feat(openai): Mobile RT 补全 plan_type、精确匹配账号、刷新时自动设置隐私

1. accounts/check 补全 plan_type：当 id_token 缺少 plan_type（如 Mobile RT），
   自动调用 accounts/check 端点获取订阅类型
2. orgID 精确匹配账号：从 JWT 提取 poid 匹配正确账号，避免 Go map
   遍历顺序随机导致 plan_type 不稳定
3. RT 刷新时设置隐私：调用 disableOpenAITraining 关闭训练数据共享，
   结果存入 extra.privacy_mode，后续跳过重复设置

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

backend/cmd/server/wire_gen.go

@@ -114,6 +114,7 @@ func initializeApplication(buildInfo handler.BuildInfo) (*Application, error) {
 	oAuthService := service.NewOAuthService(proxyRepository, claudeOAuthClient)
 	openAIOAuthClient := repository.NewOpenAIOAuthClient()
 	openAIOAuthService := service.NewOpenAIOAuthService(proxyRepository, openAIOAuthClient)
+	openAIOAuthService.SetPrivacyClientFactory(privacyClientFactory)
 	geminiOAuthClient := repository.NewGeminiOAuthClient(configConfig)
 	geminiCliCodeAssistClient := repository.NewGeminiCliCodeAssistClient()
 	driveClient := repository.NewGeminiDriveClient()

backend/internal/pkg/openai/oauth.go

@@ -270,6 +270,7 @@ type OpenAIAuthClaims struct {
 	ChatGPTUserID    string              `json:"chatgpt_user_id"`
 	ChatGPTPlanType  string              `json:"chatgpt_plan_type"`
 	UserID           string              `json:"user_id"`
+	POID             string              `json:"poid"` // organization ID in access_token JWT
 	Organizations    []OrganizationClaim `json:"organizations"`
 }
 

backend/internal/service/openai_oauth_service.go

@@ -29,9 +29,10 @@ type soraSessionChunk struct {
 
 // OpenAIOAuthService handles OpenAI OAuth authentication flows
 type OpenAIOAuthService struct {
-	sessionStore *openai.SessionStore
+	sessionStore         *openai.SessionStore
-	proxyRepo    ProxyRepository
+	proxyRepo            ProxyRepository
-	oauthClient  OpenAIOAuthClient
+	oauthClient          OpenAIOAuthClient
+	privacyClientFactory PrivacyClientFactory // 用于调用 chatgpt.com/backend-api（ImpersonateChrome）
 }
 
 // NewOpenAIOAuthService creates a new OpenAI OAuth service
@@ -43,6 +44,12 @@ func NewOpenAIOAuthService(proxyRepo ProxyRepository, oauthClient OpenAIOAuthCli
 	}
 }
 
+// SetPrivacyClientFactory 注入 ImpersonateChrome 客户端工厂，
+// 用于调用 chatgpt.com/backend-api 获取账号信息（plan_type 等）。
+func (s *OpenAIOAuthService) SetPrivacyClientFactory(factory PrivacyClientFactory) {
+	s.privacyClientFactory = factory
+}
+
 // OpenAIAuthURLResult contains the authorization URL and session info
 type OpenAIAuthURLResult struct {
 	AuthURL   string `json:"auth_url"`
@@ -131,6 +138,7 @@ type OpenAITokenInfo struct {
 	ChatGPTUserID    string `json:"chatgpt_user_id,omitempty"`
 	OrganizationID   string `json:"organization_id,omitempty"`
 	PlanType         string `json:"plan_type,omitempty"`
+	PrivacyMode      string `json:"privacy_mode,omitempty"`
 }
 
 // ExchangeCode exchanges authorization code for tokens
@@ -251,6 +259,30 @@ func (s *OpenAIOAuthService) RefreshTokenWithClientID(ctx context.Context, refre
 		tokenInfo.PlanType = userInfo.PlanType
 	}
 
+	// id_token 中缺少 plan_type 时（如 Mobile RT），尝试通过 ChatGPT backend-api 补全
+	if tokenInfo.PlanType == "" && tokenInfo.AccessToken != "" && s.privacyClientFactory != nil {
+		// 从 access_token JWT 中提取 orgID（poid），用于匹配正确的账号
+		orgID := tokenInfo.OrganizationID
+		if orgID == "" {
+			if atClaims, err := openai.DecodeIDToken(tokenInfo.AccessToken); err == nil && atClaims.OpenAIAuth != nil {
+				orgID = atClaims.OpenAIAuth.POID
+			}
+		}
+		if info := fetchChatGPTAccountInfo(ctx, s.privacyClientFactory, tokenInfo.AccessToken, proxyURL, orgID); info != nil {
+			if tokenInfo.PlanType == "" && info.PlanType != "" {
+				tokenInfo.PlanType = info.PlanType
+			}
+			if tokenInfo.Email == "" && info.Email != "" {
+				tokenInfo.Email = info.Email
+			}
+		}
+	}
+
+	// 尝试设置隐私（关闭训练数据共享），best-effort
+	if tokenInfo.AccessToken != "" && s.privacyClientFactory != nil {
+		tokenInfo.PrivacyMode = disableOpenAITraining(ctx, s.privacyClientFactory, tokenInfo.AccessToken, proxyURL)
+	}
+
 	return tokenInfo, nil
 }
 

backend/internal/service/openai_privacy_service.go

@@ -69,6 +69,139 @@ func disableOpenAITraining(ctx context.Context, clientFactory PrivacyClientFacto
 	return PrivacyModeTrainingOff
 }
 
