14 commits

Author	SHA1	Message	Date
MHSanaei	9c8cd08f90	feat(wireguard): multi-client support ... WireGuard inbounds now manage per-client peers using xray-core's native WireGuard users (AddUser/RemoveUser). Each client lives in settings.clients (canonical, like every other protocol) and is projected to peers[] only when emitting the xray config, at level 0 so the dispatcher's per-user traffic/online counters work with no extra plumbing. Backend: internal/util/wireguard gains KeyToHex (base64 to hex for the gRPC path), PublicKeyFromPrivate and GenerateWireguardPSK; xray/api.go builds a wireguard account in AddUser with hex keys (RemoveUser already worked); client CRUD generates a keypair and allocates a unique tunnel address per client and never rotates keys on edit; an idempotent migration converts legacy settings.peers into managed clients; WireGuard is included in the raw subscription. Frontend: WireGuard in the add-client modal with keys on the credential tab, client schema, per-client QR/link/.conf, inbound form reduced to server settings; i18n added across 13 locales. Fix: guard the settings[clients] assertion in add/update so a legacy WireGuard inbound stored without a clients key no longer panics.	2026-06-28 00:44:38 +02:00
MHSanaei	56b0be0b6a	fix(lint): use errors.Is for io.EOF comparison in sys_linux ... The errorlint linter rejects direct error comparison with != because it fails on wrapped errors. Compare via errors.Is(err, io.EOF) instead.	2026-06-27 16:38:07 +02:00
MHSanaei	fa1a19c03c	style: adopt golangci-lint v2 and resolve all findings ... Add .golangci.yml (v2): the standard linters plus bodyclose, errorlint, noctx, misspell, rowserrcheck, sqlclosecheck, unconvert, usestdlibvars, with gofumpt + goimports formatters. Enable the std-error-handling exclusion preset for idiomatic Close/Remove/Setenv ignores; scope-exclude SA1019 (parser.ParseDir in tools/openapigen) and ST1005 (intentional capitalized user-facing error copy that tests assert verbatim). No inline nolint directives were introduced. Resolve all 217 findings behavior-preserving: gofumpt/goimports formatting, explicit blank assignment on intentionally ignored errors, errors.Is/errors.As and %w wrapping, context-aware stdlib calls (CommandContext/QueryContext/NewRequestWithContext/Dialer), staticcheck simplifications, removed redundant conversions, http.StatusOK and http.MethodGet, inlined the go:fix intPtr helper, and deferred sql rows Close. Add a golangci CI job mirroring the existing Go jobs.	2026-06-27 15:42:22 +02:00
MHSanaei	69ad8b76e1	perf(memory): report real RSS and cut footprint via GOGC + periodic release ... The Usage card showed runtime.MemStats.Sys, a never-shrinking high-water mark of reserved address space that also counts memory already returned to the OS, so it overstated real usage (e.g. ~300 MB on an idle 1-client server). Report process RSS instead so the number matches the OS and drops as memory is freed. Replace the auto GOMEMLIMIT that targeted ~90 percent of total system RAM (a near no-op while the heap sits far below the limit, and a GC-thrash risk on small/shared VPS per go.dev/doc/gc-guide) with: a lower default GOGC (XUI_GOGC, default 75), a periodic debug.FreeOSMemory job (XUI_MEMORY_RELEASE_INTERVAL, default 10m, 0 disables), and a soft limit applied only from an explicit budget (GOMEMLIMIT, XUI_MEMORY_LIMIT, or a real cgroup cap at 90 percent).	2026-06-25 22:16:38 +02:00
MHSanaei	7d23a2c15b	perf: prevent cron job overlap, auto-set GOMEMLIMIT, fix tgbot userStates race ... cron: SkipIfStillRunning stops a slow 5s/10s job from overlapping itself and racing the shared xrayAPI (grpc conn leak) and the StatsLastValues map (fatal concurrent map write). memlimit: auto-detect a Go soft memory limit from XUI_MEMORY_LIMIT, the cgroup limit, or system RAM (about 90 percent); opt-in pprof via XUI_PPROF. tgbot: userStates now goes through a mutex-guarded store with TTL pruning (was raced by worker-pool and delayed-delete goroutines). check_client_ip: prefilter inbounds by settings LIKE limitIp instead of loading and JSON-parsing all of them every scan. minor: prune StatsLastValues, RateLimiter.lastSent, reportedRemoteTagConflict. docker-compose: document the memory knobs.	2026-06-22 02:48:58 +02:00
