feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers

internal/pkg/tlsfingerprint/dialer_capture_test.go

@@ -0,0 +1,368 @@
+//go:build integration
+
+package tlsfingerprint
+
+import (
+	"context"
+	"encoding/json"
+	"io"
+	"net/http"
+	"os"
+	"strings"
+	"testing"
+	"time"
+
+	utls "github.com/refraction-networking/utls"
+)
+
+// CapturedFingerprint mirrors the Fingerprint struct from tls-fingerprint-web.
+// Used to deserialize the JSON response from the capture server.
+type CapturedFingerprint struct {
+	JA3Raw              string   `json:"ja3_raw"`
+	JA3Hash             string   `json:"ja3_hash"`
+	JA4                 string   `json:"ja4"`
+	HTTP2               string   `json:"http2"`
+	CipherSuites        []int    `json:"cipher_suites"`
+	Curves              []int    `json:"curves"`
+	PointFormats        []int    `json:"point_formats"`
+	Extensions          []int    `json:"extensions"`
+	SignatureAlgorithms []int    `json:"signature_algorithms"`
+	ALPNProtocols       []string `json:"alpn_protocols"`
+	SupportedVersions   []int    `json:"supported_versions"`
+	KeyShareGroups      []int    `json:"key_share_groups"`
+	PSKModes            []int    `json:"psk_modes"`
+	CompressCertAlgos   []int    `json:"compress_cert_algos"`
+	EnableGREASE        bool     `json:"enable_grease"`
+}
+
+// TestDialerAgainstCaptureServer connects to the tls-fingerprint-web capture server
+// and verifies that the dialer's TLS fingerprint matches the configured Profile.
+//
+// Default capture server: https://tls.sub2api.org:8090
+// Override with env: TLSFINGERPRINT_CAPTURE_URL=https://localhost:8443
+//
+// Run: go test -v -run TestDialerAgainstCaptureServer ./internal/pkg/tlsfingerprint/...
+func TestDialerAgainstCaptureServer(t *testing.T) {
+	captureURL := os.Getenv("TLSFINGERPRINT_CAPTURE_URL")
+	if captureURL == "" {
+		captureURL = "https://tls.sub2api.org:8090"
+	}
+
+	tests := []struct {
+		name    string
+		profile *Profile
+	}{
+		{
+			name: "default_profile",
+			profile: &Profile{
+				Name:         "default",
+				EnableGREASE: false,
+				// All empty → uses built-in defaults
+			},
+		},
+		{
+			name: "linux_x64_node_v22171",
+			profile: &Profile{
+				Name:                "linux_x64_node_v22171",
+				EnableGREASE:        false,
+				CipherSuites:        []uint16{4866, 4867, 4865, 49199, 49195, 49200, 49196, 158, 49191, 103, 49192, 107, 163, 159, 52393, 52392, 52394, 49327, 49325, 49315, 49311, 49245, 49249, 49239, 49235, 162, 49326, 49324, 49314, 49310, 49244, 49248, 49238, 49234, 49188, 106, 49187, 64, 49162, 49172, 57, 56, 49161, 49171, 51, 50, 157, 49313, 49309, 49233, 156, 49312, 49308, 49232, 61, 60, 53, 47, 255},
+				Curves:              []uint16{29, 23, 30, 25, 24, 256, 257, 258, 259, 260},
+				PointFormats:        []uint16{0, 1, 2},
+				SignatureAlgorithms: []uint16{0x0403, 0x0503, 0x0603, 0x0807, 0x0808, 0x0809, 0x080a, 0x080b, 0x0804, 0x0805, 0x0806, 0x0401, 0x0501, 0x0601, 0x0303, 0x0301, 0x0302, 0x0402, 0x0502, 0x0602},
+				ALPNProtocols:       []string{"http/1.1"},
+				SupportedVersions:   []uint16{0x0304, 0x0303},
+				KeyShareGroups:      []uint16{29},
+				PSKModes:            []uint16{1},
+				Extensions:          []uint16{0, 11, 10, 35, 16, 22, 23, 13, 43, 45, 51},
+			},
+		},
+		{
+			name: "macos_arm64_node_v2430",
+			profile: &Profile{
+				Name:                "MacOS_arm64_node_v2430",
+				EnableGREASE:        false,
+				CipherSuites:        []uint16{4865, 4866, 4867, 49195, 49199, 49196, 49200, 52393, 52392, 49161, 49171, 49162, 49172, 156, 157, 47, 53},
+				Curves:              []uint16{29, 23, 24},
+				PointFormats:        []uint16{0},
+				SignatureAlgorithms: []uint16{0x0403, 0x0804, 0x0401, 0x0503, 0x0805, 0x0501, 0x0806, 0x0601, 0x0201},
+				ALPNProtocols:       []string{"http/1.1"},
+				SupportedVersions:   []uint16{0x0304, 0x0303},
+				KeyShareGroups:      []uint16{29},
+				PSKModes:            []uint16{1},
+				Extensions:          []uint16{0, 65037, 23, 65281, 10, 11, 35, 16, 5, 13, 18, 51, 45, 43},
+			},
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			captured := fetchCapturedFingerprint(t, captureURL, tc.profile)
+			if captured == nil {
+				return
+			}
+
+			t.Logf("JA3 Hash: %s", captured.JA3Hash)
+			t.Logf("JA4:      %s", captured.JA4)
+
+			// Resolve effective profile values (what the dialer actually uses)
+			effectiveCipherSuites := tc.profile.CipherSuites
+			if len(effectiveCipherSuites) == 0 {
+				effectiveCipherSuites = defaultCipherSuites
+			}
+			effectiveCurves := tc.profile.Curves
+			if len(effectiveCurves) == 0 {
+				effectiveCurves = make([]uint16, len(defaultCurves))
+				for i, c := range defaultCurves {
+					effectiveCurves[i] = uint16(c)
+				}
+			}
+			effectivePointFormats := tc.profile.PointFormats
+			if len(effectivePointFormats) == 0 {
+				effectivePointFormats = defaultPointFormats
+			}
+			effectiveSigAlgs := tc.profile.SignatureAlgorithms
+			if len(effectiveSigAlgs) == 0 {
+				effectiveSigAlgs = make([]uint16, len(defaultSignatureAlgorithms))
+				for i, s := range defaultSignatureAlgorithms {
+					effectiveSigAlgs[i] = uint16(s)
+				}
+			}
