Merge pull request #116 from router-for-me/log

fix(management,config,watcher): treat empty base-url as removal; improve config change logs

internal/api/handlers/management/config_lists.go

@@ -227,7 +227,14 @@ func (h *Handler) PutOpenAICompat(c *gin.Context) {
 	for i := range arr {
 		normalizeOpenAICompatibilityEntry(&arr[i])
 	}
-	h.cfg.OpenAICompatibility = arr
+	// Filter out providers with empty base-url -> remove provider entirely
+	filtered := make([]config.OpenAICompatibility, 0, len(arr))
+	for i := range arr {
+		if strings.TrimSpace(arr[i].BaseURL) != "" {
+			filtered = append(filtered, arr[i])
+		}
+	}
+	h.cfg.OpenAICompatibility = filtered
 	h.persist(c)
 }
 func (h *Handler) PatchOpenAICompat(c *gin.Context) {
@@ -241,6 +248,32 @@ func (h *Handler) PatchOpenAICompat(c *gin.Context) {
 		return
 	}
 	normalizeOpenAICompatibilityEntry(body.Value)
+	// If base-url becomes empty, delete the provider instead of updating
+	if strings.TrimSpace(body.Value.BaseURL) == "" {
+		if body.Index != nil && *body.Index >= 0 && *body.Index < len(h.cfg.OpenAICompatibility) {
+			h.cfg.OpenAICompatibility = append(h.cfg.OpenAICompatibility[:*body.Index], h.cfg.OpenAICompatibility[*body.Index+1:]...)
+			h.persist(c)
+			return
+		}
+		if body.Name != nil {
+			out := make([]config.OpenAICompatibility, 0, len(h.cfg.OpenAICompatibility))
+			removed := false
+			for i := range h.cfg.OpenAICompatibility {
+				if !removed && h.cfg.OpenAICompatibility[i].Name == *body.Name {
+					removed = true
+					continue
+				}
+				out = append(out, h.cfg.OpenAICompatibility[i])
+			}
+			if removed {
+				h.cfg.OpenAICompatibility = out
+				h.persist(c)
+				return
+			}
+		}
+		c.JSON(404, gin.H{"error": "item not found"})
+		return
+	}
 	if body.Index != nil && *body.Index >= 0 && *body.Index < len(h.cfg.OpenAICompatibility) {
 		h.cfg.OpenAICompatibility[*body.Index] = *body.Value
 		h.persist(c)
@@ -302,7 +335,17 @@ func (h *Handler) PutCodexKeys(c *gin.Context) {
 		}
 		arr = obj.Items
 	}
-	h.cfg.CodexKey = arr
+	// Filter out codex entries with empty base-url (treat as removed)
+	filtered := make([]config.CodexKey, 0, len(arr))
+	for i := range arr {
+		entry := arr[i]
+		entry.BaseURL = strings.TrimSpace(entry.BaseURL)
+		if entry.BaseURL == "" {
+			continue
+		}
+		filtered = append(filtered, entry)
+	}
+	h.cfg.CodexKey = filtered
 	h.persist(c)
 }
 func (h *Handler) PatchCodexKey(c *gin.Context) {
@@ -315,19 +358,44 @@ func (h *Handler) PatchCodexKey(c *gin.Context) {
 		c.JSON(400, gin.H{"error": "invalid body"})
 		return
 	}
-	if body.Index != nil && *body.Index >= 0 && *body.Index < len(h.cfg.CodexKey) {
-		h.cfg.CodexKey[*body.Index] = *body.Value
-		h.persist(c)
-		return
-	}
-	if body.Match != nil {
-		for i := range h.cfg.CodexKey {
-			if h.cfg.CodexKey[i].APIKey == *body.Match {
-				h.cfg.CodexKey[i] = *body.Value
+	// If base-url becomes empty, delete instead of update
+	if strings.TrimSpace(body.Value.BaseURL) == "" {
+		if body.Index != nil && *body.Index >= 0 && *body.Index < len(h.cfg.CodexKey) {
+			h.cfg.CodexKey = append(h.cfg.CodexKey[:*body.Index], h.cfg.CodexKey[*body.Index+1:]...)
+			h.persist(c)
+			return
+		}
+		if body.Match != nil {
+			out := make([]config.CodexKey, 0, len(h.cfg.CodexKey))
+			removed := false
+			for i := range h.cfg.CodexKey {
+				if !removed && h.cfg.CodexKey[i].APIKey == *body.Match {
+					removed = true
+					continue
+				}
+				out = append(out, h.cfg.CodexKey[i])
+			}
+			if removed {
+				h.cfg.CodexKey = out
 				h.persist(c)
 				return
 			}
 		}
+	} else {
+		if body.Index != nil && *body.Index >= 0 && *body.Index < len(h.cfg.CodexKey) {
+			h.cfg.CodexKey[*body.Index] = *body.Value
+			h.persist(c)
+			return
+		}
+		if body.Match != nil {
+			for i := range h.cfg.CodexKey {
+				if h.cfg.CodexKey[i].APIKey == *body.Match {
+					h.cfg.CodexKey[i] = *body.Value
+					h.persist(c)
+					return
+				}
+			}
+		}
 	}
 	c.JSON(404, gin.H{"error": "item not found"})
 }
@@ -359,6 +427,8 @@ func normalizeOpenAICompatibilityEntry(entry *config.OpenAICompatibility) {
 	if entry == nil {
 		return
 	}
+	// Trim base-url; empty base-url indicates provider should be removed by sanitization
+	entry.BaseURL = strings.TrimSpace(entry.BaseURL)
 	existing := make(map[string]struct{}, len(entry.APIKeyEntries))
 	for i := range entry.APIKeyEntries {
 		trimmed := strings.TrimSpace(entry.APIKeyEntries[i].APIKey)

