fix(vertex): audit fixes for Vertex Service Account feature (#1977)

- Security: force token_uri to Google default, preventing SSRF via crafted service account JSON
- Dedup: extract shared getVertexServiceAccountAccessToken() to eliminate ~35 lines of duplication between ClaudeTokenProvider and GeminiTokenProvider
- Fix: apply model mapping + Vertex model ID normalization in forward_as_responses and forward_as_chat_completions paths
- Fix: exclude service_account from AI Studio endpoint selection (Vertex cannot serve generativelanguage.googleapis.com)
- Feature: add model restriction/mapping UI for service_account in EditAccountModal
- Dedup: extract VERTEX_LOCATION_OPTIONS to shared constants
- i18n: replace all hardcoded Chinese strings in Vertex UI with translation keys

frontend/src/i18n/locales/en.ts

@@ -2815,6 +2815,26 @@ export default {
       claudeConsole: 'Claude Console',
       bedrockLabel: 'AWS Bedrock',
       bedrockDesc: 'SigV4 / API Key',
+      vertexLabel: 'Vertex',
+      vertexDesc: 'Service Account',
+      vertexAnthropicHint: 'Use a Google Cloud Service Account JSON to call Anthropic Claude via Vertex AI. It is recommended to configure model mapping to map client Claude model names to Vertex model IDs.',
+      vertexGeminiHint: 'Use a Google Cloud Service Account JSON to access Vertex AI Gemini. It is recommended to place Vertex accounts in a separate group to avoid mixing with AI Studio/Gemini OAuth on the same models.',
+      vertexSaJsonLabel: 'Service Account JSON',
+      vertexSaJsonLoaded: 'Service Account JSON loaded',
+      vertexSaJsonDrop: 'Drop Service Account JSON here',
+      vertexSaJsonKeyHidden: 'Key content is not displayed in the form.',
+      vertexSaJsonDropHint: 'Drag a .json file here, or click the button to select one.',
+      vertexSaJsonSelectBtn: 'Select JSON',
+      vertexSaJsonUploadHint: 'After uploading or dropping a JSON file, the project_id will be auto-extracted. Key content is only used for account creation.',
+      vertexSaJsonEditHint: 'Service Account JSON is not shown on the edit page; to change the JSON, delete the account and recreate it.',
+      vertexProjectIdPlaceholder: 'Auto-extracted from JSON',
+      vertexLocationHint: 'Available locations vary by Vertex model. Select the default endpoint location for this account.',
+      vertexLocationRequired: 'Please enter a Vertex location',
+      vertexSaJsonMissingFields: 'Service Account JSON is missing project_id, client_email, or private_key',
+      vertexSaJsonMissingProjectId: 'Service Account JSON is missing project_id',
+      vertexSaJsonMissingClientEmail: 'Service Account JSON is missing client_email',
+      vertexSaJsonInvalid: 'Service Account JSON format is invalid',
+      vertexSaJsonRequired: 'Please upload a Service Account JSON',
       oauthSetupToken: 'OAuth / Setup Token',
       addMethod: 'Add Method',
       setupTokenLongLived: 'Setup Token (Long-lived)',

frontend/src/i18n/locales/zh.ts

@@ -2963,6 +2963,26 @@ export default {
       claudeConsole: 'Claude Console',
       bedrockLabel: 'AWS Bedrock',
       bedrockDesc: 'SigV4 / API Key',
+      vertexLabel: 'Vertex',
+      vertexDesc: 'Service Account',
+      vertexAnthropicHint: '使用 Google Cloud Service Account JSON 通过 Vertex AI 调用 Anthropic Claude。建议配置模型映射，将客户端 Claude 模型名映射到 Vertex 模型 ID。',
+      vertexGeminiHint: '使用 Google Cloud Service Account JSON 访问 Vertex AI Gemini。建议将 Vertex 账号放入独立分组，避免和 AI Studio/Gemini OAuth 同模型混调。',
+      vertexSaJsonLabel: 'Service Account JSON',
+      vertexSaJsonLoaded: '已读取 Service Account JSON',
+      vertexSaJsonDrop: '拖入 Service Account JSON',
+      vertexSaJsonKeyHidden: '密钥内容不会在表单中显示。',
+      vertexSaJsonDropHint: '把 .json 文件拖到这里，或点击按钮选择文件。',
+      vertexSaJsonSelectBtn: '选择 JSON',
+      vertexSaJsonUploadHint: '上传或拖入 JSON 后会自动读取 project_id，密钥内容仅用于创建账号提交。',
+      vertexSaJsonEditHint: 'Service Account JSON 不在编辑页显示；需要更换 JSON 时请删除账号后重新创建。',
+      vertexProjectIdPlaceholder: '从 JSON 自动读取',
+      vertexLocationHint: '不同 Vertex 模型可用 location 可能不同，这里选择账号默认 endpoint location。',
+      vertexLocationRequired: '请填写 Vertex location',
+      vertexSaJsonMissingFields: 'Service Account JSON 缺少 project_id、client_email 或 private_key',
+      vertexSaJsonMissingProjectId: 'Service Account JSON 缺少 project_id',
+      vertexSaJsonMissingClientEmail: 'Service Account JSON 缺少 client_email',
+      vertexSaJsonInvalid: 'Service Account JSON 格式无效',
+      vertexSaJsonRequired: '请上传 Service Account JSON',
       oauthSetupToken: 'OAuth / Setup Token',
       addMethod: '添加方式',
       setupTokenLongLived: 'Setup Token（长期有效）',