sub2api

Author	SHA1	Message	Date
win	e938be5f3f	chore: merge upstream Wei-Shaw/sub2api latest (v0.1.130+) Upstream features: bedrock CC compat, email whitelist wildcard, content moderation per-model toggle, redeem code batch update, OIDC verified-email fast path, subscription expiry email, cache hit rate fix, audit dedup, js-cookie security fix, x/net vulnerability fix, OpenAI account cooldown optimization, reverse proxy client IP fix, API key ACL trusted forwarded IP. Local additions preserved: rpmTokenBucketService, quotaFactor scoring, P2C scheduler selection.	2026-05-24 15:54:54 +08:00
github-actions[bot]	63b0631a58	chore: sync VERSION to 0.1.130 [skip ci]	2026-05-23 06:40:10 +00:00
Wesley Liddick	3c5a444802	Merge pull request #2698 from deqiying/fix/log-real-client-ip fix: 修复反代部署下拒绝日志客户端 IP 不准确	2026-05-23 11:08:47 +08:00
shaw	b6c0b40848	fix: update x/net vulnerability dependency	2026-05-23 10:55:44 +08:00
shaw	1e406fed52	fix: optimize OpenAI account cooldown scheduling	2026-05-23 10:18:43 +08:00
deqiying	0af44ce4c2	fix: 修复反代部署下拒绝日志客户端 IP 不准确将 OpenAI codex_cli_only 拒绝诊断日志中的 request_client_ip 改为复用 ip.GetClientIP，与 usage 记录和 access log 的真实客户端 IP 解析逻辑保持一致。保留 request_remote_addr 用于排查底层 Docker/反代 peer 地址，并补充单元测试覆盖反代头与 remote addr 分离的场景。	2026-05-22 23:28:21 +08:00
Wesley Liddick	f59d9a5f8e	Merge pull request #2674 from wucm667/feat/moderation-per-model-toggle feat(risk-control): 内容审计支持按模型生效	2026-05-22 20:10:38 +08:00
Wesley Liddick	301032dc72	Merge pull request #2672 from wucm667/feat/email-whitelist-wildcard-suffix feat(registration): 邮箱白名单支持后缀通配符匹配(*.edu.cn)	2026-05-22 17:33:29 +08:00
Wesley Liddick	a5efb84fa0	Merge pull request #2656 from wucm667/fix/apicompat-developer-role-to-system fix(apicompat): Responses 转 Chat Completions 时 developer role 映射为 system	2026-05-22 17:32:47 +08:00
Wesley Liddick	9f91a8af17	Merge pull request #2662 from touwaeriol/feat/bedrock-cc-compat feat(bedrock): add Claude Code compatibility for AWS Bedrock	2026-05-22 17:32:11 +08:00
Wesley Liddick	a33a294970	Merge pull request #2658 from wucm667/feat/account-test-chat-completions-path feat(account): 测试连接支持 OpenAI-compatible Chat Completions 路径	2026-05-22 17:31:14 +08:00
wucm667	199a5bcc69	fix(risk-control): Agent 工具循环中同一用户消息重复审计去重末尾 role 检查方案：当 messages / input / contents 数组末尾一项不是用户消息（而是 assistant、tool / function_call_output 等）时，直接跳过内容审计，从而避免 Agent 工具循环中同一用户输入被反复审计、计费、写日志。 Fixes #2678	2026-05-22 14:54:06 +08:00
wucm667	0d5c6f7cc7	feat(risk-control): 内容审计支持按模型生效	2026-05-21 21:18:43 +08:00
wucm667	a5b9b68b76	feat(registration): 支持邮箱白名单后缀通配符	2026-05-21 21:02:26 +08:00
wucm667	ca60cede14	feat(account): 支持测试连接 Chat Completions 路径	2026-05-21 16:37:20 +08:00
wucm667	c4d7edba08	fix(apicompat): map developer role to system	2026-05-21 16:37:05 +08:00
shaw	aae20ef437	fix(oidc): harden verified-email fast path	2026-05-21 15:19:29 +08:00
Wesley Liddick	35901a174b	Merge pull request #2655 from ye4241/feat/oidc-trust-verified-email-fast-path feat(oidc): 上游邮箱已验证时跳过 choice 页直接登录注册	2026-05-21 14:47:08 +08:00
shaw	a613a587ba	feat: add subscription expiry email toggle	2026-05-21 14:27:50 +08:00
