feat(auth, docs): add label support for Gemini web token management

- Added `label` field to the management API for better token identification.
- Updated request payload and validation logic to include `label` as a required field.
- Adjusted documentation (`MANAGEMENT_API.md`, `MANAGEMENT_API_CN.md`) to reflect changes.

MANAGEMENT_API.md

@@ -664,7 +664,7 @@ These endpoints initiate provider login flows and return a URL to open in a brow
     ```bash
     curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
       -H 'Content-Type: application/json' \
-      -d '{"secure_1psid": "<__Secure-1PSID>", "secure_1psidts": "<__Secure-1PSIDTS>"}' \
+      -d '{"secure_1psid": "<__Secure-1PSID>", "secure_1psidts": "<__Secure-1PSIDTS>", "label": "<LABEL>"}' \
       http://localhost:8317/v0/management/gemini-web-token
     ```
   - Response:

MANAGEMENT_API_CN.md

@@ -664,7 +664,7 @@
     ```bash
     curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
       -H 'Content-Type: application/json' \
-      -d '{"secure_1psid": "<__Secure-1PSID>", "secure_1psidts": "<__Secure-1PSIDTS>"}' \
+      -d '{"secure_1psid": "<__Secure-1PSID>", "secure_1psidts": "<__Secure-1PSIDTS>", "label": "<LABEL>"}' \
       http://localhost:8317/v0/management/gemini-web-token
     ```
   - 响应：

internal/api/handlers/management/auth_files.go

@@ -689,6 +689,7 @@ func (h *Handler) CreateGeminiWebToken(c *gin.Context) {
 	var payload struct {
 		Secure1PSID   string `json:"secure_1psid"`
 		Secure1PSIDTS string `json:"secure_1psidts"`
+		Label         string `json:"label"`
 	}
 	if err := c.ShouldBindJSON(&payload); err != nil {
 		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid body"})
@@ -696,6 +697,7 @@ func (h *Handler) CreateGeminiWebToken(c *gin.Context) {
 	}
 	payload.Secure1PSID = strings.TrimSpace(payload.Secure1PSID)
 	payload.Secure1PSIDTS = strings.TrimSpace(payload.Secure1PSIDTS)
+	payload.Label = strings.TrimSpace(payload.Label)
 	if payload.Secure1PSID == "" {
 		c.JSON(http.StatusBadRequest, gin.H{"error": "secure_1psid is required"})
 		return
@@ -704,6 +706,10 @@ func (h *Handler) CreateGeminiWebToken(c *gin.Context) {
 		c.JSON(http.StatusBadRequest, gin.H{"error": "secure_1psidts is required"})
 		return
 	}
+	if payload.Label == "" {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "label is required"})
+		return
+	}
 
 	sha := sha256.New()
 	sha.Write([]byte(payload.Secure1PSID))
@@ -713,7 +719,10 @@ func (h *Handler) CreateGeminiWebToken(c *gin.Context) {
 	tokenStorage := &geminiAuth.GeminiWebTokenStorage{
 		Secure1PSID:   payload.Secure1PSID,
 		Secure1PSIDTS: payload.Secure1PSIDTS,
+		Label:         payload.Label,
 	}
+	// Provide a stable label (gemini-web-<hash>) for logging and identification
+	tokenStorage.Label = strings.TrimSuffix(fileName, ".json")
 
 	record := &sdkAuth.TokenRecord{
 		Provider: "gemini-web",

internal/auth/gemini/gemini-web_token.go

@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"strings"
 	"time"
 
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/misc"
@@ -20,12 +21,25 @@ type GeminiWebTokenStorage struct {
 	Secure1PSIDTS string `json:"secure_1psidts"`
 	Type          string `json:"type"`
 	LastRefresh   string `json:"last_refresh,omitempty"`
+	// Label is a stable account identifier used for logging, e.g. "gemini-web-<hash>".
+	// It is derived from the auth file name when not explicitly set.
+	Label string `json:"label,omitempty"`
 }
 