+			effectiveALPN := tc.profile.ALPNProtocols
+			if len(effectiveALPN) == 0 {
+				effectiveALPN = []string{"http/1.1"}
+			}
+			effectiveVersions := tc.profile.SupportedVersions
+			if len(effectiveVersions) == 0 {
+				effectiveVersions = []uint16{0x0304, 0x0303}
+			}
+			effectiveKeyShare := tc.profile.KeyShareGroups
+			if len(effectiveKeyShare) == 0 {
+				effectiveKeyShare = []uint16{29} // X25519
+			}
+			effectivePSKModes := tc.profile.PSKModes
+			if len(effectivePSKModes) == 0 {
+				effectivePSKModes = []uint16{1} // psk_dhe_ke
+			}
+
+			// Verify each field
+			assertIntSliceEqual(t, "cipher_suites", uint16sToInts(effectiveCipherSuites), captured.CipherSuites)
+			assertIntSliceEqual(t, "curves", uint16sToInts(effectiveCurves), captured.Curves)
+			assertIntSliceEqual(t, "point_formats", uint16sToInts(effectivePointFormats), captured.PointFormats)
+			assertIntSliceEqual(t, "signature_algorithms", uint16sToInts(effectiveSigAlgs), captured.SignatureAlgorithms)
+			assertStringSliceEqual(t, "alpn_protocols", effectiveALPN, captured.ALPNProtocols)
+			assertIntSliceEqual(t, "supported_versions", uint16sToInts(effectiveVersions), captured.SupportedVersions)
+			assertIntSliceEqual(t, "key_share_groups", uint16sToInts(effectiveKeyShare), captured.KeyShareGroups)
+			assertIntSliceEqual(t, "psk_modes", uint16sToInts(effectivePSKModes), captured.PSKModes)
+
+			if captured.EnableGREASE != tc.profile.EnableGREASE {
+				t.Errorf("enable_grease: got %v, want %v", captured.EnableGREASE, tc.profile.EnableGREASE)
+			} else {
+				t.Logf("  enable_grease: %v OK", captured.EnableGREASE)
+			}
+
+			// Verify extension order
+			// Use profile.Extensions if set, otherwise the default order (Node.js 24.x)
+			expectedExtOrder := uint16sToInts(defaultExtensionOrder)
+			if len(tc.profile.Extensions) > 0 {
+				expectedExtOrder = uint16sToInts(tc.profile.Extensions)
+			}
+			// Strip GREASE values from both expected and captured for comparison
+			var filteredExpected, filteredActual []int
+			for _, e := range expectedExtOrder {
+				if !isGREASEValue(uint16(e)) {
+					filteredExpected = append(filteredExpected, e)
+				}
+			}
+			for _, e := range captured.Extensions {
+				if !isGREASEValue(uint16(e)) {
+					filteredActual = append(filteredActual, e)
+				}
+			}
+			assertIntSliceEqual(t, "extensions (order, non-GREASE)", filteredExpected, filteredActual)
+
+			// Print full captured data as JSON for debugging
+			capturedJSON, _ := json.MarshalIndent(captured, "  ", "  ")
+			t.Logf("Full captured fingerprint:\n  %s", string(capturedJSON))
+		})
+	}
+}
+
+func fetchCapturedFingerprint(t *testing.T, captureURL string, profile *Profile) *CapturedFingerprint {
+	t.Helper()
+
+	dialer := NewDialer(profile, nil)
+	client := &http.Client{
+		Transport: &http.Transport{
+			DialTLSContext: dialer.DialTLSContext,
+		},
+		Timeout: 10 * time.Second,
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
+	req, err := http.NewRequestWithContext(ctx, "POST", captureURL, strings.NewReader(`{"model":"test"}`))
+	if err != nil {
+		t.Fatalf("create request: %v", err)
+		return nil
+	}
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("Authorization", "Bearer test-token")
+
+	resp, err := client.Do(req)
+	if err != nil {
+		t.Fatalf("request failed: %v", err)
+		return nil
+	}
+	defer resp.Body.Close()
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		t.Fatalf("read body: %v", err)
+		return nil
+	}
+
+	var fp CapturedFingerprint
+	if err := json.Unmarshal(body, &fp); err != nil {
+		t.Logf("Response body: %s", string(body))
+		t.Fatalf("parse response: %v", err)
+		return nil
+	}
+
+	return &fp
+}
+
+func uint16sToInts(vals []uint16) []int {
+	result := make([]int, len(vals))
+	for i, v := range vals {
+		result[i] = int(v)
+	}
+	return result
+}
+
+func assertIntSliceEqual(t *testing.T, name string, expected, actual []int) {
+	t.Helper()
+	if len(expected) != len(actual) {
+		t.Errorf("%s: length mismatch: got %d, want %d", name, len(actual), len(expected))
+		if len(actual) < 20 && len(expected) < 20 {
+			t.Errorf("  got:  %v", actual)
+			t.Errorf("  want: %v", expected)
+		}
+		return
+	}
+	mismatches := 0
+	for i := range expected {
+		if expected[i] != actual[i] {
+			if mismatches < 5 {
+				t.Errorf("%s[%d]: got %d (0x%04x), want %d (0x%04x)", name, i, actual[i], actual[i], expected[i], expected[i])
+			}
+			mismatches++
+		}
+	}
+	if mismatches == 0 {
+		t.Logf("  %s: %d items OK", name, len(expected))
+	} else if mismatches > 5 {
+		t.Errorf("  %s: %d/%d mismatches (showing first 5)", name, mismatches, len(expected))
+	}
+}
+
+func assertStringSliceEqual(t *testing.T, name string, expected, actual []string) {
+	t.Helper()
+	if len(expected) != len(actual) {
+		t.Errorf("%s: length mismatch: got %d (%v), want %d (%v)", name, len(actual), actual, len(expected), expected)
+		return
+	}
+	for i := range expected {
+		if expected[i] != actual[i] {
+			t.Errorf("%s[%d]: got %q, want %q", name, i, actual[i], expected[i])
+			return
+		}
+	}
+	t.Logf("  %s: %v OK", name, expected)
+}
+
+// TestBuildClientHelloSpecNewFields tests that new Profile fields are correctly applied.
