feat: Go 重写后端，替换 Python FastAPI

用 Go (Gin + GORM + SQLite) 重写整个后端：
- 单二进制部署，不依赖 Python/pip/SDK
- net/http 原生客户端，无 Cloudflare TLS 指纹问题
- 多阶段 Dockerfile：Node 构建前端 + Go 构建后端 + Alpine 运行
- 内存占用从 ~95MB 降至 ~3MB
- 完整保留所有 API 路由、JWT 认证、API Key 权限、审计日志

airwallex/authorizations.go

@@ -0,0 +1,23 @@
+package airwallex
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/url"
+)
+
+// ListAuthorizations retrieves a paginated list of issuing authorizations.
+func (c *Client) ListAuthorizations(params url.Values) (*PaginatedResponse, error) {
+	data, statusCode, err := c.RequestRaw("GET", "api/v1/issuing/authorizations", params, nil)
+	if err != nil {
+		return nil, err
+	}
+	if statusCode >= 400 {
+		return nil, parseAPIError(data, statusCode)
+	}
+	var result PaginatedResponse
+	if err := json.Unmarshal(data, &result); err != nil {
+		return nil, fmt.Errorf("airwallex: failed to parse authorizations response: %w", err)
+	}
+	return &result, nil
+}

airwallex/cardholders.go

@@ -0,0 +1,28 @@
+package airwallex
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/url"
+)
+
+// ListCardholders retrieves a paginated list of cardholders.
+func (c *Client) ListCardholders(params url.Values) (*PaginatedResponse, error) {
+	data, statusCode, err := c.RequestRaw("GET", "api/v1/issuing/cardholders", params, nil)
+	if err != nil {
+		return nil, err
+	}
+	if statusCode >= 400 {
+		return nil, parseAPIError(data, statusCode)
+	}
+	var result PaginatedResponse
+	if err := json.Unmarshal(data, &result); err != nil {
+		return nil, fmt.Errorf("airwallex: failed to parse cardholders response: %w", err)
+	}
+	return &result, nil
+}
+
+// CreateCardholder creates a new cardholder.
+func (c *Client) CreateCardholder(data map[string]interface{}) (map[string]interface{}, error) {
+	return c.Request("POST", "api/v1/issuing/cardholders/create", nil, data)
+}

airwallex/cards.go

@@ -0,0 +1,43 @@
+package airwallex
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/url"
+)
+
+// ListCards retrieves a paginated list of issuing cards.
+func (c *Client) ListCards(params url.Values) (*PaginatedResponse, error) {
+	data, statusCode, err := c.RequestRaw("GET", "api/v1/issuing/cards", params, nil)
+	if err != nil {
+		return nil, err
+	}
+	if statusCode >= 400 {
+		return nil, parseAPIError(data, statusCode)
+	}
+	var result PaginatedResponse
+	if err := json.Unmarshal(data, &result); err != nil {
+		return nil, fmt.Errorf("airwallex: failed to parse cards response: %w", err)
+	}
+	return &result, nil
+}
+
+// CreateCard creates a new issuing card.
+func (c *Client) CreateCard(data map[string]interface{}) (map[string]interface{}, error) {
+	return c.Request("POST", "api/v1/issuing/cards/create", nil, data)
+}
+
+// GetCard retrieves a single card by ID.
+func (c *Client) GetCard(cardID string) (map[string]interface{}, error) {
+	return c.Request("GET", fmt.Sprintf("api/v1/issuing/cards/%s", cardID), nil, nil)
+}
+
+// GetCardDetails retrieves sensitive card details (PAN, CVV, etc.) by card ID.
+func (c *Client) GetCardDetails(cardID string) (map[string]interface{}, error) {
+	return c.Request("GET", fmt.Sprintf("api/v1/issuing/cards/%s/details", cardID), nil, nil)
+}
+
+// UpdateCard updates an existing card by ID.
+func (c *Client) UpdateCard(cardID string, data map[string]interface{}) (map[string]interface{}, error) {
+	return c.Request("POST", fmt.Sprintf("api/v1/issuing/cards/%s/update", cardID), nil, data)
+}