 // SaveTokenToFile serializes the Gemini Web token storage to a JSON file.
 func (ts *GeminiWebTokenStorage) SaveTokenToFile(authFilePath string) error {
 	misc.LogSavingCredentials(authFilePath)
 	ts.Type = "gemini-web"
+	// Auto-derive a stable label from the file name if missing.
+	if ts.Label == "" {
+		base := filepath.Base(authFilePath)
+		if strings.HasSuffix(strings.ToLower(base), ".json") {
+			base = strings.TrimSuffix(base, filepath.Ext(base))
+		}
+		if base != "" {
+			ts.Label = base
+		}
+	}
 	if ts.LastRefresh == "" {
 		ts.LastRefresh = time.Now().Format(time.RFC3339)
 	}

internal/cmd/gemini-web_auth.go

@@ -6,42 +6,134 @@ import (
 	"context"
 	"crypto/sha256"
 	"encoding/hex"
+	"encoding/json"
 	"fmt"
+	"net/http"
 	"os"
+	"runtime"
 	"strings"
+	"time"
 
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/auth/gemini"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/util"
 	sdkAuth "github.com/router-for-me/CLIProxyAPI/v6/sdk/auth"
 	log "github.com/sirupsen/logrus"
 )
 
 // DoGeminiWebAuth handles the process of creating a Gemini Web token file.
-// It prompts the user for their cookie values and saves them to a JSON file.
+// New flow:
+//  1. Prompt user to paste the full cookie string.
+//  2. Extract __Secure-1PSID and __Secure-1PSIDTS from the cookie string.
+//  3. Call https://accounts.google.com/ListAccounts with the cookie to obtain email.
+//  4. Save auth file with the same structure, and set Label to the email.
 func DoGeminiWebAuth(cfg *config.Config) {
+	var secure1psid, secure1psidts, email string
+
 	reader := bufio.NewReader(os.Stdin)
+	isMacOS := strings.HasPrefix(runtime.GOOS, "darwin")
+	if !isMacOS {
+		fmt.Print("Paste your full Google Cookie and press Enter: ")
+		rawCookie, _ := reader.ReadString('\n')
+		rawCookie = strings.TrimSpace(rawCookie)
+		if rawCookie == "" {
+			log.Fatal("Cookie cannot be empty")
+			return
+		}
 
-	fmt.Print("Enter your __Secure-1PSID cookie value: ")
-	secure1psid, _ := reader.ReadString('\n')
-	secure1psid = strings.TrimSpace(secure1psid)
+		// Parse K=V cookie pairs separated by ';'
+		cookieMap := make(map[string]string)
+		parts := strings.Split(rawCookie, ";")
+		for _, p := range parts {
+			p = strings.TrimSpace(p)
+			if p == "" {
+				continue
+			}
+			if eq := strings.Index(p, "="); eq > 0 {
+				k := strings.TrimSpace(p[:eq])
+				v := strings.TrimSpace(p[eq+1:])
+				if k != "" {
+					cookieMap[k] = v
+				}
+			}
+		}
+		secure1psid = strings.TrimSpace(cookieMap["__Secure-1PSID"])
+		secure1psidts = strings.TrimSpace(cookieMap["__Secure-1PSIDTS"])
 
