feat(auth): ✨ add environment variable-based OAuth credential support with multi-account capability

Introduces a comprehensive environment variable-based credential system for stateless deployments, enabling multiple OAuth accounts per provider without requiring credential files.

Key changes:

- Add env-based credential discovery in CredentialManager with priority over file-based credentials
- Implement numbered credential format (PROVIDER_N_ACCESS_TOKEN) supporting multiple accounts per provider
- Support legacy single-credential format (PROVIDER_ACCESS_TOKEN) for backwards compatibility
- Introduce virtual path system (env://provider/index) for env-based credentials
- Update credential export tool to generate numbered .env files with merge instructions
- Extend env credential support across all OAuth providers (Google OAuth, Antigravity, iFlow, Qwen Code)
- Add Windows launcher script (launcher.bat) with interactive menu system for proxy configuration

The numbered format allows combining multiple credentials in a single .env file:
- ANTIGRAVITY_1_ACCESS_TOKEN, ANTIGRAVITY_1_REFRESH_TOKEN (first account)
- ANTIGRAVITY_2_ACCESS_TOKEN, ANTIGRAVITY_2_REFRESH_TOKEN (second account)
- etc.

This enables containerized and serverless deployments without managing credential files, while maintaining full multi-account rotation capabilities.

launcher.bat

@@ -0,0 +1,293 @@
+@echo off
+:: ================================================================================
+:: Universal Instructions for macOS / Linux Users
+:: ================================================================================
+:: This launcher.bat file is for Windows only.
+:: If you are on macOS or Linux, please use the following Python commands directly
+:: in your terminal.
+::
+:: First, ensure you have Python 3.10 or higher installed.
+::
+:: To run the proxy server (basic command):
+:: export PYTHONPATH=${PYTHONPATH}:$(pwd)/src
+:: python src/proxy_app/main.py --host 0.0.0.0 --port 8000
+::
+:: Note: To enable request logging, add the --enable-request-logging flag to the command.
+::
+:: To add new credentials:
+:: export PYTHONPATH=${PYTHONPATH}:$(pwd)/src
+:: python src/proxy_app/main.py --add-credential
+::
+:: To build the executable (requires PyInstaller):
+:: pip install -r requirements.txt
+:: pip install pyinstaller
+:: python src/proxy_app/build.py
+:: ================================================================================
+
+setlocal enabledelayedexpansion
+
+:: Default Settings
+set "HOST=0.0.0.0"
+set "PORT=8000"
+set "LOGGING=false"
+set "EXECUTION_MODE="
+set "EXE_NAME=proxy_app.exe"
+set "SOURCE_PATH=src\proxy_app\main.py"
+
+:: --- Phase 1: Detection and Mode Selection ---
+set "EXE_EXISTS=false"
+set "SOURCE_EXISTS=false"
+
+if exist "%EXE_NAME%" (
+    set "EXE_EXISTS=true"
+)
+
+if exist "%SOURCE_PATH%" (
+    set "SOURCE_EXISTS=true"
+)
+
+if "%EXE_EXISTS%"=="true" (
+    if "%SOURCE_EXISTS%"=="true" (
+        call :SelectModeMenu
+    ) else (
+        set "EXECUTION_MODE=exe"
+    )
+) else (
+    if "%SOURCE_EXISTS%"=="true" (
+        set "EXECUTION_MODE=source"
+        call :CheckPython
+        if errorlevel 1 goto :eof
+    ) else (
+        call :NoTargetsFound
+    )
+)
+
+if "%EXECUTION_MODE%"=="" (
+    goto :eof
+)
+
+:: --- Phase 2: Main Menu ---
+:MainMenu
+cls
+echo ==================================================
+echo      LLM API Key Proxy Launcher
+echo ==================================================
+echo.
+echo   Current Configuration:
+echo   ----------------------
+echo   - Host IP: %HOST%
+echo   - Port: %PORT%
+echo   - Request Logging: %LOGGING%
+echo   - Execution Mode: %EXECUTION_MODE%
+echo.
+echo   Main Menu:
+echo   ----------
+echo   1. Run Proxy
+echo   2. Configure Proxy
+echo   3. Add Credentials
+if "%EXECUTION_MODE%"=="source" (
+    echo   4. Build Executable
+    echo   5. Exit
+) else (
+    echo   4. Exit
+)
+echo.
+set /p "CHOICE=Enter your choice: "
+
+if "%CHOICE%"=="1" goto :RunProxy
+if "%CHOICE%"=="2" goto :ConfigMenu
+if "%CHOICE%"=="3" goto :AddCredentials
+
+if "%EXECUTION_MODE%"=="source" (
+    if "%CHOICE%"=="4" goto :BuildExecutable
+    if "%CHOICE%"=="5" goto :eof
+) else (
+    if "%CHOICE%"=="4" goto :eof
+)
+
+echo Invalid choice.
+pause
+goto :MainMenu
+
+:: --- Phase 3: Configuration Sub-Menu ---
+:ConfigMenu
+cls
+echo ==================================================
+echo      Configuration Menu
+echo ==================================================
+echo.
+echo   Current Configuration:
+echo   ----------------------
+echo   - Host IP: %HOST%
+echo   - Port: %PORT%
+echo   - Request Logging: %LOGGING%
+echo   - Execution Mode: %EXECUTION_MODE%
+echo.
+echo   Configuration Options:
+echo   ----------------------
+echo   1. Set Host IP
+echo   2. Set Port
+echo   3. Toggle Request Logging
+echo   4. Back to Main Menu
+echo.
+set /p "CHOICE=Enter your choice: "
+
+if "%CHOICE%"=="1" (
+    set /p "NEW_HOST=Enter new Host IP: "
+    if defined NEW_HOST (
+        set "HOST=!NEW_HOST!"
+    )
+    goto :ConfigMenu
+)
+if "%CHOICE%"=="2" (
+    set "NEW_PORT="
+    set /p "NEW_PORT=Enter new Port: "
+    if not defined NEW_PORT goto :ConfigMenu
+    set "IS_NUM=true"
+    for /f "delims=0123456789" %%i in ("!NEW_PORT!") do set "IS_NUM=false"
+    if "!IS_NUM!"=="false" (
+        echo Invalid Port. Please enter numbers only.
+        pause
+    ) else (
+        if !NEW_PORT! GTR 65535 (
+            echo Invalid Port. Port cannot be greater than 65535.
+            pause
+        ) else (
+            set "PORT=!NEW_PORT!"
+        )
+    )
+    goto :ConfigMenu
+)
+if "%CHOICE%"=="3" (
+    if "%LOGGING%"=="true" (
+        set "LOGGING=false"
+    ) else (
+        set "LOGGING=true"
+    )
+    goto :ConfigMenu
+)
+if "%CHOICE%"=="4" goto :MainMenu
+
+echo Invalid choice.
+pause
+goto :ConfigMenu
+
+:: --- Phase 4: Execution ---
+:RunProxy
+cls
+set "ARGS=--host "%HOST%" --port %PORT%"
+if "%LOGGING%"=="true" (
+    set "ARGS=%ARGS% --enable-request-logging"
+)
+echo Starting Proxy...
+echo Arguments: %ARGS%
+echo.
+if "%EXECUTION_MODE%"=="exe" (
+    start "LLM API Proxy" "%EXE_NAME%" %ARGS%
+) else (
+    set "PYTHONPATH=%~dp0src;%PYTHONPATH%"
+    start "LLM API Proxy" python "%SOURCE_PATH%" %ARGS%
+)
+exit /b 0
+
+:AddCredentials
+cls
+echo Launching Credential Tool...
+echo.
+if "%EXECUTION_MODE%"=="exe" (
+    "%EXE_NAME%" --add-credential
+) else (
+    set "PYTHONPATH=%~dp0src;%PYTHONPATH%"
+    python "%SOURCE_PATH%" --add-credential
+)
+pause
+goto :MainMenu
+
+:BuildExecutable
+cls
+echo ==================================================
+echo      Building Executable
+echo ==================================================
+echo.
+echo The build process will start in a new window.
+start "Build Process" cmd /c "pip install -r requirements.txt && pip install pyinstaller && python "src/proxy_app/build.py" && echo Build finished. && pause"
+exit /b
+
+:: --- Helper Functions ---
+
+:SelectModeMenu
+cls
+echo ==================================================
+echo      Execution Mode Selection
+echo ==================================================
+echo.
+echo   Both executable and source code found.
+echo   Please choose which to use:
+echo.
+echo   1. Executable ("%EXE_NAME%")
+echo   2. Source Code ("%SOURCE_PATH%")
+echo.
+set /p "CHOICE=Enter your choice: "
+
+if "%CHOICE%"=="1" (
+    set "EXECUTION_MODE=exe"
+) else if "%CHOICE%"=="2" (
+    call :CheckPython
+    if errorlevel 1 goto :eof
+    set "EXECUTION_MODE=source"
+) else (
+    echo Invalid choice.
+    pause
+    goto :SelectModeMenu
+)
+goto :end_of_function
+
+:CheckPython
+where python >nul 2>nul
+if errorlevel 1 (
+    echo Error: Python is not installed or not in PATH.
+    echo Please install Python and try again.
+    pause
+    exit /b 1
+)
+
+for /f "tokens=1,2" %%a in ('python -c "import sys; print(sys.version_info.major, sys.version_info.minor)"') do (
+    set "PY_MAJOR=%%a"
+    set "PY_MINOR=%%b"
+)
+
+if not "%PY_MAJOR%"=="3" (
+    call :PythonVersionError
+    exit /b 1
+)
+if %PY_MINOR% lss 10 (
+    call :PythonVersionError
+    exit /b 1
+)
+
+exit /b 0
+
+:PythonVersionError
+echo Error: Python 3.10 or higher is required.
+echo Found version: %PY_MAJOR%.%PY_MINOR%
+echo Please upgrade your Python installation.
+pause
+goto :eof
+
+:NoTargetsFound
+cls
+echo ==================================================
+echo      Error
+echo ==================================================
+echo.
+echo   Could not find the executable ("%EXE_NAME%")
+echo   or the source code ("%SOURCE_PATH%").
+echo.
+echo   Please ensure the launcher is in the correct
+echo   directory or that the project has been built.
+echo.
+pause
+goto :eof
+
+:end_of_function
+endlocal