ye4241	55554adc18	chore(oidc): 回应 Copilot review - ProviderType 从 identity.ProviderType 取（不再硬编码） - fast-path 日志改用 infraerrors.Reason(err) 避免泄露 PII / 降噪	2026-05-21 13:32:20 +08:00
ye4241	39fe7aa0eb	feat(oidc): 上游邮箱已验证时跳过 choice 页直接登录注册当前 OIDC 首次登录无条件创建 choose_account_action_required 的 pending session，即使 force_email_on_third_party_signup 关闭，前端仍然会强制弹出"创建账号 / 绑定已有账号"的二选一界面，并展示内部合成邮箱（oidc-xxx@oidc-connect.invalid），用户体验差。本次复用已存在的 LoginOrRegisterVerifiedEmailOAuth 路径（原本仅供 github/google 使用），在以下条件全部满足时跳过 choice 页，直接信任上游身份完成注册/登录： - force_email_on_third_party_signup = false - 邀请码模式未启用 - 上游声明 email_verified = true 且 compat_email 非空 - 本地不存在同邮箱已有账号失败时（如邮箱后缀不在白名单、注册关闭等）自动回退到现有 choice 流程，行为完全向后兼容。测试覆盖： - TestTryOIDCVerifiedEmailFastPathCreatesUserAndIdentity - TestTryOIDCVerifiedEmailFastPathSkippedWhenInvitationCodeRequired - TestTryOIDCVerifiedEmailFastPathSkippedWhenForceEmailEnabled	2026-05-21 13:32:20 +08:00
erio	fe1c6c958b	feat(bedrock): add Claude Code compatibility for AWS Bedrock - Export ApplyBedrockCCCompat() in GatewayService, called after channel model mapping to ensure mapped model ID is used for Opus 4.7+ detection - Add sanitizeBedrockCCFields(): remove service_tier/interface_geo/ context_management, inject max_tokens/anthropic_version defaults - Add sanitizeBedrockCCBetaTokens(): filter anthropic_beta to keep only Bedrock-supported tokens, reusing autoInjectBedrockBetaTokens and filterBedrockBetaTokens for consistent rules - Remove unsupported beta tokens (interleaved-thinking, context-management) from whitelist based on AWS official docs - Simplify IsBedrockCCCompatEnabled() to check boolean toggle directly, applying CC compat to all accounts regardless of platform - Add unit tests for IsBedrockCCCompatEnabled (8 cases), sanitizeBedrockCCFields (8 cases), sanitizeBedrockCCBetaTokens (7 cases) - Update bedrock beta policy tests for removed auto-injection	2026-05-21 11:46:24 +08:00
Wesley Liddick	bd3d4d9a24	Merge pull request #2399 from gaoren002/fix/openai-image-upstream-errors fix(openai): surface image moderation errors	2026-05-21 11:31:22 +08:00
Wesley Liddick	a60a349ecf	Merge pull request #2375 from gaoren002/fix/account-delete-scheduler-cache fix: clear scheduler cache when deleting accounts	2026-05-21 11:31:05 +08:00
Wesley Liddick	131d4b3050	Merge pull request #2374 from gaoren002/fix/openai-refresh-token-reused fix: mark reused refresh tokens non-retryable and unschedule errored accounts	2026-05-21 11:30:52 +08:00
Wesley Liddick	eda04c6129	Merge pull request #2615 from wucm667/feat/redeem-code-batch-update feat(redeem): 兑换码支持批量修改	2026-05-21 10:39:46 +08:00
Wesley Liddick	b106192ee2	Merge pull request #2648 from DaydreamCoding/fix/user-provider-default-grants-check fix(auth): user_provider_default_grants 加入 github/google/dingtalk	2026-05-21 10:38:34 +08:00
Wesley Liddick	d3c4e50753	Merge pull request #2645 from lyen1688/fix/trusted-forwarded-ip-acl PR：为 API Key IP 白/黑名单增加可配置的反代真实 IP 判断	2026-05-21 10:34:28 +08:00
DaydreamCoding	4bfb707ff3	fix(auth): user_provider_default_grants 加入 github/google/dingtalk migration 135/136 把 github、google、dingtalk 加到 users / auth_identities / auth_identity_channels / pending_auth_sessions 的 check 约束时，漏改 user_provider_default_grants。一旦管理员开启 grant_on_first_bind，OAuth 首次绑定就会在 INSERT user_provider_default_grants 时撞约束，触发 500。	2026-05-21 00:48:38 +08:00