+		// Build HTTP client with proxy settings respected.
+		httpClient := &http.Client{Timeout: 15 * time.Second}
+		httpClient = util.SetProxy(cfg, httpClient)
+
+		// Request ListAccounts to extract email as label (use POST per upstream behavior).
+		req, err := http.NewRequest(http.MethodPost, "https://accounts.google.com/ListAccounts", nil)
+		if err != nil {
+			fmt.Printf("Failed to create request: %v\n", err)
+			return
+		}
+		req.Header.Set("Cookie", rawCookie)
+		req.Header.Set("Accept", "application/json, text/plain, */*")
+		req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")
+		req.Header.Set("Origin", "https://accounts.google.com")
+		req.Header.Set("Content-Type", "application/x-www-form-urlencoded;charset=UTF-8")
+
+		resp, err := httpClient.Do(req)
+
+		if err != nil {
+			fmt.Printf("Request to ListAccounts failed: %v\n", err)
+		} else {
+			defer func() {
+				_ = resp.Body.Close()
+			}()
+			if resp.StatusCode != http.StatusOK {
+				fmt.Printf("ListAccounts returned status code: %d\n", resp.StatusCode)
+			} else {
+				var payload []any
+				if err = json.NewDecoder(resp.Body).Decode(&payload); err != nil {
+					fmt.Printf("Failed to parse ListAccounts response: %v\n", err)
+				} else {
+					// Expected structure like: ["gaia.l.a.r", [["gaia.l.a",1,"Name","email@example.com", ... ]]]
+					if len(payload) >= 2 {
+						if accounts, ok := payload[1].([]any); ok && len(accounts) >= 1 {
+							if first, ok1 := accounts[0].([]any); ok1 && len(first) >= 4 {
+								if em, ok2 := first[3].(string); ok2 {
+									email = strings.TrimSpace(em)
+								}
+							}
+						}
+					}
+					if email == "" {
+						fmt.Println("Failed to parse email from ListAccounts response")
+					}
+				}
+			}
+		}
+	}
+
+	// Fallback: prompt user to input missing values
 	if secure1psid == "" {
-		log.Fatal("The __Secure-1PSID value cannot be empty.")
-		return
+		if !isMacOS {
+			fmt.Print("Cookie missing __Secure-1PSID. ")
+		}
+		fmt.Print("Enter __Secure-1PSID: ")
+		v, _ := reader.ReadString('\n')
+		secure1psid = strings.TrimSpace(v)
 	}
-
-	fmt.Print("Enter your __Secure-1PSIDTS cookie value: ")
-	secure1psidts, _ := reader.ReadString('\n')
-	secure1psidts = strings.TrimSpace(secure1psidts)
-
 	if secure1psidts == "" {
-		fmt.Println("The __Secure-1PSIDTS value cannot be empty.")
+		if !isMacOS {
+			fmt.Print("Cookie missing __Secure-1PSID. ")
+		}
+		fmt.Print("Enter __Secure-1PSIDTS: ")
+		v, _ := reader.ReadString('\n')
+		secure1psidts = strings.TrimSpace(v)
+	}
+	if secure1psid == "" || secure1psidts == "" {
+		log.Fatal("__Secure-1PSID and __Secure-1PSIDTS cannot be empty")
 		return
 	}
-
-	tokenStorage := &gemini.GeminiWebTokenStorage{
-		Secure1PSID:   secure1psid,
-		Secure1PSIDTS: secure1psidts,
+	if isMacOS {
+		fmt.Print("Enter your account email: ")
+		v, _ := reader.ReadString('\n')
+		email = strings.TrimSpace(v)
 	}
 
 	// Generate a filename based on the SHA256 hash of the PSID
@@ -49,6 +141,26 @@ func DoGeminiWebAuth(cfg *config.Config) {
 	hasher.Write([]byte(secure1psid))
 	hash := hex.EncodeToString(hasher.Sum(nil))
 	fileName := fmt.Sprintf("gemini-web-%s.json", hash[:16])
+
+	// Decide label: prefer email; fallback prompt then file name without .json
+	defaultLabel := strings.TrimSuffix(fileName, ".json")
+	label := email
+	if label == "" {
+		fmt.Printf("Enter label for this auth (default: %s): ", defaultLabel)
+		v, _ := reader.ReadString('\n')
+		v = strings.TrimSpace(v)
+		if v != "" {
+			label = v
+		} else {
+			label = defaultLabel
+		}
+	}
+
+	tokenStorage := &gemini.GeminiWebTokenStorage{
+		Secure1PSID:   secure1psid,
+		Secure1PSIDTS: secure1psidts,
+		Label:         label,
+	}
 	record := &sdkAuth.TokenRecord{
 		Provider: "gemini-web",
 		FileName: fileName,

