From 1cf2582e6dccd7aeef90d8a27551fba6aec085ea Mon Sep 17 00:00:00 2001
From: MHSanaei <ho3ein.sanaei@gmail.com>
Date: Thu, 14 May 2026 12:30:48 +0200
Subject: [PATCH 01/16] fix: hide QR code for mldsa65 links (too long for QR
 generation)

---
 frontend/src/pages/inbounds/QrCodeModal.vue | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/frontend/src/pages/inbounds/QrCodeModal.vue b/frontend/src/pages/inbounds/QrCodeModal.vue
index 9d7db272..ebb7f1d0 100644
--- a/frontend/src/pages/inbounds/QrCodeModal.vue
+++ b/frontend/src/pages/inbounds/QrCodeModal.vue
@@ -111,7 +111,8 @@ function close() {
     <template v-if="dbInbound">
       <a-collapse v-model:active-key="activeKeys" ghost class="qr-collapse">
         <a-collapse-panel v-for="item in qrItems" :key="item.key" :header="item.header">
-          <QrPanel :value="item.value" :remark="item.header" :download-name="item.downloadName || ''" />
+          <QrPanel :value="item.value" :remark="item.header" :download-name="item.downloadName || ''"
+            :show-qr="!item.value.includes('mldsa65')" />
         </a-collapse-panel>
       </a-collapse>
     </template>

From ae6f13b53300ae4c6d7f8dedee4c09fa016d037c Mon Sep 17 00:00:00 2001
From: MHSanaei <ho3ein.sanaei@gmail.com>
Date: Thu, 14 May 2026 12:34:23 +0200
Subject: [PATCH 02/16] fix: also hide QR code for ML-KEM-768 links (too long
 for QR generation)

---
 frontend/src/pages/inbounds/QrCodeModal.vue | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/src/pages/inbounds/QrCodeModal.vue b/frontend/src/pages/inbounds/QrCodeModal.vue
index ebb7f1d0..6e01f8d7 100644
--- a/frontend/src/pages/inbounds/QrCodeModal.vue
+++ b/frontend/src/pages/inbounds/QrCodeModal.vue
@@ -112,7 +112,7 @@ function close() {
       <a-collapse v-model:active-key="activeKeys" ghost class="qr-collapse">
         <a-collapse-panel v-for="item in qrItems" :key="item.key" :header="item.header">
           <QrPanel :value="item.value" :remark="item.header" :download-name="item.downloadName || ''"
-            :show-qr="!item.value.includes('mldsa65')" />
+            :show-qr="!item.value.includes('mldsa65') && !item.value.includes('ML-KEM-768')" />
         </a-collapse-panel>
       </a-collapse>
     </template>

From 1f052c0e8f0c354b922211cf20c5e8a0557a9313 Mon Sep 17 00:00:00 2001
From: MHSanaei <ho3ein.sanaei@gmail.com>
Date: Thu, 14 May 2026 12:41:08 +0200
Subject: [PATCH 03/16] fix: preserve TLS cert file paths when deploying
 inbound to remote node
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When creating a Hysteria (or any TLS-required) inbound from the central
panel and deploying it to a remote node, sanitizeStreamSettingsForRemote
was unconditionally stripping certificateFile / keyFile from the TLS
settings. This left Xray on the remote node with a TLS block containing
no certificate, causing Xray to crash and the inbounds page to hang.

The fix: only strip cert file paths when inline certificate content
(certificate / key arrays) is also present in the same entry — those
file paths are then truly redundant. When only file paths are present
the user explicitly entered paths that live on the remote node's
filesystem; they are now passed through untouched.

Fixes #4370
---
 web/runtime/remote.go      | 39 +++++++++++++---
 web/runtime/remote_test.go | 96 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 129 insertions(+), 6 deletions(-)
 create mode 100644 web/runtime/remote_test.go

diff --git a/web/runtime/remote.go b/web/runtime/remote.go
index c71714e7..9cc83f32 100644
--- a/web/runtime/remote.go
+++ b/web/runtime/remote.go
@@ -344,10 +344,15 @@ func wireInbound(ib *model.Inbound) url.Values {
 }
 
 // sanitizeStreamSettingsForRemote strips file-based TLS certificate paths
-// from the StreamSettings before sending to a remote node. File paths
-// (certificateFile / keyFile) are local to the main panel's filesystem
-// and will cause Xray on the remote node to crash if they don't exist there.
-// Inline certificate content (certificate / key) is kept intact.
+// from the StreamSettings before sending to a remote node, but ONLY when
+// inline certificate content (certificate / key) is also present in the same
+// entry.  In that case the file paths are redundant and stripping them avoids
+// confusion when the central panel's local paths don't exist on the remote.
+//
+// When a certificate entry contains ONLY file paths (no inline content) the
+// paths are left untouched: the user explicitly entered paths that exist on
+// the remote node's filesystem, and removing them would leave Xray with TLS
+// configured but no certificate, causing Xray to crash on the remote node.
 func sanitizeStreamSettingsForRemote(streamSettings string) string {
 	if streamSettings == "" {
 		return streamSettings
@@ -368,18 +373,40 @@ func sanitizeStreamSettingsForRemote(streamSettings string) string {
 		return streamSettings
 	}
 
+	changed := false
 	for _, cert := range certificates {
 		c, ok := cert.(map[string]any)
 		if !ok {
 			continue
 		}
-		delete(c, "certificateFile")
-		delete(c, "keyFile")
+		// Only strip file paths when inline content is present so that the
+		// remote Xray still has a valid certificate to use.
+		hasCertFile := c["certificateFile"] != nil && c["certificateFile"] != ""
+		hasKeyFile := c["keyFile"] != nil && c["keyFile"] != ""
+		hasCertInline := isNonEmptySlice(c["certificate"])
+		hasKeyInline := isNonEmptySlice(c["key"])
+		if hasCertFile && hasCertInline {
+			delete(c, "certificateFile")
+			changed = true
+		}
+		if hasKeyFile && hasKeyInline {
+			delete(c, "keyFile")
+			changed = true
+		}
 	}
 
+	if !changed {
+		return streamSettings
+	}
 	out, err := json.Marshal(stream)
 	if err != nil {
 		return streamSettings
 	}
 	return string(out)
 }
+
+// isNonEmptySlice reports whether v is a non-nil, non-empty JSON array value.
+func isNonEmptySlice(v any) bool {
+	s, ok := v.([]any)
+	return ok && len(s) > 0
+}
diff --git a/web/runtime/remote_test.go b/web/runtime/remote_test.go
new file mode 100644
index 00000000..dd966792
--- /dev/null
+++ b/web/runtime/remote_test.go
@@ -0,0 +1,96 @@
+package runtime
+
+import (
+	"encoding/json"
+	"testing"
+)
+
+func TestSanitizeStreamSettingsForRemote(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		// wantCertFile / wantKeyFile: expected presence after sanitize
+		wantCertFile bool
+		wantKeyFile  bool
+	}{
+		{
+			name: "file paths only — kept intact (remote node paths)",
+			input: `{
+				"tlsSettings": {
+					"certificates": [{
+						"certificateFile": "/etc/ssl/cert.crt",
+						"keyFile": "/etc/ssl/key.key"
+					}]
+				}
+			}`,
+			wantCertFile: true,
+			wantKeyFile:  true,
+		},
+		{
+			name: "inline content only — unchanged",
+			input: `{
+				"tlsSettings": {
+					"certificates": [{
+						"certificate": ["-----BEGIN CERTIFICATE-----"],
+						"key": ["-----BEGIN PRIVATE KEY-----"]
+					}]
+				}
+			}`,
+			wantCertFile: false,
+			wantKeyFile:  false,
+		},
+		{
+			name: "both file paths and inline content — file paths stripped (redundant)",
+			input: `{
+				"tlsSettings": {
+					"certificates": [{
+						"certificateFile": "/etc/ssl/cert.crt",
+						"keyFile": "/etc/ssl/key.key",
+						"certificate": ["-----BEGIN CERTIFICATE-----"],
+						"key": ["-----BEGIN PRIVATE KEY-----"]
+					}]
+				}
+			}`,
+			wantCertFile: false,
+			wantKeyFile:  false,
+		},
+		{
+			name: "empty stream settings",
+			input: "",
+			// empty input returns empty, nothing to check
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			if tc.input == "" {
+				if got := sanitizeStreamSettingsForRemote(tc.input); got != "" {
+					t.Errorf("expected empty string, got %q", got)
+				}
+				return
+			}
+			got := sanitizeStreamSettingsForRemote(tc.input)
+			var out map[string]any
+			if err := json.Unmarshal([]byte(got), &out); err != nil {
+				t.Fatalf("output is not valid JSON: %v\noutput: %s", err, got)
+			}
+
+			tls, _ := out["tlsSettings"].(map[string]any)
+			certs, _ := tls["certificates"].([]any)
+			if len(certs) == 0 {
+				t.Fatal("certificates array missing in output")
+			}
+			cert, _ := certs[0].(map[string]any)
+
+			_, hasCertFile := cert["certificateFile"]
+			_, hasKeyFile := cert["keyFile"]
+
+			if hasCertFile != tc.wantCertFile {
+				t.Errorf("certificateFile present=%v, want %v", hasCertFile, tc.wantCertFile)
+			}
+			if hasKeyFile != tc.wantKeyFile {
+				t.Errorf("keyFile present=%v, want %v", hasKeyFile, tc.wantKeyFile)
+			}
+		})
+	}
+}

From 1284756f8a1f7313f1132ebf97d7686ec2e55214 Mon Sep 17 00:00:00 2001
From: MHSanaei <ho3ein.sanaei@gmail.com>
Date: Thu, 14 May 2026 13:27:55 +0200
Subject: [PATCH 04/16] fix(outbound): restore TLS, QUIC params and TCP masks
 when importing share links

- fromHysteriaLink: parse security= URL param and populate stream.tls
  (SNI, fingerprint, ALPN, ECH) when security=tls; previously always
  forced security to 'none'
- fromHysteriaLink: parse fm JSON param and populate both
  stream.finalmask.quicParams (drives the QUIC Params toggle in
  FinalMaskForm) and the mirrored stream.hysteria fields
- fromParamLink (VLESS/Trojan/SS): parse fm JSON param and restore
  stream.finalmask (TCP masks, UDP masks, QUIC params)
- fromVmessLink (VMess): same fm handling for the base64-JSON path

Closes #4376
---
 frontend/src/models/outbound.js | 61 +++++++++++++++++++++++++++++++--
 1 file changed, 59 insertions(+), 2 deletions(-)

diff --git a/frontend/src/models/outbound.js b/frontend/src/models/outbound.js
index f2cabf3e..8277590e 100644
--- a/frontend/src/models/outbound.js
+++ b/frontend/src/models/outbound.js
@@ -1397,6 +1397,13 @@ export class Outbound extends CommonClass {
 
         const port = json.port * 1;
 
+        // Parse fm (finalmask) JSON string — TCP/UDP masks + QUIC params from 3x-ui share links
+        if (json.fm) {
+            try {
+                stream.finalmask = FinalMaskStreamSettings.fromJson(JSON.parse(json.fm));
+            } catch (_) { /* ignore malformed fm */ }
+        }
+
         return new Outbound(json.ps, Protocols.VMess, new Outbound.VmessSettings(json.add, port, json.id, json.scy), stream);
     }
 
@@ -1496,6 +1503,14 @@ export class Outbound extends CommonClass {
             default:
                 return null;
         }
+        // Parse fm (finalmask) JSON param — TCP/UDP masks + QUIC params from 3x-ui share links
+        const fmRaw = url.searchParams.get('fm');
+        if (fmRaw) {
+            try {
+                stream.finalmask = FinalMaskStreamSettings.fromJson(JSON.parse(fmRaw));
+            } catch (_) { /* ignore malformed fm */ }
+        }
+
         let remark = decodeURIComponent(url.hash);
         // Remove '#' from url.hash
         remark = remark.length > 0 ? remark.substring(1) : 'out-' + protocol + '-' + port;
@@ -1516,7 +1531,17 @@ export class Outbound extends CommonClass {
         let urlParams = new URLSearchParams(params);
 
         // Create stream settings with hysteria network
-        let stream = new StreamSettings('hysteria', 'none');
+        let security = urlParams.get('security') ?? 'none';
+        let stream = new StreamSettings('hysteria', security);
+
+        // Parse TLS settings when security=tls
+        if (security === 'tls') {
+            let fp = urlParams.get('fp') ?? 'none';
+            let alpn = urlParams.get('alpn');
+            let sni = urlParams.get('sni') ?? '';
+            let ech = urlParams.get('ech') ?? '';
+            stream.tls = new TlsStreamSettings(sni, alpn ? alpn.split(',') : [], fp, ech);
+        }
 