MHSanaei	a5bc71a6f1	fix(sub): SS2022 share links must not base64-encode userinfo (#5432) ... Per SIP022, ss:// links for 2022-blake3-* methods must NOT base64-encode the userinfo; method and password are percent-encoded instead. Clients like Hiddify reject the base64 form. Fix both the server-side subscription path and the client-side panel link, plus the matching parsers for round-trip import.	2026-06-20 11:25:12 +02:00
n0ctal	f63ed9f510	fix(jobs): isolate per-node background goroutines from panics (#5397) ... A panic in a goroutine without a recover takes the whole panel down. The per-node heartbeat and traffic-sync goroutines run remote network I/O for each node with no panic isolation, so one misbehaving node could crash the master. Add common.GoRecover(name, fn), which runs fn in a goroutine guarded by a recover that logs the panic with a stack trace instead of crashing, and use it for the per-node heartbeat, traffic-sync and global-push goroutines. The deferred WaitGroup/semaphore releases still run during panic unwind, so the group never stalls. Other background goroutines can adopt the same helper.	2026-06-20 00:38:25 +02:00
MHSanaei	4915d6b18d	refactor(frontend): move form-item hints from extra to tooltip ... Switch reality target, node options, and WARP auto-update-IP hints from inline extra text to label tooltips for a cleaner form layout.	2026-06-17 17:24:16 +02:00
Sanaei	37c5e0bfd2	feat(node): node hardening — mTLS, hashed+zstd reconcile transport, per-node net metrics (#5382) ... * fix(api-docs): document clientIpsByGuid route Restores a green `go test ./...` baseline: TestAPIRoutesDocumented flagged POST /panel/api/clients/clientIpsByGuid (added in 9385b6c6) as undocumented in endpoints.ts. * test(node): characterize current node TLS + API auth behavior Phase 0 regression net for the mTLS work. These pass on unchanged production code and lock the pre-mTLS contracts so later phases can be proven additive: - tlsConfigForNode: skip -> InsecureSkipVerify (no VerifyConnection); pin -> VerifyConnection installed. - checkAPIAuth: bearer match -> Next + api_authed; unauthenticated -> 401 (XHR) / 404; valid session -> Next. - panel HTTPS listener with no ClientAuth accepts a client that presents no client certificate (the browsers-keep-working invariant). * feat(crypto): node-auth CA + client-cert minting (TDD) Stdlib-only ECDSA P-256 helpers for the node mTLS work: - GenerateNodeCA: self-signed CA (IsCA, CertSign, path len 0) - IssueClientCert: client-auth leaf (ExtKeyUsageClientAuth) signed by CA - LoadCAFromPEM: parse a CA cert+key for issuing / trust-pool building Tests assert the contract (leaf verifies against the issuing CA with ExtKeyUsageClientAuth), seen failing on the assertion before impl. * feat(node): lazy node mTLS CA + client cert in settings (TDD) SettingService gains opt-in mTLS material, all stored as Setting rows with empty defaults and kept out of entity.AllSetting (so private keys never reach the settings UI/export): - EnsureNodeMtlsCA: mint+persist the node-auth CA once, reuse thereafter - EnsureMasterClientCert: issue the master client cert from the CA, idempotent - NodeMtlsClientCAPool: ClientCAs trust pool for the listener; nil when unconfigured so the no-mTLS path is unchanged Tests assert idempotency and that the client cert verifies against the CA for client auth; seen failing on the assertion before impl. * feat(node): mtls client TLS config + master-cert provider (TDD) tlsConfigForNode gains an 'mtls' branch that presents the master client certificate and verifies the node server against system roots (no InsecureSkipVerify, no custom RootCAs). The cert is supplied via an injected MasterClientCertProvider so runtime need not import service; it fails closed when unconfigured. skip/pin contracts unchanged. * feat(node): allow tokenless mtls nodes in remote do() (TDD) mtls nodes authenticate with a client certificate, so the bearer token becomes optional for them: do() no longer rejects an empty ApiToken when TlsVerifyMode is mtls, and the Authorization header is omitted when no token is set. Every other mode still requires a token (regression kept). * feat(node): authenticate verified client certs in checkAPIAuth (TDD) A completed mTLS handshake (non-empty r.TLS.VerifiedChains) now authenticates an API request, equivalent to a valid bearer token, and sets api_authed so the CSRF middleware lets cert-authed mutations through. Bearer/session/reject