zfc/sub2api
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,456 Commits 3 Branches 0 Tags
Commit Graph

1744 Commits

Author SHA1 Message Date
win
e5d78f8e56 refactor: 将自定义代码集中到 antigravity/ 目录和 *_antigravity.go 文件
Some checks failed
CI / test (push) Failing after 39s
Details
CI / golangci-lint (push) Failing after 3s
Details
Security Scan / backend-security (push) Failing after 4s
Details
Security Scan / frontend-security (push) Failing after 3s
Details 
- antigravity/node-tls-proxy/     ← 原 tools/node-tls-proxy
- antigravity/firewall/           ← 原 tools/firewall
- antigravity/maintenance/        ← 原 tools/maintenance
- repository/http_upstream_antigravity.go  ← Node.js 代理 3 个方法(原在 http_upstream.go)
- service/identity_service_antigravity.go  ← ApplyDefaultFingerprintOverrides + NewIdentityServiceWithSalt
- service/account_antigravity.go  ← Gemini TLS 指纹扩展函数

对上游文件 http_upstream.go 的钩子调用精简为 2 处 if 块(共 14 行)
对上游文件 account.go Gemini 分支精简为 1 行函数调用
便于 upstream rebase 时快速识别和保留自定义改动
 2026-03-25 11:37:27 +08:00
win
44539d5b32 feat: Antigravity (googleapis.com) 也走 Node.js TLS 代理,消除 Go 指纹 2026-03-25 11:37:27 +08:00
win
1ccf6613e2 feat: 遥测优化 — 丰富事件 + 双批次 + model 解析 + beta 常量 2026-03-25 11:37:27 +08:00
win
068b0cbc39 revert: 移除 Sora sidecar,还原 sora_sdk_client.go 到原版 2026-03-25 11:37:27 +08:00
win
3c8ffd3efc fix: 双模型审查 Critical 修复 
1. Sora session_key 按 accountID 隔离(消除跨账号指纹关联)
2. 有 per-account 代理的 Sora 账号跳过 sidecar(保持代理 IP)
3. 请求体用 base64 编码传输(防止二进制数据损坏)
4. Node.js 代理 Body 用 GetBody 安全复制(修复重试时 Body 枯竭)
 2026-03-25 11:37:27 +08:00
win
4a92f1903f fix: 架构审查修复 3 个 bug 
1. instanceSalt 空值兼容:salt 为空时保持原始 hash 格式不变
   避免升级后所有 user_id hash 突变触发 Anthropic 检测
2. doViaNodeTLSProxy 克隆请求:不修改原始 req 对象
   修复重试时 URL 已被改写导致请求失败
3. Sora doSoraBackendJSON 漏改:补上 sidecar 路由
 2026-03-25 11:37:27 +08:00
win
99c77c4641 fix: 有 per-account 代理的账号不走 Node.js 代理,防止 IP 变化触发风控 2026-03-25 11:37:27 +08:00
win
4037eebd37 feat: Sora 请求优先走 curl_cffi sidecar(Chrome 指纹绕过 Cloudflare) 2026-03-25 11:37:27 +08:00
win
4bca447e33 fix: Node.js TLS 代理仅拦截 api.anthropic.com,修复 Sora 404 2026-03-25 11:37:27 +08:00
win
f5fdd41aea feat: 实例级隔离 — salt + 指纹版本可配置 