internal/provider/gemini-web/client.go

@@ -9,8 +9,6 @@ import (
 	"net/http"
 	"net/http/cookiejar"
 	"net/url"
-	"os"
-	"path/filepath"
 	"regexp"
 	"strings"
 	"time"
@@ -97,8 +95,12 @@ func getAccessToken(baseCookies map[string]string, proxy string, verbose bool, i
 	{
 		client := newHTTPClient(httpOptions{ProxyURL: proxy, Insecure: insecure, FollowRedirects: true})
 		req, _ := http.NewRequest(http.MethodGet, EndpointGoogle, nil)
-		resp, _ := client.Do(req)
-		if resp != nil {
+		resp, err := client.Do(req)
+		if err != nil {
+			if verbose {
+				log.Debugf("priming google cookies failed: %v", err)
+			}
+		} else if resp != nil {
 			if u, err := url.Parse(EndpointGoogle); err == nil {
 				for _, c := range client.Jar.Cookies(u) {
 					extraCookies[c.Name] = c.Value
@@ -122,19 +124,6 @@ func getAccessToken(baseCookies map[string]string, proxy string, verbose bool, i
 		}
 	}
 
-	cacheDir := "temp"
-	_ = os.MkdirAll(cacheDir, 0o755)
-	if v1, ok1 := baseCookies["__Secure-1PSID"]; ok1 {
-		cacheFile := filepath.Join(cacheDir, ".cached_1psidts_"+v1+".txt")
-		if b, err := os.ReadFile(cacheFile); err == nil {
-			cv := strings.TrimSpace(string(b))
-			if cv != "" {
-				merged := map[string]string{"__Secure-1PSID": v1, "__Secure-1PSIDTS": cv}
-				trySets = append(trySets, merged)
-			}
-		}
-	}
-
 	if len(extraCookies) > 0 {
 		trySets = append(trySets, extraCookies)
 	}
@@ -172,18 +161,10 @@ func rotate1PSIDTS(cookies map[string]string, proxy string, insecure bool) (stri
 		return "", &AuthError{Msg: "__Secure-1PSID missing"}
 	}
 
-	tr := &http.Transport{}
-	if proxy != "" {
-		if pu, err := url.Parse(proxy); err == nil {
-			tr.Proxy = http.ProxyURL(pu)
-		}
-	}
-	if insecure {
-		tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
-	}
-	client := &http.Client{Transport: tr, Timeout: 60 * time.Second}
+	// Reuse shared HTTP client helper for consistency.
+	client := newHTTPClient(httpOptions{ProxyURL: proxy, Insecure: insecure, FollowRedirects: true})
 
-	req, _ := http.NewRequest(http.MethodPost, EndpointRotateCookies, io.NopCloser(stringsReader("[000,\"-0000000000000000000\"]")))
+	req, _ := http.NewRequest(http.MethodPost, EndpointRotateCookies, strings.NewReader("[000,\"-0000000000000000000\"]"))
 	applyHeaders(req, HeadersRotateCookies)
 	applyCookies(req, cookies)
 
@@ -207,25 +188,18 @@ func rotate1PSIDTS(cookies map[string]string, proxy string, insecure bool) (stri
 			return c.Value, nil
 		}
 	}
+	// Fallback: check cookie jar in case the Set-Cookie was on a redirect hop
+	if u, err := url.Parse(EndpointRotateCookies); err == nil && client.Jar != nil {
+		for _, c := range client.Jar.Cookies(u) {
+			if c.Name == "__Secure-1PSIDTS" && c.Value != "" {
+				return c.Value, nil
+			}
+		}
+	}
 	return "", nil
 }
 
