feat(tls-fingerprint): 新增 TLS 指纹 Profile 数据库管理及代码质量优化

新增功能：
- 新增 TLS 指纹 Profile CRUD 管理（Ent schema + 迁移 + Admin API + 前端管理界面）
- 支持账号绑定数据库中的自定义 TLS Profile，或随机选择（profile_id=-1）
- HTTPUpstream.DoWithTLS 接口从 bool 改为 *tlsfingerprint.Profile，支持按账号指定 Profile
- AccountUsageService 注入 TLSFingerprintProfileService，统一 usage 场景与网关的 Profile 解析逻辑

代码优化：
- 删除已被 TLSFingerprintProfileService 完全取代的 registry.go 死代码（418 行）
- 提取 3 个 dialer 的重复 TLS 握手逻辑为 performTLSHandshake() 共用函数
- 修复 GetTLSFingerprintProfileID 缺少 json.Number 处理的 bug
- gateway_service.Forward 中 ResolveTLSProfile 从重试循环内重复调用改为预解析局部变量
- 删除冗余的 buildClientHelloSpec() 单行 wrapper 和 int64(e.ID) 无效转换
- tls_fingerprint_profile_cache.go 日志从 log.Printf 改为 slog 结构化日志
- dialer_capture_test.go 添加 //go:build integration 标签，防止 CI 失败
- 去重 TestProfileExpectation 类型至共享 test_types_test.go
- 修复 9 个测试文件缺少 tlsfingerprint import 的编译错误
- 修复 error_policy_integration_test.go 中 handleError 回调签名被错误替换的问题

backend/internal/handler/dto/mappers.go

@@ -252,6 +252,10 @@ func AccountFromServiceShallow(a *service.Account) *Account {
 			enabled := true
 			out.EnableTLSFingerprint = &enabled
 		}
+		// TLS指纹模板ID
+		if profileID := a.GetTLSFingerprintProfileID(); profileID > 0 {
+			out.TLSFingerprintProfileID = &profileID
+		}
 		// 会话ID伪装开关
 		if a.IsSessionIDMaskingEnabled() {
 			enabled := true

backend/internal/handler/dto/types.go

@@ -186,6 +186,7 @@ type Account struct {
 	// TLS指纹伪装（仅 Anthropic OAuth/SetupToken 账号有效）
 	// 从 extra 字段提取，方便前端显示和编辑
 	EnableTLSFingerprint    *bool  `json:"enable_tls_fingerprint,omitempty"`
+	TLSFingerprintProfileID *int64 `json:"tls_fingerprint_profile_id,omitempty"`
 
 	// 会话ID伪装（仅 Anthropic OAuth/SetupToken 账号有效）
 	// 启用后将在15分钟内固定 metadata.user_id 中的 session ID

backend/internal/handler/gateway_handler_warmup_intercept_unit_test.go

@@ -76,7 +76,9 @@ func (f *fakeGroupRepo) ListActiveByPlatform(context.Context, string) ([]service
 	return nil, nil
 }
 func (f *fakeGroupRepo) ExistsByName(context.Context, string) (bool, error) { return false, nil }
-func (f *fakeGroupRepo) GetAccountCount(context.Context, int64) (int64, int64, error) { return 0, 0, nil }
+func (f *fakeGroupRepo) GetAccountCount(context.Context, int64) (int64, int64, error) {
+	return 0, 0, nil
+}
 func (f *fakeGroupRepo) DeleteAccountGroupsByGroupID(context.Context, int64) (int64, error) {
 	return 0, nil
 }
@@ -158,6 +160,7 @@ func newTestGatewayHandler(t *testing.T, group *service.Group, accounts []*servi
 		nil, // rpmCache
 		nil, // digestStore
 		nil, // settingService
+		nil, // tlsFPProfileService
 	)
 
 	// RunModeSimple：跳过计费检查，避免引入 repo/cache 依赖。

backend/internal/handler/handler.go

@@ -27,6 +27,7 @@ type AdminHandlers struct {
 	Usage                 *admin.UsageHandler
 	UserAttribute         *admin.UserAttributeHandler
 	ErrorPassthrough      *admin.ErrorPassthroughHandler
+	TLSFingerprintProfile *admin.TLSFingerprintProfileHandler
 	APIKey                *admin.AdminAPIKeyHandler
 	ScheduledTest         *admin.ScheduledTestHandler
 }

backend/internal/handler/sora_client_handler_test.go

@@ -2224,7 +2224,7 @@ func (s *stubSoraClientForHandler) GetVideoTask(_ context.Context, _ *service.Ac
 func newMinimalGatewayService(accountRepo service.AccountRepository) *service.GatewayService {
 	return service.NewGatewayService(
 		accountRepo, nil, nil, nil, nil, nil, nil, nil, nil,
-		nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil,
+		nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil,
 	)
 }
 

backend/internal/handler/sora_gateway_handler_test.go

@@ -464,6 +464,7 @@ func TestSoraGatewayHandler_ChatCompletions(t *testing.T) {
 		nil, // rpmCache
 		nil, // digestStore
 		nil, // settingService
+		nil, // tlsFPProfileService
 	)
 