paths unchanged. The accept-path assert was mutation-checked (guard flipped -> test red -> reverted). * feat(node): opt-in mTLS on the panel listener (TDD; mutation-checked) web.go now applies VerifyClientCertIfGiven + ClientCAs to the HTTPS listener when a node trust CA is configured, and wires the master client cert provider for outbound mtls calls. With no CA the listener is byte-identical to before (browsers unaffected). applyNodeMtls is covered end-to-end: no-cert client handshakes (browsers keep working), a CA-signed client cert verifies, a foreign-CA cert is rejected at the handshake. Mutation-checked: - RequireAndVerifyClientCert -> no-cert client rejected (red) -> reverted - drop ClientCAs -> master cert no longer trusted (red) -> reverted * feat(node): accept mtls verify-mode + CA reveal endpoint (TDD) - model.Node.TlsVerifyMode validator now accepts 'mtls' - normalize() preserves mtls and requires the node scheme to be https (fail closed), instead of clamping mtls back to verify - NodeService.NodeMtlsCaCert + POST /panel/api/nodes/mtls/ca return this panel's node-auth CA cert (public) to paste into a node, minting the CA + master client cert on first call - endpoints.ts documents the new route (doc-sync test) No model column added (enum is a string), so no migration/codegen. * feat(node): node mTLS UI + trust-CA setter (TDD) Backend: - NodeService.SetNodeMtlsTrustCA + POST /panel/api/nodes/mtls/trustCA store the CA this panel trusts for incoming node-API client certs (validates PEM, empty clears); applied on next restart - endpoints.ts + regenerated openapi.json document both mtls routes Frontend: - node form: 'mtls' TLS-verify option + setup hint (zod enum updated) - Nodes page 'Node mTLS' card: copy this panel's CA, and paste/save the trusted parent CA - en-US i18n keys (other locales fall back to en-US) Gates green: go build (native+windows), vet, go test ./...; frontend typecheck, lint, vitest (541). * style(node): gofmt web_mtls_test doc comment * feat(node): hashed+zstd reconcile transport (TDD, negotiated, mixed-version safe) Adds an integrity + compression envelope to node config pushes: - internal/util/wirecodec: shared zstd codec (bomb-capped decode) + SHA-256 hashing + the header/capability constants - Remote.do(): always attaches X-Config-Sha256 of the uncompressed body; zstd-compresses only when the node advertised support (learned from its X-3x-Node-Caps response header) and the body is >=1KiB - ConfigEnvelopeMiddleware on /panel/api: advertises the cap, decompresses and verifies the hash (handler not invoked on mismatch) before binding Mixed-version safe: old nodes never advertise the cap -> plain bodies; the hash header is verify-if-present so any panel/node mix interoperates (existing reconcile tests stay green). klauspost/compress promoted to a direct dep. Hash-mismatch reject was mutation-checked (compare defeated -> test red -> reverted). * feat(node): per-node network throughput metrics (TDD) The node status response already carries gopsutil netIO.up/down (summed non-virtual interfaces), so no node-side change is needed: - probe() parses netIO.up/down into HeartbeatPatch.NetUp/NetDown - Node gains net_up/net_down columns (AutoMigrate); UpdateHeartbeat persists them and appends netUp/netDown to the per-node metric history - NodeMetricKeys whitelists netUp/netDown so the history endpoint serves them - NodeHistoryPanel renders Net Up/Down sparklines (KB/s, no 0-100 clamp) - regenerated frontend types + openapi.json for the new Node fields * feat(node): move node mTLS controls into a toolbar button + modal The Node mTLS panel was an always-visible card cluttering the nodes page. Replace it with a 'Node mTLS' button beside 'Add node' that opens a modal with the same copy-CA + trusted-parent-CA controls; the modal closes on a successful save. No backend/i18n changes. * i18n(node): translate mTLS + net-metrics keys for all locales Adds the node mTLS strings (tlsMtls, mtlsFormHint, mtls.* dialog + the saveMtls toast) and the netUp/netDown chart labels to all 12 non-English catalogs (ar, es, fa, id, ja, pt, ru, tr, uk, vi, zh-CN, zh-TW), matching each catalog's existing terminology. Technical tokens (mTLS/TLS/CA/API/ KB/s) kept verbatim. * fix(node): address Copilot review on node-hardening PR - setting_mtls: fail closed on a half-present CA/master-cert pair instead of silently regenerating (which would rotate the CA and break fleet trust). - config_envelope: reject non-zstd Content-Encoding on the envelope path rather than hashing/forwarding a still-encoded body to the handler. - node mTLS: support tokenless mTLS end-to-end — apiToken is now required_unless tlsVerifyMode=mtls (model) with matching conditional validation in NodeFormSchema, so the runtime allowance is actually reachable. - NodesPage: add a catch block to onSaveTrustCa so save failures surface.	2026-06-16 12:19:33 +02:00