-type constReader struct {
-	s string
-	i int
-}
-
-func (r *constReader) Read(p []byte) (int, error) {
-	if r.i >= len(r.s) {
-		return 0, io.EOF
-	}
-	n := copy(p, r.s[r.i:])
-	r.i += n
-	return n, nil
-}
-
-func stringsReader(s string) io.Reader { return &constReader{s: s} }
-
+// MaskToken28 masks a sensitive token for safe logging. Keep middle partially visible.
 func MaskToken28(s string) string {
 	n := len(s)
 	if n == 0 {
@@ -318,7 +292,7 @@ func (c *GeminiClient) Close(delaySec float64) {
 	c.Running = false
 }
 
-// ensureRunning mirrors the Python decorator behavior and retries on APIError.
+// ensureRunning mirrors the decorator behavior and retries on APIError.
 func (c *GeminiClient) ensureRunning() error {
 	if c.Running {
 		return nil
@@ -431,21 +405,10 @@ func (c *GeminiClient) generateOnce(prompt string, files []string, model Model,
 	form.Set("f.req", string(outerJSON))
 
 	req, _ := http.NewRequest(http.MethodPost, EndpointGenerate, strings.NewReader(form.Encode()))
-	// headers
-	for k, v := range HeadersGemini {
-		for _, vv := range v {
-			req.Header.Add(k, vv)
-		}
-	}
-	for k, v := range model.ModelHeader {
-		for _, vv := range v {
-			req.Header.Add(k, vv)
-		}
-	}
+	applyHeaders(req, HeadersGemini)
+	applyHeaders(req, model.ModelHeader)
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded;charset=utf-8")
-	for k, v := range c.Cookies {
-		req.AddCookie(&http.Cookie{Name: k, Value: v})
-	}
+	applyCookies(req, c.Cookies)
 
 	resp, err := c.httpClient.Do(req)
 	if err != nil {
@@ -456,7 +419,7 @@ func (c *GeminiClient) generateOnce(prompt string, files []string, model Model,
 	}()
 
 	if resp.StatusCode == 429 {
-		// Surface 429 as TemporarilyBlocked to match Python behavior
+		// Surface 429 as TemporarilyBlocked to match reference behavior
 		c.Close(0)
 		return empty, &TemporarilyBlocked{GeminiError{Msg: "Too many requests. IP temporarily blocked."}}
 	}
@@ -536,7 +499,7 @@ func (c *GeminiClient) generateOnce(prompt string, files []string, model Model,
 				}
 			}
 		}
-		// Parse nested error code to align with Python mapping
+		// Parse nested error code to align with error mapping
 		var top []any
 		// Prefer lastTop from fallback scan; otherwise try parts[2]
 		if len(lastTop) > 0 {
@@ -559,7 +522,7 @@ func (c *GeminiClient) generateOnce(prompt string, files []string, model Model,
 			}
 		}
 		// Debug("Invalid response: control frames only; no body found")
-		// Close the client to force re-initialization on next request (parity with Python client behavior)
+		// Close the client to force re-initialization on next request (parity with reference client behavior)
 		c.Close(0)
 		return empty, &APIError{Msg: "Failed to generate contents. Invalid response data received."}
 	}
@@ -782,7 +745,7 @@ func (c *GeminiClient) generateOnce(prompt string, files []string, model Model,
 }
 
 // extractErrorCode attempts to navigate the known nested error structure and fetch the integer code.
-// Mirrors Python path: response_json[0][5][2][0][1][0]
+// Mirrors reference path: response_json[0][5][2][0][1][0]
 func extractErrorCode(top []any) (int, bool) {
 	if len(top) == 0 {
 		return 0, false

