28 commits

Author	SHA1	Message	Date
MHSanaei	e8878b71a4	feat(nodes): add Dev channel option to node panel updates ... The node update confirm dialog now offers a 'Dev channel (latest commit)' choice. The dev flag threads master -> nodes/updatePanel -> UpdatePanels -> remote.UpdatePanel -> the node's updatePanel endpoint, which calls StartUpdateChannel(dev) to install the rolling dev-latest build. With no dev flag the node keeps following its own channel setting.	2026-06-25 00:29:03 +02:00
w3struk	ae9bbdf267	fix(web): serve panel SPA routes from NoRoute (#5536) ... * fix(web): serve panel SPA routes from NoRoute Return the React shell for authenticated panel document routes that are not explicitly registered in Gin, such as /panel/hosts. Keep API, CSRF, static-file, method, and Accept exclusions so API misses remain 404 and auth semantics stay unchanged. * fix(web): remove unreachable panel path guard The panel path is always built by appending /panel, so it can never be empty. Remove the redundant fallback branch without changing SPA routing behavior. Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(web): allowlist static-asset extensions in SPA fallback The blanket path.Ext check rejected any panel route whose last segment contained a dot, which would reintroduce the refresh 404 for a future client route carrying a dotted parameter (version, domain, or email-like value). Restrict the static-asset exclusion to a known, case-insensitive extension allowlist and add predicate regression cases.	2026-06-24 21:19:12 +02:00
MHSanaei	1d1128cf94	fix(update): read setUpdateChannel body as form field, not JSON ... The panel's axios layer posts application/x-www-form-urlencoded, so the dev-channel toggle sent dev=true and ShouldBindJSON failed with 'invalid character d'. Parse c.PostForm("dev") to match the codebase's form-encoded POST convention.	2026-06-24 18:24:54 +02:00
MHSanaei	aad2b3eb1e	feat(update): add rolling dev update channel for per-commit builds ... Adds an opt-in Dev channel so panels running CI per-commit builds can self-update to the latest commit, mirroring the stable online-update flow. CI publishes/overwrites a single fixed-tag pre-release (dev-latest), force-moved to the newest main commit and marked --latest=false so releases/latest stays the stable tag. Builds stamp the short commit via -ldflags; the panel compares the running commit to the dev release commit to detect an update, and update.sh honors XUI_UPDATE_TAG to install from that tag. Linux/systemd only.	2026-06-24 18:11:22 +02:00
MHSanaei	93ff60e568	fix(tgbot): reload bot on settings save so a new token takes effect without a panel restart ... The Telegram bot was only started at panel boot, so saving a token or toggling tgBotEnable persisted to the DB but never reached the running bot until a full restart, making it look like the token did not save (issue #5539). The settings/update controller now reconciles the bot the same way panelOutbound reconciles Xray: when tgBotEnable, the token, chat ID, or API server change, it stops/(re)starts the bot and updates the event-bus subscription.	2026-06-24 17:34:05 +02:00
Rouzbeh†	14de0557f9	feat(clients): bulk-set XTLS flow from the Adjust dialog (#5524) ... * feat(clients): bulk-set XTLS flow from the Adjust dialog Add a "Set flow" dropdown to the bulk Adjust dialog so an admin can set or clear the XTLS flow on all selected clients at once, alongside the existing days/traffic bumps. Empty by default (no effect on save); "Disable" clears flow, and the two vision values mirror the per-client credential tab. Flow rides the existing inbound-JSON -> SyncInbound path (ClientRecord.Flow + client_inbounds.flow_override), so no new endpoint, DB column, or migration. Setting a vision flow is gated by inboundCanEnableTlsFlow: ineligible inbounds are left untouched and reported as skipped; clearing is always allowed. A real flow change requests an xray restart (local) or a node reconcile (remote). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * fix(clients): keep days/traffic write when bulk flow is ineligible Address review on the bulk-flow-adjust PR: - Blocking: a client adjusted with both a days/traffic delta and a flow directive on a flow-ineligible inbound had the flow-ineligibility recorded into the same skip set that gates the ClientTraffic write, so the inbound JSON / ClientRecord advanced but ClientTraffic did not — divergent stores, and the client misreported as skipped. Track flow ineligibility in its own map (bulkInboundAdjustResult.flowIneligible) so it only feeds the final Skipped report and never suppresses the expiry/total persistence. - Drop the broad delete(skippedReasons, email): flow reasons no longer enter skippedReasons, so honoring a flow can no longer erase an unrelated skip reason (unlimited expiry, a real persistence error on another inbound). - Drop the inline comment block from ClientBulkAdjustModal.tsx (file had none); move the whitelist-sync note next to bulkFlowAllowed, the source of truth. - Document the optional flow field in the bulkAdjust API-docs example (endpoints.ts) and regenerate openapi.json. - Add a regression test covering days+flow on an ineligible inbound. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-24 12:55:08 +02:00
MHSanaei	dabd3f5d2b	feat(backup): prefer browser request host for backup filename ... Name downloaded DB backups after the host shown in the panel title (c.Request.Host) when available, falling back to the configured web domain and then the public IP. Telegram-sent backups have no request context and keep the domain/IP behavior.	2026-06-23 01:13:09 +02:00
MHSanaei	683653674c	fix(api-docs): exclude /panel/outbound and /panel/routing from route guard ... 718b7e16 added these top-level SPA page routes in spa.go but didn't add them to the TestAPIRoutesDocumented skip-list, so the guard flagged them as undocumented and failed CI on main. Like the other /panel/* page routes they serve the SPA, not a JSON API, so they belong in the skip-list rather than endpoints.ts.	2026-06-22 23:48:58 +02:00
MHSanaei	ce8b1bed77	feat(iplimit): gate IP limit on fail2ban and reset stale limits ... Per-client IP limit only enforces where fail2ban is installed, so the panel now reports enforceability and disables the field otherwise: - Add GET /panel/api/server/fail2banStatus (enabled/installed/usable/windows), cached 30s. - ClientFormModal and ClientBulkAddModal disable the IP Limit input when not usable and show a hover tooltip; Windows gets a platform-specific message instead of the bash-menu hint. - One-time migration ResetIpLimitNoFail2ban zeroes existing client limitIp (inbound settings JSON + clients table) on hosts without fail2ban, where the limit never applied. - Drop the recurring '[LimitIP] Fail2Ban is not installed' warning. - Add limitIpFail2banMissing/limitIpFail2banWindows/limitIpDisabled across all 13 locales.	2026-06-22 23:15:58 +02:00
MHSanaei	718b7e16e1	feat(sidebar): move Routing/Outbounds to top-level items with clean URLs ... - Move Routing out of the Xray Configs submenu; add Routing and Outbounds as top-level sidebar items below Hosts - Give them their own clean routes (/routing, /outbound) instead of /xray#routing and /xray#outbound, registered in the React router and the Go SPA shell so direct links and refresh work - XrayPage derives the active section from the pathname for those routes - Add menu.routing and menu.outbounds translation keys across all locales	2026-06-22 22:20:26 +02:00
MHSanaei	a7e959ff49	feat(backup): name DB backup files after the server address ... Panel downloads and Telegram backups were always named x-ui.db / x-ui.dump, so backups from different servers were indistinguishable. Name them after the panel address instead: the configured web domain, or the public IP (IPv4 before IPv6) when no domain is set, falling back to x-ui. Centralized in ServerService.BackupFilename(); host is sanitized to the getDb filename charset (IPv6 colons become hyphens) and read from the mutex-guarded LastStatus to avoid racing the status goroutine.	2026-06-22 21:55:58 +02:00
MHSanaei	0b0b6250d6	feat(clients): orphan cleanup + export/import via CodeMirror modals ... Add three client-management actions to the Clients page More menu: - Delete unattached clients: removes every client with no inbound attachment, cascading its traffic rows, IP log, and external links (POST /clients/delOrphans). - Export clients: shows the {client, inboundIds} list in a read-only CodeMirror viewer with copy/download (GET /clients/export returns the array in the standard envelope). - Import clients: pastes that JSON into an editable CodeMirror editor, mirroring Import an Inbound (POST /clients/import takes a { data } body). Attached clients go through the create-and-attach path; items with no inboundIds are restored as bare records; existing emails are never overwritten and are reported as skipped. Document the new endpoints in api-docs and translate the new strings into all supported languages.	2026-06-21 23:06:10 +02:00
