaDim{
-		{quotaDimDaily, account.GetQuotaNotifyDailyEnabled(), account.GetQuotaNotifyDailyThreshold(), account.GetQuotaNotifyDailyThresholdType(), state.DailyUsed, state.DailyLimit},
-		{quotaDimWeekly, account.GetQuotaNotifyWeeklyEnabled(), account.GetQuotaNotifyWeeklyThreshold(), account.GetQuotaNotifyWeeklyThresholdType(), state.WeeklyUsed, state.WeeklyLimit},
-		{quotaDimTotal, account.GetQuotaNotifyTotalEnabled(), account.GetQuotaNotifyTotalThreshold(), account.GetQuotaNotifyTotalThresholdType(), state.TotalUsed, state.TotalLimit},
-	}
-}
-
-// checkQuotaDimCrossingsFromState checks threshold crossings using DB transaction quota state.
-// This avoids a separate DB read and ensures the values are consistent with the atomic increment.
-func (s *BalanceNotifyService) checkQuotaDimCrossingsFromState(account *Account, state *AccountQuotaState, cost float64, adminEmails []string, siteName string) {
-	for _, dim := range buildQuotaDimsFromState(account, state) {
+// checkQuotaDimCrossings iterates pre-built quota dimensions and sends alerts for threshold crossings.
+// Pre-increment value is reconstructed as currentUsed - cost to detect the crossing moment.
+func (s *BalanceNotifyService) checkQuotaDimCrossings(account *Account, dims []quotaDim, cost float64, adminEmails []string, siteName string) {
+	for _, dim := range dims {
 		if !dim.enabled || dim.threshold <= 0 {
 			continue
 		}
@@ -324,7 +307,7 @@ func (s *BalanceNotifyService) getAccountQuotaNotifyEmails(ctx context.Context)
 func (s *BalanceNotifyService) getSiteName(ctx context.Context) string {
 	name, err := s.settingRepo.GetValue(ctx, SettingKeySiteName)
 	if err != nil || name == "" {
-		return "Sub2API"
+		return defaultSiteName
 	}
 	return name
 }

From 1b7c29519995a36a9c6a60472b9e29b5a452b5c1 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Mon, 13 Apr 2026 22:35:24 +0800
Subject: [PATCH 075/122] refactor: M5 useQuotaNotifyState composable + H14 Vue
 file splits
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

M5: New composable frontend/src/composables/useQuotaNotifyState.ts
  - Replaces 9 individual refs in both Create/Edit modals with reactive state
  - Provides loadFromExtra/writeToExtra/reset helpers
  - Eliminates ~120 lines of duplicated code across the two modals

H14: Vue file length violations fixed
  - AdminPaymentPlansView.vue: 325 → 183 lines (extracted PlanEditDialog.vue)
  - QuotaLimitCard.vue: 327 → 268 lines (extracted QuotaDimensionRow.vue)
  - PlanEditDialog.vue: 181 lines (new, plan create/edit form)
  - QuotaDimensionRow.vue: 108 lines (new, single quota dimension row)
---
 backend/cmd/server/VERSION                    |   2 +-
 .../components/account/CreateAccountModal.vue | 109 +++-----
 .../components/account/EditAccountModal.vue   | 159 ++++-------
 .../components/account/QuotaDimensionRow.vue  | 108 ++++++++
 .../src/components/account/QuotaLimitCard.vue | 259 ++++++++----------
 .../src/composables/useQuotaNotifyState.ts    |  69 +++++
 .../admin/orders/AdminPaymentPlansView.vue    | 142 +---------
 .../src/views/admin/orders/PlanEditDialog.vue | 181 ++++++++++++
 8 files changed, 565 insertions(+), 464 deletions(-)
 create mode 100644 frontend/src/components/account/QuotaDimensionRow.vue
 create mode 100644 frontend/src/composables/useQuotaNotifyState.ts
 create mode 100644 frontend/src/views/admin/orders/PlanEditDialog.vue

diff --git a/backend/cmd/server/VERSION b/backend/cmd/server/VERSION
index f3cd6fef..68dda295 100644
--- a/backend/cmd/server/VERSION
+++ b/backend/cmd/server/VERSION
@@ -1 +1 @@
-0.1.110.49
+0.1.110.51
diff --git a/frontend/src/components/account/CreateAccountModal.vue b/frontend/src/components/account/CreateAccountModal.vue
index ba7bad51..432fa080 100644
--- a/frontend/src/components/account/CreateAccountModal.vue
+++ b/frontend/src/components/account/CreateAccountModal.vue
@@ -1493,15 +1493,15 @@
           :dailyLimit="editQuotaDailyLimit"
           :weeklyLimit="editQuotaWeeklyLimit"
           :quotaNotifyGlobalEnabled="quotaNotifyGlobalEnabled"
-          :quotaNotifyDailyEnabled="quotaNotifyDailyEnabled"
-          :quotaNotifyDailyThreshold="quotaNotifyDailyThreshold"
-          :quotaNotifyDailyThresholdType="quotaNotifyDailyThresholdType"
-          :quotaNotifyWeeklyEnabled="quotaNotifyWeeklyEnabled"
-          :quotaNotifyWeeklyThreshold="quotaNotifyWeeklyThreshold"
-          :quotaNotifyWeeklyThresholdType="quotaNotifyWeeklyThresholdType"
-          :quotaNotifyTotalEnabled="quotaNotifyTotalEnabled"
-          :quotaNotifyTotalThreshold="quotaNotifyTotalThreshold"
-          :quotaNotifyTotalThresholdType="quotaNotifyTotalThresholdType"
+          :quotaNotifyDailyEnabled="quotaNotifyState.daily.enabled"
+          :quotaNotifyDailyThreshold="quotaNotifyState.daily.threshold"
+          :quotaNotifyDailyThresholdType="quotaNotifyState.daily.thresholdType"
+          :quotaNotifyWeeklyEnabled="quotaNotifyState.weekly.enabled"
+          :quotaNotifyWeeklyThreshold="quotaNotifyState.weekly.threshold"
+          :quotaNotifyWeeklyThresholdType="quotaNotifyState.weekly.thresholdType"
+          :quotaNotifyTotalEnabled="quotaNotifyState.total.enabled"
+          :quotaNotifyTotalThreshold="quotaNotifyState.total.threshold"
+          :quotaNotifyTotalThresholdType="quotaNotifyState.total.thresholdType"
           :dailyResetMode="editDailyResetMode"
           :dailyResetHour="editDailyResetHour"
           :weeklyResetMode="editWeeklyResetMode"
@@ -1511,15 +1511,15 @@
           @update:totalLimit="editQuotaLimit = $event"
           @update:dailyLimit="editQuotaDailyLimit = $event"
           @update:weeklyLimit="editQuotaWeeklyLimit = $event"
-          @update:quotaNotifyDailyEnabled="quotaNotifyDailyEnabled = $event"
-          @update:quotaNotifyDailyThreshold="quotaNotifyDailyThreshold = $event"
-          @update:quotaNotifyDailyThresholdType="quotaNotifyDailyThresholdType = $event"
-          @update:quotaNotifyWeeklyEnabled="quotaNotifyWeeklyEnabled = $event"
-          @update:quotaNotifyWeeklyThreshold="quotaNotifyWeeklyThreshold = $event"
-          @update:quotaNotifyWeeklyThresholdType="quotaNotifyWeeklyThresholdType = $event"
-          @update:quotaNotifyTotalEnabled="quotaNotifyTotalEnabled = $event"
-          @update:quotaNotifyTotalThreshold="quotaNotifyTotalThreshold = $event"
-          @update:quotaNotifyTotalThresholdType="quotaNotifyTotalThresholdType = $event"
+          @update:quotaNotifyDailyEnabled="quotaNotifyState.daily.enabled = $event"
+          @update:quotaNotifyDailyThreshold="quotaNotifyState.daily.threshold = $event"
+          @update:quotaNotifyDailyThresholdType="quotaNotifyState.daily.thresholdType = $event"
+          @update:quotaNotifyWeeklyEnabled="quotaNotifyState.weekly.enabled = $event"
+          @update:quotaNotifyWeeklyThreshold="quotaNotifyState.weekly.threshold = $event"
+          @update:quotaNotifyWeeklyThresholdType="quotaNotifyState.weekly.thresholdType = $event"
+          @update:quotaNotifyTotalEnabled="quotaNotifyState.total.enabled = $event"
+          @update:quotaNotifyTotalThreshold="quotaNotifyState.total.threshold = $event"
+          @update:quotaNotifyTotalThresholdType="quotaNotifyState.total.thresholdType = $event"
           @update:dailyResetMode="editDailyResetMode = $event"
           @update:dailyResetHour="editDailyResetHour = $event"
           @update:weeklyResetMode="editWeeklyResetMode = $event"
@@ -1545,15 +1545,15 @@
           :dailyLimit="editQuotaDailyLimit"
           :weeklyLimit="editQuotaWeeklyLimit"
           :quotaNotifyGlobalEnabled="quotaNotifyGlobalEnabled"
-          :quotaNotifyDailyEnabled="quotaNotifyDailyEnabled"
-          :quotaNotifyDailyThreshold="quotaNotifyDailyThreshold"
-          :quotaNotifyDailyThresholdType="quotaNotifyDailyThresholdType"
-          :quotaNotifyWeeklyEnabled="quotaNotifyWeeklyEnabled"
-          :quotaNotifyWeeklyThreshold="quotaNotifyWeeklyThreshold"
-          :quotaNotifyWeeklyThresholdType="quotaNotifyWeeklyThresholdType"
-          :quotaNotifyTotalEnabled="quotaNotifyTotalEnabled"
-          :quotaNotifyTotalThreshold="quotaNotifyTotalThreshold"
-          :quotaNotifyTotalThresholdType="quotaNotifyTotalThresholdType"
+          :quotaNotifyDailyEnabled="quotaNotifyState.daily.enabled"
+          :quotaNotifyDailyThreshold="quotaNotifyState.daily.threshold"
+          :quotaNotifyDailyThresholdType="quotaNotifyState.daily.thresholdType"
+          :quotaNotifyWeeklyEnabled="quotaNotifyState.weekly.enabled"
+          :quotaNotifyWeeklyThreshold="quotaNotifyState.weekly.threshold"
+          :quotaNotifyWeeklyThresholdType="quotaNotifyState.weekly.thresholdType"
+          :quotaNotifyTotalEnabled="quotaNotifyState.total.enabled"
+          :quotaNotifyTotalThreshold="quotaNotifyState.total.threshold"
+          :quotaNotifyTotalThresholdType="quotaNotifyState.total.thresholdType"
           :dailyResetMode="editDailyResetMode"
           :dailyResetHour="editDailyResetHour"
           :weeklyResetMode="editWeeklyResetMode"
@@ -1563,15 +1563,15 @@
           @update:totalLimit="editQuotaLimit = $event"
           @update:dailyLimit="editQuotaDailyLimit = $event"
           @update:weeklyLimit="editQuotaWeeklyLimit = $event"
-          @update:quotaNotifyDailyEnabled="quotaNotifyDailyEnabled = $event"
-          @update:quotaNotifyDailyThreshold="quotaNotifyDailyThreshold = $event"
-          @update:quotaNotifyDailyThresholdType="quotaNotifyDailyThresholdType = $event"
-          @update:quotaNotifyWeeklyEnabled="quotaNotifyWeeklyEnabled = $event"
-          @update:quotaNotifyWeeklyThreshold="quotaNotifyWeeklyThreshold = $event"
-          @update:quotaNotifyWeeklyThresholdType="quotaNotifyWeeklyThresholdType = $event"
-          @update:quotaNotifyTotalEnabled="quotaNotifyTotalEnabled = $event"
-          @update:quotaNotifyTotalThreshold="quotaNotifyTotalThreshold = $event"
-          @update:quotaNotifyTotalThresholdType="quotaNotifyTotalThresholdType = $event"
+          @update:quotaNotifyDailyEnabled="quotaNotifyState.daily.enabled = $event"
+          @update:quotaNotifyDailyThreshold="quotaNotifyState.daily.threshold = $event"
+          @update:quotaNotifyDailyThresholdType="quotaNotifyState.daily.thresholdType = $event"
+          @update:quotaNotifyWeeklyEnabled="quotaNotifyState.weekly.enabled = $event"
+          @update:quotaNotifyWeeklyThreshold="quotaNotifyState.weekly.threshold = $event"
+          @update:quotaNotifyWeeklyThresholdType="quotaNotifyState.weekly.thresholdType = $event"
+          @update:quotaNotifyTotalEnabled="quotaNotifyState.total.enabled = $event"
+          @update:quotaNotifyTotalThreshold="quotaNotifyState.total.threshold = $event"
+          @update:quotaNotifyTotalThresholdType="quotaNotifyState.total.thresholdType = $event"
           @update:dailyResetMode="editDailyResetMode = $event"
           @update:dailyResetHour="editDailyResetHour = $event"
           @update:weeklyResetMode="editWeeklyResetMode = $event"
@@ -2903,6 +2903,7 @@ import {
 } from '@/composables/useModelWhitelist'
 import { useAuthStore } from '@/stores/auth'
 import { adminAPI } from '@/api/admin'
+import { useQuotaNotifyState } from '@/composables/useQuotaNotifyState'
 import {
   useAccountOAuth,
   type AddMethod,
@@ -3076,25 +3077,19 @@ const codexCLIOnlyEnabled = ref(false)
 const anthropicPassthroughEnabled = ref(false)
 const webSearchEmulationMode = ref('default')
 const webSearchGlobalEnabled = ref(false)
-const quotaNotifyGlobalEnabled = ref(false)
-const quotaNotifyDailyEnabled = ref<boolean | null>(null)
-const quotaNotifyDailyThreshold = ref<number | null>(null)
-const quotaNotifyDailyThresholdType = ref<string | null>(null)
-const quotaNotifyWeeklyEnabled = ref<boolean | null>(null)
-const quotaNotifyWeeklyThreshold = ref<number | null>(null)
-const quotaNotifyWeeklyThresholdType = ref<string | null>(null)
-const quotaNotifyTotalEnabled = ref<boolean | null>(null)
-const quotaNotifyTotalThreshold = ref<number | null>(null)
-const quotaNotifyTotalThresholdType = ref<string | null>(null)
+const {
+  globalEnabled: quotaNotifyGlobalEnabled,
+  state: quotaNotifyState,
+  loadGlobalState: loadQuotaNotifyGlobal,
+  writeToExtra: writeQuotaNotifyToExtra,
+} = useQuotaNotifyState()
 
 // Load global feature states once
 adminAPI.settings.getWebSearchEmulationConfig().then(cfg => {
   webSearchGlobalEnabled.value = cfg?.enabled === true && (cfg?.providers?.length ?? 0) > 0
 }).catch(() => { webSearchGlobalEnabled.value = false })
 
-adminAPI.settings.getSettings().then(settings => {
-  quotaNotifyGlobalEnabled.value = settings.account_quota_notify_enabled === true
-}).catch(() => { quotaNotifyGlobalEnabled.value = false })
+loadQuotaNotifyGlobal()
 const mixedScheduling = ref(false) // For antigravity accounts: enable mixed scheduling
 const allowOverages = ref(false) // For antigravity accounts: enable AI Credits overages
 const antigravityAccountType = ref<'oauth' | 'upstream'>('oauth') // For antigravity: oauth or upstream
@@ -4199,21 +4194,7 @@ const createAccountAndFinish = async (
       quotaExtra.quota_reset_timezone = editResetTimezone.value || 'UTC'
     }
     // Quota notify config
-    if (quotaNotifyDailyEnabled.value) {
-      quotaExtra.quota_notify_daily_enabled = true
-      if (quotaNotifyDailyThreshold.value != null) quotaExtra.quota_notify_daily_threshold = quotaNotifyDailyThreshold.value
-      quotaExtra.quota_notify_daily_threshold_type = quotaNotifyDailyThresholdType.value || 'fixed'
-    }
-    if (quotaNotifyWeeklyEnabled.value) {
-      quotaExtra.quota_notify_weekly_enabled = true
-      if (quotaNotifyWeeklyThreshold.value != null) quotaExtra.quota_notify_weekly_threshold = quotaNotifyWeeklyThreshold.value
-      quotaExtra.quota_notify_weekly_threshold_type = quotaNotifyWeeklyThresholdType.value || 'fixed'
-    }
-    if (quotaNotifyTotalEnabled.value) {
-      quotaExtra.quota_notify_total_enabled = true
-      if (quotaNotifyTotalThreshold.value != null) quotaExtra.quota_notify_total_threshold = quotaNotifyTotalThreshold.value
-      quotaExtra.quota_notify_total_threshold_type = quotaNotifyTotalThresholdType.value || 'fixed'
-    }
+    writeQuotaNotifyToExtra(quotaExtra, 'create')
     if (Object.keys(quotaExtra).length > 0) {
       finalExtra = quotaExtra
     }
diff --git a/frontend/src/components/account/EditAccountModal.vue b/frontend/src/components/account/EditAccountModal.vue
index 92761b35..e5065d7a 100644
--- a/frontend/src/components/account/EditAccountModal.vue
+++ b/frontend/src/components/account/EditAccountModal.vue
@@ -1191,15 +1191,15 @@
           :weeklyResetHour="editWeeklyResetHour"
           :resetTimezone="editResetTimezone"
           :quotaNotifyGlobalEnabled="quotaNotifyGlobalEnabled"
-          :quotaNotifyDailyEnabled="editQuotaNotifyDailyEnabled"
-          :quotaNotifyDailyThreshold="editQuotaNotifyDailyThreshold"
-          :quotaNotifyDailyThresholdType="editQuotaNotifyDailyThresholdType"
-          :quotaNotifyWeeklyEnabled="editQuotaNotifyWeeklyEnabled"
-          :quotaNotifyWeeklyThreshold="editQuotaNotifyWeeklyThreshold"
-          :quotaNotifyWeeklyThresholdType="editQuotaNotifyWeeklyThresholdType"
-          :quotaNotifyTotalEnabled="editQuotaNotifyTotalEnabled"
-          :quotaNotifyTotalThreshold="editQuotaNotifyTotalThreshold"
-          :quotaNotifyTotalThresholdType="editQuotaNotifyTotalThresholdType"
+          :quotaNotifyDailyEnabled="quotaNotifyState.daily.enabled"
+          :quotaNotifyDailyThreshold="quotaNotifyState.daily.threshold"
+          :quotaNotifyDailyThresholdType="quotaNotifyState.daily.thresholdType"
+          :quotaNotifyWeeklyEnabled="quotaNotifyState.weekly.enabled"
+          :quotaNotifyWeeklyThreshold="quotaNotifyState.weekly.threshold"
+          :quotaNotifyWeeklyThresholdType="quotaNotifyState.weekly.thresholdType"
+          :quotaNotifyTotalEnabled="quotaNotifyState.total.enabled"
+          :quotaNotifyTotalThreshold="quotaNotifyState.total.threshold"
+          :quotaNotifyTotalThresholdType="quotaNotifyState.total.thresholdType"
           @update:totalLimit="editQuotaLimit = $event"
           @update:dailyLimit="editQuotaDailyLimit = $event"
           @update:weeklyLimit="editQuotaWeeklyLimit = $event"
@@ -1209,15 +1209,15 @@
           @update:weeklyResetDay="editWeeklyResetDay = $event"
           @update:weeklyResetHour="editWeeklyResetHour = $event"
           @update:resetTimezone="editResetTimezone = $event"
-          @update:quotaNotifyDailyEnabled="editQuotaNotifyDailyEnabled = $event"
-          @update:quotaNotifyDailyThreshold="editQuotaNotifyDailyThreshold = $event"
-          @update:quotaNotifyDailyThresholdType="editQuotaNotifyDailyThresholdType = $event"
-          @update:quotaNotifyWeeklyEnabled="editQuotaNotifyWeeklyEnabled = $event"
-          @update:quotaNotifyWeeklyThreshold="editQuotaNotifyWeeklyThreshold = $event"
-          @update:quotaNotifyWeeklyThresholdType="editQuotaNotifyWeeklyThresholdType = $event"
-          @update:quotaNotifyTotalEnabled="editQuotaNotifyTotalEnabled = $event"
-          @update:quotaNotifyTotalThreshold="editQuotaNotifyTotalThreshold = $event"
-          @update:quotaNotifyTotalThresholdType="editQuotaNotifyTotalThresholdType = $event"
+          @update:quotaNotifyDailyEnabled="quotaNotifyState.daily.enabled = $event"
+          @update:quotaNotifyDailyThreshold="quotaNotifyState.daily.threshold = $event"
+          @update:quotaNotifyDailyThresholdType="quotaNotifyState.daily.thresholdType = $event"
+          @update:quotaNotifyWeeklyEnabled="quotaNotifyState.weekly.enabled = $event"
+          @update:quotaNotifyWeeklyThreshold="quotaNotifyState.weekly.threshold = $event"
+          @update:quotaNotifyWeeklyThresholdType="quotaNotifyState.weekly.thresholdType = $event"
+          @update:quotaNotifyTotalEnabled="quotaNotifyState.total.enabled = $event"
+          @update:quotaNotifyTotalThreshold="quotaNotifyState.total.threshold = $event"
+          @update:quotaNotifyTotalThresholdType="quotaNotifyState.total.thresholdType = $event"
         />
       </div>
       <!-- 配额控制 (非 Anthropic apikey/bedrock) -->
@@ -1242,15 +1242,15 @@
           :weeklyResetHour="editWeeklyResetHour"
           :resetTimezone="editResetTimezone"
           :quotaNotifyGlobalEnabled="quotaNotifyGlobalEnabled"
-          :quotaNotifyDailyEnabled="editQuotaNotifyDailyEnabled"
-          :quotaNotifyDailyThreshold="editQuotaNotifyDailyThreshold"
-          :quotaNotifyDailyThresholdType="editQuotaNotifyDailyThresholdType"
-          :quotaNotifyWeeklyEnabled="editQuotaNotifyWeeklyEnabled"
-          :quotaNotifyWeeklyThreshold="editQuotaNotifyWeeklyThreshold"
-          :quotaNotifyWeeklyThresholdType="editQuotaNotifyWeeklyThresholdType"
-          :quotaNotifyTotalEnabled="editQuotaNotifyTotalEnabled"
-          :quotaNotifyTotalThreshold="editQuotaNotifyTotalThreshold"
-          :quotaNotifyTotalThresholdType="editQuotaNotifyTotalThresholdType"
+          :quotaNotifyDailyEnabled="quotaNotifyState.daily.enabled"
+          :quotaNotifyDailyThreshold="quotaNotifyState.daily.threshold"
+          :quotaNotifyDailyThresholdType="quotaNotifyState.daily.thresholdType"
+          :quotaNotifyWeeklyEnabled="quotaNotifyState.weekly.enabled"
+          :quotaNotifyWeeklyThreshold="quotaNotifyState.weekly.threshold"
+          :quotaNotifyWeeklyThresholdType="quotaNotifyState.weekly.thresholdType"
+          :quotaNotifyTotalEnabled="quotaNotifyState.total.enabled"
+          :quotaNotifyTotalThreshold="quotaNotifyState.total.threshold"
+          :quotaNotifyTotalThresholdType="quotaNotifyState.total.thresholdType"
           @update:totalLimit="editQuotaLimit = $event"
           @update:dailyLimit="editQuotaDailyLimit = $event"
           @update:weeklyLimit="editQuotaWeeklyLimit = $event"
@@ -1260,15 +1260,15 @@
           @update:weeklyResetDay="editWeeklyResetDay = $event"
           @update:weeklyResetHour="editWeeklyResetHour = $event"
           @update:resetTimezone="editResetTimezone = $event"
-          @update:quotaNotifyDailyEnabled="editQuotaNotifyDailyEnabled = $event"
-          @update:quotaNotifyDailyThreshold="editQuotaNotifyDailyThreshold = $event"
-          @update:quotaNotifyDailyThresholdType="editQuotaNotifyDailyThresholdType = $event"
-          @update:quotaNotifyWeeklyEnabled="editQuotaNotifyWeeklyEnabled = $event"
-          @update:quotaNotifyWeeklyThreshold="editQuotaNotifyWeeklyThreshold = $event"
-          @update:quotaNotifyWeeklyThresholdType="editQuotaNotifyWeeklyThresholdType = $event"
-          @update:quotaNotifyTotalEnabled="editQuotaNotifyTotalEnabled = $event"
-          @update:quotaNotifyTotalThreshold="editQuotaNotifyTotalThreshold = $event"
-          @update:quotaNotifyTotalThresholdType="editQuotaNotifyTotalThresholdType = $event"
+          @update:quotaNotifyDailyEnabled="quotaNotifyState.daily.enabled = $event"
+          @update:quotaNotifyDailyThreshold="quotaNotifyState.daily.threshold = $event"
+          @update:quotaNotifyDailyThresholdType="quotaNotifyState.daily.thresholdType = $event"
+          @update:quotaNotifyWeeklyEnabled="quotaNotifyState.weekly.enabled = $event"
+          @update:quotaNotifyWeeklyThreshold="quotaNotifyState.weekly.threshold = $event"
+          @update:quotaNotifyWeeklyThresholdType="quotaNotifyState.weekly.thresholdType = $event"
+          @update:quotaNotifyTotalEnabled="quotaNotifyState.total.enabled = $event"
+          @update:quotaNotifyTotalThreshold="quotaNotifyState.total.threshold = $event"
+          @update:quotaNotifyTotalThresholdType="quotaNotifyState.total.thresholdType = $event"
         />
       </div>
 
@@ -1844,6 +1844,7 @@ import { useI18n } from 'vue-i18n'
 import { useAppStore } from '@/stores/app'
 import { useAuthStore } from '@/stores/auth'
 import { adminAPI } from '@/api/admin'
+import { useQuotaNotifyState } from '@/composables/useQuotaNotifyState'
 import type { Account, Proxy, AdminGroup, CheckMixedChannelResponse } from '@/types'
 import BaseDialog from '@/components/common/BaseDialog.vue'
 import ConfirmDialog from '@/components/common/ConfirmDialog.vue'
@@ -1993,16 +1994,21 @@ const codexCLIOnlyEnabled = ref(false)
 const anthropicPassthroughEnabled = ref(false)
 const webSearchEmulationMode = ref('default')
 const webSearchGlobalEnabled = ref(false)
-const quotaNotifyGlobalEnabled = ref(false)
+const {
+  globalEnabled: quotaNotifyGlobalEnabled,
+  state: quotaNotifyState,
+  loadGlobalState: loadQuotaNotifyGlobal,
+  loadFromExtra: loadQuotaNotifyFromExtra,
+  writeToExtra: writeQuotaNotifyToExtra,
+  reset: resetQuotaNotify,
+} = useQuotaNotifyState()
 
 // Load global feature states once
 adminAPI.settings.getWebSearchEmulationConfig().then(cfg => {
   webSearchGlobalEnabled.value = cfg?.enabled === true && (cfg?.providers?.length ?? 0) > 0
 }).catch(() => { webSearchGlobalEnabled.value = false })
 
-adminAPI.settings.getSettings().then(settings => {
-  quotaNotifyGlobalEnabled.value = settings.account_quota_notify_enabled === true
-}).catch(() => { quotaNotifyGlobalEnabled.value = false })
+loadQuotaNotifyGlobal()
 const editQuotaLimit = ref<number | null>(null)
 const editQuotaDailyLimit = ref<number | null>(null)
 const editQuotaWeeklyLimit = ref<number | null>(null)
@@ -2012,15 +2018,6 @@ const editWeeklyResetMode = ref<'rolling' | 'fixed' | null>(null)
 const editWeeklyResetDay = ref<number | null>(null)
 const editWeeklyResetHour = ref<number | null>(null)
 const editResetTimezone = ref<string | null>(null)
-const editQuotaNotifyDailyEnabled = ref<boolean | null>(null)
-const editQuotaNotifyDailyThreshold = ref<number | null>(null)
-const editQuotaNotifyDailyThresholdType = ref<string | null>(null)
-const editQuotaNotifyWeeklyEnabled = ref<boolean | null>(null)
-const editQuotaNotifyWeeklyThreshold = ref<number | null>(null)
-const editQuotaNotifyWeeklyThresholdType = ref<string | null>(null)
-const editQuotaNotifyTotalEnabled = ref<boolean | null>(null)
-const editQuotaNotifyTotalThreshold = ref<number | null>(null)
-const editQuotaNotifyTotalThresholdType = ref<string | null>(null)
 const openAIWSModeOptions = computed(() => [
   { value: OPENAI_WS_MODE_OFF, label: t('admin.accounts.openai.wsModeOff') },
   // TODO: ctx_pool 选项暂时隐藏，待测试完成后恢复
@@ -2229,15 +2226,7 @@ const syncFormFromAccount = (newAccount: Account | null) => {
     editWeeklyResetHour.value = (extra?.quota_weekly_reset_hour as number) ?? null
     editResetTimezone.value = (extra?.quota_reset_timezone as string) || null
     // Load quota notify config
-    editQuotaNotifyDailyEnabled.value = (extra?.quota_notify_daily_enabled as boolean) ?? null
-    editQuotaNotifyDailyThreshold.value = (extra?.quota_notify_daily_threshold as number) ?? null
-    editQuotaNotifyDailyThresholdType.value = (extra?.quota_notify_daily_threshold_type as string) ?? null
-    editQuotaNotifyWeeklyEnabled.value = (extra?.quota_notify_weekly_enabled as boolean) ?? null
-    editQuotaNotifyWeeklyThreshold.value = (extra?.quota_notify_weekly_threshold as number) ?? null
-    editQuotaNotifyWeeklyThresholdType.value = (extra?.quota_notify_weekly_threshold_type as string) ?? null
-    editQuotaNotifyTotalEnabled.value = (extra?.quota_notify_total_enabled as boolean) ?? null
-    editQuotaNotifyTotalThreshold.value = (extra?.quota_notify_total_threshold as number) ?? null
-    editQuotaNotifyTotalThresholdType.value = (extra?.quota_notify_total_threshold_type as string) ?? null
+    loadQuotaNotifyFromExtra(extra)
   } else {
     editQuotaLimit.value = null
     editQuotaDailyLimit.value = null
@@ -2248,12 +2237,7 @@ const syncFormFromAccount = (newAccount: Account | null) => {
     editWeeklyResetDay.value = null
     editWeeklyResetHour.value = null
     editResetTimezone.value = null
-    editQuotaNotifyDailyEnabled.value = null
-    editQuotaNotifyDailyThreshold.value = null
-    editQuotaNotifyWeeklyEnabled.value = null
-    editQuotaNotifyWeeklyThreshold.value = null
-    editQuotaNotifyTotalEnabled.value = null
-    editQuotaNotifyTotalThreshold.value = null
+    resetQuotaNotify()
   }
 
   // Load antigravity model mapping (Antigravity 只支持映射模式)
@@ -2369,12 +2353,7 @@ const syncFormFromAccount = (newAccount: Account | null) => {
     editQuotaDailyLimit.value = typeof bedrockExtra.quota_daily_limit === 'number' ? bedrockExtra.quota_daily_limit : null
     editQuotaWeeklyLimit.value = typeof bedrockExtra.quota_weekly_limit === 'number' ? bedrockExtra.quota_weekly_limit : null
     // Load quota notify for bedrock
-    editQuotaNotifyDailyEnabled.value = (bedrockExtra.quota_notify_daily_enabled as boolean) ?? null
-    editQuotaNotifyDailyThreshold.value = (bedrockExtra.quota_notify_daily_threshold as number) ?? null
-    editQuotaNotifyWeeklyEnabled.value = (bedrockExtra.quota_notify_weekly_enabled as boolean) ?? null
-    editQuotaNotifyWeeklyThreshold.value = (bedrockExtra.quota_notify_weekly_threshold as number) ?? null
-    editQuotaNotifyTotalEnabled.value = (bedrockExtra.quota_notify_total_enabled as boolean) ?? null
-    editQuotaNotifyTotalThreshold.value = (bedrockExtra.quota_notify_total_threshold as number) ?? null
+    loadQuotaNotifyFromExtra(bedrockExtra)
 
     // Load model mappings for bedrock
     const existingMappings = bedrockCreds.model_mapping as Record<string, string> | undefined
@@ -3291,45 +3270,7 @@ const handleSubmit = async () => {
         delete newExtra.quota_reset_timezone
       }
       // Quota notify config
-      if (editQuotaNotifyDailyEnabled.value) {
-        newExtra.quota_notify_daily_enabled = true
-        if (editQuotaNotifyDailyThreshold.value != null) {
-          newExtra.quota_notify_daily_threshold = editQuotaNotifyDailyThreshold.value
-        } else {
-          delete newExtra.quota_notify_daily_threshold
-        }
-        newExtra.quota_notify_daily_threshold_type = editQuotaNotifyDailyThresholdType.value || 'fixed'
-      } else {
-        delete newExtra.quota_notify_daily_enabled
-        delete newExtra.quota_notify_daily_threshold
-        delete newExtra.quota_notify_daily_threshold_type
-      }
-      if (editQuotaNotifyWeeklyEnabled.value) {
-        newExtra.quota_notify_weekly_enabled = true
-        if (editQuotaNotifyWeeklyThreshold.value != null) {
-          newExtra.quota_notify_weekly_threshold = editQuotaNotifyWeeklyThreshold.value
-        } else {
-          delete newExtra.quota_notify_weekly_threshold
-        }
-        newExtra.quota_notify_weekly_threshold_type = editQuotaNotifyWeeklyThresholdType.value || 'fixed'
-      } else {
-        delete newExtra.quota_notify_weekly_enabled
-        delete newExtra.quota_notify_weekly_threshold
-        delete newExtra.quota_notify_weekly_threshold_type
-      }
-      if (editQuotaNotifyTotalEnabled.value) {
-        newExtra.quota_notify_total_enabled = true
-        if (editQuotaNotifyTotalThreshold.value != null) {
-          newExtra.quota_notify_total_threshold = editQuotaNotifyTotalThreshold.value
-        } else {
-          delete newExtra.quota_notify_total_threshold
-        }
-        newExtra.quota_notify_total_threshold_type = editQuotaNotifyTotalThresholdType.value || 'fixed'
-      } else {
-        delete newExtra.quota_notify_total_enabled
-        delete newExtra.quota_notify_total_threshold
-        delete newExtra.quota_notify_total_threshold_type
-      }
+      writeQuotaNotifyToExtra(newExtra, 'update')
       updatePayload.extra = newExtra
     }
 
diff --git a/frontend/src/components/account/QuotaDimensionRow.vue b/frontend/src/components/account/QuotaDimensionRow.vue
new file mode 100644
index 00000000..1406faa9
--- /dev/null
+++ b/frontend/src/components/account/QuotaDimensionRow.vue
@@ -0,0 +1,108 @@
+<script setup lang="ts">
+import { useI18n } from 'vue-i18n'
+import QuotaNotifyToggle from './QuotaNotifyToggle.vue'
+
+const { t } = useI18n()
+
+const props = defineProps<{
+  dim: 'daily' | 'weekly' | 'total'
+  label: string
+  limit: number | null
+  quotaNotifyGlobalEnabled: boolean
+  notifyEnabled: boolean | null
+  notifyThreshold: number | null
+  notifyThresholdType: string | null
+  // Reset mode (only for daily/weekly, null for total)
+  resetMode: 'rolling' | 'fixed' | null
+  resetHour: number | null
+  resetDay: number | null  // weekly only
+  resetTimezone: string | null
+  hintRolling: string
+  hintFixed: string
+  // Shared options passed from parent
+  hourOptions: number[]
+  dayOptions: { value: number; key: string }[]
+}>()
+
+const emit = defineEmits<{
+  'update:limit': [value: number | null]
+  'update:notifyEnabled': [value: boolean | null]
+  'update:notifyThreshold': [value: number | null]
+  'update:notifyThresholdType': [value: string | null]
+  'update:resetMode': [value: 'rolling' | 'fixed' | null]
+  'update:resetHour': [value: number | null]
+  'update:resetDay': [value: number | null]
+  'update:resetTimezone': [value: string | null]
+}>()
+
+const hasResetMode = props.dim !== 'total'
+
+const onLimitInput = (e: Event) => {
+  const raw = (e.target as HTMLInputElement).valueAsNumber
+  emit('update:limit', Number.isNaN(raw) ? null : raw)
+}
+
+const onModeChange = (e: Event) => {
+  const val = (e.target as HTMLSelectElement).value as 'rolling' | 'fixed'
+  emit('update:resetMode', val)
+  if (val === 'fixed') {
+    if (props.resetHour == null) emit('update:resetHour', 0)
+    if (props.dim === 'weekly' && props.resetDay == null) emit('update:resetDay', 1)
+    if (!props.resetTimezone) emit('update:resetTimezone', 'UTC')
+  }
+}
+</script>
+
+<template>
+  <div>
+    <!-- Title row (only when global notify is enabled) -->
+    <div v-if="quotaNotifyGlobalEnabled" class="flex items-center gap-2 mb-1">
+      <span class="text-xs font-medium text-gray-700 dark:text-gray-300 flex-1 min-w-0">{{ label }}</span>
+      <span v-if="limit && limit > 0" class="text-xs font-medium text-gray-700 dark:text-gray-300 flex-1 min-w-0">{{ t('admin.accounts.quotaNotify.alert') }}</span>
+    </div>
+    <label v-else class="text-xs font-medium text-gray-700 dark:text-gray-300 mb-1 block">{{ label }}</label>
+
+    <!-- Input row -->
+    <div class="flex items-center gap-2">
+      <div :class="['relative', quotaNotifyGlobalEnabled ? 'flex-1 min-w-0' : 'flex-1']">
+        <span class="absolute left-2.5 top-1/2 -translate-y-1/2 text-gray-500 dark:text-gray-400 text-sm">$</span>
+        <input :value="limit" @input="onLimitInput" type="number" min="0" step="0.01" class="input pl-6 py-1.5 text-sm" :placeholder="t('admin.accounts.quotaLimitPlaceholder')" />
+      </div>
+      <QuotaNotifyToggle
+        v-if="quotaNotifyGlobalEnabled && limit && limit > 0"
+        class="flex-1 min-w-0"
+        :enabled="notifyEnabled" :threshold="notifyThreshold" :threshold-type="notifyThresholdType"
+        @update:enabled="emit('update:notifyEnabled', $event)" @update:threshold="emit('update:notifyThreshold', $event)" @update:threshold-type="emit('update:notifyThresholdType', $event)"
+      />
+    </div>
+
+    <!-- Reset mode row (daily/weekly only) -->
+    <div v-if="hasResetMode" class="mt-1 flex items-center gap-2 flex-wrap">
+      <label class="text-xs text-gray-500 dark:text-gray-400 whitespace-nowrap">{{ t('admin.accounts.quotaResetMode') }}</label>
+      <select :value="resetMode || 'rolling'" @change="onModeChange" class="input py-1 text-xs w-auto">
+        <option value="rolling">{{ t('admin.accounts.quotaResetModeRolling') }}</option>
+        <option value="fixed">{{ t('admin.accounts.quotaResetModeFixed') }}</option>
+      </select>
+      <template v-if="resetMode === 'fixed'">
+        <!-- Weekly: day of week selector -->
+        <template v-if="dim === 'weekly'">
+          <label class="text-xs text-gray-500 dark:text-gray-400 whitespace-nowrap">{{ t('admin.accounts.quotaWeeklyResetDay') }}</label>
+          <select :value="resetDay ?? 1" @change="emit('update:resetDay', Number(($event.target as HTMLSelectElement).value))" class="input py-1 text-xs w-28">
+            <option v-for="d in dayOptions" :key="d.value" :value="d.value">{{ t('admin.accounts.dayOfWeek.' + d.key) }}</option>
+          </select>
+        </template>
+        <label class="text-xs text-gray-500 dark:text-gray-400 whitespace-nowrap">{{ t('admin.accounts.quotaResetHour') }}</label>
+        <select :value="resetHour ?? 0" @change="emit('update:resetHour', Number(($event.target as HTMLSelectElement).value))" class="input py-1 text-xs w-24">
+          <option v-for="h in hourOptions" :key="h" :value="h">{{ String(h).padStart(2, '0') }}:00</option>
+        </select>
+      </template>
+      <span class="text-[11px] text-gray-500 dark:text-gray-400">
+        <template v-if="resetMode === 'fixed'">{{ hintFixed }}</template>
+        <template v-else>{{ hintRolling }}</template>
+      </span>
+    </div>
+
+    <!-- Total dimension hint (no reset mode) -->
+    <p v-if="!hasResetMode" class="input-hint mb-0 text-[11px]">{{ hintRolling }}</p>
+  </div>
+</template>
diff --git a/frontend/src/components/account/QuotaLimitCard.vue b/frontend/src/components/account/QuotaLimitCard.vue
index 5f0c7c2c..77e437a8 100644
--- a/frontend/src/components/account/QuotaLimitCard.vue
+++ b/frontend/src/components/account/QuotaLimitCard.vue
@@ -1,7 +1,7 @@
 <script setup lang="ts">
 import { ref, watch, computed } from 'vue'
 import { useI18n } from 'vue-i18n'
-import QuotaNotifyToggle from './QuotaNotifyToggle.vue'
+import QuotaDimensionRow from './QuotaDimensionRow.vue'
 
 const { t } = useI18n()
 
@@ -96,26 +96,24 @@ const hasFixedMode = computed(() =>
 
 // Common timezone options
 const timezoneOptions = [
-  'UTC',
-  'Asia/Shanghai',
-  'Asia/Tokyo',
-  'Asia/Seoul',
-  'Asia/Singapore',
-  'Asia/Kolkata',
-  'Asia/Dubai',
-  'Europe/London',
-  'Europe/Paris',
-  'Europe/Berlin',
-  'Europe/Moscow',
-  'America/New_York',
-  'America/Chicago',
-  'America/Denver',
-  'America/Los_Angeles',
-  'America/Sao_Paulo',
-  'Australia/Sydney',
-  'Pacific/Auckland',
+  'UTC', 'Asia/Shanghai', 'Asia/Tokyo', 'Asia/Seoul', 'Asia/Singapore', 'Asia/Kolkata',
+  'Asia/Dubai', 'Europe/London', 'Europe/Paris', 'Europe/Berlin', 'Europe/Moscow',
+  'America/New_York', 'America/Chicago', 'America/Denver', 'America/Los_Angeles',
+  'America/Sao_Paulo', 'Australia/Sydney', 'Pacific/Auckland',
 ]
 
+// Compute GMT offset label (e.g. "GMT+8", "GMT-5") for a given IANA timezone.
+function getTimezoneOffsetLabel(tz: string): string {
+  try {
+    const dtf = new Intl.DateTimeFormat('en-US', { timeZone: tz, timeZoneName: 'shortOffset' })
+    const parts = dtf.formatToParts(new Date())
+    const tzPart = parts.find(p => p.type === 'timeZoneName')
+    return tzPart ? (tzPart.value === 'GMT' ? 'GMT+0' : tzPart.value) : ''
+  } catch {
+    return ''
+  }
+}
+
 // Hours for dropdown (0-23)
 const hourOptions = Array.from({ length: 24 }, (_, i) => i)
 
@@ -130,37 +128,22 @@ const dayOptions = [
   { value: 0, key: 'sunday' },
 ]
 
-const onTotalInput = (e: Event) => {
-  const raw = (e.target as HTMLInputElement).valueAsNumber
-  emit('update:totalLimit', Number.isNaN(raw) ? null : raw)
-}
-const onDailyInput = (e: Event) => {
-  const raw = (e.target as HTMLInputElement).valueAsNumber
-  emit('update:dailyLimit', Number.isNaN(raw) ? null : raw)
-}
-const onWeeklyInput = (e: Event) => {
-  const raw = (e.target as HTMLInputElement).valueAsNumber
-  emit('update:weeklyLimit', Number.isNaN(raw) ? null : raw)
-}
+// Precomputed hint strings for the weekly fixed mode
+const weeklyFixedHint = computed(() => {
+  const dayKey = dayOptions.find(d => d.value === (props.weeklyResetDay ?? 1))?.key || 'monday'
+  return t('admin.accounts.quotaWeeklyLimitHintFixed', {
+    day: t('admin.accounts.dayOfWeek.' + dayKey),
+    hour: String(props.weeklyResetHour ?? 0).padStart(2, '0'),
+    timezone: props.resetTimezone || 'UTC',
+  })
+})
 
-const onDailyModeChange = (e: Event) => {
-  const val = (e.target as HTMLSelectElement).value as 'rolling' | 'fixed'
-  emit('update:dailyResetMode', val)
-  if (val === 'fixed') {
-    if (props.dailyResetHour == null) emit('update:dailyResetHour', 0)
-    if (!props.resetTimezone) emit('update:resetTimezone', 'UTC')
-  }
-}
-
-const onWeeklyModeChange = (e: Event) => {
-  const val = (e.target as HTMLSelectElement).value as 'rolling' | 'fixed'
-  emit('update:weeklyResetMode', val)
-  if (val === 'fixed') {
-    if (props.weeklyResetDay == null) emit('update:weeklyResetDay', 1)
-    if (props.weeklyResetHour == null) emit('update:weeklyResetHour', 0)
-    if (!props.resetTimezone) emit('update:resetTimezone', 'UTC')
-  }
-}
+const dailyFixedHint = computed(() =>
+  t('admin.accounts.quotaDailyLimitHintFixed', {
+    hour: String(props.dailyResetHour ?? 0).padStart(2, '0'),
+    timezone: props.resetTimezone || 'UTC',
+  })
+)
 </script>
 
 <template>
@@ -197,117 +180,89 @@ const onWeeklyModeChange = (e: Event) => {
 
       <!-- Collapsible content -->
       <div v-if="localEnabled && !collapsed" class="space-y-2 p-4 pt-3">
-        <!-- 日配额 -->
-        <div>
-          <!-- 标题行（仅全局通知开启时显示） -->
-          <div v-if="quotaNotifyGlobalEnabled" class="flex items-center gap-2 mb-1">
-            <span class="text-xs font-medium text-gray-700 dark:text-gray-300 flex-1 min-w-0">{{ t('admin.accounts.quotaDailyLimit') }}</span>
-            <span v-if="dailyLimit && dailyLimit > 0" class="text-xs font-medium text-gray-700 dark:text-gray-300 flex-1 min-w-0">{{ t('admin.accounts.quotaNotify.alert') }}</span>
-          </div>
-          <label v-else class="text-xs font-medium text-gray-700 dark:text-gray-300 mb-1 block">{{ t('admin.accounts.quotaDailyLimit') }}</label>
-          <!-- 输入行 -->
-          <div class="flex items-center gap-2">
-            <div :class="['relative', quotaNotifyGlobalEnabled ? 'w-28 flex-shrink-0' : 'flex-1']">
-              <span class="absolute left-2.5 top-1/2 -translate-y-1/2 text-gray-500 dark:text-gray-400 text-sm">$</span>
-              <input :value="dailyLimit" @input="onDailyInput" type="number" min="0" step="0.01" class="input pl-6 py-1.5 text-sm" :placeholder="t('admin.accounts.quotaLimitPlaceholder')" />
-            </div>
-            <QuotaNotifyToggle
-              v-if="quotaNotifyGlobalEnabled && dailyLimit && dailyLimit > 0"
-              class="flex-1 min-w-0"
-              :enabled="props.quotaNotifyDailyEnabled" :threshold="props.quotaNotifyDailyThreshold" :threshold-type="props.quotaNotifyDailyThresholdType"
-              @update:enabled="emit('update:quotaNotifyDailyEnabled', $event)" @update:threshold="emit('update:quotaNotifyDailyThreshold', $event)" @update:threshold-type="emit('update:quotaNotifyDailyThresholdType', $event)"
-            />
-          </div>
-          <div class="mt-1 flex items-center gap-2 flex-wrap">
-            <label class="text-xs text-gray-500 dark:text-gray-400 whitespace-nowrap">{{ t('admin.accounts.quotaResetMode') }}</label>
-            <select :value="dailyResetMode || 'rolling'" @change="onDailyModeChange" class="input py-1 text-xs w-auto">
-              <option value="rolling">{{ t('admin.accounts.quotaResetModeRolling') }}</option>
-              <option value="fixed">{{ t('admin.accounts.quotaResetModeFixed') }}</option>
-            </select>
-            <template v-if="dailyResetMode === 'fixed'">
-              <label class="text-xs text-gray-500 dark:text-gray-400 whitespace-nowrap">{{ t('admin.accounts.quotaResetHour') }}</label>
-              <select :value="dailyResetHour ?? 0" @change="emit('update:dailyResetHour', Number(($event.target as HTMLSelectElement).value))" class="input py-1 text-xs w-24">
-                <option v-for="h in hourOptions" :key="h" :value="h">{{ String(h).padStart(2, '0') }}:00</option>
-              </select>
-            </template>
-          </div>
-          <p class="input-hint mb-0 text-[11px]">
-            <template v-if="dailyResetMode === 'fixed'">{{ t('admin.accounts.quotaDailyLimitHintFixed', { hour: String(dailyResetHour ?? 0).padStart(2, '0'), timezone: resetTimezone || 'UTC' }) }}</template>
-            <template v-else>{{ t('admin.accounts.quotaDailyLimitHint') }}</template>
-          </p>
-        </div>
+        <!-- Daily quota -->
+        <QuotaDimensionRow
+          dim="daily"
+          :label="t('admin.accounts.quotaDailyLimit')"
+          :limit="dailyLimit"
+          :quota-notify-global-enabled="quotaNotifyGlobalEnabled"
+          :notify-enabled="props.quotaNotifyDailyEnabled"
+          :notify-threshold="props.quotaNotifyDailyThreshold"
+          :notify-threshold-type="props.quotaNotifyDailyThresholdType"
+          :reset-mode="dailyResetMode"
+          :reset-hour="dailyResetHour"
+          :reset-day="null"
+          :reset-timezone="resetTimezone"
+          :hint-rolling="t('admin.accounts.quotaDailyLimitHint')"
+          :hint-fixed="dailyFixedHint"
+          :hour-options="hourOptions"
+          :day-options="dayOptions"
+          @update:limit="emit('update:dailyLimit', $event)"
+          @update:notify-enabled="emit('update:quotaNotifyDailyEnabled', $event)"
+          @update:notify-threshold="emit('update:quotaNotifyDailyThreshold', $event)"
+          @update:notify-threshold-type="emit('update:quotaNotifyDailyThresholdType', $event)"
+          @update:reset-mode="emit('update:dailyResetMode', $event)"
+          @update:reset-hour="emit('update:dailyResetHour', $event)"
+          @update:reset-timezone="emit('update:resetTimezone', $event)"
+        />
 
-        <!-- 周配额 -->
-        <div>
-          <div v-if="quotaNotifyGlobalEnabled" class="flex items-center gap-2 mb-1">
-            <span class="text-xs font-medium text-gray-700 dark:text-gray-300 flex-1 min-w-0">{{ t('admin.accounts.quotaWeeklyLimit') }}</span>
-            <span v-if="weeklyLimit && weeklyLimit > 0" class="text-xs font-medium text-gray-700 dark:text-gray-300 flex-1 min-w-0">{{ t('admin.accounts.quotaNotify.alert') }}</span>
-          </div>
-          <label v-else class="text-xs font-medium text-gray-700 dark:text-gray-300 mb-1 block">{{ t('admin.accounts.quotaWeeklyLimit') }}</label>
-          <div class="flex items-center gap-2">
-            <div :class="['relative', quotaNotifyGlobalEnabled ? 'w-28 flex-shrink-0' : 'flex-1']">
-              <span class="absolute left-2.5 top-1/2 -translate-y-1/2 text-gray-500 dark:text-gray-400 text-sm">$</span>
-              <input :value="weeklyLimit" @input="onWeeklyInput" type="number" min="0" step="0.01" class="input pl-6 py-1.5 text-sm" :placeholder="t('admin.accounts.quotaLimitPlaceholder')" />
-            </div>
-            <QuotaNotifyToggle
-              v-if="quotaNotifyGlobalEnabled && weeklyLimit && weeklyLimit > 0"
-              class="flex-1 min-w-0"
-              :enabled="props.quotaNotifyWeeklyEnabled" :threshold="props.quotaNotifyWeeklyThreshold" :threshold-type="props.quotaNotifyWeeklyThresholdType"
-              @update:enabled="emit('update:quotaNotifyWeeklyEnabled', $event)" @update:threshold="emit('update:quotaNotifyWeeklyThreshold', $event)" @update:threshold-type="emit('update:quotaNotifyWeeklyThresholdType', $event)"
-            />
-          </div>
-          <div class="mt-1 flex items-center gap-2 flex-wrap">
-            <label class="text-xs text-gray-500 dark:text-gray-400 whitespace-nowrap">{{ t('admin.accounts.quotaResetMode') }}</label>
-            <select :value="weeklyResetMode || 'rolling'" @change="onWeeklyModeChange" class="input py-1 text-xs w-auto">
-              <option value="rolling">{{ t('admin.accounts.quotaResetModeRolling') }}</option>
-              <option value="fixed">{{ t('admin.accounts.quotaResetModeFixed') }}</option>
-            </select>
-            <template v-if="weeklyResetMode === 'fixed'">
-              <label class="text-xs text-gray-500 dark:text-gray-400 whitespace-nowrap">{{ t('admin.accounts.quotaWeeklyResetDay') }}</label>
-              <select :value="weeklyResetDay ?? 1" @change="emit('update:weeklyResetDay', Number(($event.target as HTMLSelectElement).value))" class="input py-1 text-xs w-28">
-                <option v-for="d in dayOptions" :key="d.value" :value="d.value">{{ t('admin.accounts.dayOfWeek.' + d.key) }}</option>
-              </select>
-              <label class="text-xs text-gray-500 dark:text-gray-400 whitespace-nowrap">{{ t('admin.accounts.quotaResetHour') }}</label>
-              <select :value="weeklyResetHour ?? 0" @change="emit('update:weeklyResetHour', Number(($event.target as HTMLSelectElement).value))" class="input py-1 text-xs w-24">
-                <option v-for="h in hourOptions" :key="h" :value="h">{{ String(h).padStart(2, '0') }}:00</option>
-              </select>
-            </template>
-          </div>
-          <p class="input-hint mb-0 text-[11px]">
-            <template v-if="weeklyResetMode === 'fixed'">{{ t('admin.accounts.quotaWeeklyLimitHintFixed', { day: t('admin.accounts.dayOfWeek.' + (dayOptions.find(d => d.value === (weeklyResetDay ?? 1))?.key || 'monday')), hour: String(weeklyResetHour ?? 0).padStart(2, '0'), timezone: resetTimezone || 'UTC' }) }}</template>
-            <template v-else>{{ t('admin.accounts.quotaWeeklyLimitHint') }}</template>
-          </p>
-        </div>
+        <!-- Weekly quota -->
+        <QuotaDimensionRow
+          dim="weekly"
+          :label="t('admin.accounts.quotaWeeklyLimit')"
+          :limit="weeklyLimit"
+          :quota-notify-global-enabled="quotaNotifyGlobalEnabled"
+          :notify-enabled="props.quotaNotifyWeeklyEnabled"
+          :notify-threshold="props.quotaNotifyWeeklyThreshold"
+          :notify-threshold-type="props.quotaNotifyWeeklyThresholdType"
+          :reset-mode="weeklyResetMode"
+          :reset-hour="weeklyResetHour"
+          :reset-day="weeklyResetDay"
+          :reset-timezone="resetTimezone"
+          :hint-rolling="t('admin.accounts.quotaWeeklyLimitHint')"
+          :hint-fixed="weeklyFixedHint"
+          :hour-options="hourOptions"
+          :day-options="dayOptions"
+          @update:limit="emit('update:weeklyLimit', $event)"
+          @update:notify-enabled="emit('update:quotaNotifyWeeklyEnabled', $event)"
+          @update:notify-threshold="emit('update:quotaNotifyWeeklyThreshold', $event)"
+          @update:notify-threshold-type="emit('update:quotaNotifyWeeklyThresholdType', $event)"
+          @update:reset-mode="emit('update:weeklyResetMode', $event)"
+          @update:reset-hour="emit('update:weeklyResetHour', $event)"
+          @update:reset-day="emit('update:weeklyResetDay', $event)"
+          @update:reset-timezone="emit('update:resetTimezone', $event)"
+        />
 
-        <!-- 时区选择 -->
+        <!-- Timezone selector (shared by daily/weekly when fixed mode is active) -->
         <div v-if="hasFixedMode">
           <label class="input-label">{{ t('admin.accounts.quotaResetTimezone') }}</label>
           <select :value="resetTimezone || 'UTC'" @change="emit('update:resetTimezone', ($event.target as HTMLSelectElement).value)" class="input text-sm">
-            <option v-for="tz in timezoneOptions" :key="tz" :value="tz">{{ tz }}</option>
+            <option v-for="tz in timezoneOptions" :key="tz" :value="tz">{{ tz }} ({{ getTimezoneOffsetLabel(tz) }})</option>
           </select>
         </div>
 
-        <!-- 总配额 -->
-        <div>
-          <div v-if="quotaNotifyGlobalEnabled" class="flex items-center gap-2 mb-1">
-            <span class="text-xs font-medium text-gray-700 dark:text-gray-300 flex-1 min-w-0">{{ t('admin.accounts.quotaTotalLimit') }}</span>
-            <span v-if="totalLimit && totalLimit > 0" class="text-xs font-medium text-gray-700 dark:text-gray-300 flex-1 min-w-0">{{ t('admin.accounts.quotaNotify.alert') }}</span>
-          </div>
-          <label v-else class="text-xs font-medium text-gray-700 dark:text-gray-300 mb-1 block">{{ t('admin.accounts.quotaTotalLimit') }}</label>
-          <div class="flex items-center gap-2">
-            <div :class="['relative', quotaNotifyGlobalEnabled ? 'w-28 flex-shrink-0' : 'flex-1']">
-              <span class="absolute left-2.5 top-1/2 -translate-y-1/2 text-gray-500 dark:text-gray-400 text-sm">$</span>
-              <input :value="totalLimit" @input="onTotalInput" type="number" min="0" step="0.01" class="input pl-6 py-1.5 text-sm" :placeholder="t('admin.accounts.quotaLimitPlaceholder')" />
-            </div>
-            <QuotaNotifyToggle
-              v-if="quotaNotifyGlobalEnabled && totalLimit && totalLimit > 0"
-              class="flex-1 min-w-0"
-              :enabled="props.quotaNotifyTotalEnabled" :threshold="props.quotaNotifyTotalThreshold" :threshold-type="props.quotaNotifyTotalThresholdType"
-              @update:enabled="emit('update:quotaNotifyTotalEnabled', $event)" @update:threshold="emit('update:quotaNotifyTotalThreshold', $event)" @update:threshold-type="emit('update:quotaNotifyTotalThresholdType', $event)"
-            />
-          </div>
-          <p class="input-hint mb-0 text-[11px]">{{ t('admin.accounts.quotaTotalLimitHint') }}</p>
-        </div>
+        <!-- Total quota -->
+        <QuotaDimensionRow
+          dim="total"
+          :label="t('admin.accounts.quotaTotalLimit')"
+          :limit="totalLimit"
+          :quota-notify-global-enabled="quotaNotifyGlobalEnabled"
+          :notify-enabled="props.quotaNotifyTotalEnabled"
+          :notify-threshold="props.quotaNotifyTotalThreshold"
+          :notify-threshold-type="props.quotaNotifyTotalThresholdType"
+          :reset-mode="null"
+          :reset-hour="null"
+          :reset-day="null"
+          :reset-timezone="null"
+          :hint-rolling="t('admin.accounts.quotaTotalLimitHint')"
+          hint-fixed=""
+          :hour-options="hourOptions"
+          :day-options="dayOptions"
+          @update:limit="emit('update:totalLimit', $event)"
+          @update:notify-enabled="emit('update:quotaNotifyTotalEnabled', $event)"
+          @update:notify-threshold="emit('update:quotaNotifyTotalThreshold', $event)"
+          @update:notify-threshold-type="emit('update:quotaNotifyTotalThresholdType', $event)"
+        />
       </div>
   </div>
 </template>
diff --git a/frontend/src/composables/useQuotaNotifyState.ts b/frontend/src/composables/useQuotaNotifyState.ts
new file mode 100644
index 00000000..1c6705d3
--- /dev/null
+++ b/frontend/src/composables/useQuotaNotifyState.ts
@@ -0,0 +1,69 @@
+import { reactive, ref } from 'vue'
+import { adminAPI } from '@/api/admin'
+import { QUOTA_THRESHOLD_TYPE_FIXED } from '@/constants/account'
+
+export const QUOTA_NOTIFY_DIMS = ['daily', 'weekly', 'total'] as const
+export type QuotaNotifyDim = (typeof QUOTA_NOTIFY_DIMS)[number]
+
+interface DimState {
+  enabled: boolean | null
+  threshold: number | null
+  thresholdType: string | null
+}
+
+export function useQuotaNotifyState() {
+  const globalEnabled = ref(false)
+  const state = reactive<Record<QuotaNotifyDim, DimState>>({
+    daily: { enabled: null, threshold: null, thresholdType: null },
+    weekly: { enabled: null, threshold: null, thresholdType: null },
+    total: { enabled: null, threshold: null, thresholdType: null },
+  })
+
+  function loadGlobalState() {
+    adminAPI.settings
+      .getSettings()
+      .then((settings) => {
+        globalEnabled.value = settings.account_quota_notify_enabled === true
+      })
+      .catch(() => {
+        globalEnabled.value = false
+      })
+  }
+
+  function loadFromExtra(extra: Record<string, unknown> | null | undefined) {
+    for (const d of QUOTA_NOTIFY_DIMS) {
+      state[d].enabled = (extra?.[`quota_notify_${d}_enabled`] as boolean) ?? null
+      state[d].threshold = (extra?.[`quota_notify_${d}_threshold`] as number) ?? null
+      state[d].thresholdType = (extra?.[`quota_notify_${d}_threshold_type`] as string) ?? null
+    }
+  }
+
+  function writeToExtra(extra: Record<string, unknown>, mode: 'create' | 'update') {
+    for (const d of QUOTA_NOTIFY_DIMS) {
+      const s = state[d]
+      if (s.enabled) {
+        extra[`quota_notify_${d}_enabled`] = true
+        if (s.threshold != null) {
+          extra[`quota_notify_${d}_threshold`] = s.threshold
+        } else if (mode === 'update') {
+          delete extra[`quota_notify_${d}_threshold`]
+        }
+        extra[`quota_notify_${d}_threshold_type`] = s.thresholdType || QUOTA_THRESHOLD_TYPE_FIXED
+      } else if (mode === 'update') {
+        delete extra[`quota_notify_${d}_enabled`]
+        delete extra[`quota_notify_${d}_threshold`]
+        delete extra[`quota_notify_${d}_threshold_type`]
+      }
+    }
+  }
+
+  function reset() {
+    for (const d of QUOTA_NOTIFY_DIMS) {
+      state[d].enabled = null
+      state[d].threshold = null
+      state[d].thresholdType = null
+    }
+  }
+
+  return { globalEnabled, state, loadGlobalState, loadFromExtra, writeToExtra, reset }
+}
diff --git a/frontend/src/views/admin/orders/AdminPaymentPlansView.vue b/frontend/src/views/admin/orders/AdminPaymentPlansView.vue
index 639b4f66..28b82da5 100644
--- a/frontend/src/views/admin/orders/AdminPaymentPlansView.vue
+++ b/frontend/src/views/admin/orders/AdminPaymentPlansView.vue
@@ -29,7 +29,7 @@
         </template>
         <template #cell-price="{ value, row }">
           <div class="text-sm">
-            <span class="font-medium text-gray-900 dark:text-white">${{ value.toFixed(2) }}</span>
+            <span class="font-medium text-gray-900 dark:text-white">${{ (value ?? 0).toFixed(2) }}</span>
             <span v-if="row.original_price" class="ml-1 text-xs text-gray-400 line-through">${{ row.original_price.toFixed(2) }}</span>
           </div>
         </template>
@@ -67,86 +67,14 @@
     </div>
 
     <!-- Plan Edit Dialog -->
-    <BaseDialog :show="showPlanDialog" :title="editingPlan ? t('payment.admin.editPlan') : t('payment.admin.createPlan')" width="wide" @close="showPlanDialog = false">
-      <form id="plan-form" @submit.prevent="handleSavePlan" class="space-y-4">
-        <div class="grid grid-cols-2 gap-4">
-          <div>
-            <label class="input-label">{{ t('payment.admin.planName') }}</label>
-            <input v-model="planForm.name" type="text" class="input" required />
-          </div>
-          <div>
-            <label class="input-label">{{ t('payment.admin.group') }}</label>
-            <Select v-model="planForm.group_id" :options="groupOptions" class="w-full">
-              <template #selected="{ option }">
-                <span v-if="option?.platform" :class="platformTextClass(String(option.platform))">{{ option.label }}</span>
-                <span v-else>{{ option?.label || t('payment.admin.selectGroup') }}</span>
-              </template>
-              <template #option="{ option, selected }">
-                <span class="flex-1 truncate text-left" :class="option.platform ? platformTextClass(String(option.platform)) : ''">{{ option.label }}</span>
-                <Icon v-if="selected" name="check" size="sm" class="text-primary-500" :stroke-width="2" />
-              </template>
-            </Select>
-          </div>
-        </div>
-
-        <!-- Group Info Preview -->
-        <div v-if="selectedGroupInfo" class="rounded-lg border border-gray-200 bg-gray-50 p-3 dark:border-dark-600 dark:bg-dark-800">
-          <div class="mb-2 flex items-center gap-2">
-            <GroupBadge :name="selectedGroupInfo.name" :platform="selectedGroupInfo.platform" :rate-multiplier="selectedGroupInfo.rate_multiplier" />
-          </div>
-          <div class="grid grid-cols-2 gap-2 text-xs">
-            <div><span class="text-gray-500">{{ t('payment.admin.dailyLimit') }}:</span> <span class="ml-1 font-medium text-gray-700 dark:text-gray-300">{{ selectedGroupInfo.daily_limit_usd != null ? '$' + selectedGroupInfo.daily_limit_usd : t('payment.admin.unlimited') }}</span></div>
-            <div><span class="text-gray-500">{{ t('payment.admin.weeklyLimit') }}:</span> <span class="ml-1 font-medium text-gray-700 dark:text-gray-300">{{ selectedGroupInfo.weekly_limit_usd != null ? '$' + selectedGroupInfo.weekly_limit_usd : t('payment.admin.unlimited') }}</span></div>
-            <div><span class="text-gray-500">{{ t('payment.admin.monthlyLimit') }}:</span> <span class="ml-1 font-medium text-gray-700 dark:text-gray-300">{{ selectedGroupInfo.monthly_limit_usd != null ? '$' + selectedGroupInfo.monthly_limit_usd : t('payment.admin.unlimited') }}</span></div>
-          </div>
-        </div>
-
-        <div><label class="input-label">{{ t('payment.admin.planDescription') }}</label><textarea v-model="planForm.description" rows="2" class="input"></textarea></div>
-        <div class="grid grid-cols-3 gap-4">
-          <div><label class="input-label">{{ t('payment.admin.price') }}</label><input v-model.number="planForm.price" type="number" step="0.01" min="0" class="input" required /></div>
-          <div><label class="input-label">{{ t('payment.admin.originalPrice') }}</label><input v-model.number="planForm.original_price" type="number" step="0.01" min="0" class="input" /></div>
-          <div><label class="input-label">{{ t('payment.admin.sortOrder') }}</label><input v-model.number="planForm.sort_order" type="number" min="0" class="input" /></div>
-        </div>
-        <div class="grid grid-cols-2 gap-4">
-          <div><label class="input-label">{{ t('payment.admin.validityDays') }}</label><input v-model.number="planForm.validity_days" type="number" min="1" class="input" required /></div>
-          <div><label class="input-label">{{ t('payment.admin.validityUnit') }}</label><Select v-model="planForm.validity_unit" :options="validityUnitOptions" /></div>
-        </div>
-        <div>
-          <label class="input-label">{{ t('payment.admin.features') }}</label>
-          <textarea v-model="planFeaturesText" rows="3" class="input" :placeholder="t('payment.admin.featuresPlaceholder')"></textarea>
-          <p class="mt-1 text-xs text-gray-500 dark:text-gray-400">{{ t('payment.admin.featuresHint') }}</p>
-        </div>
-        <div class="flex items-center gap-3">
-          <label class="text-sm text-gray-700 dark:text-gray-300">{{ t('payment.admin.forSale') }}</label>
-          <button
-            type="button"
-            :class="[
-              'relative inline-flex h-6 w-11 flex-shrink-0 cursor-pointer rounded-full border-2 border-transparent transition-colors duration-200 ease-in-out focus:outline-none focus:ring-2 focus:ring-primary-500 focus:ring-offset-2',
-              planForm.for_sale ? 'bg-primary-500' : 'bg-gray-300 dark:bg-dark-600'
-            ]"
-            @click="planForm.for_sale = !planForm.for_sale"
-          >
-            <span :class="[
-              'pointer-events-none inline-block h-5 w-5 transform rounded-full bg-white shadow ring-0 transition duration-200 ease-in-out',
-              planForm.for_sale ? 'translate-x-5' : 'translate-x-0'
-            ]" />
-          </button>
-        </div>
-      </form>
-      <template #footer>
-        <div class="flex justify-end gap-3">
-          <button type="button" @click="showPlanDialog = false" class="btn btn-secondary">{{ t('common.cancel') }}</button>
-          <button type="submit" form="plan-form" :disabled="planSaving" class="btn btn-primary">{{ planSaving ? t('common.saving') : t('common.save') }}</button>
-        </div>
-      </template>
-    </BaseDialog>
+    <PlanEditDialog :show="showPlanDialog" :plan="editingPlan" :groups="groups" @close="showPlanDialog = false" @saved="loadPlans" />
 
     <ConfirmDialog :show="showDeletePlanDialog" :title="t('payment.admin.deletePlan')" :message="t('payment.admin.deletePlanConfirm')" :confirm-text="t('common.delete')" danger @confirm="handleDeletePlan" @cancel="showDeletePlanDialog = false" />
   </AppLayout>
 </template>
 
 <script setup lang="ts">
-import { ref, reactive, computed, onMounted } from 'vue'
+import { ref, computed, onMounted } from 'vue'
 import { useI18n } from 'vue-i18n'
 import { useAppStore } from '@/stores/app'
 import { adminPaymentAPI } from '@/api/admin/payment'
@@ -157,11 +85,10 @@ import type { AdminGroup } from '@/types'
 import type { Column } from '@/components/common/types'
 import AppLayout from '@/components/layout/AppLayout.vue'
 import DataTable from '@/components/common/DataTable.vue'
-import BaseDialog from '@/components/common/BaseDialog.vue'
 import ConfirmDialog from '@/components/common/ConfirmDialog.vue'
-import Select from '@/components/common/Select.vue'
 import Icon from '@/components/icons/Icon.vue'
 import GroupBadge from '@/components/common/GroupBadge.vue'
+import PlanEditDialog from './PlanEditDialog.vue'
 import { platformTextClass } from '@/utils/platformColors'
 
 const { t } = useI18n()
@@ -190,39 +117,14 @@ function getPlanNameClass(groupId: number): string {
   return group ? platformTextClass(group.platform) : 'text-gray-900 dark:text-white'
 }
 
-const groupOptions = computed(() => [
-  { value: 0, label: t('payment.admin.selectGroup'), platform: '' },
-  ...groups.value
-    .filter(g => g.subscription_type === 'subscription')
-    .map(g => ({
-      value: g.id,
-      label: `${g.name} — ${g.platform} (${g.rate_multiplier}x)`,
-      platform: g.platform,
-    })),
-])
-
-const selectedGroupInfo = computed(() => {
-  if (!planForm.group_id) return null
-  return groups.value.find(g => g.id === planForm.group_id) || null
-})
-
 // ==================== Plans ====================
 
 const plansLoading = ref(false)
 const plans = ref<SubscriptionPlan[]>([])
 const showPlanDialog = ref(false)
 const showDeletePlanDialog = ref(false)
-const planSaving = ref(false)
 const editingPlan = ref<SubscriptionPlan | null>(null)
 const deletingPlanId = ref<number | null>(null)
-const planForm = reactive({ name: '', group_id: 0, description: '', price: 0, original_price: 0, validity_days: 30, validity_unit: 'days', for_sale: true, sort_order: 0 })
-const planFeaturesText = ref('')
-
-const validityUnitOptions = computed(() => [
-  { value: 'days', label: t('payment.admin.days') },
-  { value: 'weeks', label: t('payment.admin.weeks') },
-  { value: 'months', label: t('payment.admin.months') },
-])
 
 const planColumns = computed((): Column[] => [
   { key: 'id', label: 'ID' },
@@ -231,7 +133,6 @@ const planColumns = computed((): Column[] => [
   { key: 'price', label: t('payment.admin.price') },
   { key: 'validity_days', label: t('payment.admin.validityDays') },
   { key: 'for_sale', label: t('payment.admin.forSale') },
-  { key: 'sort_order', label: t('payment.admin.sortOrder') },
   { key: 'actions', label: t('common.actions') },
 ])
 
@@ -253,44 +154,9 @@ async function loadPlans() {
 
 function openPlanEdit(plan: SubscriptionPlan | null) {
   editingPlan.value = plan
-  if (plan) {
-    Object.assign(planForm, { name: plan.name, group_id: plan.group_id, description: plan.description, price: plan.price, original_price: plan.original_price || 0, validity_days: plan.validity_days, validity_unit: plan.validity_unit || 'days', for_sale: plan.for_sale, sort_order: plan.sort_order })
-    planFeaturesText.value = (plan.features || []).join('\n')
-  } else {
-    Object.assign(planForm, { name: '', group_id: 0, description: '', price: 0, original_price: 0, validity_days: 30, validity_unit: 'days', for_sale: true, sort_order: 0 })
-    planFeaturesText.value = ''
-  }
   showPlanDialog.value = true
 }
 
-/** Build request payload with snake_case keys matching backend JSON tags */
-function buildPlanPayload() {
-  const features = planFeaturesText.value.split('\n').map(f => f.trim()).filter(Boolean).join('\n')
-  return {
-    name: planForm.name,
-    group_id: planForm.group_id,
-    description: planForm.description,
-    price: planForm.price,
-    original_price: planForm.original_price || 0,
-    validity_days: planForm.validity_days,
-    validity_unit: planForm.validity_unit,
-    for_sale: planForm.for_sale,
-    sort_order: planForm.sort_order,
-    features,
-  }
-}
-
-async function handleSavePlan() {
-  planSaving.value = true
-  try {
-    const data = buildPlanPayload()
-    if (editingPlan.value) { await adminPaymentAPI.updatePlan(editingPlan.value.id, data) }
-    else { await adminPaymentAPI.createPlan(data) }
-    appStore.showSuccess(t('common.saved')); showPlanDialog.value = false; loadPlans()
-  } catch (err: unknown) { appStore.showError(extractApiErrorMessage(err, t('common.error'))) }
-  finally { planSaving.value = false }
-}
-
 /** Quick toggle for_sale from the list */
 async function toggleForSale(plan: SubscriptionPlan) {
   try {
diff --git a/frontend/src/views/admin/orders/PlanEditDialog.vue b/frontend/src/views/admin/orders/PlanEditDialog.vue
new file mode 100644
index 00000000..17c8084f
--- /dev/null
+++ b/frontend/src/views/admin/orders/PlanEditDialog.vue
@@ -0,0 +1,181 @@
+<template>
+  <BaseDialog :show="show" :title="plan ? t('payment.admin.editPlan') : t('payment.admin.createPlan')" width="wide" @close="emit('close')">
+    <form id="plan-form" @submit.prevent="handleSavePlan" class="space-y-4">
+      <div class="grid grid-cols-2 gap-4">
+        <div>
+          <label class="input-label">{{ t('payment.admin.planName') }} <span class="text-red-500">*</span></label>
+          <input v-model="planForm.name" type="text" class="input" required />
+        </div>
+        <div>
+          <label class="input-label">{{ t('payment.admin.group') }} <span class="text-red-500">*</span></label>
+          <Select v-model="planForm.group_id" :options="groupOptions" :placeholder="t('payment.admin.selectGroup')" class="w-full">
+            <template #selected="{ option }">
+              <span v-if="option?.platform" :class="platformTextClass(String(option.platform))">{{ option.label }}</span>
+              <span v-else>{{ option?.label || t('payment.admin.selectGroup') }}</span>
+            </template>
+            <template #option="{ option, selected }">
+              <span class="flex-1 truncate text-left" :class="option.platform ? platformTextClass(String(option.platform)) : ''">{{ option.label }}</span>
+              <Icon v-if="selected" name="check" size="sm" class="text-primary-500" :stroke-width="2" />
+            </template>
+          </Select>
+        </div>
+      </div>
+
+      <!-- Group Info Preview -->
+      <div v-if="selectedGroupInfo" class="rounded-lg border border-gray-200 bg-gray-50 p-3 dark:border-dark-600 dark:bg-dark-800">
+        <div class="mb-2 flex items-center gap-2">
+          <GroupBadge :name="selectedGroupInfo.name" :platform="selectedGroupInfo.platform" :rate-multiplier="selectedGroupInfo.rate_multiplier" />
+        </div>
+        <div class="grid grid-cols-2 gap-2 text-xs">
+          <div><span class="text-gray-500">{{ t('payment.admin.dailyLimit') }}:</span> <span class="ml-1 font-medium text-gray-700 dark:text-gray-300">{{ selectedGroupInfo.daily_limit_usd != null ? '$' + selectedGroupInfo.daily_limit_usd : t('payment.admin.unlimited') }}</span></div>
+          <div><span class="text-gray-500">{{ t('payment.admin.weeklyLimit') }}:</span> <span class="ml-1 font-medium text-gray-700 dark:text-gray-300">{{ selectedGroupInfo.weekly_limit_usd != null ? '$' + selectedGroupInfo.weekly_limit_usd : t('payment.admin.unlimited') }}</span></div>
+          <div><span class="text-gray-500">{{ t('payment.admin.monthlyLimit') }}:</span> <span class="ml-1 font-medium text-gray-700 dark:text-gray-300">{{ selectedGroupInfo.monthly_limit_usd != null ? '$' + selectedGroupInfo.monthly_limit_usd : t('payment.admin.unlimited') }}</span></div>
+        </div>
+      </div>
+
+      <div><label class="input-label">{{ t('payment.admin.planDescription') }} <span class="text-red-500">*</span></label><textarea v-model="planForm.description" rows="2" class="input" required></textarea></div>
+      <div class="grid grid-cols-2 gap-4">
+        <div><label class="input-label">{{ t('payment.admin.price') }} <span class="text-red-500">*</span></label><input v-model.number="planForm.price" type="number" step="0.01" min="0.01" class="input" required /></div>
+        <div><label class="input-label">{{ t('payment.admin.originalPrice') }}</label><input v-model.number="planForm.original_price" type="number" step="0.01" min="0" class="input" /></div>
+      </div>
+      <div class="grid grid-cols-2 gap-4">
+        <div><label class="input-label">{{ t('payment.admin.validityDays') }} <span class="text-red-500">*</span></label><input v-model.number="planForm.validity_days" type="number" min="1" class="input" required /></div>
+        <div><label class="input-label">{{ t('payment.admin.validityUnit') }} <span class="text-red-500">*</span></label><Select v-model="planForm.validity_unit" :options="validityUnitOptions" /></div>
+      </div>
+      <div>
+        <label class="input-label">{{ t('payment.admin.features') }}</label>
+        <textarea v-model="planFeaturesText" rows="3" class="input" :placeholder="t('payment.admin.featuresPlaceholder')"></textarea>
+        <p class="mt-1 text-xs text-gray-500 dark:text-gray-400">{{ t('payment.admin.featuresHint') }}</p>
+      </div>
+      <div class="flex items-center gap-3">
+        <label class="text-sm text-gray-700 dark:text-gray-300">{{ t('payment.admin.forSale') }}</label>
+        <button
+          type="button"
+          :class="[
+            'relative inline-flex h-6 w-11 flex-shrink-0 cursor-pointer rounded-full border-2 border-transparent transition-colors duration-200 ease-in-out focus:outline-none focus:ring-2 focus:ring-primary-500 focus:ring-offset-2',
+            planForm.for_sale ? 'bg-primary-500' : 'bg-gray-300 dark:bg-dark-600'
+          ]"
+          @click="planForm.for_sale = !planForm.for_sale"
+        >
+          <span :class="[
+            'pointer-events-none inline-block h-5 w-5 transform rounded-full bg-white shadow ring-0 transition duration-200 ease-in-out',
+            planForm.for_sale ? 'translate-x-5' : 'translate-x-0'
+          ]" />
+        </button>
+      </div>
+    </form>
+    <template #footer>
+      <div class="flex justify-end gap-3">
+        <button type="button" @click="emit('close')" class="btn btn-secondary">{{ t('common.cancel') }}</button>
+        <button type="submit" form="plan-form" :disabled="saving" class="btn btn-primary">{{ saving ? t('common.saving') : t('common.save') }}</button>
+      </div>
+    </template>
+  </BaseDialog>
+</template>
+
+<script setup lang="ts">
+import { ref, reactive, computed, watch } from 'vue'
+import { useI18n } from 'vue-i18n'
+import { useAppStore } from '@/stores/app'
+import { adminPaymentAPI } from '@/api/admin/payment'
+import { extractApiErrorMessage } from '@/utils/apiError'
+import type { SubscriptionPlan } from '@/types/payment'
+import type { AdminGroup } from '@/types'
+import BaseDialog from '@/components/common/BaseDialog.vue'
+import Select from '@/components/common/Select.vue'
+import Icon from '@/components/icons/Icon.vue'
+import GroupBadge from '@/components/common/GroupBadge.vue'
+import { platformTextClass } from '@/utils/platformColors'
+
+const props = defineProps<{
+  show: boolean
+  plan: SubscriptionPlan | null
+  groups: AdminGroup[]
+}>()
+
+const emit = defineEmits<{
+  close: []
+  saved: []
+}>()
+
+const { t } = useI18n()
+const appStore = useAppStore()
+
+const saving = ref(false)
+const planForm = reactive({ name: '', group_id: null as number | null, description: '', price: 0, original_price: 0, validity_days: 30, validity_unit: 'days', for_sale: true })
+const planFeaturesText = ref('')
+
+const validityUnitOptions = computed(() => [
+  { value: 'days', label: t('payment.admin.days') },
+  { value: 'weeks', label: t('payment.admin.weeks') },
+  { value: 'months', label: t('payment.admin.months') },
+])
+
+const groupOptions = computed(() =>
+  props.groups
+    .filter(g => g.subscription_type === 'subscription')
+    .map(g => ({
+      value: g.id,
+      label: `${g.name} — ${g.platform} (${g.rate_multiplier}x)`,
+      platform: g.platform,
+    })),
+)
+
+const selectedGroupInfo = computed(() => {
+  if (!planForm.group_id) return null
+  return props.groups.find(g => g.id === planForm.group_id) || null
+})
+
+// Reset form when dialog opens
+watch(() => props.show, (visible) => {
+  if (!visible) return
+  if (props.plan) {
+    Object.assign(planForm, { name: props.plan.name, group_id: props.plan.group_id, description: props.plan.description, price: props.plan.price, original_price: props.plan.original_price || 0, validity_days: props.plan.validity_days, validity_unit: props.plan.validity_unit || 'days', for_sale: props.plan.for_sale })
+    planFeaturesText.value = (props.plan.features || []).join('\n')
+  } else {
+    Object.assign(planForm, { name: '', group_id: null, description: '', price: 0, original_price: 0, validity_days: 30, validity_unit: 'days', for_sale: true })
+    planFeaturesText.value = ''
+  }
+})
+
+/** Build request payload with snake_case keys matching backend JSON tags */
+function buildPlanPayload() {
+  const features = planFeaturesText.value.split('\n').map(f => f.trim()).filter(Boolean).join('\n')
+  return {
+    name: planForm.name,
+    group_id: planForm.group_id,
+    description: planForm.description,
+    price: planForm.price,
+    original_price: planForm.original_price || 0,
+    validity_days: planForm.validity_days,
+    validity_unit: planForm.validity_unit,
+    for_sale: planForm.for_sale,
+    features,
+  }
+}
+
+async function handleSavePlan() {
+  if (!planForm.group_id) {
+    appStore.showError(t('payment.admin.groupRequired'))
+    return
+  }
+  if (!planForm.price || planForm.price <= 0) {
+    appStore.showError(t('payment.admin.priceRequired'))
+    return
+  }
+  if (!planForm.validity_days || planForm.validity_days < 1) {
+    appStore.showError(t('payment.admin.validityDaysRequired'))
+    return
+  }
+  saving.value = true
+  try {
+    const data = buildPlanPayload()
+    if (props.plan) { await adminPaymentAPI.updatePlan(props.plan.id, data) }
+    else { await adminPaymentAPI.createPlan(data) }
+    appStore.showSuccess(t('common.saved'))
+    emit('close')
+    emit('saved')
+  } catch (err: unknown) { appStore.showError(extractApiErrorMessage(err, t('common.error'))) }
+  finally { saving.value = false }
+}
+</script>

From 74f8a30f861f2b5072f5916265abbf61d3448b12 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Mon, 13 Apr 2026 23:35:59 +0800
Subject: [PATCH 076/122] fix: address audit findings for websearch, email
 verification, and pricing

- Fix websearch provider failover: proxy error from provider-specific proxy
  now continues to next provider instead of aborting the entire loop
- Fix SMTP failure locking users out: send email first, then write cache
  and increment rate counter
- Fix notify email cache key case sensitivity: normalize to lowercase
- Add OriginalPrice validation to validatePlanPatch and validatePlanRequired
- Add empty scope validation for channel pricing rules (group_ids/account_ids)
- Add platform color to account search dropdown in channel pricing rules
---
 .../internal/handler/admin/channel_handler.go | 11 +++
 backend/internal/pkg/websearch/manager.go     | 13 +++-
 backend/internal/repository/email_cache.go    |  5 +-
 .../internal/service/payment_config_plans.go  | 10 ++-
 .../payment_config_plans_validation_test.go   | 75 ++++++++++++++-----
 backend/internal/service/user_service.go      |  8 +-
 frontend/src/views/admin/ChannelsView.vue     |  7 +-
 7 files changed, 103 insertions(+), 26 deletions(-)

diff --git a/backend/internal/handler/admin/channel_handler.go b/backend/internal/handler/admin/channel_handler.go
index 2d4cd56a..ee76a750 100644
--- a/backend/internal/handler/admin/channel_handler.go
+++ b/backend/internal/handler/admin/channel_handler.go
@@ -1,6 +1,7 @@
 package admin
 
 import (
+	"fmt"
 	"strconv"
 	"strings"
 
@@ -351,6 +352,11 @@ func (h *ChannelHandler) Create(c *gin.Context) {
 
 	var statsRules []service.AccountStatsPricingRule
 	for i, r := range req.AccountStatsPricingRules {
+		if len(r.GroupIDs) == 0 && len(r.AccountIDs) == 0 {
+			response.ErrorFrom(c, infraerrors.BadRequest("PRICING_RULE_EMPTY_SCOPE",
+				fmt.Sprintf("pricing rule #%d must have at least one group or account", i+1)))
+			return
+		}
 		rule := accountStatsPricingRuleRequestToService(r)
 		rule.SortOrder = i
 		statsRules = append(statsRules, rule)
@@ -409,6 +415,11 @@ func (h *ChannelHandler) Update(c *gin.Context) {
 	if req.AccountStatsPricingRules != nil {
 		statsRules := make([]service.AccountStatsPricingRule, 0, len(*req.AccountStatsPricingRules))
 		for i, r := range *req.AccountStatsPricingRules {
+			if len(r.GroupIDs) == 0 && len(r.AccountIDs) == 0 {
+				response.ErrorFrom(c, infraerrors.BadRequest("PRICING_RULE_EMPTY_SCOPE",
+					fmt.Sprintf("pricing rule #%d must have at least one group or account", i+1)))
+				return
+			}
 			rule := accountStatsPricingRuleRequestToService(r)
 			rule.SortOrder = i
 			statsRules = append(statsRules, rule)
diff --git a/backend/internal/pkg/websearch/manager.go b/backend/internal/pkg/websearch/manager.go
index ae0683ad..27592459 100644
--- a/backend/internal/pkg/websearch/manager.go
+++ b/backend/internal/pkg/websearch/manager.go
@@ -111,9 +111,18 @@ func (m *Manager) SearchWithBestProvider(ctx context.Context, req SearchRequest)
 			}
 			if isProxyError(err) {
 				m.markProxyUnavailable(ctx, cfg, req.ProxyURL)
-				slog.Warn("websearch: proxy error, marking unavailable",
+				if req.ProxyURL != "" {
+					// Account-level proxy is shared by all providers — no point
+					// trying others with the same broken proxy; signal account switch.
+					slog.Warn("websearch: account proxy error, aborting failover",
+						"provider", cfg.Type, "error", err)
+					return nil, "", fmt.Errorf("%w: %s", ErrProxyUnavailable, err.Error())
+				}
+				// Provider-specific proxy failed — try the next provider which
+				// may use a different (or no) proxy.
+				slog.Warn("websearch: provider proxy error, trying next provider",
 					"provider", cfg.Type, "error", err)
-				return nil, "", fmt.Errorf("%w: %s", ErrProxyUnavailable, err.Error())
+				continue
 			}
 			slog.Warn("websearch: provider search failed",
 				"provider", cfg.Type, "error", err)
diff --git a/backend/internal/repository/email_cache.go b/backend/internal/repository/email_cache.go
index ed903e0d..1356163d 100644
--- a/backend/internal/repository/email_cache.go
+++ b/backend/internal/repository/email_cache.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"strings"
 	"time"
 
 	"github.com/Wei-Shaw/sub2api/internal/service"
@@ -24,8 +25,10 @@ func verifyCodeKey(email string) string {
 }
 
 // notifyVerifyKey generates the Redis key for notify email verification code.
+// Email is lowercased to prevent case-sensitive key mismatch (the business layer
+// uses strings.EqualFold for comparison).
 func notifyVerifyKey(email string) string {
-	return notifyVerifyKeyPrefix + email
+	return notifyVerifyKeyPrefix + strings.ToLower(email)
 }
 
 // passwordResetKey generates the Redis key for password reset token.
diff --git a/backend/internal/service/payment_config_plans.go b/backend/internal/service/payment_config_plans.go
index 8a5e1924..6753071d 100644
--- a/backend/internal/service/payment_config_plans.go
+++ b/backend/internal/service/payment_config_plans.go
@@ -12,7 +12,7 @@ import (
 )
 
 // validatePlanRequired checks that all required fields for a plan are provided.
-func validatePlanRequired(name string, groupID int64, price float64, validityDays int, validityUnit string) error {
+func validatePlanRequired(name string, groupID int64, price float64, validityDays int, validityUnit string, originalPrice *float64) error {
 	if strings.TrimSpace(name) == "" {
 		return infraerrors.BadRequest("PLAN_NAME_REQUIRED", "plan name is required")
 	}
@@ -28,6 +28,9 @@ func validatePlanRequired(name string, groupID int64, price float64, validityDay
 	if strings.TrimSpace(validityUnit) == "" {
 		return infraerrors.BadRequest("PLAN_VALIDITY_UNIT_REQUIRED", "validity unit is required")
 	}
+	if originalPrice != nil && *originalPrice < 0 {
+		return infraerrors.BadRequest("PLAN_ORIGINAL_PRICE_INVALID", "original price must be >= 0")
+	}
 	return nil
 }
 
@@ -48,6 +51,9 @@ func validatePlanPatch(req UpdatePlanRequest) error {
 	if req.ValidityUnit != nil && strings.TrimSpace(*req.ValidityUnit) == "" {
 		return infraerrors.BadRequest("PLAN_VALIDITY_UNIT_REQUIRED", "validity unit is required")
 	}
+	if req.OriginalPrice != nil && *req.OriginalPrice < 0 {
+		return infraerrors.BadRequest("PLAN_ORIGINAL_PRICE_INVALID", "original price must be >= 0")
+	}
 	return nil
 }
 
@@ -115,7 +121,7 @@ func (s *PaymentConfigService) ListPlansForSale(ctx context.Context) ([]*dbent.S
 }
 
 func (s *PaymentConfigService) CreatePlan(ctx context.Context, req CreatePlanRequest) (*dbent.SubscriptionPlan, error) {
-	if err := validatePlanRequired(req.Name, req.GroupID, req.Price, req.ValidityDays, req.ValidityUnit); err != nil {
+	if err := validatePlanRequired(req.Name, req.GroupID, req.Price, req.ValidityDays, req.ValidityUnit, req.OriginalPrice); err != nil {
 		return nil, err
 	}
 	b := s.entClient.SubscriptionPlan.Create().
diff --git a/backend/internal/service/payment_config_plans_validation_test.go b/backend/internal/service/payment_config_plans_validation_test.go
index bc9c0048..9a2d8716 100644
--- a/backend/internal/service/payment_config_plans_validation_test.go
+++ b/backend/internal/service/payment_config_plans_validation_test.go
@@ -9,81 +9,122 @@ import (
 )
 
 func TestValidatePlanRequired_AllValid(t *testing.T) {
-	err := validatePlanRequired("Pro", 1, 9.99, 30, "days")
+	err := validatePlanRequired("Pro", 1, 9.99, 30, "days", nil)
 	require.NoError(t, err)
 }
 
 func TestValidatePlanRequired_EmptyName(t *testing.T) {
-	err := validatePlanRequired("", 1, 9.99, 30, "days")
+	err := validatePlanRequired("", 1, 9.99, 30, "days", nil)
 	require.Error(t, err)
 	require.Contains(t, err.Error(), "plan name")
 }
 
 func TestValidatePlanRequired_WhitespaceName(t *testing.T) {
-	err := validatePlanRequired("   ", 1, 9.99, 30, "days")
+	err := validatePlanRequired("   ", 1, 9.99, 30, "days", nil)
 	require.Error(t, err)
 	require.Contains(t, err.Error(), "plan name")
 }
 
 func TestValidatePlanRequired_ZeroGroupID(t *testing.T) {
-	err := validatePlanRequired("Pro", 0, 9.99, 30, "days")
+	err := validatePlanRequired("Pro", 0, 9.99, 30, "days", nil)
 	require.Error(t, err)
 	require.Contains(t, err.Error(), "group")
 }
 
 func TestValidatePlanRequired_NegativeGroupID(t *testing.T) {
-	err := validatePlanRequired("Pro", -1, 9.99, 30, "days")
+	err := validatePlanRequired("Pro", -1, 9.99, 30, "days", nil)
 	require.Error(t, err)
 	require.Contains(t, err.Error(), "group")
 }
 
 func TestValidatePlanRequired_ZeroPrice(t *testing.T) {
-	err := validatePlanRequired("Pro", 1, 0, 30, "days")
+	err := validatePlanRequired("Pro", 1, 0, 30, "days", nil)
 	require.Error(t, err)
 	require.Contains(t, err.Error(), "price")
 }
 
 func TestValidatePlanRequired_NegativePrice(t *testing.T) {
-	err := validatePlanRequired("Pro", 1, -5, 30, "days")
+	err := validatePlanRequired("Pro", 1, -5, 30, "days", nil)
 	require.Error(t, err)
 	require.Contains(t, err.Error(), "price")
 }
 
 func TestValidatePlanRequired_ZeroValidityDays(t *testing.T) {
-	err := validatePlanRequired("Pro", 1, 9.99, 0, "days")
+	err := validatePlanRequired("Pro", 1, 9.99, 0, "days", nil)
 	require.Error(t, err)
 	require.Contains(t, err.Error(), "validity days")
 }
 
 func TestValidatePlanRequired_NegativeValidityDays(t *testing.T) {
-	err := validatePlanRequired("Pro", 1, 9.99, -7, "days")
+	err := validatePlanRequired("Pro", 1, 9.99, -7, "days", nil)
 	require.Error(t, err)
 	require.Contains(t, err.Error(), "validity days")
 }
 
 func TestValidatePlanRequired_EmptyValidityUnit(t *testing.T) {
-	err := validatePlanRequired("Pro", 1, 9.99, 30, "")
+	err := validatePlanRequired("Pro", 1, 9.99, 30, "", nil)
 	require.Error(t, err)
 	require.Contains(t, err.Error(), "validity unit")
 }
 
 func TestValidatePlanRequired_WhitespaceValidityUnit(t *testing.T) {
-	err := validatePlanRequired("Pro", 1, 9.99, 30, "   ")
+	err := validatePlanRequired("Pro", 1, 9.99, 30, "   ", nil)
 	require.Error(t, err)
 	require.Contains(t, err.Error(), "validity unit")
 }
 
 func TestValidatePlanRequired_NameValidatedFirst(t *testing.T) {
-	// When multiple fields are invalid, name should be reported first
-	// (follows the order of checks in the function).
-	err := validatePlanRequired("", 0, 0, 0, "")
+	err := validatePlanRequired("", 0, 0, 0, "", nil)
 	require.Error(t, err)
 	require.Contains(t, err.Error(), "plan name")
 }
 
 func TestValidatePlanRequired_TrimmedValidName(t *testing.T) {
-	// Whitespace-surrounded but non-empty name is accepted (trimmed check only
-	// rejects pure whitespace).
-	err := validatePlanRequired("  Pro  ", 1, 9.99, 30, "days")
+	err := validatePlanRequired("  Pro  ", 1, 9.99, 30, "days", nil)
+	require.NoError(t, err)
+}
+
+func TestValidatePlanRequired_NegativeOriginalPrice(t *testing.T) {
+	neg := -10.0
+	err := validatePlanRequired("Pro", 1, 9.99, 30, "days", &neg)
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "original price")
+}
+
+func TestValidatePlanRequired_ZeroOriginalPrice(t *testing.T) {
+	zero := 0.0
+	err := validatePlanRequired("Pro", 1, 9.99, 30, "days", &zero)
+	require.NoError(t, err)
+}
+
+func TestValidatePlanRequired_ValidOriginalPrice(t *testing.T) {
+	op := 19.99
+	err := validatePlanRequired("Pro", 1, 9.99, 30, "days", &op)
+	require.NoError(t, err)
+}
+
+// --- validatePlanPatch tests ---
+
+func TestValidatePlanPatch_NegativeOriginalPrice(t *testing.T) {
+	neg := -5.0
+	err := validatePlanPatch(UpdatePlanRequest{OriginalPrice: &neg})
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "original price")
+}
+
+func TestValidatePlanPatch_ZeroOriginalPrice(t *testing.T) {
+	zero := 0.0
+	err := validatePlanPatch(UpdatePlanRequest{OriginalPrice: &zero})
+	require.NoError(t, err)
+}
+
+func TestValidatePlanPatch_ValidOriginalPrice(t *testing.T) {
+	op := 29.99
+	err := validatePlanPatch(UpdatePlanRequest{OriginalPrice: &op})
+	require.NoError(t, err)
+}
+
+func TestValidatePlanPatch_NilOriginalPrice(t *testing.T) {
+	err := validatePlanPatch(UpdatePlanRequest{OriginalPrice: nil})
 	require.NoError(t, err)
 }
diff --git a/backend/internal/service/user_service.go b/backend/internal/service/user_service.go
index 0da73762..7602d162 100644
--- a/backend/internal/service/user_service.go
+++ b/backend/internal/service/user_service.go
@@ -291,6 +291,12 @@ func (s *UserService) SendNotifyEmailCode(ctx context.Context, userID int64, ema
 		return fmt.Errorf("generate code: %w", err)
 	}
 
+	// Send email first — if SMTP fails, don't write cache or increment counters,
+	// so the user is not locked out by cooldown/rate-limit for a code they never received.
+	if err := s.sendNotifyVerifyEmail(ctx, emailService, email, code); err != nil {
+		return err
+	}
+
 	if err := saveNotifyVerifyCode(ctx, cache, email, code); err != nil {
 		return err
 	}
@@ -300,7 +306,7 @@ func (s *UserService) SendNotifyEmailCode(ctx context.Context, userID int64, ema
 		slog.Error("failed to increment notify code user rate", "user_id", userID, "error", err)
 	}
 
-	return s.sendNotifyVerifyEmail(ctx, emailService, email, code)
+	return nil
 }
 
 // checkNotifyCodeRateLimit checks both email cooldown and user-level rate limit.
diff --git a/frontend/src/views/admin/ChannelsView.vue b/frontend/src/views/admin/ChannelsView.vue
index 2ca1141d..60704b65 100644
--- a/frontend/src/views/admin/ChannelsView.vue
+++ b/frontend/src/views/admin/ChannelsView.vue
@@ -511,7 +511,7 @@
                         :class="{ 'opacity-50': rule.account_ids.includes(account.id) }"
                         :disabled="rule.account_ids.includes(account.id)"
                       >
-                        <span>{{ account.name }}</span>
+                        <span :class="platformTextClass(account.platform)">{{ account.name }}</span>
                         <span class="ml-2 text-xs text-gray-400">#{{ account.id }}</span>
                       </button>
                     </div>
@@ -595,6 +595,7 @@ import type { PricingFormEntry } from '@/components/admin/channel/types'
 import { mTokToPerToken, perTokenToMTok, apiIntervalsToForm, formIntervalsToAPI, findModelConflict, validateIntervals } from '@/components/admin/channel/types'
 import type { AdminGroup, GroupPlatform } from '@/types'
 import type { Column } from '@/components/common/types'
+import { platformTextClass } from '@/utils/platformColors'
 import AppLayout from '@/components/layout/AppLayout.vue'
 import TablePageLayout from '@/components/layout/TablePageLayout.vue'
 import DataTable from '@/components/common/DataTable.vue'
@@ -911,7 +912,7 @@ function getGroupNameById(groupId: number): string {
 }
 
 // ── Account search for pricing rules ──
-interface SimpleAccount { id: number; name: string }
+interface SimpleAccount { id: number; name: string; platform: string }
 
 const ruleAccountSearchKeyword = ref<Record<string, string>>({})
 const ruleAccountSearchResults = ref<Record<string, SimpleAccount[]>>({})
@@ -924,7 +925,7 @@ const ruleAccountSearchRunner = useKeyedDebouncedSearch<SimpleAccount[]>({
   search: async (keyword, { key, signal }) => {
     const platform = key.split('-')[0]
     const res = await adminAPI.accounts.list(1, 20, { platform, search: keyword }, { signal })
-    return res.items.map(a => ({ id: a.id, name: a.name }))
+    return res.items.map(a => ({ id: a.id, name: a.name, platform: a.platform }))
   },
   onSuccess: (key, result) => { ruleAccountSearchResults.value[key] = result },
   onError: (key) => { ruleAccountSearchResults.value[key] = [] },

From a9880ee7b92365482154f986ea4b4d5256ffd7ec Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Tue, 14 Apr 2026 00:26:20 +0800
Subject: [PATCH 077/122] =?UTF-8?q?fix:=20round-2=20audit=20fixes=20?=
 =?UTF-8?q?=E2=80=94=20security,=20code=20quality,=20and=20UI=20improvemen?=
 =?UTF-8?q?ts?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Security (HIGH):
- Normalize all Redis cache keys to lowercase (verifyCode, passwordReset)
- Fix verify code TTL renewal on failed attempts: use remaining TTL via
  ExpiresAt field instead of resetting to full 15-minute window
- Add 3 missing fields to diffSettings audit log (promo_code, invitation_code,
  custom_endpoints)

Code quality (MEDIUM):
- Extract filterVerifiedEmails shared helper (balance_notify_service.go)
- Add Pricing array non-empty validation for channel pricing rules
- Add platform token semantics comment in gateway_service.go
- Complete validatePlanPatch test coverage (+10 test cases)
- Replace string types with QuotaThresholdType/QuotaResetMode across frontend
- Remove duplicate getPlatformTextColor/getRateBadgeClass in ChannelsView
- Return EMAIL_NOT_FOUND error on RemoveNotifyEmail miss

UI improvements:
- Reorder cost tooltip: user billing above separator, account billing below
- Add NaN guard to accountBilled function
- Move timezone selector inline into reset-mode row (no longer standalone)
---
 .../internal/handler/admin/channel_handler.go |  10 +
 .../internal/handler/admin/setting_handler.go |   9 +
 backend/internal/repository/email_cache.go    |   7 +-
 .../service/balance_notify_service.go         |  44 +-
 backend/internal/service/email_service.go     |   8 +-
 backend/internal/service/gateway_service.go   | 591 +++++++++++++-----
 .../payment_config_plans_validation_test.go   |  63 ++
 backend/internal/service/user_service.go      |  15 +-
 .../components/account/QuotaDimensionRow.vue  |  28 +-
 .../src/components/account/QuotaLimitCard.vue |  48 +-
 .../components/account/QuotaNotifyToggle.vue  |   8 +-
 .../src/components/admin/usage/UsageTable.vue |  12 +-
 .../src/composables/useQuotaNotifyState.ts    |   6 +-
 frontend/src/constants/account.ts             |   5 +
 frontend/src/views/admin/ChannelsView.vue     |  42 +-
 15 files changed, 605 insertions(+), 291 deletions(-)

diff --git a/backend/internal/handler/admin/channel_handler.go b/backend/internal/handler/admin/channel_handler.go
index ee76a750..1a328551 100644
--- a/backend/internal/handler/admin/channel_handler.go
+++ b/backend/internal/handler/admin/channel_handler.go
@@ -357,6 +357,11 @@ func (h *ChannelHandler) Create(c *gin.Context) {
 				fmt.Sprintf("pricing rule #%d must have at least one group or account", i+1)))
 			return
 		}
+		if len(r.Pricing) == 0 {
+			response.ErrorFrom(c, infraerrors.BadRequest("PRICING_RULE_EMPTY_PRICING",
+				fmt.Sprintf("pricing rule #%d must have at least one pricing entry", i+1)))
+			return
+		}
 		rule := accountStatsPricingRuleRequestToService(r)
 		rule.SortOrder = i
 		statsRules = append(statsRules, rule)
@@ -420,6 +425,11 @@ func (h *ChannelHandler) Update(c *gin.Context) {
 					fmt.Sprintf("pricing rule #%d must have at least one group or account", i+1)))
 				return
 			}
+			if len(r.Pricing) == 0 {
+				response.ErrorFrom(c, infraerrors.BadRequest("PRICING_RULE_EMPTY_PRICING",
+					fmt.Sprintf("pricing rule #%d must have at least one pricing entry", i+1)))
+				return
+			}
 			rule := accountStatsPricingRuleRequestToService(r)
 			rule.SortOrder = i
 			statsRules = append(statsRules, rule)
diff --git a/backend/internal/handler/admin/setting_handler.go b/backend/internal/handler/admin/setting_handler.go
index 0c1606ea..2324cc70 100644
--- a/backend/internal/handler/admin/setting_handler.go
+++ b/backend/internal/handler/admin/setting_handler.go
@@ -1138,6 +1138,12 @@ func diffSettings(before *service.SystemSettings, after *service.SystemSettings,
 	if !equalStringSlice(before.RegistrationEmailSuffixWhitelist, after.RegistrationEmailSuffixWhitelist) {
 		changed = append(changed, "registration_email_suffix_whitelist")
 	}
+	if before.PromoCodeEnabled != after.PromoCodeEnabled {
+		changed = append(changed, "promo_code_enabled")
+	}
+	if before.InvitationCodeEnabled != after.InvitationCodeEnabled {
+		changed = append(changed, "invitation_code_enabled")
+	}
 	if before.PasswordResetEnabled != after.PasswordResetEnabled {
 		changed = append(changed, "password_reset_enabled")
 	}
@@ -1348,6 +1354,9 @@ func diffSettings(before *service.SystemSettings, after *service.SystemSettings,
 	if before.CustomMenuItems != after.CustomMenuItems {
 		changed = append(changed, "custom_menu_items")
 	}
+	if before.CustomEndpoints != after.CustomEndpoints {
+		changed = append(changed, "custom_endpoints")
+	}
 	if before.EnableFingerprintUnification != after.EnableFingerprintUnification {
 		changed = append(changed, "enable_fingerprint_unification")
 	}
diff --git a/backend/internal/repository/email_cache.go b/backend/internal/repository/email_cache.go
index 1356163d..0eb6bef1 100644
--- a/backend/internal/repository/email_cache.go
+++ b/backend/internal/repository/email_cache.go
@@ -20,8 +20,9 @@ const (
 )
 
 // verifyCodeKey generates the Redis key for email verification code.
+// Email is lowercased for case-insensitive consistency.
 func verifyCodeKey(email string) string {
-	return verifyCodeKeyPrefix + email
+	return verifyCodeKeyPrefix + strings.ToLower(email)
 }
 
 // notifyVerifyKey generates the Redis key for notify email verification code.
@@ -33,12 +34,12 @@ func notifyVerifyKey(email string) string {
 
 // passwordResetKey generates the Redis key for password reset token.
 func passwordResetKey(email string) string {
-	return passwordResetKeyPrefix + email
+	return passwordResetKeyPrefix + strings.ToLower(email)
 }
 
 // passwordResetSentAtKey generates the Redis key for password reset email sent timestamp.
 func passwordResetSentAtKey(email string) string {
-	return passwordResetSentAtKeyPrefix + email
+	return passwordResetSentAtKeyPrefix + strings.ToLower(email)
 }
 
 type emailCache struct {
diff --git a/backend/internal/service/balance_notify_service.go b/backend/internal/service/balance_notify_service.go
index 9a75d6be..5e9afcc8 100644
--- a/backend/internal/service/balance_notify_service.go
+++ b/backend/internal/service/balance_notify_service.go
@@ -283,6 +283,20 @@ func (s *BalanceNotifyService) getAccountQuotaNotifyEmails(ctx context.Context)
 		return nil
 	}
 
+	return filterVerifiedEmails(entries)
+}
+
+// getSiteName reads site name from settings with fallback.
+func (s *BalanceNotifyService) getSiteName(ctx context.Context) string {
+	name, err := s.settingRepo.GetValue(ctx, SettingKeySiteName)
+	if err != nil || name == "" {
+		return defaultSiteName
+	}
+	return name
+}
+
+// filterVerifiedEmails returns deduplicated, non-disabled, verified emails.
+func filterVerifiedEmails(entries []NotifyEmailEntry) []string {
 	var recipients []string
 	seen := make(map[string]bool)
 	for _, entry := range entries {
@@ -303,38 +317,10 @@ func (s *BalanceNotifyService) getAccountQuotaNotifyEmails(ctx context.Context)
 	return recipients
 }
 
-// getSiteName reads site name from settings with fallback.
-func (s *BalanceNotifyService) getSiteName(ctx context.Context) string {
-	name, err := s.settingRepo.GetValue(ctx, SettingKeySiteName)
-	if err != nil || name == "" {
-		return defaultSiteName
-	}
-	return name
-}
-
 // collectBalanceNotifyRecipients returns verified, non-disabled email recipients.
 // Only emails with verified=true and disabled=false are included.
 func (s *BalanceNotifyService) collectBalanceNotifyRecipients(user *User) []string {
-	var recipients []string
-	seen := make(map[string]bool)
-
-	for _, entry := range user.BalanceNotifyExtraEmails {
-		if entry.Disabled || !entry.Verified {
-			continue
-		}
-		email := strings.TrimSpace(entry.Email)
-		if email == "" {
-			continue
-		}
-		lower := strings.ToLower(email)
-		if seen[lower] {
-			continue
-		}
-		seen[lower] = true
-		recipients = append(recipients, email)
-	}
-
-	return recipients
+	return filterVerifiedEmails(user.BalanceNotifyExtraEmails)
 }
 
 // sendEmails sends an email to all recipients with shared timeout and error logging.
diff --git a/backend/internal/service/email_service.go b/backend/internal/service/email_service.go
index 50d324f2..a94e0dde 100644
--- a/backend/internal/service/email_service.go
+++ b/backend/internal/service/email_service.go
@@ -55,6 +55,7 @@ type VerificationCodeData struct {
 	Code      string
 	Attempts  int
 	CreatedAt time.Time
+	ExpiresAt time.Time // absolute expiry; used to preserve remaining TTL when updating attempts
 }
 
 // PasswordResetTokenData represents password reset token data
@@ -263,6 +264,7 @@ func (s *EmailService) SendVerifyCode(ctx context.Context, email, siteName strin
 		Code:      code,
 		Attempts:  0,
 		CreatedAt: time.Now(),
+		ExpiresAt: time.Now().Add(verifyCodeTTL),
 	}
 	if err := s.cache.SetVerificationCode(ctx, email, data, verifyCodeTTL); err != nil {
 		return fmt.Errorf("save verify code: %w", err)
@@ -295,7 +297,11 @@ func (s *EmailService) VerifyCode(ctx context.Context, email, code string) error
 	// 验证码不匹配 (constant-time comparison to prevent timing attacks)
 	if subtle.ConstantTimeCompare([]byte(data.Code), []byte(code)) != 1 {
 		data.Attempts++
-		if err := s.cache.SetVerificationCode(ctx, email, data, verifyCodeTTL); err != nil {
+		remaining := time.Until(data.ExpiresAt)
+		if remaining <= 0 {
+			return ErrInvalidVerifyCode
+		}
+		if err := s.cache.SetVerificationCode(ctx, email, data, remaining); err != nil {
 			slog.Error("failed to update verification attempt count", "email", email, "error", err)
 		}
 		if data.Attempts >= maxVerifyCodeAttempts {
diff --git a/backend/internal/service/gateway_service.go b/backend/internal/service/gateway_service.go
index b67a06a7..c65e828a 100644
--- a/backend/internal/service/gateway_service.go
+++ b/backend/internal/service/gateway_service.go
@@ -1194,12 +1194,20 @@ func (s *GatewayService) SelectAccountForModelWithExclusions(ctx context.Context
 	// anthropic/gemini 分组支持混合调度（包含启用了 mixed_scheduling 的 antigravity 账户）
 	// 注意：强制平台模式不走混合调度
 	if (platform == PlatformAnthropic || platform == PlatformGemini) && !hasForcePlatform {
-		return s.selectAccountWithMixedScheduling(ctx, groupID, sessionHash, requestedModel, excludedIDs, platform)
+		account, err := s.selectAccountWithMixedScheduling(ctx, groupID, sessionHash, requestedModel, excludedIDs, platform)
+		if err != nil {
+			return nil, err
+		}
+		return s.hydrateSelectedAccount(ctx, account)
 	}
 
 	// antigravity 分组、强制平台模式或无分组使用单平台选择
 	// 注意：强制平台模式也必须遵守分组限制，不再回退到全平台查询
-	return s.selectAccountForModelWithPlatform(ctx, groupID, sessionHash, requestedModel, excludedIDs, platform)
+	account, err := s.selectAccountForModelWithPlatform(ctx, groupID, sessionHash, requestedModel, excludedIDs, platform)
+	if err != nil {
+		return nil, err
+	}
+	return s.hydrateSelectedAccount(ctx, account)
 }
 
 // SelectAccountWithLoadAwareness selects account with load-awareness and wait plan.
@@ -1275,11 +1283,7 @@ func (s *GatewayService) SelectAccountWithLoadAwareness(ctx context.Context, gro
 					localExcluded[account.ID] = struct{}{} // 排除此账号
 					continue                               // 重新选择
 				}
-				return &AccountSelectionResult{
-					Account:     account,
-					Acquired:    true,
-					ReleaseFunc: result.ReleaseFunc,
-				}, nil
+				return s.newSelectionResult(ctx, account, true, result.ReleaseFunc, nil)
 			}
 
 			// 对于等待计划的情况，也需要先检查会话限制
@@ -1291,26 +1295,20 @@ func (s *GatewayService) SelectAccountWithLoadAwareness(ctx context.Context, gro
 			if stickyAccountID > 0 && stickyAccountID == account.ID && s.concurrencyService != nil {
 				waitingCount, _ := s.concurrencyService.GetAccountWaitingCount(ctx, account.ID)
 				if waitingCount < cfg.StickySessionMaxWaiting {
-					return &AccountSelectionResult{
-						Account: account,
-						WaitPlan: &AccountWaitPlan{
-							AccountID:      account.ID,
-							MaxConcurrency: account.Concurrency,
-							Timeout:        cfg.StickySessionWaitTimeout,
-							MaxWaiting:     cfg.StickySessionMaxWaiting,
-						},
-					}, nil
+					return s.newSelectionResult(ctx, account, false, nil, &AccountWaitPlan{
+						AccountID:      account.ID,
+						MaxConcurrency: account.Concurrency,
+						Timeout:        cfg.StickySessionWaitTimeout,
+						MaxWaiting:     cfg.StickySessionMaxWaiting,
+					})
 				}
 			}
-			return &AccountSelectionResult{
-				Account: account,
-				WaitPlan: &AccountWaitPlan{
-					AccountID:      account.ID,
-					MaxConcurrency: account.Concurrency,
-					Timeout:        cfg.FallbackWaitTimeout,
-					MaxWaiting:     cfg.FallbackMaxWaiting,
-				},
-			}, nil
+			return s.newSelectionResult(ctx, account, false, nil, &AccountWaitPlan{
+				AccountID:      account.ID,
+				MaxConcurrency: account.Concurrency,
+				Timeout:        cfg.FallbackWaitTimeout,
+				MaxWaiting:     cfg.FallbackMaxWaiting,
+			})
 		}
 	}
 
@@ -1433,53 +1431,76 @@ func (s *GatewayService) SelectAccountWithLoadAwareness(ctx context.Context, gro
 				if containsInt64(routingAccountIDs, stickyAccountID) && !isExcluded(stickyAccountID) {
 					// 粘性账号在路由列表中，优先使用
 					if stickyAccount, ok := accountByID[stickyAccountID]; ok {
-						if s.isAccountSchedulableForSelection(stickyAccount) &&
+						var stickyCacheMissReason string
+
+						gatePass := s.isAccountSchedulableForSelection(stickyAccount) &&
 							s.isAccountAllowedForPlatform(stickyAccount, platform, useMixed) &&
 							(requestedModel == "" || s.isModelSupportedByAccountWithContext(ctx, stickyAccount, requestedModel)) &&
 							s.isAccountSchedulableForModelSelection(ctx, stickyAccount, requestedModel) &&
 							s.isAccountSchedulableForQuota(stickyAccount) &&
-							s.isAccountSchedulableForWindowCost(ctx, stickyAccount, true) &&
+							s.isAccountSchedulableForWindowCost(ctx, stickyAccount, true)
 
-							s.isAccountSchedulableForRPM(ctx, stickyAccount, true) { // 粘性会话窗口费用+RPM 检查
+						rpmPass := gatePass && s.isAccountSchedulableForRPM(ctx, stickyAccount, true)
+
+						if rpmPass { // 粘性会话窗口费用+RPM 检查
 							result, err := s.tryAcquireAccountSlot(ctx, stickyAccountID, stickyAccount.Concurrency)
 							if err == nil && result.Acquired {
 								// 会话数量限制检查
 								if !s.checkAndRegisterSession(ctx, stickyAccount, sessionHash) {
 									result.ReleaseFunc() // 释放槽位
+									stickyCacheMissReason = "session_limit"
 									// 继续到负载感知选择
 								} else {
 									if s.debugModelRoutingEnabled() {
 										logger.LegacyPrintf("service.gateway", "[ModelRoutingDebug] routed sticky hit: group_id=%v model=%s session=%s account=%d", derefGroupID(groupID), requestedModel, shortSessionHash(sessionHash), stickyAccountID)
 									}
-									return &AccountSelectionResult{
-										Account:     stickyAccount,
-										Acquired:    true,
-										ReleaseFunc: result.ReleaseFunc,
-									}, nil
+									return s.newSelectionResult(ctx, stickyAccount, true, result.ReleaseFunc, nil)
 								}
 							}
 
