feat(translator): add usage metadata mapping for Gemini responses

- Implemented mapping for input, output, and total token usage in Gemini OpenAI response processing.
- Ensured compatibility with existing response structure even when specific token details are unavailable.

MANAGEMENT_API.md

@@ -95,7 +95,7 @@ If a plaintext key is detected in the config at startup, it will be bcrypt‑has
       ```
     - Response:
       ```json
-      {"debug":true,"proxy-url":"","api-keys":["1...5","JS...W"],"quota-exceeded":{"switch-project":true,"switch-preview-model":true},"generative-language-api-key":["AI...01", "AI...02", "AI...03"],"request-log":true,"request-retry":3,"claude-api-key":[{"api-key":"cr...56","base-url":"https://example.com/api"},{"api-key":"cr...e3","base-url":"http://example.com:3000/api"},{"api-key":"sk-...q2","base-url":"https://example.com"}],"codex-api-key":[{"api-key":"sk...01","base-url":"https://example/v1"}],"openai-compatibility":[{"name":"openrouter","base-url":"https://openrouter.ai/api/v1","api-keys":["sk...01"],"models":[{"name":"moonshotai/kimi-k2:free","alias":"kimi-k2"}]},{"name":"iflow","base-url":"https://apis.iflow.cn/v1","api-keys":["sk...7e"],"models":[{"name":"deepseek-v3.1","alias":"deepseek-v3.1"},{"name":"glm-4.5","alias":"glm-4.5"},{"name":"kimi-k2","alias":"kimi-k2"}]}],"allow-localhost-unauthenticated":true}
+      {"debug":true,"proxy-url":"","api-keys":["1...5","JS...W"],"quota-exceeded":{"switch-project":true,"switch-preview-model":true},"generative-language-api-key":["AI...01", "AI...02", "AI...03"],"request-log":true,"request-retry":3,"claude-api-key":[{"api-key":"cr...56","base-url":"https://example.com/api"},{"api-key":"cr...e3","base-url":"http://example.com:3000/api"},{"api-key":"sk-...q2","base-url":"https://example.com"}],"codex-api-key":[{"api-key":"sk...01","base-url":"https://example/v1"}],"openai-compatibility":[{"name":"openrouter","base-url":"https://openrouter.ai/api/v1","api-keys":["sk...01"],"models":[{"name":"moonshotai/kimi-k2:free","alias":"kimi-k2"}]},{"name":"iflow","base-url":"https://apis.iflow.cn/v1","api-keys":["sk...7e"],"models":[{"name":"deepseek-v3.1","alias":"deepseek-v3.1"},{"name":"glm-4.5","alias":"glm-4.5"},{"name":"kimi-k2","alias":"kimi-k2"}]}]}
       ```
 
 ### Debug
@@ -428,29 +428,6 @@ These endpoints update the inline `config-api-key` provider inside the `auth.pro
     { "status": "ok" }
     ```
 
-### Allow Localhost Unauthenticated
-- GET `/allow-localhost-unauthenticated` — Get boolean
-  - Request:
-    ```bash
-    curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' http://localhost:8317/v0/management/allow-localhost-unauthenticated
-    ```
-  - Response:
-    ```json
-    { "allow-localhost-unauthenticated": false }
-    ```
-- PUT/PATCH `/allow-localhost-unauthenticated` — Set boolean
-  - Request:
-    ```bash
-    curl -X PUT -H 'Content-Type: application/json' \
-    -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
-      -d '{"value":true}' \
-      http://localhost:8317/v0/management/allow-localhost-unauthenticated
-    ```
-  - Response:
-    ```json
-    { "status": "ok" }
-    ```
-
 ### Claude API KEY (object array)
 - GET `/claude-api-key` — List all
   - Request:
@@ -664,7 +641,7 @@ These endpoints initiate provider login flows and return a URL to open in a brow
     ```bash
     curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
       -H 'Content-Type: application/json' \
-      -d '{"secure_1psid": "<__Secure-1PSID>", "secure_1psidts": "<__Secure-1PSIDTS>"}' \
+      -d '{"secure_1psid": "<__Secure-1PSID>", "secure_1psidts": "<__Secure-1PSIDTS>", "label": "<LABEL>"}' \
       http://localhost:8317/v0/management/gemini-web-token
     ```
   - Response:

MANAGEMENT_API_CN.md

@@ -95,7 +95,7 @@
       ```
     - 响应:
       ```json
-      {"debug":true,"proxy-url":"","api-keys":["1...5","JS...W"],"quota-exceeded":{"switch-project":true,"switch-preview-model":true},"generative-language-api-key":["AI...01", "AI...02", "AI...03"],"request-log":true,"request-retry":3,"claude-api-key":[{"api-key":"cr...56","base-url":"https://example.com/api"},{"api-key":"cr...e3","base-url":"http://example.com:3000/api"},{"api-key":"sk-...q2","base-url":"https://example.com"}],"codex-api-key":[{"api-key":"sk...01","base-url":"https://example/v1"}],"openai-compatibility":[{"name":"openrouter","base-url":"https://openrouter.ai/api/v1","api-keys":["sk...01"],"models":[{"name":"moonshotai/kimi-k2:free","alias":"kimi-k2"}]},{"name":"iflow","base-url":"https://apis.iflow.cn/v1","api-keys":["sk...7e"],"models":[{"name":"deepseek-v3.1","alias":"deepseek-v3.1"},{"name":"glm-4.5","alias":"glm-4.5"},{"name":"kimi-k2","alias":"kimi-k2"}]}],"allow-localhost-unauthenticated":true}
+      {"debug":true,"proxy-url":"","api-keys":["1...5","JS...W"],"quota-exceeded":{"switch-project":true,"switch-preview-model":true},"generative-language-api-key":["AI...01", "AI...02", "AI...03"],"request-log":true,"request-retry":3,"claude-api-key":[{"api-key":"cr...56","base-url":"https://example.com/api"},{"api-key":"cr...e3","base-url":"http://example.com:3000/api"},{"api-key":"sk-...q2","base-url":"https://example.com"}],"codex-api-key":[{"api-key":"sk...01","base-url":"https://example/v1"}],"openai-compatibility":[{"name":"openrouter","base-url":"https://openrouter.ai/api/v1","api-keys":["sk...01"],"models":[{"name":"moonshotai/kimi-k2:free","alias":"kimi-k2"}]},{"name":"iflow","base-url":"https://apis.iflow.cn/v1","api-keys":["sk...7e"],"models":[{"name":"deepseek-v3.1","alias":"deepseek-v3.1"},{"name":"glm-4.5","alias":"glm-4.5"},{"name":"kimi-k2","alias":"kimi-k2"}]}]}
       ```
 
 ### Debug
@@ -428,29 +428,6 @@
     { "status": "ok" }
     ```
 
-### 允许本地未认证访问
-- GET `/allow-localhost-unauthenticated` — 获取布尔值
-  - 请求：
-    ```bash
-    curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' http://localhost:8317/v0/management/allow-localhost-unauthenticated
-    ```
-  - 响应：
-    ```json
-    { "allow-localhost-unauthenticated": false }
-    ```
-- PUT/PATCH `/allow-localhost-unauthenticated` — 设置布尔值
-  - 请求：
-    ```bash
-    curl -X PUT -H 'Content-Type: application/json' \
-    -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
-      -d '{"value":true}' \
-      http://localhost:8317/v0/management/allow-localhost-unauthenticated
-    ```
-  - 响应：
-    ```json
-    { "status": "ok" }
-    ```
-
 ### Claude API KEY（对象数组）
 - GET `/claude-api-key` — 列出全部
   - 请求：
@@ -664,7 +641,7 @@
     ```bash
     curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
       -H 'Content-Type: application/json' \
-      -d '{"secure_1psid": "<__Secure-1PSID>", "secure_1psidts": "<__Secure-1PSIDTS>"}' \
+      -d '{"secure_1psid": "<__Secure-1PSID>", "secure_1psidts": "<__Secure-1PSIDTS>", "label": "<LABEL>"}' \
       http://localhost:8317/v0/management/gemini-web-token
     ```
   - 响应：

README.md

@@ -62,6 +62,16 @@ The first Chinese provider has now been added: [Qwen Code](https://github.com/Qw
 
 ## Usage
 
+### GUI Client & Official WebUI
+
+#### [EasyCLI](https://github.com/router-for-me/EasyCLI)
+
+A cross-platform desktop GUI client for CLIProxyAPI. 
+
+#### [Cli-Proxy-API-Management-Center](https://github.com/router-for-me/Cli-Proxy-API-Management-Center)
+
+A web-based management center for CLIProxyAPI.  
+
 ### Authentication
 
 You can authenticate for Gemini, OpenAI, and/or Claude. All can coexist in the same `auth-dir` and will be load balanced.
@@ -270,6 +280,8 @@ The server uses a YAML configuration file (`config.yaml`) located in the project
 | `quota-exceeded.switch-project`         | boolean  | true               | Whether to automatically switch to another project when a quota is exceeded.                                                                                                              |
 | `quota-exceeded.switch-preview-model`   | boolean  | true               | Whether to automatically switch to a preview model when a quota is exceeded.                                                                                                              |
 | `debug`                                 | boolean  | false              | Enable debug mode for verbose logging.                                                                                                                                                    |
+| `logging-to-file`                       | boolean  | true               | Write application logs to rotating files instead of stdout. Set to `false` to log to stdout/stderr.                                                                                      |
+| `usage-statistics-enabled`              | boolean  | true               | Enable in-memory usage aggregation for management APIs. Disable to drop all collected usage metrics.                                                                                    |
 | `auth`                                  | object   | {}                 | Request authentication configuration.                                                                                                                                                     |
 | `auth.providers`                        | object[] | []                 | Authentication providers. Includes built-in `config-api-key` for inline keys.                                                                                                             |
 | `auth.providers.*.name`                 | string   | ""                 | Provider instance name.                                                                                                                                                                   |
@@ -319,6 +331,12 @@ auth-dir: "~/.cli-proxy-api"
 # Enable debug logging
 debug: false
 
+# When true, write application logs to rotating files instead of stdout
+logging-to-file: true
+
+# When false, disable in-memory usage statistics aggregation
+usage-statistics-enabled: true
+
 # Proxy URL. Supports socks5/http/https protocols. Example: socks5://user:pass@192.168.1.1:1080/
 proxy-url: ""
 
@@ -626,8 +644,11 @@ see [MANAGEMENT_API.md](MANAGEMENT_API.md)
 
 ## SDK Docs
 
-- Usage: `docs/sdk-usage.md` (中文: `docs/sdk-usage_CN.md`)
-- Advanced (executors & translators): `docs/sdk-advanced.md` (中文: `docs/sdk-advanced_CN.md`)
+- Usage: [docs/sdk-usage.md](docs/sdk-usage.md)
+- Advanced (executors & translators): [docs/sdk-advanced.md](docs/sdk-advanced.md)
+- Access: [docs/sdk-access.md](docs/sdk-access.md)
+- Watcher: [docs/sdk-watcher.md](docs/sdk-watcher.md)
+- Custom Provider Example: `examples/custom-provider`
 
 ## Contributing
 

README_CN.md

@@ -75,6 +75,16 @@
 
 ## 使用方法
 
+### 图形客户端与官方 WebUI
+
+#### [EasyCLI](https://github.com/router-for-me/EasyCLI)
+
+CLIProxyAPI 的跨平台桌面图形客户端。
+
+#### [Cli-Proxy-API-Management-Center](https://github.com/router-for-me/Cli-Proxy-API-Management-Center)
+
+CLIProxyAPI 的基于 Web 的管理中心。
+
 ### 身份验证
 
 您可以分别为 Gemini、OpenAI 和 Claude 进行身份验证，三者可同时存在于同一个 `auth-dir` 中并参与负载均衡。
@@ -282,6 +292,8 @@ console.log(await claudeResponse.json());
 | `quota-exceeded.switch-project`         | boolean  | true               | 当配额超限时，是否自动切换到另一个项目。                                                |
 | `quota-exceeded.switch-preview-model`   | boolean  | true               | 当配额超限时，是否自动切换到预览模型。                                                 |
 | `debug`                                 | boolean  | false              | 启用调试模式以获取详细日志。                                                      |
+| `logging-to-file`                       | boolean  | true               | 是否将应用日志写入滚动文件；设为 false 时输出到 stdout/stderr。                           |
+| `usage-statistics-enabled`              | boolean  | true               | 是否启用内存中的使用统计；设为 false 时直接丢弃所有统计数据。                               |
 | `auth`                                  | object   | {}                 | 请求鉴权配置。                                                                  |
 | `auth.providers`                        | object[] | []                 | 鉴权提供方列表，内置 `config-api-key` 支持内联密钥。                             |
 | `auth.providers.*.name`                 | string   | ""                 | 提供方实例名称。                                                                |
@@ -330,6 +342,12 @@ auth-dir: "~/.cli-proxy-api"
 # 启用调试日志
 debug: false
 
+# 为 true 时将应用日志写入滚动文件而不是 stdout
+logging-to-file: true
+
+# 为 false 时禁用内存中的使用统计并直接丢弃所有数据
+usage-statistics-enabled: true
+
 # 代理URL。支持socks5/http/https协议。例如：socks5://user:pass@192.168.1.1:1080/
 proxy-url: ""
 
@@ -635,8 +653,10 @@ docker run --rm -p 8317:8317 -v /path/to/your/config.yaml:/CLIProxyAPI/config.ya
 
 ## SDK 文档
 
-- 使用文档：`docs/sdk-usage_CN.md`（English: `docs/sdk-usage.md`）
-- 高级（执行器与翻译器）：`docs/sdk-advanced_CN.md`（English: `docs/sdk-advanced.md`）
+- 使用文档：[docs/sdk-usage_CN.md](docs/sdk-usage_CN.md)
+- 高级（执行器与翻译器）：[docs/sdk-advanced_CN.md](docs/sdk-advanced_CN.md)
+- 认证: [docs/sdk-access_CN.md](docs/sdk-access_CN.md)
+- 凭据加载/更新: [docs/sdk-watcher_CN.md](docs/sdk-watcher_CN.md)
 - 自定义 Provider 示例：`examples/custom-provider`
 
 ## 贡献

cmd/server/main.go

@@ -4,106 +4,31 @@
 package main
 
 import (
-	"bytes"
 	"flag"
 	"fmt"
-	"io"
 	"os"
 	"path/filepath"
 	"strings"
 
-	"github.com/gin-gonic/gin"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/cmd"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/logging"
 	_ "github.com/router-for-me/CLIProxyAPI/v6/internal/translator"
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/usage"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/util"
 	sdkAuth "github.com/router-for-me/CLIProxyAPI/v6/sdk/auth"
 	log "github.com/sirupsen/logrus"
-	"gopkg.in/natefinch/lumberjack.v2"
 )
 
 var (
-	Version        = "dev"
-	Commit         = "none"
-	BuildDate      = "unknown"
-	logWriter      *lumberjack.Logger
-	ginInfoWriter  *io.PipeWriter
-	ginErrorWriter *io.PipeWriter
+	Version   = "dev"
+	Commit    = "none"
+	BuildDate = "unknown"
 )
 
