ccm/ocm: Make detour per-credential

Author: nekohasekai

docs/configuration/service/ccm.md

@@ -59,7 +59,7 @@ Conflict with `credentials`.
 
 List of credential configurations for multi-credential mode.
 
-When set, top-level `credential_path` and `usages_path` are forbidden. Each user must specify a `credential` tag.
+When set, top-level `credential_path`, `usages_path`, and `detour` are forbidden. Each user must specify a `credential` tag.
 
 Each credential has a `type` field (`default`, `balancer`, or `fallback`) and a required `tag` field.
 
@@ -70,6 +70,7 @@ Each credential has a `type` field (`default`, `balancer`, or `fallback`) and a
   "tag": "a",
   "credential_path": "/path/to/.credentials.json",
   "usages_path": "/path/to/usages.json",
+  "detour": "",
   "reserve_5h": 20,
   "reserve_weekly": 20
 }
@@ -79,6 +80,7 @@ A single OAuth credential file. The `type` field can be omitted (defaults to `de
 
 - `credential_path`: Path to the credentials file. Same defaults as top-level `credential_path`.
 - `usages_path`: Optional usage tracking file for this credential.
+- `detour`: Outbound tag for connecting to the Claude API with this credential.
 - `reserve_5h`: Reserve threshold (1-99) for 5-hour window. Credential pauses at (100-N)% utilization.
 - `reserve_weekly`: Reserve threshold (1-99) for weekly window. Credential pauses at (100-N)% utilization.
 
@@ -163,6 +165,8 @@ These headers will override any existing headers with the same name.
 
 Outbound tag for connecting to the Claude API.
 
+Conflict with `credentials`. In multi-credential mode, use `detour` on individual default credentials.
+
 #### tls
 
 TLS configuration, see [TLS](/configuration/shared/tls/#inbound).

docs/configuration/service/ccm.zh.md

@@ -59,7 +59,7 @@ Claude Code OAuth 凭据文件的路径。
 
 多凭据模式的凭据配置列表。
 
-设置后，顶层 `credential_path` 和 `usages_path` 被禁止。每个用户必须指定 `credential` 标签。
+设置后，顶层 `credential_path`、`usages_path` 和 `detour` 被禁止。每个用户必须指定 `credential` 标签。
 
 每个凭据有一个 `type` 字段（`default`、`balancer` 或 `fallback`）和一个必填的 `tag` 字段。
 
@@ -70,6 +70,7 @@ Claude Code OAuth 凭据文件的路径。
   "tag": "a",
   "credential_path": "/path/to/.credentials.json",
   "usages_path": "/path/to/usages.json",
+  "detour": "",
   "reserve_5h": 20,
   "reserve_weekly": 20
 }
@@ -79,6 +80,7 @@ Claude Code OAuth 凭据文件的路径。
 
 - `credential_path`：凭据文件的路径。默认值与顶层 `credential_path` 相同。
 - `usages_path`：此凭据的可选使用跟踪文件。
+- `detour`：此凭据用于连接 Claude API 的出站标签。
 - `reserve_5h`：5 小时窗口的保留阈值（1-99）。凭据在利用率达到 (100-N)% 时暂停。
 - `reserve_weekly`：每周窗口的保留阈值（1-99）。凭据在利用率达到 (100-N)% 时暂停。
 
@@ -163,6 +165,8 @@ Claude Code OAuth 凭据文件的路径。
 
 用于连接 Claude API 的出站标签。
 
+与 `credentials` 冲突。在多凭据模式下，在各个默认凭据上使用 `detour`。
+
 #### tls
 
 TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

docs/configuration/service/ocm.md

@@ -57,7 +57,7 @@ Conflict with `credentials`.
 
 List of credential configurations for multi-credential mode.
 
-When set, top-level `credential_path` and `usages_path` are forbidden. Each user must specify a `credential` tag.
+When set, top-level `credential_path`, `usages_path`, and `detour` are forbidden. Each user must specify a `credential` tag.
 
 Each credential has a `type` field (`default`, `balancer`, or `fallback`) and a required `tag` field.
 
@@ -68,6 +68,7 @@ Each credential has a `type` field (`default`, `balancer`, or `fallback`) and a
   "tag": "a",
   "credential_path": "/path/to/auth.json",
   "usages_path": "/path/to/usages.json",
+  "detour": "",
   "reserve_5h": 20,
   "reserve_weekly": 20
 }
@@ -77,6 +78,7 @@ A single OAuth credential file. The `type` field can be omitted (defaults to `de
 
 - `credential_path`: Path to the credentials file. Same defaults as top-level `credential_path`.
 - `usages_path`: Optional usage tracking file for this credential.
+- `detour`: Outbound tag for connecting to the OpenAI API with this credential.
 - `reserve_5h`: Reserve threshold (1-99) for primary rate limit window. Credential pauses at (100-N)% utilization.
 - `reserve_weekly`: Reserve threshold (1-99) for secondary (weekly) rate limit window. Credential pauses at (100-N)% utilization.
 
@@ -161,6 +163,8 @@ These headers will override any existing headers with the same name.
 