MHSanaei	7fe082a7f1	fix(nodes): stop multi-attached client traffic inflating across node inbounds ... Xray counts client traffic globally per email, so a client attached to several of a node's inbounds has its single shared counter copied onto every inbound by the node's enriched inbound list. When those copies diverge (legacy per-inbound rows surviving a v3.2.x->v3.3.x upgrade, or any drift) the per-inbound delta loop read the lower sibling as a node-counter reset and re-added its full value, inflating the client far past real usage (#5274). Fold each email to its per-field node-wide max before the delta loop so every occurrence is equal: the per-email baseline dedup then holds and the reset clamp never misfires.	2026-06-15 19:31:57 +02:00
MHSanaei	f7ffe89813	fix(outbound): preserve non-ASCII characters in imported subscription tags (#5354) ... SlugRemark stripped every non-ASCII character, so tags generated from remarks like Cyrillic names collapsed to just their digits, making imported outbounds hard to identify. Keep Unicode letters and digits in the slug regex while still collapsing punctuation into dashes.	2026-06-15 19:16:57 +02:00
Sanaei	7605902324	Test-quality audit: fix 2 prod bugs, strengthen weak tests, add mutation/fuzz/CI tooling (#5345) ... * test(audit): add gremlins/rapid/coverage tooling + AUDIT.md scaffold * test(audit): hygiene sweep (race-clean except logger global; Finding #2) + smell inventory * test(audit): cover untested error/edge branches (TLS proxy+pin, migration tag cleanup=Finding #1) * test(audit): strengthen internal/sub link tests (dedup key, TLS/Reality mapping, clash well-formedness) * test(audit): property (rapid) + fuzz tests for joinHostPort/userinfo/pin/ParseLink * test(audit): tighten frontend subSortIndex rejection assertions + wire coverage * ci(audit): add shuffle gate + non-blocking race job (Finding #2) + fuzz-smoke; document mutation policy * chore(audit): gitignore frontend coverage output * test(audit): exhaustive whole-repo pass — strengthen 5 weak/fake tests (netproxy, CSP, modal per-protocol loops, schema coercions) * docs(contributing): add Testing section (conventions, race/shuffle, fuzz, mutation policy); drop AUDIT.md ledger * fix(logger,migration): guard logBuffer with mutex; execute legacy tag cleanup (tx.Exec); make CI race gate blocking * ci(mutation): add nightly scoped gremlins workflow (informational artifacts) * test(audit): strengthen runtime tests — baseURL scheme/port bounds, isNonEmptySlice, trafficReset * test(audit): strengthen clash tests — reality field mapping + tcp-header validation * test(audit): runtime — egress-proxy + content-type tests; drop redundant bp=='' branch * test(audit): strengthen link parser/helper tests (defaultPort, splitComma, base64, canonicalQuery, tls/reality/transport mapping) * test(audit): strengthen sub/xray/common/netsafe/mtproto/config/middleware tests (kill surviving mutants) * test(audit): raise timeout on protocol-iteration modal tests (heavy re-renders, slow on CI) * fix(logger): GetLogs returns at most c entries (off-by-one fix; addresses PR review) * perf(logger): snapshot logBuffer under lock so GetLogs doesn't block logging; clarify fuzz-seed docs (addresses PR review)	2026-06-15 15:17:03 +02:00
MHSanaei	60da6bed15	fix(xhttp): stop injecting scMaxEachPostBytes/scMinPostsIntervalMs defaults (#5141) ... The panel seeded xhttp configs with scMaxEachPostBytes=1000000 and scMinPostsIntervalMs=30 — xray-core''s own defaults — and emitted them into every generated config and share link. The literal scMinPostsIntervalMs=30 is a stable DPI fingerprint that Russia''s TSPU keys on to block connections on mobile networks. New configs no longer seed these values (empty schema/template defaults, so xray-core applies its internal defaults). For configs already stored with the old defaults, the link/subscription builders now drop values equal to xray-core''s defaults instead of advertising them — covering panel share links, the raw subscription, and the JSON subscription without requiring every inbound to be re-saved. Non-default values the user set deliberately are still emitted.	2026-06-12 01:50:37 +02:00