internal/auth/iflow/iflow_auth.go

@@ -138,6 +138,7 @@ func (ia *IFlowAuth) doTokenRequest(ctx context.Context, req *http.Request) (*IF
 	}
 
 	if tokenResp.AccessToken == "" {
+		log.Debug(string(body))
 		return nil, fmt.Errorf("iflow token: missing access token in response")
 	}
 

internal/config/config.go

@@ -8,6 +8,7 @@ import (
 	"errors"
 	"fmt"
 	"os"
+	"strings"
 	"syscall"
 
 	"github.com/router-for-me/CLIProxyAPI/v6/sdk/config"
@@ -207,10 +208,55 @@ func LoadConfigOptional(configFile string, optional bool) (*Config, error) {
 	// Sync request authentication providers with inline API keys for backwards compatibility.
 	syncInlineAccessProvider(&cfg)
 
+	// Sanitize OpenAI compatibility providers: drop entries without base-url
+	sanitizeOpenAICompatibility(&cfg)
+
+	// Sanitize Codex keys: drop entries without base-url
+	sanitizeCodexKeys(&cfg)
+
 	// Return the populated configuration struct.
 	return &cfg, nil
 }
 
+// sanitizeOpenAICompatibility removes OpenAI-compatibility provider entries that are
+// not actionable, specifically those missing a BaseURL. It trims whitespace before
+// evaluation and preserves the relative order of remaining entries.
+func sanitizeOpenAICompatibility(cfg *Config) {
+	if cfg == nil || len(cfg.OpenAICompatibility) == 0 {
+		return
+	}
+	out := make([]OpenAICompatibility, 0, len(cfg.OpenAICompatibility))
+	for i := range cfg.OpenAICompatibility {
+		e := cfg.OpenAICompatibility[i]
+		e.Name = strings.TrimSpace(e.Name)
+		e.BaseURL = strings.TrimSpace(e.BaseURL)
+		if e.BaseURL == "" {
+			// Skip providers with no base-url; treated as removed
+			continue
+		}
+		out = append(out, e)
+	}
+	cfg.OpenAICompatibility = out
+}
+
+// sanitizeCodexKeys removes Codex API key entries missing a BaseURL.
+// It trims whitespace and preserves order for remaining entries.
+func sanitizeCodexKeys(cfg *Config) {
+	if cfg == nil || len(cfg.CodexKey) == 0 {
+		return
+	}
+	out := make([]CodexKey, 0, len(cfg.CodexKey))
+	for i := range cfg.CodexKey {
+		e := cfg.CodexKey[i]
+		e.BaseURL = strings.TrimSpace(e.BaseURL)
+		if e.BaseURL == "" {
+			continue
+		}
+		out = append(out, e)
+	}
+	cfg.CodexKey = out
+}
+
 func syncInlineAccessProvider(cfg *Config) {
 	if cfg == nil {
 		return

internal/translator/openai/gemini/openai_gemini_request.go

@@ -9,6 +9,7 @@ import (
 	"bytes"
 	"crypto/rand"
 	"encoding/json"
+	"fmt"
 	"math/big"
 	"strings"
 