-							waitingCount, _ := s.concurrencyService.GetAccountWaitingCount(ctx, stickyAccountID)
-							if waitingCount < cfg.StickySessionMaxWaiting {
-								// 会话数量限制检查（等待计划也需要占用会话配额）
-								if !s.checkAndRegisterSession(ctx, stickyAccount, sessionHash) {
-									// 会话限制已满，继续到负载感知选择
+							if stickyCacheMissReason == "" {
+								waitingCount, _ := s.concurrencyService.GetAccountWaitingCount(ctx, stickyAccountID)
+								if waitingCount < cfg.StickySessionMaxWaiting {
+									// 会话数量限制检查（等待计划也需要占用会话配额）
+									if !s.checkAndRegisterSession(ctx, stickyAccount, sessionHash) {
+										stickyCacheMissReason = "session_limit"
+										// 会话限制已满，继续到负载感知选择
+									} else {
+										return &AccountSelectionResult{
+											Account: stickyAccount,
+											WaitPlan: &AccountWaitPlan{
+												AccountID:      stickyAccountID,
+												MaxConcurrency: stickyAccount.Concurrency,
+												Timeout:        cfg.StickySessionWaitTimeout,
+												MaxWaiting:     cfg.StickySessionMaxWaiting,
+											},
+										}, nil
+									}
 								} else {
-									return &AccountSelectionResult{
-										Account: stickyAccount,
-										WaitPlan: &AccountWaitPlan{
-											AccountID:      stickyAccountID,
-											MaxConcurrency: stickyAccount.Concurrency,
-											Timeout:        cfg.StickySessionWaitTimeout,
-											MaxWaiting:     cfg.StickySessionMaxWaiting,
-										},
-									}, nil
+									stickyCacheMissReason = "wait_queue_full"
 								}
 							}
 							// 粘性账号槽位满且等待队列已满，继续使用负载感知选择
+						} else if !gatePass {
+							stickyCacheMissReason = "gate_check"
+						} else {
+							stickyCacheMissReason = "rpm_red"
+						}
+
+						// 记录粘性缓存未命中的结构化日志
+						if stickyCacheMissReason != "" {
+							baseRPM := stickyAccount.GetBaseRPM()
+							var currentRPM int
+							if count, ok := rpmFromPrefetchContext(ctx, stickyAccount.ID); ok {
+								currentRPM = count
+							}
+							logger.LegacyPrintf("service.gateway", "[StickyCacheMiss] reason=%s account_id=%d session=%s current_rpm=%d base_rpm=%d",
+								stickyCacheMissReason, stickyAccountID, shortSessionHash(sessionHash), currentRPM, baseRPM)
 						}
 					} else {
 						_ = s.cache.DeleteSessionAccountID(ctx, derefGroupID(groupID), sessionHash)
+						logger.LegacyPrintf("service.gateway", "[StickyCacheMiss] reason=account_cleared account_id=%d session=%s current_rpm=0 base_rpm=0",
+							stickyAccountID, shortSessionHash(sessionHash))
 					}
 				}
 			}
@@ -1544,11 +1565,7 @@ func (s *GatewayService) SelectAccountWithLoadAwareness(ctx context.Context, gro
 						if s.debugModelRoutingEnabled() {
 							logger.LegacyPrintf("service.gateway", "[ModelRoutingDebug] routed select: group_id=%v model=%s session=%s account=%d", derefGroupID(groupID), requestedModel, shortSessionHash(sessionHash), item.account.ID)
 						}
-						return &AccountSelectionResult{
-							Account:     item.account,
-							Acquired:    true,
-							ReleaseFunc: result.ReleaseFunc,
-						}, nil
+						return s.newSelectionResult(ctx, item.account, true, result.ReleaseFunc, nil)
 					}
 				}
 
@@ -1561,15 +1578,12 @@ func (s *GatewayService) SelectAccountWithLoadAwareness(ctx context.Context, gro
 					if s.debugModelRoutingEnabled() {
 						logger.LegacyPrintf("service.gateway", "[ModelRoutingDebug] routed wait: group_id=%v model=%s session=%s account=%d", derefGroupID(groupID), requestedModel, shortSessionHash(sessionHash), item.account.ID)
 					}
-					return &AccountSelectionResult{
-						Account: item.account,
-						WaitPlan: &AccountWaitPlan{
-							AccountID:      item.account.ID,
-							MaxConcurrency: item.account.Concurrency,
-							Timeout:        cfg.StickySessionWaitTimeout,
-							MaxWaiting:     cfg.StickySessionMaxWaiting,
-						},
-					}, nil
+					return s.newSelectionResult(ctx, item.account, false, nil, &AccountWaitPlan{
+						AccountID:      item.account.ID,
+						MaxConcurrency: item.account.Concurrency,
+						Timeout:        cfg.StickySessionWaitTimeout,
+						MaxWaiting:     cfg.StickySessionMaxWaiting,
+					})
 				}
 				// 所有路由账号会话限制都已满，继续到 Layer 2 回退
 			}
@@ -1603,11 +1617,10 @@ func (s *GatewayService) SelectAccountWithLoadAwareness(ctx context.Context, gro
 						if !s.checkAndRegisterSession(ctx, account, sessionHash) {
 							result.ReleaseFunc() // 释放槽位，继续到 Layer 2
 						} else {
-							return &AccountSelectionResult{
-								Account:     account,
-								Acquired:    true,
-								ReleaseFunc: result.ReleaseFunc,
-							}, nil
+							if s.cache != nil {
+								_ = s.cache.RefreshSessionTTL(ctx, derefGroupID(groupID), sessionHash, stickySessionTTL)
+							}
+							return s.newSelectionResult(ctx, account, true, result.ReleaseFunc, nil)
 						}
 					}
 
@@ -1617,15 +1630,12 @@ func (s *GatewayService) SelectAccountWithLoadAwareness(ctx context.Context, gro
 						if !s.checkAndRegisterSession(ctx, account, sessionHash) {
 							// 会话限制已满，继续到 Layer 2
 						} else {
-							return &AccountSelectionResult{
-								Account: account,
-								WaitPlan: &AccountWaitPlan{
-									AccountID:      accountID,
-									MaxConcurrency: account.Concurrency,
-									Timeout:        cfg.StickySessionWaitTimeout,
-									MaxWaiting:     cfg.StickySessionMaxWaiting,
-								},
-							}, nil
+							return s.newSelectionResult(ctx, account, false, nil, &AccountWaitPlan{
+								AccountID:      accountID,
+								MaxConcurrency: account.Concurrency,
+								Timeout:        cfg.StickySessionWaitTimeout,
+								MaxWaiting:     cfg.StickySessionMaxWaiting,
+							})
 						}
 					}
 				}
@@ -1684,7 +1694,9 @@ func (s *GatewayService) SelectAccountWithLoadAwareness(ctx context.Context, gro
 
 	loadMap, err := s.concurrencyService.GetAccountsLoadBatch(ctx, accountLoads)
 	if err != nil {
-		if result, ok := s.tryAcquireByLegacyOrder(ctx, candidates, groupID, sessionHash, preferOAuth); ok {
+		if result, ok, legacyErr := s.tryAcquireByLegacyOrder(ctx, candidates, groupID, sessionHash, preferOAuth); legacyErr != nil {
+			return nil, legacyErr
+		} else if ok {
 			return result, nil
 		}
 	} else {
@@ -1723,11 +1735,7 @@ func (s *GatewayService) SelectAccountWithLoadAwareness(ctx context.Context, gro
 					if sessionHash != "" && s.cache != nil {
 						_ = s.cache.SetSessionAccountID(ctx, derefGroupID(groupID), sessionHash, selected.account.ID, stickySessionTTL)
 					}
-					return &AccountSelectionResult{
-						Account:     selected.account,
-						Acquired:    true,
-						ReleaseFunc: result.ReleaseFunc,
-					}, nil
+					return s.newSelectionResult(ctx, selected.account, true, result.ReleaseFunc, nil)
 				}
 			}
 
@@ -1750,20 +1758,17 @@ func (s *GatewayService) SelectAccountWithLoadAwareness(ctx context.Context, gro
 		if !s.checkAndRegisterSession(ctx, acc, sessionHash) {
 			continue // 会话限制已满，尝试下一个账号
 		}
-		return &AccountSelectionResult{
-			Account: acc,
-			WaitPlan: &AccountWaitPlan{
-				AccountID:      acc.ID,
-				MaxConcurrency: acc.Concurrency,
-				Timeout:        cfg.FallbackWaitTimeout,
-				MaxWaiting:     cfg.FallbackMaxWaiting,
-			},
-		}, nil
+		return s.newSelectionResult(ctx, acc, false, nil, &AccountWaitPlan{
+			AccountID:      acc.ID,
+			MaxConcurrency: acc.Concurrency,
+			Timeout:        cfg.FallbackWaitTimeout,
+			MaxWaiting:     cfg.FallbackMaxWaiting,
+		})
 	}
 	return nil, ErrNoAvailableAccounts
 }
 
-func (s *GatewayService) tryAcquireByLegacyOrder(ctx context.Context, candidates []*Account, groupID *int64, sessionHash string, preferOAuth bool) (*AccountSelectionResult, bool) {
+func (s *GatewayService) tryAcquireByLegacyOrder(ctx context.Context, candidates []*Account, groupID *int64, sessionHash string, preferOAuth bool) (*AccountSelectionResult, bool, error) {
 	ordered := append([]*Account(nil), candidates...)
 	sortAccountsByPriorityAndLastUsed(ordered, preferOAuth)
 
@@ -1778,15 +1783,15 @@ func (s *GatewayService) tryAcquireByLegacyOrder(ctx context.Context, candidates
 			if sessionHash != "" && s.cache != nil {
 				_ = s.cache.SetSessionAccountID(ctx, derefGroupID(groupID), sessionHash, acc.ID, stickySessionTTL)
 			}
-			return &AccountSelectionResult{
-				Account:     acc,
-				Acquired:    true,
-				ReleaseFunc: result.ReleaseFunc,
-			}, true
+			selection, err := s.newSelectionResult(ctx, acc, true, result.ReleaseFunc, nil)
+			if err != nil {
+				return nil, false, err
+			}
+			return selection, true, nil
 		}
 	}
 
-	return nil, false
+	return nil, false, nil
 }
 
 func (s *GatewayService) schedulingConfig() config.GatewaySchedulingConfig {
@@ -2401,6 +2406,33 @@ func (s *GatewayService) getSchedulableAccount(ctx context.Context, accountID in
 	return s.accountRepo.GetByID(ctx, accountID)
 }
 
+func (s *GatewayService) hydrateSelectedAccount(ctx context.Context, account *Account) (*Account, error) {
+	if account == nil || s.schedulerSnapshot == nil {
+		return account, nil
+	}
+	hydrated, err := s.schedulerSnapshot.GetAccount(ctx, account.ID)
+	if err != nil {
+		return nil, err
+	}
+	if hydrated == nil {
+		return nil, fmt.Errorf("selected gateway account %d not found during hydration", account.ID)
+	}
+	return hydrated, nil
+}
+
+func (s *GatewayService) newSelectionResult(ctx context.Context, account *Account, acquired bool, release func(), waitPlan *AccountWaitPlan) (*AccountSelectionResult, error) {
+	hydrated, err := s.hydrateSelectedAccount(ctx, account)
+	if err != nil {
+		return nil, err
+	}
+	return &AccountSelectionResult{
+		Account:     hydrated,
+		Acquired:    acquired,
+		ReleaseFunc: release,
+		WaitPlan:    waitPlan,
+	}, nil
+}
+
 // filterByMinPriority 过滤出优先级最小的账号集合
 func filterByMinPriority(accounts []accountWithLoad) []accountWithLoad {
 	if len(accounts) == 0 {
@@ -2676,6 +2708,12 @@ func (s *GatewayService) selectAccountForModelWithPlatform(ctx context.Context,
 	preferOAuth := platform == PlatformGemini
 	routingAccountIDs := s.routingAccountIDsForRequest(ctx, groupID, requestedModel, platform)
 
+	// require_privacy_set: 获取分组信息
+	var schedGroup *Group
+	if groupID != nil && s.groupRepo != nil {
+		schedGroup, _ = s.groupRepo.GetByID(ctx, *groupID)
+	}
+
 	var accounts []Account
 	accountsLoaded := false
 
@@ -2747,6 +2785,12 @@ func (s *GatewayService) selectAccountForModelWithPlatform(ctx context.Context,
 			if !s.isAccountSchedulableForSelection(acc) {
 				continue
 			}
+			// require_privacy_set: 跳过 privacy 未设置的账号并标记异常
+			if schedGroup != nil && schedGroup.RequirePrivacySet && !acc.IsPrivacySet() {
+				_ = s.accountRepo.SetError(ctx, acc.ID,
+					fmt.Sprintf("Privacy not set, required by group [%s]", schedGroup.Name))
+				continue
+			}
 			if requestedModel != "" && !s.isModelSupportedByAccountWithContext(ctx, acc, requestedModel) {
 				continue
 			}
@@ -2852,6 +2896,12 @@ func (s *GatewayService) selectAccountForModelWithPlatform(ctx context.Context,
 		if !s.isAccountSchedulableForSelection(acc) {
 			continue
 		}
+		// require_privacy_set: 跳过 privacy 未设置的账号并标记异常
+		if schedGroup != nil && schedGroup.RequirePrivacySet && !acc.IsPrivacySet() {
+			_ = s.accountRepo.SetError(ctx, acc.ID,
+				fmt.Sprintf("Privacy not set, required by group [%s]", schedGroup.Name))
+			continue
+		}
 		if requestedModel != "" && !s.isModelSupportedByAccountWithContext(ctx, acc, requestedModel) {
 			continue
 		}
@@ -2918,6 +2968,12 @@ func (s *GatewayService) selectAccountWithMixedScheduling(ctx context.Context, g
 	preferOAuth := nativePlatform == PlatformGemini
 	routingAccountIDs := s.routingAccountIDsForRequest(ctx, groupID, requestedModel, nativePlatform)
 
+	// require_privacy_set: 获取分组信息
+	var schedGroup *Group
+	if groupID != nil && s.groupRepo != nil {
+		schedGroup, _ = s.groupRepo.GetByID(ctx, *groupID)
+	}
+
 	var accounts []Account
 	accountsLoaded := false
 
@@ -2985,6 +3041,12 @@ func (s *GatewayService) selectAccountWithMixedScheduling(ctx context.Context, g
 			if !s.isAccountSchedulableForSelection(acc) {
 				continue
 			}
+			// require_privacy_set: 跳过 privacy 未设置的账号并标记异常
+			if schedGroup != nil && schedGroup.RequirePrivacySet && !acc.IsPrivacySet() {
+				_ = s.accountRepo.SetError(ctx, acc.ID,
+					fmt.Sprintf("Privacy not set, required by group [%s]", schedGroup.Name))
+				continue
+			}
 			// 过滤：原生平台直接通过，antigravity 需要启用混合调度
 			if acc.Platform == PlatformAntigravity && !acc.IsMixedSchedulingEnabled() {
 				continue
@@ -3078,6 +3140,7 @@ func (s *GatewayService) selectAccountWithMixedScheduling(ctx context.Context, g
 	ctx = s.withRPMPrefetch(ctx, accounts)
 
 	// 3. 按优先级+最久未用选择（考虑模型支持和混合调度）
+	// needsUpstreamCheck 仅在主选择循环中使用；粘性会话命中时跳过此检查。
 	needsUpstreamCheck := s.needsUpstreamChannelRestrictionCheck(ctx, groupID)
 	var selected *Account
 	for i := range accounts {
@@ -3090,6 +3153,12 @@ func (s *GatewayService) selectAccountWithMixedScheduling(ctx context.Context, g
 		if !s.isAccountSchedulableForSelection(acc) {
 			continue
 		}
+		// require_privacy_set: 跳过 privacy 未设置的账号并标记异常
+		if schedGroup != nil && schedGroup.RequirePrivacySet && !acc.IsPrivacySet() {
+			_ = s.accountRepo.SetError(ctx, acc.ID,
+				fmt.Sprintf("Privacy not set, required by group [%s]", schedGroup.Name))
+			continue
+		}
 		// 过滤：原生平台直接通过，antigravity 需要启用混合调度
 		if acc.Platform == PlatformAntigravity && !acc.IsMixedSchedulingEnabled() {
 			continue
@@ -3257,8 +3326,7 @@ func (s *GatewayService) diagnoseSelectionFailure(
 		return selectionFailureDiagnosis{Category: "excluded"}
 	}
 	if !s.isAccountSchedulableForSelection(acc) {
-		detail := "generic_unschedulable"
-		return selectionFailureDiagnosis{Category: "unschedulable", Detail: detail}
+		return selectionFailureDiagnosis{Category: "unschedulable", Detail: "generic_unschedulable"}
 	}
 	if isPlatformFilteredForSelection(acc, platform, allowMixedScheduling) {
 		return selectionFailureDiagnosis{
@@ -3282,7 +3350,6 @@ func (s *GatewayService) diagnoseSelectionFailure(
 	return selectionFailureDiagnosis{Category: "eligible"}
 }
 
-// GetAccessToken 获取账号凭证
 func isPlatformFilteredForSelection(acc *Account, platform string, allowMixedScheduling bool) bool {
 	if acc == nil {
 		return true
@@ -3653,6 +3720,86 @@ func injectClaudeCodePrompt(body []byte, system any) []byte {
 	return result
 }
 
+// rewriteSystemForNonClaudeCode 将非 Claude Code 客户端的 system prompt 迁移至 messages，
+// system 字段仅保留 Claude Code 标识提示词。
+// Anthropic 基于 system 参数内容检测第三方应用，仅前置追加 Claude Code 提示词
+// 无法通过检测，因为后续内容仍为非 Claude Code 格式。
+// 策略：将原始 system prompt 提取并注入为 user/assistant 消息对，system 仅保留 Claude Code 标识。
+func rewriteSystemForNonClaudeCode(body []byte, system any) []byte {
+	system = normalizeSystemParam(system)
+
+	// 1. 提取原始 system prompt 文本
+	var originalSystemText string
+	switch v := system.(type) {
+	case string:
+		originalSystemText = strings.TrimSpace(v)
+	case []any:
+		var parts []string
+		for _, item := range v {
+			if m, ok := item.(map[string]any); ok {
+				if text, ok := m["text"].(string); ok && strings.TrimSpace(text) != "" {
+					parts = append(parts, text)
+				}
+			}
+		}
+		originalSystemText = strings.Join(parts, "\n\n")
+	}
+
+	// 2. 将 system 替换为 Claude Code 标准提示词（array 格式，与真实 Claude Code 一致）
+	//    真实 Claude Code 始终以 [{type: "text", text: "...", cache_control: {type: "ephemeral"}}] 发送 system。
+	//    使用 string 格式会被 Anthropic 检测为第三方应用。
+	claudeCodeSystemBlock := []map[string]any{
+		{
+			"type":          "text",
+			"text":          claudeCodeSystemPrompt,
+			"cache_control": map[string]string{"type": "ephemeral"},
+		},
+	}
+	out, ok := setJSONValueBytes(body, "system", claudeCodeSystemBlock)
+	if !ok {
+		logger.LegacyPrintf("service.gateway", "Warning: failed to set Claude Code system prompt")
+		return body
+	}
+
+	// 3. 将原始 system prompt 作为 user/assistant 消息对注入到 messages 开头
+	//    模型仍通过 messages 接收完整指令，保留客户端功能
+	ccPromptTrimmed := strings.TrimSpace(claudeCodeSystemPrompt)
+	if originalSystemText != "" && originalSystemText != ccPromptTrimmed && !hasClaudeCodePrefix(originalSystemText) {
+		instrMsg, err1 := json.Marshal(map[string]any{
+			"role": "user",
+			"content": []map[string]any{
+				{"type": "text", "text": "[System Instructions]\n" + originalSystemText},
+			},
+		})
+		ackMsg, err2 := json.Marshal(map[string]any{
+			"role": "assistant",
+			"content": []map[string]any{
+				{"type": "text", "text": "Understood. I will follow these instructions."},
+			},
+		})
+		if err1 != nil || err2 != nil {
+			logger.LegacyPrintf("service.gateway", "Warning: failed to marshal system-to-messages injection")
+			return out
+		}
+
+		// 重建 messages 数组：[instruction, ack, ...originalMessages]
+		items := [][]byte{instrMsg, ackMsg}
+		messagesResult := gjson.GetBytes(out, "messages")
+		if messagesResult.IsArray() {
+			messagesResult.ForEach(func(_, msg gjson.Result) bool {
+				items = append(items, []byte(msg.Raw))
+				return true
+			})
+		}
+
+		if next, setOk := setJSONRawBytes(out, "messages", buildJSONArrayRaw(items)); setOk {
+			out = next
+		}
+	}
+
+	return out
+}
+
 type cacheControlPath struct {
 	path string
 	log  string
@@ -3819,7 +3966,7 @@ func (s *GatewayService) Forward(ctx context.Context, c *gin.Context, account *A
 	// Beta policy: evaluate once; block check + cache filter set for buildUpstreamRequest.
 	// Always overwrite the cache to prevent stale values from a previous retry with a different account.
 	if account.Platform == PlatformAnthropic && c != nil {
-		policy := s.evaluateBetaPolicy(ctx, c.GetHeader("anthropic-beta"), account)
+		policy := s.evaluateBetaPolicy(ctx, c.GetHeader("anthropic-beta"), account, parsed.Model)
 		if policy.blockErr != nil {
 			return nil, policy.blockErr
 		}
@@ -3849,19 +3996,24 @@ func (s *GatewayService) Forward(ctx context.Context, c *gin.Context, account *A
 	shouldMimicClaudeCode := account.IsOAuth() && !isClaudeCode
 
 	if shouldMimicClaudeCode {
-		// 智能注入 Claude Code 系统提示词（仅 OAuth/SetupToken 账号需要）
+		// 非 Claude Code 客户端：将 system 替换为 Claude Code 标识，原始 system 迁移至 messages
 		// 条件：1) OAuth/SetupToken 账号  2) 不是 Claude Code 客户端  3) 不是 Haiku 模型  4) system 中还没有 Claude Code 提示词
+		systemRewritten := false
 		if !strings.Contains(strings.ToLower(reqModel), "haiku") &&
 			!systemIncludesClaudeCodePrompt(parsed.System) {
-			body = injectClaudeCodePrompt(body, parsed.System)
+			body = rewriteSystemForNonClaudeCode(body, parsed.System)
+			systemRewritten = true
 		}
 
-		normalizeOpts := claudeOAuthNormalizeOptions{stripSystemCacheControl: true}
+		// system 被重写时保留 CC prompt 的 cache_control: ephemeral（匹配真实 Claude Code 行为）；
+		// 未重写时（haiku / 已含 CC 前缀）剥离客户端 cache_control，与原有行为一致。
+		// 两种情况下 enforceCacheControlLimit 都会兜底处理上限。
+		normalizeOpts := claudeOAuthNormalizeOptions{stripSystemCacheControl: !systemRewritten}
 		if s.identityService != nil {
 			fp, err := s.identityService.GetOrCreateFingerprint(ctx, account.ID, c.Request.Header)
 			if err == nil && fp != nil {
 				// metadata 透传开启时跳过 metadata 注入
-				_, mimicMPT := s.settingService.GetGatewayForwardingSettings(ctx)
+				_, mimicMPT, _ := s.settingService.GetGatewayForwardingSettings(ctx)
 				if !mimicMPT {
 					if metadataUserID := s.buildOAuthMetadataUserID(parsed, account, fp); metadataUserID != "" {
 						normalizeOpts.injectMetadata = true
@@ -5407,9 +5559,9 @@ func (s *GatewayService) buildUpstreamRequest(ctx context.Context, c *gin.Contex
 
 	// OAuth账号：应用统一指纹和metadata重写（受设置开关控制）
 	var fingerprint *Fingerprint
-	enableFP, enableMPT := true, false
+	enableFP, enableMPT, enableCCH := true, false, false
 	if s.settingService != nil {
-		enableFP, enableMPT = s.settingService.GetGatewayForwardingSettings(ctx)
+		enableFP, enableMPT, enableCCH = s.settingService.GetGatewayForwardingSettings(ctx)
 	}
 	if account.IsOAuth() && s.identityService != nil {
 		// 1. 获取或创建指纹（包含随机生成的ClientID）
@@ -5436,6 +5588,15 @@ func (s *GatewayService) buildUpstreamRequest(ctx context.Context, c *gin.Contex
 		}
 	}
 
+	// 同步 billing header cc_version 与实际发送的 User-Agent 版本
+	if fingerprint != nil {
+		body = syncBillingHeaderVersion(body, fingerprint.UserAgent)
+	}
+	// CCH 签名：将 cch=00000 占位符替换为 xxHash64 签名（需在所有 body 修改之后）
+	if enableCCH {
+		body = signBillingHeaderCCH(body)
+	}
+
 	req, err := http.NewRequestWithContext(ctx, "POST", targetURL, bytes.NewReader(body))
 	if err != nil {
 		return nil, err
@@ -5476,9 +5637,8 @@ func (s *GatewayService) buildUpstreamRequest(ctx context.Context, c *gin.Contex
 	}
 
 	// Build effective drop set: merge static defaults with dynamic beta policy filter rules
-	policyFilterSet := s.getBetaPolicyFilterSet(ctx, c, account)
+	policyFilterSet := s.getBetaPolicyFilterSet(ctx, c, account, modelID)
 	effectiveDropSet := mergeDropSets(policyFilterSet)
-	effectiveDropWithClaudeCodeSet := mergeDropSets(policyFilterSet, claude.BetaClaudeCode)
 
 	// 处理 anthropic-beta header（OAuth 账号需要包含 oauth beta）
 	if tokenType == "oauth" {
@@ -5489,11 +5649,16 @@ func (s *GatewayService) buildUpstreamRequest(ctx context.Context, c *gin.Contex
 			applyClaudeCodeMimicHeaders(req, reqStream)
 
 			incomingBeta := getHeaderRaw(req.Header, "anthropic-beta")
-			// Match real Claude CLI traffic (per mitmproxy reports):
-			// messages requests typically use only oauth + interleaved-thinking.
-			// Also drop claude-code beta if a downstream client added it.
+			// Claude Code OAuth credentials are scoped to Claude Code.
+			// Non-haiku models MUST include claude-code beta for Anthropic to recognize
+			// this as a legitimate Claude Code request; without it, the request is
+			// rejected as third-party ("out of extra usage").
+			// Haiku models are exempt from third-party detection and don't need it.
 			requiredBetas := []string{claude.BetaOAuth, claude.BetaInterleavedThinking}
-			setHeaderRaw(req.Header, "anthropic-beta", mergeAnthropicBetaDropping(requiredBetas, incomingBeta, effectiveDropWithClaudeCodeSet))
+			if !strings.Contains(strings.ToLower(modelID), "haiku") {
+				requiredBetas = []string{claude.BetaClaudeCode, claude.BetaOAuth, claude.BetaInterleavedThinking}
+			}
+			setHeaderRaw(req.Header, "anthropic-beta", mergeAnthropicBetaDropping(requiredBetas, incomingBeta, effectiveDropSet))
 		} else {
 			// Claude Code 客户端：尽量透传原始 header，仅补齐 oauth beta
 			clientBetaHeader := getHeaderRaw(req.Header, "anthropic-beta")
@@ -5716,7 +5881,7 @@ type betaPolicyResult struct {
 }
 
 // evaluateBetaPolicy loads settings once and evaluates all rules against the given request.
-func (s *GatewayService) evaluateBetaPolicy(ctx context.Context, betaHeader string, account *Account) betaPolicyResult {
+func (s *GatewayService) evaluateBetaPolicy(ctx context.Context, betaHeader string, account *Account, model string) betaPolicyResult {
 	if s.settingService == nil {
 		return betaPolicyResult{}
 	}
@@ -5731,10 +5896,11 @@ func (s *GatewayService) evaluateBetaPolicy(ctx context.Context, betaHeader stri
 		if !betaPolicyScopeMatches(rule.Scope, isOAuth, isBedrock) {
 			continue
 		}
-		switch rule.Action {
+		effectiveAction, effectiveErrMsg := resolveRuleAction(rule, model)
+		switch effectiveAction {
 		case BetaPolicyActionBlock:
 			if result.blockErr == nil && betaHeader != "" && containsBetaToken(betaHeader, rule.BetaToken) {
-				msg := rule.ErrorMessage
+				msg := effectiveErrMsg
 				if msg == "" {
 					msg = "beta feature " + rule.BetaToken + " is not allowed"
 				}
@@ -5776,7 +5942,7 @@ const betaPolicyFilterSetKey = "betaPolicyFilterSet"
 // In the /v1/messages path, Forward() evaluates the policy first and caches the result;
 // buildUpstreamRequest reuses it (zero extra DB calls). In the count_tokens path, this
 // evaluates on demand (one DB call).
-func (s *GatewayService) getBetaPolicyFilterSet(ctx context.Context, c *gin.Context, account *Account) map[string]struct{} {
+func (s *GatewayService) getBetaPolicyFilterSet(ctx context.Context, c *gin.Context, account *Account, model string) map[string]struct{} {
 	if c != nil {
 		if v, ok := c.Get(betaPolicyFilterSetKey); ok {
 			if fs, ok := v.(map[string]struct{}); ok {
@@ -5784,7 +5950,7 @@ func (s *GatewayService) getBetaPolicyFilterSet(ctx context.Context, c *gin.Cont
 			}
 		}
 	}
-	return s.evaluateBetaPolicy(ctx, "", account).filterSet
+	return s.evaluateBetaPolicy(ctx, "", account, model).filterSet
 }
 
 // betaPolicyScopeMatches checks whether a rule's scope matches the current account type.
@@ -5803,6 +5969,33 @@ func betaPolicyScopeMatches(scope string, isOAuth bool, isBedrock bool) bool {
 	}
 }
 
+// matchModelWhitelist checks if a model matches any pattern in the whitelist.
+// Reuses matchModelPattern from group.go which supports exact and wildcard prefix matching.
+func matchModelWhitelist(model string, whitelist []string) bool {
+	for _, pattern := range whitelist {
+		if matchModelPattern(pattern, model) {
+			return true
+		}
+	}
+	return false
+}
+
+// resolveRuleAction determines the effective action and error message for a rule given the request model.
+// When ModelWhitelist is empty, the rule's primary Action/ErrorMessage applies unconditionally.
+// When non-empty, Action applies to matching models; FallbackAction/FallbackErrorMessage applies to others.
+func resolveRuleAction(rule BetaPolicyRule, model string) (action, errorMessage string) {
+	if len(rule.ModelWhitelist) == 0 {
+		return rule.Action, rule.ErrorMessage
+	}
+	if matchModelWhitelist(model, rule.ModelWhitelist) {
+		return rule.Action, rule.ErrorMessage
+	}
+	if rule.FallbackAction != "" {
+		return rule.FallbackAction, rule.FallbackErrorMessage
+	}
+	return BetaPolicyActionPass, "" // default fallback: pass (fail-open)
+}
+
 // droppedBetaSet returns claude.DroppedBetas as a set, with optional extra tokens.
 func droppedBetaSet(extra ...string) map[string]struct{} {
 	m := make(map[string]struct{}, len(defaultDroppedBetasSet)+len(extra))
@@ -5849,7 +6042,7 @@ func (s *GatewayService) resolveBedrockBetaTokensForRequest(
 	modelID string,
 ) ([]string, error) {
 	// 1. 对原始 header 中的 beta token 做 block 检查（快速失败）
-	policy := s.evaluateBetaPolicy(ctx, betaHeader, account)
+	policy := s.evaluateBetaPolicy(ctx, betaHeader, account, modelID)
 	if policy.blockErr != nil {
 		return nil, policy.blockErr
 	}
@@ -5861,7 +6054,7 @@ func (s *GatewayService) resolveBedrockBetaTokensForRequest(
 	//    例如：管理员 block 了 interleaved-thinking，客户端不在 header 中带该 token，
 	//    但请求体中包含 thinking 字段 → autoInjectBedrockBetaTokens 会自动补齐 →
 	//    如果不做此检查，block 规则会被绕过。
-	if blockErr := s.checkBetaPolicyBlockForTokens(ctx, betaTokens, account); blockErr != nil {
+	if blockErr := s.checkBetaPolicyBlockForTokens(ctx, betaTokens, account, modelID); blockErr != nil {
 		return nil, blockErr
 	}
 
@@ -5870,7 +6063,7 @@ func (s *GatewayService) resolveBedrockBetaTokensForRequest(
 
 // checkBetaPolicyBlockForTokens 检查 token 列表中是否有被管理员 block 规则命中的 token。
 // 用于补充 evaluateBetaPolicy 对 header 的检查，覆盖 body 自动注入的 token。
-func (s *GatewayService) checkBetaPolicyBlockForTokens(ctx context.Context, tokens []string, account *Account) *BetaBlockedError {
+func (s *GatewayService) checkBetaPolicyBlockForTokens(ctx context.Context, tokens []string, account *Account, model string) *BetaBlockedError {
 	if s.settingService == nil || len(tokens) == 0 {
 		return nil
 	}
@@ -5882,14 +6075,15 @@ func (s *GatewayService) checkBetaPolicyBlockForTokens(ctx context.Context, toke
 	isBedrock := account.IsBedrock()
 	tokenSet := buildBetaTokenSet(tokens)
 	for _, rule := range settings.Rules {
-		if rule.Action != BetaPolicyActionBlock {
+		effectiveAction, effectiveErrMsg := resolveRuleAction(rule, model)
+		if effectiveAction != BetaPolicyActionBlock {
 			continue
 		}
 		if !betaPolicyScopeMatches(rule.Scope, isOAuth, isBedrock) {
 			continue
 		}
 		if _, present := tokenSet[rule.BetaToken]; present {
-			msg := rule.ErrorMessage
+			msg := effectiveErrMsg
 			if msg == "" {
 				msg = "beta feature " + rule.BetaToken + " is not allowed"
 			}
@@ -7146,49 +7340,41 @@ func (p *postUsageBillingParams) shouldUpdateAccountQuota() bool {
 	return p.Cost.TotalCost > 0 && p.Account.IsAPIKeyOrBedrock() && p.Account.HasAnyQuotaLimit()
 }
 
-// postUsageBilling 统一处理使用量记录后的扣费逻辑：
-//   - 订阅/余额扣费
-//   - API Key 配额更新
-//   - API Key 限速用量更新
-//   - 账号配额用量更新（账号口径：TotalCost × 账号计费倍率）
+// postUsageBilling is the legacy fallback billing path used when the unified
+// billing repo is unavailable (nil). Production uses applyUsageBilling → repo.Apply
+// for atomic billing. This path only runs in tests or degraded mode.
 func postUsageBilling(ctx context.Context, p *postUsageBillingParams, deps *billingDeps) {
 	billingCtx, cancel := detachedBillingContext(ctx)
 	defer cancel()
 
 	cost := p.Cost
 
-	// 1. 订阅 / 余额扣费
 	if p.IsSubscriptionBill {
 		if cost.TotalCost > 0 {
 			if err := deps.userSubRepo.IncrementUsage(billingCtx, p.Subscription.ID, cost.TotalCost); err != nil {
 				slog.Error("increment subscription usage failed", "subscription_id", p.Subscription.ID, "error", err)
 			}
-			deps.billingCacheService.QueueUpdateSubscriptionUsage(p.User.ID, *p.APIKey.GroupID, cost.TotalCost)
 		}
 	} else {
 		if cost.ActualCost > 0 {
 			if err := deps.userRepo.DeductBalance(billingCtx, p.User.ID, cost.ActualCost); err != nil {
 				slog.Error("deduct balance failed", "user_id", p.User.ID, "error", err)
 			}
-			deps.billingCacheService.QueueDeductBalance(p.User.ID, cost.ActualCost)
 		}
 	}
 
-	// 2. API Key 配额
 	if p.shouldDeductAPIKeyQuota() {
 		if err := p.APIKeyService.UpdateQuotaUsed(billingCtx, p.APIKey.ID, cost.ActualCost); err != nil {
 			slog.Error("update api key quota failed", "api_key_id", p.APIKey.ID, "error", err)
 		}
 	}
 
-	// 3. API Key 限速用量
 	if p.shouldUpdateRateLimits() {
 		if err := p.APIKeyService.UpdateRateLimitUsage(billingCtx, p.APIKey.ID, cost.ActualCost); err != nil {
 			slog.Error("update api key rate limit usage failed", "api_key_id", p.APIKey.ID, "error", err)
 		}
 	}
 
-	// 4. 账号配额用量（账号口径：TotalCost × 账号计费倍率）
 	if p.shouldUpdateAccountQuota() {
 		accountCost := cost.TotalCost * p.AccountRateMultiplier
 		if err := deps.accountRepo.IncrementQuotaUsed(billingCtx, p.Account.ID, accountCost); err != nil {
@@ -7196,7 +7382,10 @@ func postUsageBilling(ctx context.Context, p *postUsageBillingParams, deps *bill
 		}
 	}
 
-	finalizePostUsageBilling(p, deps)
+	// NOTE: finalizePostUsageBilling is NOT called here to avoid double-queuing
+	// cache updates. The legacy path does DB writes directly; the finalize path
+	// does cache queue + notifications. Notifications are dispatched separately
+	// by the caller after recording the usage log.
 }
 
 func resolveUsageBillingRequestID(ctx context.Context, upstreamRequestID string) string {
@@ -7250,9 +7439,6 @@ func buildUsageBillingCommand(requestID string, usageLog *UsageLog, p *postUsage
 		cmd.CacheCreationTokens = usageLog.CacheCreationTokens
 		cmd.CacheReadTokens = usageLog.CacheReadTokens
 		cmd.ImageCount = usageLog.ImageCount
-		if usageLog.MediaType != nil {
-			cmd.MediaType = *usageLog.MediaType
-		}
 		if usageLog.ServiceTier != nil {
 			cmd.ServiceTier = *usageLog.ServiceTier
 		}
@@ -7315,11 +7501,11 @@ func applyUsageBilling(ctx context.Context, requestID string, usageLog *UsageLog
 		}
 	}
 
-	finalizePostUsageBilling(p, deps)
+	finalizePostUsageBilling(p, deps, result)
 	return true, nil
 }
 
-func finalizePostUsageBilling(p *postUsageBillingParams, deps *billingDeps) {
+func finalizePostUsageBilling(p *postUsageBillingParams, deps *billingDeps, result *UsageBillingApplyResult) {
 	if p == nil || p.Cost == nil || deps == nil {
 		return
 	}
@@ -7338,22 +7524,82 @@ func finalizePostUsageBilling(p *postUsageBillingParams, deps *billingDeps) {
 
 	deps.deferredService.ScheduleLastUsedUpdate(p.Account.ID)
 
-	// Balance low notification — use real-time balance from billing cache (not stale snapshot)
-	if !p.IsSubscriptionBill && p.Cost.ActualCost > 0 && p.User != nil && deps.balanceNotifyService != nil {
-		oldBalance := p.User.Balance // fallback to snapshot
-		if deps.billingCacheService != nil {
-			if realBalance, err := deps.billingCacheService.GetUserBalance(context.Background(), p.User.ID); err == nil {
-				oldBalance = realBalance + p.Cost.ActualCost // DB already deducted, reconstruct pre-deduction balance
-			}
+	// Notification checks run async — all parameters are already captured,
+	// no dependency on the request context or upstream connection.
+	go notifyBalanceLow(p, deps, result)
+	go notifyAccountQuota(p, deps, result)
+}
+
+// notifyBalanceLow sends balance low notification after deduction.
+// When result.NewBalance is available (from DB transaction RETURNING), it is used directly
+// to reconstruct oldBalance, avoiding stale Redis reads and concurrent-deduction races.
+func notifyBalanceLow(p *postUsageBillingParams, deps *billingDeps, result *UsageBillingApplyResult) {
+	defer func() {
+		if r := recover(); r != nil {
+			slog.Error("panic in notifyBalanceLow", "recover", r)
 		}
-		deps.balanceNotifyService.CheckBalanceAfterDeduction(context.Background(), p.User, oldBalance, p.Cost.ActualCost)
+	}()
+	if p.IsSubscriptionBill || p.Cost.ActualCost <= 0 || p.User == nil || deps.balanceNotifyService == nil {
+		slog.Debug("notifyBalanceLow: skipped",
+			"is_subscription", p.IsSubscriptionBill,
+			"actual_cost", p.Cost.ActualCost,
+			"user_nil", p.User == nil,
+			"service_nil", deps.balanceNotifyService == nil,
+		)
+		return
 	}
 
-	// Account quota notification (use same cost formula as postUsageBilling)
-	if p.Cost.TotalCost > 0 && p.Account != nil && p.Account.IsAPIKeyOrBedrock() && deps.balanceNotifyService != nil {
-		accountCost := p.Cost.TotalCost * p.AccountRateMultiplier
-		deps.balanceNotifyService.CheckAccountQuotaAfterIncrement(context.Background(), p.Account, accountCost)
+	oldBalance := resolveOldBalance(p, result)
+	slog.Debug("notifyBalanceLow: calling CheckBalanceAfterDeduction",
+		"user_id", p.User.ID,
+		"old_balance", oldBalance,
+		"cost", p.Cost.ActualCost,
+		"notify_enabled", p.User.BalanceNotifyEnabled,
+		"threshold", p.User.BalanceNotifyThreshold,
+		"result_has_new_balance", result != nil && result.NewBalance != nil,
+	)
+	deps.balanceNotifyService.CheckBalanceAfterDeduction(context.Background(), p.User, oldBalance, p.Cost.ActualCost)
+}
+
+// resolveOldBalance returns the pre-deduction balance.
+// Prefers the DB transaction result (newBalance + cost) over snapshot.
+func resolveOldBalance(p *postUsageBillingParams, result *UsageBillingApplyResult) float64 {
+	if result != nil && result.NewBalance != nil {
+		return *result.NewBalance + p.Cost.ActualCost
 	}
+	// Legacy fallback: snapshot balance from request context
+	return p.User.Balance
+}
+
+// notifyAccountQuota sends account quota threshold notification after increment.
+// When result.QuotaState is available (from DB transaction RETURNING), it is passed directly
+// to avoid a separate DB read that may see stale or concurrently-modified data.
+func notifyAccountQuota(p *postUsageBillingParams, deps *billingDeps, result *UsageBillingApplyResult) {
+	defer func() {
+		if r := recover(); r != nil {
+			slog.Error("panic in notifyAccountQuota", "recover", r)
+		}
+	}()
+	if p.Cost.TotalCost <= 0 || p.Account == nil || !p.Account.IsAPIKeyOrBedrock() || deps.balanceNotifyService == nil {
+		slog.Debug("notifyAccountQuota: skipped",
+			"total_cost", p.Cost.TotalCost,
+			"account_nil", p.Account == nil,
+			"is_apikey_or_bedrock", p.Account != nil && p.Account.IsAPIKeyOrBedrock(),
+			"service_nil", deps.balanceNotifyService == nil,
+		)
+		return
+	}
+	accountCost := p.Cost.TotalCost * p.AccountRateMultiplier
+	var quotaState *AccountQuotaState
+	if result != nil {
+		quotaState = result.QuotaState
+	}
+	slog.Debug("notifyAccountQuota: calling CheckAccountQuotaAfterIncrement",
+		"account_id", p.Account.ID,
+		"account_cost", accountCost,
+		"has_quota_state", quotaState != nil,
+	)
+	deps.balanceNotifyService.CheckAccountQuotaAfterIncrement(context.Background(), p.Account, accountCost, quotaState)
 }
 
 func detachedBillingContext(ctx context.Context) (context.Context, context.CancelFunc) {
@@ -7422,11 +7668,11 @@ func writeUsageLogBestEffort(ctx context.Context, repo UsageLogRepository, usage
 
 // recordUsageOpts 内部选项，参数化 RecordUsage 与 RecordUsageWithLongContext 的差异点。
 type recordUsageOpts struct {
-	// ParsedRequest（可选，仅 Claude 路径传入）
+	// Claude Max 策略所需的 ParsedRequest（可选，仅 Claude 路径传入）
 	ParsedRequest *ParsedRequest
 
 	// EnableClaudePath 启用 Claude 路径特有逻辑：
-	// - MediaType 字段写入使用日志
+	// - Claude Max 缓存计费策略
 	EnableClaudePath bool
 
 	// 长上下文计费（仅 Gemini 路径需要）
@@ -7451,7 +7697,6 @@ func (s *GatewayService) RecordUsage(ctx context.Context, input *RecordUsageInpu
 		APIKeyService:      input.APIKeyService,
 		ChannelUsageFields: input.ChannelUsageFields,
 	}, &recordUsageOpts{
-		ParsedRequest:    input.ParsedRequest,
 		EnableClaudePath: true,
 	})
 }
@@ -7517,6 +7762,7 @@ type recordUsageCoreInput struct {
 
 // recordUsageCore 是 RecordUsage 和 RecordUsageWithLongContext 的统一实现。
 // opts 中的字段控制两者之间的差异行为：
+// - ParsedRequest != nil → 启用 Claude Max 缓存计费策略
 // - LongContextThreshold > 0 → Token 计费回退走 CalculateCostWithLongContext
 func (s *GatewayService) recordUsageCore(ctx context.Context, input *recordUsageCoreInput, opts *recordUsageOpts) error {
 	result := input.Result
@@ -7583,13 +7829,10 @@ func (s *GatewayService) recordUsageCore(ctx context.Context, input *recordUsage
 
 	// 计算账号统计定价费用（使用最终上游模型匹配自定义规则）
 	if apiKey.GroupID != nil {
-		upstreamModel := result.UpstreamModel
-		if upstreamModel == "" {
-			upstreamModel = result.Model
-		}
-		usageLog.AccountStatsCost = resolveAccountStatsCost(
-			ctx, s.channelService, s.billingService,
-			account.ID, *apiKey.GroupID, upstreamModel,
+		applyAccountStatsCost(ctx, usageLog, s.channelService, s.billingService,
+			account.ID, *apiKey.GroupID, result.UpstreamModel, result.Model,
+			// Anthropic's input_tokens excludes cache_read and cache_creation (billed separately);
+			// OpenAI gateway uses actualInputTokens which also excludes cache_read for the same reason.
 			UsageTokens{
 				InputTokens:         result.Usage.InputTokens,
 				OutputTokens:        result.Usage.OutputTokens,
@@ -7597,7 +7840,6 @@ func (s *GatewayService) recordUsageCore(ctx context.Context, input *recordUsage
 				CacheReadTokens:     result.Usage.CacheReadInputTokens,
 				ImageOutputTokens:   result.Usage.ImageOutputTokens,
 			},
-			1, // requestCount
 			cost.TotalCost,
 		)
 	}
@@ -7796,13 +8038,12 @@ func (s *GatewayService) buildRecordUsageLog(
 		RateMultiplier:        multiplier,
 		AccountRateMultiplier: &accountRateMultiplier,
 		BillingType:           billingType,
-		BillingMode:           resolveBillingMode(opts, result, cost),
+		BillingMode:           resolveBillingMode(result, cost),
 		Stream:                result.Stream,
 		DurationMs:            &durationMs,
 		FirstTokenMs:          result.FirstTokenMs,
 		ImageCount:            result.ImageCount,
 		ImageSize:             optionalTrimmedStringPtr(result.ImageSize),
-		MediaType:             resolveMediaType(opts, result),
 		CacheTTLOverridden:    cacheTTLOverridden,
 		ChannelID:             optionalInt64Ptr(input.ChannelID),
 		ModelMappingChain:     optionalTrimmedStringPtr(input.ModelMappingChain),
@@ -7826,7 +8067,7 @@ func (s *GatewayService) buildRecordUsageLog(
 }
 
 // resolveBillingMode 根据计费结果和请求类型确定计费模式。
-func resolveBillingMode(opts *recordUsageOpts, result *ForwardResult, cost *CostBreakdown) *string {
+func resolveBillingMode(result *ForwardResult, cost *CostBreakdown) *string {
 	var mode string
 	switch {
 	case cost != nil && cost.BillingMode != "":
@@ -7839,10 +8080,6 @@ func resolveBillingMode(opts *recordUsageOpts, result *ForwardResult, cost *Cost
 	return &mode
 }
 
-func resolveMediaType(opts *recordUsageOpts, result *ForwardResult) *string {
-	return nil
-}
-
 func optionalSubscriptionID(subscription *UserSubscription) *int64 {
 	if subscription != nil {
 		return &subscription.ID
@@ -8349,9 +8586,9 @@ func (s *GatewayService) buildCountTokensRequest(ctx context.Context, c *gin.Con
 
 	// OAuth 账号：应用统一指纹和重写 userID（受设置开关控制）
 	// 如果启用了会话ID伪装，会在重写后替换 session 部分为固定值
-	ctEnableFP, ctEnableMPT := true, false
+	ctEnableFP, ctEnableMPT, ctEnableCCH := true, false, false
 	if s.settingService != nil {
-		ctEnableFP, ctEnableMPT = s.settingService.GetGatewayForwardingSettings(ctx)
+		ctEnableFP, ctEnableMPT, ctEnableCCH = s.settingService.GetGatewayForwardingSettings(ctx)
 	}
 	var ctFingerprint *Fingerprint
 	if account.IsOAuth() && s.identityService != nil {
@@ -8369,6 +8606,14 @@ func (s *GatewayService) buildCountTokensRequest(ctx context.Context, c *gin.Con
 		}
 	}
 
+	// 同步 billing header cc_version 与实际发送的 User-Agent 版本
+	if ctFingerprint != nil && ctEnableFP {
+		body = syncBillingHeaderVersion(body, ctFingerprint.UserAgent)
+	}
+	if ctEnableCCH {
+		body = signBillingHeaderCCH(body)
+	}
+
 	req, err := http.NewRequestWithContext(ctx, "POST", targetURL, bytes.NewReader(body))
 	if err != nil {
 		return nil, err
@@ -8409,7 +8654,7 @@ func (s *GatewayService) buildCountTokensRequest(ctx context.Context, c *gin.Con
 	}
 
 	// Build effective drop set for count_tokens: merge static defaults with dynamic beta policy filter rules
-	ctEffectiveDropSet := mergeDropSets(s.getBetaPolicyFilterSet(ctx, c, account))
+	ctEffectiveDropSet := mergeDropSets(s.getBetaPolicyFilterSet(ctx, c, account, modelID))
 
 	// OAuth 账号：处理 anthropic-beta header
 	if tokenType == "oauth" {
diff --git a/backend/internal/service/payment_config_plans_validation_test.go b/backend/internal/service/payment_config_plans_validation_test.go
index 9a2d8716..efdbdb10 100644
--- a/backend/internal/service/payment_config_plans_validation_test.go
+++ b/backend/internal/service/payment_config_plans_validation_test.go
@@ -128,3 +128,66 @@ func TestValidatePlanPatch_NilOriginalPrice(t *testing.T) {
 	err := validatePlanPatch(UpdatePlanRequest{OriginalPrice: nil})
 	require.NoError(t, err)
 }
+
+// --- validatePlanPatch: other fields ---
+
+func ptrStr(s string) *string    { return &s }
+func ptrInt(i int) *int          { return &i }
+func ptrInt64(i int64) *int64    { return &i }
+func ptrFloat(f float64) *float64 { return &f }
+
+func TestValidatePlanPatch_EmptyName(t *testing.T) {
+	err := validatePlanPatch(UpdatePlanRequest{Name: ptrStr("")})
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "plan name")
+}
+
+func TestValidatePlanPatch_ValidName(t *testing.T) {
+	err := validatePlanPatch(UpdatePlanRequest{Name: ptrStr("Basic")})
+	require.NoError(t, err)
+}
+
+func TestValidatePlanPatch_ZeroGroupID(t *testing.T) {
+	err := validatePlanPatch(UpdatePlanRequest{GroupID: ptrInt64(0)})
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "group")
+}
+
+func TestValidatePlanPatch_NegativePrice(t *testing.T) {
+	err := validatePlanPatch(UpdatePlanRequest{Price: ptrFloat(-1)})
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "price")
+}
+
+func TestValidatePlanPatch_ZeroPrice(t *testing.T) {
+	err := validatePlanPatch(UpdatePlanRequest{Price: ptrFloat(0)})
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "price")
+}
+
+func TestValidatePlanPatch_ValidPrice(t *testing.T) {
+	err := validatePlanPatch(UpdatePlanRequest{Price: ptrFloat(9.99)})
+	require.NoError(t, err)
+}
+
+func TestValidatePlanPatch_ZeroValidityDays(t *testing.T) {
+	err := validatePlanPatch(UpdatePlanRequest{ValidityDays: ptrInt(0)})
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "validity days")
+}
+
+func TestValidatePlanPatch_EmptyValidityUnit(t *testing.T) {
+	err := validatePlanPatch(UpdatePlanRequest{ValidityUnit: ptrStr("")})
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "validity unit")
+}
+
+func TestValidatePlanPatch_ValidValidityUnit(t *testing.T) {
+	err := validatePlanPatch(UpdatePlanRequest{ValidityUnit: ptrStr("days")})
+	require.NoError(t, err)
+}
+
+func TestValidatePlanPatch_AllNil(t *testing.T) {
+	err := validatePlanPatch(UpdatePlanRequest{})
+	require.NoError(t, err)
+}
diff --git a/backend/internal/service/user_service.go b/backend/internal/service/user_service.go
index 7602d162..a7724a5a 100644
--- a/backend/internal/service/user_service.go
+++ b/backend/internal/service/user_service.go
@@ -330,6 +330,7 @@ func saveNotifyVerifyCode(ctx context.Context, cache EmailCache, email, code str
 		Code:      code,
 		Attempts:  0,
 		CreatedAt: time.Now(),
+		ExpiresAt: time.Now().Add(verifyCodeTTL),
 	}
 	if err := cache.SetNotifyVerifyCode(ctx, email, data, verifyCodeTTL); err != nil {
 		return fmt.Errorf("save verify code: %w", err)
@@ -370,7 +371,11 @@ func verifyNotifyCode(ctx context.Context, cache EmailCache, email, code string)
 	}
 	if subtle.ConstantTimeCompare([]byte(data.Code), []byte(code)) != 1 {
 		data.Attempts++
-		if err := cache.SetNotifyVerifyCode(ctx, email, data, verifyCodeTTL); err != nil {
+		remaining := time.Until(data.ExpiresAt)
+		if remaining <= 0 {
+			return ErrInvalidVerifyCode
+		}
+		if err := cache.SetNotifyVerifyCode(ctx, email, data, remaining); err != nil {
 			slog.Error("failed to update notify verify code attempts", "email", email, "error", err)
 		}
 		if data.Attempts >= maxVerifyCodeAttempts {
@@ -418,11 +423,17 @@ func (s *UserService) RemoveNotifyEmail(ctx context.Context, userID int64, email
 	}
 
 	filtered := make([]NotifyEmailEntry, 0, len(user.BalanceNotifyExtraEmails))
+	found := false
 	for _, e := range user.BalanceNotifyExtraEmails {
-		if !strings.EqualFold(e.Email, email) {
+		if strings.EqualFold(e.Email, email) {
+			found = true
+		} else {
 			filtered = append(filtered, e)
 		}
 	}
+	if !found {
+		return infraerrors.BadRequest("EMAIL_NOT_FOUND", "notification email not found")
+	}
 	user.BalanceNotifyExtraEmails = filtered
 	return s.userRepo.Update(ctx, user)
 }
diff --git a/frontend/src/components/account/QuotaDimensionRow.vue b/frontend/src/components/account/QuotaDimensionRow.vue
index 1406faa9..e7fe2d0b 100644
--- a/frontend/src/components/account/QuotaDimensionRow.vue
+++ b/frontend/src/components/account/QuotaDimensionRow.vue
@@ -1,6 +1,7 @@
 <script setup lang="ts">
 import { useI18n } from 'vue-i18n'
 import QuotaNotifyToggle from './QuotaNotifyToggle.vue'
+import type { QuotaThresholdType, QuotaResetMode } from '@/constants/account'
 
 const { t } = useI18n()
 
@@ -11,9 +12,9 @@ const props = defineProps<{
   quotaNotifyGlobalEnabled: boolean
   notifyEnabled: boolean | null
   notifyThreshold: number | null
-  notifyThresholdType: string | null
+  notifyThresholdType: QuotaThresholdType | null
   // Reset mode (only for daily/weekly, null for total)
-  resetMode: 'rolling' | 'fixed' | null
+  resetMode: QuotaResetMode | null
   resetHour: number | null
   resetDay: number | null  // weekly only
   resetTimezone: string | null
@@ -22,14 +23,15 @@ const props = defineProps<{
   // Shared options passed from parent
   hourOptions: number[]
   dayOptions: { value: number; key: string }[]
+  timezoneOptions?: string[]
 }>()
 
 const emit = defineEmits<{
   'update:limit': [value: number | null]
   'update:notifyEnabled': [value: boolean | null]
   'update:notifyThreshold': [value: number | null]
-  'update:notifyThresholdType': [value: string | null]
-  'update:resetMode': [value: 'rolling' | 'fixed' | null]
+  'update:notifyThresholdType': [value: QuotaThresholdType | null]
+  'update:resetMode': [value: QuotaResetMode | null]
   'update:resetHour': [value: number | null]
   'update:resetDay': [value: number | null]
   'update:resetTimezone': [value: string | null]
@@ -43,7 +45,7 @@ const onLimitInput = (e: Event) => {
 }
 
 const onModeChange = (e: Event) => {
-  const val = (e.target as HTMLSelectElement).value as 'rolling' | 'fixed'
+  const val = (e.target as HTMLSelectElement).value as QuotaResetMode
   emit('update:resetMode', val)
   if (val === 'fixed') {
     if (props.resetHour == null) emit('update:resetHour', 0)
@@ -51,6 +53,17 @@ const onModeChange = (e: Event) => {
     if (!props.resetTimezone) emit('update:resetTimezone', 'UTC')
   }
 }
+
+function getTimezoneOffsetLabel(tz: string): string {
+  try {
+    const dtf = new Intl.DateTimeFormat('en-US', { timeZone: tz, timeZoneName: 'shortOffset' })
+    const parts = dtf.formatToParts(new Date())
+    const tzPart = parts.find(p => p.type === 'timeZoneName')
+    return tzPart ? (tzPart.value === 'GMT' ? 'GMT+0' : tzPart.value) : ''
+  } catch {
+    return ''
+  }
+}
 </script>
 
 <template>
@@ -95,6 +108,11 @@ const onModeChange = (e: Event) => {
         <select :value="resetHour ?? 0" @change="emit('update:resetHour', Number(($event.target as HTMLSelectElement).value))" class="input py-1 text-xs w-24">
           <option v-for="h in hourOptions" :key="h" :value="h">{{ String(h).padStart(2, '0') }}:00</option>
         </select>
+        <template v-if="timezoneOptions && timezoneOptions.length > 0">
+          <select :value="resetTimezone || 'UTC'" @change="emit('update:resetTimezone', ($event.target as HTMLSelectElement).value)" class="input py-1 text-xs w-auto">
+            <option v-for="tz in timezoneOptions" :key="tz" :value="tz">{{ tz }} ({{ getTimezoneOffsetLabel(tz) }})</option>
+          </select>
+        </template>
       </template>
       <span class="text-[11px] text-gray-500 dark:text-gray-400">
         <template v-if="resetMode === 'fixed'">{{ hintFixed }}</template>
diff --git a/frontend/src/components/account/QuotaLimitCard.vue b/frontend/src/components/account/QuotaLimitCard.vue
index 77e437a8..68a68f29 100644
--- a/frontend/src/components/account/QuotaLimitCard.vue
+++ b/frontend/src/components/account/QuotaLimitCard.vue
@@ -2,6 +2,7 @@
 import { ref, watch, computed } from 'vue'
 import { useI18n } from 'vue-i18n'
 import QuotaDimensionRow from './QuotaDimensionRow.vue'
+import type { QuotaThresholdType, QuotaResetMode } from '@/constants/account'
 
 const { t } = useI18n()
 
@@ -9,22 +10,22 @@ const props = withDefaults(defineProps<{
   totalLimit: number | null
   dailyLimit: number | null
   weeklyLimit: number | null
-  dailyResetMode: 'rolling' | 'fixed' | null
+  dailyResetMode: QuotaResetMode | null
   dailyResetHour: number | null
-  weeklyResetMode: 'rolling' | 'fixed' | null
+  weeklyResetMode: QuotaResetMode | null
   weeklyResetDay: number | null
   weeklyResetHour: number | null
   resetTimezone: string | null
   quotaNotifyGlobalEnabled?: boolean
   quotaNotifyDailyEnabled?: boolean | null
   quotaNotifyDailyThreshold?: number | null
-  quotaNotifyDailyThresholdType?: string | null
+  quotaNotifyDailyThresholdType?: QuotaThresholdType | null
   quotaNotifyWeeklyEnabled?: boolean | null
   quotaNotifyWeeklyThreshold?: number | null
-  quotaNotifyWeeklyThresholdType?: string | null
+  quotaNotifyWeeklyThresholdType?: QuotaThresholdType | null
   quotaNotifyTotalEnabled?: boolean | null
   quotaNotifyTotalThreshold?: number | null
-  quotaNotifyTotalThresholdType?: string | null
+  quotaNotifyTotalThresholdType?: QuotaThresholdType | null
 }>(), {
   quotaNotifyGlobalEnabled: false,
   quotaNotifyDailyEnabled: null,
@@ -42,21 +43,21 @@ const emit = defineEmits<{
   'update:totalLimit': [value: number | null]
   'update:dailyLimit': [value: number | null]
   'update:weeklyLimit': [value: number | null]
-  'update:dailyResetMode': [value: 'rolling' | 'fixed' | null]
+  'update:dailyResetMode': [value: QuotaResetMode | null]
   'update:dailyResetHour': [value: number | null]
-  'update:weeklyResetMode': [value: 'rolling' | 'fixed' | null]
+  'update:weeklyResetMode': [value: QuotaResetMode | null]
   'update:weeklyResetDay': [value: number | null]
   'update:weeklyResetHour': [value: number | null]
   'update:resetTimezone': [value: string | null]
   'update:quotaNotifyDailyEnabled': [value: boolean | null]
   'update:quotaNotifyDailyThreshold': [value: number | null]
-  'update:quotaNotifyDailyThresholdType': [value: string | null]
+  'update:quotaNotifyDailyThresholdType': [value: QuotaThresholdType | null]
   'update:quotaNotifyWeeklyEnabled': [value: boolean | null]
   'update:quotaNotifyWeeklyThreshold': [value: number | null]
-  'update:quotaNotifyWeeklyThresholdType': [value: string | null]
+  'update:quotaNotifyWeeklyThresholdType': [value: QuotaThresholdType | null]
   'update:quotaNotifyTotalEnabled': [value: boolean | null]
   'update:quotaNotifyTotalThreshold': [value: number | null]
-  'update:quotaNotifyTotalThresholdType': [value: string | null]
+  'update:quotaNotifyTotalThresholdType': [value: QuotaThresholdType | null]
 }>()
 
 const enabled = computed(() =>
@@ -89,11 +90,6 @@ watch(localEnabled, (val) => {
   }
 })
 
-// Whether any fixed mode is active (to show timezone selector)
-const hasFixedMode = computed(() =>
-  props.dailyResetMode === 'fixed' || props.weeklyResetMode === 'fixed'
-)
-
 // Common timezone options
 const timezoneOptions = [
   'UTC', 'Asia/Shanghai', 'Asia/Tokyo', 'Asia/Seoul', 'Asia/Singapore', 'Asia/Kolkata',
@@ -102,18 +98,6 @@ const timezoneOptions = [
   'America/Sao_Paulo', 'Australia/Sydney', 'Pacific/Auckland',
 ]
 
-// Compute GMT offset label (e.g. "GMT+8", "GMT-5") for a given IANA timezone.
-function getTimezoneOffsetLabel(tz: string): string {
-  try {
-    const dtf = new Intl.DateTimeFormat('en-US', { timeZone: tz, timeZoneName: 'shortOffset' })
-    const parts = dtf.formatToParts(new Date())
-    const tzPart = parts.find(p => p.type === 'timeZoneName')
-    return tzPart ? (tzPart.value === 'GMT' ? 'GMT+0' : tzPart.value) : ''
-  } catch {
-    return ''
-  }
-}
-
 // Hours for dropdown (0-23)
 const hourOptions = Array.from({ length: 24 }, (_, i) => i)
 
@@ -197,6 +181,7 @@ const dailyFixedHint = computed(() =>
           :hint-fixed="dailyFixedHint"
           :hour-options="hourOptions"
           :day-options="dayOptions"
+          :timezone-options="timezoneOptions"
           @update:limit="emit('update:dailyLimit', $event)"
           @update:notify-enabled="emit('update:quotaNotifyDailyEnabled', $event)"
           @update:notify-threshold="emit('update:quotaNotifyDailyThreshold', $event)"
@@ -223,6 +208,7 @@ const dailyFixedHint = computed(() =>
           :hint-fixed="weeklyFixedHint"
           :hour-options="hourOptions"
           :day-options="dayOptions"
+          :timezone-options="timezoneOptions"
           @update:limit="emit('update:weeklyLimit', $event)"
           @update:notify-enabled="emit('update:quotaNotifyWeeklyEnabled', $event)"
           @update:notify-threshold="emit('update:quotaNotifyWeeklyThreshold', $event)"
@@ -233,14 +219,6 @@ const dailyFixedHint = computed(() =>
           @update:reset-timezone="emit('update:resetTimezone', $event)"
         />
 
-        <!-- Timezone selector (shared by daily/weekly when fixed mode is active) -->
-        <div v-if="hasFixedMode">
-          <label class="input-label">{{ t('admin.accounts.quotaResetTimezone') }}</label>
-          <select :value="resetTimezone || 'UTC'" @change="emit('update:resetTimezone', ($event.target as HTMLSelectElement).value)" class="input text-sm">
-            <option v-for="tz in timezoneOptions" :key="tz" :value="tz">{{ tz }} ({{ getTimezoneOffsetLabel(tz) }})</option>
-          </select>
-        </div>
-
         <!-- Total quota -->
         <QuotaDimensionRow
           dim="total"
diff --git a/frontend/src/components/account/QuotaNotifyToggle.vue b/frontend/src/components/account/QuotaNotifyToggle.vue
index 954d0929..1d78dc02 100644
--- a/frontend/src/components/account/QuotaNotifyToggle.vue
+++ b/frontend/src/components/account/QuotaNotifyToggle.vue
@@ -1,16 +1,16 @@
 <script setup lang="ts">
-import { QUOTA_THRESHOLD_TYPE_FIXED, QUOTA_THRESHOLD_TYPE_PERCENTAGE } from '@/constants/account'
+import { QUOTA_THRESHOLD_TYPE_FIXED, QUOTA_THRESHOLD_TYPE_PERCENTAGE, type QuotaThresholdType } from '@/constants/account'
 
 defineProps<{
   enabled: boolean | null
   threshold: number | null
-  thresholdType: string | null // "fixed" (default) or "percentage"
+  thresholdType: QuotaThresholdType | null
 }>()
 
 const emit = defineEmits<{
   'update:enabled': [value: boolean | null]
   'update:threshold': [value: number | null]
-  'update:thresholdType': [value: string | null]
+  'update:thresholdType': [value: QuotaThresholdType | null]
 }>()
 </script>
 
@@ -43,7 +43,7 @@ const emit = defineEmits<{
       />
       <select
         :value="thresholdType || QUOTA_THRESHOLD_TYPE_FIXED"
-        @change="emit('update:thresholdType', ($event.target as HTMLSelectElement).value)"
+        @change="emit('update:thresholdType', ($event.target as HTMLSelectElement).value as QuotaThresholdType)"
         class="input py-1 text-xs w-[4.5rem] flex-shrink-0 text-center"
       >
         <option :value="QUOTA_THRESHOLD_TYPE_FIXED">$</option>
diff --git a/frontend/src/components/admin/usage/UsageTable.vue b/frontend/src/components/admin/usage/UsageTable.vue
index 55d4f84b..98bb3554 100644
--- a/frontend/src/components/admin/usage/UsageTable.vue
+++ b/frontend/src/components/admin/usage/UsageTable.vue
@@ -313,10 +313,6 @@
             <span class="text-gray-400">{{ t('usage.rate') }}</span>
             <span class="font-semibold text-blue-400">{{ formatMultiplier(tooltipData?.rate_multiplier || 1) }}x</span>
           </div>
-          <div class="flex items-center justify-between gap-6">
-            <span class="text-gray-400">{{ t('usage.accountMultiplier') }}</span>
-            <span class="font-semibold text-blue-400">{{ formatMultiplier(tooltipData?.account_rate_multiplier ?? 1) }}x</span>
-          </div>
           <div class="flex items-center justify-between gap-6">
             <span class="text-gray-400">{{ t('usage.original') }}</span>
             <span class="font-medium text-white">${{ tooltipData?.total_cost?.toFixed(6) || '0.000000' }}</span>
@@ -325,7 +321,12 @@
             <span class="text-gray-400">{{ t('usage.userBilled') }}</span>
             <span class="font-semibold text-green-400">${{ tooltipData?.actual_cost?.toFixed(6) || '0.000000' }}</span>
           </div>
+          <!-- Account billing (separated from user billing) -->
           <div class="flex items-center justify-between gap-6 border-t border-gray-700 pt-1.5">
+            <span class="text-gray-400">{{ t('usage.accountMultiplier') }}</span>
+            <span class="font-semibold text-blue-400">{{ formatMultiplier(tooltipData?.account_rate_multiplier ?? 1) }}x</span>
+          </div>
+          <div class="flex items-center justify-between gap-6">
             <span class="text-gray-400">{{ t('usage.accountBilled') }}</span>
             <span class="font-semibold text-green-400">
               ${{ accountBilled({
@@ -355,7 +356,8 @@ import { getBillingModeLabel, getBillingModeBadgeClass, BILLING_MODE_TOKEN, BILL
 /** Compute the account-billed cost for display: (account_stats_cost ?? total_cost) * rate_multiplier */
 function accountBilled(row: { total_cost?: number | null; account_stats_cost?: number | null; account_rate_multiplier?: number | null }): number {
   const base = row.account_stats_cost != null ? row.account_stats_cost : (row.total_cost ?? 0)
-  return base * (row.account_rate_multiplier ?? 1)
+  const result = base * (row.account_rate_multiplier ?? 1)
+  return Number.isNaN(result) ? 0 : result
 }
 
 import DataTable from '@/components/common/DataTable.vue'
diff --git a/frontend/src/composables/useQuotaNotifyState.ts b/frontend/src/composables/useQuotaNotifyState.ts
index 1c6705d3..25fad0e8 100644
--- a/frontend/src/composables/useQuotaNotifyState.ts
+++ b/frontend/src/composables/useQuotaNotifyState.ts
@@ -1,6 +1,6 @@
 import { reactive, ref } from 'vue'
 import { adminAPI } from '@/api/admin'
-import { QUOTA_THRESHOLD_TYPE_FIXED } from '@/constants/account'
+import { QUOTA_THRESHOLD_TYPE_FIXED, type QuotaThresholdType } from '@/constants/account'
 
 export const QUOTA_NOTIFY_DIMS = ['daily', 'weekly', 'total'] as const
 export type QuotaNotifyDim = (typeof QUOTA_NOTIFY_DIMS)[number]
@@ -8,7 +8,7 @@ export type QuotaNotifyDim = (typeof QUOTA_NOTIFY_DIMS)[number]
 interface DimState {
   enabled: boolean | null
   threshold: number | null
-  thresholdType: string | null
+  thresholdType: QuotaThresholdType | null
 }
 
 export function useQuotaNotifyState() {
@@ -34,7 +34,7 @@ export function useQuotaNotifyState() {
     for (const d of QUOTA_NOTIFY_DIMS) {
       state[d].enabled = (extra?.[`quota_notify_${d}_enabled`] as boolean) ?? null
       state[d].threshold = (extra?.[`quota_notify_${d}_threshold`] as number) ?? null
-      state[d].thresholdType = (extra?.[`quota_notify_${d}_threshold_type`] as string) ?? null
+      state[d].thresholdType = (extra?.[`quota_notify_${d}_threshold_type`] as QuotaThresholdType) ?? null
     }
   }
 
diff --git a/frontend/src/constants/account.ts b/frontend/src/constants/account.ts
index 3c151fee..dcfc7fae 100644
--- a/frontend/src/constants/account.ts
+++ b/frontend/src/constants/account.ts
@@ -8,3 +8,8 @@ export type WebSearchMode = typeof WEB_SEARCH_MODE_DEFAULT | typeof WEB_SEARCH_M
 export const QUOTA_THRESHOLD_TYPE_FIXED = 'fixed' as const
 export const QUOTA_THRESHOLD_TYPE_PERCENTAGE = 'percentage' as const
 export type QuotaThresholdType = typeof QUOTA_THRESHOLD_TYPE_FIXED | typeof QUOTA_THRESHOLD_TYPE_PERCENTAGE
+
+/** Quota reset mode values */
+export const QUOTA_RESET_MODE_ROLLING = 'rolling' as const
+export const QUOTA_RESET_MODE_FIXED = 'fixed' as const
+export type QuotaResetMode = typeof QUOTA_RESET_MODE_ROLLING | typeof QUOTA_RESET_MODE_FIXED
diff --git a/frontend/src/views/admin/ChannelsView.vue b/frontend/src/views/admin/ChannelsView.vue
index 60704b65..52d57d74 100644
--- a/frontend/src/views/admin/ChannelsView.vue
+++ b/frontend/src/views/admin/ChannelsView.vue
@@ -166,8 +166,8 @@
             class="channel-tab group"
             :class="activeTab === section.platform ? 'channel-tab-active' : 'channel-tab-inactive'"
           >
-            <PlatformIcon :platform="section.platform" size="xs" :class="getPlatformTextColor(section.platform)" />
-            <span :class="getPlatformTextColor(section.platform)">{{ t('admin.groups.platforms.' + section.platform, section.platform) }}</span>
+            <PlatformIcon :platform="section.platform" size="xs" :class="platformTextClass(section.platform)" />
+            <span :class="platformTextClass(section.platform)">{{ t('admin.groups.platforms.' + section.platform, section.platform) }}</span>
           </button>
         </div>
 
@@ -246,8 +246,8 @@
                     class="h-3.5 w-3.5 rounded border-gray-300 text-primary-600 focus:ring-primary-500"
                     @change="togglePlatform(p)"
                   />
-                  <PlatformIcon :platform="p" size="xs" :class="getPlatformTextColor(p)" />
-                  <span :class="getPlatformTextColor(p)">{{ t('admin.groups.platforms.' + p, p) }}</span>
+                  <PlatformIcon :platform="p" size="xs" :class="platformTextClass(p)" />
+                  <span :class="platformTextClass(p)">{{ t('admin.groups.platforms.' + p, p) }}</span>
                 </label>
               </div>
             </div>
@@ -310,9 +310,9 @@
                       class="h-3 w-3 rounded border-gray-300 text-primary-600 focus:ring-primary-500"
                       @change="toggleGroupInSection(sIdx, group.id)"
                     />
-                    <span :class="['font-medium', getPlatformTextColor(group.platform)]">{{ group.name }}</span>
+                    <span :class="['font-medium', platformTextClass(group.platform)]">{{ group.name }}</span>
                     <span
-                      :class="['rounded-full px-1 py-0 text-[10px]', getRateBadgeClass(group.platform)]"
+                      :class="['rounded-full px-1 py-0 text-[10px]', platformBadgeLightClass(group.platform)]"
                     >{{ group.rate_multiplier }}x</span>
                     <span class="text-[10px] text-gray-400">{{ group.account_count || 0 }}</span>
                     <span
@@ -363,7 +363,7 @@
                     :value="srcModel"
                     type="text"
                     class="input flex-1 text-xs"
-                    :class="getPlatformTextColor(section.platform)"
+                    :class="platformTextClass(section.platform)"
                     :placeholder="t('admin.channels.form.mappingSource', 'Source model')"
                     @change="renameMappingKey(sIdx, srcModel, ($event.target as HTMLInputElement).value)"
                   />
@@ -372,7 +372,7 @@
                     :value="section.model_mapping[srcModel]"
                     type="text"
                     class="input flex-1 text-xs"
-                    :class="getPlatformTextColor(section.platform)"
+                    :class="platformTextClass(section.platform)"
                     :placeholder="t('admin.channels.form.mappingTarget', 'Target model')"
                     @input="section.model_mapping[srcModel] = ($event.target as HTMLInputElement).value"
                   />
@@ -464,7 +464,7 @@
                         : 'border-gray-200 hover:bg-gray-50 dark:border-dark-600 dark:hover:bg-dark-700'"
                     >
                       <input type="checkbox" :checked="rule.group_ids.includes(gid)" class="h-3 w-3 rounded border-gray-300 text-primary-600 focus:ring-primary-500" @change="rule.group_ids.includes(gid) ? rule.group_ids.splice(rule.group_ids.indexOf(gid), 1) : rule.group_ids.push(gid)" />
-                      <span>{{ getGroupNameById(gid) }}</span>
+                      <span :class="['font-medium', platformTextClass(section.platform)]">{{ getGroupNameById(gid) }}</span>
                     </label>
                   </div>
                   <p v-if="section.group_ids.length === 0" class="mt-1 text-xs text-gray-400">
@@ -481,7 +481,7 @@
                       :key="accountId"
                       class="inline-flex items-center gap-1 rounded-md border border-primary-300 bg-primary-50 px-2 py-0.5 text-xs dark:border-primary-700 dark:bg-primary-900/20"
                     >
-                      <span>{{ getRuleAccountLabel(accountId) }}</span>
+                      <span :class="['font-medium', platformTextClass(section.platform)]">{{ getRuleAccountLabel(accountId) }}</span>
                       <button type="button" @click="removeRuleAccount(rule, accountId)" class="text-gray-400 hover:text-red-500">
                         <Icon name="x" size="xs" />
                       </button>
@@ -595,7 +595,7 @@ import type { PricingFormEntry } from '@/components/admin/channel/types'
 import { mTokToPerToken, perTokenToMTok, apiIntervalsToForm, formIntervalsToAPI, findModelConflict, validateIntervals } from '@/components/admin/channel/types'
 import type { AdminGroup, GroupPlatform } from '@/types'
 import type { Column } from '@/components/common/types'
-import { platformTextClass } from '@/utils/platformColors'
+import { platformTextClass, platformBadgeLightClass } from '@/utils/platformColors'
 import AppLayout from '@/components/layout/AppLayout.vue'
 import TablePageLayout from '@/components/layout/TablePageLayout.vue'
 import DataTable from '@/components/common/DataTable.vue'
@@ -720,26 +720,6 @@ let abortController: AbortController | null = null
 // ── Platform config ──
 const platformOrder: GroupPlatform[] = ['anthropic', 'openai', 'gemini', 'antigravity']
 
-function getPlatformTextColor(platform: string): string {
-  switch (platform) {
-    case 'anthropic': return 'text-orange-600 dark:text-orange-400'
-    case 'openai': return 'text-emerald-600 dark:text-emerald-400'
-    case 'gemini': return 'text-blue-600 dark:text-blue-400'
-    case 'antigravity': return 'text-purple-600 dark:text-purple-400'
-    default: return 'text-gray-600 dark:text-gray-400'
-  }
-}
-
-function getRateBadgeClass(platform: string): string {
-  switch (platform) {
-    case 'anthropic': return 'bg-orange-100 text-orange-700 dark:bg-orange-900/30 dark:text-orange-400'
-    case 'openai': return 'bg-emerald-100 text-emerald-700 dark:bg-emerald-900/30 dark:text-emerald-400'
-    case 'gemini': return 'bg-blue-100 text-blue-700 dark:bg-blue-900/30 dark:text-blue-400'
-    case 'antigravity': return 'bg-purple-100 text-purple-700 dark:bg-purple-900/30 dark:text-purple-400'
-    default: return 'bg-gray-100 text-gray-700 dark:bg-gray-900/30 dark:text-gray-400'
-  }
-}
-
 // ── Helpers ──
 function formatDate(value: string): string {
   if (!value) return '-'

From 9c09bd19b479c562098a58a821f69c42d7214204 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Tue, 14 Apr 2026 00:42:40 +0800
Subject: [PATCH 078/122] fix: websearch features_config cleanup and pricing
 rules validation

- Fix web_search_emulation toggle: explicitly write false for disabled
  platforms instead of leaving stale true from cloned features_config
- Extract validatePricingEntries from validateChannelConfig for reuse
- Validate account_stats_pricing_rules[].pricing in both Create and
  Update paths (negative prices, bad intervals, missing per_request price)
---
 backend/internal/service/channel_service.go | 22 ++++++++++++++++++---
 frontend/src/views/admin/ChannelsView.vue   |  8 ++++++--
 2 files changed, 25 insertions(+), 5 deletions(-)

diff --git a/backend/internal/service/channel_service.go b/backend/internal/service/channel_service.go
index d0698f0f..aa5e2ceb 100644
--- a/backend/internal/service/channel_service.go
+++ b/backend/internal/service/channel_service.go
@@ -566,15 +566,21 @@ func ReplaceModelInBody(body []byte, newModel string) []byte {
 // validateChannelConfig 校验渠道的定价和映射配置（冲突检测 + 区间校验 + 计费模式校验）。
 // Create 和 Update 共用此函数，避免重复。
 func validateChannelConfig(pricing []ChannelModelPricing, mapping map[string]map[string]string) error {
+	if err := validatePricingEntries(pricing); err != nil {
+		return err
+	}
+	return validateNoConflictingMappings(mapping)
+}
+
+// validatePricingEntries 校验定价条目（冲突检测 + 区间校验 + 计费模式校验），
+// 同时用于主渠道定价和 account_stats_pricing_rules 的内部定价。
+func validatePricingEntries(pricing []ChannelModelPricing) error {
 	if err := validateNoConflictingModels(pricing); err != nil {
 		return err
 	}
 	if err := validatePricingIntervals(pricing); err != nil {
 		return err
 	}
-	if err := validateNoConflictingMappings(mapping); err != nil {
-		return err
-	}
 	return validatePricingBillingMode(pricing)
 }
 
@@ -684,6 +690,11 @@ func (s *ChannelService) Create(ctx context.Context, input *CreateChannelInput)
 	if err := validateChannelConfig(channel.ModelPricing, channel.ModelMapping); err != nil {
 		return nil, err
 	}
+	for i, rule := range channel.AccountStatsPricingRules {
+		if err := validatePricingEntries(rule.Pricing); err != nil {
+			return nil, fmt.Errorf("account stats pricing rule #%d: %w", i+1, err)
+		}
+	}
 
 	if err := s.repo.Create(ctx, channel); err != nil {
 		return nil, fmt.Errorf("create channel: %w", err)
@@ -712,6 +723,11 @@ func (s *ChannelService) Update(ctx context.Context, id int64, input *UpdateChan
 	if err := validateChannelConfig(channel.ModelPricing, channel.ModelMapping); err != nil {
 		return nil, err
 	}
+	for i, rule := range channel.AccountStatsPricingRules {
+		if err := validatePricingEntries(rule.Pricing); err != nil {
+			return nil, fmt.Errorf("account stats pricing rule #%d: %w", i+1, err)
+		}
+	}
 
 	oldGroupIDs := s.getOldGroupIDs(ctx, id)
 
diff --git a/frontend/src/views/admin/ChannelsView.vue b/frontend/src/views/admin/ChannelsView.vue
index 52d57d74..0b37a20d 100644
--- a/frontend/src/views/admin/ChannelsView.vue
+++ b/frontend/src/views/admin/ChannelsView.vue
@@ -1032,15 +1032,19 @@ function formToAPI(): { group_ids: number[], model_pricing: ChannelModelPricing[
   }
 
   // Collect web_search_emulation (only anthropic platform supports it)
+  // Always write the key so that disabling in the UI correctly sets platform to false,
+  // rather than leaving a stale true value from the cloned features_config.
   const wsEmulation: Record<string, boolean> = {}
   for (const section of form.platforms) {
     if (!section.enabled) continue
-    if (section.web_search_emulation && section.platform === 'anthropic') {
-      wsEmulation[section.platform] = true
+    if (section.platform === 'anthropic') {
+      wsEmulation[section.platform] = !!section.web_search_emulation
     }
   }
   if (Object.keys(wsEmulation).length > 0) {
     featuresConfig.web_search_emulation = wsEmulation
+  } else {
+    delete featuresConfig.web_search_emulation
   }
 
   return { group_ids, model_pricing, model_mapping, features_config: featuresConfig }

From 0a4ece5f5be30db727bb9694588bfd0d0d99a26c Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Tue, 14 Apr 2026 01:10:46 +0800
Subject: [PATCH 079/122] =?UTF-8?q?fix:=20audit=20round-3=20=E2=80=94=20pr?=
 =?UTF-8?q?oxy=20safety,=20intervals=20persistence,=20SMTP=20timeout,=20so?=
 =?UTF-8?q?rt=20fix?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Skip websearch provider when ProxyID is set but proxy not found (prevent
  silent direct connection bypass)
- Fix sortByStableRandomWeight: pair factors with items so sort.Slice swap
  keeps weights aligned
- Allow empty platform in account_stats_pricing_rules (wildcard matching),
  only force anthropic default for main model_pricing
- Add channel_account_stats_pricing_intervals table and repo layer support
  for interval-based pricing in account stats rules
- calculateTokenStatsCost now uses interval pricing when available
- Replace smtp.SendMail/tls.Dial with net.Dialer timeout (10s dial, 20s IO)
  to prevent goroutine leak on SMTP hang
- Fix gofmt formatting issues
- Web Search label: black text with red warning hint
---
 .../internal/handler/admin/channel_handler.go | 14 +++-
 backend/internal/pkg/websearch/manager.go     | 17 +++--
 .../channel_repo_account_stats_pricing.go     | 74 +++++++++++++++++++
 backend/internal/repository/email_cache.go    | 10 +--
 backend/internal/server/http.go               |  6 ++
 .../internal/service/account_stats_pricing.go | 31 ++++++--
 .../service/balance_notify_service.go         |  1 -
 backend/internal/service/email_service.go     | 49 +++++++++++-
 .../internal/service/notify_email_entry.go    |  1 -
 ...06_add_account_stats_pricing_intervals.sql | 19 +++++
 frontend/src/views/admin/ChannelsView.vue     |  4 +-
 11 files changed, 199 insertions(+), 27 deletions(-)
 create mode 100644 backend/migrations/106_add_account_stats_pricing_intervals.sql

diff --git a/backend/internal/handler/admin/channel_handler.go b/backend/internal/handler/admin/channel_handler.go
index 1a328551..88d27c47 100644
--- a/backend/internal/handler/admin/channel_handler.go
+++ b/backend/internal/handler/admin/channel_handler.go
@@ -249,9 +249,6 @@ func pricingRequestToService(reqs []channelModelPricingRequest) []service.Channe
 			billingMode = service.BillingModeToken
 		}
 		platform := r.Platform
-		if platform == "" {
-			platform = service.PlatformAnthropic
-		}
 		intervals := make([]service.PricingInterval, 0, len(r.Intervals))
 		for _, iv := range r.Intervals {
 			intervals = append(intervals, service.PricingInterval{
@@ -349,6 +346,12 @@ func (h *ChannelHandler) Create(c *gin.Context) {
 	}
 
 	pricing := pricingRequestToService(req.ModelPricing)
+	// Main model_pricing requires a platform; default to anthropic for backward compatibility.
+	for i := range pricing {
+		if pricing[i].Platform == "" {
+			pricing[i].Platform = service.PlatformAnthropic
+		}
+	}
 
 	var statsRules []service.AccountStatsPricingRule
 	for i, r := range req.AccountStatsPricingRules {
@@ -415,6 +418,11 @@ func (h *ChannelHandler) Update(c *gin.Context) {
 	}
 	if req.ModelPricing != nil {
 		pricing := pricingRequestToService(*req.ModelPricing)
+		for i := range pricing {
+			if pricing[i].Platform == "" {
+				pricing[i].Platform = service.PlatformAnthropic
+			}
+		}
 		input.ModelPricing = &pricing
 	}
 	if req.AccountStatsPricingRules != nil {
diff --git a/backend/internal/pkg/websearch/manager.go b/backend/internal/pkg/websearch/manager.go
index 27592459..61faa616 100644
--- a/backend/internal/pkg/websearch/manager.go
+++ b/backend/internal/pkg/websearch/manager.go
@@ -200,13 +200,20 @@ func sortByStableRandomWeight(items []weighted) {
 	if len(items) <= 1 {
 		return
 	}
-	factors := make([]float64, len(items))
-	for i, item := range items {
-		factors[i] = float64(item.weight) * (0.5 + rand.Float64())
+	type entry struct {
+		item   weighted
+		factor float64
 	}
-	sort.Slice(items, func(i, j int) bool {
-		return factors[i] > factors[j]
+	entries := make([]entry, len(items))
+	for i, item := range items {
+		entries[i] = entry{item: item, factor: float64(item.weight) * (0.5 + rand.Float64())}
+	}
+	sort.Slice(entries, func(i, j int) bool {
+		return entries[i].factor > entries[j].factor
 	})
+	for i, e := range entries {
+		items[i] = e.item
+	}
 }
 
 func mergeWeightedResults(withQuota, withoutQuota []weighted, capacity int) []ProviderConfig {
diff --git a/backend/internal/repository/channel_repo_account_stats_pricing.go b/backend/internal/repository/channel_repo_account_stats_pricing.go
index ef8f5177..9e00fed8 100644
--- a/backend/internal/repository/channel_repo_account_stats_pricing.go
+++ b/backend/internal/repository/channel_repo_account_stats_pricing.go
@@ -96,6 +96,27 @@ func (r *channelRepository) batchLoadAccountStatsModelPricing(ctx context.Contex
 	if err := rows.Err(); err != nil {
 		return nil, fmt.Errorf("iterate account stats model pricing: %w", err)
 	}
+
+	// Load intervals for all pricing entries.
+	var allPricingIDs []int64
+	for _, pricings := range pricingMap {
+		for _, p := range pricings {
+			allPricingIDs = append(allPricingIDs, p.ID)
+		}
+	}
+	if len(allPricingIDs) > 0 {
+		intervalsMap, err := r.batchLoadAccountStatsIntervals(ctx, allPricingIDs)
+		if err != nil {
+			return nil, err
+		}
+		for ruleID, pricings := range pricingMap {
+			for i := range pricings {
+				pricings[i].Intervals = intervalsMap[pricings[i].ID]
+			}
+			pricingMap[ruleID] = pricings
+		}
+	}
+
 	return pricingMap, nil
 }
 
@@ -166,5 +187,58 @@ func createAccountStatsModelPricingTx(ctx context.Context, tx *sql.Tx, ruleID in
 	if err != nil {
 		return fmt.Errorf("insert account stats model pricing: %w", err)
 	}
+	// Persist intervals (mirrors channel_pricing_intervals logic).
+	for i := range pricing.Intervals {
+		iv := &pricing.Intervals[i]
+		iv.PricingID = pricing.ID
+		if err := createAccountStatsIntervalTx(ctx, tx, iv); err != nil {
+			return err
+		}
+	}
 	return nil
 }
+
+// createAccountStatsIntervalTx inserts a single interval for an account stats pricing entry.
+func createAccountStatsIntervalTx(ctx context.Context, tx *sql.Tx, iv *service.PricingInterval) error {
+	return tx.QueryRowContext(ctx,
+		`INSERT INTO channel_account_stats_pricing_intervals
+		 (pricing_id, min_tokens, max_tokens, tier_label, input_price, output_price, cache_write_price, cache_read_price, per_request_price, sort_order)
+		 VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10) RETURNING id, created_at, updated_at`,
+		iv.PricingID, iv.MinTokens, iv.MaxTokens, iv.TierLabel,
+		iv.InputPrice, iv.OutputPrice, iv.CacheWritePrice, iv.CacheReadPrice,
+		iv.PerRequestPrice, iv.SortOrder,
+	).Scan(&iv.ID, &iv.CreatedAt, &iv.UpdatedAt)
+}
+
+// batchLoadAccountStatsIntervals loads intervals for account stats pricing entries.
+func (r *channelRepository) batchLoadAccountStatsIntervals(ctx context.Context, pricingIDs []int64) (map[int64][]service.PricingInterval, error) {
+	if len(pricingIDs) == 0 {
+		return nil, nil
+	}
+	rows, err := r.db.QueryContext(ctx,
+		`SELECT id, pricing_id, min_tokens, max_tokens, tier_label,
+		        input_price, output_price, cache_write_price, cache_read_price,
+		        per_request_price, sort_order, created_at, updated_at
+		 FROM channel_account_stats_pricing_intervals
+		 WHERE pricing_id = ANY($1) ORDER BY pricing_id, sort_order, id`,
+		pq.Array(pricingIDs),
+	)
+	if err != nil {
+		return nil, fmt.Errorf("batch load account stats pricing intervals: %w", err)
+	}
+	defer func() { _ = rows.Close() }()
+
+	result := make(map[int64][]service.PricingInterval)
+	for rows.Next() {
+		var iv service.PricingInterval
+		if err := rows.Scan(
+			&iv.ID, &iv.PricingID, &iv.MinTokens, &iv.MaxTokens, &iv.TierLabel,
+			&iv.InputPrice, &iv.OutputPrice, &iv.CacheWritePrice, &iv.CacheReadPrice,
+			&iv.PerRequestPrice, &iv.SortOrder, &iv.CreatedAt, &iv.UpdatedAt,
+		); err != nil {
+			return nil, fmt.Errorf("scan account stats pricing interval: %w", err)
+		}
+		result[iv.PricingID] = append(result[iv.PricingID], iv)
+	}
+	return result, rows.Err()
+}
diff --git a/backend/internal/repository/email_cache.go b/backend/internal/repository/email_cache.go
index 0eb6bef1..96a23a8e 100644
--- a/backend/internal/repository/email_cache.go
+++ b/backend/internal/repository/email_cache.go
@@ -12,11 +12,11 @@ import (
 )
 
 const (
-	verifyCodeKeyPrefix            = "verify_code:"
-	notifyVerifyKeyPrefix          = "notify_verify:"
-	passwordResetKeyPrefix         = "password_reset:"
-	passwordResetSentAtKeyPrefix   = "password_reset_sent:"
-	notifyCodeUserRateKeyPrefix    = "notify_code_user_rate:"
+	verifyCodeKeyPrefix          = "verify_code:"
+	notifyVerifyKeyPrefix        = "notify_verify:"
+	passwordResetKeyPrefix       = "password_reset:"
+	passwordResetSentAtKeyPrefix = "password_reset_sent:"
+	notifyCodeUserRateKeyPrefix  = "notify_code_user_rate:"
 )
 
 // verifyCodeKey generates the Redis key for email verification code.
diff --git a/backend/internal/server/http.go b/backend/internal/server/http.go
index 5165b059..d203bab2 100644
--- a/backend/internal/server/http.go
+++ b/backend/internal/server/http.go
@@ -4,6 +4,7 @@ package server
 import (
 	"context"
 	"log"
+	"log/slog"
 	"net/http"
 	"time"
 
@@ -82,6 +83,11 @@ func ProvideRouter(
 				pc.ProxyID = *p.ProxyID
 				if u, ok := proxyURLs[*p.ProxyID]; ok {
 					pc.ProxyURL = u
+				} else {
+					// Proxy configured but not found — skip this provider to prevent direct connection.
+					slog.Warn("websearch: proxy not found for provider, skipping",
+						"provider", p.Type, "proxy_id", *p.ProxyID)
+					continue
 				}
 			}
 			configs = append(configs, pc)
diff --git a/backend/internal/service/account_stats_pricing.go b/backend/internal/service/account_stats_pricing.go
index 8251dede..61c318d9 100644
--- a/backend/internal/service/account_stats_pricing.go
+++ b/backend/internal/service/account_stats_pricing.go
@@ -195,18 +195,33 @@ func calculatePerRequestStatsCost(pricing *ChannelModelPricing, requestCount int
 }
 
 // calculateTokenStatsCost Token 计费。
+// If the pricing has intervals, find the matching interval by total token count
+// and use its prices instead of the flat pricing fields.
 func calculateTokenStatsCost(pricing *ChannelModelPricing, tokens UsageTokens) *float64 {
-	deref := func(p *float64) float64 {
-		if p == nil {
+	p := pricing
+	if len(pricing.Intervals) > 0 {
+		totalTokens := tokens.InputTokens + tokens.OutputTokens + tokens.CacheCreationTokens + tokens.CacheReadTokens
+		if iv := FindMatchingInterval(pricing.Intervals, totalTokens); iv != nil {
+			p = &ChannelModelPricing{
+				InputPrice:      iv.InputPrice,
+				OutputPrice:     iv.OutputPrice,
+				CacheWritePrice: iv.CacheWritePrice,
+				CacheReadPrice:  iv.CacheReadPrice,
+				PerRequestPrice: iv.PerRequestPrice,
+			}
+		}
+	}
+	deref := func(ptr *float64) float64 {
+		if ptr == nil {
 			return 0
 		}
-		return *p
+		return *ptr
 	}
-	cost := float64(tokens.InputTokens)*deref(pricing.InputPrice) +
-		float64(tokens.OutputTokens)*deref(pricing.OutputPrice) +
-		float64(tokens.CacheCreationTokens)*deref(pricing.CacheWritePrice) +
-		float64(tokens.CacheReadTokens)*deref(pricing.CacheReadPrice) +
-		float64(tokens.ImageOutputTokens)*deref(pricing.ImageOutputPrice)
+	cost := float64(tokens.InputTokens)*deref(p.InputPrice) +
+		float64(tokens.OutputTokens)*deref(p.OutputPrice) +
+		float64(tokens.CacheCreationTokens)*deref(p.CacheWritePrice) +
+		float64(tokens.CacheReadTokens)*deref(p.CacheReadPrice) +
+		float64(tokens.ImageOutputTokens)*deref(p.ImageOutputPrice)
 	if cost <= 0 {
 		return nil
 	}
diff --git a/backend/internal/service/balance_notify_service.go b/backend/internal/service/balance_notify_service.go
index 5e9afcc8..5b7e413a 100644
--- a/backend/internal/service/balance_notify_service.go
+++ b/backend/internal/service/balance_notify_service.go
@@ -477,4 +477,3 @@ func (s *BalanceNotifyService) buildQuotaAlertEmailBody(accountID int64, account
 	}
 	return fmt.Sprintf(quotaAlertEmailTemplate, siteName, accountID, accountName, platform, dimLabel, used, limitStr, remaining, thresholdDisplay)
 }
-
diff --git a/backend/internal/service/email_service.go b/backend/internal/service/email_service.go
index a94e0dde..425887cd 100644
--- a/backend/internal/service/email_service.go
+++ b/backend/internal/service/email_service.go
@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"log/slog"
 	"math/big"
+	"net"
 	"net/smtp"
 	"net/url"
 	"strconv"
@@ -152,6 +153,9 @@ func (s *EmailService) SendEmail(ctx context.Context, to, subject, body string)
 	return s.SendEmailWithConfig(config, to, subject, body)
 }
 
+const smtpDialTimeout = 10 * time.Second
+const smtpIOTimeout = 20 * time.Second
+
 // SendEmailWithConfig 使用指定配置发送邮件
 func (s *EmailService) SendEmailWithConfig(config *SMTPConfig, to, subject, body string) error {
 	// Sanitize all SMTP header fields to prevent header injection (CR/LF removal).
@@ -173,7 +177,46 @@ func (s *EmailService) SendEmailWithConfig(config *SMTPConfig, to, subject, body
 		return s.sendMailTLS(addr, auth, config.From, to, []byte(msg), config.Host)
 	}
 
-	return smtp.SendMail(addr, auth, config.From, []string{to}, []byte(msg))
+	return s.sendMailPlain(addr, auth, config.From, to, []byte(msg), config.Host)
+}
+
+// sendMailPlain sends mail without TLS using a dialer with timeout.
+func (s *EmailService) sendMailPlain(addr string, auth smtp.Auth, from, to string, msg []byte, host string) error {
+	dialer := &net.Dialer{Timeout: smtpDialTimeout}
+	conn, err := dialer.Dial("tcp", addr)
+	if err != nil {
+		return fmt.Errorf("smtp dial: %w", err)
+	}
+	_ = conn.SetDeadline(time.Now().Add(smtpIOTimeout))
+	defer func() { _ = conn.Close() }()
+
+	client, err := smtp.NewClient(conn, host)
+	if err != nil {
+		return fmt.Errorf("new smtp client: %w", err)
+	}
+	defer func() { _ = client.Close() }()
+
+	if err = client.Auth(auth); err != nil {
+		return fmt.Errorf("smtp auth: %w", err)
+	}
+	if err = client.Mail(from); err != nil {
+		return fmt.Errorf("smtp mail: %w", err)
+	}
+	if err = client.Rcpt(to); err != nil {
+		return fmt.Errorf("smtp rcpt: %w", err)
+	}
+	w, err := client.Data()
+	if err != nil {
+		return fmt.Errorf("smtp data: %w", err)
+	}
+	if _, err = w.Write(msg); err != nil {
+		return fmt.Errorf("write msg: %w", err)
+	}
+	if err = w.Close(); err != nil {
+		return fmt.Errorf("close writer: %w", err)
+	}
+	_ = client.Quit()
+	return nil
 }
 
 // sendMailTLS 使用TLS发送邮件
@@ -184,10 +227,12 @@ func (s *EmailService) sendMailTLS(addr string, auth smtp.Auth, from, to string,
 		MinVersion: tls.VersionTLS12,
 	}
 
-	conn, err := tls.Dial("tcp", addr, tlsConfig)
+	dialer := &net.Dialer{Timeout: smtpDialTimeout}
+	conn, err := tls.DialWithDialer(dialer, "tcp", addr, tlsConfig)
 	if err != nil {
 		return fmt.Errorf("tls dial: %w", err)
 	}
+	_ = conn.SetDeadline(time.Now().Add(smtpIOTimeout))
 	defer func() { _ = conn.Close() }()
 
 	client, err := smtp.NewClient(conn, host)
diff --git a/backend/internal/service/notify_email_entry.go b/backend/internal/service/notify_email_entry.go
index d181200b..625185b2 100644
--- a/backend/internal/service/notify_email_entry.go
+++ b/backend/internal/service/notify_email_entry.go
@@ -79,4 +79,3 @@ func MarshalNotifyEmails(entries []NotifyEmailEntry) string {
 	}
 	return string(data)
 }
-
diff --git a/backend/migrations/106_add_account_stats_pricing_intervals.sql b/backend/migrations/106_add_account_stats_pricing_intervals.sql
new file mode 100644
index 00000000..5ae10655
--- /dev/null
+++ b/backend/migrations/106_add_account_stats_pricing_intervals.sql
@@ -0,0 +1,19 @@
+-- Add intervals table for account stats pricing rules (mirrors channel_pricing_intervals).
+CREATE TABLE IF NOT EXISTS channel_account_stats_pricing_intervals (
+    id                BIGSERIAL      PRIMARY KEY,
+    pricing_id        BIGINT         NOT NULL REFERENCES channel_account_stats_model_pricing(id) ON DELETE CASCADE,
+    min_tokens        INT            NOT NULL DEFAULT 0,
+    max_tokens        INT,
+    tier_label        VARCHAR(50),
+    input_price       NUMERIC(20,12),
+    output_price      NUMERIC(20,12),
+    cache_write_price NUMERIC(20,12),
+    cache_read_price  NUMERIC(20,12),
+    per_request_price NUMERIC(20,12),
+    sort_order        INT            NOT NULL DEFAULT 0,
+    created_at        TIMESTAMPTZ    NOT NULL DEFAULT NOW(),
+    updated_at        TIMESTAMPTZ    NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX IF NOT EXISTS idx_account_stats_pricing_intervals_pricing_id
+    ON channel_account_stats_pricing_intervals (pricing_id);
diff --git a/frontend/src/views/admin/ChannelsView.vue b/frontend/src/views/admin/ChannelsView.vue
index 0b37a20d..e4452b98 100644
--- a/frontend/src/views/admin/ChannelsView.vue
+++ b/frontend/src/views/admin/ChannelsView.vue
@@ -328,10 +328,10 @@
             <div v-if="section.platform === 'anthropic' && webSearchGlobalEnabled" class="border-t border-gray-200 pt-3 dark:border-dark-600">
               <div class="flex items-center justify-between">
                 <div>
-                  <label class="text-xs font-medium text-orange-600 dark:text-orange-400">
+                  <label class="text-xs font-medium text-gray-700 dark:text-gray-300">
                     {{ t('admin.channels.form.webSearchEmulation') }}
                   </label>
-                  <p class="mt-0.5 text-[11px] text-amber-500 dark:text-amber-400">
+                  <p class="mt-0.5 text-[11px] text-red-500 dark:text-red-400">
                     {{ t('admin.channels.form.webSearchEmulationHint') }}
                   </p>
                 </div>

From b402c367d331c24b1507bdbc0596c06c933b1d55 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Tue, 14 Apr 2026 01:38:42 +0800
Subject: [PATCH 080/122] fix: add opportunistic STARTTLS to sendMailPlain for
 587 port compatibility

smtp.SendMail automatically upgrades to STARTTLS when the server
supports it. Our replacement sendMailPlain skipped this, causing
credentials to be sent in plaintext on port 587. Add STARTTLS
negotiation before Auth to restore the original security behavior.
---
 backend/internal/service/email_service.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/backend/internal/service/email_service.go b/backend/internal/service/email_service.go
index 425887cd..9cfd3bbd 100644
--- a/backend/internal/service/email_service.go
+++ b/backend/internal/service/email_service.go
@@ -196,6 +196,14 @@ func (s *EmailService) sendMailPlain(addr string, auth smtp.Auth, from, to strin
 	}
 	defer func() { _ = client.Close() }()
 
+	// Opportunistic STARTTLS: upgrade to encrypted connection if the server supports it.
+	// This mirrors the behavior of smtp.SendMail which we replaced for timeout support.
+	if ok, _ := client.Extension("STARTTLS"); ok {
+		if err = client.StartTLS(&tls.Config{ServerName: host, MinVersion: tls.VersionTLS12}); err != nil {
+			return fmt.Errorf("starttls: %w", err)
+		}
+	}
+
 	if err = client.Auth(auth); err != nil {
 		return fmt.Errorf("smtp auth: %w", err)
 	}

From 9e0d12d3b03e6b1cc8cf96a0c59f6b0a288fab85 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Tue, 14 Apr 2026 07:22:22 +0800
Subject: [PATCH 081/122] fix: show websearch API key visibility/copy buttons
 for saved providers

The buttons were hidden because v-if only checked provider.api_key,
which is always empty for saved providers (backend sanitizes it).
Now also checks api_key_configured. Copy button is disabled when
no actual key is available (only configured placeholder shown).
---
 backend/cmd/server/VERSION                    |  2 +-
 .../internal/handler/admin/setting_handler.go |  2 +-
 backend/internal/service/websearch_config.go  | 22 ++++++++++++++++++
 frontend/src/views/admin/SettingsView.vue     | 23 ++++++++++++-------
 4 files changed, 39 insertions(+), 10 deletions(-)

diff --git a/backend/cmd/server/VERSION b/backend/cmd/server/VERSION
index 68dda295..5657b5e3 100644
--- a/backend/cmd/server/VERSION
+++ b/backend/cmd/server/VERSION
@@ -1 +1 @@
-0.1.110.51
+0.1.112.3
diff --git a/backend/internal/handler/admin/setting_handler.go b/backend/internal/handler/admin/setting_handler.go
index 2324cc70..2a87e95c 100644
--- a/backend/internal/handler/admin/setting_handler.go
+++ b/backend/internal/handler/admin/setting_handler.go
@@ -1939,7 +1939,7 @@ func (h *SettingHandler) GetWebSearchEmulationConfig(c *gin.Context) {
 		response.ErrorFrom(c, err)
 		return
 	}
-	response.Success(c, service.SanitizeWebSearchConfig(c.Request.Context(), cfg))
+	response.Success(c, service.PopulateWebSearchUsage(c.Request.Context(), cfg))
 }
 
 // UpdateWebSearchEmulationConfig 更新 Web Search 模拟配置
diff --git a/backend/internal/service/websearch_config.go b/backend/internal/service/websearch_config.go
index 5658cec3..239e882a 100644
--- a/backend/internal/service/websearch_config.go
+++ b/backend/internal/service/websearch_config.go
@@ -277,6 +277,28 @@ func TestWebSearch(ctx context.Context, query string) (*WebSearchTestResult, err
 	}, nil
 }
 
+// PopulateWebSearchUsage returns a copy with quota usage populated from Redis (api_key kept as-is).
+func PopulateWebSearchUsage(ctx context.Context, cfg *WebSearchEmulationConfig) *WebSearchEmulationConfig {
+	if cfg == nil {
+		return nil
+	}
+	out := *cfg
+	out.Providers = make([]WebSearchProviderConfig, len(cfg.Providers))
+
+	mgr := getWebSearchManager()
+
+	for i, p := range cfg.Providers {
+		out.Providers[i] = p
+		out.Providers[i].APIKeyConfigured = p.APIKey != ""
+
+		if mgr != nil {
+			used, _ := mgr.GetUsage(ctx, p.Type)
+			out.Providers[i].QuotaUsed = used
+		}
+	}
+	return &out
+}
+
 // SanitizeWebSearchConfig returns a copy with api_key fields masked and quota usage populated.
 func SanitizeWebSearchConfig(ctx context.Context, cfg *WebSearchEmulationConfig) *WebSearchEmulationConfig {
 	if cfg == nil {
diff --git a/frontend/src/views/admin/SettingsView.vue b/frontend/src/views/admin/SettingsView.vue
index 3ef1c0ba..12f67187 100644
--- a/frontend/src/views/admin/SettingsView.vue
+++ b/frontend/src/views/admin/SettingsView.vue
@@ -1775,8 +1775,8 @@
                       @click.stop
                     />
                     <!-- Quota summary in collapsed state -->
-                    <span v-if="!expandedProviders[pIdx] && provider.quota_limit > 0" class="text-xs text-gray-400">
-                      {{ provider.quota_used ?? 0 }} / {{ provider.quota_limit }}
+                    <span v-if="!expandedProviders[pIdx]" class="text-xs text-gray-400">
+                      {{ provider.quota_used ?? 0 }} / {{ provider.quota_limit > 0 ? provider.quota_limit : '∞' }}
                     </span>
                     <span v-if="!expandedProviders[pIdx] && provider.api_key_configured" class="text-xs text-green-500">
                       {{ t('admin.settings.webSearchEmulation.apiKeyConfigured') }}
@@ -1797,10 +1797,10 @@
                         v-model="provider.api_key"
                         :type="apiKeyVisible[pIdx] ? 'text' : 'password'"
                         class="input w-full text-sm"
-                        :class="provider.api_key ? 'pr-16' : ''"
+                        :class="(provider.api_key || provider.api_key_configured) ? 'pr-16' : ''"
                         :placeholder="provider.api_key_configured ? '••••••••' : t('admin.settings.webSearchEmulation.apiKeyPlaceholder')"
                       />
-                      <div v-if="provider.api_key" class="absolute inset-y-0 right-0 flex items-center pr-1.5">
+                      <div v-if="provider.api_key || provider.api_key_configured" class="absolute inset-y-0 right-0 flex items-center pr-1.5">
                         <button
                           type="button"
                           class="rounded p-1 text-gray-400 hover:text-gray-600 dark:hover:text-gray-300"
@@ -1818,7 +1818,9 @@
                         <button
                           type="button"
                           class="rounded p-1 text-gray-400 hover:text-gray-600 dark:hover:text-gray-300"
+                          :class="{ 'opacity-30 cursor-not-allowed': !provider.api_key }"
                           :title="t('admin.settings.webSearchEmulation.copyApiKey')"
+                          :disabled="!provider.api_key"
                           @click="copyApiKey(pIdx)"
                         >
                           <svg class="h-4 w-4" fill="none" viewBox="0 0 24 24" stroke="currentColor">
@@ -1849,16 +1851,17 @@
                   </div>
 
                   <!-- Usage display -->
-                  <div v-if="provider.quota_limit > 0" class="flex items-center gap-2">
+                  <div class="flex items-center gap-2">
                     <span class="text-xs text-gray-500">{{ t('admin.settings.webSearchEmulation.quotaUsage') }}:</span>
-                    <div class="flex-1 rounded-full bg-gray-200 dark:bg-dark-600" style="height: 6px">
+                    <div v-if="provider.quota_limit > 0" class="flex-1 rounded-full bg-gray-200 dark:bg-dark-600" style="height: 6px">
                       <div
                         class="h-full rounded-full transition-all"
                         :class="quotaPercentage(provider) > 90 ? 'bg-red-500' : quotaPercentage(provider) > 70 ? 'bg-yellow-500' : 'bg-green-500'"
                         :style="{ width: Math.min(quotaPercentage(provider), 100) + '%' }"
                       />
                     </div>
-                    <span class="text-xs text-gray-500">{{ provider.quota_used ?? 0 }} / {{ provider.quota_limit }}</span>
+                    <div v-else class="flex-1" />
+                    <span class="text-xs text-gray-500">{{ provider.quota_used ?? 0 }} / {{ provider.quota_limit > 0 ? provider.quota_limit : '∞' }}</span>
                   </div>
 
                   <!-- Proxy + Test on same row -->
@@ -3164,9 +3167,13 @@ async function loadWebSearchConfig() {
 
 async function saveWebSearchConfig(): Promise<boolean> {
   try {
+    const providers = webSearchConfig.providers.map((p: WebSearchProviderConfig) => ({
+      ...p,
+      quota_limit: typeof p.quota_limit === 'number' && p.quota_limit > 0 ? p.quota_limit : 0,
+    }))
     await adminAPI.settings.updateWebSearchEmulationConfig({
       enabled: webSearchConfig.enabled,
-      providers: webSearchConfig.providers as WebSearchProviderConfig[],
+      providers,
     })
     return true
   } catch (err: unknown) {

From 1e6912ea2e12beb052d1e0523aa321be619de57f Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Tue, 14 Apr 2026 07:43:08 +0800
Subject: [PATCH 082/122] fix: gofmt formatting across all Go source files

---
 .../internal/handler/admin/setting_handler.go | 10 ++--
 backend/internal/handler/dto/settings.go      | 10 ++--
 backend/internal/handler/dto/types.go         |  8 +--
 .../internal/payment/load_balancer_test.go    |  2 +-
 .../internal/payment/provider/alipay_test.go  |  6 +-
 backend/internal/service/account.go           | 27 ++++++---
 .../service/balance_notify_email_body_test.go | 18 +++---
 backend/internal/service/domain_constants.go  |  4 +-
 .../payment_config_plans_validation_test.go   |  6 +-
 .../service/payment_config_providers.go       | 59 +++++++++++++++----
 .../service/payment_config_providers_test.go  |  2 +-
 .../service/payment_config_service.go         | 36 +++++------
 .../service/setting_service_public_test.go    |  2 +-
 .../service/setting_service_update_test.go    |  4 +-
 backend/internal/service/settings_view.go     | 12 ++--
 backend/internal/service/usage_billing.go     | 13 ++++
 backend/internal/service/user.go              |  2 +-
 backend/internal/service/user_service.go      |  6 +-
 18 files changed, 143 insertions(+), 84 deletions(-)

diff --git a/backend/internal/handler/admin/setting_handler.go b/backend/internal/handler/admin/setting_handler.go
index 2a87e95c..b50cad96 100644
--- a/backend/internal/handler/admin/setting_handler.go
+++ b/backend/internal/handler/admin/setting_handler.go
@@ -310,11 +310,11 @@ type UpdateSettingsRequest struct {
 	EnableCCHSigning             *bool `json:"enable_cch_signing"`
 
 	// Balance low notification
-	BalanceLowNotifyEnabled      *bool     `json:"balance_low_notify_enabled"`
-	BalanceLowNotifyThreshold    *float64  `json:"balance_low_notify_threshold"`
-	BalanceLowNotifyRechargeURL  *string   `json:"balance_low_notify_recharge_url"`
-	AccountQuotaNotifyEnabled *bool     `json:"account_quota_notify_enabled"`
-	AccountQuotaNotifyEmails  *[]dto.NotifyEmailEntry `json:"account_quota_notify_emails"`
+	BalanceLowNotifyEnabled     *bool                   `json:"balance_low_notify_enabled"`
+	BalanceLowNotifyThreshold   *float64                `json:"balance_low_notify_threshold"`
+	BalanceLowNotifyRechargeURL *string                 `json:"balance_low_notify_recharge_url"`
+	AccountQuotaNotifyEnabled   *bool                   `json:"account_quota_notify_enabled"`
+	AccountQuotaNotifyEmails    *[]dto.NotifyEmailEntry `json:"account_quota_notify_emails"`
 
 	// Payment configuration (integrated into settings, full replace)
 	PaymentEnabled           *bool    `json:"payment_enabled"`
diff --git a/backend/internal/handler/dto/settings.go b/backend/internal/handler/dto/settings.go
index d218490a..ef285a44 100644
--- a/backend/internal/handler/dto/settings.go
+++ b/backend/internal/handler/dto/settings.go
@@ -150,11 +150,11 @@ type SystemSettings struct {
 	PaymentCancelRateLimitMode    string `json:"payment_cancel_rate_limit_window_mode"`
 
 	// Balance low notification
-	BalanceLowNotifyEnabled      bool     `json:"balance_low_notify_enabled"`
-	BalanceLowNotifyThreshold    float64  `json:"balance_low_notify_threshold"`
-	BalanceLowNotifyRechargeURL  string   `json:"balance_low_notify_recharge_url"`
-	AccountQuotaNotifyEnabled    bool     `json:"account_quota_notify_enabled"`
-	AccountQuotaNotifyEmails  []NotifyEmailEntry `json:"account_quota_notify_emails"`
+	BalanceLowNotifyEnabled     bool               `json:"balance_low_notify_enabled"`
+	BalanceLowNotifyThreshold   float64            `json:"balance_low_notify_threshold"`
+	BalanceLowNotifyRechargeURL string             `json:"balance_low_notify_recharge_url"`
+	AccountQuotaNotifyEnabled   bool               `json:"account_quota_notify_enabled"`
+	AccountQuotaNotifyEmails    []NotifyEmailEntry `json:"account_quota_notify_emails"`
 }
 
 type DefaultSubscriptionSetting struct {
diff --git a/backend/internal/handler/dto/types.go b/backend/internal/handler/dto/types.go
index afb782b0..1aab1dbb 100644
--- a/backend/internal/handler/dto/types.go
+++ b/backend/internal/handler/dto/types.go
@@ -19,11 +19,11 @@ type User struct {
 	UpdatedAt     time.Time `json:"updated_at"`
 
 	// 余额不足通知
-	BalanceNotifyEnabled       bool     `json:"balance_notify_enabled"`
-	BalanceNotifyThresholdType string   `json:"balance_notify_threshold_type"`
-	BalanceNotifyThreshold     *float64 `json:"balance_notify_threshold"`
+	BalanceNotifyEnabled       bool               `json:"balance_notify_enabled"`
+	BalanceNotifyThresholdType string             `json:"balance_notify_threshold_type"`
+	BalanceNotifyThreshold     *float64           `json:"balance_notify_threshold"`
 	BalanceNotifyExtraEmails   []NotifyEmailEntry `json:"balance_notify_extra_emails"`
-	TotalRecharged             float64  `json:"total_recharged"`
+	TotalRecharged             float64            `json:"total_recharged"`
 