src/rotator_library/credential_manager.py

@@ -1,8 +1,9 @@
 import os
+import re
 import shutil
 import logging
 from pathlib import Path
-from typing import Dict, List, Optional
+from typing import Dict, List, Optional, Set
 
 lib_logger = logging.getLogger('rotator_library')
 
@@ -18,19 +19,96 @@ DEFAULT_OAUTH_DIRS = {
     # Add other providers like 'claude' here if they have a standard CLI path
 }
 
+# OAuth providers that support environment variable-based credentials
+# Maps provider name to the ENV_PREFIX used by the provider
+ENV_OAUTH_PROVIDERS = {
+    "gemini_cli": "GEMINI_CLI",
+    "antigravity": "ANTIGRAVITY",
+    "qwen_code": "QWEN_CODE",
+    "iflow": "IFLOW",
+}
+
+
 class CredentialManager:
     """
     Discovers OAuth credential files from standard locations, copies them locally,
     and updates the configuration to use the local paths.
+    
+    Also discovers environment variable-based OAuth credentials for stateless deployments.
+    Supports two env var formats:
+    
+    1. Single credential (legacy): PROVIDER_ACCESS_TOKEN, PROVIDER_REFRESH_TOKEN
+    2. Multiple credentials (numbered): PROVIDER_1_ACCESS_TOKEN, PROVIDER_2_ACCESS_TOKEN, etc.
+    
+    When env-based credentials are detected, virtual paths like "env://provider/1" are created.
     """
     def __init__(self, env_vars: Dict[str, str]):
         self.env_vars = env_vars
 
+    def _discover_env_oauth_credentials(self) -> Dict[str, List[str]]:
+        """
+        Discover OAuth credentials defined via environment variables.
+        
+        Supports two formats:
+        1. Single credential: ANTIGRAVITY_ACCESS_TOKEN + ANTIGRAVITY_REFRESH_TOKEN
+        2. Multiple credentials: ANTIGRAVITY_1_ACCESS_TOKEN + ANTIGRAVITY_1_REFRESH_TOKEN, etc.
+        
+        Returns:
+            Dict mapping provider name to list of virtual paths (e.g., "env://antigravity/1")
+        """
+        env_credentials: Dict[str, Set[str]] = {}
+        
+        for provider, env_prefix in ENV_OAUTH_PROVIDERS.items():
+            found_indices: Set[str] = set()
+            
+            # Check for numbered credentials (PROVIDER_N_ACCESS_TOKEN pattern)
+            # Pattern: ANTIGRAVITY_1_ACCESS_TOKEN, ANTIGRAVITY_2_ACCESS_TOKEN, etc.
+            numbered_pattern = re.compile(rf"^{env_prefix}_(\d+)_ACCESS_TOKEN$")
+            
+            for key in self.env_vars.keys():
+                match = numbered_pattern.match(key)
+                if match:
+                    index = match.group(1)
+                    # Verify refresh token also exists
+                    refresh_key = f"{env_prefix}_{index}_REFRESH_TOKEN"
+                    if refresh_key in self.env_vars and self.env_vars[refresh_key]:
+                        found_indices.add(index)
+            
+            # Check for legacy single credential (PROVIDER_ACCESS_TOKEN pattern)
+            # Only use this if no numbered credentials exist
+            if not found_indices:
+                access_key = f"{env_prefix}_ACCESS_TOKEN"
+                refresh_key = f"{env_prefix}_REFRESH_TOKEN"
+                if (access_key in self.env_vars and self.env_vars[access_key] and
+                    refresh_key in self.env_vars and self.env_vars[refresh_key]):
+                    # Use "0" as the index for legacy single credential
+                    found_indices.add("0")
+            
+            if found_indices:
+                env_credentials[provider] = found_indices
+                lib_logger.info(f"Found {len(found_indices)} env-based credential(s) for {provider}")
+        
+        # Convert to virtual paths
+        result: Dict[str, List[str]] = {}
+        for provider, indices in env_credentials.items():
+            # Sort indices numerically for consistent ordering
+            sorted_indices = sorted(indices, key=lambda x: int(x))
+            result[provider] = [f"env://{provider}/{idx}" for idx in sorted_indices]
+        
+        return result
+
     def discover_and_prepare(self) -> Dict[str, List[str]]:
         lib_logger.info("Starting automated OAuth credential discovery...")
         final_config = {}
 