- 新增 gateway.instance_salt: 不同 sub2api 实例对相同输入产生不同 hash
  影响 user_id 重写和 session hash,防止跨实例指纹关联
- 新增 gateway.fingerprint_defaults: CLI 版本号/SDK 版本/OS/Arch 可配置
  每个实例可设不同值,与其他 sub2api 部署区分
- constants.go + identity_service.go 支持启动时覆盖默认指纹
- wire_gen.go 启动时读取配置并应用覆盖
 2026-03-25 11:37:27 +08:00
win
f68dc13a1a fix: 更新 Claude CLI 指纹版本 2.1.22→2.1.81, SDK 0.70.0→0.80.0 2026-03-25 11:37:27 +08:00
win
d38b672d54 fix: Node.js TLS 代理仅拦截 Anthropic 请求(DoWithTLS 路径) 
- Do() 去掉 Node.js 代理拦截,Antigravity/Google 请求走原路径
- 只有 DoWithTLS 且 enableTLSFingerprint=true 时走 Node.js 代理
- 按平台分治:Anthropic → Node.js 原生 TLS,Google → 原有 uTLS/直连
 2026-03-25 11:37:27 +08:00
win
0086cfdfe8 fix: Node.js TLS 代理对所有 HTTPS 上游生效,去掉域名白名单 
- 移除 proxy_hosts 白名单限制和 shouldRouteViaNodeProxy
- 所有 HTTPS 上游请求统一走 Node.js 代理
- 通过 X-Forwarded-Host 动态识别目标主机
- Anthropic / Gemini / 任意上游自动适配
- 移除诊断日志(已定位问题)
 2026-03-25 11:37:27 +08:00
win
cb035e4637 diag: 在 DoWithTLS 路径也添加诊断日志 2026-03-25 11:37:27 +08:00
win
47fba12a75 fix: Node.js TLS 代理按 proxy_hosts 白名单过滤 + 诊断日志 
- 新增 proxy_hosts 配置:可配置需要走 Node.js 代理的主机列表
- 默认仅代理 api.anthropic.com,Gemini/Sora 走原路径
- 添加 warn 级别诊断日志,输出请求的 scheme/host/hostname/should_route
- 用于定位 Anthropic 请求未命中 Node.js 代理的原因
 2026-03-25 11:37:27 +08:00
win
45c90b22eb fix: Node.js TLS 代理按主机白名单过滤,Gemini 走原路径 
- 新增 proxy_hosts 配置:白名单内的主机走 Node.js 代理
- 默认仅代理 api.anthropic.com
- Gemini/Sora 等非 Anthropic 请求自动走原有 uTLS 路径
- 解决 Gemini 请求经 Node.js 代理后 socket hang up 的问题
 2026-03-25 11:37:27 +08:00
win
5de1618e08 fix: Node.js TLS 代理动态识别上游主机 
- Go: 通过 X-Forwarded-Host 传递原始目标主机给 Node.js 代理
- Node.js: 读取 X-Forwarded-Host 动态连接到正确的上游主机
- 所有 HTTPS 上游请求统一走代理,不再固定绑定 api.anthropic.com
- Gemini/Sora 等不同上游自动识别,无需手动配置
 2026-03-25 11:37:27 +08:00
win
71a068c193 fix: Node.js TLS 代理对所有 HTTPS 上游请求生效 
Do() 方法新增 Node.js 代理检查,不再依赖账号级 TLS 指纹开关。
当 node_tls_proxy.enabled=true 时,所有 HTTPS 上游请求统一走
Node.js 代理,确保 JA3/JA4 指纹一致。
 2026-03-25 11:37:26 +08:00
win
8cac4269aa feat: Node.js TLS 指纹代理 + 网络隔离防泄露 
- 新增 Node.js TLS Forward Proxy (tools/node-tls-proxy/)
  原生 Node.js TLS 栈发起上游 HTTPS,JA3/JA4 天然匹配 Claude CLI
  SSE 流式透传,支持上游 HTTP CONNECT 代理
  零依赖,Node.js 24.13.0 锁定版本