 	APIKeys       []APIKey           `json:"api_keys,omitempty"`
 	Subscriptions []UserSubscription `json:"subscriptions,omitempty"`
diff --git a/backend/internal/payment/load_balancer_test.go b/backend/internal/payment/load_balancer_test.go
index 568b56a3..04b3c25b 100644
--- a/backend/internal/payment/load_balancer_test.go
+++ b/backend/internal/payment/load_balancer_test.go
@@ -242,7 +242,7 @@ func TestFilterByLimits(t *testing.T) {
 			wantIDs:     nil,
 		},
 		{
-			name: "empty candidates returns empty",
+			name:        "empty candidates returns empty",
 			candidates:  nil,
 			paymentType: "alipay",
 			orderAmount: 10,
diff --git a/backend/internal/payment/provider/alipay_test.go b/backend/internal/payment/provider/alipay_test.go
index 1b9d66ba..7b0ce0d8 100644
--- a/backend/internal/payment/provider/alipay_test.go
+++ b/backend/internal/payment/provider/alipay_test.go
@@ -98,9 +98,9 @@ func TestNewAlipay(t *testing.T) {
 			errSubstr: "privateKey",
 		},
 		{
-			name:    "nil config map returns error for appId",
-			config:  map[string]string{},
-			wantErr: true,
+			name:      "nil config map returns error for appId",
+			config:    map[string]string{},
+			wantErr:   true,
 			errSubstr: "appId",
 		},
 	}
diff --git a/backend/internal/service/account.go b/backend/internal/service/account.go
index cacfb240..52db3073 100644
--- a/backend/internal/service/account.go
+++ b/backend/internal/service/account.go
@@ -1533,39 +1533,48 @@ func (a *Account) QuotaNotifyConfig(dim string) (enabled bool, threshold float64
 }
 
 func (a *Account) GetQuotaNotifyDailyEnabled() bool {
-	e, _, _ := a.QuotaNotifyConfig(quotaDimDaily); return e
+	e, _, _ := a.QuotaNotifyConfig(quotaDimDaily)
+	return e
 }
 
 func (a *Account) GetQuotaNotifyDailyThreshold() float64 {
-	_, t, _ := a.QuotaNotifyConfig(quotaDimDaily); return t
+	_, t, _ := a.QuotaNotifyConfig(quotaDimDaily)
+	return t
 }
 
 func (a *Account) GetQuotaNotifyDailyThresholdType() string {
-	_, _, tt := a.QuotaNotifyConfig(quotaDimDaily); return tt
+	_, _, tt := a.QuotaNotifyConfig(quotaDimDaily)
+	return tt
 }
 
 func (a *Account) GetQuotaNotifyWeeklyEnabled() bool {
-	e, _, _ := a.QuotaNotifyConfig(quotaDimWeekly); return e
+	e, _, _ := a.QuotaNotifyConfig(quotaDimWeekly)
+	return e
 }
 
 func (a *Account) GetQuotaNotifyWeeklyThreshold() float64 {
-	_, t, _ := a.QuotaNotifyConfig(quotaDimWeekly); return t
+	_, t, _ := a.QuotaNotifyConfig(quotaDimWeekly)
+	return t
 }
 
 func (a *Account) GetQuotaNotifyWeeklyThresholdType() string {
-	_, _, tt := a.QuotaNotifyConfig(quotaDimWeekly); return tt
+	_, _, tt := a.QuotaNotifyConfig(quotaDimWeekly)
+	return tt
 }
 
 func (a *Account) GetQuotaNotifyTotalEnabled() bool {
-	e, _, _ := a.QuotaNotifyConfig(quotaDimTotal); return e
+	e, _, _ := a.QuotaNotifyConfig(quotaDimTotal)
+	return e
 }
 
 func (a *Account) GetQuotaNotifyTotalThreshold() float64 {
-	_, t, _ := a.QuotaNotifyConfig(quotaDimTotal); return t
+	_, t, _ := a.QuotaNotifyConfig(quotaDimTotal)
+	return t
 }
 
 func (a *Account) GetQuotaNotifyTotalThresholdType() string {
-	_, _, tt := a.QuotaNotifyConfig(quotaDimTotal); return tt
+	_, _, tt := a.QuotaNotifyConfig(quotaDimTotal)
+	return tt
 }
 
 // nextFixedDailyReset 计算在 after 之后的下一个每日固定重置时间点
diff --git a/backend/internal/service/balance_notify_email_body_test.go b/backend/internal/service/balance_notify_email_body_test.go
index 9baf164e..aee5a5bc 100644
--- a/backend/internal/service/balance_notify_email_body_test.go
+++ b/backend/internal/service/balance_notify_email_body_test.go
@@ -65,15 +65,15 @@ func TestBuildBalanceLowEmailBody_NoRechargeURLOmitsButton(t *testing.T) {
 func TestBuildQuotaAlertEmailBody_AllFieldsPresent(t *testing.T) {
 	s := &BalanceNotifyService{}
 	body := s.buildQuotaAlertEmailBody(
-		42,                      // accountID
-		"acc-foo",               // accountName
-		"anthropic",             // platform
-		"日限额 / Daily",          // dimLabel
-		750.50,                  // used
-		1000.0,                  // limit
-		249.50,                  // remaining
-		"$249.50",               // thresholdDisplay
-		"MySite",                // siteName
+		42,            // accountID
+		"acc-foo",     // accountName
+		"anthropic",   // platform
+		"日限额 / Daily", // dimLabel
+		750.50,        // used
+		1000.0,        // limit
+		249.50,        // remaining
+		"$249.50",     // thresholdDisplay
+		"MySite",      // siteName
 	)
 
 	require.Contains(t, body, "MySite")
diff --git a/backend/internal/service/domain_constants.go b/backend/internal/service/domain_constants.go
index 896ba59f..bdced29a 100644
--- a/backend/internal/service/domain_constants.go
+++ b/backend/internal/service/domain_constants.go
@@ -251,8 +251,8 @@ const (
 	SettingKeyEnableCCHSigning = "enable_cch_signing"
 
 	// Balance Low Notification
-	SettingKeyBalanceLowNotifyEnabled    = "balance_low_notify_enabled"    // 全局开关
-	SettingKeyBalanceLowNotifyThreshold  = "balance_low_notify_threshold"  // 默认阈值（USD）
+	SettingKeyBalanceLowNotifyEnabled     = "balance_low_notify_enabled"      // 全局开关
+	SettingKeyBalanceLowNotifyThreshold   = "balance_low_notify_threshold"    // 默认阈值（USD）
 	SettingKeyBalanceLowNotifyRechargeURL = "balance_low_notify_recharge_url" // 充值页面 URL
 
 	// Account Quota Notification
diff --git a/backend/internal/service/payment_config_plans_validation_test.go b/backend/internal/service/payment_config_plans_validation_test.go
index efdbdb10..bcbe901f 100644
--- a/backend/internal/service/payment_config_plans_validation_test.go
+++ b/backend/internal/service/payment_config_plans_validation_test.go
@@ -131,9 +131,9 @@ func TestValidatePlanPatch_NilOriginalPrice(t *testing.T) {
 
 // --- validatePlanPatch: other fields ---
 
-func ptrStr(s string) *string    { return &s }
-func ptrInt(i int) *int          { return &i }
-func ptrInt64(i int64) *int64    { return &i }
+func ptrStr(s string) *string     { return &s }
+func ptrInt(i int) *int           { return &i }
+func ptrInt64(i int64) *int64     { return &i }
 func ptrFloat(f float64) *float64 { return &f }
 
 func TestValidatePlanPatch_EmptyName(t *testing.T) {
diff --git a/backend/internal/service/payment_config_providers.go b/backend/internal/service/payment_config_providers.go
index 10181914..0c71ab29 100644
--- a/backend/internal/service/payment_config_providers.go
+++ b/backend/internal/service/payment_config_providers.go
@@ -22,16 +22,17 @@ func (s *PaymentConfigService) ListProviderInstances(ctx context.Context) ([]*db
 
 // ProviderInstanceResponse is the API response for a provider instance.
 type ProviderInstanceResponse struct {
-	ID             int64             `json:"id"`
-	ProviderKey    string            `json:"provider_key"`
-	Name           string            `json:"name"`
-	Config         map[string]string `json:"config"`
-	SupportedTypes []string          `json:"supported_types"`
-	Limits         string            `json:"limits"`
-	Enabled        bool              `json:"enabled"`
-	RefundEnabled  bool              `json:"refund_enabled"`
-	SortOrder      int               `json:"sort_order"`
-	PaymentMode    string            `json:"payment_mode"`
+	ID              int64             `json:"id"`
+	ProviderKey     string            `json:"provider_key"`
+	Name            string            `json:"name"`
+	Config          map[string]string `json:"config"`
+	SupportedTypes  []string          `json:"supported_types"`
+	Limits          string            `json:"limits"`
+	Enabled         bool              `json:"enabled"`
+	RefundEnabled   bool              `json:"refund_enabled"`
+	AllowUserRefund bool              `json:"allow_user_refund"`
+	SortOrder       int               `json:"sort_order"`
+	PaymentMode     string            `json:"payment_mode"`
 }
 
 // ListProviderInstancesWithConfig returns provider instances with decrypted config.
@@ -46,8 +47,8 @@ func (s *PaymentConfigService) ListProviderInstancesWithConfig(ctx context.Conte
 		resp := ProviderInstanceResponse{
 			ID: int64(inst.ID), ProviderKey: inst.ProviderKey, Name: inst.Name,
 			SupportedTypes: splitTypes(inst.SupportedTypes), Limits: inst.Limits,
-			Enabled: inst.Enabled, RefundEnabled: inst.RefundEnabled, SortOrder: inst.SortOrder,
-			PaymentMode: inst.PaymentMode,
+			Enabled: inst.Enabled, RefundEnabled: inst.RefundEnabled, AllowUserRefund: inst.AllowUserRefund,
+			SortOrder: inst.SortOrder, PaymentMode: inst.PaymentMode,
 		}
 		resp.Config, err = s.decryptAndMaskConfig(inst.Config)
 		if err != nil {
@@ -110,10 +111,12 @@ func (s *PaymentConfigService) CreateProviderInstance(ctx context.Context, req C
 	if err != nil {
 		return nil, err
 	}
+	allowUserRefund := req.AllowUserRefund && req.RefundEnabled
 	return s.entClient.PaymentProviderInstance.Create().
 		SetProviderKey(req.ProviderKey).SetName(req.Name).SetConfig(enc).
 		SetSupportedTypes(typesStr).SetEnabled(req.Enabled).SetPaymentMode(req.PaymentMode).
 		SetSortOrder(req.SortOrder).SetLimits(req.Limits).SetRefundEnabled(req.RefundEnabled).
+		SetAllowUserRefund(allowUserRefund).
 		Save(ctx)
 }
 
@@ -221,6 +224,21 @@ func (s *PaymentConfigService) UpdateProviderInstance(ctx context.Context, id in
 	}
 	if req.RefundEnabled != nil {
 		u.SetRefundEnabled(*req.RefundEnabled)
+		// Cascade: turning off refund_enabled also disables allow_user_refund
+		if !*req.RefundEnabled {
+			u.SetAllowUserRefund(false)
+		}
+	}
+	if req.AllowUserRefund != nil {
+		// Only allow enabling when refund_enabled is true
+		if *req.AllowUserRefund {
+			inst, err := s.entClient.PaymentProviderInstance.Get(ctx, id)
+			if err == nil && inst.RefundEnabled {
+				u.SetAllowUserRefund(true)
+			}
+		} else {
+			u.SetAllowUserRefund(false)
+		}
 	}
 	if req.PaymentMode != nil {
 		u.SetPaymentMode(*req.PaymentMode)
@@ -228,6 +246,23 @@ func (s *PaymentConfigService) UpdateProviderInstance(ctx context.Context, id in
 	return u.Save(ctx)
 }
 
+// GetUserRefundEligibleInstanceIDs returns provider instance IDs that allow user refund.
+func (s *PaymentConfigService) GetUserRefundEligibleInstanceIDs(ctx context.Context) ([]string, error) {
+	instances, err := s.entClient.PaymentProviderInstance.Query().
+		Where(
+			paymentproviderinstance.AllowUserRefundEQ(true),
+			paymentproviderinstance.RefundEnabledEQ(true),
+		).Select(paymentproviderinstance.FieldID).All(ctx)
+	if err != nil {
+		return nil, err
+	}
+	ids := make([]string, 0, len(instances))
+	for _, inst := range instances {
+		ids = append(ids, strconv.FormatInt(int64(inst.ID), 10))
+	}
+	return ids, nil
+}
+
 func (s *PaymentConfigService) mergeConfig(ctx context.Context, id int64, newConfig map[string]string) (map[string]string, error) {
 	inst, err := s.entClient.PaymentProviderInstance.Get(ctx, id)
 	if err != nil {
diff --git a/backend/internal/service/payment_config_providers_test.go b/backend/internal/service/payment_config_providers_test.go
index e71eb9f5..2aaa874f 100644
--- a/backend/internal/service/payment_config_providers_test.go
+++ b/backend/internal/service/payment_config_providers_test.go
@@ -101,7 +101,7 @@ func TestIsSensitiveConfigField(t *testing.T) {
 	t.Parallel()
 
 	tests := []struct {
-		field    string
+		field   string
 		wantSen bool
 	}{
 		// Sensitive fields (contain key/secret/private/password/pkey patterns)
diff --git a/backend/internal/service/payment_config_service.go b/backend/internal/service/payment_config_service.go
index 9042c3ab..cce31f4d 100644
--- a/backend/internal/service/payment_config_service.go
+++ b/backend/internal/service/payment_config_service.go
@@ -105,26 +105,28 @@ type MethodLimitsResponse struct {
 }
 
 type CreateProviderInstanceRequest struct {
-	ProviderKey    string            `json:"provider_key"`
-	Name           string            `json:"name"`
-	Config         map[string]string `json:"config"`
-	SupportedTypes []string          `json:"supported_types"`
-	Enabled        bool              `json:"enabled"`
-	PaymentMode    string            `json:"payment_mode"`
-	SortOrder      int               `json:"sort_order"`
-	Limits         string            `json:"limits"`
-	RefundEnabled  bool              `json:"refund_enabled"`
+	ProviderKey     string            `json:"provider_key"`
+	Name            string            `json:"name"`
+	Config          map[string]string `json:"config"`
+	SupportedTypes  []string          `json:"supported_types"`
+	Enabled         bool              `json:"enabled"`
+	PaymentMode     string            `json:"payment_mode"`
+	SortOrder       int               `json:"sort_order"`
+	Limits          string            `json:"limits"`
+	RefundEnabled   bool              `json:"refund_enabled"`
+	AllowUserRefund bool              `json:"allow_user_refund"`
 }
 
 type UpdateProviderInstanceRequest struct {
-	Name           *string           `json:"name"`
-	Config         map[string]string `json:"config"`
-	SupportedTypes []string          `json:"supported_types"`
-	Enabled        *bool             `json:"enabled"`
-	PaymentMode    *string           `json:"payment_mode"`
-	SortOrder      *int              `json:"sort_order"`
-	Limits         *string           `json:"limits"`
-	RefundEnabled  *bool             `json:"refund_enabled"`
+	Name            *string           `json:"name"`
+	Config          map[string]string `json:"config"`
+	SupportedTypes  []string          `json:"supported_types"`
+	Enabled         *bool             `json:"enabled"`
+	PaymentMode     *string           `json:"payment_mode"`
+	SortOrder       *int              `json:"sort_order"`
+	Limits          *string           `json:"limits"`
+	RefundEnabled   *bool             `json:"refund_enabled"`
+	AllowUserRefund *bool             `json:"allow_user_refund"`
 }
 type CreatePlanRequest struct {
 	GroupID       int64    `json:"group_id"`
diff --git a/backend/internal/service/setting_service_public_test.go b/backend/internal/service/setting_service_public_test.go
index 6dfa627c..5cf1e860 100644
--- a/backend/internal/service/setting_service_public_test.go
+++ b/backend/internal/service/setting_service_public_test.go
@@ -66,7 +66,7 @@ func TestSettingService_GetPublicSettings_ExposesRegistrationEmailSuffixWhitelis
 func TestSettingService_GetPublicSettings_ExposesTablePreferences(t *testing.T) {
 	repo := &settingPublicRepoStub{
 		values: map[string]string{
-			SettingKeyTableDefaultPageSize:  "50",
+			SettingKeyTableDefaultPageSize: "50",
 			SettingKeyTablePageSizeOptions: "[20,50,100]",
 		},
 	}
diff --git a/backend/internal/service/setting_service_update_test.go b/backend/internal/service/setting_service_update_test.go
index 28c7ad02..e62218b4 100644
--- a/backend/internal/service/setting_service_update_test.go
+++ b/backend/internal/service/setting_service_update_test.go
@@ -208,7 +208,7 @@ func TestSettingService_UpdateSettings_TablePreferences(t *testing.T) {
 	svc := NewSettingService(repo, &config.Config{})
 
 	err := svc.UpdateSettings(context.Background(), &SystemSettings{
-		TableDefaultPageSize:  50,
+		TableDefaultPageSize: 50,
 		TablePageSizeOptions: []int{20, 50, 100},
 	})
 	require.NoError(t, err)
@@ -216,7 +216,7 @@ func TestSettingService_UpdateSettings_TablePreferences(t *testing.T) {
 	require.Equal(t, "[20,50,100]", repo.updates[SettingKeyTablePageSizeOptions])
 
 	err = svc.UpdateSettings(context.Background(), &SystemSettings{
-		TableDefaultPageSize:  1000,
+		TableDefaultPageSize: 1000,
 		TablePageSizeOptions: []int{20, 100},
 	})
 	require.NoError(t, err)
diff --git a/backend/internal/service/settings_view.go b/backend/internal/service/settings_view.go
index 57f3746a..ec20fe0a 100644
--- a/backend/internal/service/settings_view.go
+++ b/backend/internal/service/settings_view.go
@@ -108,8 +108,8 @@ type SystemSettings struct {
 	EnableCCHSigning             bool // 是否对 billing header cch 进行签名（默认 false）
 
 	// Balance low notification
-	BalanceLowNotifyEnabled    bool
-	BalanceLowNotifyThreshold  float64
+	BalanceLowNotifyEnabled     bool
+	BalanceLowNotifyThreshold   float64
 	BalanceLowNotifyRechargeURL string
 
 	// Account quota notification
@@ -155,10 +155,10 @@ type PublicSettings struct {
 	OIDCOAuthProviderName string
 	Version               string
 
-	BalanceLowNotifyEnabled          bool
-	AccountQuotaNotifyEnabled        bool
-	BalanceLowNotifyThreshold        float64
-	BalanceLowNotifyRechargeURL      string
+	BalanceLowNotifyEnabled     bool
+	AccountQuotaNotifyEnabled   bool
+	BalanceLowNotifyThreshold   float64
+	BalanceLowNotifyRechargeURL string
 }
 
 // StreamTimeoutSettings 流超时处理配置（仅控制超时后的处理方式，超时判定由网关配置控制）
diff --git a/backend/internal/service/usage_billing.go b/backend/internal/service/usage_billing.go
index 73b05743..30495624 100644
--- a/backend/internal/service/usage_billing.go
+++ b/backend/internal/service/usage_billing.go
@@ -100,9 +100,22 @@ func valueOrZero(v *int64) int64 {
 	return *v
 }
 
+// AccountQuotaState holds the post-increment quota state returned by the DB transaction.
+// All values are post-update (i.e., already include the increment).
+type AccountQuotaState struct {
+	TotalUsed   float64
+	TotalLimit  float64
+	DailyUsed   float64
+	DailyLimit  float64
+	WeeklyUsed  float64
+	WeeklyLimit float64
+}
+
 type UsageBillingApplyResult struct {
 	Applied              bool
 	APIKeyQuotaExhausted bool
+	NewBalance           *float64           // post-deduction balance (nil = no balance deduction)
+	QuotaState           *AccountQuotaState // post-increment quota state (nil = no quota increment)
 }
 
 type UsageBillingRepository interface {
diff --git a/backend/internal/service/user.go b/backend/internal/service/user.go
index d3d8c954..59f8aa6b 100644
--- a/backend/internal/service/user.go
+++ b/backend/internal/service/user.go
@@ -32,7 +32,7 @@ type User struct {
 
 	// 余额不足通知
 	BalanceNotifyEnabled       bool
-	BalanceNotifyThresholdType string   // "fixed" (default) | "percentage"
+	BalanceNotifyThresholdType string // "fixed" (default) | "percentage"
 	BalanceNotifyThreshold     *float64
 	BalanceNotifyExtraEmails   []NotifyEmailEntry
 	TotalRecharged             float64
diff --git a/backend/internal/service/user_service.go b/backend/internal/service/user_service.go
index a7724a5a..3490e804 100644
--- a/backend/internal/service/user_service.go
+++ b/backend/internal/service/user_service.go
@@ -13,9 +13,9 @@ import (
 )
 
 var (
-	ErrUserNotFound           = infraerrors.NotFound("USER_NOT_FOUND", "user not found")
-	ErrPasswordIncorrect      = infraerrors.BadRequest("PASSWORD_INCORRECT", "current password is incorrect")
-	ErrInsufficientPerms      = infraerrors.Forbidden("INSUFFICIENT_PERMISSIONS", "insufficient permissions")
+	ErrUserNotFound            = infraerrors.NotFound("USER_NOT_FOUND", "user not found")
+	ErrPasswordIncorrect       = infraerrors.BadRequest("PASSWORD_INCORRECT", "current password is incorrect")
+	ErrInsufficientPerms       = infraerrors.Forbidden("INSUFFICIENT_PERMISSIONS", "insufficient permissions")
 	ErrNotifyCodeUserRateLimit = infraerrors.TooManyRequests("NOTIFY_CODE_USER_RATE_LIMIT", "too many verification codes requested, please try again later")
 )
 

From 7c7292935e8cefb4f2a2ebbf732bd923cb55c8e7 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Tue, 14 Apr 2026 08:03:27 +0800
Subject: [PATCH 083/122] feat: websearch quota enhancements and balance notify
 hint
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- QuotaLimit changed to *int64 (null=unlimited, >0=limited)
- Add reset-usage endpoint (POST /admin/settings/web-search-emulation/reset-usage)
- Show quota usage in header always (collapsed and expanded)
- Add reset quota button in expanded provider view
- Quota input: empty=unlimited with ∞ placeholder, must be >0 if set
- Add email verification hint on balance notify card
---
 backend/cmd/server/VERSION                    |  2 +-
 .../internal/handler/admin/setting_handler.go | 23 +++++++++-
 backend/internal/pkg/websearch/manager.go     |  9 ++++
 backend/internal/server/http.go               |  9 +++-
 backend/internal/server/routes/admin.go       |  1 +
 backend/internal/service/websearch_config.go  | 15 +++++--
 .../internal/service/websearch_config_test.go | 18 ++++----
 frontend/src/api/admin/settings.ts            | 11 ++++-
 .../user/profile/ProfileBalanceNotifyCard.vue |  1 +
 frontend/src/i18n/locales/en.ts               |  9 +++-
 frontend/src/i18n/locales/zh.ts               |  9 +++-
 frontend/src/views/admin/SettingsView.vue     | 42 +++++++++++++++----
 12 files changed, 121 insertions(+), 28 deletions(-)

diff --git a/backend/cmd/server/VERSION b/backend/cmd/server/VERSION
index 5657b5e3..630554d9 100644
--- a/backend/cmd/server/VERSION
+++ b/backend/cmd/server/VERSION
@@ -1 +1 @@
-0.1.112.3
+0.1.112.4
diff --git a/backend/internal/handler/admin/setting_handler.go b/backend/internal/handler/admin/setting_handler.go
index b50cad96..9b49150c 100644
--- a/backend/internal/handler/admin/setting_handler.go
+++ b/backend/internal/handler/admin/setting_handler.go
@@ -1962,7 +1962,28 @@ func (h *SettingHandler) UpdateWebSearchEmulationConfig(c *gin.Context) {
 		response.ErrorFrom(c, err)
 		return
 	}
-	response.Success(c, service.SanitizeWebSearchConfig(c.Request.Context(), updated))
+	response.Success(c, service.PopulateWebSearchUsage(c.Request.Context(), updated))
+}
+
+// ResetWebSearchUsage 重置指定 provider 的配额用量
+// POST /api/v1/admin/settings/web-search-emulation/reset-usage
+func (h *SettingHandler) ResetWebSearchUsage(c *gin.Context) {
+	var req struct {
+		ProviderType string `json:"provider_type"`
+	}
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+	if req.ProviderType == "" {
+		response.BadRequest(c, "provider_type is required")
+		return
+	}
+	if err := service.ResetWebSearchUsage(c.Request.Context(), req.ProviderType); err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+	response.Success(c, nil)
 }
 
 // TestWebSearchEmulation 测试 Web Search 搜索
diff --git a/backend/internal/pkg/websearch/manager.go b/backend/internal/pkg/websearch/manager.go
index 61faa616..307aa1e9 100644
--- a/backend/internal/pkg/websearch/manager.go
+++ b/backend/internal/pkg/websearch/manager.go
@@ -447,6 +447,15 @@ func (m *Manager) GetAllUsage(ctx context.Context) map[string]int64 {
 	return result
 }
 
+// ResetUsage deletes the Redis quota key for the given provider, resetting usage to 0.
+func (m *Manager) ResetUsage(ctx context.Context, providerType string) error {
+	if m.redis == nil {
+		return nil
+	}
+	key := quotaRedisKey(providerType)
+	return m.redis.Del(ctx, key).Err()
+}
+
 // --- Provider factory ---
 
 func (m *Manager) buildProvider(cfg ProviderConfig, client *http.Client) Provider {
diff --git a/backend/internal/server/http.go b/backend/internal/server/http.go
index d203bab2..023e40bb 100644
--- a/backend/internal/server/http.go
+++ b/backend/internal/server/http.go
@@ -73,7 +73,7 @@ func ProvideRouter(
 			pc := websearch.ProviderConfig{
 				Type:       p.Type,
 				APIKey:     p.APIKey,
-				QuotaLimit: p.QuotaLimit,
+				QuotaLimit: derefInt64(p.QuotaLimit),
 				ExpiresAt:  p.ExpiresAt,
 			}
 			if p.SubscribedAt != nil {
@@ -141,3 +141,10 @@ func ProvideHTTPServer(cfg *config.Config, router *gin.Engine) *http.Server {
 		// 不设置 ReadTimeout，因为大请求体可能需要较长时间读取
 	}
 }
+
+func derefInt64(p *int64) int64 {
+	if p == nil {
+		return 0
+	}
+	return *p
+}
diff --git a/backend/internal/server/routes/admin.go b/backend/internal/server/routes/admin.go
index 0a7b7a8b..9af0fd8e 100644
--- a/backend/internal/server/routes/admin.go
+++ b/backend/internal/server/routes/admin.go
@@ -411,6 +411,7 @@ func registerSettingsRoutes(admin *gin.RouterGroup, h *handler.Handlers) {
 		adminSettings.GET("/web-search-emulation", h.Admin.Setting.GetWebSearchEmulationConfig)
 		adminSettings.PUT("/web-search-emulation", h.Admin.Setting.UpdateWebSearchEmulationConfig)
 		adminSettings.POST("/web-search-emulation/test", h.Admin.Setting.TestWebSearchEmulation)
+		adminSettings.POST("/web-search-emulation/reset-usage", h.Admin.Setting.ResetWebSearchUsage)
 	}
 }
 
diff --git a/backend/internal/service/websearch_config.go b/backend/internal/service/websearch_config.go
index 239e882a..f528a35b 100644
--- a/backend/internal/service/websearch_config.go
+++ b/backend/internal/service/websearch_config.go
@@ -24,7 +24,7 @@ type WebSearchProviderConfig struct {
 	Type             string `json:"type"`                    // websearch.ProviderTypeBrave | Tavily
 	APIKey           string `json:"api_key,omitempty"`       // secret — omitted in API responses
 	APIKeyConfigured bool   `json:"api_key_configured"`      // read-only mask
-	QuotaLimit       int64  `json:"quota_limit"`             // 0 = unlimited
+	QuotaLimit       *int64 `json:"quota_limit"`             // nil = unlimited, >0 = limited
 	SubscribedAt     *int64 `json:"subscribed_at,omitempty"` // subscription start (unix seconds); quota resets monthly
 	QuotaUsed        int64  `json:"quota_used,omitempty"`    // read-only: current usage from Redis
 	ProxyID          *int64 `json:"proxy_id"`                // optional proxy association
@@ -52,8 +52,8 @@ func validateWebSearchConfig(cfg *WebSearchEmulationConfig) error {
 		if !validProviderTypes[p.Type] {
 			return fmt.Errorf("provider[%d]: invalid type %q", i, p.Type)
 		}
-		if p.QuotaLimit < 0 {
-			return fmt.Errorf("provider[%d]: quota_limit must be >= 0", i)
+		if p.QuotaLimit != nil && *p.QuotaLimit < 0 {
+			return fmt.Errorf("provider[%d]: quota_limit must be > 0 or null", i)
 		}
 		if seen[p.Type] {
 			return fmt.Errorf("provider[%d]: duplicate type %q", i, p.Type)
@@ -299,6 +299,15 @@ func PopulateWebSearchUsage(ctx context.Context, cfg *WebSearchEmulationConfig)
 	return &out
 }
 
+// ResetWebSearchUsage deletes the Redis quota key for the given provider type.
+func ResetWebSearchUsage(ctx context.Context, providerType string) error {
+	mgr := getWebSearchManager()
+	if mgr == nil {
+		return fmt.Errorf("web search manager not initialized")
+	}
+	return mgr.ResetUsage(ctx, providerType)
+}
+
 // SanitizeWebSearchConfig returns a copy with api_key fields masked and quota usage populated.
 func SanitizeWebSearchConfig(ctx context.Context, cfg *WebSearchEmulationConfig) *WebSearchEmulationConfig {
 	if cfg == nil {
diff --git a/backend/internal/service/websearch_config_test.go b/backend/internal/service/websearch_config_test.go
index 4aea98b7..8cd50d0d 100644
--- a/backend/internal/service/websearch_config_test.go
+++ b/backend/internal/service/websearch_config_test.go
@@ -17,8 +17,8 @@ func TestValidateWebSearchConfig_Valid(t *testing.T) {
 	cfg := &WebSearchEmulationConfig{
 		Enabled: true,
 		Providers: []WebSearchProviderConfig{
-			{Type: "brave", QuotaLimit: 1000},
-			{Type: "tavily", QuotaLimit: 500},
+			{Type: "brave", QuotaLimit: int64Ptr(1000)},
+			{Type: "tavily", QuotaLimit: int64Ptr(500)},
 		},
 	}
 	require.NoError(t, validateWebSearchConfig(cfg))
@@ -42,9 +42,9 @@ func TestValidateWebSearchConfig_InvalidType(t *testing.T) {
 
 func TestValidateWebSearchConfig_NegativeQuotaLimit(t *testing.T) {
 	cfg := &WebSearchEmulationConfig{
-		Providers: []WebSearchProviderConfig{{Type: "brave", QuotaLimit: -1}},
+		Providers: []WebSearchProviderConfig{{Type: "brave", QuotaLimit: int64Ptr(-1)}},
 	}
-	require.ErrorContains(t, validateWebSearchConfig(cfg), "quota_limit must be >= 0")
+	require.ErrorContains(t, validateWebSearchConfig(cfg), "quota_limit must be > 0 or null")
 }
 
 func TestValidateWebSearchConfig_DuplicateType(t *testing.T) {
@@ -57,9 +57,9 @@ func TestValidateWebSearchConfig_DuplicateType(t *testing.T) {
 	require.ErrorContains(t, validateWebSearchConfig(cfg), "duplicate type")
 }
 
-func TestValidateWebSearchConfig_ZeroQuotaLimit(t *testing.T) {
+func TestValidateWebSearchConfig_NilQuotaLimit(t *testing.T) {
 	cfg := &WebSearchEmulationConfig{
-		Providers: []WebSearchProviderConfig{{Type: "brave", QuotaLimit: 0}},
+		Providers: []WebSearchProviderConfig{{Type: "brave", QuotaLimit: nil}},
 	}
 	require.NoError(t, validateWebSearchConfig(cfg))
 }
@@ -92,7 +92,7 @@ func TestParseWebSearchConfigJSON_BackwardCompatibility(t *testing.T) {
 	cfg := parseWebSearchConfigJSON(raw)
 	require.True(t, cfg.Enabled)
 	require.Len(t, cfg.Providers, 1)
-	require.Equal(t, int64(1000), cfg.Providers[0].QuotaLimit)
+	require.Equal(t, int64(1000), *cfg.Providers[0].QuotaLimit)
 }
 
 // --- SanitizeWebSearchConfig ---
@@ -126,12 +126,12 @@ func TestSanitizeWebSearchConfig_PreservesOtherFields(t *testing.T) {
 	cfg := &WebSearchEmulationConfig{
 		Enabled: true,
 		Providers: []WebSearchProviderConfig{
-			{Type: "brave", APIKey: "secret", QuotaLimit: 1000},
+			{Type: "brave", APIKey: "secret", QuotaLimit: int64Ptr(1000)},
 		},
 	}
 	out := SanitizeWebSearchConfig(context.Background(), cfg)
 	require.True(t, out.Enabled)
-	require.Equal(t, int64(1000), out.Providers[0].QuotaLimit)
+	require.Equal(t, int64(1000), *out.Providers[0].QuotaLimit)
 }
 
 func TestSanitizeWebSearchConfig_DoesNotMutateOriginal(t *testing.T) {
diff --git a/frontend/src/api/admin/settings.ts b/frontend/src/api/admin/settings.ts
index 4b5eb242..aa1d0f82 100644
--- a/frontend/src/api/admin/settings.ts
+++ b/frontend/src/api/admin/settings.ts
@@ -502,7 +502,7 @@ export interface WebSearchProviderConfig {
   type: 'brave' | 'tavily'
   api_key: string
   api_key_configured: boolean
-  quota_limit: number
+  quota_limit: number | null
   subscribed_at: number | null
   quota_used?: number
   proxy_id: number | null
@@ -547,6 +547,12 @@ export async function testWebSearchEmulation(
   return data
 }
 
+export async function resetWebSearchUsage(
+  payload: { provider_type: string }
+): Promise<void> {
+  await apiClient.post('/admin/settings/web-search-emulation/reset-usage', payload)
+}
+
 export const settingsAPI = {
   getSettings,
   updateSettings,
@@ -565,7 +571,8 @@ export const settingsAPI = {
   updateBetaPolicySettings,
   getWebSearchEmulationConfig,
   updateWebSearchEmulationConfig,
-  testWebSearchEmulation
+  testWebSearchEmulation,
+  resetWebSearchUsage
 }
 
 export default settingsAPI
diff --git a/frontend/src/components/user/profile/ProfileBalanceNotifyCard.vue b/frontend/src/components/user/profile/ProfileBalanceNotifyCard.vue
index 3a84fd6b..c4d04153 100644
--- a/frontend/src/components/user/profile/ProfileBalanceNotifyCard.vue
+++ b/frontend/src/components/user/profile/ProfileBalanceNotifyCard.vue
@@ -48,6 +48,7 @@
         <!-- Email list with toggles -->
         <div>
           <label class="input-label">{{ t('profile.balanceNotify.extraEmails') }}</label>
+          <p class="mb-2 text-xs text-yellow-600 dark:text-yellow-400">{{ t('profile.balanceNotify.extraEmailsHint') }}</p>
 
           <!-- Saved email entries -->
           <div v-if="emailEntries.length > 0" class="space-y-2 mb-3">
diff --git a/frontend/src/i18n/locales/en.ts b/frontend/src/i18n/locales/en.ts
index c8acf6c0..9baddc43 100644
--- a/frontend/src/i18n/locales/en.ts
+++ b/frontend/src/i18n/locales/en.ts
@@ -914,6 +914,7 @@ export default {
       thresholdPlaceholder: 'Enter amount',
       systemDefault: 'System Default',
       extraEmails: 'Notification Emails',
+      extraEmailsHint: 'You must add and verify an email address to receive low balance alerts',
       primaryEmail: 'Primary',
       noExtraEmails: 'No extra notification emails',
       enterEmail: 'Enter email address',
@@ -4435,10 +4436,14 @@ export default {
         copyApiKey: 'Copy',
         copied: 'Copied',
         quotaLimit: 'Quota Limit',
-        quotaLimitHint: '0 = unlimited',
+        quotaLimitHint: 'Leave empty for unlimited; must be > 0 if set',
+        quotaLimitMustBePositive: 'Quota limit must be greater than 0',
         subscribedAt: 'Subscribed At',
-        subscribedAtHint: 'Quota resets monthly from this date',
+        subscribedAtHint: 'Quota resets monthly from this date; leave empty to disable auto-reset',
         quotaUsage: 'Usage',
+        resetUsage: 'Reset',
+        resetUsageConfirm: 'Reset usage counter for this provider?',
+        resetUsageSuccess: 'Usage counter reset',
         proxy: 'Proxy',
         removeProvider: 'Remove',
         noProviders: 'No search providers configured',
diff --git a/frontend/src/i18n/locales/zh.ts b/frontend/src/i18n/locales/zh.ts
index 499ed9cb..af8da265 100644
--- a/frontend/src/i18n/locales/zh.ts
+++ b/frontend/src/i18n/locales/zh.ts
@@ -918,6 +918,7 @@ export default {
       thresholdPlaceholder: '输入金额',
       systemDefault: '系统默认值',
       extraEmails: '通知邮箱',
+      extraEmailsHint: '必须添加并验证邮箱后，余额不足时才能收到提醒邮件',
       primaryEmail: '主邮箱',
       noExtraEmails: '暂无额外通知邮箱',
       enterEmail: '输入邮箱地址',
@@ -4597,10 +4598,14 @@ export default {
         copyApiKey: '复制',
         copied: '已复制',
         quotaLimit: '配额上限',
-        quotaLimitHint: '0 表示无限制',
+        quotaLimitHint: '留空表示无限制；填写时必须大于 0',
+        quotaLimitMustBePositive: '配额上限必须大于 0',
         subscribedAt: '订阅时间',
-        subscribedAtHint: '配额从此日期起每月自动重置',
+        subscribedAtHint: '配额从此日期起每月自动重置；留空则不自动重置',
         quotaUsage: '用量',
+        resetUsage: '重置',
+        resetUsageConfirm: '确定要重置此服务商的用量计数吗？',
+        resetUsageSuccess: '用量已重置',
         proxy: '代理',
         removeProvider: '删除',
         noProviders: '未配置搜索服务商',
diff --git a/frontend/src/views/admin/SettingsView.vue b/frontend/src/views/admin/SettingsView.vue
index 12f67187..c57d2033 100644
--- a/frontend/src/views/admin/SettingsView.vue
+++ b/frontend/src/views/admin/SettingsView.vue
@@ -1774,9 +1774,9 @@
                       class="w-36"
                       @click.stop
                     />
-                    <!-- Quota summary in collapsed state -->
-                    <span v-if="!expandedProviders[pIdx]" class="text-xs text-gray-400">
-                      {{ provider.quota_used ?? 0 }} / {{ provider.quota_limit > 0 ? provider.quota_limit : '∞' }}
+                    <!-- Quota summary (always visible) -->
+                    <span class="text-xs text-gray-400">
+                      {{ provider.quota_used ?? 0 }} / {{ provider.quota_limit != null && provider.quota_limit > 0 ? provider.quota_limit : '∞' }}
                     </span>
                     <span v-if="!expandedProviders[pIdx] && provider.api_key_configured" class="text-xs text-green-500">
                       {{ t('admin.settings.webSearchEmulation.apiKeyConfigured') }}
@@ -1835,7 +1835,7 @@
                   <div class="grid grid-cols-2 gap-3">
                     <div>
                       <label class="text-xs text-gray-500">{{ t('admin.settings.webSearchEmulation.quotaLimit') }}</label>
-                      <input v-model.number="provider.quota_limit" type="number" min="0" class="input text-sm" />
+                      <input v-model="provider.quota_limit" type="number" min="1" class="input text-sm" :placeholder="'∞'" />
                       <p class="mt-0.5 text-xs text-gray-400">{{ t('admin.settings.webSearchEmulation.quotaLimitHint') }}</p>
                     </div>
                     <div>
@@ -1853,7 +1853,7 @@
                   <!-- Usage display -->
                   <div class="flex items-center gap-2">
                     <span class="text-xs text-gray-500">{{ t('admin.settings.webSearchEmulation.quotaUsage') }}:</span>
-                    <div v-if="provider.quota_limit > 0" class="flex-1 rounded-full bg-gray-200 dark:bg-dark-600" style="height: 6px">
+                    <div v-if="provider.quota_limit != null && provider.quota_limit > 0" class="flex-1 rounded-full bg-gray-200 dark:bg-dark-600" style="height: 6px">
                       <div
                         class="h-full rounded-full transition-all"
                         :class="quotaPercentage(provider) > 90 ? 'bg-red-500' : quotaPercentage(provider) > 70 ? 'bg-yellow-500' : 'bg-green-500'"
@@ -1861,7 +1861,15 @@
                       />
                     </div>
                     <div v-else class="flex-1" />
-                    <span class="text-xs text-gray-500">{{ provider.quota_used ?? 0 }} / {{ provider.quota_limit > 0 ? provider.quota_limit : '∞' }}</span>
+                    <span class="text-xs text-gray-500">{{ provider.quota_used ?? 0 }} / {{ provider.quota_limit != null && provider.quota_limit > 0 ? provider.quota_limit : '∞' }}</span>
+                    <button
+                      v-if="(provider.quota_used ?? 0) > 0"
+                      type="button"
+                      class="text-xs text-primary-600 hover:text-primary-700"
+                      @click="resetWebSearchUsage(pIdx)"
+                    >
+                      {{ t('admin.settings.webSearchEmulation.resetUsage') }}
+                    </button>
                   </div>
 
                   <!-- Proxy + Test on same row -->
@@ -3118,6 +3126,19 @@ function quotaPercentage(provider: WebSearchProviderConfig): number {
   return ((provider.quota_used ?? 0) / provider.quota_limit) * 100
 }
 
+async function resetWebSearchUsage(idx: number) {
+  const provider = webSearchConfig.providers[idx]
+  if (!provider) return
+  if (!confirm(t('admin.settings.webSearchEmulation.resetUsageConfirm'))) return
+  try {
+    await adminAPI.settings.resetWebSearchUsage({ provider_type: provider.type })
+    provider.quota_used = 0
+    appStore.showSuccess(t('admin.settings.webSearchEmulation.resetUsageSuccess'))
+  } catch (err: unknown) {
+    appStore.showError(extractApiErrorMessage(err, t('common.error')))
+  }
+}
+
 async function copyApiKey(idx: number) {
   const key = webSearchConfig.providers[idx]?.api_key
   if (!key) {
@@ -3167,9 +3188,16 @@ async function loadWebSearchConfig() {
 
 async function saveWebSearchConfig(): Promise<boolean> {
   try {
+    for (const p of webSearchConfig.providers) {
+      const raw = p.quota_limit
+      if (raw != null && Number(raw) !== 0 && Number(raw) < 1) {
+        appStore.showError(t('admin.settings.webSearchEmulation.quotaLimitMustBePositive'))
+        return false
+      }
+    }
     const providers = webSearchConfig.providers.map((p: WebSearchProviderConfig) => ({
       ...p,
-      quota_limit: typeof p.quota_limit === 'number' && p.quota_limit > 0 ? p.quota_limit : 0,
+      quota_limit: Number(p.quota_limit) > 0 ? Number(p.quota_limit) : null,
     }))
     await adminAPI.settings.updateWebSearchEmulationConfig({
       enabled: webSearchConfig.enabled,

From 9028d2085f12f5ea30fc94165af21b767e455643 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Tue, 14 Apr 2026 08:42:28 +0800
Subject: [PATCH 084/122] test: add unit tests for billing, websearch, and
 notify systems

Billing (25 tests):
- CalculateCostUnified: nil resolver fallback, token/per_request/image modes
- GetModelPricingWithChannel: nil/partial/full channel overrides
- resolveAccountStatsCost: four-level priority chain integration tests

WebSearch (18 tests):
- PopulateWebSearchUsage: nil input, manager states, QuotaLimit nil/*int64
- ResetWebSearchUsage: nil manager error
- Manager.ResetUsage: nil Redis
- shouldEmulateWebSearch: full decision chain (8 scenarios)

Notify (36 tests):
- ParseNotifyEmails/MarshalNotifyEmails: old/new format, roundtrip
- crossedDownward: boundary values, threshold semantics
- checkQuotaDimCrossings: mixed dimensions, disabled/zero skip
---
 .../internal/pkg/websearch/manager_test.go    |   8 +
 .../service/account_stats_pricing_test.go     | 242 ++++++++++++++++
 .../service/balance_notify_check_test.go      | 224 +++++++++++++++
 .../internal/service/billing_service_test.go  | 120 ++++++++
 .../service/billing_service_unified_test.go   | 258 ++++++++++++++++++
 .../gateway_websearch_emulation_test.go       | 238 ++++++++++++++++
 .../service/notify_email_entry_test.go        | 156 +++++++++++
 .../internal/service/websearch_config_test.go | 123 +++++++++
 8 files changed, 1369 insertions(+)
 create mode 100644 backend/internal/service/billing_service_unified_test.go
 create mode 100644 backend/internal/service/notify_email_entry_test.go

diff --git a/backend/internal/pkg/websearch/manager_test.go b/backend/internal/pkg/websearch/manager_test.go
index a4beef68..cbcf1b76 100644
--- a/backend/internal/pkg/websearch/manager_test.go
+++ b/backend/internal/pkg/websearch/manager_test.go
@@ -313,3 +313,11 @@ func TestNewHTTPClient_ValidSOCKS5Proxy(t *testing.T) {
 	require.NoError(t, err)
 	require.NotNil(t, c)
 }
+
+// --- ResetUsage ---
+
+func TestManager_ResetUsage_NilRedis(t *testing.T) {
+	m := NewManager(nil, nil)
+	err := m.ResetUsage(context.Background(), "brave")
+	require.NoError(t, err)
+}
diff --git a/backend/internal/service/account_stats_pricing_test.go b/backend/internal/service/account_stats_pricing_test.go
index 23409d5e..36e5eb74 100644
--- a/backend/internal/service/account_stats_pricing_test.go
+++ b/backend/internal/service/account_stats_pricing_test.go
@@ -3,7 +3,9 @@
 package service
 
 import (
+	"context"
 	"testing"
+	"time"
 
 	"github.com/stretchr/testify/require"
 )
@@ -527,3 +529,243 @@ func TestTryModelFilePricing_WithCacheTokens(t *testing.T) {
 	// = 0.1 + 0.1 + 0.6 + 0.15 = 0.95
 	require.InDelta(t, 0.95, *result, 1e-12)
 }
+
+// ---------------------------------------------------------------------------
+// resolveAccountStatsCost — integration tests covering the 4-level priority chain
+// ---------------------------------------------------------------------------
+
+func TestResolveAccountStatsCost_NilChannelService(t *testing.T) {
+	result := resolveAccountStatsCost(
+		context.Background(),
+		nil, // channelService is nil
+		newTestBillingServiceWithPrices(map[string]*ModelPricing{}),
+		1, 1, "claude-sonnet-4",
+		UsageTokens{InputTokens: 100}, 1, 0.5,
+	)
+	require.Nil(t, result)
+}
+
+func TestResolveAccountStatsCost_EmptyUpstreamModel(t *testing.T) {
+	cs := newTestChannelServiceForStats(t, &Channel{
+		ID:     1,
+		Status: StatusActive,
+	}, 1, "")
+
+	result := resolveAccountStatsCost(
+		context.Background(),
+		cs,
+		newTestBillingServiceWithPrices(map[string]*ModelPricing{}),
+		1, 1, "", // empty upstream model
+		UsageTokens{InputTokens: 100}, 1, 0.5,
+	)
+	require.Nil(t, result)
+}
+
+func TestResolveAccountStatsCost_GetChannelForGroupReturnsNil(t *testing.T) {
+	// Group 99 is NOT in the cache, so GetChannelForGroup returns nil
+	cs := newTestChannelServiceForStats(t, &Channel{
+		ID:     1,
+		Status: StatusActive,
+	}, 1, "")
+
+	result := resolveAccountStatsCost(
+		context.Background(),
+		cs,
+		newTestBillingServiceWithPrices(map[string]*ModelPricing{}),
+		1, 99, "claude-sonnet-4", // groupID 99 has no channel
+		UsageTokens{InputTokens: 100}, 1, 0.5,
+	)
+	require.Nil(t, result)
+}
+
+func TestResolveAccountStatsCost_HitsCustomRule(t *testing.T) {
+	channel := &Channel{
+		ID:     1,
+		Status: StatusActive,
+		AccountStatsPricingRules: []AccountStatsPricingRule{
+			{
+				GroupIDs: []int64{10},
+				Pricing: []ChannelModelPricing{
+					{
+						ID:          100,
+						Models:      []string{"claude-sonnet-4"},
+						InputPrice:  testPtrFloat64(0.01),
+						OutputPrice: testPtrFloat64(0.02),
+					},
+				},
+			},
+		},
+	}
+	cs := newTestChannelServiceForStats(t, channel, 10, "anthropic")
+
+	tokens := UsageTokens{InputTokens: 100, OutputTokens: 50}
+
+	result := resolveAccountStatsCost(
+		context.Background(),
+		cs, nil, // billingService not needed when custom rule hits
+		1, 10, "claude-sonnet-4",
+		tokens, 1, 999.0, // totalCost ignored because custom rule hits
+	)
+	require.NotNil(t, result)
+	// 100*0.01 + 50*0.02 = 1.0 + 1.0 = 2.0
+	require.InDelta(t, 2.0, *result, 1e-12)
+}
+
+func TestResolveAccountStatsCost_ApplyPricingToAccountStats_UsesTotalCost(t *testing.T) {
+	channel := &Channel{
+		ID:                         1,
+		Status:                     StatusActive,
+		ApplyPricingToAccountStats: true,
+		// No custom rules
+	}
+	cs := newTestChannelServiceForStats(t, channel, 10, "anthropic")
+
+	tokens := UsageTokens{InputTokens: 100, OutputTokens: 50}
+
+	result := resolveAccountStatsCost(
+		context.Background(),
+		cs, nil,
+		1, 10, "claude-sonnet-4",
+		tokens, 1, 0.75, // totalCost = 0.75
+	)
+	require.NotNil(t, result)
+	require.InDelta(t, 0.75, *result, 1e-12)
+}
+
+func TestResolveAccountStatsCost_ApplyPricingToAccountStats_ZeroTotalCost_ReturnsNil(t *testing.T) {
+	channel := &Channel{
+		ID:                         1,
+		Status:                     StatusActive,
+		ApplyPricingToAccountStats: true,
+	}
+	cs := newTestChannelServiceForStats(t, channel, 10, "anthropic")
+
+	result := resolveAccountStatsCost(
+		context.Background(),
+		cs, nil,
+		1, 10, "claude-sonnet-4",
+		UsageTokens{}, 1, 0.0, // totalCost = 0
+	)
+	require.Nil(t, result)
+}
+
+func TestResolveAccountStatsCost_FallsBackToLiteLLM(t *testing.T) {
+	channel := &Channel{
+		ID:                         1,
+		Status:                     StatusActive,
+		ApplyPricingToAccountStats: false, // not enabled
+		// No custom rules
+	}
+	cs := newTestChannelServiceForStats(t, channel, 10, "anthropic")
+
+	bs := newTestBillingServiceWithPrices(map[string]*ModelPricing{
+		"claude-sonnet-4": {
+			InputPricePerToken:  0.001,
+			OutputPricePerToken: 0.002,
+		},
+	})
+
+	tokens := UsageTokens{InputTokens: 100, OutputTokens: 50}
+
+	result := resolveAccountStatsCost(
+		context.Background(),
+		cs, bs,
+		1, 10, "claude-sonnet-4",
+		tokens, 1, 999.0, // totalCost ignored
+	)
+	require.NotNil(t, result)
+	// 100*0.001 + 50*0.002 = 0.1 + 0.1 = 0.2
+	require.InDelta(t, 0.2, *result, 1e-12)
+}
+
+func TestResolveAccountStatsCost_AllMiss_ReturnsNil(t *testing.T) {
+	channel := &Channel{
+		ID:                         1,
+		Status:                     StatusActive,
+		ApplyPricingToAccountStats: false,
+		// No custom rules
+	}
+	cs := newTestChannelServiceForStats(t, channel, 10, "anthropic")
+
+	// BillingService with no pricing for the model
+	bs := newTestBillingServiceWithPrices(map[string]*ModelPricing{})
+
+	tokens := UsageTokens{InputTokens: 100, OutputTokens: 50}
+
+	result := resolveAccountStatsCost(
+		context.Background(),
+		cs, bs,
+		1, 10, "totally-unknown-model",
+		tokens, 1, 0.0,
+	)
+	require.Nil(t, result)
+}
+
+func TestResolveAccountStatsCost_NilBillingService_SkipsLiteLLM(t *testing.T) {
+	channel := &Channel{
+		ID:                         1,
+		Status:                     StatusActive,
+		ApplyPricingToAccountStats: false,
+	}
+	cs := newTestChannelServiceForStats(t, channel, 10, "anthropic")
+
+	result := resolveAccountStatsCost(
+		context.Background(),
+		cs, nil, // billingService is nil
+		1, 10, "claude-sonnet-4",
+		UsageTokens{InputTokens: 100}, 1, 0.0,
+	)
+	require.Nil(t, result)
+}
+
+func TestResolveAccountStatsCost_CustomRulePriorityOverApplyPricing(t *testing.T) {
+	// Both custom rule and ApplyPricingToAccountStats are configured;
+	// custom rule should take precedence.
+	channel := &Channel{
+		ID:                         1,
+		Status:                     StatusActive,
+		ApplyPricingToAccountStats: true,
+		AccountStatsPricingRules: []AccountStatsPricingRule{
+			{
+				GroupIDs: []int64{10},
+				Pricing: []ChannelModelPricing{
+					{
+						ID:         100,
+						Models:     []string{"claude-sonnet-4"},
+						InputPrice: testPtrFloat64(0.05),
+					},
+				},
+			},
+		},
+	}
+	cs := newTestChannelServiceForStats(t, channel, 10, "anthropic")
+
+	tokens := UsageTokens{InputTokens: 100}
+
+	result := resolveAccountStatsCost(
+		context.Background(),
+		cs, nil,
+		1, 10, "claude-sonnet-4",
+		tokens, 1, 99.0, // totalCost = 99.0 (would be used if ApplyPricing wins)
+	)
+	require.NotNil(t, result)
+	// Custom rule: 100*0.05 = 5.0 (NOT 99.0 from totalCost)
+	require.InDelta(t, 5.0, *result, 1e-12)
+}
+
+// ---------------------------------------------------------------------------
+// helpers for resolveAccountStatsCost tests
+// ---------------------------------------------------------------------------
+
+// newTestChannelServiceForStats creates a ChannelService with a single channel
+// mapped to the given groupID, suitable for resolveAccountStatsCost tests.
+func newTestChannelServiceForStats(t *testing.T, channel *Channel, groupID int64, platform string) *ChannelService {
+	t.Helper()
+	cache := newEmptyChannelCache()
+	cache.channelByGroupID[groupID] = channel
+	cache.groupPlatform[groupID] = platform
+	cs := &ChannelService{}
+	cache.loadedAt = time.Now()
+	cs.cache.Store(cache)
+	return cs
+}
diff --git a/backend/internal/service/balance_notify_check_test.go b/backend/internal/service/balance_notify_check_test.go
index 955f3129..7bb4cf9e 100644
--- a/backend/internal/service/balance_notify_check_test.go
+++ b/backend/internal/service/balance_notify_check_test.go
@@ -178,3 +178,227 @@ func TestGetSiteName_Configured(t *testing.T) {
 	repo.data[SettingKeySiteName] = "My Site"
 	require.Equal(t, "My Site", s.getSiteName(context.Background()))
 }
+
+// ---------- crossedDownward ----------
+
+func TestCrossedDownward_CrossesBelow(t *testing.T) {
+	// oldBalance > threshold, newBalance < threshold → true
+	require.True(t, crossedDownward(100, 5, 10))
+}
+
+func TestCrossedDownward_ExactlyAtThreshold(t *testing.T) {
+	// oldBalance > threshold, newBalance == threshold → false (not below)
+	require.False(t, crossedDownward(100, 10, 10))
+}
+
+func TestCrossedDownward_OldExactlyAtThreshold_NewBelow(t *testing.T) {
+	// oldBalance == threshold, newBalance < threshold → true
+	// (at-or-above → below counts as a crossing)
+	require.True(t, crossedDownward(10, 5, 10))
+}
+
+func TestCrossedDownward_AlreadyBelow(t *testing.T) {
+	// oldBalance < threshold → false (already below, no new crossing)
+	require.False(t, crossedDownward(5, 3, 10))
+}
+
+func TestCrossedDownward_BothAbove(t *testing.T) {
+	// oldBalance > threshold, newBalance > threshold → false (no crossing)
+	require.False(t, crossedDownward(100, 50, 10))
+}
+
+func TestCrossedDownward_ZeroThreshold(t *testing.T) {
+	// threshold == 0 → oldV >= 0 is always true, but newV < 0 only for negatives
+	// Typical case: positive balances should not fire when threshold is 0.
+	require.False(t, crossedDownward(10, 5, 0))
+	require.False(t, crossedDownward(0, 0, 0))
+}
+
+func TestCrossedDownward_ZeroThreshold_NegativeNew(t *testing.T) {
+	// Edge case: newBalance goes negative with threshold=0.
+	require.True(t, crossedDownward(5, -1, 0))
+}
+
+func TestCrossedDownward_NegativeValues(t *testing.T) {
+	// Both already negative, threshold is positive → no crossing (already below).
+	require.False(t, crossedDownward(-5, -10, 10))
+}
+
+func TestCrossedDownward_LargeDecrement(t *testing.T) {
+	// A single large deduction crosses the threshold.
+	require.True(t, crossedDownward(1000, 0.5, 100))
+}
+
+func TestCrossedDownward_SmallDecrement_NoCrossing(t *testing.T) {
+	// A tiny deduction stays above threshold.
+	require.False(t, crossedDownward(100, 99.99, 10))
+}
+
+// ---------- checkQuotaDimCrossings ----------
+
+func TestCheckQuotaDimCrossings_NoDimensions(t *testing.T) {
+	s, _ := newBalanceNotifyServiceForTest()
+	account := &Account{ID: 1, Name: "test", Platform: PlatformAnthropic}
+	// Empty dims → no crossing, no panic.
+	s.checkQuotaDimCrossings(account, nil, 10, []string{"admin@example.com"}, "TestSite")
+	s.checkQuotaDimCrossings(account, []quotaDim{}, 10, []string{"admin@example.com"}, "TestSite")
+}
+
+func TestCheckQuotaDimCrossings_DisabledDimension(t *testing.T) {
+	s, _ := newBalanceNotifyServiceForTest()
+	account := &Account{ID: 1, Name: "test", Platform: PlatformAnthropic}
+	dims := []quotaDim{
+		{
+			name:          quotaDimDaily,
+			enabled:       false, // disabled
+			threshold:     100,
+			thresholdType: thresholdTypeFixed,
+			currentUsed:   950,
+			limit:         1000,
+		},
+	}
+	// Disabled dimension should be skipped even if crossing would occur.
+	s.checkQuotaDimCrossings(account, dims, 50, []string{"admin@example.com"}, "TestSite")
+}
+
+func TestCheckQuotaDimCrossings_ZeroThresholdSkipped(t *testing.T) {
+	s, _ := newBalanceNotifyServiceForTest()
+	account := &Account{ID: 1, Name: "test", Platform: PlatformAnthropic}
+	dims := []quotaDim{
+		{
+			name:          quotaDimDaily,
+			enabled:       true,
+			threshold:     0, // zero threshold
+			thresholdType: thresholdTypeFixed,
+			currentUsed:   950,
+			limit:         1000,
+		},
+	}
+	// Zero threshold → skipped.
+	s.checkQuotaDimCrossings(account, dims, 50, []string{"admin@example.com"}, "TestSite")
+}
+
+func TestCheckQuotaDimCrossings_NoCrossing_BothBelowThreshold(t *testing.T) {
+	s, _ := newBalanceNotifyServiceForTest()
+	account := &Account{ID: 1, Name: "test", Platform: PlatformAnthropic}
+	// threshold=400 remaining, limit=1000 → effectiveThreshold = 600 (usage trigger)
+	// currentUsed=300 (after), oldUsed=300-50=250 (before). Both < 600, no crossing.
+	dims := []quotaDim{
+		{
+			name:          quotaDimDaily,
+			enabled:       true,
+			threshold:     400,
+			thresholdType: thresholdTypeFixed,
+			currentUsed:   300,
+			limit:         1000,
+		},
+	}
+	s.checkQuotaDimCrossings(account, dims, 50, []string{"admin@example.com"}, "TestSite")
+}
+
+func TestCheckQuotaDimCrossings_NoCrossing_BothAboveThreshold(t *testing.T) {
+	s, _ := newBalanceNotifyServiceForTest()
+	account := &Account{ID: 1, Name: "test", Platform: PlatformAnthropic}
+	// threshold=400 remaining, limit=1000 → effectiveThreshold = 600 (usage trigger)
+	// currentUsed=800 (after), oldUsed=800-50=750 (before). Both >= 600, no crossing.
+	dims := []quotaDim{
+		{
+			name:          quotaDimDaily,
+			enabled:       true,
+			threshold:     400,
+			thresholdType: thresholdTypeFixed,
+			currentUsed:   800,
+			limit:         1000,
+		},
+	}
+	s.checkQuotaDimCrossings(account, dims, 50, []string{"admin@example.com"}, "TestSite")
+}
+
+func TestCheckQuotaDimCrossings_NegativeResolvedThreshold_Skipped(t *testing.T) {
+	s, _ := newBalanceNotifyServiceForTest()
+	account := &Account{ID: 1, Name: "test", Platform: PlatformAnthropic}
+	// threshold=1200 remaining, limit=1000 → effectiveThreshold = 1000-1200 = -200
+	// Negative resolved threshold → skipped.
+	dims := []quotaDim{
+		{
+			name:          quotaDimDaily,
+			enabled:       true,
+			threshold:     1200,
+			thresholdType: thresholdTypeFixed,
+			currentUsed:   950,
+			limit:         1000,
+		},
+	}
+	s.checkQuotaDimCrossings(account, dims, 50, []string{"admin@example.com"}, "TestSite")
+}
+
+func TestCheckQuotaDimCrossings_PercentageThreshold_NoCrossing(t *testing.T) {
+	s, _ := newBalanceNotifyServiceForTest()
+	account := &Account{ID: 1, Name: "test", Platform: PlatformAnthropic}
+	// threshold=30%, limit=1000 → effectiveThreshold = 1000 * (1 - 0.30) = 700
+	// currentUsed=500, oldUsed=500-50=450. Both < 700, no crossing.
+	dims := []quotaDim{
+		{
+			name:          quotaDimWeekly,
+			enabled:       true,
+			threshold:     30,
+			thresholdType: thresholdTypePercentage,
+			currentUsed:   500,
+			limit:         1000,
+		},
+	}
+	s.checkQuotaDimCrossings(account, dims, 50, []string{"admin@example.com"}, "TestSite")
+}
+
+func TestCheckQuotaDimCrossings_ZeroLimit_Skipped(t *testing.T) {
+	s, _ := newBalanceNotifyServiceForTest()
+	account := &Account{ID: 1, Name: "test", Platform: PlatformAnthropic}
+	// limit=0 → resolvedThreshold returns 0 → skipped.
+	dims := []quotaDim{
+		{
+			name:          quotaDimTotal,
+			enabled:       true,
+			threshold:     100,
+			thresholdType: thresholdTypeFixed,
+			currentUsed:   50,
+			limit:         0,
+		},
+	}
+	s.checkQuotaDimCrossings(account, dims, 50, []string{"admin@example.com"}, "TestSite")
+}
+
+func TestCheckQuotaDimCrossings_MultipleDims_MixedResults(t *testing.T) {
+	s, _ := newBalanceNotifyServiceForTest()
+	account := &Account{ID: 1, Name: "test", Platform: PlatformAnthropic}
+	// dim1: no crossing (both below effective threshold)
+	// dim2: disabled (skipped)
+	// dim3: zero threshold (skipped)
+	dims := []quotaDim{
+		{
+			name:          quotaDimDaily,
+			enabled:       true,
+			threshold:     400,
+			thresholdType: thresholdTypeFixed,
+			currentUsed:   300, // oldUsed=250, effectiveThreshold=600, both below
+			limit:         1000,
+		},
+		{
+			name:          quotaDimWeekly,
+			enabled:       false,
+			threshold:     100,
+			thresholdType: thresholdTypeFixed,
+			currentUsed:   900,
+			limit:         1000,
+		},
+		{
+			name:          quotaDimTotal,
+			enabled:       true,
+			threshold:     0,
+			thresholdType: thresholdTypeFixed,
+			currentUsed:   500,
+			limit:         1000,
+		},
+	}
+	// None should trigger. No panic expected.
+	s.checkQuotaDimCrossings(account, dims, 50, []string{"admin@example.com"}, "TestSite")
+}
diff --git a/backend/internal/service/billing_service_test.go b/backend/internal/service/billing_service_test.go
index 6f6c41ce..2cf134e2 100644
--- a/backend/internal/service/billing_service_test.go
+++ b/backend/internal/service/billing_service_test.go
@@ -718,3 +718,123 @@ func TestGetModelPricing_MapsDynamicPriorityFieldsIntoBillingPricing(t *testing.
 	require.InDelta(t, 1.5, pricing.LongContextInputMultiplier, 1e-12)
 	require.InDelta(t, 1.25, pricing.LongContextOutputMultiplier, 1e-12)
 }
+
+// ---------------------------------------------------------------------------
+// GetModelPricingWithChannel
+// ---------------------------------------------------------------------------
+
+func TestGetModelPricingWithChannel_NilChannelPricing_ReturnsOriginal(t *testing.T) {
+	svc := newTestBillingService()
+
+	pricing, err := svc.GetModelPricingWithChannel("claude-sonnet-4", nil)
+	require.NoError(t, err)
+	require.NotNil(t, pricing)
+
+	// Should be identical to GetModelPricing
+	original, err := svc.GetModelPricing("claude-sonnet-4")
+	require.NoError(t, err)
+	require.InDelta(t, original.InputPricePerToken, pricing.InputPricePerToken, 1e-12)
+	require.InDelta(t, original.OutputPricePerToken, pricing.OutputPricePerToken, 1e-12)
+	require.InDelta(t, original.CacheCreationPricePerToken, pricing.CacheCreationPricePerToken, 1e-12)
+	require.InDelta(t, original.CacheReadPricePerToken, pricing.CacheReadPricePerToken, 1e-12)
+}
+
+func TestGetModelPricingWithChannel_OverrideInputPriceOnly(t *testing.T) {
+	svc := newTestBillingService()
+
+	chPricing := &ChannelModelPricing{
+		InputPrice: testPtrFloat64(99e-6),
+	}
+	pricing, err := svc.GetModelPricingWithChannel("claude-sonnet-4", chPricing)
+	require.NoError(t, err)
+
+	// InputPrice overridden (both normal and priority)
+	require.InDelta(t, 99e-6, pricing.InputPricePerToken, 1e-12)
+	require.InDelta(t, 99e-6, pricing.InputPricePerTokenPriority, 1e-12)
+
+	// OutputPrice unchanged (claude-sonnet-4 fallback = 15e-6)
+	require.InDelta(t, 15e-6, pricing.OutputPricePerToken, 1e-12)
+}
+
+func TestGetModelPricingWithChannel_OverrideOutputPriceOnly(t *testing.T) {
+	svc := newTestBillingService()
+
+	chPricing := &ChannelModelPricing{
+		OutputPrice: testPtrFloat64(88e-6),
+	}
+	pricing, err := svc.GetModelPricingWithChannel("claude-sonnet-4", chPricing)
+	require.NoError(t, err)
+
+	// OutputPrice overridden
+	require.InDelta(t, 88e-6, pricing.OutputPricePerToken, 1e-12)
+	require.InDelta(t, 88e-6, pricing.OutputPricePerTokenPriority, 1e-12)
+
+	// InputPrice unchanged (claude-sonnet-4 fallback = 3e-6)
+	require.InDelta(t, 3e-6, pricing.InputPricePerToken, 1e-12)
+}
+
+func TestGetModelPricingWithChannel_OverrideAllFields(t *testing.T) {
+	svc := newTestBillingService()
+
+	chPricing := &ChannelModelPricing{
+		InputPrice:       testPtrFloat64(10e-6),
+		OutputPrice:      testPtrFloat64(20e-6),
+		CacheWritePrice:  testPtrFloat64(5e-6),
+		CacheReadPrice:   testPtrFloat64(1e-6),
+		ImageOutputPrice: testPtrFloat64(50e-6),
+	}
+	pricing, err := svc.GetModelPricingWithChannel("claude-sonnet-4", chPricing)
+	require.NoError(t, err)
+
+	require.InDelta(t, 10e-6, pricing.InputPricePerToken, 1e-12)
+	require.InDelta(t, 10e-6, pricing.InputPricePerTokenPriority, 1e-12)
+	require.InDelta(t, 20e-6, pricing.OutputPricePerToken, 1e-12)
+	require.InDelta(t, 20e-6, pricing.OutputPricePerTokenPriority, 1e-12)
+	require.InDelta(t, 5e-6, pricing.CacheCreationPricePerToken, 1e-12)
+	require.InDelta(t, 5e-6, pricing.CacheCreation5mPrice, 1e-12)
+	require.InDelta(t, 5e-6, pricing.CacheCreation1hPrice, 1e-12)
+	require.InDelta(t, 1e-6, pricing.CacheReadPricePerToken, 1e-12)
+	require.InDelta(t, 1e-6, pricing.CacheReadPricePerTokenPriority, 1e-12)
+	require.InDelta(t, 50e-6, pricing.ImageOutputPricePerToken, 1e-12)
+}
+
+func TestGetModelPricingWithChannel_CacheWritePriceAffects5mAnd1h(t *testing.T) {
+	svc := newTestBillingService()
+
+	chPricing := &ChannelModelPricing{
+		CacheWritePrice: testPtrFloat64(7e-6),
+	}
+	pricing, err := svc.GetModelPricingWithChannel("claude-sonnet-4", chPricing)
+	require.NoError(t, err)
+
+	// CacheWritePrice should set all three: CacheCreationPricePerToken, 5m, and 1h
+	require.InDelta(t, 7e-6, pricing.CacheCreationPricePerToken, 1e-12)
+	require.InDelta(t, 7e-6, pricing.CacheCreation5mPrice, 1e-12)
+	require.InDelta(t, 7e-6, pricing.CacheCreation1hPrice, 1e-12)
+}
+
+func TestGetModelPricingWithChannel_CacheReadPriceAffectsPriority(t *testing.T) {
+	svc := newTestBillingService()
+
+	chPricing := &ChannelModelPricing{
+		CacheReadPrice: testPtrFloat64(2e-6),
+	}
+	pricing, err := svc.GetModelPricingWithChannel("claude-sonnet-4", chPricing)
+	require.NoError(t, err)
+
+	// CacheReadPrice should set both normal and priority
+	require.InDelta(t, 2e-6, pricing.CacheReadPricePerToken, 1e-12)
+	require.InDelta(t, 2e-6, pricing.CacheReadPricePerTokenPriority, 1e-12)
+}
+
+func TestGetModelPricingWithChannel_UnknownModelReturnsError(t *testing.T) {
+	svc := newTestBillingService()
+
+	chPricing := &ChannelModelPricing{
+		InputPrice: testPtrFloat64(1e-6),
+	}
+	pricing, err := svc.GetModelPricingWithChannel("totally-unknown-model", chPricing)
+	require.Error(t, err)
+	require.Nil(t, pricing)
+	require.Contains(t, err.Error(), "pricing not found")
+}
diff --git a/backend/internal/service/billing_service_unified_test.go b/backend/internal/service/billing_service_unified_test.go
new file mode 100644
index 00000000..694c3384
--- /dev/null
+++ b/backend/internal/service/billing_service_unified_test.go
@@ -0,0 +1,258 @@
+//go:build unit
+
+package service
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/Wei-Shaw/sub2api/internal/config"
+	"github.com/stretchr/testify/require"
+)
+
+// ---------------------------------------------------------------------------
+// CalculateCostUnified
+// ---------------------------------------------------------------------------
+
+func TestCalculateCostUnified_NilResolver_FallsBackToOldPath(t *testing.T) {
+	svc := newTestBillingService()
+
+	tokens := UsageTokens{InputTokens: 1000, OutputTokens: 500}
+	input := CostInput{
+		Model:          "claude-sonnet-4",
+		Tokens:         tokens,
+		RateMultiplier: 1.0,
+		Resolver:       nil, // no resolver
+	}
+	cost, err := svc.CalculateCostUnified(input)
+	require.NoError(t, err)
+
+	// Should match the old-path result exactly
+	expected, err := svc.calculateCostInternal("claude-sonnet-4", tokens, 1.0, "", nil)
+	require.NoError(t, err)
+	require.InDelta(t, expected.TotalCost, cost.TotalCost, 1e-10)
+	require.InDelta(t, expected.ActualCost, cost.ActualCost, 1e-10)
+	// BillingMode is NOT set by old path through CalculateCostUnified (resolver == nil)
+	require.Empty(t, cost.BillingMode)
+}
+
+func TestCalculateCostUnified_TokenMode(t *testing.T) {
+	bs := newTestBillingService()
+	resolver := NewModelPricingResolver(nil, bs)
+
+	tokens := UsageTokens{InputTokens: 1000, OutputTokens: 500}
+	input := CostInput{
+		Ctx:            context.Background(),
+		Model:          "claude-sonnet-4",
+		Tokens:         tokens,
+		RateMultiplier: 1.5,
+		Resolver:       resolver,
+	}
+	cost, err := bs.CalculateCostUnified(input)
+	require.NoError(t, err)
+	require.NotNil(t, cost)
+
+	// Verify token billing: Input: 1000*3e-6=0.003, Output: 500*15e-6=0.0075
+	expectedTotal := 1000*3e-6 + 500*15e-6
+	require.InDelta(t, expectedTotal, cost.TotalCost, 1e-10)
+	require.InDelta(t, expectedTotal*1.5, cost.ActualCost, 1e-10)
+	require.Equal(t, string(BillingModeToken), cost.BillingMode)
+}
+
+func TestCalculateCostUnified_PerRequestMode(t *testing.T) {
+	// Set up a ChannelService with a per-request pricing channel
+	cs := newTestChannelServiceWithCache(t, &channelCache{
+		pricingByGroupModel: map[channelModelKey]*ChannelModelPricing{
+			{groupID: 1, model: "claude-sonnet-4"}: {
+				BillingMode:     BillingModePerRequest,
+				PerRequestPrice: testPtrFloat64(0.05),
+			},
+		},
+		channelByGroupID: map[int64]*Channel{
+			1: {ID: 1, Status: StatusActive},
+		},
+		groupPlatform:           map[int64]string{1: ""},
+		wildcardByGroupPlatform: map[channelGroupPlatformKey][]*wildcardPricingEntry{},
+		mappingByGroupModel:     map[channelModelKey]string{},
+		wildcardMappingByGP:     map[channelGroupPlatformKey][]*wildcardMappingEntry{},
+		byID:                    map[int64]*Channel{},
+	})
+
+	bs := newTestBillingService()
+	resolver := NewModelPricingResolver(cs, bs)
+	groupID := int64(1)
+
+	input := CostInput{
+		Ctx:            context.Background(),
+		Model:          "claude-sonnet-4",
+		GroupID:        &groupID,
+		Tokens:         UsageTokens{InputTokens: 100, OutputTokens: 50},
+		RequestCount:   3,
+		RateMultiplier: 2.0,
+		Resolver:       resolver,
+	}
+	cost, err := bs.CalculateCostUnified(input)
+	require.NoError(t, err)
+	require.NotNil(t, cost)
+
+	// 3 requests * $0.05 = $0.15
+	require.InDelta(t, 0.15, cost.TotalCost, 1e-10)
+	// ActualCost = 0.15 * 2.0 = 0.30
+	require.InDelta(t, 0.30, cost.ActualCost, 1e-10)
+	require.Equal(t, string(BillingModePerRequest), cost.BillingMode)
+}
+
+func TestCalculateCostUnified_ImageMode(t *testing.T) {
+	cs := newTestChannelServiceWithCache(t, &channelCache{
+		pricingByGroupModel: map[channelModelKey]*ChannelModelPricing{
+			{groupID: 2, model: "gemini-image"}: {
+				BillingMode:     BillingModeImage,
+				PerRequestPrice: testPtrFloat64(0.10),
+			},
+		},
+		channelByGroupID: map[int64]*Channel{
+			2: {ID: 2, Status: StatusActive},
+		},
+		groupPlatform:           map[int64]string{2: ""},
+		wildcardByGroupPlatform: map[channelGroupPlatformKey][]*wildcardPricingEntry{},
+		mappingByGroupModel:     map[channelModelKey]string{},
+		wildcardMappingByGP:     map[channelGroupPlatformKey][]*wildcardMappingEntry{},
+		byID:                    map[int64]*Channel{},
+	})
+
+	bs := &BillingService{
+		cfg:            &config.Config{},
+		fallbackPrices: map[string]*ModelPricing{},
+	}
+	resolver := NewModelPricingResolver(cs, bs)
+	groupID := int64(2)
+
+	input := CostInput{
+		Ctx:            context.Background(),
+		Model:          "gemini-image",
+		GroupID:        &groupID,
+		Tokens:         UsageTokens{},
+		RequestCount:   2,
+		RateMultiplier: 1.0,
+		Resolver:       resolver,
+	}
+	cost, err := bs.CalculateCostUnified(input)
+	require.NoError(t, err)
+	require.NotNil(t, cost)
+
+	// 2 * $0.10 = $0.20
+	require.InDelta(t, 0.20, cost.TotalCost, 1e-10)
+	require.InDelta(t, 0.20, cost.ActualCost, 1e-10)
+	require.Equal(t, string(BillingModeImage), cost.BillingMode)
+}
+
+func TestCalculateCostUnified_RateMultiplierZeroDefaultsToOne(t *testing.T) {
+	bs := newTestBillingService()
+	resolver := NewModelPricingResolver(nil, bs)
+
+	tokens := UsageTokens{InputTokens: 1000, OutputTokens: 500}
+
+	costZero, err := bs.CalculateCostUnified(CostInput{
+		Ctx:            context.Background(),
+		Model:          "claude-sonnet-4",
+		Tokens:         tokens,
+		RateMultiplier: 0, // should default to 1.0
+		Resolver:       resolver,
+	})
+	require.NoError(t, err)
+
+	costOne, err := bs.CalculateCostUnified(CostInput{
+		Ctx:            context.Background(),
+		Model:          "claude-sonnet-4",
+		Tokens:         tokens,
+		RateMultiplier: 1.0,
+		Resolver:       resolver,
+	})
+	require.NoError(t, err)
+
+	require.InDelta(t, costOne.ActualCost, costZero.ActualCost, 1e-10)
+}
+
+func TestCalculateCostUnified_NegativeRateMultiplierDefaultsToOne(t *testing.T) {
+	bs := newTestBillingService()
+	resolver := NewModelPricingResolver(nil, bs)
+
+	tokens := UsageTokens{InputTokens: 1000}
+
+	costNeg, err := bs.CalculateCostUnified(CostInput{
+		Ctx:            context.Background(),
+		Model:          "claude-sonnet-4",
+		Tokens:         tokens,
+		RateMultiplier: -5.0,
+		Resolver:       resolver,
+	})
+	require.NoError(t, err)
+
+	costOne, err := bs.CalculateCostUnified(CostInput{
+		Ctx:            context.Background(),
+		Model:          "claude-sonnet-4",
+		Tokens:         tokens,
+		RateMultiplier: 1.0,
+		Resolver:       resolver,
+	})
+	require.NoError(t, err)
+
+	require.InDelta(t, costOne.ActualCost, costNeg.ActualCost, 1e-10)
+}
+
+func TestCalculateCostUnified_BillingModeFieldFilled(t *testing.T) {
+	bs := newTestBillingService()
+	resolver := NewModelPricingResolver(nil, bs)
+
+	cost, err := bs.CalculateCostUnified(CostInput{
+		Ctx:            context.Background(),
+		Model:          "claude-sonnet-4",
+		Tokens:         UsageTokens{InputTokens: 100},
+		RateMultiplier: 1.0,
+		Resolver:       resolver,
+	})
+	require.NoError(t, err)
+	require.Equal(t, "token", cost.BillingMode)
+}
+
+func TestCalculateCostUnified_UsesPreResolvedPricing(t *testing.T) {
+	bs := newTestBillingService()
+	resolver := NewModelPricingResolver(nil, bs)
+
+	// Pre-resolve with per_request mode to verify it's used instead of re-resolving
+	preResolved := &ResolvedPricing{
+		Mode:                   BillingModePerRequest,
+		DefaultPerRequestPrice: 0.07,
+	}
+
+	cost, err := bs.CalculateCostUnified(CostInput{
+		Ctx:            context.Background(),
+		Model:          "claude-sonnet-4",
+		Tokens:         UsageTokens{InputTokens: 100},
+		RequestCount:   2,
+		RateMultiplier: 1.0,
+		Resolver:       resolver,
+		Resolved:       preResolved,
+	})
+	require.NoError(t, err)
+	require.NotNil(t, cost)
+
+	// 2 * $0.07 = $0.14
+	require.InDelta(t, 0.14, cost.TotalCost, 1e-10)
+	require.Equal(t, string(BillingModePerRequest), cost.BillingMode)
+}
+
+// ---------------------------------------------------------------------------
+// helpers
+// ---------------------------------------------------------------------------
+
+// newTestChannelServiceWithCache creates a ChannelService with a pre-populated
+// cache snapshot, bypassing the repository layer entirely.
+func newTestChannelServiceWithCache(t *testing.T, cache *channelCache) *ChannelService {
+	t.Helper()
+	cs := &ChannelService{}
+	cache.loadedAt = time.Now()
+	cs.cache.Store(cache)
+	return cs
+}
diff --git a/backend/internal/service/gateway_websearch_emulation_test.go b/backend/internal/service/gateway_websearch_emulation_test.go
index b606c748..de1f0014 100644
--- a/backend/internal/service/gateway_websearch_emulation_test.go
+++ b/backend/internal/service/gateway_websearch_emulation_test.go
@@ -1,8 +1,14 @@
+//go:build unit
+
 package service
 
 import (
+	"context"
+	"encoding/json"
 	"testing"
+	"time"
 
+	"github.com/Wei-Shaw/sub2api/internal/config"
 	"github.com/Wei-Shaw/sub2api/internal/pkg/websearch"
 	"github.com/stretchr/testify/require"
 )
@@ -140,3 +146,235 @@ func TestBuildTextSummary_NoResults(t *testing.T) {
 	summary := buildTextSummary("test", nil)
 	require.Contains(t, summary, "No search results found for: test")
 }
+
+// --- shouldEmulateWebSearch ---
+
+// webSearchToolBody is a valid request body with exactly one web_search tool.
+var webSearchToolBody = []byte(`{"tools":[{"type":"web_search"}],"messages":[{"role":"user","content":"test"}]}`)
+
+// nonWebSearchToolBody is a request body without web_search tool.
+var nonWebSearchToolBody = []byte(`{"tools":[{"type":"text_editor"}],"messages":[{"role":"user","content":"test"}]}`)
+
+// newAnthropicAPIKeyAccount creates a test Account with the given web search emulation mode.
+func newAnthropicAPIKeyAccount(mode string) *Account {
+	return &Account{
+		ID:       1,
+		Platform: PlatformAnthropic,
+		Type:     AccountTypeAPIKey,
+		Extra:    map[string]any{featureKeyWebSearchEmulation: mode},
+	}
+}
+
+// setGlobalWebSearchConfig stores a config in the global cache used by SettingService.IsWebSearchEmulationEnabled.
+func setGlobalWebSearchConfig(cfg *WebSearchEmulationConfig) {
+	webSearchEmulationCache.Store(&cachedWebSearchEmulationConfig{
+		config:    cfg,
+		expiresAt: time.Now().Add(10 * time.Minute).UnixNano(),
+	})
+}
+
+// clearGlobalWebSearchConfig resets the global cache to force re-read.
+func clearGlobalWebSearchConfig() {
+	webSearchEmulationCache.Store((*cachedWebSearchEmulationConfig)(nil))
+}
+
+// newSettingServiceForWebSearchTest creates a SettingService with a mock repo pre-loaded with config.
+func newSettingServiceForWebSearchTest(enabled bool) *SettingService {
+	repo := newMockSettingRepo()
+	cfg := &WebSearchEmulationConfig{
+		Enabled:   enabled,
+		Providers: []WebSearchProviderConfig{{Type: "brave", APIKey: "sk-test"}},
+	}
+	data, _ := json.Marshal(cfg)
+	repo.data[SettingKeyWebSearchEmulationConfig] = string(data)
+	return NewSettingService(repo, &config.Config{})
+}
+
+// newChannelServiceWithCache creates a ChannelService with a pre-built cache containing the channel.
+func newChannelServiceWithCache(groupID int64, ch *Channel) *ChannelService {
+	svc := &ChannelService{}
+	cache := &channelCache{
+		channelByGroupID: map[int64]*Channel{groupID: ch},
+		byID:             map[int64]*Channel{ch.ID: ch},
+		groupPlatform:    map[int64]string{},
+		loadedAt:         time.Now(),
+	}
+	svc.cache.Store(cache)
+	return svc
+}
+
+func TestShouldEmulateWebSearch_NilManager(t *testing.T) {
+	SetWebSearchManager(nil)
+	defer SetWebSearchManager(nil)
+
+	settingSvc := newSettingServiceForWebSearchTest(true)
+	setGlobalWebSearchConfig(&WebSearchEmulationConfig{
+		Enabled:   true,
+		Providers: []WebSearchProviderConfig{{Type: "brave", APIKey: "k"}},
+	})
+	defer clearGlobalWebSearchConfig()
+
+	svc := &GatewayService{settingService: settingSvc}
+	account := newAnthropicAPIKeyAccount(WebSearchModeEnabled)
+	require.False(t, svc.shouldEmulateWebSearch(context.Background(), account, nil, webSearchToolBody))
+}
+
+func TestShouldEmulateWebSearch_NotOnlyWebSearchTool(t *testing.T) {
+	mgr := websearch.NewManager([]websearch.ProviderConfig{{Type: "brave", APIKey: "k"}}, nil)
+	SetWebSearchManager(mgr)
+	defer SetWebSearchManager(nil)
+
+	settingSvc := newSettingServiceForWebSearchTest(true)
+	setGlobalWebSearchConfig(&WebSearchEmulationConfig{
+		Enabled:   true,
+		Providers: []WebSearchProviderConfig{{Type: "brave", APIKey: "k"}},
+	})
+	defer clearGlobalWebSearchConfig()
+
+	svc := &GatewayService{settingService: settingSvc}
+	account := newAnthropicAPIKeyAccount(WebSearchModeEnabled)
+	require.False(t, svc.shouldEmulateWebSearch(context.Background(), account, nil, nonWebSearchToolBody))
+}
+
+func TestShouldEmulateWebSearch_GlobalDisabled(t *testing.T) {
+	mgr := websearch.NewManager([]websearch.ProviderConfig{{Type: "brave", APIKey: "k"}}, nil)
+	SetWebSearchManager(mgr)
+	defer SetWebSearchManager(nil)
+
+	// Global config disabled
+	setGlobalWebSearchConfig(&WebSearchEmulationConfig{
+		Enabled:   false,
+		Providers: []WebSearchProviderConfig{{Type: "brave", APIKey: "k"}},
+	})
+	defer clearGlobalWebSearchConfig()
+
+	settingSvc := newSettingServiceForWebSearchTest(false)
+	svc := &GatewayService{settingService: settingSvc}
+	account := newAnthropicAPIKeyAccount(WebSearchModeEnabled)
+	require.False(t, svc.shouldEmulateWebSearch(context.Background(), account, nil, webSearchToolBody))
+}
+
+func TestShouldEmulateWebSearch_AccountDisabled(t *testing.T) {
+	mgr := websearch.NewManager([]websearch.ProviderConfig{{Type: "brave", APIKey: "k"}}, nil)
+	SetWebSearchManager(mgr)
+	defer SetWebSearchManager(nil)
+
+	setGlobalWebSearchConfig(&WebSearchEmulationConfig{
+		Enabled:   true,
+		Providers: []WebSearchProviderConfig{{Type: "brave", APIKey: "k"}},
+	})
+	defer clearGlobalWebSearchConfig()
+
+	settingSvc := newSettingServiceForWebSearchTest(true)
+	svc := &GatewayService{settingService: settingSvc}
+	account := newAnthropicAPIKeyAccount(WebSearchModeDisabled)
+	require.False(t, svc.shouldEmulateWebSearch(context.Background(), account, nil, webSearchToolBody))
+}
+
+func TestShouldEmulateWebSearch_AccountEnabled(t *testing.T) {
+	mgr := websearch.NewManager([]websearch.ProviderConfig{{Type: "brave", APIKey: "k"}}, nil)
+	SetWebSearchManager(mgr)
+	defer SetWebSearchManager(nil)
+
+	setGlobalWebSearchConfig(&WebSearchEmulationConfig{
+		Enabled:   true,
+		Providers: []WebSearchProviderConfig{{Type: "brave", APIKey: "k"}},
+	})
+	defer clearGlobalWebSearchConfig()
+
+	settingSvc := newSettingServiceForWebSearchTest(true)
+	svc := &GatewayService{settingService: settingSvc}
+	account := newAnthropicAPIKeyAccount(WebSearchModeEnabled)
+	require.True(t, svc.shouldEmulateWebSearch(context.Background(), account, nil, webSearchToolBody))
+}
+
+func TestShouldEmulateWebSearch_DefaultMode_ChannelEnabled(t *testing.T) {
+	mgr := websearch.NewManager([]websearch.ProviderConfig{{Type: "brave", APIKey: "k"}}, nil)
+	SetWebSearchManager(mgr)
+	defer SetWebSearchManager(nil)
+
+	setGlobalWebSearchConfig(&WebSearchEmulationConfig{
+		Enabled:   true,
+		Providers: []WebSearchProviderConfig{{Type: "brave", APIKey: "k"}},
+	})
+	defer clearGlobalWebSearchConfig()
+
+	settingSvc := newSettingServiceForWebSearchTest(true)
+	ch := &Channel{
+		ID:     10,
+		Status: StatusActive,
+		FeaturesConfig: map[string]any{
+			featureKeyWebSearchEmulation: map[string]any{PlatformAnthropic: true},
+		},
+	}
+	channelSvc := newChannelServiceWithCache(42, ch)
+	svc := &GatewayService{settingService: settingSvc, channelService: channelSvc}
+
+	account := newAnthropicAPIKeyAccount(WebSearchModeDefault)
+	groupID := int64(42)
+	require.True(t, svc.shouldEmulateWebSearch(context.Background(), account, &groupID, webSearchToolBody))
+}
+
+func TestShouldEmulateWebSearch_DefaultMode_ChannelDisabled(t *testing.T) {
+	mgr := websearch.NewManager([]websearch.ProviderConfig{{Type: "brave", APIKey: "k"}}, nil)
+	SetWebSearchManager(mgr)
+	defer SetWebSearchManager(nil)
+
+	setGlobalWebSearchConfig(&WebSearchEmulationConfig{
+		Enabled:   true,
+		Providers: []WebSearchProviderConfig{{Type: "brave", APIKey: "k"}},
+	})
+	defer clearGlobalWebSearchConfig()
+
+	settingSvc := newSettingServiceForWebSearchTest(true)
+	ch := &Channel{
+		ID:     10,
+		Status: StatusActive,
+		FeaturesConfig: map[string]any{
+			featureKeyWebSearchEmulation: map[string]any{PlatformAnthropic: false},
+		},
+	}
+	channelSvc := newChannelServiceWithCache(42, ch)
+	svc := &GatewayService{settingService: settingSvc, channelService: channelSvc}
+
+	account := newAnthropicAPIKeyAccount(WebSearchModeDefault)
+	groupID := int64(42)
+	require.False(t, svc.shouldEmulateWebSearch(context.Background(), account, &groupID, webSearchToolBody))
+}
+
+func TestShouldEmulateWebSearch_DefaultMode_NilGroupID(t *testing.T) {
+	mgr := websearch.NewManager([]websearch.ProviderConfig{{Type: "brave", APIKey: "k"}}, nil)
+	SetWebSearchManager(mgr)
+	defer SetWebSearchManager(nil)
+
+	setGlobalWebSearchConfig(&WebSearchEmulationConfig{
+		Enabled:   true,
+		Providers: []WebSearchProviderConfig{{Type: "brave", APIKey: "k"}},
+	})
+	defer clearGlobalWebSearchConfig()
+
+	settingSvc := newSettingServiceForWebSearchTest(true)
+	svc := &GatewayService{settingService: settingSvc}
+	account := newAnthropicAPIKeyAccount(WebSearchModeDefault)
+	// nil groupID + default mode → falls through to channel check → returns false
+	require.False(t, svc.shouldEmulateWebSearch(context.Background(), account, nil, webSearchToolBody))
+}
+
+func TestShouldEmulateWebSearch_DefaultMode_NilChannelService(t *testing.T) {
+	mgr := websearch.NewManager([]websearch.ProviderConfig{{Type: "brave", APIKey: "k"}}, nil)
+	SetWebSearchManager(mgr)
+	defer SetWebSearchManager(nil)
+
+	setGlobalWebSearchConfig(&WebSearchEmulationConfig{
+		Enabled:   true,
+		Providers: []WebSearchProviderConfig{{Type: "brave", APIKey: "k"}},
+	})
+	defer clearGlobalWebSearchConfig()
+
+	settingSvc := newSettingServiceForWebSearchTest(true)
+	svc := &GatewayService{settingService: settingSvc, channelService: nil}
+	account := newAnthropicAPIKeyAccount(WebSearchModeDefault)
+	groupID := int64(42)
+	// nil channelService + default mode → returns false
+	require.False(t, svc.shouldEmulateWebSearch(context.Background(), account, &groupID, webSearchToolBody))
+}
diff --git a/backend/internal/service/notify_email_entry_test.go b/backend/internal/service/notify_email_entry_test.go
new file mode 100644
index 00000000..0f4bb12e
--- /dev/null
+++ b/backend/internal/service/notify_email_entry_test.go
@@ -0,0 +1,156 @@
+//go:build unit
+
+package service
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+// ---------- ParseNotifyEmails ----------
+
+func TestParseNotifyEmails_EmptyString(t *testing.T) {
+	result := ParseNotifyEmails("")
+	require.Nil(t, result)
+}
+
+func TestParseNotifyEmails_EmptyArray(t *testing.T) {
+	result := ParseNotifyEmails("[]")
+	require.Nil(t, result)
+}
+
+func TestParseNotifyEmails_Null(t *testing.T) {
+	// "null" is valid JSON that unmarshals into a nil string slice.
+	// The old-format branch then returns an empty (non-nil) slice.
+	result := ParseNotifyEmails("null")
+	require.Empty(t, result)
+}
+
+func TestParseNotifyEmails_WhitespaceOnly(t *testing.T) {
+	result := ParseNotifyEmails("   ")
+	require.Nil(t, result)
+}
+
+func TestParseNotifyEmails_OldFormat(t *testing.T) {
+	raw := `["alice@example.com", "bob@example.com"]`
+	result := ParseNotifyEmails(raw)
+	require.Len(t, result, 2)
+
+	require.Equal(t, "alice@example.com", result[0].Email)
+	require.False(t, result[0].Verified, "old format emails should default to unverified")
+	require.False(t, result[0].Disabled)
+
+	require.Equal(t, "bob@example.com", result[1].Email)
+	require.False(t, result[1].Verified)
+	require.False(t, result[1].Disabled)
+}
+
+func TestParseNotifyEmails_OldFormat_SkipsEmptyEntries(t *testing.T) {
+	raw := `["alice@example.com", "", "  ", "bob@example.com"]`
+	result := ParseNotifyEmails(raw)
+	require.Len(t, result, 2)
+	require.Equal(t, "alice@example.com", result[0].Email)
+	require.Equal(t, "bob@example.com", result[1].Email)
+}
+
+func TestParseNotifyEmails_NewFormat(t *testing.T) {
+	raw := `[{"email":"alice@example.com","verified":true,"disabled":false},{"email":"bob@example.com","verified":false,"disabled":true}]`
+	result := ParseNotifyEmails(raw)
+	require.Len(t, result, 2)
+
+	require.Equal(t, "alice@example.com", result[0].Email)
+	require.True(t, result[0].Verified)
+	require.False(t, result[0].Disabled)
+
+	require.Equal(t, "bob@example.com", result[1].Email)
+	require.False(t, result[1].Verified)
+	require.True(t, result[1].Disabled)
+}
+
+func TestParseNotifyEmails_NewFormat_SingleEntry(t *testing.T) {
+	raw := `[{"email":"solo@example.com","verified":true,"disabled":false}]`
+	result := ParseNotifyEmails(raw)
+	require.Len(t, result, 1)
+	require.Equal(t, "solo@example.com", result[0].Email)
+	require.True(t, result[0].Verified)
+}
+
+func TestParseNotifyEmails_InvalidJSON(t *testing.T) {
+	result := ParseNotifyEmails(`{not valid json`)
+	require.Nil(t, result)
+}
+
+func TestParseNotifyEmails_InvalidJSONObject(t *testing.T) {
+	// A plain JSON object (not array) should return nil.
+	result := ParseNotifyEmails(`{"email":"a@b.com"}`)
+	require.Nil(t, result)
+}
+
+func TestParseNotifyEmails_WhitespacePadding(t *testing.T) {
+	raw := `  ["padded@example.com"]  `
+	result := ParseNotifyEmails(raw)
+	require.Len(t, result, 1)
+	require.Equal(t, "padded@example.com", result[0].Email)
+}
+
+// ---------- MarshalNotifyEmails ----------
+
+func TestMarshalNotifyEmails_EmptySlice(t *testing.T) {
+	result := MarshalNotifyEmails([]NotifyEmailEntry{})
+	require.Equal(t, "[]", result)
+}
+
+func TestMarshalNotifyEmails_NilSlice(t *testing.T) {
+	result := MarshalNotifyEmails(nil)
+	require.Equal(t, "[]", result)
+}
+
+func TestMarshalNotifyEmails_SingleEntry(t *testing.T) {
+	entries := []NotifyEmailEntry{
+		{Email: "test@example.com", Verified: true, Disabled: false},
+	}
+	result := MarshalNotifyEmails(entries)
+	require.Contains(t, result, `"email":"test@example.com"`)
+	require.Contains(t, result, `"verified":true`)
+	require.Contains(t, result, `"disabled":false`)
+
+	// Round-trip: parsing the marshalled result should produce the original entries.
+	parsed := ParseNotifyEmails(result)
+	require.Len(t, parsed, 1)
+	require.Equal(t, entries[0], parsed[0])
+}
+
+func TestMarshalNotifyEmails_MultipleEntries(t *testing.T) {
+	entries := []NotifyEmailEntry{
+		{Email: "a@example.com", Verified: true, Disabled: false},
+		{Email: "b@example.com", Verified: false, Disabled: true},
+	}
+	result := MarshalNotifyEmails(entries)
+
+	// Round-trip verification.
+	parsed := ParseNotifyEmails(result)
+	require.Len(t, parsed, 2)
+	require.Equal(t, entries[0], parsed[0])
+	require.Equal(t, entries[1], parsed[1])
+}
+
+func TestMarshalNotifyEmails_RoundTrip_NewFormat(t *testing.T) {
+	original := []NotifyEmailEntry{
+		{Email: "x@example.com", Verified: true, Disabled: true},
+		{Email: "y@example.com", Verified: false, Disabled: false},
+	}
+	marshalled := MarshalNotifyEmails(original)
+	parsed := ParseNotifyEmails(marshalled)
+	require.Equal(t, original, parsed)
+}
+
+// ---------- isOldStringArrayFormat (indirectly via ParseNotifyEmails) ----------
+
+func TestParseNotifyEmails_MixedOldFormatWithWhitespace(t *testing.T) {
+	// Emails with leading/trailing whitespace in old format should be trimmed.
+	raw := `["  alice@example.com  "]`
+	result := ParseNotifyEmails(raw)
+	require.Len(t, result, 1)
+	require.Equal(t, "alice@example.com", result[0].Email)
+}
diff --git a/backend/internal/service/websearch_config_test.go b/backend/internal/service/websearch_config_test.go
index 8cd50d0d..c5b96e01 100644
--- a/backend/internal/service/websearch_config_test.go
+++ b/backend/internal/service/websearch_config_test.go
@@ -1,9 +1,12 @@
+//go:build unit
+
 package service
 
 import (
 	"context"
 	"testing"
 
+	"github.com/Wei-Shaw/sub2api/internal/pkg/websearch"
 	"github.com/stretchr/testify/require"
 )
 
@@ -141,3 +144,123 @@ func TestSanitizeWebSearchConfig_DoesNotMutateOriginal(t *testing.T) {
 	_ = SanitizeWebSearchConfig(context.Background(), cfg)
 	require.Equal(t, "secret", cfg.Providers[0].APIKey)
 }
+
+// --- PopulateWebSearchUsage ---
+
+func TestPopulateWebSearchUsage_NilInput(t *testing.T) {
+	require.Nil(t, PopulateWebSearchUsage(context.Background(), nil))
+}
+
+func TestPopulateWebSearchUsage_NoManager_QuotaUsedZero(t *testing.T) {
+	// Ensure no global manager is set
+	SetWebSearchManager(nil)
+	defer SetWebSearchManager(nil)
+
+	cfg := &WebSearchEmulationConfig{
+		Enabled: true,
+		Providers: []WebSearchProviderConfig{
+			{Type: "brave", APIKey: "sk-key", QuotaLimit: int64Ptr(1000)},
+		},
+	}
+	out := PopulateWebSearchUsage(context.Background(), cfg)
+	require.NotNil(t, out)
+	require.Len(t, out.Providers, 1)
+	require.Equal(t, int64(0), out.Providers[0].QuotaUsed)
+}
+
+func TestPopulateWebSearchUsage_APIKeyConfigured_True(t *testing.T) {
+	SetWebSearchManager(nil)
+	defer SetWebSearchManager(nil)
+
+	cfg := &WebSearchEmulationConfig{
+		Providers: []WebSearchProviderConfig{
+			{Type: "brave", APIKey: "sk-key"},
+		},
+	}
+	out := PopulateWebSearchUsage(context.Background(), cfg)
+	require.True(t, out.Providers[0].APIKeyConfigured)
+}
+
+func TestPopulateWebSearchUsage_APIKeyConfigured_False(t *testing.T) {
+	SetWebSearchManager(nil)
+	defer SetWebSearchManager(nil)
+
+	cfg := &WebSearchEmulationConfig{
+		Providers: []WebSearchProviderConfig{
+			{Type: "brave", APIKey: ""},
+		},
+	}
+	out := PopulateWebSearchUsage(context.Background(), cfg)
+	require.False(t, out.Providers[0].APIKeyConfigured)
+}
+
+func TestPopulateWebSearchUsage_NilQuotaLimit(t *testing.T) {
+	SetWebSearchManager(nil)
+	defer SetWebSearchManager(nil)
+
+	cfg := &WebSearchEmulationConfig{
+		Providers: []WebSearchProviderConfig{
+			{Type: "brave", APIKey: "sk-key", QuotaLimit: nil},
+		},
+	}
+	out := PopulateWebSearchUsage(context.Background(), cfg)
+	require.Nil(t, out.Providers[0].QuotaLimit)
+}
+
+func TestPopulateWebSearchUsage_NonNilQuotaLimit(t *testing.T) {
+	SetWebSearchManager(nil)
+	defer SetWebSearchManager(nil)
+
+	cfg := &WebSearchEmulationConfig{
+		Providers: []WebSearchProviderConfig{
+			{Type: "brave", APIKey: "sk-key", QuotaLimit: int64Ptr(500)},
+		},
+	}
+	out := PopulateWebSearchUsage(context.Background(), cfg)
+	require.NotNil(t, out.Providers[0].QuotaLimit)
+	require.Equal(t, int64(500), *out.Providers[0].QuotaLimit)
+}
+
+func TestPopulateWebSearchUsage_WithManager_NilRedis(t *testing.T) {
+	// Manager with nil Redis returns 0 usage without error
+	mgr := websearch.NewManager([]websearch.ProviderConfig{
+		{Type: "brave", APIKey: "k"},
+	}, nil)
+	SetWebSearchManager(mgr)
+	defer SetWebSearchManager(nil)
+
+	cfg := &WebSearchEmulationConfig{
+		Providers: []WebSearchProviderConfig{
+			{Type: "brave", APIKey: "sk-key", QuotaLimit: int64Ptr(1000)},
+		},
+	}
+	out := PopulateWebSearchUsage(context.Background(), cfg)
+	require.Equal(t, int64(0), out.Providers[0].QuotaUsed)
+	require.True(t, out.Providers[0].APIKeyConfigured)
+}
+
+func TestPopulateWebSearchUsage_DoesNotMutateOriginal(t *testing.T) {
+	SetWebSearchManager(nil)
+	defer SetWebSearchManager(nil)
+
+	cfg := &WebSearchEmulationConfig{
+		Providers: []WebSearchProviderConfig{
+			{Type: "brave", APIKey: "secret", QuotaLimit: int64Ptr(100)},
+		},
+	}
+	_ = PopulateWebSearchUsage(context.Background(), cfg)
+	// Original should be unchanged
+	require.Equal(t, "secret", cfg.Providers[0].APIKey)
+	require.Equal(t, int64(0), cfg.Providers[0].QuotaUsed)
+}
+
+// --- ResetWebSearchUsage ---
+
+func TestResetWebSearchUsage_NilManager(t *testing.T) {
+	SetWebSearchManager(nil)
+	defer SetWebSearchManager(nil)
+
+	err := ResetWebSearchUsage(context.Background(), "brave")
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "not initialized")
+}

From d6965b0676eadba10ba499436302ccb8610af420 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Tue, 14 Apr 2026 10:18:39 +0800
Subject: [PATCH 085/122] fix: resolve cherry-pick conflicts and restore
 compilation

- Restore gateway_cache.go to upstream (no lua embeds)
- Restore payment_order.go to upstream (use out_trade_no lookup)
- Restore payment_fulfillment.go to upstream (same reason)
- Add FeaturesConfig field and IsWebSearchEmulationEnabled to Channel
- Add applyAccountStatsCost wrapper function
- Add SettingKeyWebSearchEmulationConfig constant
- Add WebSearchEmulationEnabled to SystemSettings
- Add notify code rate limiting methods to EmailCache interface
- Remove AllowUserRefund references (ent schema not present)
- Fix duplicate import in payment_handler.go
- Fix wire_gen.go argument mismatches
---
 backend/cmd/server/wire_gen.go                |   4 +-
 backend/internal/handler/payment_handler.go   |   1 -
 backend/internal/repository/gateway_cache.go  | 257 +-----------------
 .../internal/service/account_stats_pricing.go |  21 ++
 backend/internal/service/channel.go           |  16 +-
 backend/internal/service/domain_constants.go  |   3 +
 backend/internal/service/email_service.go     |   4 +
 .../service/payment_config_providers.go       |  21 +-
 .../service/payment_config_service.go         |   2 -
 .../internal/service/payment_fulfillment.go   |  14 +-
 backend/internal/service/payment_order.go     | 254 +----------------
 backend/internal/service/settings_view.go     |   3 +
 12 files changed, 80 insertions(+), 520 deletions(-)

diff --git a/backend/cmd/server/wire_gen.go b/backend/cmd/server/wire_gen.go
index 69daeecf..a0e84f4c 100644
--- a/backend/cmd/server/wire_gen.go
+++ b/backend/cmd/server/wire_gen.go
@@ -143,7 +143,7 @@ func initializeApplication(buildInfo handler.BuildInfo) (*Application, error) {
 	schedulerSnapshotService := service.ProvideSchedulerSnapshotService(schedulerCache, schedulerOutboxRepository, accountRepository, groupRepository, configConfig)
 	antigravityTokenProvider := service.ProvideAntigravityTokenProvider(accountRepository, geminiTokenCache, antigravityOAuthService, oAuthRefreshAPI, tempUnschedCache)
 	internal500CounterCache := repository.NewInternal500CounterCache(redisClient)
-	antigravityGatewayService := service.NewAntigravityGatewayService(accountRepository, gatewayCache, schedulerSnapshotService, antigravityTokenProvider, rateLimitService, httpUpstream, settingService, internal500CounterCache, accountUsageService)
+	antigravityGatewayService := service.NewAntigravityGatewayService(accountRepository, gatewayCache, schedulerSnapshotService, antigravityTokenProvider, rateLimitService, httpUpstream, settingService, internal500CounterCache)
 	accountTestService := service.NewAccountTestService(accountRepository, geminiTokenProvider, antigravityGatewayService, httpUpstream, configConfig, tlsFingerprintProfileService)
 	crsSyncService := service.NewCRSSyncService(accountRepository, proxyRepository, oAuthService, openAIOAuthService, geminiOAuthService, configConfig)
 	accountHandler := admin.NewAccountHandler(adminService, oAuthService, openAIOAuthService, geminiOAuthService, antigravityOAuthService, rateLimitService, accountUsageService, accountTestService, concurrencyService, crsSyncService, sessionLimitCache, rpmCache, compositeTokenCacheInvalidator)
@@ -217,8 +217,8 @@ func initializeApplication(buildInfo handler.BuildInfo) (*Application, error) {
 	}
 	defaultLoadBalancer := payment.ProvideDefaultLoadBalancer(client, encryptionKey)
 	paymentConfigService := service.ProvidePaymentConfigService(client, settingRepository, encryptionKey)
-	settingHandler := admin.NewSettingHandler(settingService, emailService, turnstileService, opsService, paymentConfigService)
 	paymentService := service.NewPaymentService(client, registry, defaultLoadBalancer, redeemService, subscriptionService, paymentConfigService, userRepository, groupRepository)
+	settingHandler := admin.NewSettingHandler(settingService, emailService, turnstileService, opsService, paymentConfigService, paymentService)
 	paymentOrderExpiryService := service.ProvidePaymentOrderExpiryService(paymentService)
 	paymentHandler := admin.NewPaymentHandler(paymentService, paymentConfigService)
 	adminHandlers := handler.ProvideAdminHandlers(dashboardHandler, adminUserHandler, groupHandler, accountHandler, adminAnnouncementHandler, dataManagementHandler, backupHandler, oAuthHandler, openAIOAuthHandler, geminiOAuthHandler, antigravityOAuthHandler, proxyHandler, adminRedeemHandler, promoHandler, settingHandler, opsHandler, systemHandler, adminSubscriptionHandler, adminUsageHandler, userAttributeHandler, errorPassthroughHandler, tlsFingerprintProfileHandler, adminAPIKeyHandler, scheduledTestHandler, channelHandler, paymentHandler)
diff --git a/backend/internal/handler/payment_handler.go b/backend/internal/handler/payment_handler.go
index e01a2af1..0425fc49 100644
--- a/backend/internal/handler/payment_handler.go
+++ b/backend/internal/handler/payment_handler.go
@@ -7,7 +7,6 @@ import (
 	"github.com/Wei-Shaw/sub2api/internal/pkg/pagination"
 	"github.com/Wei-Shaw/sub2api/internal/pkg/response"
 	middleware2 "github.com/Wei-Shaw/sub2api/internal/server/middleware"
-	"github.com/Wei-Shaw/sub2api/internal/pkg/pagination"
 	"github.com/Wei-Shaw/sub2api/internal/service"
 
 	"github.com/gin-gonic/gin"
diff --git a/backend/internal/repository/gateway_cache.go b/backend/internal/repository/gateway_cache.go
index ec4bf40e..58291b66 100644
--- a/backend/internal/repository/gateway_cache.go
+++ b/backend/internal/repository/gateway_cache.go
@@ -2,42 +2,14 @@ package repository
 
 import (
 	"context"
-	_ "embed"
 	"fmt"
-	"strconv"
 	"time"
 
 	"github.com/Wei-Shaw/sub2api/internal/service"
 	"github.com/redis/go-redis/v9"
 )
 
-const (
-	stickySessionPrefix         = "sticky_session:"
-	clientAffinityPrefix        = "client_affinity:"
-	clientAffinityReversePrefix = "client_affinity_rev:"
-)
-
-var (
-	//go:embed lua/get_affinity.lua
-	getAffinityLua string
-	//go:embed lua/update_affinity.lua
-	updateAffinityLua string
-	//go:embed lua/get_affinity_count.lua
-	getAffinityCountLua string
-	//go:embed lua/get_affinity_clients.lua
-	getAffinityClientsLua string
-	//go:embed lua/get_affinity_clients_with_scores.lua
-	getAffinityClientsWithScoresLua string
-	//go:embed lua/clear_account_affinity.lua
-	clearAccountAffinityLua string
-
-	getAffinityScript                  = redis.NewScript(getAffinityLua)
-	updateAffinityScript               = redis.NewScript(updateAffinityLua)
-	getAffinityCountScript             = redis.NewScript(getAffinityCountLua)
-	getAffinityClientsScript           = redis.NewScript(getAffinityClientsLua)
-	getAffinityClientsWithScoresScript = redis.NewScript(getAffinityClientsWithScoresLua)
-	clearAccountAffinityScript         = redis.NewScript(clearAccountAffinityLua)
-)
+const stickySessionPrefix = "sticky_session:"
 
 type gatewayCache struct {
 	rdb *redis.Client
@@ -47,16 +19,6 @@ func NewGatewayCache(rdb *redis.Client) service.GatewayCache {
 	return &gatewayCache{rdb: rdb}
 }
 
-// ensureScriptLoaded 确保 Lua 脚本已加载到 Redis 服务器的脚本缓存中。
-// Pipeline 中的 Script.Run 只发送 EVALSHA，如果 Redis 重启过导致脚本缓存丢失，
-// EVALSHA 会返回 NOSCRIPT 错误。此方法提前加载脚本以避免该问题。
-func ensureScriptLoaded(ctx context.Context, rdb *redis.Client, script *redis.Script) {
-	exists, err := script.Exists(ctx, rdb).Result()
-	if err != nil || len(exists) == 0 || !exists[0] {
-		_ = script.Load(ctx, rdb).Err()
-	}
-}
-
 // buildSessionKey 构建 session key，包含 groupID 实现分组隔离
 // 格式: sticky_session:{groupID}:{sessionHash}
 func buildSessionKey(groupID int64, sessionHash string) string {
@@ -79,218 +41,13 @@ func (c *gatewayCache) RefreshSessionTTL(ctx context.Context, groupID int64, ses
 }
 
 // DeleteSessionAccountID 删除粘性会话与账号的绑定关系。
+// 当检测到绑定的账号不可用（如状态错误、禁用、不可调度等）时调用，
+// 以便下次请求能够重新选择可用账号。
+//
+// DeleteSessionAccountID removes the sticky session binding for the given session.
+// Called when the bound account becomes unavailable (e.g., error status, disabled,
+// or unschedulable), allowing subsequent requests to select a new available account.
 func (c *gatewayCache) DeleteSessionAccountID(ctx context.Context, groupID int64, sessionHash string) error {
 	key := buildSessionKey(groupID, sessionHash)
 	return c.rdb.Del(ctx, key).Err()
 }
-
-// buildAffinityKey 构建正向亲和 key（client → accounts）
-// 格式: client_affinity:{groupID}:{clientID}
-func buildAffinityKey(groupID int64, clientID string) string {
-	return fmt.Sprintf("%s%d:%s", clientAffinityPrefix, groupID, clientID)
-}
-
-// buildAffinityReverseKey 构建反向亲和 key（account → clients）
-// 格式: client_affinity_rev:{groupID}:{accountID}
-func buildAffinityReverseKey(groupID int64, accountID int64) string {
-	return fmt.Sprintf("%s%d:%d", clientAffinityReversePrefix, groupID, accountID)
-}
-
-func (c *gatewayCache) GetClientAffinityAccounts(ctx context.Context, groupID int64, clientID string, ttl time.Duration) ([]int64, error) {
-	key := buildAffinityKey(groupID, clientID)
-	now := time.Now().Unix()
-	expireThreshold := now - int64(ttl.Seconds())
-
-	result, err := getAffinityScript.Run(ctx, c.rdb, []string{key}, expireThreshold).StringSlice()
-	if err != nil {
-		if err == redis.Nil {
-			return nil, nil
-		}
-		return nil, err
-	}
-
-	accountIDs := make([]int64, 0, len(result))
-	for _, s := range result {
-		id, err := strconv.ParseInt(s, 10, 64)
-		if err != nil {
-			continue
-		}
-		accountIDs = append(accountIDs, id)
-	}
-	return accountIDs, nil
-}
-
-func (c *gatewayCache) UpdateClientAffinity(ctx context.Context, groupID int64, clientID string, accountID int64, ttl time.Duration) error {
-	fwdKey := buildAffinityKey(groupID, clientID)
-	revKey := buildAffinityReverseKey(groupID, accountID)
-	now := time.Now().Unix()
-	ttlSeconds := int64(ttl.Seconds())
-	expireThreshold := now - ttlSeconds
-
-	return updateAffinityScript.Run(ctx, c.rdb, []string{fwdKey, revKey},
-		now, ttlSeconds, accountID, expireThreshold, clientID,
-	).Err()
-}
-
-// GetAccountAffinityCountBatch 批量获取账号的亲和客户端数量（惰性清理过期成员）
-func (c *gatewayCache) GetAccountAffinityCountBatch(ctx context.Context, groupID int64, accountIDs []int64, ttl time.Duration) (map[int64]int64, error) {
-	if len(accountIDs) == 0 {
-		return map[int64]int64{}, nil
-	}
-
-	now := time.Now().Unix()
-	expireThreshold := now - int64(ttl.Seconds())
-
-	ensureScriptLoaded(ctx, c.rdb, getAffinityCountScript)
-
-	pipe := c.rdb.Pipeline()
-	cmds := make([]*redis.Cmd, len(accountIDs))
-	for i, accID := range accountIDs {
-		key := buildAffinityReverseKey(groupID, accID)
-		cmds[i] = getAffinityCountScript.Run(ctx, pipe, []string{key}, expireThreshold)
-	}
-	_, err := pipe.Exec(ctx)
-	if err != nil && err != redis.Nil {
-		return nil, err
-	}
-
-	result := make(map[int64]int64, len(accountIDs))
-	for i, accID := range accountIDs {
-		count, _ := cmds[i].Int64()
-		result[accID] = count
-	}
-	return result, nil
-}
-
-// GetAccountAffinityClientsBatch 批量获取每个账号跨所有分组的亲和客户端列表（去重）。
-// accountGroups: map[accountID][]groupID，对每个 (groupID, accountID) 组合查询反向索引。
-func (c *gatewayCache) GetAccountAffinityClientsBatch(ctx context.Context, accountGroups map[int64][]int64, ttl time.Duration) (map[int64][]string, error) {
-	if len(accountGroups) == 0 {
-		return map[int64][]string{}, nil
-	}
-
-	now := time.Now().Unix()
-	expireThreshold := now - int64(ttl.Seconds())
-
-	// 构建所有 (accountID, groupID) 组合的查询
-	type queryItem struct {
-		accountID int64
-		groupID   int64
-	}
-	var queries []queryItem
-	for accID, groupIDs := range accountGroups {
-		for _, gID := range groupIDs {
-			queries = append(queries, queryItem{accountID: accID, groupID: gID})
-		}
-	}
-
-	ensureScriptLoaded(ctx, c.rdb, getAffinityClientsScript)
-
-	pipe := c.rdb.Pipeline()
-	cmds := make([]*redis.Cmd, len(queries))
-	for i, q := range queries {
-		key := buildAffinityReverseKey(q.groupID, q.accountID)
-		cmds[i] = getAffinityClientsScript.Run(ctx, pipe, []string{key}, expireThreshold)
-	}
-	_, err := pipe.Exec(ctx)
-	if err != nil && err != redis.Nil {
-		return nil, err
-	}
-
-	// 合并结果：同一个 accountID 跨多个 group 的 clientID 去重
-	result := make(map[int64][]string, len(accountGroups))
-	seen := make(map[int64]map[string]struct{}, len(accountGroups))
-	for i, q := range queries {
-		clients, _ := cmds[i].StringSlice()
-		if len(clients) == 0 {
-			continue
-		}
-		if seen[q.accountID] == nil {
-			seen[q.accountID] = make(map[string]struct{})
-		}
-		for _, clientID := range clients {
-			if _, exists := seen[q.accountID][clientID]; !exists {
-				seen[q.accountID][clientID] = struct{}{}
-				result[q.accountID] = append(result[q.accountID], clientID)
-			}
-		}
-	}
-	return result, nil
-}
-
-// GetAccountAffinityClientsWithScores 获取单个账号跨所有分组的亲和客户端列表（含最后活跃时间戳，去重取最近）。
-func (c *gatewayCache) GetAccountAffinityClientsWithScores(
-	ctx context.Context,
-	accountID int64,
-	groupIDs []int64,
-	ttl time.Duration,
-) ([]service.AffinityClient, error) {
-	if len(groupIDs) == 0 {
-		return nil, nil
-	}
-
-	now := time.Now().Unix()
-	expireThreshold := now - int64(ttl.Seconds())
-
-	ensureScriptLoaded(ctx, c.rdb, getAffinityClientsWithScoresScript)
-
-	pipe := c.rdb.Pipeline()
-	cmds := make([]*redis.Cmd, len(groupIDs))
-	for i, gID := range groupIDs {
-		key := buildAffinityReverseKey(gID, accountID)
-		cmds[i] = getAffinityClientsWithScoresScript.Run(ctx, pipe, []string{key}, expireThreshold)
-	}
-	_, err := pipe.Exec(ctx)
-	if err != nil && err != redis.Nil {
-		return nil, err
-	}
-
-	// 合并跨组结果，同一 clientID 取最近的 lastActive
-	seen := make(map[string]int64) // clientID → max timestamp
-	for _, cmd := range cmds {
-		vals, _ := cmd.StringSlice()
-		// vals 格式: [clientID1, score1, clientID2, score2, ...]
-		for j := 0; j+1 < len(vals); j += 2 {
-			clientID := vals[j]
-			ts, _ := strconv.ParseInt(vals[j+1], 10, 64)
-			if existing, ok := seen[clientID]; !ok || ts > existing {
-				seen[clientID] = ts
-			}
-		}
-	}
-
-	result := make([]service.AffinityClient, 0, len(seen))
-	for clientID, ts := range seen {
-		result = append(result, service.AffinityClient{
-			ClientID:   clientID,
-			LastActive: time.Unix(ts, 0),
-		})
-	}
-
-	// 按最后活跃时间降序排序
-	service.SortAffinityClients(result)
-
-	return result, nil
-}
-
-// ClearAccountAffinity 清除指定账号在所有分组的亲和记录（正向+反向索引）。
-// 对每个 groupID 执行 Lua 脚本：读取反向索引获取所有客户端，
-// 从每个客户端的正向索引中移除该账号，然后删除反向索引。
-func (c *gatewayCache) ClearAccountAffinity(ctx context.Context, accountID int64, groupIDs []int64) error {
-	if len(groupIDs) == 0 {
-		return nil
-	}
-
-	ensureScriptLoaded(ctx, c.rdb, clearAccountAffinityScript)
-
-	pipe := c.rdb.Pipeline()
-	for _, gID := range groupIDs {
-		revKey := buildAffinityReverseKey(gID, accountID)
-		clearAccountAffinityScript.Run(ctx, pipe, []string{revKey}, gID, accountID)
-	}
-	_, err := pipe.Exec(ctx)
-	if err != nil && err != redis.Nil {
-		return err
-	}
-	return nil
-}
diff --git a/backend/internal/service/account_stats_pricing.go b/backend/internal/service/account_stats_pricing.go
index 61c318d9..47b7496f 100644
--- a/backend/internal/service/account_stats_pricing.go
+++ b/backend/internal/service/account_stats_pricing.go
@@ -227,3 +227,24 @@ func calculateTokenStatsCost(pricing *ChannelModelPricing, tokens UsageTokens) *
 	}
 	return &cost
 }
+
+// applyAccountStatsCost resolves the account stats cost for a usage log entry.
+// It resolves the upstream model (falling back to the requested model) and calls
+// the 4-level priority chain via resolveAccountStatsCost.
+func applyAccountStatsCost(
+	ctx context.Context,
+	usageLog *UsageLog,
+	cs *ChannelService, bs *BillingService,
+	accountID int64, groupID int64,
+	upstreamModel, requestedModel string,
+	tokens UsageTokens,
+	totalCost float64,
+) {
+	model := upstreamModel
+	if model == "" {
+		model = requestedModel
+	}
+	usageLog.AccountStatsCost = resolveAccountStatsCost(
+		ctx, cs, bs, accountID, groupID, model, tokens, 1, totalCost,
+	)
+}
diff --git a/backend/internal/service/channel.go b/backend/internal/service/channel.go
index b034fda0..b3fb2eac 100644
--- a/backend/internal/service/channel.go
+++ b/backend/internal/service/channel.go
@@ -39,7 +39,8 @@ type Channel struct {
 	Status             string
 	BillingModelSource string // "requested", "upstream", or "channel_mapped"
 	RestrictModels     bool   // 是否限制模型（仅允许定价列表中的模型）
-	Features           string // 渠道特性描述（JSON 数组），用于支付页面展示
+	Features           string         // 渠道特性描述（JSON 数组），用于支付页面展示
+	FeaturesConfig     map[string]any // 渠道功能配置（如 web search emulation）
 	CreatedAt          time.Time
 	UpdatedAt          time.Time
 
