feat(tls-fingerprint): 新增 TLS 指纹 Profile 数据库管理及代码质量优化

新增功能：
- 新增 TLS 指纹 Profile CRUD 管理（Ent schema + 迁移 + Admin API + 前端管理界面）
- 支持账号绑定数据库中的自定义 TLS Profile，或随机选择（profile_id=-1）
- HTTPUpstream.DoWithTLS 接口从 bool 改为 *tlsfingerprint.Profile，支持按账号指定 Profile
- AccountUsageService 注入 TLSFingerprintProfileService，统一 usage 场景与网关的 Profile 解析逻辑

代码优化：
- 删除已被 TLSFingerprintProfileService 完全取代的 registry.go 死代码（418 行）
- 提取 3 个 dialer 的重复 TLS 握手逻辑为 performTLSHandshake() 共用函数
- 修复 GetTLSFingerprintProfileID 缺少 json.Number 处理的 bug
- gateway_service.Forward 中 ResolveTLSProfile 从重试循环内重复调用改为预解析局部变量
- 删除冗余的 buildClientHelloSpec() 单行 wrapper 和 int64(e.ID) 无效转换
- tls_fingerprint_profile_cache.go 日志从 log.Printf 改为 slog 结构化日志
- dialer_capture_test.go 添加 //go:build integration 标签，防止 CI 失败
- 去重 TestProfileExpectation 类型至共享 test_types_test.go
- 修复 9 个测试文件缺少 tlsfingerprint import 的编译错误
- 修复 error_policy_integration_test.go 中 handleError 回调签名被错误替换的问题

backend/internal/repository/claude_usage_service.go

@@ -68,10 +68,9 @@ func (s *claudeUsageService) FetchUsageWithOptions(ctx context.Context, opts *se
 
 	var resp *http.Response
 
-	// 如果启用 TLS 指纹且有 HTTPUpstream，使用 DoWithTLS
-	if opts.EnableTLSFingerprint && s.httpUpstream != nil {
-		// accountConcurrency 传 0 使用默认连接池配置，usage 请求不需要特殊的并发设置
-		resp, err = s.httpUpstream.DoWithTLS(req, opts.ProxyURL, opts.AccountID, 0, true)
+	// 如果有 TLS Profile 且有 HTTPUpstream，使用 DoWithTLS
+	if opts.TLSProfile != nil && s.httpUpstream != nil {
+		resp, err = s.httpUpstream.DoWithTLS(req, opts.ProxyURL, opts.AccountID, 0, opts.TLSProfile)
 		if err != nil {
 			return nil, fmt.Errorf("request with TLS fingerprint failed: %w", err)
 		}

backend/internal/repository/http_upstream.go

@@ -161,26 +161,14 @@ func (s *httpUpstreamService) Do(req *http.Request, proxyURL string, accountID i
 }
 
 // DoWithTLS 执行带 TLS 指纹伪装的 HTTP 请求
-// 根据 enableTLSFingerprint 参数决定是否使用 TLS 指纹
 //
-// 参数:
-//   - req: HTTP 请求对象
-//   - proxyURL: 代理地址，空字符串表示直连
-//   - accountID: 账户 ID，用于账户级隔离和 TLS 指纹模板选择
-//   - accountConcurrency: 账户并发限制，用于动态调整连接池大小
-//   - enableTLSFingerprint: 是否启用 TLS 指纹伪装
-//
-// TLS 指纹说明:
-//   - 当 enableTLSFingerprint=true 时，使用 utls 库模拟 Claude CLI 的 TLS 指纹
-//   - 指纹模板根据 accountID % len(profiles) 自动选择
-//   - 支持直连、HTTP/HTTPS 代理、SOCKS5 代理三种场景
-func (s *httpUpstreamService) DoWithTLS(req *http.Request, proxyURL string, accountID int64, accountConcurrency int, enableTLSFingerprint bool) (*http.Response, error) {
-	// 如果未启用 TLS 指纹，直接使用标准请求路径
-	if !enableTLSFingerprint {
+// profile 为 nil 时不启用 TLS 指纹，行为与 Do 方法相同。
+// profile 非 nil 时使用指定的 Profile 进行 TLS 指纹伪装。
+func (s *httpUpstreamService) DoWithTLS(req *http.Request, proxyURL string, accountID int64, accountConcurrency int, profile *tlsfingerprint.Profile) (*http.Response, error) {
+	if profile == nil {
 		return s.Do(req, proxyURL, accountID, accountConcurrency)
 	}
 