+func TestBuildClientHelloSpecNewFields(t *testing.T) {
+	// Test custom ALPN, versions, key shares, PSK modes
+	profile := &Profile{
+		Name:                "custom_full",
+		EnableGREASE:        false,
+		CipherSuites:        []uint16{0x1301, 0x1302},
+		Curves:              []uint16{29, 23},
+		PointFormats:        []uint16{0},
+		SignatureAlgorithms: []uint16{0x0403, 0x0804},
+		ALPNProtocols:       []string{"h2", "http/1.1"},
+		SupportedVersions:   []uint16{0x0304},
+		KeyShareGroups:      []uint16{29, 23},
+		PSKModes:            []uint16{1},
+	}
+
+	spec := buildClientHelloSpecFromProfile(profile)
+
+	// Verify cipher suites
+	if len(spec.CipherSuites) != 2 || spec.CipherSuites[0] != 0x1301 {
+		t.Errorf("cipher suites: got %v", spec.CipherSuites)
+	}
+
+	// Check extensions for expected values
+	var foundALPN, foundVersions, foundKeyShare, foundPSK, foundSigAlgs bool
+	for _, ext := range spec.Extensions {
+		switch e := ext.(type) {
+		case *utls.ALPNExtension:
+			foundALPN = true
+			if len(e.AlpnProtocols) != 2 || e.AlpnProtocols[0] != "h2" {
+				t.Errorf("ALPN: got %v, want [h2, http/1.1]", e.AlpnProtocols)
+			}
+		case *utls.SupportedVersionsExtension:
+			foundVersions = true
+			if len(e.Versions) != 1 || e.Versions[0] != 0x0304 {
+				t.Errorf("versions: got %v, want [0x0304]", e.Versions)
+			}
+		case *utls.KeyShareExtension:
+			foundKeyShare = true
+			if len(e.KeyShares) != 2 {
+				t.Errorf("key shares: got %d entries, want 2", len(e.KeyShares))
+			}
+		case *utls.PSKKeyExchangeModesExtension:
+			foundPSK = true
+			if len(e.Modes) != 1 || e.Modes[0] != 1 {
+				t.Errorf("PSK modes: got %v, want [1]", e.Modes)
+			}
+		case *utls.SignatureAlgorithmsExtension:
+			foundSigAlgs = true
+			if len(e.SupportedSignatureAlgorithms) != 2 {
+				t.Errorf("sig algs: got %d, want 2", len(e.SupportedSignatureAlgorithms))
+			}
+		}
+	}
+
+	for name, found := range map[string]bool{
+		"ALPN": foundALPN, "Versions": foundVersions, "KeyShare": foundKeyShare,
+		"PSK": foundPSK, "SigAlgs": foundSigAlgs,
+	} {
+		if !found {
+			t.Errorf("extension %s not found in spec", name)
+		}
+	}
+
+	// Test nil profile uses all defaults
+	specDefault := buildClientHelloSpecFromProfile(nil)
+	for _, ext := range specDefault.Extensions {
+		switch e := ext.(type) {
+		case *utls.ALPNExtension:
+			if len(e.AlpnProtocols) != 1 || e.AlpnProtocols[0] != "http/1.1" {
+				t.Errorf("default ALPN: got %v, want [http/1.1]", e.AlpnProtocols)
+			}
+		case *utls.SupportedVersionsExtension:
+			if len(e.Versions) != 2 {
+				t.Errorf("default versions: got %v, want 2 entries", e.Versions)
+			}
+		case *utls.KeyShareExtension:
+			if len(e.KeyShares) != 1 {
+				t.Errorf("default key shares: got %d, want 1", len(e.KeyShares))
+			}
+		}
+	}
+
+	t.Log("TestBuildClientHelloSpecNewFields passed")
+}

internal/pkg/tlsfingerprint/dialer_integration_test.go

@@ -0,0 +1,223 @@
+//go:build integration
+
+// Package tlsfingerprint provides TLS fingerprint simulation for HTTP clients.
+//
+// Integration tests for verifying TLS fingerprint correctness.
+// These tests make actual network requests to external services and should be run manually.
+//
+// Run with: go test -v -tags=integration ./internal/pkg/tlsfingerprint/...
