ccm/ocm: Make detour per-credential

Author: nekohasekai

docs/configuration/service/ccm.md

@@ -59,7 +59,7 @@ Conflict with `credentials`.
 
 List of credential configurations for multi-credential mode.
 
-When set, top-level `credential_path` and `usages_path` are forbidden. Each user must specify a `credential` tag.
+When set, top-level `credential_path`, `usages_path`, and `detour` are forbidden. Each user must specify a `credential` tag.
 
 Each credential has a `type` field (`default`, `balancer`, or `fallback`) and a required `tag` field.
 
@@ -70,6 +70,7 @@ Each credential has a `type` field (`default`, `balancer`, or `fallback`) and a
   "tag": "a",
   "credential_path": "/path/to/.credentials.json",
   "usages_path": "/path/to/usages.json",
+  "detour": "",
   "reserve_5h": 20,
   "reserve_weekly": 20
 }
@@ -79,6 +80,7 @@ A single OAuth credential file. The `type` field can be omitted (defaults to `de
 
 - `credential_path`: Path to the credentials file. Same defaults as top-level `credential_path`.
 - `usages_path`: Optional usage tracking file for this credential.
+- `detour`: Outbound tag for connecting to the Claude API with this credential.
 - `reserve_5h`: Reserve threshold (1-99) for 5-hour window. Credential pauses at (100-N)% utilization.
 - `reserve_weekly`: Reserve threshold (1-99) for weekly window. Credential pauses at (100-N)% utilization.
 
@@ -163,6 +165,8 @@ These headers will override any existing headers with the same name.
 
 Outbound tag for connecting to the Claude API.
 
+Conflict with `credentials`. In multi-credential mode, use `detour` on individual default credentials.
+
 #### tls
 
 TLS configuration, see [TLS](/configuration/shared/tls/#inbound).

docs/configuration/service/ccm.zh.md

@@ -59,7 +59,7 @@ Claude Code OAuth 凭据文件的路径。
 
 多凭据模式的凭据配置列表。
 
-设置后，顶层 `credential_path` 和 `usages_path` 被禁止。每个用户必须指定 `credential` 标签。
+设置后，顶层 `credential_path`、`usages_path` 和 `detour` 被禁止。每个用户必须指定 `credential` 标签。
 
 每个凭据有一个 `type` 字段（`default`、`balancer` 或 `fallback`）和一个必填的 `tag` 字段。
 
@@ -70,6 +70,7 @@ Claude Code OAuth 凭据文件的路径。
   "tag": "a",
   "credential_path": "/path/to/.credentials.json",
   "usages_path": "/path/to/usages.json",
+  "detour": "",
   "reserve_5h": 20,
   "reserve_weekly": 20
 }
@@ -79,6 +80,7 @@ Claude Code OAuth 凭据文件的路径。
 
 - `credential_path`：凭据文件的路径。默认值与顶层 `credential_path` 相同。
 - `usages_path`：此凭据的可选使用跟踪文件。
+- `detour`：此凭据用于连接 Claude API 的出站标签。
 - `reserve_5h`：5 小时窗口的保留阈值（1-99）。凭据在利用率达到 (100-N)% 时暂停。
 - `reserve_weekly`：每周窗口的保留阈值（1-99）。凭据在利用率达到 (100-N)% 时暂停。
 
@@ -163,6 +165,8 @@ Claude Code OAuth 凭据文件的路径。
 
 用于连接 Claude API 的出站标签。
 
+与 `credentials` 冲突。在多凭据模式下，在各个默认凭据上使用 `detour`。
+
 #### tls
 
 TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

docs/configuration/service/ocm.md

@@ -57,7 +57,7 @@ Conflict with `credentials`.
 
 List of credential configurations for multi-credential mode.
 
-When set, top-level `credential_path` and `usages_path` are forbidden. Each user must specify a `credential` tag.
+When set, top-level `credential_path`, `usages_path`, and `detour` are forbidden. Each user must specify a `credential` tag.
 
 Each credential has a `type` field (`default`, `balancer`, or `fallback`) and a required `tag` field.
 