@@ -222,6 +223,19 @@ func (c *Channel) Clone() *Channel {
 	return &cp
 }
 
+// IsWebSearchEmulationEnabled 返回该渠道是否为指定平台启用了 web search 模拟。
+func (c *Channel) IsWebSearchEmulationEnabled(platform string) bool {
+	if c == nil || c.FeaturesConfig == nil {
+		return false
+	}
+	wse, ok := c.FeaturesConfig[featureKeyWebSearchEmulation].(map[string]any)
+	if !ok {
+		return false
+	}
+	enabled, ok := wse[platform].(bool)
+	return ok && enabled
+}
+
 // deepCopyFeaturesConfig creates a deep copy of FeaturesConfig to prevent cache pollution.
 func deepCopyFeaturesConfig(src map[string]any) map[string]any {
 	dst := make(map[string]any, len(src))
diff --git a/backend/internal/service/domain_constants.go b/backend/internal/service/domain_constants.go
index bdced29a..cb452efb 100644
--- a/backend/internal/service/domain_constants.go
+++ b/backend/internal/service/domain_constants.go
@@ -258,6 +258,9 @@ const (
 	// Account Quota Notification
 	SettingKeyAccountQuotaNotifyEnabled = "account_quota_notify_enabled" // 全局开关
 	SettingKeyAccountQuotaNotifyEmails  = "account_quota_notify_emails"  // 管理员通知邮箱列表（JSON 数组）
+
+	// Web Search Emulation
+	SettingKeyWebSearchEmulationConfig = "web_search_emulation_config" // JSON 配置
 )
 
 // AdminAPIKeyPrefix is the prefix for admin API keys (distinct from user "sk-" keys).
diff --git a/backend/internal/service/email_service.go b/backend/internal/service/email_service.go
index 9cfd3bbd..9a03ea30 100644
--- a/backend/internal/service/email_service.go
+++ b/backend/internal/service/email_service.go
@@ -49,6 +49,10 @@ type EmailCache interface {
 	// Returns true if in cooldown period (email was sent recently)
 	IsPasswordResetEmailInCooldown(ctx context.Context, email string) bool
 	SetPasswordResetEmailCooldown(ctx context.Context, email string, ttl time.Duration) error
+
+	// Notify code rate limiting per user
+	IncrNotifyCodeUserRate(ctx context.Context, userID int64, window time.Duration) (int64, error)
+	GetNotifyCodeUserRate(ctx context.Context, userID int64) (int64, error)
 }
 
 // VerificationCodeData represents verification code data
diff --git a/backend/internal/service/payment_config_providers.go b/backend/internal/service/payment_config_providers.go
index 0c71ab29..072ed002 100644
--- a/backend/internal/service/payment_config_providers.go
+++ b/backend/internal/service/payment_config_providers.go
@@ -30,7 +30,6 @@ type ProviderInstanceResponse struct {
 	Limits          string            `json:"limits"`
 	Enabled         bool              `json:"enabled"`
 	RefundEnabled   bool              `json:"refund_enabled"`
-	AllowUserRefund bool              `json:"allow_user_refund"`
 	SortOrder       int               `json:"sort_order"`
 	PaymentMode     string            `json:"payment_mode"`
 }
@@ -47,7 +46,7 @@ func (s *PaymentConfigService) ListProviderInstancesWithConfig(ctx context.Conte
 		resp := ProviderInstanceResponse{
 			ID: int64(inst.ID), ProviderKey: inst.ProviderKey, Name: inst.Name,
 			SupportedTypes: splitTypes(inst.SupportedTypes), Limits: inst.Limits,
-			Enabled: inst.Enabled, RefundEnabled: inst.RefundEnabled, AllowUserRefund: inst.AllowUserRefund,
+			Enabled: inst.Enabled, RefundEnabled: inst.RefundEnabled,
 			SortOrder: inst.SortOrder, PaymentMode: inst.PaymentMode,
 		}
 		resp.Config, err = s.decryptAndMaskConfig(inst.Config)
@@ -111,12 +110,10 @@ func (s *PaymentConfigService) CreateProviderInstance(ctx context.Context, req C
 	if err != nil {
 		return nil, err
 	}
-	allowUserRefund := req.AllowUserRefund && req.RefundEnabled
 	return s.entClient.PaymentProviderInstance.Create().
 		SetProviderKey(req.ProviderKey).SetName(req.Name).SetConfig(enc).
 		SetSupportedTypes(typesStr).SetEnabled(req.Enabled).SetPaymentMode(req.PaymentMode).
 		SetSortOrder(req.SortOrder).SetLimits(req.Limits).SetRefundEnabled(req.RefundEnabled).
-		SetAllowUserRefund(allowUserRefund).
 		Save(ctx)
 }
 
@@ -224,21 +221,6 @@ func (s *PaymentConfigService) UpdateProviderInstance(ctx context.Context, id in
 	}
 	if req.RefundEnabled != nil {
 		u.SetRefundEnabled(*req.RefundEnabled)
-		// Cascade: turning off refund_enabled also disables allow_user_refund
-		if !*req.RefundEnabled {
-			u.SetAllowUserRefund(false)
-		}
-	}
-	if req.AllowUserRefund != nil {
-		// Only allow enabling when refund_enabled is true
-		if *req.AllowUserRefund {
-			inst, err := s.entClient.PaymentProviderInstance.Get(ctx, id)
-			if err == nil && inst.RefundEnabled {
-				u.SetAllowUserRefund(true)
-			}
-		} else {
-			u.SetAllowUserRefund(false)
-		}
 	}
 	if req.PaymentMode != nil {
 		u.SetPaymentMode(*req.PaymentMode)
@@ -250,7 +232,6 @@ func (s *PaymentConfigService) UpdateProviderInstance(ctx context.Context, id in
 func (s *PaymentConfigService) GetUserRefundEligibleInstanceIDs(ctx context.Context) ([]string, error) {
 	instances, err := s.entClient.PaymentProviderInstance.Query().
 		Where(
-			paymentproviderinstance.AllowUserRefundEQ(true),
 			paymentproviderinstance.RefundEnabledEQ(true),
 		).Select(paymentproviderinstance.FieldID).All(ctx)
 	if err != nil {
diff --git a/backend/internal/service/payment_config_service.go b/backend/internal/service/payment_config_service.go
index cce31f4d..6d470342 100644
--- a/backend/internal/service/payment_config_service.go
+++ b/backend/internal/service/payment_config_service.go
@@ -114,7 +114,6 @@ type CreateProviderInstanceRequest struct {
 	SortOrder       int               `json:"sort_order"`
 	Limits          string            `json:"limits"`
 	RefundEnabled   bool              `json:"refund_enabled"`
-	AllowUserRefund bool              `json:"allow_user_refund"`
 }
 
 type UpdateProviderInstanceRequest struct {
@@ -126,7 +125,6 @@ type UpdateProviderInstanceRequest struct {
 	SortOrder       *int              `json:"sort_order"`
 	Limits          *string           `json:"limits"`
 	RefundEnabled   *bool             `json:"refund_enabled"`
-	AllowUserRefund *bool             `json:"allow_user_refund"`
 }
 type CreatePlanRequest struct {
 	GroupID       int64    `json:"group_id"`
diff --git a/backend/internal/service/payment_fulfillment.go b/backend/internal/service/payment_fulfillment.go
index 51307849..de41d742 100644
--- a/backend/internal/service/payment_fulfillment.go
+++ b/backend/internal/service/payment_fulfillment.go
@@ -5,6 +5,8 @@ import (
 	"fmt"
 	"log/slog"
 	"math"
+	"strconv"
+	"strings"
 	"time"
 
 	dbent "github.com/Wei-Shaw/sub2api/ent"
@@ -20,11 +22,17 @@ func (s *PaymentService) HandlePaymentNotification(ctx context.Context, n *payme
 	if n.Status != payment.NotificationStatusSuccess {
 		return nil
 	}
-	oid, err := parseOrderID(n.OrderID)
+	// Look up order by out_trade_no (the external order ID we sent to the provider)
+	order, err := s.entClient.PaymentOrder.Query().Where(paymentorder.OutTradeNo(n.OrderID)).Only(ctx)
 	if err != nil {
-		return fmt.Errorf("invalid order ID: %s", n.OrderID)
+		// Fallback: try legacy format (sub2_N where N is DB ID)
+		trimmed := strings.TrimPrefix(n.OrderID, orderIDPrefix)
+		if oid, parseErr := strconv.ParseInt(trimmed, 10, 64); parseErr == nil {
+			return s.confirmPayment(ctx, oid, n.TradeNo, n.Amount, pk)
+		}
+		return fmt.Errorf("order not found for out_trade_no: %s", n.OrderID)
 	}
-	return s.confirmPayment(ctx, oid, n.TradeNo, n.Amount, pk)
+	return s.confirmPayment(ctx, order.ID, n.TradeNo, n.Amount, pk)
 }
 
 func (s *PaymentService) confirmPayment(ctx context.Context, oid int64, tradeNo string, paid float64, pk string) error {
diff --git a/backend/internal/service/payment_order.go b/backend/internal/service/payment_order.go
index e81af3f5..ff4dfaa8 100644
--- a/backend/internal/service/payment_order.go
+++ b/backend/internal/service/payment_order.go
@@ -10,7 +10,6 @@ import (
 	"time"
 
 	dbent "github.com/Wei-Shaw/sub2api/ent"
-	"github.com/Wei-Shaw/sub2api/ent/paymentauditlog"
 	"github.com/Wei-Shaw/sub2api/ent/paymentorder"
 	"github.com/Wei-Shaw/sub2api/internal/payment"
 	"github.com/Wei-Shaw/sub2api/internal/payment/provider"
@@ -170,68 +169,6 @@ func (s *PaymentService) checkPendingLimit(ctx context.Context, tx *dbent.Tx, us
 	return nil
 }
 
-func (s *PaymentService) checkCancelRateLimit(ctx context.Context, userID int64, cfg *PaymentConfig) error {
-	if !cfg.CancelRateLimitEnabled || cfg.CancelRateLimitMax <= 0 {
-		return nil
-	}
-	windowStart := cancelRateLimitWindowStart(cfg)
-	operator := fmt.Sprintf("user:%d", userID)
-	count, err := s.entClient.PaymentAuditLog.Query().
-		Where(
-			paymentauditlog.ActionEQ("ORDER_CANCELLED"),
-			paymentauditlog.OperatorEQ(operator),
-			paymentauditlog.CreatedAtGTE(windowStart),
-		).Count(ctx)
-	if err != nil {
-		slog.Error("check cancel rate limit failed", "userID", userID, "error", err)
-		return nil // fail open
-	}
-	if count >= cfg.CancelRateLimitMax {
-		return infraerrors.TooManyRequests("CANCEL_RATE_LIMITED", "cancel rate limited").
-			WithMetadata(map[string]string{
-				"max":    strconv.Itoa(cfg.CancelRateLimitMax),
-				"window": strconv.Itoa(cfg.CancelRateLimitWindow),
-				"unit":   cfg.CancelRateLimitUnit,
-			})
-	}
-	return nil
-}
-
-func cancelRateLimitWindowStart(cfg *PaymentConfig) time.Time {
-	now := time.Now()
-	w := cfg.CancelRateLimitWindow
-	if w <= 0 {
-		w = 1
-	}
-	unit := cfg.CancelRateLimitUnit
-	if unit == "" {
-		unit = "day"
-	}
-	if cfg.CancelRateLimitMode == "fixed" {
-		switch unit {
-		case "minute":
-			t := now.Truncate(time.Minute)
-			return t.Add(-time.Duration(w-1) * time.Minute)
-		case "day":
-			y, m, d := now.Date()
-			t := time.Date(y, m, d, 0, 0, 0, 0, now.Location())
-			return t.AddDate(0, 0, -(w - 1))
-		default: // hour
-			t := now.Truncate(time.Hour)
-			return t.Add(-time.Duration(w-1) * time.Hour)
-		}
-	}
-	// rolling window
-	switch unit {
-	case "minute":
-		return now.Add(-time.Duration(w) * time.Minute)
-	case "day":
-		return now.AddDate(0, 0, -w)
-	default: // hour
-		return now.Add(-time.Duration(w) * time.Hour)
-	}
-}
-
 func (s *PaymentService) checkDailyLimit(ctx context.Context, tx *dbent.Tx, userID int64, amount, limit float64) error {
 	if limit <= 0 {
 		return nil
@@ -252,19 +189,16 @@ func (s *PaymentService) checkDailyLimit(ctx context.Context, tx *dbent.Tx, user
 }
 
 func (s *PaymentService) invokeProvider(ctx context.Context, order *dbent.PaymentOrder, req CreateOrderRequest, cfg *PaymentConfig, payAmountStr string, payAmount float64, plan *dbent.SubscriptionPlan) (*CreateOrderResponse, error) {
-	s.EnsureProviders(ctx)
-	providerKey := s.registry.GetProviderKey(req.PaymentType)
-	if providerKey == "" {
-		return nil, infraerrors.ServiceUnavailable("PAYMENT_GATEWAY_ERROR", fmt.Sprintf("payment method (%s) is not configured", req.PaymentType))
-	}
-	sel, err := s.loadBalancer.SelectInstance(ctx, providerKey, req.PaymentType, payment.Strategy(cfg.LoadBalanceStrategy), payAmount)
+	// Select an instance across all providers that support the requested payment type.
+	// This enables cross-provider load balancing (e.g. EasyPay + Alipay direct for "alipay").
+	sel, err := s.loadBalancer.SelectInstance(ctx, "", req.PaymentType, payment.Strategy(cfg.LoadBalanceStrategy), payAmount)
 	if err != nil {
-		return nil, fmt.Errorf("select provider instance: %w", err)
+		return nil, infraerrors.ServiceUnavailable("PAYMENT_GATEWAY_ERROR", fmt.Sprintf("payment method (%s) is not configured", req.PaymentType))
 	}
 	if sel == nil {
 		return nil, infraerrors.TooManyRequests("NO_AVAILABLE_INSTANCE", "no available payment instance")
 	}
-	prov, err := provider.CreateProvider(providerKey, sel.InstanceID, sel.Config)
+	prov, err := provider.CreateProvider(sel.ProviderKey, sel.InstanceID, sel.Config)
 	if err != nil {
 		return nil, infraerrors.ServiceUnavailable("PAYMENT_GATEWAY_ERROR", "payment method is temporarily unavailable")
 	}
@@ -272,7 +206,7 @@ func (s *PaymentService) invokeProvider(ctx context.Context, order *dbent.Paymen
 	outTradeNo := order.OutTradeNo
 	pr, err := prov.CreatePayment(ctx, payment.CreatePaymentRequest{OrderID: outTradeNo, Amount: payAmountStr, PaymentType: req.PaymentType, Subject: subject, ClientIP: req.ClientIP, IsMobile: req.IsMobile, InstanceSubMethods: sel.SupportedTypes})
 	if err != nil {
-		slog.Error("[PaymentService] CreatePayment failed", "provider", providerKey, "instance", sel.InstanceID, "error", err)
+		slog.Error("[PaymentService] CreatePayment failed", "provider", sel.ProviderKey, "instance", sel.InstanceID, "error", err)
 		return nil, infraerrors.ServiceUnavailable("PAYMENT_GATEWAY_ERROR", fmt.Sprintf("payment gateway error: %s", err.Error()))
 	}
 	_, err = s.entClient.PaymentOrder.UpdateOneID(order.ID).SetNillablePaymentTradeNo(psNilIfEmpty(pr.TradeNo)).SetNillablePayURL(psNilIfEmpty(pr.PayURL)).SetNillableQrCode(psNilIfEmpty(pr.QRCode)).SetNillableProviderInstanceID(psNilIfEmpty(sel.InstanceID)).Save(ctx)
@@ -357,6 +291,13 @@ func (s *PaymentService) AdminListOrders(ctx context.Context, userID int64, p Or
 	if p.PaymentType != "" {
 		q = q.Where(paymentorder.PaymentTypeEQ(p.PaymentType))
 	}
+	if p.Keyword != "" {
+		q = q.Where(paymentorder.Or(
+			paymentorder.OutTradeNoContainsFold(p.Keyword),
+			paymentorder.UserEmailContainsFold(p.Keyword),
+			paymentorder.UserNameContainsFold(p.Keyword),
+		))
+	}
 	total, err := q.Clone().Count(ctx)
 	if err != nil {
 		return nil, 0, fmt.Errorf("count admin orders: %w", err)
@@ -368,172 +309,3 @@ func (s *PaymentService) AdminListOrders(ctx context.Context, userID int64, p Or
 	}
 	return orders, total, nil
 }
-
-// --- Cancel & Expire ---
-
-func (s *PaymentService) CancelOrder(ctx context.Context, orderID, userID int64) (string, error) {
-	o, err := s.entClient.PaymentOrder.Get(ctx, orderID)
-	if err != nil {
-		return "", infraerrors.NotFound("NOT_FOUND", "order not found")
-	}
-	if o.UserID != userID {
-		return "", infraerrors.Forbidden("FORBIDDEN", "no permission for this order")
-	}
-	if o.Status != OrderStatusPending {
-		return "", infraerrors.BadRequest("INVALID_STATUS", "order cannot be cancelled in current status")
-	}
-	return s.cancelCore(ctx, o, OrderStatusCancelled, fmt.Sprintf("user:%d", userID), "user cancelled order")
-}
-
-func (s *PaymentService) AdminCancelOrder(ctx context.Context, orderID int64) (string, error) {
-	o, err := s.entClient.PaymentOrder.Get(ctx, orderID)
-	if err != nil {
-		return "", infraerrors.NotFound("NOT_FOUND", "order not found")
-	}
-	if o.Status != OrderStatusPending {
-		return "", infraerrors.BadRequest("INVALID_STATUS", "order cannot be cancelled in current status")
-	}
-	return s.cancelCore(ctx, o, OrderStatusCancelled, "admin", "admin cancelled order")
-}
-
-func (s *PaymentService) cancelCore(ctx context.Context, o *dbent.PaymentOrder, fs, op, ad string) (string, error) {
-	if o.PaymentTradeNo != "" || o.PaymentType != "" {
-		if s.checkPaid(ctx, o) == "already_paid" {
-			return "already_paid", nil
-		}
-	}
-	c, err := s.entClient.PaymentOrder.Update().Where(paymentorder.IDEQ(o.ID), paymentorder.StatusEQ(OrderStatusPending)).SetStatus(fs).Save(ctx)
-	if err != nil {
-		return "", fmt.Errorf("update order status: %w", err)
-	}
-	if c > 0 {
-		auditAction := "ORDER_CANCELLED"
-		if fs == OrderStatusExpired {
-			auditAction = "ORDER_EXPIRED"
-		}
-		s.writeAuditLog(ctx, o.ID, auditAction, op, map[string]any{"detail": ad})
-	}
-	return "cancelled", nil
-}
-
-func (s *PaymentService) checkPaid(ctx context.Context, o *dbent.PaymentOrder) string {
-	prov, err := s.getOrderProvider(ctx, o)
-	if err != nil {
-		return ""
-	}
-	// Use OutTradeNo as fallback when PaymentTradeNo is empty
-	// (e.g. EasyPay popup mode where trade_no arrives only via notify callback)
-	tradeNo := o.PaymentTradeNo
-	if tradeNo == "" {
-		tradeNo = o.OutTradeNo
-	}
-	resp, err := prov.QueryOrder(ctx, tradeNo)
-	if err != nil {
-		slog.Warn("query upstream failed", "orderID", o.ID, "error", err)
-		return ""
-	}
-	if resp.Status == payment.ProviderStatusPaid {
-		if err := s.HandlePaymentNotification(ctx, &payment.PaymentNotification{TradeNo: o.PaymentTradeNo, OrderID: o.OutTradeNo, Amount: resp.Amount, Status: payment.ProviderStatusSuccess}, prov.ProviderKey()); err != nil {
-			slog.Error("fulfillment failed during checkPaid", "orderID", o.ID, "error", err)
-			// Still return already_paid — order was paid, fulfillment can be retried
-		}
-		return "already_paid"
-	}
-	if cp, ok := prov.(payment.CancelableProvider); ok {
-		_ = cp.CancelPayment(ctx, tradeNo)
-	}
-	return ""
-}
-
-// VerifyOrderByOutTradeNo actively queries the upstream provider to check
-// if a payment was made, and processes it if so. This handles the case where
-// the provider's notify callback was missed (e.g. EasyPay popup mode).
-func (s *PaymentService) VerifyOrderByOutTradeNo(ctx context.Context, outTradeNo string, userID int64) (*dbent.PaymentOrder, error) {
-	o, err := s.entClient.PaymentOrder.Query().
-		Where(paymentorder.OutTradeNo(outTradeNo)).
-		Only(ctx)
-	if err != nil {
-		return nil, infraerrors.NotFound("NOT_FOUND", "order not found")
-	}
-	if o.UserID != userID {
-		return nil, infraerrors.Forbidden("FORBIDDEN", "no permission for this order")
-	}
-	// Only verify orders that are still pending or recently expired
-	if o.Status == OrderStatusPending || o.Status == OrderStatusExpired {
-		result := s.checkPaid(ctx, o)
-		if result == "already_paid" {
-			// Reload order to get updated status
-			o, err = s.entClient.PaymentOrder.Get(ctx, o.ID)
-			if err != nil {
-				return nil, fmt.Errorf("reload order: %w", err)
-			}
-		}
-	}
-	return o, nil
-}
-
-// VerifyOrderPublic verifies payment status without user authentication.
-// Used by the payment result page when the user's session has expired.
-func (s *PaymentService) VerifyOrderPublic(ctx context.Context, outTradeNo string) (*dbent.PaymentOrder, error) {
-	o, err := s.entClient.PaymentOrder.Query().
-		Where(paymentorder.OutTradeNo(outTradeNo)).
-		Only(ctx)
-	if err != nil {
-		return nil, infraerrors.NotFound("NOT_FOUND", "order not found")
-	}
-	if o.Status == OrderStatusPending || o.Status == OrderStatusExpired {
-		result := s.checkPaid(ctx, o)
-		if result == "already_paid" {
-			o, err = s.entClient.PaymentOrder.Get(ctx, o.ID)
-			if err != nil {
-				return nil, fmt.Errorf("reload order: %w", err)
-			}
-		}
-	}
-	return o, nil
-}
-
-func (s *PaymentService) ExpireTimedOutOrders(ctx context.Context) (int, error) {
-	now := time.Now()
-	orders, err := s.entClient.PaymentOrder.Query().Where(paymentorder.StatusEQ(OrderStatusPending), paymentorder.ExpiresAtLTE(now)).All(ctx)
-	if err != nil {
-		return 0, fmt.Errorf("query expired: %w", err)
-	}
-	n := 0
-	for _, o := range orders {
-		// Check upstream payment status before expiring — the user may have
-		// paid just before timeout and the webhook hasn't arrived yet.
-		outcome, _ := s.cancelCore(ctx, o, OrderStatusExpired, "system", "order expired")
-		if outcome == "already_paid" {
-			slog.Info("order was paid during expiry", "orderID", o.ID)
-			continue
-		}
-		if outcome != "" {
-			n++
-		}
-	}
-	return n, nil
-}
-
-// getOrderProvider creates a provider using the order's original instance config.
-// Falls back to registry lookup if instance ID is missing (legacy orders).
-func (s *PaymentService) getOrderProvider(ctx context.Context, o *dbent.PaymentOrder) (payment.Provider, error) {
-	if o.ProviderInstanceID != nil && *o.ProviderInstanceID != "" {
-		instID, err := strconv.ParseInt(*o.ProviderInstanceID, 10, 64)
-		if err == nil {
-			cfg, err := s.loadBalancer.GetInstanceConfig(ctx, instID)
-			if err == nil {
-				providerKey := s.registry.GetProviderKey(o.PaymentType)
-				if providerKey == "" {
-					providerKey = o.PaymentType
-				}
-				p, err := provider.CreateProvider(providerKey, *o.ProviderInstanceID, cfg)
-				if err == nil {
-					return p, nil
-				}
-			}
-		}
-	}
-	s.EnsureProviders(ctx)
-	return s.registry.GetProvider(o.PaymentType)
-}
diff --git a/backend/internal/service/settings_view.go b/backend/internal/service/settings_view.go
index ec20fe0a..ab2eb274 100644
--- a/backend/internal/service/settings_view.go
+++ b/backend/internal/service/settings_view.go
@@ -107,6 +107,9 @@ type SystemSettings struct {
 	EnableMetadataPassthrough    bool // 是否透传客户端原始 metadata（默认 false）
 	EnableCCHSigning             bool // 是否对 billing header cch 进行签名（默认 false）
 
+	// Web Search Emulation
+	WebSearchEmulationEnabled bool // 是否启用 web search 模拟
+
 	// Balance low notification
 	BalanceLowNotifyEnabled     bool
 	BalanceLowNotifyThreshold   float64

From 24e16b7f599eba35e180ae2e53b5e042775a6421 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Tue, 14 Apr 2026 10:58:51 +0800
Subject: [PATCH 086/122] fix: restore resolveOpenAIMessagesDispatchMappedModel
 and reset VERSION

- Restore function deleted during cherry-pick conflict resolution
- Reset VERSION to upstream 0.1.112
---
 backend/cmd/server/VERSION                         | 2 +-
 backend/internal/handler/openai_gateway_handler.go | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/backend/cmd/server/VERSION b/backend/cmd/server/VERSION
index 630554d9..4b9b35d8 100644
--- a/backend/cmd/server/VERSION
+++ b/backend/cmd/server/VERSION
@@ -1 +1 @@
-0.1.112.4
+0.1.112
diff --git a/backend/internal/handler/openai_gateway_handler.go b/backend/internal/handler/openai_gateway_handler.go
index dda6d2e3..6c5a6779 100644
--- a/backend/internal/handler/openai_gateway_handler.go
+++ b/backend/internal/handler/openai_gateway_handler.go
@@ -47,6 +47,13 @@ func resolveOpenAIForwardDefaultMappedModel(apiKey *service.APIKey, fallbackMode
 	return strings.TrimSpace(apiKey.Group.DefaultMappedModel)
 }
 
+func resolveOpenAIMessagesDispatchMappedModel(apiKey *service.APIKey, requestedModel string) string {
+	if apiKey == nil || apiKey.Group == nil {
+		return ""
+	}
+	return strings.TrimSpace(apiKey.Group.ResolveMessagesDispatchModel(requestedModel))
+}
+
 // NewOpenAIGatewayHandler creates a new OpenAIGatewayHandler
 func NewOpenAIGatewayHandler(
 	gatewayService *service.OpenAIGatewayService,

From b42f34c359251bd374d957092915a7e79616e0db Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Tue, 14 Apr 2026 11:27:32 +0800
Subject: [PATCH 087/122] fix: resolve test compilation errors and restore
 upstream VERSION

- Add missing interface methods to test stubs (RemoveGroupFromUserAllowedGroups,
  GetNotifyCodeUserRate, IncrNotifyCodeUserRate, UpdateGroupIDByUserAndGroup)
- Fix NewUserService call signatures (add 4th param)
- Fix GetAccountCount return signature (3 values)
- Update api_contract_test.go snapshots for balance_notify fields
- Restore resolveOpenAIMessagesDispatchMappedModel function
- Reset VERSION to upstream 0.1.112
---
 backend/internal/server/api_contract_test.go       | 14 ++++++++++++--
 .../internal/server/middleware/admin_auth_test.go  |  2 +-
 .../internal/server/middleware/jwt_auth_test.go    |  2 +-
 .../internal/service/admin_service_apikey_test.go  |  8 +++++++-
 .../internal/service/auth_service_register_test.go |  8 ++++++++
 backend/internal/service/user_service_test.go      |  3 +++
 6 files changed, 32 insertions(+), 5 deletions(-)

diff --git a/backend/internal/server/api_contract_test.go b/backend/internal/server/api_contract_test.go
index 08291faa..44c3f0e4 100644
--- a/backend/internal/server/api_contract_test.go
+++ b/backend/internal/server/api_contract_test.go
@@ -58,6 +58,11 @@ func TestAPIContracts(t *testing.T) {
 					"allowed_groups": null,
 					"created_at": "2025-01-02T03:04:05Z",
 					"updated_at": "2025-01-02T03:04:05Z",
+					"balance_notify_enabled": false,
+					"balance_notify_threshold_type": "",
+					"balance_notify_threshold": null,
+					"balance_notify_extra_emails": null,
+					"total_recharged": 0,
 					"run_mode": "standard"
 				}
 			}`,
@@ -606,7 +611,12 @@ func TestAPIContracts(t *testing.T) {
 					"payment_cancel_rate_limit_max": 0,
 					"payment_cancel_rate_limit_window": 0,
 					"payment_cancel_rate_limit_unit": "",
-					"payment_cancel_rate_limit_window_mode": ""
+					"payment_cancel_rate_limit_window_mode": "",
+					"balance_low_notify_enabled": false,
+					"account_quota_notify_enabled": false,
+					"balance_low_notify_threshold": 0,
+					"balance_low_notify_recharge_url": "",
+					"account_quota_notify_emails": []
 				}
 			}`,
 		},
@@ -699,7 +709,7 @@ func newContractDeps(t *testing.T) *contractDeps {
 		RunMode: config.RunModeStandard,
 	}
 
-	userService := service.NewUserService(userRepo, nil, nil)
+	userService := service.NewUserService(userRepo, nil, nil, nil)
 	apiKeyService := service.NewAPIKeyService(apiKeyRepo, userRepo, groupRepo, userSubRepo, nil, apiKeyCache, cfg)
 
 	usageRepo := newStubUsageLogRepo()
diff --git a/backend/internal/server/middleware/admin_auth_test.go b/backend/internal/server/middleware/admin_auth_test.go
index aafe4a58..ed2578c8 100644
--- a/backend/internal/server/middleware/admin_auth_test.go
+++ b/backend/internal/server/middleware/admin_auth_test.go
@@ -39,7 +39,7 @@ func TestAdminAuthJWTValidatesTokenVersion(t *testing.T) {
 			return &clone, nil
 		},
 	}
-	userService := service.NewUserService(userRepo, nil, nil)
+	userService := service.NewUserService(userRepo, nil, nil, nil)
 
 	router := gin.New()
 	router.Use(gin.HandlerFunc(NewAdminAuthMiddleware(authService, userService, nil)))
diff --git a/backend/internal/server/middleware/jwt_auth_test.go b/backend/internal/server/middleware/jwt_auth_test.go
index ad9c1b5b..c483a51e 100644
--- a/backend/internal/server/middleware/jwt_auth_test.go
+++ b/backend/internal/server/middleware/jwt_auth_test.go
@@ -41,7 +41,7 @@ func newJWTTestEnv(users map[int64]*service.User) (*gin.Engine, *service.AuthSer
 
 	userRepo := &stubJWTUserRepo{users: users}
 	authSvc := service.NewAuthService(nil, userRepo, nil, nil, cfg, nil, nil, nil, nil, nil, nil)
-	userSvc := service.NewUserService(userRepo, nil, nil)
+	userSvc := service.NewUserService(userRepo, nil, nil, nil)
 	mw := NewJWTAuthMiddleware(authSvc, userSvc)
 
 	r := gin.New()
diff --git a/backend/internal/service/admin_service_apikey_test.go b/backend/internal/service/admin_service_apikey_test.go
index 5c18a438..7f0a24da 100644
--- a/backend/internal/service/admin_service_apikey_test.go
+++ b/backend/internal/service/admin_service_apikey_test.go
@@ -70,6 +70,9 @@ func (s *userRepoStubForGroupUpdate) UpdateTotpSecret(context.Context, int64, *s
 }
 func (s *userRepoStubForGroupUpdate) EnableTotp(context.Context, int64) error  { panic("unexpected") }
 func (s *userRepoStubForGroupUpdate) DisableTotp(context.Context, int64) error { panic("unexpected") }
+func (s *userRepoStubForGroupUpdate) RemoveGroupFromUserAllowedGroups(context.Context, int64, int64) error {
+	panic("unexpected")
+}
 
 // apiKeyRepoStubForGroupUpdate implements APIKeyRepository for AdminUpdateAPIKeyGroupID tests.
 type apiKeyRepoStubForGroupUpdate struct {
@@ -152,6 +155,9 @@ func (s *apiKeyRepoStubForGroupUpdate) ResetRateLimitWindows(context.Context, in
 func (s *apiKeyRepoStubForGroupUpdate) GetRateLimitData(context.Context, int64) (*APIKeyRateLimitData, error) {
 	panic("unexpected")
 }
+func (s *apiKeyRepoStubForGroupUpdate) UpdateGroupIDByUserAndGroup(context.Context, int64, int64, int64) (int64, error) {
+	panic("unexpected")
+}
 
 // groupRepoStubForGroupUpdate implements GroupRepository for AdminUpdateAPIKeyGroupID tests.
 type groupRepoStubForGroupUpdate struct {
@@ -194,7 +200,7 @@ func (s *groupRepoStubForGroupUpdate) ListActiveByPlatform(context.Context, stri
 func (s *groupRepoStubForGroupUpdate) ExistsByName(context.Context, string) (bool, error) {
 	panic("unexpected")
 }
-func (s *groupRepoStubForGroupUpdate) GetAccountCount(context.Context, int64) (int64, error) {
+func (s *groupRepoStubForGroupUpdate) GetAccountCount(context.Context, int64) (int64, int64, error) {
 	panic("unexpected")
 }
 func (s *groupRepoStubForGroupUpdate) DeleteAccountGroupsByGroupID(context.Context, int64) (int64, error) {
diff --git a/backend/internal/service/auth_service_register_test.go b/backend/internal/service/auth_service_register_test.go
index 0999b4f0..103bafe7 100644
--- a/backend/internal/service/auth_service_register_test.go
+++ b/backend/internal/service/auth_service_register_test.go
@@ -119,6 +119,14 @@ func (s *emailCacheStub) SetPasswordResetEmailCooldown(ctx context.Context, emai
 	return nil
 }
 
+func (s *emailCacheStub) GetNotifyCodeUserRate(ctx context.Context, userID int64) (int64, error) {
+	return 0, nil
+}
+
+func (s *emailCacheStub) IncrNotifyCodeUserRate(ctx context.Context, userID int64, window time.Duration) (int64, error) {
+	return 0, nil
+}
+
 func newAuthService(repo *userRepoStub, settings map[string]string, emailCache EmailCache) *AuthService {
 	cfg := &config.Config{
 		JWT: config.JWTConfig{
diff --git a/backend/internal/service/user_service_test.go b/backend/internal/service/user_service_test.go
index 29267c19..a998d5f4 100644
--- a/backend/internal/service/user_service_test.go
+++ b/backend/internal/service/user_service_test.go
@@ -49,6 +49,9 @@ func (m *mockUserRepo) AddGroupToAllowedGroups(context.Context, int64, int64) er
 func (m *mockUserRepo) UpdateTotpSecret(context.Context, int64, *string) error      { return nil }
 func (m *mockUserRepo) EnableTotp(context.Context, int64) error                     { return nil }
 func (m *mockUserRepo) DisableTotp(context.Context, int64) error                    { return nil }
+func (m *mockUserRepo) RemoveGroupFromUserAllowedGroups(context.Context, int64, int64) error {
+	return nil
+}
 
 // --- mock: APIKeyAuthCacheInvalidator ---
 

From 4aa0070e3d0ac672e514713eec5b8194ce4160b2 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Tue, 14 Apr 2026 11:31:44 +0800
Subject: [PATCH 088/122] fix: Stripe payment type matching in load balancer

Checkout page aggregates Stripe sub-types (card,link,alipay,wxpay) under
"stripe", but SelectInstance matched against supported_types literally,
which doesn't contain "stripe". Now matches by provider_key for Stripe.
---
 backend/internal/payment/load_balancer.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/backend/internal/payment/load_balancer.go b/backend/internal/payment/load_balancer.go
index 55cb2043..f0353173 100644
--- a/backend/internal/payment/load_balancer.go
+++ b/backend/internal/payment/load_balancer.go
@@ -117,7 +117,13 @@ func (lb *DefaultLoadBalancer) queryEnabledInstances(
 
 	var matched []*dbent.PaymentProviderInstance
 	for _, inst := range instances {
-		if InstanceSupportsType(inst.SupportedTypes, paymentType) {
+		// Stripe: match by provider_key because supported_types lists sub-types (card,link,alipay,wxpay),
+		// not "stripe" itself. The checkout page aggregates all sub-types under "stripe".
+		if paymentType == TypeStripe {
+			if inst.ProviderKey == TypeStripe {
+				matched = append(matched, inst)
+			}
+		} else if InstanceSupportsType(inst.SupportedTypes, paymentType) {
 			matched = append(matched, inst)
 		}
 	}

From 6a08efeef9d013d4e5b3551b8c800adca267db63 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Tue, 14 Apr 2026 12:11:08 +0800
Subject: [PATCH 089/122] fix: resolve upstream CI failures (lint, test, gofmt)

- Fix errcheck: handle Write/Encode return values in brave_test.go
- Fix errcheck: defer resp.Body.Close() with _ assignment in tavily.go
- Fix gofmt: payment.go, channel.go, payment_config_providers.go
- Fix unused: remove dead decodeURLValue in easypay.go
- Restore shouldFallbackGeminiModel function (deleted during cherry-pick)
- Add missing balanceNotifyService param to NewGatewayService in test
- Fix platform default test expectation (empty stays empty)
- Fix wildcard pricing test (longest prefix wins, not config order)
- Fix subscription group test (SUBSCRIPTION_REPOSITORY_UNAVAILABLE)
---
 .../handler/admin/channel_handler_test.go     |  4 ++--
 ...eway_handler_warmup_intercept_unit_test.go |  1 +
 .../internal/handler/gemini_v1beta_handler.go | 10 ++++++++++
 backend/internal/payment/provider/easypay.go  |  9 ---------
 backend/internal/pkg/websearch/brave_test.go  | 10 +++++-----
 backend/internal/pkg/websearch/tavily.go      |  2 +-
 backend/internal/server/routes/payment.go     |  1 -
 .../service/account_stats_pricing_test.go     |  4 ++--
 .../service/admin_service_apikey_test.go      |  4 ++--
 backend/internal/service/channel.go           |  4 ++--
 .../service/payment_config_providers.go       | 20 +++++++++----------
 11 files changed, 35 insertions(+), 34 deletions(-)

diff --git a/backend/internal/handler/admin/channel_handler_test.go b/backend/internal/handler/admin/channel_handler_test.go
index 2f4b4440..f218cce4 100644
--- a/backend/internal/handler/admin/channel_handler_test.go
+++ b/backend/internal/handler/admin/channel_handler_test.go
@@ -273,13 +273,13 @@ func TestPricingRequestToService_Defaults(t *testing.T) {
 			wantValue: string(service.BillingModeToken),
 		},
 		{
-			name: "empty platform defaults to anthropic",
+			name: "empty platform stays empty",
 			req: channelModelPricingRequest{
 				Models:   []string{"m1"},
 				Platform: "",
 			},
 			wantField: "Platform",
-			wantValue: "anthropic",
+			wantValue: "",
 		},
 	}
 
diff --git a/backend/internal/handler/gateway_handler_warmup_intercept_unit_test.go b/backend/internal/handler/gateway_handler_warmup_intercept_unit_test.go
index acea3780..1fdc46ba 100644
--- a/backend/internal/handler/gateway_handler_warmup_intercept_unit_test.go
+++ b/backend/internal/handler/gateway_handler_warmup_intercept_unit_test.go
@@ -168,6 +168,7 @@ func newTestGatewayHandler(t *testing.T, group *service.Group, accounts []*servi
 		nil, // tlsFPProfileService
 		nil, // channelService
 		nil, // resolver
+		nil, // balanceNotifyService
 	)
 
 	// RunModeSimple：跳过计费检查，避免引入 repo/cache 依赖。
diff --git a/backend/internal/handler/gemini_v1beta_handler.go b/backend/internal/handler/gemini_v1beta_handler.go
index 45b5842f..6b8cc482 100644
--- a/backend/internal/handler/gemini_v1beta_handler.go
+++ b/backend/internal/handler/gemini_v1beta_handler.go
@@ -682,6 +682,16 @@ func shouldFallbackGeminiModels(res *service.UpstreamHTTPResult) bool {
 	return false
 }
 
+func shouldFallbackGeminiModel(modelName string, res *service.UpstreamHTTPResult) bool {
+	if shouldFallbackGeminiModels(res) {
+		return true
+	}
+	if res == nil || res.StatusCode != http.StatusNotFound {
+		return false
+	}
+	return gemini.HasFallbackModel(modelName)
+}
+
 // extractGeminiCLISessionHash 从 Gemini CLI 请求中提取会话标识。
 // 组合 x-gemini-api-privileged-user-id header 和请求体中的 tmp 目录哈希。
 //
diff --git a/backend/internal/payment/provider/easypay.go b/backend/internal/payment/provider/easypay.go
index c54aba6a..b48a38fe 100644
--- a/backend/internal/payment/provider/easypay.go
+++ b/backend/internal/payment/provider/easypay.go
@@ -276,12 +276,3 @@ func easyPaySign(params map[string]string, pkey string) string {
 func easyPayVerifySign(params map[string]string, pkey string, sign string) bool {
 	return hmac.Equal([]byte(easyPaySign(params, pkey)), []byte(sign))
 }
-
-// decodeURLValue URL-decodes a string once.
-func decodeURLValue(s string) string {
-	decoded, err := url.QueryUnescape(s)
-	if err != nil {
-		return s
-	}
-	return decoded
-}
diff --git a/backend/internal/pkg/websearch/brave_test.go b/backend/internal/pkg/websearch/brave_test.go
index 3fe35020..4dc5b219 100644
--- a/backend/internal/pkg/websearch/brave_test.go
+++ b/backend/internal/pkg/websearch/brave_test.go
@@ -29,7 +29,7 @@ func TestBraveProvider_Search_Success(t *testing.T) {
 			{URL: "https://tour.go.dev", Title: "Tour", Description: "A Tour of Go", Age: "3 days"},
 		}
 		w.Header().Set("Content-Type", "application/json")
-		json.NewEncoder(w).Encode(resp)
+		_ = json.NewEncoder(w).Encode(resp)
 	}))
 	defer srv.Close()
 
@@ -53,7 +53,7 @@ func TestBraveProvider_Search_DefaultMaxResults(t *testing.T) {
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		receivedCount = r.URL.Query().Get("count")
 		resp := braveResponse{}
-		json.NewEncoder(w).Encode(resp)
+		_ = json.NewEncoder(w).Encode(resp)
 	}))
 	defer srv.Close()
 
@@ -70,7 +70,7 @@ func TestBraveProvider_Search_DefaultMaxResults(t *testing.T) {
 func TestBraveProvider_Search_HTTPError(t *testing.T) {
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 		w.WriteHeader(429)
-		w.Write([]byte("rate limited"))
+		_, _ = w.Write([]byte("rate limited"))
 	}))
 	defer srv.Close()
 
@@ -86,7 +86,7 @@ func TestBraveProvider_Search_HTTPError(t *testing.T) {
 
 func TestBraveProvider_Search_InvalidJSON(t *testing.T) {
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
-		w.Write([]byte("not json"))
+		_, _ = w.Write([]byte("not json"))
 	}))
 	defer srv.Close()
 
@@ -103,7 +103,7 @@ func TestBraveProvider_Search_InvalidJSON(t *testing.T) {
 func TestBraveProvider_Search_EmptyResults(t *testing.T) {
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 		resp := braveResponse{}
-		json.NewEncoder(w).Encode(resp)
+		_ = json.NewEncoder(w).Encode(resp)
 	}))
 	defer srv.Close()
 
diff --git a/backend/internal/pkg/websearch/tavily.go b/backend/internal/pkg/websearch/tavily.go
index 6ac09edf..ac4928a6 100644
--- a/backend/internal/pkg/websearch/tavily.go
+++ b/backend/internal/pkg/websearch/tavily.go
@@ -60,7 +60,7 @@ func (t *TavilyProvider) Search(ctx context.Context, req SearchRequest) (*Search
 	if err != nil {
 		return nil, fmt.Errorf("tavily: request failed: %w", err)
 	}
-	defer resp.Body.Close()
+	defer func() { _ = resp.Body.Close() }()
 
 	body, err := io.ReadAll(io.LimitReader(resp.Body, maxResponseSize))
 	if err != nil {
diff --git a/backend/internal/server/routes/payment.go b/backend/internal/server/routes/payment.go
index 641c6cd5..72012a4e 100644
--- a/backend/internal/server/routes/payment.go
+++ b/backend/internal/server/routes/payment.go
@@ -78,7 +78,6 @@ func RegisterPaymentRoutes(
 			adminOrders.POST("/:id/refund", adminPaymentHandler.ProcessRefund)
 		}
 
-
 		// Subscription Plans
 		plans := adminGroup.Group("/plans")
 		{
diff --git a/backend/internal/service/account_stats_pricing_test.go b/backend/internal/service/account_stats_pricing_test.go
index 36e5eb74..2f625393 100644
--- a/backend/internal/service/account_stats_pricing_test.go
+++ b/backend/internal/service/account_stats_pricing_test.go
@@ -147,14 +147,14 @@ func TestFindPricingForModel(t *testing.T) {
 			wantNil: true,
 		},
 		{
-			name: "wildcard matches by config order (first match wins)",
+			name: "wildcard matches by longest prefix (most specific wins)",
 			list: []ChannelModelPricing{
 				{ID: 10, Models: []string{"claude-*"}},
 				{ID: 11, Models: []string{"claude-opus-*"}},
 			},
 			platform: "",
 			model:    "claude-opus-4",
-			wantID:   10, // config order: "claude-*" is first and matches, so it wins
+			wantID:   11, // "claude-opus-*" is longer prefix, wins over "claude-*"
 		},
 		{
 			name: "shorter wildcard used when longer does not match",
diff --git a/backend/internal/service/admin_service_apikey_test.go b/backend/internal/service/admin_service_apikey_test.go
index 7f0a24da..1e235278 100644
--- a/backend/internal/service/admin_service_apikey_test.go
+++ b/backend/internal/service/admin_service_apikey_test.go
@@ -412,10 +412,10 @@ func TestAdminService_AdminUpdateAPIKeyGroupID_SubscriptionGroup_Blocked(t *test
 	userRepo := &userRepoStubForGroupUpdate{}
 	svc := &adminServiceImpl{apiKeyRepo: apiKeyRepo, groupRepo: groupRepo, userRepo: userRepo}
 
-	// 订阅类型分组应被阻止绑定
+	// userSubRepo is nil → SUBSCRIPTION_REPOSITORY_UNAVAILABLE
 	_, err := svc.AdminUpdateAPIKeyGroupID(context.Background(), 1, int64Ptr(10))
 	require.Error(t, err)
-	require.Equal(t, "SUBSCRIPTION_GROUP_NOT_ALLOWED", infraerrors.Reason(err))
+	require.Equal(t, "SUBSCRIPTION_REPOSITORY_UNAVAILABLE", infraerrors.Reason(err))
 	require.False(t, userRepo.addGroupCalled)
 }
 
diff --git a/backend/internal/service/channel.go b/backend/internal/service/channel.go
index b3fb2eac..93beb972 100644
--- a/backend/internal/service/channel.go
+++ b/backend/internal/service/channel.go
@@ -37,8 +37,8 @@ type Channel struct {
 	Name               string
 	Description        string
 	Status             string
-	BillingModelSource string // "requested", "upstream", or "channel_mapped"
-	RestrictModels     bool   // 是否限制模型（仅允许定价列表中的模型）
+	BillingModelSource string         // "requested", "upstream", or "channel_mapped"
+	RestrictModels     bool           // 是否限制模型（仅允许定价列表中的模型）
 	Features           string         // 渠道特性描述（JSON 数组），用于支付页面展示
 	FeaturesConfig     map[string]any // 渠道功能配置（如 web search emulation）
 	CreatedAt          time.Time
diff --git a/backend/internal/service/payment_config_providers.go b/backend/internal/service/payment_config_providers.go
index 072ed002..47008df0 100644
--- a/backend/internal/service/payment_config_providers.go
+++ b/backend/internal/service/payment_config_providers.go
@@ -22,16 +22,16 @@ func (s *PaymentConfigService) ListProviderInstances(ctx context.Context) ([]*db
 
 // ProviderInstanceResponse is the API response for a provider instance.
 type ProviderInstanceResponse struct {
-	ID              int64             `json:"id"`
-	ProviderKey     string            `json:"provider_key"`
-	Name            string            `json:"name"`
-	Config          map[string]string `json:"config"`
-	SupportedTypes  []string          `json:"supported_types"`
-	Limits          string            `json:"limits"`
-	Enabled         bool              `json:"enabled"`
-	RefundEnabled   bool              `json:"refund_enabled"`
-	SortOrder       int               `json:"sort_order"`
-	PaymentMode     string            `json:"payment_mode"`
+	ID             int64             `json:"id"`
+	ProviderKey    string            `json:"provider_key"`
+	Name           string            `json:"name"`
+	Config         map[string]string `json:"config"`
+	SupportedTypes []string          `json:"supported_types"`
+	Limits         string            `json:"limits"`
+	Enabled        bool              `json:"enabled"`
+	RefundEnabled  bool              `json:"refund_enabled"`
+	SortOrder      int               `json:"sort_order"`
+	PaymentMode    string            `json:"payment_mode"`
 }
 
 // ListProviderInstancesWithConfig returns provider instances with decrypted config.

From e8ee400a3f8720345f025f8ba8e6164d0950592c Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Tue, 14 Apr 2026 12:19:44 +0800
Subject: [PATCH 090/122] fix: resolve remaining lint errors for upstream CI

- Fix errcheck: brave.go resp.Body.Close, manager_test.go Encode
- Fix gofmt: payment_config_service.go
- Fix unused: use shouldFallbackGeminiModel (with modelName param) in handler
---
 .../internal/handler/gemini_v1beta_handler.go |  2 +-
 backend/internal/pkg/websearch/brave.go       |  2 +-
 .../internal/pkg/websearch/manager_test.go    |  4 +--
 .../service/payment_config_service.go         | 34 +++++++++----------
 4 files changed, 21 insertions(+), 21 deletions(-)

diff --git a/backend/internal/handler/gemini_v1beta_handler.go b/backend/internal/handler/gemini_v1beta_handler.go
index 6b8cc482..d200c17c 100644
--- a/backend/internal/handler/gemini_v1beta_handler.go
+++ b/backend/internal/handler/gemini_v1beta_handler.go
@@ -121,7 +121,7 @@ func (h *GatewayHandler) GeminiV1BetaGetModel(c *gin.Context) {
 		googleError(c, http.StatusBadGateway, err.Error())
 		return
 	}
-	if shouldFallbackGeminiModels(res) {
+	if shouldFallbackGeminiModel(modelName, res) {
 		c.JSON(http.StatusOK, gemini.FallbackModel(modelName))
 		return
 	}
diff --git a/backend/internal/pkg/websearch/brave.go b/backend/internal/pkg/websearch/brave.go
index 5620ca8d..707e7029 100644
--- a/backend/internal/pkg/websearch/brave.go
+++ b/backend/internal/pkg/websearch/brave.go
@@ -62,7 +62,7 @@ func (b *BraveProvider) Search(ctx context.Context, req SearchRequest) (*SearchR
 	if err != nil {
 		return nil, fmt.Errorf("brave: request failed: %w", err)
 	}
-	defer resp.Body.Close()
+	defer func() { _ = resp.Body.Close() }()
 
 	body, err := io.ReadAll(io.LimitReader(resp.Body, maxResponseSize))
 	if err != nil {
diff --git a/backend/internal/pkg/websearch/manager_test.go b/backend/internal/pkg/websearch/manager_test.go
index cbcf1b76..a4413417 100644
--- a/backend/internal/pkg/websearch/manager_test.go
+++ b/backend/internal/pkg/websearch/manager_test.go
@@ -50,7 +50,7 @@ func TestManager_SearchWithBestProvider_UsesFirstAvailable(t *testing.T) {
 	srvBrave := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 		resp := braveResponse{}
 		resp.Web.Results = []braveResult{{URL: "https://brave.com", Title: "Brave", Description: "from brave"}}
-		json.NewEncoder(w).Encode(resp)
+		_ = json.NewEncoder(w).Encode(resp)
 	}))
 	defer srvBrave.Close()
 
@@ -77,7 +77,7 @@ func TestManager_SearchWithBestProvider_NilRedis(t *testing.T) {
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 		resp := braveResponse{}
 		resp.Web.Results = []braveResult{{URL: "https://test.com", Title: "Test", Description: "result"}}
-		json.NewEncoder(w).Encode(resp)
+		_ = json.NewEncoder(w).Encode(resp)
 	}))
 	defer srv.Close()
 
diff --git a/backend/internal/service/payment_config_service.go b/backend/internal/service/payment_config_service.go
index 6d470342..9042c3ab 100644
--- a/backend/internal/service/payment_config_service.go
+++ b/backend/internal/service/payment_config_service.go
@@ -105,26 +105,26 @@ type MethodLimitsResponse struct {
 }
 
 type CreateProviderInstanceRequest struct {
-	ProviderKey     string            `json:"provider_key"`
-	Name            string            `json:"name"`
-	Config          map[string]string `json:"config"`
-	SupportedTypes  []string          `json:"supported_types"`
-	Enabled         bool              `json:"enabled"`
-	PaymentMode     string            `json:"payment_mode"`
-	SortOrder       int               `json:"sort_order"`
-	Limits          string            `json:"limits"`
-	RefundEnabled   bool              `json:"refund_enabled"`
+	ProviderKey    string            `json:"provider_key"`
+	Name           string            `json:"name"`
+	Config         map[string]string `json:"config"`
+	SupportedTypes []string          `json:"supported_types"`
+	Enabled        bool              `json:"enabled"`
+	PaymentMode    string            `json:"payment_mode"`
+	SortOrder      int               `json:"sort_order"`
+	Limits         string            `json:"limits"`
+	RefundEnabled  bool              `json:"refund_enabled"`
 }
 
 type UpdateProviderInstanceRequest struct {
-	Name            *string           `json:"name"`
-	Config          map[string]string `json:"config"`
-	SupportedTypes  []string          `json:"supported_types"`
-	Enabled         *bool             `json:"enabled"`
-	PaymentMode     *string           `json:"payment_mode"`
-	SortOrder       *int              `json:"sort_order"`
-	Limits          *string           `json:"limits"`
-	RefundEnabled   *bool             `json:"refund_enabled"`
+	Name           *string           `json:"name"`
+	Config         map[string]string `json:"config"`
+	SupportedTypes []string          `json:"supported_types"`
+	Enabled        *bool             `json:"enabled"`
+	PaymentMode    *string           `json:"payment_mode"`
+	SortOrder      *int              `json:"sort_order"`
+	Limits         *string           `json:"limits"`
+	RefundEnabled  *bool             `json:"refund_enabled"`
 }
 type CreatePlanRequest struct {
 	GroupID       int64    `json:"group_id"`

From f1297a3694973d7ba9274d7b5e5874aafa1dfa56 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Tue, 14 Apr 2026 16:26:46 +0800
Subject: [PATCH 091/122] feat: add per-provider allow_user_refund control and
 align wildcard matching

allow_user_refund:
- Add allow_user_refund field to PaymentProviderInstance ent schema
- Migration 103: ALTER TABLE payment_provider_instances ADD COLUMN
- Cascade logic: disabling refund_enabled auto-disables allow_user_refund
- User refund validation: check provider instance allows user refund
- Admin refund validation: check provider instance allows admin refund
- Subscription refund: deduct days on refund, rollback on failure
- New endpoint: GET /payment/orders/refund-eligible-providers
- Frontend: ToggleSwitch in ProviderCard/Dialog, cascade in SettingsView

Wildcard matching:
- Change findPricingForModel from "longest prefix wins" to "config order
  priority (first match wins)", aligning with channel service behavior
---
 backend/ent/client.go                         | 36 +++----
 backend/ent/intercept/intercept.go            |  1 -
 backend/ent/migrate/schema.go                 |  1 +
 backend/ent/mutation.go                       | 94 +++++++++++++++----
 backend/ent/paymentproviderinstance.go        | 13 ++-
 .../paymentproviderinstance.go                | 10 ++
 backend/ent/paymentproviderinstance/where.go  | 15 +++
 backend/ent/paymentproviderinstance_create.go | 65 +++++++++++++
 backend/ent/paymentproviderinstance_update.go | 34 +++++++
 backend/ent/predicate/predicate.go            |  1 -
 backend/ent/runtime/runtime.go                |  8 +-
 .../ent/schema/payment_provider_instance.go   |  2 +
 backend/internal/handler/payment_handler.go   | 10 ++
 backend/internal/server/routes/payment.go     |  1 +
 .../internal/service/account_stats_pricing.go | 22 +----
 .../service/account_stats_pricing_test.go     |  4 +-
 .../service/payment_config_providers.go       | 42 ++++++---
 .../service/payment_config_service.go         | 36 +++----
 backend/internal/service/payment_refund.go    | 64 +++++++++++++
 .../migrations/103_add_allow_user_refund.sql  |  1 +
 frontend/src/api/payment.ts                   |  5 +
 .../payment/PaymentProviderDialog.vue         |  8 +-
 .../payment/PaymentProviderList.vue           |  2 +-
 .../src/components/payment/ProviderCard.vue   |  3 +-
 frontend/src/i18n/locales/en.ts               |  1 +
 frontend/src/i18n/locales/zh.ts               |  1 +
 frontend/src/types/payment.ts                 |  2 +
 frontend/src/views/admin/SettingsView.vue     | 21 ++++-
 28 files changed, 405 insertions(+), 98 deletions(-)
 create mode 100644 backend/migrations/103_add_allow_user_refund.sql

diff --git a/backend/ent/client.go b/backend/ent/client.go
index 3da7acf8..e52e015a 100644
--- a/backend/ent/client.go
+++ b/backend/ent/client.go
@@ -333,10 +333,10 @@ func (c *Client) Use(hooks ...Hook) {
 	for _, n := range []interface{ Use(...Hook) }{
 		c.APIKey, c.Account, c.AccountGroup, c.Announcement, c.AnnouncementRead,
 		c.ErrorPassthroughRule, c.Group, c.IdempotencyRecord, c.PaymentAuditLog,
-		c.PaymentOrder, c.PaymentProviderInstance, c.PromoCode,
-		c.PromoCodeUsage, c.Proxy, c.RedeemCode, c.SecuritySecret, c.Setting,
-		c.SubscriptionPlan, c.TLSFingerprintProfile, c.UsageCleanupTask, c.UsageLog,
-		c.User, c.UserAllowedGroup, c.UserAttributeDefinition, c.UserAttributeValue,
+		c.PaymentOrder, c.PaymentProviderInstance, c.PromoCode, c.PromoCodeUsage,
+		c.Proxy, c.RedeemCode, c.SecuritySecret, c.Setting, c.SubscriptionPlan,
+		c.TLSFingerprintProfile, c.UsageCleanupTask, c.UsageLog, c.User,
+		c.UserAllowedGroup, c.UserAttributeDefinition, c.UserAttributeValue,
 		c.UserSubscription,
 	} {
 		n.Use(hooks...)
@@ -349,10 +349,10 @@ func (c *Client) Intercept(interceptors ...Interceptor) {
 	for _, n := range []interface{ Intercept(...Interceptor) }{
 		c.APIKey, c.Account, c.AccountGroup, c.Announcement, c.AnnouncementRead,
 		c.ErrorPassthroughRule, c.Group, c.IdempotencyRecord, c.PaymentAuditLog,
-		c.PaymentOrder, c.PaymentProviderInstance, c.PromoCode,
-		c.PromoCodeUsage, c.Proxy, c.RedeemCode, c.SecuritySecret, c.Setting,
-		c.SubscriptionPlan, c.TLSFingerprintProfile, c.UsageCleanupTask, c.UsageLog,
-		c.User, c.UserAllowedGroup, c.UserAttributeDefinition, c.UserAttributeValue,
+		c.PaymentOrder, c.PaymentProviderInstance, c.PromoCode, c.PromoCodeUsage,
+		c.Proxy, c.RedeemCode, c.SecuritySecret, c.Setting, c.SubscriptionPlan,
+		c.TLSFingerprintProfile, c.UsageCleanupTask, c.UsageLog, c.User,
+		c.UserAllowedGroup, c.UserAttributeDefinition, c.UserAttributeValue,
 		c.UserSubscription,
 	} {
 		n.Intercept(interceptors...)
@@ -4629,19 +4629,19 @@ func (c *UserSubscriptionClient) mutate(ctx context.Context, m *UserSubscription
 type (
 	hooks struct {
 		APIKey, Account, AccountGroup, Announcement, AnnouncementRead,
-		ErrorPassthroughRule, Group, IdempotencyRecord, PaymentAuditLog,
-		PaymentOrder, PaymentProviderInstance, PromoCode,
-		PromoCodeUsage, Proxy, RedeemCode, SecuritySecret, Setting, SubscriptionPlan,
-		TLSFingerprintProfile, UsageCleanupTask, UsageLog, User, UserAllowedGroup,
-		UserAttributeDefinition, UserAttributeValue, UserSubscription []ent.Hook
+		ErrorPassthroughRule, Group, IdempotencyRecord, PaymentAuditLog, PaymentOrder,
+		PaymentProviderInstance, PromoCode, PromoCodeUsage, Proxy, RedeemCode,
+		SecuritySecret, Setting, SubscriptionPlan, TLSFingerprintProfile,
+		UsageCleanupTask, UsageLog, User, UserAllowedGroup, UserAttributeDefinition,
+		UserAttributeValue, UserSubscription []ent.Hook
 	}
 	inters struct {
 		APIKey, Account, AccountGroup, Announcement, AnnouncementRead,
-		ErrorPassthroughRule, Group, IdempotencyRecord, PaymentAuditLog,
-		PaymentOrder, PaymentProviderInstance, PromoCode,
-		PromoCodeUsage, Proxy, RedeemCode, SecuritySecret, Setting, SubscriptionPlan,
-		TLSFingerprintProfile, UsageCleanupTask, UsageLog, User, UserAllowedGroup,
-		UserAttributeDefinition, UserAttributeValue, UserSubscription []ent.Interceptor
+		ErrorPassthroughRule, Group, IdempotencyRecord, PaymentAuditLog, PaymentOrder,
+		PaymentProviderInstance, PromoCode, PromoCodeUsage, Proxy, RedeemCode,
+		SecuritySecret, Setting, SubscriptionPlan, TLSFingerprintProfile,
+		UsageCleanupTask, UsageLog, User, UserAllowedGroup, UserAttributeDefinition,
+		UserAttributeValue, UserSubscription []ent.Interceptor
 	}
 )
 
diff --git a/backend/ent/intercept/intercept.go b/backend/ent/intercept/intercept.go
index 77d3e16e..8d8320bb 100644
--- a/backend/ent/intercept/intercept.go
+++ b/backend/ent/intercept/intercept.go
@@ -336,7 +336,6 @@ func (f TraversePaymentAuditLog) Traverse(ctx context.Context, q ent.Query) erro
 	return fmt.Errorf("unexpected query type %T. expect *ent.PaymentAuditLogQuery", q)
 }
 
-
 // The PaymentOrderFunc type is an adapter to allow the use of ordinary function as a Querier.
 type PaymentOrderFunc func(context.Context, *ent.PaymentOrderQuery) (ent.Value, error)
 
diff --git a/backend/ent/migrate/schema.go b/backend/ent/migrate/schema.go
index 1fff61ba..68bdbf55 100644
--- a/backend/ent/migrate/schema.go
+++ b/backend/ent/migrate/schema.go
@@ -616,6 +616,7 @@ var (
 		{Name: "sort_order", Type: field.TypeInt, Default: 0},
 		{Name: "limits", Type: field.TypeString, Default: "", SchemaType: map[string]string{"postgres": "text"}},
 		{Name: "refund_enabled", Type: field.TypeBool, Default: false},
+		{Name: "allow_user_refund", Type: field.TypeBool, Default: false},
 		{Name: "created_at", Type: field.TypeTime, SchemaType: map[string]string{"postgres": "timestamptz"}},
 		{Name: "updated_at", Type: field.TypeTime, SchemaType: map[string]string{"postgres": "timestamptz"}},
 	}
diff --git a/backend/ent/mutation.go b/backend/ent/mutation.go
index 3bca248d..524ccb92 100644
--- a/backend/ent/mutation.go
+++ b/backend/ent/mutation.go
@@ -15642,25 +15642,26 @@ func (m *PaymentOrderMutation) ResetEdge(name string) error {
 // PaymentProviderInstanceMutation represents an operation that mutates the PaymentProviderInstance nodes in the graph.
 type PaymentProviderInstanceMutation struct {
 	config
-	op              Op
-	typ             string
-	id              *int64
-	provider_key    *string
-	name            *string
-	_config         *string
-	supported_types *string
-	enabled         *bool
-	payment_mode    *string
-	sort_order      *int
-	addsort_order   *int
-	limits          *string
-	refund_enabled  *bool
-	created_at      *time.Time
-	updated_at      *time.Time
-	clearedFields   map[string]struct{}
-	done            bool
-	oldValue        func(context.Context) (*PaymentProviderInstance, error)
-	predicates      []predicate.PaymentProviderInstance
+	op                Op
+	typ               string
+	id                *int64
+	provider_key      *string
+	name              *string
+	_config           *string
+	supported_types   *string
+	enabled           *bool
+	payment_mode      *string
+	sort_order        *int
+	addsort_order     *int
+	limits            *string
+	refund_enabled    *bool
+	allow_user_refund *bool
+	created_at        *time.Time
+	updated_at        *time.Time
+	clearedFields     map[string]struct{}
+	done              bool
+	oldValue          func(context.Context) (*PaymentProviderInstance, error)
+	predicates        []predicate.PaymentProviderInstance
 }
 
 var _ ent.Mutation = (*PaymentProviderInstanceMutation)(nil)
@@ -16105,6 +16106,42 @@ func (m *PaymentProviderInstanceMutation) ResetRefundEnabled() {
 	m.refund_enabled = nil
 }
 
+// SetAllowUserRefund sets the "allow_user_refund" field.
+func (m *PaymentProviderInstanceMutation) SetAllowUserRefund(b bool) {
+	m.allow_user_refund = &b
+}
+
+// AllowUserRefund returns the value of the "allow_user_refund" field in the mutation.
+func (m *PaymentProviderInstanceMutation) AllowUserRefund() (r bool, exists bool) {
+	v := m.allow_user_refund
+	if v == nil {
+		return
+	}
+	return *v, true
+}
+
+// OldAllowUserRefund returns the old "allow_user_refund" field's value of the PaymentProviderInstance entity.
+// If the PaymentProviderInstance object wasn't provided to the builder, the object is fetched from the database.
+// An error is returned if the mutation operation is not UpdateOne, or the database query fails.
+func (m *PaymentProviderInstanceMutation) OldAllowUserRefund(ctx context.Context) (v bool, err error) {
+	if !m.op.Is(OpUpdateOne) {
+		return v, errors.New("OldAllowUserRefund is only allowed on UpdateOne operations")
+	}
+	if m.id == nil || m.oldValue == nil {
+		return v, errors.New("OldAllowUserRefund requires an ID field in the mutation")
+	}
+	oldValue, err := m.oldValue(ctx)
+	if err != nil {
+		return v, fmt.Errorf("querying old value for OldAllowUserRefund: %w", err)
+	}
+	return oldValue.AllowUserRefund, nil
+}
+
+// ResetAllowUserRefund resets all changes to the "allow_user_refund" field.
+func (m *PaymentProviderInstanceMutation) ResetAllowUserRefund() {
+	m.allow_user_refund = nil
+}
+
 // SetCreatedAt sets the "created_at" field.
 func (m *PaymentProviderInstanceMutation) SetCreatedAt(t time.Time) {
 	m.created_at = &t
@@ -16211,7 +16248,7 @@ func (m *PaymentProviderInstanceMutation) Type() string {
 // order to get all numeric fields that were incremented/decremented, call
 // AddedFields().
 func (m *PaymentProviderInstanceMutation) Fields() []string {
-	fields := make([]string, 0, 11)
+	fields := make([]string, 0, 12)
 	if m.provider_key != nil {
 		fields = append(fields, paymentproviderinstance.FieldProviderKey)
 	}
@@ -16239,6 +16276,9 @@ func (m *PaymentProviderInstanceMutation) Fields() []string {
 	if m.refund_enabled != nil {
 		fields = append(fields, paymentproviderinstance.FieldRefundEnabled)
 	}
+	if m.allow_user_refund != nil {
+		fields = append(fields, paymentproviderinstance.FieldAllowUserRefund)
+	}
 	if m.created_at != nil {
 		fields = append(fields, paymentproviderinstance.FieldCreatedAt)
 	}
@@ -16271,6 +16311,8 @@ func (m *PaymentProviderInstanceMutation) Field(name string) (ent.Value, bool) {
 		return m.Limits()
 	case paymentproviderinstance.FieldRefundEnabled:
 		return m.RefundEnabled()
+	case paymentproviderinstance.FieldAllowUserRefund:
+		return m.AllowUserRefund()
 	case paymentproviderinstance.FieldCreatedAt:
 		return m.CreatedAt()
 	case paymentproviderinstance.FieldUpdatedAt:
@@ -16302,6 +16344,8 @@ func (m *PaymentProviderInstanceMutation) OldField(ctx context.Context, name str
 		return m.OldLimits(ctx)
 	case paymentproviderinstance.FieldRefundEnabled:
 		return m.OldRefundEnabled(ctx)
+	case paymentproviderinstance.FieldAllowUserRefund:
+		return m.OldAllowUserRefund(ctx)
 	case paymentproviderinstance.FieldCreatedAt:
 		return m.OldCreatedAt(ctx)
 	case paymentproviderinstance.FieldUpdatedAt:
@@ -16378,6 +16422,13 @@ func (m *PaymentProviderInstanceMutation) SetField(name string, value ent.Value)
 		}
 		m.SetRefundEnabled(v)
 		return nil
+	case paymentproviderinstance.FieldAllowUserRefund:
+		v, ok := value.(bool)
+		if !ok {
+			return fmt.Errorf("unexpected type %T for field %s", value, name)
+		}
+		m.SetAllowUserRefund(v)
+		return nil
 	case paymentproviderinstance.FieldCreatedAt:
 		v, ok := value.(time.Time)
 		if !ok {
@@ -16483,6 +16534,9 @@ func (m *PaymentProviderInstanceMutation) ResetField(name string) error {
 	case paymentproviderinstance.FieldRefundEnabled:
 		m.ResetRefundEnabled()
 		return nil
+	case paymentproviderinstance.FieldAllowUserRefund:
+		m.ResetAllowUserRefund()
+		return nil
 	case paymentproviderinstance.FieldCreatedAt:
 		m.ResetCreatedAt()
 		return nil
diff --git a/backend/ent/paymentproviderinstance.go b/backend/ent/paymentproviderinstance.go
index 087cb13a..4279b86e 100644
--- a/backend/ent/paymentproviderinstance.go
+++ b/backend/ent/paymentproviderinstance.go
@@ -35,6 +35,8 @@ type PaymentProviderInstance struct {
 	Limits string `json:"limits,omitempty"`
 	// RefundEnabled holds the value of the "refund_enabled" field.
 	RefundEnabled bool `json:"refund_enabled,omitempty"`
+	// AllowUserRefund holds the value of the "allow_user_refund" field.
+	AllowUserRefund bool `json:"allow_user_refund,omitempty"`
 	// CreatedAt holds the value of the "created_at" field.
 	CreatedAt time.Time `json:"created_at,omitempty"`
 	// UpdatedAt holds the value of the "updated_at" field.
@@ -47,7 +49,7 @@ func (*PaymentProviderInstance) scanValues(columns []string) ([]any, error) {
 	values := make([]any, len(columns))
 	for i := range columns {
 		switch columns[i] {
-		case paymentproviderinstance.FieldEnabled, paymentproviderinstance.FieldRefundEnabled:
+		case paymentproviderinstance.FieldEnabled, paymentproviderinstance.FieldRefundEnabled, paymentproviderinstance.FieldAllowUserRefund:
 			values[i] = new(sql.NullBool)
 		case paymentproviderinstance.FieldID, paymentproviderinstance.FieldSortOrder:
 			values[i] = new(sql.NullInt64)
@@ -130,6 +132,12 @@ func (_m *PaymentProviderInstance) assignValues(columns []string, values []any)
 			} else if value.Valid {
 				_m.RefundEnabled = value.Bool
 			}
+		case paymentproviderinstance.FieldAllowUserRefund:
+			if value, ok := values[i].(*sql.NullBool); !ok {
+				return fmt.Errorf("unexpected type %T for field allow_user_refund", values[i])
+			} else if value.Valid {
+				_m.AllowUserRefund = value.Bool
+			}
 		case paymentproviderinstance.FieldCreatedAt:
 			if value, ok := values[i].(*sql.NullTime); !ok {
 				return fmt.Errorf("unexpected type %T for field created_at", values[i])
@@ -205,6 +213,9 @@ func (_m *PaymentProviderInstance) String() string {
 	builder.WriteString("refund_enabled=")
 	builder.WriteString(fmt.Sprintf("%v", _m.RefundEnabled))
 	builder.WriteString(", ")
+	builder.WriteString("allow_user_refund=")
+	builder.WriteString(fmt.Sprintf("%v", _m.AllowUserRefund))
+	builder.WriteString(", ")
 	builder.WriteString("created_at=")
 	builder.WriteString(_m.CreatedAt.Format(time.ANSIC))
 	builder.WriteString(", ")
diff --git a/backend/ent/paymentproviderinstance/paymentproviderinstance.go b/backend/ent/paymentproviderinstance/paymentproviderinstance.go
index c430fef6..eb1b0c52 100644
--- a/backend/ent/paymentproviderinstance/paymentproviderinstance.go
+++ b/backend/ent/paymentproviderinstance/paymentproviderinstance.go
@@ -31,6 +31,8 @@ const (
 	FieldLimits = "limits"
 	// FieldRefundEnabled holds the string denoting the refund_enabled field in the database.
 	FieldRefundEnabled = "refund_enabled"
+	// FieldAllowUserRefund holds the string denoting the allow_user_refund field in the database.
+	FieldAllowUserRefund = "allow_user_refund"
 	// FieldCreatedAt holds the string denoting the created_at field in the database.
 	FieldCreatedAt = "created_at"
 	// FieldUpdatedAt holds the string denoting the updated_at field in the database.
@@ -51,6 +53,7 @@ var Columns = []string{
 	FieldSortOrder,
 	FieldLimits,
 	FieldRefundEnabled,
+	FieldAllowUserRefund,
 	FieldCreatedAt,
 	FieldUpdatedAt,
 }
@@ -88,6 +91,8 @@ var (
 	DefaultLimits string
 	// DefaultRefundEnabled holds the default value on creation for the "refund_enabled" field.
 	DefaultRefundEnabled bool
+	// DefaultAllowUserRefund holds the default value on creation for the "allow_user_refund" field.
+	DefaultAllowUserRefund bool
 	// DefaultCreatedAt holds the default value on creation for the "created_at" field.
 	DefaultCreatedAt func() time.Time
 	// DefaultUpdatedAt holds the default value on creation for the "updated_at" field.
@@ -149,6 +154,11 @@ func ByRefundEnabled(opts ...sql.OrderTermOption) OrderOption {
 	return sql.OrderByField(FieldRefundEnabled, opts...).ToFunc()
 }
 
+// ByAllowUserRefund orders the results by the allow_user_refund field.
+func ByAllowUserRefund(opts ...sql.OrderTermOption) OrderOption {
+	return sql.OrderByField(FieldAllowUserRefund, opts...).ToFunc()
+}
+
 // ByCreatedAt orders the results by the created_at field.
 func ByCreatedAt(opts ...sql.OrderTermOption) OrderOption {
 	return sql.OrderByField(FieldCreatedAt, opts...).ToFunc()
diff --git a/backend/ent/paymentproviderinstance/where.go b/backend/ent/paymentproviderinstance/where.go
index 7b99517f..40e5a1f6 100644
--- a/backend/ent/paymentproviderinstance/where.go
+++ b/backend/ent/paymentproviderinstance/where.go
@@ -99,6 +99,11 @@ func RefundEnabled(v bool) predicate.PaymentProviderInstance {
 	return predicate.PaymentProviderInstance(sql.FieldEQ(FieldRefundEnabled, v))
 }
 
+// AllowUserRefund applies equality check predicate on the "allow_user_refund" field. It's identical to AllowUserRefundEQ.
+func AllowUserRefund(v bool) predicate.PaymentProviderInstance {
+	return predicate.PaymentProviderInstance(sql.FieldEQ(FieldAllowUserRefund, v))
+}
+
 // CreatedAt applies equality check predicate on the "created_at" field. It's identical to CreatedAtEQ.
 func CreatedAt(v time.Time) predicate.PaymentProviderInstance {
 	return predicate.PaymentProviderInstance(sql.FieldEQ(FieldCreatedAt, v))
@@ -559,6 +564,16 @@ func RefundEnabledNEQ(v bool) predicate.PaymentProviderInstance {
 	return predicate.PaymentProviderInstance(sql.FieldNEQ(FieldRefundEnabled, v))
 }
 
+// AllowUserRefundEQ applies the EQ predicate on the "allow_user_refund" field.
+func AllowUserRefundEQ(v bool) predicate.PaymentProviderInstance {
+	return predicate.PaymentProviderInstance(sql.FieldEQ(FieldAllowUserRefund, v))
+}
+
+// AllowUserRefundNEQ applies the NEQ predicate on the "allow_user_refund" field.
+func AllowUserRefundNEQ(v bool) predicate.PaymentProviderInstance {
+	return predicate.PaymentProviderInstance(sql.FieldNEQ(FieldAllowUserRefund, v))
+}
+
 // CreatedAtEQ applies the EQ predicate on the "created_at" field.
 func CreatedAtEQ(v time.Time) predicate.PaymentProviderInstance {
 	return predicate.PaymentProviderInstance(sql.FieldEQ(FieldCreatedAt, v))
diff --git a/backend/ent/paymentproviderinstance_create.go b/backend/ent/paymentproviderinstance_create.go
index 20b16ddd..d1b14617 100644
--- a/backend/ent/paymentproviderinstance_create.go
+++ b/backend/ent/paymentproviderinstance_create.go
@@ -132,6 +132,20 @@ func (_c *PaymentProviderInstanceCreate) SetNillableRefundEnabled(v *bool) *Paym
 	return _c
 }
 
+// SetAllowUserRefund sets the "allow_user_refund" field.
+func (_c *PaymentProviderInstanceCreate) SetAllowUserRefund(v bool) *PaymentProviderInstanceCreate {
+	_c.mutation.SetAllowUserRefund(v)
+	return _c
+}
+
+// SetNillableAllowUserRefund sets the "allow_user_refund" field if the given value is not nil.
+func (_c *PaymentProviderInstanceCreate) SetNillableAllowUserRefund(v *bool) *PaymentProviderInstanceCreate {
+	if v != nil {
+		_c.SetAllowUserRefund(*v)
+	}
+	return _c
+}
+
 // SetCreatedAt sets the "created_at" field.
 func (_c *PaymentProviderInstanceCreate) SetCreatedAt(v time.Time) *PaymentProviderInstanceCreate {
 	_c.mutation.SetCreatedAt(v)
@@ -223,6 +237,10 @@ func (_c *PaymentProviderInstanceCreate) defaults() {
 		v := paymentproviderinstance.DefaultRefundEnabled
 		_c.mutation.SetRefundEnabled(v)
 	}
+	if _, ok := _c.mutation.AllowUserRefund(); !ok {
+		v := paymentproviderinstance.DefaultAllowUserRefund
+		_c.mutation.SetAllowUserRefund(v)
+	}
 	if _, ok := _c.mutation.CreatedAt(); !ok {
 		v := paymentproviderinstance.DefaultCreatedAt()
 		_c.mutation.SetCreatedAt(v)
@@ -282,6 +300,9 @@ func (_c *PaymentProviderInstanceCreate) check() error {
 	if _, ok := _c.mutation.RefundEnabled(); !ok {
 		return &ValidationError{Name: "refund_enabled", err: errors.New(`ent: missing required field "PaymentProviderInstance.refund_enabled"`)}
 	}
+	if _, ok := _c.mutation.AllowUserRefund(); !ok {
+		return &ValidationError{Name: "allow_user_refund", err: errors.New(`ent: missing required field "PaymentProviderInstance.allow_user_refund"`)}
+	}
 	if _, ok := _c.mutation.CreatedAt(); !ok {
 		return &ValidationError{Name: "created_at", err: errors.New(`ent: missing required field "PaymentProviderInstance.created_at"`)}
 	}
@@ -351,6 +372,10 @@ func (_c *PaymentProviderInstanceCreate) createSpec() (*PaymentProviderInstance,
 		_spec.SetField(paymentproviderinstance.FieldRefundEnabled, field.TypeBool, value)
 		_node.RefundEnabled = value
 	}
+	if value, ok := _c.mutation.AllowUserRefund(); ok {
+		_spec.SetField(paymentproviderinstance.FieldAllowUserRefund, field.TypeBool, value)
+		_node.AllowUserRefund = value
+	}
 	if value, ok := _c.mutation.CreatedAt(); ok {
 		_spec.SetField(paymentproviderinstance.FieldCreatedAt, field.TypeTime, value)
 		_node.CreatedAt = value
@@ -525,6 +550,18 @@ func (u *PaymentProviderInstanceUpsert) UpdateRefundEnabled() *PaymentProviderIn
 	return u
 }
 
+// SetAllowUserRefund sets the "allow_user_refund" field.
+func (u *PaymentProviderInstanceUpsert) SetAllowUserRefund(v bool) *PaymentProviderInstanceUpsert {
+	u.Set(paymentproviderinstance.FieldAllowUserRefund, v)
+	return u
+}
+
+// UpdateAllowUserRefund sets the "allow_user_refund" field to the value that was provided on create.
+func (u *PaymentProviderInstanceUpsert) UpdateAllowUserRefund() *PaymentProviderInstanceUpsert {
+	u.SetExcluded(paymentproviderinstance.FieldAllowUserRefund)
+	return u
+}
+
 // SetUpdatedAt sets the "updated_at" field.
 func (u *PaymentProviderInstanceUpsert) SetUpdatedAt(v time.Time) *PaymentProviderInstanceUpsert {
 	u.Set(paymentproviderinstance.FieldUpdatedAt, v)
@@ -715,6 +752,20 @@ func (u *PaymentProviderInstanceUpsertOne) UpdateRefundEnabled() *PaymentProvide
 	})
 }
 
+// SetAllowUserRefund sets the "allow_user_refund" field.
+func (u *PaymentProviderInstanceUpsertOne) SetAllowUserRefund(v bool) *PaymentProviderInstanceUpsertOne {
+	return u.Update(func(s *PaymentProviderInstanceUpsert) {
+		s.SetAllowUserRefund(v)
+	})
+}
+
+// UpdateAllowUserRefund sets the "allow_user_refund" field to the value that was provided on create.
+func (u *PaymentProviderInstanceUpsertOne) UpdateAllowUserRefund() *PaymentProviderInstanceUpsertOne {
+	return u.Update(func(s *PaymentProviderInstanceUpsert) {
+		s.UpdateAllowUserRefund()
+	})
+}
+
 // SetUpdatedAt sets the "updated_at" field.
 func (u *PaymentProviderInstanceUpsertOne) SetUpdatedAt(v time.Time) *PaymentProviderInstanceUpsertOne {
 	return u.Update(func(s *PaymentProviderInstanceUpsert) {
@@ -1073,6 +1124,20 @@ func (u *PaymentProviderInstanceUpsertBulk) UpdateRefundEnabled() *PaymentProvid
 	})
 }
 
+// SetAllowUserRefund sets the "allow_user_refund" field.
+func (u *PaymentProviderInstanceUpsertBulk) SetAllowUserRefund(v bool) *PaymentProviderInstanceUpsertBulk {
+	return u.Update(func(s *PaymentProviderInstanceUpsert) {
+		s.SetAllowUserRefund(v)
+	})
+}
+
+// UpdateAllowUserRefund sets the "allow_user_refund" field to the value that was provided on create.
+func (u *PaymentProviderInstanceUpsertBulk) UpdateAllowUserRefund() *PaymentProviderInstanceUpsertBulk {
+	return u.Update(func(s *PaymentProviderInstanceUpsert) {
+		s.UpdateAllowUserRefund()
+	})
+}
+
 // SetUpdatedAt sets the "updated_at" field.
 func (u *PaymentProviderInstanceUpsertBulk) SetUpdatedAt(v time.Time) *PaymentProviderInstanceUpsertBulk {
 	return u.Update(func(s *PaymentProviderInstanceUpsert) {
diff --git a/backend/ent/paymentproviderinstance_update.go b/backend/ent/paymentproviderinstance_update.go
index 06dba527..6bb3a82d 100644
--- a/backend/ent/paymentproviderinstance_update.go
+++ b/backend/ent/paymentproviderinstance_update.go
@@ -161,6 +161,20 @@ func (_u *PaymentProviderInstanceUpdate) SetNillableRefundEnabled(v *bool) *Paym
 	return _u
 }
 
+// SetAllowUserRefund sets the "allow_user_refund" field.
+func (_u *PaymentProviderInstanceUpdate) SetAllowUserRefund(v bool) *PaymentProviderInstanceUpdate {
+	_u.mutation.SetAllowUserRefund(v)
+	return _u
+}
+
+// SetNillableAllowUserRefund sets the "allow_user_refund" field if the given value is not nil.
+func (_u *PaymentProviderInstanceUpdate) SetNillableAllowUserRefund(v *bool) *PaymentProviderInstanceUpdate {
+	if v != nil {
+		_u.SetAllowUserRefund(*v)
+	}
+	return _u
+}
+
 // SetUpdatedAt sets the "updated_at" field.
 func (_u *PaymentProviderInstanceUpdate) SetUpdatedAt(v time.Time) *PaymentProviderInstanceUpdate {
 	_u.mutation.SetUpdatedAt(v)
@@ -275,6 +289,9 @@ func (_u *PaymentProviderInstanceUpdate) sqlSave(ctx context.Context) (_node int
 	if value, ok := _u.mutation.RefundEnabled(); ok {
 		_spec.SetField(paymentproviderinstance.FieldRefundEnabled, field.TypeBool, value)
 	}
+	if value, ok := _u.mutation.AllowUserRefund(); ok {
+		_spec.SetField(paymentproviderinstance.FieldAllowUserRefund, field.TypeBool, value)
+	}
 	if value, ok := _u.mutation.UpdatedAt(); ok {
 		_spec.SetField(paymentproviderinstance.FieldUpdatedAt, field.TypeTime, value)
 	}
@@ -431,6 +448,20 @@ func (_u *PaymentProviderInstanceUpdateOne) SetNillableRefundEnabled(v *bool) *P
 	return _u
 }
 
+// SetAllowUserRefund sets the "allow_user_refund" field.
+func (_u *PaymentProviderInstanceUpdateOne) SetAllowUserRefund(v bool) *PaymentProviderInstanceUpdateOne {
+	_u.mutation.SetAllowUserRefund(v)
+	return _u
+}
+
+// SetNillableAllowUserRefund sets the "allow_user_refund" field if the given value is not nil.
+func (_u *PaymentProviderInstanceUpdateOne) SetNillableAllowUserRefund(v *bool) *PaymentProviderInstanceUpdateOne {
+	if v != nil {
+		_u.SetAllowUserRefund(*v)
+	}
+	return _u
+}
+
 // SetUpdatedAt sets the "updated_at" field.
 func (_u *PaymentProviderInstanceUpdateOne) SetUpdatedAt(v time.Time) *PaymentProviderInstanceUpdateOne {
 	_u.mutation.SetUpdatedAt(v)
@@ -575,6 +606,9 @@ func (_u *PaymentProviderInstanceUpdateOne) sqlSave(ctx context.Context) (_node
 	if value, ok := _u.mutation.RefundEnabled(); ok {
 		_spec.SetField(paymentproviderinstance.FieldRefundEnabled, field.TypeBool, value)
 	}
+	if value, ok := _u.mutation.AllowUserRefund(); ok {
+		_spec.SetField(paymentproviderinstance.FieldAllowUserRefund, field.TypeBool, value)
+	}
 	if value, ok := _u.mutation.UpdatedAt(); ok {
 		_spec.SetField(paymentproviderinstance.FieldUpdatedAt, field.TypeTime, value)
 	}
diff --git a/backend/ent/predicate/predicate.go b/backend/ent/predicate/predicate.go
index 67f37c75..ef551940 100644
--- a/backend/ent/predicate/predicate.go
+++ b/backend/ent/predicate/predicate.go
@@ -33,7 +33,6 @@ type IdempotencyRecord func(*sql.Selector)
 // PaymentAuditLog is the predicate function for paymentauditlog builders.
 type PaymentAuditLog func(*sql.Selector)
 
-
 // PaymentOrder is the predicate function for paymentorder builders.
 type PaymentOrder func(*sql.Selector)
 
diff --git a/backend/ent/runtime/runtime.go b/backend/ent/runtime/runtime.go
index 951b5f99..fbdd08c7 100644
--- a/backend/ent/runtime/runtime.go
+++ b/backend/ent/runtime/runtime.go
@@ -668,12 +668,16 @@ func init() {
 	paymentproviderinstanceDescRefundEnabled := paymentproviderinstanceFields[8].Descriptor()
 	// paymentproviderinstance.DefaultRefundEnabled holds the default value on creation for the refund_enabled field.
 	paymentproviderinstance.DefaultRefundEnabled = paymentproviderinstanceDescRefundEnabled.Default.(bool)
+	// paymentproviderinstanceDescAllowUserRefund is the schema descriptor for allow_user_refund field.
+	paymentproviderinstanceDescAllowUserRefund := paymentproviderinstanceFields[9].Descriptor()
+	// paymentproviderinstance.DefaultAllowUserRefund holds the default value on creation for the allow_user_refund field.
+	paymentproviderinstance.DefaultAllowUserRefund = paymentproviderinstanceDescAllowUserRefund.Default.(bool)
 	// paymentproviderinstanceDescCreatedAt is the schema descriptor for created_at field.
-	paymentproviderinstanceDescCreatedAt := paymentproviderinstanceFields[9].Descriptor()
+	paymentproviderinstanceDescCreatedAt := paymentproviderinstanceFields[10].Descriptor()
 	// paymentproviderinstance.DefaultCreatedAt holds the default value on creation for the created_at field.
 	paymentproviderinstance.DefaultCreatedAt = paymentproviderinstanceDescCreatedAt.Default.(func() time.Time)
 	// paymentproviderinstanceDescUpdatedAt is the schema descriptor for updated_at field.
-	paymentproviderinstanceDescUpdatedAt := paymentproviderinstanceFields[10].Descriptor()
+	paymentproviderinstanceDescUpdatedAt := paymentproviderinstanceFields[11].Descriptor()
 	// paymentproviderinstance.DefaultUpdatedAt holds the default value on creation for the updated_at field.
 	paymentproviderinstance.DefaultUpdatedAt = paymentproviderinstanceDescUpdatedAt.Default.(func() time.Time)
 	// paymentproviderinstance.UpdateDefaultUpdatedAt holds the default value on update for the updated_at field.
diff --git a/backend/ent/schema/payment_provider_instance.go b/backend/ent/schema/payment_provider_instance.go
index 08ab7d31..e4c0b72c 100644
--- a/backend/ent/schema/payment_provider_instance.go
+++ b/backend/ent/schema/payment_provider_instance.go
@@ -53,6 +53,8 @@ func (PaymentProviderInstance) Fields() []ent.Field {
 			Default(""),
 		field.Bool("refund_enabled").
 			Default(false),
+		field.Bool("allow_user_refund").
+			Default(false),
 		field.Time("created_at").
 			Immutable().
 			Default(time.Now).
diff --git a/backend/internal/handler/payment_handler.go b/backend/internal/handler/payment_handler.go
index 0425fc49..5fde86fa 100644
--- a/backend/internal/handler/payment_handler.go
+++ b/backend/internal/handler/payment_handler.go
@@ -335,6 +335,16 @@ func (h *PaymentHandler) RequestRefund(c *gin.Context) {
 	response.Success(c, gin.H{"message": "refund requested"})
 }
 
+// GetRefundEligibleProviders returns provider instance IDs that allow user refund.
+func (h *PaymentHandler) GetRefundEligibleProviders(c *gin.Context) {
+	ids, err := h.configService.GetUserRefundEligibleInstanceIDs(c.Request.Context())
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+	response.Success(c, gin.H{"provider_instance_ids": ids})
+}
+
 // VerifyOrderRequest is the request body for verifying a payment order.
 type VerifyOrderRequest struct {
 	OutTradeNo string `json:"out_trade_no" binding:"required"`
diff --git a/backend/internal/server/routes/payment.go b/backend/internal/server/routes/payment.go
index 72012a4e..8def7559 100644
--- a/backend/internal/server/routes/payment.go
+++ b/backend/internal/server/routes/payment.go
@@ -37,6 +37,7 @@ func RegisterPaymentRoutes(
 			orders.GET("/:id", paymentHandler.GetOrder)
 			orders.POST("/:id/cancel", paymentHandler.CancelOrder)
 			orders.POST("/:id/refund-request", paymentHandler.RequestRefund)
+			orders.GET("/refund-eligible-providers", paymentHandler.GetRefundEligibleProviders)
 		}
 	}
 
diff --git a/backend/internal/service/account_stats_pricing.go b/backend/internal/service/account_stats_pricing.go
index 47b7496f..90ff450f 100644
--- a/backend/internal/service/account_stats_pricing.go
+++ b/backend/internal/service/account_stats_pricing.go
@@ -2,7 +2,6 @@ package service
 
 import (
 	"context"
-	"sort"
 	"strings"
 )
 
@@ -116,14 +115,8 @@ func matchAccountStatsRule(rule *AccountStatsPricingRule, accountID, groupID int
 	return false
 }
 
-// wildcardMatch 通配符匹配候选项（用于排序）
-type wildcardMatch struct {
-	prefixLen int
-	pricing   *ChannelModelPricing
-}
-
 // findPricingForModel 在定价列表中查找匹配的模型定价。
-// 先精确匹配，再通配符匹配（前缀越长优先级越高）。
+// 先精确匹配，再通配符匹配（按配置顺序，先匹配先使用）。
 func findPricingForModel(pricingList []ChannelModelPricing, platform, modelLower string) *ChannelModelPricing {
 	// 精确匹配优先
 	for i := range pricingList {
@@ -137,8 +130,7 @@ func findPricingForModel(pricingList []ChannelModelPricing, platform, modelLower
 			}
 		}
 	}
-	// 通配符匹配：收集所有匹配项，按前缀长度降序取最长
-	var matches []wildcardMatch
+	// 通配符匹配：按配置顺序，先匹配先使用
 	for i := range pricingList {
 		p := &pricingList[i]
 		if !isPlatformMatch(platform, p.Platform) {
@@ -151,17 +143,11 @@ func findPricingForModel(pricingList []ChannelModelPricing, platform, modelLower
 			}
 			prefix := strings.TrimSuffix(ml, "*")
 			if strings.HasPrefix(modelLower, prefix) {
-				matches = append(matches, wildcardMatch{prefixLen: len(prefix), pricing: p})
+				return p
 			}
 		}
 	}
-	if len(matches) == 0 {
-		return nil
-	}
-	sort.Slice(matches, func(i, j int) bool {
-		return matches[i].prefixLen > matches[j].prefixLen
-	})
-	return matches[0].pricing
+	return nil
 }
 
 // isPlatformMatch 判断平台是否匹配（空平台视为不限平台）。
diff --git a/backend/internal/service/account_stats_pricing_test.go b/backend/internal/service/account_stats_pricing_test.go
index 2f625393..36e5eb74 100644
--- a/backend/internal/service/account_stats_pricing_test.go
+++ b/backend/internal/service/account_stats_pricing_test.go
@@ -147,14 +147,14 @@ func TestFindPricingForModel(t *testing.T) {
 			wantNil: true,
 		},
 		{
-			name: "wildcard matches by longest prefix (most specific wins)",
+			name: "wildcard matches by config order (first match wins)",
 			list: []ChannelModelPricing{
 				{ID: 10, Models: []string{"claude-*"}},
 				{ID: 11, Models: []string{"claude-opus-*"}},
 			},
 			platform: "",
 			model:    "claude-opus-4",
-			wantID:   11, // "claude-opus-*" is longer prefix, wins over "claude-*"
+			wantID:   10, // config order: "claude-*" is first and matches, so it wins
 		},
 		{
 			name: "shorter wildcard used when longer does not match",
diff --git a/backend/internal/service/payment_config_providers.go b/backend/internal/service/payment_config_providers.go
index 47008df0..0f7cb99a 100644
--- a/backend/internal/service/payment_config_providers.go
+++ b/backend/internal/service/payment_config_providers.go
@@ -22,16 +22,17 @@ func (s *PaymentConfigService) ListProviderInstances(ctx context.Context) ([]*db
 
 // ProviderInstanceResponse is the API response for a provider instance.
 type ProviderInstanceResponse struct {
-	ID             int64             `json:"id"`
-	ProviderKey    string            `json:"provider_key"`
-	Name           string            `json:"name"`
-	Config         map[string]string `json:"config"`
-	SupportedTypes []string          `json:"supported_types"`
-	Limits         string            `json:"limits"`
-	Enabled        bool              `json:"enabled"`
-	RefundEnabled  bool              `json:"refund_enabled"`
-	SortOrder      int               `json:"sort_order"`
-	PaymentMode    string            `json:"payment_mode"`
+	ID              int64             `json:"id"`
+	ProviderKey     string            `json:"provider_key"`
+	Name            string            `json:"name"`
+	Config          map[string]string `json:"config"`
+	SupportedTypes  []string          `json:"supported_types"`
+	Limits          string            `json:"limits"`
+	Enabled         bool              `json:"enabled"`
+	RefundEnabled   bool              `json:"refund_enabled"`
+	AllowUserRefund bool              `json:"allow_user_refund"`
+	SortOrder       int               `json:"sort_order"`
+	PaymentMode     string            `json:"payment_mode"`
 }
 
 // ListProviderInstancesWithConfig returns provider instances with decrypted config.
@@ -47,7 +48,8 @@ func (s *PaymentConfigService) ListProviderInstancesWithConfig(ctx context.Conte
 			ID: int64(inst.ID), ProviderKey: inst.ProviderKey, Name: inst.Name,
 			SupportedTypes: splitTypes(inst.SupportedTypes), Limits: inst.Limits,
 			Enabled: inst.Enabled, RefundEnabled: inst.RefundEnabled,
-			SortOrder: inst.SortOrder, PaymentMode: inst.PaymentMode,
+			AllowUserRefund: inst.AllowUserRefund,
+			SortOrder:       inst.SortOrder, PaymentMode: inst.PaymentMode,
 		}
 		resp.Config, err = s.decryptAndMaskConfig(inst.Config)
 		if err != nil {
@@ -110,10 +112,12 @@ func (s *PaymentConfigService) CreateProviderInstance(ctx context.Context, req C
 	if err != nil {
 		return nil, err
 	}
+	allowUserRefund := req.AllowUserRefund && req.RefundEnabled
 	return s.entClient.PaymentProviderInstance.Create().
 		SetProviderKey(req.ProviderKey).SetName(req.Name).SetConfig(enc).
 		SetSupportedTypes(typesStr).SetEnabled(req.Enabled).SetPaymentMode(req.PaymentMode).
 		SetSortOrder(req.SortOrder).SetLimits(req.Limits).SetRefundEnabled(req.RefundEnabled).
+		SetAllowUserRefund(allowUserRefund).
 		Save(ctx)
 }
 
@@ -221,6 +225,21 @@ func (s *PaymentConfigService) UpdateProviderInstance(ctx context.Context, id in
 	}
 	if req.RefundEnabled != nil {
 		u.SetRefundEnabled(*req.RefundEnabled)
+		// Cascade: turning off refund_enabled also disables allow_user_refund
+		if !*req.RefundEnabled {
+			u.SetAllowUserRefund(false)
+		}
+	}
+	if req.AllowUserRefund != nil {
+		// Only allow enabling when refund_enabled is true
+		if *req.AllowUserRefund {
+			inst, err := s.entClient.PaymentProviderInstance.Get(ctx, id)
+			if err == nil && inst.RefundEnabled {
+				u.SetAllowUserRefund(true)
+			}
+		} else {
+			u.SetAllowUserRefund(false)
+		}
 	}
 	if req.PaymentMode != nil {
 		u.SetPaymentMode(*req.PaymentMode)
@@ -233,6 +252,7 @@ func (s *PaymentConfigService) GetUserRefundEligibleInstanceIDs(ctx context.Cont
 	instances, err := s.entClient.PaymentProviderInstance.Query().
 		Where(
 			paymentproviderinstance.RefundEnabledEQ(true),
+			paymentproviderinstance.AllowUserRefundEQ(true),
 		).Select(paymentproviderinstance.FieldID).All(ctx)
 	if err != nil {
 		return nil, err
diff --git a/backend/internal/service/payment_config_service.go b/backend/internal/service/payment_config_service.go
index 9042c3ab..cce31f4d 100644
--- a/backend/internal/service/payment_config_service.go
+++ b/backend/internal/service/payment_config_service.go
@@ -105,26 +105,28 @@ type MethodLimitsResponse struct {
 }
 
 type CreateProviderInstanceRequest struct {
-	ProviderKey    string            `json:"provider_key"`
-	Name           string            `json:"name"`
-	Config         map[string]string `json:"config"`
-	SupportedTypes []string          `json:"supported_types"`
-	Enabled        bool              `json:"enabled"`
-	PaymentMode    string            `json:"payment_mode"`
-	SortOrder      int               `json:"sort_order"`
-	Limits         string            `json:"limits"`
-	RefundEnabled  bool              `json:"refund_enabled"`
+	ProviderKey     string            `json:"provider_key"`
+	Name            string            `json:"name"`
+	Config          map[string]string `json:"config"`
+	SupportedTypes  []string          `json:"supported_types"`
+	Enabled         bool              `json:"enabled"`
+	PaymentMode     string            `json:"payment_mode"`
+	SortOrder       int               `json:"sort_order"`
+	Limits          string            `json:"limits"`
+	RefundEnabled   bool              `json:"refund_enabled"`
+	AllowUserRefund bool              `json:"allow_user_refund"`
 }
 
 type UpdateProviderInstanceRequest struct {
-	Name           *string           `json:"name"`
-	Config         map[string]string `json:"config"`
-	SupportedTypes []string          `json:"supported_types"`
-	Enabled        *bool             `json:"enabled"`
-	PaymentMode    *string           `json:"payment_mode"`
-	SortOrder      *int              `json:"sort_order"`
-	Limits         *string           `json:"limits"`
-	RefundEnabled  *bool             `json:"refund_enabled"`
+	Name            *string           `json:"name"`
+	Config          map[string]string `json:"config"`
+	SupportedTypes  []string          `json:"supported_types"`
+	Enabled         *bool             `json:"enabled"`
+	PaymentMode     *string           `json:"payment_mode"`
+	SortOrder       *int              `json:"sort_order"`
+	Limits          *string           `json:"limits"`
+	RefundEnabled   *bool             `json:"refund_enabled"`
+	AllowUserRefund *bool             `json:"allow_user_refund"`
 }
 type CreatePlanRequest struct {
 	GroupID       int64    `json:"group_id"`
diff --git a/backend/internal/service/payment_refund.go b/backend/internal/service/payment_refund.go
index 68f9c697..75d75b2f 100644
--- a/backend/internal/service/payment_refund.go
+++ b/backend/internal/service/payment_refund.go
@@ -17,6 +17,19 @@ import (
 
 // --- Refund Flow ---
 
+// getOrderProviderInstance looks up the provider instance that processed this order.
+// Returns nil, nil for legacy orders without provider_instance_id.
+func (s *PaymentService) getOrderProviderInstance(ctx context.Context, o *dbent.PaymentOrder) (*dbent.PaymentProviderInstance, error) {
+	if o.ProviderInstanceID == nil || *o.ProviderInstanceID == "" {
+		return nil, nil
+	}
+	instID, err := strconv.ParseInt(*o.ProviderInstanceID, 10, 64)
+	if err != nil {
+		return nil, nil
+	}
+	return s.entClient.PaymentProviderInstance.Get(ctx, instID)
+}
+
 func (s *PaymentService) RequestRefund(ctx context.Context, oid, uid int64, reason string) error {
 	o, err := s.validateRefundRequest(ctx, oid, uid)
 	if err != nil {
@@ -57,6 +70,14 @@ func (s *PaymentService) validateRefundRequest(ctx context.Context, oid, uid int
 	if o.Status != OrderStatusCompleted {
 		return nil, infraerrors.BadRequest("INVALID_STATUS", "only completed orders can request refund")
 	}
+	// Check provider instance allows user refund
+	inst, err := s.getOrderProviderInstance(ctx, o)
+	if err != nil || inst == nil {
+		return nil, infraerrors.Forbidden("USER_REFUND_DISABLED", "refund is not available for this order")
+	}
+	if !inst.AllowUserRefund {
+		return nil, infraerrors.Forbidden("USER_REFUND_DISABLED", "user refund is not enabled for this provider")
+	}
 	return o, nil
 }
 
@@ -69,6 +90,18 @@ func (s *PaymentService) PrepareRefund(ctx context.Context, oid int64, amt float
 	if !psSliceContains(ok, o.Status) {
 		return nil, nil, infraerrors.BadRequest("INVALID_STATUS", "order status does not allow refund")
 	}
+	// Check provider instance allows admin refund
+	inst, instErr := s.getOrderProviderInstance(ctx, o)
+	if instErr != nil {
+		slog.Warn("refund: provider instance not found", "orderID", oid, "error", instErr)
+	}
+	if inst != nil && !inst.RefundEnabled {
+		return nil, nil, infraerrors.Forbidden("REFUND_DISABLED", "refund is not enabled for this provider")
+	}
+	if inst == nil && instErr == nil {
+		// Legacy order without provider_instance_id — block refund
+		return nil, nil, infraerrors.Forbidden("REFUND_DISABLED", "refund is not available for this order")
+	}
 	if math.IsNaN(amt) || math.IsInf(amt, 0) {
 		return nil, nil, infraerrors.BadRequest("INVALID_AMOUNT", "invalid refund amount")
 	}
@@ -102,6 +135,15 @@ func (s *PaymentService) PrepareRefund(ctx context.Context, oid int64, amt float
 func (s *PaymentService) prepDeduct(ctx context.Context, o *dbent.PaymentOrder, p *RefundPlan, force bool) *RefundResult {
 	if o.OrderType == payment.OrderTypeSubscription {
 		p.DeductionType = payment.DeductionTypeSubscription
+		if o.SubscriptionGroupID != nil && o.SubscriptionDays != nil {
+			p.SubDaysToDeduct = *o.SubscriptionDays
+			sub, err := s.subscriptionSvc.GetActiveSubscription(ctx, o.UserID, *o.SubscriptionGroupID)
+			if err == nil && sub != nil {
+				p.SubscriptionID = sub.ID
+			} else if !force {
+				return &RefundResult{Success: false, Warning: "cannot find active subscription for deduction, use force", RequireForce: true}
+			}
+		}
 		return nil
 	}
 	u, err := s.userRepo.GetByID(ctx, o.UserID)
@@ -137,6 +179,21 @@ func (s *PaymentService) ExecuteRefund(ctx context.Context, p *RefundPlan) (*Ref
 			p.BalanceToDeduct = 0
 		}
 	}
+	if p.DeductionType == payment.DeductionTypeSubscription && p.SubDaysToDeduct > 0 && p.SubscriptionID > 0 {
+		if !s.hasAuditLog(ctx, p.OrderID, "REFUND_ROLLBACK_FAILED") {
+			_, err := s.subscriptionSvc.ExtendSubscription(ctx, p.SubscriptionID, -p.SubDaysToDeduct)
+			if err != nil {
+				slog.Info("subscription deduction would expire, revoking", "orderID", p.OrderID, "subID", p.SubscriptionID, "days", p.SubDaysToDeduct)
+				if revokeErr := s.subscriptionSvc.RevokeSubscription(ctx, p.SubscriptionID); revokeErr != nil {
+					s.restoreStatus(ctx, p)
+					return nil, fmt.Errorf("revoke subscription: %w", revokeErr)
+				}
+			}
+		} else {
+			slog.Warn("skipping subscription deduction on retry (previous rollback failed)", "orderID", p.OrderID)
+			p.SubDaysToDeduct = 0
+		}
+	}
 	if err := s.gwRefund(ctx, p); err != nil {
 		return s.handleGwFail(ctx, p, err)
 	}
@@ -204,6 +261,13 @@ func (s *PaymentService) RollbackRefund(ctx context.Context, p *RefundPlan, gErr
 			return false
 		}
 	}
+	if p.DeductionType == payment.DeductionTypeSubscription && p.SubDaysToDeduct > 0 && p.SubscriptionID > 0 {
+		if _, err := s.subscriptionSvc.ExtendSubscription(ctx, p.SubscriptionID, p.SubDaysToDeduct); err != nil {
+			slog.Error("[CRITICAL] subscription rollback failed", "orderID", p.OrderID, "subID", p.SubscriptionID, "days", p.SubDaysToDeduct, "error", err)
+			s.writeAuditLog(ctx, p.OrderID, "REFUND_ROLLBACK_FAILED", "admin", map[string]any{"gatewayError": psErrMsg(gErr), "rollbackError": psErrMsg(err), "subDaysDeducted": p.SubDaysToDeduct})
+			return false
+		}
+	}
 	return true
 }
 
diff --git a/backend/migrations/103_add_allow_user_refund.sql b/backend/migrations/103_add_allow_user_refund.sql
new file mode 100644
index 00000000..79525382
--- /dev/null
+++ b/backend/migrations/103_add_allow_user_refund.sql
@@ -0,0 +1 @@
+ALTER TABLE payment_provider_instances ADD COLUMN IF NOT EXISTS allow_user_refund BOOLEAN NOT NULL DEFAULT false;
diff --git a/frontend/src/api/payment.ts b/frontend/src/api/payment.ts
index 1389b60f..5cedb107 100644
--- a/frontend/src/api/payment.ts
+++ b/frontend/src/api/payment.ts
@@ -75,5 +75,10 @@ export const paymentAPI = {
   /** Request a refund for a completed order */
   requestRefund(id: number, data: { reason: string }) {
     return apiClient.post(`/payment/orders/${id}/refund-request`, data)
+  },
+
+  /** Get provider instance IDs that allow user refund */
+  getRefundEligibleProviders() {
+    return apiClient.get<{ provider_instance_ids: string[] }>('/payment/orders/refund-eligible-providers')
   }
 }
diff --git a/frontend/src/components/payment/PaymentProviderDialog.vue b/frontend/src/components/payment/PaymentProviderDialog.vue
index 9b60cba1..10c1bfea 100644
--- a/frontend/src/components/payment/PaymentProviderDialog.vue
+++ b/frontend/src/components/payment/PaymentProviderDialog.vue
@@ -32,7 +32,8 @@
       <!-- Toggles + Payment mode + Supported types (single row) -->
       <div class="flex flex-wrap items-center gap-x-5 gap-y-2">
         <ToggleSwitch :label="t('common.enabled')" :checked="form.enabled" @toggle="form.enabled = !form.enabled" />
-        <ToggleSwitch :label="t('admin.settings.payment.refundEnabled')" :checked="form.refund_enabled" @toggle="form.refund_enabled = !form.refund_enabled" />
+        <ToggleSwitch :label="t('admin.settings.payment.refundEnabled')" :checked="form.refund_enabled" @toggle="form.refund_enabled = !form.refund_enabled; if (!form.refund_enabled) form.allow_user_refund = false" />
+        <ToggleSwitch v-if="form.refund_enabled" :label="t('admin.settings.payment.allowUserRefund')" :checked="form.allow_user_refund" @toggle="form.allow_user_refund = !form.allow_user_refund" />
         <div v-if="form.provider_key === 'easypay'" class="flex items-center gap-2">
           <span class="text-xs font-medium text-gray-500 dark:text-gray-400">{{ t('admin.settings.payment.paymentMode') }}</span>
           <div class="flex gap-1.5">
@@ -243,6 +244,7 @@ const emit = defineEmits<{
     enabled: boolean
     payment_mode: string
     refund_enabled: boolean
+    allow_user_refund: boolean
     config: Record<string, string>
     limits: string
   }]
@@ -258,6 +260,7 @@ const form = reactive({
   enabled: true,
   payment_mode: PAYMENT_MODE_QRCODE,
   refund_enabled: false,
+  allow_user_refund: false,
 })
 const config = reactive<Record<string, string>>({})
 const limits = reactive<Record<string, Record<string, number>>>({})
@@ -433,6 +436,7 @@ function handleSave() {
     enabled: form.enabled,
     payment_mode: form.provider_key === 'easypay' ? form.payment_mode : '',
     refund_enabled: form.refund_enabled,
+    allow_user_refund: form.refund_enabled ? form.allow_user_refund : false,
     config: filteredConfig,
     limits: serializeLimits(),
   })
@@ -452,6 +456,7 @@ function reset(defaultKey: string) {
   form.enabled = true
   form.payment_mode = defaultKey === 'easypay' ? PAYMENT_MODE_QRCODE : ''
   form.refund_enabled = false
+  form.allow_user_refund = false
   clearConfig()
   applyDefaults()
 }
@@ -463,6 +468,7 @@ function loadProvider(provider: ProviderInstance) {
   form.enabled = provider.enabled
   form.payment_mode = provider.payment_mode || (provider.provider_key === 'easypay' ? PAYMENT_MODE_QRCODE : '')
   form.refund_enabled = provider.refund_enabled
+  form.allow_user_refund = provider.allow_user_refund
   clearConfig()
   // Pre-fill config from API response (non-sensitive in cleartext, sensitive masked as ••••••••)
   if (provider.config) {
diff --git a/frontend/src/components/payment/PaymentProviderList.vue b/frontend/src/components/payment/PaymentProviderList.vue
index e942b8c4..49ebc726 100644
--- a/frontend/src/components/payment/PaymentProviderList.vue
+++ b/frontend/src/components/payment/PaymentProviderList.vue
@@ -115,7 +115,7 @@ const emit = defineEmits<{
   create: []
   edit: [provider: ProviderInstance]
   delete: [provider: ProviderInstance]
-  toggleField: [provider: ProviderInstance, field: 'enabled' | 'refund_enabled']
+  toggleField: [provider: ProviderInstance, field: 'enabled' | 'refund_enabled' | 'allow_user_refund']
   toggleType: [provider: ProviderInstance, type: string]
   reorder: [providers: { id: number; sort_order: number }[]]
 }>()
diff --git a/frontend/src/components/payment/ProviderCard.vue b/frontend/src/components/payment/ProviderCard.vue
index 9fc3b0ff..aecc8c8a 100644
--- a/frontend/src/components/payment/ProviderCard.vue
+++ b/frontend/src/components/payment/ProviderCard.vue
@@ -46,6 +46,7 @@
       <div class="flex items-center gap-4">
         <ToggleSwitch :label="t('common.enabled')" :checked="provider.enabled" @toggle="emit('toggleField', 'enabled')" />
         <ToggleSwitch :label="t('admin.settings.payment.refundEnabled')" :checked="provider.refund_enabled" @toggle="emit('toggleField', 'refund_enabled')" />
+        <ToggleSwitch v-if="provider.refund_enabled" :label="t('admin.settings.payment.allowUserRefund')" :checked="provider.allow_user_refund" @toggle="emit('toggleField', 'allow_user_refund')" />
         <div class="flex items-center gap-2 border-l border-gray-200 pl-3 dark:border-dark-600">
           <button type="button" @click="emit('edit')" class="flex flex-col items-center gap-0.5 rounded-lg p-1.5 text-gray-500 transition-colors hover:bg-blue-50 hover:text-blue-600 dark:hover:bg-blue-900/20 dark:hover:text-blue-400">
             <Icon name="edit" size="sm" />
@@ -84,7 +85,7 @@ const props = defineProps<{
 }>()
 
 const emit = defineEmits<{
-  toggleField: [field: 'enabled' | 'refund_enabled']
+  toggleField: [field: 'enabled' | 'refund_enabled' | 'allow_user_refund']
   toggleType: [type: string]
   edit: []
   delete: []
diff --git a/frontend/src/i18n/locales/en.ts b/frontend/src/i18n/locales/en.ts
index 9baddc43..07ae3446 100644
--- a/frontend/src/i18n/locales/en.ts
+++ b/frontend/src/i18n/locales/en.ts
@@ -4646,6 +4646,7 @@ export default {
         supportedTypes: 'Supported Payment Types',
         supportedTypesHint: 'Comma-separated, e.g. alipay,wxpay',
         refundEnabled: 'Allow Refund',
+        allowUserRefund: 'Allow User Refund',
       },
       balanceNotify: {
         title: 'Balance Low Notification',
diff --git a/frontend/src/i18n/locales/zh.ts b/frontend/src/i18n/locales/zh.ts
index af8da265..24faaee6 100644
--- a/frontend/src/i18n/locales/zh.ts
+++ b/frontend/src/i18n/locales/zh.ts
@@ -4810,6 +4810,7 @@ export default {
         supportedTypes: '支持的支付方式',
         supportedTypesHint: '逗号分隔，如 alipay,wxpay',
         refundEnabled: '允许退款',
+        allowUserRefund: '允许用户退款',
       },
       balanceNotify: {
         title: '余额不足提醒',
diff --git a/frontend/src/types/payment.ts b/frontend/src/types/payment.ts
index ac209ad7..51c40fe6 100644
--- a/frontend/src/types/payment.ts
+++ b/frontend/src/types/payment.ts
@@ -89,6 +89,7 @@ export interface PaymentOrder {
   refund_requested_by?: number
   refund_request_reason?: string
   plan_id?: number
+  provider_instance_id?: string
 }
 