         // Set hysteria stream settings
         stream.hysteria.auth = password;
@@ -1534,7 +1559,7 @@ export class Outbound extends CommonClass {
             stream.hysteria.udphopIntervalMax = parseInt(urlParams.get('udphopIntervalMax') ?? '30');
         }
 
-        // Optional QUIC parameters
+        // Optional QUIC parameters for FinalMask support and hysteria2 share links
         if (urlParams.has('initStreamReceiveWindow')) {
             stream.hysteria.initStreamReceiveWindow = parseInt(urlParams.get('initStreamReceiveWindow'));
         }
@@ -1557,6 +1582,38 @@ export class Outbound extends CommonClass {
             stream.hysteria.disablePathMTUDiscovery = urlParams.get('disablePathMTUDiscovery') === 'true';
         }
 
+        // Parse fm (finalmask) JSON param — TCP/UDP masks + QUIC params from 3x-ui share links, with special handling to mirror QUIC params into both stream.finalmask and stream.hysteria
+        const fmRaw = urlParams.get('fm');
+        if (fmRaw) {
+            try {
+                const fm = JSON.parse(fmRaw);
+                const qp = fm.quicParams;
+                if (qp && typeof qp === 'object') {
+                    // Populate stream.finalmask.quicParams — this enables the "QUIC Params"
+                    // toggle in FinalMaskForm and carries all QUIC tuning settings.
+                    stream.finalmask.quicParams = QuicParams.fromJson(qp);
+
+                    // Also mirror the overlapping fields into stream.hysteria so the
+                    // Hysteria transport section of the form shows consistent values.
+                    if (qp.congestion) stream.hysteria.congestion = qp.congestion;
+                    if (Number.isInteger(qp.initStreamReceiveWindow)) stream.hysteria.initStreamReceiveWindow = qp.initStreamReceiveWindow;
+                    if (Number.isInteger(qp.maxStreamReceiveWindow)) stream.hysteria.maxStreamReceiveWindow = qp.maxStreamReceiveWindow;
+                    if (Number.isInteger(qp.initConnectionReceiveWindow)) stream.hysteria.initConnectionReceiveWindow = qp.initConnectionReceiveWindow;
+                    if (Number.isInteger(qp.maxConnectionReceiveWindow)) stream.hysteria.maxConnectionReceiveWindow = qp.maxConnectionReceiveWindow;
+                    if (Number.isInteger(qp.maxIdleTimeout)) stream.hysteria.maxIdleTimeout = qp.maxIdleTimeout;
+                    if (Number.isInteger(qp.keepAlivePeriod)) stream.hysteria.keepAlivePeriod = qp.keepAlivePeriod;
+                    if (qp.disablePathMTUDiscovery === true) stream.hysteria.disablePathMTUDiscovery = true;
+                    if (qp.udpHop) {
+                        stream.hysteria.udphopPort = qp.udpHop.ports ?? stream.hysteria.udphopPort;
+                        if (qp.udpHop.interval !== undefined) {
+                            stream.hysteria.udphopIntervalMin = qp.udpHop.interval;
+                            stream.hysteria.udphopIntervalMax = qp.udpHop.interval;
+                        }
+                    }
+                }
+            } catch (_) { /* ignore malformed fm */ }
+        }
+
         // Create settings
         let settings = new Outbound.HysteriaSettings(address, port, 2);
 

From 7065d41be6faa9e3fed662204143ebe85ff4b4eb Mon Sep 17 00:00:00 2001
From: Fedor Batonogov <fekinos@me.com>
Date: Thu, 14 May 2026 16:54:52 +0300
Subject: [PATCH 05/16] docs(readme): add Community Tools section (#4114)

3x-ui has a growing ecosystem of community tools (Terraform, scripts,
exporters, etc.). This adds a Community Tools section between
Acknowledgment and Support project in all 6 localized READMEs so users
can discover them from the main project page.

The format mirrors the existing Acknowledgment section so future
maintainers of 3x-ui-related tools can extend it with one-line PRs.
---
 README.ar_EG.md | 6 ++++++
 README.es_ES.md | 6 ++++++
 README.fa_IR.md | 6 ++++++
 README.md       | 6 ++++++
 README.ru_RU.md | 6 ++++++
 README.zh_CN.md | 6 ++++++
 6 files changed, 36 insertions(+)

diff --git a/README.ar_EG.md b/README.ar_EG.md
index 0dd359f8..45858626 100644
--- a/README.ar_EG.md
+++ b/README.ar_EG.md
@@ -39,6 +39,12 @@ bash <(curl -Ls https://raw.githubusercontent.com/mhsanaei/3x-ui/master/install.
 - [Iran v2ray rules](https://github.com/chocolate4u/Iran-v2ray-rules) (الترخيص: **GPL-3.0**): _قواعد توجيه v2ray/xray و v2ray/xray-clients المحسنة مع النطاقات الإيرانية المدمجة وتركيز على الأمان وحظر الإعلانات._
 - [Russia v2ray rules](https://github.com/runetfreedom/russia-v2ray-rules-dat) (الترخيص: **GPL-3.0**): _يحتوي هذا المستودع على قواعد توجيه V2Ray محدثة تلقائيًا بناءً على بيانات النطاقات والعناوين المحظورة في روسيا._
 
+## أدوات المجتمع
+
+أدوات وتكاملات بناها المجتمع حول 3x-ui.
+
+- [terraform-provider-3x-ui](https://github.com/batonogov/terraform-provider-threexui) (الترخيص: **MIT**): _إدارة الاتصالات الواردة والعملاء وإعدادات اللوحة وتكوين Xray كرمز باستخدام Terraform / OpenTofu._
+
 ## دعم المشروع
 
 **إذا كان هذا المشروع مفيدًا لك، فقد ترغب في إعطائه**:star2:
diff --git a/README.es_ES.md b/README.es_ES.md
index 50758f08..84d012a5 100644
--- a/README.es_ES.md
+++ b/README.es_ES.md
@@ -39,6 +39,12 @@ Para documentación completa, visita la [Wiki del proyecto](https://github.com/M
 - [Iran v2ray rules](https://github.com/chocolate4u/Iran-v2ray-rules) (Licencia: **GPL-3.0**): _Reglas de enrutamiento mejoradas para v2ray/xray y v2ray/xray-clients con dominios iraníes incorporados y un enfoque en seguridad y bloqueo de anuncios._
 - [Russia v2ray rules](https://github.com/runetfreedom/russia-v2ray-rules-dat) (Licencia: **GPL-3.0**): _Este repositorio contiene reglas de enrutamiento V2Ray actualizadas automáticamente basadas en datos de dominios y direcciones bloqueadas en Rusia._
 
+## Herramientas de la Comunidad
+
+Herramientas e integraciones construidas por la comunidad alrededor de 3x-ui.
+
+- [terraform-provider-3x-ui](https://github.com/batonogov/terraform-provider-threexui) (Licencia: **MIT**): _Gestiona inbounds, clientes, configuración del panel y configuración de Xray como código con Terraform / OpenTofu._
+
 ## Apoyar el Proyecto
 
 **Si este proyecto te es útil, puedes darle una**:star2:
diff --git a/README.fa_IR.md b/README.fa_IR.md
index e08fd8c2..a6f4956b 100644
--- a/README.fa_IR.md
+++ b/README.fa_IR.md
@@ -39,6 +39,12 @@ bash <(curl -Ls https://raw.githubusercontent.com/mhsanaei/3x-ui/master/install.
 - [Iran v2ray rules](https://github.com/chocolate4u/Iran-v2ray-rules) (مجوز: **GPL-3.0**): _قوانین مسیریابی بهبود یافته v2ray/xray و v2ray/xray-clients با دامنه‌های ایرانی داخلی و تمرکز بر امنیت و مسدود کردن تبلیغات._
 - [Russia v2ray rules](https://github.com/runetfreedom/russia-v2ray-rules-dat) (مجوز: **GPL-3.0**): _این مخزن شامل قوانین مسیریابی V2Ray به‌روزرسانی شده خودکار بر اساس داده‌های دامنه‌ها و آدرس‌های مسدود شده در روسیه است._
 
+## ابزارهای جامعه
+
+ابزارها و یکپارچه‌سازی‌هایی که توسط جامعه پیرامون 3x-ui ساخته شده‌اند.
+
+- [terraform-provider-3x-ui](https://github.com/batonogov/terraform-provider-threexui) (مجوز: **MIT**): _مدیریت اینباندها، کلاینت‌ها، تنظیمات پنل و پیکربندی Xray به‌صورت کد با Terraform / OpenTofu._
+
 ## پشتیبانی از پروژه
 
 **اگر این پروژه برای شما مفید است، می‌توانید به آن یک**:star2: بدهید
diff --git a/README.md b/README.md
index 4009acdb..c678ad92 100644
--- a/README.md
+++ b/README.md
@@ -39,6 +39,12 @@ For full documentation, please visit the [project Wiki](https://github.com/MHSan
 - [Iran v2ray rules](https://github.com/chocolate4u/Iran-v2ray-rules) (License: **GPL-3.0**): _Enhanced v2ray/xray and v2ray/xray-clients routing rules with built-in Iranian domains and a focus on security and adblocking._
 - [Russia v2ray rules](https://github.com/runetfreedom/russia-v2ray-rules-dat) (License: **GPL-3.0**): _This repository contains automatically updated V2Ray routing rules based on data on blocked domains and addresses in Russia._
 
+## Community Tools
+
+Tools and integrations built by the community around 3x-ui.
+
+- [terraform-provider-3x-ui](https://github.com/batonogov/terraform-provider-threexui) (License: **MIT**): _Manage inbounds, clients, panel settings, and Xray configuration as code with Terraform / OpenTofu._
+
 ## Support project
 
 **If this project is helpful to you, you may wish to give it a**:star2:
diff --git a/README.ru_RU.md b/README.ru_RU.md
index 8ec606a7..d303a306 100644
--- a/README.ru_RU.md
+++ b/README.ru_RU.md
@@ -39,6 +39,12 @@ bash <(curl -Ls https://raw.githubusercontent.com/mhsanaei/3x-ui/master/install.
 - [Iran v2ray rules](https://github.com/chocolate4u/Iran-v2ray-rules) (Лицензия: **GPL-3.0**): _Улучшенные правила маршрутизации для v2ray/xray и v2ray/xray-clients со встроенными иранскими доменами и фокусом на безопасность и блокировку рекламы._
 - [Russia v2ray rules](https://github.com/runetfreedom/russia-v2ray-rules-dat) (Лицензия: **GPL-3.0**): _Этот репозиторий содержит автоматически обновляемые правила маршрутизации V2Ray на основе данных о заблокированных доменах и адресах в России._
 
+## Инструменты сообщества
+
+Инструменты и интеграции, созданные сообществом вокруг 3x-ui.
+
+- [terraform-provider-3x-ui](https://github.com/batonogov/terraform-provider-threexui) (Лицензия: **MIT**): _Управление входящими, клиентами, настройками панели и конфигурацией Xray через код с помощью Terraform / OpenTofu._
+
 ## Поддержка проекта
 
 **Если этот проект полезен для вас, вы можете поставить ему**:star2:
diff --git a/README.zh_CN.md b/README.zh_CN.md
index 12c7f9cb..731cf785 100644
--- a/README.zh_CN.md
+++ b/README.zh_CN.md
@@ -39,6 +39,12 @@ bash <(curl -Ls https://raw.githubusercontent.com/mhsanaei/3x-ui/master/install.
 - [Iran v2ray rules](https://github.com/chocolate4u/Iran-v2ray-rules) (许可证: **GPL-3.0**): _增强的 v2ray/xray 和 v2ray/xray-clients 路由规则，内置伊朗域名，专注于安全性和广告拦截。_
 - [Russia v2ray rules](https://github.com/runetfreedom/russia-v2ray-rules-dat) (许可证: **GPL-3.0**): _此仓库包含基于俄罗斯被阻止域名和地址数据自动更新的 V2Ray 路由规则。_
 
+## 社区工具
+
+社区围绕 3x-ui 构建的工具和集成。
+
+- [terraform-provider-3x-ui](https://github.com/batonogov/terraform-provider-threexui) (许可证: **MIT**): _使用 Terraform / OpenTofu 通过代码管理入站、客户端、面板设置和 Xray 配置。_
+
 ## 支持项目
 
 **如果这个项目对您有帮助，您可以给它一个**:star2:

From e4218a1029a762a224abf0fdd07856a9adfaee11 Mon Sep 17 00:00:00 2001
From: MHSanaei <ho3ein.sanaei@gmail.com>
Date: Thu, 14 May 2026 17:40:40 +0200
Subject: [PATCH 06/16] feat: click QR to copy/save image instead of link text

