Update deps to Go 1.25.6, fix API code per official Proton sources (#5)

* Update deps to Go 1.25.6, fix API code per official Proton sources

  - Upgrade Go 1.25.6 and all dependencies to latest versions
  - Fix certificate feature keys to match python-proton-vpn-api-core
  - Fix token refresh RedirectURI to match proton-python-client
  - Add IsSuccessCode() helper for API codes 1000/1001
  - Fix error codes per protoncore_android ResponseCodes.kt
  - Extract API documentation to API_REFERENCE.md

* add forgotten new line

* upd deps in ci

* fix: align comment whitespace in client.go

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* rename to confgen

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Author: hatemosphere

.github/workflows/ci.yml

@@ -7,18 +7,18 @@ on:
     branches: [main]
 
 env:
-  GO_VERSION: "1.25.5"
-  GOLANGCI_LINT_VERSION: "v2.6.1"
+  GO_VERSION: "1.25.6"
+  GOLANGCI_LINT_VERSION: "v2.8.0"
 
 jobs:
   lint:
     name: Lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Set up Go
-        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
           go-version: ${{ env.GO_VERSION }}
           cache: true
@@ -43,10 +43,10 @@ jobs:
     name: Test
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Set up Go
-        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
           go-version: ${{ env.GO_VERSION }}
           cache: true
@@ -62,16 +62,16 @@ jobs:
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Set up Go
-        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
           go-version: ${{ env.GO_VERSION }}
           cache: true
 
       - name: Build (native)
-        run: go build -o build/protonvpn-wg-config-generate${{ matrix.os == 'windows-latest' && '.exe' || '' }} cmd/protonvpn-wg/main.go
+        run: go build -o build/protonvpn-wg-confgen${{ matrix.os == 'windows-latest' && '.exe' || '' }} cmd/protonvpn-wg/main.go
 
   cross-compile:
     name: Cross-compile
@@ -100,10 +100,10 @@ jobs:
             goarch: arm64
             ext: .exe
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Set up Go
-        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
           go-version: ${{ env.GO_VERSION }}
           cache: true
@@ -115,10 +115,10 @@ jobs:
           CGO_ENABLED: "0"
         run: |
           mkdir -p build
-          go build -o build/protonvpn-wg-config-generate-${{ matrix.goos }}-${{ matrix.goarch }}${{ matrix.ext }} cmd/protonvpn-wg/main.go
+          go build -o build/protonvpn-wg-confgen-${{ matrix.goos }}-${{ matrix.goarch }}${{ matrix.ext }} cmd/protonvpn-wg/main.go
 
       - name: Upload artifact
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
-          name: protonvpn-wg-config-generate-${{ matrix.goos }}-${{ matrix.goarch }}
-          path: build/protonvpn-wg-config-generate-${{ matrix.goos }}-${{ matrix.goarch }}${{ matrix.ext }}
+          name: protonvpn-wg-confgen-${{ matrix.goos }}-${{ matrix.goarch }}
+          path: build/protonvpn-wg-confgen-${{ matrix.goos }}-${{ matrix.goarch }}${{ matrix.ext }}

.github/workflows/release.yml

@@ -9,20 +9,20 @@ permissions:
   contents: write
 
 env:
-  GO_VERSION: "1.25.5"
+  GO_VERSION: "1.25.6"
 
 jobs:
   release:
     name: Release
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
 
       - name: Set up Go
-        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
           go-version: ${{ env.GO_VERSION }}
           cache: true

.gitignore

@@ -18,7 +18,7 @@ vendor/
 build/
 
 # Binary
-protonvpn-wg-config-generate
+protonvpn-wg-confgen
 
 # IDE specific files
 .vscode/

.goreleaser.yaml

@@ -1,16 +1,16 @@
 # yaml-language-server: $schema=https://goreleaser.com/static/schema.json
 version: 2
 