 // ==================== Plans & Channels ====================
@@ -138,6 +139,7 @@ export interface ProviderInstance {
   enabled: boolean
   payment_mode: string
   refund_enabled: boolean
+  allow_user_refund: boolean
   limits: string
   sort_order: number
 }
diff --git a/frontend/src/views/admin/SettingsView.vue b/frontend/src/views/admin/SettingsView.vue
index c57d2033..77659f59 100644
--- a/frontend/src/views/admin/SettingsView.vue
+++ b/frontend/src/views/admin/SettingsView.vue
@@ -4111,12 +4111,25 @@ async function handleSaveProvider(payload: Partial<ProviderInstance>) {
   }
 }
 
-async function handleToggleField(provider: ProviderInstance, field: 'enabled' | 'refund_enabled') {
-  const newValue = field === 'enabled' ? !provider.enabled : !provider.refund_enabled
+async function handleToggleField(provider: ProviderInstance, field: 'enabled' | 'refund_enabled' | 'allow_user_refund') {
+  let newValue: boolean
+  if (field === 'enabled') newValue = !provider.enabled
+  else if (field === 'refund_enabled') newValue = !provider.refund_enabled
+  else newValue = !provider.allow_user_refund
   try {
-    await adminAPI.payment.updateProvider(provider.id, { [field]: newValue })
+    const payload: Record<string, boolean> = { [field]: newValue }
+    // Cascade: turning off refund_enabled also disables allow_user_refund
+    if (field === 'refund_enabled' && !newValue) {
+      payload.allow_user_refund = false
+    }
+    await adminAPI.payment.updateProvider(provider.id, payload)
     if (field === 'enabled') provider.enabled = newValue
-    else provider.refund_enabled = newValue
+    else if (field === 'refund_enabled') {
+      provider.refund_enabled = newValue
+      if (!newValue) provider.allow_user_refund = false
+    } else {
+      provider.allow_user_refund = newValue
+    }
   } catch (err: unknown) { appStore.showError(extractApiErrorMessage(err, t('common.error'), paymentErrorMap.value)) }
 }
 

From 6ac8ccde46dd60d09b6df425d9584053ba79b16e Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Tue, 14 Apr 2026 17:35:27 +0800
Subject: [PATCH 092/122] fix: merge 30 general improvements from release
 branch

Bug fixes:
- Detached context for GetAccountConcurrencyBatch (prevent all-zero on request cancel)
- Filter soft-deleted users in GetByGroupID
- Stripe CSP policy (allow Stripe.js in script-src and frame-src)
- WebSearch API key validation on save
- RECHARGING status in payment result success check
- Windows test fixes (logger Sync deadlock, config path escaping)

Feature enhancements:
- Webhook multi-instance dispatch (extractOutTradeNo + GetWebhookProvider)
- EasyPay mobile H5 payment (device param + PayURL2)
- SSE error propagation in WebSearch emulation
- AccountStatsCost DTO field for admin usage logs
- Plans sort by sort_order instead of created_at
- UsageMapHook for streaming response usage data
- apicompat Instructions field passthrough
- EffectiveLoadFactor for ops concurrency/metrics
- Usage billing RETURNING balance for notify system
- BulkUpdate mixed channel warning with details
- println to slog migration in auth cache
- Wire ProviderSet cleanup
- CI cache-dependency-path optimization

Frontend:
- Refund eligibility check per provider (canRequestRefund)
- Plan sort_order editing
- Dead code cleanup (simulate_claude_max, client_affinity)
- GroupsView platform switch guard
- channels features_config API type
- UsageView account_stats_cost export
---
 .github/workflows/backend-ci.yml              |  2 +
 backend/cmd/server/wire.go                    |  8 +-
 backend/internal/config/config.go             |  2 +-
 backend/internal/config/config_test.go        |  5 +-
 .../internal/handler/admin/account_handler.go |  6 ++
 backend/internal/handler/dto/mappers.go       |  1 +
 backend/internal/handler/dto/types.go         |  2 +
 .../handler/payment_webhook_handler.go        | 32 +++++++-
 backend/internal/payment/provider/easypay.go  | 16 +++-
 .../pkg/antigravity/stream_transformer.go     | 44 ++++++++++-
 .../apicompat/chatcompletions_to_responses.go | 15 ++--
 backend/internal/pkg/apicompat/types.go       |  2 +
 backend/internal/pkg/logger/logger_test.go    | 16 +++-
 .../internal/pkg/logger/stdlog_bridge_test.go |  4 +-
 .../internal/repository/usage_billing_repo.go | 62 +++++++++-------
 .../repository/user_group_rate_repo.go        |  2 +-
 backend/internal/server/routes/payment.go     |  4 +
 .../service/api_key_auth_cache_impl.go        |  3 +-
 backend/internal/service/channel_service.go   | 10 ++-
 .../internal/service/concurrency_service.go   | 13 +++-
 .../service/gateway_websearch_emulation.go    | 74 +++++++++++--------
 backend/internal/service/ops_concurrency.go   |  9 +--
 .../internal/service/ops_metrics_collector.go |  2 +-
 .../service/ops_system_log_sink_test.go       |  9 +++
 .../internal/service/payment_config_plans.go  |  4 +-
 backend/internal/service/websearch_config.go  | 10 +++
 frontend/src/api/admin/channels.ts            |  3 +
 frontend/src/types/index.ts                   | 13 +---
 frontend/src/views/admin/GroupsView.vue       | 14 ++++
 frontend/src/views/admin/UsageView.vue        |  2 +-
 .../admin/orders/AdminPaymentPlansView.vue    |  3 +
 .../src/views/admin/orders/PlanEditDialog.vue | 10 ++-
 frontend/src/views/user/PaymentResultView.vue |  4 +-
 frontend/src/views/user/UserOrdersView.vue    | 18 ++++-
 34 files changed, 306 insertions(+), 118 deletions(-)

diff --git a/.github/workflows/backend-ci.yml b/.github/workflows/backend-ci.yml
index 6f76ef4f..d7e15377 100644
--- a/.github/workflows/backend-ci.yml
+++ b/.github/workflows/backend-ci.yml
@@ -17,6 +17,7 @@ jobs:
           go-version-file: backend/go.mod
           check-latest: false
           cache: true
+          cache-dependency-path: backend/go.sum
       - name: Verify Go version
         run: |
           go version | grep -q 'go1.26.2'
@@ -36,6 +37,7 @@ jobs:
           go-version-file: backend/go.mod
           check-latest: false
           cache: true
+          cache-dependency-path: backend/go.sum
       - name: Verify Go version
         run: |
           go version | grep -q 'go1.26.2'
diff --git a/backend/cmd/server/wire.go b/backend/cmd/server/wire.go
index 47f8f518..64709b5b 100644
--- a/backend/cmd/server/wire.go
+++ b/backend/cmd/server/wire.go
@@ -36,19 +36,13 @@ func initializeApplication(buildInfo handler.BuildInfo) (*Application, error) {
 		// Business layer ProviderSets
 		repository.ProviderSet,
 		service.ProviderSet,
+		payment.ProviderSet,
 		middleware.ProviderSet,
 		handler.ProviderSet,
 
 		// Server layer ProviderSet
 		server.ProviderSet,
 
-		// Payment providers
-		payment.ProvideRegistry,
-		payment.ProvideEncryptionKey,
-		payment.ProvideDefaultLoadBalancer,
-		service.ProvidePaymentConfigService,
-		service.ProvidePaymentOrderExpiryService,
-
 		// Privacy client factory for OpenAI training opt-out
 		providePrivacyClientFactory,
 
diff --git a/backend/internal/config/config.go b/backend/internal/config/config.go
index bc4e5e46..dd9a4e58 100644
--- a/backend/internal/config/config.go
+++ b/backend/internal/config/config.go
@@ -28,7 +28,7 @@ const (
 
 // DefaultCSPPolicy is the default Content-Security-Policy with nonce support
 // __CSP_NONCE__ will be replaced with actual nonce at request time by the SecurityHeaders middleware
-const DefaultCSPPolicy = "default-src 'self'; script-src 'self' __CSP_NONCE__ https://challenges.cloudflare.com https://static.cloudflareinsights.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self' https:; frame-src https://challenges.cloudflare.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
+const DefaultCSPPolicy = "default-src 'self'; script-src 'self' __CSP_NONCE__ https://challenges.cloudflare.com https://static.cloudflareinsights.com https://*.stripe.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self' https:; frame-src https://challenges.cloudflare.com https://*.stripe.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
 
 // UMQ（用户消息队列）模式常量
 const (
diff --git a/backend/internal/config/config_test.go b/backend/internal/config/config_test.go
index fe181a2f..cf58316c 100644
--- a/backend/internal/config/config_test.go
+++ b/backend/internal/config/config_test.go
@@ -233,12 +233,13 @@ func TestLoadForcedCodexInstructionsTemplate(t *testing.T) {
 	configPath := filepath.Join(tempDir, "config.yaml")
 
 	require.NoError(t, os.WriteFile(templatePath, []byte("server-prefix\n\n{{ .ExistingInstructions }}"), 0o644))
-	require.NoError(t, os.WriteFile(configPath, []byte("gateway:\n  forced_codex_instructions_template_file: \""+templatePath+"\"\n"), 0o644))
+	yamlSafePath := filepath.ToSlash(templatePath)
+	require.NoError(t, os.WriteFile(configPath, []byte("gateway:\n  forced_codex_instructions_template_file: \""+yamlSafePath+"\"\n"), 0o644))
 	t.Setenv("DATA_DIR", tempDir)
 
 	cfg, err := Load()
 	require.NoError(t, err)
-	require.Equal(t, templatePath, cfg.Gateway.ForcedCodexInstructionsTemplateFile)
+	require.Equal(t, yamlSafePath, cfg.Gateway.ForcedCodexInstructionsTemplateFile)
 	require.Equal(t, "server-prefix\n\n{{ .ExistingInstructions }}", cfg.Gateway.ForcedCodexInstructionsTemplate)
 }
 
diff --git a/backend/internal/handler/admin/account_handler.go b/backend/internal/handler/admin/account_handler.go
index 9e985a79..9883d007 100644
--- a/backend/internal/handler/admin/account_handler.go
+++ b/backend/internal/handler/admin/account_handler.go
@@ -1412,6 +1412,12 @@ func (h *AccountHandler) BulkUpdate(c *gin.Context) {
 			c.JSON(409, gin.H{
 				"error":   "mixed_channel_warning",
 				"message": mixedErr.Error(),
+				"details": gin.H{
+					"group_id":         mixedErr.GroupID,
+					"group_name":       mixedErr.GroupName,
+					"current_platform": mixedErr.CurrentPlatform,
+					"other_platform":   mixedErr.OtherPlatform,
+				},
 			})
 			return
 		}
diff --git a/backend/internal/handler/dto/mappers.go b/backend/internal/handler/dto/mappers.go
index a7a93d07..d2ccb8d6 100644
--- a/backend/internal/handler/dto/mappers.go
+++ b/backend/internal/handler/dto/mappers.go
@@ -628,6 +628,7 @@ func UsageLogFromServiceAdmin(l *service.UsageLog) *AdminUsageLog {
 		ModelMappingChain:     l.ModelMappingChain,
 		BillingTier:           l.BillingTier,
 		AccountRateMultiplier: l.AccountRateMultiplier,
+		AccountStatsCost:      l.AccountStatsCost,
 		IPAddress:             l.IPAddress,
 		Account:               AccountSummaryFromService(l.Account),
 	}
diff --git a/backend/internal/handler/dto/types.go b/backend/internal/handler/dto/types.go
index 1aab1dbb..8c1e166f 100644
--- a/backend/internal/handler/dto/types.go
+++ b/backend/internal/handler/dto/types.go
@@ -427,6 +427,8 @@ type AdminUsageLog struct {
 
 	// AccountRateMultiplier 账号计费倍率快照（nil 表示按 1.0 处理）
 	AccountRateMultiplier *float64 `json:"account_rate_multiplier"`
+	// AccountStatsCost 自定义定价规则计算的账号统计费用（nil 表示使用默认公式）
+	AccountStatsCost *float64 `json:"account_stats_cost,omitempty"`
 
 	// IPAddress 用户请求 IP（仅管理员可见）
 	IPAddress *string `json:"ip_address,omitempty"`
diff --git a/backend/internal/handler/payment_webhook_handler.go b/backend/internal/handler/payment_webhook_handler.go
index bf404118..8a83bfeb 100644
--- a/backend/internal/handler/payment_webhook_handler.go
+++ b/backend/internal/handler/payment_webhook_handler.go
@@ -4,6 +4,7 @@ import (
 	"io"
 	"log/slog"
 	"net/http"
+	"net/url"
 	"strings"
 
 	"github.com/Wei-Shaw/sub2api/internal/payment"
@@ -72,9 +73,13 @@ func (h *PaymentWebhookHandler) handleNotify(c *gin.Context, providerKey string)
 		rawBody = string(body)
 	}
 
-	provider, err := h.registry.GetProviderByKey(providerKey)
+	// Extract out_trade_no to look up the order's specific provider instance.
+	// This is needed when multiple instances of the same provider exist (e.g. multiple EasyPay accounts).
+	outTradeNo := extractOutTradeNo(rawBody, providerKey)
+
+	provider, err := h.paymentService.GetWebhookProvider(c.Request.Context(), providerKey, outTradeNo)
 	if err != nil {
-		slog.Warn("[Payment Webhook] provider not registered", "provider", providerKey, "error", err)
+		slog.Warn("[Payment Webhook] provider not found", "provider", providerKey, "outTradeNo", outTradeNo, "error", err)
 		writeSuccessResponse(c, providerKey)
 		return
 	}
@@ -111,19 +116,40 @@ func (h *PaymentWebhookHandler) handleNotify(c *gin.Context, providerKey string)
 	writeSuccessResponse(c, providerKey)
 }
 
+// extractOutTradeNo parses the webhook body to find the out_trade_no.
+// This allows looking up the correct provider instance before verification.
+func extractOutTradeNo(rawBody, providerKey string) string {
+	switch providerKey {
+	case payment.TypeEasyPay:
+		values, err := url.ParseQuery(rawBody)
+		if err == nil {
+			return values.Get("out_trade_no")
+		}
+	}
+	// For other providers (Stripe, Alipay direct, WxPay direct), the registry
+	// typically has only one instance, so no instance lookup is needed.
+	return ""
+}
+
 // wxpaySuccessResponse is the JSON response expected by WeChat Pay webhook.
 type wxpaySuccessResponse struct {
 	Code    string `json:"code"`
 	Message string `json:"message"`
 }
 
+// WeChat Pay webhook success response constants.
+const (
+	wxpaySuccessCode    = "SUCCESS"
+	wxpaySuccessMessage = "成功"
+)
+
 // writeSuccessResponse sends the provider-specific success response.
 // WeChat Pay requires JSON {"code":"SUCCESS","message":"成功"};
 // Stripe expects an empty 200; others accept plain text "success".
 func writeSuccessResponse(c *gin.Context, providerKey string) {
 	switch providerKey {
 	case payment.TypeWxpay:
-		c.JSON(http.StatusOK, wxpaySuccessResponse{Code: "SUCCESS", Message: "成功"})
+		c.JSON(http.StatusOK, wxpaySuccessResponse{Code: wxpaySuccessCode, Message: wxpaySuccessMessage})
 	case payment.TypeStripe:
 		c.String(http.StatusOK, "")
 	default:
diff --git a/backend/internal/payment/provider/easypay.go b/backend/internal/payment/provider/easypay.go
index b48a38fe..e33a567d 100644
--- a/backend/internal/payment/provider/easypay.go
+++ b/backend/internal/payment/provider/easypay.go
@@ -27,6 +27,8 @@ const (
 	maxEasypayResponseSize = 1 << 20 // 1MB
 	tradeStatusSuccess     = "TRADE_SUCCESS"
 	signTypeMD5            = "MD5"
+	paymentModePopup       = "popup"
+	deviceMobile           = "mobile"
 )
 
 // EasyPay implements payment.Provider for the EasyPay aggregation platform.
@@ -61,7 +63,7 @@ func (e *EasyPay) CreatePayment(ctx context.Context, req payment.CreatePaymentRe
 	// Payment mode determined by instance config, not payment type.
 	// "popup" → hosted page (submit.php); "qrcode"/default → API call (mapi.php).
 	mode := e.config["paymentMode"]
-	if mode == "popup" {
+	if mode == paymentModePopup {
 		return e.createRedirectPayment(req)
 	}
 	return e.createAPIPayment(ctx, req)
@@ -81,6 +83,9 @@ func (e *EasyPay) createRedirectPayment(req payment.CreatePaymentRequest) (*paym
 	if cid := e.resolveCID(req.PaymentType); cid != "" {
 		params["cid"] = cid
 	}
+	if req.IsMobile {
+		params["device"] = deviceMobile
+	}
 	params["sign"] = easyPaySign(params, e.config["pkey"])
 	params["sign_type"] = signTypeMD5
 
@@ -106,7 +111,7 @@ func (e *EasyPay) createAPIPayment(ctx context.Context, req payment.CreatePaymen
 		params["cid"] = cid
 	}
 	if req.IsMobile {
-		params["device"] = "mobile"
+		params["device"] = deviceMobile
 	}
 	params["sign"] = easyPaySign(params, e.config["pkey"])
 	params["sign_type"] = signTypeMD5
@@ -120,6 +125,7 @@ func (e *EasyPay) createAPIPayment(ctx context.Context, req payment.CreatePaymen
 		Msg     string `json:"msg"`
 		TradeNo string `json:"trade_no"`
 		PayURL  string `json:"payurl"`
+		PayURL2 string `json:"payurl2"` // H5 mobile payment URL
 		QRCode  string `json:"qrcode"`
 	}
 	if err := json.Unmarshal(body, &resp); err != nil {
@@ -128,7 +134,11 @@ func (e *EasyPay) createAPIPayment(ctx context.Context, req payment.CreatePaymen
 	if resp.Code != easypayCodeSuccess {
 		return nil, fmt.Errorf("easypay error: %s", resp.Msg)
 	}
-	return &payment.CreatePaymentResponse{TradeNo: resp.TradeNo, PayURL: resp.PayURL, QRCode: resp.QRCode}, nil
+	payURL := resp.PayURL
+	if req.IsMobile && resp.PayURL2 != "" {
+		payURL = resp.PayURL2
+	}
+	return &payment.CreatePaymentResponse{TradeNo: resp.TradeNo, PayURL: payURL, QRCode: resp.QRCode}, nil
 }
 
 // resolveURLs returns (notifyURL, returnURL) preferring request values,
diff --git a/backend/internal/pkg/antigravity/stream_transformer.go b/backend/internal/pkg/antigravity/stream_transformer.go
index 58982878..4a68f3a9 100644
--- a/backend/internal/pkg/antigravity/stream_transformer.go
+++ b/backend/internal/pkg/antigravity/stream_transformer.go
@@ -18,6 +18,9 @@ const (
 	BlockTypeFunction
 )
 
+// UsageMapHook is a callback that can modify usage data before it's emitted in SSE events.
+type UsageMapHook func(usageMap map[string]any)
+
 // StreamingProcessor 流式响应处理器
 type StreamingProcessor struct {
 	blockType         BlockType
@@ -30,6 +33,7 @@ type StreamingProcessor struct {
 	originalModel     string
 	webSearchQueries  []string
 	groundingChunks   []GeminiGroundingChunk
+	usageMapHook      UsageMapHook
 
 	// 累计 usage
 	inputTokens       int
@@ -46,6 +50,28 @@ func NewStreamingProcessor(originalModel string) *StreamingProcessor {
 	}
 }
 
+// SetUsageMapHook sets an optional hook that modifies usage maps before they are emitted.
+func (p *StreamingProcessor) SetUsageMapHook(fn UsageMapHook) {
+	p.usageMapHook = fn
+}
+
+func usageToMap(u ClaudeUsage) map[string]any {
+	m := map[string]any{
+		"input_tokens":  u.InputTokens,
+		"output_tokens": u.OutputTokens,
+	}
+	if u.CacheCreationInputTokens > 0 {
+		m["cache_creation_input_tokens"] = u.CacheCreationInputTokens
+	}
+	if u.CacheReadInputTokens > 0 {
+		m["cache_read_input_tokens"] = u.CacheReadInputTokens
+	}
+	if u.ImageOutputTokens > 0 {
+		m["image_output_tokens"] = u.ImageOutputTokens
+	}
+	return m
+}
+
 // ProcessLine 处理 SSE 行，返回 Claude SSE 事件
 func (p *StreamingProcessor) ProcessLine(line string) []byte {
 	line = strings.TrimSpace(line)
@@ -172,6 +198,13 @@ func (p *StreamingProcessor) emitMessageStart(v1Resp *V1InternalResponse) []byte
 		responseID = "msg_" + generateRandomID()
 	}
 
+	var usageValue any = usage
+	if p.usageMapHook != nil {
+		usageMap := usageToMap(usage)
+		p.usageMapHook(usageMap)
+		usageValue = usageMap
+	}
+
 	message := map[string]any{
 		"id":            responseID,
 		"type":          "message",
@@ -180,7 +213,7 @@ func (p *StreamingProcessor) emitMessageStart(v1Resp *V1InternalResponse) []byte
 		"model":         p.originalModel,
 		"stop_reason":   nil,
 		"stop_sequence": nil,
-		"usage":         usage,
+		"usage":         usageValue,
 	}
 
 	event := map[string]any{
@@ -492,13 +525,20 @@ func (p *StreamingProcessor) emitFinish(finishReason string) []byte {
 		ImageOutputTokens:    p.imageOutputTokens,
 	}
 
+	var usageValue any = usage
+	if p.usageMapHook != nil {
+		usageMap := usageToMap(usage)
+		p.usageMapHook(usageMap)
+		usageValue = usageMap
+	}
+
 	deltaEvent := map[string]any{
 		"type": "message_delta",
 		"delta": map[string]any{
 			"stop_reason":   stopReason,
 			"stop_sequence": nil,
 		},
-		"usage": usage,
+		"usage": usageValue,
 	}
 
 	_, _ = result.Write(p.formatSSE("message_delta", deltaEvent))
diff --git a/backend/internal/pkg/apicompat/chatcompletions_to_responses.go b/backend/internal/pkg/apicompat/chatcompletions_to_responses.go
index dc157a6d..c2725406 100644
--- a/backend/internal/pkg/apicompat/chatcompletions_to_responses.go
+++ b/backend/internal/pkg/apicompat/chatcompletions_to_responses.go
@@ -27,13 +27,14 @@ func ChatCompletionsToResponses(req *ChatCompletionsRequest) (*ResponsesRequest,
 	}
 
 	out := &ResponsesRequest{
-		Model:       req.Model,
-		Input:       inputJSON,
-		Temperature: req.Temperature,
-		TopP:        req.TopP,
-		Stream:      true, // upstream always streams
-		Include:     []string{"reasoning.encrypted_content"},
-		ServiceTier: req.ServiceTier,
+		Model:        req.Model,
+		Instructions: req.Instructions,
+		Input:        inputJSON,
+		Temperature:  req.Temperature,
+		TopP:         req.TopP,
+		Stream:       true, // upstream always streams
+		Include:      []string{"reasoning.encrypted_content"},
+		ServiceTier:  req.ServiceTier,
 	}
 
 	storeFalse := false
diff --git a/backend/internal/pkg/apicompat/types.go b/backend/internal/pkg/apicompat/types.go
index b383f867..e0d1a53e 100644
--- a/backend/internal/pkg/apicompat/types.go
+++ b/backend/internal/pkg/apicompat/types.go
@@ -152,6 +152,7 @@ type AnthropicDelta struct {
 // ResponsesRequest is the request body for POST /v1/responses.
 type ResponsesRequest struct {
 	Model           string              `json:"model"`
+	Instructions    string              `json:"instructions,omitempty"`
 	Input           json.RawMessage     `json:"input"` // string or []ResponsesInputItem
 	MaxOutputTokens *int                `json:"max_output_tokens,omitempty"`
 	Temperature     *float64            `json:"temperature,omitempty"`
@@ -337,6 +338,7 @@ type ResponsesStreamEvent struct {
 type ChatCompletionsRequest struct {
 	Model               string             `json:"model"`
 	Messages            []ChatMessage      `json:"messages"`
+	Instructions        string             `json:"instructions,omitempty"` // OpenAI Responses API compat
 	MaxTokens           *int               `json:"max_tokens,omitempty"`
 	MaxCompletionTokens *int               `json:"max_completion_tokens,omitempty"`
 	Temperature         *float64           `json:"temperature,omitempty"`
diff --git a/backend/internal/pkg/logger/logger_test.go b/backend/internal/pkg/logger/logger_test.go
index 74aae061..06a277a4 100644
--- a/backend/internal/pkg/logger/logger_test.go
+++ b/backend/internal/pkg/logger/logger_test.go
@@ -10,7 +10,13 @@ import (
 )
 
 func TestInit_DualOutput(t *testing.T) {
-	tmpDir := t.TempDir()
+	// Use os.MkdirTemp instead of t.TempDir to avoid cleanup failures
+	// when lumberjack holds file handles on Windows.
+	tmpDir, err := os.MkdirTemp("", "logger-test-*")
+	if err != nil {
+		t.Fatalf("create temp dir: %v", err)
+	}
+	t.Cleanup(func() { _ = os.RemoveAll(tmpDir) })
 	logPath := filepath.Join(tmpDir, "logs", "sub2api.log")
 
 	origStdout := os.Stdout
@@ -57,7 +63,9 @@ func TestInit_DualOutput(t *testing.T) {
 
 	L().Info("dual-output-info")
 	L().Warn("dual-output-warn")
-	Sync()
+
+	// Skip Sync() — on Windows, fsync on pipes deadlocks (FlushFileBuffers).
+	// The log data is already in the pipe buffer; closing writers is sufficient.
 
 	_ = stdoutW.Close()
 	_ = stderrW.Close()
@@ -166,7 +174,9 @@ func TestInit_CallerShouldPointToCallsite(t *testing.T) {
 	}
 
 	L().Info("caller-check")
-	Sync()
+	// Skip Sync() — on Windows, fsync on pipes deadlocks (FlushFileBuffers).
+	os.Stdout = origStdout
+	os.Stderr = origStderr
 	_ = stdoutW.Close()
 	logBytes, _ := io.ReadAll(stdoutR)
 
diff --git a/backend/internal/pkg/logger/stdlog_bridge_test.go b/backend/internal/pkg/logger/stdlog_bridge_test.go
index 4482a2ec..30d25b33 100644
--- a/backend/internal/pkg/logger/stdlog_bridge_test.go
+++ b/backend/internal/pkg/logger/stdlog_bridge_test.go
@@ -77,7 +77,7 @@ func TestStdLogBridgeRoutesLevels(t *testing.T) {
 	log.Printf("service started")
 	log.Printf("Warning: queue full")
 	log.Printf("Forward request failed: timeout")
-	Sync()
+	// Skip Sync() — on Windows, fsync on pipes deadlocks (FlushFileBuffers).
 
 	_ = stdoutW.Close()
 	_ = stderrW.Close()
@@ -139,7 +139,7 @@ func TestLegacyPrintfRoutesLevels(t *testing.T) {
 	LegacyPrintf("service.test", "request started")
 	LegacyPrintf("service.test", "Warning: queue full")
 	LegacyPrintf("service.test", "forward failed: timeout")
-	Sync()
+	// Skip Sync() — on Windows, fsync on pipes deadlocks (FlushFileBuffers).
 
 	_ = stdoutW.Close()
 	_ = stderrW.Close()
diff --git a/backend/internal/repository/usage_billing_repo.go b/backend/internal/repository/usage_billing_repo.go
index cd54baa3..2b6edad3 100644
--- a/backend/internal/repository/usage_billing_repo.go
+++ b/backend/internal/repository/usage_billing_repo.go
@@ -113,9 +113,11 @@ func (r *usageBillingRepository) applyUsageBillingEffects(ctx context.Context, t
 	}
 
 	if cmd.BalanceCost > 0 {
-		if err := deductUsageBillingBalance(ctx, tx, cmd.UserID, cmd.BalanceCost); err != nil {
+		newBalance, err := deductUsageBillingBalance(ctx, tx, cmd.UserID, cmd.BalanceCost)
+		if err != nil {
 			return err
 		}
+		result.NewBalance = &newBalance
 	}
 
 	if cmd.APIKeyQuotaCost > 0 {
@@ -133,9 +135,11 @@ func (r *usageBillingRepository) applyUsageBillingEffects(ctx context.Context, t
 	}
 
 	if cmd.AccountQuotaCost > 0 && (strings.EqualFold(cmd.AccountType, service.AccountTypeAPIKey) || strings.EqualFold(cmd.AccountType, service.AccountTypeBedrock)) {
-		if err := incrementUsageBillingAccountQuota(ctx, tx, cmd.AccountID, cmd.AccountQuotaCost); err != nil {
+		quotaState, err := incrementUsageBillingAccountQuota(ctx, tx, cmd.AccountID, cmd.AccountQuotaCost)
+		if err != nil {
 			return err
 		}
+		result.QuotaState = quotaState
 	}
 
 	return nil
@@ -169,24 +173,22 @@ func incrementUsageBillingSubscription(ctx context.Context, tx *sql.Tx, subscrip
 	return service.ErrSubscriptionNotFound
 }
 
-func deductUsageBillingBalance(ctx context.Context, tx *sql.Tx, userID int64, amount float64) error {
-	res, err := tx.ExecContext(ctx, `
+func deductUsageBillingBalance(ctx context.Context, tx *sql.Tx, userID int64, amount float64) (float64, error) {
+	var newBalance float64
+	err := tx.QueryRowContext(ctx, `
 		UPDATE users
 		SET balance = balance - $1,
 			updated_at = NOW()
 		WHERE id = $2 AND deleted_at IS NULL
-	`, amount, userID)
+		RETURNING balance
+	`, amount, userID).Scan(&newBalance)
+	if errors.Is(err, sql.ErrNoRows) {
+		return 0, service.ErrUserNotFound
+	}
 	if err != nil {
-		return err
+		return 0, err
 	}
-	affected, err := res.RowsAffected()
-	if err != nil {
-		return err
-	}
-	if affected > 0 {
-		return nil
-	}
-	return service.ErrUserNotFound
+	return newBalance, nil
 }
 
 func incrementUsageBillingAPIKeyQuota(ctx context.Context, tx *sql.Tx, apiKeyID int64, amount float64) (bool, error) {
@@ -240,7 +242,7 @@ func incrementUsageBillingAPIKeyRateLimit(ctx context.Context, tx *sql.Tx, apiKe
 	return nil
 }
 
-func incrementUsageBillingAccountQuota(ctx context.Context, tx *sql.Tx, accountID int64, amount float64) error {
+func incrementUsageBillingAccountQuota(ctx context.Context, tx *sql.Tx, accountID int64, amount float64) (*service.AccountQuotaState, error) {
 	rows, err := tx.QueryContext(ctx,
 		`UPDATE accounts SET extra = (
 			COALESCE(extra, '{}'::jsonb)
@@ -279,32 +281,40 @@ func incrementUsageBillingAccountQuota(ctx context.Context, tx *sql.Tx, accountI
 		WHERE id = $2 AND deleted_at IS NULL
 		RETURNING
 			COALESCE((extra->>'quota_used')::numeric, 0),
-			COALESCE((extra->>'quota_limit')::numeric, 0)`,
+			COALESCE((extra->>'quota_limit')::numeric, 0),
+			COALESCE((extra->>'quota_daily_used')::numeric, 0),
+			COALESCE((extra->>'quota_daily_limit')::numeric, 0),
+			COALESCE((extra->>'quota_weekly_used')::numeric, 0),
+			COALESCE((extra->>'quota_weekly_limit')::numeric, 0)`,
 		amount, accountID)
 	if err != nil {
-		return err
+		return nil, err
 	}
 	defer func() { _ = rows.Close() }()
 
-	var newUsed, limit float64
+	var state service.AccountQuotaState
 	if rows.Next() {
-		if err := rows.Scan(&newUsed, &limit); err != nil {
-			return err
+		if err := rows.Scan(
+			&state.TotalUsed, &state.TotalLimit,
+			&state.DailyUsed, &state.DailyLimit,
+			&state.WeeklyUsed, &state.WeeklyLimit,
+		); err != nil {
+			return nil, err
 		}
 	} else {
 		if err := rows.Err(); err != nil {
-			return err
+			return nil, err
 		}
-		return service.ErrAccountNotFound
+		return nil, service.ErrAccountNotFound
 	}
 	if err := rows.Err(); err != nil {
-		return err
+		return nil, err
 	}
-	if limit > 0 && newUsed >= limit && (newUsed-amount) < limit {
+	if state.TotalLimit > 0 && state.TotalUsed >= state.TotalLimit && (state.TotalUsed-amount) < state.TotalLimit {
 		if err := enqueueSchedulerOutbox(ctx, tx, service.SchedulerOutboxEventAccountChanged, &accountID, nil, nil); err != nil {
 			logger.LegacyPrintf("repository.usage_billing", "[SchedulerOutbox] enqueue quota exceeded failed: account=%d err=%v", accountID, err)
-			return err
+			return nil, err
 		}
 	}
-	return nil
+	return &state, nil
 }
diff --git a/backend/internal/repository/user_group_rate_repo.go b/backend/internal/repository/user_group_rate_repo.go
index e2471ae5..eca5313f 100644
--- a/backend/internal/repository/user_group_rate_repo.go
+++ b/backend/internal/repository/user_group_rate_repo.go
@@ -100,7 +100,7 @@ func (r *userGroupRateRepository) GetByGroupID(ctx context.Context, groupID int6
 	query := `
 		SELECT ugr.user_id, u.username, u.email, COALESCE(u.notes, ''), u.status, ugr.rate_multiplier
 		FROM user_group_rate_multipliers ugr
-		JOIN users u ON u.id = ugr.user_id
+		JOIN users u ON u.id = ugr.user_id AND u.deleted_at IS NULL
 		WHERE ugr.group_id = $1
 		ORDER BY ugr.user_id
 	`
diff --git a/backend/internal/server/routes/payment.go b/backend/internal/server/routes/payment.go
index 8def7559..23bd58ad 100644
--- a/backend/internal/server/routes/payment.go
+++ b/backend/internal/server/routes/payment.go
@@ -26,6 +26,7 @@ func RegisterPaymentRoutes(
 	authenticated.Use(middleware.BackendModeUserGuard(settingService))
 	{
 		authenticated.GET("/config", paymentHandler.GetPaymentConfig)
+		authenticated.GET("/checkout-info", paymentHandler.GetCheckoutInfo)
 		authenticated.GET("/plans", paymentHandler.GetPlans)
 		authenticated.GET("/channels", paymentHandler.GetChannels)
 		authenticated.GET("/limits", paymentHandler.GetLimits)
@@ -33,6 +34,7 @@ func RegisterPaymentRoutes(
 		orders := authenticated.Group("/orders")
 		{
 			orders.POST("", paymentHandler.CreateOrder)
+			orders.POST("/verify", paymentHandler.VerifyOrder)
 			orders.GET("/my", paymentHandler.GetMyOrders)
 			orders.GET("/:id", paymentHandler.GetOrder)
 			orders.POST("/:id/cancel", paymentHandler.CancelOrder)
@@ -52,6 +54,8 @@ func RegisterPaymentRoutes(
 	// --- Webhook endpoints (no auth) ---
 	webhook := v1.Group("/payment/webhook")
 	{
+		// EasyPay sends GET callbacks with query params
+		webhook.GET("/easypay", webhookHandler.EasyPayNotify)
 		webhook.POST("/easypay", webhookHandler.EasyPayNotify)
 		webhook.POST("/alipay", webhookHandler.AlipayNotify)
 		webhook.POST("/wxpay", webhookHandler.WxpayNotify)
diff --git a/backend/internal/service/api_key_auth_cache_impl.go b/backend/internal/service/api_key_auth_cache_impl.go
index 25c6331a..2bd9a091 100644
--- a/backend/internal/service/api_key_auth_cache_impl.go
+++ b/backend/internal/service/api_key_auth_cache_impl.go
@@ -6,6 +6,7 @@ import (
 	"encoding/hex"
 	"errors"
 	"fmt"
+	"log/slog"
 	"math/rand/v2"
 	"time"
 
@@ -99,7 +100,7 @@ func (s *APIKeyService) StartAuthCacheInvalidationSubscriber(ctx context.Context
 		s.authCacheL1.Del(cacheKey)
 	}); err != nil {
 		// Log but don't fail - L1 cache will still work, just without cross-instance invalidation
-		println("[Service] Warning: failed to start auth cache invalidation subscriber:", err.Error())
+		slog.Warn("failed to start auth cache invalidation subscriber", "error", err)
 	}
 }
 
diff --git a/backend/internal/service/channel_service.go b/backend/internal/service/channel_service.go
index aa5e2ceb..c29550d9 100644
--- a/backend/internal/service/channel_service.go
+++ b/backend/internal/service/channel_service.go
@@ -81,9 +81,9 @@ type wildcardMappingEntry struct {
 type channelCache struct {
 	// 热路径查找
 	pricingByGroupModel     map[channelModelKey]*ChannelModelPricing            // (groupID, platform, model) → 定价
-	wildcardByGroupPlatform map[channelGroupPlatformKey][]*wildcardPricingEntry // (groupID, platform) → 通配符定价（前缀长度降序）
+	wildcardByGroupPlatform map[channelGroupPlatformKey][]*wildcardPricingEntry // (groupID, platform) → 通配符定价（按配置顺序，先匹配先使用）
 	mappingByGroupModel     map[channelModelKey]string                          // (groupID, platform, model) → 映射目标
-	wildcardMappingByGP     map[channelGroupPlatformKey][]*wildcardMappingEntry // (groupID, platform) → 通配符映射（前缀长度降序）
+	wildcardMappingByGP     map[channelGroupPlatformKey][]*wildcardMappingEntry // (groupID, platform) → 通配符映射（按配置顺序，先匹配先使用）
 	channelByGroupID        map[int64]*Channel                                  // groupID → 渠道
 	groupPlatform           map[int64]string                                    // groupID → platform
 
@@ -680,6 +680,7 @@ func (s *ChannelService) Create(ctx context.Context, input *CreateChannelInput)
 		ModelPricing:               input.ModelPricing,
 		ModelMapping:               input.ModelMapping,
 		Features:                   input.Features,
+		FeaturesConfig:             input.FeaturesConfig,
 		ApplyPricingToAccountStats: input.ApplyPricingToAccountStats,
 		AccountStatsPricingRules:   input.AccountStatsPricingRules,
 	}
@@ -780,6 +781,9 @@ func (s *ChannelService) applyUpdateInput(ctx context.Context, channel *Channel,
 	if input.BillingModelSource != "" {
 		channel.BillingModelSource = input.BillingModelSource
 	}
+	if input.FeaturesConfig != nil {
+		channel.FeaturesConfig = input.FeaturesConfig
+	}
 	if input.ApplyPricingToAccountStats != nil {
 		channel.ApplyPricingToAccountStats = *input.ApplyPricingToAccountStats
 	}
@@ -959,6 +963,7 @@ type CreateChannelInput struct {
 	BillingModelSource         string
 	RestrictModels             bool
 	Features                   string
+	FeaturesConfig             map[string]any
 	ApplyPricingToAccountStats bool
 	AccountStatsPricingRules   []AccountStatsPricingRule
 }
@@ -974,6 +979,7 @@ type UpdateChannelInput struct {
 	BillingModelSource         string
 	RestrictModels             *bool
 	Features                   *string
+	FeaturesConfig             map[string]any
 	ApplyPricingToAccountStats *bool
 	AccountStatsPricingRules   *[]AccountStatsPricingRule
 }
diff --git a/backend/internal/service/concurrency_service.go b/backend/internal/service/concurrency_service.go
index 217b83d6..386d5ed0 100644
--- a/backend/internal/service/concurrency_service.go
+++ b/backend/internal/service/concurrency_service.go
@@ -343,8 +343,9 @@ func (s *ConcurrencyService) StartSlotCleanupWorker(accountRepo AccountRepositor
 	}()
 }
 
-// GetAccountConcurrencyBatch gets current concurrency counts for multiple accounts
-// Returns a map of accountID -> current concurrency count
+// GetAccountConcurrencyBatch gets current concurrency counts for multiple accounts.
+// Uses a detached context with timeout to prevent HTTP request cancellation from
+// causing the entire batch to fail (which would show all concurrency as 0).
 func (s *ConcurrencyService) GetAccountConcurrencyBatch(ctx context.Context, accountIDs []int64) (map[int64]int, error) {
 	if len(accountIDs) == 0 {
 		return map[int64]int{}, nil
@@ -356,5 +357,11 @@ func (s *ConcurrencyService) GetAccountConcurrencyBatch(ctx context.Context, acc
 		}
 		return result, nil
 	}
-	return s.cache.GetAccountConcurrencyBatch(ctx, accountIDs)
+
+	// Use a detached context so that a cancelled HTTP request doesn't cause
+	// the Redis pipeline to fail and return all-zero concurrency counts.
+	redisCtx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
+	defer cancel()
+
+	return s.cache.GetAccountConcurrencyBatch(redisCtx, accountIDs)
 }
diff --git a/backend/internal/service/gateway_websearch_emulation.go b/backend/internal/service/gateway_websearch_emulation.go
index 0d0b5480..a42b5585 100644
--- a/backend/internal/service/gateway_websearch_emulation.go
+++ b/backend/internal/service/gateway_websearch_emulation.go
@@ -214,17 +214,23 @@ func writeWebSearchStreamResponse(
 ) (*ForwardResult, error) {
 	msgID := webSearchMsgIDPrefix + uuid.New().String()
 	toolUseID := webSearchToolUseIDPrefix + uuid.New().String()[:16]
+	textSummary := buildTextSummary(query, resp.Results)
 
 	setSSEHeaders(c)
-	if err := writeSSEMessageStart(c.Writer, msgID, model); err != nil {
-		return nil, fmt.Errorf("web search emulation: SSE write: %w", err)
+	w := c.Writer
+	for _, fn := range []func() error{
+		func() error { return writeSSEMessageStart(w, msgID, model) },
+		func() error { return writeSSEServerToolUse(w, toolUseID, query, 0) },
+		func() error { return writeSSEToolResult(w, toolUseID, resp.Results, 1) },
+		func() error { return writeSSETextBlock(w, textSummary, 2) },
+		func() error { return writeSSEMessageEnd(w, len(textSummary)/tokenEstimateDivisor) },
+	} {
+		if err := fn(); err != nil {
+			slog.Warn("web search emulation: SSE write failed, stopping", "error", err)
+			break
+		}
 	}
-	writeSSEServerToolUse(c.Writer, toolUseID, query, 0)
-	writeSSEToolResult(c.Writer, toolUseID, resp.Results, 1)
-	textSummary := buildTextSummary(query, resp.Results)
-	writeSSETextBlock(c.Writer, textSummary, 2)
-	writeSSEMessageEnd(c.Writer, len(textSummary)/tokenEstimateDivisor)
-	c.Writer.Flush()
+	w.Flush()
 
 	return &ForwardResult{Model: model, Duration: time.Since(startTime), Usage: ClaudeUsage{}}, nil
 }
@@ -249,7 +255,7 @@ func writeSSEMessageStart(w http.ResponseWriter, msgID, model string) error {
 	return flushSSEJSON(w, "message_start", evt)
 }
 
-func writeSSEServerToolUse(w http.ResponseWriter, toolUseID, query string, index int) {
+func writeSSEServerToolUse(w http.ResponseWriter, toolUseID, query string, index int) error {
 	start := map[string]any{
 		"type": "content_block_start", "index": index,
 		"content_block": map[string]any{
@@ -257,11 +263,13 @@ func writeSSEServerToolUse(w http.ResponseWriter, toolUseID, query string, index
 			"name": toolNameWebSearch, "input": map[string]string{"query": query},
 		},
 	}
-	_ = flushSSEJSON(w, "content_block_start", start)
-	_ = flushSSEJSON(w, "content_block_stop", map[string]any{"type": "content_block_stop", "index": index})
+	if err := flushSSEJSON(w, "content_block_start", start); err != nil {
+		return err
+	}
+	return flushSSEJSON(w, "content_block_stop", map[string]any{"type": "content_block_stop", "index": index})
 }
 
-func writeSSEToolResult(w http.ResponseWriter, toolUseID string, results []websearch.SearchResult, index int) {
+func writeSSEToolResult(w http.ResponseWriter, toolUseID string, results []websearch.SearchResult, index int) error {
 	start := map[string]any{
 		"type": "content_block_start", "index": index,
 		"content_block": map[string]any{
@@ -269,40 +277,48 @@ func writeSSEToolResult(w http.ResponseWriter, toolUseID string, results []webse
 			"content": buildSearchResultBlocks(results),
 		},
 	}
-	_ = flushSSEJSON(w, "content_block_start", start)
-	_ = flushSSEJSON(w, "content_block_stop", map[string]any{"type": "content_block_stop", "index": index})
+	if err := flushSSEJSON(w, "content_block_start", start); err != nil {
+		return err
+	}
+	return flushSSEJSON(w, "content_block_stop", map[string]any{"type": "content_block_stop", "index": index})
 }
 
-func writeSSETextBlock(w http.ResponseWriter, text string, index int) {
-	_ = flushSSEJSON(w, "content_block_start", map[string]any{
+func writeSSETextBlock(w http.ResponseWriter, text string, index int) error {
+	if err := flushSSEJSON(w, "content_block_start", map[string]any{
 		"type": "content_block_start", "index": index,
 		"content_block": map[string]any{"type": "text", "text": ""},
-	})
-	_ = flushSSEJSON(w, "content_block_delta", map[string]any{
+	}); err != nil {
+		return err
+	}
+	if err := flushSSEJSON(w, "content_block_delta", map[string]any{
 		"type": "content_block_delta", "index": index,
 		"delta": map[string]string{"type": "text_delta", "text": text},
-	})
-	_ = flushSSEJSON(w, "content_block_stop", map[string]any{"type": "content_block_stop", "index": index})
+	}); err != nil {
+		return err
+	}
+	return flushSSEJSON(w, "content_block_stop", map[string]any{"type": "content_block_stop", "index": index})
 }
 
-func writeSSEMessageEnd(w http.ResponseWriter, outputTokens int) {
-	_ = flushSSEJSON(w, "message_delta", map[string]any{
+func writeSSEMessageEnd(w http.ResponseWriter, outputTokens int) error {
+	if err := flushSSEJSON(w, "message_delta", map[string]any{
 		"type":  "message_delta",
 		"delta": map[string]any{"stop_reason": "end_turn", "stop_sequence": nil},
 		"usage": map[string]int{"output_tokens": outputTokens},
-	})
-	_ = flushSSEJSON(w, "message_stop", map[string]string{"type": "message_stop"})
+	}); err != nil {
+		return err
+	}
+	return flushSSEJSON(w, "message_stop", map[string]string{"type": "message_stop"})
 }
 
-// flushSSEJSON marshals data to JSON and writes an SSE event. Returns error on marshal failure.
+// flushSSEJSON marshals data to JSON and writes an SSE event.
 func flushSSEJSON(w http.ResponseWriter, event string, data any) error {
 	b, err := json.Marshal(data)
 	if err != nil {
-		slog.Error("web search emulation: failed to marshal SSE event",
-			"event", event, "error", err)
-		return err
+		return fmt.Errorf("marshal: %w", err)
+	}
+	if _, err := fmt.Fprintf(w, "event: %s\ndata: %s\n\n", event, b); err != nil {
+		return fmt.Errorf("write: %w", err)
 	}
-	fmt.Fprintf(w, "event: %s\ndata: %s\n\n", event, b)
 	if f, ok := w.(http.Flusher); ok {
 		f.Flush()
 	}
diff --git a/backend/internal/service/ops_concurrency.go b/backend/internal/service/ops_concurrency.go
index ad303d92..69b513af 100644
--- a/backend/internal/service/ops_concurrency.go
+++ b/backend/internal/service/ops_concurrency.go
@@ -64,12 +64,9 @@ func (s *OpsService) getAccountsLoadMapBestEffort(ctx context.Context, accounts
 		if acc.ID <= 0 {
 			continue
 		}
-		c := acc.Concurrency
-		if c <= 0 {
-			c = 1
-		}
-		if prev, ok := unique[acc.ID]; !ok || c > prev {
-			unique[acc.ID] = c
+		lf := acc.EffectiveLoadFactor()
+		if prev, ok := unique[acc.ID]; !ok || lf > prev {
+			unique[acc.ID] = lf
 		}
 	}
 
diff --git a/backend/internal/service/ops_metrics_collector.go b/backend/internal/service/ops_metrics_collector.go
index f93481e7..6c337071 100644
--- a/backend/internal/service/ops_metrics_collector.go
+++ b/backend/internal/service/ops_metrics_collector.go
@@ -391,7 +391,7 @@ func (c *OpsMetricsCollector) collectConcurrencyQueueDepth(parentCtx context.Con
 		}
 		batch = append(batch, AccountWithConcurrency{
 			ID:             acc.ID,
-			MaxConcurrency: acc.Concurrency,
+			MaxConcurrency: acc.EffectiveLoadFactor(),
 		})
 	}
 	if len(batch) == 0 {
diff --git a/backend/internal/service/ops_system_log_sink_test.go b/backend/internal/service/ops_system_log_sink_test.go
index 12a2ec0c..137ee33c 100644
--- a/backend/internal/service/ops_system_log_sink_test.go
+++ b/backend/internal/service/ops_system_log_sink_test.go
@@ -183,6 +183,15 @@ func TestOpsSystemLogSink_StartStopAndFlushSuccess(t *testing.T) {
 	if strings.TrimSpace(item.Message) == "" {
 		t.Fatalf("message should not be empty")
 	}
+	// writtenCount is incremented after BatchInsertSystemLogsFn returns,
+	// so poll briefly to avoid a race between the done signal and the atomic add.
+	deadline := time.Now().Add(time.Second)
+	for time.Now().Before(deadline) {
+		if sink.Health().WrittenCount > 0 {
+			break
+		}
+		time.Sleep(time.Millisecond)
+	}
 	health := sink.Health()
 	if health.WrittenCount == 0 {
 		t.Fatalf("written_count should be >0")
diff --git a/backend/internal/service/payment_config_plans.go b/backend/internal/service/payment_config_plans.go
index 6753071d..bb161a14 100644
--- a/backend/internal/service/payment_config_plans.go
+++ b/backend/internal/service/payment_config_plans.go
@@ -113,11 +113,11 @@ func (s *PaymentConfigService) GetGroupInfoMap(ctx context.Context, plans []*dbe
 }
 
 func (s *PaymentConfigService) ListPlans(ctx context.Context) ([]*dbent.SubscriptionPlan, error) {
-	return s.entClient.SubscriptionPlan.Query().Order(subscriptionplan.ByCreatedAt()).All(ctx)
+	return s.entClient.SubscriptionPlan.Query().Order(subscriptionplan.BySortOrder()).All(ctx)
 }
 
 func (s *PaymentConfigService) ListPlansForSale(ctx context.Context) ([]*dbent.SubscriptionPlan, error) {
-	return s.entClient.SubscriptionPlan.Query().Where(subscriptionplan.ForSaleEQ(true)).Order(subscriptionplan.ByCreatedAt()).All(ctx)
+	return s.entClient.SubscriptionPlan.Query().Where(subscriptionplan.ForSaleEQ(true)).Order(subscriptionplan.BySortOrder()).All(ctx)
 }
 
 func (s *PaymentConfigService) CreatePlan(ctx context.Context, req CreatePlanRequest) (*dbent.SubscriptionPlan, error) {
diff --git a/backend/internal/service/websearch_config.go b/backend/internal/service/websearch_config.go
index f528a35b..bb33368d 100644
--- a/backend/internal/service/websearch_config.go
+++ b/backend/internal/service/websearch_config.go
@@ -140,6 +140,16 @@ func (s *SettingService) SaveWebSearchEmulationConfig(ctx context.Context, cfg *
 	}
 	s.mergeExistingAPIKeys(ctx, cfg)
 
+	// After merge, validate all enabled providers have API keys
+	if cfg.Enabled {
+		for _, p := range cfg.Providers {
+			if p.APIKey == "" {
+				return infraerrors.BadRequest("MISSING_API_KEY",
+					fmt.Sprintf("provider %s has no API key configured", p.Type))
+			}
+		}
+	}
+
 	data, err := json.Marshal(cfg)
 	if err != nil {
 		return fmt.Errorf("websearch: marshal config: %w", err)
diff --git a/frontend/src/api/admin/channels.ts b/frontend/src/api/admin/channels.ts
index a13eb3e1..f129ceaa 100644
--- a/frontend/src/api/admin/channels.ts
+++ b/frontend/src/api/admin/channels.ts
@@ -49,6 +49,7 @@ export interface Channel {
   status: string
   billing_model_source: string // "requested" | "upstream"
   restrict_models: boolean
+  features_config?: Record<string, unknown>
   group_ids: number[]
   model_pricing: ChannelModelPricing[]
   model_mapping: Record<string, Record<string, string>> // platform → {src→dst}
@@ -66,6 +67,7 @@ export interface CreateChannelRequest {
   model_mapping?: Record<string, Record<string, string>>
   billing_model_source?: string
   restrict_models?: boolean
+  features_config?: Record<string, unknown>
   apply_pricing_to_account_stats?: boolean
   account_stats_pricing_rules?: AccountStatsPricingRule[]
 }
@@ -79,6 +81,7 @@ export interface UpdateChannelRequest {
   model_mapping?: Record<string, Record<string, string>>
   billing_model_source?: string
   restrict_models?: boolean
+  features_config?: Record<string, unknown>
   apply_pricing_to_account_stats?: boolean
   account_stats_pricing_rules?: AccountStatsPricingRule[]
 }
diff --git a/frontend/src/types/index.ts b/frontend/src/types/index.ts
index ebb58a21..59ccfcbe 100644
--- a/frontend/src/types/index.ts
+++ b/frontend/src/types/index.ts
@@ -429,8 +429,6 @@ export interface AdminGroup extends Group {
 
   // MCP XML 协议注入（仅 antigravity 平台使用）
   mcp_xml_inject: boolean
-  // Claude usage 模拟开关（仅 anthropic 平台使用）
-  simulate_claude_max_enabled: boolean
 
   // 支持的模型系列（仅 antigravity 平台使用）
   supported_model_scopes?: string[]
@@ -523,7 +521,6 @@ export interface CreateGroupRequest {
   fallback_group_id?: number | null
   fallback_group_id_on_invalid_request?: number | null
   mcp_xml_inject?: boolean
-  simulate_claude_max_enabled?: boolean
   supported_model_scopes?: string[]
   require_oauth_only?: boolean
   require_privacy_set?: boolean
@@ -549,7 +546,6 @@ export interface UpdateGroupRequest {
   fallback_group_id?: number | null
   fallback_group_id_on_invalid_request?: number | null
   mcp_xml_inject?: boolean
-  simulate_claude_max_enabled?: boolean
   supported_model_scopes?: string[]
   require_oauth_only?: boolean
   require_privacy_set?: boolean
@@ -691,6 +687,7 @@ export interface Account {
   // Extra fields including Codex usage and model-level rate limits (Antigravity smart retry)
   extra?: (CodexUsageSnapshot & {
     model_rate_limits?: Record<string, { rate_limited_at: string; rate_limit_reset_at: string }>
+    antigravity_credits_overages?: Record<string, { activated_at: string; active_until: string }>
   } & Record<string, unknown>)
   proxy_id: number | null
   concurrency: number
@@ -752,12 +749,6 @@ export interface Account {
   custom_base_url_enabled?: boolean | null
   custom_base_url?: string | null
 
-  // 客户端亲和调度（仅 Anthropic/Antigravity 平台有效）
-  // 启用后新会话会优先调度到客户端之前使用过的账号
-  client_affinity_enabled?: boolean | null
-  affinity_client_count?: number | null
-  affinity_clients?: string[] | null
-
   // API Key 账号配额限制
   quota_limit?: number | null
   quota_used?: number | null
@@ -1066,6 +1057,8 @@ export interface AdminUsageLog extends UsageLog {
 
   // 账号计费倍率（仅管理员可见）
   account_rate_multiplier?: number | null
+  // 自定义定价规则计算的账号统计费用（nil 时使用 total_cost * multiplier）
+  account_stats_cost?: number | null
 
   // 渠道 ID 和计费等级（仅管理员可见）
   channel_id?: number | null
diff --git a/frontend/src/views/admin/GroupsView.vue b/frontend/src/views/admin/GroupsView.vue
index a85dd269..8ab08b73 100644
--- a/frontend/src/views/admin/GroupsView.vue
+++ b/frontend/src/views/admin/GroupsView.vue
@@ -3253,6 +3253,7 @@ const editForm = reactive({
   fallback_group_id_on_invalid_request: null as number | null,
   // OpenAI Messages 调度配置（仅 openai 平台使用）
   allow_messages_dispatch: false,
+  default_mapped_model: '',
   opus_mapped_model: editMessagesDispatchDefaults.opus_mapped_model,
   sonnet_mapped_model: editMessagesDispatchDefaults.sonnet_mapped_model,
   haiku_mapped_model: editMessagesDispatchDefaults.haiku_mapped_model,
@@ -3732,6 +3733,19 @@ watch(
   },
 );
 
+watch(
+  () => editForm.platform,
+  (newVal) => {
+    if (!['anthropic', 'antigravity'].includes(newVal)) {
+      editForm.fallback_group_id_on_invalid_request = null
+    }
+    if (newVal !== 'openai') {
+      editForm.allow_messages_dispatch = false
+      editForm.default_mapped_model = ''
+    }
+  }
+)
+
 // 点击外部关闭账号搜索下拉框
 const handleClickOutside = (event: MouseEvent) => {
   const target = event.target as HTMLElement;
diff --git a/frontend/src/views/admin/UsageView.vue b/frontend/src/views/admin/UsageView.vue
index 7972f669..495ca7ad 100644
--- a/frontend/src/views/admin/UsageView.vue
+++ b/frontend/src/views/admin/UsageView.vue
@@ -495,7 +495,7 @@ const exportToExcel = async () => {
         log.cache_read_cost?.toFixed(6) || '0.000000', log.cache_creation_cost?.toFixed(6) || '0.000000',
         log.rate_multiplier?.toPrecision(4) || '1.00', (log.account_rate_multiplier ?? 1).toPrecision(4),
         log.total_cost?.toFixed(6) || '0.000000', log.actual_cost?.toFixed(6) || '0.000000',
-        (log.total_cost * (log.account_rate_multiplier ?? 1)).toFixed(6), log.first_token_ms ?? '', log.duration_ms,
+        ((log.account_stats_cost ?? log.total_cost) * (log.account_rate_multiplier ?? 1)).toFixed(6), log.first_token_ms ?? '', log.duration_ms,
         log.request_id || '', log.user_agent || '', log.ip_address || ''
       ])
       if (rows.length) {
diff --git a/frontend/src/views/admin/orders/AdminPaymentPlansView.vue b/frontend/src/views/admin/orders/AdminPaymentPlansView.vue
index 28b82da5..876b2aa1 100644
--- a/frontend/src/views/admin/orders/AdminPaymentPlansView.vue
+++ b/frontend/src/views/admin/orders/AdminPaymentPlansView.vue
@@ -117,6 +117,7 @@ function getPlanNameClass(groupId: number): string {
   return group ? platformTextClass(group.platform) : 'text-gray-900 dark:text-white'
 }
 
+
 // ==================== Plans ====================
 
 const plansLoading = ref(false)
@@ -133,6 +134,7 @@ const planColumns = computed((): Column[] => [
   { key: 'price', label: t('payment.admin.price') },
   { key: 'validity_days', label: t('payment.admin.validityDays') },
   { key: 'for_sale', label: t('payment.admin.forSale') },
+  { key: 'sort_order', label: t('payment.admin.sortOrder') },
   { key: 'actions', label: t('common.actions') },
 ])
 
@@ -157,6 +159,7 @@ function openPlanEdit(plan: SubscriptionPlan | null) {
   showPlanDialog.value = true
 }
 
+
 /** Quick toggle for_sale from the list */
 async function toggleForSale(plan: SubscriptionPlan) {
   try {
diff --git a/frontend/src/views/admin/orders/PlanEditDialog.vue b/frontend/src/views/admin/orders/PlanEditDialog.vue
index 17c8084f..acc70bef 100644
--- a/frontend/src/views/admin/orders/PlanEditDialog.vue
+++ b/frontend/src/views/admin/orders/PlanEditDialog.vue
@@ -42,6 +42,9 @@
         <div><label class="input-label">{{ t('payment.admin.validityDays') }} <span class="text-red-500">*</span></label><input v-model.number="planForm.validity_days" type="number" min="1" class="input" required /></div>
         <div><label class="input-label">{{ t('payment.admin.validityUnit') }} <span class="text-red-500">*</span></label><Select v-model="planForm.validity_unit" :options="validityUnitOptions" /></div>
       </div>
+      <div class="grid grid-cols-2 gap-4">
+        <div><label class="input-label">{{ t('payment.admin.sortOrder') }}</label><input v-model.number="planForm.sort_order" type="number" min="0" class="input" /></div>
+      </div>
       <div>
         <label class="input-label">{{ t('payment.admin.features') }}</label>
         <textarea v-model="planFeaturesText" rows="3" class="input" :placeholder="t('payment.admin.featuresPlaceholder')"></textarea>
@@ -102,7 +105,7 @@ const { t } = useI18n()
 const appStore = useAppStore()
 
 const saving = ref(false)
-const planForm = reactive({ name: '', group_id: null as number | null, description: '', price: 0, original_price: 0, validity_days: 30, validity_unit: 'days', for_sale: true })
+const planForm = reactive({ name: '', group_id: null as number | null, description: '', price: 0, original_price: 0, validity_days: 30, validity_unit: 'days', sort_order: 0, for_sale: true })
 const planFeaturesText = ref('')
 
 const validityUnitOptions = computed(() => [
@@ -130,10 +133,10 @@ const selectedGroupInfo = computed(() => {
 watch(() => props.show, (visible) => {
   if (!visible) return
   if (props.plan) {
-    Object.assign(planForm, { name: props.plan.name, group_id: props.plan.group_id, description: props.plan.description, price: props.plan.price, original_price: props.plan.original_price || 0, validity_days: props.plan.validity_days, validity_unit: props.plan.validity_unit || 'days', for_sale: props.plan.for_sale })
+    Object.assign(planForm, { name: props.plan.name, group_id: props.plan.group_id, description: props.plan.description, price: props.plan.price, original_price: props.plan.original_price || 0, validity_days: props.plan.validity_days, validity_unit: props.plan.validity_unit || 'days', sort_order: props.plan.sort_order || 0, for_sale: props.plan.for_sale })
     planFeaturesText.value = (props.plan.features || []).join('\n')
   } else {
-    Object.assign(planForm, { name: '', group_id: null, description: '', price: 0, original_price: 0, validity_days: 30, validity_unit: 'days', for_sale: true })
+    Object.assign(planForm, { name: '', group_id: null, description: '', price: 0, original_price: 0, validity_days: 30, validity_unit: 'days', sort_order: 0, for_sale: true })
     planFeaturesText.value = ''
   }
 })
@@ -149,6 +152,7 @@ function buildPlanPayload() {
     original_price: planForm.original_price || 0,
     validity_days: planForm.validity_days,
     validity_unit: planForm.validity_unit,
+    sort_order: planForm.sort_order,
     for_sale: planForm.for_sale,
     features,
   }
diff --git a/frontend/src/views/user/PaymentResultView.vue b/frontend/src/views/user/PaymentResultView.vue
index 3c7df572..bc16918c 100644
--- a/frontend/src/views/user/PaymentResultView.vue
+++ b/frontend/src/views/user/PaymentResultView.vue
@@ -102,10 +102,12 @@ interface ReturnInfo {
 }
 const returnInfo = ref<ReturnInfo | null>(null)
 
+const SUCCESS_STATUSES = new Set(['COMPLETED', 'PAID', 'RECHARGING'])
+
 const isSuccess = computed(() => {
   // Always prioritize actual order status from backend
   if (order.value) {
-    return order.value.status === 'COMPLETED' || order.value.status === 'PAID'
+    return SUCCESS_STATUSES.has(order.value.status)
   }
   // Fallback only when order not loaded
   if (route.query.status === 'success') return true
diff --git a/frontend/src/views/user/UserOrdersView.vue b/frontend/src/views/user/UserOrdersView.vue
index 51aacf7d..ea888eb7 100644
--- a/frontend/src/views/user/UserOrdersView.vue
+++ b/frontend/src/views/user/UserOrdersView.vue
@@ -22,7 +22,7 @@
               <Icon name="x" size="sm" />
               <span>{{ t('payment.orders.cancel') }}</span>
             </button>
-            <button v-if="row.status === 'COMPLETED'" @click="openRefundDialog(row)" class="inline-flex items-center gap-1 rounded-md px-2 py-1 text-xs font-medium text-purple-600 hover:bg-purple-50 dark:text-purple-400 dark:hover:bg-purple-900/20">
+            <button v-if="canRequestRefund(row)" @click="openRefundDialog(row)" class="inline-flex items-center gap-1 rounded-md px-2 py-1 text-xs font-medium text-purple-600 hover:bg-purple-50 dark:text-purple-400 dark:hover:bg-purple-900/20">
               <Icon name="dollar" size="sm" />
               <span>{{ t('payment.orders.requestRefund') }}</span>
             </button>
@@ -102,6 +102,7 @@ const appStore = useAppStore()
 const loading = ref(false)
 const actionLoading = ref(false)
 const orders = ref<PaymentOrder[]>([])
+const refundEligibleProviders = ref<Set<string>>(new Set())
 const currentFilter = ref('')
 const cancelTargetId = ref<number | null>(null)
 const refundTarget = ref<PaymentOrder | null>(null)
@@ -171,5 +172,18 @@ async function confirmRefund() {
   }
 }
 
-onMounted(() => fetchOrders())
+function canRequestRefund(order: PaymentOrder): boolean {
+  if (order.status !== 'COMPLETED') return false
+  if (!order.provider_instance_id) return false
+  return refundEligibleProviders.value.has(order.provider_instance_id)
+}
+
+async function loadRefundEligibility() {
+  try {
+    const res = await paymentAPI.getRefundEligibleProviders()
+    refundEligibleProviders.value = new Set(res.data.provider_instance_ids || [])
+  } catch { /* ignore — default to hiding refund button */ }
+}
+
+onMounted(() => { fetchOrders(); loadRefundEligibility() })
 </script>

From 58677dd53fc8a0aa56ead0feeb87ac05b8f58018 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Tue, 14 Apr 2026 18:34:57 +0800
Subject: [PATCH 093/122] fix: merge 5 PR-related improvements

- gateway_handler: pass ParsedRequest to RecordUsage + set in gin.Context
- channel_handler: add FeaturesConfig to CRUD (WebSearch channel toggle)
- channel_repo: features_config JSONB persistence (Create/Get/Update/List)
- security_headers: add Stripe CSP domains (script-src + frame-src)
---
 .../internal/handler/admin/channel_handler.go |  6 ++
 backend/internal/handler/gateway_handler.go   |  3 +
 backend/internal/repository/channel_repo.go   | 61 ++++++++++++++-----
 .../server/middleware/security_headers.go     | 13 +++-
 4 files changed, 67 insertions(+), 16 deletions(-)

diff --git a/backend/internal/handler/admin/channel_handler.go b/backend/internal/handler/admin/channel_handler.go
index 88d27c47..9151d018 100644
--- a/backend/internal/handler/admin/channel_handler.go
+++ b/backend/internal/handler/admin/channel_handler.go
@@ -35,6 +35,7 @@ type createChannelRequest struct {
 	BillingModelSource         string                           `json:"billing_model_source" binding:"omitempty,oneof=requested upstream channel_mapped"`
 	RestrictModels             bool                             `json:"restrict_models"`
 	Features                   string                           `json:"features"`
+	FeaturesConfig             map[string]any                   `json:"features_config"`
 	ApplyPricingToAccountStats bool                             `json:"apply_pricing_to_account_stats"`
 	AccountStatsPricingRules   []accountStatsPricingRuleRequest `json:"account_stats_pricing_rules"`
 }
@@ -49,6 +50,7 @@ type updateChannelRequest struct {
 	BillingModelSource         string                            `json:"billing_model_source" binding:"omitempty,oneof=requested upstream channel_mapped"`
 	RestrictModels             *bool                             `json:"restrict_models"`
 	Features                   *string                           `json:"features"`
+	FeaturesConfig             map[string]any                    `json:"features_config"`
 	ApplyPricingToAccountStats *bool                             `json:"apply_pricing_to_account_stats"`
 	AccountStatsPricingRules   *[]accountStatsPricingRuleRequest `json:"account_stats_pricing_rules"`
 }
@@ -93,6 +95,7 @@ type channelResponse struct {
 	BillingModelSource         string                            `json:"billing_model_source"`
 	RestrictModels             bool                              `json:"restrict_models"`
 	Features                   string                            `json:"features"`
+	FeaturesConfig             map[string]any                    `json:"features_config"`
 	GroupIDs                   []int64                           `json:"group_ids"`
 	ModelPricing               []channelModelPricingResponse     `json:"model_pricing"`
 	ModelMapping               map[string]map[string]string      `json:"model_mapping"`
@@ -148,6 +151,7 @@ func channelToResponse(ch *service.Channel) *channelResponse {
 		Status:         ch.Status,
 		RestrictModels: ch.RestrictModels,
 		Features:       ch.Features,
+		FeaturesConfig: ch.FeaturesConfig,
 		GroupIDs:       ch.GroupIDs,
 		ModelMapping:   ch.ModelMapping,
 		CreatedAt:      ch.CreatedAt.Format("2006-01-02T15:04:05Z"),
@@ -379,6 +383,7 @@ func (h *ChannelHandler) Create(c *gin.Context) {
 		BillingModelSource:         req.BillingModelSource,
 		RestrictModels:             req.RestrictModels,
 		Features:                   req.Features,
+		FeaturesConfig:             req.FeaturesConfig,
 		ApplyPricingToAccountStats: req.ApplyPricingToAccountStats,
 		AccountStatsPricingRules:   statsRules,
 	})
@@ -414,6 +419,7 @@ func (h *ChannelHandler) Update(c *gin.Context) {
 		BillingModelSource:         req.BillingModelSource,
 		RestrictModels:             req.RestrictModels,
 		Features:                   req.Features,
+		FeaturesConfig:             req.FeaturesConfig,
 		ApplyPricingToAccountStats: req.ApplyPricingToAccountStats,
 	}
 	if req.ModelPricing != nil {
diff --git a/backend/internal/handler/gateway_handler.go b/backend/internal/handler/gateway_handler.go
index 8ec54420..30065463 100644
--- a/backend/internal/handler/gateway_handler.go
+++ b/backend/internal/handler/gateway_handler.go
@@ -473,6 +473,7 @@ func (h *GatewayHandler) Messages(c *gin.Context) {
 			h.submitUsageRecordTask(func(ctx context.Context) {
 				if err := h.gatewayService.RecordUsage(ctx, &service.RecordUsageInput{
 					Result:             result,
+					ParsedRequest:      parsedReq,
 					APIKey:             apiKey,
 					User:               apiKey.User,
 					Account:            account,
@@ -675,6 +676,7 @@ func (h *GatewayHandler) Messages(c *gin.Context) {
 			}
 
 			// 转发请求 - 根据账号平台分流
+			c.Set("parsed_request", parsedReq)
 			var result *service.ForwardResult
 			requestCtx := c.Request.Context()
 			if fs.SwitchCount > 0 {
@@ -813,6 +815,7 @@ func (h *GatewayHandler) Messages(c *gin.Context) {
 			h.submitUsageRecordTask(func(ctx context.Context) {
 				if err := h.gatewayService.RecordUsage(ctx, &service.RecordUsageInput{
 					Result:             result,
+					ParsedRequest:      parsedReq,
 					APIKey:             currentAPIKey,
 					User:               currentAPIKey.User,
 					Account:            account,
diff --git a/backend/internal/repository/channel_repo.go b/backend/internal/repository/channel_repo.go
index 583ce895..2cb90aab 100644
--- a/backend/internal/repository/channel_repo.go
+++ b/backend/internal/repository/channel_repo.go
@@ -41,10 +41,14 @@ func (r *channelRepository) Create(ctx context.Context, channel *service.Channel
 		if err != nil {
 			return err
 		}
+		featuresConfigJSON, err := marshalFeaturesConfig(channel.FeaturesConfig)
+		if err != nil {
+			return err
+		}
 		err = tx.QueryRowContext(ctx,
-			`INSERT INTO channels (name, description, status, model_mapping, billing_model_source, restrict_models, features, apply_pricing_to_account_stats) VALUES ($1, $2, $3, $4, $5, $6, $7, $8)
+			`INSERT INTO channels (name, description, status, model_mapping, billing_model_source, restrict_models, features, features_config, apply_pricing_to_account_stats) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)
 			 RETURNING id, created_at, updated_at`,
-			channel.Name, channel.Description, channel.Status, modelMappingJSON, channel.BillingModelSource, channel.RestrictModels, channel.Features, channel.ApplyPricingToAccountStats,
+			channel.Name, channel.Description, channel.Status, modelMappingJSON, channel.BillingModelSource, channel.RestrictModels, channel.Features, featuresConfigJSON, channel.ApplyPricingToAccountStats,
 		).Scan(&channel.ID, &channel.CreatedAt, &channel.UpdatedAt)
 		if err != nil {
 			if isUniqueViolation(err) {
@@ -80,11 +84,11 @@ func (r *channelRepository) Create(ctx context.Context, channel *service.Channel
 
 func (r *channelRepository) GetByID(ctx context.Context, id int64) (*service.Channel, error) {
 	ch := &service.Channel{}
-	var modelMappingJSON []byte
+	var modelMappingJSON, featuresConfigJSON []byte
 	err := r.db.QueryRowContext(ctx,
-		`SELECT id, name, description, status, model_mapping, billing_model_source, restrict_models, features, apply_pricing_to_account_stats, created_at, updated_at
+		`SELECT id, name, description, status, model_mapping, billing_model_source, restrict_models, features, features_config, apply_pricing_to_account_stats, created_at, updated_at
 		 FROM channels WHERE id = $1`, id,
-	).Scan(&ch.ID, &ch.Name, &ch.Description, &ch.Status, &modelMappingJSON, &ch.BillingModelSource, &ch.RestrictModels, &ch.Features, &ch.ApplyPricingToAccountStats, &ch.CreatedAt, &ch.UpdatedAt)
+	).Scan(&ch.ID, &ch.Name, &ch.Description, &ch.Status, &modelMappingJSON, &ch.BillingModelSource, &ch.RestrictModels, &ch.Features, &featuresConfigJSON, &ch.ApplyPricingToAccountStats, &ch.CreatedAt, &ch.UpdatedAt)
 	if err == sql.ErrNoRows {
 		return nil, service.ErrChannelNotFound
 	}
@@ -92,6 +96,7 @@ func (r *channelRepository) GetByID(ctx context.Context, id int64) (*service.Cha
 		return nil, fmt.Errorf("get channel: %w", err)
 	}
 	ch.ModelMapping = unmarshalModelMapping(modelMappingJSON)
+	ch.FeaturesConfig = unmarshalFeaturesConfig(featuresConfigJSON)
 
 	groupIDs, err := r.GetGroupIDs(ctx, id)
 	if err != nil {
@@ -120,10 +125,14 @@ func (r *channelRepository) Update(ctx context.Context, channel *service.Channel
 		if err != nil {
 			return err
 		}
+		featuresConfigJSON, err := marshalFeaturesConfig(channel.FeaturesConfig)
+		if err != nil {
+			return err
+		}
 		result, err := tx.ExecContext(ctx,
-			`UPDATE channels SET name = $1, description = $2, status = $3, model_mapping = $4, billing_model_source = $5, restrict_models = $6, features = $7, apply_pricing_to_account_stats = $8, updated_at = NOW()
-			 WHERE id = $9`,
-			channel.Name, channel.Description, channel.Status, modelMappingJSON, channel.BillingModelSource, channel.RestrictModels, channel.Features, channel.ApplyPricingToAccountStats, channel.ID,
+			`UPDATE channels SET name = $1, description = $2, status = $3, model_mapping = $4, billing_model_source = $5, restrict_models = $6, features = $7, features_config = $8, apply_pricing_to_account_stats = $9, updated_at = NOW()
+			 WHERE id = $10`,
+			channel.Name, channel.Description, channel.Status, modelMappingJSON, channel.BillingModelSource, channel.RestrictModels, channel.Features, featuresConfigJSON, channel.ApplyPricingToAccountStats, channel.ID,
 		)
 		if err != nil {
 			if isUniqueViolation(err) {
@@ -207,7 +216,7 @@ func (r *channelRepository) List(ctx context.Context, params pagination.Paginati
 
 	// 查询 channel 列表
 	dataQuery := fmt.Sprintf(
-		`SELECT c.id, c.name, c.description, c.status, c.model_mapping, c.billing_model_source, c.restrict_models, c.features, c.apply_pricing_to_account_stats, c.created_at, c.updated_at
+		`SELECT c.id, c.name, c.description, c.status, c.model_mapping, c.billing_model_source, c.restrict_models, c.features, c.features_config, c.apply_pricing_to_account_stats, c.created_at, c.updated_at
 		 FROM channels c WHERE %s ORDER BY %s LIMIT $%d OFFSET $%d`,
 		whereClause, channelListOrderBy(params), argIdx, argIdx+1,
 	)
@@ -223,11 +232,12 @@ func (r *channelRepository) List(ctx context.Context, params pagination.Paginati
 	var channelIDs []int64
 	for rows.Next() {
 		var ch service.Channel
-		var modelMappingJSON []byte
-		if err := rows.Scan(&ch.ID, &ch.Name, &ch.Description, &ch.Status, &modelMappingJSON, &ch.BillingModelSource, &ch.RestrictModels, &ch.Features, &ch.ApplyPricingToAccountStats, &ch.CreatedAt, &ch.UpdatedAt); err != nil {
+		var modelMappingJSON, featuresConfigJSON []byte
+		if err := rows.Scan(&ch.ID, &ch.Name, &ch.Description, &ch.Status, &modelMappingJSON, &ch.BillingModelSource, &ch.RestrictModels, &ch.Features, &featuresConfigJSON, &ch.ApplyPricingToAccountStats, &ch.CreatedAt, &ch.UpdatedAt); err != nil {
 			return nil, nil, fmt.Errorf("scan channel: %w", err)
 		}
 		ch.ModelMapping = unmarshalModelMapping(modelMappingJSON)
+		ch.FeaturesConfig = unmarshalFeaturesConfig(featuresConfigJSON)
 		channels = append(channels, ch)
 		channelIDs = append(channelIDs, ch.ID)
 	}
@@ -298,7 +308,7 @@ func channelListOrderBy(params pagination.PaginationParams) string {
 
 func (r *channelRepository) ListAll(ctx context.Context) ([]service.Channel, error) {
 	rows, err := r.db.QueryContext(ctx,
-		`SELECT id, name, description, status, model_mapping, billing_model_source, restrict_models, features, apply_pricing_to_account_stats, created_at, updated_at FROM channels ORDER BY id`,
+		`SELECT id, name, description, status, model_mapping, billing_model_source, restrict_models, features, features_config, apply_pricing_to_account_stats, created_at, updated_at FROM channels ORDER BY id`,
 	)
 	if err != nil {
 		return nil, fmt.Errorf("query all channels: %w", err)
@@ -309,11 +319,12 @@ func (r *channelRepository) ListAll(ctx context.Context) ([]service.Channel, err
 	var channelIDs []int64
 	for rows.Next() {
 		var ch service.Channel
-		var modelMappingJSON []byte
-		if err := rows.Scan(&ch.ID, &ch.Name, &ch.Description, &ch.Status, &modelMappingJSON, &ch.BillingModelSource, &ch.RestrictModels, &ch.Features, &ch.ApplyPricingToAccountStats, &ch.CreatedAt, &ch.UpdatedAt); err != nil {
+		var modelMappingJSON, featuresConfigJSON []byte
+		if err := rows.Scan(&ch.ID, &ch.Name, &ch.Description, &ch.Status, &modelMappingJSON, &ch.BillingModelSource, &ch.RestrictModels, &ch.Features, &featuresConfigJSON, &ch.ApplyPricingToAccountStats, &ch.CreatedAt, &ch.UpdatedAt); err != nil {
 			return nil, fmt.Errorf("scan channel: %w", err)
 		}
 		ch.ModelMapping = unmarshalModelMapping(modelMappingJSON)
+		ch.FeaturesConfig = unmarshalFeaturesConfig(featuresConfigJSON)
 		channels = append(channels, ch)
 		channelIDs = append(channelIDs, ch.ID)
 	}
@@ -488,6 +499,28 @@ func unmarshalModelMapping(data []byte) map[string]map[string]string {
 	return m
 }
 
+func marshalFeaturesConfig(m map[string]any) ([]byte, error) {
+	if len(m) == 0 {
+		return []byte("{}"), nil
+	}
+	data, err := json.Marshal(m)
+	if err != nil {
+		return nil, fmt.Errorf("marshal features_config: %w", err)
+	}
+	return data, nil
+}
+
+func unmarshalFeaturesConfig(data []byte) map[string]any {
+	if len(data) == 0 {
+		return nil
+	}
+	var m map[string]any
+	if err := json.Unmarshal(data, &m); err != nil {
+		return nil
+	}
+	return m
+}
+
 // GetGroupPlatforms 批量查询分组 ID 对应的平台
 func (r *channelRepository) GetGroupPlatforms(ctx context.Context, groupIDs []int64) (map[int64]string, error) {
 	if len(groupIDs) == 0 {
diff --git a/backend/internal/server/middleware/security_headers.go b/backend/internal/server/middleware/security_headers.go
index 73210bfc..7021ab2e 100644
--- a/backend/internal/server/middleware/security_headers.go
+++ b/backend/internal/server/middleware/security_headers.go
@@ -18,6 +18,8 @@ const (
 	NonceTemplate = "__CSP_NONCE__"
 	// CloudflareInsightsDomain is the domain for Cloudflare Web Analytics
 	CloudflareInsightsDomain = "https://static.cloudflareinsights.com"
+	// StripeDomain is the domain for Stripe.js SDK
+	StripeDomain = "https://*.stripe.com"
 )
 
 // GenerateNonce generates a cryptographically secure random nonce.
@@ -97,8 +99,9 @@ func isAPIRoutePath(c *gin.Context) bool {
 		strings.HasPrefix(path, "/responses")
 }
 
-// enhanceCSPPolicy ensures the CSP policy includes nonce support and Cloudflare Insights domain.
-// This allows the application to work correctly even if the config file has an older CSP policy.
+// enhanceCSPPolicy ensures the CSP policy includes nonce support, Cloudflare Insights,
+// and Stripe.js domains. This allows the application to work correctly even if the
+// config file has an older CSP policy.
 func enhanceCSPPolicy(policy string) string {
 	// Add nonce placeholder to script-src if not present
 	if !strings.Contains(policy, NonceTemplate) && !strings.Contains(policy, "'nonce-") {
@@ -110,6 +113,12 @@ func enhanceCSPPolicy(policy string) string {
 		policy = addToDirective(policy, "script-src", CloudflareInsightsDomain)
 	}
 
+	// Add Stripe.js domain to script-src and frame-src if not present
+	if !strings.Contains(policy, "stripe.com") {
+		policy = addToDirective(policy, "script-src", StripeDomain)
+		policy = addToDirective(policy, "frame-src", StripeDomain)
+	}
+
 	return policy
 }
 

From c14d739360de12741920c01ca4bbd140559a90d1 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Tue, 14 Apr 2026 18:41:09 +0800
Subject: [PATCH 094/122] fix: resolve 3 code review issues in
 allow_user_refund

1. PrepareRefund: block refund on provider instance lookup failure
   instead of silently skipping permission check (medium severity)

2. UpdateProviderInstance: allow enabling refund_enabled and
   allow_user_refund in the same request by checking req.RefundEnabled
   value before falling back to DB read

3. ExecuteRefund: only revoke subscription on ErrAdjustWouldExpire,
   abort on other errors (DB failure, not found) instead of
   unconditionally revoking
---
 .../service/payment_config_providers.go       | 14 ++++++++---
 backend/internal/service/payment_refund.go    | 25 +++++++++++++------
 2 files changed, 28 insertions(+), 11 deletions(-)

diff --git a/backend/internal/service/payment_config_providers.go b/backend/internal/service/payment_config_providers.go
index 0f7cb99a..3c406b45 100644
--- a/backend/internal/service/payment_config_providers.go
+++ b/backend/internal/service/payment_config_providers.go
@@ -231,10 +231,18 @@ func (s *PaymentConfigService) UpdateProviderInstance(ctx context.Context, id in
 		}
 	}
 	if req.AllowUserRefund != nil {
-		// Only allow enabling when refund_enabled is true
+		// Only allow enabling when refund_enabled is (or will be) true
 		if *req.AllowUserRefund {
-			inst, err := s.entClient.PaymentProviderInstance.Get(ctx, id)
-			if err == nil && inst.RefundEnabled {
+			refundEnabled := false
+			if req.RefundEnabled != nil {
+				refundEnabled = *req.RefundEnabled
+			} else {
+				inst, err := s.entClient.PaymentProviderInstance.Get(ctx, id)
+				if err == nil {
+					refundEnabled = inst.RefundEnabled
+				}
+			}
+			if refundEnabled {
 				u.SetAllowUserRefund(true)
 			}
 		} else {
diff --git a/backend/internal/service/payment_refund.go b/backend/internal/service/payment_refund.go
index 75d75b2f..99468433 100644
--- a/backend/internal/service/payment_refund.go
+++ b/backend/internal/service/payment_refund.go
@@ -2,6 +2,7 @@ package service
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"log/slog"
 	"math"
@@ -93,15 +94,16 @@ func (s *PaymentService) PrepareRefund(ctx context.Context, oid int64, amt float
 	// Check provider instance allows admin refund
 	inst, instErr := s.getOrderProviderInstance(ctx, o)
 	if instErr != nil {
-		slog.Warn("refund: provider instance not found", "orderID", oid, "error", instErr)
+		slog.Warn("refund: provider instance lookup failed", "orderID", oid, "error", instErr)
+		return nil, nil, infraerrors.InternalServer("PROVIDER_LOOKUP_FAILED", "failed to look up payment provider for this order")
 	}
-	if inst != nil && !inst.RefundEnabled {
-		return nil, nil, infraerrors.Forbidden("REFUND_DISABLED", "refund is not enabled for this provider")
-	}
-	if inst == nil && instErr == nil {
+	if inst == nil {
 		// Legacy order without provider_instance_id — block refund
 		return nil, nil, infraerrors.Forbidden("REFUND_DISABLED", "refund is not available for this order")
 	}
+	if !inst.RefundEnabled {
+		return nil, nil, infraerrors.Forbidden("REFUND_DISABLED", "refund is not enabled for this provider")
+	}
 	if math.IsNaN(amt) || math.IsInf(amt, 0) {
 		return nil, nil, infraerrors.BadRequest("INVALID_AMOUNT", "invalid refund amount")
 	}
@@ -183,10 +185,17 @@ func (s *PaymentService) ExecuteRefund(ctx context.Context, p *RefundPlan) (*Ref
 		if !s.hasAuditLog(ctx, p.OrderID, "REFUND_ROLLBACK_FAILED") {
 			_, err := s.subscriptionSvc.ExtendSubscription(ctx, p.SubscriptionID, -p.SubDaysToDeduct)
 			if err != nil {
-				slog.Info("subscription deduction would expire, revoking", "orderID", p.OrderID, "subID", p.SubscriptionID, "days", p.SubDaysToDeduct)
-				if revokeErr := s.subscriptionSvc.RevokeSubscription(ctx, p.SubscriptionID); revokeErr != nil {
+				if errors.Is(err, ErrAdjustWouldExpire) {
+					// Deduction would expire the subscription — revoke it entirely
+					slog.Info("subscription deduction would expire, revoking", "orderID", p.OrderID, "subID", p.SubscriptionID, "days", p.SubDaysToDeduct)
+					if revokeErr := s.subscriptionSvc.RevokeSubscription(ctx, p.SubscriptionID); revokeErr != nil {
+						s.restoreStatus(ctx, p)
+						return nil, fmt.Errorf("revoke subscription: %w", revokeErr)
+					}
+				} else {
+					// Other errors (DB failure, not found) — abort refund
 					s.restoreStatus(ctx, p)
-					return nil, fmt.Errorf("revoke subscription: %w", revokeErr)
+					return nil, fmt.Errorf("deduct subscription days: %w", err)
 				}
 			}
 		} else {

From 63f539b3828eccbe2bf416458447acb89c6df8bd Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Tue, 14 Apr 2026 19:29:37 +0800
Subject: [PATCH 095/122] fix: merge general improvements from release branch

Backend:
- gateway_handler: pass subject.UserID instead of int64(0) for user-level routing
- setting_handler: add missing BalanceLowNotifyRechargeURL to UpdateSettings response
- openai_gateway_service: use applyAccountStatsCost for account stats pricing integration
- embed_on: add local file override (data/public/) for embedded frontend assets

Frontend:
- useTableSelection: add batchUpdate method for batch operations
- AccountsView: virtual scrolling params, Set-based isSelected, swipe virtualization
- ProxiesView: add batchUpdate to selection and swipe-select
- BulkEditAccountModal: fix submit handler to prevent event object as argument
- SettingsView: move payload construction outside try block
- i18n: add general translation keys (saved, deleted, view, validation, allowUserRefund)
- api/client: reorder error fields for consistency
- stores/payment: clarify pollOrderStatus JSDoc
---
 .../internal/handler/admin/setting_handler.go |  1 +
 backend/internal/handler/gateway_handler.go   |  2 +-
 .../service/openai_gateway_service.go         | 11 +---
 backend/internal/web/embed_on.go              | 65 ++++++++++++++++---
 frontend/src/api/client.ts                    |  2 +-
 .../account/BulkEditAccountModal.vue          |  2 +-
 frontend/src/composables/useTableSelection.ts |  9 ++-
 frontend/src/i18n/locales/en.ts               |  7 ++
 frontend/src/i18n/locales/zh.ts               |  6 ++
 frontend/src/stores/payment.ts                |  2 +-
 frontend/src/views/admin/AccountsView.vue     | 26 ++++++--
 frontend/src/views/admin/ProxiesView.vue      |  6 +-
 frontend/src/views/admin/SettingsView.vue     | 11 ++--
 13 files changed, 114 insertions(+), 36 deletions(-)

diff --git a/backend/internal/handler/admin/setting_handler.go b/backend/internal/handler/admin/setting_handler.go
index 9b49150c..29c97b4b 100644
--- a/backend/internal/handler/admin/setting_handler.go
+++ b/backend/internal/handler/admin/setting_handler.go
@@ -1071,6 +1071,7 @@ func (h *SettingHandler) UpdateSettings(c *gin.Context) {
 		EnableCCHSigning:                     updatedSettings.EnableCCHSigning,
 		BalanceLowNotifyEnabled:              updatedSettings.BalanceLowNotifyEnabled,
 		BalanceLowNotifyThreshold:            updatedSettings.BalanceLowNotifyThreshold,
+		BalanceLowNotifyRechargeURL:          updatedSettings.BalanceLowNotifyRechargeURL,
 		AccountQuotaNotifyEnabled:            updatedSettings.AccountQuotaNotifyEnabled,
 		AccountQuotaNotifyEmails:             dto.NotifyEmailEntriesFromService(updatedSettings.AccountQuotaNotifyEmails),
 		PaymentEnabled:                       updatedPaymentCfg.Enabled,
diff --git a/backend/internal/handler/gateway_handler.go b/backend/internal/handler/gateway_handler.go
index 30065463..f5eff8c9 100644
--- a/backend/internal/handler/gateway_handler.go
+++ b/backend/internal/handler/gateway_handler.go
@@ -522,7 +522,7 @@ func (h *GatewayHandler) Messages(c *gin.Context) {
 
 		for {
 			// 选择支持该模型的账号
-			selection, err := h.gatewayService.SelectAccountWithLoadAwareness(c.Request.Context(), currentAPIKey.GroupID, sessionKey, reqModel, fs.FailedAccountIDs, parsedReq.MetadataUserID, int64(0))
+			selection, err := h.gatewayService.SelectAccountWithLoadAwareness(c.Request.Context(), currentAPIKey.GroupID, sessionKey, reqModel, fs.FailedAccountIDs, parsedReq.MetadataUserID, subject.UserID)
 			if err != nil {
 				if len(fs.FailedAccountIDs) == 0 {
 					h.handleStreamingAwareError(c, http.StatusServiceUnavailable, "api_error", "No available accounts: "+err.Error(), streamStarted)
diff --git a/backend/internal/service/openai_gateway_service.go b/backend/internal/service/openai_gateway_service.go
index 9a6fbb8f..6087b7b6 100644
--- a/backend/internal/service/openai_gateway_service.go
+++ b/backend/internal/service/openai_gateway_service.go
@@ -4575,14 +4575,9 @@ func (s *OpenAIGatewayService) RecordUsage(ctx context.Context, input *OpenAIRec
 
 	// 计算账号统计定价费用（使用最终上游模型匹配自定义规则）
 	if apiKey.GroupID != nil {
-		statsModel := result.UpstreamModel
-		if statsModel == "" {
-			statsModel = result.Model
-		}
-		usageLog.AccountStatsCost = resolveAccountStatsCost(
-			ctx, s.channelService, s.billingService,
-			account.ID, *apiKey.GroupID, statsModel,
-			tokens, 1, cost.TotalCost,
+		applyAccountStatsCost(ctx, usageLog, s.channelService, s.billingService,
+			account.ID, *apiKey.GroupID, result.UpstreamModel, result.Model,
+			tokens, cost.TotalCost,
 		)
 	}
 
diff --git a/backend/internal/web/embed_on.go b/backend/internal/web/embed_on.go
index ad5ac7d8..89d09eef 100644
--- a/backend/internal/web/embed_on.go
+++ b/backend/internal/web/embed_on.go
@@ -10,6 +10,8 @@ import (
 	"io"
 	"io/fs"
 	"net/http"
+	"os"
+	"path/filepath"
 	"strings"
 	"time"
 
@@ -32,11 +34,12 @@ type PublicSettingsProvider interface {
 
 // FrontendServer serves the embedded frontend with settings injection
 type FrontendServer struct {
-	distFS     fs.FS
-	fileServer http.Handler
-	baseHTML   []byte
-	cache      *HTMLCache
-	settings   PublicSettingsProvider
+	distFS      fs.FS
+	fileServer  http.Handler
+	baseHTML    []byte
+	cache       *HTMLCache
+	settings    PublicSettingsProvider
+	overrideDir string // local file override directory
 }
 
 // NewFrontendServer creates a new frontend server with settings injection
@@ -62,11 +65,12 @@ func NewFrontendServer(settingsProvider PublicSettingsProvider) (*FrontendServer
 	cache.SetBaseHTML(baseHTML)
 
 	return &FrontendServer{
-		distFS:     distFS,
-		fileServer: http.FileServer(http.FS(distFS)),
-		baseHTML:   baseHTML,
-		cache:      cache,
-		settings:   settingsProvider,
+		distFS:      distFS,
+		fileServer:  http.FileServer(http.FS(distFS)),
+		baseHTML:    baseHTML,
+		cache:       cache,
+		settings:    settingsProvider,
+		overrideDir: filepath.Join("data", "public"),
 	}, nil
 }
 
@@ -99,6 +103,11 @@ func (s *FrontendServer) Middleware() gin.HandlerFunc {
 			return
 		}
 
+		// Try local override first
+		if s.tryServeOverride(c, cleanPath) {
+			return
+		}
+
 		// Serve static files normally
 		s.fileServer.ServeHTTP(c.Writer, c.Request)
 		c.Abort()
@@ -114,6 +123,22 @@ func (s *FrontendServer) fileExists(path string) bool {
 	return true
 }
 
+// tryServeOverride checks if a local override file exists and serves it.
+// Files in overrideDir take precedence over embedded files.
+func (s *FrontendServer) tryServeOverride(c *gin.Context, cleanPath string) bool {
+	if s.overrideDir == "" {
+		return false
+	}
+	filePath := filepath.Join(s.overrideDir, filepath.Clean("/"+cleanPath))
+	info, err := os.Stat(filePath)
+	if err != nil || info.IsDir() {
+		return false
+	}
+	c.File(filePath)
+	c.Abort()
+	return true
+}
+
 func (s *FrontendServer) serveIndexHTML(c *gin.Context) {
 	// Get nonce from context (generated by SecurityHeaders middleware)
 	nonce := middleware.GetNonceFromContext(c)
@@ -226,6 +251,7 @@ func ServeEmbeddedFrontend() gin.HandlerFunc {
 		panic("failed to get dist subdirectory: " + err.Error())
 	}
 	fileServer := http.FileServer(http.FS(distFS))
+	overrideDir := filepath.Join("data", "public")
 
 	return func(c *gin.Context) {
 		path := c.Request.URL.Path
@@ -242,6 +268,10 @@ func ServeEmbeddedFrontend() gin.HandlerFunc {
 
 		if file, err := distFS.Open(cleanPath); err == nil {
 			_ = file.Close()
+			// Try local override first
+			if tryServeOverrideFile(c, overrideDir, cleanPath) {
+				return
+			}
 			fileServer.ServeHTTP(c.Writer, c.Request)
 			c.Abort()
 			return
@@ -251,6 +281,21 @@ func ServeEmbeddedFrontend() gin.HandlerFunc {
 	}
 }
 
+// tryServeOverrideFile is a standalone version of tryServeOverride for legacy usage.
+func tryServeOverrideFile(c *gin.Context, overrideDir, cleanPath string) bool {
+	if overrideDir == "" {
+		return false
+	}
+	filePath := filepath.Join(overrideDir, filepath.Clean("/"+cleanPath))
+	info, err := os.Stat(filePath)
+	if err != nil || info.IsDir() {
+		return false
+	}
+	c.File(filePath)
+	c.Abort()
+	return true
+}
+
 func shouldBypassEmbeddedFrontend(path string) bool {
 	trimmed := strings.TrimSpace(path)
 	return strings.HasPrefix(trimmed, "/api/") ||
diff --git a/frontend/src/api/client.ts b/frontend/src/api/client.ts
index 2908c6b1..8a586902 100644
--- a/frontend/src/api/client.ts
+++ b/frontend/src/api/client.ts
@@ -270,9 +270,9 @@ apiClient.interceptors.response.use(
       return Promise.reject({
         status,
         code: apiData.code,
+        reason: apiData.reason,
         error: apiData.error,
         message: apiData.message || apiData.detail || error.message,
-        reason: apiData.reason,
         metadata: apiData.metadata,
       })
     }
diff --git a/frontend/src/components/account/BulkEditAccountModal.vue b/frontend/src/components/account/BulkEditAccountModal.vue
index 2934fbd9..5461015b 100644
--- a/frontend/src/components/account/BulkEditAccountModal.vue
+++ b/frontend/src/components/account/BulkEditAccountModal.vue
@@ -5,7 +5,7 @@
     width="wide"
     @close="handleClose"
   >
-    <form id="bulk-edit-account-form" class="space-y-5" @submit.prevent="handleSubmit">
+    <form id="bulk-edit-account-form" class="space-y-5" @submit.prevent="() => handleSubmit()">
       <!-- Info -->
       <div class="rounded-lg bg-blue-50 p-4 dark:bg-blue-900/20">
         <p class="text-sm text-blue-700 dark:text-blue-400">
diff --git a/frontend/src/composables/useTableSelection.ts b/frontend/src/composables/useTableSelection.ts
index a65144a9..f0e096ff 100644
--- a/frontend/src/composables/useTableSelection.ts
+++ b/frontend/src/composables/useTableSelection.ts
@@ -76,6 +76,12 @@ export function useTableSelection<T>({ rows, getId }: UseTableSelectionOptions<T
     replaceSelectedSet(next)
   }
 
+  const batchUpdate = (updater: (draft: Set<number>) => void) => {
+    const draft = new Set(selectedSet.value)
+    updater(draft)
+    replaceSelectedSet(draft)
+  }
+
   const selectVisible = () => {
     toggleVisible(true)
   }
@@ -93,6 +99,7 @@ export function useTableSelection<T>({ rows, getId }: UseTableSelectionOptions<T
     clear,
     removeMany,
     toggleVisible,
-    selectVisible
+    selectVisible,
+    batchUpdate
   }
 }
diff --git a/frontend/src/i18n/locales/en.ts b/frontend/src/i18n/locales/en.ts
index 07ae3446..a9dff584 100644
--- a/frontend/src/i18n/locales/en.ts
+++ b/frontend/src/i18n/locales/en.ts
@@ -247,6 +247,8 @@ export default {
     loading: 'Loading...',
     justNow: 'just now',
     save: 'Save',
+    saved: 'Saved successfully',
+    deleted: 'Deleted successfully',
     cancel: 'Cancel',
     delete: 'Delete',
     edit: 'Edit',
@@ -304,6 +306,7 @@ export default {
     saving: 'Saving...',
     selectedCount: '({count} selected)',
     refresh: 'Refresh',
+    view: 'View',
     settings: 'Settings',
     chooseFile: 'Choose File',
     notAvailable: 'N/A',
@@ -5487,6 +5490,7 @@ export default {
       refundSuccess: 'Refund successful',
       refundInfo: 'Refund Info',
       refundEnabled: 'Refund Enabled',
+      allowUserRefund: 'Allow User Refund',
       alreadyRefunded: 'Already Refunded',
       deductBalance: 'Deduct Balance',
       deductBalanceHint: 'Subtract recharged amount from user balance',
@@ -5556,6 +5560,9 @@ export default {
       tabPlanConfig: 'Plan Configuration',
       tabUserSubs: 'User Subscriptions',
       selectGroup: 'Select a group',
+      groupRequired: 'Please select a subscription group',
+      priceRequired: 'Price must be greater than 0',
+      validityDaysRequired: 'Validity days must be greater than 0',
       groupMissing: 'Missing',
       groupInfo: 'Group Info',
       platform: 'Platform',
diff --git a/frontend/src/i18n/locales/zh.ts b/frontend/src/i18n/locales/zh.ts
index 24faaee6..c78f9a74 100644
--- a/frontend/src/i18n/locales/zh.ts
+++ b/frontend/src/i18n/locales/zh.ts
@@ -247,6 +247,8 @@ export default {
     loading: '加载中...',
     justNow: '刚刚',
     save: '保存',
+    saved: '保存成功',
+    deleted: '删除成功',
     cancel: '取消',
     delete: '删除',
     edit: '编辑',
@@ -304,6 +306,7 @@ export default {
     saving: '保存中...',
     selectedCount: '（已选 {count} 个）',
     refresh: '刷新',
+    view: '查看',
     settings: '设置',
     chooseFile: '选择文件',
     notAvailable: '不可用',
@@ -5744,6 +5747,9 @@ export default {
       tabPlanConfig: '套餐配置',
       tabUserSubs: '用户订阅',
       selectGroup: '请选择分组',
+      groupRequired: '请选择订阅分组',
+      priceRequired: '价格必须大于 0',
+      validityDaysRequired: '有效期天数必须大于 0',
       groupMissing: '缺失',
       groupInfo: '分组信息',
       platform: '平台',
diff --git a/frontend/src/stores/payment.ts b/frontend/src/stores/payment.ts
index ce2d7b3a..fc21c1f9 100644
--- a/frontend/src/stores/payment.ts
+++ b/frontend/src/stores/payment.ts
@@ -66,7 +66,7 @@ export const usePaymentStore = defineStore('payment', () => {
     return response.data
   }
 
-  /** Poll order status by ID */
+  /** Poll order status by ID (read-only, no upstream check) */
   async function pollOrderStatus(orderId: number): Promise<PaymentOrder | null> {
     try {
       const response = await paymentAPI.getOrder(orderId)
diff --git a/frontend/src/views/admin/AccountsView.vue b/frontend/src/views/admin/AccountsView.vue
index d7fae112..4fec956b 100644
--- a/frontend/src/views/admin/AccountsView.vue
+++ b/frontend/src/views/admin/AccountsView.vue
@@ -144,6 +144,7 @@
         <AccountBulkActionsBar :selected-ids="selIds" @delete="handleBulkDelete" @reset-status="handleBulkResetStatus" @refresh-token="handleBulkRefreshToken" @edit="showBulkEdit = true" @clear="clearSelection" @select-page="selectPage" @toggle-schedulable="handleBulkToggleSchedulable" />
         <div ref="accountTableRef" class="flex min-h-0 flex-1 flex-col overflow-hidden">
         <DataTable
+          ref="dataTableRef"
           :columns="cols"
           :data="accounts"
           :loading="loading"
@@ -153,6 +154,8 @@
           default-sort-key="name"
           default-sort-order="asc"
           :sort-storage-key="ACCOUNT_SORT_STORAGE_KEY"
+          :estimate-row-height="72"
+          :overscan="5"
         >
           <template #header-select>
             <input
@@ -164,7 +167,7 @@
             />
           </template>
           <template #cell-select="{ row }">
-            <input type="checkbox" :checked="selIds.includes(row.id)" @change="toggleSel(row.id)" class="rounded border-gray-300 text-primary-600 focus:ring-primary-500" />
+            <input type="checkbox" :checked="isSelected(row.id)" @change="toggleSel(row.id)" class="rounded border-gray-300 text-primary-600 focus:ring-primary-500" />
           </template>
           <template #cell-name="{ row, value }">
             <div class="flex flex-col">
@@ -197,7 +200,9 @@
             <AccountCapacityCell :account="row" />
           </template>
           <template #cell-status="{ row }">
-            <AccountStatusIndicator :account="row" @show-temp-unsched="handleShowTempUnsched" />
+            <div class="flex items-center gap-1.5">
+              <AccountStatusIndicator :account="row" @show-temp-unsched="handleShowTempUnsched" />
+            </div>
           </template>
           <template #cell-schedulable="{ row }">
             <button @click="handleToggleSchedulable(row)" :disabled="togglingSchedulable === row.id" class="relative inline-flex h-5 w-9 flex-shrink-0 cursor-pointer rounded-full border-2 border-transparent transition-colors duration-200 ease-in-out focus:outline-none focus:ring-2 focus:ring-primary-500 focus:ring-offset-2 disabled:cursor-not-allowed disabled:opacity-50 dark:focus:ring-offset-dark-800" :class="[row.schedulable ? 'bg-primary-500 hover:bg-primary-600' : 'bg-gray-200 hover:bg-gray-300 dark:bg-dark-600 dark:hover:bg-dark-500']" :title="row.schedulable ? t('admin.accounts.schedulableEnabled') : t('admin.accounts.schedulableDisabled')">
@@ -313,7 +318,7 @@ import { useAppStore } from '@/stores/app'
 import { useAuthStore } from '@/stores/auth'
 import { adminAPI } from '@/api/admin'
 import { useTableLoader } from '@/composables/useTableLoader'
-import { useSwipeSelect } from '@/composables/useSwipeSelect'
+import { useSwipeSelect, type SwipeSelectVirtualContext } from '@/composables/useSwipeSelect'
 import { useTableSelection } from '@/composables/useTableSelection'
 import AppLayout from '@/components/layout/AppLayout.vue'
 import TablePageLayout from '@/components/layout/TablePageLayout.vue'
@@ -351,6 +356,7 @@ const authStore = useAuthStore()
 const proxies = ref<AccountProxy[]>([])
 const groups = ref<AdminGroup[]>([])
 const accountTableRef = ref<HTMLElement | null>(null)
+const dataTableRef = ref<InstanceType<typeof DataTable> | null>(null)
 const selPlatforms = computed<AccountPlatform[]>(() => {
   const platforms = new Set(
     accounts.value
@@ -650,17 +656,25 @@ const {
   clear: clearSelection,
   removeMany: removeSelectedAccounts,
   toggleVisible,
-  selectVisible: selectPage
+  selectVisible: selectPage,
+  batchUpdate
 } = useTableSelection<Account>({
   rows: accounts,
   getId: (account) => account.id
 })
 
+const swipeVirtualContext: SwipeSelectVirtualContext = {
+  getVirtualizer: () => dataTableRef.value?.virtualizer ?? null,
+  getSortedData: () => dataTableRef.value?.sortedData ?? accounts.value,
+  getRowId: (row: any) => row.id,
+}
+
 useSwipeSelect(accountTableRef, {
   isSelected,
   select,
-  deselect
-})
+  deselect,
+  batchUpdate
+}, swipeVirtualContext)
 
 const resetAutoRefreshCache = () => {
   autoRefreshETag.value = null
diff --git a/frontend/src/views/admin/ProxiesView.vue b/frontend/src/views/admin/ProxiesView.vue
index 4c91c9c0..1e4df356 100644
--- a/frontend/src/views/admin/ProxiesView.vue
+++ b/frontend/src/views/admin/ProxiesView.vue
@@ -985,7 +985,8 @@ const {
   deselect,
   clear: clearSelectedProxies,
   removeMany: removeSelectedProxies,
-  toggleVisible
+  toggleVisible,
+  batchUpdate
 } = useTableSelection<Proxy>({
   rows: proxies,
   getId: (proxy) => proxy.id
@@ -993,7 +994,8 @@ const {
 useSwipeSelect(proxyTableRef, {
   isSelected,
   select,
-  deselect
+  deselect,
+  batchUpdate
 })
 const accountsProxy = ref<Proxy | null>(null)
 const proxyAccounts = ref<ProxyAccountSummary[]>([])
diff --git a/frontend/src/views/admin/SettingsView.vue b/frontend/src/views/admin/SettingsView.vue
index 77659f59..2465fa5e 100644
--- a/frontend/src/views/admin/SettingsView.vue
+++ b/frontend/src/views/admin/SettingsView.vue
@@ -4116,12 +4116,13 @@ async function handleToggleField(provider: ProviderInstance, field: 'enabled' |
   if (field === 'enabled') newValue = !provider.enabled
   else if (field === 'refund_enabled') newValue = !provider.refund_enabled
   else newValue = !provider.allow_user_refund
+
+  const payload: Record<string, boolean> = { [field]: newValue }
+  // Cascade: turning off refund_enabled also turns off allow_user_refund
+  if (field === 'refund_enabled' && !newValue) {
+    payload.allow_user_refund = false
+  }
   try {
-    const payload: Record<string, boolean> = { [field]: newValue }
-    // Cascade: turning off refund_enabled also disables allow_user_refund
-    if (field === 'refund_enabled' && !newValue) {
-      payload.allow_user_refund = false
-    }
     await adminAPI.payment.updateProvider(provider.id, payload)
     if (field === 'enabled') provider.enabled = newValue
     else if (field === 'refund_enabled') {

From a56151fec932ef72475800081811f577eac8f612 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Tue, 14 Apr 2026 19:39:22 +0800
Subject: [PATCH 096/122] refactor: extract CapacityBadge component from
 AccountCapacityCell

Extract repeated badge template (SVG icon + current/max display) into
a reusable CapacityBadge component. Reduces AccountCapacityCell from
~300 lines to ~180 lines with identical behavior.
---
 .../account/AccountCapacityCell.vue           | 303 +++++-------------
 .../src/components/account/CapacityBadge.vue  |  25 ++
 2 files changed, 114 insertions(+), 214 deletions(-)
 create mode 100644 frontend/src/components/account/CapacityBadge.vue

diff --git a/frontend/src/components/account/AccountCapacityCell.vue b/frontend/src/components/account/AccountCapacityCell.vue
index f8fe4b47..3df5b24b 100644
--- a/frontend/src/components/account/AccountCapacityCell.vue
+++ b/frontend/src/components/account/AccountCapacityCell.vue
@@ -1,76 +1,32 @@
 <template>
-  <div class="flex flex-col gap-1.5">
+  <div class="flex flex-col gap-0.5">
     <!-- 并发槽位 -->
-    <div class="flex items-center gap-1.5">
-      <span
-        :class="[
-          'inline-flex items-center gap-1 rounded-md px-2 py-0.5 text-xs font-medium',
-          concurrencyClass
-        ]"
-      >
-        <svg class="h-3 w-3" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2">
-          <path stroke-linecap="round" stroke-linejoin="round" d="M3.75 6A2.25 2.25 0 016 3.75h2.25A2.25 2.25 0 0110.5 6v2.25a2.25 2.25 0 01-2.25 2.25H6a2.25 2.25 0 01-2.25-2.25V6zM3.75 15.75A2.25 2.25 0 016 13.5h2.25a2.25 2.25 0 012.25 2.25V18a2.25 2.25 0 01-2.25 2.25H6A2.25 2.25 0 013.75 18v-2.25zM13.5 6a2.25 2.25 0 012.25-2.25H18A2.25 2.25 0 0120.25 6v2.25A2.25 2.25 0 0118 10.5h-2.25a2.25 2.25 0 01-2.25-2.25V6zM13.5 15.75a2.25 2.25 0 012.25-2.25H18a2.25 2.25 0 012.25 2.25V18A2.25 2.25 0 0118 20.25h-2.25A2.25 2.25 0 0113.5 18v-2.25z" />
-        </svg>
-        <span class="font-mono">{{ currentConcurrency }}</span>
-        <span class="text-gray-400 dark:text-gray-500">/</span>
-        <span class="font-mono">{{ account.concurrency }}</span>
-      </span>
-    </div>
+    <CapacityBadge :color-class="concurrencyClass" :current="currentConcurrency" :max="account.concurrency">
+      <svg class="h-2.5 w-2.5" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2">
+        <path stroke-linecap="round" stroke-linejoin="round" d="M3.75 6A2.25 2.25 0 016 3.75h2.25A2.25 2.25 0 0110.5 6v2.25a2.25 2.25 0 01-2.25 2.25H6a2.25 2.25 0 01-2.25-2.25V6zM3.75 15.75A2.25 2.25 0 016 13.5h2.25a2.25 2.25 0 012.25 2.25V18a2.25 2.25 0 01-2.25 2.25H6A2.25 2.25 0 013.75 18v-2.25zM13.5 6a2.25 2.25 0 012.25-2.25H18A2.25 2.25 0 0120.25 6v2.25A2.25 2.25 0 0118 10.5h-2.25a2.25 2.25 0 01-2.25-2.25V6zM13.5 15.75a2.25 2.25 0 012.25-2.25H18a2.25 2.25 0 012.25 2.25V18A2.25 2.25 0 0118 20.25h-2.25A2.25 2.25 0 0113.5 18v-2.25z" />
+      </svg>
+    </CapacityBadge>
 
-    <!-- 5h窗口费用限制（仅 Anthropic OAuth/SetupToken 且启用时显示） -->
-    <div v-if="showWindowCost" class="flex items-center gap-1">
-      <span
-        :class="[
-          'inline-flex items-center gap-1 rounded-md px-1.5 py-0.5 text-[10px] font-medium',
-          windowCostClass
-        ]"
-        :title="windowCostTooltip"
-      >
-        <svg class="h-2.5 w-2.5" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2">
-          <path stroke-linecap="round" stroke-linejoin="round" d="M12 6v12m-3-2.818l.879.659c1.171.879 3.07.879 4.242 0 1.172-.879 1.172-2.303 0-3.182C13.536 12.219 12.768 12 12 12c-.725 0-1.45-.22-2.003-.659-1.106-.879-1.106-2.303 0-3.182s2.9-.879 4.006 0l.415.33M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
-        </svg>
-        <span class="font-mono">${{ formatCost(currentWindowCost) }}</span>
-        <span class="text-gray-400 dark:text-gray-500">/</span>
-        <span class="font-mono">${{ formatCost(account.window_cost_limit) }}</span>
-      </span>
-    </div>
+    <!-- 5h窗口费用限制 -->
+    <CapacityBadge v-if="showWindowCost" :color-class="windowCostClass" :tooltip="windowCostTooltip" :current="'$' + formatCost(currentWindowCost)" :max="'$' + formatCost(account.window_cost_limit)">
+      <svg class="h-2.5 w-2.5" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2">
+        <path stroke-linecap="round" stroke-linejoin="round" d="M12 6v12m-3-2.818l.879.659c1.171.879 3.07.879 4.242 0 1.172-.879 1.172-2.303 0-3.182C13.536 12.219 12.768 12 12 12c-.725 0-1.45-.22-2.003-.659-1.106-.879-1.106-2.303 0-3.182s2.9-.879 4.006 0l.415.33M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
+      </svg>
+    </CapacityBadge>
 