---
 frontend/src/pages/inbounds/QrPanel.vue | 69 +++++++++++++++++++++++--
 1 file changed, 65 insertions(+), 4 deletions(-)

diff --git a/frontend/src/pages/inbounds/QrPanel.vue b/frontend/src/pages/inbounds/QrPanel.vue
index 4535137a..dae967f9 100644
--- a/frontend/src/pages/inbounds/QrPanel.vue
+++ b/frontend/src/pages/inbounds/QrPanel.vue
@@ -1,6 +1,7 @@
 <script setup>
+import { ref } from 'vue';
 import { useI18n } from 'vue-i18n';
-import { CopyOutlined, DownloadOutlined } from '@ant-design/icons-vue';
+import { CopyOutlined, DownloadOutlined, PictureOutlined } from '@ant-design/icons-vue';
 import { message } from 'ant-design-vue';
 
 import { ClipboardManager, FileManager } from '@/utils';
@@ -15,6 +16,8 @@ const props = defineProps({
   showQr: { type: Boolean, default: true },
 });
 
+const qrRef = ref(null);
+
 async function copy() {
   const ok = await ClipboardManager.copyText(props.value);
   if (ok) message.success(t('copied'));
@@ -24,6 +27,55 @@ function download() {
   if (!props.downloadName) return;
   FileManager.downloadTextFile(props.value, props.downloadName);
 }
+
+function svgToPngBlob(size = 360) {
+  const svgEl = qrRef.value?.querySelector('svg');
+  if (!svgEl) return Promise.resolve(null);
+  const svgData = new XMLSerializer().serializeToString(svgEl);
+  const svgBlob = new Blob([svgData], { type: 'image/svg+xml;charset=utf-8' });
+  const url = URL.createObjectURL(svgBlob);
+  return new Promise((resolve) => {
+    const img = new Image();
+    img.onload = () => {
+      const canvas = document.createElement('canvas');
+      canvas.width = size;
+      canvas.height = size;
+      const ctx = canvas.getContext('2d');
+      ctx.fillStyle = '#ffffff';
+      ctx.fillRect(0, 0, size, size);
+      ctx.drawImage(img, 0, 0, size, size);
+      URL.revokeObjectURL(url);
+      canvas.toBlob(resolve, 'image/png');
+    };
+    img.onerror = () => { URL.revokeObjectURL(url); resolve(null); };
+    img.src = url;
+  });
+}
+
+async function copyImage() {
+  const blob = await svgToPngBlob(props.size);
+  if (!blob) return;
+  try {
+    await navigator.clipboard.write([new ClipboardItem({ 'image/png': blob })]);
+    message.success(t('copied'));
+  } catch {
+    downloadImageBlob(blob);
+  }
+}
+
+function downloadImageBlob(blob) {
+  const url = URL.createObjectURL(blob);
+  const link = document.createElement('a');
+  link.href = url;
+  link.download = `${props.remark || 'qrcode'}.png`;
+  link.click();
+  URL.revokeObjectURL(url);
+}
+
+async function downloadImage() {
+  const blob = await svgToPngBlob(props.size);
+  if (blob) downloadImageBlob(blob);
+}
 </script>
 
 <template>
@@ -37,6 +89,13 @@ function download() {
           </template>
         </a-button>
       </a-tooltip>
+      <a-tooltip v-if="showQr" :title="t('downloadImage', 'Download Image')">
+        <a-button size="small" @click="downloadImage">
+          <template #icon>
+            <PictureOutlined />
+          </template>
+        </a-button>
+      </a-tooltip>
       <a-tooltip v-if="downloadName" :title="t('download')">
         <a-button size="small" @click="download">
           <template #icon>
@@ -45,9 +104,11 @@ function download() {
         </a-button>
       </a-tooltip>
     </div>
-    <div v-if="showQr" class="qr-panel-canvas">
-      <a-qrcode class="qr-code" :value="value" :size="size" type="svg" :bordered="false"
-        color="#000000" bg-color="#ffffff" :title="t('copy')" @click="copy" />
+    <div v-if="showQr" ref="qrRef" class="qr-panel-canvas">
+      <a-tooltip :title="t('copy')">
+        <a-qrcode class="qr-code" :value="value" :size="size" type="svg" :bordered="false" color="#000000"
+          bg-color="#ffffff" @click="copyImage" />
+      </a-tooltip>
     </div>
   </div>
 </template>

From 9b0fd047cb52742d171346fde88ace3f8d05a55c Mon Sep 17 00:00:00 2001
From: MHSanaei <ho3ein.sanaei@gmail.com>
Date: Thu, 14 May 2026 17:46:24 +0200
Subject: [PATCH 07/16] fix: guard certificate and key against undefined before
 join

---
 frontend/src/models/inbound.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/frontend/src/models/inbound.js b/frontend/src/models/inbound.js
index 29b0057a..cd789023 100644
--- a/frontend/src/models/inbound.js
+++ b/frontend/src/models/inbound.js
@@ -827,8 +827,8 @@ TlsStreamSettings.Cert = class extends XrayCommonClass {
         } else {
             return new TlsStreamSettings.Cert(
                 false, '', '',
-                json.certificate.join('\n'),
-                json.key.join('\n'),
+                Array.isArray(json.certificate) ? json.certificate.join('\n') : (json.certificate ?? ''),
+                Array.isArray(json.key) ? json.key.join('\n') : (json.key ?? ''),
                 json.oneTimeLoading,
                 json.usage,
                 json.buildChain,

From f3c7660f849cfd4a44a21b5ecd1e7d2bfeac5338 Mon Sep 17 00:00:00 2001
From: Abdalrahman <ug_31107079@ics.tanta.edu.eg>
Date: Thu, 14 May 2026 19:53:04 +0300
Subject: [PATCH 08/16] fix: correct Hysteria2 Obfs password label to Auth
 password (#4388)

The Obfs password field in the Hysteria2 stream settings tab was incorrectly
labeled. It binds to hysteriaSettings.auth (the server-wide authentication
password), not to the salamander obfuscation password. Per Xray-core docs,
Hysteria2 salamander obfuscation belongs in finalmask.udp[].salamander.password,
which is correctly handled by the FinalMaskForm (UDP Masks section).

Fixed the label to Auth password with an accurate tooltip explaining that
salamander obfuscation is configured via the UDP Masks section below.
---
 frontend/src/pages/inbounds/InboundFormModal.vue | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/frontend/src/pages/inbounds/InboundFormModal.vue b/frontend/src/pages/inbounds/InboundFormModal.vue
index 022693ec..b7815d2a 100644
--- a/frontend/src/pages/inbounds/InboundFormModal.vue
+++ b/frontend/src/pages/inbounds/InboundFormModal.vue
@@ -1836,8 +1836,8 @@ watch(
             </a-form-item>
             <a-form-item>
               <template #label>
-                <a-tooltip title="Obfuscation password. Must match between server and client.">
-                  Obfs password
+                <a-tooltip title="Hysteria server authentication password. Overridden by per-client auth when clients are configured. Obfuscation (salamander) is configured via UDP Masks below.">
+                  Auth password
                 </a-tooltip>
               </template>
               <a-input v-model:value="inbound.stream.hysteria.auth" />

From 05b68c3b1346c5c07faa407920ddcb3520403ed9 Mon Sep 17 00:00:00 2001
From: MHSanaei <ho3ein.sanaei@gmail.com>
Date: Thu, 14 May 2026 19:28:09 +0200
Subject: [PATCH 09/16] fix: remove Auth password

#4388
---
 frontend/src/pages/inbounds/InboundFormModal.vue | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/frontend/src/pages/inbounds/InboundFormModal.vue b/frontend/src/pages/inbounds/InboundFormModal.vue
index b7815d2a..c01b8323 100644
--- a/frontend/src/pages/inbounds/InboundFormModal.vue
+++ b/frontend/src/pages/inbounds/InboundFormModal.vue
@@ -1834,14 +1834,6 @@ watch(
               </template>
               <a-input-number v-model:value="inbound.stream.hysteria.version" :min="2" :max="2" />
             </a-form-item>
-            <a-form-item>
-              <template #label>
-                <a-tooltip title="Hysteria server authentication password. Overridden by per-client auth when clients are configured. Obfuscation (salamander) is configured via UDP Masks below.">
-                  Auth password
-                </a-tooltip>
-              </template>
-              <a-input v-model:value="inbound.stream.hysteria.auth" />
-            </a-form-item>
             <a-form-item>
               <template #label>
                 <a-tooltip title="Idle timeout (seconds) for a single QUIC native UDP connection.">

From b79abc8bc99e64af29116af07891a7f4c7056b3a Mon Sep 17 00:00:00 2001
From: MHSanaei <ho3ein.sanaei@gmail.com>
Date: Thu, 14 May 2026 20:32:38 +0200
Subject: [PATCH 10/16] refactor: remove legacy advancedJson state

---
 .../src/pages/inbounds/InboundFormModal.vue   | 358 ++++++++++++++++--
 1 file changed, 327 insertions(+), 31 deletions(-)

diff --git a/frontend/src/pages/inbounds/InboundFormModal.vue b/frontend/src/pages/inbounds/InboundFormModal.vue
index c01b8323..45351144 100644
--- a/frontend/src/pages/inbounds/InboundFormModal.vue
+++ b/frontend/src/pages/inbounds/InboundFormModal.vue
@@ -70,8 +70,11 @@ const FLOW_OPTIONS = Object.values(TLS_FLOW_CONTROL);
 const inbound = ref(null);
 const dbForm = ref(null);
 const saving = ref(false);
-const advancedJson = ref({ stream: '', sniffing: '', settings: '' });
+const advancedStreamText = ref('');
+const advancedSniffingText = ref('');
+const advancedSettingsText = ref('');
 const activeTabKey = ref('basic');
+const advancedSectionKey = ref('all');
 // Cached default cert/key paths from /panel/setting/defaultSettings —
 // powers the "Set default cert" button on the TLS form.
 const defaultCert = ref('');
@@ -224,13 +227,13 @@ function freshDbForm() {
 function primeAdvancedJson() {
   if (!inbound.value) return;
   try {
-    advancedJson.value.stream = JSON.stringify(JSON.parse(inbound.value.stream.toString()), null, 2);
+    advancedStreamText.value = JSON.stringify(JSON.parse(inbound.value.stream.toString()), null, 2);
   } catch (_e) { /* keep prior text */ }
   try {
-    advancedJson.value.sniffing = JSON.stringify(JSON.parse(inbound.value.sniffing.toString()), null, 2);
+    advancedSniffingText.value = JSON.stringify(JSON.parse(inbound.value.sniffing.toString()), null, 2);
   } catch (_e) { /* keep prior text */ }
   try {
-    advancedJson.value.settings = JSON.stringify(JSON.parse(inbound.value.settings.toString()), null, 2);
+    advancedSettingsText.value = JSON.stringify(JSON.parse(inbound.value.settings.toString()), null, 2);
   } catch (_e) { /* keep prior text */ }
 }
 
@@ -244,6 +247,7 @@ watch(() => props.open, (next) => {
     primeAdvancedJson();
   }
   activeTabKey.value = 'basic';
+  advancedSectionKey.value = 'all';
   fetchDefaultCertSettings();
 });
 
@@ -253,18 +257,18 @@ function applyAdvancedJsonToBasic() {
   let parsedStream;
   let parsedSniffing;
   try {
-    parsedSettings = advancedJson.value.settings.trim()
-      ? JSON.parse(advancedJson.value.settings)
+    parsedSettings = advancedSettingsText.value.trim()
+      ? JSON.parse(advancedSettingsText.value)
       : inbound.value.settings?.toJson?.();
   } catch (e) { message.error(`Settings JSON invalid: ${e.message}`); return false; }
   try {
-    parsedStream = advancedJson.value.stream.trim()
-      ? JSON.parse(advancedJson.value.stream)
+    parsedStream = advancedStreamText.value.trim()
+      ? JSON.parse(advancedStreamText.value)
       : inbound.value.stream?.toJson?.();
   } catch (e) { message.error(`Stream JSON invalid: ${e.message}`); return false; }
   try {
-    parsedSniffing = advancedJson.value.sniffing.trim()
-      ? JSON.parse(advancedJson.value.sniffing)
+    parsedSniffing = advancedSniffingText.value.trim()
+      ? JSON.parse(advancedSniffingText.value)
       : inbound.value.sniffing?.toJson?.();
   } catch (e) { message.error(`Sniffing JSON invalid: ${e.message}`); return false; }
 