-project_name: protonvpn-wg-config-generate
+project_name: protonvpn-wg-confgen
 
 before:
   hooks:
     - go mod tidy
 
 builds:
-  - id: protonvpn-wg-config-generate
+  - id: protonvpn-wg-confgen
     main: ./cmd/protonvpn-wg
-    binary: protonvpn-wg-config-generate
+    binary: protonvpn-wg-confgen
     env:
       - CGO_ENABLED=0
     goos:
@@ -69,7 +69,7 @@ changelog:
 release:
   github:
     owner: '{{ envOrDefault "GITHUB_REPOSITORY_OWNER" "" }}'
-    name: protonvpn-wg-config-generate
+    name: protonvpn-wg-confgen
   draft: false
   prerelease: auto
   mode: replace

API_REFERENCE.md

@@ -0,0 +1,149 @@
+# API Reference Implementation
+
+This project's API integration was developed by reverse-engineering ProtonVPN's authentication and VPN APIs. The implementation is based on patterns from these official Proton libraries:
+
+## Authentication (SRP Protocol)
+- **[ProtonMail/proton-python-client](https://github.com/ProtonMail/proton-python-client)** - Python implementation of Proton's SRP authentication
+  - Reference for: `/auth/info`, `/auth`, `/auth/2fa`, `/auth/refresh` endpoints
+  - SRP protocol implementation patterns
+- **[ProtonMail/go-srp](https://github.com/ProtonMail/go-srp)** - Go SRP library (direct dependency)
+
+## VPN API
+- **[ProtonVPN/python-proton-vpn-api-core](https://github.com/ProtonVPN/python-proton-vpn-api-core)** - Official Python VPN API client
+  - Reference for: `/vpn/v1/certificate`, `/vpn/v1/logicals`, `/vpn/v1/sessions` endpoints
+  - Server filtering and selection patterns
+  - Certificate request format (`Duration`, `Features`)
+
+## Key Generation
+- **[ProtonVPN/go-vpn-lib](https://github.com/ProtonVPN/go-vpn-lib)** - Ed25519 to X25519 key conversion (direct dependency)
+
+## Client Version
+- **[ProtonVPN/proton-vpn-gtk-app](https://github.com/ProtonVPN/proton-vpn-gtk-app)** - Official Linux client
+  - Source for `x-pm-appversion` header value (fetched dynamically at build time)
+
+## API Endpoints Used
+
+| Endpoint | Method | Description |
+|----------|--------|-------------|
+| `/core/v4/auth/info` | POST | Get SRP authentication parameters |
+| `/core/v4/auth` | POST | Authenticate with SRP proofs |
+| `/core/v4/auth/2fa` | POST | Submit 2FA code for session upgrade |
+| `/auth/refresh` | POST | Refresh session tokens |
+| `/vpn/v1/certificate` | POST | Generate WireGuard certificate |
+| `/vpn/v1/logicals` | GET | List available VPN servers |
+
+## Certificate Request Format
+
+The certificate request to `/vpn/v1/certificate` uses the following format:
+
+```json
+{
+  "ClientPublicKey": "<PEM-encoded public key>",
+  "ClientPublicKeyMode": "EC",
+  "Mode": "persistent",
+  "DeviceName": "<device name>",
+  "Duration": "<duration in minutes> min",
+  "Features": {
+    "NetShieldLevel": 0,
+    "RandomNAT": false,
+    "PortForwarding": false,
+    "SplitTCP": true
+  }
+}
+```
+
+### Feature Keys
+
+| Key | Type | Description |
+|-----|------|-------------|
+| `NetShieldLevel` | int | NetShield ad/malware blocking (0=off, 1=malware, 2=ads+malware) |
+| `RandomNAT` | bool | Moderate NAT / Random NAT for gaming |
+| `PortForwarding` | bool | Port forwarding support |
+| `SplitTCP` | bool | VPN Accelerator (performance optimization) |
+
+## API Response Codes
+
+**Official sources:**