lyen1688	1d2445ff52	修复 API Key ACL 开关的 CI 校验	2026-05-20 23:51:39 +08:00
lyen1688	08c8c67df7	为 API Key ACL 增加反代真实 IP 开关	2026-05-20 22:51:46 +08:00
win	82bc1e199f	chore: remove unused real-time log stream / request event bus 删除 fork 独有的实时日志相关功能（上游 Wei-Shaw/sub2api 不存在）： A. OpsLogBroadcaster + SSE 日志流（前端有用但用户不需要）: - backend/internal/service/ops_log_broadcaster{,_test}.go - backend/internal/handler/ops_log_stream_middleware.go - backend/internal/handler/admin/ops_log_stream_handler.go - backend/internal/server/routes/admin.go: GET /admin/ops/logs/{stream,recent} - backend/internal/server/routes/{gateway,windsurf_gateway}.go: opsLogStream middleware - backend/internal/service/wire.go: ProvideOpsLogBroadcaster - frontend/src/views/admin/ops/OpsLogStreamView.vue - frontend/src/api/admin/ops.ts: subscribeOpsLogStream, getRecentOpsLogs, OpsLogEntry/OpsLogFilter/OpsLogRecentResponse 类型 - frontend/src/router/index.ts: AdminOpsLogStream 路由 - frontend/src/components/layout/AppSidebar.vue: 侧边栏入口 - frontend/src/i18n/locales/{en,zh}.ts: nav.opsLogStream + admin.ops.logStream 全部文案 B. RequestEventBus + WS 请求事件流（前端零调用 dead code）: - backend/internal/service/request_event_bus{,_test}.go - backend/internal/handler/admin/ops_ws_requests_handler.go - backend/internal/server/routes/admin.go: GET /admin/ops/ws/requests - backend/internal/handler/gateway_handler.go: RequestEventBus 字段/参数 + reqStartTime + reqEventAccountID/reqEventStatus 跟踪 + defer Publish - backend/internal/service/wire.go: NewRequestEventBus - backend/internal/handler/admin/ops_handler.go: OpsHandler 中 requestEventBus + logBroadcaster 字段,简化 NewOpsHandler 签名保留: - /admin/ops/ws/qps (前端 QPS 监控仍在用) - /admin/ops/realtime-traffic (前端在用) - OpsErrorLoggerMiddleware (与本次无关) 签名变更: - NewOpsHandler(opsService) — 移除 requestEventBus, logBroadcaster - NewGatewayHandler(...): 移除 requestEventBus 末位参数 - ProvideRouter / SetupRouter / registerRoutes / RegisterGatewayRoutes / RegisterWindsurfGatewayRoutes: 移除 opsLogBroadcaster 参数 - 同步更新 wire_gen.go + 测试调用点验证: - 后端 go build/vet 通过 - 前端 pnpm run build 通过 (9.48s) - 测试: 2 个 baseline 既存失败 (TestProxyImportData..., TestWindsurfTierAccessService_Snapshot_HappyPath) 与本次无关	2026-05-20 22:43:20 +08:00
Wesley Liddick	e5d6f1727f	Merge pull request #2641 from Arron196/fix/channel-monitor-responses-reasoning fix(channel-monitor): 兼容 Responses reasoning 输出	2026-05-20 22:36:46 +08:00
Wesley Liddick	f2d072ffc7	Merge pull request #2643 from Arron196/fix/ops-sla-local-client-errors fix(ops): 排除本地客户端限制错误的 SLA 计数	2026-05-20 22:36:02 +08:00
win	502d57652f	chore: merge upstream Wei-Shaw/sub2api v0.1.130-fix Upstream 改动 (PR #2636): - fix(gateway): retry on "thinking block must contain thinking" upstream error 跨模型切换时,其他模型回过的 assistant 历史里有 type=thinking 但缺 thinking 文本,送给开启 extended thinking 的 Claude 会被拒,通过 signature error 重试机制可恢复。修改文件: backend/internal/service/gateway_service.go (+9), gateway_request_test.go (+31 测试)	2026-05-20 22:06:26 +08:00