 Outbound tag for connecting to the OpenAI API.
 
+Conflict with `credentials`. In multi-credential mode, use `detour` on individual default credentials.
+
 #### tls
 
 TLS configuration, see [TLS](/configuration/shared/tls/#inbound).

docs/configuration/service/ocm.zh.md

@@ -57,7 +57,7 @@ OpenAI OAuth 凭据文件的路径。
 
 多凭据模式的凭据配置列表。
 
-设置后，顶层 `credential_path` 和 `usages_path` 被禁止。每个用户必须指定 `credential` 标签。
+设置后，顶层 `credential_path`、`usages_path` 和 `detour` 被禁止。每个用户必须指定 `credential` 标签。
 
 每个凭据有一个 `type` 字段（`default`、`balancer` 或 `fallback`）和一个必填的 `tag` 字段。
 
@@ -68,6 +68,7 @@ OpenAI OAuth 凭据文件的路径。
   "tag": "a",
   "credential_path": "/path/to/auth.json",
   "usages_path": "/path/to/usages.json",
+  "detour": "",
   "reserve_5h": 20,
   "reserve_weekly": 20
 }
@@ -77,6 +78,7 @@ OpenAI OAuth 凭据文件的路径。
 
 - `credential_path`：凭据文件的路径。默认值与顶层 `credential_path` 相同。
 - `usages_path`：此凭据的可选使用跟踪文件。
+- `detour`：此凭据用于连接 OpenAI API 的出站标签。
 - `reserve_5h`：主要速率限制窗口的保留阈值（1-99）。凭据在利用率达到 (100-N)% 时暂停。
 - `reserve_weekly`：次要（每周）速率限制窗口的保留阈值（1-99）。凭据在利用率达到 (100-N)% 时暂停。
 
@@ -161,6 +163,8 @@ OpenAI OAuth 凭据文件的路径。
 
 用于连接 OpenAI API 的出站标签。
 
+与 `credentials` 冲突。在多凭据模式下，在各个默认凭据上使用 `detour`。
+
 #### tls
 
 TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

option/ccm.go

@@ -76,6 +76,7 @@ func (c *CCMCredential) UnmarshalJSON(bytes []byte) error {
 type CCMDefaultCredentialOptions struct {
 	CredentialPath string `json:"credential_path,omitempty"`
 	UsagesPath     string `json:"usages_path,omitempty"`
+	Detour         string `json:"detour,omitempty"`
 	Reserve5h      uint8  `json:"reserve_5h,omitempty"`
 	ReserveWeekly  uint8  `json:"reserve_weekly,omitempty"`
 }

option/ocm.go

@@ -76,6 +76,7 @@ func (c *OCMCredential) UnmarshalJSON(bytes []byte) error {
 type OCMDefaultCredentialOptions struct {
 	CredentialPath string `json:"credential_path,omitempty"`
 	UsagesPath     string `json:"usages_path,omitempty"`
+	Detour         string `json:"detour,omitempty"`
 	Reserve5h      uint8  `json:"reserve_5h,omitempty"`
 	ReserveWeekly  uint8  `json:"reserve_weekly,omitempty"`
 }

service/ccm/credential_state.go

@@ -3,17 +3,23 @@ package ccm
 import (
 	"bytes"
 	"context"
+	stdTLS "crypto/tls"
 	"encoding/json"
 	"io"
+	"net"
 	"net/http"
 	"strconv"
 	"strings"
 	"sync"
 	"time"
 
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/dialer"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+	"github.com/sagernet/sing/common/ntp"
 )
 
 const defaultPollInterval = 60 * time.Second
@@ -44,7 +50,29 @@ type defaultCredential struct {
 	logger         log.ContextLogger
 }
 
-func newDefaultCredential(tag string, options option.CCMDefaultCredentialOptions, httpClient *http.Client, logger log.ContextLogger) *defaultCredential {
+func newDefaultCredential(ctx context.Context, tag string, options option.CCMDefaultCredentialOptions, logger log.ContextLogger) (*defaultCredential, error) {
+	credentialDialer, err := dialer.NewWithOptions(dialer.Options{
+		Context: ctx,
+		Options: option.DialerOptions{
+			Detour: options.Detour,
+		},
+		RemoteIsDomain: true,
+	})
+	if err != nil {
+		return nil, E.Cause(err, "create dialer for credential ", tag)
+	}
+	httpClient := &http.Client{
+		Transport: &http.Transport{
+			ForceAttemptHTTP2: true,
+			TLSClientConfig: &stdTLS.Config{
+				RootCAs: adapter.RootPoolFromContext(ctx),
+				Time:    ntp.TimeFuncFromContext(ctx),
+			},
+			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+				return credentialDialer.DialContext(ctx, network, M.ParseSocksaddr(addr))
+			},
+		},
+	}
 	credential := &defaultCredential{
 		tag:            tag,
 		credentialPath: options.CredentialPath,
@@ -61,7 +89,7 @@ func newDefaultCredential(tag string, options option.CCMDefaultCredentialOptions
 			logger:       logger,
 		}
 	}
-	return credential
+	return credential, nil
 }
 