+package tlsfingerprint
+
+import (
+	"context"
+	"encoding/json"
+	"io"
+	"net/http"
+	"strings"
+	"testing"
+	"time"
+)
+
+// skipIfExternalServiceUnavailable checks if the external service is available.
+// If not, it skips the test instead of failing.
+func skipIfExternalServiceUnavailable(t *testing.T, err error) {
+	t.Helper()
+	if err != nil {
+		// Check for common network/TLS errors that indicate external service issues
+		errStr := err.Error()
+		if strings.Contains(errStr, "certificate has expired") ||
+			strings.Contains(errStr, "certificate is not yet valid") ||
+			strings.Contains(errStr, "connection refused") ||
+			strings.Contains(errStr, "no such host") ||
+			strings.Contains(errStr, "network is unreachable") ||
+			strings.Contains(errStr, "timeout") ||
+			strings.Contains(errStr, "deadline exceeded") {
+			t.Skipf("skipping test: external service unavailable: %v", err)
+		}
+		t.Fatalf("failed to get fingerprint: %v", err)
+	}
+}
+
+// TestJA3Fingerprint verifies the JA3/JA4 fingerprint matches expected value.
+// This test uses tls.peet.ws to verify the fingerprint.
+// Expected JA3 hash: 44f88fca027f27bab4bb08d4af15f23e (Node.js 24.x)
+// Expected JA4: t13d1714h1_5b57614c22b0_7baf387fc6ff
+func TestJA3Fingerprint(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping integration test in short mode")
+	}
+
+	profile := &Profile{
+		Name:         "Default Profile Test",
+		EnableGREASE: false,
+	}
+	dialer := NewDialer(profile, nil)
+
+	client := &http.Client{
+		Transport: &http.Transport{
+			DialTLSContext: dialer.DialTLSContext,
+		},
+		Timeout: 30 * time.Second,
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+	defer cancel()
+
+	req, err := http.NewRequestWithContext(ctx, "GET", "https://tls.peet.ws/api/all", nil)
+	if err != nil {
+		t.Fatalf("failed to create request: %v", err)
+	}
+	req.Header.Set("User-Agent", "Claude Code/2.0.0 Node.js/24.3.0")
+
+	resp, err := client.Do(req)
+	skipIfExternalServiceUnavailable(t, err)
+	defer func() { _ = resp.Body.Close() }()
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		t.Fatalf("failed to read response: %v", err)
+	}
+
+	var fpResp FingerprintResponse
+	if err := json.Unmarshal(body, &fpResp); err != nil {
+		t.Logf("Response body: %s", string(body))
+		t.Fatalf("failed to parse fingerprint response: %v", err)
+	}
+
+	t.Logf("JA3: %s", fpResp.TLS.JA3)
+	t.Logf("JA3 Hash: %s", fpResp.TLS.JA3Hash)
+	t.Logf("JA4: %s", fpResp.TLS.JA4)
+
+	expectedJA3Hash := "44f88fca027f27bab4bb08d4af15f23e"
+	if fpResp.TLS.JA3Hash == expectedJA3Hash {
+		t.Logf("✓ JA3 hash matches: %s", expectedJA3Hash)
+	} else {
+		t.Errorf("✗ JA3 hash mismatch: got %s, expected %s", fpResp.TLS.JA3Hash, expectedJA3Hash)
+	}
+
+	expectedJA4CipherHash := "_5b57614c22b0_"
+	if strings.Contains(fpResp.TLS.JA4, expectedJA4CipherHash) {
+		t.Logf("✓ JA4 cipher hash matches: %s", expectedJA4CipherHash)
+	} else {
+		t.Errorf("✗ JA4 cipher hash mismatch: got %s, expected containing %s", fpResp.TLS.JA4, expectedJA4CipherHash)
+	}
+}
+
+// TestAllProfiles tests multiple TLS fingerprint profiles against tls.peet.ws.
+// Run with: go test -v -tags=integration -run TestAllProfiles ./internal/pkg/tlsfingerprint/...