internal/provider/gemini-web/media.go

@@ -2,7 +2,6 @@ package geminiwebapi
 
 import (
 	"bytes"
-	"crypto/tls"
 	"encoding/base64"
 	"encoding/json"
 	"errors"
@@ -11,8 +10,6 @@ import (
 	"math"
 	"mime/multipart"
 	"net/http"
-	"net/http/cookiejar"
-	"net/url"
 	"os"
 	"path/filepath"
 	"regexp"
@@ -55,7 +52,7 @@ func (i Image) Save(path string, filename string, cookies map[string]string, ver
 			filename = q[0]
 		}
 	}
-	// Regex validation (align with Python: ^(.*\.\w+)) to extract name with extension.
+	// Regex validation (pattern: ^(.*\.\w+)) to extract name with extension.
 	if filename != "" {
 		re := regexp.MustCompile(`^(.*\.\w+)`)
 		if m := re.FindStringSubmatch(filename); len(m) >= 2 {
@@ -69,20 +66,11 @@ func (i Image) Save(path string, filename string, cookies map[string]string, ver
 			}
 		}
 	}
-	// Build client with cookie jar so cookies persist across redirects.
-	tr := &http.Transport{}
-	if i.Proxy != "" {
-		if pu, err := url.Parse(i.Proxy); err == nil {
-			tr.Proxy = http.ProxyURL(pu)
-		}
-	}
-	if insecure {
-		tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
-	}
-	jar, _ := cookiejar.New(nil)
-	client := &http.Client{Transport: tr, Timeout: 120 * time.Second, Jar: jar}
+	// Build client using shared helper to keep proxy/TLS behavior consistent.
+	client := newHTTPClient(httpOptions{ProxyURL: i.Proxy, Insecure: insecure, FollowRedirects: true})
+	client.Timeout = 120 * time.Second
 
-	// Helper to set raw Cookie header using provided cookies (to mirror Python client behavior).
+	// Helper to set raw Cookie header using provided cookies (parity with the reference client behavior).
 	buildCookieHeader := func(m map[string]string) string {
 		if len(m) == 0 {
 			return ""
@@ -352,23 +340,11 @@ func uploadFile(path string, proxy string, insecure bool) (string, error) {
 	}
 	_ = mw.Close()
 
-	tr := &http.Transport{}
-	if proxy != "" {
-		if pu, errParse := url.Parse(proxy); errParse == nil {
-			tr.Proxy = http.ProxyURL(pu)
-		}
-	}
-	if insecure {
-		tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
-	}
-	client := &http.Client{Transport: tr, Timeout: 300 * time.Second}
+	client := newHTTPClient(httpOptions{ProxyURL: proxy, Insecure: insecure, FollowRedirects: true})
+	client.Timeout = 300 * time.Second
 
 	req, _ := http.NewRequest(http.MethodPost, EndpointUpload, &buf)
-	for k, v := range HeadersUpload {
-		for _, vv := range v {
-			req.Header.Add(k, vv)
-		}
-	}
+	applyHeaders(req, HeadersUpload)
 	req.Header.Set("Content-Type", mw.FormDataContentType())
 	req.Header.Set("Accept", "*/*")
 	req.Header.Set("Connection", "keep-alive")

internal/provider/gemini-web/state.go

@@ -21,6 +21,7 @@ import (
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/interfaces"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/translator/translator"
 	cliproxyexecutor "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/executor"
+	log "github.com/sirupsen/logrus"
 	"github.com/tidwall/gjson"
 	"github.com/tidwall/sjson"
 	bolt "go.etcd.io/bbolt"
@@ -97,33 +98,27 @@ func (s *GeminiWebState) Label() string {
 }
 
 func (s *GeminiWebState) loadConversationCaches() {
-	if path := s.convStorePath(); path != "" {
-		if store, err := LoadConvStore(path); err == nil {
-			s.convStore = store
-		}
+	path := s.convPath()
+	if path == "" {
+		return
 	}
-	if path := s.convDataPath(); path != "" {
-		if items, index, err := LoadConvData(path); err == nil {
-			s.convData = items
-			s.convIndex = index
-		}
+	if store, err := LoadConvStore(path); err == nil {
+		s.convStore = store
+	}
+	if items, index, err := LoadConvData(path); err == nil {
+		s.convData = items
+		s.convIndex = index
 	}
 }
 