@@ -68,6 +68,7 @@ Each credential has a `type` field (`default`, `balancer`, or `fallback`) and a
   "tag": "a",
   "credential_path": "/path/to/auth.json",
   "usages_path": "/path/to/usages.json",
+  "detour": "",
   "reserve_5h": 20,
   "reserve_weekly": 20
 }
@@ -77,6 +78,7 @@ A single OAuth credential file. The `type` field can be omitted (defaults to `de
 
 - `credential_path`: Path to the credentials file. Same defaults as top-level `credential_path`.
 - `usages_path`: Optional usage tracking file for this credential.
+- `detour`: Outbound tag for connecting to the OpenAI API with this credential.
 - `reserve_5h`: Reserve threshold (1-99) for primary rate limit window. Credential pauses at (100-N)% utilization.
 - `reserve_weekly`: Reserve threshold (1-99) for secondary (weekly) rate limit window. Credential pauses at (100-N)% utilization.
 
@@ -161,6 +163,8 @@ These headers will override any existing headers with the same name.
 
 Outbound tag for connecting to the OpenAI API.
 
+Conflict with `credentials`. In multi-credential mode, use `detour` on individual default credentials.
+
 #### tls
 
 TLS configuration, see [TLS](/configuration/shared/tls/#inbound).

docs/configuration/service/ocm.zh.md

@@ -57,7 +57,7 @@ OpenAI OAuth 凭据文件的路径。
 
 多凭据模式的凭据配置列表。
 
-设置后，顶层 `credential_path` 和 `usages_path` 被禁止。每个用户必须指定 `credential` 标签。
+设置后，顶层 `credential_path`、`usages_path` 和 `detour` 被禁止。每个用户必须指定 `credential` 标签。
 
 每个凭据有一个 `type` 字段（`default`、`balancer` 或 `fallback`）和一个必填的 `tag` 字段。
 
@@ -68,6 +68,7 @@ OpenAI OAuth 凭据文件的路径。
   "tag": "a",
   "credential_path": "/path/to/auth.json",
   "usages_path": "/path/to/usages.json",
+  "detour": "",
   "reserve_5h": 20,
   "reserve_weekly": 20
 }
@@ -77,6 +78,7 @@ OpenAI OAuth 凭据文件的路径。
 
 - `credential_path`：凭据文件的路径。默认值与顶层 `credential_path` 相同。
 - `usages_path`：此凭据的可选使用跟踪文件。
+- `detour`：此凭据用于连接 OpenAI API 的出站标签。
 - `reserve_5h`：主要速率限制窗口的保留阈值（1-99）。凭据在利用率达到 (100-N)% 时暂停。
 - `reserve_weekly`：次要（每周）速率限制窗口的保留阈值（1-99）。凭据在利用率达到 (100-N)% 时暂停。
 
@@ -161,6 +163,8 @@ OpenAI OAuth 凭据文件的路径。
 
 用于连接 OpenAI API 的出站标签。
 
+与 `credentials` 冲突。在多凭据模式下，在各个默认凭据上使用 `detour`。
+
 #### tls
 
 TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

option/ccm.go

@@ -76,6 +76,7 @@ func (c *CCMCredential) UnmarshalJSON(bytes []byte) error {
 type CCMDefaultCredentialOptions struct {
 	CredentialPath string `json:"credential_path,omitempty"`
 	UsagesPath     string `json:"usages_path,omitempty"`
+	Detour         string `json:"detour,omitempty"`
 	Reserve5h      uint8  `json:"reserve_5h,omitempty"`
 	ReserveWeekly  uint8  `json:"reserve_weekly,omitempty"`
 }

option/ocm.go

@@ -76,6 +76,7 @@ func (c *OCMCredential) UnmarshalJSON(bytes []byte) error {
 type OCMDefaultCredentialOptions struct {
 	CredentialPath string `json:"credential_path,omitempty"`
 	UsagesPath     string `json:"usages_path,omitempty"`
+	Detour         string `json:"detour,omitempty"`
 	Reserve5h      uint8  `json:"reserve_5h,omitempty"`
 	ReserveWeekly  uint8  `json:"reserve_weekly,omitempty"`
 }

service/ccm/credential_state.go

@@ -3,17 +3,23 @@ package ccm
 import (
 	"bytes"
 	"context"
+	stdTLS "crypto/tls"
 	"encoding/json"
 	"io"
+	"net"
 	"net/http"
 	"strconv"
 	"strings"
 	"sync"
 	"time"
 
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/dialer"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+	"github.com/sagernet/sing/common/ntp"
 )
 
 const defaultPollInterval = 60 * time.Second
@@ -44,7 +50,29 @@ type defaultCredential struct {
 	logger         log.ContextLogger
 }
 