-// LogFormatter defines a custom log format for logrus.
-// This formatter adds timestamp, log level, and source location information
-// to each log entry for better debugging and monitoring.
-type LogFormatter struct {
-}
-
-// Format renders a single log entry with custom formatting.
-// It includes timestamp, log level, source file and line number, and the log message.
-func (m *LogFormatter) Format(entry *log.Entry) ([]byte, error) {
-	var b *bytes.Buffer
-	if entry.Buffer != nil {
-		b = entry.Buffer
-	} else {
-		b = &bytes.Buffer{}
-	}
-
-	timestamp := entry.Time.Format("2006-01-02 15:04:05")
-	var newLog string
-	// Ensure message doesn't carry trailing newlines; formatter appends one.
-	msg := strings.TrimRight(entry.Message, "\r\n")
-	// Customize the log format to include timestamp, level, caller file/line, and message.
-	newLog = fmt.Sprintf("[%s] [%s] [%s:%d] %s\n", timestamp, entry.Level, filepath.Base(entry.Caller.File), entry.Caller.Line, msg)
-
-	b.WriteString(newLog)
-	return b.Bytes(), nil
-}
-
-// init initializes the logger configuration.
-// It sets up the custom log formatter, enables caller reporting,
-// and configures the log output destination.
+// init initializes the shared logger setup.
 func init() {
-	logDir := "logs"
-	if err := os.MkdirAll(logDir, 0755); err != nil {
-		_, _ = fmt.Fprintf(os.Stderr, "failed to create log directory: %v\n", err)
-		os.Exit(1)
-	}
-
-	logWriter = &lumberjack.Logger{
-		Filename:   filepath.Join(logDir, "main.log"),
-		MaxSize:    10,
-		MaxBackups: 0,
-		MaxAge:     0,
-		Compress:   false,
-	}
-
-	log.SetOutput(logWriter)
-	// Enable reporting the caller function's file and line number.
-	log.SetReportCaller(true)
-	// Set the custom log formatter.
-	log.SetFormatter(&LogFormatter{})
-
-	ginInfoWriter = log.StandardLogger().Writer()
-	gin.DefaultWriter = ginInfoWriter
-	ginErrorWriter = log.StandardLogger().WriterLevel(log.ErrorLevel)
-	gin.DefaultErrorWriter = ginErrorWriter
-	gin.DebugPrintFunc = func(format string, values ...interface{}) {
-		// Trim trailing newlines from Gin's formatted messages to avoid blank lines.
-		// Gin's debug prints usually include a trailing "\n"; our formatter also appends one.
-		// Removing it here ensures a single newline per entry.
-		format = strings.TrimRight(format, "\r\n")
-		log.StandardLogger().Infof(format, values...)
-	}
-	log.RegisterExitHandler(func() {
-		if logWriter != nil {
-			_ = logWriter.Close()
-		}
-		if ginInfoWriter != nil {
-			_ = ginInfoWriter.Close()
-		}
-		if ginErrorWriter != nil {
-			_ = ginErrorWriter.Close()
-		}
-	})
+	logging.SetupBaseLogger()
 }
 
 // main is the entry point of the application.
@@ -111,7 +36,6 @@ func init() {
 // service based on the provided flags (login, codex-login, or server mode).
 func main() {
 	fmt.Printf("CLIProxyAPI Version: %s, Commit: %s, BuiltAt: %s\n", Version, Commit, BuildDate)
-	log.Infof("CLIProxyAPI Version: %s, Commit: %s, BuiltAt: %s", Version, Commit, BuildDate)
 
 	// Command-line flags to control the application's behavior.
 	var login bool
@@ -188,6 +112,13 @@ func main() {
 	if err != nil {
 		log.Fatalf("failed to load config: %v", err)
 	}
+	usage.SetStatisticsEnabled(cfg.UsageStatisticsEnabled)
+
+	if err = logging.ConfigureLogOutput(cfg.LoggingToFile); err != nil {
+		log.Fatalf("failed to configure log output: %v", err)
+	}
+
+	log.Infof("CLIProxyAPI Version: %s, Commit: %s, BuiltAt: %s", Version, Commit, BuildDate)
 
 	// Set the log level based on the configuration.
 	util.SetLogLevel(cfg)

config.example.yaml

@@ -18,6 +18,12 @@ auth-dir: "~/.cli-proxy-api"
 # Enable debug logging
 debug: false
 
+# When true, write application logs to rotating files instead of stdout
+logging-to-file: true
+
+# When false, disable in-memory usage statistics aggregation
+usage-statistics-enabled: true
+
 # Proxy URL. Supports socks5/http/https protocols. Example: socks5://user:pass@192.168.1.1:1080/
 proxy-url: ""
 

internal/api/handlers/management/auth_files.go

@@ -359,7 +359,7 @@ func (h *Handler) saveTokenRecord(ctx context.Context, record *sdkAuth.TokenReco
 func (h *Handler) RequestAnthropicToken(c *gin.Context) {
 	ctx := context.Background()
 
-	log.Info("Initializing Claude authentication...")
+	fmt.Println("Initializing Claude authentication...")
 
 	// Generate PKCE codes
 	pkceCodes, err := claude.GeneratePKCECodes()
@@ -407,7 +407,7 @@ func (h *Handler) RequestAnthropicToken(c *gin.Context) {
 			}
 		}
 
-		log.Info("Waiting for authentication callback...")
+		fmt.Println("Waiting for authentication callback...")
 		// Wait up to 5 minutes
 		resultMap, errWait := waitForFile(waitFile, 5*time.Minute)
 		if errWait != nil {
@@ -509,11 +509,11 @@ func (h *Handler) RequestAnthropicToken(c *gin.Context) {
 			return
 		}
 
-		log.Infof("Authentication successful! Token saved to %s", savedPath)
+		fmt.Printf("Authentication successful! Token saved to %s\n", savedPath)
 		if bundle.APIKey != "" {
-			log.Info("API key obtained and saved")
+			fmt.Println("API key obtained and saved")
 		}
-		log.Info("You can now use Claude services through this CLI")
+		fmt.Println("You can now use Claude services through this CLI")
 		delete(oauthStatus, state)
 	}()
 
@@ -527,7 +527,7 @@ func (h *Handler) RequestGeminiCLIToken(c *gin.Context) {
 	// Optional project ID from query
 	projectID := c.Query("project_id")
 
-	log.Info("Initializing Google authentication...")
+	fmt.Println("Initializing Google authentication...")
 
 	// OAuth2 configuration (mirrors internal/auth/gemini)
 	conf := &oauth2.Config{
@@ -549,7 +549,7 @@ func (h *Handler) RequestGeminiCLIToken(c *gin.Context) {
 	go func() {
 		// Wait for callback file written by server route
 		waitFile := filepath.Join(h.cfg.AuthDir, fmt.Sprintf(".oauth-gemini-%s.oauth", state))
-		log.Info("Waiting for authentication callback...")
+		fmt.Println("Waiting for authentication callback...")
 		deadline := time.Now().Add(5 * time.Minute)
 		var authCode string
 		for {
@@ -618,9 +618,9 @@ func (h *Handler) RequestGeminiCLIToken(c *gin.Context) {
 
 		email := gjson.GetBytes(bodyBytes, "email").String()
 		if email != "" {
-			log.Infof("Authenticated user email: %s", email)
+			fmt.Printf("Authenticated user email: %s\n", email)
 		} else {
-			log.Info("Failed to get user email from token")
+			fmt.Println("Failed to get user email from token")
 			oauthStatus[state] = "Failed to get user email from token"
 		}
 
@@ -657,7 +657,7 @@ func (h *Handler) RequestGeminiCLIToken(c *gin.Context) {
 			oauthStatus[state] = "Failed to get authenticated client"
 			return
 		}
-		log.Info("Authentication successful.")
+		fmt.Println("Authentication successful.")
 
 		record := &sdkAuth.TokenRecord{
 			Provider: "gemini",
@@ -676,7 +676,7 @@ func (h *Handler) RequestGeminiCLIToken(c *gin.Context) {
 		}
 
 		delete(oauthStatus, state)
-		log.Infof("You can now use Gemini CLI services through this CLI; token saved to %s", savedPath)
+		fmt.Printf("You can now use Gemini CLI services through this CLI; token saved to %s\n", savedPath)
 	}()
 
 	oauthStatus[state] = ""
@@ -689,6 +689,7 @@ func (h *Handler) CreateGeminiWebToken(c *gin.Context) {
 	var payload struct {
 		Secure1PSID   string `json:"secure_1psid"`
 		Secure1PSIDTS string `json:"secure_1psidts"`
+		Label         string `json:"label"`
 	}
 	if err := c.ShouldBindJSON(&payload); err != nil {
 		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid body"})
@@ -696,6 +697,7 @@ func (h *Handler) CreateGeminiWebToken(c *gin.Context) {
 	}
 	payload.Secure1PSID = strings.TrimSpace(payload.Secure1PSID)
 	payload.Secure1PSIDTS = strings.TrimSpace(payload.Secure1PSIDTS)
+	payload.Label = strings.TrimSpace(payload.Label)
 	if payload.Secure1PSID == "" {
 		c.JSON(http.StatusBadRequest, gin.H{"error": "secure_1psid is required"})
 		return
@@ -704,6 +706,10 @@ func (h *Handler) CreateGeminiWebToken(c *gin.Context) {
 		c.JSON(http.StatusBadRequest, gin.H{"error": "secure_1psidts is required"})
 		return
 	}
+	if payload.Label == "" {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "label is required"})
+		return
+	}
 
 	sha := sha256.New()
 	sha.Write([]byte(payload.Secure1PSID))
@@ -713,6 +719,7 @@ func (h *Handler) CreateGeminiWebToken(c *gin.Context) {
 	tokenStorage := &geminiAuth.GeminiWebTokenStorage{
 		Secure1PSID:   payload.Secure1PSID,
 		Secure1PSIDTS: payload.Secure1PSIDTS,
+		Label:         payload.Label,
 	}
 	// Provide a stable label (gemini-web-<hash>) for logging and identification
 	tokenStorage.Label = strings.TrimSuffix(fileName, ".json")
@@ -730,14 +737,14 @@ func (h *Handler) CreateGeminiWebToken(c *gin.Context) {
 		return
 	}
 
-	log.Infof("Successfully saved Gemini Web token to: %s", savedPath)
+	fmt.Printf("Successfully saved Gemini Web token to: %s\n", savedPath)
 	c.JSON(http.StatusOK, gin.H{"status": "ok", "file": filepath.Base(savedPath)})
 }
 
 func (h *Handler) RequestCodexToken(c *gin.Context) {
 	ctx := context.Background()
 
-	log.Info("Initializing Codex authentication...")
+	fmt.Println("Initializing Codex authentication...")
 
 	// Generate PKCE codes
 	pkceCodes, err := codex.GeneratePKCECodes()
@@ -877,11 +884,11 @@ func (h *Handler) RequestCodexToken(c *gin.Context) {
 			log.Fatalf("Failed to save authentication tokens: %v", errSave)
 			return
 		}
-		log.Infof("Authentication successful! Token saved to %s", savedPath)
+		fmt.Printf("Authentication successful! Token saved to %s\n", savedPath)
 		if bundle.APIKey != "" {
-			log.Info("API key obtained and saved")
+			fmt.Println("API key obtained and saved")
 		}
-		log.Info("You can now use Codex services through this CLI")
+		fmt.Println("You can now use Codex services through this CLI")
 		delete(oauthStatus, state)
 	}()
 
@@ -892,7 +899,7 @@ func (h *Handler) RequestCodexToken(c *gin.Context) {
 func (h *Handler) RequestQwenToken(c *gin.Context) {
 	ctx := context.Background()
 
-	log.Info("Initializing Qwen authentication...")
+	fmt.Println("Initializing Qwen authentication...")
 
 	state := fmt.Sprintf("gem-%d", time.Now().UnixNano())
 	// Initialize Qwen auth service
@@ -907,7 +914,7 @@ func (h *Handler) RequestQwenToken(c *gin.Context) {
 	authURL := deviceFlow.VerificationURIComplete
 
 	go func() {
-		log.Info("Waiting for authentication...")
+		fmt.Println("Waiting for authentication...")
 		tokenData, errPollForToken := qwenAuth.PollForToken(deviceFlow.DeviceCode, deviceFlow.CodeVerifier)
 		if errPollForToken != nil {
 			oauthStatus[state] = "Authentication failed"
@@ -932,8 +939,8 @@ func (h *Handler) RequestQwenToken(c *gin.Context) {
 			return
 		}
 
-		log.Infof("Authentication successful! Token saved to %s", savedPath)
-		log.Info("You can now use Qwen services through this CLI")
+		fmt.Printf("Authentication successful! Token saved to %s\n", savedPath)
+		fmt.Println("You can now use Qwen services through this CLI")
 		delete(oauthStatus, state)
 	}()
 

internal/api/handlers/management/config_basic.go

@@ -12,6 +12,22 @@ func (h *Handler) GetConfig(c *gin.Context) {
 func (h *Handler) GetDebug(c *gin.Context) { c.JSON(200, gin.H{"debug": h.cfg.Debug}) }
 func (h *Handler) PutDebug(c *gin.Context) { h.updateBoolField(c, func(v bool) { h.cfg.Debug = v }) }
 
+// UsageStatisticsEnabled
+func (h *Handler) GetUsageStatisticsEnabled(c *gin.Context) {
+	c.JSON(200, gin.H{"usage-statistics-enabled": h.cfg.UsageStatisticsEnabled})
+}
+func (h *Handler) PutUsageStatisticsEnabled(c *gin.Context) {
+	h.updateBoolField(c, func(v bool) { h.cfg.UsageStatisticsEnabled = v })
+}
+
+// UsageStatisticsEnabled
+func (h *Handler) GetLoggingToFile(c *gin.Context) {
+	c.JSON(200, gin.H{"logging-to-file": h.cfg.LoggingToFile})
+}
+func (h *Handler) PutLoggingToFile(c *gin.Context) {
+	h.updateBoolField(c, func(v bool) { h.cfg.LoggingToFile = v })
+}
+
 // Request log
 func (h *Handler) GetRequestLog(c *gin.Context) { c.JSON(200, gin.H{"request-log": h.cfg.RequestLog}) }
 func (h *Handler) PutRequestLog(c *gin.Context) {

internal/api/server.go

@@ -6,12 +6,14 @@ package api
 
 import (
 	"context"
+	"crypto/subtle"
 	"errors"
 	"fmt"
 	"net/http"
 	"os"
 	"path/filepath"
 	"strings"
+	"time"
 
 	"github.com/gin-gonic/gin"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/api/handlers"
@@ -22,6 +24,7 @@ import (
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/api/middleware"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/logging"
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/usage"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/util"
 	sdkaccess "github.com/router-for-me/CLIProxyAPI/v6/sdk/access"
 	"github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
@@ -34,6 +37,9 @@ type serverOptionConfig struct {
 	routerConfigurator   func(*gin.Engine, *handlers.BaseAPIHandler, *config.Config)
 	requestLoggerFactory func(*config.Config, string) logging.RequestLogger
 	localPassword        string
+	keepAliveEnabled     bool
+	keepAliveTimeout     time.Duration
+	keepAliveOnTimeout   func()
 }
 
 // ServerOption customises HTTP server construction.
@@ -71,6 +77,18 @@ func WithLocalManagementPassword(password string) ServerOption {
 	}
 }
 
+// WithKeepAliveEndpoint enables a keep-alive endpoint with the provided timeout and callback.
+func WithKeepAliveEndpoint(timeout time.Duration, onTimeout func()) ServerOption {
+	return func(cfg *serverOptionConfig) {
+		if timeout <= 0 || onTimeout == nil {
+			return
+		}
+		cfg.keepAliveEnabled = true
+		cfg.keepAliveTimeout = timeout
+		cfg.keepAliveOnTimeout = onTimeout
+	}
+}
+
 // WithRequestLoggerFactory customises request logger creation.
 func WithRequestLoggerFactory(factory func(*config.Config, string) logging.RequestLogger) ServerOption {
 	return func(cfg *serverOptionConfig) {
@@ -105,6 +123,14 @@ type Server struct {
 