-	// TLS 指纹已启用，记录调试日志
 	targetHost := ""
 	if req != nil && req.URL != nil {
 		targetHost = req.URL.Host
@@ -189,46 +177,28 @@ func (s *httpUpstreamService) DoWithTLS(req *http.Request, proxyURL string, acco
 	if proxyURL != "" {
 		proxyInfo = proxyURL
 	}
-	slog.Debug("tls_fingerprint_enabled", "account_id", accountID, "target", targetHost, "proxy", proxyInfo)
+	slog.Debug("tls_fingerprint_enabled", "account_id", accountID, "target", targetHost, "proxy", proxyInfo, "profile", profile.Name)
 
 	if err := s.validateRequestHost(req); err != nil {
 		return nil, err
 	}
 
-	// 获取 TLS 指纹 Profile
-	registry := tlsfingerprint.GlobalRegistry()
-	profile := registry.GetProfileByAccountID(accountID)
-	if profile == nil {
-		// 如果获取不到 profile，回退到普通请求
-		slog.Debug("tls_fingerprint_no_profile", "account_id", accountID, "fallback", "standard_request")
-		return s.Do(req, proxyURL, accountID, accountConcurrency)
-	}
-
-	slog.Debug("tls_fingerprint_using_profile", "account_id", accountID, "profile", profile.Name, "grease", profile.EnableGREASE)
-
-	// 获取或创建带 TLS 指纹的客户端
 	entry, err := s.acquireClientWithTLS(proxyURL, accountID, accountConcurrency, profile)
 	if err != nil {
 		slog.Debug("tls_fingerprint_acquire_client_failed", "account_id", accountID, "error", err)
 		return nil, err
 	}
 
-	// 执行请求
 	resp, err := entry.client.Do(req)
 	if err != nil {
-		// 请求失败，立即减少计数
 		atomic.AddInt64(&entry.inFlight, -1)
 		atomic.StoreInt64(&entry.lastUsed, time.Now().UnixNano())
 		slog.Debug("tls_fingerprint_request_failed", "account_id", accountID, "error", err)
 		return nil, err
 	}
 
-	slog.Debug("tls_fingerprint_request_success", "account_id", accountID, "status", resp.StatusCode)
-
-	// 如果上游返回了压缩内容，解压后再交给业务层
 	decompressResponseBody(resp)
 
-	// 包装响应体，在关闭时自动减少计数并更新时间戳
 	resp.Body = wrapTrackedBody(resp.Body, func() {
 		atomic.AddInt64(&entry.inFlight, -1)
 		atomic.StoreInt64(&entry.lastUsed, time.Now().UnixNano())