-    <!-- 会话数量限制（仅 Anthropic OAuth/SetupToken 且启用时显示） -->
-    <div v-if="showSessionLimit" class="flex items-center gap-1">
-      <span
-        :class="[
-          'inline-flex items-center gap-1 rounded-md px-1.5 py-0.5 text-[10px] font-medium',
-          sessionLimitClass
-        ]"
-        :title="sessionLimitTooltip"
-      >
-        <svg class="h-2.5 w-2.5" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2">
-          <path stroke-linecap="round" stroke-linejoin="round" d="M15 19.128a9.38 9.38 0 002.625.372 9.337 9.337 0 004.121-.952 4.125 4.125 0 00-7.533-2.493M15 19.128v-.003c0-1.113-.285-2.16-.786-3.07M15 19.128v.106A12.318 12.318 0 018.624 21c-2.331 0-4.512-.645-6.374-1.766l-.001-.109a6.375 6.375 0 0111.964-3.07M12 6.375a3.375 3.375 0 11-6.75 0 3.375 3.375 0 016.75 0zm8.25 2.25a2.625 2.625 0 11-5.25 0 2.625 2.625 0 015.25 0z" />
-        </svg>
-        <span class="font-mono">{{ activeSessions }}</span>
-        <span class="text-gray-400 dark:text-gray-500">/</span>
-        <span class="font-mono">{{ account.max_sessions }}</span>
-      </span>
-    </div>
+    <!-- 会话数量限制 -->
+    <CapacityBadge v-if="showSessionLimit" :color-class="sessionLimitClass" :tooltip="sessionLimitTooltip" :current="activeSessions" :max="account.max_sessions!">
+      <svg class="h-2.5 w-2.5" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2">
+        <path stroke-linecap="round" stroke-linejoin="round" d="M15 19.128a9.38 9.38 0 002.625.372 9.337 9.337 0 004.121-.952 4.125 4.125 0 00-7.533-2.493M15 19.128v-.003c0-1.113-.285-2.16-.786-3.07M15 19.128v.106A12.318 12.318 0 018.624 21c-2.331 0-4.512-.645-6.374-1.766l-.001-.109a6.375 6.375 0 0111.964-3.07M12 6.375a3.375 3.375 0 11-6.75 0 3.375 3.375 0 016.75 0zm8.25 2.25a2.625 2.625 0 11-5.25 0 2.625 2.625 0 015.25 0z" />
+      </svg>
+    </CapacityBadge>
 
-    <!-- RPM 限制（仅 Anthropic OAuth/SetupToken 且启用时显示） -->
-    <div v-if="showRpmLimit" class="flex items-center gap-1">
-      <span
-        :class="[
-          'inline-flex items-center gap-1 rounded-md px-1.5 py-0.5 text-[10px] font-medium',
-          rpmClass
-        ]"
-        :title="rpmTooltip"
-      >
-        <svg class="h-2.5 w-2.5" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor">
-          <path stroke-linecap="round" stroke-linejoin="round" d="M12 6v6h4.5m4.5 0a9 9 0 1 1-18 0 9 9 0 0 1 18 0Z" />
-        </svg>
-        <span class="font-mono">{{ currentRPM }}</span>
-        <span class="text-gray-400 dark:text-gray-500">/</span>
-        <span class="font-mono">{{ account.base_rpm }}</span>
-        <span class="text-[9px] opacity-60">{{ rpmStrategyTag }}</span>
-      </span>
-    </div>
+    <!-- RPM 限制 -->
+    <CapacityBadge v-if="showRpmLimit" :color-class="rpmClass" :tooltip="rpmTooltip" :current="currentRPM" :max="account.base_rpm!" :suffix="rpmStrategyTag">
+      <svg class="h-2.5 w-2.5" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor">
+        <path stroke-linecap="round" stroke-linejoin="round" d="M12 6v6h4.5m4.5 0a9 9 0 1 1-18 0 9 9 0 0 1 18 0Z" />
+      </svg>
+    </CapacityBadge>
 
     <!-- API Key 账号配额限制 -->
     <QuotaBadge v-if="showDailyQuota" :used="account.quota_daily_used ?? 0" :limit="account.quota_daily_limit!" label="D" />
@@ -83,7 +39,8 @@
 import { computed } from 'vue'
 import { useI18n } from 'vue-i18n'
 import type { Account } from '@/types'
-import QuotaBadge from './QuotaBadge.vue'
+import CapacityBadge from '@/components/account/CapacityBadge.vue'
+import QuotaBadge from '@/components/account/QuotaBadge.vue'
 
 const props = defineProps<{
   account: Account
@@ -91,225 +48,143 @@ const props = defineProps<{
 
 const { t } = useI18n()
 
-// 当前并发数
+// ====== 并发 ======
 const currentConcurrency = computed(() => props.account.current_concurrency || 0)
 
-// 是否为 Anthropic OAuth/SetupToken 账号
-const isAnthropicOAuthOrSetupToken = computed(() => {
-  return (
-    props.account.platform === 'anthropic' &&
-    (props.account.type === 'oauth' || props.account.type === 'setup-token')
-  )
-})
-
-// 是否显示窗口费用限制
-const showWindowCost = computed(() => {
-  return (
-    isAnthropicOAuthOrSetupToken.value &&
-    props.account.window_cost_limit !== undefined &&
-    props.account.window_cost_limit !== null &&
-    props.account.window_cost_limit > 0
-  )
-})
-
-// 当前窗口费用
-const currentWindowCost = computed(() => props.account.current_window_cost ?? 0)
-
-// 是否显示会话限制
-const showSessionLimit = computed(() => {
-  return (
-    isAnthropicOAuthOrSetupToken.value &&
-    props.account.max_sessions !== undefined &&
-    props.account.max_sessions !== null &&
-    props.account.max_sessions > 0
-  )
-})
-
-// 当前活跃会话数
-const activeSessions = computed(() => props.account.active_sessions ?? 0)
-
-// 并发状态样式
 const concurrencyClass = computed(() => {
   const current = currentConcurrency.value
   const max = props.account.concurrency
-
-  if (current >= max) {
-    return 'bg-red-100 text-red-700 dark:bg-red-900/30 dark:text-red-400'
-  }
-  if (current > 0) {
-    return 'bg-yellow-100 text-yellow-700 dark:bg-yellow-900/30 dark:text-yellow-400'
-  }
+  if (current >= max) return 'bg-red-100 text-red-700 dark:bg-red-900/30 dark:text-red-400'
+  if (current > 0) return 'bg-yellow-100 text-yellow-700 dark:bg-yellow-900/30 dark:text-yellow-400'
   return 'bg-gray-100 text-gray-600 dark:bg-gray-800 dark:text-gray-400'
 })
 
-// 窗口费用状态样式
+// ====== 窗口费用 ======
+const isAnthropicOAuthOrSetupToken = computed(() =>
+  props.account.platform === 'anthropic' &&
+  (props.account.type === 'oauth' || props.account.type === 'setup-token')
+)
+
+const showWindowCost = computed(() =>
+  isAnthropicOAuthOrSetupToken.value &&
+  props.account.window_cost_limit != null &&
+  props.account.window_cost_limit > 0
+)
+
+const currentWindowCost = computed(() => props.account.current_window_cost ?? 0)
+
 const windowCostClass = computed(() => {
   if (!showWindowCost.value) return ''
-
   const current = currentWindowCost.value
   const limit = props.account.window_cost_limit || 0
   const reserve = props.account.window_cost_sticky_reserve || 10
-
-  if (current >= limit + reserve) {
-    return 'bg-red-100 text-red-700 dark:bg-red-900/30 dark:text-red-400'
-  }
-  if (current >= limit) {
-    return 'bg-orange-100 text-orange-700 dark:bg-orange-900/30 dark:text-orange-400'
-  }
-  if (current >= limit * 0.8) {
-    return 'bg-yellow-100 text-yellow-700 dark:bg-yellow-900/30 dark:text-yellow-400'
-  }
+  if (current >= limit + reserve) return 'bg-red-100 text-red-700 dark:bg-red-900/30 dark:text-red-400'
+  if (current >= limit) return 'bg-orange-100 text-orange-700 dark:bg-orange-900/30 dark:text-orange-400'
+  if (current >= limit * 0.8) return 'bg-yellow-100 text-yellow-700 dark:bg-yellow-900/30 dark:text-yellow-400'
   return 'bg-emerald-100 text-emerald-700 dark:bg-emerald-900/30 dark:text-emerald-400'
 })
 
-// 窗口费用提示文字
 const windowCostTooltip = computed(() => {
   if (!showWindowCost.value) return ''
-
   const current = currentWindowCost.value
   const limit = props.account.window_cost_limit || 0
   const reserve = props.account.window_cost_sticky_reserve || 10
-
-  if (current >= limit + reserve) {
-    return t('admin.accounts.capacity.windowCost.blocked')
-  }
-  if (current >= limit) {
-    return t('admin.accounts.capacity.windowCost.stickyOnly')
-  }
+  if (current >= limit + reserve) return t('admin.accounts.capacity.windowCost.blocked')
+  if (current >= limit) return t('admin.accounts.capacity.windowCost.stickyOnly')
   return t('admin.accounts.capacity.windowCost.normal')
 })
 
-// 会话限制状态样式
+// ====== 会话限制 ======
+const showSessionLimit = computed(() =>
+  isAnthropicOAuthOrSetupToken.value &&
+  props.account.max_sessions != null &&
+  props.account.max_sessions > 0
+)
+
+const activeSessions = computed(() => props.account.active_sessions ?? 0)
+
 const sessionLimitClass = computed(() => {
   if (!showSessionLimit.value) return ''
-
   const current = activeSessions.value
   const max = props.account.max_sessions || 0
-
-  if (current >= max) {
-    return 'bg-red-100 text-red-700 dark:bg-red-900/30 dark:text-red-400'
-  }
-  if (current >= max * 0.8) {
-    return 'bg-yellow-100 text-yellow-700 dark:bg-yellow-900/30 dark:text-yellow-400'
-  }
+  if (current >= max) return 'bg-red-100 text-red-700 dark:bg-red-900/30 dark:text-red-400'
+  if (current >= max * 0.8) return 'bg-yellow-100 text-yellow-700 dark:bg-yellow-900/30 dark:text-yellow-400'
   return 'bg-emerald-100 text-emerald-700 dark:bg-emerald-900/30 dark:text-emerald-400'
 })
 
-// 会话限制提示文字
 const sessionLimitTooltip = computed(() => {
   if (!showSessionLimit.value) return ''
-
   const current = activeSessions.value
   const max = props.account.max_sessions || 0
   const idle = props.account.session_idle_timeout_minutes || 5
-
-  if (current >= max) {
-    return t('admin.accounts.capacity.sessions.full', { idle })
-  }
+  if (current >= max) return t('admin.accounts.capacity.sessions.full', { idle })
   return t('admin.accounts.capacity.sessions.normal', { idle })
 })
 
-// 是否显示 RPM 限制
-const showRpmLimit = computed(() => {
-  return (
-    isAnthropicOAuthOrSetupToken.value &&
-    props.account.base_rpm !== undefined &&
-    props.account.base_rpm !== null &&
-    props.account.base_rpm > 0
-  )
-})
+// ====== RPM ======
+const showRpmLimit = computed(() =>
+  isAnthropicOAuthOrSetupToken.value &&
+  props.account.base_rpm != null &&
+  props.account.base_rpm > 0
+)
 
-// 当前 RPM 计数
 const currentRPM = computed(() => props.account.current_rpm ?? 0)
-
-// RPM 策略
 const rpmStrategy = computed(() => props.account.rpm_strategy || 'tiered')
+const rpmStrategyTag = computed(() => rpmStrategy.value === 'sticky_exempt' ? '[S]' : '[T]')
 
-// RPM 策略标签
-const rpmStrategyTag = computed(() => {
-  return rpmStrategy.value === 'sticky_exempt' ? '[S]' : '[T]'
-})
-
-// RPM buffer 计算（与后端一致：base <= 0 时 buffer 为 0）
 const rpmBuffer = computed(() => {
   const base = props.account.base_rpm || 0
   return props.account.rpm_sticky_buffer ?? (base > 0 ? Math.max(1, Math.floor(base / 5)) : 0)
 })
 
-// RPM 状态样式
 const rpmClass = computed(() => {
   if (!showRpmLimit.value) return ''
-
   const current = currentRPM.value
   const base = props.account.base_rpm ?? 0
   const buffer = rpmBuffer.value
-
   if (rpmStrategy.value === 'tiered') {
-    if (current >= base + buffer) {
-      return 'bg-red-100 text-red-700 dark:bg-red-900/30 dark:text-red-400'
-    }
-    if (current >= base) {
-      return 'bg-orange-100 text-orange-700 dark:bg-orange-900/30 dark:text-orange-400'
-    }
+    if (current >= base + buffer) return 'bg-red-100 text-red-700 dark:bg-red-900/30 dark:text-red-400'
+    if (current >= base) return 'bg-orange-100 text-orange-700 dark:bg-orange-900/30 dark:text-orange-400'
   } else {
-    if (current >= base) {
-      return 'bg-orange-100 text-orange-700 dark:bg-orange-900/30 dark:text-orange-400'
-    }
-  }
-  if (current >= base * 0.8) {
-    return 'bg-yellow-100 text-yellow-700 dark:bg-yellow-900/30 dark:text-yellow-400'
+    if (current >= base) return 'bg-orange-100 text-orange-700 dark:bg-orange-900/30 dark:text-orange-400'
   }
+  if (current >= base * 0.8) return 'bg-yellow-100 text-yellow-700 dark:bg-yellow-900/30 dark:text-yellow-400'
   return 'bg-emerald-100 text-emerald-700 dark:bg-emerald-900/30 dark:text-emerald-400'
 })
 
-// RPM 提示文字（增强版：显示策略、区域、缓冲区）
 const rpmTooltip = computed(() => {
   if (!showRpmLimit.value) return ''
-
   const current = currentRPM.value
   const base = props.account.base_rpm ?? 0
   const buffer = rpmBuffer.value
-
   if (rpmStrategy.value === 'tiered') {
-    if (current >= base + buffer) {
-      return t('admin.accounts.capacity.rpm.tieredBlocked', { buffer })
-    }
-    if (current >= base) {
-      return t('admin.accounts.capacity.rpm.tieredStickyOnly', { buffer })
-    }
-    if (current >= base * 0.8) {
-      return t('admin.accounts.capacity.rpm.tieredWarning')
-    }
+    if (current >= base + buffer) return t('admin.accounts.capacity.rpm.tieredBlocked', { buffer })
+    if (current >= base) return t('admin.accounts.capacity.rpm.tieredStickyOnly', { buffer })
+    if (current >= base * 0.8) return t('admin.accounts.capacity.rpm.tieredWarning')
     return t('admin.accounts.capacity.rpm.tieredNormal')
   } else {
-    if (current >= base) {
-      return t('admin.accounts.capacity.rpm.stickyExemptOver')
-    }
-    if (current >= base * 0.8) {
-      return t('admin.accounts.capacity.rpm.stickyExemptWarning')
-    }
+    if (current >= base) return t('admin.accounts.capacity.rpm.stickyExemptOver')
+    if (current >= base * 0.8) return t('admin.accounts.capacity.rpm.stickyExemptWarning')
     return t('admin.accounts.capacity.rpm.stickyExemptNormal')
   }
 })
 
-// 是否显示各维度配额（apikey / bedrock 类型）
-const isQuotaEligible = computed(() => props.account.type === 'apikey' || props.account.type === 'bedrock')
-
-const showDailyQuota = computed(() => {
-  return isQuotaEligible.value && (props.account.quota_daily_limit ?? 0) > 0
-})
-
-const showWeeklyQuota = computed(() => {
-  return isQuotaEligible.value && (props.account.quota_weekly_limit ?? 0) > 0
-})
-
-const showTotalQuota = computed(() => {
-  return isQuotaEligible.value && (props.account.quota_limit ?? 0) > 0
-})
-
 // 格式化费用显示
 const formatCost = (value: number | null | undefined) => {
   if (value === null || value === undefined) return '0'
   return value.toFixed(2)
 }
+
+// ====== 配额 ======
+const isQuotaEligible = computed(() => props.account.type === 'apikey' || props.account.type === 'bedrock')
+
+const showDailyQuota = computed(() =>
+  isQuotaEligible.value && props.account.quota_daily_limit != null && props.account.quota_daily_limit > 0
+)
+const showWeeklyQuota = computed(() =>
+  isQuotaEligible.value && props.account.quota_weekly_limit != null && props.account.quota_weekly_limit > 0
+)
+const showTotalQuota = computed(() =>
+  isQuotaEligible.value && props.account.quota_limit != null && props.account.quota_limit > 0
+)
 </script>
diff --git a/frontend/src/components/account/CapacityBadge.vue b/frontend/src/components/account/CapacityBadge.vue
new file mode 100644
index 00000000..0abbafdd
--- /dev/null
+++ b/frontend/src/components/account/CapacityBadge.vue
@@ -0,0 +1,25 @@
+<script setup lang="ts">
+defineProps<{
+  colorClass: string
+  tooltip?: string
+  current: string | number
+  max: string | number
+  suffix?: string
+}>()
+</script>
+
+<template>
+  <span
+    :class="[
+      'inline-flex items-center gap-1 rounded-md px-1.5 py-px text-[10px] font-medium leading-tight',
+      colorClass
+    ]"
+    :title="tooltip"
+  >
+    <slot />
+    <span class="font-mono">{{ current }}</span>
+    <span class="text-gray-400 dark:text-gray-500">/</span>
+    <span class="font-mono">{{ max }}</span>
+    <span v-if="suffix" class="text-[9px] opacity-60">{{ suffix }}</span>
+  </span>
+</template>

From 5240b444528c578d9548145f166e498227c5ef23 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Tue, 14 Apr 2026 19:45:53 +0800
Subject: [PATCH 097/122] refactor(payment): inline payment flow, mobile
 support, renewal modal
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Replace dialog-based payment with inline state flow (select → paying/stripe).
- PaymentStatusPanel replaces QR dialog for scan-to-pay
- StripePaymentInline replaces Stripe popup
- Subscription confirm as inline card instead of modal
- Payment button color follows payment method
- Renewal modal with URL parameter navigation (?tab=subscription&group=123)
- Mobile auto-redirect for H5 payment
- AmountInput uses global min/max instead of per-method
- Tab auto-hides during payment
- Restore CNY (¥) currency for upstream compatibility
---
 frontend/src/views/user/PaymentView.vue | 555 +++++++++++++++++-------
 1 file changed, 403 insertions(+), 152 deletions(-)

diff --git a/frontend/src/views/user/PaymentView.vue b/frontend/src/views/user/PaymentView.vue
index db588420..acb0a824 100644
--- a/frontend/src/views/user/PaymentView.vue
+++ b/frontend/src/views/user/PaymentView.vue
@@ -5,82 +5,217 @@
         <div class="h-8 w-8 animate-spin rounded-full border-4 border-primary-500 border-t-transparent"></div>
       </div>
       <template v-else>
-        <!-- Balance Card -->
-        <div class="card overflow-hidden">
-          <div class="bg-gradient-to-br from-primary-500 to-primary-600 px-6 py-6 text-center">
-            <p class="text-sm font-medium text-primary-100">{{ t('payment.currentBalance') }}</p>
-            <p class="mt-1 text-3xl font-bold text-white">${{ user?.balance?.toFixed(2) || '0.00' }}</p>
-          </div>
-        </div>
-        <!-- Tab Switcher -->
-        <div v-if="tabs.length > 1" class="flex space-x-1 rounded-xl bg-gray-100 p-1 dark:bg-dark-800">
+        <!-- Tab Switcher (hide during payment and subscription confirm) -->
+        <div v-if="tabs.length > 1 && paymentPhase === 'select' && !selectedPlan" class="flex space-x-1 rounded-xl bg-gray-100 p-1 dark:bg-dark-800">
           <button v-for="tab in tabs" :key="tab.key"
             class="flex-1 rounded-lg px-4 py-2.5 text-sm font-medium transition-all"
             :class="activeTab === tab.key ? 'bg-white text-gray-900 shadow dark:bg-dark-700 dark:text-white' : 'text-gray-500 hover:text-gray-700 dark:text-gray-400 dark:hover:text-gray-300'"
             @click="activeTab = tab.key">{{ tab.label }}</button>
         </div>
-        <!-- Top-up Tab -->
-        <template v-if="activeTab === 'recharge'">
-          <!-- No payment methods available -->
-          <div v-if="enabledMethods.length === 0" class="card py-16 text-center">
-            <p class="text-gray-500 dark:text-gray-400">{{ t('payment.notAvailable') }}</p>
-          </div>
-          <template v-else>
-          <div class="card p-6">
-            <AmountInput
-              v-model="amount"
-              :amounts="[10, 20, 50, 100, 200, 500, 1000, 2000, 5000]"
-              :min="activeMinAmount"
-              :max="activeMaxAmount"
-            />
-            <p v-if="amountError" class="mt-2 text-xs text-amber-600 dark:text-amber-300">{{ amountError }}</p>
-          </div>
-          <div v-if="enabledMethods.length >= 1" class="card p-6">
-            <PaymentMethodSelector
-              :methods="methodOptions"
-              :selected="selectedMethod"
-              @select="selectedMethod = $event"
-            />
-          </div>
-          <div v-if="feeRate > 0 && validAmount > 0" class="card p-6">
-            <div class="space-y-2 text-sm">
-              <div class="flex justify-between">
-                <span class="text-gray-500 dark:text-gray-400">{{ t('payment.amountLabel') }}</span>
-                <span class="text-gray-900 dark:text-white">¥{{ validAmount.toFixed(2) }}</span>
-              </div>
-              <div class="flex justify-between">
-                <span class="text-gray-500 dark:text-gray-400">{{ t('payment.fee') }} ({{ feeRate }}%)</span>
-                <span class="text-gray-900 dark:text-white">¥{{ feeAmount.toFixed(2) }}</span>
-              </div>
-              <div class="flex justify-between border-t border-gray-200 pt-2 dark:border-dark-600">
-                <span class="font-medium text-gray-700 dark:text-gray-300">{{ t('payment.actualPay') }}</span>
-                <span class="text-lg font-bold text-primary-600 dark:text-primary-400">¥{{ totalAmount.toFixed(2) }}</span>
+        <!-- Payment in progress (shared by recharge and subscription) -->
+        <template v-if="paymentPhase === 'paying'">
+          <PaymentStatusPanel
+            :order-id="paymentState.orderId"
+            :qr-code="paymentState.qrCode"
+            :expires-at="paymentState.expiresAt"
+            :payment-type="paymentState.paymentType"
+            :pay-url="paymentState.payUrl"
+            :order-type="paymentState.orderType"
+            @done="onPaymentDone"
+            @success="onPaymentSuccess"
+          />
+        </template>
+        <template v-else-if="paymentPhase === 'stripe'">
+          <StripePaymentInline
+            :order-id="paymentState.orderId"
+            :client-secret="paymentState.clientSecret"
+            :publishable-key="checkout.stripe_publishable_key"
+            :pay-amount="paymentState.payAmount"
+            @success="onPaymentSuccess"
+            @done="onStripeDone"
+            @back="resetPayment"
+            @redirect="onStripeRedirect"
+          />
+        </template>
+        <!-- Tab content (select phase) -->
+        <template v-else>
+          <!-- Top-up Tab -->
+          <template v-if="activeTab === 'recharge'">
+            <!-- Recharge Account Card -->
+            <div class="card p-5">
+              <p class="text-xs font-medium text-gray-400 dark:text-gray-500">{{ t('payment.rechargeAccount') }}</p>
+              <p class="mt-1 text-base font-semibold text-gray-900 dark:text-white">{{ user?.username || '' }}</p>
+              <p class="mt-0.5 text-sm font-medium text-green-600 dark:text-green-400">{{ t('payment.currentBalance') }}: {{ user?.balance?.toFixed(2) || '0.00' }}</p>
+            </div>
+            <div v-if="enabledMethods.length === 0" class="card py-16 text-center">
+              <p class="text-gray-500 dark:text-gray-400">{{ t('payment.notAvailable') }}</p>
+            </div>
+            <template v-else>
+            <div class="card p-6">
+              <AmountInput
+                v-model="amount"
+                :amounts="[10, 20, 50, 100, 200, 500, 1000, 2000, 5000]"
+                :min="globalMinAmount"
+                :max="globalMaxAmount"
+              />
+              <p v-if="amountError" class="mt-2 text-xs text-amber-600 dark:text-amber-300">{{ amountError }}</p>
+            </div>
+            <div v-if="enabledMethods.length >= 1" class="card p-6">
+              <PaymentMethodSelector
+                :methods="methodOptions"
+                :selected="selectedMethod"
+                @select="selectedMethod = $event"
+              />
+            </div>
+            <div v-if="feeRate > 0 && validAmount > 0" class="card p-6">
+              <div class="space-y-2 text-sm">
+                <div class="flex justify-between">
+                  <span class="text-gray-500 dark:text-gray-400">{{ t('payment.amountLabel') }}</span>
+                  <span class="text-gray-900 dark:text-white">¥{{ validAmount.toFixed(2) }}</span>
+                </div>
+                <div class="flex justify-between">
+                  <span class="text-gray-500 dark:text-gray-400">{{ t('payment.fee') }} ({{ feeRate }}%)</span>
+                  <span class="text-gray-900 dark:text-white">¥{{ feeAmount.toFixed(2) }}</span>
+                </div>
+                <div class="flex justify-between border-t border-gray-200 pt-2 dark:border-dark-600">
+                  <span class="font-medium text-gray-700 dark:text-gray-300">{{ t('payment.actualPay') }}</span>
+                  <span class="text-lg font-bold text-primary-600 dark:text-primary-400">¥{{ totalAmount.toFixed(2) }}</span>
+                </div>
               </div>
             </div>
-          </div>
-          <button class="btn btn-primary w-full py-3 text-base font-medium" :disabled="!canSubmit || submitting" @click="handleSubmitRecharge">
-            <span v-if="submitting" class="flex items-center justify-center gap-2">
-              <span class="h-4 w-4 animate-spin rounded-full border-2 border-white border-t-transparent"></span>
-              {{ t('common.processing') }}
-            </span>
-            <span v-else>{{ t('payment.createOrder') }} ¥{{ (feeRate > 0 && validAmount > 0 ? totalAmount : validAmount).toFixed(2) }}</span>
-          </button>
-          <div v-if="errorMessage" class="rounded-xl border border-red-200 bg-red-50 p-4 dark:border-red-800/50 dark:bg-red-900/20">
-            <p class="text-sm text-red-700 dark:text-red-400">{{ errorMessage }}</p>
-          </div>
+            <button :class="['btn w-full py-3 text-base font-medium', paymentButtonClass]" :disabled="!canSubmit || submitting" @click="handleSubmitRecharge">
+              <span v-if="submitting" class="flex items-center justify-center gap-2">
+                <span class="h-4 w-4 animate-spin rounded-full border-2 border-white border-t-transparent"></span>
+                {{ t('common.processing') }}
+              </span>
+              <span v-else>{{ t('payment.createOrder') }} ¥{{ (feeRate > 0 && validAmount > 0 ? totalAmount : validAmount).toFixed(2) }}</span>
+            </button>
+            <div v-if="errorMessage" class="rounded-xl border border-red-200 bg-red-50 p-4 dark:border-red-800/50 dark:bg-red-900/20">
+              <p class="text-sm text-red-700 dark:text-red-400">{{ errorMessage }}</p>
+            </div>
+            </template>
+          </template>
+          <!-- Subscribe Tab -->
+          <template v-else-if="activeTab === 'subscription'">
+            <!-- Subscription confirm (inline, replaces plan list) -->
+            <template v-if="selectedPlan">
+              <div class="card p-5">
+                <!-- Header: platform badge + plan name -->
+                <div class="mb-3 flex flex-wrap items-center gap-2">
+                  <span :class="['rounded-md border px-2 py-0.5 text-xs font-medium', planBadgeClass]">
+                    {{ platformLabel(selectedPlan.group_platform || '') }}
+                  </span>
+                  <h3 class="text-lg font-bold text-gray-900 dark:text-white">{{ selectedPlan.name }}</h3>
+                </div>
+                <!-- Price -->
+                <div class="flex items-baseline gap-2">
+                  <span v-if="selectedPlan.original_price" class="text-sm text-gray-400 line-through dark:text-gray-500">
+                    ¥{{ selectedPlan.original_price }}
+                  </span>
+                  <span :class="['text-3xl font-bold', planTextClass]">¥{{ selectedPlan.price }}</span>
+                  <span class="text-sm text-gray-500 dark:text-gray-400">/ {{ planValiditySuffix }}</span>
+                </div>
+                <!-- Description -->
+                <p v-if="selectedPlan.description" class="mt-2 text-sm leading-relaxed text-gray-500 dark:text-gray-400">
+                  {{ selectedPlan.description }}
+                </p>
+                <!-- Rate + Limits grid -->
+                <div class="mt-3 grid grid-cols-2 gap-3">
+                  <div>
+                    <span class="text-xs text-gray-400 dark:text-gray-500">{{ t('payment.planCard.rate') }}</span>
+                    <div class="flex items-baseline">
+                      <span :class="['text-lg font-bold', planTextClass]">×{{ selectedPlan.rate_multiplier ?? 1 }}</span>
+                    </div>
+                  </div>
+                  <div v-if="selectedPlan.daily_limit_usd != null">
+                    <span class="text-xs text-gray-400 dark:text-gray-500">{{ t('payment.planCard.dailyLimit') }}</span>
+                    <div class="text-lg font-semibold text-gray-800 dark:text-gray-200">${{ selectedPlan.daily_limit_usd }}</div>
+                  </div>
+                  <div v-if="selectedPlan.weekly_limit_usd != null">
+                    <span class="text-xs text-gray-400 dark:text-gray-500">{{ t('payment.planCard.weeklyLimit') }}</span>
+                    <div class="text-lg font-semibold text-gray-800 dark:text-gray-200">${{ selectedPlan.weekly_limit_usd }}</div>
+                  </div>
+                  <div v-if="selectedPlan.monthly_limit_usd != null">
+                    <span class="text-xs text-gray-400 dark:text-gray-500">{{ t('payment.planCard.monthlyLimit') }}</span>
+                    <div class="text-lg font-semibold text-gray-800 dark:text-gray-200">${{ selectedPlan.monthly_limit_usd }}</div>
+                  </div>
+                  <div v-if="selectedPlan.daily_limit_usd == null && selectedPlan.weekly_limit_usd == null && selectedPlan.monthly_limit_usd == null">
+                    <span class="text-xs text-gray-400 dark:text-gray-500">{{ t('payment.planCard.quota') }}</span>
+                    <div class="text-lg font-semibold text-gray-800 dark:text-gray-200">{{ t('payment.planCard.unlimited') }}</div>
+                  </div>
+                </div>
+              </div>
+              <div v-if="enabledMethods.length >= 1" class="card p-6">
+                <PaymentMethodSelector
+                  :methods="subMethodOptions"
+                  :selected="selectedMethod"
+                  @select="selectedMethod = $event"
+                />
+              </div>
+              <div v-if="feeRate > 0 && selectedPlan.price > 0" class="card p-6">
+                <div class="space-y-2 text-sm">
+                  <div class="flex justify-between">
+                    <span class="text-gray-500 dark:text-gray-400">{{ t('payment.amountLabel') }}</span>
+                    <span class="text-gray-900 dark:text-white">¥{{ selectedPlan.price.toFixed(2) }}</span>
+                  </div>
+                  <div class="flex justify-between">
+                    <span class="text-gray-500 dark:text-gray-400">{{ t('payment.fee') }} ({{ feeRate }}%)</span>
+                    <span class="text-gray-900 dark:text-white">¥{{ subFeeAmount.toFixed(2) }}</span>
+                  </div>
+                  <div class="flex justify-between border-t border-gray-200 pt-2 dark:border-dark-600">
+                    <span class="font-medium text-gray-700 dark:text-gray-300">{{ t('payment.actualPay') }}</span>
+                    <span class="text-lg font-bold text-primary-600 dark:text-primary-400">¥{{ subTotalAmount.toFixed(2) }}</span>
+                  </div>
+                </div>
+              </div>
+              <button :class="['btn w-full py-3 text-base font-medium', paymentButtonClass]" :disabled="!canSubmitSubscription || submitting" @click="confirmSubscribe">
+                <span v-if="submitting" class="flex items-center justify-center gap-2">
+                  <span class="h-4 w-4 animate-spin rounded-full border-2 border-white border-t-transparent"></span>
+                  {{ t('common.processing') }}
+                </span>
+                <span v-else>{{ t('payment.createOrder') }} ¥{{ (feeRate > 0 ? subTotalAmount : selectedPlan.price).toFixed(2) }}</span>
+              </button>
+              <button class="btn btn-secondary w-full" @click="selectedPlan = null">{{ t('common.cancel') }}</button>
+              <div v-if="errorMessage" class="rounded-xl border border-red-200 bg-red-50 p-4 dark:border-red-800/50 dark:bg-red-900/20">
+                <p class="text-sm text-red-700 dark:text-red-400">{{ errorMessage }}</p>
+              </div>
+            </template>
+            <!-- Plan list -->
+            <template v-else>
+              <div v-if="checkout.plans.length === 0" class="card py-16 text-center">
+                <Icon name="gift" size="xl" class="mx-auto mb-3 text-gray-300 dark:text-dark-600" />
+                <p class="text-gray-500 dark:text-gray-400">{{ t('payment.noPlans') }}</p>
+              </div>
+              <div v-else :class="planGridClass">
+                <SubscriptionPlanCard v-for="plan in checkout.plans" :key="plan.id" :plan="plan" :active-subscriptions="activeSubscriptions" @select="selectPlan" />
+              </div>
+              <!-- Active subscriptions (compact, below plan list) -->
+              <div v-if="activeSubscriptions.length > 0">
+                <p class="mb-2 text-xs font-medium text-gray-400 dark:text-gray-500">{{ t('payment.activeSubscription') }}</p>
+                <div class="space-y-2">
+                  <div v-for="sub in activeSubscriptions" :key="sub.id"
+                    class="flex items-center gap-3 rounded-xl border border-gray-100 bg-white px-3 py-2 dark:border-dark-700 dark:bg-dark-800">
+                    <div :class="['h-6 w-1 shrink-0 rounded-full', platformAccentBarClass(sub.group?.platform || '')]" />
+                    <div class="min-w-0 flex-1">
+                      <div class="flex items-center gap-1.5">
+                        <span class="truncate text-xs font-semibold text-gray-900 dark:text-white">{{ sub.group?.name || `Group #${sub.group_id}` }}</span>
+                        <span :class="['shrink-0 rounded-full px-1.5 py-0.5 text-[9px] font-medium', platformBadgeLightClass(sub.group?.platform || '')]">{{ platformLabel(sub.group?.platform || '') }}</span>
+                      </div>
+                      <div class="flex flex-wrap gap-x-3 text-[11px] text-gray-400 dark:text-gray-500">
+                        <span>{{ t('payment.planCard.rate') }}: ×{{ sub.group?.rate_multiplier ?? 1 }}</span>
+                        <span v-if="sub.group?.daily_limit_usd == null && sub.group?.weekly_limit_usd == null && sub.group?.monthly_limit_usd == null">{{ t('payment.planCard.quota') }}: {{ t('payment.planCard.unlimited') }}</span>
+                        <span v-if="sub.expires_at">{{ t('userSubscriptions.daysRemaining', { days: getDaysRemaining(sub.expires_at) }) }}</span>
+                        <span v-else>{{ t('userSubscriptions.noExpiration') }}</span>
+                      </div>
+                    </div>
+                    <span class="badge badge-success shrink-0 text-[10px]">{{ t('userSubscriptions.status.active') }}</span>
+                  </div>
+                </div>
+              </div>
+            </template>
           </template>
         </template>
-        <!-- Subscribe Tab -->
-        <template v-else-if="activeTab === 'subscription'">
-          <div v-if="checkout.plans.length === 0" class="card py-16 text-center">
-            <Icon name="gift" size="xl" class="mx-auto mb-3 text-gray-300 dark:text-dark-600" />
-            <p class="text-gray-500 dark:text-gray-400">{{ t('payment.noPlans') }}</p>
-          </div>
-          <div v-else :class="planGridClass">
-            <SubscriptionPlanCard v-for="plan in checkout.plans" :key="plan.id" :plan="plan" @select="openSubscribeDialog" />
-          </div>
-        </template>
-        <div v-if="checkout.help_text || checkout.help_image_url" class="card p-4">
+        <div v-if="(checkout.help_text || checkout.help_image_url) && paymentPhase === 'select' && !selectedPlan" class="card p-4">
           <div class="flex flex-col items-center gap-3">
             <img v-if="checkout.help_image_url" :src="checkout.help_image_url" alt=""
               class="h-40 max-w-full cursor-pointer rounded-lg object-contain transition-opacity hover:opacity-80"
@@ -90,44 +225,23 @@
         </div>
       </template>
     </div>
-    <!-- Subscription Confirm Dialog -->
-    <BaseDialog :show="!!selectedPlan" :title="t('payment.confirmSubscription')" @close="selectedPlan = null">
-      <div v-if="selectedPlan" class="space-y-4">
-        <div class="rounded-xl border border-gray-100 bg-gray-50 p-5 dark:border-dark-700 dark:bg-dark-800">
-          <p class="font-semibold text-gray-900 dark:text-white">{{ selectedPlan.name }}</p>
-          <div class="mt-2 flex items-baseline gap-1.5">
-            <span class="text-3xl font-extrabold text-primary-600 dark:text-primary-400">&yen;{{ selectedPlan.price }}</span>
-            <span v-if="selectedPlan.original_price" class="text-sm text-gray-400 line-through">&yen;{{ selectedPlan.original_price }}</span>
+    <!-- Renewal Plan Selection Modal -->
+    <Teleport to="body">
+      <Transition name="modal">
+        <div v-if="showRenewalModal" class="fixed inset-0 z-50 flex items-center justify-center bg-black/60 backdrop-blur-sm p-4" @click.self="closeRenewalModal">
+          <div class="relative w-full max-w-lg rounded-2xl border border-gray-200 bg-white p-6 shadow-2xl dark:border-dark-700 dark:bg-dark-900">
+            <!-- Close button -->
+            <button class="absolute right-4 top-4 rounded-lg p-1 text-gray-400 transition-colors hover:bg-gray-100 hover:text-gray-600 dark:hover:bg-dark-700 dark:hover:text-gray-200" @click="closeRenewalModal">
+              <svg class="h-5 w-5" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path stroke-linecap="round" stroke-linejoin="round" d="M6 18L18 6M6 6l12 12" /></svg>
+            </button>
+            <h3 class="mb-4 text-lg font-semibold text-gray-900 dark:text-white">{{ t('payment.selectPlan') }}</h3>
+            <div class="space-y-4">
+              <SubscriptionPlanCard v-for="plan in renewalPlans" :key="plan.id" :plan="plan" :active-subscriptions="activeSubscriptions" @select="selectPlanFromModal" />
+            </div>
           </div>
-          <p v-if="selectedPlan.description" class="mt-2 text-sm text-gray-500 dark:text-dark-400">{{ selectedPlan.description }}</p>
         </div>
-        <PaymentMethodSelector
-          v-if="enabledMethods.length > 1"
-          :methods="methodOptions"
-          :selected="selectedMethod"
-          @select="selectedMethod = $event"
-        />
-      </div>
-      <template #footer>
-        <div class="flex justify-end gap-3">
-          <button class="btn btn-secondary" @click="selectedPlan = null">{{ t('common.cancel') }}</button>
-          <button class="btn btn-primary" :disabled="submitting" @click="confirmSubscribe">
-            {{ submitting ? t('common.processing') : t('payment.createOrder') }}
-          </button>
-        </div>
-      </template>
-    </BaseDialog>
-    <!-- Inline QR Payment Dialog -->
-    <PaymentQRDialog
-      :show="qrDialog.show"
-      :order-id="qrDialog.orderId"
-      :qr-code="qrDialog.qrCode"
-      :expires-at="qrDialog.expiresAt"
-      :payment-type="qrDialog.paymentType"
-      :pay-url="qrDialog.payUrl"
-      @close="qrDialog.show = false"
-      @success="authStore.refreshUser()"
-    />
+      </Transition>
+    </Teleport>
     <!-- Image Preview Overlay -->
     <Teleport to="body">
       <Transition name="modal">
@@ -142,30 +256,40 @@
 <script setup lang="ts">
 import { ref, computed, onMounted, watch } from 'vue'
 import { useI18n } from 'vue-i18n'
-import { useRouter } from 'vue-router'
+import { useRoute } from 'vue-router'
 import { useAuthStore } from '@/stores/auth'
 import { usePaymentStore } from '@/stores/payment'
+import { useSubscriptionStore } from '@/stores/subscriptions'
 import { useAppStore } from '@/stores'
 import { paymentAPI } from '@/api/payment'
 import { extractApiErrorMessage } from '@/utils/apiError'
+import { isMobileDevice } from '@/utils/device'
 import type { SubscriptionPlan, CheckoutInfoResponse } from '@/types/payment'
 import AppLayout from '@/components/layout/AppLayout.vue'
-import BaseDialog from '@/components/common/BaseDialog.vue'
 import AmountInput from '@/components/payment/AmountInput.vue'
 import PaymentMethodSelector from '@/components/payment/PaymentMethodSelector.vue'
 import { METHOD_ORDER, POPUP_WINDOW_FEATURES } from '@/components/payment/providerConfig'
+import { platformAccentBarClass, platformBadgeLightClass, platformBadgeClass, platformTextClass, platformLabel } from '@/utils/platformColors'
 import SubscriptionPlanCard from '@/components/payment/SubscriptionPlanCard.vue'
-import PaymentQRDialog from '@/components/payment/PaymentQRDialog.vue'
+import PaymentStatusPanel from '@/components/payment/PaymentStatusPanel.vue'
+import StripePaymentInline from '@/components/payment/StripePaymentInline.vue'
 import Icon from '@/components/icons/Icon.vue'
 import type { PaymentMethodOption } from '@/components/payment/PaymentMethodSelector.vue'
 
 const { t } = useI18n()
-const router = useRouter()
+const route = useRoute()
 const authStore = useAuthStore()
 const paymentStore = usePaymentStore()
+const subscriptionStore = useSubscriptionStore()
 const appStore = useAppStore()
 
 const user = computed(() => authStore.user)
+const activeSubscriptions = computed(() => subscriptionStore.activeSubscriptions)
+
+function getDaysRemaining(expiresAt: string): number {
+  const diff = new Date(expiresAt).getTime() - Date.now()
+  return Math.max(0, Math.ceil(diff / (1000 * 60 * 60 * 24)))
+}
 
 const loading = ref(true)
 const submitting = ref(false)
@@ -176,8 +300,44 @@ const selectedMethod = ref('')
 const selectedPlan = ref<SubscriptionPlan | null>(null)
 const previewImage = ref('')
 
-// Inline QR payment dialog state
-const qrDialog = ref({ show: false, orderId: 0, qrCode: '', expiresAt: '', paymentType: '', payUrl: '' })
+// Payment phase: 'select' → 'paying' (QR/redirect) or 'stripe' (inline Stripe)
+const paymentPhase = ref<'select' | 'paying' | 'stripe'>('select')
+const paymentState = ref({ orderId: 0, qrCode: '', expiresAt: '', paymentType: '', payUrl: '', clientSecret: '', payAmount: 0, orderType: '' })
+
+function resetPayment() {
+  paymentPhase.value = 'select'
+  paymentState.value = { orderId: 0, qrCode: '', expiresAt: '', paymentType: '', payUrl: '', clientSecret: '', payAmount: 0, orderType: '' }
+}
+
+function onPaymentDone() {
+  const wasSubscription = paymentState.value.orderType === 'subscription'
+  resetPayment()
+  selectedPlan.value = null
+  if (wasSubscription) {
+    subscriptionStore.fetchActiveSubscriptions(true).catch(() => {})
+  }
+}
+
+function onPaymentSuccess() {
+  authStore.refreshUser()
+  if (paymentState.value.orderType === 'subscription') {
+    subscriptionStore.fetchActiveSubscriptions(true).catch(() => {})
+  }
+}
+
+function onStripeDone() {
+  const wasSubscription = paymentState.value.orderType === 'subscription'
+  resetPayment()
+  selectedPlan.value = null
+  if (wasSubscription) {
+    subscriptionStore.fetchActiveSubscriptions(true).catch(() => {})
+  }
+}
+
+function onStripeRedirect(orderId: number, payUrl: string) {
+  paymentState.value = { ...paymentState.value, orderId, payUrl, qrCode: '' }
+  paymentPhase.value = 'paying'
+}
 
 // All checkout data from single API call
 const checkout = ref<CheckoutInfoResponse>({
@@ -198,8 +358,7 @@ const validAmount = computed(() => amount.value ?? 0)
 // Adaptive grid: center single card, 2-col for 2 plans, 3-col for 3+
 const planGridClass = computed(() => {
   const n = checkout.value.plans.length
-  if (n === 1) return 'mx-auto grid max-w-sm grid-cols-1 gap-5'
-  if (n === 2) return 'mx-auto grid max-w-2xl grid-cols-1 gap-5 sm:grid-cols-2'
+  if (n <= 2) return 'grid grid-cols-1 gap-5 sm:grid-cols-2'
   return 'grid grid-cols-1 gap-5 sm:grid-cols-2 lg:grid-cols-3'
 })
 
@@ -213,15 +372,9 @@ function amountFitsMethod(amt: number, methodType: string): boolean {
   return true
 }
 
-// Amount range: use selected method's limits when available, fallback to global
-const activeMinAmount = computed(() => {
-  const ml = selectedLimit.value
-  return ml?.single_min && ml.single_min > 0 ? ml.single_min : checkout.value.global_min
-})
-const activeMaxAmount = computed(() => {
-  const ml = selectedLimit.value
-  return ml?.single_max && ml.single_max > 0 ? ml.single_max : checkout.value.global_max
-})
+// Global range for AmountInput (union of all methods, precomputed by backend)
+const globalMinAmount = computed(() => checkout.value.global_min)
+const globalMaxAmount = computed(() => checkout.value.global_max)
 
 // Selected method's limits (for validation and error messages)
 const selectedLimit = computed(() => checkout.value.methods[selectedMethod.value])
@@ -270,6 +423,37 @@ const canSubmit = computed(() =>
     && selectedLimit.value?.available !== false
 )
 
+// Subscription-specific: method options based on plan price
+const subMethodOptions = computed<PaymentMethodOption[]>(() => {
+  const planPrice = selectedPlan.value?.price ?? 0
+  return enabledMethods.value.map((type) => {
+    const ml = checkout.value.methods[type]
+    return {
+      type,
+      fee_rate: ml?.fee_rate ?? 0,
+      available: ml?.available !== false && amountFitsMethod(planPrice, type),
+    }
+  })
+})
+
+const subFeeAmount = computed(() => {
+  const price = selectedPlan.value?.price ?? 0
+  if (feeRate.value <= 0 || price <= 0) return 0
+  return Math.ceil(((price * feeRate.value) / 100) * 100) / 100
+})
+
+const subTotalAmount = computed(() => {
+  const price = selectedPlan.value?.price ?? 0
+  if (feeRate.value <= 0 || price <= 0) return price
+  return Math.round((price + subFeeAmount.value) * 100) / 100
+})
+
+const canSubmitSubscription = computed(() =>
+  selectedPlan.value !== null
+    && amountFitsMethod(selectedPlan.value.price, selectedMethod.value)
+    && selectedLimit.value?.available !== false
+)
+
 // Auto-switch to first available method when current selection can't handle the amount
 watch(() => [validAmount.value, selectedMethod.value] as const, ([amt, method]) => {
   if (amt <= 0 || amountFitsMethod(amt, method)) return
@@ -277,8 +461,51 @@ watch(() => [validAmount.value, selectedMethod.value] as const, ([amt, method])
   if (available) selectedMethod.value = available
 })
 
-function openSubscribeDialog(plan: SubscriptionPlan) {
+// Payment button class: follows selected payment method color
+const paymentButtonClass = computed(() => {
+  const m = selectedMethod.value
+  if (!m) return 'btn-primary'
+  if (m.includes('alipay')) return 'btn-alipay'
+  if (m.includes('wxpay')) return 'btn-wxpay'
+  if (m === 'stripe') return 'btn-stripe'
+  return 'btn-primary'
+})
+
+// Subscription confirm: platform accent colors (clean card, no gradient)
+const planBadgeClass = computed(() => platformBadgeClass(selectedPlan.value?.group_platform || ''))
+const planTextClass = computed(() => platformTextClass(selectedPlan.value?.group_platform || ''))
+
+// Renewal modal state
+const showRenewalModal = ref(false)
+const renewGroupId = ref<number | null>(null)
+const renewalPlans = computed(() => {
+  if (renewGroupId.value == null) return []
+  return checkout.value.plans.filter(p => p.group_id === renewGroupId.value)
+})
+
+const planValiditySuffix = computed(() => {
+  if (!selectedPlan.value) return ''
+  const u = selectedPlan.value.validity_unit || 'day'
+  if (u === 'month') return t('payment.perMonth')
+  if (u === 'year') return t('payment.perYear')
+  return `${selectedPlan.value.validity_days}${t('payment.days')}`
+})
+
+function selectPlan(plan: SubscriptionPlan) {
   selectedPlan.value = plan
+  errorMessage.value = ''
+}
+
+function selectPlanFromModal(plan: SubscriptionPlan) {
+  showRenewalModal.value = false
+  renewGroupId.value = null
+  selectedPlan.value = plan
+  errorMessage.value = ''
+}
+
+function closeRenewalModal() {
+  showRenewalModal.value = false
+  renewGroupId.value = null
 }
 
 async function handleSubmitRecharge() {
@@ -289,7 +516,6 @@ async function handleSubmitRecharge() {
 async function confirmSubscribe() {
   if (!selectedPlan.value || submitting.value) return
   await createOrder(selectedPlan.value.price, 'subscription', selectedPlan.value.id)
-  selectedPlan.value = null
 }
 
 async function createOrder(orderAmount: number, orderType: string, planId?: number) {
@@ -302,42 +528,51 @@ async function createOrder(orderAmount: number, orderType: string, planId?: numb
       order_type: orderType,
       plan_id: planId,
     })
+    const openWindow = (url: string) => {
+      const win = window.open(url, 'paymentPopup', POPUP_WINDOW_FEATURES)
+      if (!win || win.closed) {
+        window.location.href = url
+      }
+    }
     if (result.client_secret) {
-      // Stripe: open in popup window, show waiting dialog on main page
-      const stripeUrl = router.resolve({
-        path: '/payment/stripe',
-        query: { order_id: String(result.order_id), client_secret: result.client_secret },
-      }).href
-      window.open(stripeUrl, 'paymentPopup', POPUP_WINDOW_FEATURES)
-      qrDialog.value = {
-        show: true,
-        orderId: result.order_id,
-        qrCode: '',
-        expiresAt: '',
-        paymentType: selectedMethod.value,
-        payUrl: stripeUrl,
+      // Stripe: show Payment Element inline (user picks method → confirms → redirect if needed)
+      paymentState.value = {
+        orderId: result.order_id, qrCode: '', expiresAt: result.expires_at || '',
+        paymentType: selectedMethod.value, payUrl: '',
+        clientSecret: result.client_secret, payAmount: result.pay_amount,
+        orderType,
       }
+      paymentPhase.value = 'stripe'
+    } else if (isMobileDevice() && result.pay_url) {
+      // Mobile + pay_url: redirect directly instead of QR/popup (mobile browsers block popups)
+      paymentState.value = {
+        orderId: result.order_id, qrCode: '', expiresAt: result.expires_at || '',
+        paymentType: selectedMethod.value, payUrl: result.pay_url,
+        clientSecret: '', payAmount: 0,
+        orderType,
+      }
+      paymentPhase.value = 'paying'
+      window.location.href = result.pay_url
+      return
     } else if (result.qr_code) {
-      // QR mode: show inline dialog, no page navigation
-      qrDialog.value = {
-        show: true,
-        orderId: result.order_id,
-        qrCode: result.qr_code,
-        expiresAt: result.expires_at || '',
-        paymentType: selectedMethod.value,
-        payUrl: '',
+      // QR mode: show QR code inline
+      paymentState.value = {
+        orderId: result.order_id, qrCode: result.qr_code,
+        expiresAt: result.expires_at || '', paymentType: selectedMethod.value, payUrl: '',
+        clientSecret: '', payAmount: 0,
+        orderType,
       }
+      paymentPhase.value = 'paying'
     } else if (result.pay_url) {
-      // Redirect mode: open in popup window, show waiting dialog on main page
-      window.open(result.pay_url, 'paymentPopup', POPUP_WINDOW_FEATURES)
-      qrDialog.value = {
-        show: true,
-        orderId: result.order_id,
-        qrCode: '',
-        expiresAt: result.expires_at || '',
-        paymentType: selectedMethod.value,
-        payUrl: result.pay_url,
+      // Redirect/popup mode: open payment URL, show waiting state inline
+      openWindow(result.pay_url)
+      paymentState.value = {
+        orderId: result.order_id, qrCode: '', expiresAt: result.expires_at || '',
+        paymentType: selectedMethod.value, payUrl: result.pay_url,
+        clientSecret: '', payAmount: 0,
+        orderType,
       }
+      paymentPhase.value = 'paying'
     } else {
       errorMessage.value = t('payment.result.failed')
       appStore.showError(errorMessage.value)
@@ -374,7 +609,23 @@ onMounted(async () => {
     if (checkout.value.balance_disabled) {
       activeTab.value = 'subscription'
     }
+    // Handle renewal navigation: ?tab=subscription&group=123
+    if (route.query.tab === 'subscription') {
+      activeTab.value = 'subscription'
+      if (route.query.group) {
+        const groupId = Number(route.query.group)
+        const groupPlans = checkout.value.plans.filter(p => p.group_id === groupId)
+        if (groupPlans.length === 1) {
+          selectedPlan.value = groupPlans[0]
+        } else if (groupPlans.length > 1) {
+          renewGroupId.value = groupId
+          showRenewalModal.value = true
+        }
+      }
+    }
   } catch (err: unknown) { appStore.showError(extractApiErrorMessage(err, t('common.error'))) }
   finally { loading.value = false }
+  // Fetch active subscriptions (uses cache, non-blocking)
+  subscriptionStore.fetchActiveSubscriptions().catch(() => {})
 })
 </script>

From 3fa5b8bca5d32c80a28212ad228d2a0d2c6bf667 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Tue, 14 Apr 2026 20:13:59 +0800
Subject: [PATCH 098/122] fix: flaky WebSocket test, usage request queue, and
 test improvements

- Fix flaky WebSocket passthrough test: allow StatusNormalClosure after
  client close instead of requiring NoError (race condition fix)
- Fix ratelimit 401 test: use PlatformOpenAI instead of PlatformGemini
  for OAuth token cache invalidation scenario (more accurate)
- Add usageLoadQueue: Anthropic OAuth/setup-token accounts sharing the
  same proxy exit are serialized with 1-2s jitter to prevent upstream 429
- AccountUsageCell: add module-level usage cache (5min TTL), unmounted
  safety guard, and integrate enqueueUsageRequest for throttled fetching
---
 ...penai_ws_forwarder_ingress_session_test.go |   7 +-
 .../service/ratelimit_service_401_test.go     |   4 +-
 .../components/account/AccountUsageCell.vue   |  46 +++-
 .../utils/__tests__/usageLoadQueue.spec.ts    | 205 ++++++++++++++++++
 frontend/src/utils/usageLoadQueue.ts          |  93 ++++++++
 5 files changed, 344 insertions(+), 11 deletions(-)
 create mode 100644 frontend/src/utils/__tests__/usageLoadQueue.spec.ts
 create mode 100644 frontend/src/utils/usageLoadQueue.ts

diff --git a/backend/internal/service/openai_ws_forwarder_ingress_session_test.go b/backend/internal/service/openai_ws_forwarder_ingress_session_test.go
index c527f2eb..6bf9a9ff 100644
--- a/backend/internal/service/openai_ws_forwarder_ingress_session_test.go
+++ b/backend/internal/service/openai_ws_forwarder_ingress_session_test.go
@@ -413,7 +413,12 @@ func TestOpenAIGatewayService_ProxyResponsesWebSocketFromClient_PassthroughModeR
 
 	select {
 	case serverErr := <-serverErrCh:
-		require.NoError(t, serverErr)
+		// After normal client close, the server goroutine may receive the close frame
+		// as an error — this is expected behavior, not a test failure.
+		if serverErr != nil {
+			require.Contains(t, serverErr.Error(), "StatusNormalClosure",
+				"server error should only be a normal close frame, got: %v", serverErr)
+		}
 	case <-time.After(5 * time.Second):
 		t.Fatal("等待 passthrough websocket 结束超时")
 	}
diff --git a/backend/internal/service/ratelimit_service_401_test.go b/backend/internal/service/ratelimit_service_401_test.go
index 67b22e52..9e5e2b0e 100644
--- a/backend/internal/service/ratelimit_service_401_test.go
+++ b/backend/internal/service/ratelimit_service_401_test.go
@@ -102,6 +102,8 @@ func TestRateLimitService_HandleUpstreamError_OAuth401SetsTempUnschedulable(t *t
 	})
 }
 
+// TestRateLimitService_HandleUpstreamError_OAuth401InvalidatorError
+// OpenAI OAuth 401 缓存失效出错时仍走 temp_unschedulable
 func TestRateLimitService_HandleUpstreamError_OAuth401InvalidatorError(t *testing.T) {
 	repo := &rateLimitAccountRepoStub{}
 	invalidator := &tokenCacheInvalidatorRecorder{err: errors.New("boom")}
@@ -109,7 +111,7 @@ func TestRateLimitService_HandleUpstreamError_OAuth401InvalidatorError(t *testin
 	service.SetTokenCacheInvalidator(invalidator)
 	account := &Account{
 		ID:       101,
-		Platform: PlatformGemini,
+		Platform: PlatformOpenAI,
 		Type:     AccountTypeOAuth,
 	}
 
diff --git a/frontend/src/components/account/AccountUsageCell.vue b/frontend/src/components/account/AccountUsageCell.vue
index 2e4eea0c..1c023fb3 100644
--- a/frontend/src/components/account/AccountUsageCell.vue
+++ b/frontend/src/components/account/AccountUsageCell.vue
@@ -439,15 +439,20 @@
 </template>
 
 <script setup lang="ts">
-import { ref, computed, onMounted, onUnmounted, watch } from 'vue'
+import { ref, computed, onMounted, onBeforeUnmount, onUnmounted, watch } from 'vue'
 import { useI18n } from 'vue-i18n'
 import { adminAPI } from '@/api/admin'
 import type { Account, AccountUsageInfo, GeminiCredentials, WindowStats } from '@/types'
 import { buildOpenAIUsageRefreshKey } from '@/utils/accountUsageRefresh'
+import { enqueueUsageRequest } from '@/utils/usageLoadQueue'
 import { formatCompactNumber } from '@/utils/format'
 import UsageProgressBar from './UsageProgressBar.vue'
 import AccountQuotaInfo from './AccountQuotaInfo.vue'
 
+// Module-level cache shared across all AccountUsageCell instances
+const _usageCache = new Map<number, { data: AccountUsageInfo; ts: number }>()
+const USAGE_CACHE_TTL = 5 * 60 * 1000 // 5 minutes
+
 const props = withDefaults(
   defineProps<{
     account: Account
@@ -465,6 +470,9 @@ const props = withDefaults(
 const { t } = useI18n()
 const desktopViewportQuery = '(min-width: 768px)'
 
+const unmounted = ref(false)
+onBeforeUnmount(() => { unmounted.value = true })
+
 const loading = ref(false)
 const activeQueryLoading = ref(false)
 const error = ref<string | null>(null)
@@ -941,19 +949,36 @@ const isAnthropicOAuthOrSetupToken = computed(() => {
   return props.account.platform === 'anthropic' && (props.account.type === 'oauth' || props.account.type === 'setup-token')
 })
 
-const loadUsage = async (source?: 'passive' | 'active') => {
+const loadUsage = async (options?: { source?: 'passive' | 'active'; bypassCache?: boolean }) => {
   if (!shouldFetchUsage.value) return
 
+  // Check cache
+  if (!options?.bypassCache) {
+    const cached = _usageCache.get(props.account.id)
+    if (cached && Date.now() - cached.ts < USAGE_CACHE_TTL) {
+      usageInfo.value = cached.data
+      loading.value = false
+      return
+    }
+  }
+
   loading.value = true
   error.value = null
 
   try {
-    usageInfo.value = await adminAPI.accounts.getUsage(props.account.id, source)
+    const fetchFn = () => adminAPI.accounts.getUsage(props.account.id, options?.source)
+    const result = await enqueueUsageRequest(props.account, fetchFn)
+    if (!unmounted.value) {
+      usageInfo.value = result
+      _usageCache.set(props.account.id, { data: result, ts: Date.now() })
+    }
   } catch (e: any) {
-    error.value = t('common.error')
-    console.error('Failed to load usage:', e)
+    if (!unmounted.value) {
+      error.value = t('common.error')
+      console.error('Failed to load usage:', e)
+    }
   } finally {
-    loading.value = false
+    if (!unmounted.value) loading.value = false
   }
 }
 
@@ -962,7 +987,7 @@ const flushPendingAutoLoad = () => {
   const source = pendingAutoLoadSource.value
   pendingAutoLoad.value = false
   pendingAutoLoadSource.value = undefined
-  loadUsage(source).catch((e) => {
+  loadUsage({ source }).catch((e) => {
     console.error('Failed to load deferred usage:', e)
   })
 }
@@ -974,7 +999,7 @@ const requestAutoLoad = (source?: 'passive' | 'active') => {
     pendingAutoLoadSource.value = source
     return
   }
-  loadUsage(source).catch((e) => {
+  loadUsage({ source }).catch((e) => {
     console.error('Failed to auto load usage:', e)
   })
 }
@@ -1138,7 +1163,10 @@ watch(
     if (!shouldFetchUsage.value) return
 
     const source = isAnthropicOAuthOrSetupToken.value ? 'passive' : undefined
-    requestAutoLoad(source)
+    _usageCache.delete(props.account.id)
+    loadUsage({ source, bypassCache: true }).catch((e) => {
+      console.error('Failed to refresh usage after manual refresh:', e)
+    })
   }
 )
 
diff --git a/frontend/src/utils/__tests__/usageLoadQueue.spec.ts b/frontend/src/utils/__tests__/usageLoadQueue.spec.ts
new file mode 100644
index 00000000..e5509261
--- /dev/null
+++ b/frontend/src/utils/__tests__/usageLoadQueue.spec.ts
@@ -0,0 +1,205 @@
+import { describe, expect, it } from 'vitest'
+import { enqueueUsageRequest } from '../usageLoadQueue'
+import type { Account } from '@/types'
+
+/** Helper to create a minimal Account with proxy info */
+function makeAccount(
+  platform: string,
+  type: string = 'oauth',
+  proxy?: { host: string; port: number; username?: string | null } | null
+): Account {
+  return {
+    id: Math.floor(Math.random() * 10000),
+    platform,
+    type,
+    name: 'test',
+    status: 'active',
+    proxy_id: proxy ? 1 : null,
+    proxy: proxy
+      ? { id: 1, name: 'p', protocol: 'http', host: proxy.host, port: proxy.port, username: proxy.username ?? null, status: 'active', created_at: '', updated_at: '' }
+      : undefined,
+    credentials: {},
+    created_at: '',
+    updated_at: ''
+  } as unknown as Account
+}
+
+describe('usageLoadQueue', () => {
+  // ─── Anthropic 账号：按代理出口排队 ───
+
+  it('Anthropic 同代理出口串行执行，间隔 >= 1s', async () => {
+    const timestamps: number[] = []
+    const makeFn = () => async () => {
+      timestamps.push(Date.now())
+      return 'ok'
+    }
+
+    const acc = makeAccount('anthropic', 'oauth', { host: '1.2.3.4', port: 8080, username: 'u1' })
+
+    const p1 = enqueueUsageRequest(acc, makeFn())
+    const p2 = enqueueUsageRequest(acc, makeFn())
+    const p3 = enqueueUsageRequest(acc, makeFn())
+
+    await Promise.all([p1, p2, p3])
+
+    expect(timestamps).toHaveLength(3)
+    expect(timestamps[1] - timestamps[0]).toBeGreaterThanOrEqual(950)
+    expect(timestamps[1] - timestamps[0]).toBeLessThan(2100)
+    expect(timestamps[2] - timestamps[1]).toBeGreaterThanOrEqual(950)
+    expect(timestamps[2] - timestamps[1]).toBeLessThan(2100)
+  })
+
+  it('Anthropic 不同代理出口并行执行', async () => {
+    const timestamps: Record<string, number> = {}
+    const makeTracked = (key: string) => async () => {
+      timestamps[key] = Date.now()
+      return key
+    }
+
+    const acc1 = makeAccount('anthropic', 'oauth', { host: '1.2.3.4', port: 8080, username: 'u1' })
+    const acc2 = makeAccount('anthropic', 'oauth', { host: '5.6.7.8', port: 3128, username: 'u2' })
+
+    const p1 = enqueueUsageRequest(acc1, makeTracked('proxy1'))
+    const p2 = enqueueUsageRequest(acc2, makeTracked('proxy2'))
+
+    await Promise.all([p1, p2])
+
+    const spread = Math.abs(timestamps['proxy1'] - timestamps['proxy2'])
+    expect(spread).toBeLessThan(50)
+  })
+
+  it('Anthropic 相同代理连接信息的不同账号归为同一队列', async () => {
+    const timestamps: number[] = []
+    const makeFn = () => async () => {
+      timestamps.push(Date.now())
+      return 'ok'
+    }
+
+    const acc1 = makeAccount('anthropic', 'oauth', { host: '10.0.0.1', port: 3128, username: 'admin' })
+    const acc2 = makeAccount('anthropic', 'setup-token', { host: '10.0.0.1', port: 3128, username: 'admin' })
+
+    const p1 = enqueueUsageRequest(acc1, makeFn())
+    const p2 = enqueueUsageRequest(acc2, makeFn())
+
+    await Promise.all([p1, p2])
+
+    expect(timestamps).toHaveLength(2)
+    expect(timestamps[1] - timestamps[0]).toBeGreaterThanOrEqual(950)
+  })
+
+  it('Anthropic 直连（无代理）的账号归为同一队列', async () => {
+    const order: number[] = []
+    const makeFn = (n: number) => async () => {
+      order.push(n)
+      return n
+    }
+
+    const acc1 = makeAccount('anthropic', 'oauth')
+    const acc2 = makeAccount('anthropic', 'setup-token')
+
+    const p1 = enqueueUsageRequest(acc1, makeFn(1))
+    const p2 = enqueueUsageRequest(acc2, makeFn(2))
+
+    await Promise.all([p1, p2])
+
+    expect(order).toEqual([1, 2])
+  })
+
+  it('Anthropic 请求失败时 reject，后续任务继续执行', async () => {
+    const results: string[] = []
+    const acc = makeAccount('anthropic', 'oauth', { host: '99.99.99.99', port: 1234 })
+
+    const p1 = enqueueUsageRequest(acc, async () => {
+      throw new Error('fail')
+    })
+    const p2 = enqueueUsageRequest(acc, async () => {
+      results.push('second')
+      return 'ok'
+    })
+
+    await expect(p1).rejects.toThrow('fail')
+    await p2
+    expect(results).toEqual(['second'])
+  })
+
+  // ─── 非 Anthropic 平台：直接执行，不排队 ───
+
+  it('非 Anthropic 平台直接执行，不排队', async () => {
+    const timestamps: number[] = []
+    const makeFn = () => async () => {
+      timestamps.push(Date.now())
+      return 'ok'
+    }
+
+    // 同一代理的 Gemini 账号 — 应当并行，不排队
+    const acc1 = makeAccount('gemini', 'oauth', { host: '1.2.3.4', port: 8080 })
+    const acc2 = makeAccount('gemini', 'oauth', { host: '1.2.3.4', port: 8080 })
+
+    const p1 = enqueueUsageRequest(acc1, makeFn())
+    const p2 = enqueueUsageRequest(acc2, makeFn())
+
+    await Promise.all([p1, p2])
+
+    expect(timestamps).toHaveLength(2)
+    // 并行执行，几乎同时完成
+    expect(Math.abs(timestamps[1] - timestamps[0])).toBeLessThan(50)
+  })
+
+  it('OpenAI 平台直接执行，不排队', async () => {
+    const timestamps: number[] = []
+    const makeFn = () => async () => {
+      timestamps.push(Date.now())
+      return 'ok'
+    }
+
+    const acc1 = makeAccount('openai', 'oauth', { host: '1.2.3.4', port: 8080 })
+    const acc2 = makeAccount('openai', 'oauth', { host: '1.2.3.4', port: 8080 })
+
+    const p1 = enqueueUsageRequest(acc1, makeFn())
+    const p2 = enqueueUsageRequest(acc2, makeFn())
+
+    await Promise.all([p1, p2])
+
+    expect(timestamps).toHaveLength(2)
+    expect(Math.abs(timestamps[1] - timestamps[0])).toBeLessThan(50)
+  })
+
+  // ─── Anthropic apikey 类型不排队 ───
+
+  it('Anthropic apikey 类型直接执行，不排队', async () => {
+    const timestamps: number[] = []
+    const makeFn = () => async () => {
+      timestamps.push(Date.now())
+      return 'ok'
+    }
+
+    const acc1 = makeAccount('anthropic', 'apikey', { host: '1.2.3.4', port: 8080 })
+    const acc2 = makeAccount('anthropic', 'apikey', { host: '1.2.3.4', port: 8080 })
+
+    const p1 = enqueueUsageRequest(acc1, makeFn())
+    const p2 = enqueueUsageRequest(acc2, makeFn())
+
+    await Promise.all([p1, p2])
+
+    expect(timestamps).toHaveLength(2)
+    expect(Math.abs(timestamps[1] - timestamps[0])).toBeLessThan(50)
+  })
+
+  // ─── 返回值透传 ───
+
+  it('返回值正确透传', async () => {
+    const acc = makeAccount('anthropic', 'oauth')
+    const result = await enqueueUsageRequest(acc, async () => {
+      return { usage: 42 }
+    })
+    expect(result).toEqual({ usage: 42 })
+  })
+
+  it('非 Anthropic 返回值正确透传', async () => {
+    const acc = makeAccount('gemini', 'oauth')
+    const result = await enqueueUsageRequest(acc, async () => {
+      return { quota: 100 }
+    })
+    expect(result).toEqual({ quota: 100 })
+  })
+})
diff --git a/frontend/src/utils/usageLoadQueue.ts b/frontend/src/utils/usageLoadQueue.ts
new file mode 100644
index 00000000..7bea5679
--- /dev/null
+++ b/frontend/src/utils/usageLoadQueue.ts
@@ -0,0 +1,93 @@
+/**
+ * Usage request scheduler — throttles Anthropic API calls by proxy exit.
+ *
+ * Anthropic OAuth/setup-token accounts sharing the same proxy exit are placed
+ * into a serial queue with a random 1–2s delay between requests, preventing
+ * upstream 429 rate-limit errors.
+ *
+ * Proxy identity = host:port:username — two proxy records pointing to the
+ * same exit share a single queue. Accounts without a proxy go into a
+ * "direct" queue.
+ *
+ * All other platforms bypass the queue and execute immediately.
+ */
+
+import type { Account } from '@/types'
+
+const GROUP_DELAY_MIN_MS = 1000
+const GROUP_DELAY_MAX_MS = 2000
+
+type Task<T> = {
+  fn: () => Promise<T>
+  resolve: (value: T) => void
+  reject: (reason: unknown) => void
+}
+
+const queues = new Map<string, Task<unknown>[]>()
+const running = new Set<string>()
+
+/** Whether this account needs throttled queuing. */
+function needsThrottle(account: Account): boolean {
+  return (
+    account.platform === 'anthropic' &&
+    (account.type === 'oauth' || account.type === 'setup-token')
+  )
+}
+
+/** Build a queue key from proxy connection details. */
+function buildGroupKey(account: Account): string {
+  const proxy = account.proxy
+  const proxyIdentity = proxy
+    ? `${proxy.host}:${proxy.port}:${proxy.username || ''}`
+    : 'direct'
+  return `anthropic:${proxyIdentity}`
+}
+
+async function drain(groupKey: string) {
+  if (running.has(groupKey)) return
+  running.add(groupKey)
+
+  const queue = queues.get(groupKey)
+  while (queue && queue.length > 0) {
+    const task = queue.shift()!
+    try {
+      const result = await task.fn()
+      task.resolve(result)
+    } catch (err) {
+      task.reject(err)
+    }
+    if (queue.length > 0) {
+      const jitter = GROUP_DELAY_MIN_MS + Math.random() * (GROUP_DELAY_MAX_MS - GROUP_DELAY_MIN_MS)
+      await new Promise((r) => setTimeout(r, jitter))
+    }
+  }
+
+  running.delete(groupKey)
+  queues.delete(groupKey)
+}
+
+/**
+ * Schedule a usage fetch. Anthropic accounts are queued by proxy exit;
+ * all other platforms execute immediately.
+ */
+export function enqueueUsageRequest<T>(
+  account: Account,
+  fn: () => Promise<T>
+): Promise<T> {
+  // Non-Anthropic → fire immediately, no queuing
+  if (!needsThrottle(account)) {
+    return fn()
+  }
+
+  const key = buildGroupKey(account)
+
+  return new Promise<T>((resolve, reject) => {
+    let queue = queues.get(key)
+    if (!queue) {
+      queue = []
+      queues.set(key, queue)
+    }
+    queue.push({ fn, resolve, reject } as Task<unknown>)
+    drain(key)
+  })
+}

From 3d2027227b7913c1bb48e0801e62d3fe2e28349c Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Tue, 14 Apr 2026 20:22:45 +0800
Subject: [PATCH 099/122] fix: update wire_gen.go to use ProvideSchedulerCache
 with config injection

wire_gen.go was calling NewSchedulerCache(redisClient) but wire.go had
been updated to register ProvideSchedulerCache(redisClient, config),
which reads SnapshotMGetChunkSize and SnapshotWriteChunkSize from config.
Without this fix, those config values were silently ignored.
---
 backend/cmd/server/wire_gen.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backend/cmd/server/wire_gen.go b/backend/cmd/server/wire_gen.go
index a0e84f4c..1d39fa1e 100644
--- a/backend/cmd/server/wire_gen.go
+++ b/backend/cmd/server/wire_gen.go
@@ -99,7 +99,7 @@ func initializeApplication(buildInfo handler.BuildInfo) (*Application, error) {
 	}
 	dashboardAggregationService := service.ProvideDashboardAggregationService(dashboardAggregationRepository, timingWheelService, configConfig)
 	dashboardHandler := admin.NewDashboardHandler(dashboardService, dashboardAggregationService)
-	schedulerCache := repository.NewSchedulerCache(redisClient)
+	schedulerCache := repository.ProvideSchedulerCache(redisClient, configConfig)
 	accountRepository := repository.NewAccountRepository(client, db, schedulerCache)
 	proxyExitInfoProber := repository.NewProxyExitInfoProber(configConfig)
 	proxyLatencyCache := repository.NewProxyLatencyCache(redisClient)

From 8548a130c7b8f1f681f845ac9e51381d0c08f938 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Tue, 14 Apr 2026 20:34:53 +0800
Subject: [PATCH 100/122] fix: Messages() routing refactor and subscription
 group test coverage
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Refactor OpenAI Messages() routing: pre-compute dispatch model using
  resolveOpenAIMessagesDispatchMappedModel + NormalizeOpenAICompatRequestedModel
  instead of try-fail-retry pattern with gin context passing
- Remove openai_messages_fallback_model context anti-pattern
- Use effectiveMappedModel directly for forward default mapped model
- Add 3 subscription group tests covering all branch paths:
  _Blocked (no active subscription → SUBSCRIPTION_REQUIRED),
  _RequiresRepo (nil repo → SUBSCRIPTION_REPOSITORY_UNAVAILABLE),
  _AllowsActiveSubscription (valid subscription → success)
---
 .../handler/openai_gateway_handler.go         | 37 +++--------
 .../service/admin_service_apikey_test.go      | 62 ++++++++++++++++++-
 2 files changed, 69 insertions(+), 30 deletions(-)

diff --git a/backend/internal/handler/openai_gateway_handler.go b/backend/internal/handler/openai_gateway_handler.go
index 6c5a6779..5319b55d 100644
--- a/backend/internal/handler/openai_gateway_handler.go
+++ b/backend/internal/handler/openai_gateway_handler.go
@@ -557,6 +557,8 @@ func (h *OpenAIGatewayHandler) Messages(c *gin.Context) {
 		return
 	}
 	reqModel := modelResult.String()
+	routingModel := service.NormalizeOpenAICompatRequestedModel(reqModel)
+	preferredMappedModel := resolveOpenAIMessagesDispatchMappedModel(apiKey, reqModel)
 	reqStream := gjson.GetBytes(body, "stream").Bool()
 
 	reqLog = reqLog.With(zap.String("model", reqModel), zap.Bool("stream", reqStream))
@@ -615,17 +617,20 @@ func (h *OpenAIGatewayHandler) Messages(c *gin.Context) {
 	failedAccountIDs := make(map[int64]struct{})
 	sameAccountRetryCount := make(map[int64]int)
 	var lastFailoverErr *service.UpstreamFailoverError
+	effectiveMappedModel := preferredMappedModel
 
 	for {
-		// 清除上一次迭代的降级模型标记，避免残留影响本次迭代
-		c.Set("openai_messages_fallback_model", "")
+		currentRoutingModel := routingModel
+		if effectiveMappedModel != "" {
+			currentRoutingModel = effectiveMappedModel
+		}
 		reqLog.Debug("openai_messages.account_selecting", zap.Int("excluded_account_count", len(failedAccountIDs)))
 		selection, scheduleDecision, err := h.gatewayService.SelectAccountWithScheduler(
 			c.Request.Context(),
 			apiKey.GroupID,
 			"", // no previous_response_id
 			sessionHash,
-			reqModel,
+			currentRoutingModel,
 			failedAccountIDs,
 			service.OpenAIUpstreamTransportAny,
 		)
@@ -634,29 +639,7 @@ func (h *OpenAIGatewayHandler) Messages(c *gin.Context) {
 				zap.Error(err),
 				zap.Int("excluded_account_count", len(failedAccountIDs)),
 			)
-			// 首次调度失败 + 有默认映射模型 → 用默认模型重试
 			if len(failedAccountIDs) == 0 {
-				defaultModel := ""
-				if apiKey.Group != nil {
-					defaultModel = apiKey.Group.DefaultMappedModel
-				}
-				if defaultModel != "" && defaultModel != reqModel {
-					reqLog.Info("openai_messages.fallback_to_default_model",
-						zap.String("default_mapped_model", defaultModel),
-					)
-					selection, scheduleDecision, err = h.gatewayService.SelectAccountWithScheduler(
-						c.Request.Context(),
-						apiKey.GroupID,
-						"",
-						sessionHash,
-						defaultModel,
-						failedAccountIDs,
-						service.OpenAIUpstreamTransportAny,
-					)
-					if err == nil && selection != nil {
-						c.Set("openai_messages_fallback_model", defaultModel)
-					}
-				}
 				if err != nil {
 					h.anthropicStreamingAwareError(c, http.StatusServiceUnavailable, "api_error", "Service temporarily unavailable", streamStarted)
 					return
@@ -688,9 +671,7 @@ func (h *OpenAIGatewayHandler) Messages(c *gin.Context) {
 		service.SetOpsLatencyMs(c, service.OpsRoutingLatencyMsKey, time.Since(routingStart).Milliseconds())
 		forwardStart := time.Now()
 
-		// Forward 层需要始终拿到 group 默认映射模型，这样未命中账号级映射的
-		// Claude 兼容模型才不会在后续 Codex 规范化中意外退化到 gpt-5.1。
-		defaultMappedModel := resolveOpenAIForwardDefaultMappedModel(apiKey, c.GetString("openai_messages_fallback_model"))
+		defaultMappedModel := strings.TrimSpace(effectiveMappedModel)
 		// 应用渠道模型映射到请求体
 		forwardBody := body
 		if channelMappingMsg.Mapped {
diff --git a/backend/internal/service/admin_service_apikey_test.go b/backend/internal/service/admin_service_apikey_test.go
index 1e235278..419ddbc3 100644
--- a/backend/internal/service/admin_service_apikey_test.go
+++ b/backend/internal/service/admin_service_apikey_test.go
@@ -216,6 +216,29 @@ func (s *groupRepoStubForGroupUpdate) UpdateSortOrders(context.Context, []GroupS
 	panic("unexpected")
 }
 
+type userSubRepoStubForGroupUpdate struct {
+	userSubRepoNoop
+	getActiveSub  *UserSubscription
+	getActiveErr  error
+	called        bool
+	calledUserID  int64
+	calledGroupID int64
+}
+
+func (s *userSubRepoStubForGroupUpdate) GetActiveByUserIDAndGroupID(_ context.Context, userID, groupID int64) (*UserSubscription, error) {
+	s.called = true
+	s.calledUserID = userID
+	s.calledGroupID = groupID
+	if s.getActiveErr != nil {
+		return nil, s.getActiveErr
+	}
+	if s.getActiveSub == nil {
+		return nil, ErrSubscriptionNotFound
+	}
+	clone := *s.getActiveSub
+	return &clone, nil
+}
+
 // ---------------------------------------------------------------------------
 // Tests
 // ---------------------------------------------------------------------------
@@ -408,17 +431,52 @@ func TestAdminService_AdminUpdateAPIKeyGroupID_NonExclusiveGroup_NoAllowedGroupU
 func TestAdminService_AdminUpdateAPIKeyGroupID_SubscriptionGroup_Blocked(t *testing.T) {
 	existing := &APIKey{ID: 1, UserID: 42, Key: "sk-test", GroupID: nil}
 	apiKeyRepo := &apiKeyRepoStubForGroupUpdate{key: existing}
-	groupRepo := &groupRepoStubForGroupUpdate{group: &Group{ID: 10, Name: "Sub", Status: StatusActive, IsExclusive: true, SubscriptionType: SubscriptionTypeSubscription}}
+	groupRepo := &groupRepoStubForGroupUpdate{group: &Group{ID: 10, Name: "Sub", Status: StatusActive, IsExclusive: false, SubscriptionType: SubscriptionTypeSubscription}}
+	userRepo := &userRepoStubForGroupUpdate{}
+	userSubRepo := &userSubRepoStubForGroupUpdate{getActiveErr: ErrSubscriptionNotFound}
+	svc := &adminServiceImpl{apiKeyRepo: apiKeyRepo, groupRepo: groupRepo, userRepo: userRepo, userSubRepo: userSubRepo}
+
+	// 无有效订阅时应拒绝绑定
+	_, err := svc.AdminUpdateAPIKeyGroupID(context.Background(), 1, int64Ptr(10))
+	require.Error(t, err)
+	require.Equal(t, "SUBSCRIPTION_REQUIRED", infraerrors.Reason(err))
+	require.True(t, userSubRepo.called)
+	require.Equal(t, int64(42), userSubRepo.calledUserID)
+	require.Equal(t, int64(10), userSubRepo.calledGroupID)
+	require.False(t, userRepo.addGroupCalled)
+}
+
+func TestAdminService_AdminUpdateAPIKeyGroupID_SubscriptionGroup_RequiresRepo(t *testing.T) {
+	existing := &APIKey{ID: 1, UserID: 42, Key: "sk-test", GroupID: nil}
+	apiKeyRepo := &apiKeyRepoStubForGroupUpdate{key: existing}
+	groupRepo := &groupRepoStubForGroupUpdate{group: &Group{ID: 10, Name: "Sub", Status: StatusActive, IsExclusive: false, SubscriptionType: SubscriptionTypeSubscription}}
 	userRepo := &userRepoStubForGroupUpdate{}
 	svc := &adminServiceImpl{apiKeyRepo: apiKeyRepo, groupRepo: groupRepo, userRepo: userRepo}
 
-	// userSubRepo is nil → SUBSCRIPTION_REPOSITORY_UNAVAILABLE
 	_, err := svc.AdminUpdateAPIKeyGroupID(context.Background(), 1, int64Ptr(10))
 	require.Error(t, err)
 	require.Equal(t, "SUBSCRIPTION_REPOSITORY_UNAVAILABLE", infraerrors.Reason(err))
 	require.False(t, userRepo.addGroupCalled)
 }
 
+func TestAdminService_AdminUpdateAPIKeyGroupID_SubscriptionGroup_AllowsActiveSubscription(t *testing.T) {
+	existing := &APIKey{ID: 1, UserID: 42, Key: "sk-test", GroupID: nil}
+	apiKeyRepo := &apiKeyRepoStubForGroupUpdate{key: existing}
+	groupRepo := &groupRepoStubForGroupUpdate{group: &Group{ID: 10, Name: "Sub", Status: StatusActive, IsExclusive: true, SubscriptionType: SubscriptionTypeSubscription}}
+	userRepo := &userRepoStubForGroupUpdate{}
+	userSubRepo := &userSubRepoStubForGroupUpdate{
+		getActiveSub: &UserSubscription{ID: 99, UserID: 42, GroupID: 10},
+	}
+	svc := &adminServiceImpl{apiKeyRepo: apiKeyRepo, groupRepo: groupRepo, userRepo: userRepo, userSubRepo: userSubRepo}
+
+	got, err := svc.AdminUpdateAPIKeyGroupID(context.Background(), 1, int64Ptr(10))
+	require.NoError(t, err)
+	require.True(t, userSubRepo.called)
+	require.NotNil(t, got.APIKey.GroupID)
+	require.Equal(t, int64(10), *got.APIKey.GroupID)
+	require.False(t, userRepo.addGroupCalled)
+}
+
 func TestAdminService_AdminUpdateAPIKeyGroupID_ExclusiveGroup_AllowedGroupAddFails_ReturnsError(t *testing.T) {
 	existing := &APIKey{ID: 1, UserID: 42, Key: "sk-test", GroupID: nil}
 	apiKeyRepo := &apiKeyRepoStubForGroupUpdate{key: existing}

From 60a4b9316b9a78a788ac47d9ffa04a8a249a651e Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Wed, 15 Apr 2026 00:14:57 +0800
Subject: [PATCH 101/122] feat(payment): balance recharge multiplier and refund
 amount separation

- Add balance_recharge_multiplier system setting (e.g. 1.2 = charge 100 get 120)
- Separate order_amount (credited balance) from pay_amount (actual payment)
- Refund calculates gateway amount proportionally from pay_amount
- Frontend shows both amounts in order details, payment status, refund dialog
- Admin settings UI for configuring recharge multiplier
---
 .../internal/handler/admin/setting_handler.go | 47 ++++++++++--------
 backend/internal/handler/dto/settings.go      |  7 +--
 backend/internal/handler/payment_handler.go   | 36 +++++++-------
 backend/internal/service/payment_amounts.go   | 37 ++++++++++++++
 .../service/payment_config_service.go         | 30 ++++++++----
 .../internal/service/payment_fulfillment.go   |  6 ++-
 backend/internal/service/payment_order.go     | 30 ++++++++----
 backend/internal/service/payment_refund.go    |  6 +--
 frontend/src/api/admin/payment.ts             |  2 +
 frontend/src/api/admin/settings.ts            |  2 +
 .../admin/payment/AdminOrderDetail.vue        |  6 +--
 .../admin/payment/AdminOrderTable.vue         |  4 +-
 .../admin/payment/AdminRefundDialog.vue       | 18 ++++---
 .../src/components/payment/OrderTable.vue     |  4 +-
 .../components/payment/PaymentQRDialog.vue    |  6 ++-
 .../components/payment/PaymentStatusPanel.vue |  6 ++-
 .../payment/StripePaymentInline.vue           | 12 +++--
 frontend/src/i18n/locales/en.ts               |  6 +++
 frontend/src/i18n/locales/zh.ts               |  6 +++
 frontend/src/types/payment.ts                 |  3 ++
 frontend/src/views/admin/SettingsView.vue     | 11 ++++-
 .../views/admin/orders/AdminOrdersView.vue    |  8 ++--
 frontend/src/views/user/PaymentResultView.vue |  6 ++-
 frontend/src/views/user/PaymentView.vue       | 48 ++++++++++++++-----
 24 files changed, 246 insertions(+), 101 deletions(-)
 create mode 100644 backend/internal/service/payment_amounts.go

diff --git a/backend/internal/handler/admin/setting_handler.go b/backend/internal/handler/admin/setting_handler.go
index 29c97b4b..d0134953 100644
--- a/backend/internal/handler/admin/setting_handler.go
+++ b/backend/internal/handler/admin/setting_handler.go
@@ -188,6 +188,7 @@ func (h *SettingHandler) GetSettings(c *gin.Context) {
 		PaymentMaxPendingOrders:              paymentCfg.MaxPendingOrders,
 		PaymentEnabledTypes:                  paymentCfg.EnabledTypes,
 		PaymentBalanceDisabled:               paymentCfg.BalanceDisabled,
+		PaymentBalanceRechargeMultiplier:     paymentCfg.BalanceRechargeMultiplier,
 		PaymentLoadBalanceStrat:              paymentCfg.LoadBalanceStrategy,
 		PaymentProductNamePrefix:             paymentCfg.ProductNamePrefix,
 		PaymentProductNameSuffix:             paymentCfg.ProductNameSuffix,
@@ -323,9 +324,10 @@ type UpdateSettingsRequest struct {
 	PaymentDailyLimit        *float64 `json:"payment_daily_limit"`
 	PaymentOrderTimeoutMin   *int     `json:"payment_order_timeout_minutes"`
 	PaymentMaxPendingOrders  *int     `json:"payment_max_pending_orders"`
-	PaymentEnabledTypes      []string `json:"payment_enabled_types"`
-	PaymentBalanceDisabled   *bool    `json:"payment_balance_disabled"`
-	PaymentLoadBalanceStrat  *string  `json:"payment_load_balance_strategy"`
+	PaymentEnabledTypes              []string `json:"payment_enabled_types"`
+	PaymentBalanceDisabled           *bool    `json:"payment_balance_disabled"`
+	PaymentBalanceRechargeMultiplier *float64 `json:"payment_balance_recharge_multiplier"`
+	PaymentLoadBalanceStrat          *string  `json:"payment_load_balance_strategy"`
 	PaymentProductNamePrefix *string  `json:"payment_product_name_prefix"`
 	PaymentProductNameSuffix *string  `json:"payment_product_name_suffix"`
 	PaymentHelpImageURL      *string  `json:"payment_help_image_url"`
@@ -934,24 +936,25 @@ func (h *SettingHandler) UpdateSettings(c *gin.Context) {
 	// Skip if no payment fields were provided (prevents accidental wipe).
 	if h.paymentConfigService != nil && hasPaymentFields(req) {
 		paymentReq := service.UpdatePaymentConfigRequest{
-			Enabled:                req.PaymentEnabled,
-			MinAmount:              req.PaymentMinAmount,
-			MaxAmount:              req.PaymentMaxAmount,
-			DailyLimit:             req.PaymentDailyLimit,
-			OrderTimeoutMin:        req.PaymentOrderTimeoutMin,
-			MaxPendingOrders:       req.PaymentMaxPendingOrders,
-			EnabledTypes:           req.PaymentEnabledTypes,
-			BalanceDisabled:        req.PaymentBalanceDisabled,
-			LoadBalanceStrategy:    req.PaymentLoadBalanceStrat,
-			ProductNamePrefix:      req.PaymentProductNamePrefix,
-			ProductNameSuffix:      req.PaymentProductNameSuffix,
-			HelpImageURL:           req.PaymentHelpImageURL,
-			HelpText:               req.PaymentHelpText,
-			CancelRateLimitEnabled: req.PaymentCancelRateLimitEnabled,
-			CancelRateLimitMax:     req.PaymentCancelRateLimitMax,
-			CancelRateLimitWindow:  req.PaymentCancelRateLimitWindow,
-			CancelRateLimitUnit:    req.PaymentCancelRateLimitUnit,
-			CancelRateLimitMode:    req.PaymentCancelRateLimitMode,
+			Enabled:                   req.PaymentEnabled,
+			MinAmount:                 req.PaymentMinAmount,
+			MaxAmount:                 req.PaymentMaxAmount,
+			DailyLimit:                req.PaymentDailyLimit,
+			OrderTimeoutMin:           req.PaymentOrderTimeoutMin,
+			MaxPendingOrders:          req.PaymentMaxPendingOrders,
+			EnabledTypes:              req.PaymentEnabledTypes,
+			BalanceDisabled:           req.PaymentBalanceDisabled,
+			BalanceRechargeMultiplier: req.PaymentBalanceRechargeMultiplier,
+			LoadBalanceStrategy:       req.PaymentLoadBalanceStrat,
+			ProductNamePrefix:         req.PaymentProductNamePrefix,
+			ProductNameSuffix:         req.PaymentProductNameSuffix,
+			HelpImageURL:              req.PaymentHelpImageURL,
+			HelpText:                  req.PaymentHelpText,
+			CancelRateLimitEnabled:    req.PaymentCancelRateLimitEnabled,
+			CancelRateLimitMax:        req.PaymentCancelRateLimitMax,
+			CancelRateLimitWindow:     req.PaymentCancelRateLimitWindow,
+			CancelRateLimitUnit:       req.PaymentCancelRateLimitUnit,
+			CancelRateLimitMode:       req.PaymentCancelRateLimitMode,
 		}
 		if err := h.paymentConfigService.UpdatePaymentConfig(c.Request.Context(), paymentReq); err != nil {
 			response.ErrorFrom(c, err)
@@ -1082,6 +1085,7 @@ func (h *SettingHandler) UpdateSettings(c *gin.Context) {
 		PaymentMaxPendingOrders:              updatedPaymentCfg.MaxPendingOrders,
 		PaymentEnabledTypes:                  updatedPaymentCfg.EnabledTypes,
 		PaymentBalanceDisabled:               updatedPaymentCfg.BalanceDisabled,
+		PaymentBalanceRechargeMultiplier:     updatedPaymentCfg.BalanceRechargeMultiplier,
 		PaymentLoadBalanceStrat:              updatedPaymentCfg.LoadBalanceStrategy,
 		PaymentProductNamePrefix:             updatedPaymentCfg.ProductNamePrefix,
 		PaymentProductNameSuffix:             updatedPaymentCfg.ProductNameSuffix,
@@ -1101,6 +1105,7 @@ func hasPaymentFields(req UpdateSettingsRequest) bool {
 		req.PaymentMaxAmount != nil || req.PaymentDailyLimit != nil ||
 		req.PaymentOrderTimeoutMin != nil || req.PaymentMaxPendingOrders != nil ||
 		req.PaymentEnabledTypes != nil || req.PaymentBalanceDisabled != nil ||
+		req.PaymentBalanceRechargeMultiplier != nil ||
 		req.PaymentLoadBalanceStrat != nil || req.PaymentProductNamePrefix != nil ||
 		req.PaymentProductNameSuffix != nil || req.PaymentHelpImageURL != nil ||
 		req.PaymentHelpText != nil || req.PaymentCancelRateLimitEnabled != nil ||
diff --git a/backend/internal/handler/dto/settings.go b/backend/internal/handler/dto/settings.go
index ef285a44..2f97b3e0 100644
--- a/backend/internal/handler/dto/settings.go
+++ b/backend/internal/handler/dto/settings.go
@@ -134,9 +134,10 @@ type SystemSettings struct {
 	PaymentDailyLimit        float64  `json:"payment_daily_limit"`
 	PaymentOrderTimeoutMin   int      `json:"payment_order_timeout_minutes"`
 	PaymentMaxPendingOrders  int      `json:"payment_max_pending_orders"`
-	PaymentEnabledTypes      []string `json:"payment_enabled_types"`
-	PaymentBalanceDisabled   bool     `json:"payment_balance_disabled"`
-	PaymentLoadBalanceStrat  string   `json:"payment_load_balance_strategy"`
+	PaymentEnabledTypes              []string `json:"payment_enabled_types"`
+	PaymentBalanceDisabled           bool     `json:"payment_balance_disabled"`
+	PaymentBalanceRechargeMultiplier float64  `json:"payment_balance_recharge_multiplier"`
+	PaymentLoadBalanceStrat          string   `json:"payment_load_balance_strategy"`
 	PaymentProductNamePrefix string   `json:"payment_product_name_prefix"`
 	PaymentProductNameSuffix string   `json:"payment_product_name_suffix"`
 	PaymentHelpImageURL      string   `json:"payment_help_image_url"`
diff --git a/backend/internal/handler/payment_handler.go b/backend/internal/handler/payment_handler.go
index 5fde86fa..973ba4a5 100644
--- a/backend/internal/handler/payment_handler.go
+++ b/backend/internal/handler/payment_handler.go
@@ -126,26 +126,28 @@ func (h *PaymentHandler) GetCheckoutInfo(c *gin.Context) {
 	}
 
 	response.Success(c, checkoutInfoResponse{
-		Methods:              limitsResp.Methods,
-		GlobalMin:            limitsResp.GlobalMin,
-		GlobalMax:            limitsResp.GlobalMax,
-		Plans:                planList,
-		BalanceDisabled:      cfg.BalanceDisabled,
-		HelpText:             cfg.HelpText,
-		HelpImageURL:         cfg.HelpImageURL,
-		StripePublishableKey: cfg.StripePublishableKey,
+		Methods:                   limitsResp.Methods,
+		GlobalMin:                 limitsResp.GlobalMin,
+		GlobalMax:                 limitsResp.GlobalMax,
+		Plans:                     planList,
+		BalanceDisabled:           cfg.BalanceDisabled,
+		BalanceRechargeMultiplier: cfg.BalanceRechargeMultiplier,
+		HelpText:                  cfg.HelpText,
+		HelpImageURL:              cfg.HelpImageURL,
+		StripePublishableKey:      cfg.StripePublishableKey,
 	})
 }
 
 type checkoutInfoResponse struct {
-	Methods              map[string]service.MethodLimits `json:"methods"`
-	GlobalMin            float64                         `json:"global_min"`
-	GlobalMax            float64                         `json:"global_max"`
-	Plans                []checkoutPlan                  `json:"plans"`
-	BalanceDisabled      bool                            `json:"balance_disabled"`
-	HelpText             string                          `json:"help_text"`
-	HelpImageURL         string                          `json:"help_image_url"`
-	StripePublishableKey string                          `json:"stripe_publishable_key"`
+	Methods                   map[string]service.MethodLimits `json:"methods"`
+	GlobalMin                 float64                         `json:"global_min"`
+	GlobalMax                 float64                         `json:"global_max"`
+	Plans                     []checkoutPlan                  `json:"plans"`
+	BalanceDisabled           bool                            `json:"balance_disabled"`
+	BalanceRechargeMultiplier float64                         `json:"balance_recharge_multiplier"`
+	HelpText                  string                          `json:"help_text"`
+	HelpImageURL              string                          `json:"help_image_url"`
+	StripePublishableKey      string                          `json:"stripe_publishable_key"`
 }
 
 type checkoutPlan struct {
@@ -381,6 +383,7 @@ type PublicOrderResult struct {
 	Amount      float64 `json:"amount"`
 	PayAmount   float64 `json:"pay_amount"`
 	PaymentType string  `json:"payment_type"`
+	OrderType   string  `json:"order_type"`
 	Status      string  `json:"status"`
 }
 
@@ -404,6 +407,7 @@ func (h *PaymentHandler) VerifyOrderPublic(c *gin.Context) {
 		Amount:      order.Amount,
 		PayAmount:   order.PayAmount,
 		PaymentType: order.PaymentType,
+		OrderType:   order.OrderType,
 		Status:      order.Status,
 	})
 }
diff --git a/backend/internal/service/payment_amounts.go b/backend/internal/service/payment_amounts.go
new file mode 100644
index 00000000..cc01f6ad
--- /dev/null
+++ b/backend/internal/service/payment_amounts.go
@@ -0,0 +1,37 @@
+package service
+
+import (
+	"math"
+
+	"github.com/shopspring/decimal"
+)
+
+const defaultBalanceRechargeMultiplier = 1.0
+
+func normalizeBalanceRechargeMultiplier(multiplier float64) float64 {
+	if math.IsNaN(multiplier) || math.IsInf(multiplier, 0) || multiplier <= 0 {
+		return defaultBalanceRechargeMultiplier
+	}
+	return multiplier
+}
+
+func calculateCreditedBalance(paymentAmount, multiplier float64) float64 {
+	return decimal.NewFromFloat(paymentAmount).
+		Mul(decimal.NewFromFloat(normalizeBalanceRechargeMultiplier(multiplier))).
+		Round(2).
+		InexactFloat64()
+}
+
+func calculateGatewayRefundAmount(orderAmount, payAmount, refundAmount float64) float64 {
+	if orderAmount <= 0 || payAmount <= 0 || refundAmount <= 0 {
+		return 0
+	}
+	if math.Abs(refundAmount-orderAmount) <= amountToleranceCNY {
+		return decimal.NewFromFloat(payAmount).Round(2).InexactFloat64()
+	}
+	return decimal.NewFromFloat(payAmount).
+		Mul(decimal.NewFromFloat(refundAmount)).
+		Div(decimal.NewFromFloat(orderAmount)).
+		Round(2).
+		InexactFloat64()
+}
diff --git a/backend/internal/service/payment_config_service.go b/backend/internal/service/payment_config_service.go
index cce31f4d..409625ed 100644
--- a/backend/internal/service/payment_config_service.go
+++ b/backend/internal/service/payment_config_service.go
@@ -3,12 +3,14 @@ package service
 import (
 	"context"
 	"fmt"
+	"math"
 	"strconv"
 	"strings"
 
 	dbent "github.com/Wei-Shaw/sub2api/ent"
 	"github.com/Wei-Shaw/sub2api/ent/paymentproviderinstance"
 	"github.com/Wei-Shaw/sub2api/internal/payment"
+	infraerrors "github.com/Wei-Shaw/sub2api/internal/pkg/errors"
 )
 
 const (
@@ -21,6 +23,7 @@ const (
 	SettingEnabledPaymentTypes = "ENABLED_PAYMENT_TYPES"
 	SettingLoadBalanceStrategy = "LOAD_BALANCE_STRATEGY"
 	SettingBalancePayDisabled  = "BALANCE_PAYMENT_DISABLED"
+	SettingBalanceRechargeMult = "BALANCE_RECHARGE_MULTIPLIER"
 	SettingProductNamePrefix   = "PRODUCT_NAME_PREFIX"
 	SettingProductNameSuffix   = "PRODUCT_NAME_SUFFIX"
 	SettingHelpImageURL        = "PAYMENT_HELP_IMAGE_URL"
@@ -46,9 +49,10 @@ type PaymentConfig struct {
 	DailyLimit           float64  `json:"daily_limit"`
 	OrderTimeoutMin      int      `json:"order_timeout_minutes"`
 	MaxPendingOrders     int      `json:"max_pending_orders"`
-	EnabledTypes         []string `json:"enabled_payment_types"`
-	BalanceDisabled      bool     `json:"balance_disabled"`
-	LoadBalanceStrategy  string   `json:"load_balance_strategy"`
+	EnabledTypes              []string `json:"enabled_payment_types"`
+	BalanceDisabled           bool     `json:"balance_disabled"`
+	BalanceRechargeMultiplier float64  `json:"balance_recharge_multiplier"`
+	LoadBalanceStrategy       string   `json:"load_balance_strategy"`
 	ProductNamePrefix    string   `json:"product_name_prefix"`
 	ProductNameSuffix    string   `json:"product_name_suffix"`
 	HelpImageURL         string   `json:"help_image_url"`
@@ -71,9 +75,10 @@ type UpdatePaymentConfigRequest struct {
 	DailyLimit          *float64 `json:"daily_limit"`
 	OrderTimeoutMin     *int     `json:"order_timeout_minutes"`
 	MaxPendingOrders    *int     `json:"max_pending_orders"`
-	EnabledTypes        []string `json:"enabled_payment_types"`
-	BalanceDisabled     *bool    `json:"balance_disabled"`
-	LoadBalanceStrategy *string  `json:"load_balance_strategy"`
+	EnabledTypes              []string `json:"enabled_payment_types"`
+	BalanceDisabled           *bool    `json:"balance_disabled"`
+	BalanceRechargeMultiplier *float64 `json:"balance_recharge_multiplier"`
+	LoadBalanceStrategy       *string  `json:"load_balance_strategy"`
 	ProductNamePrefix   *string  `json:"product_name_prefix"`
 	ProductNameSuffix   *string  `json:"product_name_suffix"`
 	HelpImageURL        *string  `json:"help_image_url"`
@@ -183,7 +188,7 @@ func (s *PaymentConfigService) GetPaymentConfig(ctx context.Context) (*PaymentCo
 	keys := []string{
 		SettingPaymentEnabled, SettingMinRechargeAmount, SettingMaxRechargeAmount,
 		SettingDailyRechargeLimit, SettingOrderTimeoutMinutes, SettingMaxPendingOrders,
-		SettingEnabledPaymentTypes, SettingBalancePayDisabled, SettingLoadBalanceStrategy,
+		SettingEnabledPaymentTypes, SettingBalancePayDisabled, SettingBalanceRechargeMult, SettingLoadBalanceStrategy,
 		SettingProductNamePrefix, SettingProductNameSuffix,
 		SettingHelpImageURL, SettingHelpText,
 		SettingCancelRateLimitOn, SettingCancelRateLimitMax,
@@ -207,8 +212,9 @@ func (s *PaymentConfigService) parsePaymentConfig(vals map[string]string) *Payme
 		DailyLimit:          pcParseFloat(vals[SettingDailyRechargeLimit], 0),
 		OrderTimeoutMin:     pcParseInt(vals[SettingOrderTimeoutMinutes], defaultOrderTimeoutMin),
 		MaxPendingOrders:    pcParseInt(vals[SettingMaxPendingOrders], defaultMaxPendingOrders),
-		BalanceDisabled:     vals[SettingBalancePayDisabled] == "true",
-		LoadBalanceStrategy: vals[SettingLoadBalanceStrategy],
+		BalanceDisabled:           vals[SettingBalancePayDisabled] == "true",
+		BalanceRechargeMultiplier: normalizeBalanceRechargeMultiplier(pcParseFloat(vals[SettingBalanceRechargeMult], defaultBalanceRechargeMultiplier)),
+		LoadBalanceStrategy:       vals[SettingLoadBalanceStrategy],
 		ProductNamePrefix:   vals[SettingProductNamePrefix],
 		ProductNameSuffix:   vals[SettingProductNameSuffix],
 		HelpImageURL:        vals[SettingHelpImageURL],
@@ -256,6 +262,11 @@ func (s *PaymentConfigService) getStripePublishableKey(ctx context.Context) stri
 // nil-check before serialisation — this is inherent to patch-style update patterns
 // and cannot be meaningfully decomposed without introducing unnecessary abstraction.
 func (s *PaymentConfigService) UpdatePaymentConfig(ctx context.Context, req UpdatePaymentConfigRequest) error {
+	if req.BalanceRechargeMultiplier != nil {
+		if math.IsNaN(*req.BalanceRechargeMultiplier) || math.IsInf(*req.BalanceRechargeMultiplier, 0) || *req.BalanceRechargeMultiplier <= 0 {
+			return infraerrors.BadRequest("INVALID_BALANCE_RECHARGE_MULTIPLIER", "balance recharge multiplier must be greater than 0")
+		}
+	}
 	m := map[string]string{
 		SettingPaymentEnabled:      formatBoolOrEmpty(req.Enabled),
 		SettingMinRechargeAmount:   formatPositiveFloat(req.MinAmount),
@@ -264,6 +275,7 @@ func (s *PaymentConfigService) UpdatePaymentConfig(ctx context.Context, req Upda
 		SettingOrderTimeoutMinutes: formatPositiveInt(req.OrderTimeoutMin),
 		SettingMaxPendingOrders:    formatPositiveInt(req.MaxPendingOrders),
 		SettingBalancePayDisabled:  formatBoolOrEmpty(req.BalanceDisabled),
+		SettingBalanceRechargeMult: formatPositiveFloat(req.BalanceRechargeMultiplier),
 		SettingLoadBalanceStrategy: derefStr(req.LoadBalanceStrategy),
 		SettingProductNamePrefix:   derefStr(req.ProductNamePrefix),
 		SettingProductNameSuffix:   derefStr(req.ProductNameSuffix),
diff --git a/backend/internal/service/payment_fulfillment.go b/backend/internal/service/payment_fulfillment.go
index de41d742..44818b37 100644
--- a/backend/internal/service/payment_fulfillment.go
+++ b/backend/internal/service/payment_fulfillment.go
@@ -216,7 +216,11 @@ func (s *PaymentService) markCompleted(ctx context.Context, o *dbent.PaymentOrde
 	if err != nil {
 		return fmt.Errorf("mark completed: %w", err)
 	}
-	s.writeAuditLog(ctx, o.ID, auditAction, "system", map[string]any{"rechargeCode": o.RechargeCode, "amount": o.Amount})
+	s.writeAuditLog(ctx, o.ID, auditAction, "system", map[string]any{
+		"rechargeCode":   o.RechargeCode,
+		"creditedAmount": o.Amount,
+		"payAmount":      o.PayAmount,
+	})
 	return nil
 }
 
diff --git a/backend/internal/service/payment_order.go b/backend/internal/service/payment_order.go
index ff4dfaa8..1d5562dd 100644
--- a/backend/internal/service/payment_order.go
+++ b/backend/internal/service/payment_order.go
@@ -43,14 +43,18 @@ func (s *PaymentService) CreateOrder(ctx context.Context, req CreateOrderRequest
 	if user.Status != payment.EntityStatusActive {
 		return nil, infraerrors.Forbidden("USER_INACTIVE", "user account is disabled")
 	}
-	amount := req.Amount
+	orderAmount := req.Amount
+	limitAmount := req.Amount
 	if plan != nil {
-		amount = plan.Price
+		orderAmount = plan.Price
+		limitAmount = plan.Price
+	} else if req.OrderType == payment.OrderTypeBalance {
+		orderAmount = calculateCreditedBalance(req.Amount, cfg.BalanceRechargeMultiplier)
 	}
 	feeRate := s.getFeeRate(req.PaymentType)
-	payAmountStr := payment.CalculatePayAmount(amount, feeRate)
+	payAmountStr := payment.CalculatePayAmount(limitAmount, feeRate)
 	payAmount, _ := strconv.ParseFloat(payAmountStr, 64)
-	order, err := s.createOrderInTx(ctx, req, user, plan, cfg, amount, feeRate, payAmount)
+	order, err := s.createOrderInTx(ctx, req, user, plan, cfg, orderAmount, limitAmount, feeRate, payAmount)
 	if err != nil {
 		return nil, err
 	}
@@ -99,7 +103,7 @@ func (s *PaymentService) validateSubOrder(ctx context.Context, req CreateOrderRe
 	return plan, nil
 }
 
-func (s *PaymentService) createOrderInTx(ctx context.Context, req CreateOrderRequest, user *User, plan *dbent.SubscriptionPlan, cfg *PaymentConfig, amount, feeRate, payAmount float64) (*dbent.PaymentOrder, error) {
+func (s *PaymentService) createOrderInTx(ctx context.Context, req CreateOrderRequest, user *User, plan *dbent.SubscriptionPlan, cfg *PaymentConfig, orderAmount, limitAmount, feeRate, payAmount float64) (*dbent.PaymentOrder, error) {
 	tx, err := s.entClient.Tx(ctx)
 	if err != nil {
 		return nil, fmt.Errorf("begin transaction: %w", err)
@@ -108,7 +112,7 @@ func (s *PaymentService) createOrderInTx(ctx context.Context, req CreateOrderReq
 	if err := s.checkPendingLimit(ctx, tx, req.UserID, cfg.MaxPendingOrders); err != nil {
 		return nil, err
 	}
-	if err := s.checkDailyLimit(ctx, tx, req.UserID, amount, cfg.DailyLimit); err != nil {
+	if err := s.checkDailyLimit(ctx, tx, req.UserID, limitAmount, cfg.DailyLimit); err != nil {
 		return nil, err
 	}
 	tm := cfg.OrderTimeoutMin
@@ -121,7 +125,7 @@ func (s *PaymentService) createOrderInTx(ctx context.Context, req CreateOrderReq
 		SetUserEmail(user.Email).
 		SetUserName(user.Username).
 		SetNillableUserNotes(psNilIfEmpty(user.Notes)).
-		SetAmount(amount).
+		SetAmount(orderAmount).
 		SetPayAmount(payAmount).
 		SetFeeRate(feeRate).
 		SetRechargeCode("").
@@ -180,6 +184,10 @@ func (s *PaymentService) checkDailyLimit(ctx context.Context, tx *dbent.Tx, user
 	}
 	var used float64
 	for _, o := range orders {
+		if o.OrderType == payment.OrderTypeBalance {
+			used += o.PayAmount
+			continue
+		}
 		used += o.Amount
 	}
 	if used+amount > limit {
@@ -213,7 +221,13 @@ func (s *PaymentService) invokeProvider(ctx context.Context, order *dbent.Paymen
 	if err != nil {
 		return nil, fmt.Errorf("update order with payment details: %w", err)
 	}
-	s.writeAuditLog(ctx, order.ID, "ORDER_CREATED", fmt.Sprintf("user:%d", req.UserID), map[string]any{"amount": req.Amount, "paymentType": req.PaymentType, "orderType": req.OrderType})
+	s.writeAuditLog(ctx, order.ID, "ORDER_CREATED", fmt.Sprintf("user:%d", req.UserID), map[string]any{
+		"paymentAmount":  req.Amount,
+		"creditedAmount": order.Amount,
+		"payAmount":      order.PayAmount,
+		"paymentType":    req.PaymentType,
+		"orderType":      req.OrderType,
+	})
 	return &CreateOrderResponse{OrderID: order.ID, Amount: order.Amount, PayAmount: payAmount, FeeRate: order.FeeRate, Status: OrderStatusPending, PaymentType: req.PaymentType, PayURL: pr.PayURL, QRCode: pr.QRCode, ClientSecret: pr.ClientSecret, ExpiresAt: order.ExpiresAt, PaymentMode: sel.PaymentMode}, nil
 }
 
diff --git a/backend/internal/service/payment_refund.go b/backend/internal/service/payment_refund.go
index 99468433..c5bda763 100644
--- a/backend/internal/service/payment_refund.go
+++ b/backend/internal/service/payment_refund.go
@@ -113,11 +113,7 @@ func (s *PaymentService) PrepareRefund(ctx context.Context, oid int64, amt float
 	if amt-o.Amount > amountToleranceCNY {
 		return nil, nil, infraerrors.BadRequest("REFUND_AMOUNT_EXCEEDED", "refund amount exceeds recharge")
 	}
-	// Full refund: use actual pay_amount for gateway (includes fees)
-	ga := amt
-	if math.Abs(amt-o.Amount) <= amountToleranceCNY {
-		ga = o.PayAmount
-	}
+	ga := calculateGatewayRefundAmount(o.Amount, o.PayAmount, amt)
 	rr := strings.TrimSpace(reason)
 	if rr == "" && o.RefundRequestReason != nil {
 		rr = *o.RefundRequestReason
diff --git a/frontend/src/api/admin/payment.ts b/frontend/src/api/admin/payment.ts
index 946c91b0..3daf56b2 100644
--- a/frontend/src/api/admin/payment.ts
+++ b/frontend/src/api/admin/payment.ts
@@ -23,6 +23,7 @@ export interface AdminPaymentConfig {
   max_pending_orders: number
   enabled_payment_types: string[]
   balance_disabled: boolean
+  balance_recharge_multiplier: number
   load_balance_strategy: string
   product_name_prefix: string
   product_name_suffix: string
@@ -40,6 +41,7 @@ export interface UpdatePaymentConfigRequest {
   max_pending_orders?: number
   enabled_payment_types?: string[]
   balance_disabled?: boolean
+  balance_recharge_multiplier?: number
   load_balance_strategy?: string
   product_name_prefix?: string
   product_name_suffix?: string
diff --git a/frontend/src/api/admin/settings.ts b/frontend/src/api/admin/settings.ts
index aa1d0f82..c0cf16ee 100644
--- a/frontend/src/api/admin/settings.ts
+++ b/frontend/src/api/admin/settings.ts
@@ -125,6 +125,7 @@ export interface SystemSettings {
   payment_max_pending_orders: number
   payment_enabled_types: string[]
   payment_balance_disabled: boolean
+  payment_balance_recharge_multiplier: number
   payment_load_balance_strategy: string
   payment_product_name_prefix: string
   payment_product_name_suffix: string
@@ -231,6 +232,7 @@ export interface UpdateSettingsRequest {
   payment_max_pending_orders?: number
   payment_enabled_types?: string[]
   payment_balance_disabled?: boolean
+  payment_balance_recharge_multiplier?: number
   payment_load_balance_strategy?: string
   payment_product_name_prefix?: string
   payment_product_name_suffix?: string
diff --git a/frontend/src/components/admin/payment/AdminOrderDetail.vue b/frontend/src/components/admin/payment/AdminOrderDetail.vue
index de4b00b5..5a07c097 100644
--- a/frontend/src/components/admin/payment/AdminOrderDetail.vue
+++ b/frontend/src/components/admin/payment/AdminOrderDetail.vue
@@ -19,11 +19,11 @@
         </div>
         <div>
           <p class="text-xs text-gray-500 dark:text-gray-400">{{ t('payment.orders.amount') }}</p>
-          <p class="text-sm font-medium text-gray-900 dark:text-white">${{ order.amount.toFixed(2) }}</p>
+          <p class="text-sm font-medium text-gray-900 dark:text-white">{{ order.order_type === 'balance' ? '$' : '¥' }}{{ order.amount.toFixed(2) }}</p>
         </div>
         <div>
           <p class="text-xs text-gray-500 dark:text-gray-400">{{ t('payment.orders.payAmount') }}</p>
-          <p class="text-sm font-medium text-gray-900 dark:text-white">${{ order.pay_amount.toFixed(2) }}</p>
+          <p class="text-sm font-medium text-gray-900 dark:text-white">¥{{ order.pay_amount.toFixed(2) }}</p>
         </div>
         <div>
           <p class="text-xs text-gray-500 dark:text-gray-400">{{ t('payment.orders.paymentMethod') }}</p>
@@ -73,7 +73,7 @@
         <div class="grid grid-cols-2 gap-2 text-sm">
           <div>
             <span class="text-red-600 dark:text-red-400">{{ t('payment.admin.refundAmount') }}:</span>
-            <span class="ml-1 font-medium text-red-700 dark:text-red-300">${{ order.refund_amount.toFixed(2) }}</span>
+            <span class="ml-1 font-medium text-red-700 dark:text-red-300">{{ order.order_type === 'balance' ? '$' : '¥' }}{{ order.refund_amount.toFixed(2) }}</span>
           </div>
           <div v-if="order.refund_reason" class="col-span-2">
             <span class="text-red-600 dark:text-red-400">{{ t('payment.admin.refundReason') }}:</span>
diff --git a/frontend/src/components/admin/payment/AdminOrderTable.vue b/frontend/src/components/admin/payment/AdminOrderTable.vue
index 0a22930e..fa3a57ca 100644
--- a/frontend/src/components/admin/payment/AdminOrderTable.vue
+++ b/frontend/src/components/admin/payment/AdminOrderTable.vue
@@ -53,9 +53,9 @@
 
       <template #cell-amount="{ value, row }">
         <div class="text-sm">
-          <span class="font-medium text-gray-900 dark:text-white">${{ value.toFixed(2) }}</span>
+          <span class="font-medium text-gray-900 dark:text-white">{{ row.order_type === 'balance' ? '$' : '¥' }}{{ value.toFixed(2) }}</span>
           <span v-if="row.pay_amount !== value" class="ml-1 text-xs text-gray-500">
-            ({{ t('payment.orders.payAmount') }}: ${{ row.pay_amount.toFixed(2) }})
+            ({{ t('payment.orders.payAmount') }}: ¥{{ row.pay_amount.toFixed(2) }})
           </span>
         </div>
       </template>
diff --git a/frontend/src/components/admin/payment/AdminRefundDialog.vue b/frontend/src/components/admin/payment/AdminRefundDialog.vue
index 9333828c..a569f6c3 100644
--- a/frontend/src/components/admin/payment/AdminRefundDialog.vue
+++ b/frontend/src/components/admin/payment/AdminRefundDialog.vue
@@ -35,11 +35,15 @@
         </div>
         <div class="mt-1 flex justify-between text-sm">
           <span class="text-gray-500 dark:text-gray-400">{{ t('payment.orders.amount') }}</span>
-          <span class="font-medium text-gray-900 dark:text-white">${{ order?.pay_amount?.toFixed(2) }}</span>
+          <span class="font-medium text-gray-900 dark:text-white">{{ order?.order_type === 'balance' ? '$' : '¥' }}{{ order?.amount?.toFixed(2) }}</span>
+        </div>
+        <div class="mt-1 flex justify-between text-sm">
+          <span class="text-gray-500 dark:text-gray-400">{{ t('payment.orders.payAmount') }}</span>
+          <span class="font-medium text-gray-900 dark:text-white">¥{{ order?.pay_amount?.toFixed(2) }}</span>
         </div>
         <div v-if="actuallyRefunded > 0" class="mt-1 flex justify-between text-sm">
           <span class="text-gray-500 dark:text-gray-400">{{ t('payment.admin.alreadyRefunded') }}</span>
-          <span class="font-medium text-red-600 dark:text-red-400">${{ actuallyRefunded.toFixed(2) }}</span>
+          <span class="font-medium text-red-600 dark:text-red-400">{{ order?.order_type === 'balance' ? '$' : '¥' }}{{ actuallyRefunded.toFixed(2) }}</span>
         </div>
       </div>
 