@@ -324,6 +328,203 @@ function onNetworkChange(next) {
   }
 }
 
+function parseAdvancedSliceOrFallback(rawText, fallbackValue) {
+  if (!rawText?.trim()) return fallbackValue;
+  return JSON.parse(rawText);
+}
+
+function unwrapWrappedObject(parsed, key) {
+  if (
+    parsed
+    && typeof parsed === 'object'
+    && !Array.isArray(parsed)
+    && parsed[key] !== undefined
+  ) {
+    return parsed[key];
+  }
+  return parsed;
+}
+
+const advancedAllConfig = computed({
+  get: () => {
+    if (!inbound.value) return '';
+    try {
+      const settings = parseAdvancedSliceOrFallback(
+        advancedSettingsText.value,
+        inbound.value.settings?.toJson?.() || {},
+      );
+      const streamSettings = parseAdvancedSliceOrFallback(
+        advancedStreamText.value,
+        inbound.value.stream?.toJson?.() || {},
+      );
+      const sniffing = parseAdvancedSliceOrFallback(
+        advancedSniffingText.value,
+        inbound.value.sniffing?.toJson?.() || {},
+      );
+      return JSON.stringify({
+        listen: inbound.value.listen,
+        port: inbound.value.port,
+        protocol: inbound.value.protocol,
+        settings,
+        sniffing,
+        streamSettings,
+        tag: inbound.value.tag,
+      }, null, 2);
+    } catch (_e) {
+      return '';
+    }
+  },
+  set: (next) => {
+    let parsed;
+    try {
+      parsed = JSON.parse(next);
+    } catch (e) {
+      message.error(`All JSON invalid: ${e.message}`);
+      return;
+    }
+    if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) {
+      message.error('All JSON must be an inbound object.');
+      return;
+    }
+
+    try {
+      if (typeof parsed.listen === 'string') {
+        inbound.value.listen = parsed.listen;
+      }
+      if (parsed.port !== undefined) {
+        const parsedPort = Number(parsed.port);
+        if (!Number.isNaN(parsedPort) && Number.isFinite(parsedPort)) {
+          inbound.value.port = parsedPort;
+        }
+      }
+      if (typeof parsed.protocol === 'string' && PROTOCOLS.includes(parsed.protocol)) {
+        inbound.value.protocol = parsed.protocol;
+      }
+      if (typeof parsed.tag === 'string') {
+        inbound.value.tag = parsed.tag;
+      }
+
+      const existingSettings = parseAdvancedSliceOrFallback(
+        advancedSettingsText.value,
+        inbound.value?.settings?.toJson?.() || {},
+      );
+      const settings = parsed.settings ?? existingSettings;
+      const streamSettings = parsed.streamSettings ?? (inbound.value?.stream?.toJson?.() || {});
+      const sniffing = parsed.sniffing ?? (inbound.value?.sniffing?.toJson?.() || {});
+      advancedSettingsText.value = JSON.stringify(settings, null, 2);
+      advancedStreamText.value = JSON.stringify(streamSettings, null, 2);
+      advancedSniffingText.value = JSON.stringify(sniffing, null, 2);
+    } catch (e) {
+      message.error(`All JSON invalid: ${e.message}`);
+    }
+  },
+});
+
+const advancedSettingsConfig = computed({
+  get: () => {
+    if (!inbound.value) return '';
+    try {
+      const settings = parseAdvancedSliceOrFallback(
+        advancedSettingsText.value,
+        inbound.value.settings?.toJson?.() || {},
+      );
+      return JSON.stringify({
+        settings,
+      }, null, 2);
+    } catch (_e) {
+      return '';
+    }
+  },
+  set: (next) => {
+    let parsed;
+    try {
+      parsed = JSON.parse(next);
+    } catch (e) {
+      message.error(`Settings JSON invalid: ${e.message}`);
+      return;
+    }
+    const unwrapped = unwrapWrappedObject(parsed, 'settings');
+    if (!unwrapped || typeof unwrapped !== 'object' || Array.isArray(unwrapped)) {
+      message.error('Settings JSON must be an object or { settings: { ... } }.');
+      return;
+    }
+
+    try {
+      advancedSettingsText.value = JSON.stringify(unwrapped, null, 2);
+    } catch (e) {
+      message.error(`Settings JSON invalid: ${e.message}`);
+    }
+  },
+});
+
+const advancedSniffingConfig = computed({
+  get: () => {
+    if (!inbound.value) return '';
+    try {
+      const sniffing = parseAdvancedSliceOrFallback(
+        advancedSniffingText.value,
+        inbound.value.sniffing?.toJson?.() || {},
+      );
+      return JSON.stringify({ sniffing }, null, 2);
+    } catch (_e) {
+      return '';
+    }
+  },
+  set: (next) => {
+    let parsed;
+    try {
+      parsed = JSON.parse(next);
+    } catch (e) {
+      message.error(`Sniffing JSON invalid: ${e.message}`);
+      return;
+    }
+    const unwrapped = unwrapWrappedObject(parsed, 'sniffing');
+    if (!unwrapped || typeof unwrapped !== 'object' || Array.isArray(unwrapped)) {
+      message.error('Sniffing JSON must be an object or { sniffing: { ... } }.');
+      return;
+    }
+    try {
+      advancedSniffingText.value = JSON.stringify(unwrapped, null, 2);
+    } catch (e) {
+      message.error(`Sniffing JSON invalid: ${e.message}`);
+    }
+  },
+});
+
+const advancedStreamConfig = computed({
+  get: () => {
+    if (!inbound.value) return '';
+    try {
+      const streamSettings = parseAdvancedSliceOrFallback(
+        advancedStreamText.value,
+        inbound.value.stream?.toJson?.() || {},
+      );
+      return JSON.stringify({ streamSettings }, null, 2);
+    } catch (_e) {
+      return '';
+    }
+  },
+  set: (next) => {
+    let parsed;
+    try {
+      parsed = JSON.parse(next);
+    } catch (e) {
+      message.error(`Stream JSON invalid: ${e.message}`);
+      return;
+    }
+    const unwrapped = unwrapWrappedObject(parsed, 'streamSettings');
+    if (!unwrapped || typeof unwrapped !== 'object' || Array.isArray(unwrapped)) {
+      message.error('Stream JSON must be an object or { streamSettings: { ... } }.');
+      return;
+    }
+    try {
+      advancedStreamText.value = JSON.stringify(unwrapped, null, 2);
+    } catch (e) {
+      message.error(`Stream JSON invalid: ${e.message}`);
+    }
+  },
+});
+
 // === Random helpers wired to the form's sync icons ==================
 function randomEmail(target) {
   if (target) target.email = RandomUtil.randomLowerAndNum(9);
@@ -525,16 +726,16 @@ async function submit() {
     let settings;
     try {
       streamSettings = canEnableStream.value
-        ? JSON.stringify(JSON.parse(advancedJson.value.stream))
+        ? JSON.stringify(JSON.parse(advancedStreamText.value))
         : (inbound.value.stream?.sockopt
           ? JSON.stringify({ sockopt: inbound.value.stream.sockopt.toJson() })
           : '');
     } catch (e) { message.error(`Stream JSON invalid: ${e.message}`); return; }
     try {
-      sniffing = JSON.stringify(JSON.parse(advancedJson.value.sniffing || inbound.value.sniffing.toString()));
+      sniffing = JSON.stringify(JSON.parse(advancedSniffingText.value || inbound.value.sniffing.toString()));
     } catch (e) { message.error(`Sniffing JSON invalid: ${e.message}`); return; }
     try {
-      settings = JSON.stringify(JSON.parse(advancedJson.value.settings || inbound.value.settings.toString()));
+      settings = JSON.stringify(JSON.parse(advancedSettingsText.value || inbound.value.settings.toString()));
     } catch (e) { message.error(`Settings JSON invalid: ${e.message}`); return; }
 
     // The structured form mutates `inbound.stream` directly when the
@@ -598,7 +799,7 @@ watch(
   () => {
     if (!inbound.value?.stream) return;
     try {
-      advancedJson.value.stream = JSON.stringify(JSON.parse(inbound.value.stream.toString()), null, 2);
+      advancedStreamText.value = JSON.stringify(JSON.parse(inbound.value.stream.toString()), null, 2);
     } catch (_e) { /* leave as is */ }
   },
 );
@@ -607,7 +808,7 @@ watch(
   () => {
     if (!inbound.value?.sniffing) return;
     try {
-      advancedJson.value.sniffing = JSON.stringify(JSON.parse(inbound.value.sniffing.toString()), null, 2);
+      advancedSniffingText.value = JSON.stringify(JSON.parse(inbound.value.sniffing.toString()), null, 2);
     } catch (_e) { /* leave as is */ }
   },
 );
@@ -616,7 +817,7 @@ watch(
   () => {
     if (!inbound.value?.settings) return;
     try {
-      advancedJson.value.settings = JSON.stringify(JSON.parse(inbound.value.settings.toString()), null, 2);
+      advancedSettingsText.value = JSON.stringify(JSON.parse(inbound.value.settings.toString()), null, 2);
     } catch (_e) { /* leave as is */ }
   },
 );
@@ -1005,7 +1206,7 @@ watch(
           <a-form-item>
             <template #label>
               <a-tooltip
-                title='Physical interface for outbound traffic. Use "auto" to detect; auto-enabled when Auto system routes is set.'>
+                title="Physical interface for outbound traffic. Use 'auto' to detect; auto-enabled when Auto system routes is set.">
                 Auto outbounds interface
               </a-tooltip>
             </template>
@@ -1944,20 +2145,48 @@ watch(
 
       <!-- ============================== ADVANCED ============================== -->
       <a-tab-pane key="advanced" :tab="t('pages.xray.advancedTemplate')">
-        <a-alert type="info" show-icon
-          message="Edit raw stream JSON to access advanced fields we don't yet expose through the form."
-          class="mb-12" />
-        <a-form layout="vertical">
-          <a-form-item label="settings (clients, encryption, fallbacks, …)">
-            <JsonEditor v-model:value="advancedJson.settings" min-height="280px" max-height="520px" />
-          </a-form-item>
-          <a-form-item label="streamSettings">
-            <JsonEditor v-model:value="advancedJson.stream" min-height="280px" max-height="520px" />
-          </a-form-item>
-          <a-form-item label="sniffing (overrides the Sniffing tab when set)">
-            <JsonEditor v-model:value="advancedJson.sniffing" min-height="180px" max-height="360px" />
-          </a-form-item>
-        </a-form>
+        <div class="advanced-shell">
+          <div class="advanced-panel">
+            <div class="advanced-panel__header">
+              <div>
+                <div class="advanced-panel__title">Inbound JSON sections</div>
+                <div class="advanced-panel__subtitle">
+                  Full inbound JSON and focused editors for settings, sniffing, and streamSettings.
+                </div>
+              </div>
+            </div>
+
+            <a-tabs v-model:active-key="advancedSectionKey" class="advanced-inner-tabs">
+              <a-tab-pane key="all" tab="All">
+                <div class="advanced-editor-meta">
+                  Full inbound object with all fields in one editor.
+                </div>
+                <JsonEditor v-model:value="advancedAllConfig" min-height="340px" max-height="560px" />
+              </a-tab-pane>
+              <a-tab-pane key="settings" tab="Settings">
+                <div class="advanced-editor-meta">
+                  Xray settings block wrapper:
+                  <code>{ settings: { ... } }</code>.
+                </div>
+                <JsonEditor v-model:value="advancedSettingsConfig" min-height="320px" max-height="540px" />
+              </a-tab-pane>
+              <a-tab-pane key="sniffingSection" tab="Sniffing">
+                <div class="advanced-editor-meta">
+                  Xray sniffing block wrapper:
+                  <code>{ sniffing: { ... } }</code>.
+                </div>
+                <JsonEditor v-model:value="advancedSniffingConfig" min-height="240px" max-height="420px" />
+              </a-tab-pane>
+              <a-tab-pane key="streamSection" tab="Stream">
+                <div class="advanced-editor-meta">
+                  Xray stream block wrapper:
+                  <code>{ streamSettings: { ... } }</code>.
+                </div>
+                <JsonEditor v-model:value="advancedStreamConfig" min-height="320px" max-height="540px" />
+              </a-tab-pane>
+            </a-tabs>
+          </div>
+        </div>
       </a-tab-pane>
     </a-tabs>
   </a-modal>
@@ -2033,6 +2262,73 @@ watch(
   margin-top: 4px;
 }
 