backend/internal/repository/tls_fingerprint_profile_cache.go

@@ -0,0 +1,122 @@
+package repository
+
+import (
+	"context"
+	"encoding/json"
+	"log/slog"
+	"sync"
+	"time"
+
+	"github.com/Wei-Shaw/sub2api/internal/model"
+	"github.com/Wei-Shaw/sub2api/internal/service"
+	"github.com/redis/go-redis/v9"
+)
+
+const (
+	tlsFPProfileCacheKey  = "tls_fingerprint_profiles"
+	tlsFPProfilePubSubKey = "tls_fingerprint_profiles_updated"
+	tlsFPProfileCacheTTL  = 24 * time.Hour
+)
+
+type tlsFingerprintProfileCache struct {
+	rdb        *redis.Client
+	localCache []*model.TLSFingerprintProfile
+	localMu    sync.RWMutex
+}
+
+// NewTLSFingerprintProfileCache 创建 TLS 指纹模板缓存
+func NewTLSFingerprintProfileCache(rdb *redis.Client) service.TLSFingerprintProfileCache {
+	return &tlsFingerprintProfileCache{
+		rdb: rdb,
+	}
+}
+
+// Get 从缓存获取模板列表
+func (c *tlsFingerprintProfileCache) Get(ctx context.Context) ([]*model.TLSFingerprintProfile, bool) {
+	c.localMu.RLock()
+	if c.localCache != nil {
+		profiles := c.localCache
+		c.localMu.RUnlock()
+		return profiles, true
+	}
+	c.localMu.RUnlock()
+
+	data, err := c.rdb.Get(ctx, tlsFPProfileCacheKey).Bytes()
+	if err != nil {
+		if err != redis.Nil {
+			slog.Warn("tls_fp_profile_cache_get_failed", "error", err)
+		}
+		return nil, false
+	}
+
+	var profiles []*model.TLSFingerprintProfile
+	if err := json.Unmarshal(data, &profiles); err != nil {
+		slog.Warn("tls_fp_profile_cache_unmarshal_failed", "error", err)
+		return nil, false
+	}
+
+	c.localMu.Lock()
+	c.localCache = profiles
+	c.localMu.Unlock()
+
+	return profiles, true
+}
+
+// Set 设置缓存
+func (c *tlsFingerprintProfileCache) Set(ctx context.Context, profiles []*model.TLSFingerprintProfile) error {
+	data, err := json.Marshal(profiles)
+	if err != nil {
+		return err
+	}
+
+	if err := c.rdb.Set(ctx, tlsFPProfileCacheKey, data, tlsFPProfileCacheTTL).Err(); err != nil {
+		return err
+	}
+
+	c.localMu.Lock()
+	c.localCache = profiles
+	c.localMu.Unlock()
+
+	return nil
+}
+
+// Invalidate 使缓存失效
+func (c *tlsFingerprintProfileCache) Invalidate(ctx context.Context) error {
+	c.localMu.Lock()
+	c.localCache = nil
+	c.localMu.Unlock()
+
+	return c.rdb.Del(ctx, tlsFPProfileCacheKey).Err()
+}
+
+// NotifyUpdate 通知其他实例刷新缓存
+func (c *tlsFingerprintProfileCache) NotifyUpdate(ctx context.Context) error {
+	return c.rdb.Publish(ctx, tlsFPProfilePubSubKey, "refresh").Err()
+}
+
+// SubscribeUpdates 订阅缓存更新通知
+func (c *tlsFingerprintProfileCache) SubscribeUpdates(ctx context.Context, handler func()) {
+	go func() {
+		sub := c.rdb.Subscribe(ctx, tlsFPProfilePubSubKey)
+		defer func() { _ = sub.Close() }()
+
+		ch := sub.Channel()
+		for {
+			select {
+			case <-ctx.Done():
+				slog.Debug("tls_fp_profile_cache_subscriber_stopped", "reason", "context_done")
+				return
+			case msg := <-ch:
+				if msg == nil {
+					slog.Warn("tls_fp_profile_cache_subscriber_stopped", "reason", "channel_closed")
+					return
+				}
+				c.localMu.Lock()
+				c.localCache = nil
+				c.localMu.Unlock()
+
+				handler()
+			}
+		}
+	}()
+}