MHSanaei	7c8889466b	feat(tls,reality): port xray TLS/REALITY fields, cert-hash helpers, fallback UX ... TLS: add verifyPeerCertByName (vcn) to inbound settings + emit in both share-link generators (frontend + Go sub) and outbound parser; the allowInsecure replacement xray removed after 2026-06-01. Add server-side curvePreferences, masterKeyLog, echSockopt (passthrough + form) at tlsSettings top-level so they survive the panel-only settings strip. REALITY: add limitFallbackUpload/Download (afterBytes/bytesPerSec/burstBytesPerSec) with per-field tooltips, plus masterKeyLog. Verified field names/semantics against pinned xray v1.260327.1 (bytesPerSec=0 disables). Hosts: fix verify_peer_cert_by_name column bool->string (xray expects comma-separated names) with an idempotent, history-gate-free migration (SQLite typeof blank; Postgres ALTER once); emit vcn for hosts/external proxies. Server: add getCertHash (local cert DER SHA-256) and getRemoteCertHash (xray tls ping) endpoints + api-docs; wire pinned-cert field buttons. Drop the meaningless random-hash button. Xray UI: metrics endpoint (listen/tag) config in Basics; import/export for routing rules and outbounds. Fallbacks card: compact empty state, header-aligned actions, responsive labeled grid rows. i18n: add all new keys to every locale; drop unused generateRandomPin.	2026-06-21 15:58:42 +02:00
MHSanaei	4915d6b18d	refactor(frontend): move form-item hints from extra to tooltip ... Switch reality target, node options, and WARP auto-update-IP hints from inline extra text to label tooltips for a cleaner form layout.	2026-06-17 17:24:16 +02:00
Sanaei	709b332d17	feat(hosts): managed Hosts for per-host subscription link overrides (#5409) ... * test(sub): characterize current link output (externalProxy + single-link baselines) Phase 0 of the Hosts feature. Locks current subscription-link output for the externalProxy paths (vless/vmess/trojan/ss exact, reality/hysteria by Contains) so the upcoming ShareEndpoint refactor can be proven behavior-preserving. These must stay green and unedited through every later phase. * refactor(sub): unify external-proxy link building behind ShareEndpoint (TDD, snapshot-locked) Phase 1 of the Hosts feature. Collapse the duplicated externalProxy link builders (param-form for vless/trojan/ss, object-form for vmess) onto a single ShareEndpoint abstraction so Phase 4 can add Host-driven links with ~zero new branching. Design: an externalProxy-derived endpoint carries the original entry map and applies it through the UNCHANGED applyExternalProxyTLS{Params,Obj} helpers, so output is provably byte-identical. buildExternalProxyURLLinks / buildVmessExternalProxyLinks become thin adapters; the genVless/Trojan/SS/Vmess call sites are untouched. genHysteriaLink is deliberately left on its own path (hex pinSHA256, not pcs). The no-externalProxy default tails are unchanged. TDD: N1-N4 (externalProxyToEndpoint, inboundDefaultEndpoint, buildEndpointLinks, buildEndpointVmessLinks) written failing-first against stubs, then implemented. Mutation sanity (performed + reverted): dropping the ep-carry in externalProxyToEndpoint makes the Phase-0 C1/C2 characterization snapshots go red (TLS overrides vanish), proving the snapshots guard the emitted output. Gate: go test ./internal/sub/... and go test ./... green with ZERO edits to the Phase-0 snapshots; go build ./... green on linux and windows; go vet clean. * feat(model): Host entity + automigrate + openapi codegen (TDD) Phase 2 of the Hosts feature. Adds the Host GORM model: an override endpoint attached to an inbound (address/port + TLS/transport/clash overrides + sub scoping), superseding the legacy externalProxy array functionally while leaving it intact. - model.Host with snake_case column tags, json serializer for slices, text for free-JSON (mux/sockopt/xhttp), validate tags (remark 1-40, port 0-65535, security + mihomoIpVersion enums); TableName "hosts". NodeGuids column is added now but unused (host->node scoping deferred to v2). - Registered in BOTH initModels() (db.go) and migrationModels() (migrate_data.go); the latter is required for cross-DB migration and is easy to miss. PG sequence resync iterates the initModels slice, so it is covered automatically. - pruneOrphanedHosts() deletes hosts whose inbound_id has no inbound, called alongside pruneOrphanedClientInbounds(). - openapigen manifest: Host added to StructAllow with MuxParams/SockoptParams/ XhttpExtraParams -> KindAny; regenerated frontend/src/generated/* + openapi.json. TDD: TestHostTableName, TestHostValidation, TestHostAutoMigrateCreatesColumns (+ _Postgres), TestPruneOrphanedHosts written failing-first against a wrong-name, untagged, unregistered stub, then implemented. Gate: go test ./... green on SQLite AND a real Postgres DSN (local container); go build/vet/gofmt clean; npm run gen succeeds with the new Host type/schema/ example/zod; npm run typecheck + npm run test (542) green. * feat(api): Host CRUD service + controller + routes (TDD) Phase 3 of the Hosts feature. - service/host.go (HostService, empty struct + database.GetDB() like ClientService): GetHosts, GetHostsByInbound, GetHost, AddHost (verifies the inbound exists — no hard FK), UpdateHost (inbound + sort order immutable here), DeleteHost, SetHostEnable, SetHostsEnable, DeleteHosts, ReorderHosts (single driver-safe transaction), GetAllTags. - controller/host.go mirrors NodeController: routes under /panel/api/hosts (list/get/byInbound/tags + add/update/del/setEnable/reorder + bulk/setEnable, bulk/del), binds via middleware.BindAndValidate so the model validate tags are enforced, {success,msg,obj} envelopes. - Wired the hosts group into api.go after nodes (inherits checkAPIAuth + CSRF). - DelInbound now cascades: deleting an inbound deletes its hosts. - Documented all 11 routes in api-docs endpoints.ts (referencing the generated Host schema) and regenerated openapi.json; extended TestAPIRoutesDocumented's controller->basePath switch for host.go. Backend en toast keys added. TDD: service tests (Add/GetByInbound, RejectsUnknownInbound, Reorder, Set/Bulk enable, DeleteHosts, DeleteInboundCascadesHosts, GetAllTags) written failing- first against a nil-returning stub; controller test (AddListGetDelete envelope round-trip + AuthInherited 401) added. Gate: go test ./internal/web/... + go test ./... green; npm run gen + typecheck + lint + test (542) + build green. * feat(sub): render subscription links from hosts; legacy fallback when none (TDD, mutation-checked) Phase 4 of the Hosts feature. Inserts host resolution between inbound and link across all three subscription formats. Mechanism: hostEndpoints(inbound, format) loads the inbound's enabled hosts (filtered by ExcludeFromSubTypes, ordered by sort_order then id) and projects each onto the externalProxy entry shape the raw/json/clash renderers already consume. So a host fans out one link/proxy reusing the exact existing rendering (address/port/security/sni/fp/alpn/pins/ech) with zero new TLS code. Host header and path overrides are applied additively in the raw builders (no-op for legacy externalProxy, which never carries those keys — characterization snapshots stay green). Clash ip-version (MihomoIpVersion) is set last on the proxy. Integration points: - getSubs (raw): per inbound, hostEndpoints AFTER projectThroughFallbackMaster; len>0 -> linkFromHosts (renders only the hosts), else legacy GetLink. - GetJson/GetClash: inject the host endpoints into the inbound's externalProxy before the existing getConfig/getProxies loop. - Precedence: hosts win over any legacy externalProxy (injection replaces it). Backward compat: a zero-host inbound takes the legacy path -> byte-identical output (all Phase-0 characterization snapshots unchanged). TDD: 9 cycles (zero-hosts identical, N-links-ordered with host/path override, disabled skipped, host-vs-externalProxy precedence, no-dedup, sort composes with SubSortIndex, host-over-fallback, resolve-via-client-inbounds, ExcludeFromSubTypes per format) written failing-first against unwired helpers, then wired green. Mutation sanity (performed + reverted, documented here): - zero-hosts fallback: flipping the len(hostEps)>0 guard to >=0 makes TestSub_ZeroHosts_IdenticalOutput go red (host path yields "" for no hosts). - no-dedup: adding a remark-dedup in hostEndpoints makes TestSub_NHosts_NoDedup go red (two distinct hosts collapse to one link). Gate: go test ./internal/sub/... + go test ./... green with ZERO edits to the Phase-0 snapshots; go build green on linux and windows; go vet + gofmt clean. * feat(migration): seed hosts from inbound externalProxy (TDD, idempotent, dual-driver) Phase 5 of the Hosts feature. One-time migration so existing