+func TestAllProfiles(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping integration test in short mode")
+	}
+
+	// Define all profiles to test with their expected fingerprints
+	// These profiles are from config.yaml gateway.tls_fingerprint.profiles
+	profiles := []TestProfileExpectation{
+		{
+			// Default profile (Node.js 24.x)
+			Profile: &Profile{
+				Name:         "default_node_v24",
+				EnableGREASE: false,
+			},
+			JA4CipherHash: "5b57614c22b0",
+		},
+		{
+			// Linux x64 Node.js v22.17.1 (explicit profile with v22 extensions)
+			Profile: &Profile{
+				Name:         "linux_x64_node_v22171",
+				EnableGREASE: false,
+				CipherSuites: []uint16{4866, 4867, 4865, 49199, 49195, 49200, 49196, 158, 49191, 103, 49192, 107, 163, 159, 52393, 52392, 52394, 49327, 49325, 49315, 49311, 49245, 49249, 49239, 49235, 162, 49326, 49324, 49314, 49310, 49244, 49248, 49238, 49234, 49188, 106, 49187, 64, 49162, 49172, 57, 56, 49161, 49171, 51, 50, 157, 49313, 49309, 49233, 156, 49312, 49308, 49232, 61, 60, 53, 47, 255},
+				Curves:       []uint16{29, 23, 30, 25, 24, 256, 257, 258, 259, 260},
+				PointFormats: []uint16{0, 1, 2},
+				Extensions:   []uint16{0, 11, 10, 35, 16, 22, 23, 13, 43, 45, 51},
+			},
+			JA4CipherHash: "a33745022dd6",
+		},
+	}
+
+	for _, tc := range profiles {
+		tc := tc // capture range variable
+		t.Run(tc.Profile.Name, func(t *testing.T) {
+			fp := fetchFingerprint(t, tc.Profile)
+			if fp == nil {
+				return // fetchFingerprint already called t.Fatal
+			}
+
+			t.Logf("Profile: %s", tc.Profile.Name)
+			t.Logf("  JA3:           %s", fp.JA3)
+			t.Logf("  JA3 Hash:      %s", fp.JA3Hash)
+			t.Logf("  JA4:           %s", fp.JA4)
+			t.Logf("  PeetPrint:     %s", fp.PeetPrint)
+			t.Logf("  PeetPrintHash: %s", fp.PeetPrintHash)
+
+			// Verify expectations
+			if tc.ExpectedJA3 != "" {
+				if fp.JA3Hash == tc.ExpectedJA3 {
+					t.Logf("  ✓ JA3 hash matches: %s", tc.ExpectedJA3)
+				} else {
+					t.Errorf("  ✗ JA3 hash mismatch: got %s, expected %s", fp.JA3Hash, tc.ExpectedJA3)
+				}
+			}
+
+			if tc.ExpectedJA4 != "" {
+				if fp.JA4 == tc.ExpectedJA4 {
+					t.Logf("  ✓ JA4 matches: %s", tc.ExpectedJA4)
+				} else {
+					t.Errorf("  ✗ JA4 mismatch: got %s, expected %s", fp.JA4, tc.ExpectedJA4)
+				}
+			}
+
+			// Check JA4 cipher hash (stable middle part)
+			// JA4 format: prefix_cipherHash_extHash
+			if tc.JA4CipherHash != "" {
+				if strings.Contains(fp.JA4, "_"+tc.JA4CipherHash+"_") {
+					t.Logf("  ✓ JA4 cipher hash matches: %s", tc.JA4CipherHash)
+				} else {
+					t.Errorf("  ✗ JA4 cipher hash mismatch: got %s, expected cipher hash %s", fp.JA4, tc.JA4CipherHash)
+				}
+			}
+		})
+	}
+}
+
+// fetchFingerprint makes a request to tls.peet.ws and returns the TLS fingerprint info.
+func fetchFingerprint(t *testing.T, profile *Profile) *TLSInfo {
+	t.Helper()
+
+	dialer := NewDialer(profile, nil)
+	client := &http.Client{
+		Transport: &http.Transport{
+			DialTLSContext: dialer.DialTLSContext,
+		},
+		Timeout: 30 * time.Second,
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+	defer cancel()
+
+	req, err := http.NewRequestWithContext(ctx, "GET", "https://tls.peet.ws/api/all", nil)
+	if err != nil {
+		t.Fatalf("failed to create request: %v", err)
+		return nil
+	}
+	req.Header.Set("User-Agent", "Claude Code/2.0.0 Node.js/20.0.0")
+
+	resp, err := client.Do(req)
+	skipIfExternalServiceUnavailable(t, err)
+	defer func() { _ = resp.Body.Close() }()
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		t.Fatalf("failed to read response: %v", err)
+		return nil
+	}
+
+	var fpResp FingerprintResponse
+	if err := json.Unmarshal(body, &fpResp); err != nil {
+		t.Logf("Response body: %s", string(body))
+		t.Fatalf("failed to parse fingerprint response: %v", err)
+		return nil
+	}
+
+	return &fpResp.TLS
+}

internal/pkg/tlsfingerprint/dialer_test.go

@@ -0,0 +1,410 @@
+//go:build unit
+
+// Package tlsfingerprint provides TLS fingerprint simulation for HTTP clients.
+//
+// Unit tests for TLS fingerprint dialer.
+// Integration tests that require external network are in dialer_integration_test.go
+// and require the 'integration' build tag.
+//
+// Run unit tests: go test -v ./internal/pkg/tlsfingerprint/...
+// Run integration tests: go test -v -tags=integration ./internal/pkg/tlsfingerprint/...
+package tlsfingerprint
+
+import (
+	"context"
+	"encoding/json"
+	"io"
+	"net/http"
+	"net/url"
+	"os"
+	"strings"
+	"testing"
+	"time"
+)
+
+// TestDialerBasicConnection tests that the dialer can establish TLS connections.
+func TestDialerBasicConnection(t *testing.T) {
+	skipNetworkTest(t)
+
+	// Create a dialer with default profile
+	profile := &Profile{
+		Name:         "Test Profile",
+		EnableGREASE: false,
+	}
+	dialer := NewDialer(profile, nil)
+
+	// Create HTTP client with custom TLS dialer
+	client := &http.Client{
+		Transport: &http.Transport{
+			DialTLSContext: dialer.DialTLSContext,
+		},
+		Timeout: 30 * time.Second,
+	}
+
+	// Make a request to a known HTTPS endpoint
+	resp, err := client.Get("https://www.google.com")
+	if err != nil {
+		t.Fatalf("failed to connect: %v", err)
+	}
+	defer func() { _ = resp.Body.Close() }()
+
+	if resp.StatusCode != http.StatusOK {
+		t.Errorf("expected status 200, got %d", resp.StatusCode)
+	}
+}
+
+// TestJA3Fingerprint verifies the JA3/JA4 fingerprint matches expected value.
+// This test uses tls.peet.ws to verify the fingerprint.