+.advanced-shell {
+  display: flex;
+  flex-direction: column;
+  gap: 12px;
+}
+
+.advanced-panel {
+  padding: 14px;
+  border: 1px solid rgba(128, 128, 128, 0.18);
+  border-radius: 12px;
+  background: rgba(128, 128, 128, 0.04);
+}
+
+.advanced-panel__header {
+  margin-bottom: 12px;
+}
+
+.advanced-panel__title {
+  font-size: 14px;
+  font-weight: 600;
+  line-height: 1.4;
+}
+
+.advanced-panel__subtitle {
+  margin-top: 4px;
+  color: rgba(0, 0, 0, 0.6);
+  line-height: 1.5;
+}
+
+.advanced-inner-tabs :deep(.ant-tabs-nav) {
+  margin-bottom: 12px;
+}
+
+.advanced-inner-tabs :deep(.ant-tabs-tab) {
+  padding-inline: 14px;
+}
+
+.advanced-editor-meta {
+  margin-bottom: 10px;
+  color: rgba(0, 0, 0, 0.65);
+  line-height: 1.5;
+}
+
+@media (max-width: 768px) {
+  .advanced-panel {
+    padding: 12px;
+    border-radius: 10px;
+  }
+
+  .advanced-inner-tabs :deep(.ant-tabs-tab) {
+    padding-inline: 10px;
+  }
+}
+
+:global(.dark) .advanced-panel__subtitle,
+:global(.dark) .advanced-editor-meta,
+:global(.ultra) .advanced-panel__subtitle,
+:global(.ultra) .advanced-editor-meta {
+  color: rgba(255, 255, 255, 0.65);
+}
+
+:global(.dark) .advanced-panel,
+:global(.ultra) .advanced-panel {
+  border-color: rgba(255, 255, 255, 0.12);
+  background: rgba(255, 255, 255, 0.03);
+}
+
 .section-heading {
   font-weight: 500;
   margin: 12px 0 6px;

From 6badd829df54744b7813a4188f441c755a18605b Mon Sep 17 00:00:00 2001
From: MHSanaei <ho3ein.sanaei@gmail.com>
Date: Thu, 14 May 2026 23:18:23 +0200
Subject: [PATCH 11/16] Remove streamSettings for protocols that don't support
 it

- Frontend: Only include streamSettings in toJson() for vmess, vless, trojan, shadowsocks, and hysteria protocols
- Frontend: Hide Stream tab in Advanced section for unsupported protocols
- Frontend: Clear streamSettings in Advanced tab when switching to unsupported protocols
- Frontend: Add CodeMirror JSON editor to config view in index page with mobile responsive design
- Backend: Add normalizeStreamSettings() to clear streamSettings for tunnel, mixed, http, tun, and wireguard protocols
- Backend: Apply normalization in AddInbound() and UpdateInbound()
- Backend: Add omitempty JSON tag to StreamSettings field to exclude null values from Xray config
---
 frontend/package-lock.json                    | 156 +++++++++---------
 frontend/src/models/inbound.js                |  17 +-
 .../src/pages/inbounds/InboundFormModal.vue   |  52 +++++-
 frontend/src/pages/index/IndexPage.vue        |  42 ++++-
 web/service/inbound.go                        |  23 +++
 xray/config.go                                |  12 +-
 xray/inbound.go                               |   4 +-
 7 files changed, 200 insertions(+), 106 deletions(-)

diff --git a/frontend/package-lock.json b/frontend/package-lock.json
index aa68ab6d..7da007d9 100644
--- a/frontend/package-lock.json
+++ b/frontend/package-lock.json
@@ -210,9 +210,9 @@
       }
     },
     "node_modules/@codemirror/view": {
-      "version": "6.42.1",
-      "resolved": "https://registry.npmjs.org/@codemirror/view/-/view-6.42.1.tgz",
-      "integrity": "sha512-ToN3oFc0nsxNUYVF5P0ztLgbC4UPPjPtA9aKYhkOKQaZASpOUo6ISXyQLP66ctVwlDc+j6Jv0uK5IFALkiXztg==",
+      "version": "6.43.0",
+      "resolved": "https://registry.npmjs.org/@codemirror/view/-/view-6.43.0.tgz",
+      "integrity": "sha512-V7ZCLQO3Jus9hzh2jVCCPW3mO4IBMr43O37PqSUYautJSnnJF41YlgLw21x0fLJTYvJ+Vkm6Gp+qKGH9pltgXA==",
       "license": "MIT",
       "dependencies": {
         "@codemirror/state": "^6.6.0",
@@ -610,9 +610,9 @@
       }
     },
     "node_modules/@oxc-project/types": {
-      "version": "0.129.0",
-      "resolved": "https://registry.npmjs.org/@oxc-project/types/-/types-0.129.0.tgz",
-      "integrity": "sha512-3oz8m3FGdr2nDXVqmFUw7jolKliC4MoyXYIG2c7gpjBnzUWQpUGIYcXYKxTdTi+N2jusvt610ckTMkxdwHkYEg==",
+      "version": "0.130.0",
+      "resolved": "https://registry.npmjs.org/@oxc-project/types/-/types-0.130.0.tgz",
+      "integrity": "sha512-ibD2usx9JRu7f5pu2tMKMI4cpA4NgXJQoYRP4pQ7Pxmn1l6k/53qWtQWZayhYy3X4QZkt90Ot+mJEaeXouio6Q==",
       "dev": true,
       "license": "MIT",
       "funding": {
@@ -620,9 +620,9 @@
       }
     },
     "node_modules/@rolldown/binding-android-arm64": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/@rolldown/binding-android-arm64/-/binding-android-arm64-1.0.0.tgz",
-      "integrity": "sha512-TWMZnRLMe63C2Lhyicviu7ZHaU4kxa6PS3rofvc9GmcvptzNN11BcfQ4Sl7MwTOsisQoa2keB/EBdNCAnUo8vA==",
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-android-arm64/-/binding-android-arm64-1.0.1.tgz",
+      "integrity": "sha512-fJI3I0r3C3Oj/zdBCpaCmBRZYf07xpaq4yCfDDoSFm+beWNzbIl26puW8RraUdugoJw/95zerNOn6jasAhzSmg==",
       "cpu": [
         "arm64"
       ],
@@ -637,9 +637,9 @@
       }
     },
     "node_modules/@rolldown/binding-darwin-arm64": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/@rolldown/binding-darwin-arm64/-/binding-darwin-arm64-1.0.0.tgz",
-      "integrity": "sha512-6XcD+8k0gPVItNagEw78/qqcBDwKcwDYS8V2hRmVsfUSIrd8cWe/CBvRDI5toqFyPfj+FJr6t8U6Xj2P2prEew==",
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-darwin-arm64/-/binding-darwin-arm64-1.0.1.tgz",
+      "integrity": "sha512-cKnAhWEsV7TPcA/5EAteDp6KcJZBQ2G+BqE7zayMMi7kMvwRsbv7WT9aOnn0WNl4SKEIf43vjS31iUPu80nzXg==",
       "cpu": [
         "arm64"
       ],
@@ -654,9 +654,9 @@
       }
     },
     "node_modules/@rolldown/binding-darwin-x64": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/@rolldown/binding-darwin-x64/-/binding-darwin-x64-1.0.0.tgz",
-      "integrity": "sha512-iN/tWVXRQDWvmZlKdceP1Dwug9GDpEymhb9p4xnEe6zvCg5lFmzVljl+1qR1NVx3yfGpr2Na+CuLmv5IU8uzfQ==",
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-darwin-x64/-/binding-darwin-x64-1.0.1.tgz",
+      "integrity": "sha512-YKrVwQjIRBPo+5G/u03wGjbdy4q7pyzCe93DK9VJ7zkVmeg8LJ7GbgsiHWdR4xSoe4CAXRD7Bcjgbtr64bkXNg==",
       "cpu": [
         "x64"
       ],
@@ -671,9 +671,9 @@
       }
     },
     "node_modules/@rolldown/binding-freebsd-x64": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/@rolldown/binding-freebsd-x64/-/binding-freebsd-x64-1.0.0.tgz",
-      "integrity": "sha512-jjQMDvvwSOuhOwMszD/klSOjyWMM3zI64hWTj9KT5x4MxRbZAf+7vLQ6qouRhtsLVFHr3f0ILaJAfgENPiQdAQ==",
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-freebsd-x64/-/binding-freebsd-x64-1.0.1.tgz",
+      "integrity": "sha512-z/oBsREo46SsFqBwYtFe0kpJeBijAT48O/WXLI4suiCLBkr03RTtTJMCzSdDd2znlh8VJizL09XVkQgk8IZonw==",
       "cpu": [
         "x64"
       ],
@@ -688,9 +688,9 @@
       }
     },
     "node_modules/@rolldown/binding-linux-arm-gnueabihf": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm-gnueabihf/-/binding-linux-arm-gnueabihf-1.0.0.tgz",
-      "integrity": "sha512-d//Dtg2x6/m3mbV64yUGNnDGNZaDGRpDLLNGerHQUVObuNaIQaaDp25yUiqGXtHEXX+NP2d0wAlmKgpYgIAJ2A==",
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm-gnueabihf/-/binding-linux-arm-gnueabihf-1.0.1.tgz",
+      "integrity": "sha512-ik8q7GM11zxvYxFc2PeDcT6TBvhCQMaUxfph/M5l9sKuTs/Sjg3L+Byw0F7w0ZVLBZmx30P+gG0ECzzN+MFcmQ==",
       "cpu": [
         "arm"
       ],
@@ -705,9 +705,9 @@
       }
     },
     "node_modules/@rolldown/binding-linux-arm64-gnu": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-1.0.0.tgz",
-      "integrity": "sha512-n7Ofp0mx+aB2cC+Sdy5YtMnXtY9lchnHbY+3Yt0uq9JsWQExf4f5Whu0tK0R8Jdc9S6RchTHjIFY7uc92puOVQ==",
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-1.0.1.tgz",
+      "integrity": "sha512-QoSx2EkyrrdZ6kcyE8stqZ62t0Yra8Fs5ia9lOxJrh6TMQJK7gQKmscdTHf7pOXKREKrVwOtJcQG3qVSfc866A==",
       "cpu": [
         "arm64"
       ],
@@ -725,9 +725,9 @@
       }
     },
     "node_modules/@rolldown/binding-linux-arm64-musl": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm64-musl/-/binding-linux-arm64-musl-1.0.0.tgz",
-      "integrity": "sha512-EIVjy2cgd7uuMMo94FVkBp7F6DhcZAUwNURkSG3RwUmvAXR6s0ISxM81U+IydcZByPG0pZIHsf1b6kTxoFDgJA==",
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm64-musl/-/binding-linux-arm64-musl-1.0.1.tgz",
+      "integrity": "sha512-uwNwFpwKeNiZawfAWBgg0VIztPTV3ihhh1vV334h9ivnNLorxnQMU6Fz8wG1Zb4Qh9LC1/MkcyT3YlDXG3Rsgg==",
       "cpu": [
         "arm64"
       ],
@@ -745,9 +745,9 @@
       }
     },
     "node_modules/@rolldown/binding-linux-ppc64-gnu": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-ppc64-gnu/-/binding-linux-ppc64-gnu-1.0.0.tgz",
-      "integrity": "sha512-JEwwOPcwTLAcpDQlqSmjEmfs63xJnSiUNIGvLcDLUHCWK4XowpS/7c7tUsUH6uT/ct6bMUTdXKfI8967FYj6mg==",
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-ppc64-gnu/-/binding-linux-ppc64-gnu-1.0.1.tgz",
+      "integrity": "sha512-zY1bul7OWr7DFBiJ++wofXvnr8B45ce3QsQUhKrIhXsygAh7bTkwyeM1bi1a2g5C/yC/N8TZyGDEoMfm/l9mpg==",
       "cpu": [
         "ppc64"
       ],
@@ -765,9 +765,9 @@
       }
     },
     "node_modules/@rolldown/binding-linux-s390x-gnu": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-s390x-gnu/-/binding-linux-s390x-gnu-1.0.0.tgz",
-      "integrity": "sha512-0wjCFhLrihtAubnT9iA0N++0pSV0z5Hg7tNGdNJ4RFaINceHadoF+kiFGyY1qSSNVIAZtLotG8Ju1bgDPkjnFA==",
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-s390x-gnu/-/binding-linux-s390x-gnu-1.0.1.tgz",
+      "integrity": "sha512-0frlsT/f4Ft6I7SMESTKnF3cZsdicQn1dCMkF/jT9wDLE+gGoiQfv1nmT9e+s7s/fekvvy6tZM2jHvI2tkbJDQ==",
       "cpu": [
         "s390x"
       ],
@@ -785,9 +785,9 @@
       }
     },
     "node_modules/@rolldown/binding-linux-x64-gnu": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-x64-gnu/-/binding-linux-x64-gnu-1.0.0.tgz",
-      "integrity": "sha512-Dfn7iak9BcMMePxcoJfpSbWqnEyrp/dRF63/8qW/eHBdOZov6x5aShLLEYGYdIeSJ6vMLK/XCVB+lGIxm41bQA==",
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-x64-gnu/-/binding-linux-x64-gnu-1.0.1.tgz",
+      "integrity": "sha512-XABVmGp9Tg0WspTVvwduTc4fpqy6JnAUrSQe6OuyqD/03nI7r0O9OWUkMIwFrjKAIqolvqoA4ZrJppgwE0Gxmw==",
       "cpu": [
         "x64"
       ],
@@ -805,9 +805,9 @@
       }
     },
     "node_modules/@rolldown/binding-linux-x64-musl": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-x64-musl/-/binding-linux-x64-musl-1.0.0.tgz",
-      "integrity": "sha512-5/utzzDmD/pD/bmuaUcbTf/sZYy0aztwIVlfpoW1fTjCZ0BaPOMVWGZL1zvgxyi7ZIVYWlxKONHmSbHuiOh8Jw==",
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-x64-musl/-/binding-linux-x64-musl-1.0.1.tgz",
+      "integrity": "sha512-bV4fzswuzVcKD90o/VM6QqKxnxlDq0g2BISDLNVmxrnhpv1DDbyPhCIjYfvzYLV+MvkKKnQt2Q6AO86SEBULUQ==",
       "cpu": [
         "x64"
       ],
@@ -825,9 +825,9 @@
       }
     },
     "node_modules/@rolldown/binding-openharmony-arm64": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/@rolldown/binding-openharmony-arm64/-/binding-openharmony-arm64-1.0.0.tgz",
-      "integrity": "sha512-ouJs8VcUomfLfpbUECqFMRqdV4x6aeAK3MA4m6vTrJJjKyWTV5KnxZx7Jd9G+GlDaQQxubcba00x16OyJ1meig==",
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-openharmony-arm64/-/binding-openharmony-arm64-1.0.1.tgz",
+      "integrity": "sha512-/Mh0Zhq3OP7fVs0kcQHZP6lZEthMGTaSf8UBQYSFEZDWGXXlEC+nJ6EqenaK2t4LBXMe3A+K/G2BVXXdtOr4PQ==",
       "cpu": [
         "arm64"
       ],
@@ -842,9 +842,9 @@
       }
     },
     "node_modules/@rolldown/binding-wasm32-wasi": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/@rolldown/binding-wasm32-wasi/-/binding-wasm32-wasi-1.0.0.tgz",
-      "integrity": "sha512-E+oHKGiDA+lsKMmFtffDDw91EryDT7uJocrIuCHqhm6bCTM6xFK+3gaCkYOHfPwQr0cCNarSM2xaELoQDz9jJg==",
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-wasm32-wasi/-/binding-wasm32-wasi-1.0.1.tgz",
+      "integrity": "sha512-+1xc9X45l8ufsBAm6Gjvx2qDRIY9lTVt0cgWNcJ+1gdhXvkbxePA60yRTwSTuXL09CMhyJmjpV7E3NoyxbqFQQ==",
       "cpu": [
         "wasm32"
       ],
@@ -861,9 +861,9 @@
       }
     },
     "node_modules/@rolldown/binding-win32-arm64-msvc": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/@rolldown/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-1.0.0.tgz",
-      "integrity": "sha512-yYK02n8Rngo+gbm1y6G0+7jk1sJ/2Wt7K0me0Y7k/ErBpyf+LJ2gFpqWVTcRV1rUepBlQRmpgWkTQCiiwrK0Ow==",
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-1.0.1.tgz",
+      "integrity": "sha512-1D+UqZdfnuR+Jy1GgMJwi85bD40H21uNmOPRWQhw4oRSuolZ/B5rixZ45DK2KXOTCvmVCecauWgEhbw8bI7tOw==",
       "cpu": [
         "arm64"
       ],
@@ -878,9 +878,9 @@
       }
     },
     "node_modules/@rolldown/binding-win32-x64-msvc": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/@rolldown/binding-win32-x64-msvc/-/binding-win32-x64-msvc-1.0.0.tgz",
-      "integrity": "sha512-14bpChMahXRRXiTwahSl+zzHPW6qQTXtkMuJBFlbo+pqSAews2d4BdCSHfrJ/MBsCZtpmTafsY+1QhBzitcmdg==",
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-win32-x64-msvc/-/binding-win32-x64-msvc-1.0.1.tgz",
+      "integrity": "sha512-INAycaWuhlOK3wk4mRHGsdgwYWmd9cChdPdE9bwWmy6rn9VqVNYNFGhOdXrofXUxwHIncSiPNb8tNm8knDVIeQ==",
       "cpu": [
         "x64"
       ],
@@ -2715,14 +2715,14 @@
       "license": "MIT"
     },
     "node_modules/rolldown": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/rolldown/-/rolldown-1.0.0.tgz",
-      "integrity": "sha512-yD986aXDESFGS95spT1LAv0jssywP4npMEjmMHyN2/5+eE8qQJUype2AaKkRiLgBgyD0LFlubwAht7VmY8rGoA==",
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/rolldown/-/rolldown-1.0.1.tgz",
+      "integrity": "sha512-X0KQHljNnEkWNqqiz9zJrGunh1B0HgOxLXvnFpCOcadzcy5qohZ3tqMEUg00vncoRovXuK3ZqCT9KnnKzoInFQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@oxc-project/types": "=0.129.0",
-        "@rolldown/pluginutils": "1.0.0"
+        "@oxc-project/types": "=0.130.0",
+        "@rolldown/pluginutils": "^1.0.0"
       },
       "bin": {
         "rolldown": "bin/cli.mjs"
@@ -2731,27 +2731,27 @@
         "node": "^20.19.0 || >=22.12.0"
       },
       "optionalDependencies": {
-        "@rolldown/binding-android-arm64": "1.0.0",
-        "@rolldown/binding-darwin-arm64": "1.0.0",
-        "@rolldown/binding-darwin-x64": "1.0.0",
-        "@rolldown/binding-freebsd-x64": "1.0.0",
-        "@rolldown/binding-linux-arm-gnueabihf": "1.0.0",
-        "@rolldown/binding-linux-arm64-gnu": "1.0.0",
-        "@rolldown/binding-linux-arm64-musl": "1.0.0",
-        "@rolldown/binding-linux-ppc64-gnu": "1.0.0",
-        "@rolldown/binding-linux-s390x-gnu": "1.0.0",
-        "@rolldown/binding-linux-x64-gnu": "1.0.0",
-        "@rolldown/binding-linux-x64-musl": "1.0.0",
-        "@rolldown/binding-openharmony-arm64": "1.0.0",
-        "@rolldown/binding-wasm32-wasi": "1.0.0",
-        "@rolldown/binding-win32-arm64-msvc": "1.0.0",
-        "@rolldown/binding-win32-x64-msvc": "1.0.0"
+        "@rolldown/binding-android-arm64": "1.0.1",
+        "@rolldown/binding-darwin-arm64": "1.0.1",
+        "@rolldown/binding-darwin-x64": "1.0.1",
+        "@rolldown/binding-freebsd-x64": "1.0.1",
+        "@rolldown/binding-linux-arm-gnueabihf": "1.0.1",
+        "@rolldown/binding-linux-arm64-gnu": "1.0.1",
+        "@rolldown/binding-linux-arm64-musl": "1.0.1",
+        "@rolldown/binding-linux-ppc64-gnu": "1.0.1",
+        "@rolldown/binding-linux-s390x-gnu": "1.0.1",
+        "@rolldown/binding-linux-x64-gnu": "1.0.1",
+        "@rolldown/binding-linux-x64-musl": "1.0.1",
+        "@rolldown/binding-openharmony-arm64": "1.0.1",
+        "@rolldown/binding-wasm32-wasi": "1.0.1",
+        "@rolldown/binding-win32-arm64-msvc": "1.0.1",
+        "@rolldown/binding-win32-x64-msvc": "1.0.1"
       }
     },
     "node_modules/rolldown/node_modules/@rolldown/pluginutils": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/@rolldown/pluginutils/-/pluginutils-1.0.0.tgz",
-      "integrity": "sha512-aKs/3GSWyV0mrhNmt/96/Z3yczC3yvrzYATCiCXQebBsGyYzjNdUphRVLeJQ67ySKVXRfMxt2lm12pmXvbPFQQ==",
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/@rolldown/pluginutils/-/pluginutils-1.0.1.tgz",
+      "integrity": "sha512-2j9bGt5Jh8hj+vPtgzPtl72j0yRxHAyumoo6TNfAjsLB04UtpSvPbPcDcBMxz7n+9CYB0c1GxQFxYRg2jimqGw==",
       "dev": true,
       "license": "MIT"
     },
@@ -2964,16 +2964,16 @@
       "license": "MIT"
     },
     "node_modules/vite": {
-      "version": "8.0.12",
-      "resolved": "https://registry.npmjs.org/vite/-/vite-8.0.12.tgz",
-      "integrity": "sha512-w2dDofOWv2QB09ZITZBsvKTVAlYvPR4IAmrY/v0ir9KvLs0xybR7i48wxhM1/oyBWO34wPns+bPGw5ZrZqDpZg==",
+      "version": "8.0.13",
+      "resolved": "https://registry.npmjs.org/vite/-/vite-8.0.13.tgz",
+      "integrity": "sha512-MFtjBYgzmSxmgA4RAfjIyXWpGe1oALnjgUTzzV7QLx/TKxCzjtMH6Fd9/eVK+5Fg1qNoz5VAwsmMs/NofrmJvw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "lightningcss": "^1.32.0",
         "picomatch": "^4.0.4",
         "postcss": "^8.5.14",
-        "rolldown": "1.0.0",
+        "rolldown": "1.0.1",
         "tinyglobby": "^0.2.16"
       },
       "bin": {
diff --git a/frontend/src/models/inbound.js b/frontend/src/models/inbound.js
index cd789023..830dc9a9 100644
--- a/frontend/src/models/inbound.js
+++ b/frontend/src/models/inbound.js
@@ -2412,20 +2412,25 @@ export class Inbound extends XrayCommonClass {
     }
 
