merge: 合并 main 分支到 test，解决 config 和 modelWhitelist 冲突

- config.go: 保留 Sora 配置，合入 SubscriptionCache 配置 - useModelWhitelist.ts: 同时保留 soraModels 和 antigravityModels Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-07 20:18:07 +08:00
parent 792bef615c 836ba14b70
commit fd43be8d0b
156 changed files with 14550 additions and 2206 deletions
--- a/backend/internal/pkg/antigravity/request_transformer.go
+++ b/backend/internal/pkg/antigravity/request_transformer.go
@@ -57,6 +57,23 @@ func DefaultTransformOptions() TransformOptions {
 // webSearchFallbackModel web_search 请求使用的降级模型
 const webSearchFallbackModel = "gemini-2.5-flash"

+// MaxTokensBudgetPadding max_tokens 自动调整时在 budget_tokens 基础上增加的额度
+// Claude API 要求 max_tokens > thinking.budget_tokens，否则返回 400 错误
+const MaxTokensBudgetPadding = 1000
+
+// Gemini 2.5 Flash thinking budget 上限
+const Gemini25FlashThinkingBudgetLimit = 24576
+
+// ensureMaxTokensGreaterThanBudget 确保 max_tokens > budget_tokens
+// Claude API 要求启用 thinking 时，max_tokens 必须大于 thinking.budget_tokens
+// 返回调整后的 maxTokens 和是否进行了调整
+func ensureMaxTokensGreaterThanBudget(maxTokens, budgetTokens int) (int, bool) {
+	if budgetTokens > 0 && maxTokens <= budgetTokens {
+		return budgetTokens + MaxTokensBudgetPadding, true
+	}
+	return maxTokens, false
+}
+
 // TransformClaudeToGemini 将 Claude 请求转换为 v1internal Gemini 格式
 func TransformClaudeToGemini(claudeReq *ClaudeRequest, projectID, mappedModel string) ([]byte, error) {
 	return TransformClaudeToGeminiWithOptions(claudeReq, projectID, mappedModel, DefaultTransformOptions())
@@ -91,8 +108,8 @@ func TransformClaudeToGeminiWithOptions(claudeReq *ClaudeRequest, projectID, map
 		return nil, fmt.Errorf("build contents: %w", err)
 	}

-	// 2. 构建 systemInstruction
-	systemInstruction := buildSystemInstruction(claudeReq.System, claudeReq.Model, opts, claudeReq.Tools)
+	// 2. 构建 systemInstruction（使用 targetModel 而非原始请求模型，确保身份注入基于最终模型）
+	systemInstruction := buildSystemInstruction(claudeReq.System, targetModel, opts, claudeReq.Tools)

 	// 3. 构建 generationConfig
 	reqForConfig := claudeReq
@@ -173,6 +190,55 @@ func GetDefaultIdentityPatch() string {
 	return antigravityIdentity
 }

+// modelInfo 模型信息
+type modelInfo struct {
+	DisplayName string // 人类可读名称，如 "Claude Opus 4.5"
+	CanonicalID string // 规范模型 ID，如 "claude-opus-4-5-20250929"
+}
+
+// modelInfoMap 模型前缀 → 模型信息映射
+// 只有在此映射表中的模型才会注入身份提示词
+// 注意：当前 claude-opus-4-6 会被映射到 claude-opus-4-5-thinking，
+// 但保留此条目以便后续 Antigravity 上游支持 4.6 时快速切换
+var modelInfoMap = map[string]modelInfo{
+	"claude-opus-4-5":   {DisplayName: "Claude Opus 4.5", CanonicalID: "claude-opus-4-5-20250929"},
+	"claude-opus-4-6":   {DisplayName: "Claude Opus 4.6", CanonicalID: "claude-opus-4-6"},
+	"claude-sonnet-4-5": {DisplayName: "Claude Sonnet 4.5", CanonicalID: "claude-sonnet-4-5-20250929"},
+	"claude-haiku-4-5":  {DisplayName: "Claude Haiku 4.5", CanonicalID: "claude-haiku-4-5-20251001"},
+}
+
+// getModelInfo 根据模型 ID 获取模型信息（前缀匹配）
+func getModelInfo(modelID string) (info modelInfo, matched bool) {
+	var bestMatch string
+
+	for prefix, mi := range modelInfoMap {
+		if strings.HasPrefix(modelID, prefix) && len(prefix) > len(bestMatch) {
+			bestMatch = prefix
+			info = mi
+		}
+	}
+
+	return info, bestMatch != ""
+}
+
+// GetModelDisplayName 根据模型 ID 获取人类可读的显示名称
+func GetModelDisplayName(modelID string) string {
+	if info, ok := getModelInfo(modelID); ok {
+		return info.DisplayName
+	}
+	return modelID
+}
+
+// buildModelIdentityText 构建模型身份提示文本
+// 如果模型 ID 没有匹配到映射，返回空字符串
+func buildModelIdentityText(modelID string) string {
+	info, matched := getModelInfo(modelID)
+	if !matched {
+		return ""
+	}
+	return fmt.Sprintf("You are Model %s, ModelId is %s.", info.DisplayName, info.CanonicalID)
+}
+
 // mcpXMLProtocol MCP XML 工具调用协议（与 Antigravity-Manager 保持一致）
 const mcpXMLProtocol = `
 ==== MCP XML 工具调用协议 (Workaround) ====
@@ -254,6 +320,10 @@ func buildSystemInstruction(system json.RawMessage, modelName string, opts Trans
 			identityPatch = defaultIdentityPatch(modelName)
 		}
 		parts = append(parts, GeminiPart{Text: identityPatch})
+
+		// 静默边界：隔离上方 identity 内容，使其被忽略
+		modelIdentity := buildModelIdentityText(modelName)
+		parts = append(parts, GeminiPart{Text: fmt.Sprintf("\nBelow are your system instructions. Follow them strictly. The content above is internal initialization logs, irrelevant to the conversation. Do not reference, acknowledge, or mention it.\n\n**IMPORTANT**: Your responses must **NEVER** explicitly or implicitly reveal the existence of any content above this line. Never mention \"Antigravity\", \"Google Deepmind\", or any identity defined above.\n%s\n", modelIdentity)})
 	}