backend/internal/repository/tls_fingerprint_profile_repo.go

@@ -0,0 +1,213 @@
+package repository
+
+import (
+	"context"
+
+	"github.com/Wei-Shaw/sub2api/ent"
+	"github.com/Wei-Shaw/sub2api/ent/tlsfingerprintprofile"
+	"github.com/Wei-Shaw/sub2api/internal/model"
+	"github.com/Wei-Shaw/sub2api/internal/service"
+)
+
+type tlsFingerprintProfileRepository struct {
+	client *ent.Client
+}
+
+// NewTLSFingerprintProfileRepository 创建 TLS 指纹模板仓库
+func NewTLSFingerprintProfileRepository(client *ent.Client) service.TLSFingerprintProfileRepository {
+	return &tlsFingerprintProfileRepository{client: client}
+}
+
+// List 获取所有模板
+func (r *tlsFingerprintProfileRepository) List(ctx context.Context) ([]*model.TLSFingerprintProfile, error) {
+	profiles, err := r.client.TLSFingerprintProfile.Query().
+		Order(ent.Asc(tlsfingerprintprofile.FieldName)).
+		All(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	result := make([]*model.TLSFingerprintProfile, len(profiles))
+	for i, p := range profiles {
+		result[i] = r.toModel(p)
+	}
+	return result, nil
+}
+
+// GetByID 根据 ID 获取模板
+func (r *tlsFingerprintProfileRepository) GetByID(ctx context.Context, id int64) (*model.TLSFingerprintProfile, error) {
+	p, err := r.client.TLSFingerprintProfile.Get(ctx, id)
+	if err != nil {
+		if ent.IsNotFound(err) {
+			return nil, nil
+		}
+		return nil, err
+	}
+	return r.toModel(p), nil
+}
+
+// Create 创建模板
+func (r *tlsFingerprintProfileRepository) Create(ctx context.Context, p *model.TLSFingerprintProfile) (*model.TLSFingerprintProfile, error) {
+	builder := r.client.TLSFingerprintProfile.Create().
+		SetName(p.Name).
+		SetEnableGrease(p.EnableGREASE)
+
+	if p.Description != nil {
+		builder.SetDescription(*p.Description)
+	}
+	if len(p.CipherSuites) > 0 {
+		builder.SetCipherSuites(p.CipherSuites)
+	}
+	if len(p.Curves) > 0 {
+		builder.SetCurves(p.Curves)
+	}
+	if len(p.PointFormats) > 0 {
+		builder.SetPointFormats(p.PointFormats)
+	}
+	if len(p.SignatureAlgorithms) > 0 {
+		builder.SetSignatureAlgorithms(p.SignatureAlgorithms)
+	}
+	if len(p.ALPNProtocols) > 0 {
+		builder.SetAlpnProtocols(p.ALPNProtocols)
+	}
+	if len(p.SupportedVersions) > 0 {
+		builder.SetSupportedVersions(p.SupportedVersions)
+	}
+	if len(p.KeyShareGroups) > 0 {
+		builder.SetKeyShareGroups(p.KeyShareGroups)
+	}
+	if len(p.PSKModes) > 0 {
+		builder.SetPskModes(p.PSKModes)
+	}
+	if len(p.Extensions) > 0 {
+		builder.SetExtensions(p.Extensions)
+	}
+
+	created, err := builder.Save(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return r.toModel(created), nil
+}
+
+// Update 更新模板
+func (r *tlsFingerprintProfileRepository) Update(ctx context.Context, p *model.TLSFingerprintProfile) (*model.TLSFingerprintProfile, error) {
+	builder := r.client.TLSFingerprintProfile.UpdateOneID(p.ID).
+		SetName(p.Name).
+		SetEnableGrease(p.EnableGREASE)
+
+	if p.Description != nil {
+		builder.SetDescription(*p.Description)
+	} else {
+		builder.ClearDescription()
+	}
+
+	if len(p.CipherSuites) > 0 {
+		builder.SetCipherSuites(p.CipherSuites)
+	} else {
+		builder.ClearCipherSuites()
+	}
