feat(proxy): align codex header and continuity defaults

Author: DeliciousBuding

main.go

@@ -149,10 +149,8 @@ func main() {
 	r.Use(security.RequestSizeLimiter(security.MaxRequestBodySize))
 
 	// handler 不再接收 cfg.APIKeys
-	// 从环境变量读取设备指纹配置（后续可从数据库配置）
-	deviceCfg := &proxy.DeviceProfileConfig{
-		StabilizeDeviceProfile: os.Getenv("STABILIZE_DEVICE_PROFILE") == "true",
-	}
+	// 从环境变量读取 Codex 画像与 Beta 配置。
+	deviceCfg := proxy.DeviceProfileConfigFromEnv(os.Getenv)
 	handler := proxy.NewHandler(store, db, cfg, deviceCfg)
 
 	// 注册 WebSocket 执行函数（避免 proxy ↔ wsrelay 循环依赖）

proxy/device_profile.go

@@ -40,6 +40,7 @@ type DeviceProfileConfig struct {
 	OS                     string
 	Arch                   string
 	StabilizeDeviceProfile bool
+	BetaFeatures           string
 }
 
 // CLIVersion 表示 Codex CLI 版本
@@ -95,6 +96,25 @@ func IsDeviceProfileStabilizationEnabled(cfg *DeviceProfileConfig) bool {
 	return cfg.StabilizeDeviceProfile
 }
 
+// DeviceProfileConfigFromEnv loads Codex header defaults from environment variables.
+func DeviceProfileConfigFromEnv(lookup func(string) string) *DeviceProfileConfig {
+	if lookup == nil {
+		lookup = func(string) string { return "" }
+	}
+	trimmed := func(key string) string {
+		return strings.TrimSpace(lookup(key))
+	}
+	return &DeviceProfileConfig{
+		UserAgent:              trimmed("CODEX_USER_AGENT"),
+		PackageVersion:         trimmed("CODEX_PACKAGE_VERSION"),
+		RuntimeVersion:         trimmed("CODEX_RUNTIME_VERSION"),
+		OS:                     trimmed("CODEX_OS"),
+		Arch:                   trimmed("CODEX_ARCH"),
+		StabilizeDeviceProfile: strings.EqualFold(trimmed("STABILIZE_DEVICE_PROFILE"), "true"),
+		BetaFeatures:           trimmed("CODEX_BETA_FEATURES"),
+	}
+}
+
 func defaultDeviceProfile(cfg *DeviceProfileConfig) deviceProfile {
 	// 如果 cfg 为 nil，使用默认空配置兜底
 	if cfg == nil {

proxy/device_profile_env_test.go

@@ -0,0 +1,51 @@
+package proxy
+
+import "testing"
+
+func TestDeviceProfileConfigFromEnv(t *testing.T) {
+	cfg := DeviceProfileConfigFromEnv(func(key string) string {
+		switch key {
+		case "STABILIZE_DEVICE_PROFILE":
+			return "true"
+		case "CODEX_USER_AGENT":
+			return "codex_cli_rs/0.120.0 (Mac OS 15.5.0; arm64) Apple_Terminal/464"
+		case "CODEX_PACKAGE_VERSION":
+			return "0.120.0"
+		case "CODEX_RUNTIME_VERSION":
+			return "0.120.0"
+		case "CODEX_OS":
+			return "MacOS"
+		case "CODEX_ARCH":
+			return "arm64"
+		case "CODEX_BETA_FEATURES":
+			return "multi_agent"
+		default:
+			return ""
+		}
+	})
+
+	if cfg == nil {
+		t.Fatal("expected config")
+	}
+	if !cfg.StabilizeDeviceProfile {
+		t.Fatal("expected device profile stabilization to be enabled")
+	}
+	if cfg.UserAgent != "codex_cli_rs/0.120.0 (Mac OS 15.5.0; arm64) Apple_Terminal/464" {
+		t.Fatalf("UserAgent = %q", cfg.UserAgent)
+	}
+	if cfg.PackageVersion != "0.120.0" {
+		t.Fatalf("PackageVersion = %q", cfg.PackageVersion)
+	}
+	if cfg.RuntimeVersion != "0.120.0" {
+		t.Fatalf("RuntimeVersion = %q", cfg.RuntimeVersion)
+	}
+	if cfg.OS != "MacOS" {
+		t.Fatalf("OS = %q", cfg.OS)
+	}
+	if cfg.Arch != "arm64" {
+		t.Fatalf("Arch = %q", cfg.Arch)
+	}
+	if cfg.BetaFeatures != "multi_agent" {
+		t.Fatalf("BetaFeatures = %q", cfg.BetaFeatures)
+	}
+}

proxy/executor.go

@@ -132,7 +132,7 @@ const (
 )
 