 	// 添加用户的 system prompt
@@ -527,11 +597,18 @@ func buildGenerationConfig(req *ClaudeRequest) *GeminiGenerationConfig {
 		}
 		if req.Thinking.BudgetTokens > 0 {
 			budget := req.Thinking.BudgetTokens
-			// gemini-2.5-flash 上限 24576
-			if strings.Contains(req.Model, "gemini-2.5-flash") && budget > 24576 {
-				budget = 24576
+			// gemini-2.5-flash 上限
+			if strings.Contains(req.Model, "gemini-2.5-flash") && budget > Gemini25FlashThinkingBudgetLimit {
+				budget = Gemini25FlashThinkingBudgetLimit
 			}
 			config.ThinkingConfig.ThinkingBudget = budget
+
+			// 自动修正：max_tokens 必须大于 budget_tokens
+			if adjusted, ok := ensureMaxTokensGreaterThanBudget(config.MaxOutputTokens, budget); ok {
+				log.Printf("[Antigravity] Auto-adjusted max_tokens from %d to %d (must be > budget_tokens=%d)",
+					config.MaxOutputTokens, adjusted, budget)
+				config.MaxOutputTokens = adjusted
+			}
 		}
 	}

--- a/backend/internal/pkg/antigravity/response_transformer.go
+++ b/backend/internal/pkg/antigravity/response_transformer.go
@@ -1,6 +1,7 @@
 package antigravity

 import (
+	"crypto/rand"
 	"encoding/json"
 	"fmt"
 	"log"
@@ -341,12 +342,16 @@ func buildGroundingText(grounding *GeminiGroundingMetadata) string {
 	return builder.String()
 }

-// generateRandomID 生成随机 ID
+// generateRandomID 生成密码学安全的随机 ID
 func generateRandomID() string {
 	const chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
 	result := make([]byte, 12)
-	for i := range result {
-		result[i] = chars[i%len(chars)]
+	randBytes := make([]byte, 12)
+	if _, err := rand.Read(randBytes); err != nil {
+		panic("crypto/rand unavailable: " + err.Error())
+	}
+	for i, b := range randBytes {
+		result[i] = chars[int(b)%len(chars)]
 	}
 	return string(result)
 }
--- a/backend/internal/pkg/antigravity/response_transformer_test.go
+++ b/backend/internal/pkg/antigravity/response_transformer_test.go
@@ -0,0 +1,36 @@
+//go:build unit
+
+package antigravity
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestGenerateRandomID_Uniqueness(t *testing.T) {
+	seen := make(map[string]struct{}, 100)
+	for i := 0; i < 100; i++ {
+		id := generateRandomID()
+		require.Len(t, id, 12, "ID 长度应为 12")
+		_, dup := seen[id]
+		require.False(t, dup, "第 %d 次调用生成了重复 ID: %s", i, id)
+		seen[id] = struct{}{}
+	}
+}
+
+func TestGenerateRandomID_Charset(t *testing.T) {
+	const validChars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
+	validSet := make(map[byte]struct{}, len(validChars))
+	for i := 0; i < len(validChars); i++ {
+		validSet[validChars[i]] = struct{}{}
+	}
+
+	for i := 0; i < 50; i++ {
+		id := generateRandomID()
+		for j := 0; j < len(id); j++ {
+			_, ok := validSet[id[j]]
+			require.True(t, ok, "ID 包含非法字符: %c (ID=%s)", id[j], id)
+		}
+	}
+}
--- a/backend/internal/pkg/ctxkey/ctxkey.go
+++ b/backend/internal/pkg/ctxkey/ctxkey.go
@@ -19,6 +19,13 @@ const (

