From dad970f739dee09d7e9693e93a86eb6fa9017909 Mon Sep 17 00:00:00 2001
From: win <win@windeMacBook-Pro.local>
Date: Fri, 10 Apr 2026 23:13:21 +0800
Subject: [PATCH] fix: Enable TLS fingerprint routing for Antigravity API
 requests

**Bug Fix**: TLS fingerprint routing was disabled by default
- isTLSFingerprintRoutingEnabled() was checking NodeTLSProxy.Enabled (default: false)
- Should check TLSFingerprint.Enabled (default: true)
- This caused all Antigravity requests to lack proper TLS fingerprinting

**Changes**:
- Use correct config flag: s.cfg.Gateway.TLSFingerprint.Enabled
- Add cloudcode-pa.googleapis.com and daily sandbox variant to default routing list
- Requests now properly emulate Claude CLI (Node.js 24.x) TLS fingerprint

**Impact**:
- Antigravity API requests now use JA3/JA4 fingerprinting to avoid 503 monitoring blocks
- Proper TLS handshake matching real Claude IDE behavior
- Fixes 'context deadline exceeded' and intermittent 503 errors

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
---
 .../repository/http_upstream_antigravity.go      | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/backend/internal/repository/http_upstream_antigravity.go b/backend/internal/repository/http_upstream_antigravity.go
index 0d0e0550..2501b4a8 100644
--- a/backend/internal/repository/http_upstream_antigravity.go
+++ b/backend/internal/repository/http_upstream_antigravity.go
@@ -23,17 +23,17 @@ import (
 )
 
 // isTLSFingerprintRoutingEnabled 检查 TLS 指纹路由是否启用
-// 复用 NodeTLSProxy.Enabled 配置项，保持配置兼容
+// 使用 TLSFingerprint.Enabled 配置项（而不是旧的 NodeTLSProxy.Enabled）
 func (s *httpUpstreamService) isTLSFingerprintRoutingEnabled() bool {
 	if s.cfg == nil {
 		return false
 	}
-	return s.cfg.Gateway.NodeTLSProxy.Enabled
+	return s.cfg.Gateway.TLSFingerprint.Enabled
 }
 
 // shouldRouteWithTLSFingerprint 判断请求是否应该使用 TLS 指纹
-// 仅拦截目标主机在 proxy_hosts 白名单中的 HTTPS 请求，
-// 白名单为空时默认只代理 api.anthropic.com。
+// 拦截目标主机在 proxy_hosts 白名单中的 HTTPS 请求
+// 白名单为空时默认代理 api.anthropic.com 和 Antigravity API 主机
 func (s *httpUpstreamService) shouldRouteWithTLSFingerprint(req *http.Request) bool {
 	if req == nil || req.URL == nil || req.URL.Scheme != "https" {
 		return false
@@ -45,7 +45,13 @@ func (s *httpUpstreamService) shouldRouteWithTLSFingerprint(req *http.Request) b
 
 	hosts := s.cfg.Gateway.NodeTLSProxy.ProxyHosts
 	if len(hosts) == 0 {
-		return reqHost == "api.anthropic.com"
+		// 默认白名单：api.anthropic.com 和 Antigravity API 主机
+		defaultHosts := map[string]bool{
+			"api.anthropic.com":           true,
+			"cloudcode-pa.googleapis.com": true,
+			"daily-cloudcode-pa.sandbox.googleapis.com": true,
+		}
+		return defaultHosts[reqHost]
 	}
 	for _, h := range hosts {
 		if reqHost == h {