     toJson() {
-        let streamSettings;
-        if (this.canEnableStream() || this.stream?.sockopt) {
-            streamSettings = this.stream.toJson();
-        }
-        return {
+        // Only these protocols use streamSettings
+        const streamProtocols = [Protocols.VLESS, Protocols.VMESS, Protocols.TROJAN, Protocols.SHADOWSOCKS, Protocols.HYSTERIA];
+
+        const result = {
             port: this.port,
             listen: this.listen,
             protocol: this.protocol,
             settings: this.settings instanceof XrayCommonClass ? this.settings.toJson() : this.settings,
-            streamSettings: streamSettings,
             tag: this.tag,
             sniffing: this.sniffing.toJson(),
             clientStats: this.clientStats
         };
+
+        // Only add streamSettings if protocol supports it
+        if (streamProtocols.includes(this.protocol)) {
+            result.streamSettings = this.stream.toJson();
+        }
+
+        return result;
     }
 }
 
diff --git a/frontend/src/pages/inbounds/InboundFormModal.vue b/frontend/src/pages/inbounds/InboundFormModal.vue
index 45351144..5da9d341 100644
--- a/frontend/src/pages/inbounds/InboundFormModal.vue
+++ b/frontend/src/pages/inbounds/InboundFormModal.vue
@@ -226,9 +226,14 @@ function freshDbForm() {
 
 function primeAdvancedJson() {
   if (!inbound.value) return;
-  try {
-    advancedStreamText.value = JSON.stringify(JSON.parse(inbound.value.stream.toString()), null, 2);
-  } catch (_e) { /* keep prior text */ }
+  // Only set stream text for protocols that support it
+  if (canEnableStream.value) {
+    try {
+      advancedStreamText.value = JSON.stringify(JSON.parse(inbound.value.stream.toString()), null, 2);
+    } catch (_e) { /* keep prior text */ }
+  } else {
+    advancedStreamText.value = '{}';
+  }
   try {
     advancedSniffingText.value = JSON.stringify(JSON.parse(inbound.value.sniffing.toString()), null, 2);
   } catch (_e) { /* keep prior text */ }
@@ -361,15 +366,22 @@ const advancedAllConfig = computed({
         advancedSniffingText.value,
         inbound.value.sniffing?.toJson?.() || {},
       );
-      return JSON.stringify({
+
+      const result = {
         listen: inbound.value.listen,
         port: inbound.value.port,
         protocol: inbound.value.protocol,
         settings,
         sniffing,
-        streamSettings,
         tag: inbound.value.tag,
-      }, null, 2);
+      };
+
+      // Only include streamSettings for protocols that support it
+      if (canEnableStream.value) {
+        result.streamSettings = streamSettings;
+      }
+
+      return JSON.stringify(result, null, 2);
     } catch (_e) {
       return '';
     }
@@ -409,11 +421,17 @@ const advancedAllConfig = computed({
         inbound.value?.settings?.toJson?.() || {},
       );
       const settings = parsed.settings ?? existingSettings;
-      const streamSettings = parsed.streamSettings ?? (inbound.value?.stream?.toJson?.() || {});
       const sniffing = parsed.sniffing ?? (inbound.value?.sniffing?.toJson?.() || {});
       advancedSettingsText.value = JSON.stringify(settings, null, 2);
-      advancedStreamText.value = JSON.stringify(streamSettings, null, 2);
       advancedSniffingText.value = JSON.stringify(sniffing, null, 2);
+
+      // Only update stream settings if protocol supports it
+      if (canEnableStream.value) {
+        const streamSettings = parsed.streamSettings ?? (inbound.value?.stream?.toJson?.() || {});
+        advancedStreamText.value = JSON.stringify(streamSettings, null, 2);
+      } else {
+        advancedStreamText.value = '{}';
+      }
     } catch (e) {
       message.error(`All JSON invalid: ${e.message}`);
     }
@@ -798,6 +816,11 @@ watch(
   () => inbound.value && JSON.stringify(inbound.value.stream?.toJson?.() || {}),
   () => {
     if (!inbound.value?.stream) return;
+    // Only update stream text for protocols that support it
+    if (!canEnableStream.value) {
+      advancedStreamText.value = '{}';
+      return;
+    }
     try {
       advancedStreamText.value = JSON.stringify(JSON.parse(inbound.value.stream.toString()), null, 2);
     } catch (_e) { /* leave as is */ }
@@ -821,6 +844,17 @@ watch(
     } catch (_e) { /* leave as is */ }
   },
 );
+
+// Watch protocol changes to clear stream settings for protocols that don't support it
+watch(
+  () => inbound.value?.protocol,
+  () => {
+    if (!inbound.value) return;
+    if (!canEnableStream.value) {
+      advancedStreamText.value = '{}';
+    }
+  },
+);
 </script>
 