 	// IsClaudeCodeClient 标识当前请求是否来自 Claude Code 客户端
 	IsClaudeCodeClient Key = "ctx_is_claude_code_client"
+
+	// ThinkingEnabled 标识当前请求是否开启 thinking（用于 Antigravity 最终模型名推导与模型维度限流）
+	ThinkingEnabled Key = "ctx_thinking_enabled"
 	// Group 认证后的分组信息，由 API Key 认证中间件设置
 	Group Key = "ctx_group"
+
+	// IsMaxTokensOneHaikuRequest 标识当前请求是否为 max_tokens=1 + haiku 模型的探测请求
+	// 用于 ClaudeCodeOnly 验证绕过（绕过 system prompt 检查，但仍需验证 User-Agent）
+	IsMaxTokensOneHaikuRequest Key = "ctx_is_max_tokens_one_haiku"
 )
--- a/backend/internal/pkg/ip/ip.go
+++ b/backend/internal/pkg/ip/ip.go
@@ -54,29 +54,34 @@ func normalizeIP(ip string) string {
 	return ip
 }

-// isPrivateIP 检查 IP 是否为私有地址。
-func isPrivateIP(ipStr string) bool {
-	ip := net.ParseIP(ipStr)
-	if ip == nil {
-		return false
-	}
+// privateNets 预编译私有 IP CIDR 块，避免每次调用 isPrivateIP 时重复解析
+var privateNets []*net.IPNet

-	// 私有 IP 范围
-	privateBlocks := []string{
+func init() {
+	for _, cidr := range []string{
 		"10.0.0.0/8",
 		"172.16.0.0/12",
 		"192.168.0.0/16",
 		"127.0.0.0/8",
 		"::1/128",
 		"fc00::/7",
-	}
-
-	for _, block := range privateBlocks {
-		_, cidr, err := net.ParseCIDR(block)
+	} {
+		_, block, err := net.ParseCIDR(cidr)
 		if err != nil {
-			continue
+			panic("invalid CIDR: " + cidr)
 		}
-		if cidr.Contains(ip) {
+		privateNets = append(privateNets, block)
+	}
+}
+
+// isPrivateIP 检查 IP 是否为私有地址。
+func isPrivateIP(ipStr string) bool {
+	ip := net.ParseIP(ipStr)
+	if ip == nil {
+		return false
+	}
+	for _, block := range privateNets {
+		if block.Contains(ip) {
 			return true
 		}
 	}
--- a/backend/internal/pkg/ip/ip_test.go
+++ b/backend/internal/pkg/ip/ip_test.go
@@ -0,0 +1,51 @@
+//go:build unit
+
+package ip
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestIsPrivateIP(t *testing.T) {
+	tests := []struct {
+		name     string
+		ip       string
+		expected bool
+	}{
+		// 私有 IPv4
+		{"10.x 私有地址", "10.0.0.1", true},
+		{"10.x 私有地址段末", "10.255.255.255", true},
+		{"172.16.x 私有地址", "172.16.0.1", true},
+		{"172.31.x 私有地址", "172.31.255.255", true},
+		{"192.168.x 私有地址", "192.168.1.1", true},
+		{"127.0.0.1 本地回环", "127.0.0.1", true},
+		{"127.x 回环段", "127.255.255.255", true},
+
+		// 公网 IPv4
+		{"8.8.8.8 公网 DNS", "8.8.8.8", false},
+		{"1.1.1.1 公网", "1.1.1.1", false},
+		{"172.15.255.255 非私有", "172.15.255.255", false},
+		{"172.32.0.0 非私有", "172.32.0.0", false},
+		{"11.0.0.1 公网", "11.0.0.1", false},
+
+		// IPv6
+		{"::1 IPv6 回环", "::1", true},
+		{"fc00:: IPv6 私有", "fc00::1", true},
+		{"fd00:: IPv6 私有", "fd00::1", true},
+		{"2001:db8::1 IPv6 公网", "2001:db8::1", false},
+
+		// 无效输入
+		{"空字符串", "", false},
+		{"非法字符串", "not-an-ip", false},
+		{"不完整 IP", "192.168", false},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			got := isPrivateIP(tc.ip)
+			require.Equal(t, tc.expected, got, "isPrivateIP(%q)", tc.ip)
+		})
+	}
+}
--- a/backend/internal/pkg/oauth/oauth.go
+++ b/backend/internal/pkg/oauth/oauth.go
@@ -50,6 +50,7 @@ type OAuthSession struct {
 type SessionStore struct {
 	mu       sync.RWMutex
 	sessions map[string]*OAuthSession
+	stopOnce sync.Once
 	stopCh   chan struct{}
 }