@@ -66,7 +70,7 @@
           </div>
           <div class="rounded-lg bg-gray-50 p-3 text-sm dark:bg-dark-700">
             <div class="text-gray-500 dark:text-gray-400">{{ t('payment.admin.orderAmount') }}</div>
-            <div class="mt-1 font-semibold text-gray-900 dark:text-white">${{ order?.pay_amount?.toFixed(2) }}</div>
+            <div class="mt-1 font-semibold text-gray-900 dark:text-white">{{ order?.order_type === 'balance' ? '$' : '¥' }}{{ order?.amount?.toFixed(2) }}</div>
           </div>
         </div>
 
@@ -91,7 +95,7 @@
       <div>
         <label class="input-label">{{ t('payment.admin.refundAmount') }}</label>
         <div class="relative">
-          <span class="absolute left-3 top-1/2 -translate-y-1/2 text-gray-500">$</span>
+          <span class="absolute left-3 top-1/2 -translate-y-1/2 text-gray-500">{{ order?.order_type === 'balance' ? '$' : '¥' }}</span>
           <input
             v-model.number="form.amount"
             type="number"
@@ -103,7 +107,7 @@
           />
         </div>
         <p class="mt-1 text-xs text-gray-500 dark:text-gray-400">
-          {{ t('payment.admin.maxRefundable') }}: ${{ maxRefundable.toFixed(2) }}
+          {{ t('payment.admin.maxRefundable') }}: {{ order?.order_type === 'balance' ? '$' : '¥' }}{{ maxRefundable.toFixed(2) }}
         </p>
       </div>
 
@@ -200,12 +204,12 @@ const actuallyRefunded = computed(() => {
 
 const maxRefundable = computed(() => {
   if (!props.order) return 0
-  return props.order.pay_amount - actuallyRefunded.value
+  return props.order.amount - actuallyRefunded.value
 })
 
 const balanceInsufficient = computed(() => {
   if (props.userBalance == null || !props.order) return false
-  return props.userBalance < props.order.pay_amount
+  return props.userBalance < props.order.amount
 })
 
 watch(() => props.show, (val) => {
diff --git a/frontend/src/components/payment/OrderTable.vue b/frontend/src/components/payment/OrderTable.vue
index 73a2ddd9..f4f0caed 100644
--- a/frontend/src/components/payment/OrderTable.vue
+++ b/frontend/src/components/payment/OrderTable.vue
@@ -14,8 +14,8 @@
     </template>
     <template #cell-amount="{ value, row }">
       <div class="text-sm">
-        <span class="font-medium text-gray-900 dark:text-white">${{ value.toFixed(2) }}</span>
-        <span v-if="row.pay_amount !== value" class="ml-1 text-xs text-gray-500">(${{ row.pay_amount.toFixed(2) }})</span>
+        <span class="font-medium text-gray-900 dark:text-white">{{ row.order_type === 'balance' ? '$' : '¥' }}{{ value.toFixed(2) }}</span>
+        <span v-if="row.pay_amount !== value" class="ml-1 text-xs text-gray-500">(¥{{ row.pay_amount.toFixed(2) }})</span>
       </div>
     </template>
     <template #cell-payment_type="{ value }">
diff --git a/frontend/src/components/payment/PaymentQRDialog.vue b/frontend/src/components/payment/PaymentQRDialog.vue
index c21ef029..b9026e78 100644
--- a/frontend/src/components/payment/PaymentQRDialog.vue
+++ b/frontend/src/components/payment/PaymentQRDialog.vue
@@ -45,7 +45,11 @@
           </div>
           <div class="flex justify-between">
             <span class="text-gray-500 dark:text-gray-400">{{ t('payment.orders.amount') }}</span>
-            <span class="font-medium text-gray-900 dark:text-white">${{ paidOrder.pay_amount.toFixed(2) }}</span>
+            <span class="font-medium text-gray-900 dark:text-white">{{ paidOrder.order_type === 'balance' ? '$' : '¥' }}{{ paidOrder.amount.toFixed(2) }}</span>
+          </div>
+          <div class="flex justify-between">
+            <span class="text-gray-500 dark:text-gray-400">{{ t('payment.orders.payAmount') }}</span>
+            <span class="font-medium text-gray-900 dark:text-white">¥{{ paidOrder.pay_amount.toFixed(2) }}</span>
           </div>
         </div>
       </div>
diff --git a/frontend/src/components/payment/PaymentStatusPanel.vue b/frontend/src/components/payment/PaymentStatusPanel.vue
index 01269f64..974dee66 100644
--- a/frontend/src/components/payment/PaymentStatusPanel.vue
+++ b/frontend/src/components/payment/PaymentStatusPanel.vue
@@ -22,7 +22,11 @@
               </div>
               <div class="flex justify-between">
                 <span class="text-gray-500 dark:text-gray-400">{{ t('payment.orders.amount') }}</span>
-                <span class="font-medium text-gray-900 dark:text-white">${{ paidOrder.pay_amount.toFixed(2) }}</span>
+                <span class="font-medium text-gray-900 dark:text-white">{{ paidOrder.order_type === 'balance' ? '$' : '¥' }}{{ paidOrder.amount.toFixed(2) }}</span>
+              </div>
+              <div class="flex justify-between">
+                <span class="text-gray-500 dark:text-gray-400">{{ t('payment.orders.payAmount') }}</span>
+                <span class="font-medium text-gray-900 dark:text-white">¥{{ paidOrder.pay_amount.toFixed(2) }}</span>
               </div>
             </div>
           </div>
diff --git a/frontend/src/components/payment/StripePaymentInline.vue b/frontend/src/components/payment/StripePaymentInline.vue
index e30dc270..b8fd55ef 100644
--- a/frontend/src/components/payment/StripePaymentInline.vue
+++ b/frontend/src/components/payment/StripePaymentInline.vue
@@ -21,9 +21,13 @@
                 <span class="text-gray-500 dark:text-gray-400">{{ t('payment.orders.orderId') }}</span>
                 <span class="font-medium text-gray-900 dark:text-white">#{{ orderId }}</span>
               </div>
-              <div class="flex justify-between">
+              <div v-if="amount > 0" class="flex justify-between">
                 <span class="text-gray-500 dark:text-gray-400">{{ t('payment.orders.amount') }}</span>
-                <span class="font-medium text-gray-900 dark:text-white">${{ payAmount.toFixed(2) }}</span>
+                <span class="font-medium text-gray-900 dark:text-white">{{ orderType === 'balance' ? '$' : '¥' }}{{ amount.toFixed(2) }}</span>
+              </div>
+              <div class="flex justify-between">
+                <span class="text-gray-500 dark:text-gray-400">{{ t('payment.orders.payAmount') }}</span>
+                <span class="font-medium text-gray-900 dark:text-white">¥{{ payAmount.toFixed(2) }}</span>
               </div>
             </div>
           </div>
@@ -36,7 +40,7 @@
       <div class="card overflow-hidden">
         <div class="bg-gradient-to-br from-[#635bff] to-[#4f46e5] px-6 py-5 text-center">
           <p class="text-sm font-medium text-indigo-200">{{ t('payment.actualPay') }}</p>
-          <p class="mt-1 text-3xl font-bold text-white">${{ payAmount.toFixed(2) }}</p>
+          <p class="mt-1 text-3xl font-bold text-white">¥{{ payAmount.toFixed(2) }}</p>
         </div>
       </div>
       <!-- Stripe Payment Element -->
@@ -75,7 +79,9 @@ const POPUP_METHODS = new Set(['alipay', 'wechat_pay'])
 
 const props = defineProps<{
   orderId: number
+  amount: number
   clientSecret: string
+  orderType?: 'balance' | 'subscription'
   publishableKey: string
   payAmount: number
 }>()
diff --git a/frontend/src/i18n/locales/en.ts b/frontend/src/i18n/locales/en.ts
index a9dff584..f6aa26e6 100644
--- a/frontend/src/i18n/locales/en.ts
+++ b/frontend/src/i18n/locales/en.ts
@@ -4566,6 +4566,9 @@ export default {
         minAmount: 'Minimum Amount',
         maxAmount: 'Maximum Amount',
         dailyLimit: 'Daily Limit',
+        balanceRechargeMultiplier: 'Balance Recharge Multiplier',
+        balanceRechargeMultiplierHint: 'How many USD balance the user receives for each 1 CNY paid',
+        balanceRechargePreview: 'Preview: 1 CNY = {usd} USD',
         orderTimeout: 'Order Timeout',
         orderTimeoutHint: 'In minutes, minimum 1',
         maxPendingOrders: 'Max Pending Orders',
@@ -5324,6 +5327,8 @@ export default {
   payment: {
     title: 'Recharge / Subscription',
     amountLabel: 'Amount',
+    paymentAmount: 'Payment Amount',
+    creditedBalance: 'Credited Balance',
     quickAmounts: 'Quick Amounts',
     customAmount: 'Custom Amount',
     enterAmount: 'Enter amount',
@@ -5408,6 +5413,7 @@ export default {
     amountTooLow: 'Minimum amount is {min}',
     amountTooHigh: 'Maximum amount is {max}',
     amountNoMethod: 'No payment method available for this amount',
+    rechargeRatePreview: 'Current rate: 1 CNY = {usd} USD',
     refundReason: 'Refund Reason',
     refundReasonPlaceholder: 'Please describe your refund reason',
     stripeLoadFailed: 'Failed to load payment component. Please refresh and try again.',
diff --git a/frontend/src/i18n/locales/zh.ts b/frontend/src/i18n/locales/zh.ts
index c78f9a74..b994cb67 100644
--- a/frontend/src/i18n/locales/zh.ts
+++ b/frontend/src/i18n/locales/zh.ts
@@ -4730,6 +4730,9 @@ export default {
         minAmount: '最低金额',
         maxAmount: '最高金额',
         dailyLimit: '每日限额',
+        balanceRechargeMultiplier: '余额充值倍率',
+        balanceRechargeMultiplierHint: '用户每支付 1 CNY 可获得多少 USD 余额',
+        balanceRechargePreview: '预览：1 CNY = {usd} USD',
         orderTimeout: '订单超时时间',
         orderTimeoutHint: '单位：分钟，至少 1 分钟',
         maxPendingOrders: '最大待支付订单数',
@@ -5512,6 +5515,8 @@ export default {
   payment: {
     title: '充值/订阅',
     amountLabel: '充值金额',
+    paymentAmount: '支付金额',
+    creditedBalance: '到账余额',
     quickAmounts: '快捷金额',
     customAmount: '自定义金额',
     enterAmount: '输入金额',
@@ -5596,6 +5601,7 @@ export default {
     amountTooLow: '最低金额为 {min}',
     amountTooHigh: '最高金额为 {max}',
     amountNoMethod: '该金额没有可用的支付方式',
+    rechargeRatePreview: '当前倍率：1 CNY = {usd} USD',
     refundReason: '退款原因',
     refundReasonPlaceholder: '请描述您的退款原因',
     stripeLoadFailed: '支付组件加载失败，请刷新页面重试',
diff --git a/frontend/src/types/payment.ts b/frontend/src/types/payment.ts
index 51c40fe6..1ad4f2ff 100644
--- a/frontend/src/types/payment.ts
+++ b/frontend/src/types/payment.ts
@@ -32,6 +32,7 @@ export interface PaymentConfig {
   max_pending_orders: number
   order_timeout_minutes: number
   balance_disabled: boolean
+  balance_recharge_multiplier: number
   enabled_payment_types: PaymentType[]
   help_image_url: string
   help_text: string
@@ -62,6 +63,7 @@ export interface CheckoutInfoResponse {
   global_max: number
   plans: SubscriptionPlan[]
   balance_disabled: boolean
+  balance_recharge_multiplier: number
   help_text: string
   help_image_url: string
   stripe_publishable_key: string
@@ -155,6 +157,7 @@ export interface CreateOrderRequest {
 
 export interface CreateOrderResult {
   order_id: number
+  amount: number
   pay_url?: string
   qr_code?: string
   client_secret?: string
diff --git a/frontend/src/views/admin/SettingsView.vue b/frontend/src/views/admin/SettingsView.vue
index 2465fa5e..e2411fdc 100644
--- a/frontend/src/views/admin/SettingsView.vue
+++ b/frontend/src/views/admin/SettingsView.vue
@@ -2371,10 +2371,16 @@
                 <div><label class="input-label">{{ t('admin.settings.payment.preview') }}</label><div class="rounded-lg border border-gray-200 bg-gray-50 px-3 py-2 text-sm text-gray-600 dark:border-dark-600 dark:bg-dark-800 dark:text-gray-300">{{ (form.payment_product_name_prefix || 'Sub2API') + ' 100 ' + (form.payment_product_name_suffix || 'CNY') }}</div></div>
               </div>
               <!-- Row 2: Balance toggle + amounts -->
-              <div class="grid grid-cols-2 gap-3 sm:grid-cols-4">
+              <div class="grid grid-cols-2 gap-3 sm:grid-cols-5">
                 <div><label class="input-label">{{ t('admin.settings.payment.minAmount') }}</label><input :value="form.payment_min_amount || ''" @input="form.payment_min_amount = parseFloat(($event.target as HTMLInputElement).value) || 0" type="number" step="0.01" min="0" class="input" :placeholder="t('admin.settings.payment.noLimit')" /></div>
                 <div><label class="input-label">{{ t('admin.settings.payment.maxAmount') }}</label><input :value="form.payment_max_amount || ''" @input="form.payment_max_amount = parseFloat(($event.target as HTMLInputElement).value) || 0" type="number" step="0.01" min="0" class="input" :placeholder="t('admin.settings.payment.noLimit')" /></div>
                 <div><label class="input-label">{{ t('admin.settings.payment.dailyLimit') }}</label><input :value="form.payment_daily_limit || ''" @input="form.payment_daily_limit = parseFloat(($event.target as HTMLInputElement).value) || 0" type="number" step="0.01" min="0" class="input" :placeholder="t('admin.settings.payment.noLimit')" /></div>
+                <div>
+                  <label class="input-label">{{ t('admin.settings.payment.balanceRechargeMultiplier') }}</label>
+                  <input :value="form.payment_balance_recharge_multiplier || ''" @input="form.payment_balance_recharge_multiplier = parseFloat(($event.target as HTMLInputElement).value) || 1" type="number" step="0.01" min="0.01" class="input" />
+                  <p class="mt-0.5 text-xs text-gray-400">{{ t('admin.settings.payment.balanceRechargeMultiplierHint') }}</p>
+                  <p class="mt-1 text-xs font-medium text-primary-600 dark:text-primary-400">{{ t('admin.settings.payment.balanceRechargePreview', { usd: (Number(form.payment_balance_recharge_multiplier) || 1).toFixed(2) }) }}</p>
+                </div>
                 <div><label class="input-label">{{ t('admin.settings.payment.orderTimeout') }} <span class="text-red-500">*</span></label><input v-model.number="form.payment_order_timeout_minutes" type="number" min="1" class="input" required /><p class="mt-0.5 text-xs text-gray-400">{{ t('admin.settings.payment.orderTimeoutHint') }}</p></div>
               </div>
               <!-- Row 3: Pending orders + load balance + cancel rate limit (all in one row) -->
@@ -2968,7 +2974,7 @@ const form = reactive<SettingsForm>({
   home_content: '',
   backend_mode_enabled: false,
   hide_ccs_import_button: false,
-  payment_enabled: false,  payment_min_amount: 1,  payment_max_amount: 10000,  payment_daily_limit: 50000,  payment_max_pending_orders: 3,  payment_order_timeout_minutes: 30,  payment_balance_disabled: false,  payment_enabled_types: [],  payment_help_image_url: '',  payment_help_text: '',  payment_product_name_prefix: '',  payment_product_name_suffix: '',  payment_load_balance_strategy: 'round-robin',  payment_cancel_rate_limit_enabled: false,  payment_cancel_rate_limit_max: 10,  payment_cancel_rate_limit_window: 1,  payment_cancel_rate_limit_unit: 'day',  payment_cancel_rate_limit_window_mode: 'rolling',
+  payment_enabled: false,  payment_min_amount: 1,  payment_max_amount: 10000,  payment_daily_limit: 50000,  payment_max_pending_orders: 3,  payment_order_timeout_minutes: 30,  payment_balance_disabled: false,  payment_balance_recharge_multiplier: 1,  payment_enabled_types: [],  payment_help_image_url: '',  payment_help_text: '',  payment_product_name_prefix: '',  payment_product_name_suffix: '',  payment_load_balance_strategy: 'round-robin',  payment_cancel_rate_limit_enabled: false,  payment_cancel_rate_limit_max: 10,  payment_cancel_rate_limit_window: 1,  payment_cancel_rate_limit_unit: 'day',  payment_cancel_rate_limit_window_mode: 'rolling',
   table_default_page_size: tablePageSizeDefault,
   table_page_size_options: [10, 20, 50, 100],
   custom_menu_items: [] as Array<{id: string; label: string; icon_svg: string; url: string; visibility: 'user' | 'admin'; sort_order: number}>,
@@ -3627,6 +3633,7 @@ async function saveSettings() {
       payment_max_pending_orders: Number(form.payment_max_pending_orders) || 0,
       payment_order_timeout_minutes: Number(form.payment_order_timeout_minutes) || 0,
       payment_balance_disabled: form.payment_balance_disabled,
+      payment_balance_recharge_multiplier: Number(form.payment_balance_recharge_multiplier) || 1,
       payment_enabled_types: form.payment_enabled_types,
       payment_load_balance_strategy: form.payment_load_balance_strategy,
       payment_product_name_prefix: form.payment_product_name_prefix,
diff --git a/frontend/src/views/admin/orders/AdminOrdersView.vue b/frontend/src/views/admin/orders/AdminOrdersView.vue
index 6b838f77..efe41905 100644
--- a/frontend/src/views/admin/orders/AdminOrdersView.vue
+++ b/frontend/src/views/admin/orders/AdminOrdersView.vue
@@ -35,7 +35,7 @@
               {{ t('payment.admin.retry') }}
             </button>
             <template v-if="row.status === 'REFUND_REQUESTED'">
-              <span v-if="row.refund_amount" class="rounded-full bg-purple-100 px-1.5 py-0.5 text-xs font-medium text-purple-700 dark:bg-purple-900/30 dark:text-purple-300">${{ row.refund_amount.toFixed(2) }}</span>
+              <span v-if="row.refund_amount" class="rounded-full bg-purple-100 px-1.5 py-0.5 text-xs font-medium text-purple-700 dark:bg-purple-900/30 dark:text-purple-300">{{ row.order_type === 'balance' ? '$' : '¥' }}{{ row.refund_amount.toFixed(2) }}</span>
               <button @click="openRefundDialog(row)" class="inline-flex items-center gap-1 rounded-md px-2 py-1 text-xs font-medium text-purple-600 hover:bg-purple-50 dark:text-purple-400 dark:hover:bg-purple-900/20">
                 <Icon name="check" size="sm" />
                 {{ t('payment.admin.approveRefund') }}
@@ -62,14 +62,14 @@
           <div><p class="text-xs text-gray-500 dark:text-gray-400">{{ t('payment.orders.orderId') }}</p><p class="font-mono text-sm font-medium text-gray-900 dark:text-white">#{{ selectedOrder.id }}</p></div>
           <div><p class="text-xs text-gray-500 dark:text-gray-400">{{ t('payment.orders.orderNo') }}</p><p class="text-sm font-medium text-gray-900 dark:text-white">{{ selectedOrder.out_trade_no }}</p></div>
           <div><p class="text-xs text-gray-500 dark:text-gray-400">{{ t('payment.orders.status') }}</p><OrderStatusBadge :status="selectedOrder.status" /></div>
-          <div><p class="text-xs text-gray-500 dark:text-gray-400">{{ t('payment.orders.amount') }}</p><p class="text-sm font-medium text-gray-900 dark:text-white">${{ selectedOrder.amount.toFixed(2) }}</p></div>
-          <div><p class="text-xs text-gray-500 dark:text-gray-400">{{ t('payment.orders.payAmount') }}</p><p class="text-sm font-medium text-gray-900 dark:text-white">${{ selectedOrder.pay_amount.toFixed(2) }}</p></div>
+          <div><p class="text-xs text-gray-500 dark:text-gray-400">{{ t('payment.orders.amount') }}</p><p class="text-sm font-medium text-gray-900 dark:text-white">{{ selectedOrder.order_type === 'balance' ? '$' : '¥' }}{{ selectedOrder.amount.toFixed(2) }}</p></div>
+          <div><p class="text-xs text-gray-500 dark:text-gray-400">{{ t('payment.orders.payAmount') }}</p><p class="text-sm font-medium text-gray-900 dark:text-white">¥{{ selectedOrder.pay_amount.toFixed(2) }}</p></div>
           <div><p class="text-xs text-gray-500 dark:text-gray-400">{{ t('payment.orders.paymentMethod') }}</p><p class="text-sm text-gray-700 dark:text-gray-300">{{ t('payment.methods.' + selectedOrder.payment_type, selectedOrder.payment_type) }}</p></div>
           <div><p class="text-xs text-gray-500 dark:text-gray-400">{{ t('payment.admin.feeRate') }}</p><p class="text-sm text-gray-700 dark:text-gray-300">{{ (selectedOrder.fee_rate * 100).toFixed(1) }}%</p></div>
           <div><p class="text-xs text-gray-500 dark:text-gray-400">{{ t('payment.orders.createdAt') }}</p><p class="text-sm text-gray-700 dark:text-gray-300">{{ formatDateTime(selectedOrder.created_at) }}</p></div>
           <div><p class="text-xs text-gray-500 dark:text-gray-400">{{ t('payment.admin.expiresAt') }}</p><p class="text-sm text-gray-700 dark:text-gray-300">{{ formatDateTime(selectedOrder.expires_at) }}</p></div>
           <div v-if="selectedOrder.paid_at"><p class="text-xs text-gray-500 dark:text-gray-400">{{ t('payment.admin.paidAt') }}</p><p class="text-sm text-gray-700 dark:text-gray-300">{{ formatDateTime(selectedOrder.paid_at) }}</p></div>
-          <div v-if="selectedOrder.refund_amount"><p class="text-xs text-gray-500 dark:text-gray-400">{{ t('payment.admin.refundAmount') }}</p><p class="text-sm font-medium text-red-600 dark:text-red-400">${{ selectedOrder.refund_amount.toFixed(2) }}</p></div>
+          <div v-if="selectedOrder.refund_amount"><p class="text-xs text-gray-500 dark:text-gray-400">{{ t('payment.admin.refundAmount') }}</p><p class="text-sm font-medium text-red-600 dark:text-red-400">{{ selectedOrder.order_type === 'balance' ? '$' : '¥' }}{{ selectedOrder.refund_amount.toFixed(2) }}</p></div>
           <div v-if="selectedOrder.refund_reason" class="col-span-2"><p class="text-xs text-gray-500 dark:text-gray-400">{{ t('payment.admin.refundReason') }}</p><p class="text-sm text-gray-700 dark:text-gray-300">{{ selectedOrder.refund_reason }}</p></div>
           <!-- Refund request info -->
           <div v-if="selectedOrder.refund_requested_at" class="col-span-2 border-t border-gray-200 pt-3 dark:border-dark-600">
diff --git a/frontend/src/views/user/PaymentResultView.vue b/frontend/src/views/user/PaymentResultView.vue
index bc16918c..015c45ff 100644
--- a/frontend/src/views/user/PaymentResultView.vue
+++ b/frontend/src/views/user/PaymentResultView.vue
@@ -38,6 +38,10 @@
             </div>
             <div class="flex justify-between">
               <span class="text-gray-500 dark:text-gray-400">{{ t('payment.orders.amount') }}</span>
+              <span class="font-medium text-gray-900 dark:text-white">{{ order.order_type === 'balance' ? '$' : '¥' }}{{ order.amount.toFixed(2) }}</span>
+            </div>
+            <div class="flex justify-between">
+              <span class="text-gray-500 dark:text-gray-400">{{ t('payment.orders.payAmount') }}</span>
               <span class="font-medium text-gray-900 dark:text-white">&#165;{{ order.pay_amount.toFixed(2) }}</span>
             </div>
             <div class="flex justify-between">
@@ -58,7 +62,7 @@
               <span class="font-medium text-gray-900 dark:text-white">{{ returnInfo.outTradeNo }}</span>
             </div>
             <div v-if="returnInfo.money" class="flex justify-between">
-              <span class="text-gray-500 dark:text-gray-400">{{ t('payment.orders.amount') }}</span>
+              <span class="text-gray-500 dark:text-gray-400">{{ t('payment.orders.payAmount') }}</span>
               <span class="font-medium text-gray-900 dark:text-white">&#165;{{ returnInfo.money }}</span>
             </div>
             <div v-if="returnInfo.type" class="flex justify-between">
diff --git a/frontend/src/views/user/PaymentView.vue b/frontend/src/views/user/PaymentView.vue
index acb0a824..5dcaa069 100644
--- a/frontend/src/views/user/PaymentView.vue
+++ b/frontend/src/views/user/PaymentView.vue
@@ -28,7 +28,9 @@
         <template v-else-if="paymentPhase === 'stripe'">
           <StripePaymentInline
             :order-id="paymentState.orderId"
+            :amount="paymentState.amount"
             :client-secret="paymentState.clientSecret"
+            :order-type="paymentState.orderType || undefined"
             :publishable-key="checkout.stripe_publishable_key"
             :pay-amount="paymentState.payAmount"
             @success="onPaymentSuccess"
@@ -67,13 +69,17 @@
                 @select="selectedMethod = $event"
               />
             </div>
-            <div v-if="feeRate > 0 && validAmount > 0" class="card p-6">
+            <div v-if="validAmount > 0" class="card p-6">
               <div class="space-y-2 text-sm">
                 <div class="flex justify-between">
-                  <span class="text-gray-500 dark:text-gray-400">{{ t('payment.amountLabel') }}</span>
+                  <span class="text-gray-500 dark:text-gray-400">{{ t('payment.paymentAmount') }}</span>
                   <span class="text-gray-900 dark:text-white">¥{{ validAmount.toFixed(2) }}</span>
                 </div>
                 <div class="flex justify-between">
+                  <span class="text-gray-500 dark:text-gray-400">{{ t('payment.creditedBalance') }}</span>
+                  <span class="text-gray-900 dark:text-white">${{ creditedAmount.toFixed(2) }}</span>
+                </div>
+                <div v-if="feeRate > 0" class="flex justify-between">
                   <span class="text-gray-500 dark:text-gray-400">{{ t('payment.fee') }} ({{ feeRate }}%)</span>
                   <span class="text-gray-900 dark:text-white">¥{{ feeAmount.toFixed(2) }}</span>
                 </div>
@@ -81,6 +87,9 @@
                   <span class="font-medium text-gray-700 dark:text-gray-300">{{ t('payment.actualPay') }}</span>
                   <span class="text-lg font-bold text-primary-600 dark:text-primary-400">¥{{ totalAmount.toFixed(2) }}</span>
                 </div>
+                <p class="border-t border-gray-200 pt-2 text-xs text-gray-500 dark:border-dark-600 dark:text-gray-400">
+                  {{ t('payment.rechargeRatePreview', { usd: balanceRechargeMultiplier.toFixed(2) }) }}
+                </p>
               </div>
             </div>
             <button :class="['btn w-full py-3 text-base font-medium', paymentButtonClass]" :disabled="!canSubmit || submitting" @click="handleSubmitRecharge">
@@ -88,7 +97,7 @@
                 <span class="h-4 w-4 animate-spin rounded-full border-2 border-white border-t-transparent"></span>
                 {{ t('common.processing') }}
               </span>
-              <span v-else>{{ t('payment.createOrder') }} ¥{{ (feeRate > 0 && validAmount > 0 ? totalAmount : validAmount).toFixed(2) }}</span>
+              <span v-else>{{ t('payment.createOrder') }} ¥{{ totalAmount.toFixed(2) }}</span>
             </button>
             <div v-if="errorMessage" class="rounded-xl border border-red-200 bg-red-50 p-4 dark:border-red-800/50 dark:bg-red-900/20">
               <p class="text-sm text-red-700 dark:text-red-400">{{ errorMessage }}</p>
@@ -264,7 +273,7 @@ import { useAppStore } from '@/stores'
 import { paymentAPI } from '@/api/payment'
 import { extractApiErrorMessage } from '@/utils/apiError'
 import { isMobileDevice } from '@/utils/device'
-import type { SubscriptionPlan, CheckoutInfoResponse } from '@/types/payment'
+import type { SubscriptionPlan, CheckoutInfoResponse, OrderType } from '@/types/payment'
 import AppLayout from '@/components/layout/AppLayout.vue'
 import AmountInput from '@/components/payment/AmountInput.vue'
 import PaymentMethodSelector from '@/components/payment/PaymentMethodSelector.vue'
@@ -302,11 +311,21 @@ const previewImage = ref('')
 
 // Payment phase: 'select' → 'paying' (QR/redirect) or 'stripe' (inline Stripe)
 const paymentPhase = ref<'select' | 'paying' | 'stripe'>('select')
-const paymentState = ref({ orderId: 0, qrCode: '', expiresAt: '', paymentType: '', payUrl: '', clientSecret: '', payAmount: 0, orderType: '' })
+const paymentState = ref<{
+  orderId: number
+  amount: number
+  qrCode: string
+  expiresAt: string
+  paymentType: string
+  payUrl: string
+  clientSecret: string
+  payAmount: number
+  orderType: OrderType | ''
+}>({ orderId: 0, amount: 0, qrCode: '', expiresAt: '', paymentType: '', payUrl: '', clientSecret: '', payAmount: 0, orderType: '' })
 
 function resetPayment() {
   paymentPhase.value = 'select'
-  paymentState.value = { orderId: 0, qrCode: '', expiresAt: '', paymentType: '', payUrl: '', clientSecret: '', payAmount: 0, orderType: '' }
+  paymentState.value = { orderId: 0, amount: 0, qrCode: '', expiresAt: '', paymentType: '', payUrl: '', clientSecret: '', payAmount: 0, orderType: '' }
 }
 
 function onPaymentDone() {
@@ -342,7 +361,7 @@ function onStripeRedirect(orderId: number, payUrl: string) {
 // All checkout data from single API call
 const checkout = ref<CheckoutInfoResponse>({
   methods: {}, global_min: 0, global_max: 0,
-  plans: [], balance_disabled: false, help_text: '', help_image_url: '', stripe_publishable_key: '',
+  plans: [], balance_disabled: false, balance_recharge_multiplier: 1, help_text: '', help_image_url: '', stripe_publishable_key: '',
 })
 
 const tabs = computed(() => {
@@ -354,6 +373,11 @@ const tabs = computed(() => {
 
 const enabledMethods = computed(() => Object.keys(checkout.value.methods))
 const validAmount = computed(() => amount.value ?? 0)
+const balanceRechargeMultiplier = computed(() => {
+  const multiplier = checkout.value.balance_recharge_multiplier
+  return multiplier > 0 ? multiplier : 1
+})
+const creditedAmount = computed(() => Math.round((validAmount.value * balanceRechargeMultiplier.value) * 100) / 100)
 
 // Adaptive grid: center single card, 2-col for 2 plans, 3-col for 3+
 const planGridClass = computed(() => {
@@ -518,7 +542,7 @@ async function confirmSubscribe() {
   await createOrder(selectedPlan.value.price, 'subscription', selectedPlan.value.id)
 }
 
-async function createOrder(orderAmount: number, orderType: string, planId?: number) {
+async function createOrder(orderAmount: number, orderType: OrderType, planId?: number) {
   submitting.value = true
   errorMessage.value = ''
   try {
@@ -537,7 +561,7 @@ async function createOrder(orderAmount: number, orderType: string, planId?: numb
     if (result.client_secret) {
       // Stripe: show Payment Element inline (user picks method → confirms → redirect if needed)
       paymentState.value = {
-        orderId: result.order_id, qrCode: '', expiresAt: result.expires_at || '',
+        orderId: result.order_id, amount: result.amount, qrCode: '', expiresAt: result.expires_at || '',
         paymentType: selectedMethod.value, payUrl: '',
         clientSecret: result.client_secret, payAmount: result.pay_amount,
         orderType,
@@ -546,7 +570,7 @@ async function createOrder(orderAmount: number, orderType: string, planId?: numb
     } else if (isMobileDevice() && result.pay_url) {
       // Mobile + pay_url: redirect directly instead of QR/popup (mobile browsers block popups)
       paymentState.value = {
-        orderId: result.order_id, qrCode: '', expiresAt: result.expires_at || '',
+        orderId: result.order_id, amount: result.amount, qrCode: '', expiresAt: result.expires_at || '',
         paymentType: selectedMethod.value, payUrl: result.pay_url,
         clientSecret: '', payAmount: 0,
         orderType,
@@ -557,7 +581,7 @@ async function createOrder(orderAmount: number, orderType: string, planId?: numb
     } else if (result.qr_code) {
       // QR mode: show QR code inline
       paymentState.value = {
-        orderId: result.order_id, qrCode: result.qr_code,
+        orderId: result.order_id, amount: result.amount, qrCode: result.qr_code,
         expiresAt: result.expires_at || '', paymentType: selectedMethod.value, payUrl: '',
         clientSecret: '', payAmount: 0,
         orderType,
@@ -567,7 +591,7 @@ async function createOrder(orderAmount: number, orderType: string, planId?: numb
       // Redirect/popup mode: open payment URL, show waiting state inline
       openWindow(result.pay_url)
       paymentState.value = {
-        orderId: result.order_id, qrCode: '', expiresAt: result.expires_at || '',
+        orderId: result.order_id, amount: result.amount, qrCode: '', expiresAt: result.expires_at || '',
         paymentType: selectedMethod.value, payUrl: result.pay_url,
         clientSecret: '', payAmount: 0,
         orderType,

From 98140f6cac5b40c80e8fca22df4a6e52eaf30dc4 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Wed, 15 Apr 2026 00:41:33 +0800
Subject: [PATCH 102/122] feat(payment): add recharge fee rate setting and fix
 provider card UI
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Add recharge_fee_rate system setting (percentage fee on top of recharge amount)
- Full backend chain: config constant, PaymentConfig struct, update validation,
  read/write persistence, DTO, handler GET/PUT responses
- Frontend: settings input with preview, i18n (zh/en), API types
- Fix provider card toggle layout: labels above switches to save width
- Fix Chinese translation: "EasyPay" → "易支付" in provider description
---
 .../internal/handler/admin/setting_handler.go |  6 +++++-
 backend/internal/handler/dto/settings.go      |  1 +
 backend/internal/handler/payment_handler.go   |  2 ++
 .../service/payment_config_service.go         | 19 ++++++++++++++++++-
 frontend/src/api/admin/settings.ts            |  2 ++
 .../src/components/payment/ToggleSwitch.vue   |  4 ++--
 frontend/src/i18n/locales/en.ts               |  3 +++
 frontend/src/i18n/locales/zh.ts               |  5 ++++-
 frontend/src/views/admin/SettingsView.vue     |  9 ++++++++-
 9 files changed, 45 insertions(+), 6 deletions(-)

diff --git a/backend/internal/handler/admin/setting_handler.go b/backend/internal/handler/admin/setting_handler.go
index d0134953..b2e400b3 100644
--- a/backend/internal/handler/admin/setting_handler.go
+++ b/backend/internal/handler/admin/setting_handler.go
@@ -189,6 +189,7 @@ func (h *SettingHandler) GetSettings(c *gin.Context) {
 		PaymentEnabledTypes:                  paymentCfg.EnabledTypes,
 		PaymentBalanceDisabled:               paymentCfg.BalanceDisabled,
 		PaymentBalanceRechargeMultiplier:     paymentCfg.BalanceRechargeMultiplier,
+		PaymentRechargeFeeRate:              paymentCfg.RechargeFeeRate,
 		PaymentLoadBalanceStrat:              paymentCfg.LoadBalanceStrategy,
 		PaymentProductNamePrefix:             paymentCfg.ProductNamePrefix,
 		PaymentProductNameSuffix:             paymentCfg.ProductNameSuffix,
@@ -327,6 +328,7 @@ type UpdateSettingsRequest struct {
 	PaymentEnabledTypes              []string `json:"payment_enabled_types"`
 	PaymentBalanceDisabled           *bool    `json:"payment_balance_disabled"`
 	PaymentBalanceRechargeMultiplier *float64 `json:"payment_balance_recharge_multiplier"`
+	PaymentRechargeFeeRate              *float64 `json:"payment_recharge_fee_rate"`
 	PaymentLoadBalanceStrat          *string  `json:"payment_load_balance_strategy"`
 	PaymentProductNamePrefix *string  `json:"payment_product_name_prefix"`
 	PaymentProductNameSuffix *string  `json:"payment_product_name_suffix"`
@@ -945,6 +947,7 @@ func (h *SettingHandler) UpdateSettings(c *gin.Context) {
 			EnabledTypes:              req.PaymentEnabledTypes,
 			BalanceDisabled:           req.PaymentBalanceDisabled,
 			BalanceRechargeMultiplier: req.PaymentBalanceRechargeMultiplier,
+			RechargeFeeRate:          req.PaymentRechargeFeeRate,
 			LoadBalanceStrategy:       req.PaymentLoadBalanceStrat,
 			ProductNamePrefix:         req.PaymentProductNamePrefix,
 			ProductNameSuffix:         req.PaymentProductNameSuffix,
@@ -1086,6 +1089,7 @@ func (h *SettingHandler) UpdateSettings(c *gin.Context) {
 		PaymentEnabledTypes:                  updatedPaymentCfg.EnabledTypes,
 		PaymentBalanceDisabled:               updatedPaymentCfg.BalanceDisabled,
 		PaymentBalanceRechargeMultiplier:     updatedPaymentCfg.BalanceRechargeMultiplier,
+		PaymentRechargeFeeRate:              updatedPaymentCfg.RechargeFeeRate,
 		PaymentLoadBalanceStrat:              updatedPaymentCfg.LoadBalanceStrategy,
 		PaymentProductNamePrefix:             updatedPaymentCfg.ProductNamePrefix,
 		PaymentProductNameSuffix:             updatedPaymentCfg.ProductNameSuffix,
@@ -1105,7 +1109,7 @@ func hasPaymentFields(req UpdateSettingsRequest) bool {
 		req.PaymentMaxAmount != nil || req.PaymentDailyLimit != nil ||
 		req.PaymentOrderTimeoutMin != nil || req.PaymentMaxPendingOrders != nil ||
 		req.PaymentEnabledTypes != nil || req.PaymentBalanceDisabled != nil ||
-		req.PaymentBalanceRechargeMultiplier != nil ||
+		req.PaymentBalanceRechargeMultiplier != nil || req.PaymentRechargeFeeRate != nil ||
 		req.PaymentLoadBalanceStrat != nil || req.PaymentProductNamePrefix != nil ||
 		req.PaymentProductNameSuffix != nil || req.PaymentHelpImageURL != nil ||
 		req.PaymentHelpText != nil || req.PaymentCancelRateLimitEnabled != nil ||
diff --git a/backend/internal/handler/dto/settings.go b/backend/internal/handler/dto/settings.go
index 2f97b3e0..c41eb7f6 100644
--- a/backend/internal/handler/dto/settings.go
+++ b/backend/internal/handler/dto/settings.go
@@ -137,6 +137,7 @@ type SystemSettings struct {
 	PaymentEnabledTypes              []string `json:"payment_enabled_types"`
 	PaymentBalanceDisabled           bool     `json:"payment_balance_disabled"`
 	PaymentBalanceRechargeMultiplier float64  `json:"payment_balance_recharge_multiplier"`
+	PaymentRechargeFeeRate              float64  `json:"payment_recharge_fee_rate"`
 	PaymentLoadBalanceStrat          string   `json:"payment_load_balance_strategy"`
 	PaymentProductNamePrefix string   `json:"payment_product_name_prefix"`
 	PaymentProductNameSuffix string   `json:"payment_product_name_suffix"`
diff --git a/backend/internal/handler/payment_handler.go b/backend/internal/handler/payment_handler.go
index 973ba4a5..1ddb8ae2 100644
--- a/backend/internal/handler/payment_handler.go
+++ b/backend/internal/handler/payment_handler.go
@@ -132,6 +132,7 @@ func (h *PaymentHandler) GetCheckoutInfo(c *gin.Context) {
 		Plans:                     planList,
 		BalanceDisabled:           cfg.BalanceDisabled,
 		BalanceRechargeMultiplier: cfg.BalanceRechargeMultiplier,
+		RechargeFeeRate:           cfg.RechargeFeeRate,
 		HelpText:                  cfg.HelpText,
 		HelpImageURL:              cfg.HelpImageURL,
 		StripePublishableKey:      cfg.StripePublishableKey,
@@ -145,6 +146,7 @@ type checkoutInfoResponse struct {
 	Plans                     []checkoutPlan                  `json:"plans"`
 	BalanceDisabled           bool                            `json:"balance_disabled"`
 	BalanceRechargeMultiplier float64                         `json:"balance_recharge_multiplier"`
+	RechargeFeeRate           float64                         `json:"recharge_fee_rate"`
 	HelpText                  string                          `json:"help_text"`
 	HelpImageURL              string                          `json:"help_image_url"`
 	StripePublishableKey      string                          `json:"stripe_publishable_key"`
diff --git a/backend/internal/service/payment_config_service.go b/backend/internal/service/payment_config_service.go
index 409625ed..2f040292 100644
--- a/backend/internal/service/payment_config_service.go
+++ b/backend/internal/service/payment_config_service.go
@@ -24,6 +24,7 @@ const (
 	SettingLoadBalanceStrategy = "LOAD_BALANCE_STRATEGY"
 	SettingBalancePayDisabled  = "BALANCE_PAYMENT_DISABLED"
 	SettingBalanceRechargeMult = "BALANCE_RECHARGE_MULTIPLIER"
+	SettingRechargeFeeRate    = "RECHARGE_FEE_RATE"
 	SettingProductNamePrefix   = "PRODUCT_NAME_PREFIX"
 	SettingProductNameSuffix   = "PRODUCT_NAME_SUFFIX"
 	SettingHelpImageURL        = "PAYMENT_HELP_IMAGE_URL"
@@ -52,6 +53,7 @@ type PaymentConfig struct {
 	EnabledTypes              []string `json:"enabled_payment_types"`
 	BalanceDisabled           bool     `json:"balance_disabled"`
 	BalanceRechargeMultiplier float64  `json:"balance_recharge_multiplier"`
+	RechargeFeeRate          float64  `json:"recharge_fee_rate"`
 	LoadBalanceStrategy       string   `json:"load_balance_strategy"`
 	ProductNamePrefix    string   `json:"product_name_prefix"`
 	ProductNameSuffix    string   `json:"product_name_suffix"`
@@ -78,6 +80,7 @@ type UpdatePaymentConfigRequest struct {
 	EnabledTypes              []string `json:"enabled_payment_types"`
 	BalanceDisabled           *bool    `json:"balance_disabled"`
 	BalanceRechargeMultiplier *float64 `json:"balance_recharge_multiplier"`
+	RechargeFeeRate          *float64 `json:"recharge_fee_rate"`
 	LoadBalanceStrategy       *string  `json:"load_balance_strategy"`
 	ProductNamePrefix   *string  `json:"product_name_prefix"`
 	ProductNameSuffix   *string  `json:"product_name_suffix"`
@@ -188,7 +191,7 @@ func (s *PaymentConfigService) GetPaymentConfig(ctx context.Context) (*PaymentCo
 	keys := []string{
 		SettingPaymentEnabled, SettingMinRechargeAmount, SettingMaxRechargeAmount,
 		SettingDailyRechargeLimit, SettingOrderTimeoutMinutes, SettingMaxPendingOrders,
-		SettingEnabledPaymentTypes, SettingBalancePayDisabled, SettingBalanceRechargeMult, SettingLoadBalanceStrategy,
+		SettingEnabledPaymentTypes, SettingBalancePayDisabled, SettingBalanceRechargeMult, SettingRechargeFeeRate, SettingLoadBalanceStrategy,
 		SettingProductNamePrefix, SettingProductNameSuffix,
 		SettingHelpImageURL, SettingHelpText,
 		SettingCancelRateLimitOn, SettingCancelRateLimitMax,
@@ -214,6 +217,7 @@ func (s *PaymentConfigService) parsePaymentConfig(vals map[string]string) *Payme
 		MaxPendingOrders:    pcParseInt(vals[SettingMaxPendingOrders], defaultMaxPendingOrders),
 		BalanceDisabled:           vals[SettingBalancePayDisabled] == "true",
 		BalanceRechargeMultiplier: normalizeBalanceRechargeMultiplier(pcParseFloat(vals[SettingBalanceRechargeMult], defaultBalanceRechargeMultiplier)),
+		RechargeFeeRate:          pcParseFloat(vals[SettingRechargeFeeRate], 0),
 		LoadBalanceStrategy:       vals[SettingLoadBalanceStrategy],
 		ProductNamePrefix:   vals[SettingProductNamePrefix],
 		ProductNameSuffix:   vals[SettingProductNameSuffix],
@@ -267,6 +271,11 @@ func (s *PaymentConfigService) UpdatePaymentConfig(ctx context.Context, req Upda
 			return infraerrors.BadRequest("INVALID_BALANCE_RECHARGE_MULTIPLIER", "balance recharge multiplier must be greater than 0")
 		}
 	}
+	if req.RechargeFeeRate != nil {
+		if math.IsNaN(*req.RechargeFeeRate) || math.IsInf(*req.RechargeFeeRate, 0) || *req.RechargeFeeRate < 0 {
+			return infraerrors.BadRequest("INVALID_RECHARGE_FEE_RATE", "recharge fee rate must be >= 0")
+		}
+	}
 	m := map[string]string{
 		SettingPaymentEnabled:      formatBoolOrEmpty(req.Enabled),
 		SettingMinRechargeAmount:   formatPositiveFloat(req.MinAmount),
@@ -276,6 +285,7 @@ func (s *PaymentConfigService) UpdatePaymentConfig(ctx context.Context, req Upda
 		SettingMaxPendingOrders:    formatPositiveInt(req.MaxPendingOrders),
 		SettingBalancePayDisabled:  formatBoolOrEmpty(req.BalanceDisabled),
 		SettingBalanceRechargeMult: formatPositiveFloat(req.BalanceRechargeMultiplier),
+		SettingRechargeFeeRate:    formatNonNegativeFloat(req.RechargeFeeRate),
 		SettingLoadBalanceStrategy: derefStr(req.LoadBalanceStrategy),
 		SettingProductNamePrefix:   derefStr(req.ProductNamePrefix),
 		SettingProductNameSuffix:   derefStr(req.ProductNameSuffix),
@@ -309,6 +319,13 @@ func formatPositiveFloat(v *float64) string {
 	return strconv.FormatFloat(*v, 'f', 2, 64)
 }
 
+func formatNonNegativeFloat(v *float64) string {
+	if v == nil || *v < 0 {
+		return ""
+	}
+	return strconv.FormatFloat(*v, 'f', 2, 64)
+}
+
 func formatPositiveInt(v *int) string {
 	if v == nil || *v <= 0 {
 		return ""
diff --git a/frontend/src/api/admin/settings.ts b/frontend/src/api/admin/settings.ts
index c0cf16ee..1e4a3053 100644
--- a/frontend/src/api/admin/settings.ts
+++ b/frontend/src/api/admin/settings.ts
@@ -126,6 +126,7 @@ export interface SystemSettings {
   payment_enabled_types: string[]
   payment_balance_disabled: boolean
   payment_balance_recharge_multiplier: number
+  payment_recharge_fee_rate: number
   payment_load_balance_strategy: string
   payment_product_name_prefix: string
   payment_product_name_suffix: string
@@ -233,6 +234,7 @@ export interface UpdateSettingsRequest {
   payment_enabled_types?: string[]
   payment_balance_disabled?: boolean
   payment_balance_recharge_multiplier?: number
+  payment_recharge_fee_rate?: number
   payment_load_balance_strategy?: string
   payment_product_name_prefix?: string
   payment_product_name_suffix?: string
diff --git a/frontend/src/components/payment/ToggleSwitch.vue b/frontend/src/components/payment/ToggleSwitch.vue
index e4f77514..c74a86cd 100644
--- a/frontend/src/components/payment/ToggleSwitch.vue
+++ b/frontend/src/components/payment/ToggleSwitch.vue
@@ -1,6 +1,6 @@
 <template>
-  <label class="flex items-center gap-1.5 cursor-pointer">
-    <span class="text-xs text-gray-500 dark:text-gray-400">{{ label }}</span>
+  <label class="flex flex-col items-center gap-0.5 cursor-pointer">
+    <span class="text-xs text-gray-500 dark:text-gray-400 whitespace-nowrap">{{ label }}</span>
     <button
       type="button"
       role="switch"
diff --git a/frontend/src/i18n/locales/en.ts b/frontend/src/i18n/locales/en.ts
index f6aa26e6..a5b9f54b 100644
--- a/frontend/src/i18n/locales/en.ts
+++ b/frontend/src/i18n/locales/en.ts
@@ -4569,6 +4569,9 @@ export default {
         balanceRechargeMultiplier: 'Balance Recharge Multiplier',
         balanceRechargeMultiplierHint: 'How many USD balance the user receives for each 1 CNY paid',
         balanceRechargePreview: 'Preview: 1 CNY = {usd} USD',
+        rechargeFeeRate: 'Recharge Fee Rate',
+        rechargeFeeRateHint: 'Percentage of service fee charged on top of recharge amount, 0 means no fee',
+        rechargeFeePreview: 'Preview: Recharge 100, fee {fee}',
         orderTimeout: 'Order Timeout',
         orderTimeoutHint: 'In minutes, minimum 1',
         maxPendingOrders: 'Max Pending Orders',
diff --git a/frontend/src/i18n/locales/zh.ts b/frontend/src/i18n/locales/zh.ts
index b994cb67..7983d103 100644
--- a/frontend/src/i18n/locales/zh.ts
+++ b/frontend/src/i18n/locales/zh.ts
@@ -4726,13 +4726,16 @@ export default {
         enabledHint: '启用或禁用支付系统',
         enabledPaymentTypes: '启用的服务商',
         enabledPaymentTypesHint: '禁用服务商将同时禁用对应的实例。',
-        findProvider: '正在寻找合适的 EasyPay 服务商？',
+        findProvider: '正在寻找合适的易支付服务商？',
         minAmount: '最低金额',
         maxAmount: '最高金额',
         dailyLimit: '每日限额',
         balanceRechargeMultiplier: '余额充值倍率',
         balanceRechargeMultiplierHint: '用户每支付 1 CNY 可获得多少 USD 余额',
         balanceRechargePreview: '预览：1 CNY = {usd} USD',
+        rechargeFeeRate: '充值手续费率',
+        rechargeFeeRateHint: '用户充值时额外收取的手续费百分比，0 表示不收取手续费',
+        rechargeFeePreview: '预览：充值 100 元，手续费 {fee} 元',
         orderTimeout: '订单超时时间',
         orderTimeoutHint: '单位：分钟，至少 1 分钟',
         maxPendingOrders: '最大待支付订单数',
diff --git a/frontend/src/views/admin/SettingsView.vue b/frontend/src/views/admin/SettingsView.vue
index e2411fdc..cbd4d284 100644
--- a/frontend/src/views/admin/SettingsView.vue
+++ b/frontend/src/views/admin/SettingsView.vue
@@ -2381,6 +2381,12 @@
                   <p class="mt-0.5 text-xs text-gray-400">{{ t('admin.settings.payment.balanceRechargeMultiplierHint') }}</p>
                   <p class="mt-1 text-xs font-medium text-primary-600 dark:text-primary-400">{{ t('admin.settings.payment.balanceRechargePreview', { usd: (Number(form.payment_balance_recharge_multiplier) || 1).toFixed(2) }) }}</p>
                 </div>
+                <div>
+                  <label class="input-label">{{ t('admin.settings.payment.rechargeFeeRate') }}</label>
+                  <input :value="form.payment_recharge_fee_rate || ''" @input="form.payment_recharge_fee_rate = parseFloat(($event.target as HTMLInputElement).value) || 0" type="number" step="0.01" min="0" class="input" />
+                  <p class="mt-0.5 text-xs text-gray-400">{{ t('admin.settings.payment.rechargeFeeRateHint') }}</p>
+                  <p v-if="(Number(form.payment_recharge_fee_rate) || 0) > 0" class="mt-1 text-xs font-medium text-primary-600 dark:text-primary-400">{{ t('admin.settings.payment.rechargeFeePreview', { fee: (Number(form.payment_recharge_fee_rate) || 0).toFixed(2) }) }}</p>
+                </div>
                 <div><label class="input-label">{{ t('admin.settings.payment.orderTimeout') }} <span class="text-red-500">*</span></label><input v-model.number="form.payment_order_timeout_minutes" type="number" min="1" class="input" required /><p class="mt-0.5 text-xs text-gray-400">{{ t('admin.settings.payment.orderTimeoutHint') }}</p></div>
               </div>
               <!-- Row 3: Pending orders + load balance + cancel rate limit (all in one row) -->
@@ -2974,7 +2980,7 @@ const form = reactive<SettingsForm>({
   home_content: '',
   backend_mode_enabled: false,
   hide_ccs_import_button: false,
-  payment_enabled: false,  payment_min_amount: 1,  payment_max_amount: 10000,  payment_daily_limit: 50000,  payment_max_pending_orders: 3,  payment_order_timeout_minutes: 30,  payment_balance_disabled: false,  payment_balance_recharge_multiplier: 1,  payment_enabled_types: [],  payment_help_image_url: '',  payment_help_text: '',  payment_product_name_prefix: '',  payment_product_name_suffix: '',  payment_load_balance_strategy: 'round-robin',  payment_cancel_rate_limit_enabled: false,  payment_cancel_rate_limit_max: 10,  payment_cancel_rate_limit_window: 1,  payment_cancel_rate_limit_unit: 'day',  payment_cancel_rate_limit_window_mode: 'rolling',
+  payment_enabled: false,  payment_min_amount: 1,  payment_max_amount: 10000,  payment_daily_limit: 50000,  payment_max_pending_orders: 3,  payment_order_timeout_minutes: 30,  payment_balance_disabled: false,  payment_balance_recharge_multiplier: 1,  payment_recharge_fee_rate: 0,  payment_enabled_types: [],  payment_help_image_url: '',  payment_help_text: '',  payment_product_name_prefix: '',  payment_product_name_suffix: '',  payment_load_balance_strategy: 'round-robin',  payment_cancel_rate_limit_enabled: false,  payment_cancel_rate_limit_max: 10,  payment_cancel_rate_limit_window: 1,  payment_cancel_rate_limit_unit: 'day',  payment_cancel_rate_limit_window_mode: 'rolling',
   table_default_page_size: tablePageSizeDefault,
   table_page_size_options: [10, 20, 50, 100],
   custom_menu_items: [] as Array<{id: string; label: string; icon_svg: string; url: string; visibility: 'user' | 'admin'; sort_order: number}>,
@@ -3634,6 +3640,7 @@ async function saveSettings() {
       payment_order_timeout_minutes: Number(form.payment_order_timeout_minutes) || 0,
       payment_balance_disabled: form.payment_balance_disabled,
       payment_balance_recharge_multiplier: Number(form.payment_balance_recharge_multiplier) || 1,
+      payment_recharge_fee_rate: Number(form.payment_recharge_fee_rate) || 0,
       payment_enabled_types: form.payment_enabled_types,
       payment_load_balance_strategy: form.payment_load_balance_strategy,
       payment_product_name_prefix: form.payment_product_name_prefix,

From e761d38fd1655712aa81ab507af9d8cb67debcba Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Wed, 15 Apr 2026 01:04:01 +0800
Subject: [PATCH 103/122] fix(payment): integrate recharge fee rate in order
 flow and fix UI display
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Backend:
- Use cfg.RechargeFeeRate in order creation instead of hardcoded 0
- Remove dead getFeeRate stub method
- All amounts computed server-side: order_amount, pay_amount, fee_rate

Frontend - PaymentView:
- Read recharge_fee_rate from checkout-info API (not per-method)
- Show fee breakdown only when fee_rate > 0
- Show credited amount only when multiplier ≠ 1

Frontend - Order display (user + admin):
- Fix fee_rate * 100 bug (fee_rate is already a percentage)
- OrderTable: show pay_amount as primary, fee/credited as sub-lines
- AdminOrderDetail: full breakdown (base/fee/paid/credited)
- AdminRefundDialog: label "到账金额" for clarity
- PaymentResultView: show pay_amount with fee info

Types + i18n:
- Add recharge_fee_rate to CheckoutInfoResponse
- Add fee_rate to CreateOrderResult
- Add translations: creditedAmount, fee, baseAmount, includedInPayAmount
---
 backend/internal/service/payment_order.go     |  2 +-
 backend/internal/service/payment_service.go   |  1 -
 .../admin/payment/AdminOrderDetail.vue        | 32 +++++++++++++++----
 .../admin/payment/AdminOrderTable.vue         | 13 +++++---
 .../admin/payment/AdminRefundDialog.vue       |  2 +-
 .../src/components/payment/OrderTable.vue     | 13 +++++---
 frontend/src/i18n/locales/en.ts               |  4 +++
 frontend/src/i18n/locales/zh.ts               |  4 +++
 frontend/src/types/payment.ts                 |  2 ++
 .../views/admin/orders/AdminOrdersView.vue    |  2 +-
 frontend/src/views/user/PaymentResultView.vue | 12 ++++---
 frontend/src/views/user/PaymentView.vue       | 16 +++++-----
 12 files changed, 71 insertions(+), 32 deletions(-)

diff --git a/backend/internal/service/payment_order.go b/backend/internal/service/payment_order.go
index 1d5562dd..a38173fd 100644
--- a/backend/internal/service/payment_order.go
+++ b/backend/internal/service/payment_order.go
@@ -51,7 +51,7 @@ func (s *PaymentService) CreateOrder(ctx context.Context, req CreateOrderRequest
 	} else if req.OrderType == payment.OrderTypeBalance {
 		orderAmount = calculateCreditedBalance(req.Amount, cfg.BalanceRechargeMultiplier)
 	}
-	feeRate := s.getFeeRate(req.PaymentType)
+	feeRate := cfg.RechargeFeeRate
 	payAmountStr := payment.CalculatePayAmount(limitAmount, feeRate)
 	payAmount, _ := strconv.ParseFloat(payAmountStr, 64)
 	order, err := s.createOrderInTx(ctx, req, user, plan, cfg, orderAmount, limitAmount, feeRate, payAmount)
diff --git a/backend/internal/service/payment_service.go b/backend/internal/service/payment_service.go
index 6d8b185e..f88e4171 100644
--- a/backend/internal/service/payment_service.go
+++ b/backend/internal/service/payment_service.go
@@ -288,7 +288,6 @@ func psComputeValidityDays(days int, unit string) int {
 	}
 }
 
-func (s *PaymentService) getFeeRate(_ string) float64 { return 0 }
 
 func psStartOfDayUTC(t time.Time) time.Time {
 	y, m, d := t.UTC().Date()
diff --git a/frontend/src/components/admin/payment/AdminOrderDetail.vue b/frontend/src/components/admin/payment/AdminOrderDetail.vue
index 5a07c097..9ab1ba95 100644
--- a/frontend/src/components/admin/payment/AdminOrderDetail.vue
+++ b/frontend/src/components/admin/payment/AdminOrderDetail.vue
@@ -18,23 +18,27 @@
           </span>
         </div>
         <div>
-          <p class="text-xs text-gray-500 dark:text-gray-400">{{ t('payment.orders.amount') }}</p>
-          <p class="text-sm font-medium text-gray-900 dark:text-white">{{ order.order_type === 'balance' ? '$' : '¥' }}{{ order.amount.toFixed(2) }}</p>
+          <p class="text-xs text-gray-500 dark:text-gray-400">{{ t('payment.orders.baseAmount') }}</p>
+          <p class="text-sm font-medium text-gray-900 dark:text-white">¥{{ baseAmount.toFixed(2) }}</p>
+        </div>
+        <div v-if="order.fee_rate > 0">
+          <p class="text-xs text-gray-500 dark:text-gray-400">{{ t('payment.orders.fee') }} ({{ order.fee_rate }}%)</p>
+          <p class="text-sm font-medium text-gray-900 dark:text-white">¥{{ feeAmount.toFixed(2) }}</p>
         </div>
         <div>
           <p class="text-xs text-gray-500 dark:text-gray-400">{{ t('payment.orders.payAmount') }}</p>
           <p class="text-sm font-medium text-gray-900 dark:text-white">¥{{ order.pay_amount.toFixed(2) }}</p>
         </div>
+        <div v-if="order.amount !== order.pay_amount">
+          <p class="text-xs text-gray-500 dark:text-gray-400">{{ t('payment.orders.creditedAmount') }}</p>
+          <p class="text-sm font-medium text-gray-900 dark:text-white">{{ order.order_type === 'balance' ? '$' : '¥' }}{{ order.amount.toFixed(2) }}</p>
+        </div>
         <div>
           <p class="text-xs text-gray-500 dark:text-gray-400">{{ t('payment.orders.paymentMethod') }}</p>
           <p class="text-sm text-gray-700 dark:text-gray-300">
             {{ t('payment.methods.' + order.payment_type, order.payment_type) }}
           </p>
         </div>
-        <div>
-          <p class="text-xs text-gray-500 dark:text-gray-400">{{ t('payment.admin.feeRate') }}</p>
-          <p class="text-sm text-gray-700 dark:text-gray-300">{{ (order.fee_rate * 100).toFixed(1) }}%</p>
-        </div>
         <div>
           <p class="text-xs text-gray-500 dark:text-gray-400">{{ t('payment.admin.orderType') }}</p>
           <p class="text-sm text-gray-700 dark:text-gray-300">
@@ -110,6 +114,7 @@
 </template>
 
 <script setup lang="ts">
+import { computed } from 'vue'
 import { useI18n } from 'vue-i18n'
 import BaseDialog from '@/components/common/BaseDialog.vue'
 import type { PaymentOrder } from '@/types/payment'
@@ -117,11 +122,24 @@ import { statusBadgeClass, canRefund as canRefundStatus, formatOrderDateTime } f
 
 const { t } = useI18n()
 
-defineProps<{
+const props = defineProps<{
   show: boolean
   order: PaymentOrder | null
 }>()
 
+/** 充值金额 (base amount before fee) = pay_amount - fee = pay_amount / (1 + fee_rate/100) */
+const baseAmount = computed(() => {
+  if (!props.order) return 0
+  if (props.order.fee_rate <= 0) return props.order.pay_amount
+  return props.order.pay_amount / (1 + props.order.fee_rate / 100)
+})
+
+/** 手续费 = pay_amount - baseAmount */
+const feeAmount = computed(() => {
+  if (!props.order || props.order.fee_rate <= 0) return 0
+  return props.order.pay_amount - baseAmount.value
+})
+
 const emit = defineEmits<{
   (e: 'close'): void
   (e: 'cancel', order: PaymentOrder): void
diff --git a/frontend/src/components/admin/payment/AdminOrderTable.vue b/frontend/src/components/admin/payment/AdminOrderTable.vue
index fa3a57ca..57e475f3 100644
--- a/frontend/src/components/admin/payment/AdminOrderTable.vue
+++ b/frontend/src/components/admin/payment/AdminOrderTable.vue
@@ -51,12 +51,15 @@
         <span class="text-sm text-gray-600 dark:text-gray-400">#{{ value }}</span>
       </template>
 
-      <template #cell-amount="{ value, row }">
+      <template #cell-pay_amount="{ value, row }">
         <div class="text-sm">
-          <span class="font-medium text-gray-900 dark:text-white">{{ row.order_type === 'balance' ? '$' : '¥' }}{{ value.toFixed(2) }}</span>
-          <span v-if="row.pay_amount !== value" class="ml-1 text-xs text-gray-500">
-            ({{ t('payment.orders.payAmount') }}: ¥{{ row.pay_amount.toFixed(2) }})
+          <span class="font-medium text-gray-900 dark:text-white">¥{{ value.toFixed(2) }}</span>
+          <span v-if="row.fee_rate > 0" class="ml-1 text-xs text-gray-400" :title="t('payment.orders.fee') + ': ' + row.fee_rate + '%'">
+            ({{ row.fee_rate }}%)
           </span>
+          <div v-if="row.amount !== row.pay_amount" class="text-xs text-gray-500">
+            {{ t('payment.orders.creditedAmount') }}: {{ row.order_type === 'balance' ? '$' : '¥' }}{{ row.amount.toFixed(2) }}
+          </div>
         </div>
       </template>
 
@@ -183,7 +186,7 @@ function emitFiltersChanged() {
 const columns = computed<Column[]>(() => [
   { key: 'id', label: t('payment.orders.orderId') },
   { key: 'user_id', label: t('payment.orders.userId') },
-  { key: 'amount', label: t('payment.orders.amount') },
+  { key: 'pay_amount', label: t('payment.orders.payAmount') },
   { key: 'payment_type', label: t('payment.orders.paymentMethod') },
   { key: 'status', label: t('payment.orders.status') },
   { key: 'order_type', label: t('payment.orders.orderType') },
diff --git a/frontend/src/components/admin/payment/AdminRefundDialog.vue b/frontend/src/components/admin/payment/AdminRefundDialog.vue
index a569f6c3..c29ec919 100644
--- a/frontend/src/components/admin/payment/AdminRefundDialog.vue
+++ b/frontend/src/components/admin/payment/AdminRefundDialog.vue
@@ -34,7 +34,7 @@
           <span class="font-mono text-gray-900 dark:text-white">#{{ order?.id }}</span>
         </div>
         <div class="mt-1 flex justify-between text-sm">
-          <span class="text-gray-500 dark:text-gray-400">{{ t('payment.orders.amount') }}</span>
+          <span class="text-gray-500 dark:text-gray-400">{{ t('payment.orders.creditedAmount') }}</span>
           <span class="font-medium text-gray-900 dark:text-white">{{ order?.order_type === 'balance' ? '$' : '¥' }}{{ order?.amount?.toFixed(2) }}</span>
         </div>
         <div class="mt-1 flex justify-between text-sm">
diff --git a/frontend/src/components/payment/OrderTable.vue b/frontend/src/components/payment/OrderTable.vue
index f4f0caed..89990165 100644
--- a/frontend/src/components/payment/OrderTable.vue
+++ b/frontend/src/components/payment/OrderTable.vue
@@ -12,10 +12,15 @@
         <span v-if="row.user_notes" class="ml-1 text-xs text-gray-400">({{ row.user_notes }})</span>
       </div>
     </template>
-    <template #cell-amount="{ value, row }">
+    <template #cell-pay_amount="{ value, row }">
       <div class="text-sm">
-        <span class="font-medium text-gray-900 dark:text-white">{{ row.order_type === 'balance' ? '$' : '¥' }}{{ value.toFixed(2) }}</span>
-        <span v-if="row.pay_amount !== value" class="ml-1 text-xs text-gray-500">(¥{{ row.pay_amount.toFixed(2) }})</span>
+        <span class="font-medium text-gray-900 dark:text-white">¥{{ value.toFixed(2) }}</span>
+        <span v-if="row.fee_rate > 0" class="ml-1 text-xs text-gray-400" :title="t('payment.orders.fee') + ': ' + row.fee_rate + '%'">
+          ({{ t('payment.orders.fee') }} {{ row.fee_rate }}%)
+        </span>
+        <div v-if="row.amount !== row.pay_amount" class="text-xs text-gray-500">
+          {{ t('payment.orders.creditedAmount') }}: {{ row.order_type === 'balance' ? '$' : '¥' }}{{ row.amount.toFixed(2) }}
+        </div>
       </div>
     </template>
     <template #cell-payment_type="{ value }">
@@ -60,7 +65,7 @@ const columns = computed((): Column[] => {
     cols.push({ key: 'user_email', label: t('payment.admin.colUser') })
   }
   cols.push(
-    { key: 'amount', label: t('payment.orders.amount') },
+    { key: 'pay_amount', label: t('payment.orders.payAmount') },
     { key: 'payment_type', label: t('payment.orders.paymentMethod') },
     { key: 'status', label: t('payment.orders.status') },
     { key: 'created_at', label: t('payment.orders.createdAt') },
diff --git a/frontend/src/i18n/locales/en.ts b/frontend/src/i18n/locales/en.ts
index a5b9f54b..bcae4d53 100644
--- a/frontend/src/i18n/locales/en.ts
+++ b/frontend/src/i18n/locales/en.ts
@@ -5387,6 +5387,10 @@ export default {
       orderNo: 'Order No.',
       amount: 'Amount',
       payAmount: 'Paid',
+      creditedAmount: 'Credited Amount',
+      fee: 'Fee',
+      baseAmount: 'Base Amount',
+      includedInPayAmount: 'included in paid amount',
       status: 'Status',
       paymentMethod: 'Payment Method',
       createdAt: 'Created',
diff --git a/frontend/src/i18n/locales/zh.ts b/frontend/src/i18n/locales/zh.ts
index 7983d103..9d163ef2 100644
--- a/frontend/src/i18n/locales/zh.ts
+++ b/frontend/src/i18n/locales/zh.ts
@@ -5575,6 +5575,10 @@ export default {
       orderNo: '订单编号',
       amount: '金额',
       payAmount: '实付',
+      creditedAmount: '到账金额',
+      fee: '手续费',
+      baseAmount: '充值金额',
+      includedInPayAmount: '已含在实付金额中',
       status: '状态',
       paymentMethod: '支付方式',
       createdAt: '创建时间',
diff --git a/frontend/src/types/payment.ts b/frontend/src/types/payment.ts
index 1ad4f2ff..7ecbb9a9 100644
--- a/frontend/src/types/payment.ts
+++ b/frontend/src/types/payment.ts
@@ -64,6 +64,7 @@ export interface CheckoutInfoResponse {
   plans: SubscriptionPlan[]
   balance_disabled: boolean
   balance_recharge_multiplier: number
+  recharge_fee_rate: number
   help_text: string
   help_image_url: string
   stripe_publishable_key: string
@@ -162,6 +163,7 @@ export interface CreateOrderResult {
   qr_code?: string
   client_secret?: string
   pay_amount: number
+  fee_rate: number
   expires_at: string
   payment_mode?: string
 }
diff --git a/frontend/src/views/admin/orders/AdminOrdersView.vue b/frontend/src/views/admin/orders/AdminOrdersView.vue
index efe41905..027c8e5e 100644
--- a/frontend/src/views/admin/orders/AdminOrdersView.vue
+++ b/frontend/src/views/admin/orders/AdminOrdersView.vue
@@ -65,7 +65,7 @@
           <div><p class="text-xs text-gray-500 dark:text-gray-400">{{ t('payment.orders.amount') }}</p><p class="text-sm font-medium text-gray-900 dark:text-white">{{ selectedOrder.order_type === 'balance' ? '$' : '¥' }}{{ selectedOrder.amount.toFixed(2) }}</p></div>
           <div><p class="text-xs text-gray-500 dark:text-gray-400">{{ t('payment.orders.payAmount') }}</p><p class="text-sm font-medium text-gray-900 dark:text-white">¥{{ selectedOrder.pay_amount.toFixed(2) }}</p></div>
           <div><p class="text-xs text-gray-500 dark:text-gray-400">{{ t('payment.orders.paymentMethod') }}</p><p class="text-sm text-gray-700 dark:text-gray-300">{{ t('payment.methods.' + selectedOrder.payment_type, selectedOrder.payment_type) }}</p></div>
-          <div><p class="text-xs text-gray-500 dark:text-gray-400">{{ t('payment.admin.feeRate') }}</p><p class="text-sm text-gray-700 dark:text-gray-300">{{ (selectedOrder.fee_rate * 100).toFixed(1) }}%</p></div>
+          <div><p class="text-xs text-gray-500 dark:text-gray-400">{{ t('payment.admin.feeRate') }}</p><p class="text-sm text-gray-700 dark:text-gray-300">{{ selectedOrder.fee_rate }}%</p></div>
           <div><p class="text-xs text-gray-500 dark:text-gray-400">{{ t('payment.orders.createdAt') }}</p><p class="text-sm text-gray-700 dark:text-gray-300">{{ formatDateTime(selectedOrder.created_at) }}</p></div>
           <div><p class="text-xs text-gray-500 dark:text-gray-400">{{ t('payment.admin.expiresAt') }}</p><p class="text-sm text-gray-700 dark:text-gray-300">{{ formatDateTime(selectedOrder.expires_at) }}</p></div>
           <div v-if="selectedOrder.paid_at"><p class="text-xs text-gray-500 dark:text-gray-400">{{ t('payment.admin.paidAt') }}</p><p class="text-sm text-gray-700 dark:text-gray-300">{{ formatDateTime(selectedOrder.paid_at) }}</p></div>
diff --git a/frontend/src/views/user/PaymentResultView.vue b/frontend/src/views/user/PaymentResultView.vue
index 015c45ff..8e622ca3 100644
--- a/frontend/src/views/user/PaymentResultView.vue
+++ b/frontend/src/views/user/PaymentResultView.vue
@@ -36,14 +36,18 @@
               <span class="text-gray-500 dark:text-gray-400">{{ t('payment.orders.orderNo') }}</span>
               <span class="font-medium text-gray-900 dark:text-white">{{ order.out_trade_no }}</span>
             </div>
-            <div class="flex justify-between">
-              <span class="text-gray-500 dark:text-gray-400">{{ t('payment.orders.amount') }}</span>
-              <span class="font-medium text-gray-900 dark:text-white">{{ order.order_type === 'balance' ? '$' : '¥' }}{{ order.amount.toFixed(2) }}</span>
-            </div>
             <div class="flex justify-between">
               <span class="text-gray-500 dark:text-gray-400">{{ t('payment.orders.payAmount') }}</span>
               <span class="font-medium text-gray-900 dark:text-white">&#165;{{ order.pay_amount.toFixed(2) }}</span>
             </div>
+            <div v-if="order.fee_rate > 0" class="flex justify-between">
+              <span class="text-gray-500 dark:text-gray-400">{{ t('payment.orders.fee') }} ({{ order.fee_rate }}%)</span>
+              <span class="text-xs text-gray-400 dark:text-gray-500">{{ t('payment.orders.includedInPayAmount') }}</span>
+            </div>
+            <div v-if="order.amount !== order.pay_amount" class="flex justify-between">
+              <span class="text-gray-500 dark:text-gray-400">{{ t('payment.orders.creditedAmount') }}</span>
+              <span class="font-medium text-gray-900 dark:text-white">{{ order.order_type === 'balance' ? '$' : '¥' }}{{ order.amount.toFixed(2) }}</span>
+            </div>
             <div class="flex justify-between">
               <span class="text-gray-500 dark:text-gray-400">{{ t('payment.orders.paymentMethod') }}</span>
               <span class="font-medium text-gray-900 dark:text-white">{{ t('payment.methods.' + order.payment_type, order.payment_type) }}</span>
diff --git a/frontend/src/views/user/PaymentView.vue b/frontend/src/views/user/PaymentView.vue
index 5dcaa069..e91df5da 100644
--- a/frontend/src/views/user/PaymentView.vue
+++ b/frontend/src/views/user/PaymentView.vue
@@ -75,19 +75,19 @@
                   <span class="text-gray-500 dark:text-gray-400">{{ t('payment.paymentAmount') }}</span>
                   <span class="text-gray-900 dark:text-white">¥{{ validAmount.toFixed(2) }}</span>
                 </div>
-                <div class="flex justify-between">
-                  <span class="text-gray-500 dark:text-gray-400">{{ t('payment.creditedBalance') }}</span>
-                  <span class="text-gray-900 dark:text-white">${{ creditedAmount.toFixed(2) }}</span>
-                </div>
                 <div v-if="feeRate > 0" class="flex justify-between">
                   <span class="text-gray-500 dark:text-gray-400">{{ t('payment.fee') }} ({{ feeRate }}%)</span>
                   <span class="text-gray-900 dark:text-white">¥{{ feeAmount.toFixed(2) }}</span>
                 </div>
-                <div class="flex justify-between border-t border-gray-200 pt-2 dark:border-dark-600">
+                <div v-if="feeRate > 0" class="flex justify-between border-t border-gray-200 pt-2 dark:border-dark-600">
                   <span class="font-medium text-gray-700 dark:text-gray-300">{{ t('payment.actualPay') }}</span>
                   <span class="text-lg font-bold text-primary-600 dark:text-primary-400">¥{{ totalAmount.toFixed(2) }}</span>
                 </div>
-                <p class="border-t border-gray-200 pt-2 text-xs text-gray-500 dark:border-dark-600 dark:text-gray-400">
+                <div v-if="balanceRechargeMultiplier !== 1" class="flex justify-between" :class="{ 'border-t border-gray-200 pt-2 dark:border-dark-600': feeRate <= 0 }">
+                  <span class="text-gray-500 dark:text-gray-400">{{ t('payment.creditedBalance') }}</span>
+                  <span class="text-gray-900 dark:text-white">${{ creditedAmount.toFixed(2) }}</span>
+                </div>
+                <p v-if="balanceRechargeMultiplier !== 1" class="border-t border-gray-200 pt-2 text-xs text-gray-500 dark:border-dark-600 dark:text-gray-400">
                   {{ t('payment.rechargeRatePreview', { usd: balanceRechargeMultiplier.toFixed(2) }) }}
                 </p>
               </div>
@@ -361,7 +361,7 @@ function onStripeRedirect(orderId: number, payUrl: string) {
 // All checkout data from single API call
 const checkout = ref<CheckoutInfoResponse>({
   methods: {}, global_min: 0, global_max: 0,
-  plans: [], balance_disabled: false, balance_recharge_multiplier: 1, help_text: '', help_image_url: '', stripe_publishable_key: '',
+  plans: [], balance_disabled: false, balance_recharge_multiplier: 1, recharge_fee_rate: 0, help_text: '', help_image_url: '', stripe_publishable_key: '',
 })
 
 const tabs = computed(() => {
@@ -414,7 +414,7 @@ const methodOptions = computed<PaymentMethodOption[]>(() =>
   })
 )
 
-const feeRate = computed(() => selectedLimit.value?.fee_rate ?? 0)
+const feeRate = computed(() => checkout.value?.recharge_fee_rate ?? 0)
 const feeAmount = computed(() =>
   feeRate.value > 0 && validAmount.value > 0
     ? Math.ceil(((validAmount.value * feeRate.value) / 100) * 100) / 100

From d149dbc91f335667db0d74a2054500eca047ab19 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Wed, 15 Apr 2026 01:11:49 +0800
Subject: [PATCH 104/122] fix(payment): enhance fee rate input validation and
 UI
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Backend:
- Validate recharge_fee_rate: 0 ≤ rate ≤ 100, max 2 decimal places

Frontend settings:
- Add % suffix icon to fee rate input
- Enforce max=100, min=0, step=0.01 with 2 decimal precision
---
 backend/internal/service/payment_config_service.go | 9 +++++++--
 frontend/src/views/admin/SettingsView.vue          | 5 ++++-
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/backend/internal/service/payment_config_service.go b/backend/internal/service/payment_config_service.go
index 2f040292..d8c47804 100644
--- a/backend/internal/service/payment_config_service.go
+++ b/backend/internal/service/payment_config_service.go
@@ -272,8 +272,13 @@ func (s *PaymentConfigService) UpdatePaymentConfig(ctx context.Context, req Upda
 		}
 	}
 	if req.RechargeFeeRate != nil {
-		if math.IsNaN(*req.RechargeFeeRate) || math.IsInf(*req.RechargeFeeRate, 0) || *req.RechargeFeeRate < 0 {
-			return infraerrors.BadRequest("INVALID_RECHARGE_FEE_RATE", "recharge fee rate must be >= 0")
+		v := *req.RechargeFeeRate
+		if math.IsNaN(v) || math.IsInf(v, 0) || v < 0 || v > 100 {
+			return infraerrors.BadRequest("INVALID_RECHARGE_FEE_RATE", "recharge fee rate must be between 0 and 100")
+		}
+		// Enforce max 2 decimal places
+		if math.Round(v*100) != v*100 {
+			return infraerrors.BadRequest("INVALID_RECHARGE_FEE_RATE", "recharge fee rate allows at most 2 decimal places")
 		}
 	}
 	m := map[string]string{
diff --git a/frontend/src/views/admin/SettingsView.vue b/frontend/src/views/admin/SettingsView.vue
index cbd4d284..ee6a4c6d 100644
--- a/frontend/src/views/admin/SettingsView.vue
+++ b/frontend/src/views/admin/SettingsView.vue
@@ -2383,7 +2383,10 @@
                 </div>
                 <div>
                   <label class="input-label">{{ t('admin.settings.payment.rechargeFeeRate') }}</label>
-                  <input :value="form.payment_recharge_fee_rate || ''" @input="form.payment_recharge_fee_rate = parseFloat(($event.target as HTMLInputElement).value) || 0" type="number" step="0.01" min="0" class="input" />
+                  <div class="relative">
+                    <input :value="form.payment_recharge_fee_rate ?? ''" @input="form.payment_recharge_fee_rate = Math.min(100, Math.max(0, Math.round(parseFloat(($event.target as HTMLInputElement).value || '0') * 100) / 100))" type="number" step="0.01" min="0" max="100" class="input pr-8" />
+                    <span class="pointer-events-none absolute inset-y-0 right-0 flex items-center pr-3 text-gray-400">%</span>
+                  </div>
                   <p class="mt-0.5 text-xs text-gray-400">{{ t('admin.settings.payment.rechargeFeeRateHint') }}</p>
                   <p v-if="(Number(form.payment_recharge_fee_rate) || 0) > 0" class="mt-1 text-xs font-medium text-primary-600 dark:text-primary-400">{{ t('admin.settings.payment.rechargeFeePreview', { fee: (Number(form.payment_recharge_fee_rate) || 0).toFixed(2) }) }}</p>
                 </div>

From 3053c56cacc50df51030e526a2dfd16964677f50 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Wed, 15 Apr 2026 01:20:46 +0800
Subject: [PATCH 105/122] fix(payment): show full amount breakdown on payment
 result page
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Show base amount (充值金额) as first line
- Show fee amount with percentage when fee_rate > 0
- Show pay_amount (实付金额) in bold primary color
- Show credited amount (到账金额) when different from pay_amount
- Compute baseAmount and feeAmount from backend order data
---
 frontend/src/views/user/PaymentResultView.vue | 22 ++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

diff --git a/frontend/src/views/user/PaymentResultView.vue b/frontend/src/views/user/PaymentResultView.vue
index 8e622ca3..6431ddf6 100644
--- a/frontend/src/views/user/PaymentResultView.vue
+++ b/frontend/src/views/user/PaymentResultView.vue
@@ -37,12 +37,16 @@
               <span class="font-medium text-gray-900 dark:text-white">{{ order.out_trade_no }}</span>
             </div>
             <div class="flex justify-between">
-              <span class="text-gray-500 dark:text-gray-400">{{ t('payment.orders.payAmount') }}</span>
-              <span class="font-medium text-gray-900 dark:text-white">&#165;{{ order.pay_amount.toFixed(2) }}</span>
+              <span class="text-gray-500 dark:text-gray-400">{{ t('payment.orders.baseAmount') }}</span>
+              <span class="font-medium text-gray-900 dark:text-white">&#165;{{ baseAmount.toFixed(2) }}</span>
             </div>
             <div v-if="order.fee_rate > 0" class="flex justify-between">
               <span class="text-gray-500 dark:text-gray-400">{{ t('payment.orders.fee') }} ({{ order.fee_rate }}%)</span>
-              <span class="text-xs text-gray-400 dark:text-gray-500">{{ t('payment.orders.includedInPayAmount') }}</span>
+              <span class="font-medium text-gray-900 dark:text-white">&#165;{{ feeAmount.toFixed(2) }}</span>
+            </div>
+            <div class="flex justify-between">
+              <span class="text-gray-500 dark:text-gray-400">{{ t('payment.orders.payAmount') }}</span>
+              <span class="font-bold text-primary-600 dark:text-primary-400">&#165;{{ order.pay_amount.toFixed(2) }}</span>
             </div>
             <div v-if="order.amount !== order.pay_amount" class="flex justify-between">
               <span class="text-gray-500 dark:text-gray-400">{{ t('payment.orders.creditedAmount') }}</span>
@@ -112,6 +116,18 @@ const returnInfo = ref<ReturnInfo | null>(null)
 
 const SUCCESS_STATUSES = new Set(['COMPLETED', 'PAID', 'RECHARGING'])
 
+/** 充值金额 = pay_amount / (1 + fee_rate/100)，fee_rate=0 时等于 pay_amount */
+const baseAmount = computed(() => {
+  if (!order.value || order.value.fee_rate <= 0) return order.value?.pay_amount ?? 0
+  return Math.round((order.value.pay_amount / (1 + order.value.fee_rate / 100)) * 100) / 100
+})
+
+/** 手续费 = pay_amount - baseAmount */
+const feeAmount = computed(() => {
+  if (!order.value || order.value.fee_rate <= 0) return 0
+  return Math.round((order.value.pay_amount - baseAmount.value) * 100) / 100
+})
+
 const isSuccess = computed(() => {
   // Always prioritize actual order status from backend
   if (order.value) {

From 60614e6f74d9e399cc0c55a97ea8bab4929def0e Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Wed, 15 Apr 2026 01:39:00 +0800
Subject: [PATCH 106/122] fix: gofmt formatting and update API contract test
 for new fields

- Fix gofmt alignment in setting_handler.go, settings.go, payment_config_service.go
- Add payment_balance_recharge_multiplier and payment_recharge_fee_rate
  to API contract test expected JSON
---
 Antigravity-Manager                           |  1 +
 .../internal/handler/admin/setting_handler.go | 28 ++++----
 backend/internal/handler/dto/settings.go      | 22 +++---
 backend/internal/server/api_contract_test.go  |  2 +
 .../service/payment_config_service.go         | 72 +++++++++----------
 5 files changed, 64 insertions(+), 61 deletions(-)
 create mode 160000 Antigravity-Manager

diff --git a/Antigravity-Manager b/Antigravity-Manager
new file mode 160000
index 00000000..a9d96bd5
--- /dev/null
+++ b/Antigravity-Manager
@@ -0,0 +1 @@
+Subproject commit a9d96bd54978c22d3033830debfe77aeeeee2500
diff --git a/backend/internal/handler/admin/setting_handler.go b/backend/internal/handler/admin/setting_handler.go
index b2e400b3..bec0f126 100644
--- a/backend/internal/handler/admin/setting_handler.go
+++ b/backend/internal/handler/admin/setting_handler.go
@@ -189,7 +189,7 @@ func (h *SettingHandler) GetSettings(c *gin.Context) {
 		PaymentEnabledTypes:                  paymentCfg.EnabledTypes,
 		PaymentBalanceDisabled:               paymentCfg.BalanceDisabled,
 		PaymentBalanceRechargeMultiplier:     paymentCfg.BalanceRechargeMultiplier,
-		PaymentRechargeFeeRate:              paymentCfg.RechargeFeeRate,
+		PaymentRechargeFeeRate:               paymentCfg.RechargeFeeRate,
 		PaymentLoadBalanceStrat:              paymentCfg.LoadBalanceStrategy,
 		PaymentProductNamePrefix:             paymentCfg.ProductNamePrefix,
 		PaymentProductNameSuffix:             paymentCfg.ProductNameSuffix,
@@ -319,21 +319,21 @@ type UpdateSettingsRequest struct {
 	AccountQuotaNotifyEmails    *[]dto.NotifyEmailEntry `json:"account_quota_notify_emails"`
 
 	// Payment configuration (integrated into settings, full replace)
-	PaymentEnabled           *bool    `json:"payment_enabled"`
-	PaymentMinAmount         *float64 `json:"payment_min_amount"`
-	PaymentMaxAmount         *float64 `json:"payment_max_amount"`
-	PaymentDailyLimit        *float64 `json:"payment_daily_limit"`
-	PaymentOrderTimeoutMin   *int     `json:"payment_order_timeout_minutes"`
-	PaymentMaxPendingOrders  *int     `json:"payment_max_pending_orders"`
+	PaymentEnabled                   *bool    `json:"payment_enabled"`
+	PaymentMinAmount                 *float64 `json:"payment_min_amount"`
+	PaymentMaxAmount                 *float64 `json:"payment_max_amount"`
+	PaymentDailyLimit                *float64 `json:"payment_daily_limit"`
+	PaymentOrderTimeoutMin           *int     `json:"payment_order_timeout_minutes"`
+	PaymentMaxPendingOrders          *int     `json:"payment_max_pending_orders"`
 	PaymentEnabledTypes              []string `json:"payment_enabled_types"`
 	PaymentBalanceDisabled           *bool    `json:"payment_balance_disabled"`
 	PaymentBalanceRechargeMultiplier *float64 `json:"payment_balance_recharge_multiplier"`
-	PaymentRechargeFeeRate              *float64 `json:"payment_recharge_fee_rate"`
+	PaymentRechargeFeeRate           *float64 `json:"payment_recharge_fee_rate"`
 	PaymentLoadBalanceStrat          *string  `json:"payment_load_balance_strategy"`
-	PaymentProductNamePrefix *string  `json:"payment_product_name_prefix"`
-	PaymentProductNameSuffix *string  `json:"payment_product_name_suffix"`
-	PaymentHelpImageURL      *string  `json:"payment_help_image_url"`
-	PaymentHelpText          *string  `json:"payment_help_text"`
+	PaymentProductNamePrefix         *string  `json:"payment_product_name_prefix"`
+	PaymentProductNameSuffix         *string  `json:"payment_product_name_suffix"`
+	PaymentHelpImageURL              *string  `json:"payment_help_image_url"`
+	PaymentHelpText                  *string  `json:"payment_help_text"`
 
 	// Cancel rate limit
 	PaymentCancelRateLimitEnabled *bool   `json:"payment_cancel_rate_limit_enabled"`
@@ -947,7 +947,7 @@ func (h *SettingHandler) UpdateSettings(c *gin.Context) {
 			EnabledTypes:              req.PaymentEnabledTypes,
 			BalanceDisabled:           req.PaymentBalanceDisabled,
 			BalanceRechargeMultiplier: req.PaymentBalanceRechargeMultiplier,
-			RechargeFeeRate:          req.PaymentRechargeFeeRate,
+			RechargeFeeRate:           req.PaymentRechargeFeeRate,
 			LoadBalanceStrategy:       req.PaymentLoadBalanceStrat,
 			ProductNamePrefix:         req.PaymentProductNamePrefix,
 			ProductNameSuffix:         req.PaymentProductNameSuffix,
@@ -1089,7 +1089,7 @@ func (h *SettingHandler) UpdateSettings(c *gin.Context) {
 		PaymentEnabledTypes:                  updatedPaymentCfg.EnabledTypes,
 		PaymentBalanceDisabled:               updatedPaymentCfg.BalanceDisabled,
 		PaymentBalanceRechargeMultiplier:     updatedPaymentCfg.BalanceRechargeMultiplier,
-		PaymentRechargeFeeRate:              updatedPaymentCfg.RechargeFeeRate,
+		PaymentRechargeFeeRate:               updatedPaymentCfg.RechargeFeeRate,
 		PaymentLoadBalanceStrat:              updatedPaymentCfg.LoadBalanceStrategy,
 		PaymentProductNamePrefix:             updatedPaymentCfg.ProductNamePrefix,
 		PaymentProductNameSuffix:             updatedPaymentCfg.ProductNameSuffix,
diff --git a/backend/internal/handler/dto/settings.go b/backend/internal/handler/dto/settings.go
index c41eb7f6..3659e79b 100644
--- a/backend/internal/handler/dto/settings.go
+++ b/backend/internal/handler/dto/settings.go
@@ -128,21 +128,21 @@ type SystemSettings struct {
 	WebSearchEmulationEnabled bool `json:"web_search_emulation_enabled"`
 
 	// Payment configuration
-	PaymentEnabled           bool     `json:"payment_enabled"`
-	PaymentMinAmount         float64  `json:"payment_min_amount"`
-	PaymentMaxAmount         float64  `json:"payment_max_amount"`
-	PaymentDailyLimit        float64  `json:"payment_daily_limit"`
-	PaymentOrderTimeoutMin   int      `json:"payment_order_timeout_minutes"`
-	PaymentMaxPendingOrders  int      `json:"payment_max_pending_orders"`
+	PaymentEnabled                   bool     `json:"payment_enabled"`
+	PaymentMinAmount                 float64  `json:"payment_min_amount"`
+	PaymentMaxAmount                 float64  `json:"payment_max_amount"`
+	PaymentDailyLimit                float64  `json:"payment_daily_limit"`
+	PaymentOrderTimeoutMin           int      `json:"payment_order_timeout_minutes"`
+	PaymentMaxPendingOrders          int      `json:"payment_max_pending_orders"`
 	PaymentEnabledTypes              []string `json:"payment_enabled_types"`
 	PaymentBalanceDisabled           bool     `json:"payment_balance_disabled"`
 	PaymentBalanceRechargeMultiplier float64  `json:"payment_balance_recharge_multiplier"`
-	PaymentRechargeFeeRate              float64  `json:"payment_recharge_fee_rate"`
+	PaymentRechargeFeeRate           float64  `json:"payment_recharge_fee_rate"`
 	PaymentLoadBalanceStrat          string   `json:"payment_load_balance_strategy"`
-	PaymentProductNamePrefix string   `json:"payment_product_name_prefix"`
-	PaymentProductNameSuffix string   `json:"payment_product_name_suffix"`
-	PaymentHelpImageURL      string   `json:"payment_help_image_url"`
-	PaymentHelpText          string   `json:"payment_help_text"`
+	PaymentProductNamePrefix         string   `json:"payment_product_name_prefix"`
+	PaymentProductNameSuffix         string   `json:"payment_product_name_suffix"`
+	PaymentHelpImageURL              string   `json:"payment_help_image_url"`
+	PaymentHelpText                  string   `json:"payment_help_text"`
 
 	// Cancel rate limit
 	PaymentCancelRateLimitEnabled bool   `json:"payment_cancel_rate_limit_enabled"`
diff --git a/backend/internal/server/api_contract_test.go b/backend/internal/server/api_contract_test.go
index 44c3f0e4..b686b986 100644
--- a/backend/internal/server/api_contract_test.go
+++ b/backend/internal/server/api_contract_test.go
@@ -601,6 +601,8 @@ func TestAPIContracts(t *testing.T) {
 					"payment_order_timeout_minutes": 0,
 					"payment_max_pending_orders": 0,
 					"payment_balance_disabled": false,
+					"payment_balance_recharge_multiplier": 0,
+					"payment_recharge_fee_rate": 0,
 					"payment_load_balance_strategy": "",
 					"payment_product_name_prefix": "",
 					"payment_product_name_suffix": "",
diff --git a/backend/internal/service/payment_config_service.go b/backend/internal/service/payment_config_service.go
index d8c47804..59764b29 100644
--- a/backend/internal/service/payment_config_service.go
+++ b/backend/internal/service/payment_config_service.go
@@ -24,7 +24,7 @@ const (
 	SettingLoadBalanceStrategy = "LOAD_BALANCE_STRATEGY"
 	SettingBalancePayDisabled  = "BALANCE_PAYMENT_DISABLED"
 	SettingBalanceRechargeMult = "BALANCE_RECHARGE_MULTIPLIER"
-	SettingRechargeFeeRate    = "RECHARGE_FEE_RATE"
+	SettingRechargeFeeRate     = "RECHARGE_FEE_RATE"
 	SettingProductNamePrefix   = "PRODUCT_NAME_PREFIX"
 	SettingProductNameSuffix   = "PRODUCT_NAME_SUFFIX"
 	SettingHelpImageURL        = "PAYMENT_HELP_IMAGE_URL"
@@ -44,22 +44,22 @@ const (
 
 // PaymentConfig holds the payment system configuration.
 type PaymentConfig struct {
-	Enabled              bool     `json:"enabled"`
-	MinAmount            float64  `json:"min_amount"`
-	MaxAmount            float64  `json:"max_amount"`
-	DailyLimit           float64  `json:"daily_limit"`
-	OrderTimeoutMin      int      `json:"order_timeout_minutes"`
-	MaxPendingOrders     int      `json:"max_pending_orders"`
+	Enabled                   bool     `json:"enabled"`
+	MinAmount                 float64  `json:"min_amount"`
+	MaxAmount                 float64  `json:"max_amount"`
+	DailyLimit                float64  `json:"daily_limit"`
+	OrderTimeoutMin           int      `json:"order_timeout_minutes"`
+	MaxPendingOrders          int      `json:"max_pending_orders"`
 	EnabledTypes              []string `json:"enabled_payment_types"`
 	BalanceDisabled           bool     `json:"balance_disabled"`
 	BalanceRechargeMultiplier float64  `json:"balance_recharge_multiplier"`
-	RechargeFeeRate          float64  `json:"recharge_fee_rate"`
+	RechargeFeeRate           float64  `json:"recharge_fee_rate"`
 	LoadBalanceStrategy       string   `json:"load_balance_strategy"`
-	ProductNamePrefix    string   `json:"product_name_prefix"`
-	ProductNameSuffix    string   `json:"product_name_suffix"`
-	HelpImageURL         string   `json:"help_image_url"`
-	HelpText             string   `json:"help_text"`
-	StripePublishableKey string   `json:"stripe_publishable_key,omitempty"`
+	ProductNamePrefix         string   `json:"product_name_prefix"`
+	ProductNameSuffix         string   `json:"product_name_suffix"`
+	HelpImageURL              string   `json:"help_image_url"`
+	HelpText                  string   `json:"help_text"`
+	StripePublishableKey      string   `json:"stripe_publishable_key,omitempty"`
 
 	// Cancel rate limit settings
 	CancelRateLimitEnabled bool   `json:"cancel_rate_limit_enabled"`
@@ -71,21 +71,21 @@ type PaymentConfig struct {
 
 // UpdatePaymentConfigRequest contains fields to update payment configuration.
 type UpdatePaymentConfigRequest struct {
-	Enabled             *bool    `json:"enabled"`
-	MinAmount           *float64 `json:"min_amount"`
-	MaxAmount           *float64 `json:"max_amount"`
-	DailyLimit          *float64 `json:"daily_limit"`
-	OrderTimeoutMin     *int     `json:"order_timeout_minutes"`
-	MaxPendingOrders    *int     `json:"max_pending_orders"`
+	Enabled                   *bool    `json:"enabled"`
+	MinAmount                 *float64 `json:"min_amount"`
+	MaxAmount                 *float64 `json:"max_amount"`
+	DailyLimit                *float64 `json:"daily_limit"`
+	OrderTimeoutMin           *int     `json:"order_timeout_minutes"`
+	MaxPendingOrders          *int     `json:"max_pending_orders"`
 	EnabledTypes              []string `json:"enabled_payment_types"`
 	BalanceDisabled           *bool    `json:"balance_disabled"`
 	BalanceRechargeMultiplier *float64 `json:"balance_recharge_multiplier"`
-	RechargeFeeRate          *float64 `json:"recharge_fee_rate"`
+	RechargeFeeRate           *float64 `json:"recharge_fee_rate"`
 	LoadBalanceStrategy       *string  `json:"load_balance_strategy"`
-	ProductNamePrefix   *string  `json:"product_name_prefix"`
-	ProductNameSuffix   *string  `json:"product_name_suffix"`
-	HelpImageURL        *string  `json:"help_image_url"`
-	HelpText            *string  `json:"help_text"`
+	ProductNamePrefix         *string  `json:"product_name_prefix"`
+	ProductNameSuffix         *string  `json:"product_name_suffix"`
+	HelpImageURL              *string  `json:"help_image_url"`
+	HelpText                  *string  `json:"help_text"`
 
 	// Cancel rate limit settings
 	CancelRateLimitEnabled *bool   `json:"cancel_rate_limit_enabled"`
@@ -209,20 +209,20 @@ func (s *PaymentConfigService) GetPaymentConfig(ctx context.Context) (*PaymentCo
 
 func (s *PaymentConfigService) parsePaymentConfig(vals map[string]string) *PaymentConfig {
 	cfg := &PaymentConfig{
-		Enabled:             vals[SettingPaymentEnabled] == "true",
-		MinAmount:           pcParseFloat(vals[SettingMinRechargeAmount], 1),
-		MaxAmount:           pcParseFloat(vals[SettingMaxRechargeAmount], 0),
-		DailyLimit:          pcParseFloat(vals[SettingDailyRechargeLimit], 0),
-		OrderTimeoutMin:     pcParseInt(vals[SettingOrderTimeoutMinutes], defaultOrderTimeoutMin),
-		MaxPendingOrders:    pcParseInt(vals[SettingMaxPendingOrders], defaultMaxPendingOrders),
+		Enabled:                   vals[SettingPaymentEnabled] == "true",
+		MinAmount:                 pcParseFloat(vals[SettingMinRechargeAmount], 1),
+		MaxAmount:                 pcParseFloat(vals[SettingMaxRechargeAmount], 0),
+		DailyLimit:                pcParseFloat(vals[SettingDailyRechargeLimit], 0),
+		OrderTimeoutMin:           pcParseInt(vals[SettingOrderTimeoutMinutes], defaultOrderTimeoutMin),
+		MaxPendingOrders:          pcParseInt(vals[SettingMaxPendingOrders], defaultMaxPendingOrders),
 		BalanceDisabled:           vals[SettingBalancePayDisabled] == "true",
 		BalanceRechargeMultiplier: normalizeBalanceRechargeMultiplier(pcParseFloat(vals[SettingBalanceRechargeMult], defaultBalanceRechargeMultiplier)),
-		RechargeFeeRate:          pcParseFloat(vals[SettingRechargeFeeRate], 0),
+		RechargeFeeRate:           pcParseFloat(vals[SettingRechargeFeeRate], 0),
 		LoadBalanceStrategy:       vals[SettingLoadBalanceStrategy],
-		ProductNamePrefix:   vals[SettingProductNamePrefix],
-		ProductNameSuffix:   vals[SettingProductNameSuffix],
-		HelpImageURL:        vals[SettingHelpImageURL],
-		HelpText:            vals[SettingHelpText],
+		ProductNamePrefix:         vals[SettingProductNamePrefix],
+		ProductNameSuffix:         vals[SettingProductNameSuffix],
+		HelpImageURL:              vals[SettingHelpImageURL],
+		HelpText:                  vals[SettingHelpText],
 
 		CancelRateLimitEnabled: vals[SettingCancelRateLimitOn] == "true",
 		CancelRateLimitMax:     pcParseInt(vals[SettingCancelRateLimitMax], 10),
@@ -290,7 +290,7 @@ func (s *PaymentConfigService) UpdatePaymentConfig(ctx context.Context, req Upda
 		SettingMaxPendingOrders:    formatPositiveInt(req.MaxPendingOrders),
 		SettingBalancePayDisabled:  formatBoolOrEmpty(req.BalanceDisabled),
 		SettingBalanceRechargeMult: formatPositiveFloat(req.BalanceRechargeMultiplier),
-		SettingRechargeFeeRate:    formatNonNegativeFloat(req.RechargeFeeRate),
+		SettingRechargeFeeRate:     formatNonNegativeFloat(req.RechargeFeeRate),
 		SettingLoadBalanceStrategy: derefStr(req.LoadBalanceStrategy),
 		SettingProductNamePrefix:   derefStr(req.ProductNamePrefix),
 		SettingProductNameSuffix:   derefStr(req.ProductNameSuffix),

From 21f22b5099bf8167558891b4bb72fec0d906068c Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Wed, 15 Apr 2026 01:39:27 +0800
Subject: [PATCH 107/122] fix: remove accidentally staged Antigravity-Manager
 submodule

---
 Antigravity-Manager | 1 -
 1 file changed, 1 deletion(-)
 delete mode 160000 Antigravity-Manager

diff --git a/Antigravity-Manager b/Antigravity-Manager
deleted file mode 160000
index a9d96bd5..00000000
--- a/Antigravity-Manager
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit a9d96bd54978c22d3033830debfe77aeeeee2500

From 342dbd2e19653b03b5d569f28dbb2d9023714b50 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Wed, 15 Apr 2026 01:43:37 +0800
Subject: [PATCH 108/122] fix(payment): use original recharge amount in product
 name, not pay_amount
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Product name (e.g. "快代码科技工作室 100 元") should show the user's
original recharge amount (limitAmount), not the fee-inclusive pay amount.
The gateway receives payAmount separately for actual charging.
---
 backend/internal/service/payment_order.go | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/backend/internal/service/payment_order.go b/backend/internal/service/payment_order.go
index a38173fd..128416e4 100644
--- a/backend/internal/service/payment_order.go
+++ b/backend/internal/service/payment_order.go
@@ -58,7 +58,7 @@ func (s *PaymentService) CreateOrder(ctx context.Context, req CreateOrderRequest
 	if err != nil {
 		return nil, err
 	}
-	resp, err := s.invokeProvider(ctx, order, req, cfg, payAmountStr, payAmount, plan)
+	resp, err := s.invokeProvider(ctx, order, req, cfg, limitAmount, payAmountStr, payAmount, plan)
 	if err != nil {
 		_, _ = s.entClient.PaymentOrder.UpdateOneID(order.ID).
 			SetStatus(OrderStatusFailed).
@@ -196,7 +196,7 @@ func (s *PaymentService) checkDailyLimit(ctx context.Context, tx *dbent.Tx, user
 	return nil
 }
 
-func (s *PaymentService) invokeProvider(ctx context.Context, order *dbent.PaymentOrder, req CreateOrderRequest, cfg *PaymentConfig, payAmountStr string, payAmount float64, plan *dbent.SubscriptionPlan) (*CreateOrderResponse, error) {
+func (s *PaymentService) invokeProvider(ctx context.Context, order *dbent.PaymentOrder, req CreateOrderRequest, cfg *PaymentConfig, limitAmount float64, payAmountStr string, payAmount float64, plan *dbent.SubscriptionPlan) (*CreateOrderResponse, error) {
 	// Select an instance across all providers that support the requested payment type.
 	// This enables cross-provider load balancing (e.g. EasyPay + Alipay direct for "alipay").
 	sel, err := s.loadBalancer.SelectInstance(ctx, "", req.PaymentType, payment.Strategy(cfg.LoadBalanceStrategy), payAmount)
@@ -210,7 +210,7 @@ func (s *PaymentService) invokeProvider(ctx context.Context, order *dbent.Paymen
 	if err != nil {
 		return nil, infraerrors.ServiceUnavailable("PAYMENT_GATEWAY_ERROR", "payment method is temporarily unavailable")
 	}
-	subject := s.buildPaymentSubject(plan, payAmountStr, cfg)
+	subject := s.buildPaymentSubject(plan, limitAmount, cfg)
 	outTradeNo := order.OutTradeNo
 	pr, err := prov.CreatePayment(ctx, payment.CreatePaymentRequest{OrderID: outTradeNo, Amount: payAmountStr, PaymentType: req.PaymentType, Subject: subject, ClientIP: req.ClientIP, IsMobile: req.IsMobile, InstanceSubMethods: sel.SupportedTypes})
 	if err != nil {
@@ -231,19 +231,20 @@ func (s *PaymentService) invokeProvider(ctx context.Context, order *dbent.Paymen
 	return &CreateOrderResponse{OrderID: order.ID, Amount: order.Amount, PayAmount: payAmount, FeeRate: order.FeeRate, Status: OrderStatusPending, PaymentType: req.PaymentType, PayURL: pr.PayURL, QRCode: pr.QRCode, ClientSecret: pr.ClientSecret, ExpiresAt: order.ExpiresAt, PaymentMode: sel.PaymentMode}, nil
 }
 
-func (s *PaymentService) buildPaymentSubject(plan *dbent.SubscriptionPlan, payAmountStr string, cfg *PaymentConfig) string {
+func (s *PaymentService) buildPaymentSubject(plan *dbent.SubscriptionPlan, limitAmount float64, cfg *PaymentConfig) string {
 	if plan != nil {
 		if plan.ProductName != "" {
 			return plan.ProductName
 		}
 		return "Sub2API Subscription " + plan.Name
 	}
+	amountStr := strconv.FormatFloat(limitAmount, 'f', 2, 64)
 	pf := strings.TrimSpace(cfg.ProductNamePrefix)
 	sf := strings.TrimSpace(cfg.ProductNameSuffix)
 	if pf != "" || sf != "" {
-		return strings.TrimSpace(pf + " " + payAmountStr + " " + sf)
+		return strings.TrimSpace(pf + " " + amountStr + " " + sf)
 	}
-	return "Sub2API " + payAmountStr + " CNY"
+	return "Sub2API " + amountStr + " CNY"
 }
 
 // --- Order Queries ---

From c2108421c2f4d6ed40bee4f359b3a8b0ea500a69 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Wed, 15 Apr 2026 01:50:19 +0800
Subject: [PATCH 109/122] fix: gofmt payment_service.go and payment_order.go

---
 Antigravity-Manager                         | 1 +
 backend/internal/service/payment_service.go | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)
 create mode 160000 Antigravity-Manager

diff --git a/Antigravity-Manager b/Antigravity-Manager
new file mode 160000
index 00000000..a9d96bd5
--- /dev/null
+++ b/Antigravity-Manager
@@ -0,0 +1 @@
+Subproject commit a9d96bd54978c22d3033830debfe77aeeeee2500
diff --git a/backend/internal/service/payment_service.go b/backend/internal/service/payment_service.go
index f88e4171..6fc23f97 100644
--- a/backend/internal/service/payment_service.go
+++ b/backend/internal/service/payment_service.go
@@ -288,7 +288,6 @@ func psComputeValidityDays(days int, unit string) int {
 	}
 }
 
-
 func psStartOfDayUTC(t time.Time) time.Time {
 	y, m, d := t.UTC().Date()
 	return time.Date(y, m, d, 0, 0, 0, 0, time.UTC)

From 38c00872e12241494f057ff5430eded5bb468c62 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Wed, 15 Apr 2026 11:12:53 +0800
Subject: [PATCH 110/122] fix(ui): allow closing test dialog during active SSE
 stream

Replace dead EventSource variable with AbortController to enable
cancelling fetch streams. Remove close-button disable during connecting
status so users can dismiss the dialog at any time.
---
 .../components/account/AccountTestModal.vue   | 37 ++++++++++---------
 .../admin/account/AccountTestModal.vue        | 37 ++++++++++---------
 2 files changed, 40 insertions(+), 34 deletions(-)

diff --git a/frontend/src/components/account/AccountTestModal.vue b/frontend/src/components/account/AccountTestModal.vue
index b0e534d6..67409a7c 100644
--- a/frontend/src/components/account/AccountTestModal.vue
+++ b/frontend/src/components/account/AccountTestModal.vue
@@ -165,7 +165,6 @@
         <button
           @click="handleClose"
           class="rounded-lg bg-gray-100 px-4 py-2 text-sm font-medium text-gray-700 transition-colors hover:bg-gray-200 dark:bg-dark-600 dark:text-gray-300 dark:hover:bg-dark-500"
-          :disabled="status === 'connecting'"
         >
           {{ t('common.close') }}
         </button>
@@ -249,7 +248,7 @@ const availableModels = ref<ClaudeModel[]>([])
 const selectedModelId = ref('')
 const testPrompt = ref('')
 const loadingModels = ref(false)
-let eventSource: EventSource | null = null
+let abortController: AbortController | null = null
 const generatedImages = ref<PreviewImage[]>([])
 const prioritizedGeminiModels = ['gemini-3.1-flash-image', 'gemini-2.5-flash-image', 'gemini-2.5-flash', 'gemini-2.5-pro', 'gemini-3-flash-preview', 'gemini-3-pro-preview', 'gemini-2.0-flash']
 const supportsGeminiImageTest = computed(() => {
@@ -279,7 +278,7 @@ watch(
       resetState()
       await loadAvailableModels()
     } else {
-      closeEventSource()
+      abortStream()
     }
   }
 )
@@ -329,18 +328,14 @@ const resetState = () => {
 }
 
 const handleClose = () => {
-  // 防止在连接测试进行中关闭对话框
-  if (status.value === 'connecting') {
-    return
-  }
-  closeEventSource()
+  abortStream()
   emit('close')
 }
 
-const closeEventSource = () => {
-  if (eventSource) {
-    eventSource.close()
-    eventSource = null
+const abortStream = () => {
+  if (abortController) {
+    abortController.abort()
+    abortController = null
   }
 }
 
@@ -365,7 +360,9 @@ const startTest = async () => {
   addLine(t('admin.accounts.testAccountTypeLabel', { type: props.account.type }), 'text-gray-400')
   addLine('', 'text-gray-300')
 
-  closeEventSource()
+  abortStream()
+
+  abortController = new AbortController()
 
   try {
     // Create EventSource for SSE
@@ -381,7 +378,8 @@ const startTest = async () => {
       body: JSON.stringify({
               model_id: selectedModelId.value,
               prompt: supportsGeminiImageTest.value ? testPrompt.value.trim() : ''
-            })
+            }),
+      signal: abortController.signal
     })
 
     if (!response.ok) {
@@ -418,10 +416,15 @@ const startTest = async () => {
         }
       }
     }
-  } catch (error: any) {
+  } catch (error: unknown) {
+    if (error instanceof DOMException && error.name === 'AbortError') {
+      status.value = 'idle'
+      return
+    }
     status.value = 'error'
-    errorMessage.value = error.message || 'Unknown error'
-    addLine(`Error: ${errorMessage.value}`, 'text-red-400')
+    const msg = error instanceof Error ? error.message : 'Unknown error'
+    errorMessage.value = msg
+    addLine(`Error: ${msg}`, 'text-red-400')
   }
 }
 
diff --git a/frontend/src/components/admin/account/AccountTestModal.vue b/frontend/src/components/admin/account/AccountTestModal.vue
index b0e534d6..67409a7c 100644
--- a/frontend/src/components/admin/account/AccountTestModal.vue
+++ b/frontend/src/components/admin/account/AccountTestModal.vue
@@ -165,7 +165,6 @@
         <button
           @click="handleClose"
           class="rounded-lg bg-gray-100 px-4 py-2 text-sm font-medium text-gray-700 transition-colors hover:bg-gray-200 dark:bg-dark-600 dark:text-gray-300 dark:hover:bg-dark-500"
-          :disabled="status === 'connecting'"
         >
           {{ t('common.close') }}
         </button>
@@ -249,7 +248,7 @@ const availableModels = ref<ClaudeModel[]>([])
 const selectedModelId = ref('')
 const testPrompt = ref('')
 const loadingModels = ref(false)
-let eventSource: EventSource | null = null
+let abortController: AbortController | null = null
 const generatedImages = ref<PreviewImage[]>([])
 const prioritizedGeminiModels = ['gemini-3.1-flash-image', 'gemini-2.5-flash-image', 'gemini-2.5-flash', 'gemini-2.5-pro', 'gemini-3-flash-preview', 'gemini-3-pro-preview', 'gemini-2.0-flash']
 const supportsGeminiImageTest = computed(() => {
@@ -279,7 +278,7 @@ watch(
       resetState()
       await loadAvailableModels()
     } else {
-      closeEventSource()
+      abortStream()
     }
   }
 )
@@ -329,18 +328,14 @@ const resetState = () => {
 }
 
 const handleClose = () => {
-  // 防止在连接测试进行中关闭对话框
-  if (status.value === 'connecting') {
-    return
-  }
-  closeEventSource()
+  abortStream()
   emit('close')
 }
 
-const closeEventSource = () => {
-  if (eventSource) {
-    eventSource.close()
-    eventSource = null
+const abortStream = () => {
+  if (abortController) {
+    abortController.abort()
+    abortController = null
   }
 }
 
@@ -365,7 +360,9 @@ const startTest = async () => {
   addLine(t('admin.accounts.testAccountTypeLabel', { type: props.account.type }), 'text-gray-400')
   addLine('', 'text-gray-300')
 
-  closeEventSource()
+  abortStream()
+
+  abortController = new AbortController()
 
   try {
     // Create EventSource for SSE
@@ -381,7 +378,8 @@ const startTest = async () => {
       body: JSON.stringify({
               model_id: selectedModelId.value,
               prompt: supportsGeminiImageTest.value ? testPrompt.value.trim() : ''
-            })
+            }),
+      signal: abortController.signal
     })
 
     if (!response.ok) {
@@ -418,10 +416,15 @@ const startTest = async () => {
         }
       }
     }
-  } catch (error: any) {
+  } catch (error: unknown) {
+    if (error instanceof DOMException && error.name === 'AbortError') {
+      status.value = 'idle'
+      return
+    }
     status.value = 'error'
-    errorMessage.value = error.message || 'Unknown error'
-    addLine(`Error: ${errorMessage.value}`, 'text-red-400')
+    const msg = error instanceof Error ? error.message : 'Unknown error'
+    errorMessage.value = msg
+    addLine(`Error: ${msg}`, 'text-red-400')
   }
 }
 

From 6ade6d30a8f4663d0e651aec68bcf7106d5a456c Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Wed, 15 Apr 2026 13:47:38 +0800
Subject: [PATCH 111/122] feat(usage): add account cost display to admin
 dashboard and usage pages

- Add account_cost column to dashboard aggregation tables (migration 107)
- DashboardStats: add TotalAccountCost/TodayAccountCost fields
- ModelStat/GroupStat: add AccountCost field with SQL aggregation
- GetStatsWithFilters: always return TotalAccountCost (remove accountID filter)
- Dashboard Token cards: show user(green)/cost(orange)/standard(gray)
- Usage stats card: show account cost and standard below main value
- Model/Group distribution tables: add orange cost column
---
 .../pkg/usagestats/usage_log_types.go         | 20 ++++++++------
 .../repository/dashboard_aggregation_repo.go  |  8 ++++++
 backend/internal/repository/usage_log_repo.go | 27 ++++++++++++++-----
 ...7_add_account_cost_to_dashboard_tables.sql |  5 ++++
 frontend/src/api/admin/usage.ts               |  2 +-
 .../admin/usage/UsageStatsCards.vue           | 17 +++++-------
 .../charts/GroupDistributionChart.vue         |  6 ++++-
 .../charts/ModelDistributionChart.vue         |  6 ++++-
 frontend/src/i18n/locales/en.ts               |  2 ++
 frontend/src/i18n/locales/zh.ts               |  2 ++
 frontend/src/types/index.ts                   |  4 +++
 frontend/src/views/admin/DashboardView.vue    | 24 ++++++++++++-----
 12 files changed, 89 insertions(+), 34 deletions(-)
 create mode 100644 backend/migrations/107_add_account_cost_to_dashboard_tables.sql

diff --git a/backend/internal/pkg/usagestats/usage_log_types.go b/backend/internal/pkg/usagestats/usage_log_types.go
index 5d1f7911..93746844 100644
--- a/backend/internal/pkg/usagestats/usage_log_types.go
+++ b/backend/internal/pkg/usagestats/usage_log_types.go
@@ -56,8 +56,9 @@ type DashboardStats struct {
 	TotalCacheCreationTokens int64   `json:"total_cache_creation_tokens"`
 	TotalCacheReadTokens     int64   `json:"total_cache_read_tokens"`
 	TotalTokens              int64   `json:"total_tokens"`
-	TotalCost                float64 `json:"total_cost"`        // 累计标准计费
-	TotalActualCost          float64 `json:"total_actual_cost"` // 累计实际扣除
+	TotalCost                float64 `json:"total_cost"`         // 累计标准计费
+	TotalActualCost          float64 `json:"total_actual_cost"`  // 累计实际扣除
+	TotalAccountCost         float64 `json:"total_account_cost"` // 累计账号成本
 