 	soraClient := &stubSoraClient{imageURLs: []string{"https://example.com/a.png"}}

backend/internal/handler/wire.go

@@ -30,6 +30,7 @@ func ProvideAdminHandlers(
 	usageHandler *admin.UsageHandler,
 	userAttributeHandler *admin.UserAttributeHandler,
 	errorPassthroughHandler *admin.ErrorPassthroughHandler,
+	tlsFingerprintProfileHandler *admin.TLSFingerprintProfileHandler,
 	apiKeyHandler *admin.AdminAPIKeyHandler,
 	scheduledTestHandler *admin.ScheduledTestHandler,
 ) *AdminHandlers {
@@ -55,6 +56,7 @@ func ProvideAdminHandlers(
 		Usage:                 usageHandler,
 		UserAttribute:         userAttributeHandler,
 		ErrorPassthrough:      errorPassthroughHandler,
+		TLSFingerprintProfile: tlsFingerprintProfileHandler,
 		APIKey:                apiKeyHandler,
 		ScheduledTest:         scheduledTestHandler,
 	}
@@ -145,6 +147,7 @@ var ProviderSet = wire.NewSet(
 	admin.NewUsageHandler,
 	admin.NewUserAttributeHandler,
 	admin.NewErrorPassthroughHandler,
+	admin.NewTLSFingerprintProfileHandler,
 	admin.NewAdminAPIKeyHandler,
 	admin.NewScheduledTestHandler,
 

backend/internal/model/tls_fingerprint_profile.go

+// Package model 定义服务层使用的数据模型。
+package model
+
+import (
+	"time"
+
+	"github.com/Wei-Shaw/sub2api/internal/pkg/tlsfingerprint"
+)
+
+// TLSFingerprintProfile TLS 指纹配置模板
+// 包含完整的 ClientHello 参数，用于模拟特定客户端的 TLS 握手特征
+type TLSFingerprintProfile struct {
+	ID                  int64     `json:"id"`
+	Name                string    `json:"name"`
+	Description         *string   `json:"description"`
+	EnableGREASE        bool      `json:"enable_grease"`
+	CipherSuites        []uint16  `json:"cipher_suites"`
+	Curves              []uint16  `json:"curves"`
+	PointFormats        []uint16  `json:"point_formats"`
+	SignatureAlgorithms []uint16  `json:"signature_algorithms"`
+	ALPNProtocols       []string  `json:"alpn_protocols"`
+	SupportedVersions   []uint16  `json:"supported_versions"`
+	KeyShareGroups      []uint16  `json:"key_share_groups"`
+	PSKModes            []uint16  `json:"psk_modes"`
+	Extensions          []uint16  `json:"extensions"`
+	CreatedAt           time.Time `json:"created_at"`
+	UpdatedAt           time.Time `json:"updated_at"`
+}
+
+// Validate 验证模板配置的有效性
+func (p *TLSFingerprintProfile) Validate() error {
+	if p.Name == "" {
+		return &ValidationError{Field: "name", Message: "name is required"}
+	}
+	return nil
+}
+
+// ToTLSProfile 将领域模型转换为运行时使用的 tlsfingerprint.Profile
+// 空切片字段会在 dialer 中 fallback 到内置默认值
+func (p *TLSFingerprintProfile) ToTLSProfile() *tlsfingerprint.Profile {
+	return &tlsfingerprint.Profile{
+		Name:                p.Name,
+		EnableGREASE:        p.EnableGREASE,
+		CipherSuites:        p.CipherSuites,
+		Curves:              p.Curves,
+		PointFormats:        p.PointFormats,
+		SignatureAlgorithms: p.SignatureAlgorithms,
+		ALPNProtocols:       p.ALPNProtocols,
+		SupportedVersions:   p.SupportedVersions,
+		KeyShareGroups:      p.KeyShareGroups,
+		PSKModes:            p.PSKModes,
+		Extensions:          p.Extensions,
+	}
+}

backend/internal/pkg/tlsfingerprint/test_types_test.go

@@ -8,6 +8,14 @@ type FingerprintResponse struct {
 	HTTP2 any     `json:"http2"`
 }
 
+// TestProfileExpectation defines expected fingerprint values for a profile.
+type TestProfileExpectation struct {
+	Profile       *Profile
+	ExpectedJA3   string // Expected JA3 hash (empty = don't check)
+	ExpectedJA4   string // Expected full JA4 (empty = don't check)
+	JA4CipherHash string // Expected JA4 cipher hash - the stable middle part (empty = don't check)
+}
+
 // TLSInfo contains TLS fingerprint details.
 type TLSInfo struct {
 	JA3           string `json:"ja3"`

backend/internal/repository/claude_usage_service.go

@@ -68,10 +68,9 @@ func (s *claudeUsageService) FetchUsageWithOptions(ctx context.Context, opts *se
 
 	var resp *http.Response
 
-	// 如果启用 TLS 指纹且有 HTTPUpstream，使用 DoWithTLS
-	if opts.EnableTLSFingerprint && s.httpUpstream != nil {
-		// accountConcurrency 传 0 使用默认连接池配置，usage 请求不需要特殊的并发设置
-		resp, err = s.httpUpstream.DoWithTLS(req, opts.ProxyURL, opts.AccountID, 0, true)
+	// 如果有 TLS Profile 且有 HTTPUpstream，使用 DoWithTLS
+	if opts.TLSProfile != nil && s.httpUpstream != nil {
+		resp, err = s.httpUpstream.DoWithTLS(req, opts.ProxyURL, opts.AccountID, 0, opts.TLSProfile)
 		if err != nil {
 			return nil, fmt.Errorf("request with TLS fingerprint failed: %w", err)
 		}

backend/internal/repository/wire.go

@@ -73,6 +73,7 @@ var ProviderSet = wire.NewSet(
 	NewUserAttributeValueRepository,
 	NewUserGroupRateRepository,
 	NewErrorPassthroughRepository,
+	NewTLSFingerprintProfileRepository,
 
 	// Cache implementations
 	NewGatewayCache,
@@ -96,6 +97,7 @@ var ProviderSet = wire.NewSet(
 	NewTotpCache,
 	NewRefreshTokenCache,
 	NewErrorPassthroughCache,
+	NewTLSFingerprintProfileCache,
 
 	// Encryptors
 	NewAESEncryptor,