+// Expected JA3 hash: 44f88fca027f27bab4bb08d4af15f23e (Node.js 24.x)
+// Expected JA4: t13d1714h1_5b57614c22b0_7baf387fc6ff
+func TestJA3Fingerprint(t *testing.T) {
+	skipNetworkTest(t)
+
+	profile := &Profile{
+		Name:         "Default Profile Test",
+		EnableGREASE: false,
+	}
+	dialer := NewDialer(profile, nil)
+
+	client := &http.Client{
+		Transport: &http.Transport{
+			DialTLSContext: dialer.DialTLSContext,
+		},
+		Timeout: 30 * time.Second,
+	}
+
+	// Use tls.peet.ws fingerprint detection API
+	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+	defer cancel()
+
+	req, err := http.NewRequestWithContext(ctx, "GET", "https://tls.peet.ws/api/all", nil)
+	if err != nil {
+		t.Fatalf("failed to create request: %v", err)
+	}
+	req.Header.Set("User-Agent", "Claude Code/2.0.0 Node.js/24.3.0")
+
+	resp, err := client.Do(req)
+	if err != nil {
+		t.Fatalf("failed to get fingerprint: %v", err)
+	}
+	defer func() { _ = resp.Body.Close() }()
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		t.Fatalf("failed to read response: %v", err)
+	}
+
+	var fpResp FingerprintResponse
+	if err := json.Unmarshal(body, &fpResp); err != nil {
+		t.Logf("Response body: %s", string(body))
+		t.Fatalf("failed to parse fingerprint response: %v", err)
+	}
+
+	// Log all fingerprint information
+	t.Logf("JA3: %s", fpResp.TLS.JA3)
+	t.Logf("JA3 Hash: %s", fpResp.TLS.JA3Hash)
+	t.Logf("JA4: %s", fpResp.TLS.JA4)
+	t.Logf("PeetPrint: %s", fpResp.TLS.PeetPrint)
+	t.Logf("PeetPrint Hash: %s", fpResp.TLS.PeetPrintHash)
+
+	// Verify JA3 hash matches expected value (Node.js 24.x default)
+	expectedJA3Hash := "44f88fca027f27bab4bb08d4af15f23e"
+	if fpResp.TLS.JA3Hash == expectedJA3Hash {
+		t.Logf("✓ JA3 hash matches expected value: %s", expectedJA3Hash)
+	} else {
+		t.Errorf("✗ JA3 hash mismatch: got %s, expected %s", fpResp.TLS.JA3Hash, expectedJA3Hash)
+	}
+
+	// Verify JA4 cipher hash (stable middle part)
+	expectedJA4CipherHash := "_5b57614c22b0_"
+	if strings.Contains(fpResp.TLS.JA4, expectedJA4CipherHash) {
+		t.Logf("✓ JA4 cipher hash matches: %s", expectedJA4CipherHash)
+	} else {
+		t.Errorf("✗ JA4 cipher hash mismatch: got %s, expected containing %s", fpResp.TLS.JA4, expectedJA4CipherHash)
+	}
+
+	// Verify JA4 prefix (t13d1714h1 or t13i1714h1)
+	expectedJA4Prefix := "t13d1714h1"
+	if strings.HasPrefix(fpResp.TLS.JA4, expectedJA4Prefix) {
+		t.Logf("✓ JA4 prefix matches: %s (t13=TLS1.3, d=domain, 17=ciphers, 14=extensions, h1=HTTP/1.1)", expectedJA4Prefix)
+	} else {
+		altPrefix := "t13i1714h1"
+		if strings.HasPrefix(fpResp.TLS.JA4, altPrefix) {
+			t.Logf("✓ JA4 prefix matches (IP variant): %s", altPrefix)
+		} else {
+			t.Errorf("✗ JA4 prefix mismatch: got %s, expected %s or %s", fpResp.TLS.JA4, expectedJA4Prefix, altPrefix)
+		}
+	}
+
+	// Verify JA3 contains expected TLS 1.3 cipher suites
+	if strings.Contains(fpResp.TLS.JA3, "4865-4866-4867") {
+		t.Logf("✓ JA3 contains expected TLS 1.3 cipher suites")
+	} else {
+		t.Logf("Warning: JA3 does not contain expected TLS 1.3 cipher suites")
+	}
+
+	// Verify extension list (14 extensions, Node.js 24.x order)
+	expectedExtensions := "0-65037-23-65281-10-11-35-16-5-13-18-51-45-43"
+	if strings.Contains(fpResp.TLS.JA3, expectedExtensions) {
+		t.Logf("✓ JA3 contains expected extension list: %s", expectedExtensions)
+	} else {
+		t.Logf("Warning: JA3 extension list may differ")
+	}
+}
+
+func skipNetworkTest(t *testing.T) {
+	if testing.Short() {
+		t.Skip("跳过网络测试（short 模式）")
+	}
+	if os.Getenv("TLSFINGERPRINT_NETWORK_TESTS") != "1" {
+		t.Skip("跳过网络测试（需要设置 TLSFINGERPRINT_NETWORK_TESTS=1）")
+	}
+}
+
+// TestDialerWithProfile tests that different profiles produce different fingerprints.
+func TestDialerWithProfile(t *testing.T) {
+	// Create two dialers with different profiles
+	profile1 := &Profile{
+		Name:         "Profile 1 - No GREASE",
+		EnableGREASE: false,
+	}
+	profile2 := &Profile{
+		Name:         "Profile 2 - With GREASE",
+		EnableGREASE: true,
+	}
+
+	dialer1 := NewDialer(profile1, nil)
+	dialer2 := NewDialer(profile2, nil)
+
+	// Build specs and compare
+	// Note: We can't directly compare JA3 without making network requests
+	// but we can verify the specs are different
+	spec1 := buildClientHelloSpecFromProfile(dialer1.profile)
+	spec2 := buildClientHelloSpecFromProfile(dialer2.profile)
+
+	// Profile with GREASE should have more extensions
+	if len(spec2.Extensions) <= len(spec1.Extensions) {
+		t.Error("expected GREASE profile to have more extensions")
+	}
+}
+
+// TestHTTPProxyDialerBasic tests HTTP proxy dialer creation.