 	// management handler
 	mgmt *managementHandlers.Handler
+
+	localPassword string
+
+	keepAliveEnabled   bool
+	keepAliveTimeout   time.Duration
+	keepAliveOnTimeout func()
+	keepAliveHeartbeat chan struct{}
+	keepAliveStop      chan struct{}
 }
 
 // NewServer creates and initializes a new API server instance.
@@ -168,12 +194,13 @@ func NewServer(cfg *config.Config, authManager *auth.Manager, accessManager *sdk
 		loggerToggle:   toggle,
 		configFilePath: configFilePath,
 	}
-	s.applyAccessConfig(cfg)
+	s.applyAccessConfig(nil, cfg)
 	// Initialize management handler
 	s.mgmt = managementHandlers.NewHandler(cfg, configFilePath, authManager)
 	if optionState.localPassword != "" {
 		s.mgmt.SetLocalPassword(optionState.localPassword)
 	}
+	s.localPassword = optionState.localPassword
 
 	// Setup routes
 	s.setupRoutes()
@@ -181,6 +208,10 @@ func NewServer(cfg *config.Config, authManager *auth.Manager, accessManager *sdk
 		optionState.routerConfigurator(engine, s.handlers, cfg)
 	}
 
+	if optionState.keepAliveEnabled {
+		s.enableKeepAlive(optionState.keepAliveTimeout, optionState.keepAliveOnTimeout)
+	}
+
 	// Create HTTP server
 	s.server = &http.Server{
 		Addr:    fmt.Sprintf(":%d", cfg.Port),
@@ -287,6 +318,14 @@ func (s *Server) setupRoutes() {
 			mgmt.PUT("/debug", s.mgmt.PutDebug)
 			mgmt.PATCH("/debug", s.mgmt.PutDebug)
 
+			mgmt.GET("/logging-to-file", s.mgmt.GetLoggingToFile)
+			mgmt.PUT("/logging-to-file", s.mgmt.PutLoggingToFile)
+			mgmt.PATCH("/logging-to-file", s.mgmt.PutLoggingToFile)
+
+			mgmt.GET("/usage-statistics-enabled", s.mgmt.GetUsageStatisticsEnabled)
+			mgmt.PUT("/usage-statistics-enabled", s.mgmt.PutUsageStatisticsEnabled)
+			mgmt.PATCH("/usage-statistics-enabled", s.mgmt.PutUsageStatisticsEnabled)
+
 			mgmt.GET("/proxy-url", s.mgmt.GetProxyURL)
 			mgmt.PUT("/proxy-url", s.mgmt.PutProxyURL)
 			mgmt.PATCH("/proxy-url", s.mgmt.PutProxyURL)
@@ -348,6 +387,84 @@ func (s *Server) setupRoutes() {
 	}
 }
 
+func (s *Server) enableKeepAlive(timeout time.Duration, onTimeout func()) {
+	if timeout <= 0 || onTimeout == nil {
+		return
+	}
+
+	s.keepAliveEnabled = true
+	s.keepAliveTimeout = timeout
+	s.keepAliveOnTimeout = onTimeout
+	s.keepAliveHeartbeat = make(chan struct{}, 1)
+	s.keepAliveStop = make(chan struct{}, 1)
+
+	s.engine.GET("/keep-alive", s.handleKeepAlive)
+
+	go s.watchKeepAlive()
+}
+
+func (s *Server) handleKeepAlive(c *gin.Context) {
+	if s.localPassword != "" {
+		provided := strings.TrimSpace(c.GetHeader("Authorization"))
+		if provided != "" {
+			parts := strings.SplitN(provided, " ", 2)
+			if len(parts) == 2 && strings.EqualFold(parts[0], "bearer") {
+				provided = parts[1]
+			}
+		}
+		if provided == "" {
+			provided = strings.TrimSpace(c.GetHeader("X-Local-Password"))
+		}
+		if subtle.ConstantTimeCompare([]byte(provided), []byte(s.localPassword)) != 1 {
+			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "invalid password"})
+			return
+		}
+	}
+
+	s.signalKeepAlive()
+	c.JSON(http.StatusOK, gin.H{"status": "ok"})
+}
+
+func (s *Server) signalKeepAlive() {
+	if !s.keepAliveEnabled {
+		return
+	}
+	select {
+	case s.keepAliveHeartbeat <- struct{}{}:
+	default:
+	}
+}
+
+func (s *Server) watchKeepAlive() {
+	if !s.keepAliveEnabled {
+		return
+	}
+
+	timer := time.NewTimer(s.keepAliveTimeout)
+	defer timer.Stop()
+
+	for {
+		select {
+		case <-timer.C:
+			log.Warnf("keep-alive endpoint idle for %s, shutting down", s.keepAliveTimeout)
+			if s.keepAliveOnTimeout != nil {
+				s.keepAliveOnTimeout()
+			}
+			return
+		case <-s.keepAliveHeartbeat:
+			if !timer.Stop() {
+				select {
+				case <-timer.C:
+				default:
+				}
+			}
+			timer.Reset(s.keepAliveTimeout)
+		case <-s.keepAliveStop:
+			return
+		}
+	}
+}
+
 // unifiedModelsHandler creates a unified handler for the /v1/models endpoint
 // that routes to different handlers based on the User-Agent header.
 // If User-Agent starts with "claude-cli", it routes to Claude handler,
@@ -394,6 +511,13 @@ func (s *Server) Start() error {
 func (s *Server) Stop(ctx context.Context) error {
 	log.Debug("Stopping API server...")
 
+	if s.keepAliveEnabled {
+		select {
+		case s.keepAliveStop <- struct{}{}:
+		default:
+		}
+	}
+
 	// Shutdown the HTTP server.
 	if err := s.server.Shutdown(ctx); err != nil {
 		return fmt.Errorf("failed to shutdown HTTP server: %v", err)
@@ -423,16 +547,23 @@ func corsMiddleware() gin.HandlerFunc {
 	}
 }
 
-func (s *Server) applyAccessConfig(cfg *config.Config) {
-	if s == nil || s.accessManager == nil {
+func (s *Server) applyAccessConfig(oldCfg, newCfg *config.Config) {
+	if s == nil || s.accessManager == nil || newCfg == nil {
 		return
 	}
-	providers, err := sdkaccess.BuildProviders(cfg)
+	existing := s.accessManager.Providers()
+	providers, added, updated, removed, err := sdkaccess.ReconcileProviders(oldCfg, newCfg, existing)
 	if err != nil {
-		log.Errorf("failed to update request auth providers: %v", err)
+		log.Errorf("failed to reconcile request auth providers: %v", err)
 		return
 	}
 	s.accessManager.SetProviders(providers)
+	if len(added)+len(updated)+len(removed) > 0 {
+		log.Debugf("auth providers reconciled (added=%d updated=%d removed=%d)", len(added), len(updated), len(removed))
+		log.Debugf("auth provider changes details - added=%v updated=%v removed=%v", added, updated, removed)
+	} else {
+		log.Debug("auth providers unchanged after config update")
+	}
 }
 
 // UpdateClients updates the server's client list and configuration.
@@ -442,29 +573,60 @@ func (s *Server) applyAccessConfig(cfg *config.Config) {
 //   - clients: The new slice of AI service clients
 //   - cfg: The new application configuration
 func (s *Server) UpdateClients(cfg *config.Config) {
+	oldCfg := s.cfg
+
 	// Update request logger enabled state if it has changed
-	if s.requestLogger != nil && s.cfg.RequestLog != cfg.RequestLog {
+	previousRequestLog := false
+	if oldCfg != nil {
+		previousRequestLog = oldCfg.RequestLog
+	}
+	if s.requestLogger != nil && (oldCfg == nil || previousRequestLog != cfg.RequestLog) {
 		if s.loggerToggle != nil {
 			s.loggerToggle(cfg.RequestLog)
 		} else if toggler, ok := s.requestLogger.(interface{ SetEnabled(bool) }); ok {
 			toggler.SetEnabled(cfg.RequestLog)
 		}
-		log.Debugf("request logging updated from %t to %t", s.cfg.RequestLog, cfg.RequestLog)
+		if oldCfg != nil {
+			log.Debugf("request logging updated from %t to %t", previousRequestLog, cfg.RequestLog)
+		} else {
+			log.Debugf("request logging toggled to %t", cfg.RequestLog)
+		}
+	}
+
+	if oldCfg != nil && oldCfg.LoggingToFile != cfg.LoggingToFile {
+		if err := logging.ConfigureLogOutput(cfg.LoggingToFile); err != nil {
+			log.Errorf("failed to reconfigure log output: %v", err)
+		} else {
+			log.Debugf("logging_to_file updated from %t to %t", oldCfg.LoggingToFile, cfg.LoggingToFile)
+		}
+	}
+
+	if oldCfg == nil || oldCfg.UsageStatisticsEnabled != cfg.UsageStatisticsEnabled {
+		usage.SetStatisticsEnabled(cfg.UsageStatisticsEnabled)
+		if oldCfg != nil {
+			log.Debugf("usage_statistics_enabled updated from %t to %t", oldCfg.UsageStatisticsEnabled, cfg.UsageStatisticsEnabled)
+		} else {
+			log.Debugf("usage_statistics_enabled toggled to %t", cfg.UsageStatisticsEnabled)
+		}
 	}
 
 	// Update log level dynamically when debug flag changes
-	if s.cfg.Debug != cfg.Debug {
+	if oldCfg == nil || oldCfg.Debug != cfg.Debug {
 		util.SetLogLevel(cfg)
-		log.Debugf("debug mode updated from %t to %t", s.cfg.Debug, cfg.Debug)
+		if oldCfg != nil {
+			log.Debugf("debug mode updated from %t to %t", oldCfg.Debug, cfg.Debug)
+		} else {
+			log.Debugf("debug mode toggled to %t", cfg.Debug)
+		}
 	}
 
+	s.applyAccessConfig(oldCfg, cfg)
 	s.cfg = cfg
 	s.handlers.UpdateClients(cfg)
 	if s.mgmt != nil {
 		s.mgmt.SetConfig(cfg)
 		s.mgmt.SetAuthManager(s.handlers.AuthManager)
 	}
-	s.applyAccessConfig(cfg)
 
 	// Count client sources from configuration and auth directory
 	authFiles := util.CountAuthFiles(cfg.AuthDir)
@@ -477,7 +639,7 @@ func (s *Server) UpdateClients(cfg *config.Config) {
 	}
 
 	total := authFiles + glAPIKeyCount + claudeAPIKeyCount + codexAPIKeyCount + openAICompatCount
-	log.Infof("server clients and configuration updated: %d clients (%d auth files + %d GL API keys + %d Claude API keys + %d Codex keys + %d OpenAI-compat)",
+	fmt.Printf("server clients and configuration updated: %d clients (%d auth files + %d GL API keys + %d Claude API keys + %d Codex keys + %d OpenAI-compat)\n",
 		total,
 		authFiles,
 		glAPIKeyCount,

internal/auth/gemini/gemini_auth.go

@@ -107,7 +107,7 @@ func (g *GeminiAuth) GetAuthenticatedClient(ctx context.Context, ts *GeminiToken
 
 	// If no token is found in storage, initiate the web-based OAuth flow.
 	if ts.Token == nil {
-		log.Info("Could not load token from file, starting OAuth flow.")
+		fmt.Printf("Could not load token from file, starting OAuth flow.\n")
 		token, err = g.getTokenFromWeb(ctx, conf, noBrowser...)
 		if err != nil {
 			return nil, fmt.Errorf("failed to get token from web: %w", err)
@@ -169,9 +169,9 @@ func (g *GeminiAuth) createTokenStorage(ctx context.Context, config *oauth2.Conf
 
 	emailResult := gjson.GetBytes(bodyBytes, "email")
 	if emailResult.Exists() && emailResult.Type == gjson.String {
-		log.Infof("Authenticated user email: %s", emailResult.String())
+		fmt.Printf("Authenticated user email: %s\n", emailResult.String())
 	} else {
-		log.Info("Failed to get user email from token")
+		fmt.Println("Failed to get user email from token")
 	}
 
 	var ifToken map[string]any
@@ -246,19 +246,19 @@ func (g *GeminiAuth) getTokenFromWeb(ctx context.Context, config *oauth2.Config,
 	authURL := config.AuthCodeURL("state-token", oauth2.AccessTypeOffline, oauth2.SetAuthURLParam("prompt", "consent"))
 
 	if len(noBrowser) == 1 && !noBrowser[0] {
-		log.Info("Opening browser for authentication...")
+		fmt.Println("Opening browser for authentication...")
 
 		// Check if browser is available
 		if !browser.IsAvailable() {
 			log.Warn("No browser available on this system")
 			util.PrintSSHTunnelInstructions(8085)
-			log.Infof("Please manually open this URL in your browser:\n\n%s\n", authURL)
+			fmt.Printf("Please manually open this URL in your browser:\n\n%s\n", authURL)
 		} else {
 			if err := browser.OpenURL(authURL); err != nil {
 				authErr := codex.NewAuthenticationError(codex.ErrBrowserOpenFailed, err)
 				log.Warn(codex.GetUserFriendlyMessage(authErr))
 				util.PrintSSHTunnelInstructions(8085)
-				log.Infof("Please manually open this URL in your browser:\n\n%s\n", authURL)
+				fmt.Printf("Please manually open this URL in your browser:\n\n%s\n", authURL)
 
 				// Log platform info for debugging
 				platformInfo := browser.GetPlatformInfo()
@@ -269,10 +269,10 @@ func (g *GeminiAuth) getTokenFromWeb(ctx context.Context, config *oauth2.Config,
 		}
 	} else {
 		util.PrintSSHTunnelInstructions(8085)
-		log.Infof("Please open this URL in your browser:\n\n%s\n", authURL)
+		fmt.Printf("Please open this URL in your browser:\n\n%s\n", authURL)
 	}
 
-	log.Info("Waiting for authentication callback...")
+	fmt.Println("Waiting for authentication callback...")
 