-        # Extract OAuth paths from environment variables first
+        # PHASE 1: Discover environment variable-based OAuth credentials
+        # These take priority for stateless deployments
+        env_oauth_creds = self._discover_env_oauth_credentials()
+        for provider, virtual_paths in env_oauth_creds.items():
+            lib_logger.info(f"Using {len(virtual_paths)} env-based credential(s) for {provider}")
+            final_config[provider] = virtual_paths
+
+        # Extract OAuth file paths from environment variables
         env_oauth_paths = {}
         for key, value in self.env_vars.items():
             if "_OAUTH_" in key:
@@ -40,7 +118,13 @@ class CredentialManager:
                 if value: # Only consider non-empty values
                     env_oauth_paths[provider].append(value)
 
+        # PHASE 2: Discover file-based OAuth credentials
         for provider, default_dir in DEFAULT_OAUTH_DIRS.items():
+            # Skip if already discovered from environment variables
+            if provider in final_config:
+                lib_logger.debug(f"Skipping file discovery for {provider} - using env-based credentials")
+                continue
+            
             # Check for existing local credentials first. If found, use them and skip discovery.
             local_provider_creds = sorted(list(OAUTH_BASE_DIR.glob(f"{provider}_oauth_*.json")))
             if local_provider_creds:

src/rotator_library/credential_tool.py

@@ -36,6 +36,77 @@ def _ensure_providers_loaded():
         _provider_plugins = pp
     return _provider_factory, _provider_plugins
 
+
+def _get_credential_number_from_filename(filename: str) -> int:
+    """
+    Extract credential number from filename like 'provider_oauth_1.json' -> 1
+    """
+    match = re.search(r'_oauth_(\d+)\.json$', filename)
+    if match:
+        return int(match.group(1))
+    return 1
+
+
+def _build_env_export_content(
+    provider_prefix: str,
+    cred_number: int,
+    creds: dict,
+    email: str,
+    extra_fields: dict = None,
+    include_client_creds: bool = True
+) -> tuple[list[str], str]:
+    """
+    Build .env content for OAuth credential export with numbered format.
+    Exports all fields from the JSON file as a 1-to-1 mirror.
+    
+    Args:
+        provider_prefix: Environment variable prefix (e.g., "ANTIGRAVITY", "GEMINI_CLI")
+        cred_number: Credential number for this export (1, 2, 3, etc.)
+        creds: The credential dictionary loaded from JSON
+        email: User email for comments
+        extra_fields: Optional dict of additional fields to include
+        include_client_creds: Whether to include client_id/secret (Google OAuth providers)
+    
+    Returns:
+        Tuple of (env_lines list, numbered_prefix string for display)
+    """
+    # Use numbered format: PROVIDER_N_ACCESS_TOKEN
+    numbered_prefix = f"{provider_prefix}_{cred_number}"
+    
+    env_lines = [
+        f"# {provider_prefix} Credential #{cred_number} for: {email}",
+        f"# Exported from: {provider_prefix.lower()}_oauth_{cred_number}.json",
+        f"# Generated at: {time.strftime('%Y-%m-%d %H:%M:%S')}",
+        f"# ",
+        f"# To combine multiple credentials into one .env file, copy these lines",
+        f"# and ensure each credential has a unique number (1, 2, 3, etc.)",
+        "",
+        f"{numbered_prefix}_ACCESS_TOKEN={creds.get('access_token', '')}",
+        f"{numbered_prefix}_REFRESH_TOKEN={creds.get('refresh_token', '')}",
+        f"{numbered_prefix}_SCOPE={creds.get('scope', '')}",
+        f"{numbered_prefix}_TOKEN_TYPE={creds.get('token_type', 'Bearer')}",
+        f"{numbered_prefix}_ID_TOKEN={creds.get('id_token', '')}",
+        f"{numbered_prefix}_EXPIRY_DATE={creds.get('expiry_date', 0)}",
+    ]
+    
+    if include_client_creds:
+        env_lines.extend([
+            f"{numbered_prefix}_CLIENT_ID={creds.get('client_id', '')}",
+            f"{numbered_prefix}_CLIENT_SECRET={creds.get('client_secret', '')}",
+            f"{numbered_prefix}_TOKEN_URI={creds.get('token_uri', 'https://oauth2.googleapis.com/token')}",
+            f"{numbered_prefix}_UNIVERSE_DOMAIN={creds.get('universe_domain', 'googleapis.com')}",
+        ])
+    
+    env_lines.append(f"{numbered_prefix}_EMAIL={email}")
+    
+    # Add extra provider-specific fields
+    if extra_fields:
+        for key, value in extra_fields.items():
+            if value:  # Only add non-empty values
+                env_lines.append(f"{numbered_prefix}_{key}={value}")
+    
+    return env_lines, numbered_prefix
+
 def ensure_env_defaults():
     """
     Ensures the .env file exists and contains essential default values like PROXY_API_KEY.
@@ -256,12 +327,12 @@ async def setup_new_credential(provider_name: str):
 async def export_gemini_cli_to_env():
     """
     Export a Gemini CLI credential JSON file to .env format.
-    Generates one .env file per credential.
+    Uses numbered format (GEMINI_CLI_1_*, GEMINI_CLI_2_*) for multiple credential support.
     """
     console.print(Panel("[bold cyan]Export Gemini CLI Credential to .env[/bold cyan]", expand=False))
 
     # Find all gemini_cli credentials
-    gemini_cli_files = list(OAUTH_BASE_DIR.glob("gemini_cli_oauth_*.json"))
+    gemini_cli_files = sorted(list(OAUTH_BASE_DIR.glob("gemini_cli_oauth_*.json")))
 
     if not gemini_cli_files:
         console.print(Panel("No Gemini CLI credentials found. Please add one first using 'Add OAuth Credential'.",
@@ -304,34 +375,30 @@ async def export_gemini_cli_to_env():
             project_id = creds.get("_proxy_metadata", {}).get("project_id", "")
             tier = creds.get("_proxy_metadata", {}).get("tier", "")
 
-            # Generate .env file name
+            # Get credential number from filename
+            cred_number = _get_credential_number_from_filename(cred_file.name)
+
+            # Generate .env file name with credential number
             safe_email = email.replace("@", "_at_").replace(".", "_")
-            env_filename = f"gemini_cli_{safe_email}.env"
+            env_filename = f"gemini_cli_{cred_number}_{safe_email}.env"
             env_filepath = OAUTH_BASE_DIR / env_filename
 