@@ -100,14 +101,40 @@ func ConvertGeminiRequestToOpenAI(modelName string, inputRawJSON []byte, stream
 				"content": "",
 			}
 
-			var contentParts []string
+			var textBuilder strings.Builder
+			var aggregatedParts []interface{}
+			onlyTextContent := true
 			var toolCalls []interface{}
 
 			if parts.Exists() && parts.IsArray() {
 				parts.ForEach(func(_, part gjson.Result) bool {
 					// Handle text parts
 					if text := part.Get("text"); text.Exists() {
-						contentParts = append(contentParts, text.String())
+						formattedText := text.String()
+						textBuilder.WriteString(formattedText)
+						aggregatedParts = append(aggregatedParts, map[string]interface{}{
+							"type": "text",
+							"text": formattedText,
+						})
+					}
+
+					// Handle inline data (e.g., images)
+					if inlineData := part.Get("inlineData"); inlineData.Exists() {
+						onlyTextContent = false
+
+						mimeType := inlineData.Get("mimeType").String()
+						if mimeType == "" {
+							mimeType = "application/octet-stream"
+						}
+						data := inlineData.Get("data").String()
+						imageURL := fmt.Sprintf("data:%s;base64,%s", mimeType, data)
+
+						aggregatedParts = append(aggregatedParts, map[string]interface{}{
+							"type": "image_url",
+							"image_url": map[string]interface{}{
+								"url": imageURL,
+							},
+						})
 					}
 
 					// Handle function calls (Gemini) -> tool calls (OpenAI)
@@ -175,8 +202,12 @@ func ConvertGeminiRequestToOpenAI(modelName string, inputRawJSON []byte, stream
 			}
 
 			// Set content
-			if len(contentParts) > 0 {
-				msg["content"] = strings.Join(contentParts, "")
+			if len(aggregatedParts) > 0 {
+				if onlyTextContent {
+					msg["content"] = textBuilder.String()
+				} else {
+					msg["content"] = aggregatedParts
+				}
 			}
 
 			// Set tool calls if any

internal/watcher/watcher.go

@@ -20,19 +20,13 @@ import (
 	"time"
 
 	"github.com/fsnotify/fsnotify"
-	// "github.com/router-for-me/CLIProxyAPI/v6/internal/auth/claude"
-	// "github.com/router-for-me/CLIProxyAPI/v6/internal/auth/codex"
-	// "github.com/router-for-me/CLIProxyAPI/v6/internal/auth/gemini"
-	// "github.com/router-for-me/CLIProxyAPI/v6/internal/auth/qwen"
-	// "github.com/router-for-me/CLIProxyAPI/v6/internal/client"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
-	// "github.com/router-for-me/CLIProxyAPI/v6/internal/interfaces"
+	"gopkg.in/yaml.v3"
 
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/util"
 	sdkAuth "github.com/router-for-me/CLIProxyAPI/v6/sdk/auth"
 	coreauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
 	log "github.com/sirupsen/logrus"
-	// "github.com/tidwall/gjson"
 )
 
 // gitCommitter captures the subset of git-backed token store capabilities used by the watcher.
@@ -59,6 +53,7 @@ type Watcher struct {
 	pendingOrder   []string
 	dispatchCancel context.CancelFunc
 	gitCommitter   gitCommitter
+	oldConfigYaml  []byte
 }
 
 type stableIDGenerator struct {
@@ -174,6 +169,7 @@ func (w *Watcher) SetConfig(cfg *config.Config) {
 	w.clientsMutex.Lock()
 	defer w.clientsMutex.Unlock()
 	w.config = cfg
+	w.oldConfigYaml, _ = yaml.Marshal(cfg)
 }
 
 // SetAuthUpdateQueue sets the queue used to emit auth updates.
@@ -528,7 +524,9 @@ func (w *Watcher) reloadConfig() bool {
 	}
 
 	w.clientsMutex.Lock()
-	oldConfig := w.config
+	var oldConfig *config.Config
+	_ = yaml.Unmarshal(w.oldConfigYaml, &oldConfig)
+	w.oldConfigYaml, _ = yaml.Marshal(newConfig)
 	w.config = newConfig
 	w.clientsMutex.Unlock()
 
@@ -540,71 +538,16 @@ func (w *Watcher) reloadConfig() bool {
 		log.Debugf("log level updated - debug mode changed from %t to %t", oldConfig.Debug, newConfig.Debug)
 	}
 