 	// Wait for the authorization code or an error.
 	var authCode string
@@ -296,6 +296,6 @@ func (g *GeminiAuth) getTokenFromWeb(ctx context.Context, config *oauth2.Config,
 		return nil, fmt.Errorf("failed to exchange token: %w", err)
 	}
 
-	log.Info("Authentication successful.")
+	fmt.Println("Authentication successful.")
 	return token, nil
 }

internal/auth/qwen/qwen_auth.go

@@ -260,7 +260,7 @@ func (qa *QwenAuth) PollForToken(deviceCode, codeVerifier string) (*QwenTokenDat
 					switch errorType {
 					case "authorization_pending":
 						// User has not yet approved the authorization request. Continue polling.
-						log.Infof("Polling attempt %d/%d...\n", attempt+1, maxAttempts)
+						fmt.Printf("Polling attempt %d/%d...\n\n", attempt+1, maxAttempts)
 						time.Sleep(pollInterval)
 						continue
 					case "slow_down":
@@ -269,7 +269,7 @@ func (qa *QwenAuth) PollForToken(deviceCode, codeVerifier string) (*QwenTokenDat
 						if pollInterval > 10*time.Second {
 							pollInterval = 10 * time.Second
 						}
-						log.Infof("Server requested to slow down, increasing poll interval to %v\n", pollInterval)
+						fmt.Printf("Server requested to slow down, increasing poll interval to %v\n\n", pollInterval)
 						time.Sleep(pollInterval)
 						continue
 					case "expired_token":

internal/browser/browser.go

@@ -21,7 +21,7 @@ import (
 // Returns:
 //   - An error if the URL cannot be opened, otherwise nil.
 func OpenURL(url string) error {
-	log.Infof("Attempting to open URL in browser: %s", url)
+	fmt.Printf("Attempting to open URL in browser: %s\n", url)
 
 	// Try using the open-golang library first
 	err := open.Run(url)

internal/cmd/gemini-web_auth.go

@@ -6,42 +6,146 @@ import (
 	"context"
 	"crypto/sha256"
 	"encoding/hex"
+	"encoding/json"
 	"fmt"
+	"net/http"
 	"os"
+	"runtime"
 	"strings"
+	"time"
 
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/auth/gemini"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/util"
 	sdkAuth "github.com/router-for-me/CLIProxyAPI/v6/sdk/auth"
-	log "github.com/sirupsen/logrus"
 )
 
+// banner prints a simple ASCII banner for clarity without ANSI colors.
+func banner(title string) {
+	line := strings.Repeat("=", len(title)+8)
+	fmt.Println(line)
+	fmt.Println("=== " + title + " ===")
+	fmt.Println(line)
+}
+
 // DoGeminiWebAuth handles the process of creating a Gemini Web token file.
-// It prompts the user for their cookie values and saves them to a JSON file.
+// New flow:
+//  1. Prompt user to paste the full cookie string.
+//  2. Extract __Secure-1PSID and __Secure-1PSIDTS from the cookie string.
+//  3. Call https://accounts.google.com/ListAccounts with the cookie to obtain email.
+//  4. Save auth file with the same structure, and set Label to the email.
 func DoGeminiWebAuth(cfg *config.Config) {
+	var secure1psid, secure1psidts, email string
+
 	reader := bufio.NewReader(os.Stdin)
+	isMacOS := strings.HasPrefix(runtime.GOOS, "darwin")
+	cookieProvided := false
+	banner("Gemini Web Cookie Sign-in")
+	if !isMacOS {
+		// NOTE: Provide extra guidance for macOS users or anyone unsure about retrieving cookies.
+		fmt.Println("--- Cookie Input ---")
+		fmt.Println(">> Paste your full Google Cookie and press Enter")
+		fmt.Println("Tip: If you are on macOS, or don't know how to get the cookie, just press Enter and follow the prompts.")
+		fmt.Print("Cookie: ")
+		rawCookie, _ := reader.ReadString('\n')
+		rawCookie = strings.TrimSpace(rawCookie)
+		if rawCookie == "" {
+			// Skip cookie-based parsing; fall back to manual field prompts.
+			fmt.Println("==> No cookie provided. Proceeding with manual input.")
+		} else {
+			cookieProvided = true
+			// Parse K=V cookie pairs separated by ';'
+			cookieMap := make(map[string]string)
+			parts := strings.Split(rawCookie, ";")
+			for _, p := range parts {
+				p = strings.TrimSpace(p)
+				if p == "" {
+					continue
+				}
+				if eq := strings.Index(p, "="); eq > 0 {
+					k := strings.TrimSpace(p[:eq])
+					v := strings.TrimSpace(p[eq+1:])
+					if k != "" {
+						cookieMap[k] = v
+					}
+				}
+			}
+			secure1psid = strings.TrimSpace(cookieMap["__Secure-1PSID"])
+			secure1psidts = strings.TrimSpace(cookieMap["__Secure-1PSIDTS"])
 
-	fmt.Print("Enter your __Secure-1PSID cookie value: ")
-	secure1psid, _ := reader.ReadString('\n')
-	secure1psid = strings.TrimSpace(secure1psid)
+			// Build HTTP client with proxy settings respected.
+			httpClient := &http.Client{Timeout: 15 * time.Second}
+			httpClient = util.SetProxy(cfg, httpClient)
 
+			// Request ListAccounts to extract email as label (use POST per upstream behavior).
+			req, err := http.NewRequest(http.MethodPost, "https://accounts.google.com/ListAccounts", nil)
+			if err != nil {
+				fmt.Println("!! Failed to create request:", err)
+			} else {
+				req.Header.Set("Cookie", rawCookie)
+				req.Header.Set("Accept", "application/json, text/plain, */*")
+				req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")
+				req.Header.Set("Origin", "https://accounts.google.com")
+				req.Header.Set("Content-Type", "application/x-www-form-urlencoded;charset=UTF-8")
+
+				resp, err := httpClient.Do(req)
+				if err != nil {
+					fmt.Println("!! Request to ListAccounts failed:", err)
+				} else {
+					defer func() { _ = resp.Body.Close() }()
+					if resp.StatusCode != http.StatusOK {
+						fmt.Printf("!! ListAccounts returned status code: %d\n", resp.StatusCode)
+					} else {
+						var payload []any
+						if err = json.NewDecoder(resp.Body).Decode(&payload); err != nil {
+							fmt.Println("!! Failed to parse ListAccounts response:", err)
+						} else {
+							// Expected structure like: ["gaia.l.a.r", [["gaia.l.a",1,"Name","email@example.com", ... ]]]
+							if len(payload) >= 2 {
+								if accounts, ok := payload[1].([]any); ok && len(accounts) >= 1 {
+									if first, ok1 := accounts[0].([]any); ok1 && len(first) >= 4 {
+										if em, ok2 := first[3].(string); ok2 {
+											email = strings.TrimSpace(em)
+										}
+									}
+								}
+							}
+							if email == "" {
+								fmt.Println("!! Failed to parse email from ListAccounts response")
+							}
+						}
+					}
+				}
+			}
+		}
+	}
+
+	// Fallback: prompt user to input missing values
 	if secure1psid == "" {
-		log.Fatal("The __Secure-1PSID value cannot be empty.")
-		return
+		if cookieProvided && !isMacOS {
+			fmt.Println("!! Cookie missing __Secure-1PSID.")
+		}
+		fmt.Print("Enter __Secure-1PSID: ")
+		v, _ := reader.ReadString('\n')
+		secure1psid = strings.TrimSpace(v)
 	}
-
-	fmt.Print("Enter your __Secure-1PSIDTS cookie value: ")
-	secure1psidts, _ := reader.ReadString('\n')
-	secure1psidts = strings.TrimSpace(secure1psidts)
-
 	if secure1psidts == "" {
-		fmt.Println("The __Secure-1PSIDTS value cannot be empty.")
+		if cookieProvided && !isMacOS {
+			fmt.Println("!! Cookie missing __Secure-1PSIDTS.")
+		}
+		fmt.Print("Enter __Secure-1PSIDTS: ")
+		v, _ := reader.ReadString('\n')
+		secure1psidts = strings.TrimSpace(v)
+	}
+	if secure1psid == "" || secure1psidts == "" {
+		// Use print instead of logger to avoid log redirection.
+		fmt.Println("!! __Secure-1PSID and __Secure-1PSIDTS cannot be empty")
 		return
 	}
-
-	tokenStorage := &gemini.GeminiWebTokenStorage{
-		Secure1PSID:   secure1psid,
-		Secure1PSIDTS: secure1psidts,
+	if isMacOS {
+		fmt.Print("Enter your account email: ")
+		v, _ := reader.ReadString('\n')
+		email = strings.TrimSpace(v)
 	}
 
 	// Generate a filename based on the SHA256 hash of the PSID
@@ -49,9 +153,25 @@ func DoGeminiWebAuth(cfg *config.Config) {
 	hasher.Write([]byte(secure1psid))
 	hash := hex.EncodeToString(hasher.Sum(nil))
 	fileName := fmt.Sprintf("gemini-web-%s.json", hash[:16])
-	// Set a stable label for logging, e.g. gemini-web-<hash>
-	if tokenStorage != nil {
-		tokenStorage.Label = strings.TrimSuffix(fileName, ".json")
+
+	// Decide label: prefer email; fallback prompt then file name without .json
+	defaultLabel := strings.TrimSuffix(fileName, ".json")
+	label := email
+	if label == "" {
+		fmt.Print(fmt.Sprintf("Enter label for this auth (default: %s): ", defaultLabel))
+		v, _ := reader.ReadString('\n')
+		v = strings.TrimSpace(v)
+		if v != "" {
+			label = v
+		} else {
+			label = defaultLabel
+		}
+	}
+
+	tokenStorage := &gemini.GeminiWebTokenStorage{
+		Secure1PSID:   secure1psid,
+		Secure1PSIDTS: secure1psidts,
+		Label:         label,
 	}
 	record := &sdkAuth.TokenRecord{
 		Provider: "gemini-web",
@@ -61,9 +181,10 @@ func DoGeminiWebAuth(cfg *config.Config) {
 	store := sdkAuth.GetTokenStore()
 	savedPath, err := store.Save(context.Background(), cfg, record)
 	if err != nil {
-		fmt.Printf("Failed to save Gemini Web token to file: %v\n", err)
+		fmt.Println("!! Failed to save Gemini Web token to file:", err)
 		return
 	}
 
-	fmt.Printf("Successfully saved Gemini Web token to: %s\n", savedPath)
+	fmt.Println("==> Successfully saved Gemini Web token!")
+	fmt.Println("==> Saved to:", savedPath)
 }

internal/cmd/login.go

@@ -62,8 +62,8 @@ func DoLogin(cfg *config.Config, projectID string, options *LoginOptions) {
 	}
 
 	if savedPath != "" {
-		log.Infof("Authentication saved to %s", savedPath)
+		fmt.Printf("Authentication saved to %s\n", savedPath)
 	}
 
-	log.Info("Gemini authentication successful!")
+	fmt.Println("Gemini authentication successful!")
 }

internal/cmd/run.go

@@ -8,7 +8,9 @@ import (
 	"errors"
 	"os/signal"
 	"syscall"
+	"time"
 
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/api"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
 	"github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy"
 	log "github.com/sirupsen/logrus"
@@ -23,19 +25,30 @@ import (
 //   - configPath: The path to the configuration file
 //   - localPassword: Optional password accepted for local management requests
 func StartService(cfg *config.Config, configPath string, localPassword string) {
-	service, err := cliproxy.NewBuilder().
+	builder := cliproxy.NewBuilder().
 		WithConfig(cfg).
 		WithConfigPath(configPath).
-		WithLocalManagementPassword(localPassword).
-		Build()
+		WithLocalManagementPassword(localPassword)
+
+	ctxSignal, cancel := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
+	defer cancel()
+
+	runCtx := ctxSignal
+	if localPassword != "" {
+		var keepAliveCancel context.CancelFunc
+		runCtx, keepAliveCancel = context.WithCancel(ctxSignal)
+		builder = builder.WithServerOptions(api.WithKeepAliveEndpoint(10*time.Second, func() {
+			log.Warn("keep-alive endpoint idle for 10s, shutting down")
+			keepAliveCancel()
+		}))
+	}
+
+	service, err := builder.Build()
 	if err != nil {
 		log.Fatalf("failed to build proxy service: %v", err)
 	}
 
-	ctx, cancel := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
-	defer cancel()
-
-	err = service.Run(ctx)
+	err = service.Run(runCtx)
 	if err != nil && !errors.Is(err, context.Canceled) {
 		log.Fatalf("proxy service exited with error: %v", err)
 	}

internal/config/config.go

@@ -23,6 +23,12 @@ type Config struct {
 	// Debug enables or disables debug-level logging and other debug features.
 	Debug bool `yaml:"debug" json:"debug"`
 
+	// LoggingToFile controls whether application logs are written to rotating files or stdout.
+	LoggingToFile bool `yaml:"logging-to-file" json:"logging-to-file"`
+
+	// UsageStatisticsEnabled toggles in-memory usage aggregation; when false, usage data is discarded.
+	UsageStatisticsEnabled bool `yaml:"usage-statistics-enabled" json:"usage-statistics-enabled"`
+
 	// ProxyURL is the URL of an optional proxy server to use for outbound requests.
 	ProxyURL string `yaml:"proxy-url" json:"proxy-url"`
 
@@ -202,6 +208,8 @@ func LoadConfig(configFile string) (*Config, error) {
 	// Unmarshal the YAML data into the Config struct.
 	var config Config
 	// Set defaults before unmarshal so that absent keys keep defaults.
+	config.LoggingToFile = true
+	config.UsageStatisticsEnabled = true
 	config.GeminiWeb.Context = true
 	if err = yaml.Unmarshal(data, &config); err != nil {
 		return nil, fmt.Errorf("failed to parse config file: %w", err)

internal/logging/global_logger.go

@@ -0,0 +1,117 @@
+package logging
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"strings"
+	"sync"
+
+	"github.com/gin-gonic/gin"
+	log "github.com/sirupsen/logrus"
+	"gopkg.in/natefinch/lumberjack.v2"
+)
+
+var (
+	setupOnce      sync.Once
+	writerMu       sync.Mutex
+	logWriter      *lumberjack.Logger
+	ginInfoWriter  *io.PipeWriter
+	ginErrorWriter *io.PipeWriter
+)
+
+// LogFormatter defines a custom log format for logrus.
+// This formatter adds timestamp, level, and source location to each log entry.
+type LogFormatter struct{}
+
+// Format renders a single log entry with custom formatting.
+func (m *LogFormatter) Format(entry *log.Entry) ([]byte, error) {
+	var buffer *bytes.Buffer
+	if entry.Buffer != nil {
+		buffer = entry.Buffer
+	} else {
+		buffer = &bytes.Buffer{}
+	}
+
+	timestamp := entry.Time.Format("2006-01-02 15:04:05")
+	message := strings.TrimRight(entry.Message, "\r\n")
+	formatted := fmt.Sprintf("[%s] [%s] [%s:%d] %s\n", timestamp, entry.Level, filepath.Base(entry.Caller.File), entry.Caller.Line, message)
+	buffer.WriteString(formatted)
+
+	return buffer.Bytes(), nil
+}
+
+// SetupBaseLogger configures the shared logrus instance and Gin writers.
+// It is safe to call multiple times; initialization happens only once.
+func SetupBaseLogger() {
+	setupOnce.Do(func() {
+		log.SetOutput(os.Stdout)
+		log.SetReportCaller(true)
+		log.SetFormatter(&LogFormatter{})
+
+		ginInfoWriter = log.StandardLogger().Writer()
+		gin.DefaultWriter = ginInfoWriter
+		ginErrorWriter = log.StandardLogger().WriterLevel(log.ErrorLevel)
+		gin.DefaultErrorWriter = ginErrorWriter
+		gin.DebugPrintFunc = func(format string, values ...interface{}) {
+			format = strings.TrimRight(format, "\r\n")
+			log.StandardLogger().Infof(format, values...)
+		}
+
+		log.RegisterExitHandler(closeLogOutputs)
+	})
+}
+
+// ConfigureLogOutput switches the global log destination between rotating files and stdout.
+func ConfigureLogOutput(loggingToFile bool) error {
+	SetupBaseLogger()
+
+	writerMu.Lock()
+	defer writerMu.Unlock()
+
+	if loggingToFile {
+		const logDir = "logs"
+		if err := os.MkdirAll(logDir, 0o755); err != nil {
+			return fmt.Errorf("logging: failed to create log directory: %w", err)
+		}
+		if logWriter != nil {
+			_ = logWriter.Close()
+		}
+		logWriter = &lumberjack.Logger{
+			Filename:   filepath.Join(logDir, "main.log"),
+			MaxSize:    10,
+			MaxBackups: 0,
+			MaxAge:     0,
+			Compress:   false,
+		}
+		log.SetOutput(logWriter)
+		return nil
+	}
+
+	if logWriter != nil {
+		_ = logWriter.Close()
+		logWriter = nil
+	}
+	log.SetOutput(os.Stdout)
+	return nil
+}
+
+func closeLogOutputs() {
+	writerMu.Lock()
+	defer writerMu.Unlock()
+
+	if logWriter != nil {
+		_ = logWriter.Close()
+		logWriter = nil
+	}
+	if ginInfoWriter != nil {
+		_ = ginInfoWriter.Close()
+		ginInfoWriter = nil
+	}
+	if ginErrorWriter != nil {
+		_ = ginErrorWriter.Close()
+		ginErrorWriter = nil
+	}
+}

internal/misc/credentials.go

@@ -1,12 +1,14 @@
 package misc
 
 import (
+	"fmt"
 	"path/filepath"
 	"strings"
 
 	log "github.com/sirupsen/logrus"
 )
 