-            # Build .env content
-            env_lines = [
-                f"# Gemini CLI Credential for: {email}",
-                f"# Generated from: {cred_file.name}",
-                f"# Generated at: {time.strftime('%Y-%m-%d %H:%M:%S')}",
-                "",
-                f"GEMINI_CLI_ACCESS_TOKEN={creds.get('access_token', '')}",
-                f"GEMINI_CLI_REFRESH_TOKEN={creds.get('refresh_token', '')}",
-                f"GEMINI_CLI_EXPIRY_DATE={creds.get('expiry_date', 0)}",
-                f"GEMINI_CLI_CLIENT_ID={creds.get('client_id', '')}",
-                f"GEMINI_CLI_CLIENT_SECRET={creds.get('client_secret', '')}",
-                f"GEMINI_CLI_TOKEN_URI={creds.get('token_uri', 'https://oauth2.googleapis.com/token')}",
-                f"GEMINI_CLI_UNIVERSE_DOMAIN={creds.get('universe_domain', 'googleapis.com')}",
-                f"GEMINI_CLI_EMAIL={email}",
-            ]
-
-            # Add project_id if present
+            # Build extra fields
+            extra_fields = {}
             if project_id:
-                env_lines.append(f"GEMINI_CLI_PROJECT_ID={project_id}")
-            
-            # Add tier if present
+                extra_fields["PROJECT_ID"] = project_id
             if tier:
-                env_lines.append(f"GEMINI_CLI_TIER={tier}")
+                extra_fields["TIER"] = tier
+
+            # Build .env content using helper
+            env_lines, numbered_prefix = _build_env_export_content(
+                provider_prefix="GEMINI_CLI",
+                cred_number=cred_number,
+                creds=creds,
+                email=email,
+                extra_fields=extra_fields,
+                include_client_creds=True
+            )
 
             # Write to .env file
             with open(env_filepath, 'w') as f:
@@ -339,11 +406,14 @@ async def export_gemini_cli_to_env():
 
             success_text = Text.from_markup(
                 f"Successfully exported credential to [bold yellow]'{env_filepath}'[/bold yellow]\n\n"
-                f"To use this credential:\n"
-                f"1. Copy [bold yellow]{env_filepath.name}[/bold yellow] to your deployment environment\n"
-                f"2. Load the variables: [bold cyan]export $(cat {env_filepath.name} | grep -v '^#' | xargs)[/bold cyan]\n"
-                f"3. Or source it: [bold cyan]source {env_filepath.name}[/bold cyan]\n"
-                f"4. The Gemini CLI provider will automatically use these environment variables"
+                f"[bold]Environment variable prefix:[/bold] [cyan]{numbered_prefix}_*[/cyan]\n\n"
+                f"[bold]To use this credential:[/bold]\n"
+                f"1. Copy the contents to your main .env file, OR\n"
+                f"2. Source it: [bold cyan]source {env_filepath.name}[/bold cyan] (Linux/Mac)\n"
+                f"3. Or on Windows: [bold cyan]Get-Content {env_filepath.name} | ForEach-Object {{ $_ -replace '^([^#].*)$', 'set $1' }} | cmd[/bold cyan]\n\n"
+                f"[bold]To combine multiple credentials:[/bold]\n"
+                f"Copy lines from multiple .env files into one file.\n"
+                f"Each credential uses a unique number ({numbered_prefix}_*)."
             )
             console.print(Panel(success_text, style="bold green", title="Success"))
         else:
@@ -403,22 +473,30 @@ async def export_qwen_code_to_env():
             # Extract metadata
             email = creds.get("_proxy_metadata", {}).get("email", "unknown")
 
-            # Generate .env file name
+            # Get credential number from filename
+            cred_number = _get_credential_number_from_filename(cred_file.name)
+
+            # Generate .env file name with credential number
             safe_email = email.replace("@", "_at_").replace(".", "_")
-            env_filename = f"qwen_code_{safe_email}.env"
+            env_filename = f"qwen_code_{cred_number}_{safe_email}.env"
             env_filepath = OAUTH_BASE_DIR / env_filename
 
-            # Build .env content
+            # Use numbered format: QWEN_CODE_N_*
+            numbered_prefix = f"QWEN_CODE_{cred_number}"
+
+            # Build .env content (Qwen has different structure)
             env_lines = [
-                f"# Qwen Code Credential for: {email}",
-                f"# Generated from: {cred_file.name}",
+                f"# QWEN_CODE Credential #{cred_number} for: {email}",
                 f"# Generated at: {time.strftime('%Y-%m-%d %H:%M:%S')}",
+                f"# ",
+                f"# To combine multiple credentials into one .env file, copy these lines",
+                f"# and ensure each credential has a unique number (1, 2, 3, etc.)",
                 "",
-                f"QWEN_CODE_ACCESS_TOKEN={creds.get('access_token', '')}",
-                f"QWEN_CODE_REFRESH_TOKEN={creds.get('refresh_token', '')}",
-                f"QWEN_CODE_EXPIRY_DATE={creds.get('expiry_date', 0)}",
-                f"QWEN_CODE_RESOURCE_URL={creds.get('resource_url', 'https://portal.qwen.ai/v1')}",
-                f"QWEN_CODE_EMAIL={email}",
+                f"{numbered_prefix}_ACCESS_TOKEN={creds.get('access_token', '')}",
+                f"{numbered_prefix}_REFRESH_TOKEN={creds.get('refresh_token', '')}",
+                f"{numbered_prefix}_EXPIRY_DATE={creds.get('expiry_date', 0)}",
+                f"{numbered_prefix}_RESOURCE_URL={creds.get('resource_url', 'https://portal.qwen.ai/v1')}",
+                f"{numbered_prefix}_EMAIL={email}",
             ]
 
             # Write to .env file
@@ -427,11 +505,13 @@ async def export_qwen_code_to_env():
 
             success_text = Text.from_markup(
                 f"Successfully exported credential to [bold yellow]'{env_filepath}'[/bold yellow]\n\n"
-                f"To use this credential:\n"
-                f"1. Copy [bold yellow]{env_filepath.name}[/bold yellow] to your deployment environment\n"
-                f"2. Load the variables: [bold cyan]export $(cat {env_filepath.name} | grep -v '^#' | xargs)[/bold cyan]\n"
-                f"3. Or source it: [bold cyan]source {env_filepath.name}[/bold cyan]\n"
-                f"4. The Qwen Code provider will automatically use these environment variables"
+                f"[bold]Environment variable prefix:[/bold] [cyan]{numbered_prefix}_*[/cyan]\n\n"
+                f"[bold]To use this credential:[/bold]\n"
+                f"1. Copy the contents to your main .env file, OR\n"
+                f"2. Source it: [bold cyan]source {env_filepath.name}[/bold cyan] (Linux/Mac)\n\n"
+                f"[bold]To combine multiple credentials:[/bold]\n"
+                f"Copy lines from multiple .env files into one file.\n"
+                f"Each credential uses a unique number ({numbered_prefix}_*)."
             )
             console.print(Panel(success_text, style="bold green", title="Success"))
         else:
@@ -445,12 +525,12 @@ async def export_qwen_code_to_env():
 async def export_iflow_to_env():
     """
     Export an iFlow credential JSON file to .env format.
-    Generates one .env file per credential.
+    Uses numbered format (IFLOW_1_*, IFLOW_2_*) for multiple credential support.
     """
     console.print(Panel("[bold cyan]Export iFlow Credential to .env[/bold cyan]", expand=False))
 
     # Find all iflow credentials
-    iflow_files = list(OAUTH_BASE_DIR.glob("iflow_oauth_*.json"))
+    iflow_files = sorted(list(OAUTH_BASE_DIR.glob("iflow_oauth_*.json")))
 
     if not iflow_files:
         console.print(Panel("No iFlow credentials found. Please add one first using 'Add OAuth Credential'.",
@@ -491,25 +571,32 @@ async def export_iflow_to_env():
             # Extract metadata
             email = creds.get("_proxy_metadata", {}).get("email", "unknown")
 