-	// Log configuration changes in debug mode
+	// Log configuration changes in debug mode, only when there are material diffs
 	if oldConfig != nil {
-		log.Debugf("config changes detected:")
-		if oldConfig.Port != newConfig.Port {
-			log.Debugf("  port: %d -> %d", oldConfig.Port, newConfig.Port)
-		}
-		if oldConfig.AuthDir != newConfig.AuthDir {
-			log.Debugf("  auth-dir: %s -> %s", oldConfig.AuthDir, newConfig.AuthDir)
-		}
-		if oldConfig.Debug != newConfig.Debug {
-			log.Debugf("  debug: %t -> %t", oldConfig.Debug, newConfig.Debug)
-		}
-		if oldConfig.ProxyURL != newConfig.ProxyURL {
-			log.Debugf("  proxy-url: %s -> %s", oldConfig.ProxyURL, newConfig.ProxyURL)
-		}
-		if oldConfig.RequestLog != newConfig.RequestLog {
-			log.Debugf("  request-log: %t -> %t", oldConfig.RequestLog, newConfig.RequestLog)
-		}
-		if oldConfig.RequestRetry != newConfig.RequestRetry {
-			log.Debugf("  request-retry: %d -> %d", oldConfig.RequestRetry, newConfig.RequestRetry)
-		}
-		if len(oldConfig.APIKeys) != len(newConfig.APIKeys) {
-			log.Debugf("  api-keys count: %d -> %d", len(oldConfig.APIKeys), len(newConfig.APIKeys))
-		}
-		if len(oldConfig.GlAPIKey) != len(newConfig.GlAPIKey) {
-			log.Debugf("  generative-language-api-key count: %d -> %d", len(oldConfig.GlAPIKey), len(newConfig.GlAPIKey))
-		}
-		if len(oldConfig.ClaudeKey) != len(newConfig.ClaudeKey) {
-			log.Debugf("  claude-api-key count: %d -> %d", len(oldConfig.ClaudeKey), len(newConfig.ClaudeKey))
-		}
-		if len(oldConfig.CodexKey) != len(newConfig.CodexKey) {
-			log.Debugf("  codex-api-key count: %d -> %d", len(oldConfig.CodexKey), len(newConfig.CodexKey))
-		}
-		if oldConfig.RemoteManagement.AllowRemote != newConfig.RemoteManagement.AllowRemote {
-			log.Debugf("  remote-management.allow-remote: %t -> %t", oldConfig.RemoteManagement.AllowRemote, newConfig.RemoteManagement.AllowRemote)
-		}
-		if oldConfig.RemoteManagement.SecretKey != newConfig.RemoteManagement.SecretKey {
-			switch {
-			case oldConfig.RemoteManagement.SecretKey == "" && newConfig.RemoteManagement.SecretKey != "":
-				log.Debug("  remote-management.secret-key: created")
-			case oldConfig.RemoteManagement.SecretKey != "" && newConfig.RemoteManagement.SecretKey == "":
-				log.Debug("  remote-management.secret-key: deleted")
-			default:
-				log.Debug("  remote-management.secret-key: updated")
-			}
-			if newConfig.RemoteManagement.SecretKey == "" {
-				log.Info("management routes will be disabled after secret key removal")
-			} else {
-				log.Info("management routes will be enabled after secret key update")
-			}
-		}
-		if oldConfig.RemoteManagement.DisableControlPanel != newConfig.RemoteManagement.DisableControlPanel {
-			log.Debugf("  remote-management.disable-control-panel: %t -> %t", oldConfig.RemoteManagement.DisableControlPanel, newConfig.RemoteManagement.DisableControlPanel)
-		}
-		if oldConfig.LoggingToFile != newConfig.LoggingToFile {
-			log.Debugf("  logging-to-file: %t -> %t", oldConfig.LoggingToFile, newConfig.LoggingToFile)
-		}
-		if oldConfig.UsageStatisticsEnabled != newConfig.UsageStatisticsEnabled {
-			log.Debugf("  usage-statistics-enabled: %t -> %t", oldConfig.UsageStatisticsEnabled, newConfig.UsageStatisticsEnabled)
-		}
-		if changes := diffOpenAICompatibility(oldConfig.OpenAICompatibility, newConfig.OpenAICompatibility); len(changes) > 0 {
-			log.Debugf("  openai-compatibility:")
-			for _, change := range changes {
-				log.Debugf("    %s", change)
+		details := buildConfigChangeDetails(oldConfig, newConfig)
+		if len(details) > 0 {
+			log.Debugf("config changes detected:")
+			for _, d := range details {
+				log.Debugf("  %s", d)
 			}
+		} else {
+			log.Debugf("no material config field changes detected")
 		}
 	}
 