+- [ProtonMail/protoncore_android - ResponseCodes.kt](https://github.com/ProtonMail/protoncore_android/blob/main/network/domain/src/main/kotlin/me/proton/core/network/domain/ResponseCodes.kt) - Kotlin constants (authoritative)
+- [ProtonMail/proton-python-client - README.md](https://github.com/ProtonMail/proton-python-client#error-handling) - Python client error handling
+- [ProtonMail/proton-python-client - api.py](https://github.com/ProtonMail/proton-python-client/blob/master/proton/api.py) - Python API implementation
+
+### Success Codes
+| Code | Constant | Meaning |
+|------|----------|---------|
+| 1000 | OK | Success |
+| 1001 | - | Success (multi-status) |
+
+### Authentication Errors
+| Code | Constant | Meaning |
+|------|----------|---------|
+| 8002 | PASSWORD_WRONG | Incorrect password |
+| 8100 | AUTH_SWITCH_TO_SSO | Switch to SSO authentication |
+| 8101 | AUTH_SWITCH_TO_SRP | Switch to SRP authentication |
+| 9001 | HUMAN_VERIFICATION_REQUIRED | CAPTCHA/human verification required |
+| 9002 | DEVICE_VERIFICATION_REQUIRED | Device verification required |
+| 9101 | SCOPE_REAUTH_LOCKED | Scope re-authentication locked |
+| 9102 | SCOPE_REAUTH_PASSWORD | Scope re-authentication requires password |
+
+### Account Errors
+| Code | Constant | Meaning |
+|------|----------|---------|
+| 10001 | ACCOUNT_FAILED_GENERIC | Generic account failure |
+| 10002 | ACCOUNT_DELETED | Account has been deleted |
+| 10003 | ACCOUNT_DISABLED | Account has been disabled |
+
+### Version Errors
+| Code | Constant | Meaning |
+|------|----------|---------|
+| 5003 | APP_VERSION_BAD | App version no longer supported |
+| 5005 | API_VERSION_INVALID | API version invalid |
+| 5099 | APP_VERSION_NOT_SUPPORTED_FOR_EXTERNAL_ACCOUNTS | App version not supported for external accounts |
+
+### Other Errors
+| Code | Constant | Meaning |
+|------|----------|---------|
+| 6001 | BODY_PARSE_FAILURE | Request body parse failure |
+| 12081 | USER_CREATE_NAME_INVALID | Invalid username during creation |
+| 12087 | USER_CREATE_TOKEN_INVALID | Invalid token during user creation |
+
+### VPN-Specific Codes (observed, not in official docs)
+| Code | Meaning | Notes |
+|------|---------|-------|
+| 9100 | 2FA required for VPN | VPN certificate endpoint requires 2FA-authenticated session |
+| 10013 | Mailbox password required | Legacy 2-password mode (proton-python-client says "RefreshToken invalid") |
+
+**Note:** Codes 9100 and 10013 were observed during VPN operations but are not documented in the official protoncore_android library. Their meanings may vary by context.
+
+## Required Headers
+
+All authenticated requests require these headers:
+
+```
+Authorization: Bearer <access_token>
+x-pm-uid: <session_uid>
+x-pm-appversion: linux-vpn@X.Y.Z
+User-Agent: ProtonVPN/X.Y.Z (Linux; Ubuntu)
+Content-Type: application/json
+```
+
+**Important**: Using a web client version (like `web-vpn-settings@X.Y.Z`) may trigger CAPTCHA challenges. Always use the Linux client version format.
+
+## Token Refresh
+
+The token refresh endpoint expects:
+
+```json
+{
+  "ResponseType": "token",
+  "GrantType": "refresh_token",
+  "RefreshToken": "<refresh_token>",
+  "RedirectURI": "http://protonmail.ch"
+}
+```
+
+## Local Reference Libraries
+
+For debugging and verification, reference implementations are cloned in `.debug-libs/`:
+- `proton-python-client` - SRP authentication reference
+- `python-proton-vpn-api-core` - VPN API reference
+- `proton-vpn-gtk-app` - Linux client reference