+// Note: This is a unit test - actual proxy testing requires a proxy server.
+func TestHTTPProxyDialerBasic(t *testing.T) {
+	profile := &Profile{
+		Name:         "Test Profile",
+		EnableGREASE: false,
+	}
+
+	// Test that dialer is created without panic
+	proxyURL := mustParseURL("http://proxy.example.com:8080")
+	dialer := NewHTTPProxyDialer(profile, proxyURL)
+
+	if dialer == nil {
+		t.Fatal("expected dialer to be created")
+	}
+	if dialer.profile != profile {
+		t.Error("expected profile to be set")
+	}
+	if dialer.proxyURL != proxyURL {
+		t.Error("expected proxyURL to be set")
+	}
+}
+
+// TestSOCKS5ProxyDialerBasic tests SOCKS5 proxy dialer creation.
+// Note: This is a unit test - actual proxy testing requires a proxy server.
+func TestSOCKS5ProxyDialerBasic(t *testing.T) {
+	profile := &Profile{
+		Name:         "Test Profile",
+		EnableGREASE: false,
+	}
+
+	// Test that dialer is created without panic
+	proxyURL := mustParseURL("socks5://proxy.example.com:1080")
+	dialer := NewSOCKS5ProxyDialer(profile, proxyURL)
+
+	if dialer == nil {
+		t.Fatal("expected dialer to be created")
+	}
+	if dialer.profile != profile {
+		t.Error("expected profile to be set")
+	}
+	if dialer.proxyURL != proxyURL {
+		t.Error("expected proxyURL to be set")
+	}
+}
+
+// TestBuildClientHelloSpec tests ClientHello spec construction.
+func TestBuildClientHelloSpec(t *testing.T) {
+	// Test with nil profile (should use defaults)
+	spec := buildClientHelloSpecFromProfile(nil)
+
+	if len(spec.CipherSuites) == 0 {
+		t.Error("expected cipher suites to be set")
+	}
+	if len(spec.Extensions) == 0 {
+		t.Error("expected extensions to be set")
+	}
+
+	// Verify default cipher suites are used
+	if len(spec.CipherSuites) != len(defaultCipherSuites) {
+		t.Errorf("expected %d cipher suites, got %d", len(defaultCipherSuites), len(spec.CipherSuites))
+	}
+
+	// Test with custom profile
+	customProfile := &Profile{
+		Name:         "Custom",
+		EnableGREASE: false,
+		CipherSuites: []uint16{0x1301, 0x1302},
+	}
+	spec = buildClientHelloSpecFromProfile(customProfile)
+
+	if len(spec.CipherSuites) != 2 {
+		t.Errorf("expected 2 cipher suites, got %d", len(spec.CipherSuites))
+	}
+}
+
+// TestToUTLSCurves tests curve ID conversion.
+func TestToUTLSCurves(t *testing.T) {
+	input := []uint16{0x001d, 0x0017, 0x0018}
+	result := toUTLSCurves(input)
+
+	if len(result) != len(input) {
+		t.Errorf("expected %d curves, got %d", len(input), len(result))
+	}
+
+	for i, curve := range result {
+		if uint16(curve) != input[i] {
+			t.Errorf("curve %d: expected 0x%04x, got 0x%04x", i, input[i], uint16(curve))
+		}
+	}
+}
+
+// Helper function to parse URL without error handling.
+func mustParseURL(rawURL string) *url.URL {
+	u, err := url.Parse(rawURL)
+	if err != nil {
+		panic(err)
+	}
+	return u
+}
+
+// TestAllProfiles tests multiple TLS fingerprint profiles against tls.peet.ws.
+// Run with: go test -v -run TestAllProfiles ./internal/pkg/tlsfingerprint/...