installs surface their legacy externalProxy entries as first-class Host rows. - seedHostsFromExternalProxy() is self-gated on a HistoryOfSeeders "HostsFromExternalProxy" row (run-once) and wired into runSeeders. For each inbound it parses StreamSettings, reads externalProxy[], and creates one Host per entry: forceTls->Security (unknown->same), dest->Address, port->Port, remark->Remark (generated when blank, capped at 40), sni/fingerprint/alpn/ pinnedPeerCertSha256/echConfigList copied; SortOrder=index; InboundId set. - Additive: externalProxy is left intact in StreamSettings (rollback-safe; the sub layer prefers hosts when present, §Phase 4). - Postgres: GORM db.Create advances hosts_id_seq via the sequence, so no extra resync is needed beyond the existing startup resync. TDD: field-mapping, idempotency (second run no-op), no-externalProxy->no-hosts, externalProxy-kept-intact written failing-first against a stub; plus a Postgres counterpart that skips without XUI_DB_DSN. Gate: go test ./internal/web/service/... ./internal/database/... green on SQLite; the *_Postgres tests green against a real Postgres container; go build green on linux and windows; go vet + gofmt clean. (Running the whole database package under XUI_DB_TYPE=postgres is not supported — the SQLite-path tests share the one DSN — so only the t.Skip-gated *_Postgres tests run with the env set.) * feat(ui): Hosts page + schema + query hooks + link preview helper (TDD on schema/helpers) Phase 6 of the Hosts feature — the admin UI. - schemas/api/host.ts: HostFormSchema (validation: remark 1-40, tags ^[A-Z0-9_:]+$ ≤10×≤36, port 0-65535, security/mihomoIpVersion enums, alpn/fingerprint reused from the shared primitives) + a loose HostRecordSchema/HostListSchema for reads. - lib/hosts/host-link.ts: hostToExternalProxyEntry — the frontend mirror of the backend hostToExternalProxyMap (security->forceTls, sni override rules, port inherit), for share-link previews. - api/queries/useHostsQuery.ts + useHostMutations.ts (mirror the node hooks): list/get + add/update/del/setEnable/reorder/bulk; queryKeys.hosts.* added; mutations invalidate keys.hosts.root(). - pages/hosts/{HostsPage,HostList,HostFormModal}.tsx (+CSS) mirroring pages/nodes: list with remark · address:port · inbound · security · tags · enable Switch · per-inbound move up/down (reorder) · bulk enable/disable/delete; form grouped into Basic / Advanced / Clash / Subscription-scope sections. - Route '/hosts' + sidebar item (Global icon); menu.hosts + pages.hosts.* added to the en-US bundle (other locales fall back to English until translated). TDD: HostFormSchema (10 cases) and hostToExternalProxyEntry (6 cases) written failing-first, then implemented. UI verified by lint/typecheck/test/build. Deferred (documented enhancement): the live in-form share-link preview (needs inbound+client context) and a per-host host/path override in JSON/Clash output (raw already overrides; JSON/Clash inherit the inbound's host/path). Gate: cd frontend && npm run lint && npm run typecheck && npm run test (557) && npm run build all green; go build ./... + go test ./... still green. * refactor(ui): remove the External Proxy form from the inbound stream settings Hosts supersede the legacy externalProxy: the subscription renders from hosts (hosts win when both exist) and the migration converts existing externalProxy entries to hosts. externalProxy's only real consumers were the subscription (now covered) and this form's preview — the backend per-client copy-link never used it — so removing the editor has no functional regression. - Drop ExternalProxyForm + toggleExternalProxy from InboundFormModal and delete the orphaned form component + its export; remove its block test + snapshot. - KEEP the externalProxy schema field and backend parsing/link-generation: an existing inbound's externalProxy still round-trips through the form (not silently destroyed on edit) and still renders if a host was removed. Gate: cd frontend && npm run typecheck + lint + test (556) + build green. * fix(ui): use Alert `title` instead of deprecated `message` (antd 6) Ant Design 6 deprecated <Alert message=> in favor of <Alert title=>; the panel was mid-migration (21 Alerts already on title). Renamed the 7 remaining stragglers across 5 files (SubLinksModal, InboundFormModal, sockopt, EmailTab, TelegramTab), silencing the runtime deprecation warning. description= is unchanged. Pre-existing warning, surfaced while testing Hosts — not introduced by it. Gate: npm run typecheck + lint + test (556) + build green. * style(ui): align Hosts page with Clients/Inbounds cards + reorder columns - page-shell.css never listed .hosts-page, so the Hosts page got no content padding / transparent-layout / summary-card spacing. Add a .hosts-page shell block (background, dark/ultra vars, content-area + summary-card padding). This is the actual "card spacing" bug. - HostList: match the Clients/Inbounds list card — hoverable + the toolbar moved into the card title as a .card-toolbar (Add when nothing selected; selected count + bulk enable/disable/delete on selection). Re-declare .card-toolbar in HostList.css since the shared rule lives in a lazily-loaded page stylesheet. - Reorder table columns as requested: Actions, Enable, then Remark, Endpoint, Inbound, Security, Tags. Added scroll x for narrow screens. - HostsPage: add a summary card (Total / Enabled / Disabled) like the other pages. New i18n keys: pages.hosts.selectedCount + pages.hosts.summary.*. Gate: npm run typecheck + lint + test (556) + build green. * style(ui): use Tabs instead of Collapse in the Add/Edit Host form The Basic / Advanced / Clash / Subscription-scope sections are now tabs. Each pane sets forceRender so all fields stay mounted — required because the form uses preserve=false, so an unmounted tab's values would otherwise be dropped on submit (and a required field on a hidden tab still blocks submit). Gate: npm run typecheck + lint + test (556) + build green. * style(ui): split Host form into Security + Advanced tabs; drop unused JSON fields - Remove the Mux/Sockopt/XHTTP raw-JSON fields from the Host form: they were not wired into link generation and the inbound's structured editors are inbound- specific (not reusable). The DB columns + read schema + generated type stay, so they can get proper editors later. (HostFormSchema drops them; HostRecordSchema keeps them.) - Reorganize tabs to Basic / Security / Advanced / Clash / Subscription scope: Security holds the TLS/cert fields (security, sni, sni-overrides, alpn, fingerprint, pins, verify-by-name, ech); Advanced now holds the transport overrides (host header, path). - i18n: add pages.hosts.sections.security; drop the 3 unused field labels. Gate: npm run typecheck + lint + test (556) + build green. * style(ui): restore Mux/Sockopt/XHTTP fields in the Host Advanced tab Put the three free-JSON override fields back, in the Advanced tab next to host header / path (as JSON inputs — the inbound's structured editors aren't reusable here). Re-added to HostFormSchema + defaults + the i18n labels. Gate: npm run typecheck + lint + test (556) + build green. * feat(hosts): add allowInsecure (rendered) + serverDescription/mihomoX25519/vlessRouteId fields Closes most of the Remnawave-host gap analysis. - model.Host: + allowInsecure, serverDescription (≤64), vlessRouteId (0-65535), mihomoX25519. Auto-migrated (SQLite + Postgres verified); openapi regenerated. - allowInsecure is fully RENDERED into subscription output (TDD): - raw link: allowInsecure=1 (TLS/Reality, skipped for none) via the endpoint builder; - JSON/Clash: applyExternalProxyTLSToStream writes tlsSettings.settings. allowInsecure, and clash applySecurity now emits skip-cert-verify for the tls case (it previously only did so for Hysteria — a pre-existing gap, so inbound allowInsecure now renders for vless/trojan/ss clash too). - Frontend: the four fields added to the Host form (allowInsecure → Security, serverDescription → Basic, vlessRouteId → Advanced, mihomoX25519 → Clash); serverDescription shown under the remark in the list. Schema + i18n updated. serverDescription / vlessRouteId / mihomoX25519 are stored + editable; their deeper rendering (and per-host mux/sockopt/xhttp into JSON/Clash, plus a per-host xray JSON template) are tracked as follow-ups. Gate: go test ./... green (SQLite + Postgres for the host schema/migration); go build linux+windows; go vet + gofmt clean; npm run gen + typecheck + lint + test (556) + build green; generated files in sync. * feat(sub): render host sockopt + xhttp-extra params into JSON/Clash output (TDD) A host's sockoptParams and xhttpExtraParams (free-JSON) now take effect: applyHostStreamOverrides injects sockopt into the per-host stream (re-added since the base stream strips it) and merges xhttpExtraParams into xhttpSettings, called in both getConfig (JSON) and getProxies (Clash) right after the per-host TLS apply. No-op for legacy externalProxy entries (keys absent) — characterization snapshots unchanged. mux rendering is outbound-level (overrides outbound.Mux) and needs a genVless/ genVnext/genServer signature change — deferred, along with the per-host xray JSON template. Gate: go test ./internal/sub/... + go test ./... green (snapshots unchanged); go build + vet + gofmt clean. * feat(sub): render host muxParams as a per-host JSON outbound mux override (TDD) genVnext/genVless/genServer take a muxOverride: a host's muxParams (when valid JSON) overrides the global mux on its JSON outbound; empty falls back to the panel mux (behavior unchanged for non-host configs). Completes the host mux/sockopt/xhttp trio. Test call sites updated for the new signature. Gate: go test ./internal/sub/... + go test ./... green (snapshots unchanged); go build + gofmt clean. * style(ui): show Host security fields conditionally per security (like externalProxy) * feat(sub): apply host SNI + fingerprint override for reality (TDD) A reality host now overrides SNI and fingerprint while inheriting publicKey/ shortId from the inbound (reality keys can't be host-supplied). Previously the reality link kept the inbound's serverName because the TLS appliers are gated to security=="tls". - raw: applyEndpointRealityParams sets sni/fp on the params for reality; - JSON/Clash: applyHostStreamOverrides sets realitySettings.serverName + serverNames from the host SNI. Gated to host endpoints via an isHost marker on the synthesized ep, so the legacy externalProxy path stays byte-identical (characterization snapshots unchanged). The marker is internal and never emitted. Gate: go test ./internal/sub/... + go test ./... green; go build + vet + gofmt clean. * fix(ui): start the Host inbound select unselected instead of showing 0 A new host left inboundId defaulting to 0, so the Select rendered "0". inboundId is now optional in the form (undefined until chosen), so it shows its placeholder ("Select an inbound"); the required rule still enforces a choice on save. Port keeps 0 (means "inherit the inbound's port"). Gate: npm run typecheck + lint + build green. * fix(ui): drop redundant :port suffix from the Host inbound select label The inbound tag (e.g. in-59303-tcp) already carries the port, so the appended ":59303" was duplicated. Show just the remark/tag. Gate: npm run typecheck + lint + build green. * style(ui): apply the shared card hover shadows to the Hosts page page-cards.css scoped its card styling + hover shadows to each page class but not .hosts-page, so Hosts fell back to antd's default hoverable (a larger/blurry shadow + pointer cursor). Add a .hosts-page block matching the other pages. Gate: npm run build green. * feat(hosts): move Tags to Basic tab, add Nodes field, accept VLESS route ranges - Move the Tags field into the Host form's Basic tab and add a Nodes multi-select (visual-only assignment, backed by the existing node_guids column) so the Basic tab matches the reference layout. - Replace the single-port vlessRouteId integer with a free-form vlessRoute string that accepts comma-separated ports/ranges (e.g. 53,443,1000-2000); format-validated on the frontend, stored verbatim on the backend. - Regenerated frontend types/openapi from the changed model. * feat(hosts): structured editors for Mux/Sockopt/XHTTP + new Final Mask Replace the raw JSON textareas in the Host form's Advanced tab with the same structured editors used elsewhere, under a nested tabbed layout (General / Mux / Sockopt / XHTTP / Final Mask), mirroring the Sub-JSON settings tab: - Mux: the Sub-JSON mux editor (enable + concurrency/xudpConcurrency/xudp443). - Sockopt + XHTTP: reuse the outbound SockoptForm / XhttpForm, wrapped in an isolated form that serializes the edited subtree back to the host's JSON string (pruned so the override stays sparse). - Final Mask: new host field (model + column + JSON-render wiring that merges the masks into the host's JSON-subscription stream), edited via the shared FinalMaskForm like the Sub-JSON Final Mask editor. Each editor stays a controlled value/onChange component bound to its existing host JSON string field; backend rendering of mux/sockopt/xhttp is unchanged. * feat(hosts): drop XHTTP + Xray-JSON-template overrides; fix mobile form layout Remove the host's XHTTP extra-params and Xray-JSON-template overrides entirely (model fields + columns, JSON-subscription render paths incl. hostTemplateOutbound, schema, form tab/field, i18n, openapi codegen, and their tests) — they did not fit the host model. Mux, Sockopt and Final Mask stay as structured editors. Mobile fixes for the Edit Host modal: - responsive width (95vw on mobile, was a fixed 760px that overflowed the viewport and clipped the tabs/labels) + a scrollable body so the footer stays on screen; - Mux fields use responsive Row/Col (stack on mobile) instead of a fixed-width label grid. * fix(hosts): hide the spurious horizontal scrollbar in the Edit Host modal Setting overflowY:auto on the modal body forced overflow-x to auto too (CSS rule), so antd Row's negative gutter margins triggered a horizontal scrollbar. Pin overflowX:hidden. * feat(hosts): inbound-style responsive field layout + icon empty state - Host form (main form + Mux/Sockopt/Final Mask editors) now use the inbound form's label layout: label beside the input on desktop (labelCol sm span 8 / wrapperCol sm span 14, right-aligned), stacked label-above-input on mobile. Rewrote HostMuxForm onto an internal antd Form so it follows the same layout instead of a manual grid. - Empty hosts table now shows the host icon + the shared 'Nothing here yet' (noData) text, matching Nodes/Inbounds/Clients, replacing the bespoke 'No hosts yet…' string. * fix(hosts): avoid nested <form> in the Edit Host modal The Mux/Sockopt/Final Mask editors each render their own antd Form inside the host's main Form, producing an invalid nested <form> DOM node (hydration warning). Render those inner forms with component={false} so they keep the form instance/context but emit no <form> element. * fix(hosts): make the Mux enable toggle work The Switch's checked state came from Form.useWatch('mux'), but the mux object field had no registered Form.Item while disabled, so setFieldValue never notified the watcher and the toggle stayed off. Bind the Switch to a real name='enabled' field (antd drives its checked state directly) and keep the sub-fields registered via hidden={!enabled}, serialized to the flat mux JSON. * refactor(hosts): reuse the outbound MuxForm instead of a bespoke Mux editor The Mux fields duplicated the outbound MuxForm. Reuse it through the same wrapper as Sockopt: generalize OutboundSubtreeJsonForm with defaultSubtree (pre-fill on enable) and a serialize hook, and have HostMuxForm render MuxForm at the ['mux'] path. The host keeps its inherit-when-off semantics by storing '' unless mux.enabled. Also drops the now-unused enableSwitch path from the wrapper (only the removed XHTTP editor used it). * style(hosts): use default-width Port input like the inbound form The host Port used width:100% (full width); the inbound's numeric inputs use antd's default width. Drop the override so Port matches. The Mux number inputs already use the default width via the reused MuxForm. * refactor(sockopt): readable customSockopt editor as a shared component The customSockopt rows were a single cramped Space.Compact line and duplicated verbatim in the inbound and outbound sockopt forms. Extract a shared CustomSockoptList that renders each entry as a titled group of labeled fields (System / Level / Opt / Type / Value), matching the rest of the form, and use it in both (and thus the host Sockopt editor). * fix(finalmask): drop the empty Custom Tables tag on a new sudoku mask The sudoku TCP-mask default seeded customTables: [''] (one empty string), which rendered as a blank removable tag. Seed [] instead. * fix(sockopt): make the outbound (and host) Sockopt client-only Per the XTLS sockopt docs, tproxy / acceptProxyProtocol / V6Only / trustedXForwardedFor only apply to an inbound (listening socket); they are meaningless on an outbound/dialer. Drop them from the outbound SockoptForm (which the host reuses). The Sockopt default object still seeds those keys, so the host also strips them on serialize, keeping its override honest to the server/client split. The inbound SockoptForm is left unchanged. * fix(sockopt): make the inbound Sockopt server-only Complete the server/client split: drop the outbound/dialer-only fields from the inbound SockoptForm — dialerProxy, domainStrategy, interface, addressPortStrategy, happyEyeballs, tcpMptcp (client-only since Go 1.24 auto-enables MPTCP on listen). mark stays (xray applies SO_MARK on inbound sockets too). Update the form-blocks snapshot to the server-side field set (intentional spec