-func newDefaultCredential(tag string, options option.CCMDefaultCredentialOptions, httpClient *http.Client, logger log.ContextLogger) *defaultCredential {
+func newDefaultCredential(ctx context.Context, tag string, options option.CCMDefaultCredentialOptions, logger log.ContextLogger) (*defaultCredential, error) {
+	credentialDialer, err := dialer.NewWithOptions(dialer.Options{
+		Context: ctx,
+		Options: option.DialerOptions{
+			Detour: options.Detour,
+		},
+		RemoteIsDomain: true,
+	})
+	if err != nil {
+		return nil, E.Cause(err, "create dialer for credential ", tag)
+	}
+	httpClient := &http.Client{
+		Transport: &http.Transport{
+			ForceAttemptHTTP2: true,
+			TLSClientConfig: &stdTLS.Config{
+				RootCAs: adapter.RootPoolFromContext(ctx),
+				Time:    ntp.TimeFuncFromContext(ctx),
+			},
+			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+				return credentialDialer.DialContext(ctx, network, M.ParseSocksaddr(addr))
+			},
+		},
+	}
 	credential := &defaultCredential{
 		tag:            tag,
 		credentialPath: options.CredentialPath,
@@ -61,7 +89,7 @@ func newDefaultCredential(tag string, options option.CCMDefaultCredentialOptions
 			logger:       logger,
 		}
 	}
-	return credential
+	return credential, nil
 }
 
 func (c *defaultCredential) start() error {
@@ -548,8 +576,8 @@ func extractCCMSessionID(bodyBytes []byte) string {
 }
 
 func buildCredentialProviders(
+	ctx context.Context,
 	options option.CCMServiceOptions,
-	httpClient *http.Client,
 	logger log.ContextLogger,
 ) (map[string]credentialProvider, []*defaultCredential, error) {
 	defaultCredentials := make(map[string]*defaultCredential)
@@ -559,7 +587,10 @@ func buildCredentialProviders(
 	for _, credOpt := range options.Credentials {
 		switch credOpt.Type {
 		case "default":
-			credential := newDefaultCredential(credOpt.Tag, credOpt.DefaultOptions, httpClient, logger)
+			credential, err := newDefaultCredential(ctx, credOpt.Tag, credOpt.DefaultOptions, logger)
+			if err != nil {
+				return nil, nil, err
+			}
 			defaultCredentials[credOpt.Tag] = credential
 			allDefaults = append(allDefaults, credential)
 			providers[credOpt.Tag] = &singleCredentialProvider{credential: credential}
@@ -645,13 +676,17 @@ func validateCCMOptions(options option.CCMServiceOptions) error {
 	hasCredentials := len(options.Credentials) > 0
 	hasLegacyPath := options.CredentialPath != ""
 	hasLegacyUsages := options.UsagesPath != ""
+	hasLegacyDetour := options.Detour != ""
 
 	if hasCredentials && hasLegacyPath {
 		return E.New("credential_path and credentials are mutually exclusive")
 	}
 	if hasCredentials && hasLegacyUsages {
 		return E.New("usages_path and credentials are mutually exclusive; use usages_path on individual credentials")
 	}
+	if hasCredentials && hasLegacyDetour {
+		return E.New("detour and credentials are mutually exclusive; use detour on individual credentials")
+	}
 
 	if hasCredentials {
 		tags := make(map[string]bool)
@@ -685,7 +720,6 @@ func validateCCMOptions(options option.CCMServiceOptions) error {
 
 // retryRequestWithBody re-sends a buffered request body using a different credential.
 func retryRequestWithBody(
-	httpClient *http.Client,
 	originalRequest *http.Request,
 	bodyBytes []byte,
 	credential *defaultCredential,
@@ -726,7 +760,7 @@ func retryRequestWithBody(
 	}
 	retryRequest.Header.Set("Authorization", "Bearer "+accessToken)
 
-	return httpClient.Do(retryRequest)
+	return credential.httpClient.Do(retryRequest)
 }
 
 // credentialForUser finds the credential provider for a user.

service/ccm/service.go

@@ -3,12 +3,10 @@ package ccm
 import (
 	"bytes"
 	"context"
-	stdTLS "crypto/tls"
 	"encoding/json"
 	"errors"
 	"io"
 	"mime"
-	"net"
 	"net/http"
 	"strconv"
 	"strings"
@@ -17,7 +15,6 @@ import (
 