airwallex/client.go

@@ -0,0 +1,254 @@
+package airwallex
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"net/url"
+	"strings"
+	"sync"
+	"time"
+
+	"golang.org/x/net/proxy"
+)
+
+// Client is the core HTTP client for Airwallex API.
+type Client struct {
+	ClientID    string
+	APIKey      string
+	LoginAs     string // optional x-login-as header
+	BaseURL     string // e.g. "https://api.airwallex.com"
+	ProxyURL    string // socks5:// or http:// proxy
+	Token       string
+	TokenExpiry time.Time
+	HTTPClient  *http.Client
+	mu          sync.Mutex
+}
+
+// NewClient creates a new Airwallex API client with optional proxy support.
+func NewClient(clientID, apiKey, baseURL, loginAs, proxyURL string) *Client {
+	baseURL = strings.TrimRight(baseURL, "/")
+
+	httpClient := &http.Client{Timeout: 30 * time.Second}
+
+	if proxyURL != "" {
+		parsed, err := url.Parse(proxyURL)
+		if err == nil {
+			switch parsed.Scheme {
+			case "socks5", "socks5h":
+				dialer, err := proxy.FromURL(parsed, proxy.Direct)
+				if err == nil {
+					contextDialer, ok := dialer.(proxy.ContextDialer)
+					if ok {
+						httpClient.Transport = &http.Transport{
+							DialContext: contextDialer.DialContext,
+						}
+					} else {
+						httpClient.Transport = &http.Transport{
+							DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+								return dialer.Dial(network, addr)
+							},
+						}
+					}
+				}
+			case "http", "https":
+				httpClient.Transport = &http.Transport{
+					Proxy: http.ProxyURL(parsed),
+				}
+			}
+		}
+	}
+
+	return &Client{
+		ClientID:   clientID,
+		APIKey:     apiKey,
+		BaseURL:    baseURL,
+		LoginAs:    loginAs,
+		ProxyURL:   proxyURL,
+		HTTPClient: httpClient,
+	}
+}
+
+// Authenticate obtains an access token from the Airwallex API.
+func (c *Client) Authenticate() error {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	authURL := c.BaseURL + "/api/v1/authentication/login"
+
+	req, err := http.NewRequest(http.MethodPost, authURL, bytes.NewBufferString("{}"))
+	if err != nil {
+		return fmt.Errorf("airwallex: failed to create auth request: %w", err)
+	}
+
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("x-client-id", c.ClientID)
+	req.Header.Set("x-api-key", c.APIKey)
+	if c.LoginAs != "" {
+		req.Header.Set("x-login-as", c.LoginAs)
+	}
+
+	resp, err := c.HTTPClient.Do(req)
+	if err != nil {
+		return fmt.Errorf("airwallex: auth request failed: %w", err)
+	}
+	defer resp.Body.Close()
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return fmt.Errorf("airwallex: failed to read auth response: %w", err)
+	}
+
+	if resp.StatusCode != http.StatusCreated {
+		return fmt.Errorf("airwallex: auth failed with status %d: %s", resp.StatusCode, string(body))
+	}
+
+	var result map[string]interface{}
+	if err := json.Unmarshal(body, &result); err != nil {
+		return fmt.Errorf("airwallex: failed to parse auth response: %w", err)
+	}
+
+	token, ok := result["token"].(string)
+	if !ok || token == "" {
+		return fmt.Errorf("airwallex: no token in auth response")
+	}
+
+	c.Token = token
+
+	// Parse expires_at or default to 28 minutes from now.
+	if expiresAt, ok := result["expires_at"].(string); ok && expiresAt != "" {
+		if t, err := time.Parse(time.RFC3339, expiresAt); err == nil {
+			c.TokenExpiry = t
+		} else {
+			c.TokenExpiry = time.Now().Add(28 * time.Minute)
+		}
+	} else {
+		c.TokenExpiry = time.Now().Add(28 * time.Minute)
+	}
+
+	return nil
+}
+
+// IsTokenValid checks if the current token is non-empty and not expired.
+func (c *Client) IsTokenValid() bool {
+	return c.Token != "" && time.Now().Before(c.TokenExpiry)
+}
+
+// Request performs an authenticated API request and returns the parsed JSON response.
+func (c *Client) Request(method, path string, params url.Values, body interface{}) (map[string]interface{}, error) {
+	data, statusCode, err := c.doRequest(method, path, params, body)
+	if err != nil {
+		return nil, err
+	}
+
+	// On 401, re-authenticate and retry once.
+	if statusCode == http.StatusUnauthorized {
+		if err := c.Authenticate(); err != nil {
+			return nil, err
+		}
+		data, statusCode, err = c.doRequest(method, path, params, body)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	if statusCode >= 400 {
+		return nil, parseAPIError(data, statusCode)
+	}
+
+	var result map[string]interface{}
+	if err := json.Unmarshal(data, &result); err != nil {
+		return nil, fmt.Errorf("airwallex: failed to parse response: %w", err)
+	}
+
+	return result, nil
+}
+
+// RequestRaw performs an authenticated API request and returns the raw response bytes and status code.
+func (c *Client) RequestRaw(method, path string, params url.Values, body interface{}) ([]byte, int, error) {
+	data, statusCode, err := c.doRequest(method, path, params, body)
+	if err != nil {
+		return nil, 0, err
+	}
+
+	// On 401, re-authenticate and retry once.
+	if statusCode == http.StatusUnauthorized {
+		if err := c.Authenticate(); err != nil {
+			return nil, 0, err
+		}
+		data, statusCode, err = c.doRequest(method, path, params, body)
+		if err != nil {
+			return nil, 0, err
+		}
+	}
+
+	return data, statusCode, nil
+}
+
+// doRequest performs the actual HTTP request with current auth token.
+func (c *Client) doRequest(method, path string, params url.Values, body interface{}) ([]byte, int, error) {
+	if !c.IsTokenValid() {
+		if err := c.Authenticate(); err != nil {
+			return nil, 0, err
+		}
+	}
+
+	// Build full URL, avoiding double slashes.
+	path = strings.TrimLeft(path, "/")
+	fullURL := c.BaseURL + "/" + path
+
+	var reqBody io.Reader
+	if body != nil && (method == http.MethodPost || method == http.MethodPut) {
+		jsonBytes, err := json.Marshal(body)
+		if err != nil {
+			return nil, 0, fmt.Errorf("airwallex: failed to marshal request body: %w", err)
+		}
+		reqBody = bytes.NewBuffer(jsonBytes)
+	}
+
+	req, err := http.NewRequest(method, fullURL, reqBody)
+	if err != nil {
+		return nil, 0, fmt.Errorf("airwallex: failed to create request: %w", err)
+	}
+
+	// Append query params for GET requests.
+	if method == http.MethodGet && params != nil {
+		req.URL.RawQuery = params.Encode()
+	}
+
+	req.Header.Set("Authorization", "Bearer "+c.Token)
+	req.Header.Set("Content-Type", "application/json")
+	if c.LoginAs != "" {
+		req.Header.Set("x-login-as", c.LoginAs)
+	}
+
+	resp, err := c.HTTPClient.Do(req)
+	if err != nil {
+		return nil, 0, fmt.Errorf("airwallex: request failed: %w", err)
+	}
+	defer resp.Body.Close()
+
+	data, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, 0, fmt.Errorf("airwallex: failed to read response: %w", err)
+	}
+
+	return data, resp.StatusCode, nil
+}
+
+// parseAPIError attempts to parse an error response into an APIError.
+func parseAPIError(data []byte, statusCode int) *APIError {
+	var apiErr APIError
+	if err := json.Unmarshal(data, &apiErr); err != nil || apiErr.Message == "" {
+		apiErr = APIError{
+			Code:    "UNKNOWN",
+			Message: string(data),
+		}
+	}
+	apiErr.StatusCode = statusCode
+	return &apiErr
+}