 // WebsocketExecuteFunc WebSocket 执行函数（由 wsrelay 包在 main.go 中注册，避免循环依赖）
-var WebsocketExecuteFunc func(ctx context.Context, account *auth.Account, requestBody []byte, sessionID string, proxyOverride string) (*http.Response, error)
+var WebsocketExecuteFunc func(ctx context.Context, account *auth.Account, requestBody []byte, sessionID string, proxyOverride string, apiKey string, deviceCfg *DeviceProfileConfig, headers http.Header) (*http.Response, error)
 
 // ExecuteRequest 向 Codex 上游发送请求
 // sessionID 可选，用于 prompt cache 会话绑定
@@ -141,7 +141,7 @@ var WebsocketExecuteFunc func(ctx context.Context, account *auth.Account, reques
 func ExecuteRequest(ctx context.Context, account *auth.Account, requestBody []byte, sessionID string, proxyOverride string, apiKey string, deviceCfg *DeviceProfileConfig, headers http.Header, useWebsocket ...bool) (*http.Response, error) {
 	// 检查是否使用 WebSocket
 	if len(useWebsocket) > 0 && useWebsocket[0] && WebsocketExecuteFunc != nil {
-		return WebsocketExecuteFunc(ctx, account, requestBody, sessionID, proxyOverride)
+		return WebsocketExecuteFunc(ctx, account, requestBody, sessionID, proxyOverride, apiKey, deviceCfg, headers)
 	}
 
 	if ctx == nil {
@@ -150,7 +150,6 @@ func ExecuteRequest(ctx context.Context, account *auth.Account, requestBody []by
 
 	account.Mu().RLock()
 	accessToken := account.AccessToken
-	accountID := account.AccountID
 	proxyURL := account.ProxyURL
 	account.Mu().RUnlock()
 
@@ -193,67 +192,103 @@ func ExecuteRequest(ctx context.Context, account *auth.Account, requestBody []by
 	}
 
 	// ==================== 请求头（伪装 Codex CLI） ====================
-	// 应用设备指纹稳定化
+	applyCodexRequestHeaders(req, account, accessToken, cacheKey, apiKey, deviceCfg, headers)
+
+	// 获取连接池 HTTP 客户端（账号级隔离，复用 TCP/TLS 连接）
+	client := getPooledClient(account, proxyURL)
+
+	resp, err := client.Do(req)
+	if err != nil {
+		if shouldRecyclePooledClient(err) {
+			recyclePooledClient(account, proxyURL)
+		}
+		return nil, ErrUpstream(0, "请求上游失败", err)
+	}
+
+	return resp, nil
+}
+
+func codexVersionFromProfile(profile deviceProfile, fallback string) string {
+	if profile.HasVersion {
+		return fmt.Sprintf("%d.%d.%d", profile.Version.major, profile.Version.minor, profile.Version.patch)
+	}
+	return strings.TrimSpace(fallback)
+}
+
+func applyCodexRequestHeaders(req *http.Request, account *auth.Account, accessToken, cacheKey, apiKey string, deviceCfg *DeviceProfileConfig, downstreamHeaders http.Header) {
+	if req == nil {
+		return
+	}
+
+	accountID := ""
+	if account != nil {
+		account.Mu().RLock()
+		accountID = account.AccountID
+		account.Mu().RUnlock()
+	}
+
+	var profile deviceProfile
+	version := ""
 	if IsDeviceProfileStabilizationEnabled(deviceCfg) {
-		profile := ResolveDeviceProfile(account, apiKey, headers, deviceCfg)
+		profile = ResolveDeviceProfile(account, apiKey, downstreamHeaders, deviceCfg)
 		ApplyDeviceProfileHeaders(req, profile)
-		// 稳定化时也需要设置 Version 头，保持行为一致
-		if profile.HasVersion {
-			req.Header.Set("Version", fmt.Sprintf("%d.%d.%d", profile.Version.major, profile.Version.minor, profile.Version.patch))
-		}
+		version = codexVersionFromProfile(profile, strings.TrimSpace(deviceCfg.PackageVersion))
 	} else {
-		// 每个账号使用确定性的 ClientProfile（UA + Version），模拟真实用户多样性
-		profile := ProfileForAccount(account.ID())
-		req.Header.Set("User-Agent", profile.UserAgent)
-		req.Header.Set("Version", profile.Version)
+		clientProfile := ProfileForAccount(account.ID())
+		req.Header.Set("User-Agent", clientProfile.UserAgent)
+		version = clientProfile.Version
 	}
 