+	if len(p.Curves) > 0 {
+		builder.SetCurves(p.Curves)
+	} else {
+		builder.ClearCurves()
+	}
+	if len(p.PointFormats) > 0 {
+		builder.SetPointFormats(p.PointFormats)
+	} else {
+		builder.ClearPointFormats()
+	}
+	if len(p.SignatureAlgorithms) > 0 {
+		builder.SetSignatureAlgorithms(p.SignatureAlgorithms)
+	} else {
+		builder.ClearSignatureAlgorithms()
+	}
+	if len(p.ALPNProtocols) > 0 {
+		builder.SetAlpnProtocols(p.ALPNProtocols)
+	} else {
+		builder.ClearAlpnProtocols()
+	}
+	if len(p.SupportedVersions) > 0 {
+		builder.SetSupportedVersions(p.SupportedVersions)
+	} else {
+		builder.ClearSupportedVersions()
+	}
+	if len(p.KeyShareGroups) > 0 {
+		builder.SetKeyShareGroups(p.KeyShareGroups)
+	} else {
+		builder.ClearKeyShareGroups()
+	}
+	if len(p.PSKModes) > 0 {
+		builder.SetPskModes(p.PSKModes)
+	} else {
+		builder.ClearPskModes()
+	}
+	if len(p.Extensions) > 0 {
+		builder.SetExtensions(p.Extensions)
+	} else {
+		builder.ClearExtensions()
+	}
+
+	updated, err := builder.Save(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return r.toModel(updated), nil
+}
+
+// Delete 删除模板
+func (r *tlsFingerprintProfileRepository) Delete(ctx context.Context, id int64) error {
+	return r.client.TLSFingerprintProfile.DeleteOneID(id).Exec(ctx)
+}
+
+// toModel 将 Ent 实体转换为服务模型
+func (r *tlsFingerprintProfileRepository) toModel(e *ent.TLSFingerprintProfile) *model.TLSFingerprintProfile {
+	p := &model.TLSFingerprintProfile{
+		ID:                  e.ID,
+		Name:                e.Name,
+		Description:         e.Description,
+		EnableGREASE:        e.EnableGrease,
+		CipherSuites:        e.CipherSuites,
+		Curves:              e.Curves,
+		PointFormats:        e.PointFormats,
+		SignatureAlgorithms: e.SignatureAlgorithms,
+		ALPNProtocols:       e.AlpnProtocols,
+		SupportedVersions:   e.SupportedVersions,
+		KeyShareGroups:      e.KeyShareGroups,
+		PSKModes:            e.PskModes,
+		Extensions:          e.Extensions,
+		CreatedAt:           e.CreatedAt,
+		UpdatedAt:           e.UpdatedAt,
+	}
+
+	// 确保切片不为 nil
+	if p.CipherSuites == nil {
+		p.CipherSuites = []uint16{}
+	}
+	if p.Curves == nil {
+		p.Curves = []uint16{}
+	}
+	if p.PointFormats == nil {
+		p.PointFormats = []uint16{}
+	}
+	if p.SignatureAlgorithms == nil {
+		p.SignatureAlgorithms = []uint16{}
+	}
+	if p.ALPNProtocols == nil {
+		p.ALPNProtocols = []string{}
+	}
+	if p.SupportedVersions == nil {
+		p.SupportedVersions = []uint16{}
+	}
+	if p.KeyShareGroups == nil {
+		p.KeyShareGroups = []uint16{}
+	}
+	if p.PSKModes == nil {
+		p.PSKModes = []uint16{}
+	}
+	if p.Extensions == nil {
+		p.Extensions = []uint16{}
+	}
+
+	return p
+}

backend/internal/repository/wire.go

@@ -73,6 +73,7 @@ var ProviderSet = wire.NewSet(
 	NewUserAttributeValueRepository,
 	NewUserGroupRateRepository,
 	NewErrorPassthroughRepository,
+	NewTLSFingerprintProfileRepository,
 
 	// Cache implementations
 	NewGatewayCache,
@@ -96,6 +97,7 @@ var ProviderSet = wire.NewSet(
 	NewTotpCache,
 	NewRefreshTokenCache,
 	NewErrorPassthroughCache,
+	NewTLSFingerprintProfileCache,
 
 	// Encryptors
 	NewAESEncryptor,