Merge upstream/main (auto-sync feat/copilot)

- d2c5f27 feat(logging): add request_id handling in HomeAppLogForwarder and tests
- 86cb9c1 feat(signature): upgrade provider signature checks
- aee7a5f feat: intercept incompatible signature replay
- e9dafc7 fix(openai): dedupe response websocket input item IDs
- 034d2b6 Merge pull request router-for-me#3615 from sususu98/codex/signature-intercept-on-pr
- 96b6f7e Merge pull request router-for-me#3612 from router-for-me/log
- fc0615b test(oauth): ensure missing auth directories are created and callback payloads are validated
- 55901f0 Merge pull request router-for-me#3620 from iBenzene/fix/responses-input-id-dedupe

Author: github-actions[bot]

internal/api/handlers/management/oauth_callback.go

@@ -7,6 +7,7 @@ import (
 	"strings"
 
 	"github.com/gin-gonic/gin"
+	log "github.com/sirupsen/logrus"
 )
 
 type oauthCallbackRequest struct {
@@ -97,6 +98,7 @@ func (h *Handler) PostOAuthCallback(c *gin.Context) {
 			c.JSON(http.StatusConflict, gin.H{"status": "error", "error": "oauth flow is not pending"})
 			return
 		}
+		log.WithError(errWrite).Error("failed to persist oauth callback")
 		c.JSON(http.StatusInternalServerError, gin.H{"status": "error", "error": "failed to persist oauth callback"})
 		return
 	}

internal/api/handlers/management/oauth_callback_test.go

@@ -0,0 +1,82 @@
+package management
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/gin-gonic/gin"
+	"github.com/router-for-me/CLIProxyAPI/v7/internal/config"
+)
+
+func TestPostOAuthCallbackCreatesMissingAuthDir(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+
+	authDir := filepath.Join(t.TempDir(), "missing-auth")
+	state := "test-antigravity-state"
+	RegisterOAuthSession(state, "antigravity")
+	defer CompleteOAuthSession(state)
+
+	h := NewHandlerWithoutConfigFilePath(&config.Config{AuthDir: authDir}, nil)
+	router := gin.New()
+	router.POST("/v0/management/oauth-callback", h.PostOAuthCallback)
+
+	body := `{"provider":"antigravity","redirect_url":"http://localhost:59788/oauth-callback?state=test-antigravity-state&code=test-code"}`
+	req := httptest.NewRequest(http.MethodPost, "/v0/management/oauth-callback", strings.NewReader(body))
+	req.Header.Set("Content-Type", "application/json")
+	w := httptest.NewRecorder()
+
+	router.ServeHTTP(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected status %d, got %d with body %s", http.StatusOK, w.Code, w.Body.String())
+	}
+
+	callbackPath := filepath.Join(authDir, ".oauth-antigravity-"+state+".oauth")
+	data, errRead := os.ReadFile(callbackPath)
+	if errRead != nil {
+		t.Fatalf("expected callback file to be written: %v", errRead)
+	}
+
+	var payload oauthCallbackFilePayload
+	if errUnmarshal := json.Unmarshal(data, &payload); errUnmarshal != nil {
+		t.Fatalf("failed to decode callback payload: %v", errUnmarshal)
+	}
+	if payload.State != state || payload.Code != "test-code" || payload.Error != "" {
+		t.Fatalf("unexpected callback payload: %+v", payload)
+	}
+}
+
+func TestWriteOAuthCallbackFileForPendingSessionCreatesMissingAuthDirForCallbackProviders(t *testing.T) {
+	providers := []string{"anthropic", "codex", "gemini", "antigravity", "xai"}
+	for _, provider := range providers {
+		t.Run(provider, func(t *testing.T) {
+			authDir := filepath.Join(t.TempDir(), "missing-auth")
+			state := provider + "-state"
+			RegisterOAuthSession(state, provider)
+			defer CompleteOAuthSession(state)
+
+			path, errWrite := WriteOAuthCallbackFileForPendingSession(authDir, provider, state, "code-"+provider, "")
+			if errWrite != nil {
+				t.Fatalf("expected callback file write to succeed: %v", errWrite)
+			}
+
+			data, errRead := os.ReadFile(path)
+			if errRead != nil {
+				t.Fatalf("expected callback file to be written: %v", errRead)
+			}
+
+			var payload oauthCallbackFilePayload
+			if errUnmarshal := json.Unmarshal(data, &payload); errUnmarshal != nil {
+				t.Fatalf("failed to decode callback payload: %v", errUnmarshal)
+			}
+			if payload.State != state || payload.Code != "code-"+provider || payload.Error != "" {
+				t.Fatalf("unexpected callback payload: %+v", payload)
+			}
+		})
+	}
+}

internal/api/handlers/management/oauth_sessions.go

@@ -269,6 +269,9 @@ func WriteOAuthCallbackFile(authDir, provider, state, code, errorMessage string)
 
 	fileName := fmt.Sprintf(".oauth-%s-%s.oauth", canonicalProvider, state)
 	filePath := filepath.Join(authDir, fileName)
+	if err := os.MkdirAll(authDir, 0o700); err != nil {
+		return "", fmt.Errorf("create oauth callback dir: %w", err)
+	}
 	payload := oauthCallbackFilePayload{
 		Code:  strings.TrimSpace(code),
 		State: strings.TrimSpace(state),

internal/logging/home_app_log_forwarder.go

@@ -24,6 +24,7 @@ type homeAppLogPayload struct {
 	Line      string `json:"line"`
 	Level     string `json:"level,omitempty"`
 	Timestamp string `json:"timestamp,omitempty"`
+	RequestID string `json:"request_id,omitempty"`
 }
 
 var currentHomeAppLogClient = func() homeAppLogClient {
@@ -92,6 +93,7 @@ func (f *HomeAppLogForwarder) Fire(entry *log.Entry) error {
 		Line:      line,
 		Level:     entry.Level.String(),
 		Timestamp: entry.Time.Format(time.RFC3339Nano),
+		RequestID: appLogRequestID(entry),
 	}
 	select {
 	case f.queue <- payload:
@@ -100,6 +102,18 @@ func (f *HomeAppLogForwarder) Fire(entry *log.Entry) error {
 	return nil
 }
 
