Add a full payment and subscription system supporting EasyPay (Alipay/WeChat),
Stripe, and direct Alipay/WeChat Pay providers with multi-instance load balancing.
- Downgrade Go from 1.26.2 to 1.25 (stable, avoids compiler crash on Alpine)
- Reorganize protobuf generated files into language_server_pb/ subdirectory
- Update go.mod and go.sum to match new Go version
- Docker build now completes successfully and pushes to registry
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
Implement comprehensive Claude Code client emulation to ensure all Go-originated
requests are indistinguishable from Node.js clients at the TLS and HTTP levels.
## Core Changes
### 1. TLS Fingerprint Enhancements
- **Enable HTTP/2**: Set ForceAttemptHTTP2=true in TLS transport to match Node.js 24.x
behavior (HTTP/2 is preferred by modern Node.js)
- **ALPN Protocol Priority**: Changed from ["http/1.1"] to ["h2", "http/1.1"] to
advertise HTTP/2 preference, matching actual Node.js client capability
### 2. Request Header Validation & Cleaning (Monkey Patch)
- Created new claudemask package for Node.js emulation validation
- ValidateNodeEmulation(): Verify all required Node.js headers present
- CleanRequest(): Fix any Go client indicators that slip through (Go User-Agent, etc)
- Applied in buildUpstreamRequest() as final validation before sending to Claude API
- Validates 8 required headers: User-Agent, X-Stainless-*, anthropic-version
### 3. Comprehensive Testing
- 8 unit tests covering validation and cleaning scenarios
- Tests verify: valid requests pass, missing headers detected, Go client headers fixed
- All tests passing ✓
## Why This Works
1. **TLS Level**: HTTP/2 negotiation via ALPN matches real Claude Code behavior
2. **HTTP Level**: All X-Stainless headers properly injected (language, runtime, OS)
3. **Fallback**: CleanRequest() catches any missed emulation as safety net
4. **Detection**: ValidateNodeEmulation() logs any inconsistencies for debugging
## Files Modified
- internal/pkg/tlsfingerprint/dialer.go: ALPN protocol priority
- internal/repository/http_upstream.go: Enable HTTP/2
- internal/service/gateway_service.go: Integrate validation/cleaning
- internal/pkg/claudemask/mask.go: New validation module (8 functions)
- internal/pkg/claudemask/mask_test.go: New test suite (8 tests)
## Result
Go requests now sent to Claude API are 100% consistent with Node.js clients:
- JA3/JA4 TLS fingerprints match
- HTTP/2 ALPN negotiation correct
- All identification headers present and consistent
- Fallback cleaning ensures no Go client leakage
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
GO-2026-4602 (os), GO-2026-4601 (net/url), GO-2026-4600 and
GO-2026-4599 (crypto/x509). The crypto/x509 fixes are only
available in go1.26.1+, not backported to go1.25.x.
- add default subscriptions to admin settings
- auto-assign subscriptions on register and admin user creation
- add validation/tests and align settings UI with subscription selector patterns