 <template>
@@ -2177,7 +2211,7 @@ watch(
                 </div>
                 <JsonEditor v-model:value="advancedSniffingConfig" min-height="240px" max-height="420px" />
               </a-tab-pane>
-              <a-tab-pane key="streamSection" tab="Stream">
+              <a-tab-pane v-if="canEnableStream" key="streamSection" tab="Stream">
                 <div class="advanced-editor-meta">
                   Xray stream block wrapper:
                   <code>{ streamSettings: { ... } }</code>.
diff --git a/frontend/src/pages/index/IndexPage.vue b/frontend/src/pages/index/IndexPage.vue
index 0551c2b6..fe918465 100644
--- a/frontend/src/pages/index/IndexPage.vue
+++ b/frontend/src/pages/index/IndexPage.vue
@@ -1,6 +1,7 @@
 <script setup>
 import { computed, onMounted, ref } from 'vue';
 import { useI18n } from 'vue-i18n';
+import { message } from 'ant-design-vue';
 import {
   BarsOutlined,
   ControlOutlined,
@@ -18,17 +19,18 @@ import {
   DesktopOutlined,
   DatabaseOutlined,
   ForkOutlined,
+  CopyOutlined,
 } from '@ant-design/icons-vue';
 
 const { t } = useI18n();
 
-import { HttpUtil, SizeFormatter, TimeFormatter } from '@/utils';
+import { HttpUtil, SizeFormatter, TimeFormatter, ClipboardManager, FileManager } from '@/utils';
 import { theme as themeState, antdThemeConfig } from '@/composables/useTheme.js';
 import { useStatus } from '@/composables/useStatus.js';
 import { useMediaQuery } from '@/composables/useMediaQuery.js';
 import AppSidebar from '@/components/AppSidebar.vue';
 import CustomStatistic from '@/components/CustomStatistic.vue';
-import TextModal from '@/components/TextModal.vue';
+import JsonEditor from '@/components/JsonEditor.vue';
 import StatusCard from './StatusCard.vue';
 import XrayStatusCard from './XrayStatusCard.vue';
 import PanelUpdateModal from './PanelUpdateModal.vue';
@@ -117,7 +119,7 @@ function openTelegram() {
 }
 
 // Legacy "Config" action — fetch the rendered xray config and show
-// it as JSON in the shared TextModal (same UX as main).
+// it as JSON in the config modal with syntax highlighting.
 async function openConfig() {
   loading.value = true;
   try {
@@ -129,6 +131,17 @@ async function openConfig() {
     loading.value = false;
   }
 }
+
+async function copyConfig() {
+  const ok = await ClipboardManager.copyText(configText.value || '');
+  if (ok) {
+    message.success('Copied');
+  }
+}
+
+function downloadConfig() {
+  FileManager.downloadTextFile(configText.value, 'config.json');
+}
 </script>
 
 <template>
@@ -360,8 +373,27 @@ async function openConfig() {
       <XrayMetricsModal v-model:open="xrayMetricsOpen" />
       <XrayLogModal v-model:open="xrayLogsOpen" />
       <VersionModal v-model:open="versionOpen" :status="status" @busy="setBusy" />
-      <TextModal v-model:open="configTextOpen" :title="t('pages.index.config')" :content="configText"
-        file-name="config.json" />
+
+      <a-modal v-model:open="configTextOpen" :title="t('pages.index.config')" :width="isMobile ? '100%' : '900px'"
+        :style="isMobile ? { top: '20px', maxWidth: 'calc(100vw - 16px)' } : {}" :closable="true">
+        <JsonEditor v-model:value="configText" :min-height="isMobile ? '300px' : '420px'"
+          :max-height="isMobile ? '500px' : '720px'" :readonly="true" />
+        <template #footer>
+          <a-button @click="downloadConfig" :size="isMobile ? 'small' : 'middle'">
+            <template #icon>
+              <CloudDownloadOutlined />
+            </template>
+            <span v-if="!isMobile">config.json</span>
+            <span v-else>Download</span>
+          </a-button>
+          <a-button type="primary" @click="copyConfig" :size="isMobile ? 'small' : 'middle'">
+            <template #icon>
+              <CopyOutlined />
+            </template>
+            Copy
+          </a-button>
+        </template>
+      </a-modal>
     </a-layout>
   </a-config-provider>
 </template>
diff --git a/web/service/inbound.go b/web/service/inbound.go
index 00cb58fe..4025659e 100644
--- a/web/service/inbound.go
+++ b/web/service/inbound.go
@@ -278,11 +278,31 @@ func (s *InboundService) checkEmailsExistForClients(clients []model.Client) (str
 	return "", nil
 }
 
+// normalizeStreamSettings clears StreamSettings for protocols that don't use it.
+// Only vmess, vless, trojan, shadowsocks, and hysteria protocols use streamSettings.
+func (s *InboundService) normalizeStreamSettings(inbound *model.Inbound) {
+	protocolsWithStream := map[model.Protocol]bool{
+		model.VMESS:       true,
+		model.VLESS:       true,
+		model.Trojan:      true,
+		model.Shadowsocks: true,
+		model.Hysteria:    true,
+		model.Hysteria2:   true,
+	}
+	
+	if !protocolsWithStream[inbound.Protocol] {
+		inbound.StreamSettings = ""
+	}
+}
+
 // AddInbound creates a new inbound configuration.
 // It validates port uniqueness, client email uniqueness, and required fields,
 // then saves the inbound to the database and optionally adds it to the running Xray instance.
 // Returns the created inbound, whether Xray needs restart, and any error.
 func (s *InboundService) AddInbound(inbound *model.Inbound) (*model.Inbound, bool, error) {
+	// Normalize streamSettings based on protocol
+	s.normalizeStreamSettings(inbound)
+	
 	exist, err := s.checkPortConflict(inbound, 0)
 	if err != nil {
 		return inbound, false, err
@@ -530,6 +550,9 @@ func (s *InboundService) SetInboundEnable(id int, enable bool) (bool, error) {
 }
 
 func (s *InboundService) UpdateInbound(inbound *model.Inbound) (*model.Inbound, bool, error) {
+	// Normalize streamSettings based on protocol
+	s.normalizeStreamSettings(inbound)
+	
 	exist, err := s.checkPortConflict(inbound, inbound.Id)
 	if err != nil {
 		return inbound, false, err
diff --git a/xray/config.go b/xray/config.go
index 35ebfd7d..0bd7999c 100644
--- a/xray/config.go
+++ b/xray/config.go
@@ -11,17 +11,17 @@ import (
 type Config struct {
 	LogConfig        json_util.RawMessage `json:"log"`
 	RouterConfig     json_util.RawMessage `json:"routing"`
-	DNSConfig        json_util.RawMessage `json:"dns"`
+	DNSConfig        json_util.RawMessage `json:"dns,omitempty"`
 	InboundConfigs   []InboundConfig      `json:"inbounds"`
 	OutboundConfigs  json_util.RawMessage `json:"outbounds"`
-	Transport        json_util.RawMessage `json:"transport"`
+	Transport        json_util.RawMessage `json:"transport,omitempty"`
 	Policy           json_util.RawMessage `json:"policy"`
 	API              json_util.RawMessage `json:"api"`
 	Stats            json_util.RawMessage `json:"stats"`
-	Reverse          json_util.RawMessage `json:"reverse"`
-	FakeDNS          json_util.RawMessage `json:"fakedns"`
-	Observatory      json_util.RawMessage `json:"observatory"`
-	BurstObservatory json_util.RawMessage `json:"burstObservatory"`
+	Reverse          json_util.RawMessage `json:"reverse,omitempty"`
+	FakeDNS          json_util.RawMessage `json:"fakedns,omitempty"`
+	Observatory      json_util.RawMessage `json:"observatory,omitempty"`
+	BurstObservatory json_util.RawMessage `json:"burstObservatory,omitempty"`
 	Metrics          json_util.RawMessage `json:"metrics"`
 }
 
diff --git a/xray/inbound.go b/xray/inbound.go
index d69e3afc..7cafa87b 100644
--- a/xray/inbound.go
+++ b/xray/inbound.go
@@ -13,9 +13,9 @@ type InboundConfig struct {
 	Port           int                  `json:"port"`
 	Protocol       string               `json:"protocol"`
 	Settings       json_util.RawMessage `json:"settings"`
-	StreamSettings json_util.RawMessage `json:"streamSettings"`
+	StreamSettings json_util.RawMessage `json:"streamSettings,omitempty"`
 	Tag            string               `json:"tag"`
-	Sniffing       json_util.RawMessage `json:"sniffing"`
+	Sniffing       json_util.RawMessage `json:"sniffing,omitempty"`
 }
 
 // Equals compares two InboundConfig instances for deep equality.

From 3af45c14622c65e5b815b1ae4399c96d32f3a737 Mon Sep 17 00:00:00 2001
From: MHSanaei <ho3ein.sanaei@gmail.com>
Date: Thu, 14 May 2026 23:37:25 +0200
Subject: [PATCH 12/16] fix: Add base-path meta tag for Cloudflare Rocket
 Loader compatibility

When Cloudflare Rocket Loader is enabled, it interferes with inline scripts that set window.X_UI_BASE_PATH, causing the frontend to fail to configure the correct base URL for API calls. This results in 404 errors on the login page when calling /getTwoFactorEnable.

Solution: Add meta name='base-path' tag to HTML (similar to csrf-token), update axios initialization to read from meta tag as fallback. Meta tags are not affected by CSP or Rocket Loader delays.

Fixes #4393
---
 frontend/src/api/axios-init.js | 7 ++++++-
 web/controller/dist.go         | 2 ++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/frontend/src/api/axios-init.js b/frontend/src/api/axios-init.js
index 2ea235c5..3055e883 100644
--- a/frontend/src/api/axios-init.js
+++ b/frontend/src/api/axios-init.js
@@ -51,7 +51,12 @@ export function setupAxios() {
   axios.defaults.headers.post['Content-Type'] = 'application/x-www-form-urlencoded; charset=UTF-8';
   axios.defaults.headers.common['X-Requested-With'] = 'XMLHttpRequest';
 
-  const basePath = window.X_UI_BASE_PATH;
+  // Read base path from window object or fallback to meta tag (for Cloudflare Rocket Loader compatibility)
+  let basePath = window.X_UI_BASE_PATH;
+  if (!basePath) {
+    const metaTag = document.querySelector('meta[name="base-path"]');
+    basePath = metaTag ? metaTag.getAttribute('content') : null;
+  }
   if (typeof basePath === 'string' && basePath !== '' && basePath !== '/') {
     axios.defaults.baseURL = basePath;
   }
diff --git a/web/controller/dist.go b/web/controller/dist.go
index fd1b35a9..682f0024 100644
--- a/web/controller/dist.go
+++ b/web/controller/dist.go
@@ -56,6 +56,7 @@ func serveDistPage(c *gin.Context, name string) {
 		csrfToken = ""
 	}
 	csrfMeta := []byte(`<meta name="csrf-token" content="` + htmlpkg.EscapeString(csrfToken) + `">`)
+	basePathMeta := []byte(`<meta name="base-path" content="` + htmlpkg.EscapeString(basePath) + `">`)
 
 	nonceAttr := ""
 	if nonce := c.GetString("csp_nonce"); nonce != "" {
@@ -69,6 +70,7 @@ func serveDistPage(c *gin.Context, name string) {
 	script += `;</script>`
 	inject := []byte(script)
 	inject = append(inject, csrfMeta...)
+	inject = append(inject, basePathMeta...)
 	inject = append(inject, []byte(`</head>`)...)
 	out := bytes.Replace(body, []byte("</head>"), inject, 1)
 