+func appLogRequestID(entry *log.Entry) string {
+	if entry == nil {
+		return ""
+	}
+	requestID, _ := entry.Data["request_id"].(string)
+	requestID = strings.TrimSpace(requestID)
+	if requestID == "--------" {
+		return ""
+	}
+	return requestID
+}
+
 func (f *HomeAppLogForwarder) formatEntry(entry *log.Entry) (string, error) {
 	formatter := f.formatter
 	if formatter == nil {

internal/logging/home_app_log_forwarder_test.go

@@ -72,6 +72,7 @@ func TestHomeAppLogForwarder_ForwardsFormattedLogWhenHomeHealthy(t *testing.T) {
 	entry.Time = time.Date(2026, 5, 29, 8, 0, 0, 0, time.Local)
 	entry.Level = log.DebugLevel
 	entry.Message = "debug details"
+	entry.Data["request_id"] = "req-app-1"
 
 	if errFire := forwarder.Fire(entry); errFire != nil {
 		t.Fatalf("Fire error: %v", errFire)
@@ -92,14 +93,29 @@ func TestHomeAppLogForwarder_ForwardsFormattedLogWhenHomeHealthy(t *testing.T) {
 	if got.Level != "debug" {
 		t.Fatalf("level = %q, want debug", got.Level)
 	}
+	if got.RequestID != "req-app-1" {
+		t.Fatalf("request_id = %q, want req-app-1", got.RequestID)
+	}
 	if !strings.Contains(got.Line, "debug details") {
 		t.Fatalf("line %q missing log message", got.Line)
 	}
+	if !strings.Contains(got.Line, "[req-app-1]") {
+		t.Fatalf("line %q missing matching request id", got.Line)
+	}
 	if strings.TrimSpace(got.Timestamp) == "" {
 		t.Fatal("timestamp empty, want non-empty")
 	}
 }
 
+func TestHomeAppLogForwarder_OmitsPlaceholderRequestID(t *testing.T) {
+	entry := log.NewEntry(log.StandardLogger())
+	entry.Data["request_id"] = "--------"
+
+	if got := appLogRequestID(entry); got != "" {
+		t.Fatalf("request id = %q, want empty for placeholder", got)
+	}
+}
+
 func TestHomeAppLogForwarder_SkipsWhenHomeHeartbeatIsDown(t *testing.T) {
 	original := currentHomeAppLogClient
 	defer func() {

internal/runtime/executor/antigravity_executor.go

@@ -245,7 +245,9 @@ func validateAntigravityRequestSignatures(from sdktranslator.Format, rawJSON []b
 		return rawJSON, nil
 	}
 	// Always strip thinking blocks with invalid signatures (empty or non-Claude-format).
+	before := countClaudeThinkingBlocks(rawJSON)
 	rawJSON = antigravityclaude.StripEmptySignatureThinkingBlocks(rawJSON)
+	logAntigravitySignatureStrip(before, countClaudeThinkingBlocks(rawJSON), "prefix_cleanup", "empty_or_non_claude_signature")
 	if cache.SignatureCacheEnabled() {
 		return rawJSON, nil
 	}
@@ -254,12 +256,51 @@ func validateAntigravityRequestSignatures(from sdktranslator.Format, rawJSON []b
 		// by dropping unsigned thinking blocks silently (no 400).
 		return rawJSON, nil
 	}
-	if err := antigravityclaude.ValidateClaudeBypassSignatures(rawJSON); err != nil {
-		return rawJSON, statusErr{code: http.StatusBadRequest, msg: err.Error()}
-	}
+	before = countClaudeThinkingBlocks(rawJSON)
+	rawJSON = antigravityclaude.StripInvalidBypassSignatureThinkingBlocks(rawJSON)
+	logAntigravitySignatureStrip(before, countClaudeThinkingBlocks(rawJSON), "strict_bypass", "invalid_antigravity_claude_signature")
 	return rawJSON, nil
 }
 
+func countClaudeThinkingBlocks(rawJSON []byte) int {
+	messages := gjson.GetBytes(rawJSON, "messages")
+	if !messages.IsArray() {
+		return 0
+	}
+
+	count := 0
+	messages.ForEach(func(_, message gjson.Result) bool {
+		content := message.Get("content")
+		if !content.IsArray() {
+			return true
+		}
+		content.ForEach(func(_, part gjson.Result) bool {
+			if part.Get("type").String() == "thinking" {
+				count++
+			}
+			return true
+		})
+		return true
+	})
+	return count
+}
+
+func logAntigravitySignatureStrip(before, after int, stage, reason string) {
+	removed := before - after
+	if removed <= 0 {
+		return
+	}
+	log.WithFields(log.Fields{
+		"component":       "signature_sanitizer",
+		"executor":        "antigravity",
+		"target_provider": "claude",
+		"action":          "drop_thinking_blocks",
+		"stage":           stage,
+		"reason":          reason,
+		"count":           removed,
+	}).Debug("antigravity executor: dropped Claude thinking blocks with invalid signatures")
+}
+
 // Identifier returns the executor identifier.
 func (e *AntigravityExecutor) Identifier() string { return antigravityAuthType }