+// ChatGPTAccountInfo 从 chatgpt.com/backend-api/accounts/check 获取的账号信息
+type ChatGPTAccountInfo struct {
+	PlanType string
+	Email    string
+}
+
+const chatGPTAccountsCheckURL = "https://chatgpt.com/backend-api/accounts/check/v4-2023-04-27"
+
+// fetchChatGPTAccountInfo calls ChatGPT backend-api to get account info (plan_type, etc.).
+// Used as fallback when id_token doesn't contain these fields (e.g., Mobile RT).
+// orgID is used to match the correct account when multiple accounts exist (e.g., personal + team).
+// Returns nil on any failure (best-effort, non-blocking).
+func fetchChatGPTAccountInfo(ctx context.Context, clientFactory PrivacyClientFactory, accessToken, proxyURL, orgID string) *ChatGPTAccountInfo {
+	if accessToken == "" || clientFactory == nil {
+		return nil
+	}
+
+	ctx, cancel := context.WithTimeout(ctx, 15*time.Second)
+	defer cancel()
+
+	client, err := clientFactory(proxyURL)
+	if err != nil {
+		slog.Debug("chatgpt_account_check_client_error", "error", err.Error())
+		return nil
+	}
+
+	var result map[string]any
+	resp, err := client.R().
+		SetContext(ctx).
+		SetHeader("Authorization", "Bearer "+accessToken).
+		SetHeader("Origin", "https://chatgpt.com").
+		SetHeader("Referer", "https://chatgpt.com/").
+		SetHeader("Accept", "application/json").
+		SetSuccessResult(&result).
+		Get(chatGPTAccountsCheckURL)
+
+	if err != nil {
+		slog.Debug("chatgpt_account_check_request_error", "error", err.Error())
+		return nil
+	}
+
+	if !resp.IsSuccessState() {
+		slog.Debug("chatgpt_account_check_failed", "status", resp.StatusCode, "body", truncate(resp.String(), 200))
+		return nil
+	}
+
+	info := &ChatGPTAccountInfo{}
+
+	accounts, ok := result["accounts"].(map[string]any)
+	if !ok {
+		slog.Debug("chatgpt_account_check_no_accounts", "body", truncate(resp.String(), 300))
+		return nil
+	}
+
+	// 优先匹配 orgID 对应的账号（access_token JWT 中的 poid）
+	if orgID != "" {
+		if matched := extractPlanFromAccount(accounts, orgID); matched != "" {
+			info.PlanType = matched
+		}
+	}
+
+	// 未匹配到时，遍历所有账号：优先 is_default，次选非 free
+	if info.PlanType == "" {
+		var defaultPlan, paidPlan, anyPlan string
+		for _, acctRaw := range accounts {
+			acct, ok := acctRaw.(map[string]any)
+			if !ok {
+				continue
+			}
+			planType := extractPlanType(acct)
+			if planType == "" {
+				continue
+			}
+			if anyPlan == "" {
+				anyPlan = planType
+			}
+			if account, ok := acct["account"].(map[string]any); ok {
+				if isDefault, _ := account["is_default"].(bool); isDefault {
+					defaultPlan = planType
+				}
+			}
+			if !strings.EqualFold(planType, "free") && paidPlan == "" {
+				paidPlan = planType
+			}
+		}
+		// 优先级：default > 非 free > 任意
+		switch {
+		case defaultPlan != "":
+			info.PlanType = defaultPlan
+		case paidPlan != "":
+			info.PlanType = paidPlan
+		default:
+			info.PlanType = anyPlan
+		}
+	}
+
+	if info.PlanType == "" {
+		slog.Debug("chatgpt_account_check_no_plan_type", "body", truncate(resp.String(), 300))
+		return nil
+	}
+
+	slog.Info("chatgpt_account_check_success", "plan_type", info.PlanType, "org_id", orgID)
+	return info
+}
+
+// extractPlanFromAccount 从 accounts map 中按 key（account_id）精确匹配并提取 plan_type
+func extractPlanFromAccount(accounts map[string]any, accountKey string) string {
+	acctRaw, ok := accounts[accountKey]
+	if !ok {
+		return ""
+	}
+	acct, ok := acctRaw.(map[string]any)
+	if !ok {
+		return ""
+	}
+	return extractPlanType(acct)
+}
+
+// extractPlanType 从单个 account 对象中提取 plan_type
+func extractPlanType(acct map[string]any) string {
+	if account, ok := acct["account"].(map[string]any); ok {
+		if planType, ok := account["plan_type"].(string); ok && planType != "" {
+			return planType
+		}
+	}
+	if entitlement, ok := acct["entitlement"].(map[string]any); ok {
+		if subPlan, ok := entitlement["subscription_plan"].(string); ok && subPlan != "" {
+			return subPlan
+		}
+	}
+	return ""
+}
+
 func truncate(s string, n int) string {
 	if len(s) <= n {
 		return s

frontend/src/composables/useOpenAIOAuth.ts

@@ -14,6 +14,7 @@ export interface OpenAITokenInfo {
   email?: string
   name?: string
   plan_type?: string
+  privacy_mode?: string
   // OpenAI specific IDs (extracted from ID Token)
   chatgpt_account_id?: string
   chatgpt_user_id?: string
@@ -231,6 +232,9 @@ export function useOpenAIOAuth(options?: UseOpenAIOAuthOptions) {
     if (tokenInfo.name) {
       extra.name = tokenInfo.name
     }
+    if (tokenInfo.privacy_mode) {
+      extra.privacy_mode = tokenInfo.privacy_mode
+    }
     return Object.keys(extra).length > 0 ? extra : undefined
   }