win
85ed193ff0
feat(tls): update all DoWithTLS call sites to the new three-mode signature
- DoWithTLS signature change: (bool/profile) → (TLSMode, profile)
- All callers pass account.GetTLSMode() to support the three modes node/utls/off
- gateway_service.go, gemini_messages_compat and forward_as_* all updated
- ClaudeUsageFetchOptions in claude_usage_service gains a TLSMode field
- Added decompressResponseBody (gzip/brotli/deflate) to http_upstream.go
- Added antigravity_privacy_service.go (setAntigravityPrivacy)
- admin_service gains ForceOpenAIPrivacy/EnsureAntigravityPrivacy/ForceAntigravityPrivacy
- antigravity.Client gains the SetUserSettings/FetchUserInfo APIs
2026-03-27 22:29:17 +08:00
shaw
574fa9dfbd
feat(tls-fingerprint): add database-managed TLS fingerprint Profiles and code quality improvements
New features:
- Add TLS fingerprint Profile CRUD management (Ent schema + migration + Admin API + frontend management UI)
- Accounts can bind a custom TLS Profile stored in the database, or pick one at random (profile_id=-1)
- HTTPUpstream.DoWithTLS changed from bool to *tlsfingerprint.Profile, supporting per-account Profile selection
- AccountUsageService injects TLSFingerprintProfileService, unifying Profile resolution between the usage path and the gateway
Code cleanup:
- Remove the dead code in registry.go (418 lines), fully superseded by TLSFingerprintProfileService
- Extract the duplicated TLS handshake logic of the 3 dialers into a shared performTLSHandshake() function
- Fix a bug where GetTLSFingerprintProfileID did not handle json.Number
- In gateway_service.Forward, ResolveTLSProfile is resolved once into a local variable instead of being called repeatedly inside the retry loop
- Remove the redundant one-line buildClientHelloSpec() wrapper and the no-op int64(e.ID) conversion
- Switch tls_fingerprint_profile_cache.go logging from log.Printf to structured slog logging
- Add a //go:build integration tag to dialer_capture_test.go to prevent CI failures
- Deduplicate the TestProfileExpectation type into the shared test_types_test.go
- Fix compile errors in 9 test files that were missing the tlsfingerprint import
- Fix the handleError callback signature that had been wrongly replaced in error_policy_integration_test.go
2026-03-27 22:00:07 +08:00
win
088a508e60
fix: comprehensive Gemini CLI fingerprint fixes
- User-Agent: GeminiCLI/0.1.5 → GeminiCLI/0.33.1/{model} ({platform}; {arch})
  Format, version and casing all aligned with the real Gemini CLI 0.33.1
- Add x-goog-api-client: gl-node/24.13.1 (matches google-auth-library DefaultTransporter)
- ideType: ANTIGRAVITY → IDE_UNSPECIFIED (fixes identity leakage; the real Gemini CLI uses IDE_UNSPECIFIED)
- Token exchange/refresh: add the google-api-nodejs-client UA + x-goog-api-client
- The version number can be overridden via the GEMINI_CLI_VERSION environment variable
2026-03-27 13:07:18 +08:00
win
ffe6a5e331
feat: 100% Antigravity fingerprint reproduction + BoringCrypto TLS
Antigravity:
- Client ID keeps dual-ID support (binary confirms both exist)
- Daily URL drops the .sandbox suffix (confirmed from logs)
- Redirect URI /callback → /oauth-callback (confirmed in extension.js)
- User-Agent with dynamic OS/arch: antigravity/{ver} {os}/{arch}
- Add x-goog-api-client: gl-go/{goVer} gax-go/v2 grpc-go/1.81.0-dev
- googleapis no longer goes through the Node.js proxy → Go native TLS (matches the real BoringCrypto)
- Add a Go backend heartbeat service (loadCodeAssist + fetchAvailableModels every 5 minutes)
- Dockerfile switched to a BoringCrypto build (CGO_ENABLED=1 GOEXPERIMENT=boringcrypto)
GeminiCLI:
- Dynamic User-Agent: GeminiCLI/0.1.5 ({OS}; {ARCH})
- AI Studio requests now carry a User-Agent
Claude:
- CLI version 2.1.84, package version 0.74.0, runtime v24.3.0
- Token exchange axios/1.13.6, timeout 15s
- proxy.js only serves api.anthropic.com (Claude-only)
Architecture changes:
- The Node.js proxy is used only for Claude (api.anthropic.com)
- Antigravity (googleapis) goes through Go native HTTP + GOST proxy
- TLS fingerprint: Go BoringCrypto ≈ real Antigravity BoringCrypto
2026-03-27 02:24:03 +08:00
win
8c6e578a84
feat: IP-management proxies and node-tls-proxy fingerprint spoofing coexist
- Do()/DoWithTLS() drop the proxyURL=="" condition; requests go through node-tls-proxy even when a proxy is bound
- doViaNodeTLSProxy passes the account's proxy to node-tls-proxy via the X-Upstream-Proxy header
- node-tls-proxy supports a per-request dynamic upstream proxy: X-Upstream-Proxy takes precedence, falling back to the global UPSTREAM_PROXY
- Result: IP management = the landing host's network; fingerprint spoofing still takes effect after an account binds a proxy
2026-03-26 14:00:17 +08:00
win
e5d78f8e56
refactor: consolidate custom code into the antigravity/ directory and *_antigravity.go files
- antigravity/node-tls-proxy/ ← formerly tools/node-tls-proxy
- antigravity/firewall/ ← formerly tools/firewall
- antigravity/maintenance/ ← formerly tools/maintenance
- repository/http_upstream_antigravity.go ← the 3 Node.js proxy methods (formerly in http_upstream.go)
- service/identity_service_antigravity.go ← ApplyDefaultFingerprintOverrides + NewIdentityServiceWithSalt
- service/account_antigravity.go ← Gemini TLS fingerprint extension functions
Hook calls into the upstream file http_upstream.go reduced to 2 if blocks (14 lines in total)
The Gemini branch in the upstream file account.go reduced to a single function call
Makes custom changes easy to identify and preserve during upstream rebases
2026-03-25 11:37:27 +08:00
win
44539d5b32
feat: Antigravity (googleapis.com) also goes through the Node.js TLS proxy, eliminating the Go fingerprint
2026-03-25 11:37:27 +08:00
win
3c8ffd3efc
fix: Critical fixes from the dual-model review
1. Sora session_key isolated per accountID (eliminates cross-account fingerprint correlation)
2. Sora accounts with a per-account proxy skip the sidecar (preserving the proxy IP)
3. Request body transported base64-encoded (prevents binary data corruption)
4. Node.js proxy Body copied safely via GetBody (fixes Body exhaustion on retry)
2026-03-25 11:37:27 +08:00
win
4a92f1903f
fix: 3 bugs from the architecture review
1. instanceSalt empty-value compatibility: when the salt is empty, keep the original hash format unchanged
   Avoids all user_id hashes changing after an upgrade and triggering Anthropic detection
2. doViaNodeTLSProxy clones the request: the original req object is no longer modified
   Fixes request failures on retry caused by the URL having already been rewritten
3. Sora doSoraBackendJSON was missed: add the sidecar routing
2026-03-25 11:37:27 +08:00
win
99c77c4641
fix: accounts with a per-account proxy do not go through the Node.js proxy, preventing IP changes from triggering risk controls
2026-03-25 11:37:27 +08:00
win
4bca447e33
fix: Node.js TLS proxy only intercepts api.anthropic.com, fixing Sora 404
2026-03-25 11:37:27 +08:00
win
d38b672d54
fix: Node.js TLS proxy only intercepts Anthropic requests (DoWithTLS path)
- Do() drops the Node.js proxy interception; Antigravity/Google requests take the original path
- Only DoWithTLS with enableTLSFingerprint=true goes through the Node.js proxy
- Split by platform: Anthropic → Node.js native TLS, Google → existing uTLS/direct connection
2026-03-25 11:37:27 +08:00
win
0086cfdfe8
fix: Node.js TLS proxy applies to all HTTPS upstreams, remove the host whitelist
- Remove the proxy_hosts whitelist restriction and shouldRouteViaNodeProxy
- All HTTPS upstream requests uniformly go through the Node.js proxy
- Target host identified dynamically via X-Forwarded-Host
- Anthropic / Gemini / any upstream adapt automatically
- Remove diagnostic logging (the problem has been located)
2026-03-25 11:37:27 +08:00
win
cb035e4637
diag: add diagnostic logging on the DoWithTLS path as well
2026-03-25 11:37:27 +08:00
win
47fba12a75
fix: Node.js TLS proxy filters by the proxy_hosts whitelist + diagnostic logging
- Add proxy_hosts config: a configurable list of hosts that should go through the Node.js proxy
- Defaults to proxying only api.anthropic.com; Gemini/Sora take the original path
- Add warn-level diagnostic logs outputting the request's scheme/host/hostname/should_route
- Used to locate why Anthropic requests were not hitting the Node.js proxy
2026-03-25 11:37:27 +08:00
win
45c90b22eb
fix: Node.js TLS proxy filters by host whitelist, Gemini takes the original path
- Add proxy_hosts config: whitelisted hosts go through the Node.js proxy
- Defaults to proxying only api.anthropic.com
- Non-Anthropic requests such as Gemini/Sora automatically take the existing uTLS path
- Resolves the socket hang up problem when Gemini requests go through the Node.js proxy
2026-03-25 11:37:27 +08:00
win
5de1618e08
fix: Node.js TLS proxy dynamically identifies the upstream host
- Go: pass the original target host to the Node.js proxy via X-Forwarded-Host
- Node.js: read X-Forwarded-Host and dynamically connect to the correct upstream host
- All HTTPS upstream requests uniformly go through the proxy, no longer hard-bound to api.anthropic.com
- Different upstreams such as Gemini/Sora are identified automatically, no manual configuration needed
2026-03-25 11:37:27 +08:00
win
71a068c193
fix: Node.js TLS proxy applies to all HTTPS upstream requests
The Do() method now checks for the Node.js proxy and no longer depends on the
account-level TLS fingerprint switch. When node_tls_proxy.enabled=true, all HTTPS
upstream requests uniformly go through the Node.js proxy, ensuring consistent JA3/JA4 fingerprints.
2026-03-25 11:37:26 +08:00
win
8cac4269aa
feat: Node.js TLS fingerprint proxy + network isolation against leaks
- Add Node.js TLS Forward Proxy (tools/node-tls-proxy/)
  Upstream HTTPS is initiated by the native Node.js TLS stack, so JA3/JA4 naturally match Claude CLI
  SSE streaming passthrough, supports an upstream HTTP CONNECT proxy
  Zero dependencies, pinned to Node.js 24.13.0
- Go integration (config.go + http_upstream.go)
  Add the NodeTLSProxyConfig configuration
  DoWithTLS prefers the Node.js proxy mode, rewriting the URL https→http://localhost:3456
- Docker network isolation (docker-compose.tls-proxy.yml)
  The sub2api container sits only on an internal network, physically isolated from the Internet
  node-tls-proxy is the only outbound channel; IPv6 disabled at the kernel level
- iptables anti-leak script (tools/firewall/)
  QUIC/UDP 443 globally DROPped; only the nodeproxy user may make outbound TCP 443
- Image switched to the zfc931912343/ repository
2026-03-25 11:37:26 +08:00
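The commits above describe the Go side of the Node.js TLS proxy handoff in pieces: the https→http://localhost:3456 URL rewrite, the X-Forwarded-Host header that tells the proxy the real upstream, the X-Upstream-Proxy header that carries a per-account egress proxy, cloning the request so retries start from a pristine URL, and re-reading the body through GetBody so a retry does not find it exhausted. The following is an added example that stitches those pieces into one function; it is not sub2api's own doViaNodeTLSProxy, and the loopback address, the function name and the constructed sample request are assumptions.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"strings"
)

// nodeProxyAddr is the local node-tls-proxy listener; the port follows the
// "https→http://localhost:3456" rewrite from the commit (assumption: loopback only).
const nodeProxyAddr = "127.0.0.1:3456"

// RewriteForNodeTLSProxy returns a clone of req aimed at the local Node.js TLS
// proxy. The original target host travels in X-Forwarded-Host and the account's
// own egress proxy, if any, in X-Upstream-Proxy (header names from the commits).
// req itself is never mutated, so a retry loop can call this again on the
// pristine request instead of re-rewriting an already rewritten URL.
func RewriteForNodeTLSProxy(req *http.Request, accountProxy string) (*http.Request, error) {
	if req.URL == nil || req.URL.Scheme != "https" {
		return nil, fmt.Errorf("node tls proxy only fronts https upstreams, got %v", req.URL)
	}
	out := req.Clone(req.Context())
	if out.Header == nil {
		out.Header = make(http.Header)
	}
	u := *req.URL // copy the URL, then point the copy at the local proxy
	u.Scheme = "http"
	u.Host = nodeProxyAddr
	out.URL = &u
	out.Host = "" // the transport derives Host from out.URL; the real host is forwarded below
	out.Header.Set("X-Forwarded-Host", req.URL.Host)
	if accountProxy != "" {
		out.Header.Set("X-Upstream-Proxy", accountProxy)
	} else {
		out.Header.Del("X-Upstream-Proxy") // proxy falls back to its global UPSTREAM_PROXY
	}
	// Clone shares the Body reader; take a fresh copy so the original request
	// can still be replayed (this is the "Body exhaustion on retry" fix).
	if req.Body != nil && req.Body != http.NoBody {
		if req.GetBody == nil {
			return nil, fmt.Errorf("request body is not replayable (GetBody is nil)")
		}
		body, err := req.GetBody()
		if err != nil {
			return nil, err
		}
		out.Body = body
	}
	return out, nil
}

// ReadBody drains a request body so the example can show it survives rewriting.
func ReadBody(r *http.Request) (string, error) {
	b, err := io.ReadAll(r.Body)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

func main() {
	// Constructed sample: a Claude messages call with a JSON body (not real traffic).
	payload := `{"model":"claude-3-5-sonnet","max_tokens":8,"messages":[]}`
	req, _ := http.NewRequest(http.MethodPost, "https://api.anthropic.com/v1/messages", strings.NewReader(payload))
	req.Header.Set("Content-Type", "application/json")

	for attempt := 1; attempt <= 2; attempt++ { // two attempts from the same pristine req
		out, err := RewriteForNodeTLSProxy(req, "socks5://10.0.0.5:1080")
		if err != nil {
			panic(err)
		}
		body, _ := ReadBody(out)
		fmt.Printf("attempt %d -> %s X-Forwarded-Host=%s X-Upstream-Proxy=%s body=%d bytes\n",
			attempt, out.URL, out.Header.Get("X-Forwarded-Host"), out.Header.Get("X-Upstream-Proxy"), len(body))
	}
	fmt.Println("original still:", req.URL) // unchanged https URL
}
```

A proxy that honours X-Forwarded-Host and X-Upstream-Proxy from any client is an open forwarder, so the listener must only be reachable from the Go service; the internal-only compose network and iptables rules in the commit above are what enforce that.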
Wesley Liddick
c7137dffa8
Merge pull request #1218 from LvyuanW/openai-runtime-recheck
fix(openai): prevent rescheduling rate-limited accounts
2026-03-24 15:21:18 +08:00
Wesley Liddick
68d7ec9155
Merge pull request #1220 from weak-fox/feat/account-privacy-mode-filter
feat: admin account list supports filtering by Privacy status
2026-03-24 15:18:30 +08:00
weak-fox
4838ab74b3
feat(admin): add account privacy mode filter
2026-03-23 10:16:52 +08:00
Wang Lvyuan
ad7c10727a
fix(account): preserve runtime state during credentials-only updates
2026-03-23 03:49:28 +08:00
Ethan0x0000
a2418c6040
feat(ops): adapt repository INSERT/SELECT + add setOpsEndpointContext in error logger middleware
2026-03-21 23:38:00 +08:00
Ethan0x0000
9259dcb6f5
test(repo): cover requested model repository semantics
Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-openagent)
Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
2026-03-21 01:23:20 +08:00
Ethan0x0000
7ef933c7cf
feat(repo): persist requested model in usage log queries
Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-openagent)
Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
2026-03-21 01:22:49 +08:00
Wesley Liddick
9a88df7f28
Merge pull request #1167 from touwaeriol/pr/proxy-fast-fail
fix(antigravity): fast-fail on proxy unavailable, temp-unschedule account
2026-03-20 09:12:39 +08:00
erio
528ff5d28c
fix(antigravity): fast-fail on proxy unavailable, temp-unschedule account
## Problem
When a proxy is unreachable, token refresh retries up to 4 times with
30s timeout each, causing requests to hang for ~2 minutes before
failing with a generic 502 error. The failed account is not marked,
so subsequent requests keep hitting it.
## Changes
### Proxy connection fast-fail
- Set TCP dial timeout to 5s and TLS handshake timeout to 5s on
antigravity client, so proxy connectivity issues fail within 5s
instead of 30s
- Reduce overall HTTP client timeout from 30s to 10s
- Export `IsConnectionError` for service-layer use
- Detect proxy connection errors in `RefreshToken` and return
immediately with "proxy unavailable" error (no retries)
### Token refresh temp-unschedulable
- Add 8s context timeout for token refresh on request path
- Mark account as temp-unschedulable for 10min when refresh fails
(both background `TokenRefreshService` and request-path
`GetAccessToken`)
- Sync temp-unschedulable state to Redis cache for immediate
scheduler effect
- Inject `TempUnschedCache` into `AntigravityTokenProvider`
### Account failover
- Return `UpstreamFailoverError` on `GetAccessToken` failure in
`Forward`/`ForwardGemini` to trigger handler-level account switch
instead of returning 502 directly
### Proxy probe alignment
- Apply same 5s dial/TLS timeout to shared `httpclient` pool
- Reduce proxy probe timeout from 30s to 10s
2026-03-19 23:48:37 +08:00
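The fast-fail commit above states the budgets (5s dial, 5s TLS handshake, 10s client timeout, 8s refresh context, 10 minutes temp-unschedulable) and the control flow (classify connection errors, do not retry, mark the account) but not the code. The following is an added example of that control flow in Go; it is not the project's antigravity client or its `IsConnectionError`, and the in-memory `TempUnschedCache`, the function names and the unreachable proxy address used in `main` are assumptions standing in for the Redis-backed cache the commit describes.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"sync"
	"syscall"
	"time"
)

// Budgets taken from the commit message.
const (
	dialTimeout     = 5 * time.Second
	tlsTimeout      = 5 * time.Second
	clientTimeout   = 10 * time.Second
	refreshBudget   = 8 * time.Second
	unschedDuration = 10 * time.Minute
)

// ErrProxyUnavailable marks a connection-layer failure; callers skip retries
// and fail over to another account instead of returning a generic 502.
var ErrProxyUnavailable = errors.New("proxy unavailable")

// NewFastFailClient builds an http.Client that routes through proxyURL (nil for
// direct) and gives up within seconds when the proxy is unreachable.
func NewFastFailClient(proxyURL *url.URL) *http.Client {
	dialer := &net.Dialer{Timeout: dialTimeout}
	tr := &http.Transport{DialContext: dialer.DialContext, TLSHandshakeTimeout: tlsTimeout}
	if proxyURL != nil {
		tr.Proxy = http.ProxyURL(proxyURL)
	}
	return &http.Client{Transport: tr, Timeout: clientTimeout}
}

// IsConnectionError distinguishes transport failures (refused, unreachable,
// dial or handshake timeout) from application errors such as a bad JSON body.
func IsConnectionError(err error) bool {
	if err == nil {
		return false
	}
	if errors.Is(err, syscall.ECONNREFUSED) || errors.Is(err, syscall.EHOSTUNREACH) ||
		errors.Is(err, syscall.ENETUNREACH) || errors.Is(err, context.DeadlineExceeded) {
		return true
	}
	var opErr *net.OpError
	if errors.As(err, &opErr) {
		return true
	}
	var netErr net.Error
	return errors.As(err, &netErr) && netErr.Timeout()
}

// RefreshTokenOnce makes exactly one refresh attempt under the 8s request-path
// budget. A connection failure comes back wrapped in ErrProxyUnavailable.
func RefreshTokenOnce(ctx context.Context, client *http.Client, refreshURL string) (int, error) {
	ctx, cancel := context.WithTimeout(ctx, refreshBudget)
	defer cancel()
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, refreshURL, nil)
	if err != nil {
		return 0, err
	}
	resp, err := client.Do(req)
	if err != nil {
		if IsConnectionError(err) {
			return 0, fmt.Errorf("%w: %v", ErrProxyUnavailable, err)
		}
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// TempUnschedCache is an in-memory stand-in (assumption) for the Redis-backed
// cache the commit injects into the token provider.
type TempUnschedCache struct {
	mu    sync.Mutex
	until map[string]time.Time
}

func NewTempUnschedCache() *TempUnschedCache {
	return &TempUnschedCache{until: make(map[string]time.Time)}
}

// Mark makes accountID unschedulable until now+d.
func (c *TempUnschedCache) Mark(accountID string, d time.Duration) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.until[accountID] = time.Now().Add(d)
}

// IsUnschedulable reports whether the scheduler should skip accountID right now.
func (c *TempUnschedCache) IsUnschedulable(accountID string) bool {
	c.mu.Lock()
	defer c.mu.Unlock()
	return time.Now().Before(c.until[accountID])
}

func main() {
	// Constructed: a loopback port with nothing listening, so the dial is refused at once.
	proxyURL, _ := url.Parse("http://127.0.0.1:9")
	client, cache := NewFastFailClient(proxyURL), NewTempUnschedCache()
	start := time.Now()
	_, err := RefreshTokenOnce(context.Background(), client, "http://oauth.example/token")
	if errors.Is(err, ErrProxyUnavailable) {
		cache.Mark("acct-1", unschedDuration)
	}
	fmt.Printf("refresh err=%v after %s; acct-1 unschedulable=%v\n",
		err, time.Since(start).Round(time.Millisecond), cache.IsUnschedulable("acct-1"))
}
```

The one-attempt function plus the cache mark is what keeps a dead proxy from costing four 30s retries per request; the scheduler consults the cache before picking the account again.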
QTom
ba7d2aecbb
feat(admin): user management gains a group column, group filter and one-click replacement of exclusive groups
- New group column: shows the user's exclusive/public groups, with hover to view details
- New group filter: filter users by dropdown selection or fuzzy search on group name
- Exclusive group replacement: clicking an exclusive group opens an action menu; after the target group is chosen,
  the new group's permission is granted automatically, bound Keys are migrated and the old group's permission is removed
- Backend adds a POST /admin/users/:id/replace-group endpoint that completes the group replacement
  inside a transaction and invalidates the auth cache
2026-03-19 22:27:55 +08:00
Wesley Liddick
dc447ccebe
Merge pull request #1153 from hging/main
feat: add ungrouped filter to account
2026-03-19 21:55:28 +08:00
shaw
525cdb8830
feat: passive usage sampling for Anthropic accounts, page shows passive data by default
Passively collect 5h/7d utilization from upstream /v1/messages response headers and store it in
Account.Extra; on page load, read the local data directly instead of calling the external Usage API.
Users can click the "Query" button to actively fetch the latest data; active query results are written back to the passive cache.
Backend:
- UpdateSessionWindow merges the collected 5h + 7d headers into a single DB write
- Add GetPassiveUsage, building UsageInfo from Extra (reusing estimateSetupTokenUsage)
- After an active query, GetUsage calls syncActiveToPassive to write back to the passive cache
- The passive_usage_ prefix is registered as scheduler-neutral
Frontend:
- Anthropic accounts default to source=passive on mount/refresh
- Add a "passive sampling" tag and a "Query" button (with loading animation)
2026-03-19 17:42:59 +08:00
Hg
8027531d07
feat: add ungrouped filter to account
2026-03-19 15:42:21 +08:00
Ethan0x0000
cfaac12af1
Merge upstream/main into pr/upstream-model-tracking
Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-openagent)
Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
2026-03-18 14:16:50 +08:00
Wesley Liddick
6c02076333
Merge pull request #1106 from geminiwen/feat/subscription-platform-filter
feat: add platform type filter to subscription management
2026-03-18 11:32:35 +08:00
Gemini Wen
1ac7219a92
fix: add missing platform parameter to List calls in integration tests
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 10:35:03 +08:00
QTom
d4cc9871c4
feat(admin): group management gains a capacity column (real-time aggregate of concurrency/sessions/RPM)
Reuse GroupCapacityService to add a capacity column to the admin group list,
showing each group's real-time concurrency/session/RPM usage and limits.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 10:06:35 +08:00
QTom
961c30e7c0
feat(admin): group management list gains usage columns and an account count breakdown
Group management list enhancements:
1. Today/cumulative usage columns:
   - Add a separate endpoint GET /admin/groups/usage-summary
   - A single query returns today's cost and the cumulative cost (actual_cost) for all groups
   - The frontend loads it asynchronously and merges it into the group list
2. Account count split into available/rate-limited/total:
   - The account count column changes from a single total to a multi-line badge
   - Available: accounts that are active + schedulable (green)
   - Rate-limited: accounts in rate_limit/overload/temp_unschedulable (orange, hidden when there are none)
   - Total: all associated accounts
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 10:06:35 +08:00
Gemini Wen
50a3c7fa0b
feat: add platform type filter to subscription management page
Add a platform filter dropdown to the admin subscriptions view, allowing
filtering subscriptions by platform (Anthropic, OpenAI, Gemini, etc.)
through the group association.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 09:23:19 +08:00
Ethan0x0000
eeff451bc5
test(backend): add tests for upstream model tracking and model source filtering
Cover IsValidModelSource/NormalizeModelSource, resolveModelDimensionExpression SQL expressions, invalid model_source 400 responses on both GetModelStats and GetUserBreakdown, upstream_model in scan/insert SQL mock expectations, and updated passthrough/billing test signatures.
2026-03-17 19:26:30 +08:00
Ethan0x0000
7134266acf
feat(dashboard): add model source dimension to stats queries
Support querying model statistics by 'requested', 'upstream', or 'mapping' dimension. Add resolveModelDimensionExpression for safe SQL expression generation, IsValidModelSource whitelist validator, and NormalizeModelSource fallback. Repository persists and scans upstream_model in all insert/select paths.
2026-03-17 19:25:52 +08:00
Wesley Liddick
6cf77040e7
Merge pull request #1075 from touwaeriol/feat/dashboard-user-breakdown
feat(dashboard): add per-user drill-down for distribution charts
2026-03-17 09:25:43 +08:00
erio
e0286e5085
test(dashboard): add unit tests for user-breakdown API
Handler tests (9 cases): group_id/model/endpoint filters, default
endpoint_type, custom limit, limit clamping, response format,
empty result, no-filter pass-through.
Repository test: resolveEndpointColumn mapping for inbound/upstream/path.
2026-03-17 00:47:33 +08:00
erio
4b41e898a4
feat(dashboard): add per-user drill-down for group, model, and endpoint distributions
Click on a group name, model name, or endpoint name in the distribution
tables to expand and show per-user usage breakdown (requests, tokens,
actual cost, standard cost).
Backend: new GET /admin/dashboard/user-breakdown API with group_id,
model, endpoint, endpoint_type filters.
Frontend: clickable rows with expand/collapse sub-table in all three
distribution charts.
2026-03-17 00:47:20 +08:00
QTom
c1fab7f8d8
feat(backup): make backup/restore asynchronous, fixing 504 timeouts
POST /backups and POST /backups/:id/restore become asynchronous: they return HTTP 202 immediately,
a background goroutine independently runs pg_dump → gzip → S3 upload, and the frontend polls the status every 2s.
Backend:
- Add StartBackup/StartRestore methods; the background goroutine does not depend on the HTTP connection
- Graceful shutdown waits for active operations to finish; orphaned running records are cleaned up at startup
- BackupRecord gains progress/restore_status fields for progress and restore-status tracking
Frontend:
- After creating a backup/restore, poll GET /backups/:id until completion or failure
- Polling pauses/resumes on tab switch; timers are cleared on component unmount
- Correctly handle 409 (backup in progress) and polling timeouts
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-16 20:22:10 +08:00
erio
67c0506290
fix(billing): add window expiration check to Redis rate limit Lua script
The updateRateLimitUsageScript Lua script previously performed
unconditional HINCRBYFLOAT on all usage counters without checking
whether the rate limit window had expired. This caused usage to
accumulate across window boundaries in Redis while the DB correctly
reset on expiration, leading to incorrect 429 rate limiting that
could persist for up to 24 hours.
The Lua script now checks each window timestamp before incrementing:
- If the window has expired, usage is reset to the current cost and
the window timestamp is updated (matching DB-side semantics)
- If the window is still valid, usage is accumulated normally
This also resolves the async race condition where stale HINCRBYFLOAT
tasks from the worker queue could pollute a freshly rebuilt cache
after invalidation, since the script now self-corrects expired windows.
Closes #1049
2026-03-16 13:39:50 +08:00
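The commit above explains the window-expiry bug in prose: an unconditional HINCRBYFLOAT lets usage bleed across a window boundary in Redis while the database resets, so a key can sit at 429 for up to a day. The following is an added example, not the project's updateRateLimitUsageScript: a Redis Lua script of the corrected shape (field names and argument layout are assumptions) together with a Go model of the same reset-or-accumulate rule beside the legacy accumulate-always rule, run over constructed costs so the divergence is visible.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// updateRateLimitUsageScript is the corrected script shape (assumption: the
// hash layout is illustrative). Running it inside Redis keeps the expiry check
// and the increment atomic, so a stale queued increment cannot race a rebuild.
// ARGV[1] = cost, ARGV[2] = now (unix seconds), ARGV[3..] = (usageField, windowField, windowSeconds) triples.
const updateRateLimitUsageScript = `
local cost = tonumber(ARGV[1])
local now  = tonumber(ARGV[2])
for i = 3, #ARGV, 3 do
  local usageField, windowField, windowLen = ARGV[i], ARGV[i+1], tonumber(ARGV[i+2])
  local startedAt = tonumber(redis.call('HGET', KEYS[1], windowField))
  if startedAt == nil or now - startedAt >= windowLen then
    redis.call('HSET', KEYS[1], usageField, cost, windowField, now)   -- expired: reset to this cost
  else
    redis.call('HINCRBYFLOAT', KEYS[1], usageField, cost)             -- live: accumulate
  end
end
return 1`

// Window is one rolling limit (daily, weekly, ...) as the hash would store it.
type Window struct {
	Usage     float64
	StartedAt time.Time // zero value means the window has never started
	Length    time.Duration
	Limit     float64
}

// ApplyCost mirrors the corrected script in Go: a window whose timestamp has
// expired is reset to the current cost; a live window accumulates.
func ApplyCost(ws map[string]*Window, cost float64, now time.Time) {
	for _, w := range ws {
		if w.StartedAt.IsZero() || !now.Before(w.StartedAt.Add(w.Length)) {
			w.Usage = cost
			w.StartedAt = now
		} else {
			w.Usage += cost
		}
	}
}

// ApplyCostLegacy mirrors the pre-fix behaviour: unconditional HINCRBYFLOAT,
// so usage survives the window boundary until something rebuilds the cache.
func ApplyCostLegacy(ws map[string]*Window, cost float64) {
	for _, w := range ws {
		w.Usage += cost
	}
}

// Exceeded returns, sorted, the windows whose usage is at or over their limit.
func Exceeded(ws map[string]*Window) []string {
	var out []string
	for name, w := range ws {
		if w.Usage >= w.Limit {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	t0 := time.Date(2026, 3, 16, 0, 0, 0, 0, time.UTC)
	fixed := map[string]*Window{"daily": {Length: 24 * time.Hour, Limit: 10}, "weekly": {Length: 7 * 24 * time.Hour, Limit: 50}}
	legacy := map[string]*Window{"daily": {Length: 24 * time.Hour, Limit: 10}, "weekly": {Length: 7 * 24 * time.Hour, Limit: 50}}
	// Constructed traffic: 6 units of cost, then 6 more one day later (daily window expired, weekly still live).
	for _, step := range []struct {
		at   time.Time
		cost float64
	}{{t0, 6}, {t0.Add(25 * time.Hour), 6}} {
		ApplyCost(fixed, step.cost, step.at)
		ApplyCostLegacy(legacy, step.cost)
	}
	fmt.Printf("fixed:  daily=%.0f weekly=%.0f exceeded=%v\n", fixed["daily"].Usage, fixed["weekly"].Usage, Exceeded(fixed))
	fmt.Printf("legacy: daily=%.0f weekly=%.0f exceeded=%v\n", legacy["daily"].Usage, legacy["weekly"].Usage, Exceeded(legacy))
}
```

The legacy model reports the daily limit as exceeded on day two although only 6 units were spent that day; the corrected model agrees with what the database would compute after its own expiry reset.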
Wesley Liddick
94e067a2e2
Merge pull request #1040 from 0xObjc/codex/fix-user-spending-ranking-others
fix(admin): polish spending ranking and usage defaults
2026-03-16 09:19:46 +08:00
Peter
8147866c09
fix(admin): polish spending ranking and usage defaults
2026-03-16 00:17:47 +08:00
Ethan0x0000
c637e6cf31
fix: use half-open date ranges for DST-safe usage queries
Replace t.Add(24*time.Hour - time.Nanosecond) with t.AddDate(0, 0, 1) and use SQL < instead of <= for end-of-day boundaries. This avoids edge-case misses around DST transitions.
Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode)
Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
2026-03-15 22:13:12 +08:00
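The DST commit above gives the replacement (`t.AddDate(0, 0, 1)` with `<`) and the pattern it replaced (`t.Add(24*time.Hour - time.Nanosecond)` with `<=`) but does not show the rows that go missing. The following is an added example, not the project's query code, that computes both sets of bounds for the two 2024 US transition days in America/New_York (the zone and the constructed usage timestamps are assumptions) and counts the rows the legacy bounds drop or double-count.

```go
package main

import (
	"fmt"
	"time"
	_ "time/tzdata" // embed the zone database so the example runs on minimal images
)

// DayRange returns the half-open bounds [start, end) of the local calendar day
// containing t. AddDate walks the calendar, so across a DST change the day is
// 23 or 25 wall-clock hours long; the SQL must compare with "< end", never "<= end".
func DayRange(t time.Time) (start, end time.Time) {
	y, m, d := t.Date()
	start = time.Date(y, m, d, 0, 0, 0, 0, t.Location())
	return start, start.AddDate(0, 0, 1)
}

// LegacyDayRange is the pattern the commit replaced: start + 24h - 1ns with an
// inclusive upper bound. It silently assumes every day is exactly 24h long.
func LegacyDayRange(t time.Time) (start, end time.Time) {
	y, m, d := t.Date()
	start = time.Date(y, m, d, 0, 0, 0, 0, t.Location())
	return start, start.Add(24*time.Hour - time.Nanosecond)
}

// inHalfOpen: start <= ts < end (the corrected SQL shape).
func inHalfOpen(ts, start, end time.Time) bool { return !ts.Before(start) && ts.Before(end) }

// inClosed: start <= ts <= end (the legacy SQL shape).
func inClosed(ts, start, end time.Time) bool { return !ts.Before(start) && !ts.After(end) }

// LegacyMismatch compares both bounds over usage timestamps for the day of
// `day`: missed counts rows the legacy query drops (25-hour day), extra counts
// rows from the next day it wrongly pulls in (23-hour day).
func LegacyMismatch(day time.Time, stamps []time.Time) (missed, extra int) {
	hs, he := DayRange(day)
	ls, le := LegacyDayRange(day)
	for _, ts := range stamps {
		inFixed, inLegacy := inHalfOpen(ts, hs, he), inClosed(ts, ls, le)
		switch {
		case inFixed && !inLegacy:
			missed++
		case !inFixed && inLegacy:
			extra++
		}
	}
	return missed, extra
}

func main() {
	ny, err := time.LoadLocation("America/New_York")
	if err != nil {
		panic(err)
	}
	// Constructed usage timestamps around the 2024 US DST transitions.
	cases := []struct {
		name   string
		day    time.Time
		stamps []time.Time
	}{
		{"fall-back (25h day)", time.Date(2024, 11, 3, 12, 0, 0, 0, ny), []time.Time{time.Date(2024, 11, 3, 23, 30, 0, 0, ny)}},
		{"spring-forward (23h day)", time.Date(2024, 3, 10, 12, 0, 0, 0, ny), []time.Time{time.Date(2024, 3, 11, 0, 30, 0, 0, ny)}},
	}
	for _, c := range cases {
		_, he := DayRange(c.day)
		_, le := LegacyDayRange(c.day)
		missed, extra := LegacyMismatch(c.day, c.stamps)
		fmt.Printf("%s: half-open end=%s legacy end=%s missed=%d extra=%d\n",
			c.name, he.Format(time.RFC3339), le.Format(time.RFC3339Nano), missed, extra)
	}
}
```

On the fall-back day the legacy upper bound lands at 22:59:59.999999999 EST, so a request logged at 23:30 never appears in that day's totals; on the spring-forward day it lands at 00:59:59.999999999 EDT of the next day, so the first hour of March 11 is billed twice.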
Wesley Liddick
3084330d0c
Merge pull request #1019 from Ethan0x0000/feat/usage-endpoint-distribution
feat: add endpoint metadata and usage endpoint distribution insights
2026-03-15 16:42:03 +08:00
Ethan0x0000
eefab15958
feat: improve endpoint observability and distribution statistics for usage records
Unify the three endpoint distributions (inbound, upstream and path) into consistent card interactions on the usage records page, and fill in the endpoint metadata and statistics chain to improve troubleshooting and traffic analysis efficiency.
2026-03-15 11:26:42 +08:00