Makefile

@@ -1,33 +1,42 @@
-.PHONY: build clean test fmt vet lint install vendor
+.PHONY: build build-all clean test fmt vet lint install vendor run dev show-version
 
-BINARY_NAME=protonvpn-wg-config-generate
+BINARY_NAME=protonvpn-wg-confgen
 BUILD_DIR=build
 CMD_DIR=cmd/protonvpn-wg
+MODULE=protonvpn-wg-confgen
+
+# Fetch latest ProtonVPN Linux client version from GitHub (with fallback)
+PROTON_VERSION_URL=https://raw.githubusercontent.com/ProtonVPN/proton-vpn-gtk-app/stable/versions.yml
+PROTON_VERSION ?= $(shell curl -sf "$(PROTON_VERSION_URL)" 2>/dev/null | head -1 | cut -d' ' -f2 || echo "4.13.1")
+
+# ldflags to inject version at build time
+LDFLAGS=-ldflags "-X '$(MODULE)/internal/constants.AppVersion=linux-vpn@$(PROTON_VERSION)' \
+                  -X '$(MODULE)/internal/constants.UserAgent=ProtonVPN/$(PROTON_VERSION) (Linux; Ubuntu)'"
 
 # Build the binary
 build:
-	@echo "Building $(BINARY_NAME)..."
+	@echo "Building $(BINARY_NAME) with ProtonVPN client version $(PROTON_VERSION)..."
 	@mkdir -p $(BUILD_DIR)
-	@go build -o $(BUILD_DIR)/$(BINARY_NAME) $(CMD_DIR)/main.go
+	@go build $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME) $(CMD_DIR)/main.go
 
 # Build for multiple platforms
 build-all:
-	@echo "Building for multiple platforms..."
+	@echo "Building for multiple platforms with ProtonVPN client version $(PROTON_VERSION)..."
 	@mkdir -p $(BUILD_DIR)
 	@echo "  Linux amd64..."
-	@GOOS=linux GOARCH=amd64 go build -o $(BUILD_DIR)/$(BINARY_NAME)-linux-amd64 $(CMD_DIR)/main.go
+	@GOOS=linux GOARCH=amd64 go build $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-linux-amd64 $(CMD_DIR)/main.go
 	@echo "  Linux arm64..."
-	@GOOS=linux GOARCH=arm64 go build -o $(BUILD_DIR)/$(BINARY_NAME)-linux-arm64 $(CMD_DIR)/main.go
+	@GOOS=linux GOARCH=arm64 go build $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-linux-arm64 $(CMD_DIR)/main.go
 	@echo "  Linux arm..."
-	@GOOS=linux GOARCH=arm go build -o $(BUILD_DIR)/$(BINARY_NAME)-linux-arm $(CMD_DIR)/main.go
+	@GOOS=linux GOARCH=arm go build $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-linux-arm $(CMD_DIR)/main.go
 	@echo "  macOS amd64..."
-	@GOOS=darwin GOARCH=amd64 go build -o $(BUILD_DIR)/$(BINARY_NAME)-darwin-amd64 $(CMD_DIR)/main.go
+	@GOOS=darwin GOARCH=amd64 go build $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-darwin-amd64 $(CMD_DIR)/main.go
 	@echo "  macOS arm64..."
-	@GOOS=darwin GOARCH=arm64 go build -o $(BUILD_DIR)/$(BINARY_NAME)-darwin-arm64 $(CMD_DIR)/main.go
+	@GOOS=darwin GOARCH=arm64 go build $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-darwin-arm64 $(CMD_DIR)/main.go
 	@echo "  Windows amd64..."
-	@GOOS=windows GOARCH=amd64 go build -o $(BUILD_DIR)/$(BINARY_NAME)-windows-amd64.exe $(CMD_DIR)/main.go
+	@GOOS=windows GOARCH=amd64 go build $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-windows-amd64.exe $(CMD_DIR)/main.go
 	@echo "  Windows arm64..."
-	@GOOS=windows GOARCH=arm64 go build -o $(BUILD_DIR)/$(BINARY_NAME)-windows-arm64.exe $(CMD_DIR)/main.go
+	@GOOS=windows GOARCH=arm64 go build $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-windows-arm64.exe $(CMD_DIR)/main.go
 	@echo "Done!"
 
 # Clean build artifacts
@@ -72,5 +81,9 @@ run: build
 
 # Development build with race detector
 dev:
-	@echo "Building with race detector..."
-	@go build -race -o $(BUILD_DIR)/$(BINARY_NAME)-dev $(CMD_DIR)/main.go
+	@echo "Building with race detector and ProtonVPN client version $(PROTON_VERSION)..."
+	@go build -race $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-dev $(CMD_DIR)/main.go
+
+# Show current ProtonVPN version that would be used
+show-version:
+	@echo "ProtonVPN client version: $(PROTON_VERSION)"