benjamin	69305a6091	fix(ops): 排除本地客户端限制错误的 SLA 计数 Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-openagent) Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>	2026-05-20 22:01:33 +08:00
erio	4fd21994c5	feat(bedrock): add Claude Code compatibility transformations for Bedrock accounts Add channel-level Bedrock CC compatibility toggle (similar to web_search_emulation) that fixes 4 types of Bedrock 400 errors seen with Claude Code: 1. thinking.type "enabled" → "adaptive" for Opus 4.7+ (only supports adaptive) 2. Add default budget_tokens when missing for older models 3. Replace illegal characters in tool_use IDs to match Bedrock's ^[a-zA-Z0-9_-]+$ pattern 4. anthropic_version / invalid beta flag (already handled elsewhere) Transformations run in Forward() before any forwarding path, so both native Bedrock accounts and apikey passthrough accounts pointing to Bedrock relays benefit. Includes channel-level toggle UI and unit tests.	2026-05-20 21:47:38 +08:00
benjamin	d3d5843b9d	fix(channel-monitor): 兼容 Responses reasoning 输出 Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-openagent) Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>	2026-05-20 21:19:06 +08:00
name	8211aa7066	fix: retry on "thinking block must contain thinking" upstream error Some clients reuse assistant history from other models when switching to claude with extended thinking enabled. If a prior thinking block lacks the thinking text field, upstream returns: messages.X.content.Y.thinking: each thinking block must contain thinking Add this pattern to isThinkingBlockSignatureError so the existing FilterThinkingBlocksForRetry retry path triggers and rewrites/drops the offending blocks.	2026-05-20 18:46:50 +08:00
win	4e3ba04717	chore: merge upstream Wei-Shaw/sub2api v0.1.129 Upstream 改动 (2 commits): - ci: 限制 CLA workflow 只在 upstream 仓库运行 (Wei-Shaw/sub2api), 避免 fork 触发 CLA 检查 - chore: VERSION 0.1.128 -> 0.1.129 无代码变更,无冲突,直接 fast-forward 风格 merge。	2026-05-20 18:07:13 +08:00
win	92433656f5	chore: merge upstream Wei-Shaw/sub2api v0.1.128 — keep fork customizations Upstream 新功能 (34 commits, ~main..origin/main): - feat(email): 通知邮件模板服务、模板编辑器、订阅/余额提醒邮件 - feat(notification): NotificationEmailService 注入到 Balance/Payment/Setting - feat(payment): 支付成功通知邮件 - feat(usage): 用户 API Key 用量页支持按日明细 - feat(openai-gateway): Codex OAuth 浏览器 UA 自动改写规避 Cloudflare 质询 - feat(admin): 邮件模板管理接口 - fix(auth): 停用/删除分组后阻断 API Key - fix(group): 修正分组账号可用计数口径 - fix(openai): /v1/responses respect force chat completions, images n 参数透传 - test(repository): AES Encryptor 单元测试 - chore: VERSION 0.1.128 冲突解决 (backend/cmd/server/wire_gen.go): - 引入 upstream 新 wire providers: notificationEmailService, ProvidePaymentService(10 args), ProvideAdminSettingHandler(8 args) - 保留 fork 独有依赖: rpmTokenBucketService (RPM 平滑), NewOpsHandler 3 参数版本 (requestEventBus, opsLogBroadcaster) - ProvideBalanceNotifyService 接受 4 参数 (含 notificationEmailService) 修复 session-id helper 设计 (claude_code_session_id.go): - 发现: TestGatewayService_AnthropicOAuth_InjectsClaudeCodeSessionHeaderFromMetadata 在 OAuth + mimicClaudeCode=false 场景失败 - 重新审视设计原则: OAuth 凭证本身就是 Claude Code 客户端,可信任 metadata 派生 session_id;不应受 mimicClaudeCode 标志阻止 - 修复: metadata 派生只看 tokenType=="oauth";UUID 兜底仍需 oauth && mimic - 更新测试: OAuthNonMimicDerivesFromMetadata 取代原 IgnoresMetadata 所有 fork 独有功能保留: - Claude Code 2.1.145 mimicry bundle (上个 commit 引入) - RPM token bucket smoothing (commit 95814974) - Windsurf/Antigravity/Omniroute 定制 - claudemask/ 校验包 (upstream 已删除,我们仍在 gateway_service 中使用) 不在范围: - 不修复 baseline 既存的 2 个测试失败 (TestProxyImportData..., TestWindsurfTierAccessService_Snapshot_HappyPath) - 与 merge 无关	2026-05-20 17:50:44 +08:00