change). * feat(hosts): populate Sockopt dialerProxy with the panel's outbound tags The host Sockopt editor reused the outbound SockoptForm with outboundTags=[], so the dialerProxy dropdown was empty. Feed it the panel's outbound tags via the existing useOutboundTags hook (shares the cached xray-config query; blackhole excluded), so a host can chain through a subscription outbound by tag. * fix(hosts): empty-state styling on direct load + exclude balancers from dialerProxy - .card-empty was only defined in lazily-loaded Clients/Inbounds/Nodes stylesheets, so a direct /hosts refresh rendered the empty table state unstyled (faint + uncentered) until another page was visited. Re-declare it in HostList.css so it's correct on first load. - The Sockopt dialerProxy dropdown listed balancer tags (useOutboundTags merges them in for mtproto egress). dialerProxy chains a single outbound, so balancers aren't valid — switch to useOutboundTagGroups and use only the outbound group. * fix(outbounds): icon + 'Nothing here yet' empty state; stop fading other pages The Outbounds empty state was a faint '—', and OutboundsTab.css set the global .card-empty to opacity:0.4 — which leaked onto whichever page's empty state was shown after the Outbounds CSS had loaded (e.g. Hosts went faint after visiting Outbounds). Render the icon + noData ('Nothing here yet') like the other lists, and align .card-empty to the shared centered/secondary style (no opacity). * fix(outbounds): custom empty state on the desktop table too The desktop Outbounds Table had no locale.emptyText, so it showed antd's default 'No data' box. Add the same ExportOutlined + noData empty state as the card (mobile) view. * style(sidebar): use ExportOutlined for the Outbounds nav item The Outbounds sidebar item used UploadOutlined (an upload tray). Switch to ExportOutlined, matching the outbound icon now used in the routing target and the outbounds empty states. * feat(hosts): icons on the form tabs (icon-only on mobile) Wrap every Host form tab label (Basic/Security/Advanced/Clash/Subscription scope and the nested General/Mux/Sockopt/Final Mask) with catTabLabel, so the tabs show icon + text on desktop and just the icon (with a tooltip) on mobile, matching the Settings/Xray tab bars. * refactor(hosts): fold Exclude-from-formats into Advanced, drop the one-field tab The Subscription scope tab held only excludeFromSubTypes after Tags moved to Basic — a niche per-format scoping knob. Move it into the Advanced > General sub-tab and remove the standalone tab (and its now-unused subScope label/icon). * feat(sub): per-client remark template variables; drop the remark model & Show Usage Info * fix(migration): cap seeded host remark at the model's 256-char limit, not 40	2026-06-17 12:06:55 +02:00
Sanaei	37c5e0bfd2	feat(node): node hardening — mTLS, hashed+zstd reconcile transport, per-node net metrics (#5382) ... * fix(api-docs): document clientIpsByGuid route Restores a green `go test ./...` baseline: TestAPIRoutesDocumented flagged POST /panel/api/clients/clientIpsByGuid (added in 9385b6c6) as undocumented in endpoints.ts. * test(node): characterize current node TLS + API auth behavior Phase 0 regression net for the mTLS work. These pass on unchanged production code and lock the pre-mTLS contracts so later phases can be proven additive: - tlsConfigForNode: skip -> InsecureSkipVerify (no VerifyConnection); pin -> VerifyConnection installed. - checkAPIAuth: bearer match -> Next + api_authed; unauthenticated -> 401 (XHR) / 404; valid session -> Next. - panel HTTPS listener with no ClientAuth accepts a client that presents no client certificate (the browsers-keep-working invariant). * feat(crypto): node-auth CA + client-cert minting (TDD) Stdlib-only ECDSA P-256 helpers for the node mTLS work: - GenerateNodeCA: self-signed CA (IsCA, CertSign, path len 0) - IssueClientCert: client-auth leaf (ExtKeyUsageClientAuth) signed by CA - LoadCAFromPEM: parse a CA cert+key for issuing / trust-pool building Tests assert the contract (leaf verifies against the issuing CA with ExtKeyUsageClientAuth), seen failing on the assertion before impl. * feat(node): lazy node mTLS CA + client cert in settings (TDD) SettingService gains opt-in mTLS material, all stored as Setting rows with empty defaults and kept out of entity.AllSetting (so private keys never reach the settings UI/export): - EnsureNodeMtlsCA: mint+persist the node-auth CA once, reuse thereafter - EnsureMasterClientCert: issue the master client cert from the CA, idempotent - NodeMtlsClientCAPool: ClientCAs trust pool for the listener; nil when unconfigured so the no-mTLS path is unchanged Tests assert idempotency and that the client cert verifies against the CA for client auth; seen failing on the assertion before impl. * feat(node): mtls client TLS config + master-cert provider (TDD) tlsConfigForNode gains an 'mtls' branch that presents the master client certificate and verifies the node server against system roots (no InsecureSkipVerify, no custom RootCAs). The cert is supplied via an injected MasterClientCertProvider so runtime need not import service; it fails closed when unconfigured. skip/pin contracts unchanged. * feat(node): allow tokenless mtls nodes in remote do() (TDD) mtls nodes authenticate with a client certificate, so the bearer token becomes optional for them: do() no longer rejects an empty ApiToken when TlsVerifyMode is mtls, and the Authorization header is omitted when no token is set. Every other mode still requires a token (regression kept). * feat(node): authenticate verified client certs in checkAPIAuth (TDD) A completed mTLS handshake (non-empty r.TLS.VerifiedChains) now authenticates an API request, equivalent to a valid bearer token, and sets api_authed so the CSRF middleware lets cert-authed mutations through. Bearer/session/reject paths unchanged. The accept-path assert was mutation-checked (guard flipped -> test red -> reverted). * feat(node): opt-in mTLS on the panel listener (TDD; mutation-checked) web.go now applies VerifyClientCertIfGiven + ClientCAs to the HTTPS listener when a node trust CA is configured, and wires the master client cert provider for outbound mtls calls. With no CA the listener is byte-identical to before (browsers unaffected). applyNodeMtls is covered end-to-end: no-cert client handshakes (browsers keep working), a CA-signed client cert verifies, a foreign-CA cert is rejected at the handshake. Mutation-checked: - RequireAndVerifyClientCert -> no-cert client rejected (red) -> reverted - drop ClientCAs -> master cert no longer trusted (red) -> reverted * feat(node): accept mtls verify-mode + CA reveal endpoint (TDD) - model.Node.TlsVerifyMode validator now accepts 'mtls' - normalize() preserves mtls and requires the node scheme to be https (fail closed), instead of clamping mtls back to verify - NodeService.NodeMtlsCaCert + POST /panel/api/nodes/mtls/ca return this panel's node-auth CA cert (public) to paste into a node, minting the CA + master client cert on first call - endpoints.ts documents the new route (doc-sync test) No model column added (enum is a string), so no migration/codegen. * feat(node): node mTLS UI + trust-CA setter (TDD) Backend: - NodeService.SetNodeMtlsTrustCA + POST /panel/api/nodes/mtls/trustCA store the CA this panel trusts for incoming node-API client certs (validates PEM, empty clears); applied on next restart - endpoints.ts + regenerated openapi.json document both mtls routes Frontend: - node form: 'mtls' TLS-verify option + setup hint (zod enum updated) - Nodes page 'Node mTLS' card: copy this panel's CA, and paste/save the trusted parent CA - en-US i18n keys (other locales fall back to en-US) Gates green: go build (native+windows), vet, go test ./...; frontend typecheck, lint, vitest (541). * style(node): gofmt web_mtls_test doc comment * feat(node): hashed+zstd reconcile transport (TDD, negotiated, mixed-version safe) Adds an integrity + compression envelope to node config pushes: - internal/util/wirecodec: shared zstd codec (bomb-capped decode) + SHA-256 hashing + the header/capability constants - Remote.do(): always attaches X-Config-Sha256 of the uncompressed body; zstd-compresses only when the node advertised support (learned from its X-3x-Node-Caps response header) and the body is >=1KiB - ConfigEnvelopeMiddleware on /panel/api: advertises the cap, decompresses and verifies the hash (handler not invoked on mismatch) before binding Mixed-version safe: old nodes never advertise the cap -> plain bodies; the hash header is verify-if-present so any panel/node mix interoperates (existing reconcile tests stay green). klauspost/compress promoted to a direct dep. Hash-mismatch reject was mutation-checked (compare defeated -> test red -> reverted). * feat(node): per-node network throughput metrics (TDD) The node status response already carries gopsutil netIO.up/down (summed non-virtual interfaces), so no node-side change is needed: - probe() parses netIO.up/down into HeartbeatPatch.NetUp/NetDown - Node gains net_up/net_down columns (AutoMigrate); UpdateHeartbeat persists them and appends netUp/netDown to the per-node metric history - NodeMetricKeys whitelists netUp/netDown so the history endpoint serves them - NodeHistoryPanel renders Net Up/Down sparklines (KB/s, no 0-100 clamp) - regenerated frontend types + openapi.json for the new Node fields * feat(node): move node mTLS controls into a toolbar button + modal The Node mTLS panel was an always-visible card cluttering the nodes page. Replace it with a 'Node mTLS' button beside 'Add node' that opens a modal with the same copy-CA + trusted-parent-CA controls; the modal closes on a successful save. No backend/i18n changes. * i18n(node): translate mTLS + net-metrics keys for all locales Adds the node mTLS strings (tlsMtls, mtlsFormHint, mtls.