Sanaei	41645255f1	refactor: focused service files, leaf subpackages, and an internal/ layout (#5167) ... * refactor(service): split client.go into focused files client.go had grown to 4455 lines mixing ~10 responsibilities. Split it verbatim into cohesive same-package files (no behavior change): client.go foundation: ClientService, ClientWithAttachments, ClientCreatePayload, ErrClientNotInInbound, sqlInChunk client_locks.go inbound mutation locks, delete tombstones, compactOrphans client_lookup.go read-only lookups (GetByID, List, EffectiveFlow, ...) client_link.go inbound association sync (SyncInbound, DetachInbound, ...) client_crud.go single-client CRUD + validation + protocol defaults client_inbound_apply.go low-level inbound-settings mutators + by-email setters client_bulk.go bulk attach/detach/adjust/delete/create + DelDepleted client_traffic.go traffic-reset paths client_groups.go client group management client_paging.go paged listing, filtering, sorting, summary Every declaration moved unchanged (verified: identical func/type/const/var signature set before vs after). Imports redistributed per file via goimports. go build ./..., go vet, and go test ./web/service/... all pass. * refactor(service): split inbound.go into focused files inbound.go was 4100 lines. Split it verbatim into cohesive same-package files (no behavior change): inbound.go core inbound CRUD + InboundService (keeps pkg doc) inbound_protocol.go protocol / stream capability helpers inbound_node.go node/runtime/remote coordination + online tracking inbound_traffic.go traffic accounting, reset, client stats inbound_client_ips.go per-client IP tracking inbound_clients.go client lookups within inbounds + copy-clients inbound_disable.go auto-disable invalid inbounds/clients inbound_migration.go DB migrations inbound_sublink.go subscription link providers inbound_util.go generic slice/string helpers Identical func/type/const/var signature set before vs after; package doc comment preserved on inbound.go. Imports redistributed via goimports. Build, vet, and go test ./web/service/... all pass. * refactor(service): split tgbot.go into focused files tgbot.go was 3738 lines dominated by a 1246-line answerCallback. Split it verbatim into cohesive same-package files (no behavior change): tgbot.go lifecycle, bot setup, caches, small utils tgbot_router.go incoming update / command / callback dispatch tgbot_send.go outbound messaging primitives tgbot_client.go client views, actions, subscription links tgbot_inbound.go inbound listing / pickers tgbot_report.go server usage, exhausted, online, backups, notifications Identical func/type/const/var signature set before vs after. Imports redistributed via goimports. Build, vet, and go test ./web/service/... pass. * refactor(client): dedupe single-field by-email setters ResetClientIpLimitByEmail, ResetClientExpiryTimeByEmail, and ResetClientTrafficLimitByEmail shared an identical ~50-line body that resolves the inbound by email, confirms the client exists, rewrites a single-client settings payload, and delegates to UpdateInboundClient. Extract that into applyClientFieldByEmail(inboundSvc, email, mutate) and reduce each setter to a 3-line wrapper. Behavior is unchanged: same checks and error strings, same single-client payload contract, same totalGB guard. SetClientTelegramUserID (resolves by traffic id, different error text) and ToggleClientEnableByEmail/SetClientEnableByEmail (different return shape and a pre-read of the old state) intentionally keep their own bodies. * refactor(service): extract panel/ subpackage Move the panel-administration leaf services out of the flat service package into web/service/panel/ (package panel): user.go UserService (auth / 2FA / LDAP) panel.go PanelService (restart / self-update) + version helpers panel_other.go non-unix RestartPanel panel_unix.go unix RestartPanel api_token.go ApiTokenService websocket.go WebSocketService panel_test.go version/shellQuote unit tests These are leaves: they depend on core (SettingService, Release) but no core file references them, so the extraction creates no import cycle. Core references are now qualified (service.SettingService, service.Release); callers in main.go, web/web.go, and web/controller/* updated to panel.