-func (s *GeminiWebState) convStorePath() string {
+// convPath returns the BoltDB file path used for both account metadata and conversation data.
+func (s *GeminiWebState) convPath() string {
 	base := s.storagePath
 	if base == "" {
-		base = s.accountID + ".json"
+		// Use accountID directly as base name; ConvBoltPath will append .bolt.
+		base = s.accountID
 	}
-	return ConvStorePath(base)
-}
-
-func (s *GeminiWebState) convDataPath() string {
-	base := s.storagePath
-	if base == "" {
-		base = s.accountID + ".json"
-	}
-	return ConvDataPath(base)
+	return ConvBoltPath(base)
 }
 
 func (s *GeminiWebState) GetRequestMutex() *sync.Mutex { return &s.reqMu }
@@ -174,6 +169,8 @@ func (s *GeminiWebState) Refresh(ctx context.Context) error {
 			s.client.Cookies["__Secure-1PSIDTS"] = newTS
 		}
 		s.tokenMu.Unlock()
+		// Detailed debug log: provider and account.
+		log.Debugf("gemini web account %s rotated 1PSIDTS: %s", s.accountID, MaskToken28(newTS))
 	}
 	s.lastRefresh = time.Now()
 	return nil
@@ -405,7 +402,7 @@ func (s *GeminiWebState) persistConversation(modelName string, prep *geminiWebPr
 			storeSnapshot[k] = cp
 		}
 		s.convMu.Unlock()
-		_ = SaveConvStore(s.convStorePath(), storeSnapshot)
+		_ = SaveConvStore(s.convPath(), storeSnapshot)
 	}
 
 	if !s.useReusableContext() {
@@ -433,7 +430,7 @@ func (s *GeminiWebState) persistConversation(modelName string, prep *geminiWebPr
 		indexSnapshot[k] = v
 	}
 	s.convMu.Unlock()
-	_ = SaveConvData(s.convDataPath(), dataSnapshot, indexSnapshot)
+	_ = SaveConvData(s.convPath(), dataSnapshot, indexSnapshot)
 }
 
 func (s *GeminiWebState) addAPIResponseData(ctx context.Context, line []byte) {
@@ -570,19 +567,9 @@ func HashConversation(clientID, model string, msgs []StoredMessage) string {
 	return Sha256Hex(b.String())
 }
 
-// ConvStorePath returns the path for account-level metadata persistence based on token file path.
-func ConvStorePath(tokenFilePath string) string {
-	wd, err := os.Getwd()
-	if err != nil || wd == "" {
-		wd = "."
-	}
-	convDir := filepath.Join(wd, "conv")
-	base := strings.TrimSuffix(filepath.Base(tokenFilePath), filepath.Ext(tokenFilePath))
-	return filepath.Join(convDir, base+".bolt")
-}
-
-// ConvDataPath returns the path for full conversation persistence based on token file path.
-func ConvDataPath(tokenFilePath string) string {
+// ConvBoltPath returns the BoltDB file path used for both account metadata and conversation data.
+// Different logical datasets are kept in separate buckets within this single DB file.
+func ConvBoltPath(tokenFilePath string) string {
 	wd, err := os.Getwd()
 	if err != nil || wd == "" {
 		wd = "."

sdk/cliproxy/auth/manager.go

@@ -286,7 +286,8 @@ func (m *Manager) executeWithProvider(ctx context.Context, provider string, req
 		} else if accountType == "oauth" {
 			log.Debugf("Use OAuth %s for model %s", accountInfo, req.Model)
 		} else if accountType == "cookie" {
-			log.Debugf("Use Cookie %s for model %s", util.HideAPIKey(accountInfo), req.Model)
+			// Only Gemini Web uses cookie; print stable account label as-is.
+			log.Debugf("Use Cookie %s for model %s", accountInfo, req.Model)
 		}
 