 	req.Header.Set("Authorization", "Bearer "+accessToken)
 	req.Header.Set("Content-Type", "application/json")
 	req.Header.Set("Accept", "text/event-stream")
-	req.Header.Set("Originator", Originator)
 	req.Header.Set("Connection", "Keep-Alive")
+	if version != "" {
+		req.Header.Set("Version", version)
+	}
+	if originator := strings.TrimSpace(downstreamHeaders.Get("Originator")); originator != "" {
+		req.Header.Set("Originator", originator)
+	} else {
+		req.Header.Set("Originator", Originator)
+	}
 	if accountID != "" {
 		req.Header.Set("Chatgpt-Account-Id", accountID)
 	}
-
-	// Session/Conversation 头（用于 prompt cache 绑定）
-	// 参考 CLIProxyAPI: req.Header.Set("Conversation_id", cache.ID)
-	// 参考 sub2api: headers.Set("session_id", sessionResolution.SessionID)
 	if cacheKey != "" {
 		req.Header.Set("Session_id", cacheKey)
-		req.Header.Set("Conversation_id", cacheKey)
+		req.Header.Del("Conversation_id")
 	}
-
-	// 获取连接池 HTTP 客户端（账号级隔离，复用 TCP/TLS 连接）
-	client := getPooledClient(account, proxyURL)
-
-	resp, err := client.Do(req)
-	if err != nil {
-		if shouldRecyclePooledClient(err) {
-			recyclePooledClient(account, proxyURL)
-		}
-		return nil, ErrUpstream(0, "请求上游失败", err)
-	}
-
-	return resp, nil
 }
 
 // ResolveSessionID 从下游请求提取或生成 session ID
-// 优先级（参考 sub2api）：
-//  1. Header: session_id
-//  2. Header: conversation_id
-//  3. Body:   prompt_cache_key
-//  4. 基于 Bearer API Key 的确定性 UUID（参考 CLIProxyAPI）
-func ResolveSessionID(authHeader string, body []byte) string {
-	// 此函数由 handler 调用，将 gin.Context 的 header 传进来
-
+// 优先级：
+//  1. Header: Session_id
+//  2. Header: Conversation_id
+//  3. Header: Idempotency-Key
+//  4. Body:   prompt_cache_key
+//  5. 基于 Bearer API Key 的确定性 UUID
+func ResolveSessionID(headers http.Header, body []byte) string {
+	if headers != nil {
+		if v := strings.TrimSpace(headers.Get("Session_id")); v != "" {
+			return v
+		}
+		if v := strings.TrimSpace(headers.Get("Conversation_id")); v != "" {
+			return v
+		}
+		if v := strings.TrimSpace(headers.Get("Idempotency-Key")); v != "" {
+			return v
+		}
+	}
 	// 优先从 body 的 prompt_cache_key 提取
 	if v := strings.TrimSpace(gjson.GetBytes(body, "prompt_cache_key").String()); v != "" {
 		return v
 	}
 
 	// 基于下游用户的 API Key 生成确定性 cache key（参考 CLIProxyAPI codex_executor.go:621）
+	authHeader := ""
+	if headers != nil {
+		authHeader = headers.Get("Authorization")
+	}
 	apiKey := strings.TrimPrefix(authHeader, "Bearer ")
 	apiKey = strings.TrimSpace(apiKey)
 	if apiKey != "" {

proxy/executor_test.go

@@ -3,8 +3,11 @@ package proxy
 import (
 	"context"
 	"errors"
+	"net/http"
 	"strings"
 	"testing"
+
+	"github.com/codex2api/auth"
 )
 