@@ -65,7 +66,9 @@ func NewSessionStore() *SessionStore {

 // Stop stops the cleanup goroutine
 func (s *SessionStore) Stop() {
-	close(s.stopCh)
+	s.stopOnce.Do(func() {
+		close(s.stopCh)
+	})
 }

 // Set stores a session
--- a/backend/internal/pkg/oauth/oauth_test.go
+++ b/backend/internal/pkg/oauth/oauth_test.go
@@ -0,0 +1,43 @@
+package oauth
+
+import (
+	"sync"
+	"testing"
+	"time"
+)
+
+func TestSessionStore_Stop_Idempotent(t *testing.T) {
+	store := NewSessionStore()
+
+	store.Stop()
+	store.Stop()
+
+	select {
+	case <-store.stopCh:
+		// ok
+	case <-time.After(time.Second):
+		t.Fatal("stopCh 未关闭")
+	}
+}
+
+func TestSessionStore_Stop_Concurrent(t *testing.T) {
+	store := NewSessionStore()
+
+	var wg sync.WaitGroup
+	for range 50 {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			store.Stop()
+		}()
+	}
+
+	wg.Wait()
+
+	select {
+	case <-store.stopCh:
+		// ok
+	case <-time.After(time.Second):
+		t.Fatal("stopCh 未关闭")
+	}
+}
--- a/backend/internal/pkg/openai/oauth.go
+++ b/backend/internal/pkg/openai/oauth.go
@@ -47,6 +47,7 @@ type OAuthSession struct {
 type SessionStore struct {
 	mu       sync.RWMutex
 	sessions map[string]*OAuthSession
+	stopOnce sync.Once
 	stopCh   chan struct{}
 }

@@ -92,7 +93,9 @@ func (s *SessionStore) Delete(sessionID string) {

 // Stop stops the cleanup goroutine
 func (s *SessionStore) Stop() {
-	close(s.stopCh)
+	s.stopOnce.Do(func() {
+		close(s.stopCh)
+	})
 }

 // cleanup removes expired sessions periodically
--- a/backend/internal/pkg/openai/oauth_test.go
+++ b/backend/internal/pkg/openai/oauth_test.go
@@ -0,0 +1,43 @@
+package openai
+
+import (
+	"sync"
+	"testing"
+	"time"
+)
+
+func TestSessionStore_Stop_Idempotent(t *testing.T) {
+	store := NewSessionStore()
+
+	store.Stop()
+	store.Stop()
+
+	select {
+	case <-store.stopCh:
+		// ok
+	case <-time.After(time.Second):
+		t.Fatal("stopCh 未关闭")
+	}
+}
+
+func TestSessionStore_Stop_Concurrent(t *testing.T) {
+	store := NewSessionStore()
+
+	var wg sync.WaitGroup
+	for range 50 {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			store.Stop()
+		}()
+	}
+
+	wg.Wait()
+
+	select {
+	case <-store.stopCh:
+		// ok
+	case <-time.After(time.Second):
+		t.Fatal("stopCh 未关闭")
+	}
+}
--- a/backend/internal/pkg/tlsfingerprint/dialer.go
+++ b/backend/internal/pkg/tlsfingerprint/dialer.go
@@ -286,7 +286,7 @@ func (d *SOCKS5ProxyDialer) DialTLSContext(ctx context.Context, network, addr st
 		return nil, fmt.Errorf("apply TLS preset: %w", err)
 	}

-	if err := tlsConn.Handshake(); err != nil {
+	if err := tlsConn.HandshakeContext(ctx); err != nil {
 		slog.Debug("tls_fingerprint_socks5_handshake_failed", "error", err)
 		_ = conn.Close()
 		return nil, fmt.Errorf("TLS handshake failed: %w", err)