-            # Generate .env file name
+            # Get credential number from filename
+            cred_number = _get_credential_number_from_filename(cred_file.name)
+
+            # Generate .env file name with credential number
             safe_email = email.replace("@", "_at_").replace(".", "_")
-            env_filename = f"iflow_{safe_email}.env"
+            env_filename = f"iflow_{cred_number}_{safe_email}.env"
             env_filepath = OAUTH_BASE_DIR / env_filename
 
-            # Build .env content
-            # IMPORTANT: iFlow requires BOTH OAuth tokens AND the API key for API requests
+            # Use numbered format: IFLOW_N_*
+            numbered_prefix = f"IFLOW_{cred_number}"
+
+            # Build .env content (iFlow has different structure with API key)
             env_lines = [
-                f"# iFlow Credential for: {email}",
-                f"# Generated from: {cred_file.name}",
+                f"# IFLOW Credential #{cred_number} for: {email}",
                 f"# Generated at: {time.strftime('%Y-%m-%d %H:%M:%S')}",
+                f"# ",
+                f"# To combine multiple credentials into one .env file, copy these lines",
+                f"# and ensure each credential has a unique number (1, 2, 3, etc.)",
                 "",
-                f"IFLOW_ACCESS_TOKEN={creds.get('access_token', '')}",
-                f"IFLOW_REFRESH_TOKEN={creds.get('refresh_token', '')}",
-                f"IFLOW_API_KEY={creds.get('api_key', '')}",
-                f"IFLOW_EXPIRY_DATE={creds.get('expiry_date', '')}",
-                f"IFLOW_EMAIL={email}",
-                f"IFLOW_TOKEN_TYPE={creds.get('token_type', 'Bearer')}",
-                f"IFLOW_SCOPE={creds.get('scope', 'read write')}",
+                f"{numbered_prefix}_ACCESS_TOKEN={creds.get('access_token', '')}",
+                f"{numbered_prefix}_REFRESH_TOKEN={creds.get('refresh_token', '')}",
+                f"{numbered_prefix}_API_KEY={creds.get('api_key', '')}",
+                f"{numbered_prefix}_EXPIRY_DATE={creds.get('expiry_date', '')}",
+                f"{numbered_prefix}_EMAIL={email}",
+                f"{numbered_prefix}_TOKEN_TYPE={creds.get('token_type', 'Bearer')}",
+                f"{numbered_prefix}_SCOPE={creds.get('scope', 'read write')}",
             ]
 
             # Write to .env file
@@ -518,11 +605,13 @@ async def export_iflow_to_env():
 
             success_text = Text.from_markup(
                 f"Successfully exported credential to [bold yellow]'{env_filepath}'[/bold yellow]\n\n"
-                f"To use this credential:\n"
-                f"1. Copy [bold yellow]{env_filepath.name}[/bold yellow] to your deployment environment\n"
-                f"2. Load the variables: [bold cyan]export $(cat {env_filepath.name} | grep -v '^#' | xargs)[/bold cyan]\n"
-                f"3. Or source it: [bold cyan]source {env_filepath.name}[/bold cyan]\n"
-                f"4. The iFlow provider will automatically use these environment variables"
+                f"[bold]Environment variable prefix:[/bold] [cyan]{numbered_prefix}_*[/cyan]\n\n"
+                f"[bold]To use this credential:[/bold]\n"
+                f"1. Copy the contents to your main .env file, OR\n"
+                f"2. Source it: [bold cyan]source {env_filepath.name}[/bold cyan] (Linux/Mac)\n\n"
+                f"[bold]To combine multiple credentials:[/bold]\n"
+                f"Copy lines from multiple .env files into one file.\n"
+                f"Each credential uses a unique number ({numbered_prefix}_*)."
             )
             console.print(Panel(success_text, style="bold green", title="Success"))
         else:
@@ -536,12 +625,12 @@ async def export_iflow_to_env():
 async def export_antigravity_to_env():
     """
     Export an Antigravity credential JSON file to .env format.
-    Generates one .env file per credential.
+    Uses numbered format (ANTIGRAVITY_1_*, ANTIGRAVITY_2_*) for multiple credential support.
     """
     console.print(Panel("[bold cyan]Export Antigravity Credential to .env[/bold cyan]", expand=False))
 
     # Find all antigravity credentials
-    antigravity_files = list(OAUTH_BASE_DIR.glob("antigravity_oauth_*.json"))
+    antigravity_files = sorted(list(OAUTH_BASE_DIR.glob("antigravity_oauth_*.json")))
 
     if not antigravity_files:
         console.print(Panel("No Antigravity credentials found. Please add one first using 'Add OAuth Credential'.",
@@ -582,26 +671,23 @@ async def export_antigravity_to_env():
             # Extract metadata
             email = creds.get("_proxy_metadata", {}).get("email", "unknown")
 
-            # Generate .env file name
+            # Get credential number from filename
+            cred_number = _get_credential_number_from_filename(cred_file.name)
+
+            # Generate .env file name with credential number
             safe_email = email.replace("@", "_at_").replace(".", "_")
-            env_filename = f"antigravity_{safe_email}.env"
+            env_filename = f"antigravity_{cred_number}_{safe_email}.env"
             env_filepath = OAUTH_BASE_DIR / env_filename
 
-            # Build .env content
-            env_lines = [
-                f"# Antigravity Credential for: {email}",
-                f"# Generated from: {cred_file.name}",
-                f"# Generated at: {time.strftime('%Y-%m-%d %H:%M:%S')}",
-                "",
-                f"ANTIGRAVITY_ACCESS_TOKEN={creds.get('access_token', '')}",
-                f"ANTIGRAVITY_REFRESH_TOKEN={creds.get('refresh_token', '')}",
-                f"ANTIGRAVITY_EXPIRY_DATE={creds.get('expiry_date', 0)}",
-                f"ANTIGRAVITY_CLIENT_ID={creds.get('client_id', '')}",
-                f"ANTIGRAVITY_CLIENT_SECRET={creds.get('client_secret', '')}",
-                f"ANTIGRAVITY_TOKEN_URI={creds.get('token_uri', 'https://oauth2.googleapis.com/token')}",
-                f"ANTIGRAVITY_UNIVERSE_DOMAIN={creds.get('universe_domain', 'googleapis.com')}",
-                f"ANTIGRAVITY_EMAIL={email}",
-            ]
+            # Build .env content using helper
+            env_lines, numbered_prefix = _build_env_export_content(
+                provider_prefix="ANTIGRAVITY",
+                cred_number=cred_number,
+                creds=creds,
+                email=email,
+                extra_fields=None,
+                include_client_creds=True
+            )
 