+// Separator used to visually group related log lines.
 var credentialSeparator = strings.Repeat("-", 70)
 
 // LogSavingCredentials emits a consistent log message when persisting auth material.
@@ -15,10 +17,10 @@ func LogSavingCredentials(path string) {
 		return
 	}
 	// Use filepath.Clean so logs remain stable even if callers pass redundant separators.
-	log.Infof("Saving credentials to %s", filepath.Clean(path))
+	fmt.Printf("Saving credentials to %s\n", filepath.Clean(path))
 }
 
 // LogCredentialSeparator adds a visual separator to group auth/key processing logs.
 func LogCredentialSeparator() {
-	log.Info(credentialSeparator)
+	log.Debug(credentialSeparator)
 }

internal/provider/gemini-web/client.go

@@ -9,8 +9,6 @@ import (
 	"net/http"
 	"net/http/cookiejar"
 	"net/url"
-	"os"
-	"path/filepath"
 	"regexp"
 	"strings"
 	"time"
@@ -126,19 +124,6 @@ func getAccessToken(baseCookies map[string]string, proxy string, verbose bool, i
 		}
 	}
 
-	cacheDir := "temp"
-	_ = os.MkdirAll(cacheDir, 0o755)
-	if v1, ok1 := baseCookies["__Secure-1PSID"]; ok1 {
-		cacheFile := filepath.Join(cacheDir, ".cached_1psidts_"+v1+".txt")
-		if b, err := os.ReadFile(cacheFile); err == nil {
-			cv := strings.TrimSpace(string(b))
-			if cv != "" {
-				merged := map[string]string{"__Secure-1PSID": v1, "__Secure-1PSIDTS": cv}
-				trySets = append(trySets, merged)
-			}
-		}
-	}
-
 	if len(extraCookies) > 0 {
 		trySets = append(trySets, extraCookies)
 	}
@@ -162,7 +147,7 @@ func getAccessToken(baseCookies map[string]string, proxy string, verbose bool, i
 		if len(matches) >= 2 {
 			token := matches[1]
 			if verbose {
-				log.Infof("Gemini access token acquired.")
+				fmt.Println("Gemini access token acquired.")
 			}
 			return token, mergedCookies, nil
 		}
@@ -295,7 +280,7 @@ func (c *GeminiClient) Init(timeoutSec float64, verbose bool) error {
 
 	c.Timeout = time.Duration(timeoutSec * float64(time.Second))
 	if verbose {
-		log.Infof("Gemini client initialized successfully.")
+		fmt.Println("Gemini client initialized successfully.")
 	}
 	return nil
 }
@@ -307,7 +292,7 @@ func (c *GeminiClient) Close(delaySec float64) {
 	c.Running = false
 }
 
-// ensureRunning mirrors the Python decorator behavior and retries on APIError.
+// ensureRunning mirrors the decorator behavior and retries on APIError.
 func (c *GeminiClient) ensureRunning() error {
 	if c.Running {
 		return nil
@@ -434,7 +419,7 @@ func (c *GeminiClient) generateOnce(prompt string, files []string, model Model,
 	}()
 
 	if resp.StatusCode == 429 {
-		// Surface 429 as TemporarilyBlocked to match Python behavior
+		// Surface 429 as TemporarilyBlocked to match reference behavior
 		c.Close(0)
 		return empty, &TemporarilyBlocked{GeminiError{Msg: "Too many requests. IP temporarily blocked."}}
 	}
@@ -514,7 +499,7 @@ func (c *GeminiClient) generateOnce(prompt string, files []string, model Model,
 				}
 			}
 		}
-		// Parse nested error code to align with Python mapping
+		// Parse nested error code to align with error mapping
 		var top []any
 		// Prefer lastTop from fallback scan; otherwise try parts[2]
 		if len(lastTop) > 0 {
@@ -537,7 +522,7 @@ func (c *GeminiClient) generateOnce(prompt string, files []string, model Model,
 			}
 		}
 		// Debug("Invalid response: control frames only; no body found")
-		// Close the client to force re-initialization on next request (parity with Python client behavior)
+		// Close the client to force re-initialization on next request (parity with reference client behavior)
 		c.Close(0)
 		return empty, &APIError{Msg: "Failed to generate contents. Invalid response data received."}
 	}
@@ -760,7 +745,7 @@ func (c *GeminiClient) generateOnce(prompt string, files []string, model Model,
 }
 
 // extractErrorCode attempts to navigate the known nested error structure and fetch the integer code.
-// Mirrors Python path: response_json[0][5][2][0][1][0]
+// Mirrors reference path: response_json[0][5][2][0][1][0]
 func extractErrorCode(top []any) (int, bool) {
 	if len(top) == 0 {
 		return 0, false

internal/provider/gemini-web/media.go

@@ -52,7 +52,7 @@ func (i Image) Save(path string, filename string, cookies map[string]string, ver
 			filename = q[0]
 		}
 	}
-	// Regex validation (align with Python: ^(.*\.\w+)) to extract name with extension.
+	// Regex validation (pattern: ^(.*\.\w+)) to extract name with extension.
 	if filename != "" {
 		re := regexp.MustCompile(`^(.*\.\w+)`)
 		if m := re.FindStringSubmatch(filename); len(m) >= 2 {
@@ -70,7 +70,7 @@ func (i Image) Save(path string, filename string, cookies map[string]string, ver
 	client := newHTTPClient(httpOptions{ProxyURL: i.Proxy, Insecure: insecure, FollowRedirects: true})
 	client.Timeout = 120 * time.Second
 
-	// Helper to set raw Cookie header using provided cookies (to mirror Python client behavior).
+	// Helper to set raw Cookie header using provided cookies (parity with the reference client behavior).
 	buildCookieHeader := func(m map[string]string) string {
 		if len(m) == 0 {
 			return ""
@@ -136,7 +136,7 @@ func (i Image) Save(path string, filename string, cookies map[string]string, ver
 		return "", err
 	}
 	if verbose {
-		log.Infof("Image saved as %s", dest)
+		fmt.Printf("Image saved as %s\n", dest)
 	}
 	abspath, _ := filepath.Abs(dest)
 	return abspath, nil

internal/provider/gemini-web/state.go

@@ -98,16 +98,16 @@ func (s *GeminiWebState) Label() string {
 }
 
 func (s *GeminiWebState) loadConversationCaches() {
-	if path := s.convPath(); path != "" {
-		if store, err := LoadConvStore(path); err == nil {
-			s.convStore = store
-		}
+	path := s.convPath()
+	if path == "" {
+		return
 	}
-	if path := s.convPath(); path != "" {
-		if items, index, err := LoadConvData(path); err == nil {
-			s.convData = items
-			s.convIndex = index
-		}
+	if store, err := LoadConvStore(path); err == nil {
+		s.convStore = store
+	}
+	if items, index, err := LoadConvData(path); err == nil {
+		s.convData = items
+		s.convIndex = index
 	}
 }
 

internal/registry/model_registry.go

@@ -9,6 +9,7 @@ import (
 	"sync"
 	"time"
 
+	misc "github.com/router-for-me/CLIProxyAPI/v6/internal/misc"
 	log "github.com/sirupsen/logrus"
 )
 
@@ -100,54 +101,265 @@ func (r *ModelRegistry) RegisterClient(clientID, clientProvider string, models [
 	r.mutex.Lock()
 	defer r.mutex.Unlock()
 
-	// Remove any existing registration for this client
-	r.unregisterClientInternal(clientID)
-
 	provider := strings.ToLower(clientProvider)
-	modelIDs := make([]string, 0, len(models))
+	uniqueModelIDs := make([]string, 0, len(models))
+	rawModelIDs := make([]string, 0, len(models))
+	newModels := make(map[string]*ModelInfo, len(models))
+	newCounts := make(map[string]int, len(models))
+	for _, model := range models {
+		if model == nil || model.ID == "" {
+			continue
+		}
+		rawModelIDs = append(rawModelIDs, model.ID)
+		newCounts[model.ID]++
+		if _, exists := newModels[model.ID]; exists {
+			continue
+		}
+		newModels[model.ID] = model
+		uniqueModelIDs = append(uniqueModelIDs, model.ID)
+	}
+
+	if len(uniqueModelIDs) == 0 {
+		// No models supplied; unregister existing client state if present.
+		r.unregisterClientInternal(clientID)
+		delete(r.clientModels, clientID)
+		delete(r.clientProviders, clientID)
+		misc.LogCredentialSeparator()
+		return
+	}
+
 	now := time.Now()
 
-	for _, model := range models {
-		modelIDs = append(modelIDs, model.ID)
-
-		if existing, exists := r.models[model.ID]; exists {
-			// Model already exists, increment count
-			existing.Count++
-			existing.LastUpdated = now
-			if existing.SuspendedClients == nil {
-				existing.SuspendedClients = make(map[string]string)
-			}
-			if provider != "" {
-				if existing.Providers == nil {
-					existing.Providers = make(map[string]int)
-				}
-				existing.Providers[provider]++
-			}
-			log.Debugf("Incremented count for model %s, now %d clients", model.ID, existing.Count)
+	oldModels, hadExisting := r.clientModels[clientID]
+	oldProvider, _ := r.clientProviders[clientID]
+	providerChanged := oldProvider != provider
+	if !hadExisting {
+		// Pure addition path.
+		for _, modelID := range rawModelIDs {
+			model := newModels[modelID]
+			r.addModelRegistration(modelID, provider, model, now)
+		}
+		r.clientModels[clientID] = append([]string(nil), rawModelIDs...)
+		if provider != "" {
+			r.clientProviders[clientID] = provider
 		} else {
-			// New model, create registration
-			registration := &ModelRegistration{
-				Info:                 model,
-				Count:                1,
-				LastUpdated:          now,
-				QuotaExceededClients: make(map[string]*time.Time),
-				SuspendedClients:     make(map[string]string),
-			}
-			if provider != "" {
-				registration.Providers = map[string]int{provider: 1}
-			}
-			r.models[model.ID] = registration
-			log.Debugf("Registered new model %s from provider %s", model.ID, clientProvider)
+			delete(r.clientProviders, clientID)
+		}
+		log.Debugf("Registered client %s from provider %s with %d models", clientID, clientProvider, len(rawModelIDs))
+		misc.LogCredentialSeparator()
+		return
+	}
+
+	oldCounts := make(map[string]int, len(oldModels))
+	for _, id := range oldModels {
+		oldCounts[id]++
+	}
+
+	added := make([]string, 0)
+	for _, id := range uniqueModelIDs {
+		if oldCounts[id] == 0 {
+			added = append(added, id)
 		}
 	}
 
-	r.clientModels[clientID] = modelIDs
+	removed := make([]string, 0)
+	for id := range oldCounts {
+		if newCounts[id] == 0 {
+			removed = append(removed, id)
+		}
+	}
+
+	// Handle provider change for overlapping models before modifications.
+	if providerChanged && oldProvider != "" {
+		for id, newCount := range newCounts {
+			if newCount == 0 {
+				continue
+			}
+			oldCount := oldCounts[id]
+			if oldCount == 0 {
+				continue
+			}
+			toRemove := newCount
+			if oldCount < toRemove {
+				toRemove = oldCount
+			}
+			if reg, ok := r.models[id]; ok && reg.Providers != nil {
+				if count, okProv := reg.Providers[oldProvider]; okProv {
+					if count <= toRemove {
+						delete(reg.Providers, oldProvider)
+					} else {
+						reg.Providers[oldProvider] = count - toRemove
+					}
+				}
+			}
+		}
+	}
+
+	// Apply removals first to keep counters accurate.
+	for _, id := range removed {
+		oldCount := oldCounts[id]
+		for i := 0; i < oldCount; i++ {
+			r.removeModelRegistration(clientID, id, oldProvider, now)
+		}
+	}
+
+	for id, oldCount := range oldCounts {
+		newCount := newCounts[id]
+		if newCount == 0 || oldCount <= newCount {
+			continue
+		}
+		overage := oldCount - newCount
+		for i := 0; i < overage; i++ {
+			r.removeModelRegistration(clientID, id, oldProvider, now)
+		}
+	}
+
+	// Apply additions.
+	for id, newCount := range newCounts {
+		oldCount := oldCounts[id]
+		if newCount <= oldCount {
+			continue
+		}
+		model := newModels[id]
+		diff := newCount - oldCount
+		for i := 0; i < diff; i++ {
+			r.addModelRegistration(id, provider, model, now)
+		}
+	}
+
+	// Update metadata for models that remain associated with the client.
+	addedSet := make(map[string]struct{}, len(added))
+	for _, id := range added {
+		addedSet[id] = struct{}{}
+	}
+	for _, id := range uniqueModelIDs {
+		model := newModels[id]
+		if reg, ok := r.models[id]; ok {
+			reg.Info = cloneModelInfo(model)
+			reg.LastUpdated = now
+			if reg.QuotaExceededClients != nil {
+				delete(reg.QuotaExceededClients, clientID)
+			}
+			if reg.SuspendedClients != nil {
+				delete(reg.SuspendedClients, clientID)
+			}
+			if providerChanged && provider != "" {
+				if _, newlyAdded := addedSet[id]; newlyAdded {
+					continue
+				}
+				overlapCount := newCounts[id]
+				if oldCount := oldCounts[id]; oldCount < overlapCount {
+					overlapCount = oldCount
+				}
+				if overlapCount <= 0 {
+					continue
+				}
+				if reg.Providers == nil {
+					reg.Providers = make(map[string]int)
+				}
+				reg.Providers[provider] += overlapCount
+			}
+		}
+	}
+
+	// Update client bookkeeping.
+	if len(rawModelIDs) > 0 {
+		r.clientModels[clientID] = append([]string(nil), rawModelIDs...)
+	}
 	if provider != "" {
 		r.clientProviders[clientID] = provider
 	} else {
 		delete(r.clientProviders, clientID)
 	}
-	log.Debugf("Registered client %s from provider %s with %d models", clientID, clientProvider, len(models))
+
+	if len(added) == 0 && len(removed) == 0 && !providerChanged {
+		// Only metadata (e.g., display name) changed; skip separator when no log output.
+		return
+	}
+
+	log.Debugf("Reconciled client %s (provider %s) models: +%d, -%d", clientID, provider, len(added), len(removed))
+	misc.LogCredentialSeparator()
+}
+
+func (r *ModelRegistry) addModelRegistration(modelID, provider string, model *ModelInfo, now time.Time) {
+	if model == nil || modelID == "" {
+		return
+	}
+	if existing, exists := r.models[modelID]; exists {
+		existing.Count++
+		existing.LastUpdated = now
+		existing.Info = cloneModelInfo(model)
+		if existing.SuspendedClients == nil {
+			existing.SuspendedClients = make(map[string]string)
+		}
+		if provider != "" {
+			if existing.Providers == nil {
+				existing.Providers = make(map[string]int)
+			}
+			existing.Providers[provider]++
+		}
+		log.Debugf("Incremented count for model %s, now %d clients", modelID, existing.Count)
+		return
+	}
+
+	registration := &ModelRegistration{
+		Info:                 cloneModelInfo(model),
+		Count:                1,
+		LastUpdated:          now,
+		QuotaExceededClients: make(map[string]*time.Time),
+		SuspendedClients:     make(map[string]string),
+	}
+	if provider != "" {
+		registration.Providers = map[string]int{provider: 1}
+	}
+	r.models[modelID] = registration
+	log.Debugf("Registered new model %s from provider %s", modelID, provider)
+}
+
+func (r *ModelRegistry) removeModelRegistration(clientID, modelID, provider string, now time.Time) {
+	registration, exists := r.models[modelID]
+	if !exists {
+		return
+	}
+	registration.Count--
+	registration.LastUpdated = now
+	if registration.QuotaExceededClients != nil {
+		delete(registration.QuotaExceededClients, clientID)
+	}
+	if registration.SuspendedClients != nil {
+		delete(registration.SuspendedClients, clientID)
+	}
+	if registration.Count < 0 {
+		registration.Count = 0
+	}
+	if provider != "" && registration.Providers != nil {
+		if count, ok := registration.Providers[provider]; ok {
+			if count <= 1 {
+				delete(registration.Providers, provider)
+			} else {
+				registration.Providers[provider] = count - 1
+			}
+		}
+	}
+	log.Debugf("Decremented count for model %s, now %d clients", modelID, registration.Count)
+	if registration.Count <= 0 {
+		delete(r.models, modelID)
+		log.Debugf("Removed model %s as no clients remain", modelID)
+	}
+}
+
+func cloneModelInfo(model *ModelInfo) *ModelInfo {
+	if model == nil {
+		return nil
+	}
+	copy := *model
+	if len(model.SupportedGenerationMethods) > 0 {
+		copy.SupportedGenerationMethods = append([]string(nil), model.SupportedGenerationMethods...)
+	}
+	if len(model.SupportedParameters) > 0 {
+		copy.SupportedParameters = append([]string(nil), model.SupportedParameters...)
+	}
+	return &copy
 }
 