 func TestReadSSEStream_MergesMultilineData(t *testing.T) {
@@ -140,3 +143,73 @@ func TestShouldTransparentRetryStream(t *testing.T) {
 		t.Fatal("expected retry to stop when downstream context is canceled")
 	}
 }
+
+func TestApplyCodexRequestHeadersUsesSessionIDWithoutConversationID(t *testing.T) {
+	req, err := http.NewRequest(http.MethodPost, "https://example.com/v1/responses", nil)
+	if err != nil {
+		t.Fatalf("http.NewRequest() error = %v", err)
+	}
+
+	acc := &auth.Account{
+		DBID:      42,
+		AccountID: "acct-42",
+	}
+	cfg := &DeviceProfileConfig{
+		UserAgent:              "codex_cli_rs/0.120.0 (Mac OS 15.5.0; arm64) Apple_Terminal/464",
+		PackageVersion:         "0.120.0",
+		RuntimeVersion:         "0.120.0",
+		OS:                     "MacOS",
+		Arch:                   "arm64",
+		StabilizeDeviceProfile: true,
+	}
+	downstreamHeaders := http.Header{
+		"Originator": []string{"custom-originator"},
+	}
+
+	applyCodexRequestHeaders(req, acc, "token-123", "cache-key-1", "api-key-1", cfg, downstreamHeaders)
+
+	if got := req.Header.Get("Authorization"); got != "Bearer token-123" {
+		t.Fatalf("Authorization = %q", got)
+	}
+	if got := req.Header.Get("Session_id"); got != "cache-key-1" {
+		t.Fatalf("Session_id = %q", got)
+	}
+	if got := req.Header.Get("Conversation_id"); got != "" {
+		t.Fatalf("Conversation_id = %q, want empty", got)
+	}
+	if got := req.Header.Get("User-Agent"); got != cfg.UserAgent {
+		t.Fatalf("User-Agent = %q", got)
+	}
+	if got := req.Header.Get("Version"); got != "0.120.0" {
+		t.Fatalf("Version = %q", got)
+	}
+	if got := req.Header.Get("Originator"); got != "custom-originator" {
+		t.Fatalf("Originator = %q", got)
+	}
+	if got := req.Header.Get("Chatgpt-Account-Id"); got != "acct-42" {
+		t.Fatalf("Chatgpt-Account-Id = %q", got)
+	}
+}
+
+func TestResolveSessionIDPrefersContinuityHeaders(t *testing.T) {
+	headers := http.Header{
+		"Session_id":      []string{"session-from-header"},
+		"Conversation_id": []string{"conversation-from-header"},
+		"Authorization":   []string{"Bearer sk-test-123"},
+	}
+
+	if got := ResolveSessionID(headers, []byte(`{"prompt_cache_key":"body-key"}`)); got != "session-from-header" {
+		t.Fatalf("ResolveSessionID() = %q, want %q", got, "session-from-header")
+	}
+
+	headers.Del("Session_id")
+	if got := ResolveSessionID(headers, []byte(`{"prompt_cache_key":"body-key"}`)); got != "conversation-from-header" {
+		t.Fatalf("ResolveSessionID() = %q, want %q", got, "conversation-from-header")
+	}
+
+	headers.Del("Conversation_id")
+	headers.Set("Idempotency-Key", "idempotency-key-1")
+	if got := ResolveSessionID(headers, []byte(`{"prompt_cache_key":"body-key"}`)); got != "idempotency-key-1" {
+		t.Fatalf("ResolveSessionID() = %q, want %q", got, "idempotency-key-1")
+	}
+}

proxy/handler.go

@@ -426,7 +426,7 @@ func (h *Handler) Responses(c *gin.Context) {
 
 	rawBody = normalizeServiceTierField(rawBody)
 	isStream := gjson.GetBytes(rawBody, "stream").Bool()
-	sessionID := ResolveSessionID(c.GetHeader("Authorization"), rawBody)
+	sessionID := ResolveSessionID(c.Request.Header, rawBody)
 	reasoningEffort := extractReasoningEffort(rawBody)
 	serviceTier := extractServiceTier(rawBody)
 	if serviceTier != "" {
@@ -798,7 +798,7 @@ func (h *Handler) ChatCompletions(c *gin.Context) {
 		return
 	}
 
-	sessionID := ResolveSessionID(c.GetHeader("Authorization"), codexBody)
+	sessionID := ResolveSessionID(c.Request.Header, codexBody)
 
 	// 3. 带重试的上游请求
 	maxRetries := h.getMaxRetries()

proxy/handler_anthropic.go

@@ -109,7 +109,7 @@ func (h *Handler) Messages(c *gin.Context) {
 
 	// 提取 reasoning effort（从翻译后的 codex body 中）
 	reasoningEffort := extractReasoningEffort(codexBody)
-	sessionID := ResolveSessionID(c.GetHeader("Authorization"), codexBody)
+	sessionID := ResolveSessionID(c.Request.Header, codexBody)
 
 	// 3. 带重试的上游请求
 	maxRetries := h.getMaxRetries()
@@ -424,4 +424,3 @@ func (h *Handler) Messages(c *gin.Context) {
 		sendAnthropicError(c, lastStatusCode, errType, fmt.Sprintf("Upstream returned status %d", lastStatusCode))
 	}
 }
-