 	"github.com/sagernet/sing-box/adapter"
 	boxService "github.com/sagernet/sing-box/adapter/service"
-	"github.com/sagernet/sing-box/common/dialer"
 	"github.com/sagernet/sing-box/common/listener"
 	"github.com/sagernet/sing-box/common/tls"
 	C "github.com/sagernet/sing-box/constant"
@@ -26,9 +23,7 @@ import (
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/buf"
 	E "github.com/sagernet/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/common/ntp"
 	aTLS "github.com/sagernet/sing/common/tls"
 
 	"github.com/anthropics/anthropic-sdk-go"
@@ -114,7 +109,6 @@ type Service struct {
 	ctx           context.Context
 	logger        log.ContextLogger
 	options       option.CCMServiceOptions
-	httpClient    *http.Client
 	httpHeaders   http.Header
 	listener      *listener.Listener
 	tlsConfig     tls.ServerConfig
@@ -139,30 +133,6 @@ func NewService(ctx context.Context, logger log.ContextLogger, tag string, optio
 		return nil, E.Cause(err, "validate options")
 	}
 
-	serviceDialer, err := dialer.NewWithOptions(dialer.Options{
-		Context: ctx,
-		Options: option.DialerOptions{
-			Detour: options.Detour,
-		},
-		RemoteIsDomain: true,
-	})
-	if err != nil {
-		return nil, E.Cause(err, "create dialer")
-	}
-
-	httpClient := &http.Client{
-		Transport: &http.Transport{
-			ForceAttemptHTTP2: true,
-			TLSClientConfig: &stdTLS.Config{
-				RootCAs: adapter.RootPoolFromContext(ctx),
-				Time:    ntp.TimeFuncFromContext(ctx),
-			},
-			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
-				return serviceDialer.DialContext(ctx, network, M.ParseSocksaddr(addr))
-			},
-		},
-	}
-
 	userManager := &UserManager{
 		tokenMap: make(map[string]string),
 	}
@@ -172,7 +142,6 @@ func NewService(ctx context.Context, logger log.ContextLogger, tag string, optio
 		ctx:         ctx,
 		logger:      logger,
 		options:     options,
-		httpClient:  httpClient,
 		httpHeaders: options.Headers.Build(),
 		listener: listener.New(listener.Options{
 			Context: ctx,
@@ -184,7 +153,7 @@ func NewService(ctx context.Context, logger log.ContextLogger, tag string, optio
 	}
 
 	if len(options.Credentials) > 0 {
-		providers, allDefaults, err := buildCredentialProviders(options, httpClient, logger)
+		providers, allDefaults, err := buildCredentialProviders(ctx, options, logger)
 		if err != nil {
 			return nil, E.Cause(err, "build credential providers")
 		}
@@ -197,10 +166,14 @@ func NewService(ctx context.Context, logger log.ContextLogger, tag string, optio
 		}
 		service.userCredentialMap = userCredentialMap
 	} else {
-		credential := newDefaultCredential("default", option.CCMDefaultCredentialOptions{
+		credential, err := newDefaultCredential(ctx, "default", option.CCMDefaultCredentialOptions{
 			CredentialPath: options.CredentialPath,
 			UsagesPath:     options.UsagesPath,
-		}, httpClient, logger)
+			Detour:         options.Detour,
+		}, logger)
+		if err != nil {
+			return nil, err
+		}
 		service.legacyCredential = credential
 		service.legacyProvider = &singleCredentialProvider{credential: credential}
 		service.allDefaults = []*defaultCredential{credential}
@@ -402,7 +375,7 @@ func (s *Service) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 
 	proxyRequest.Header.Set("Authorization", "Bearer "+accessToken)
 
-	response, err := s.httpClient.Do(proxyRequest)
+	response, err := credential.httpClient.Do(proxyRequest)
 	if err != nil {
 		writeJSONError(w, r, http.StatusBadGateway, "api_error", err.Error())
 		return
@@ -417,7 +390,7 @@ func (s *Service) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		}
 		response.Body.Close()
 		s.logger.Info("retrying with credential ", nextCredential.tag, " after 429 from ", credential.tag)
-		retryResponse, retryErr := retryRequestWithBody(s.httpClient, r, bodyBytes, nextCredential, s.httpHeaders)
+		retryResponse, retryErr := retryRequestWithBody(r, bodyBytes, nextCredential, s.httpHeaders)
 		if retryErr != nil {
 			s.logger.Error("retry request: ", retryErr)
 			writeJSONError(w, r, http.StatusBadGateway, "api_error", retryErr.Error())