*. Build, vet, and go test ./web/... pass. * refactor(service): extract integration/ subpackage Move the external-provider integration leaves into web/service/integration/ (package integration): warp.go WarpService (Cloudflare WARP) nord.go NordService (NordVPN) custom_geo.go CustomGeoService (custom geo asset management) *_test.go custom_geo / panel-proxy tests These depend on core (SettingService, ServerService, XraySettingService) but no core file references them. xray_setting.go stays in core because it calls the unexported SettingService.saveSetting. The shared isBlockedIP SSRF helper (used by core url_safety.go and by custom_geo) now has a small copy in each package rather than being exported. Core references qualified; callers in web/web.go, web/job/*, and web/controller/* updated to integration.*. Build, vet, and go test ./web/... pass. * refactor(service): extract tgbot/ subpackage Move the Telegram bot (6 files + test) into web/service/tgbot/ (package tgbot). It is a leaf: it embeds five core services (Inbound/Client/Setting/ Server/Xray) and the core never references it, so no import cycle. To support the package boundary without changing behavior: - core exposes XrayProcess() *xray.Process so tgbot keeps calling the exact same running-process methods it used via the package-level `p`; - three core methods tgbot calls are exported: ClientService.checkIs- EnabledByEmail -> CheckIsEnabledByEmail, InboundService.getAllEmails -> GetAllEmails (callers updated in-package); - tgbot's embedded-field types and the few core type refs (Status, ClientCreatePayload, SanitizePublicHTTPURL) are now service-qualified. Callers in main.go, web/web.go, web/job/*, and web/controller/* updated to tgbot.*. Build, vet, and go test ./web/... pass. * refactor(service): extract outbound/ subpackage OutboundService (outbound.go) imports only neutral packages (config, database, model, xray) and its production code is referenced by no core or sibling service file — only by web/controller/xray_setting.go and web/job/xray_traffic_job.go. Move it to web/service/outbound/ (package outbound); no core qualification needed inside. Callers updated to outbound.*. The one coupling was a tiny pure test helper, outboundsContainTag, used by both outbound.go and the core outbound_subscription_test.go; it now has a small copy in that test file rather than being shared across the boundary. Build, vet, and go test ./web/... pass. * refactor(util): move wireguard into its own subpackage util/wireguard.go was the lone file of the root `util` package (24 lines, one exported func GenerateWireguardKeypair), while every other util concern lives in a focused subpackage (util/common, util/crypto, util/netsafe, ...). Move it to util/wireguard/ (package wireguard) for consistency; its only importer, web/service/integration/warp.go, is updated. The root `util` package no longer exists. * refactor(sub): drop redundant sub prefix from filenames Inside package sub the subXxx.go prefix just repeats the package name (like client_*.go did inside service). Rename for consistency; content and type names are unchanged: subController.go -> controller.go subService.go -> service.go subClashService.go -> clash_service.go subJsonService.go -> json_service.go (+ matching _test.go files) * refactor(controller): rename xui.go -> spa.go XUIController serves the panel's single-page-app shell; spa.go names that role plainly (the other controller files are domain-named). File rename only — the type stays XUIController. api_docs_test.go keys route base paths by filename, so its "xui.go" case is updated to "spa.go". * refactor: move backend packages under internal/ Adopt the idiomatic Go application layout: the backend packages now live under internal/ (a boundary the toolchain enforces), signalling private implementation instead of a library-style flat root. No runtime behavior changes — only import paths and a few build/config paths move. Moved: config, database, logger, mtproto, sub, util, web, xray -> internal/. main.go stays at the repo root and tools/openapigen stays under tools/ (both still