             # Write to .env file
             with open(env_filepath, 'w') as f:
@@ -609,11 +695,14 @@ async def export_antigravity_to_env():
 
             success_text = Text.from_markup(
                 f"Successfully exported credential to [bold yellow]'{env_filepath}'[/bold yellow]\n\n"
-                f"To use this credential:\n"
-                f"1. Copy [bold yellow]{env_filepath.name}[/bold yellow] to your deployment environment\n"
-                f"2. Load the variables: [bold cyan]export $(cat {env_filepath.name} | grep -v '^#' | xargs)[/bold cyan]\n"
-                f"3. Or source it: [bold cyan]source {env_filepath.name}[/bold cyan]\n"
-                f"4. The Antigravity provider will automatically use these environment variables"
+                f"[bold]Environment variable prefix:[/bold] [cyan]{numbered_prefix}_*[/cyan]\n\n"
+                f"[bold]To use this credential:[/bold]\n"
+                f"1. Copy the contents to your main .env file, OR\n"
+                f"2. Source it: [bold cyan]source {env_filepath.name}[/bold cyan] (Linux/Mac)\n"
+                f"3. Or on Windows: [bold cyan]Get-Content {env_filepath.name} | ForEach-Object {{ $_ -replace '^([^#].*)$', 'set $1' }} | cmd[/bold cyan]\n\n"
+                f"[bold]To combine multiple credentials:[/bold]\n"
+                f"Copy lines from multiple .env files into one file.\n"
+                f"Each credential uses a unique number ({numbered_prefix}_*)."
             )
             console.print(Panel(success_text, style="bold green", title="Success"))
         else:

src/rotator_library/providers/google_oauth_base.py

@@ -77,64 +77,103 @@ class GoogleOAuthBase:
         self._queue_tracking_lock = asyncio.Lock()  # Protects queue sets
         self._queue_processor_task: Optional[asyncio.Task] = None  # Background worker task
 
-    def _load_from_env(self) -> Optional[Dict[str, Any]]:
+    def _parse_env_credential_path(self, path: str) -> Optional[str]:
+        """
+        Parse a virtual env:// path and return the credential index.
+        
+        Supported formats:
+        - "env://provider/0" - Legacy single credential (no index in env var names)
+        - "env://provider/1" - First numbered credential (PROVIDER_1_ACCESS_TOKEN)
+        - "env://provider/2" - Second numbered credential, etc.
+        
+        Returns:
+            The credential index as string ("0" for legacy, "1", "2", etc. for numbered)
+            or None if path is not an env:// path
+        """
+        if not path.startswith("env://"):
+            return None
+        
+        # Parse: env://provider/index
+        parts = path[6:].split("/")  # Remove "env://" prefix
+        if len(parts) >= 2:
+            return parts[1]  # Return the index
+        return "0"  # Default to legacy format
+
+    def _load_from_env(self, credential_index: Optional[str] = None) -> Optional[Dict[str, Any]]:
         """
         Load OAuth credentials from environment variables for stateless deployments.
 
-        Expected environment variables:
-        - {ENV_PREFIX}_ACCESS_TOKEN (required)
-        - {ENV_PREFIX}_REFRESH_TOKEN (required)
-        - {ENV_PREFIX}_EXPIRY_DATE (optional, defaults to 0)
-        - {ENV_PREFIX}_CLIENT_ID (optional, uses default)
-        - {ENV_PREFIX}_CLIENT_SECRET (optional, uses default)
-        - {ENV_PREFIX}_TOKEN_URI (optional, uses default)
-        - {ENV_PREFIX}_UNIVERSE_DOMAIN (optional, defaults to googleapis.com)
-        - {ENV_PREFIX}_EMAIL (optional, defaults to "env-user")
-        - {ENV_PREFIX}_PROJECT_ID (optional)
-        - {ENV_PREFIX}_TIER (optional)
+        Supports two formats:
+        1. Legacy (credential_index="0" or None): PROVIDER_ACCESS_TOKEN
+        2. Numbered (credential_index="1", "2", etc.): PROVIDER_1_ACCESS_TOKEN, PROVIDER_2_ACCESS_TOKEN
+
+        Expected environment variables (for numbered format with index N):
+        - {ENV_PREFIX}_{N}_ACCESS_TOKEN (required)
+        - {ENV_PREFIX}_{N}_REFRESH_TOKEN (required)
+        - {ENV_PREFIX}_{N}_EXPIRY_DATE (optional, defaults to 0)
+        - {ENV_PREFIX}_{N}_CLIENT_ID (optional, uses default)
+        - {ENV_PREFIX}_{N}_CLIENT_SECRET (optional, uses default)
+        - {ENV_PREFIX}_{N}_TOKEN_URI (optional, uses default)
+        - {ENV_PREFIX}_{N}_UNIVERSE_DOMAIN (optional, defaults to googleapis.com)
+        - {ENV_PREFIX}_{N}_EMAIL (optional, defaults to "env-user-{N}")
+        - {ENV_PREFIX}_{N}_PROJECT_ID (optional)
+        - {ENV_PREFIX}_{N}_TIER (optional)
+
+        For legacy format (index="0" or None), omit the _{N}_ part.
 
         Returns:
             Dict with credential structure if env vars present, None otherwise
         """
-        access_token = os.getenv(f"{self.ENV_PREFIX}_ACCESS_TOKEN")
-        refresh_token = os.getenv(f"{self.ENV_PREFIX}_REFRESH_TOKEN")
+        # Determine the env var prefix based on credential index
+        if credential_index and credential_index != "0":
+            # Numbered format: PROVIDER_N_ACCESS_TOKEN
+            prefix = f"{self.ENV_PREFIX}_{credential_index}"
+            default_email = f"env-user-{credential_index}"
+        else:
+            # Legacy format: PROVIDER_ACCESS_TOKEN
+            prefix = self.ENV_PREFIX
+            default_email = "env-user"
+        
+        access_token = os.getenv(f"{prefix}_ACCESS_TOKEN")
+        refresh_token = os.getenv(f"{prefix}_REFRESH_TOKEN")
 
         # Both access and refresh tokens are required
         if not (access_token and refresh_token):
             return None
 
-        lib_logger.debug(f"Loading {self.ENV_PREFIX} credentials from environment variables")
+        lib_logger.debug(f"Loading {prefix} credentials from environment variables")
 
         # Parse expiry_date as float, default to 0 if not present
-        expiry_str = os.getenv(f"{self.ENV_PREFIX}_EXPIRY_DATE", "0")
+        expiry_str = os.getenv(f"{prefix}_EXPIRY_DATE", "0")
         try:
             expiry_date = float(expiry_str)
         except ValueError:
-            lib_logger.warning(f"Invalid {self.ENV_PREFIX}_EXPIRY_DATE value: {expiry_str}, using 0")
+            lib_logger.warning(f"Invalid {prefix}_EXPIRY_DATE value: {expiry_str}, using 0")
             expiry_date = 0
 
         creds = {
             "access_token": access_token,
             "refresh_token": refresh_token,
             "expiry_date": expiry_date,
-            "client_id": os.getenv(f"{self.ENV_PREFIX}_CLIENT_ID", self.CLIENT_ID),
-            "client_secret": os.getenv(f"{self.ENV_PREFIX}_CLIENT_SECRET", self.CLIENT_SECRET),
-            "token_uri": os.getenv(f"{self.ENV_PREFIX}_TOKEN_URI", self.TOKEN_URI),
-            "universe_domain": os.getenv(f"{self.ENV_PREFIX}_UNIVERSE_DOMAIN", "googleapis.com"),
+            "client_id": os.getenv(f"{prefix}_CLIENT_ID", self.CLIENT_ID),
+            "client_secret": os.getenv(f"{prefix}_CLIENT_SECRET", self.CLIENT_SECRET),
+            "token_uri": os.getenv(f"{prefix}_TOKEN_URI", self.TOKEN_URI),
+            "universe_domain": os.getenv(f"{prefix}_UNIVERSE_DOMAIN", "googleapis.com"),
             "_proxy_metadata": {
-                "email": os.getenv(f"{self.ENV_PREFIX}_EMAIL", "env-user"),
+                "email": os.getenv(f"{prefix}_EMAIL", default_email),
                 "last_check_timestamp": time.time(),
-                "loaded_from_env": True  # Flag to indicate env-based credentials
+                "loaded_from_env": True,  # Flag to indicate env-based credentials
+                "env_credential_index": credential_index or "0"  # Track which env credential this is
             }
         }
 