* dialog + the saveMtls toast) and the netUp/netDown chart labels to all 12 non-English catalogs (ar, es, fa, id, ja, pt, ru, tr, uk, vi, zh-CN, zh-TW), matching each catalog's existing terminology. Technical tokens (mTLS/TLS/CA/API/ KB/s) kept verbatim. * fix(node): address Copilot review on node-hardening PR - setting_mtls: fail closed on a half-present CA/master-cert pair instead of silently regenerating (which would rotate the CA and break fleet trust). - config_envelope: reject non-zstd Content-Encoding on the envelope path rather than hashing/forwarding a still-encoded body to the handler. - node mTLS: support tokenless mTLS end-to-end — apiToken is now required_unless tlsVerifyMode=mtls (model) with matching conditional validation in NodeFormSchema, so the runtime allowance is actually reachable. - NodesPage: add a catch block to onSaveTrustCa so save failures surface.	2026-06-16 12:19:33 +02:00
MHSanaei	9385b6c609	feat(nodes): per-node client IP attribution for IP-limit ... Record each panel's own Xray IP observations under its panelGuid and merge each node's guid-keyed report on the master, so the panel can tell which node a client IP is connecting through (the flat inbound_client_ips union is pushed back to every node and cannot attribute). Adds the NodeClientIp model + migration, the clientIpsByGuid endpoint and node-sync merge, node-name labels in the client IP log, and cleanup on node deletion.	2026-06-15 23:50:05 +02:00
Sentiago	eec030f86f	feat(notifications): event bus architecture with Telegram and SMTP subscribers (#5326) ... * feat(notifications): event bus architecture with Telegram and SMTP subscribers - Event bus core with buffered channel, fan-out, panic recovery - Telegram subscriber with HTML formatting and rate limiting - Email subscriber with SMTP/TLS/STARTTLS support and stage diagnostics - 5 event types: outbound.down/up, xray.crash, cpu.high, login.attempt - CPU threshold checks per subscriber (tgCpu for TG, smtpCpu for Email) - SystemMetricData struct for raw metric values in events - i18n keys for en-US, ru-RU, and English defaults for other locales * fix * fix(notifications): repair crash/CPU alerts, harden secrets, add node alerts Bug fixes: - Xray crash notifications were permanently suppressed after the first crash: XrayStateTracker latched state="down" with no reset and no recovery event, so only the first crash per process lifetime ever notified. Removed the tracker; the existing 1/min rate limiter already dedupes crash-loop spam. - Email CPU alerts could never fire unless Telegram was also enabled, because the CPU job was registered only inside the tgbot block. Register it whenever either Telegram or SMTP wants cpu.high (new cpuAlarmWanted gate) and relax the cadence to @every 1m (cpu.Percent already samples over a full minute). - SMTP password (and, pre-existing, all other secrets) were shipped to the browser in plaintext: GetAllSettingView was dead code and /setting/all returned the raw model. Wire getAllSetting -> GetAllSettingView, redact smtpPassword with a hasSmtpPassword presence flag, and preserve it on blank save. Closes the leak for tgBotToken/ldapPassword/2FA token too. Polish: - email Send: use nil SMTP auth when no credentials (Go refuses PlainAuth over the unencrypted "none" transport). - Remove unused EventClientDepleted; fix inaccurate bus.go doc comments; drop stale tgBotLoginNotify from the frontend schema; gofmt alignment. Feature - node online/offline alerts: - Emit node.down/node.up from the heartbeat job on a real status transition (with a startup-spam guard), reusing NodeHealthData. Formatted by both the Telegram and email subscribers and selectable in the settings UI. Regenerated frontend types (hasSmtpPassword). New i18n keys added to en-US; other locales fall back to English (bundle default) until translated. * fix(settings): use antd Space orientation instead of deprecated direction Ant Design 6 deprecated Space's `direction` prop in favor of `orientation`, which logged a console warning from the Telegram/Email notification tabs. Brings these two tabs in line with the rest of the codebase, which already uses `orientation`. * i18n(notifications): translate the notification feature into all locales The notifications PR shipped ~99 new strings (SMTP settings, event labels, Telegram/email message templates) as English placeholders in every non-English locale. Translate them — plus the node-alert keys added during this review — into all 12 locales: Arabic, Spanish, Persian, Indonesian, Japanese, Portuguese-BR, Russian, Turkish, Ukrainian, Vietnamese, and Simplified/ Traditional Chinese. Go-template placeholders ({{ .Tag }}, {{ .Name }}, etc.) are preserved exactly; tgbot message values carry no leading status emoji (the bot/email code adds those, so an emoji in the value would duplicate it); product/protocol names (SMTP, STARTTLS, TLS, CPU, Xray, Telegram) are kept as-is. --------- Co-authored-by: Sanaei <ho3ein.sanaei@gmail.com>	2026-06-15 21:03:41 +02:00
Nikan Zeyaei	05ad7f417c	feat(node): per node outbound routing (#5275) ... * feat: add per-node outbound routing for panel-to-node connections * feat(ui): add outbound tag selector to node form with i18n * fix(xray): avoid potential overflow warning in node egress rule allocation * chore: run "npm run gen" * fix --------- Co-authored-by: Sanaei <ho3ein.sanaei@gmail.com>	2026-06-14 23:10:52 +02:00
MHSanaei	dcb923b4a1	feat(sub): per-client external links and remote subscriptions ... Add a Links tab to the client form for attaching third-party share links and remote subscription URLs per client. They are merged into the client's raw/JSON/Clash subscription output: links are emitted verbatim and parsed for JSON/Clash; subscription URLs are fetched (cached, with a short timeout) and their configs merged in. i18n keys added across all 13 locales.	2026-06-14 20:57:14 +02:00
MHSanaei	5716ae5987	feat(outbound): batched connection tester with direct timed HTTP probes ... Replace the per-outbound burstObservatory polling (one temp xray spawn + up to 15s of /debug/vars polling per outbound, serialised) with one shared temp xray instance per batch: every tested outbound gets its own loopback SOCKS inbound plus an inboundTag->outboundTag routing rule, and the panel times a real HTTP request through each one in parallel. The probe returns as soon as the response lands and records the HTTP status plus an httptrace breakdown (proxy connect / TLS via outbound / first byte) shown in the result popover. New POST /panel/api/xray/testOutbounds endpoint (array in, results in input order, max 50); the legacy /testOutbound endpoint now delegates to the same engine. Test All chunks HTTP probes 16 per request, and a batch whose shared process never comes up (one structurally-broken outbound poisons the config) retries each item in an isolated instance so the broken outbound reports xray's real error while the rest still test.	2026-06-12 16:55:53 +02:00
MHSanaei	d1a13844b2	feat(api): include consumed traffic in the client-get response (#4973) ... GET /panel/api/clients/get/:email returned the quota (totalGB) but not the bytes the client has actually used, forcing API consumers to scrape it elsewhere. Add a sibling "usedTraffic" field (up+down, including the cross-node global overlay) next to "client" and "inboundIds".	2026-06-12 09:06:35 +02:00
animesha3	554d85c2f7	feat: allow selecting inbounds synchronized from nodes (#5178) ... * feat: select node inbounds for synchronization Allow node owners to import either all remote inbounds or an explicit tag-based selection. Add remote inbound discovery, persistence, snapshot filtering, API documentation, tests, and localized UI labels. * fix * fix: scope node reconcile and orphan sweep to selected inbound tags In 'selected' sync mode unselected inbounds never enter the panel DB, so ReconcileNode treated them as undesired and deleted them from the node the first time it went config-dirty. Reconcile now only sweeps remote tags that are part of the selection; everything else on the node is unmanaged. Panel-created or renamed inbounds on a selected-mode node also vanished: their tag was outside the selection, so the next traffic pull filtered them out of the snapshot and the orphan sweep silently dropped the central row. AddInbound/UpdateInbound now allow the tag on the node before committing. --------- Co-authored-by: Sanaei <ho3ein.sanaei@gmail.com>	2026-06-11 20:48:26 +02:00