- Go 集成 (config.go + http_upstream.go)
  新增 NodeTLSProxyConfig 配置
  DoWithTLS 优先走 Node.js 代理模式,URL 重写 https→http://localhost:3456

- Docker 网络隔离 (docker-compose.tls-proxy.yml)
  sub2api 容器仅 internal 网络,物理隔离外网
  node-tls-proxy 唯一出站通道,IPv6 内核级禁用

- iptables 防泄露脚本 (tools/firewall/)
  QUIC/UDP 443 全局 DROP,仅 nodeproxy 用户可出站 TCP 443

- 镜像切换为 zfc931912343/ 仓库
 2026-03-25 11:37:26 +08:00
Wesley Liddick
4b1ffc23f5
Merge pull request #1240 from Zqysl/qingyu/fix-openai-passthrough-429-rate-limits 
fix(openai): persist passthrough 429 rate limits
 2026-03-24 19:02:40 +08:00
Wesley Liddick
c7137dffa8
Merge pull request #1218 from LvyuanW/openai-runtime-recheck 
fix(openai): prevent rescheduling rate-limited accounts
 2026-03-24 15:21:18 +08:00
Wesley Liddick
8e834fd9f5
Merge pull request #1204 from Eilen6316/fix/smtp-config-stability-and-refresh-test 
fix(settings): prevent SMTP config overwrite and stabilize SMTP test after refresh
 2026-03-24 15:19:24 +08:00
Wesley Liddick
02046744eb
Merge pull request #1212 from alfadb/fix/filter-empty-text-blocks-nested 
fix(gateway): 修复 tool_result 嵌套内容中空 text block 导致上游 400 错误
 2026-03-24 15:19:01 +08:00
Wesley Liddick
68d7ec9155
Merge pull request #1220 from weak-fox/feat/account-privacy-mode-filter 
feat: 管理员账号列表支持按 Privacy 状态筛选
 2026-03-24 15:18:30 +08:00
Wesley Liddick
5f41b74707
Merge pull request #1242 from Ethan0x0000/feat/anthropic-openai-endpoint-compat 
支持 Anthropic Responses / Chat Completions 兼容端点并完善会话一致性与错误可观测性
 2026-03-24 15:16:26 +08:00
QTom
91b1d812ce feat(openai): Mobile RT 补全 plan_type、精确匹配账号、刷新时自动设置隐私 
1. accounts/check 补全 plan_type:当 id_token 缺少 plan_type(如 Mobile RT),
   自动调用 accounts/check 端点获取订阅类型
2. orgID 精确匹配账号:从 JWT 提取 poid 匹配正确账号,避免 Go map
   遍历顺序随机导致 plan_type 不稳定
3. RT 刷新时设置隐私:调用 disableOpenAITraining 关闭训练数据共享,
   结果存入 extra.privacy_mode,后续跳过重复设置

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-24 14:50:03 +08:00
shaw
995bee143a feat: 支持自定义端点配置与展示 2026-03-24 10:22:08 +08:00
Ethan0x0000
f10e56be7e refactor(test): improve type assertions in ops endpoint context tests 2026-03-24 09:52:56 +08:00
Ethan0x0000
2f8e10db46 fix(service): preserve anthropic usage fields across compat endpoints 
Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-openagent)

Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
 2026-03-24 09:32:34 +08:00
Ethan0x0000
5418e15e63 fix(service): normalize user agent for gemini session reuse 
Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-openagent)

Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
 2026-03-24 09:32:01 +08:00
Ethan0x0000
bcf84cc153 fix(service): normalize user agent for sticky session hashes 
Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-openagent)

Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
 2026-03-24 09:31:32 +08:00
qingyuzhang
ce8520c9e6 fix(openai): persist passthrough 429 rate limits 2026-03-24 01:48:25 +08:00
Ethan0x0000
d927c0e45f feat(routes): add platform-based routing split for /v1/responses and /v1/chat/completions 
Mirror the existing /v1/messages platform split pattern:
- OpenAI groups → OpenAIGateway handlers (existing, unchanged)
- Non-OpenAI groups → Gateway handlers (new Anthropic-upstream path)

Updated both /v1 prefixed routes and non-prefixed alias routes
(/responses, /chat/completions). WebSocket route (/v1/responses GET)
remains OpenAI-only as Anthropic has no WebSocket equivalent.
 2026-03-23 16:24:47 +08:00
Ethan0x0000
31660c4c5f feat(handler): add Responses/ChatCompletions handlers on GatewayHandler 
New HTTP handlers for Anthropic platform groups accepting OpenAI-format
endpoints:

- GatewayHandler.Responses: /v1/responses for non-OpenAI groups
- GatewayHandler.ChatCompletions: /v1/chat/completions for non-OpenAI groups

Both handlers include:
- Claude Code only restriction (403 reject when claude_code_only enabled,
  since these endpoints are never Claude Code clients)
- Full auth → billing → user/account concurrency → failover loop
- Ops error/endpoint context propagation
- Async usage recording via worker pool

Error responses use each endpoint's native format (Responses API format
for /v1/responses, CC format for /v1/chat/completions).
 2026-03-23 16:24:35 +08:00
Ethan0x0000
4321adab71 feat(service): add ForwardAsResponses/ForwardAsChatCompletions on GatewayService 
New forwarding methods on GatewayService for Anthropic platform groups:

- ForwardAsResponses: accept Responses body → convert to Anthropic →
  forward to upstream → convert response back to Responses format.
  Supports both streaming (SSE event-by-event conversion) and buffered
  (accumulate then convert) response modes.
- ForwardAsChatCompletions: chain CC→Responses→Anthropic for request,
  Anthropic→Responses→CC for response. Streaming uses dual state machine
  chain with [DONE] marker.