@@ -1209,3 +1152,138 @@ func openAICompatKey(entry config.OpenAICompatibility, index int) (string, strin
 	}
 	return fmt.Sprintf("index:%d", index), fmt.Sprintf("entry-%d", index+1)
 }
+
+// buildConfigChangeDetails computes a redacted, human-readable list of config changes.
+// It avoids printing secrets (like API keys) and focuses on structural or non-sensitive fields.
+func buildConfigChangeDetails(oldCfg, newCfg *config.Config) []string {
+	changes := make([]string, 0, 16)
+	if oldCfg == nil || newCfg == nil {
+		return changes
+	}
+
+	// Simple scalars
+	if oldCfg.Port != newCfg.Port {
+		changes = append(changes, fmt.Sprintf("port: %d -> %d", oldCfg.Port, newCfg.Port))
+	}
+	if oldCfg.AuthDir != newCfg.AuthDir {
+		changes = append(changes, fmt.Sprintf("auth-dir: %s -> %s", oldCfg.AuthDir, newCfg.AuthDir))
+	}
+	if oldCfg.Debug != newCfg.Debug {
+		changes = append(changes, fmt.Sprintf("debug: %t -> %t", oldCfg.Debug, newCfg.Debug))
+	}
+	if oldCfg.LoggingToFile != newCfg.LoggingToFile {
+		changes = append(changes, fmt.Sprintf("logging-to-file: %t -> %t", oldCfg.LoggingToFile, newCfg.LoggingToFile))
+	}
+	if oldCfg.UsageStatisticsEnabled != newCfg.UsageStatisticsEnabled {
+		changes = append(changes, fmt.Sprintf("usage-statistics-enabled: %t -> %t", oldCfg.UsageStatisticsEnabled, newCfg.UsageStatisticsEnabled))
+	}
+	if oldCfg.RequestLog != newCfg.RequestLog {
+		changes = append(changes, fmt.Sprintf("request-log: %t -> %t", oldCfg.RequestLog, newCfg.RequestLog))
+	}
+	if oldCfg.RequestRetry != newCfg.RequestRetry {
+		changes = append(changes, fmt.Sprintf("request-retry: %d -> %d", oldCfg.RequestRetry, newCfg.RequestRetry))
+	}
+	if oldCfg.ProxyURL != newCfg.ProxyURL {
+		changes = append(changes, fmt.Sprintf("proxy-url: %s -> %s", oldCfg.ProxyURL, newCfg.ProxyURL))
+	}
+
+	// Quota-exceeded behavior
+	if oldCfg.QuotaExceeded.SwitchProject != newCfg.QuotaExceeded.SwitchProject {
+		changes = append(changes, fmt.Sprintf("quota-exceeded.switch-project: %t -> %t", oldCfg.QuotaExceeded.SwitchProject, newCfg.QuotaExceeded.SwitchProject))
+	}
+	if oldCfg.QuotaExceeded.SwitchPreviewModel != newCfg.QuotaExceeded.SwitchPreviewModel {
+		changes = append(changes, fmt.Sprintf("quota-exceeded.switch-preview-model: %t -> %t", oldCfg.QuotaExceeded.SwitchPreviewModel, newCfg.QuotaExceeded.SwitchPreviewModel))
+	}
+
+	// API keys (redacted) and counts
+	if len(oldCfg.APIKeys) != len(newCfg.APIKeys) {
+		changes = append(changes, fmt.Sprintf("api-keys count: %d -> %d", len(oldCfg.APIKeys), len(newCfg.APIKeys)))
+	} else if !reflect.DeepEqual(trimStrings(oldCfg.APIKeys), trimStrings(newCfg.APIKeys)) {
+		changes = append(changes, "api-keys: values updated (count unchanged, redacted)")
+	}
+	if len(oldCfg.GlAPIKey) != len(newCfg.GlAPIKey) {
+		changes = append(changes, fmt.Sprintf("generative-language-api-key count: %d -> %d", len(oldCfg.GlAPIKey), len(newCfg.GlAPIKey)))
+	} else if !reflect.DeepEqual(trimStrings(oldCfg.GlAPIKey), trimStrings(newCfg.GlAPIKey)) {
+		changes = append(changes, "generative-language-api-key: values updated (count unchanged, redacted)")
+	}
+
+	// Claude keys (do not print key material)
+	if len(oldCfg.ClaudeKey) != len(newCfg.ClaudeKey) {
+		changes = append(changes, fmt.Sprintf("claude-api-key count: %d -> %d", len(oldCfg.ClaudeKey), len(newCfg.ClaudeKey)))