         # Add project_id if provided
-        project_id = os.getenv(f"{self.ENV_PREFIX}_PROJECT_ID")
+        project_id = os.getenv(f"{prefix}_PROJECT_ID")
         if project_id:
             creds["_proxy_metadata"]["project_id"] = project_id
         
         # Add tier if provided
-        tier = os.getenv(f"{self.ENV_PREFIX}_TIER")
+        tier = os.getenv(f"{prefix}_TIER")
         if tier:
             creds["_proxy_metadata"]["tier"] = tier
 
@@ -148,7 +187,19 @@ class GoogleOAuthBase:
             if path in self._credentials_cache:
                 return self._credentials_cache[path]
 
-            # First, try loading from environment variables
+            # Check if this is a virtual env:// path
+            credential_index = self._parse_env_credential_path(path)
+            if credential_index is not None:
+                # Load from environment variables with specific index
+                env_creds = self._load_from_env(credential_index)
+                if env_creds:
+                    lib_logger.info(f"Using {self.ENV_PREFIX} credentials from environment variables (index: {credential_index})")
+                    self._credentials_cache[path] = env_creds
+                    return env_creds
+                else:
+                    raise IOError(f"Environment variables for {self.ENV_PREFIX} credential index {credential_index} not found")
+
+            # For file paths, first try loading from legacy env vars (for backwards compatibility)
             env_creds = self._load_from_env()
             if env_creds:
                 lib_logger.info(f"Using {self.ENV_PREFIX} credentials from environment variables")
@@ -170,6 +221,8 @@ class GoogleOAuthBase:
                 raise IOError(f"{self.ENV_PREFIX} OAuth credential file not found at '{path}'")
             except Exception as e:
                 raise IOError(f"Failed to load {self.ENV_PREFIX} OAuth credentials from '{path}': {e}")
+            except Exception as e:
+                raise IOError(f"Failed to load {self.ENV_PREFIX} OAuth credentials from '{path}': {e}")
 
     async def _save_credentials(self, path: str, creds: Dict[str, Any]):
         # Don't save to file if credentials were loaded from environment

src/rotator_library/providers/iflow_auth_base.py

@@ -158,47 +158,79 @@ class IFlowAuthBase:
         self._queue_tracking_lock = asyncio.Lock()  # Protects queue sets
         self._queue_processor_task: Optional[asyncio.Task] = None  # Background worker task
 
-    def _load_from_env(self) -> Optional[Dict[str, Any]]:
+    def _parse_env_credential_path(self, path: str) -> Optional[str]:
+        """
+        Parse a virtual env:// path and return the credential index.
+        
+        Supported formats:
+        - "env://provider/0" - Legacy single credential (no index in env var names)
+        - "env://provider/1" - First numbered credential (IFLOW_1_ACCESS_TOKEN)
+        
+        Returns:
+            The credential index as string, or None if path is not an env:// path
+        """
+        if not path.startswith("env://"):
+            return None
+        
+        parts = path[6:].split("/")
+        if len(parts) >= 2:
+            return parts[1]
+        return "0"
+
+    def _load_from_env(self, credential_index: Optional[str] = None) -> Optional[Dict[str, Any]]:
         """
         Load OAuth credentials from environment variables for stateless deployments.
 
-        Expected environment variables:
-        - IFLOW_ACCESS_TOKEN (required)
-        - IFLOW_REFRESH_TOKEN (required)
-        - IFLOW_API_KEY (required - critical for iFlow!)
-        - IFLOW_EXPIRY_DATE (optional, defaults to empty string)
-        - IFLOW_EMAIL (optional, defaults to "env-user")
-        - IFLOW_TOKEN_TYPE (optional, defaults to "Bearer")
-        - IFLOW_SCOPE (optional, defaults to "read write")
+        Supports two formats:
+        1. Legacy (credential_index="0" or None): IFLOW_ACCESS_TOKEN
+        2. Numbered (credential_index="1", "2", etc.): IFLOW_1_ACCESS_TOKEN, etc.
+
+        Expected environment variables (for numbered format with index N):
+        - IFLOW_{N}_ACCESS_TOKEN (required)
+        - IFLOW_{N}_REFRESH_TOKEN (required)
+        - IFLOW_{N}_API_KEY (required - critical for iFlow!)
+        - IFLOW_{N}_EXPIRY_DATE (optional, defaults to empty string)
+        - IFLOW_{N}_EMAIL (optional, defaults to "env-user-{N}")
+        - IFLOW_{N}_TOKEN_TYPE (optional, defaults to "Bearer")
+        - IFLOW_{N}_SCOPE (optional, defaults to "read write")
 
         Returns:
             Dict with credential structure if env vars present, None otherwise
         """
-        access_token = os.getenv("IFLOW_ACCESS_TOKEN")
-        refresh_token = os.getenv("IFLOW_REFRESH_TOKEN")
-        api_key = os.getenv("IFLOW_API_KEY")
+        # Determine the env var prefix based on credential index
+        if credential_index and credential_index != "0":
+            prefix = f"IFLOW_{credential_index}"
+            default_email = f"env-user-{credential_index}"
+        else:
+            prefix = "IFLOW"
+            default_email = "env-user"
+        
+        access_token = os.getenv(f"{prefix}_ACCESS_TOKEN")
+        refresh_token = os.getenv(f"{prefix}_REFRESH_TOKEN")
+        api_key = os.getenv(f"{prefix}_API_KEY")
 
         # All three are required for iFlow
         if not (access_token and refresh_token and api_key):
             return None
 
-        lib_logger.debug("Loading iFlow credentials from environment variables")
+        lib_logger.debug(f"Loading iFlow credentials from environment variables (prefix: {prefix})")
 
         # Parse expiry_date as string (ISO 8601 format)
-        expiry_str = os.getenv("IFLOW_EXPIRY_DATE", "")
+        expiry_str = os.getenv(f"{prefix}_EXPIRY_DATE", "")
 
         creds = {
             "access_token": access_token,
             "refresh_token": refresh_token,
             "api_key": api_key,  # Critical for iFlow!
             "expiry_date": expiry_str,
-            "email": os.getenv("IFLOW_EMAIL", "env-user"),
-            "token_type": os.getenv("IFLOW_TOKEN_TYPE", "Bearer"),
-            "scope": os.getenv("IFLOW_SCOPE", "read write"),
+            "email": os.getenv(f"{prefix}_EMAIL", default_email),
+            "token_type": os.getenv(f"{prefix}_TOKEN_TYPE", "Bearer"),
+            "scope": os.getenv(f"{prefix}_SCOPE", "read write"),
             "_proxy_metadata": {
-                "email": os.getenv("IFLOW_EMAIL", "env-user"),
+                "email": os.getenv(f"{prefix}_EMAIL", default_email),
                 "last_check_timestamp": time.time(),
-                "loaded_from_env": True  # Flag to indicate env-based credentials
+                "loaded_from_env": True,
+                "env_credential_index": credential_index or "0"
             }
         }
 