airwallex/config.go

@@ -0,0 +1,11 @@
+package airwallex
+
+// GetIssuingConfig retrieves the issuing configuration.
+func (c *Client) GetIssuingConfig() (map[string]interface{}, error) {
+	return c.Request("GET", "api/v1/issuing/config", nil, nil)
+}
+
+// GetBalance retrieves the current account balance.
+func (c *Client) GetBalance() (map[string]interface{}, error) {
+	return c.Request("GET", "api/v1/balances/current", nil, nil)
+}

airwallex/transactions.go

@@ -0,0 +1,23 @@
+package airwallex
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/url"
+)
+
+// ListTransactions retrieves a paginated list of issuing transactions.
+func (c *Client) ListTransactions(params url.Values) (*PaginatedResponse, error) {
+	data, statusCode, err := c.RequestRaw("GET", "api/v1/issuing/transactions", params, nil)
+	if err != nil {
+		return nil, err
+	}
+	if statusCode >= 400 {
+		return nil, parseAPIError(data, statusCode)
+	}
+	var result PaginatedResponse
+	if err := json.Unmarshal(data, &result); err != nil {
+		return nil, fmt.Errorf("airwallex: failed to parse transactions response: %w", err)
+	}
+	return &result, nil
+}

airwallex/types.go

@@ -0,0 +1,22 @@
+package airwallex
+
+import "fmt"
+
+// PaginatedResponse represents a paginated API response.
+type PaginatedResponse struct {
+	Items   []map[string]interface{} `json:"items"`
+	HasMore bool                     `json:"has_more"`
+}
+
+// APIError represents an Airwallex API error.
+type APIError struct {
+	Code       string `json:"code"`
+	Message    string `json:"message"`
+	Source     string `json:"source"`
+	StatusCode int    `json:"-"`
+}
+
+// Error implements the error interface.
+func (e *APIError) Error() string {
+	return fmt.Sprintf("airwallex: %s - %s (status %d)", e.Code, e.Message, e.StatusCode)
+}