MHSanaei	58905d81a4	feat(node-sync): push global client usage to nodes for display and local enforcement ... A client attached to several panels has one aggregated row on each master, but a node only ever saw its local share: the node UI under-reported usage, and the node kept serving a client whose cross-panel total had already exceeded its quota — the master's disable push doesn't kill established connections unless the node restarts xray itself. Masters now push their aggregated per-client counters to each node from NodeTrafficSyncJob (throttled, scoped to the clients that node hosts). The node stores them in the new client_global_traffics side table keyed by (masterGuid, email), overwritten on every push so a master-side reset propagates, and: - overlays max(local, pushed) onto UI read paths (slim inbound list, inbound detail, clients list, WS stats, per-email lookups). The full /panel/api/inbounds/list stays un-overlaid on purpose: it doubles as the traffic snapshot masters poll, and overlaying it would corrupt every master's delta accounting; - trips disableInvalidClients when any master's pushed total exceeds the client's quota, so the existing RestartXrayOnClientDisable flow disconnects the client locally; - clears the side rows on traffic reset, auto-renew, and client delete, keeping a renewed quota window clean. Supersedes #5204, which folded pushed globals into client_traffics and compensated with read-back baselines — that double-counted first-sight emails and could not work with several masters sharing one node.	2026-06-11 15:14:08 +02:00
MHSanaei	ca4f32e3da	feat: replace panel proxy URL with outbound-based egress bridge ... Instead of requiring a manual SOCKS5/HTTP URL, the panel now lets the admin pick an Xray outbound from a dropdown (same UX as Geodata Auto-Update). At runtime, injectPanelEgress appends a loopback SOCKS inbound (tag: panel-egress) and prepends a routing rule so the panel's own HTTP traffic — version checks, Telegram, normal geo-file updates — is routed through the chosen outbound. Xray-native Geodata Auto-Update is unaffected (it uses its own geodata.outbound inside Xray). Blackhole outbounds are excluded from both picker dropdowns since routing any download through one just drops it. Translations updated for all 13 locales.	2026-06-10 23:52:20 +02:00
MHSanaei	6b16d8c37a	feat: apply inbound/outbound/routing changes live via Xray gRPC API ... Add a hot-apply layer that computes a diff between the old and new generated config and applies only the changed parts through the Xray gRPC HandlerService and RoutingService, avoiding a full process restart whenever possible. A restart is still performed when sections that have no reload API (log, dns, policy, observatory, ...) actually change. Key additions: - internal/xray/hot_diff.go: ComputeHotDiff with canonical-JSON comparison (sorted keys, null=absent, full number precision) so UI reformatting never triggers a spurious restart - internal/xray/api.go: AddOutbound/DelOutbound, ApplyRoutingConfig, GetBalancerInfo, SetBalancerTarget, TestRoute gRPC wrappers - internal/web/service/xray.go: tryHotApply, ensureAPIServices, GetBalancersStatus, OverrideBalancer, TestRoute service methods - internal/web/controller/xray_setting.go: balancerStatus, balancerOverride, routeTest API endpoints - frontend: BalancersTab live-status/override columns, RouteTester component, Restart button removed (Save now hot-applies) - balancer-helpers.ts: syncObservatories never creates observatory sections for random/roundRobin balancers (no reload API → restart) - i18n: balancerLive/Override/routeTester keys added to all 13 locales	2026-06-10 23:01:33 +02:00
MHSanaei	3092326d9e	refactor: replace custom geo manager with Xray-core native geodata auto-update ... Remove the panel-side custom geo download feature (service, controller, /panel/api/custom-geo/* endpoints, CustomGeoResource model, UI tab) in favor of Xray-core's native geodata section (https://xtls.github.io/config/geodata.html). - pass the top-level "geodata" key through xray.Config so it survives the template round-trip into the generated config - add a Geodata Auto-Update section to the Xray Updates modal that edits geodata (cron schedule, download outbound, asset list) in the config template and restarts Xray on save - previously downloaded geo files in the bin folder keep working in ext: routing rules; the orphaned custom_geo_resources table is left in place so existing source URLs stay recoverable	2026-06-10 18:27:12 +02:00
Sanaei	41645255f1	refactor: focused service files, leaf subpackages, and an internal/ layout (#5167) ... * refactor(service): split client.go into focused files client.go had grown to 4455 lines mixing ~10 responsibilities. Split it verbatim into cohesive same-package files (no behavior change): client.go foundation: ClientService, ClientWithAttachments, ClientCreatePayload, ErrClientNotInInbound, sqlInChunk client_locks.go inbound mutation locks, delete tombstones, compactOrphans client_lookup.go read-only lookups (GetByID, List, EffectiveFlow, ...) client_link.go inbound association sync (SyncInbound, DetachInbound, ...) client_crud.go single-client CRUD + validation + protocol defaults client_inbound_apply.go low-level inbound-settings mutators + by-email setters client_bulk.go bulk attach/detach/adjust/delete/create + DelDepleted client_traffic.go traffic-reset paths client_groups.go client group management client_paging.go paged listing, filtering, sorting, summary Every declaration moved unchanged (verified: identical func/type/const/var signature set before vs after). Imports redistributed per file via goimports. go build ./..., go vet, and go test ./web/service/... all pass. * refactor(service): split inbound.go into focused files inbound.go was 4100 lines. Split it verbatim into cohesive same-package files (no behavior change): inbound.go core inbound CRUD + InboundService (keeps pkg doc) inbound_protocol.go protocol / stream capability helpers inbound_node.go node/runtime/remote coordination + online tracking inbound_traffic.go traffic accounting, reset, client stats inbound_client_ips.go per-client IP tracking inbound_clients.go client lookups within inbounds + copy-clients inbound_disable.go auto-disable invalid inbounds/clients inbound_migration.go DB migrations inbound_sublink.go subscription link providers inbound_util.go generic slice/string helpers Identical func/type/const/var signature set before vs after; package doc comment preserved on inbound.go. Imports redistributed via goimports. Build, vet, and go test ./web/service/... all pass. * refactor(service): split tgbot.go into focused files tgbot.go was 3738 lines dominated by a 1246-line answerCallback. Split it verbatim into cohesive same-package files (no behavior change): tgbot.go lifecycle, bot setup, caches, small utils tgbot_router.go incoming update / command / callback dispatch tgbot_send.go outbound messaging primitives tgbot_client.go client views, actions, subscription links tgbot_inbound.go inbound listing / pickers tgbot_report.go server usage, exhausted, online, backups, notifications Identical func/type/const/var signature set before vs after. Imports redistributed via goimports. Build, vet, and go test ./web/service/... pass. * refactor(client): dedupe single-field by-email setters ResetClientIpLimitByEmail, ResetClientExpiryTimeByEmail, and ResetClientTrafficLimitByEmail shared an identical ~50-line body that resolves the inbound by email, confirms the client exists, rewrites a single-client settings payload, and delegates to UpdateInboundClient. Extract that into applyClientFieldByEmail(inboundSvc, email, mutate) and reduce each setter to a 3-line wrapper. Behavior is unchanged: same checks and error strings, same single-client payload contract, same totalGB guard. SetClientTelegramUserID (resolves by traffic id, different error text) and ToggleClientEnableByEmail/SetClientEnableByEmail (different return shape and a pre-read of the old state) intentionally keep their own bodies. * refactor(service): extract panel/ subpackage Move the panel-administration leaf services out of the flat service package into web/service/panel/ (package panel): user.go UserService (auth / 2FA / LDAP) panel.go PanelService (restart / self-update) + version helpers panel_other.go non-unix RestartPanel panel_unix.go unix RestartPanel api_token.go ApiTokenService websocket.go WebSocketService panel_test.go version/shellQuote unit tests These are leaves: they depend on core (SettingService, Release) but no core file references them, so the extraction creates no import cycle. Core references are now qualified (service.SettingService, service.Release); callers in main.go, web/web.go, and web/controller/* updated to panel.