+	} else {
+		for i := range oldCfg.ClaudeKey {
+			if i >= len(newCfg.ClaudeKey) {
+				break
+			}
+			o := oldCfg.ClaudeKey[i]
+			n := newCfg.ClaudeKey[i]
+			if strings.TrimSpace(o.BaseURL) != strings.TrimSpace(n.BaseURL) {
+				changes = append(changes, fmt.Sprintf("claude[%d].base-url: %s -> %s", i, strings.TrimSpace(o.BaseURL), strings.TrimSpace(n.BaseURL)))
+			}
+			if strings.TrimSpace(o.ProxyURL) != strings.TrimSpace(n.ProxyURL) {
+				changes = append(changes, fmt.Sprintf("claude[%d].proxy-url: %s -> %s", i, strings.TrimSpace(o.ProxyURL), strings.TrimSpace(n.ProxyURL)))
+			}
+			if strings.TrimSpace(o.APIKey) != strings.TrimSpace(n.APIKey) {
+				changes = append(changes, fmt.Sprintf("claude[%d].api-key: updated", i))
+			}
+		}
+	}
+
+	// Codex keys (do not print key material)
+	if len(oldCfg.CodexKey) != len(newCfg.CodexKey) {
+		changes = append(changes, fmt.Sprintf("codex-api-key count: %d -> %d", len(oldCfg.CodexKey), len(newCfg.CodexKey)))
+	} else {
+		for i := range oldCfg.CodexKey {
+			if i >= len(newCfg.CodexKey) {
+				break
+			}
+			o := oldCfg.CodexKey[i]
+			n := newCfg.CodexKey[i]
+			if strings.TrimSpace(o.BaseURL) != strings.TrimSpace(n.BaseURL) {
+				changes = append(changes, fmt.Sprintf("codex[%d].base-url: %s -> %s", i, strings.TrimSpace(o.BaseURL), strings.TrimSpace(n.BaseURL)))
+			}
+			if strings.TrimSpace(o.ProxyURL) != strings.TrimSpace(n.ProxyURL) {
+				changes = append(changes, fmt.Sprintf("codex[%d].proxy-url: %s -> %s", i, strings.TrimSpace(o.ProxyURL), strings.TrimSpace(n.ProxyURL)))
+			}
+			if strings.TrimSpace(o.APIKey) != strings.TrimSpace(n.APIKey) {
+				changes = append(changes, fmt.Sprintf("codex[%d].api-key: updated", i))
+			}
+		}
+	}
+
+	// Remote management (never print the key)
+	if oldCfg.RemoteManagement.AllowRemote != newCfg.RemoteManagement.AllowRemote {
+		changes = append(changes, fmt.Sprintf("remote-management.allow-remote: %t -> %t", oldCfg.RemoteManagement.AllowRemote, newCfg.RemoteManagement.AllowRemote))
+	}
+	if oldCfg.RemoteManagement.DisableControlPanel != newCfg.RemoteManagement.DisableControlPanel {
+		changes = append(changes, fmt.Sprintf("remote-management.disable-control-panel: %t -> %t", oldCfg.RemoteManagement.DisableControlPanel, newCfg.RemoteManagement.DisableControlPanel))
+	}
+	if oldCfg.RemoteManagement.SecretKey != newCfg.RemoteManagement.SecretKey {
+		switch {
+		case oldCfg.RemoteManagement.SecretKey == "" && newCfg.RemoteManagement.SecretKey != "":
+			changes = append(changes, "remote-management.secret-key: created")
+		case oldCfg.RemoteManagement.SecretKey != "" && newCfg.RemoteManagement.SecretKey == "":
+			changes = append(changes, "remote-management.secret-key: deleted")
+		default:
+			changes = append(changes, "remote-management.secret-key: updated")
+		}
+	}
+
+	// OpenAI compatibility providers (summarized)
+	if compat := diffOpenAICompatibility(oldCfg.OpenAICompatibility, newCfg.OpenAICompatibility); len(compat) > 0 {
+		changes = append(changes, "openai-compatibility:")
+		for _, c := range compat {
+			changes = append(changes, "  "+c)
+		}
+	}
+
+	return changes
+}
+
+func trimStrings(in []string) []string {
+	out := make([]string, len(in))
+	for i := range in {
+		out[i] = strings.TrimSpace(in[i])
+	}
+	return out
+}