+func TestAllProfiles(t *testing.T) {
+	skipNetworkTest(t)
+
+	profiles := []TestProfileExpectation{
+		{
+			// Default profile (Node.js 24.x)
+			// JA3 Hash: 44f88fca027f27bab4bb08d4af15f23e
+			// JA4: t13d1714h1_5b57614c22b0_7baf387fc6ff
+			Profile: &Profile{
+				Name:         "default_node_v24",
+				EnableGREASE: false,
+			},
+			JA4CipherHash: "5b57614c22b0",
+		},
+		{
+			// Linux x64 Node.js v22.17.1 (explicit profile)
+			Profile: &Profile{
+				Name:         "linux_x64_node_v22171",
+				EnableGREASE: false,
+				CipherSuites: []uint16{4866, 4867, 4865, 49199, 49195, 49200, 49196, 158, 49191, 103, 49192, 107, 163, 159, 52393, 52392, 52394, 49327, 49325, 49315, 49311, 49245, 49249, 49239, 49235, 162, 49326, 49324, 49314, 49310, 49244, 49248, 49238, 49234, 49188, 106, 49187, 64, 49162, 49172, 57, 56, 49161, 49171, 51, 50, 157, 49313, 49309, 49233, 156, 49312, 49308, 49232, 61, 60, 53, 47, 255},
+				Curves:       []uint16{29, 23, 30, 25, 24, 256, 257, 258, 259, 260},
+				PointFormats: []uint16{0, 1, 2},
+				Extensions:   []uint16{0, 11, 10, 35, 16, 22, 23, 13, 43, 45, 51},
+			},
+			JA4CipherHash: "a33745022dd6",
+		},
+	}
+
+	for _, tc := range profiles {
+		tc := tc // capture range variable
+		t.Run(tc.Profile.Name, func(t *testing.T) {
+			fp := fetchFingerprint(t, tc.Profile)
+			if fp == nil {
+				return // fetchFingerprint already called t.Fatal
+			}
+
+			t.Logf("Profile: %s", tc.Profile.Name)
+			t.Logf("  JA3:           %s", fp.JA3)
+			t.Logf("  JA3 Hash:      %s", fp.JA3Hash)
+			t.Logf("  JA4:           %s", fp.JA4)
+			t.Logf("  PeetPrint:     %s", fp.PeetPrint)
+			t.Logf("  PeetPrintHash: %s", fp.PeetPrintHash)
+
+			// Verify expectations
+			if tc.ExpectedJA3 != "" {
+				if fp.JA3Hash == tc.ExpectedJA3 {
+					t.Logf("  ✓ JA3 hash matches: %s", tc.ExpectedJA3)
+				} else {
+					t.Errorf("  ✗ JA3 hash mismatch: got %s, expected %s", fp.JA3Hash, tc.ExpectedJA3)
+				}
+			}
+
+			if tc.ExpectedJA4 != "" {
+				if fp.JA4 == tc.ExpectedJA4 {
+					t.Logf("  ✓ JA4 matches: %s", tc.ExpectedJA4)
+				} else {
+					t.Errorf("  ✗ JA4 mismatch: got %s, expected %s", fp.JA4, tc.ExpectedJA4)
+				}
+			}
+
+			// Check JA4 cipher hash (stable middle part)
+			// JA4 format: prefix_cipherHash_extHash
+			if tc.JA4CipherHash != "" {
+				if strings.Contains(fp.JA4, "_"+tc.JA4CipherHash+"_") {
+					t.Logf("  ✓ JA4 cipher hash matches: %s", tc.JA4CipherHash)
+				} else {
+					t.Errorf("  ✗ JA4 cipher hash mismatch: got %s, expected cipher hash %s", fp.JA4, tc.JA4CipherHash)
+				}
+			}
+		})
+	}
+}
+
+// fetchFingerprint makes a request to tls.peet.ws and returns the TLS fingerprint info.
+func fetchFingerprint(t *testing.T, profile *Profile) *TLSInfo {
+	t.Helper()
+
+	dialer := NewDialer(profile, nil)
+	client := &http.Client{
+		Transport: &http.Transport{
+			DialTLSContext: dialer.DialTLSContext,
+		},
+		Timeout: 30 * time.Second,
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+	defer cancel()
+
+	req, err := http.NewRequestWithContext(ctx, "GET", "https://tls.peet.ws/api/all", nil)
+	if err != nil {
+		t.Fatalf("failed to create request: %v", err)
+		return nil
+	}
+	req.Header.Set("User-Agent", "Claude Code/2.0.0 Node.js/20.0.0")
+
+	resp, err := client.Do(req)
+	if err != nil {
+		t.Fatalf("failed to get fingerprint: %v", err)
+		return nil
+	}
+	defer func() { _ = resp.Body.Close() }()
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		t.Fatalf("failed to read response: %v", err)
+		return nil
+	}
+
+	var fpResp FingerprintResponse
+	if err := json.Unmarshal(body, &fpResp); err != nil {
+		t.Logf("Response body: %s", string(body))
+		t.Fatalf("failed to parse fingerprint response: %v", err)
+		return nil
+	}
+
+	return &fpResp.TLS
+}

internal/pkg/tlsfingerprint/profile.go

@@ -0,0 +1,17 @@
+// Package tlsfingerprint provides TLS fingerprint simulation for HTTP clients.
+package tlsfingerprint
+
+// Profile represents a TLS fingerprint profile for HTTP clients.
+type Profile struct {
+	Name                string
+	EnableGREASE        bool
+	CipherSuites        []uint16
+	Curves              []uint16
+	PointFormats        []uint16
+	SignatureAlgorithms []uint16
+	ALPNProtocols       []string
+	SupportedVersions   []uint16
+	KeyShareGroups      []uint16
+	PSKModes            []uint16
+	Extensions          []uint16
+}

internal/pkg/tlsfingerprint/test_types_test.go

@@ -0,0 +1,28 @@
+package tlsfingerprint
+
+// FingerprintResponse represents the response from tls.peet.ws/api/all.
+// 共享测试类型，供 unit 和 integration 测试文件使用。
+type FingerprintResponse struct {
+	IP    string  `json:"ip"`
+	TLS   TLSInfo `json:"tls"`
+	HTTP2 any     `json:"http2"`
+}
+
+// TestProfileExpectation defines expected fingerprint values for a profile.
+type TestProfileExpectation struct {
+	Profile       *Profile
+	ExpectedJA3   string // Expected JA3 hash (empty = don't check)
+	ExpectedJA4   string // Expected full JA4 (empty = don't check)
+	JA4CipherHash string // Expected JA4 cipher hash - the stable middle part (empty = don't check)
+}
+
+// TLSInfo contains TLS fingerprint details.
+type TLSInfo struct {
+	JA3           string `json:"ja3"`
+	JA3Hash       string `json:"ja3_hash"`
+	JA4           string `json:"ja4"`
+	PeetPrint     string `json:"peetprint"`
+	PeetPrintHash string `json:"peetprint_hash"`
+	ClientRandom  string `json:"client_random"`
+	SessionID     string `json:"session_id"`
+}