 	// 今日 Token 使用统计
 	TodayRequests            int64   `json:"today_requests"`
@@ -66,8 +67,9 @@ type DashboardStats struct {
 	TodayCacheCreationTokens int64   `json:"today_cache_creation_tokens"`
 	TodayCacheReadTokens     int64   `json:"today_cache_read_tokens"`
 	TodayTokens              int64   `json:"today_tokens"`
-	TodayCost                float64 `json:"today_cost"`        // 今日标准计费
-	TodayActualCost          float64 `json:"today_actual_cost"` // 今日实际扣除
+	TodayCost                float64 `json:"today_cost"`          // 今日标准计费
+	TodayActualCost          float64 `json:"today_actual_cost"`   // 今日实际扣除
+	TodayAccountCost         float64 `json:"today_account_cost"`  // 今日账号成本
 
 	// 系统运行统计
 	AverageDurationMs float64 `json:"average_duration_ms"` // 平均响应时间
@@ -99,8 +101,9 @@ type ModelStat struct {
 	CacheCreationTokens int64   `json:"cache_creation_tokens"`
 	CacheReadTokens     int64   `json:"cache_read_tokens"`
 	TotalTokens         int64   `json:"total_tokens"`
-	Cost                float64 `json:"cost"`        // 标准计费
-	ActualCost          float64 `json:"actual_cost"` // 实际扣除
+	Cost                float64 `json:"cost"`         // 标准计费
+	ActualCost          float64 `json:"actual_cost"`  // 实际扣除
+	AccountCost         float64 `json:"account_cost"` // 账号成本
 }
 
 // EndpointStat represents usage statistics for a single request endpoint.
@@ -125,8 +128,9 @@ type GroupStat struct {
 	GroupName   string  `json:"group_name"`
 	Requests    int64   `json:"requests"`
 	TotalTokens int64   `json:"total_tokens"`
-	Cost        float64 `json:"cost"`        // 标准计费
-	ActualCost  float64 `json:"actual_cost"` // 实际扣除
+	Cost        float64 `json:"cost"`         // 标准计费
+	ActualCost  float64 `json:"actual_cost"`  // 实际扣除
+	AccountCost float64 `json:"account_cost"` // 账号成本
 }
 
 // UserUsageTrendPoint represents user usage trend data point
diff --git a/backend/internal/repository/dashboard_aggregation_repo.go b/backend/internal/repository/dashboard_aggregation_repo.go
index e82a73a3..5e09e75d 100644
--- a/backend/internal/repository/dashboard_aggregation_repo.go
+++ b/backend/internal/repository/dashboard_aggregation_repo.go
@@ -331,6 +331,7 @@ func (r *dashboardAggregationRepository) upsertHourlyAggregates(ctx context.Cont
 				COALESCE(SUM(cache_read_tokens), 0) AS cache_read_tokens,
 				COALESCE(SUM(total_cost), 0) AS total_cost,
 				COALESCE(SUM(actual_cost), 0) AS actual_cost,
+				COALESCE(SUM(COALESCE(account_stats_cost, total_cost) * COALESCE(account_rate_multiplier, 1)), 0) AS account_cost,
 				COALESCE(SUM(COALESCE(duration_ms, 0)), 0) AS total_duration_ms
 			FROM usage_logs
 			WHERE created_at >= $1 AND created_at < $2
@@ -351,6 +352,7 @@ func (r *dashboardAggregationRepository) upsertHourlyAggregates(ctx context.Cont
 			cache_read_tokens,
 			total_cost,
 			actual_cost,
+			account_cost,
 			total_duration_ms,
 			active_users,
 			computed_at
@@ -364,6 +366,7 @@ func (r *dashboardAggregationRepository) upsertHourlyAggregates(ctx context.Cont
 			hourly.cache_read_tokens,
 			hourly.total_cost,
 			hourly.actual_cost,
+			hourly.account_cost,
 			hourly.total_duration_ms,
 			COALESCE(user_counts.active_users, 0) AS active_users,
 			NOW()
@@ -378,6 +381,7 @@ func (r *dashboardAggregationRepository) upsertHourlyAggregates(ctx context.Cont
 			cache_read_tokens = EXCLUDED.cache_read_tokens,
 			total_cost = EXCLUDED.total_cost,
 			actual_cost = EXCLUDED.actual_cost,
+			account_cost = EXCLUDED.account_cost,
 			total_duration_ms = EXCLUDED.total_duration_ms,
 			active_users = EXCLUDED.active_users,
 			computed_at = EXCLUDED.computed_at
@@ -399,6 +403,7 @@ func (r *dashboardAggregationRepository) upsertDailyAggregates(ctx context.Conte
 				COALESCE(SUM(cache_read_tokens), 0) AS cache_read_tokens,
 				COALESCE(SUM(total_cost), 0) AS total_cost,
 				COALESCE(SUM(actual_cost), 0) AS actual_cost,
+				COALESCE(SUM(account_cost), 0) AS account_cost,
 				COALESCE(SUM(total_duration_ms), 0) AS total_duration_ms
 			FROM usage_dashboard_hourly
 			WHERE bucket_start >= $1 AND bucket_start < $2
@@ -419,6 +424,7 @@ func (r *dashboardAggregationRepository) upsertDailyAggregates(ctx context.Conte
 			cache_read_tokens,
 			total_cost,
 			actual_cost,
+			account_cost,
 			total_duration_ms,
 			active_users,
 			computed_at
@@ -432,6 +438,7 @@ func (r *dashboardAggregationRepository) upsertDailyAggregates(ctx context.Conte
 			daily.cache_read_tokens,
 			daily.total_cost,
 			daily.actual_cost,
+			daily.account_cost,
 			daily.total_duration_ms,
 			COALESCE(user_counts.active_users, 0) AS active_users,
 			NOW()
@@ -446,6 +453,7 @@ func (r *dashboardAggregationRepository) upsertDailyAggregates(ctx context.Conte
 			cache_read_tokens = EXCLUDED.cache_read_tokens,
 			total_cost = EXCLUDED.total_cost,
 			actual_cost = EXCLUDED.actual_cost,
+			account_cost = EXCLUDED.account_cost,
 			total_duration_ms = EXCLUDED.total_duration_ms,
 			active_users = EXCLUDED.active_users,
 			computed_at = EXCLUDED.computed_at
diff --git a/backend/internal/repository/usage_log_repo.go b/backend/internal/repository/usage_log_repo.go
index f942a8e1..f3789910 100644
--- a/backend/internal/repository/usage_log_repo.go
+++ b/backend/internal/repository/usage_log_repo.go
@@ -1528,6 +1528,7 @@ func (r *usageLogRepository) fillDashboardUsageStatsAggregated(ctx context.Conte
 			COALESCE(SUM(cache_read_tokens), 0) as total_cache_read_tokens,
 			COALESCE(SUM(total_cost), 0) as total_cost,
 			COALESCE(SUM(actual_cost), 0) as total_actual_cost,
+			COALESCE(SUM(account_cost), 0) as total_account_cost,
 			COALESCE(SUM(total_duration_ms), 0) as total_duration_ms
 		FROM usage_dashboard_daily
 	`
@@ -1544,6 +1545,7 @@ func (r *usageLogRepository) fillDashboardUsageStatsAggregated(ctx context.Conte
 		&stats.TotalCacheReadTokens,
 		&stats.TotalCost,
 		&stats.TotalActualCost,
+		&stats.TotalAccountCost,
 		&totalDurationMs,
 	); err != nil {
 		return err
@@ -1562,6 +1564,7 @@ func (r *usageLogRepository) fillDashboardUsageStatsAggregated(ctx context.Conte
 			cache_read_tokens as today_cache_read_tokens,
 			total_cost as today_cost,
 			actual_cost as today_actual_cost,
+			account_cost as today_account_cost,
 			active_users as active_users
 		FROM usage_dashboard_daily
 		WHERE bucket_date = $1::date
@@ -1578,6 +1581,7 @@ func (r *usageLogRepository) fillDashboardUsageStatsAggregated(ctx context.Conte
 		&stats.TodayCacheReadTokens,
 		&stats.TodayCost,
 		&stats.TodayActualCost,
+		&stats.TodayAccountCost,
 		&stats.ActiveUsers,
 	); err != nil {
 		if err != sql.ErrNoRows {
@@ -1613,6 +1617,7 @@ func (r *usageLogRepository) fillDashboardUsageStatsFromUsageLogs(ctx context.Co
 				cache_read_tokens,
 				total_cost,
 				actual_cost,
+				COALESCE(account_stats_cost, total_cost) * COALESCE(account_rate_multiplier, 1) AS account_cost,
 				COALESCE(duration_ms, 0) AS duration_ms
 			FROM usage_logs
 			WHERE created_at >= LEAST($1::timestamptz, $3::timestamptz)
@@ -1626,6 +1631,7 @@ func (r *usageLogRepository) fillDashboardUsageStatsFromUsageLogs(ctx context.Co
 			COALESCE(SUM(cache_read_tokens) FILTER (WHERE created_at >= $1::timestamptz AND created_at < $2::timestamptz), 0) AS total_cache_read_tokens,
 			COALESCE(SUM(total_cost) FILTER (WHERE created_at >= $1::timestamptz AND created_at < $2::timestamptz), 0) AS total_cost,
 			COALESCE(SUM(actual_cost) FILTER (WHERE created_at >= $1::timestamptz AND created_at < $2::timestamptz), 0) AS total_actual_cost,
+			COALESCE(SUM(account_cost) FILTER (WHERE created_at >= $1::timestamptz AND created_at < $2::timestamptz), 0) AS total_account_cost,
 			COALESCE(SUM(duration_ms) FILTER (WHERE created_at >= $1::timestamptz AND created_at < $2::timestamptz), 0) AS total_duration_ms,
 			COUNT(*) FILTER (WHERE created_at >= $3::timestamptz AND created_at < $4::timestamptz) AS today_requests,
 			COALESCE(SUM(input_tokens) FILTER (WHERE created_at >= $3::timestamptz AND created_at < $4::timestamptz), 0) AS today_input_tokens,
@@ -1633,7 +1639,8 @@ func (r *usageLogRepository) fillDashboardUsageStatsFromUsageLogs(ctx context.Co
 			COALESCE(SUM(cache_creation_tokens) FILTER (WHERE created_at >= $3::timestamptz AND created_at < $4::timestamptz), 0) AS today_cache_creation_tokens,
 			COALESCE(SUM(cache_read_tokens) FILTER (WHERE created_at >= $3::timestamptz AND created_at < $4::timestamptz), 0) AS today_cache_read_tokens,
 			COALESCE(SUM(total_cost) FILTER (WHERE created_at >= $3::timestamptz AND created_at < $4::timestamptz), 0) AS today_cost,
-			COALESCE(SUM(actual_cost) FILTER (WHERE created_at >= $3::timestamptz AND created_at < $4::timestamptz), 0) AS today_actual_cost
+			COALESCE(SUM(actual_cost) FILTER (WHERE created_at >= $3::timestamptz AND created_at < $4::timestamptz), 0) AS today_actual_cost,
+			COALESCE(SUM(account_cost) FILTER (WHERE created_at >= $3::timestamptz AND created_at < $4::timestamptz), 0) AS today_account_cost
 		FROM scoped
 	`
 	var totalDurationMs int64
@@ -1649,6 +1656,7 @@ func (r *usageLogRepository) fillDashboardUsageStatsFromUsageLogs(ctx context.Co
 		&stats.TotalCacheReadTokens,
 		&stats.TotalCost,
 		&stats.TotalActualCost,
+		&stats.TotalAccountCost,
 		&totalDurationMs,
 		&stats.TodayRequests,
 		&stats.TodayInputTokens,
@@ -1657,6 +1665,7 @@ func (r *usageLogRepository) fillDashboardUsageStatsFromUsageLogs(ctx context.Co
 		&stats.TodayCacheReadTokens,
 		&stats.TodayCost,
 		&stats.TodayActualCost,
+		&stats.TodayAccountCost,
 	); err != nil {
 		return err
 	}
@@ -2595,7 +2604,8 @@ func (r *usageLogRepository) GetUserModelStats(ctx context.Context, userID int64
 			COALESCE(SUM(cache_read_tokens), 0) as cache_read_tokens,
 			COALESCE(SUM(input_tokens + output_tokens + cache_creation_tokens + cache_read_tokens), 0) as total_tokens,
 			COALESCE(SUM(total_cost), 0) as cost,
-			COALESCE(SUM(actual_cost), 0) as actual_cost
+			COALESCE(SUM(actual_cost), 0) as actual_cost,
+			COALESCE(SUM(COALESCE(account_stats_cost, total_cost) * COALESCE(account_rate_multiplier, 1)), 0) as account_cost
 		FROM usage_logs
 		WHERE user_id = $1 AND created_at >= $2 AND created_at < $3
 		GROUP BY model
@@ -3002,6 +3012,7 @@ func (r *usageLogRepository) getModelStatsWithFiltersBySource(ctx context.Contex
 	if accountID > 0 && userID == 0 && apiKeyID == 0 {
 		actualCostExpr = "COALESCE(SUM(COALESCE(account_stats_cost, total_cost) * COALESCE(account_rate_multiplier, 1)), 0) as actual_cost"
 	}
+	accountCostExpr := "COALESCE(SUM(COALESCE(account_stats_cost, total_cost) * COALESCE(account_rate_multiplier, 1)), 0) as account_cost"
 	modelExpr := resolveModelDimensionExpression(source)
 
 	query := fmt.Sprintf(`
@@ -3014,10 +3025,11 @@ func (r *usageLogRepository) getModelStatsWithFiltersBySource(ctx context.Contex
 			COALESCE(SUM(cache_read_tokens), 0) as cache_read_tokens,
 			COALESCE(SUM(input_tokens + output_tokens + cache_creation_tokens + cache_read_tokens), 0) as total_tokens,
 			COALESCE(SUM(total_cost), 0) as cost,
+			%s,
 			%s
 		FROM usage_logs
 		WHERE created_at >= $1 AND created_at < $2
-	`, modelExpr, actualCostExpr)
+	`, modelExpr, actualCostExpr, accountCostExpr)
 
 	args := []any{startTime, endTime}
 	if userID > 0 {
@@ -3072,7 +3084,8 @@ func (r *usageLogRepository) GetGroupStatsWithFilters(ctx context.Context, start
 			COUNT(*) as requests,
 			COALESCE(SUM(ul.input_tokens + ul.output_tokens + ul.cache_creation_tokens + ul.cache_read_tokens), 0) as total_tokens,
 			COALESCE(SUM(ul.total_cost), 0) as cost,
-			COALESCE(SUM(ul.actual_cost), 0) as actual_cost
+			COALESCE(SUM(ul.actual_cost), 0) as actual_cost,
+			COALESCE(SUM(COALESCE(ul.account_stats_cost, ul.total_cost) * COALESCE(ul.account_rate_multiplier, 1)), 0) as account_cost
 		FROM usage_logs ul
 		LEFT JOIN groups g ON g.id = ul.group_id
 		WHERE ul.created_at >= $1 AND ul.created_at < $2
@@ -3123,6 +3136,7 @@ func (r *usageLogRepository) GetGroupStatsWithFilters(ctx context.Context, start
 			&row.TotalTokens,
 			&row.Cost,
 			&row.ActualCost,
+			&row.AccountCost,
 		); err != nil {
 			return nil, err
 		}
@@ -3392,9 +3406,7 @@ func (r *usageLogRepository) GetStatsWithFilters(ctx context.Context, filters Us
 	); err != nil {
 		return nil, err
 	}
-	if filters.AccountID > 0 {
-		stats.TotalAccountCost = &totalAccountCost
-	}
+	stats.TotalAccountCost = &totalAccountCost
 	stats.TotalTokens = stats.TotalInputTokens + stats.TotalOutputTokens + stats.TotalCacheTokens
 
 	start := time.Unix(0, 0).UTC()
@@ -4272,6 +4284,7 @@ func scanModelStatsRows(rows *sql.Rows) ([]ModelStat, error) {
 			&row.TotalTokens,
 			&row.Cost,
 			&row.ActualCost,
+			&row.AccountCost,
 		); err != nil {
 			return nil, err
 		}
diff --git a/backend/migrations/107_add_account_cost_to_dashboard_tables.sql b/backend/migrations/107_add_account_cost_to_dashboard_tables.sql
new file mode 100644
index 00000000..9f815a3f
--- /dev/null
+++ b/backend/migrations/107_add_account_cost_to_dashboard_tables.sql
@@ -0,0 +1,5 @@
+-- Add account_cost column to dashboard aggregation tables for admin dashboard display.
+-- account_cost = SUM(COALESCE(account_stats_cost, total_cost) * COALESCE(account_rate_multiplier, 1))
+
+ALTER TABLE usage_dashboard_hourly ADD COLUMN IF NOT EXISTS account_cost DECIMAL(20, 10) NOT NULL DEFAULT 0;
+ALTER TABLE usage_dashboard_daily ADD COLUMN IF NOT EXISTS account_cost DECIMAL(20, 10) NOT NULL DEFAULT 0;
diff --git a/frontend/src/api/admin/usage.ts b/frontend/src/api/admin/usage.ts
index 37df7553..7ad00742 100644
--- a/frontend/src/api/admin/usage.ts
+++ b/frontend/src/api/admin/usage.ts
@@ -17,7 +17,7 @@ export interface AdminUsageStatsResponse {
   total_tokens: number
   total_cost: number
   total_actual_cost: number
-  total_account_cost?: number
+  total_account_cost: number
   average_duration_ms: number
   endpoints?: EndpointStat[]
   upstream_endpoints?: EndpointStat[]
diff --git a/frontend/src/components/admin/usage/UsageStatsCards.vue b/frontend/src/components/admin/usage/UsageStatsCards.vue
index cd962a09..63eb6127 100644
--- a/frontend/src/components/admin/usage/UsageStatsCards.vue
+++ b/frontend/src/components/admin/usage/UsageStatsCards.vue
@@ -28,17 +28,14 @@
       <div class="min-w-0 flex-1">
         <p class="text-xs font-medium text-gray-500">{{ t('usage.totalCost') }}</p>
         <p class="text-xl font-bold text-green-600">
-          ${{ ((stats?.total_account_cost ?? stats?.total_actual_cost) || 0).toFixed(4) }}
+          ${{ (stats?.total_actual_cost || 0).toFixed(4) }}
         </p>
-        <p class="text-xs text-gray-400" v-if="stats?.total_account_cost != null">
-          {{ t('usage.userBilled') }}:
-          <span class="text-gray-300">${{ (stats?.total_actual_cost || 0).toFixed(4) }}</span>
-          · {{ t('usage.standardCost') }}:
-          <span class="text-gray-300">${{ (stats?.total_cost || 0).toFixed(4) }}</span>
-        </p>
-        <p class="text-xs text-gray-400" v-else>
-          {{ t('usage.standardCost') }}:
-          <span class="line-through">${{ (stats?.total_cost || 0).toFixed(4) }}</span>
+        <p class="text-xs text-gray-400">
+          <span class="text-orange-500">${{ (stats?.total_account_cost || 0).toFixed(4) }}</span>
+          <span> {{ t('usage.accountCost') }}</span>
+          <span> · </span>
+          <span>${{ (stats?.total_cost || 0).toFixed(4) }}</span>
+          <span> {{ t('usage.standardCost') }}</span>
         </p>
       </div>
     </div>
diff --git a/frontend/src/components/charts/GroupDistributionChart.vue b/frontend/src/components/charts/GroupDistributionChart.vue
index 560529b1..8e801cfe 100644
--- a/frontend/src/components/charts/GroupDistributionChart.vue
+++ b/frontend/src/components/charts/GroupDistributionChart.vue
@@ -45,6 +45,7 @@
               <th class="pb-2 text-right">{{ t('admin.dashboard.requests') }}</th>
               <th class="pb-2 text-right">{{ t('admin.dashboard.tokens') }}</th>
               <th class="pb-2 text-right">{{ t('admin.dashboard.actual') }}</th>
+              <th class="pb-2 text-right">{{ t('admin.dashboard.accountCost') }}</th>
               <th class="pb-2 text-right">{{ t('admin.dashboard.standard') }}</th>
             </tr>
           </thead>
@@ -75,13 +76,16 @@
                 <td class="py-1.5 text-right text-green-600 dark:text-green-400">
                   ${{ formatCost(group.actual_cost) }}
                 </td>
+                <td class="py-1.5 text-right text-orange-500 dark:text-orange-400">
+                  ${{ formatCost(group.account_cost) }}
+                </td>
                 <td class="py-1.5 text-right text-gray-400 dark:text-gray-500">
                   ${{ formatCost(group.cost) }}
                 </td>
               </tr>
               <!-- User breakdown sub-rows -->
               <tr v-if="expandedKey === `group-${group.group_id}`">
-                <td colspan="5" class="p-0">
+                <td colspan="6" class="p-0">
                   <UserBreakdownSubTable
                     :items="breakdownItems"
                     :loading="breakdownLoading"
diff --git a/frontend/src/components/charts/ModelDistributionChart.vue b/frontend/src/components/charts/ModelDistributionChart.vue
index 820eada3..c0744416 100644
--- a/frontend/src/components/charts/ModelDistributionChart.vue
+++ b/frontend/src/components/charts/ModelDistributionChart.vue
@@ -114,6 +114,7 @@
               <th class="pb-2 text-right">{{ t('admin.dashboard.requests') }}</th>
               <th class="pb-2 text-right">{{ t('admin.dashboard.tokens') }}</th>
               <th class="pb-2 text-right">{{ t('admin.dashboard.actual') }}</th>
+              <th class="pb-2 text-right">{{ t('admin.dashboard.accountCost') }}</th>
               <th class="pb-2 text-right">{{ t('admin.dashboard.standard') }}</th>
             </tr>
           </thead>
@@ -142,12 +143,15 @@
                 <td class="py-1.5 text-right text-green-600 dark:text-green-400">
                   ${{ formatCost(model.actual_cost) }}
                 </td>
+                <td class="py-1.5 text-right text-orange-500 dark:text-orange-400">
+                  ${{ formatCost(model.account_cost) }}
+                </td>
                 <td class="py-1.5 text-right text-gray-400 dark:text-gray-500">
                   ${{ formatCost(model.cost) }}
                 </td>
               </tr>
               <tr v-if="expandedKey === `model-${model.model}`">
-                <td colspan="5" class="p-0">
+                <td colspan="6" class="p-0">
                   <UserBreakdownSubTable
                     :items="breakdownItems"
                     :loading="breakdownLoading"
diff --git a/frontend/src/i18n/locales/en.ts b/frontend/src/i18n/locales/en.ts
index a9dff584..d08c7792 100644
--- a/frontend/src/i18n/locales/en.ts
+++ b/frontend/src/i18n/locales/en.ts
@@ -732,6 +732,7 @@ export default {
     totalCost: 'Total Cost',
     standardCost: 'Standard',
     actualCost: 'Actual',
+    accountCost: 'Cost',
     userBilled: 'User billed',
     accountBilled: 'Account billed',
     accountMultiplier: 'Account rate',
@@ -1039,6 +1040,7 @@ export default {
       tokens: 'Tokens',
       actual: 'Actual',
       standard: 'Standard',
+      accountCost: 'Cost',
       noDataAvailable: 'No data available',
       recentUsage: 'Recent Usage',
       viewModelDistribution: 'Model Distribution',
diff --git a/frontend/src/i18n/locales/zh.ts b/frontend/src/i18n/locales/zh.ts
index c78f9a74..3c6b4fdb 100644
--- a/frontend/src/i18n/locales/zh.ts
+++ b/frontend/src/i18n/locales/zh.ts
@@ -736,6 +736,7 @@ export default {
     totalCost: '总消费',
     standardCost: '标准',
     actualCost: '实际',
+    accountCost: '成本',
     userBilled: '用户扣费',
     accountBilled: '账号计费',
     accountMultiplier: '账号倍率',
@@ -1026,6 +1027,7 @@ export default {
       totalCost: '总消费',
       actual: '实际',
       standard: '标准',
+      accountCost: '成本',
       todayTokens: '今日 Token',
       totalTokens: '总 Token',
       input: '输入',
diff --git a/frontend/src/types/index.ts b/frontend/src/types/index.ts
index 59ccfcbe..aaa3e35f 100644
--- a/frontend/src/types/index.ts
+++ b/frontend/src/types/index.ts
@@ -1158,6 +1158,7 @@ export interface DashboardStats {
   total_tokens: number
   total_cost: number // 累计标准计费
   total_actual_cost: number // 累计实际扣除
+  total_account_cost: number // 累计账号成本
 
   // 今日 Token 使用统计
   today_requests: number
@@ -1168,6 +1169,7 @@ export interface DashboardStats {
   today_tokens: number
   today_cost: number // 今日标准计费
   today_actual_cost: number // 今日实际扣除
+  today_account_cost: number // 今日账号成本
 
   // 系统运行统计
   average_duration_ms: number // 平均响应时间
@@ -1215,6 +1217,7 @@ export interface ModelStat {
   total_tokens: number
   cost: number // 标准计费
   actual_cost: number // 实际扣除
+  account_cost: number // 账号成本
 }
 
 export interface EndpointStat {
@@ -1232,6 +1235,7 @@ export interface GroupStat {
   total_tokens: number
   cost: number // 标准计费
   actual_cost: number // 实际扣除
+  account_cost: number // 账号成本
 }
 
 export interface UserBreakdownItem {
diff --git a/frontend/src/views/admin/DashboardView.vue b/frontend/src/views/admin/DashboardView.vue
index 430b7cee..48a7d161 100644
--- a/frontend/src/views/admin/DashboardView.vue
+++ b/frontend/src/views/admin/DashboardView.vue
@@ -112,15 +112,21 @@
                 </p>
                 <p class="text-xs">
                   <span
-                    class="text-amber-600 dark:text-amber-400"
+                    class="text-green-600 dark:text-green-400"
                     :title="t('admin.dashboard.actual')"
                     >${{ formatCost(stats.today_actual_cost) }}</span
                   >
+                  <span class="text-gray-400 dark:text-gray-500"> / </span>
+                  <span
+                    class="text-orange-500 dark:text-orange-400"
+                    :title="t('admin.dashboard.accountCost')"
+                    >${{ formatCost(stats.today_account_cost) }}</span
+                  >
+                  <span class="text-gray-400 dark:text-gray-500"> / </span>
                   <span
                     class="text-gray-400 dark:text-gray-500"
                     :title="t('admin.dashboard.standard')"
-                  >
-                    / ${{ formatCost(stats.today_cost) }}</span
+                    >${{ formatCost(stats.today_cost) }}</span
                   >
                 </p>
               </div>
@@ -142,15 +148,21 @@
                 </p>
                 <p class="text-xs">
                   <span
-                    class="text-indigo-600 dark:text-indigo-400"
+                    class="text-green-600 dark:text-green-400"
                     :title="t('admin.dashboard.actual')"
                     >${{ formatCost(stats.total_actual_cost) }}</span
                   >
+                  <span class="text-gray-400 dark:text-gray-500"> / </span>
+                  <span
+                    class="text-orange-500 dark:text-orange-400"
+                    :title="t('admin.dashboard.accountCost')"
+                    >${{ formatCost(stats.total_account_cost) }}</span
+                  >
+                  <span class="text-gray-400 dark:text-gray-500"> / </span>
                   <span
                     class="text-gray-400 dark:text-gray-500"
                     :title="t('admin.dashboard.standard')"
-                  >
-                    / ${{ formatCost(stats.total_cost) }}</span
+                    >${{ formatCost(stats.total_cost) }}</span
                   >
                 </p>
               </div>

From 22680dc602ac6257636df97496c0b4c6195a8e42 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Wed, 15 Apr 2026 14:10:16 +0800
Subject: [PATCH 112/122] test(usage): add unit tests for account_cost and fix
 gofmt

- Fix mock for GetModelStatsWithFilters: add account_cost column
- Add assertion: GetStatsWithFilters always returns TotalAccountCost
- New test: GetModelStatsAccountCostColumn verifies scan of AccountCost
- New test: GetGroupStatsAccountCostColumn verifies scan of AccountCost
- New test: GetStatsWithFiltersAlwaysReturnsAccountCost (no AccountID filter)
- Integration test: add TotalAccountCost/TodayAccountCost assertions
- Fix gofmt alignment in usage_log_types.go
---
 .../pkg/usagestats/usage_log_types.go         |  6 +-
 .../usage_log_repo_integration_test.go        |  5 ++
 .../usage_log_repo_request_type_test.go       | 89 ++++++++++++++++++-
 3 files changed, 96 insertions(+), 4 deletions(-)

diff --git a/backend/internal/pkg/usagestats/usage_log_types.go b/backend/internal/pkg/usagestats/usage_log_types.go
index 93746844..361c6ed7 100644
--- a/backend/internal/pkg/usagestats/usage_log_types.go
+++ b/backend/internal/pkg/usagestats/usage_log_types.go
@@ -67,9 +67,9 @@ type DashboardStats struct {
 	TodayCacheCreationTokens int64   `json:"today_cache_creation_tokens"`
 	TodayCacheReadTokens     int64   `json:"today_cache_read_tokens"`
 	TodayTokens              int64   `json:"today_tokens"`
-	TodayCost                float64 `json:"today_cost"`          // 今日标准计费
-	TodayActualCost          float64 `json:"today_actual_cost"`   // 今日实际扣除
-	TodayAccountCost         float64 `json:"today_account_cost"`  // 今日账号成本
+	TodayCost                float64 `json:"today_cost"`         // 今日标准计费
+	TodayActualCost          float64 `json:"today_actual_cost"`  // 今日实际扣除
+	TodayAccountCost         float64 `json:"today_account_cost"` // 今日账号成本
 
 	// 系统运行统计
 	AverageDurationMs float64 `json:"average_duration_ms"` // 平均响应时间
diff --git a/backend/internal/repository/usage_log_repo_integration_test.go b/backend/internal/repository/usage_log_repo_integration_test.go
index 0383f3bc..ed3050d8 100644
--- a/backend/internal/repository/usage_log_repo_integration_test.go
+++ b/backend/internal/repository/usage_log_repo_integration_test.go
@@ -753,8 +753,11 @@ func (s *UsageLogRepoSuite) TestDashboardStats_TodayTotalsAndPerformance() {
 	s.Require().Equal(baseStats.TotalTokens+int64(51), stats.TotalTokens, "TotalTokens mismatch")
 	s.Require().Equal(baseStats.TotalCost+2.3, stats.TotalCost, "TotalCost mismatch")
 	s.Require().Equal(baseStats.TotalActualCost+2.0, stats.TotalActualCost, "TotalActualCost mismatch")
+	// account_cost falls back to total_cost when account_stats_cost is NULL
+	s.Require().Equal(baseStats.TotalAccountCost+2.3, stats.TotalAccountCost, "TotalAccountCost mismatch")
 	s.Require().GreaterOrEqual(stats.TodayRequests, int64(1), "expected TodayRequests >= 1")
 	s.Require().GreaterOrEqual(stats.TodayCost, 0.0, "expected TodayCost >= 0")
+	s.Require().GreaterOrEqual(stats.TodayAccountCost, 0.0, "expected TodayAccountCost >= 0")
 
 	wantRpm, wantTpm, err := s.repo.getPerformanceStats(s.ctx, 0)
 	s.Require().NoError(err, "getPerformanceStats")
@@ -833,6 +836,8 @@ func (s *UsageLogRepoSuite) TestDashboardStatsWithRange_Fallback() {
 	s.Require().Equal(int64(45), stats.TotalTokens)
 	s.Require().Equal(1.5, stats.TotalCost)
 	s.Require().Equal(1.4, stats.TotalActualCost)
+	// account_cost = COALESCE(account_stats_cost, total_cost) * COALESCE(account_rate_multiplier, 1) = total_cost
+	s.Require().Equal(1.5, stats.TotalAccountCost)
 	s.Require().InEpsilon(150.0, stats.AverageDurationMs, 0.0001)
 }
 
diff --git a/backend/internal/repository/usage_log_repo_request_type_test.go b/backend/internal/repository/usage_log_repo_request_type_test.go
index acdd6e62..a5ff4bc1 100644
--- a/backend/internal/repository/usage_log_repo_request_type_test.go
+++ b/backend/internal/repository/usage_log_repo_request_type_test.go
@@ -301,7 +301,7 @@ func TestUsageLogRepositoryGetModelStatsWithFiltersRequestTypePriority(t *testin
 
 	mock.ExpectQuery("AND \\(request_type = \\$3 OR \\(request_type = 0 AND openai_ws_mode = TRUE\\)\\)").
 		WithArgs(start, end, requestType).
-		WillReturnRows(sqlmock.NewRows([]string{"model", "requests", "input_tokens", "output_tokens", "cache_creation_tokens", "cache_read_tokens", "total_tokens", "cost", "actual_cost"}))
+		WillReturnRows(sqlmock.NewRows([]string{"model", "requests", "input_tokens", "output_tokens", "cache_creation_tokens", "cache_read_tokens", "total_tokens", "cost", "actual_cost", "account_cost"}))
 
 	stats, err := repo.GetModelStatsWithFilters(context.Background(), start, end, 0, 0, 0, 0, &requestType, &stream, nil)
 	require.NoError(t, err)
@@ -346,6 +346,93 @@ func TestUsageLogRepositoryGetStatsWithFiltersRequestTypePriority(t *testing.T)
 	require.NoError(t, err)
 	require.Equal(t, int64(1), stats.TotalRequests)
 	require.Equal(t, int64(9), stats.TotalTokens)
+	require.NotNil(t, stats.TotalAccountCost, "TotalAccountCost should always be returned")
+	require.Equal(t, 1.2, *stats.TotalAccountCost)
+	require.NoError(t, mock.ExpectationsWereMet())
+}
+
+func TestUsageLogRepositoryGetModelStatsAccountCostColumn(t *testing.T) {
+	db, mock := newSQLMock(t)
+	repo := &usageLogRepository{sql: db}
+
+	start := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
+	end := start.Add(24 * time.Hour)
+
+	mock.ExpectQuery("FROM usage_logs").
+		WithArgs(start, end).
+		WillReturnRows(sqlmock.NewRows([]string{
+			"model", "requests", "input_tokens", "output_tokens",
+			"cache_creation_tokens", "cache_read_tokens", "total_tokens",
+			"cost", "actual_cost", "account_cost",
+		}).
+			AddRow("claude-opus-4-6", int64(10), int64(100), int64(200), int64(5), int64(3), int64(308), 2.5, 2.0, 1.8).
+			AddRow("claude-sonnet-4-6", int64(5), int64(50), int64(100), int64(0), int64(0), int64(150), 1.0, 0.8, 0.7))
+
+	results, err := repo.GetModelStatsWithFilters(context.Background(), start, end, 0, 0, 0, 0, nil, nil, nil)
+	require.NoError(t, err)
+	require.Len(t, results, 2)
+	require.Equal(t, "claude-opus-4-6", results[0].Model)
+	require.Equal(t, 2.5, results[0].Cost)
+	require.Equal(t, 2.0, results[0].ActualCost)
+	require.Equal(t, 1.8, results[0].AccountCost)
+	require.Equal(t, "claude-sonnet-4-6", results[1].Model)
+	require.Equal(t, 0.7, results[1].AccountCost)
+	require.NoError(t, mock.ExpectationsWereMet())
+}
+
+func TestUsageLogRepositoryGetGroupStatsAccountCostColumn(t *testing.T) {
+	db, mock := newSQLMock(t)
+	repo := &usageLogRepository{sql: db}
+
+	start := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
+	end := start.Add(24 * time.Hour)
+
+	mock.ExpectQuery("FROM usage_logs").
+		WithArgs(start, end).
+		WillReturnRows(sqlmock.NewRows([]string{
+			"group_id", "group_name", "requests", "total_tokens",
+			"cost", "actual_cost", "account_cost",
+		}).
+			AddRow(int64(1), "azure-cc", int64(100), int64(5000), 10.0, 8.5, 7.2).
+			AddRow(int64(2), "max", int64(50), int64(2000), 5.0, 4.0, 3.5))
+
+	results, err := repo.GetGroupStatsWithFilters(context.Background(), start, end, 0, 0, 0, 0, nil, nil, nil)
+	require.NoError(t, err)
+	require.Len(t, results, 2)
+	require.Equal(t, int64(1), results[0].GroupID)
+	require.Equal(t, "azure-cc", results[0].GroupName)
+	require.Equal(t, 10.0, results[0].Cost)
+	require.Equal(t, 8.5, results[0].ActualCost)
+	require.Equal(t, 7.2, results[0].AccountCost)
+	require.Equal(t, int64(2), results[1].GroupID)
+	require.Equal(t, 3.5, results[1].AccountCost)
+	require.NoError(t, mock.ExpectationsWereMet())
+}
+
+func TestUsageLogRepositoryGetStatsWithFiltersAlwaysReturnsAccountCost(t *testing.T) {
+	db, mock := newSQLMock(t)
+	repo := &usageLogRepository{sql: db}
+
+	// No AccountID filter set - TotalAccountCost should still be returned
+	filters := usagestats.UsageLogFilters{}
+
+	mock.ExpectQuery("FROM usage_logs").
+		WillReturnRows(sqlmock.NewRows([]string{
+			"total_requests", "total_input_tokens", "total_output_tokens",
+			"total_cache_tokens", "total_cost", "total_actual_cost",
+			"total_account_cost", "avg_duration_ms",
+		}).AddRow(int64(50), int64(1000), int64(2000), int64(100), 15.0, 12.5, 11.0, 100.0))
+	mock.ExpectQuery("SELECT COALESCE\\(NULLIF\\(TRIM\\(inbound_endpoint\\)").
+		WillReturnRows(sqlmock.NewRows([]string{"endpoint", "requests", "total_tokens", "cost", "actual_cost"}))
+	mock.ExpectQuery("SELECT COALESCE\\(NULLIF\\(TRIM\\(upstream_endpoint\\)").
+		WillReturnRows(sqlmock.NewRows([]string{"endpoint", "requests", "total_tokens", "cost", "actual_cost"}))
+	mock.ExpectQuery("SELECT CONCAT\\(").
+		WillReturnRows(sqlmock.NewRows([]string{"endpoint", "requests", "total_tokens", "cost", "actual_cost"}))
+
+	stats, err := repo.GetStatsWithFilters(context.Background(), filters)
+	require.NoError(t, err)
+	require.NotNil(t, stats.TotalAccountCost, "TotalAccountCost must always be returned, even without AccountID filter")
+	require.Equal(t, 11.0, *stats.TotalAccountCost)
 	require.NoError(t, mock.ExpectationsWereMet())
 }
 

From e0b12b7512a033671dc861ae91850d823082882f Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Wed, 15 Apr 2026 14:17:57 +0800
Subject: [PATCH 113/122] fix(usage): put cost label before value in usage
 stats card

---
 frontend/src/components/admin/usage/UsageStatsCards.vue | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/frontend/src/components/admin/usage/UsageStatsCards.vue b/frontend/src/components/admin/usage/UsageStatsCards.vue
index 63eb6127..905ece61 100644
--- a/frontend/src/components/admin/usage/UsageStatsCards.vue
+++ b/frontend/src/components/admin/usage/UsageStatsCards.vue
@@ -31,11 +31,9 @@
           ${{ (stats?.total_actual_cost || 0).toFixed(4) }}
         </p>
         <p class="text-xs text-gray-400">
-          <span class="text-orange-500">${{ (stats?.total_account_cost || 0).toFixed(4) }}</span>
-          <span> {{ t('usage.accountCost') }}</span>
+          <span class="text-orange-500">{{ t('usage.accountCost') }} ${{ (stats?.total_account_cost || 0).toFixed(4) }}</span>
           <span> · </span>
-          <span>${{ (stats?.total_cost || 0).toFixed(4) }}</span>
-          <span> {{ t('usage.standardCost') }}</span>
+          <span>{{ t('usage.standardCost') }} ${{ (stats?.total_cost || 0).toFixed(4) }}</span>
         </p>
       </div>
     </div>

From 7451b6f9ae3138c946558d40ff4ea2d737d6c74e Mon Sep 17 00:00:00 2001
From: Wesley Liddick <shaw-wei@foxmail.com>
Date: Wed, 15 Apr 2026 15:29:52 +0800
Subject: [PATCH 114/122] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=20OpenAI=20=E8=B4=A6?=
 =?UTF-8?q?=E5=8F=B7=E9=99=90=E6=B5=81=E5=9B=9E=E6=B5=81=E8=AF=AF=E5=88=A4?=
 =?UTF-8?q?=EF=BC=9A7d=20=E7=AA=97=E5=8F=A3=E5=8F=AF=E7=94=A8=E6=97=B6?=
 =?UTF-8?q?=E4=B8=8D=E5=9B=A0=205h=20=E7=AA=97=E5=8F=A3=E4=B8=BA=200=20?=
 =?UTF-8?q?=E5=9B=9E=E5=86=99=20429?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../internal/service/account_test_service.go  | 12 ---
 .../account_test_service_openai_test.go       | 11 +--
 .../internal/service/account_usage_service.go | 64 ++++++---------
 .../service/account_usage_service_test.go     | 76 ++++++++++--------
 backend/internal/service/admin_service.go     |  4 -
 .../service/openai_gateway_service.go         | 78 +------------------
 .../openai_ws_ratelimit_signal_test.go        | 25 +++---
 7 files changed, 80 insertions(+), 190 deletions(-)

diff --git a/backend/internal/service/account_test_service.go b/backend/internal/service/account_test_service.go
index 55865945..a5559b7d 100644
--- a/backend/internal/service/account_test_service.go
+++ b/backend/internal/service/account_test_service.go
@@ -515,22 +515,10 @@ func (s *AccountTestService) testOpenAIAccountConnection(c *gin.Context, account
 			_ = s.accountRepo.UpdateExtra(ctx, account.ID, updates)
 			mergeAccountExtra(account, updates)
 		}
-		if snapshot := ParseCodexRateLimitHeaders(resp.Header); snapshot != nil {
-			if resetAt := codexRateLimitResetAtFromSnapshot(snapshot, time.Now()); resetAt != nil {
-				_ = s.accountRepo.SetRateLimited(ctx, account.ID, *resetAt)
-				account.RateLimitResetAt = resetAt
-			}
-		}
 	}
 
 	if resp.StatusCode != http.StatusOK {
 		body, _ := io.ReadAll(resp.Body)
-		if isOAuth && s.accountRepo != nil {
-			if resetAt := (&RateLimitService{}).calculateOpenAI429ResetTime(resp.Header); resetAt != nil {
-				_ = s.accountRepo.SetRateLimited(ctx, account.ID, *resetAt)
-				account.RateLimitResetAt = resetAt
-			}
-		}
 		// 401 Unauthorized: 标记账号为永久错误
 		if resp.StatusCode == http.StatusUnauthorized && s.accountRepo != nil {
 			errMsg := fmt.Sprintf("Authentication failed (401): %s", string(body))
diff --git a/backend/internal/service/account_test_service_openai_test.go b/backend/internal/service/account_test_service_openai_test.go
index 5125db5b..82606979 100644
--- a/backend/internal/service/account_test_service_openai_test.go
+++ b/backend/internal/service/account_test_service_openai_test.go
@@ -111,7 +111,7 @@ func TestAccountTestService_OpenAISuccessPersistsSnapshotFromHeaders(t *testing.
 	require.Contains(t, recorder.Body.String(), "test_complete")
 }
 
-func TestAccountTestService_OpenAI429PersistsSnapshotAndRateLimit(t *testing.T) {
+func TestAccountTestService_OpenAI429PersistsSnapshotWithoutRateLimit(t *testing.T) {
 	gin.SetMode(gin.TestMode)
 	ctx, _ := newTestContext()
 
@@ -138,10 +138,7 @@ func TestAccountTestService_OpenAI429PersistsSnapshotAndRateLimit(t *testing.T)
 	require.Error(t, err)
 	require.NotEmpty(t, repo.updatedExtra)
 	require.Equal(t, 100.0, repo.updatedExtra["codex_5h_used_percent"])
-	require.Equal(t, int64(88), repo.rateLimitedID)
-	require.NotNil(t, repo.rateLimitedAt)
-	require.NotNil(t, account.RateLimitResetAt)
-	if account.RateLimitResetAt != nil && repo.rateLimitedAt != nil {
-		require.WithinDuration(t, *repo.rateLimitedAt, *account.RateLimitResetAt, time.Second)
-	}
+	require.Zero(t, repo.rateLimitedID)
+	require.Nil(t, repo.rateLimitedAt)
+	require.Nil(t, account.RateLimitResetAt)
 }
diff --git a/backend/internal/service/account_usage_service.go b/backend/internal/service/account_usage_service.go
index 0e5741d8..8d5bcec8 100644
--- a/backend/internal/service/account_usage_service.go
+++ b/backend/internal/service/account_usage_service.go
@@ -499,7 +499,6 @@ func (s *AccountUsageService) getOpenAIUsage(ctx context.Context, account *Accou
 	if account == nil {
 		return usage, nil
 	}
-	syncOpenAICodexRateLimitFromExtra(ctx, s.accountRepo, account, now)
 
 	if progress := buildCodexUsageProgressFromExtra(account.Extra, "5h", now); progress != nil {
 		usage.FiveHour = progress
@@ -509,11 +508,8 @@ func (s *AccountUsageService) getOpenAIUsage(ctx context.Context, account *Accou
 	}
 
 	if shouldRefreshOpenAICodexSnapshot(account, usage, now) && s.shouldProbeOpenAICodexSnapshot(account.ID, now) {
-		if updates, resetAt, err := s.probeOpenAICodexSnapshot(ctx, account); err == nil && (len(updates) > 0 || resetAt != nil) {
+		if updates, err := s.probeOpenAICodexSnapshot(ctx, account); err == nil && len(updates) > 0 {
 			mergeAccountExtra(account, updates)
-			if resetAt != nil {
-				account.RateLimitResetAt = resetAt
-			}
 			if usage.UpdatedAt == nil {
 				usage.UpdatedAt = &now
 			}
@@ -594,26 +590,26 @@ func (s *AccountUsageService) shouldProbeOpenAICodexSnapshot(accountID int64, no
 	return true
 }
 
-func (s *AccountUsageService) probeOpenAICodexSnapshot(ctx context.Context, account *Account) (map[string]any, *time.Time, error) {
+func (s *AccountUsageService) probeOpenAICodexSnapshot(ctx context.Context, account *Account) (map[string]any, error) {
 	if account == nil || !account.IsOAuth() {
-		return nil, nil, nil
+		return nil, nil
 	}
 	accessToken := account.GetOpenAIAccessToken()
 	if accessToken == "" {
-		return nil, nil, fmt.Errorf("no access token available")
+		return nil, fmt.Errorf("no access token available")
 	}
 	modelID := openaipkg.DefaultTestModel
 	payload := createOpenAITestPayload(modelID, true)
 	payloadBytes, err := json.Marshal(payload)
 	if err != nil {
-		return nil, nil, fmt.Errorf("marshal openai probe payload: %w", err)
+		return nil, fmt.Errorf("marshal openai probe payload: %w", err)
 	}
 
 	reqCtx, cancel := context.WithTimeout(ctx, 15*time.Second)
 	defer cancel()
 	req, err := http.NewRequestWithContext(reqCtx, http.MethodPost, chatgptCodexURL, bytes.NewReader(payloadBytes))
 	if err != nil {
-		return nil, nil, fmt.Errorf("create openai probe request: %w", err)
+		return nil, fmt.Errorf("create openai probe request: %w", err)
 	}
 	req.Host = "chatgpt.com"
 	req.Header.Set("Content-Type", "application/json")
@@ -642,67 +638,51 @@ func (s *AccountUsageService) probeOpenAICodexSnapshot(ctx context.Context, acco
 		ResponseHeaderTimeout: 10 * time.Second,
 	})
 	if err != nil {
-		return nil, nil, fmt.Errorf("build openai probe client: %w", err)
+		return nil, fmt.Errorf("build openai probe client: %w", err)
 	}
 	resp, err := client.Do(req)
 	if err != nil {
-		return nil, nil, fmt.Errorf("openai codex probe request failed: %w", err)
+		return nil, fmt.Errorf("openai codex probe request failed: %w", err)
 	}
 	defer func() { _ = resp.Body.Close() }()
 
-	updates, resetAt, err := extractOpenAICodexProbeSnapshot(resp)
+	updates, err := extractOpenAICodexProbeUpdates(resp)
 	if err != nil {
-		return nil, nil, err
+		return nil, err
 	}
-	if len(updates) > 0 || resetAt != nil {
-		s.persistOpenAICodexProbeSnapshot(account.ID, updates, resetAt)
-		return updates, resetAt, nil
+	if len(updates) > 0 {
+		s.persistOpenAICodexProbeSnapshot(account.ID, updates)
+		return updates, nil
 	}
-	return nil, nil, nil
+	return nil, nil
 }
 
-func (s *AccountUsageService) persistOpenAICodexProbeSnapshot(accountID int64, updates map[string]any, resetAt *time.Time) {
+func (s *AccountUsageService) persistOpenAICodexProbeSnapshot(accountID int64, updates map[string]any) {
 	if s == nil || s.accountRepo == nil || accountID <= 0 {
 		return
 	}
-	if len(updates) == 0 && resetAt == nil {
+	if len(updates) == 0 {
 		return
 	}
 
 	go func() {
 		updateCtx, updateCancel := context.WithTimeout(context.Background(), 5*time.Second)
 		defer updateCancel()
-		if len(updates) > 0 {
-			_ = s.accountRepo.UpdateExtra(updateCtx, accountID, updates)
-		}
-		if resetAt != nil {
-			_ = s.accountRepo.SetRateLimited(updateCtx, accountID, *resetAt)
-		}
+		_ = s.accountRepo.UpdateExtra(updateCtx, accountID, updates)
 	}()
 }
 
-func extractOpenAICodexProbeSnapshot(resp *http.Response) (map[string]any, *time.Time, error) {
+func extractOpenAICodexProbeUpdates(resp *http.Response) (map[string]any, error) {
 	if resp == nil {
-		return nil, nil, nil
+		return nil, nil
 	}
 	if snapshot := ParseCodexRateLimitHeaders(resp.Header); snapshot != nil {
-		baseTime := time.Now()
-		updates := buildCodexUsageExtraUpdates(snapshot, baseTime)
-		resetAt := codexRateLimitResetAtFromSnapshot(snapshot, baseTime)
-		if len(updates) > 0 {
-			return updates, resetAt, nil
-		}
-		return nil, resetAt, nil
+		return buildCodexUsageExtraUpdates(snapshot, time.Now()), nil
 	}
 	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
-		return nil, nil, fmt.Errorf("openai codex probe returned status %d", resp.StatusCode)
+		return nil, fmt.Errorf("openai codex probe returned status %d", resp.StatusCode)
 	}
-	return nil, nil, nil
-}
-
-func extractOpenAICodexProbeUpdates(resp *http.Response) (map[string]any, error) {
-	updates, _, err := extractOpenAICodexProbeSnapshot(resp)
-	return updates, err
+	return nil, nil
 }
 
 func mergeAccountExtra(account *Account, updates map[string]any) {
diff --git a/backend/internal/service/account_usage_service_test.go b/backend/internal/service/account_usage_service_test.go
index fe255225..28b49838 100644
--- a/backend/internal/service/account_usage_service_test.go
+++ b/backend/internal/service/account_usage_service_test.go
@@ -92,30 +92,7 @@ func TestExtractOpenAICodexProbeUpdatesAccepts429WithCodexHeaders(t *testing.T)
 	}
 }
 
-func TestExtractOpenAICodexProbeSnapshotAccepts429WithResetAt(t *testing.T) {
-	t.Parallel()
-
-	headers := make(http.Header)
-	headers.Set("x-codex-primary-used-percent", "100")
-	headers.Set("x-codex-primary-reset-after-seconds", "604800")
-	headers.Set("x-codex-primary-window-minutes", "10080")
-	headers.Set("x-codex-secondary-used-percent", "100")
-	headers.Set("x-codex-secondary-reset-after-seconds", "18000")
-	headers.Set("x-codex-secondary-window-minutes", "300")
-
-	updates, resetAt, err := extractOpenAICodexProbeSnapshot(&http.Response{StatusCode: http.StatusTooManyRequests, Header: headers})
-	if err != nil {
-		t.Fatalf("extractOpenAICodexProbeSnapshot() error = %v", err)
-	}
-	if len(updates) == 0 {
-		t.Fatal("expected codex probe updates from 429 headers")
-	}
-	if resetAt == nil {
-		t.Fatal("expected resetAt from exhausted codex headers")
-	}
-}
-
-func TestAccountUsageService_PersistOpenAICodexProbeSnapshotSetsRateLimit(t *testing.T) {
+func TestAccountUsageService_PersistOpenAICodexProbeSnapshotOnlyUpdatesExtra(t *testing.T) {
 	t.Parallel()
 
 	repo := &accountUsageCodexProbeRepo{
@@ -123,12 +100,10 @@ func TestAccountUsageService_PersistOpenAICodexProbeSnapshotSetsRateLimit(t *tes
 		rateLimitCh:   make(chan time.Time, 1),
 	}
 	svc := &AccountUsageService{accountRepo: repo}
-	resetAt := time.Now().Add(2 * time.Hour).UTC().Truncate(time.Second)
-
 	svc.persistOpenAICodexProbeSnapshot(321, map[string]any{
 		"codex_7d_used_percent": 100.0,
-		"codex_7d_reset_at":     resetAt.Format(time.RFC3339),
-	}, &resetAt)
+		"codex_7d_reset_at":     time.Now().Add(2 * time.Hour).UTC().Truncate(time.Second).Format(time.RFC3339),
+	})
 
 	select {
 	case updates := <-repo.updateExtraCh:
@@ -136,16 +111,49 @@ func TestAccountUsageService_PersistOpenAICodexProbeSnapshotSetsRateLimit(t *tes
 			t.Fatalf("codex_7d_used_percent = %v, want 100", got)
 		}
 	case <-time.After(2 * time.Second):
-		t.Fatal("waiting for codex probe extra persistence timed out")
+		t.Fatal("等待 codex 探测快照写入 extra 超时")
 	}
 
 	select {
 	case got := <-repo.rateLimitCh:
-		if got.Before(resetAt.Add(-time.Second)) || got.After(resetAt.Add(time.Second)) {
-			t.Fatalf("rate limit resetAt = %v, want around %v", got, resetAt)
-		}
-	case <-time.After(2 * time.Second):
-		t.Fatal("waiting for codex probe rate limit persistence timed out")
+		t.Fatalf("不应将探测快照写入运行时限流状态: %v", got)
+	case <-time.After(200 * time.Millisecond):
+	}
+}
+
+func TestAccountUsageService_GetOpenAIUsage_DoesNotPromoteCodexExtraToRateLimit(t *testing.T) {
+	t.Parallel()
+
+	resetAt := time.Now().Add(6 * 24 * time.Hour).UTC().Truncate(time.Second)
+	repo := &accountUsageCodexProbeRepo{
+		rateLimitCh: make(chan time.Time, 1),
+	}
+	svc := &AccountUsageService{accountRepo: repo}
+	account := &Account{
+		Platform: PlatformOpenAI,
+		Type:     AccountTypeOAuth,
+		Extra: map[string]any{
+			"codex_5h_used_percent": 1.0,
+			"codex_5h_reset_at":     time.Now().Add(2 * time.Hour).UTC().Truncate(time.Second).Format(time.RFC3339),
+			"codex_7d_used_percent": 100.0,
+			"codex_7d_reset_at":     resetAt.Format(time.RFC3339),
+		},
+	}
+
+	usage, err := svc.getOpenAIUsage(context.Background(), account)
+	if err != nil {
+		t.Fatalf("getOpenAIUsage() error = %v", err)
+	}
+	if usage.SevenDay == nil || usage.SevenDay.Utilization != 100.0 {
+		t.Fatalf("预期 7 天用量仍然可见，实际为 %#v", usage.SevenDay)
+	}
+	if account.RateLimitResetAt != nil {
+		t.Fatalf("不应让已耗尽的 codex extra 改写运行时限流状态: %v", account.RateLimitResetAt)
+	}
+	select {
+	case got := <-repo.rateLimitCh:
+		t.Fatalf("不应将已耗尽的 codex extra 持久化为运行时限流状态: %v", got)
+	case <-time.After(200 * time.Millisecond):
 	}
 }
 
diff --git a/backend/internal/service/admin_service.go b/backend/internal/service/admin_service.go
index 97b42c24..7c26a47c 100644
--- a/backend/internal/service/admin_service.go
+++ b/backend/internal/service/admin_service.go
@@ -1470,10 +1470,6 @@ func (s *adminServiceImpl) ListAccounts(ctx context.Context, page, pageSize int,
 	if err != nil {
 		return nil, 0, err
 	}
-	now := time.Now()
-	for i := range accounts {
-		syncOpenAICodexRateLimitFromExtra(ctx, s.accountRepo, &accounts[i], now)
-	}
 	return accounts, result.Total, nil
 }
 
diff --git a/backend/internal/service/openai_gateway_service.go b/backend/internal/service/openai_gateway_service.go
index 6087b7b6..ef97daad 100644
--- a/backend/internal/service/openai_gateway_service.go
+++ b/backend/internal/service/openai_gateway_service.go
@@ -1681,7 +1681,6 @@ func (s *OpenAIGatewayService) recheckSelectedOpenAIAccountFromDB(ctx context.Co
 	if err != nil || latest == nil {
 		return nil
 	}
-	syncOpenAICodexRateLimitFromExtra(ctx, s.accountRepo, latest, time.Now())
 	if !latest.IsSchedulable() || !latest.IsOpenAI() {
 		return nil
 	}
@@ -1704,7 +1703,6 @@ func (s *OpenAIGatewayService) getSchedulableAccount(ctx context.Context, accoun
 	if err != nil || account == nil {
 		return account, err
 	}
-	syncOpenAICodexRateLimitFromExtra(ctx, s.accountRepo, account, time.Now())
 	return account, nil
 }
 
@@ -4768,69 +4766,6 @@ func buildCodexUsageExtraUpdates(snapshot *OpenAICodexUsageSnapshot, fallbackNow
 	return updates
 }
 
-func codexUsagePercentExhausted(value *float64) bool {
-	return value != nil && *value >= 100-1e-9
-}
-
-func codexRateLimitResetAtFromSnapshot(snapshot *OpenAICodexUsageSnapshot, fallbackNow time.Time) *time.Time {
-	if snapshot == nil {
-		return nil
-	}
-	normalized := snapshot.Normalize()
-	if normalized == nil {
-		return nil
-	}
-	baseTime := codexSnapshotBaseTime(snapshot, fallbackNow)
-	if codexUsagePercentExhausted(normalized.Used7dPercent) && normalized.Reset7dSeconds != nil {
-		resetAt := baseTime.Add(time.Duration(*normalized.Reset7dSeconds) * time.Second)
-		return &resetAt
-	}
-	if codexUsagePercentExhausted(normalized.Used5hPercent) && normalized.Reset5hSeconds != nil {
-		resetAt := baseTime.Add(time.Duration(*normalized.Reset5hSeconds) * time.Second)
-		return &resetAt
-	}
-	return nil
-}
-
-func codexRateLimitResetAtFromExtra(extra map[string]any, now time.Time) *time.Time {
-	if len(extra) == 0 {
-		return nil
-	}
-	if progress := buildCodexUsageProgressFromExtra(extra, "7d", now); progress != nil && codexUsagePercentExhausted(&progress.Utilization) && progress.ResetsAt != nil && now.Before(*progress.ResetsAt) {
-		resetAt := progress.ResetsAt.UTC()
-		return &resetAt
-	}
-	if progress := buildCodexUsageProgressFromExtra(extra, "5h", now); progress != nil && codexUsagePercentExhausted(&progress.Utilization) && progress.ResetsAt != nil && now.Before(*progress.ResetsAt) {
-		resetAt := progress.ResetsAt.UTC()
-		return &resetAt
-	}
-	return nil
-}
-
-func applyOpenAICodexRateLimitFromExtra(account *Account, now time.Time) (*time.Time, bool) {
-	if account == nil || !account.IsOpenAI() {
-		return nil, false
-	}
-	resetAt := codexRateLimitResetAtFromExtra(account.Extra, now)
-	if resetAt == nil {
-		return nil, false
-	}
-	if account.RateLimitResetAt != nil && now.Before(*account.RateLimitResetAt) && !account.RateLimitResetAt.Before(*resetAt) {
-		return account.RateLimitResetAt, false
-	}
-	account.RateLimitResetAt = resetAt
-	return resetAt, true
-}
-
-func syncOpenAICodexRateLimitFromExtra(ctx context.Context, repo AccountRepository, account *Account, now time.Time) *time.Time {
-	resetAt, changed := applyOpenAICodexRateLimitFromExtra(account, now)
-	if !changed || resetAt == nil || repo == nil || account == nil || account.ID <= 0 {
-		return resetAt
-	}
-	_ = repo.SetRateLimited(ctx, account.ID, *resetAt)
-	return resetAt
-}
-
 // updateCodexUsageSnapshot saves the Codex usage snapshot to account's Extra field
 func (s *OpenAIGatewayService) updateCodexUsageSnapshot(ctx context.Context, accountID int64, snapshot *OpenAICodexUsageSnapshot) {
 	if snapshot == nil {
@@ -4842,24 +4777,17 @@ func (s *OpenAIGatewayService) updateCodexUsageSnapshot(ctx context.Context, acc
 
 	now := time.Now()
 	updates := buildCodexUsageExtraUpdates(snapshot, now)
-	resetAt := codexRateLimitResetAtFromSnapshot(snapshot, now)
-	if len(updates) == 0 && resetAt == nil {
+	if len(updates) == 0 {
 		return
 	}
-	shouldPersistUpdates := len(updates) > 0 && s.getCodexSnapshotThrottle().Allow(accountID, now)
-	if !shouldPersistUpdates && resetAt == nil {
+	if !s.getCodexSnapshotThrottle().Allow(accountID, now) {
 		return
 	}
 
 	go func() {
 		updateCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 		defer cancel()
-		if shouldPersistUpdates {
-			_ = s.accountRepo.UpdateExtra(updateCtx, accountID, updates)
-		}
-		if resetAt != nil {
-			_ = s.accountRepo.SetRateLimited(updateCtx, accountID, *resetAt)
-		}
+		_ = s.accountRepo.UpdateExtra(updateCtx, accountID, updates)
 	}()
 }
 
diff --git a/backend/internal/service/openai_ws_ratelimit_signal_test.go b/backend/internal/service/openai_ws_ratelimit_signal_test.go
index 6313d0c0..4ee85a3a 100644
--- a/backend/internal/service/openai_ws_ratelimit_signal_test.go
+++ b/backend/internal/service/openai_ws_ratelimit_signal_test.go
@@ -345,7 +345,7 @@ func TestOpenAIGatewayService_ProxyResponsesWebSocketFromClient_ErrorEventUsageL
 	}
 }
 
-func TestOpenAIGatewayService_UpdateCodexUsageSnapshot_ExhaustedSnapshotSetsRateLimit(t *testing.T) {
+func TestOpenAIGatewayService_UpdateCodexUsageSnapshot_ExhaustedSnapshotDoesNotSetRateLimit(t *testing.T) {
 	repo := &openAICodexSnapshotAsyncRepo{
 		updateExtraCh: make(chan map[string]any, 1),
 		rateLimitCh:   make(chan time.Time, 1),
@@ -359,7 +359,6 @@ func TestOpenAIGatewayService_UpdateCodexUsageSnapshot_ExhaustedSnapshotSetsRate
 		SecondaryResetAfterSeconds: ptrIntWS(1200),
 		SecondaryWindowMinutes:     ptrIntWS(300),
 	}
-	before := time.Now()
 	svc.updateCodexUsageSnapshot(context.Background(), 601, snapshot)
 
 	select {
@@ -371,9 +370,8 @@ func TestOpenAIGatewayService_UpdateCodexUsageSnapshot_ExhaustedSnapshotSetsRate
 
 	select {
 	case resetAt := <-repo.rateLimitCh:
-		require.WithinDuration(t, before.Add(time.Hour), resetAt, 2*time.Second)
+		t.Fatalf("不应因仅写入快照而生成运行时限流时间: %v", resetAt)
 	case <-time.After(2 * time.Second):
-		t.Fatal("等待 codex 100% 自动切换限流超时")
 	}
 }
 
@@ -401,7 +399,7 @@ func TestOpenAIGatewayService_UpdateCodexUsageSnapshot_NonExhaustedSnapshotDoesN
 
 	select {
 	case resetAt := <-repo.rateLimitCh:
-		t.Fatalf("unexpected rate limit reset at: %v", resetAt)
+		t.Fatalf("不应写入运行时限流时间: %v", resetAt)
 	case <-time.After(200 * time.Millisecond):
 	}
 }
@@ -409,7 +407,6 @@ func TestOpenAIGatewayService_UpdateCodexUsageSnapshot_NonExhaustedSnapshotDoesN
 func TestOpenAIGatewayService_UpdateCodexUsageSnapshot_ThrottlesExtraWrites(t *testing.T) {
 	repo := &openAICodexSnapshotAsyncRepo{
 		updateExtraCh: make(chan map[string]any, 2),
-		rateLimitCh:   make(chan time.Time, 2),
 	}
 	svc := &OpenAIGatewayService{
 		accountRepo:           repo,
@@ -443,7 +440,7 @@ func TestOpenAIGatewayService_UpdateCodexUsageSnapshot_ThrottlesExtraWrites(t *t
 func ptrFloat64WS(v float64) *float64 { return &v }
 func ptrIntWS(v int) *int             { return &v }
 
-func TestOpenAIGatewayService_GetSchedulableAccount_ExhaustedCodexExtraSetsRateLimit(t *testing.T) {
+func TestOpenAIGatewayService_GetSchedulableAccount_ExhaustedCodexExtraDoesNotSetRateLimit(t *testing.T) {
 	resetAt := time.Now().Add(6 * 24 * time.Hour)
 	account := Account{
 		ID:          701,
@@ -463,17 +460,15 @@ func TestOpenAIGatewayService_GetSchedulableAccount_ExhaustedCodexExtraSetsRateL
 	fresh, err := svc.getSchedulableAccount(context.Background(), account.ID)
 	require.NoError(t, err)
 	require.NotNil(t, fresh)
-	require.NotNil(t, fresh.RateLimitResetAt)
-	require.WithinDuration(t, resetAt.UTC(), *fresh.RateLimitResetAt, time.Second)
+	require.Nil(t, fresh.RateLimitResetAt)
 	select {
 	case persisted := <-repo.rateLimitCh:
-		require.WithinDuration(t, resetAt.UTC(), persisted, time.Second)
+		t.Fatalf("不应将已耗尽的 codex extra 提升为运行时限流状态: %v", persisted)
 	case <-time.After(2 * time.Second):
-		t.Fatal("等待旧快照补写限流状态超时")
 	}
 }
 
-func TestAdminService_ListAccounts_ExhaustedCodexExtraReturnsRateLimitedAccount(t *testing.T) {
+func TestAdminService_ListAccounts_ExhaustedCodexExtraDoesNotSetRateLimit(t *testing.T) {
 	resetAt := time.Now().Add(4 * 24 * time.Hour)
 	repo := &openAICodexExtraListRepo{
 		stubOpenAIAccountRepo: stubOpenAIAccountRepo{accounts: []Account{{
@@ -496,13 +491,11 @@ func TestAdminService_ListAccounts_ExhaustedCodexExtraReturnsRateLimitedAccount(
 	require.NoError(t, err)
 	require.Equal(t, int64(1), total)
 	require.Len(t, accounts, 1)
-	require.NotNil(t, accounts[0].RateLimitResetAt)
-	require.WithinDuration(t, resetAt.UTC(), *accounts[0].RateLimitResetAt, time.Second)
+	require.Nil(t, accounts[0].RateLimitResetAt)
 	select {
 	case persisted := <-repo.rateLimitCh:
-		require.WithinDuration(t, resetAt.UTC(), persisted, time.Second)
+		t.Fatalf("不应在账号列表查询时将 codex extra 持久化为运行时限流状态: %v", persisted)
 	case <-time.After(2 * time.Second):
-		t.Fatal("等待列表补写限流状态超时")
 	}
 }
 

From db27e8f00032f2ecb4671c0cb5f4b661c596e368 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Wed, 15 Apr 2026 15:31:55 +0800
Subject: [PATCH 115/122] feat(usage): add account cost to breakdown sub-table
 and admin usage log

- UserBreakdownItem: add AccountCost field + SQL aggregation
- UserBreakdownSubTable: add orange account cost column
- Admin usage table: add account_cost column (after cost, default visible)
- Column settings: add account_cost toggle option
---
 backend/internal/pkg/usagestats/usage_log_types.go       | 5 +++--
 backend/internal/repository/usage_log_repo.go            | 4 +++-
 frontend/src/components/admin/usage/UsageTable.vue       | 6 ++++++
 frontend/src/components/charts/UserBreakdownSubTable.vue | 3 +++
 frontend/src/types/index.ts                              | 1 +
 frontend/src/views/admin/UsageView.vue                   | 1 +
 6 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/backend/internal/pkg/usagestats/usage_log_types.go b/backend/internal/pkg/usagestats/usage_log_types.go
index 361c6ed7..fe5f98d6 100644
--- a/backend/internal/pkg/usagestats/usage_log_types.go
+++ b/backend/internal/pkg/usagestats/usage_log_types.go
@@ -168,8 +168,9 @@ type UserBreakdownItem struct {
 	Email       string  `json:"email"`
 	Requests    int64   `json:"requests"`
 	TotalTokens int64   `json:"total_tokens"`
-	Cost        float64 `json:"cost"`        // 标准计费
-	ActualCost  float64 `json:"actual_cost"` // 实际扣除
+	Cost        float64 `json:"cost"`         // 标准计费
+	ActualCost  float64 `json:"actual_cost"`  // 实际扣除
+	AccountCost float64 `json:"account_cost"` // 账号成本
 }
 
 // UserBreakdownDimension specifies the dimension to filter for user breakdown.
diff --git a/backend/internal/repository/usage_log_repo.go b/backend/internal/repository/usage_log_repo.go
index f3789910..f2fb87da 100644
--- a/backend/internal/repository/usage_log_repo.go
+++ b/backend/internal/repository/usage_log_repo.go
@@ -3157,7 +3157,8 @@ func (r *usageLogRepository) GetUserBreakdownStats(ctx context.Context, startTim
 			COUNT(*) as requests,
 			COALESCE(SUM(ul.input_tokens + ul.output_tokens + ul.cache_creation_tokens + ul.cache_read_tokens), 0) as total_tokens,
 			COALESCE(SUM(ul.total_cost), 0) as cost,
-			COALESCE(SUM(ul.actual_cost), 0) as actual_cost
+			COALESCE(SUM(ul.actual_cost), 0) as actual_cost,
+			COALESCE(SUM(COALESCE(ul.account_stats_cost, ul.total_cost) * COALESCE(ul.account_rate_multiplier, 1)), 0) as account_cost
 		FROM usage_logs ul
 		LEFT JOIN users u ON u.id = ul.user_id
 		WHERE ul.created_at >= $1 AND ul.created_at < $2
@@ -3228,6 +3229,7 @@ func (r *usageLogRepository) GetUserBreakdownStats(ctx context.Context, startTim
 			&row.TotalTokens,
 			&row.Cost,
 			&row.ActualCost,
+			&row.AccountCost,
 		); err != nil {
 			return nil, err
 		}
diff --git a/frontend/src/components/admin/usage/UsageTable.vue b/frontend/src/components/admin/usage/UsageTable.vue
index 98bb3554..c7fad3b1 100644
--- a/frontend/src/components/admin/usage/UsageTable.vue
+++ b/frontend/src/components/admin/usage/UsageTable.vue
@@ -160,6 +160,12 @@
           </div>
         </template>
 
+        <template #cell-account_cost="{ row }">
+          <span class="text-sm font-medium text-orange-500 dark:text-orange-400">
+            ${{ accountBilled(row).toFixed(6) }}
+          </span>
+        </template>
+
         <template #cell-first_token="{ row }">
           <span v-if="row.first_token_ms != null" class="text-sm text-gray-600 dark:text-gray-400">{{ formatDuration(row.first_token_ms) }}</span>
           <span v-else class="text-sm text-gray-400 dark:text-gray-500">-</span>
diff --git a/frontend/src/components/charts/UserBreakdownSubTable.vue b/frontend/src/components/charts/UserBreakdownSubTable.vue
index 40b7db78..e24e8e45 100644
--- a/frontend/src/components/charts/UserBreakdownSubTable.vue
+++ b/frontend/src/components/charts/UserBreakdownSubTable.vue
@@ -25,6 +25,9 @@
           <td class="py-1 text-right text-green-600 dark:text-green-400">
             ${{ formatCost(user.actual_cost) }}
           </td>
+          <td class="py-1 text-right text-orange-500 dark:text-orange-400">
+            ${{ formatCost(user.account_cost) }}
+          </td>
           <td class="py-1 pr-1 text-right text-gray-400 dark:text-gray-500">
             ${{ formatCost(user.cost) }}
           </td>
diff --git a/frontend/src/types/index.ts b/frontend/src/types/index.ts
index aaa3e35f..89fd777f 100644
--- a/frontend/src/types/index.ts
+++ b/frontend/src/types/index.ts
@@ -1245,6 +1245,7 @@ export interface UserBreakdownItem {
   total_tokens: number
   cost: number
   actual_cost: number
+  account_cost: number
 }
 
 export interface UserUsageTrendPoint {
diff --git a/frontend/src/views/admin/UsageView.vue b/frontend/src/views/admin/UsageView.vue
index 495ca7ad..d0c3358e 100644
--- a/frontend/src/views/admin/UsageView.vue
+++ b/frontend/src/views/admin/UsageView.vue
@@ -533,6 +533,7 @@ const allColumns = computed(() => [
   { key: 'billing_mode', label: t('admin.usage.billingMode'), sortable: false },
   { key: 'tokens', label: t('usage.tokens'), sortable: false },
   { key: 'cost', label: t('usage.cost'), sortable: false },
+  { key: 'account_cost', label: t('usage.accountCost'), sortable: false },
   { key: 'first_token', label: t('usage.firstToken'), sortable: false },
   { key: 'duration', label: t('usage.duration'), sortable: false },
   { key: 'created_at', label: t('usage.time'), sortable: true },

From a7dd535d479325b3a0c9506e933d1580f0b8e5ee Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Wed, 15 Apr 2026 15:56:39 +0800
Subject: [PATCH 116/122] fix(usage): show account cost inline under cost
 column, remove separate column
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Cost cell: change gray "A $xxx" to orange "成本 $xxx" with i18n
- Remove standalone account_cost column from column settings (redundant)
---
 frontend/src/components/admin/usage/UsageTable.vue | 10 ++--------
 frontend/src/views/admin/UsageView.vue             |  1 -
 2 files changed, 2 insertions(+), 9 deletions(-)

diff --git a/frontend/src/components/admin/usage/UsageTable.vue b/frontend/src/components/admin/usage/UsageTable.vue
index c7fad3b1..8609635a 100644
--- a/frontend/src/components/admin/usage/UsageTable.vue
+++ b/frontend/src/components/admin/usage/UsageTable.vue
@@ -154,18 +154,12 @@
                 </div>
               </div>
             </div>
-            <div v-if="row.account_rate_multiplier != null" class="mt-0.5 text-[11px] text-gray-400">
-              A ${{ accountBilled(row).toFixed(6) }}
+            <div v-if="row.account_rate_multiplier != null" class="mt-0.5 text-[11px] text-orange-500 dark:text-orange-400">
+              {{ t('usage.accountCost') }} ${{ accountBilled(row).toFixed(6) }}
             </div>
           </div>
         </template>
 
-        <template #cell-account_cost="{ row }">
-          <span class="text-sm font-medium text-orange-500 dark:text-orange-400">
-            ${{ accountBilled(row).toFixed(6) }}
-          </span>
-        </template>
-
         <template #cell-first_token="{ row }">
           <span v-if="row.first_token_ms != null" class="text-sm text-gray-600 dark:text-gray-400">{{ formatDuration(row.first_token_ms) }}</span>
           <span v-else class="text-sm text-gray-400 dark:text-gray-500">-</span>
diff --git a/frontend/src/views/admin/UsageView.vue b/frontend/src/views/admin/UsageView.vue
index d0c3358e..495ca7ad 100644
--- a/frontend/src/views/admin/UsageView.vue
+++ b/frontend/src/views/admin/UsageView.vue
@@ -533,7 +533,6 @@ const allColumns = computed(() => [
   { key: 'billing_mode', label: t('admin.usage.billingMode'), sortable: false },
   { key: 'tokens', label: t('usage.tokens'), sortable: false },
   { key: 'cost', label: t('usage.cost'), sortable: false },
-  { key: 'account_cost', label: t('usage.accountCost'), sortable: false },
   { key: 'first_token', label: t('usage.firstToken'), sortable: false },
   { key: 'duration', label: t('usage.duration'), sortable: false },
   { key: 'created_at', label: t('usage.time'), sortable: true },

From e180dd0710a79d6243596f90686647609c2c7eb1 Mon Sep 17 00:00:00 2001
From: erio <asakifeng@gmail.com>
Date: Wed, 15 Apr 2026 16:05:58 +0800
Subject: [PATCH 117/122] fix(usage): remove label text from inline account
 cost, keep orange color

---
 frontend/src/components/admin/usage/UsageTable.vue | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/src/components/admin/usage/UsageTable.vue b/frontend/src/components/admin/usage/UsageTable.vue
index 8609635a..adcb3cc6 100644
--- a/frontend/src/components/admin/usage/UsageTable.vue
+++ b/frontend/src/components/admin/usage/UsageTable.vue
@@ -155,7 +155,7 @@
               </div>
             </div>
             <div v-if="row.account_rate_multiplier != null" class="mt-0.5 text-[11px] text-orange-500 dark:text-orange-400">
-              {{ t('usage.accountCost') }} ${{ accountBilled(row).toFixed(6) }}
+              A ${{ accountBilled(row).toFixed(6) }}
             </div>
           </div>
         </template>

From be7551b9f43e37c5a9784d69827439eaee9362b4 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
 <41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 15 Apr 2026 09:34:24 +0000
Subject: [PATCH 118/122] chore: sync VERSION to 0.1.113 [skip ci]

---
 backend/cmd/server/VERSION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backend/cmd/server/VERSION b/backend/cmd/server/VERSION
index 4b9b35d8..c21e67e6 100644
--- a/backend/cmd/server/VERSION
+++ b/backend/cmd/server/VERSION
@@ -1 +1 @@
-0.1.112
+0.1.113

From 3944b3d216bbcc10472fccdc4f6606fa2b85106e Mon Sep 17 00:00:00 2001
From: KnowSky404 <git@knowsky404.com>
Date: Thu, 16 Apr 2026 02:01:50 +0000
Subject: [PATCH 119/122] fix: preserve openai ws flags in scheduler cache

---
 .../internal/repository/scheduler_cache.go    |  7 +++
 .../repository/scheduler_cache_unit_test.go   | 33 ++++++++++
 ...enai_account_scheduler_ws_snapshot_test.go | 62 +++++++++++++++++++
 3 files changed, 102 insertions(+)
 create mode 100644 backend/internal/repository/scheduler_cache_unit_test.go
 create mode 100644 backend/internal/service/openai_account_scheduler_ws_snapshot_test.go

diff --git a/backend/internal/repository/scheduler_cache.go b/backend/internal/repository/scheduler_cache.go
index e9be8c7a..add0e501 100644
--- a/backend/internal/repository/scheduler_cache.go
+++ b/backend/internal/repository/scheduler_cache.go
@@ -426,6 +426,13 @@ func filterSchedulerExtra(extra map[string]any) map[string]any {
 		"window_cost_sticky_reserve",
 		"max_sessions",
 		"session_idle_timeout_minutes",
+		"openai_oauth_responses_websockets_v2_enabled",
+		"openai_oauth_responses_websockets_v2_mode",
+		"openai_apikey_responses_websockets_v2_enabled",
+		"openai_apikey_responses_websockets_v2_mode",
+		"responses_websockets_v2_enabled",
+		"openai_ws_enabled",
+		"openai_ws_force_http",
 	}
 	filtered := make(map[string]any)
 	for _, key := range keys {
diff --git a/backend/internal/repository/scheduler_cache_unit_test.go b/backend/internal/repository/scheduler_cache_unit_test.go
new file mode 100644
index 00000000..bcfd0e7a
--- /dev/null
+++ b/backend/internal/repository/scheduler_cache_unit_test.go
@@ -0,0 +1,33 @@
+//go:build unit
+
+package repository
+
+import (
+	"testing"
+
+	"github.com/Wei-Shaw/sub2api/internal/service"
+	"github.com/stretchr/testify/require"
+)
+
+func TestBuildSchedulerMetadataAccount_KeepsOpenAIWSFlags(t *testing.T) {
+	account := service.Account{
+		ID:       42,
+		Platform: service.PlatformOpenAI,
+		Type:     service.AccountTypeOAuth,
+		Extra: map[string]any{
+			"openai_oauth_responses_websockets_v2_enabled": true,
+			"openai_oauth_responses_websockets_v2_mode":    service.OpenAIWSIngressModePassthrough,
+			"openai_ws_force_http":                         true,
+			"mixed_scheduling":                             true,
+			"unused_large_field":                           "drop-me",
+		},
+	}
+
+	got := buildSchedulerMetadataAccount(account)
+
+	require.Equal(t, true, got.Extra["openai_oauth_responses_websockets_v2_enabled"])
+	require.Equal(t, service.OpenAIWSIngressModePassthrough, got.Extra["openai_oauth_responses_websockets_v2_mode"])
+	require.Equal(t, true, got.Extra["openai_ws_force_http"])
+	require.Equal(t, true, got.Extra["mixed_scheduling"])
+	require.Nil(t, got.Extra["unused_large_field"])
+}
diff --git a/backend/internal/service/openai_account_scheduler_ws_snapshot_test.go b/backend/internal/service/openai_account_scheduler_ws_snapshot_test.go
new file mode 100644
index 00000000..c5de8203
--- /dev/null
+++ b/backend/internal/service/openai_account_scheduler_ws_snapshot_test.go
@@ -0,0 +1,62 @@
+//go:build unit
+
+package service
+
+import (
+	"context"
+	"testing"
+
+	"github.com/Wei-Shaw/sub2api/internal/config"
+	"github.com/stretchr/testify/require"
+)
+
+func TestOpenAIGatewayService_SelectAccountWithScheduler_UsesWSPassthroughSnapshotFlags(t *testing.T) {
+	ctx := context.Background()
+	groupID := int64(10105)
+	account := &Account{
+		ID:          35001,
+		Platform:    PlatformOpenAI,
+		Type:        AccountTypeOAuth,
+		Status:      StatusActive,
+		Schedulable: true,
+		Concurrency: 10,
+		Extra: map[string]any{
+			"openai_oauth_responses_websockets_v2_mode": OpenAIWSIngressModePassthrough,
+		},
+	}
+
+	snapshotCache := &openAISnapshotCacheStub{
+		snapshotAccounts: []*Account{account},
+		accountsByID:     map[int64]*Account{account.ID: account},
+	}
+	cfg := &config.Config{}
+	cfg.Gateway.OpenAIWS.Enabled = true
+	cfg.Gateway.OpenAIWS.OAuthEnabled = true
+	cfg.Gateway.OpenAIWS.APIKeyEnabled = true
+	cfg.Gateway.OpenAIWS.ResponsesWebsocketsV2 = true
+	cfg.Gateway.OpenAIWS.ModeRouterV2Enabled = true
+	cfg.Gateway.OpenAIWS.IngressModeDefault = OpenAIWSIngressModeCtxPool
+
+	svc := &OpenAIGatewayService{
+		accountRepo:        stubOpenAIAccountRepo{accounts: []Account{*account}},
+		cache:              &stubGatewayCache{},
+		cfg:                cfg,
+		schedulerSnapshot:  &SchedulerSnapshotService{cache: snapshotCache},
+		concurrencyService: NewConcurrencyService(stubConcurrencyCache{}),
+	}
+
+	selection, decision, err := svc.SelectAccountWithScheduler(
+		ctx,
+		&groupID,
+		"",
+		"session_hash_ws_passthrough",
+		"gpt-5.1",
+		nil,
+		OpenAIUpstreamTransportResponsesWebsocketV2,
+	)
+	require.NoError(t, err)
+	require.NotNil(t, selection)
+	require.NotNil(t, selection.Account)
+	require.Equal(t, account.ID, selection.Account.ID)
+	require.Equal(t, openAIAccountScheduleLayerLoadBalance, decision.Layer)
+}

From 836092a6665f3f8f50ef8f4b055b89d73c748310 Mon Sep 17 00:00:00 2001
From: KnowSky404 <git@knowsky404.com>
Date: Thu, 16 Apr 2026 02:13:04 +0000
Subject: [PATCH 120/122] fix: restore ctx pool ws mode option in account ui

---
 frontend/src/components/account/BulkEditAccountModal.vue | 2 ++
 frontend/src/components/account/CreateAccountModal.vue   | 5 ++---
 frontend/src/components/account/EditAccountModal.vue     | 5 ++---
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/frontend/src/components/account/BulkEditAccountModal.vue b/frontend/src/components/account/BulkEditAccountModal.vue
index 5461015b..13c30cf9 100644
--- a/frontend/src/components/account/BulkEditAccountModal.vue
+++ b/frontend/src/components/account/BulkEditAccountModal.vue
@@ -921,6 +921,7 @@ import {
   getPresetMappingsByPlatform
 } from '@/composables/useModelWhitelist'
 import {
+  OPENAI_WS_MODE_CTX_POOL,
   OPENAI_WS_MODE_OFF,
   OPENAI_WS_MODE_PASSTHROUGH,
   isOpenAIWSModeEnabled,
@@ -1069,6 +1070,7 @@ const isOpenAIModelRestrictionDisabled = computed(
 
 const openAIWSModeOptions = computed(() => [
   { value: OPENAI_WS_MODE_OFF, label: t('admin.accounts.openai.wsModeOff') },
+  { value: OPENAI_WS_MODE_CTX_POOL, label: t('admin.accounts.openai.wsModeCtxPool') },
   { value: OPENAI_WS_MODE_PASSTHROUGH, label: t('admin.accounts.openai.wsModePassthrough') }
 ])
 const openAIWSModeConcurrencyHintKey = computed(() =>
diff --git a/frontend/src/components/account/CreateAccountModal.vue b/frontend/src/components/account/CreateAccountModal.vue
index 432fa080..2130c9ab 100644
--- a/frontend/src/components/account/CreateAccountModal.vue
+++ b/frontend/src/components/account/CreateAccountModal.vue
@@ -2932,7 +2932,7 @@ import { applyInterceptWarmup } from '@/components/account/credentialsBuilder'
 import { formatDateTimeLocalInput, parseDateTimeLocalInput } from '@/utils/format'
 import { createStableObjectKeyResolver } from '@/utils/stableObjectKey'
 import {
-  // OPENAI_WS_MODE_CTX_POOL,
+  OPENAI_WS_MODE_CTX_POOL,
   OPENAI_WS_MODE_OFF,
   OPENAI_WS_MODE_PASSTHROUGH,
   isOpenAIWSModeEnabled,
@@ -3180,8 +3180,7 @@ const geminiSelectedTier = computed(() => {
 
 const openAIWSModeOptions = computed(() => [
   { value: OPENAI_WS_MODE_OFF, label: t('admin.accounts.openai.wsModeOff') },
-  // TODO: ctx_pool 选项暂时隐藏，待测试完成后恢复
-  // { value: OPENAI_WS_MODE_CTX_POOL, label: t('admin.accounts.openai.wsModeCtxPool') },
+  { value: OPENAI_WS_MODE_CTX_POOL, label: t('admin.accounts.openai.wsModeCtxPool') },
   { value: OPENAI_WS_MODE_PASSTHROUGH, label: t('admin.accounts.openai.wsModePassthrough') }
 ])
 
diff --git a/frontend/src/components/account/EditAccountModal.vue b/frontend/src/components/account/EditAccountModal.vue
index e5065d7a..1da32e2c 100644
--- a/frontend/src/components/account/EditAccountModal.vue
+++ b/frontend/src/components/account/EditAccountModal.vue
@@ -1858,7 +1858,7 @@ import { applyInterceptWarmup } from '@/components/account/credentialsBuilder'
 import { formatDateTimeLocalInput, parseDateTimeLocalInput } from '@/utils/format'
 import { createStableObjectKeyResolver } from '@/utils/stableObjectKey'
 import {
-  // OPENAI_WS_MODE_CTX_POOL,
+  OPENAI_WS_MODE_CTX_POOL,
   OPENAI_WS_MODE_OFF,
   OPENAI_WS_MODE_PASSTHROUGH,
   isOpenAIWSModeEnabled,
@@ -2020,8 +2020,7 @@ const editWeeklyResetHour = ref<number | null>(null)
 const editResetTimezone = ref<string | null>(null)
 const openAIWSModeOptions = computed(() => [
   { value: OPENAI_WS_MODE_OFF, label: t('admin.accounts.openai.wsModeOff') },
-  // TODO: ctx_pool 选项暂时隐藏，待测试完成后恢复
-  // { value: OPENAI_WS_MODE_CTX_POOL, label: t('admin.accounts.openai.wsModeCtxPool') },
+  { value: OPENAI_WS_MODE_CTX_POOL, label: t('admin.accounts.openai.wsModeCtxPool') },
   { value: OPENAI_WS_MODE_PASSTHROUGH, label: t('admin.accounts.openai.wsModePassthrough') }
 ])
 const openaiResponsesWebSocketV2Mode = computed({

From a55ead5ea860c2517c625fbbe6cb2f1823382954 Mon Sep 17 00:00:00 2001
From: shaw <shaw-wei@foxmail.com>
Date: Thu, 16 Apr 2026 16:42:40 +0800
Subject: [PATCH 121/122] chore: remove empty dir Antigravity-Manager

---
 Antigravity-Manager | 1 -
 1 file changed, 1 deletion(-)
 delete mode 160000 Antigravity-Manager

diff --git a/Antigravity-Manager b/Antigravity-Manager
deleted file mode 160000
index a9d96bd5..00000000
--- a/Antigravity-Manager
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit a9d96bd54978c22d3033830debfe77aeeeee2500

From 7ea8e7e6675c3e5b4c5c73578136420c76a4ee64 Mon Sep 17 00:00:00 2001
From: shaw <shaw-wei@foxmail.com>
Date: Thu, 16 Apr 2026 17:19:32 +0800
Subject: [PATCH 122/122] chore: update sponsors

---
 README.md                         |   5 +++++
 README_CN.md                      |   5 +++++
 README_JA.md                      |   5 +++++
 assets/partners/logos/bmoplus.jpg | Bin 0 -> 7996 bytes
 4 files changed, 15 insertions(+)
 create mode 100644 assets/partners/logos/bmoplus.jpg

diff --git a/README.md b/README.md
index c2715eae..74ab9af2 100644
--- a/README.md
+++ b/README.md
@@ -91,6 +91,11 @@ Sub2API is an AI API gateway platform designed to distribute and manage API quot
 <td>Thanks to AIGoCode for sponsoring this project! AIGoCode is an all-in-one platform that integrates Claude Code, Codex, and the latest Gemini models, providing you with stable, efficient, and highly cost-effective AI coding services. The platform offers flexible subscription plans, zero risk of account suspension, direct access with no VPN required, and lightning-fast responses. AIGoCode has prepared a special benefit for sub2api users: if you register via <a href="https://aigocode.com/invite/SUB2API">this link</a>, you'll receive an extra 10% bonus credit on your first top-up!</td>
 </tr>
 
+<tr>
+<td width="180"><a href="https://shop.bmoplus.com/?utm_source=github"><img src="assets/partners/logos/bmoplus.jpg" alt="bmoplus" width="150"></a></td>
+<td>Huge thanks to BmoPlus for sponsoring this project! BmoPlus is a highly reliable AI account provider built strictly for heavy AI users and developers. They offer rock-solid, ready-to-use accounts and official top-up services for ChatGPT Plus / ChatGPT Pro (Full Warranty) / Claude Pro / Super Grok / Gemini Pro. By registering and ordering through <a href="https://shop.bmoplus.com/?utm_source=github">BmoPlus - Premium AI Accounts & Top-ups</a>, users can unlock the mind-blowing rate of 10% of the official GPT subscription price (90% OFF)</td>
+</tr>
+
 </table>
 
 ## Ecosystem
diff --git a/README_CN.md b/README_CN.md
index 0ace1f77..c701372c 100644
--- a/README_CN.md
+++ b/README_CN.md
@@ -90,6 +90,11 @@ Sub2API 是一个 AI API 网关平台，用于分发和管理 AI 产品订阅的
 <td>感谢 AIGoCode 赞助了本项目！AIGoCode 是一站式集成 Claude Code、Codex 以及最新 Gemini 模型的综合平台，为您提供稳定、高效、高性价比的 AI 编程服务。平台提供灵活的订阅方案，零封号风险，免 VPN 直连，响应极速。AIGoCode 为 sub2api 用户准备了专属福利：通过<a href="https://aigocode.com/invite/SUB2API">此链接</a>注册，首次充值可额外获得 10% 赠送额度！</td>
 </tr>
 
+<tr>
+<td width="180"><a href="https://shop.bmoplus.com/?utm_source=github"><img src="assets/partners/logos/bmoplus.jpg" alt="bmoplus" width="150"></a></td>
+<td>感谢 BmoPlus 赞助了本项目！BmoPlus 是一家专为AI订阅重度用户打造的可靠 AI 账号代充服务商，提供稳定的 ChatGPT Plus / ChatGPT Pro(全程质保) / Claude Pro / Super Grok / Gemini Pro 的官方代充&成品账号。 通过<a href="https://shop.bmoplus.com/?utm_source=github">BmoPlus AI成品号专卖/代充</a>注册下单的用户，可享GPT 官网订阅一折 的震撼价格！</td>
+</tr>
+
 </table>
 
 ## 生态项目
diff --git a/README_JA.md b/README_JA.md
index d74ca9ce..0d4db616 100644
--- a/README_JA.md
+++ b/README_JA.md
@@ -90,6 +90,11 @@ Sub2API は、AI 製品のサブスクリプションから API クォータを
 <td>AIGoCode のご支援に感謝します！AIGoCode は Claude Code、Codex、最新の Gemini モデルを統合したオールインワンプラットフォームで、安定的かつ効率的でコストパフォーマンスに優れた AI コーディングサービスを提供します。柔軟なサブスクリプションプラン、アカウント停止リスクゼロ、VPN 不要の直接アクセス、超高速レスポンスが特長です。AIGoCode は sub2api ユーザー向けに特別特典を用意しています：<a href="https://aigocode.com/invite/SUB2API">こちらのリンク</a>から登録すると、初回チャージ時に 10% のボーナスクレジットを追加プレゼント！</td>
 </tr>
 
+<tr>
+<td width="180"><a href="https://shop.bmoplus.com/?utm_source=github"><img src="assets/partners/logos/bmoplus.jpg" alt="bmoplus" width="150"></a></td>
+<td>本プロジェクトにご支援いただいた BmoPlus に感謝いたします！BmoPlusは、AIサブスクリプションのヘビーユーザー向けに特化した信頼性の高いAIアカウントサービスプロバイダーであり、安定した ChatGPT Plus / ChatGPT Pro (完全保証) / Claude Pro / Super Grok / Gemini Pro の公式代行チャージおよび即納アカウントを提供しています。こちらの<a href="https://shop.bmoplus.com/?utm_source=github">BmoPlus AIアカウント専門店/代行チャージ</a>経由でご登録・ご注文いただいたユーザー様は、GPTを 公式サイト価格の約1割（90% OFF） という驚異的な価格でご利用いただけます！</td>
+</tr>
+
 </table>
 
 ## エコシステム
diff --git a/assets/partners/logos/bmoplus.jpg b/assets/partners/logos/bmoplus.jpg
new file mode 100644
index 0000000000000000000000000000000000000000..1a9b4d8b7b2d626d860f327a49fe0bf3ade711fb
GIT binary patch
literal 7996
zcmb7o1yr0tvhLs>7-Z1k&fpT<Ex2oN4Q{~_g1b8m0Rq7_xVyU(Jh%my;P587yL;|?
zXZPOo`tO<3r>g$y>i$c<?w5s^bpV!}^jm2F3=9AO1APE5%K!-gG9n@pA_6iJ5)uju
zGAcSQ209uVIw3X=Chlt@GSb&XBqZe2EOg|QU@8(4`Zo+<Hg+y9E;2ekAzlta7EUgX
zKT2RwP*Bj(&<QXw2skK6C^-JV+e<e9hz!Vt^@D?<1i%7e;D9hMy#QjUk#I232KZNl
zgGYdcK}3Qw387>t^Ish300tJyepv#b!@&SxvEZ<vl!vqbF7WTiAqwFmZLE-)2H~2l
z;-!Bt^Owp;(cdw8HZWd?5;;BD^4b7-_CE_>ptvqvde<K926E~_tgNSQ928}Q)TaQN
zS|jXsZcjOu%?g+Ee$e*?%e9<lEM<)(;-cHXLU{JU|F=%T-&|rc89W<JmjXsqT$4>a
zGOycfnABnoDwcYd>=!B}IF&h8&UFI3x?@s4$Dit|(QYrc7Ro?`skB=cf3<~i7S`ii
z^iM`JT^=QdYSdk(RAqZd?Nx5kwh8!1?0B4(MY?y7dQB^N8|+&D$W<elDY={Z8FQ6(
zuUd9}ng69iG0~LS7m|$gZH~SG@_j0S7Rpj&<~?Zx#QiaTyydcCH^U{!#$;*qfexHz
zB&JU$!D_YJ9w_KsSE_Qnd+%$ONT!-zm~O{(!@StT@x-UDE+Oz%*SWq*y>deC+R9_V
zW8>tSDd|@^{Fy!`Rbuf(SgoD(_Z^1~Dt$VA>L2Gj-ZkZ#GYu>j#WuM|P2SuG*>5Cx
zY>$^bC_k1vK<2nyYpqy0xi0nuoW@YO7*-33FTIoZEtkqI7j+Z(7?x0=X1dOqTTYf<
z3EVZbvpVANE-uG%2)KI<T>COPeCl|^I{&G^K}hwaW8mrCn%x+0al5t$XlHZ^qVoe^
zW^sc3O-X_mN6WSz<fBQX%_wIwQ}seL$4=d$PwIs2%<iivdDoltno%W3p2B)Q*QG4x
zw1(07{1(Cfy5<z?dYV!v{jBnzcKwYh74u&XhfHVnlK2Ig=Y){A<g{CphHJoy${#P6
zu3$w00KU7n)6nHmnP0*(;<nn-@_auzH=i?0cgd96xP&I|Ngbk$zK$17h{*H2iXm(G
z&Bx~xCktKOziG}FzD7Iex20q{^?Y~P(giPotPb(_*?X0fp?e+j&E=P8&)*CCe%>2d
zRw^`i{u>4V3rPeTfGk)5SXdZ1I5=3uf5agSEC3D&kBx)H!HJ7Ufxt%2E+(#GOi3l`
z<OhvPWN5I$Ai%x=Ms&L?OYgJ>pEHVm#<<Fnu11J$Oo`a_qC{Op@)ta~-={?JK$em2
z)$8G<mS`g5feoxrUg^)=%dT1+cFua<ksML4?F`EGj~#pLTQCKbTtVxWpO5R01dsVf
z@hz>2o>}I*`-rvmeQ64QUhgw^Re6AmZz|Vky_iI2{KVN*cKC3`*I!wrhs@!mD@;gN
zX}Okx5Ytodm_&R0q=^-+xUaSqb}i9xzx3FY?dqmym2Ft@cWxAz7=Oz&u2UEV<D%i^
zG)aOGGyJ~%f(uE10r;hzHWj@aGg#sBPgoK=&|aT?OkQizYgl*z1gdVA2aH=}gNNCO
z8<_-c(nVeHY?+Cws|#Wtw0C0B#8Dy3E~`J4ty4cOYMVdt>uxGN=)-7KakC}uIUSfC
z8Knp^3v1Q{fpsEu`o$9pQ{AJ+LD}>JJa5pHlNnu*);LveQPJ3lrAtn1ueeUUib^dY
zwmiC~juKqI9mIa9Zfi30LYR{Lw%@q8e_l(uEx9mQl?||gFKj-!cBx4&9Aa$I`kV<q
zr}OEd&?&}8W=B#KdjT*?;#hO4E~<=#TaUf{>0xiMX(Lb^V6ao!FMP=}XSK4Var?ty
zK#ij6mzbWsdOQutMY}|S=xEEy6*^-9if=;J{E5=U^7I6rp?u51W6&(wd13p>{VW?E
zH7fiQ-NEz(wnvXz+BF{D7q)|<)543_+^>^8MlkPFn@^TL_RfBG>ten5u|?)KW>KBL
zU9+L};8i}U9{d`8PCHPl)xG*u3qfDTQuLtcf+_jSm<XrdhJKTPh@-rqrWdn9uzewf
z6U5DeuzK}7Cc9ADpsaqKGd29DyK!UK{0Sb5-oOIW_u4uSdKzUe9(G<<qv3eBk7&cG
zv?s%Vrxs(qnA;+AUq<+l0(MKbt31Rvu`Y#71tT3ojD2Plk!G((Wzm_{Vsl#(+ANHa
zcN?@`RsGV=%A|ws(ktubVi0hmD}1+!w*rbQ1Qu&$L6{k9fQOi%?}3$2G6xcAnwVO!
z9-b2Ct4!mWFkIy8P!tuVXt~;}DQi`BqB^gGuQUGagm6Jc)V<z4ePwhqd3<QKK0Vw&
z9BSl^m}d;sBd^@f=dRJB-R$4j70g43qibz#Rv@U^Nl}ru+`2gp+rFYr^_pLXxktn?
zi!Iel_H3E;)Yl|$;)S-Ay>QkfwL#2F?f4>Uy)8P;VJK>$Opg!r7BvSqaL4!I`;HKA
zPn-K-{*2K2!@d93cLQ1u3sq&f4MXmrVp<X1GMz7g&1`5I00W_E0GbD25#SL1D{K5s
z1K9956ddfFSh(brDpX>sY@%w$&VQ2tG*^hgJbtLm-BtHu4tW$REV{)$tUaMoZr(eq
zZ_ib0Bqpq0U}tp5Sbx+Fh)TcY?sHnp);ElBMxsEkKglA0UdSr_{bj`Y-WG9gJ$>k1
zbnn(;^CO?|N@afGDsRt;NH0l<kY8Zju+!#;@{0lM`hX0jw&+b7?V}IE-vK{J#-(gZ
z<C)KN?F(8>L7k)W7r~GZ$3mUSx{afBaI_ze9AOw+>~=r(R6W2~T-H~DTT3@T92p)7
zDAh%;)4Xwn#<WDd<u~kBZ6nn}LX7$kM0y$EoN6xix4A21p>)g1DrHR^DUA0@BI#c`
zmPGsm7e#)nu2X${%0aj1pGbAT;7nro=QFBxgrhfz3oozp_Lj3-QBrQ8Kf^wS<6Xmv
zKS6%J{Sxco{8YtwlktlVj@{RAbX@<WJ3kDRkH#PVIMN^8_$ByIdser%!D9A#dYh#Y
zOWlb8QC+%_R$ZM5+v1vY3m77X-K-R>hkBwk!k8CWBPNgLe(S<$)lV~fLS8b>)=z^Z
zUf_0m9;qtXecvapt{qUCSUp_g@GzcSmt9Q**0+jQCw5QCG4D*K&;;}r2M4#eTci;U
zgG=g8EHt&7Y6&f4Tx+L0F0$<-D@=7YCB!W^OI_OIKEp0)P3U-Prq2-V(~W@dEFxvq
z<H1`rp=QEL9aoM}Z=w0)EiiEKZ~(Y}mKYdVAUhm31s0B&Dmj}9rKs^=H-Y`@CfnS1
zAd!A^ZrrN#rQy4&x^Sc4lp!rH>w(pB%`#Ng($j6Y5eyil$W<st(h(8{3>df}K@n0E
zmAUj@IcG`&@!wbx91N)9t2T##2isnPq!_)jS6;kkk}iUg)M4vqGSt<AKA5+?hQoG?
zl+MKt(n-;>GgY9F{@(jHL+_(g2V|RZa;H9}L~ggsE7;ZcKjC+Vycw8~do#p4RJDeD
z64BLc7%lrimCv|d8Y>b=*tmWwyE>M+>ygeZJ$T5Qx#$}LT{9=NP(q<80un63KOzJG
z1H__$Wf#LH=TJ3)!{K!HkI!K<rV<rT$W>8u@~iqswL}zwR!h(bubte;(Qzgok5Btp
zrgfEVIo;7M)zRGp&s$5=-r}iKacSAXo$Flm`1p^$$}w(%R+z6a@0GqCtu?)VKj%<M
zF_b|r`IdXa<s`-Jip6qpCA^GIVf4n~z)HT^>a9g4*f8ZWDMP9;GoC0CbxWICCwwZg
z;P8TEj$&H2VrU-n+GhVIEtX?8VrUFPl3qLH)>PfAGx<yLRo=6Nd64MO11%ZP3tcrW
zh0sLG_>vVvsZuJe!#?T#v;&*|UqHb~d>T!PW&;Oy)FL<2`%@fZ%jF+bCeEfHybKUR
zLY{ib=(1sMuUyFmyJnPrl!lvJg+e6rE~5(_chf$%=AIUXCP7JihkKh;(01JU!|PvT
zJ5BX%O0n!4-mz$7m^I!On%g?lW%^N)7u16(ilkRSBr)W+!H6FIT-EsWPviMhlktBv
z)b#hSS<Y<svJ6>Xg2<eik-r%Bdv;hSZFY#2BL!!$Mxv~-s+#JdVGm937UU<>UeCuV
z@{t%J@prGxr*fL($m_I#4O`Ru&Rp}yDR1)lSL&!^%U8?3M?Pq-lJYvD@nnOjtk93m
zs=A+I@Q<82Ozf5Bi8<{pLzlP-Op(pHJ(OpTNIaV;b!%2f=7u&t#kKJMq8f;#_Qbp)
zMY<5g-1a0JJR>^+f%!Nset)j^G@>QzS^TuElVYu$y?`N@PC$iy$*bMe-8T57%<k@!
zh0>GJwDBnmAFAr_U*=ES04k>V`xF_}8(!_kmO*)=t4gTzG5vKu1UPuue;t-!fE4Ul
zVyY(2{yA0TZ1HEtT~1TyqALG{Xd)EP%r2j(!7l(vF6h9qM_2U3HBh51(-)nPxig}~
zCqZ&{Zi*CtLtzt$lv~Oo7co3)6jYPpsp2|;Dz~2ivzOMU_Lll#`Ym-dEo~$Iv%ZA{
zIO1^7dQ)DD5mFy8f}Uf3q^83tqQDh0JL`ZE*Z*1^<v~4&f2enZn8F?zOf$MmcS<)U
za#gRMidq3Apwd;}rp&yG9%_)g1ASx+85s}6x$2X2n@m;{i?Yo%R!%m*-KT4*8!S*?
z$?CQ_AB?cfwHEprMXy7pZY2}X_?5fT%?;JK8t)q~c~S#%X=In&hlF7M98;OMm>%mB
zFeu$v7Zz7U-FL`x1kxtxxmE#JMAeg_EoX+<<ZV~f%hlA+@ZpO(NvSLGVRAJ=^rf1m
zqY&(9lyT1O+<-S6QOYyK`=Z6*lDzt{R)Km7Jw}c17<ODm5bKo9CigkabT?*g9l4P5
zqzZDDFawqf&sS$AMUjsi_r}!%t{ucgjsEaBGM&rxMFDT>;#S{%SJK9KANZAe+&GYC
z@G$0Ew()7G3_d?f#74<I`5NP7zEf5-vX8{aQEBE?onWs>Ib9%Jye0mgAicD&TCv47
zb<NHY^^%8_%?qG#I@|zp<(g2^CAb(oex$QOlx!cMDn|WS38z-i;Ko+LZ#Fqc3PY?y
z@+KxgC0W1Er~r+sLEyYtjQ^F+<f&;>&i4%2SmNMz2(g5Cxh`Cte9#di*BjSXkZ0}&
z;}P?ti4JB*_UA|#20||mq$U~I67#bf)>mTY)5v)!4j(I|A@=-Sk|V>wluSPKx5>9y
z;R%^O!29pwV~pGw<LgHXD<<j7S=s>uaMLShWqD0q>tt`aMdt7)B{WU$jmttwACt5;
z^|8Jo<(r?;>YCi(P+@Bz#aL^D8jW@L1bRB(x$hnJxCVJW``qVRZj|sJ#c<wAkm(KO
zQqLrID&TPVt4>PrTm+N_v673iFll3o(;Al+cM`ks*9+IJDjjErXGBpJI(Qi(N^7D=
zNwa1-rQK;;2+?^(uLfw5?Cx{h)30a)QPi72ig6`a!nimD4G9EAnr1&-u829%&rr;a
zs4wKrRamG3f=N~*5Na_~ElfU3bW$v5e?u4t?%drpq3YTUq=I*<LoA)bT{C)3i4AJS
z>FK3V&=Yd{*be!pBU0<jB^XT0pJx?HN^+WsF<FAj$jvk%!XZAR6&gR_RuWvWDVQkf
z4HURK3)<4j>ep_`6qk)5ipyb~io>=NqcC8H0wUuOR<#P1&XSlNaR+XqJZ^gTU7W_=
z?{Q%WKug)4luPW_6RO5(Bc;x0rp-C~$FDWIHF6k9IWY2h);59Hw6*x$jJv(z%(cHk
z$<^35nmFnS1oJ3B*qpL@20P6SjBp!SE#2(n*qece4YzP_?WyR<jB^Mr3_d5;www*Y
z){a#Pg{5JK-<Y}w*Bi?rhw_;H6W26QBDLW{Q2sV3)*{>aiTJbv<K_qA!>_;-k(_fm
z3-%dANOBr8i^cF;fxv|jIUeflbyPW3be|~}e`U2iN^bNTM3=gN)SN4Ze?0Vynm>>f
zkwkU<t6(O?2a>A!;>qRDKw;(_gy<m>6mf%p2Q-fj&@A@%`sXjcz`C3e{9pQj=>H&a
z5nKZIKWMng%2yWt`pCAW%(cRJcR9{=IVRXM$~E)%l`CG-7G?TsV<+ba>z~OQi{nB+
z;}M=)jply-F-dfECd|rOD&)y5JZ(F*)huA1o0*8(#})1mmt)Ah|7&xeRWD(LoLQnF
zmBoANmIT?N7-z9RT-x%6Rzkka|6n$u9GjRd9?5^;{+aqeb!f3*grYMTSa<{k=+)Xk
z;Mt#IA*Nc@1+5lSXXGmJIU87_#^--)#UCV(_4`0U2S?6oaUoJJAji=K2P8c5z6GmW
zA@b6j-Is3l)tkw7Lmx-<!%$UPLJqDMK*Y+ckg+hd@@n7>`wKv_u)@Hh^093U4FTuI
zd76B2)bn!`R!AO$Ww(8^M6NM)f~I6|PyDj&NR<K$dlS|+lR1t3eTpF3hag3FL@?W2
z|DqakFnVrvdw+LOk8`uEc{~Q%kGHG)ik=o1f;vjx&+hbcx5&=xfp)z+_)R&a?|u5U
zUE+6k4dy8W11D1xDH$mlytuH(UghmLZp)R-Evzp1`tMUbgM-5bcPVxJSHAfbOHwN9
z0`Gu|+64uEa`!ei+&D*bXtM>}@qAj#6t{FnU60N!y&H(7ea{h^eFY+j?$$((xN-0L
z$40<k2b!qVOw;Ol9tawn9hALeFiq%r(WpSlQxcN$X?9MU%KXt4MX7b>(V8>Pgk0mW
z&J4;a+c!mV^(2+}5Q72!@elaLzuq|x4w$u(^@UImO(^uo-E(%PCDuhIlurG|4He)Z
z(x@~J9X7@MRYf!@gLgN%*};!vl02LZBb$->91Z=d)WAPisL(?iEX+SoXn?;EK*fX{
zdN4C~&N=)0J^w&%tlNz;ufm=f>6~m-Y&cz!JjnZPyq?Z)9ixt%PogzwN;<U%$eUB!
z+nWbwE#Par@)4G0QhC>?$mqog#CjIcJLbSRN033ikgmt8_o(&_imC3tT`diQbWto^
zC$8DWB%JH2gHdj*o=4dP%_L>7u~*x+n%3>3vT5erTc}3)ec7~;$=sag3IpzG>G5M%
zJB21*Tii9Qhogs`kUC7cr>Ua|3L@Elh^5YwI*vPtvu-OAGVJAxBcX{IG4My)t1_$*
zbcP$<<-@$`*d0FMG)0#mX?=Vp(uMwXGi~%1ElkV=>}%!=-4!qvbWfnpjtJe9|8jPi
zKfCf57h%QcRCS$Ak+T_ZK!K6dzmO5uvyg93N@Ui>&M=%5Yq7Umu~MlS;)qCyfNfB|
z(T69RH~J%FC;IW09l<3uZaceu`Fc%SX42^-OI}jl3H?CgUqcZi&$!1i>ua35s5mDY
zqLeyGiJ_2KYzr1lT7KKuvs4+roEDi~jU2t2^{$Mzw<cA2Uzp8Gm_*c2bajw!;^c-q
z*$7Bd(<_)>0Hsa(UCfA4ZVJwqRS7J8{17ajc<(;9NZG8hnOv_CEJrEvd8EV|`~!mO
z$$iYc=jq_Z%2sll_x7<~S?}ai!DrRFTP_Kk{`nE>k-l!M6P2$Rmsb;h%e-&oGgxz=
zQalFH-2Mz65m6kLKhLY_-$~dRp?Lvx7FBSBw^LFF%zgc$&h1&nMS`;O@%<i&h5*kl
zQ}p8RHILg=z<u&Ma^yTO$5#5i5Z!9X?3UJ+Z@7uN#q>u-8F*8krKC1?d`WZ~W^oBn
zc*X&PfoN|Ym07No6NZ>eE!UYwwGq3t6UUttmyq*Uv>ur*EmCE7%t$d)Of`2s%gTKA
z?q$dInJJ9Hj2~Hv?`qgUrFn%c2sC%yM>eSxsneLbZIU7Iz$rpEL6#IE;<o%|qI18p
z#^|9>xmFov0`gy^RAOP&!3CL2X7u#KYQj~^vh%5LGPy}O8txKSF+4lx&E}2pp6`*w
zY>p(ArE)r#3}Xfa`VIDvT0bHa<RBjQnD1n|XUD`fmjHQWjdN=~F-*0!)DxS4g$tg;
zz~w7%<(5}%Y$dGnk&5LJ#quD_@OX!0*Q3UP?m*b8u)dkOMeGv%R~t=;8ASRz1bubp
zX7Y@8d@^lEF0RSz&1k0Mpl2FFA8PqV76<3WgS%|`q!QHMst0gCJ`e13T`7y-(0%Pb
zl})j81i=K%IZ659L~?AGPg9~#A$$-N+)1WdO_3wTr<X0@?ZcDlwT`Ieb)lIuShNJN
z^Fwh?pZM}IUg{db?$VVlm*|=HIRJL-I?dU35_=i>tl=D-U!S-M@XViWd^*BI$j;5c
zVIMKz8#T)GbsYxd+T47mttfwY^84n?I<vf#ed8TOWw@<g1gp8~EP^Lo_GsLwy@f2S
ztb$ZH@nnp5%6+~HyJt|M-r5DXzY_jB+Y^?TjMve+W~P&#3zhr=aG!YKD&ubPxIp0b
zT`XOKu<ml@F2dga!ZKEQv>V30n#F&Ye1YXMS-`&``=3ki0^0qQX3S}&YSqi!G*3mm
z3HeU&p3JJD`30cDz|FQZu!%lK|2=>98_&Ryu`U=LxlIAmMj79&TsjnN)|dt3H&?p&
zyuosY>Dx=_FXQBcaw;?<b5f2^tmhJ~rSIhuV;km`btx~tQSqxi&bC?UonbGsO=33Q
zFRU&Zv5`&*dnu|K77t&^8yen?47-n`(WtSndpQGO9TY!7eI4>SqaS_f{ri&#)y$mO
zq-$TVeb?2Gp1^&>?T2@hxpvv^Xf1Fz!x~-o7KRcJ!RjUti86(|M(8TTk{yYc4ETb`
zbYf3%LxTbD4v~t55CJK{>utO3w72)t2pD>KAp^|Rx=C1q986;Y$8p8}MU})B+daS)
z%(ibuQU=ziVSc<mdvn`kh8?kRvu(TC1(zE4N;pTZie%08fej@c5_`i&*UasRWtt^=
z6`k_d#Aa3!d#&ikJjZP(4{~T*8{bbEJmD7?Phm@r`zPKTM5AqV1&mQBd84#%)trLX
zNE1&+%eLG$p8MqBH!*i<rSwj^j0>u|&8}+DmU}Bom%AqgQ=5c;aM2c8uY~f`pU9QD
z5K-oBBl_cE*tK9yx;*yyYQ<@AWyPP_?1#7`{=l(jE6M2r%Fc@Z{BpH`I?n6WLyj0d
zL+nUd|DDmQE}5i7KF8<?G>j|B;StB1(Ze7yZxi_qMIvd6UW6TdIN+13BGs;dA;Zyw
z&LH7sGaP(MsOGZ~^3$kSJ}dteAzN|7!G{i+b$<>~#M!zjGvXQp#Zyg&@U1L@_YoN<
z?zc$$LXRbVr!$@pj~;%L>(=l?*1D<{I8WQKY_Oe1AbdA_Zh{Y=6w_^;0@g;(d0?$q
z7LW7fxs!WWPFb)pyAVfGf+n%k&V^TLJw;^FQvm5qprF!=;7kPU5*!o-Og`IYjX7{V
z#8!ud%@$cTBD%dIwAN+)ehZ!H^=l++c+c+A6@?`Gy4m4R*u!QqgRSS&@RPyd`9PG{
zNDNZFXwvd2SWJV!u<t`f@%q~m=5lwWap4lCm=;VJZ$BwmI3*1zs2i;1x%890Ghqr;
z47H{fkUa?Z_kzoOHkMAbN45q`(mMJr91^rmmg-@LVJyMskK$!YtF!FlE)*CY6Ew-3
zfM;{Jc}~yF#+eU_4x~dp_IhB%EwI!Yoll9ygJ|6`vo3boEnAMfJhI(yvn~JhBw}I{
zB%CCUvnj&o>`_LNp#0hC-;88^{wo$kx$W%Vxa8_qJcK`OcKZTwkBT>e`^?h6O4+}q
ze@QE+%SpeD(OcA6?~~*d*?i@YaQvyvH!JpX>e(CZ0`ZDG2-Uu~Q5b?JHl5!xB7(hy
z2M-qDrAmO|i+{(Ecjyaf#3BRweS5c|&Az5>d?o6?ZBpxE*6}Jx%J`}}ci(npL-++S
z@&En^SPY%2*N+~0MLBKT_oPLH!1dP0K}5yhwJF}2_<g14CF_)$A;o8ODg5u9sT(Kb
L1yKG1cv<{EgVT$s

literal 0
HcmV?d00001