import internal/* because the internal rule keys off the module root). The module path github.com/mhsanaei/3x-ui/v3 is unchanged; 149 .go files had their import prefix rewritten to .../internal/<pkg>. Couplings the Go compiler can't see, updated to the new layout: - frontend i18n imports of web/translation (react.ts, setup.components.ts) - vite outDir + eslint/tsconfig ignore globs -> internal/web/dist - Dockerfile COPY paths for web/dist and web/translation - locale.go os.DirFS("web") disk fallback -> "internal/web" - .gitignore and ci.yml go:embed stub for internal/web/dist - api_docs_test.go repo-root relative walk (one level deeper) - tools/openapigen filesystem package paths; ApiTokenView repointed to the web/service/panel subpackage and codegen regenerated (clears a stale type the ci.yml codegen check was failing on) Verified: go build/vet/test (all packages), and frontend typecheck, lint, vitest (478 tests), and production build into internal/web/dist. * fix(config): keep test runs from writing logs into the source tree GetLogFolder() returns a CWD-relative "./log" on Windows. Under `go test` the working directory is each package's own folder, so InitLogger (called by tests in web/job, web/service, xray, web/websocket) created stray log/ directories scattered through the source tree (e.g. internal/web/job/log/). Redirect to a shared temp folder when testing.Testing() reports a test run. Production behavior is unchanged: Windows still uses ./log next to the binary and Linux /var/log/x-ui. The log files were always gitignored (*.log) and never committed; this just stops the noise at the source. * docs: move subscription-template guide out of root into docs/ sub_templates/ was a top-level folder holding only a README and no actual templates (3x-ui ships none by design), referenced nowhere and unlinked from any doc — it read like an empty placeholder cluttering the repo root. Move the guide to docs/custom-subscription-templates.md (a proper docs home), reword its intro to read as documentation rather than a folder note, link it from the Features list in README.md, and drop the empty sub_templates/ folder. * fix: update stale web/ path references after the internal/ move The internal/ migration rewrote Go import paths but left some references to the old top-level layout in docs, comments, and a few runtime disk paths. Functional (dev-mode only): the disk-serving fallbacks that read the Vite build from disk when running from source still pointed at web/dist/, which moved to internal/web/dist/ — so `os.DirFS`/`os.Stat`/`os.ReadFile` in internal/web/web.go and internal/sub/{sub,controller}.go are corrected. Production was unaffected (it serves the embedded FS; verified by the Docker build), but `go run` with a live frontend build silently fell back to embed. Docs/comments: frontend/README.md, CONTRIBUTING.md, the claude-issue-bot and release workflows, the openapigen -root help text, and assorted Go comments now reference internal/web, internal/database, internal/sub, internal/xray, etc. Package-name mentions (the "web" package), root paths (main.go, frontend/, install scripts, /etc/x-ui), routes (/panel/api/xray), and the historical "web/assets no longer exists" note were intentionally left as-is. * refactor(web): remove the legacy /xui -> /panel redirect middleware RedirectMiddleware existed only for backward compatibility with the old `/xui` URL scheme (301-redirecting /xui and /xui/API to /panel and /panel/api). That cutover was long ago, so drop the middleware, its registration in initRouter, and the now-inaccurate "URL redirection" mention in the middleware package doc. Old /xui URLs now 404 like any other unknown path. HTTPS auto-redirect and auth redirects are unrelated and stay. * build: fix .dockerignore for internal/ layout and exclude runtime dir - web/dist -> internal/web/dist: the embedded frontend moved under internal/, so the stale exclude no longer matched and the locally-built dist could be sent to the build context (the frontend stage rebuilds it fresh anyway). - exclude x-ui/: the local runtime directory (SQLite db, geo .dat files, xray binaries, certs — ~150MB) was being shipped into the build context for no reason. Verified the pattern excludes only the directory and still keeps x-ui.sh, which the Dockerfile copies to /usr/bin/x-ui.	2026-06-10 15:19:22 +02:00