gaoren002	202aab8e63	fix(accounts): unschedule errored accounts	2026-05-20 09:24:51 +00:00
gaoren002	49b415e333	fix: mark reused refresh tokens non-retryable	2026-05-20 09:24:51 +00:00
gaoren002	60f6602b81	fix: clear scheduler cache when deleting accounts	2026-05-20 09:24:29 +00:00
gaoren002	888cd8092d	fix(openai): surface image moderation errors	2026-05-20 09:19:20 +00:00
win	0fefedf9cd	feat(claude-mimic): upgrade Claude Code mimicry to 2.1.145 via bundle abstraction 反编译本地 Claude Code 2.1.145 二进制 (Bun 1.3.14 打包, @anthropic-ai/sdk@0.94.0 嵌入) 提取真实指纹,系统性升级 mimicry。核心改动: - 新增 ClaudeCodeBundle struct 作为单一事实源,DefaultBundle 描述当前伪装目标的完整快照 (CLIVersion/SDKVersion/RuntimeVersion/OS/Arch) - DefaultCLIVersion/DefaultStainlessPackageVersion/CLICurrentVersion/ DefaultHeaders 全部派生自 DefaultBundle,消除三处 (2.1.92, 2.1.104, 0.70.0, 0.81.0) 版本分裂 - CLI 版本 2.1.92/2.1.104 -> 2.1.145 - SDK 版本 0.70.0/0.81.0 -> 0.94.0 - 新增 12 个 2.1.145 反编译确认的 anthropic-beta token: advanced-tool-use, tool-search-tool, mcp-servers, mcp-client, mid-conversation-system, afk-mode, cache-diagnosis, context-hint, environments, managed-agents, skills, compact - FullClaudeCodeMimicryBetas() 从 7 个 token 升级到 21 个 ordered list - 修正 BetaTokenEfficientTools 错日期 (2026-03-28 -> 2025-02-19) - 从默认 beta header 移除已 GA 的 BetaFineGrainedToolStreaming / BetaTokenEfficientTools (常量保留供客户端显式 merge) - claudemask.RequiredNodeHeaders 加 X-Claude-Code-Session-Id 强制新增 ensureClaudeCodeSessionID helper (claude_code_session_id.go): - 真实 CLI 在 SDK 内强制 X-Claude-Code-Session-Id:y_(),缺失被判第三方 - OAuth mimic 路径: metadata.user_id 派生 -> canonical UUID 写入 -> 兜底 uuid.NewString() - API key passthrough 路径: 不从 body 派生,保护客户端原始语义 - 所有路径均对客户端传入的非法 UUID 执行删除 (避免恶意值上游透传) - 所有写入 header 的 session-id 都通过 uuid.Parse 校验测试: - 新增 14 个 ensureClaudeCodeSessionID 单元测试,含恶意 UUID 注入拒绝 + API key 路径隔离 + canonical 形式校验 - 新增 3 个 bundle 派生一致性测试 - mask_test 加 session-id 缺失校验 case - 老 UA 断言 2.1.104 -> 2.1.145 不在范围: - TLS 指纹 (utls 已处理) - Bun.hash vs xxHash64 算法验证 (需 golden vectors,独立项目) References: - VERSION:2.1.145 BUILD_TIME:2026-05-19T01:36:35Z GIT_SHA:daa4c3755d45ab0cf97bb41db8c03bd2dfd2ff5f	2026-05-20 17:18:47 +08:00
github-actions[bot]	771e0ca973	chore: sync VERSION to 0.1.129 [skip ci]	2026-05-20 09:11:41 +00:00
Wesley Liddick	51f72186a5	Merge pull request #2613 from wucm667/feat/api-key-usage-daily-detail feat(usage): 用户 API Key 用量页支持按日明细	2026-05-20 16:55:42 +08:00
Wesley Liddick	a6db05c824	Merge pull request #2612 from wucm667/fix/group-status-key-auth-block fix(auth): 停用/删除分组后阻断已发放 API Key 的请求	2026-05-20 16:55:08 +08:00
Wesley Liddick	655e157658	Merge pull request #2611 from wucm667/test/repo-aes-encryptor test(repository): 补充 AES Encryptor 单元测试	2026-05-20 16:54:33 +08:00

1 2 3 4 5 ...

2663 Commits