 // UnregisterClient removes a client and decrements counts for its models
@@ -207,6 +419,8 @@ func (r *ModelRegistry) unregisterClientInternal(clientID string) {
 		delete(r.clientProviders, clientID)
 	}
 	log.Debugf("Unregistered client %s", clientID)
+	// Separator line after completing client unregistration (after the summary line)
+	misc.LogCredentialSeparator()
 }
 
 // SetModelQuotaExceeded marks a model as quota exceeded for a specific client

internal/runtime/executor/codex_executor.go

@@ -54,8 +54,6 @@ func (e *CodexExecutor) Execute(ctx context.Context, auth *cliproxyauth.Auth, re
 	if util.InArray([]string{"gpt-5", "gpt-5-minimal", "gpt-5-low", "gpt-5-medium", "gpt-5-high"}, req.Model) {
 		body, _ = sjson.SetBytes(body, "model", "gpt-5")
 		switch req.Model {
-		case "gpt-5":
-			body, _ = sjson.DeleteBytes(body, "reasoning.effort")
 		case "gpt-5-minimal":
 			body, _ = sjson.SetBytes(body, "reasoning.effort", "minimal")
 		case "gpt-5-low":
@@ -68,8 +66,6 @@ func (e *CodexExecutor) Execute(ctx context.Context, auth *cliproxyauth.Auth, re
 	} else if util.InArray([]string{"gpt-5-codex", "gpt-5-codex-low", "gpt-5-codex-medium", "gpt-5-codex-high"}, req.Model) {
 		body, _ = sjson.SetBytes(body, "model", "gpt-5-codex")
 		switch req.Model {
-		case "gpt-5-codex":
-			body, _ = sjson.DeleteBytes(body, "reasoning.effort")
 		case "gpt-5-codex-low":
 			body, _ = sjson.SetBytes(body, "reasoning.effort", "low")
 		case "gpt-5-codex-medium":
@@ -147,8 +143,6 @@ func (e *CodexExecutor) ExecuteStream(ctx context.Context, auth *cliproxyauth.Au
 	if util.InArray([]string{"gpt-5", "gpt-5-minimal", "gpt-5-low", "gpt-5-medium", "gpt-5-high"}, req.Model) {
 		body, _ = sjson.SetBytes(body, "model", "gpt-5")
 		switch req.Model {
-		case "gpt-5":
-			body, _ = sjson.DeleteBytes(body, "reasoning.effort")
 		case "gpt-5-minimal":
 			body, _ = sjson.SetBytes(body, "reasoning.effort", "minimal")
 		case "gpt-5-low":
@@ -161,8 +155,6 @@ func (e *CodexExecutor) ExecuteStream(ctx context.Context, auth *cliproxyauth.Au
 	} else if util.InArray([]string{"gpt-5-codex", "gpt-5-codex-low", "gpt-5-codex-medium", "gpt-5-codex-high"}, req.Model) {
 		body, _ = sjson.SetBytes(body, "model", "gpt-5-codex")
 		switch req.Model {
-		case "gpt-5-codex":
-			body, _ = sjson.DeleteBytes(body, "reasoning.effort")
 		case "gpt-5-codex-low":
 			body, _ = sjson.SetBytes(body, "reasoning.effort", "low")
 		case "gpt-5-codex-medium":

internal/translator/claude/gemini/claude_gemini_request.go

@@ -8,15 +8,24 @@ package gemini
 import (
 	"bytes"
 	"crypto/rand"
+	"crypto/sha256"
+	"encoding/hex"
 	"fmt"
 	"math/big"
 	"strings"
 
+	"github.com/google/uuid"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/util"
 	"github.com/tidwall/gjson"
 	"github.com/tidwall/sjson"
 )
 
+var (
+	user    = ""
+	account = ""
+	session = ""
+)
+
 // ConvertGeminiRequestToClaude parses and transforms a Gemini API request into Claude Code API format.
 // It extracts the model name, system instruction, message contents, and tool declarations
 // from the raw JSON request and returns them in the format expected by the Claude Code API.
@@ -37,8 +46,23 @@ import (
 //   - []byte: The transformed request data in Claude Code API format
 func ConvertGeminiRequestToClaude(modelName string, inputRawJSON []byte, stream bool) []byte {
 	rawJSON := bytes.Clone(inputRawJSON)
-	// Base Claude Code API template with default max_tokens value
-	out := `{"model":"","max_tokens":32000,"messages":[]}`
+
+	if account == "" {
+		u, _ := uuid.NewRandom()
+		account = u.String()
+	}
+	if session == "" {
+		u, _ := uuid.NewRandom()
+		session = u.String()
+	}
+	if user == "" {
+		sum := sha256.Sum256([]byte(account + session))
+		user = hex.EncodeToString(sum[:])
+	}
+	userID := fmt.Sprintf("user_%s_account_%s_session_%s", user, account, session)
+
+	// Base Claude message payload
+	out := fmt.Sprintf(`{"model":"","max_tokens":32000,"messages":[],"metadata":{"user_id":"%s"}}`, userID)
 
 	root := gjson.ParseBytes(rawJSON)
 

internal/translator/claude/openai/chat-completions/claude_openai_request.go

@@ -8,14 +8,24 @@ package chat_completions
 import (
 	"bytes"
 	"crypto/rand"
+	"crypto/sha256"
+	"encoding/hex"
 	"encoding/json"
+	"fmt"
 	"math/big"
 	"strings"
 
+	"github.com/google/uuid"
 	"github.com/tidwall/gjson"
 	"github.com/tidwall/sjson"
 )
 
+var (
+	user    = ""
+	account = ""
+	session = ""
+)
+
 // ConvertOpenAIRequestToClaude parses and transforms an OpenAI Chat Completions API request into Claude Code API format.
 // It extracts the model name, system instruction, message contents, and tool declarations
 // from the raw JSON request and returns them in the format expected by the Claude Code API.
@@ -36,8 +46,22 @@ import (
 func ConvertOpenAIRequestToClaude(modelName string, inputRawJSON []byte, stream bool) []byte {
 	rawJSON := bytes.Clone(inputRawJSON)
 
+	if account == "" {
+		u, _ := uuid.NewRandom()
+		account = u.String()
+	}
+	if session == "" {
+		u, _ := uuid.NewRandom()
+		session = u.String()
+	}
+	if user == "" {
+		sum := sha256.Sum256([]byte(account + session))
+		user = hex.EncodeToString(sum[:])
+	}
+	userID := fmt.Sprintf("user_%s_account_%s_session_%s", user, account, session)
+
 	// Base Claude Code API template with default max_tokens value
-	out := `{"model":"","max_tokens":32000,"messages":[]}`
+	out := fmt.Sprintf(`{"model":"","max_tokens":32000,"messages":[],"metadata":{"user_id":"%s"}}`, userID)
 
 	root := gjson.ParseBytes(rawJSON)
 

internal/translator/claude/openai/responses/claude_openai-responses_request.go

@@ -3,13 +3,23 @@ package responses
 import (
 	"bytes"
 	"crypto/rand"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
 	"math/big"
 	"strings"
 
+	"github.com/google/uuid"
 	"github.com/tidwall/gjson"
 	"github.com/tidwall/sjson"
 )
 
+var (
+	user    = ""
+	account = ""
+	session = ""
+)
+
 // ConvertOpenAIResponsesRequestToClaude transforms an OpenAI Responses API request
 // into a Claude Messages API request using only gjson/sjson for JSON handling.
 // It supports:
@@ -23,8 +33,22 @@ import (
 func ConvertOpenAIResponsesRequestToClaude(modelName string, inputRawJSON []byte, stream bool) []byte {
 	rawJSON := bytes.Clone(inputRawJSON)
 
+	if account == "" {
+		u, _ := uuid.NewRandom()
+		account = u.String()
+	}
+	if session == "" {
+		u, _ := uuid.NewRandom()
+		session = u.String()
+	}
+	if user == "" {
+		sum := sha256.Sum256([]byte(account + session))
+		user = hex.EncodeToString(sum[:])
+	}
+	userID := fmt.Sprintf("user_%s_account_%s_session_%s", user, account, session)
+
 	// Base Claude message payload
-	out := `{"model":"","max_tokens":32000,"messages":[]}`
+	out := fmt.Sprintf(`{"model":"","max_tokens":32000,"messages":[],"metadata":{"user_id":"%s"}}`, userID)
 
 	root := gjson.ParseBytes(rawJSON)
 

internal/translator/gemini-cli/openai/chat-completions/cli_openai_request.go

@@ -25,7 +25,6 @@ import (
 // Returns:
 //   - []byte: The transformed request data in Gemini CLI API format
 func ConvertOpenAIRequestToGeminiCLI(modelName string, inputRawJSON []byte, _ bool) []byte {
-	log.Debug("ConvertOpenAIRequestToGeminiCLI")
 	rawJSON := bytes.Clone(inputRawJSON)
 	// Base envelope
 	out := []byte(`{"project":"","request":{"contents":[],"generationConfig":{"thinkingConfig":{"include_thoughts":true}}},"model":"gemini-2.5-pro"}`)

internal/translator/gemini/openai/responses/gemini_openai-responses_response.go

@@ -414,6 +414,25 @@ func ConvertGeminiResponseToOpenAIResponses(_ context.Context, modelName string,
 			completed, _ = sjson.Set(completed, "response.output", outputs)
 		}
 
+		// usage mapping
+		if um := root.Get("usageMetadata"); um.Exists() {
+			// input tokens = prompt + thoughts
+			input := um.Get("promptTokenCount").Int() + um.Get("thoughtsTokenCount").Int()
+			completed, _ = sjson.Set(completed, "response.usage.input_tokens", input)
+			// cached_tokens not provided by Gemini; default to 0 for structure compatibility
+			completed, _ = sjson.Set(completed, "response.usage.input_tokens_details.cached_tokens", 0)
+			// output tokens
+			if v := um.Get("candidatesTokenCount"); v.Exists() {
+				completed, _ = sjson.Set(completed, "response.usage.output_tokens", v.Int())
+			}
+			if v := um.Get("thoughtsTokenCount"); v.Exists() {
+				completed, _ = sjson.Set(completed, "response.usage.output_tokens_details.reasoning_tokens", v.Int())
+			}
+			if v := um.Get("totalTokenCount"); v.Exists() {
+				completed, _ = sjson.Set(completed, "response.usage.total_tokens", v.Int())
+			}
+		}
+
 		out = append(out, emitEvent("response.completed", completed))
 	}
 

internal/usage/logger_plugin.go

@@ -7,13 +7,17 @@ import (
 	"context"
 	"fmt"
 	"sync"
+	"sync/atomic"
 	"time"
 
 	"github.com/gin-gonic/gin"
 	coreusage "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/usage"
 )
 
+var statisticsEnabled atomic.Bool
+
 func init() {
+	statisticsEnabled.Store(true)
 	coreusage.RegisterPlugin(NewLoggerPlugin())
 }
 
@@ -36,12 +40,21 @@ func NewLoggerPlugin() *LoggerPlugin { return &LoggerPlugin{stats: defaultReques
 //   - ctx: The context for the usage record
 //   - record: The usage record to aggregate
 func (p *LoggerPlugin) HandleUsage(ctx context.Context, record coreusage.Record) {
+	if !statisticsEnabled.Load() {
+		return
+	}
 	if p == nil || p.stats == nil {
 		return
 	}
 	p.stats.Record(ctx, record)
 }
 
+// SetStatisticsEnabled toggles whether in-memory statistics are recorded.
+func SetStatisticsEnabled(enabled bool) { statisticsEnabled.Store(enabled) }
+
+// StatisticsEnabled reports the current recording state.
+func StatisticsEnabled() bool { return statisticsEnabled.Load() }
+
 // RequestStatistics maintains aggregated request metrics in memory.
 type RequestStatistics struct {
 	mu sync.RWMutex
@@ -138,6 +151,9 @@ func (s *RequestStatistics) Record(ctx context.Context, record coreusage.Record)
 	if s == nil {
 		return
 	}
+	if !statisticsEnabled.Load() {
+		return
+	}
 	timestamp := record.RequestedAt
 	if timestamp.IsZero() {
 		timestamp = time.Now()

internal/util/ssh_helper.go

@@ -120,7 +120,7 @@ func GetIPAddress() string {
 func PrintSSHTunnelInstructions(port int) {
 	ipAddress := GetIPAddress()
 	border := "================================================================================"
-	log.Infof("To authenticate from a remote machine, an SSH tunnel may be required.")
+	fmt.Println("To authenticate from a remote machine, an SSH tunnel may be required.")
 	fmt.Println(border)
 	fmt.Println("  Run one of the following commands on your local machine (NOT the server):")
 	fmt.Println()

internal/watcher/watcher.go

@@ -52,6 +52,39 @@ type Watcher struct {
 	dispatchCancel context.CancelFunc
 }
 
+type stableIDGenerator struct {
+	counters map[string]int
+}
+
+func newStableIDGenerator() *stableIDGenerator {
+	return &stableIDGenerator{counters: make(map[string]int)}
+}
+
+func (g *stableIDGenerator) next(kind string, parts ...string) (string, string) {
+	if g == nil {
+		return kind + ":000000000000", "000000000000"
+	}
+	hasher := sha256.New()
+	hasher.Write([]byte(kind))
+	for _, part := range parts {
+		trimmed := strings.TrimSpace(part)
+		hasher.Write([]byte{0})
+		hasher.Write([]byte(trimmed))
+	}
+	digest := hex.EncodeToString(hasher.Sum(nil))
+	if len(digest) < 12 {
+		digest = fmt.Sprintf("%012s", digest)
+	}
+	short := digest[:12]
+	key := kind + ":" + short
+	index := g.counters[key]
+	g.counters[key] = index + 1
+	if index > 0 {
+		short = fmt.Sprintf("%s-%d", short, index)
+	}
+	return fmt.Sprintf("%s:%s", kind, short), short
+}
+
 // AuthUpdateAction represents the type of change detected in auth sources.
 type AuthUpdateAction string
 
@@ -320,6 +353,20 @@ func normalizeAuth(a *coreauth.Auth) *coreauth.Auth {
 	return clone
 }
 