Both methods reuse existing GatewayService infrastructure:
buildUpstreamRequest, Claude Code mimicry, cache control enforcement,
model mapping, and return UpstreamFailoverError for handler-level retry.
 2026-03-23 16:24:22 +08:00
Ethan0x0000
68f151f5c0 feat(apicompat): add Responses↔Anthropic bidirectional format conversion 
Add reverse-direction converters for Anthropic platform groups to accept
OpenAI-format requests:

- ResponsesToAnthropicRequest: Responses API input → Anthropic Messages
  request with system extraction, tool/toolChoice mapping, reasoning
  effort conversion, image data URI↔base64, and consecutive role merging
- AnthropicToResponsesResponse: Anthropic response → Responses response
  with content block→output item mapping, usage, stop_reason→status
- AnthropicEventToResponsesEvents: stateful SSE stream converter
  (Anthropic streaming protocol → Responses streaming protocol)
- FinalizeAnthropicResponsesStream: synthetic termination for
  incomplete streams
 2026-03-23 16:24:09 +08:00
weak-fox
4838ab74b3 feat(admin): add account privacy mode filter 2026-03-23 10:16:52 +08:00
Wang Lvyuan
fef9259aaa fix(openai): recheck runtime state from db before final account selection 2026-03-23 03:50:03 +08:00
Wang Lvyuan
ad7c10727a fix(account): preserve runtime state during credentials-only updates 2026-03-23 03:49:28 +08:00
alfadb
70a9d0d3a2 fix(gateway): strip empty text blocks from nested tool_result content 
Empty text blocks inside tool_result.content were not being filtered,
causing upstream 400 errors: 'text content blocks must be non-empty'.

Changes:
- Add stripEmptyTextBlocksFromSlice helper for recursive content filtering
- FilterThinkingBlocksForRetry now recurses into tool_result nested content
- Add StripEmptyTextBlocks pre-filter on initial request path to avoid
  unnecessary 400+retry round-trips
- Add unit tests for nested empty text block scenarios
 2026-03-22 17:26:44 +08:00
Ethan0x0000
7cd3824863 test(ops): add tests for setOpsEndpointContext and safeUpstreamURL 2026-03-21 23:49:50 +08:00
Ethan0x0000
db9021f9c1 feat(ops): propagate endpoint/request-type context in handlers; add UpstreamURL to upstream error events 2026-03-21 23:47:39 +08:00
Ethan0x0000
a2418c6040 feat(ops): adapt repository INSERT/SELECT + add setOpsEndpointContext in error logger middleware 2026-03-21 23:38:00 +08:00
Eilen6316
1fb29d59b7 fix(settings): prevent SMTP config overwrite and stabilize test after refresh 2026-03-21 23:36:30 +08:00
Ethan0x0000
8c4a217f03 feat(ops): add endpoint/model/request_type fields to error log structs + safeUpstreamURL 2026-03-21 23:30:13 +08:00
mutuyihao
4feacf2213 fix(apicompat): support array content for system and tool messages 2026-03-21 15:34:28 +08:00
Wesley Liddick
186e36752d
Merge pull request #1194 from Ethan0x0000/feat/requested-upstream-model-semantics 
feat(usage): 统一使用记录中的请求模型与上游模型语义
 2026-03-21 14:02:10 +08:00
Wesley Liddick
421728a985
Merge pull request #1193 from xilu0/worktree-fix-thinking-block-log-level 
fix: correct log levels for thinking block signature retry flow
 2026-03-21 13:57:30 +08:00
Ethan0x0000
27948c777e fix(dto): fallback to legacy model in usage mapping 
Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-openagent)

Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
 2026-03-21 11:10:40 +08:00
Dave King
c64ed46d05 fix: correct log levels for thinking block signature retry flow 
LegacyPrintf uses inferStdLogLevel() to infer log level from message
text. Any message containing the word "error" is classified as ERROR
level, causing the entire signature-retry recovery flow (which succeeds)
to produce spurious ERROR log entries.

Changes:
- Remove noisy [SignatureCheck] debug logs inside isThinkingBlockSignatureError
  that were logging every detected signature check as ERROR
- Change retry-start log to WARN level via [warn] prefix
- Change retry-success log to INFO level by removing "error" from message

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-21 00:38:07 +00:00