*. Build, vet, and go test ./web/... pass. * refactor(service): extract integration/ subpackage Move the external-provider integration leaves into web/service/integration/ (package integration): warp.go WarpService (Cloudflare WARP) nord.go NordService (NordVPN) custom_geo.go CustomGeoService (custom geo asset management) *_test.go custom_geo / panel-proxy tests These depend on core (SettingService, ServerService, XraySettingService) but no core file references them. xray_setting.go stays in core because it calls the unexported SettingService.saveSetting. The shared isBlockedIP SSRF helper (used by core url_safety.go and by custom_geo) now has a small copy in each package rather than being exported. Core references qualified; callers in web/web.go, web/job/*, and web/controller/* updated to integration.*. Build, vet, and go test ./web/... pass. * refactor(service): extract tgbot/ subpackage Move the Telegram bot (6 files + test) into web/service/tgbot/ (package tgbot). It is a leaf: it embeds five core services (Inbound/Client/Setting/ Server/Xray) and the core never references it, so no import cycle. To support the package boundary without changing behavior: - core exposes XrayProcess() *xray.Process so tgbot keeps calling the exact same running-process methods it used via the package-level `p`; - three core methods tgbot calls are exported: ClientService.checkIs- EnabledByEmail -> CheckIsEnabledByEmail, InboundService.getAllEmails -> GetAllEmails (callers updated in-package); - tgbot's embedded-field types and the few core type refs (Status, ClientCreatePayload, SanitizePublicHTTPURL) are now service-qualified. Callers in main.go, web/web.go, web/job/*, and web/controller/* updated to tgbot.*. Build, vet, and go test ./web/... pass. * refactor(service): extract outbound/ subpackage OutboundService (outbound.go) imports only neutral packages (config, database, model, xray) and its production code is referenced by no core or sibling service file — only by web/controller/xray_setting.go and web/job/xray_traffic_job.go. Move it to web/service/outbound/ (package outbound); no core qualification needed inside. Callers updated to outbound.*. The one coupling was a tiny pure test helper, outboundsContainTag, used by both outbound.go and the core outbound_subscription_test.go; it now has a small copy in that test file rather than being shared across the boundary. Build, vet, and go test ./web/... pass. * refactor(util): move wireguard into its own subpackage util/wireguard.go was the lone file of the root `util` package (24 lines, one exported func GenerateWireguardKeypair), while every other util concern lives in a focused subpackage (util/common, util/crypto, util/netsafe, ...). Move it to util/wireguard/ (package wireguard) for consistency; its only importer, web/service/integration/warp.go, is updated. The root `util` package no longer exists. * refactor(sub): drop redundant sub prefix from filenames Inside package sub the subXxx.go prefix just repeats the package name (like client_*.go did inside service). Rename for consistency; content and type names are unchanged: subController.go -> controller.go subService.go -> service.go subClashService.go -> clash_service.go subJsonService.go -> json_service.go (+ matching _test.go files) * refactor(controller): rename xui.go -> spa.go XUIController serves the panel's single-page-app shell; spa.go names that role plainly (the other controller files are domain-named). File rename only — the type stays XUIController. api_docs_test.go keys route base paths by filename, so its "xui.go" case is updated to "spa.go". * refactor: move backend packages under internal/ Adopt the idiomatic Go application layout: the backend packages now live under internal/ (a boundary the toolchain enforces), signalling private implementation instead of a library-style flat root. No runtime behavior changes — only import paths and a few build/config paths move. Moved: config, database, logger, mtproto, sub, util, web, xray -> internal/. main.go stays at the repo root and tools/openapigen stays under tools/ (both still import internal/* because the internal rule keys off the module root). The module path github.com/mhsanaei/3x-ui/v3 is unchanged; 149 .go files had their import prefix rewritten to .../internal/<pkg>. Couplings the Go compiler can't see, updated to the new layout: - frontend i18n imports of web/translation (react.ts, setup.components.ts) - vite outDir + eslint/tsconfig ignore globs -> internal/web/dist - Dockerfile COPY paths for web/dist and web/translation - locale.go os.DirFS("web") disk fallback -> "internal/web" - .gitignore and ci.yml go:embed stub for internal/web/dist - api_docs_test.go repo-root relative walk (one level deeper) - tools/openapigen filesystem package paths; ApiTokenView repointed to the web/service/panel subpackage and codegen regenerated (clears a stale type the ci.yml codegen check was failing on) Verified: go build/vet/test (all packages), and frontend typecheck, lint, vitest (478 tests), and production build into internal/web/dist. * fix(config): keep test runs from writing logs into the source tree GetLogFolder() returns a CWD-relative "./log" on Windows. Under `go test` the working directory is each package's own folder, so InitLogger (called by tests in web/job, web/service, xray, web/websocket) created stray log/ directories scattered through the source tree (e.g. internal/web/job/log/). Redirect to a shared temp folder when testing.Testing() reports a test run. Production behavior is unchanged: Windows still uses ./log next to the binary and Linux /var/log/x-ui. The log files were always gitignored (*.log) and never committed; this just stops the noise at the source. * docs: move subscription-template guide out of root into docs/ sub_templates/ was a top-level folder holding only a README and no actual templates (3x-ui ships none by design), referenced nowhere and unlinked from any doc — it read like an empty placeholder cluttering the repo root. Move the guide to docs/custom-subscription-templates.md (a proper docs home), reword its intro to read as documentation rather than a folder note, link it from the Features list in README.md, and drop the empty sub_templates/ folder. * fix: update stale web/ path references after the internal/ move The internal/ migration rewrote Go import paths but left some references to the old top-level layout in docs, comments, and a few runtime disk paths. Functional (dev-mode only): the disk-serving fallbacks that read the Vite build from disk when running from source still pointed at web/dist/, which moved to internal/web/dist/ — so `os.DirFS`/`os.Stat`/`os.ReadFile` in internal/web/web.go and internal/sub/{sub,controller}.go are corrected. Production was unaffected (it serves the embedded FS; verified by the Docker build), but `go run` with a live frontend build silently fell back to embed. Docs/comments: frontend/README.md, CONTRIBUTING.md, the claude-issue-bot and release workflows, the openapigen -root help text, and assorted Go comments now reference internal/web, internal/database, internal/sub, internal/xray, etc. Package-name mentions (the "web" package), root paths (main.go, frontend/, install scripts, /etc/x-ui), routes (/panel/api/xray), and the historical "web/assets no longer exists" note were intentionally left as-is. * refactor(web): remove the legacy /xui -> /panel redirect middleware RedirectMiddleware existed only for backward compatibility with the old `/xui` URL scheme (301-redirecting /xui and /xui/API to /panel and /panel/api). That cutover was long ago, so drop the middleware, its registration in initRouter, and the now-inaccurate "URL redirection" mention in the middleware package doc. Old /xui URLs now 404 like any other unknown path. HTTPS auto-redirect and auth redirects are unrelated and stay. * build: fix .dockerignore for internal/ layout and exclude runtime dir - web/dist -> internal/web/dist: the embedded frontend moved under internal/, so the stale exclude no longer matched and the locally-built dist could be sent to the build context (the frontend stage rebuilds it fresh anyway). - exclude x-ui/: the local runtime directory (SQLite db, geo .dat files, xray binaries, certs — ~150MB) was being shipped into the build context for no reason. Verified the pattern excludes only the directory and still keeps x-ui.sh, which the Dockerfile copies to /usr/bin/x-ui.	2026-06-10 15:19:22 +02:00