+// computeOpenAICompatModelsHash returns a stable hash for the compatibility models so that
+// changes to the model list trigger auth updates during hot reload.
+func computeOpenAICompatModelsHash(models []config.OpenAICompatibilityModel) string {
+	if len(models) == 0 {
+		return ""
+	}
+	data, err := json.Marshal(models)
+	if err != nil || len(data) == 0 {
+		return ""
+	}
+	sum := sha256.Sum256(data)
+	return hex.EncodeToString(sum[:])
+}
+
 // SetClients sets the file-based clients.
 // SetClients removed
 // SetAPIKeyClients removed
@@ -380,7 +427,7 @@ func (w *Watcher) handleEvent(event fsnotify.Event) {
 			log.Debugf("config file content unchanged (hash match), skipping reload")
 			return
 		}
-		log.Infof("config file changed, reloading: %s", w.configPath)
+		fmt.Printf("config file changed, reloading: %s\n", w.configPath)
 		if w.reloadConfig() {
 			w.clientsMutex.Lock()
 			w.lastConfigHash = newHash
@@ -390,7 +437,7 @@ func (w *Watcher) handleEvent(event fsnotify.Event) {
 	}
 
 	// Handle auth directory changes incrementally (.json only)
-	log.Infof("auth file changed (%s): %s, processing incrementally", event.Op.String(), filepath.Base(event.Name))
+	fmt.Printf("auth file changed (%s): %s, processing incrementally\n", event.Op.String(), filepath.Base(event.Name))
 	if event.Op&fsnotify.Create == fsnotify.Create || event.Op&fsnotify.Write == fsnotify.Write {
 		w.addOrUpdateClient(event.Name)
 	} else if event.Op&fsnotify.Remove == fsnotify.Remove {
@@ -477,6 +524,12 @@ func (w *Watcher) reloadConfig() bool {
 		if oldConfig.RemoteManagement.AllowRemote != newConfig.RemoteManagement.AllowRemote {
 			log.Debugf("  remote-management.allow-remote: %t -> %t", oldConfig.RemoteManagement.AllowRemote, newConfig.RemoteManagement.AllowRemote)
 		}
+		if oldConfig.LoggingToFile != newConfig.LoggingToFile {
+			log.Debugf("  logging-to-file: %t -> %t", oldConfig.LoggingToFile, newConfig.LoggingToFile)
+		}
+		if oldConfig.UsageStatisticsEnabled != newConfig.UsageStatisticsEnabled {
+			log.Debugf("  usage-statistics-enabled: %t -> %t", oldConfig.UsageStatisticsEnabled, newConfig.UsageStatisticsEnabled)
+		}
 	}
 
 	log.Infof("config successfully reloaded, triggering client reload")
@@ -533,10 +586,15 @@ func (w *Watcher) reloadClients() {
 
 	totalNewClients := authFileCount + glAPIKeyCount + claudeAPIKeyCount + codexAPIKeyCount + openAICompatCount
 
+	// Ensure consumers observe the new configuration before auth updates dispatch.
+	if w.reloadCallback != nil {
+		log.Debugf("triggering server update callback before auth refresh")
+		w.reloadCallback(cfg)
+	}
+
 	w.refreshAuthState()
 
-	log.Infof("full client reload complete - old: %d clients, new: %d clients (%d auth files + %d GL API keys + %d Claude API keys + %d Codex keys + %d OpenAI-compat)",
-		0,
+	log.Infof("full client load complete - %d clients (%d auth files + %d GL API keys + %d Claude API keys + %d Codex keys + %d OpenAI-compat)",
 		totalNewClients,
 		authFileCount,
 		glAPIKeyCount,
@@ -544,12 +602,6 @@ func (w *Watcher) reloadClients() {
 		codexAPIKeyCount,
 		openAICompatCount,
 	)
-
-	// Trigger the callback to update the server
-	if w.reloadCallback != nil {
-		log.Debugf("triggering server update callback")
-		w.reloadCallback(cfg)
-	}
 }
 
 // createClientFromFile creates a single client instance from a given token file path.
@@ -621,6 +673,7 @@ func (w *Watcher) removeClient(path string) {
 func (w *Watcher) SnapshotCoreAuths() []*coreauth.Auth {
 	out := make([]*coreauth.Auth, 0, 32)
 	now := time.Now()
+	idGen := newStableIDGenerator()
 	// Also synthesize auth entries for OpenAI-compatibility providers directly from config
 	w.clientsMutex.RLock()
 	cfg := w.config
@@ -628,14 +681,18 @@ func (w *Watcher) SnapshotCoreAuths() []*coreauth.Auth {
 	if cfg != nil {
 		// Gemini official API keys -> synthesize auths
 		for i := range cfg.GlAPIKey {
-			k := cfg.GlAPIKey[i]
+			k := strings.TrimSpace(cfg.GlAPIKey[i])
+			if k == "" {
+				continue
+			}
+			id, token := idGen.next("gemini:apikey", k)
 			a := &coreauth.Auth{
-				ID:       fmt.Sprintf("gemini:apikey:%d", i),
+				ID:       id,
 				Provider: "gemini",
 				Label:    "gemini-apikey",
 				Status:   coreauth.StatusActive,
 				Attributes: map[string]string{
-					"source":  fmt.Sprintf("config:gemini#%d", i),
+					"source":  fmt.Sprintf("config:gemini[%s]", token),
 					"api_key": k,
 				},
 				CreatedAt: now,
@@ -646,15 +703,20 @@ func (w *Watcher) SnapshotCoreAuths() []*coreauth.Auth {
 		// Claude API keys -> synthesize auths
 		for i := range cfg.ClaudeKey {
 			ck := cfg.ClaudeKey[i]
+			key := strings.TrimSpace(ck.APIKey)
+			if key == "" {
+				continue
+			}
+			id, token := idGen.next("claude:apikey", key, ck.BaseURL)
 			attrs := map[string]string{
-				"source":  fmt.Sprintf("config:claude#%d", i),
-				"api_key": ck.APIKey,
+				"source":  fmt.Sprintf("config:claude[%s]", token),
+				"api_key": key,
 			}
 			if ck.BaseURL != "" {
 				attrs["base_url"] = ck.BaseURL
 			}
 			a := &coreauth.Auth{
-				ID:         fmt.Sprintf("claude:apikey:%d", i),
+				ID:         id,
 				Provider:   "claude",
 				Label:      "claude-apikey",
 				Status:     coreauth.StatusActive,
@@ -667,15 +729,20 @@ func (w *Watcher) SnapshotCoreAuths() []*coreauth.Auth {
 		// Codex API keys -> synthesize auths
 		for i := range cfg.CodexKey {
 			ck := cfg.CodexKey[i]
+			key := strings.TrimSpace(ck.APIKey)
+			if key == "" {
+				continue
+			}
+			id, token := idGen.next("codex:apikey", key, ck.BaseURL)
 			attrs := map[string]string{
-				"source":  fmt.Sprintf("config:codex#%d", i),
-				"api_key": ck.APIKey,
+				"source":  fmt.Sprintf("config:codex[%s]", token),
+				"api_key": key,
 			}
 			if ck.BaseURL != "" {
 				attrs["base_url"] = ck.BaseURL
 			}
 			a := &coreauth.Auth{
-				ID:         fmt.Sprintf("codex:apikey:%d", i),
+				ID:         id,
 				Provider:   "codex",
 				Label:      "codex-apikey",
 				Status:     coreauth.StatusActive,
@@ -691,23 +758,32 @@ func (w *Watcher) SnapshotCoreAuths() []*coreauth.Auth {
 			if providerName == "" {
 				providerName = "openai-compatibility"
 			}
-			base := compat.BaseURL
+			base := strings.TrimSpace(compat.BaseURL)
 			for j := range compat.APIKeys {
-				key := compat.APIKeys[j]
+				key := strings.TrimSpace(compat.APIKeys[j])
+				if key == "" {
+					continue
+				}
+				idKind := fmt.Sprintf("openai-compatibility:%s", providerName)
+				id, token := idGen.next(idKind, key, base)
+				attrs := map[string]string{
+					"source":       fmt.Sprintf("config:%s[%s]", providerName, token),
+					"base_url":     base,
+					"api_key":      key,
+					"compat_name":  compat.Name,
+					"provider_key": providerName,
+				}
+				if hash := computeOpenAICompatModelsHash(compat.Models); hash != "" {
+					attrs["models_hash"] = hash
+				}
 				a := &coreauth.Auth{
-					ID:       fmt.Sprintf("openai-compatibility:%s:%d", compat.Name, j),
-					Provider: providerName,
-					Label:    compat.Name,
-					Status:   coreauth.StatusActive,
-					Attributes: map[string]string{
-						"source":       fmt.Sprintf("config:%s#%d", compat.Name, j),
-						"base_url":     base,
-						"api_key":      key,
-						"compat_name":  compat.Name,
-						"provider_key": providerName,
-					},
-					CreatedAt: now,
-					UpdatedAt: now,
+					ID:         id,
+					Provider:   providerName,
+					Label:      compat.Name,
+					Status:     coreauth.StatusActive,
+					Attributes: attrs,
+					CreatedAt:  now,
+					UpdatedAt:  now,
 				}
 				out = append(out, a)
 			}

sdk/access/reconcile.go

@@ -0,0 +1,252 @@
+package access
+
+import (
+	"reflect"
+	"sort"
+	"strings"
+
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+)
+
+// ReconcileProviders builds the desired provider list by reusing existing providers when possible
+// and creating or removing providers only when their configuration changed. It returns the final
+// ordered provider slice along with the identifiers of providers that were added, updated, or
+// removed compared to the previous configuration.
+func ReconcileProviders(oldCfg, newCfg *config.Config, existing []Provider) (result []Provider, added, updated, removed []string, err error) {
+	if newCfg == nil {
+		return nil, nil, nil, nil, nil
+	}
+
+	existingMap := make(map[string]Provider, len(existing))
+	for _, provider := range existing {
+		if provider == nil {
+			continue
+		}
+		existingMap[provider.Identifier()] = provider
+	}
+
+	oldCfgMap := accessProviderMap(oldCfg)
+	newEntries := collectProviderEntries(newCfg)
+
+	result = make([]Provider, 0, len(newEntries))
+	finalIDs := make(map[string]struct{}, len(newEntries))
+
+	isInlineProvider := func(id string) bool {
+		return strings.EqualFold(id, config.DefaultAccessProviderName)
+	}
+	appendChange := func(list *[]string, id string) {
+		if isInlineProvider(id) {
+			return
+		}
+		*list = append(*list, id)
+	}
+
+	for _, providerCfg := range newEntries {
+		key := providerIdentifier(providerCfg)
+		if key == "" {
+			continue
+		}
+
+		if oldCfgProvider, ok := oldCfgMap[key]; ok {
+			isAliased := oldCfgProvider == providerCfg
+			if !isAliased && providerConfigEqual(oldCfgProvider, providerCfg) {
+				if existingProvider, okExisting := existingMap[key]; okExisting {
+					result = append(result, existingProvider)
+					finalIDs[key] = struct{}{}
+					continue
+				}
+			}
+		}
+
+		provider, buildErr := buildProvider(providerCfg, newCfg)
+		if buildErr != nil {
+			return nil, nil, nil, nil, buildErr
+		}
+		if _, ok := oldCfgMap[key]; ok {
+			if _, existed := existingMap[key]; existed {
+				appendChange(&updated, key)
+			} else {
+				appendChange(&added, key)
+			}
+		} else {
+			appendChange(&added, key)
+		}
+		result = append(result, provider)
+		finalIDs[key] = struct{}{}
+	}
+
+	if len(result) == 0 && len(newCfg.APIKeys) > 0 {
+		config.SyncInlineAPIKeys(newCfg, newCfg.APIKeys)
+		if providerCfg := newCfg.ConfigAPIKeyProvider(); providerCfg != nil {
+			key := providerIdentifier(providerCfg)
+			if key != "" {
+				if oldCfgProvider, ok := oldCfgMap[key]; ok {
+					isAliased := oldCfgProvider == providerCfg
+					if !isAliased && providerConfigEqual(oldCfgProvider, providerCfg) {
+						if existingProvider, okExisting := existingMap[key]; okExisting {
+							result = append(result, existingProvider)
+						} else {
+							provider, buildErr := buildProvider(providerCfg, newCfg)
+							if buildErr != nil {
+								return nil, nil, nil, nil, buildErr
+							}
+							if _, existed := existingMap[key]; existed {
+								appendChange(&updated, key)
+							} else {
+								appendChange(&added, key)
+							}
+							result = append(result, provider)
+						}
+					} else {
+						provider, buildErr := buildProvider(providerCfg, newCfg)
+						if buildErr != nil {
+							return nil, nil, nil, nil, buildErr
+						}
+						if _, existed := existingMap[key]; existed {
+							appendChange(&updated, key)
+						} else {
+							appendChange(&added, key)
+						}
+						result = append(result, provider)
+					}
+				} else {
+					provider, buildErr := buildProvider(providerCfg, newCfg)
+					if buildErr != nil {
+						return nil, nil, nil, nil, buildErr
+					}
+					appendChange(&added, key)
+					result = append(result, provider)
+				}
+				finalIDs[key] = struct{}{}
+			}
+		}
+	}
+
+	removedSet := make(map[string]struct{})
+	for id := range existingMap {
+		if _, ok := finalIDs[id]; !ok {
+			if isInlineProvider(id) {
+				continue
+			}
+			removedSet[id] = struct{}{}
+		}
+	}
+
+	removed = make([]string, 0, len(removedSet))
+	for id := range removedSet {
+		removed = append(removed, id)
+	}
+
+	sort.Strings(added)
+	sort.Strings(updated)
+	sort.Strings(removed)
+
+	return result, added, updated, removed, nil
+}
+
+func accessProviderMap(cfg *config.Config) map[string]*config.AccessProvider {
+	result := make(map[string]*config.AccessProvider)
+	if cfg == nil {
+		return result
+	}
+	for i := range cfg.Access.Providers {
+		providerCfg := &cfg.Access.Providers[i]
+		if providerCfg.Type == "" {
+			continue
+		}
+		key := providerIdentifier(providerCfg)
+		if key == "" {
+			continue
+		}
+		result[key] = providerCfg
+	}
+	if len(result) == 0 && len(cfg.APIKeys) > 0 {
+		if provider := cfg.ConfigAPIKeyProvider(); provider != nil {
+			if key := providerIdentifier(provider); key != "" {
+				result[key] = provider
+			}
+		}
+	}
+	return result
+}
+
+func collectProviderEntries(cfg *config.Config) []*config.AccessProvider {
+	entries := make([]*config.AccessProvider, 0, len(cfg.Access.Providers))
+	if cfg == nil {
+		return entries
+	}
+	for i := range cfg.Access.Providers {
+		providerCfg := &cfg.Access.Providers[i]
+		if providerCfg.Type == "" {
+			continue
+		}
+		if key := providerIdentifier(providerCfg); key != "" {
+			entries = append(entries, providerCfg)
+		}
+	}
+	return entries
+}
+
+func providerIdentifier(provider *config.AccessProvider) string {
+	if provider == nil {
+		return ""
+	}
+	if name := strings.TrimSpace(provider.Name); name != "" {
+		return name
+	}
+	typ := strings.TrimSpace(provider.Type)
+	if typ == "" {
+		return ""
+	}
+	if strings.EqualFold(typ, config.AccessProviderTypeConfigAPIKey) {
+		return config.DefaultAccessProviderName
+	}
+	return typ
+}
+
+func providerConfigEqual(a, b *config.AccessProvider) bool {
+	if a == nil || b == nil {
+		return a == nil && b == nil
+	}
+	if !strings.EqualFold(strings.TrimSpace(a.Type), strings.TrimSpace(b.Type)) {
+		return false
+	}
+	if strings.TrimSpace(a.SDK) != strings.TrimSpace(b.SDK) {
+		return false
+	}
+	if !stringSetEqual(a.APIKeys, b.APIKeys) {
+		return false
+	}
+	if len(a.Config) != len(b.Config) {
+		return false
+	}
+	if len(a.Config) > 0 && !reflect.DeepEqual(a.Config, b.Config) {
+		return false
+	}
+	return true
+}
+
+func stringSetEqual(a, b []string) bool {
+	if len(a) != len(b) {
+		return false
+	}
+	if len(a) == 0 {
+		return true
+	}
+	seen := make(map[string]int, len(a))
+	for _, val := range a {
+		seen[val]++
+	}
+	for _, val := range b {
+		count := seen[val]
+		if count == 0 {
+			return false
+		}
+		if count == 1 {
+			delete(seen, val)
+		} else {
+			seen[val] = count - 1
+		}
+	}
+	return len(seen) == 0
+}

sdk/auth/claude.go

@@ -80,22 +80,22 @@ func (a *ClaudeAuthenticator) Login(ctx context.Context, cfg *config.Config, opt
 	state = returnedState
 
 	if !opts.NoBrowser {
-		log.Info("Opening browser for Claude authentication")
+		fmt.Println("Opening browser for Claude authentication")
 		if !browser.IsAvailable() {
 			log.Warn("No browser available; please open the URL manually")
 			util.PrintSSHTunnelInstructions(a.CallbackPort)
-			log.Infof("Visit the following URL to continue authentication:\n%s", authURL)
+			fmt.Printf("Visit the following URL to continue authentication:\n%s\n", authURL)
 		} else if err = browser.OpenURL(authURL); err != nil {
 			log.Warnf("Failed to open browser automatically: %v", err)
 			util.PrintSSHTunnelInstructions(a.CallbackPort)
-			log.Infof("Visit the following URL to continue authentication:\n%s", authURL)
+			fmt.Printf("Visit the following URL to continue authentication:\n%s\n", authURL)
 		}
 	} else {
 		util.PrintSSHTunnelInstructions(a.CallbackPort)
-		log.Infof("Visit the following URL to continue authentication:\n%s", authURL)
+		fmt.Printf("Visit the following URL to continue authentication:\n%s\n", authURL)
 	}
 