 		tried[auth.ID] = struct{}{}
@@ -333,7 +334,7 @@ func (m *Manager) executeCountWithProvider(ctx context.Context, provider string,
 		} else if accountType == "oauth" {
 			log.Debugf("Use OAuth %s for model %s", accountInfo, req.Model)
 		} else if accountType == "cookie" {
-			log.Debugf("Use Cookie %s for model %s", util.HideAPIKey(accountInfo), req.Model)
+			log.Debugf("Use Cookie %s for model %s", accountInfo, req.Model)
 		}
 
 		tried[auth.ID] = struct{}{}
@@ -380,7 +381,7 @@ func (m *Manager) executeStreamWithProvider(ctx context.Context, provider string
 		} else if accountType == "oauth" {
 			log.Debugf("Use OAuth %s for model %s", accountInfo, req.Model)
 		} else if accountType == "cookie" {
-			log.Debugf("Use Cookie %s for model %s", util.HideAPIKey(accountInfo), req.Model)
+			log.Debugf("Use Cookie %s for model %s", accountInfo, req.Model)
 		}
 
 		tried[auth.ID] = struct{}{}

sdk/cliproxy/auth/selector.go

@@ -57,21 +57,32 @@ func isAuthBlockedForModel(auth *Auth, model string, now time.Time) bool {
 	if auth.Disabled || auth.Status == StatusDisabled {
 		return true
 	}
-	if model != "" && len(auth.ModelStates) > 0 {
-		if state, ok := auth.ModelStates[model]; ok && state != nil {
-			if state.Status == StatusDisabled {
-				return true
-			}
-			if state.Unavailable {
-				if state.NextRetryAfter.IsZero() {
-					return false
-				}
-				if state.NextRetryAfter.After(now) {
+	// If a specific model is requested, prefer its per-model state over any aggregated
+	// auth-level unavailable flag. This prevents a failure on one model (e.g., 429 quota)
+	// from blocking other models of the same provider that have no errors.
+	if model != "" {
+		if len(auth.ModelStates) > 0 {
+			if state, ok := auth.ModelStates[model]; ok && state != nil {
+				if state.Status == StatusDisabled {
 					return true
 				}
+				if state.Unavailable {
+					if state.NextRetryAfter.IsZero() {
+						return false
+					}
+					if state.NextRetryAfter.After(now) {
+						return true
+					}
+				}
+				// Explicit state exists and is not blocking.
+				return false
 			}
 		}
+		// No explicit state for this model; do not block based on aggregated
+		// auth-level unavailable status. Allow trying this model.
+		return false
 	}
+	// No specific model context: fall back to auth-level unavailable window.
 	if auth.Unavailable && auth.NextRetryAfter.After(now) {
 		return true
 	}

sdk/cliproxy/auth/types.go

@@ -129,6 +129,13 @@ func (a *Auth) AccountInfo() (string, string) {
 		return "", ""
 	}
 	if strings.ToLower(a.Provider) == "gemini-web" {
+		// Prefer explicit label written into auth file (e.g., gemini-web-<hash>)
+		if a.Metadata != nil {
+			if v, ok := a.Metadata["label"].(string); ok && strings.TrimSpace(v) != "" {
+				return "cookie", strings.TrimSpace(v)
+			}
+		}
+		// Minimal fallback to cookie value for backward compatibility
 		if a.Metadata != nil {
 			if v, ok := a.Metadata["secure_1psid"].(string); ok && v != "" {
 				return "cookie", v
@@ -137,14 +144,6 @@ func (a *Auth) AccountInfo() (string, string) {
 				return "cookie", v
 			}
 		}
-		if a.Attributes != nil {
-			if v := a.Attributes["secure_1psid"]; v != "" {
-				return "cookie", v
-			}
-			if v := a.Attributes["api_key"]; v != "" {
-				return "cookie", v
-			}
-		}
 	}
 	if a.Metadata != nil {
 		if v, ok := a.Metadata["email"].(string); ok {