 func (c *defaultCredential) start() error {
@@ -244,6 +272,7 @@ func (c *defaultCredential) pollUsage(ctx context.Context) {
 	}
 	request.Header.Set("Authorization", "Bearer "+accessToken)
 	request.Header.Set("Content-Type", "application/json")
+	request.Header.Set("anthropic-beta", anthropicBetaOAuthValue)
 
 	httpClient := &http.Client{
 		Transport: c.httpClient.Transport,
@@ -264,12 +293,12 @@ func (c *defaultCredential) pollUsage(ctx context.Context) {
 
 	var usageResponse struct {
 		FiveHour struct {
-			Utilization float64 `json:"utilization"`
-			ResetsAt    int64   `json:"resets_at"`
+			Utilization float64     `json:"utilization"`
+			ResetsAt    json.Number `json:"resets_at"`
 		} `json:"five_hour"`
 		SevenDay struct {
-			Utilization float64 `json:"utilization"`
-			ResetsAt    int64   `json:"resets_at"`
+			Utilization float64     `json:"utilization"`
+			ResetsAt    json.Number `json:"resets_at"`
 		} `json:"seven_day"`
 	}
 	err = json.NewDecoder(response.Body).Decode(&usageResponse)
@@ -281,12 +310,14 @@ func (c *defaultCredential) pollUsage(ctx context.Context) {
 	c.stateMutex.Lock()
 	defer c.stateMutex.Unlock()
 	c.state.fiveHourUtilization = usageResponse.FiveHour.Utilization * 100
-	if usageResponse.FiveHour.ResetsAt > 0 {
-		c.state.fiveHourReset = time.Unix(usageResponse.FiveHour.ResetsAt, 0)
+	fiveHourReset, _ := usageResponse.FiveHour.ResetsAt.Int64()
+	if fiveHourReset > 0 {
+		c.state.fiveHourReset = time.Unix(fiveHourReset, 0)
 	}
 	c.state.weeklyUtilization = usageResponse.SevenDay.Utilization * 100
-	if usageResponse.SevenDay.ResetsAt > 0 {
-		c.state.weeklyReset = time.Unix(usageResponse.SevenDay.ResetsAt, 0)
+	weeklyReset, _ := usageResponse.SevenDay.ResetsAt.Int64()
+	if weeklyReset > 0 {
+		c.state.weeklyReset = time.Unix(weeklyReset, 0)
 	}
 	if c.state.hardRateLimited && time.Now().After(c.state.rateLimitResetAt) {
 		c.state.hardRateLimited = false
@@ -548,8 +579,8 @@ func extractCCMSessionID(bodyBytes []byte) string {
 }
 
 func buildCredentialProviders(
+	ctx context.Context,
 	options option.CCMServiceOptions,
-	httpClient *http.Client,
 	logger log.ContextLogger,
 ) (map[string]credentialProvider, []*defaultCredential, error) {
 	defaultCredentials := make(map[string]*defaultCredential)
@@ -559,7 +590,10 @@ func buildCredentialProviders(
 	for _, credOpt := range options.Credentials {
 		switch credOpt.Type {
 		case "default":
-			credential := newDefaultCredential(credOpt.Tag, credOpt.DefaultOptions, httpClient, logger)
+			credential, err := newDefaultCredential(ctx, credOpt.Tag, credOpt.DefaultOptions, logger)
+			if err != nil {
+				return nil, nil, err
+			}
 			defaultCredentials[credOpt.Tag] = credential
 			allDefaults = append(allDefaults, credential)
 			providers[credOpt.Tag] = &singleCredentialProvider{credential: credential}
@@ -645,13 +679,17 @@ func validateCCMOptions(options option.CCMServiceOptions) error {
 	hasCredentials := len(options.Credentials) > 0
 	hasLegacyPath := options.CredentialPath != ""
 	hasLegacyUsages := options.UsagesPath != ""
+	hasLegacyDetour := options.Detour != ""
 
 	if hasCredentials && hasLegacyPath {
 		return E.New("credential_path and credentials are mutually exclusive")
 	}
 	if hasCredentials && hasLegacyUsages {
 		return E.New("usages_path and credentials are mutually exclusive; use usages_path on individual credentials")
 	}
+	if hasCredentials && hasLegacyDetour {
+		return E.New("detour and credentials are mutually exclusive; use detour on individual credentials")
+	}
 
 	if hasCredentials {
 		tags := make(map[string]bool)
@@ -685,7 +723,6 @@ func validateCCMOptions(options option.CCMServiceOptions) error {
 
 // retryRequestWithBody re-sends a buffered request body using a different credential.
 func retryRequestWithBody(
-	httpClient *http.Client,
 	originalRequest *http.Request,
 	bodyBytes []byte,
 	credential *defaultCredential,
@@ -726,7 +763,7 @@ func retryRequestWithBody(
 	}
 	retryRequest.Header.Set("Authorization", "Bearer "+accessToken)
 
-	return httpClient.Do(retryRequest)
+	return credential.httpClient.Do(retryRequest)
 }
 
 // credentialForUser finds the credential provider for a user.