-	log.Info("Waiting for Claude authentication callback...")
+	fmt.Println("Waiting for Claude authentication callback...")
 
 	result, err := oauthServer.WaitForCallback(5 * time.Minute)
 	if err != nil {
@@ -131,9 +131,9 @@ func (a *ClaudeAuthenticator) Login(ctx context.Context, cfg *config.Config, opt
 		"email": tokenStorage.Email,
 	}
 
-	log.Info("Claude authentication successful")
+	fmt.Println("Claude authentication successful")
 	if authBundle.APIKey != "" {
-		log.Info("Claude API key obtained and stored")
+		fmt.Println("Claude API key obtained and stored")
 	}
 
 	return &TokenRecord{

sdk/auth/codex.go

@@ -79,22 +79,22 @@ func (a *CodexAuthenticator) Login(ctx context.Context, cfg *config.Config, opts
 	}
 
 	if !opts.NoBrowser {
-		log.Info("Opening browser for Codex authentication")
+		fmt.Println("Opening browser for Codex authentication")
 		if !browser.IsAvailable() {
 			log.Warn("No browser available; please open the URL manually")
 			util.PrintSSHTunnelInstructions(a.CallbackPort)
-			log.Infof("Visit the following URL to continue authentication:\n%s", authURL)
+			fmt.Printf("Visit the following URL to continue authentication:\n%s\n", authURL)
 		} else if err = browser.OpenURL(authURL); err != nil {
 			log.Warnf("Failed to open browser automatically: %v", err)
 			util.PrintSSHTunnelInstructions(a.CallbackPort)
-			log.Infof("Visit the following URL to continue authentication:\n%s", authURL)
+			fmt.Printf("Visit the following URL to continue authentication:\n%s\n", authURL)
 		}
 	} else {
 		util.PrintSSHTunnelInstructions(a.CallbackPort)
-		log.Infof("Visit the following URL to continue authentication:\n%s", authURL)
+		fmt.Printf("Visit the following URL to continue authentication:\n%s\n", authURL)
 	}
 
-	log.Info("Waiting for Codex authentication callback...")
+	fmt.Println("Waiting for Codex authentication callback...")
 
 	result, err := oauthServer.WaitForCallback(5 * time.Minute)
 	if err != nil {
@@ -130,9 +130,9 @@ func (a *CodexAuthenticator) Login(ctx context.Context, cfg *config.Config, opts
 		"email": tokenStorage.Email,
 	}
 
-	log.Info("Codex authentication successful")
+	fmt.Println("Codex authentication successful")
 	if authBundle.APIKey != "" {
-		log.Info("Codex API key obtained and stored")
+		fmt.Println("Codex API key obtained and stored")
 	}
 
 	return &TokenRecord{

sdk/auth/gemini.go

@@ -8,7 +8,6 @@ import (
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/auth/gemini"
 	// legacy client removed
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
-	log "github.com/sirupsen/logrus"
 )
 
 // GeminiAuthenticator implements the login flow for Google Gemini CLI accounts.
@@ -57,7 +56,7 @@ func (a *GeminiAuthenticator) Login(ctx context.Context, cfg *config.Config, opt
 		"project_id": ts.ProjectID,
 	}
 
-	log.Info("Gemini authentication successful")
+	fmt.Println("Gemini authentication successful")
 
 	return &TokenRecord{
 		Provider: a.Provider(),

sdk/auth/qwen.go

@@ -51,19 +51,19 @@ func (a *QwenAuthenticator) Login(ctx context.Context, cfg *config.Config, opts
 	authURL := deviceFlow.VerificationURIComplete
 
 	if !opts.NoBrowser {
-		log.Info("Opening browser for Qwen authentication")
+		fmt.Println("Opening browser for Qwen authentication")
 		if !browser.IsAvailable() {
 			log.Warn("No browser available; please open the URL manually")
-			log.Infof("Visit the following URL to continue authentication:\n%s", authURL)
+			fmt.Printf("Visit the following URL to continue authentication:\n%s\n", authURL)
 		} else if err = browser.OpenURL(authURL); err != nil {
 			log.Warnf("Failed to open browser automatically: %v", err)
-			log.Infof("Visit the following URL to continue authentication:\n%s", authURL)
+			fmt.Printf("Visit the following URL to continue authentication:\n%s\n", authURL)
 		}
 	} else {
-		log.Infof("Visit the following URL to continue authentication:\n%s", authURL)
+		fmt.Printf("Visit the following URL to continue authentication:\n%s\n", authURL)
 	}
 
-	log.Info("Waiting for Qwen authentication...")
+	fmt.Println("Waiting for Qwen authentication...")
 
 	tokenData, err := authSvc.PollForToken(deviceFlow.DeviceCode, deviceFlow.CodeVerifier)
 	if err != nil {
@@ -101,7 +101,7 @@ func (a *QwenAuthenticator) Login(ctx context.Context, cfg *config.Config, opts
 		"email": tokenStorage.Email,
 	}
 
-	log.Info("Qwen authentication successful")
+	fmt.Println("Qwen authentication successful")
 
 	return &TokenRecord{
 		Provider: a.Provider(),

sdk/cliproxy/auth/selector.go

@@ -2,6 +2,7 @@ package auth
 
 import (
 	"context"
+	"sort"
 	"sync"
 	"time"
 
@@ -36,6 +37,10 @@ func (s *RoundRobinSelector) Pick(ctx context.Context, provider, model string, o
 	if len(available) == 0 {
 		return nil, &Error{Code: "auth_unavailable", Message: "no auth available"}
 	}
+	// Make round-robin deterministic even if caller's candidate order is unstable.
+	if len(available) > 1 {
+		sort.Slice(available, func(i, j int) bool { return available[i].ID < available[j].ID })
+	}
 	key := provider + ":" + model
 	s.mu.Lock()
 	index := s.cursors[key]
@@ -57,21 +62,32 @@ func isAuthBlockedForModel(auth *Auth, model string, now time.Time) bool {
 	if auth.Disabled || auth.Status == StatusDisabled {
 		return true
 	}
-	if model != "" && len(auth.ModelStates) > 0 {
-		if state, ok := auth.ModelStates[model]; ok && state != nil {
-			if state.Status == StatusDisabled {
-				return true
-			}
-			if state.Unavailable {
-				if state.NextRetryAfter.IsZero() {
-					return false
-				}
-				if state.NextRetryAfter.After(now) {
+	// If a specific model is requested, prefer its per-model state over any aggregated
+	// auth-level unavailable flag. This prevents a failure on one model (e.g., 429 quota)
+	// from blocking other models of the same provider that have no errors.
+	if model != "" {
+		if len(auth.ModelStates) > 0 {
+			if state, ok := auth.ModelStates[model]; ok && state != nil {
+				if state.Status == StatusDisabled {
 					return true
 				}
+				if state.Unavailable {
+					if state.NextRetryAfter.IsZero() {
+						return false
+					}
+					if state.NextRetryAfter.After(now) {
+						return true
+					}
+				}
+				// Explicit state exists and is not blocking.
+				return false
 			}
 		}
+		// No explicit state for this model; do not block based on aggregated
+		// auth-level unavailable status. Allow trying this model.
+		return false
 	}
+	// No specific model context: fall back to auth-level unavailable window.
 	if auth.Unavailable && auth.NextRetryAfter.After(now) {
 		return true
 	}

sdk/cliproxy/auth/types.go

@@ -128,6 +128,7 @@ func (a *Auth) AccountInfo() (string, string) {
 	if a == nil {
 		return "", ""
 	}
+	// For Gemini Web, prefer explicit cookie label for stability.
 	if strings.ToLower(a.Provider) == "gemini-web" {
 		// Prefer explicit label written into auth file (e.g., gemini-web-<hash>)
 		if a.Metadata != nil {
@@ -145,6 +146,22 @@ func (a *Auth) AccountInfo() (string, string) {
 			}
 		}
 	}
+	// For Gemini CLI, include project ID in the OAuth account info if present.
+	if strings.ToLower(a.Provider) == "gemini-cli" {
+		if a.Metadata != nil {
+			email, _ := a.Metadata["email"].(string)
+			email = strings.TrimSpace(email)
+			if email != "" {
+				if p, ok := a.Metadata["project_id"].(string); ok {
+					p = strings.TrimSpace(p)
+					if p != "" {
+						return "oauth", email + " (" + p + ")"
+					}
+				}
+				return "oauth", email
+			}
+		}
+	}
 	if a.Metadata != nil {
 		if v, ok := a.Metadata["email"].(string); ok {
 			return "oauth", v

sdk/cliproxy/service.go

@@ -18,7 +18,6 @@ import (
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/registry"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/runtime/executor"
 	_ "github.com/router-for-me/CLIProxyAPI/v6/internal/usage"
-	"github.com/router-for-me/CLIProxyAPI/v6/internal/util"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/watcher"
 	sdkaccess "github.com/router-for-me/CLIProxyAPI/v6/sdk/access"
 	_ "github.com/router-for-me/CLIProxyAPI/v6/sdk/access/providers/configapikey"
@@ -111,12 +110,23 @@ func (s *Service) refreshAccessProviders(cfg *config.Config) {
 	if s == nil || s.accessManager == nil || cfg == nil {
 		return
 	}
-	providers, err := sdkaccess.BuildProviders(cfg)
+	s.cfgMu.RLock()
+	oldCfg := s.cfg
+	s.cfgMu.RUnlock()
+
+	existing := s.accessManager.Providers()
+	providers, added, updated, removed, err := sdkaccess.ReconcileProviders(oldCfg, cfg, existing)
 	if err != nil {
-		log.Errorf("failed to rebuild request auth providers: %v", err)
+		log.Errorf("failed to reconcile request auth providers: %v", err)
 		return
 	}
 	s.accessManager.SetProviders(providers)
+	if len(added)+len(updated)+len(removed) > 0 {
+		log.Debugf("auth providers reconciled (added=%d updated=%d removed=%d)", len(added), len(updated), len(removed))
+		log.Debugf("auth provider changes details - added=%v updated=%v removed=%v", added, updated, removed)
+	} else {
+		log.Debug("auth providers unchanged after config reload")
+	}
 }
 
 func (s *Service) ensureAuthUpdateQueue(ctx context.Context) {
@@ -331,7 +341,7 @@ func (s *Service) Run(ctx context.Context) error {
 	}()
 
 	time.Sleep(100 * time.Millisecond)
-	log.Info("API server started successfully")
+	fmt.Println("API server started successfully")
 
 	if s.hooks.OnAfterStart != nil {
 		s.hooks.OnAfterStart(s)
@@ -382,17 +392,6 @@ func (s *Service) Run(ctx context.Context) error {
 		log.Infof("core auth auto-refresh started (interval=%s)", interval)
 	}
 
-	authFileCount := util.CountAuthFiles(s.cfg.AuthDir)
-	totalNewClients := authFileCount + apiKeyResult.GeminiKeyCount + apiKeyResult.ClaudeKeyCount + apiKeyResult.CodexKeyCount + apiKeyResult.OpenAICompatCount
-	log.Infof("full client load complete - %d clients (%d auth files + %d GL API keys + %d Claude API keys + %d Codex keys + %d OpenAI-compat)",
-		totalNewClients,
-		authFileCount,
-		apiKeyResult.GeminiKeyCount,
-		apiKeyResult.ClaudeKeyCount,
-		apiKeyResult.CodexKeyCount,
-		apiKeyResult.OpenAICompatCount,
-	)
-
 	select {
 	case <-ctx.Done():
 		log.Debug("service context cancelled, shutting down...")
@@ -509,22 +508,35 @@ func (s *Service) registerModelsForAuth(a *coreauth.Auth) {
 		if s.cfg != nil {
 			providerKey := provider
 			compatName := strings.TrimSpace(a.Provider)
+			isCompatAuth := false
 			if strings.EqualFold(providerKey, "openai-compatibility") {
+				isCompatAuth = true
 				if a.Attributes != nil {
 					if v := strings.TrimSpace(a.Attributes["compat_name"]); v != "" {
 						compatName = v
 					}
 					if v := strings.TrimSpace(a.Attributes["provider_key"]); v != "" {
 						providerKey = strings.ToLower(v)
+						isCompatAuth = true
 					}
 				}
 				if providerKey == "openai-compatibility" && compatName != "" {
 					providerKey = strings.ToLower(compatName)
 				}
+			} else if a.Attributes != nil {
+				if v := strings.TrimSpace(a.Attributes["compat_name"]); v != "" {
+					compatName = v
+					isCompatAuth = true
+				}
+				if v := strings.TrimSpace(a.Attributes["provider_key"]); v != "" {
+					providerKey = strings.ToLower(v)
+					isCompatAuth = true
+				}
 			}
 			for i := range s.cfg.OpenAICompatibility {
 				compat := &s.cfg.OpenAICompatibility[i]
 				if strings.EqualFold(compat.Name, compatName) {
+					isCompatAuth = true
 					// Convert compatibility models to registry models
 					ms := make([]*ModelInfo, 0, len(compat.Models))
 					for j := range compat.Models {
@@ -544,10 +556,18 @@ func (s *Service) registerModelsForAuth(a *coreauth.Auth) {
 							providerKey = "openai-compatibility"
 						}
 						GlobalModelRegistry().RegisterClient(a.ID, providerKey, ms)
+					} else {
+						// Ensure stale registrations are cleared when model list becomes empty.
+						GlobalModelRegistry().UnregisterClient(a.ID)
 					}
 					return
 				}
 			}
+			if isCompatAuth {
+				// No matching provider found or models removed entirely; drop any prior registration.
+				GlobalModelRegistry().UnregisterClient(a.ID)
+				return
+			}
 		}
 	}
 	if len(models) > 0 {