@@ -227,11 +259,21 @@ class IFlowAuthBase:
             if path in self._credentials_cache:
                 return self._credentials_cache[path]
 
-            # First, try loading from environment variables
+            # Check if this is a virtual env:// path
+            credential_index = self._parse_env_credential_path(path)
+            if credential_index is not None:
+                env_creds = self._load_from_env(credential_index)
+                if env_creds:
+                    lib_logger.info(f"Using iFlow credentials from environment variables (index: {credential_index})")
+                    self._credentials_cache[path] = env_creds
+                    return env_creds
+                else:
+                    raise IOError(f"Environment variables for iFlow credential index {credential_index} not found")
+
+            # For file paths, try loading from legacy env vars first
             env_creds = self._load_from_env()
             if env_creds:
                 lib_logger.info("Using iFlow credentials from environment variables")
-                # Cache env-based credentials using the path as key
                 self._credentials_cache[path] = env_creds
                 return env_creds
 

src/rotator_library/providers/qwen_auth_base.py

@@ -47,46 +47,78 @@ class QwenAuthBase:
         self._queue_tracking_lock = asyncio.Lock()  # Protects queue sets
         self._queue_processor_task: Optional[asyncio.Task] = None  # Background worker task
 
-    def _load_from_env(self) -> Optional[Dict[str, Any]]:
+    def _parse_env_credential_path(self, path: str) -> Optional[str]:
+        """
+        Parse a virtual env:// path and return the credential index.
+        
+        Supported formats:
+        - "env://provider/0" - Legacy single credential (no index in env var names)
+        - "env://provider/1" - First numbered credential (QWEN_CODE_1_ACCESS_TOKEN)
+        
+        Returns:
+            The credential index as string, or None if path is not an env:// path
+        """
+        if not path.startswith("env://"):
+            return None
+        
+        parts = path[6:].split("/")
+        if len(parts) >= 2:
+            return parts[1]
+        return "0"
+
+    def _load_from_env(self, credential_index: Optional[str] = None) -> Optional[Dict[str, Any]]:
         """
         Load OAuth credentials from environment variables for stateless deployments.
 
-        Expected environment variables:
-        - QWEN_CODE_ACCESS_TOKEN (required)
-        - QWEN_CODE_REFRESH_TOKEN (required)
-        - QWEN_CODE_EXPIRY_DATE (optional, defaults to 0)
-        - QWEN_CODE_RESOURCE_URL (optional, defaults to https://portal.qwen.ai/v1)
-        - QWEN_CODE_EMAIL (optional, defaults to "env-user")
+        Supports two formats:
+        1. Legacy (credential_index="0" or None): QWEN_CODE_ACCESS_TOKEN
+        2. Numbered (credential_index="1", "2", etc.): QWEN_CODE_1_ACCESS_TOKEN, etc.
+
+        Expected environment variables (for numbered format with index N):
+        - QWEN_CODE_{N}_ACCESS_TOKEN (required)
+        - QWEN_CODE_{N}_REFRESH_TOKEN (required)
+        - QWEN_CODE_{N}_EXPIRY_DATE (optional, defaults to 0)
+        - QWEN_CODE_{N}_RESOURCE_URL (optional, defaults to https://portal.qwen.ai/v1)
+        - QWEN_CODE_{N}_EMAIL (optional, defaults to "env-user-{N}")
 
         Returns:
             Dict with credential structure if env vars present, None otherwise
         """
-        access_token = os.getenv("QWEN_CODE_ACCESS_TOKEN")
-        refresh_token = os.getenv("QWEN_CODE_REFRESH_TOKEN")
+        # Determine the env var prefix based on credential index
+        if credential_index and credential_index != "0":
+            prefix = f"QWEN_CODE_{credential_index}"
+            default_email = f"env-user-{credential_index}"
+        else:
+            prefix = "QWEN_CODE"
+            default_email = "env-user"
+        
+        access_token = os.getenv(f"{prefix}_ACCESS_TOKEN")
+        refresh_token = os.getenv(f"{prefix}_REFRESH_TOKEN")
 
         # Both access and refresh tokens are required
         if not (access_token and refresh_token):
             return None
 
-        lib_logger.debug("Loading Qwen Code credentials from environment variables")
+        lib_logger.debug(f"Loading Qwen Code credentials from environment variables (prefix: {prefix})")
 
         # Parse expiry_date as float, default to 0 if not present
-        expiry_str = os.getenv("QWEN_CODE_EXPIRY_DATE", "0")
+        expiry_str = os.getenv(f"{prefix}_EXPIRY_DATE", "0")
         try:
             expiry_date = float(expiry_str)
         except ValueError:
-            lib_logger.warning(f"Invalid QWEN_CODE_EXPIRY_DATE value: {expiry_str}, using 0")
+            lib_logger.warning(f"Invalid {prefix}_EXPIRY_DATE value: {expiry_str}, using 0")
             expiry_date = 0
 
         creds = {
             "access_token": access_token,
             "refresh_token": refresh_token,
             "expiry_date": expiry_date,
-            "resource_url": os.getenv("QWEN_CODE_RESOURCE_URL", "https://portal.qwen.ai/v1"),
+            "resource_url": os.getenv(f"{prefix}_RESOURCE_URL", "https://portal.qwen.ai/v1"),
             "_proxy_metadata": {
-                "email": os.getenv("QWEN_CODE_EMAIL", "env-user"),
+                "email": os.getenv(f"{prefix}_EMAIL", default_email),
                 "last_check_timestamp": time.time(),
-                "loaded_from_env": True  # Flag to indicate env-based credentials
+                "loaded_from_env": True,
+                "env_credential_index": credential_index or "0"
             }
         }
 
@@ -115,11 +147,21 @@ class QwenAuthBase:
             if path in self._credentials_cache:
                 return self._credentials_cache[path]
 
-            # First, try loading from environment variables
+            # Check if this is a virtual env:// path
+            credential_index = self._parse_env_credential_path(path)
+            if credential_index is not None:
+                env_creds = self._load_from_env(credential_index)
+                if env_creds:
+                    lib_logger.info(f"Using Qwen Code credentials from environment variables (index: {credential_index})")
+                    self._credentials_cache[path] = env_creds
+                    return env_creds
+                else:
+                    raise IOError(f"Environment variables for Qwen Code credential index {credential_index} not found")
+
+            # For file paths, try loading from legacy env vars first
             env_creds = self._load_from_env()
             if env_creds:
                 lib_logger.info("Using Qwen Code credentials from environment variables")
-                # Cache env-based credentials using the path as key
                 self._credentials_cache[path] = env_creds
                 return env_creds
 

todo.md

@@ -0,0 +1,7 @@
+~~Refine claude injection to inject even if we have correct thinking - to force it to think if we made ultrathink prompt. If last msg is tool use and you prompt - it never thinks again.~~ Maybe done
+
+Anthropic translation and anthropic compatible endpoint.
+
+Refine for deployment.
+
+