From 19d50bd16cb0f61557629f8ef8123ac9c08b834e Mon Sep 17 00:00:00 2001
From: Abdalrahman <ug_31107079@ics.tanta.edu.eg>
Date: Fri, 15 May 2026 10:51:14 +0300
Subject: [PATCH 13/16] fix: add i18n translations for Allow private address
 node option across all locales (#4386)

* fix: add Chinese locale translations for Allow private address node option

* fix: add Allow private address translations to all remaining locale files
---
 frontend/src/pages/nodes/NodeFormModal.vue | 4 ++--
 web/translation/ar-EG.json                 | 2 ++
 web/translation/en-US.json                 | 2 ++
 web/translation/es-ES.json                 | 2 ++
 web/translation/fa-IR.json                 | 2 ++
 web/translation/id-ID.json                 | 2 ++
 web/translation/ja-JP.json                 | 2 ++
 web/translation/pt-BR.json                 | 2 ++
 web/translation/ru-RU.json                 | 2 ++
 web/translation/tr-TR.json                 | 2 ++
 web/translation/uk-UA.json                 | 2 ++
 web/translation/vi-VN.json                 | 2 ++
 web/translation/zh-CN.json                 | 2 ++
 web/translation/zh-TW.json                 | 2 ++
 14 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/frontend/src/pages/nodes/NodeFormModal.vue b/frontend/src/pages/nodes/NodeFormModal.vue
index 720f4e8b..9c392ffa 100644
--- a/frontend/src/pages/nodes/NodeFormModal.vue
+++ b/frontend/src/pages/nodes/NodeFormModal.vue
@@ -163,9 +163,9 @@ async function onSave() {
         </a-col>
       </a-row>
 
-      <a-form-item label="Allow private address">
+      <a-form-item :label="t('pages.nodes.allowPrivateAddress')">
         <a-switch v-model:checked="form.allowPrivateAddress" />
-        <div class="hint">Enable only for nodes on a private network or VPN.</div>
+        <div class="hint">{{ t('pages.nodes.allowPrivateAddressHint') }}</div>
       </a-form-item>
 
       <a-form-item :label="t('pages.nodes.apiToken')" required>
diff --git a/web/translation/ar-EG.json b/web/translation/ar-EG.json
index e73eee06..663e81f3 100644
--- a/web/translation/ar-EG.json
+++ b/web/translation/ar-EG.json
@@ -418,6 +418,8 @@
       "apiTokenHint": "البانل البعيد بيعرض توكن API بتاعه في الإعدادات → توكن API.",
       "regenerate": "تجديد التوكن",
       "regenerateConfirm": "تجديد التوكن هيلغي التوكن الحالي. أي بانل مركزي بيستخدمه هيفقد الصلاحية لحد ما تحدّث التوكن. تكمّل؟",
+      "allowPrivateAddress": "السماح بالعنوان الخاص",
+      "allowPrivateAddressHint": "التفعيل فقط للعقد على شبكة خاصة أو VPN.",
       "enable": "مفعل",
       "status": "الحالة",
       "cpu": "المعالج",
diff --git a/web/translation/en-US.json b/web/translation/en-US.json
index 1e8d01c6..5cf1f7c0 100644
--- a/web/translation/en-US.json
+++ b/web/translation/en-US.json
@@ -418,6 +418,8 @@
       "apiTokenHint": "The remote panel exposes its API token under Settings → API Token.",
       "regenerate": "Regenerate Token",
       "regenerateConfirm": "Regenerating invalidates the current token. Any central panel using it will lose access until updated. Continue?",
+      "allowPrivateAddress": "Allow private address",
+      "allowPrivateAddressHint": "Enable only for nodes on a private network or VPN.",
       "enable": "Enabled",
       "status": "Status",
       "cpu": "CPU",
diff --git a/web/translation/es-ES.json b/web/translation/es-ES.json
index c02b4de4..9b6a5e87 100644
--- a/web/translation/es-ES.json
+++ b/web/translation/es-ES.json
@@ -418,6 +418,8 @@
       "apiTokenHint": "El panel remoto expone su token de API en Configuración → Token de API.",
       "regenerate": "Regenerar token",
       "regenerateConfirm": "Regenerar invalida el token actual. Cualquier panel central que lo use perderá el acceso hasta que se actualice. ¿Continuar?",
+      "allowPrivateAddress": "Permitir dirección privada",
+      "allowPrivateAddressHint": "Habilitar solo para nodos en una red privada o VPN.",
       "enable": "Habilitado",
       "status": "Estado",
       "cpu": "CPU",
diff --git a/web/translation/fa-IR.json b/web/translation/fa-IR.json
index f2052f66..1295e400 100644
--- a/web/translation/fa-IR.json
+++ b/web/translation/fa-IR.json
@@ -418,6 +418,8 @@
       "apiTokenHint": "پنل ریموت توکن API خودش را در بخش تنظیمات → توکن API نمایش می‌دهد.",
       "regenerate": "تولید مجدد توکن",
       "regenerateConfirm": "تولید مجدد، توکن فعلی را باطل می‌کند. هر پنل مرکزی‌ای که از این توکن استفاده می‌کند تا زمان به‌روزرسانی، دسترسی‌اش قطع می‌شود. ادامه می‌دهید؟",
+      "allowPrivateAddress": "اجازه آدرس خصوصی",
+      "allowPrivateAddressHint": "فقط برای نودهای روی شبکه خصوصی یا VPN فعال شود.",
       "enable": "فعال",
       "status": "وضعیت",
       "cpu": "پردازنده",
diff --git a/web/translation/id-ID.json b/web/translation/id-ID.json
index 095984e3..84769a3b 100644
--- a/web/translation/id-ID.json
+++ b/web/translation/id-ID.json
@@ -418,6 +418,8 @@
       "apiTokenHint": "Panel jarak jauh menampilkan token API-nya di Pengaturan → Token API.",
       "regenerate": "Buat Ulang Token",
       "regenerateConfirm": "Membuat ulang akan membatalkan token saat ini. Setiap panel pusat yang menggunakannya akan kehilangan akses sampai diperbarui. Lanjutkan?",
+      "allowPrivateAddress": "Izinkan alamat pribadi",
+      "allowPrivateAddressHint": "Aktifkan hanya untuk node di jaringan pribadi atau VPN.",
       "enable": "Aktif",
       "status": "Status",
       "cpu": "CPU",
diff --git a/web/translation/ja-JP.json b/web/translation/ja-JP.json
index 93c2dbbf..913ef5e5 100644
--- a/web/translation/ja-JP.json
+++ b/web/translation/ja-JP.json
@@ -418,6 +418,8 @@
       "apiTokenHint": "リモートパネルでは、設定 → APIトークン でAPIトークンを確認できます。",
       "regenerate": "トークンを再生成",
       "regenerateConfirm": "再生成すると現在のトークンは無効になります。これを使用しているすべての中央パネルは更新されるまでアクセスできなくなります。続行しますか？",
+      "allowPrivateAddress": "プライベートアドレスを許可",
+      "allowPrivateAddressHint": "プライベートネットワークまたはVPN上のノードにのみ有効にします。",
       "enable": "有効",
       "status": "ステータス",
       "cpu": "CPU",
diff --git a/web/translation/pt-BR.json b/web/translation/pt-BR.json
index fa56b477..74cd6ba7 100644
--- a/web/translation/pt-BR.json
+++ b/web/translation/pt-BR.json
@@ -418,6 +418,8 @@
       "apiTokenHint": "O painel remoto exibe o token da API em Configurações → Token da API.",
       "regenerate": "Regenerar token",
       "regenerateConfirm": "Regenerar invalida o token atual. Qualquer painel central que o utilize perderá acesso até ser atualizado. Continuar?",
+      "allowPrivateAddress": "Permitir endereço privado",
+      "allowPrivateAddressHint": "Ativar apenas para nós em uma rede privada ou VPN.",
       "enable": "Ativado",
       "status": "Status",
       "cpu": "CPU",
diff --git a/web/translation/ru-RU.json b/web/translation/ru-RU.json
index f6f59287..3c16ede8 100644
--- a/web/translation/ru-RU.json
+++ b/web/translation/ru-RU.json
@@ -418,6 +418,8 @@
       "apiTokenHint": "Удалённая панель показывает свой токен API в разделе Настройки → Токен API.",
       "regenerate": "Сгенерировать токен заново",
       "regenerateConfirm": "Повторная генерация аннулирует текущий токен. Любая центральная панель, использующая его, потеряет доступ до обновления. Продолжить?",
+      "allowPrivateAddress": "Разрешить частный адрес",
+      "allowPrivateAddressHint": "Включить только для узлов в частной сети или VPN.",
       "enable": "Включён",
       "status": "Статус",
       "cpu": "CPU",
diff --git a/web/translation/tr-TR.json b/web/translation/tr-TR.json
index 84064211..7895c1b6 100644
--- a/web/translation/tr-TR.json
+++ b/web/translation/tr-TR.json
@@ -418,6 +418,8 @@
       "apiTokenHint": "Uzak panel API token'ını Ayarlar → API Token altında gösterir.",
       "regenerate": "Token'ı Yeniden Oluştur",
       "regenerateConfirm": "Yeniden oluşturmak mevcut token'ı geçersiz kılar. Onu kullanan tüm merkezi paneller, güncellenene kadar erişimini kaybeder. Devam edilsin mi?",
+      "allowPrivateAddress": "Özel adrese izin ver",
+      "allowPrivateAddressHint": "Yalnızca özel ağ veya VPN üzerindeki düğümler için etkinleştir.",
       "enable": "Etkin",
       "status": "Durum",
       "cpu": "CPU",
diff --git a/web/translation/uk-UA.json b/web/translation/uk-UA.json
index 150decb5..6ed76eb0 100644
--- a/web/translation/uk-UA.json
+++ b/web/translation/uk-UA.json
@@ -418,6 +418,8 @@
       "apiTokenHint": "Віддалена панель показує свій токен API в Налаштуваннях → Токен API.",
       "regenerate": "Перегенерувати токен",
       "regenerateConfirm": "Перегенерація скасовує поточний токен. Будь-яка центральна панель, що його використовує, втратить доступ до оновлення. Продовжити?",
+      "allowPrivateAddress": "Дозволити приватну адресу",
+      "allowPrivateAddressHint": "Увімкнути лише для вузлів у приватній мережі або VPN.",
       "enable": "Увімкнено",
       "status": "Статус",
       "cpu": "CPU",
diff --git a/web/translation/vi-VN.json b/web/translation/vi-VN.json
index 9eaef4f2..09e8d8b2 100644
--- a/web/translation/vi-VN.json
+++ b/web/translation/vi-VN.json
@@ -418,6 +418,8 @@
       "apiTokenHint": "Panel từ xa hiển thị token API tại Cài đặt → Token API.",
       "regenerate": "Tạo lại token",
       "regenerateConfirm": "Tạo lại sẽ vô hiệu hóa token hiện tại. Mọi panel trung tâm dùng nó sẽ mất quyền truy cập cho đến khi được cập nhật. Tiếp tục?",
+      "allowPrivateAddress": "Cho phép địa chỉ riêng",
+      "allowPrivateAddressHint": "Chỉ bật cho các nút trên mạng riêng hoặc VPN.",
       "enable": "Kích hoạt",
       "status": "Trạng thái",
       "cpu": "CPU",
diff --git a/web/translation/zh-CN.json b/web/translation/zh-CN.json
index beb78ccb..0d65cb53 100644
--- a/web/translation/zh-CN.json
+++ b/web/translation/zh-CN.json
@@ -418,6 +418,8 @@
       "apiTokenHint": "远程面板在 设置 → API 令牌 中显示其 API 令牌。",
       "regenerate": "重新生成令牌",
       "regenerateConfirm": "重新生成会使当前令牌失效。任何使用该令牌的中央面板都会失去访问权限，直至更新。是否继续？",
+      "allowPrivateAddress": "允许私有地址",
+      "allowPrivateAddressHint": "仅对私有网络或VPN上的节点启用。",
       "enable": "已启用",
       "status": "状态",
       "cpu": "CPU",
diff --git a/web/translation/zh-TW.json b/web/translation/zh-TW.json
index 36b60a67..56a0c075 100644
--- a/web/translation/zh-TW.json
+++ b/web/translation/zh-TW.json
@@ -418,6 +418,8 @@
       "apiTokenHint": "遠端面板在 設定 → API 權杖 中顯示其 API 權杖。",
       "regenerate": "重新產生權杖",
       "regenerateConfirm": "重新產生會使目前的權杖失效。任何使用該權杖的中央面板將失去存取權，直到更新為止。是否繼續？",
+      "allowPrivateAddress": "允許私有地址",
+      "allowPrivateAddressHint": "僅對私有網路或VPN上的節點啟用。",
       "enable": "已啟用",
       "status": "狀態",
       "cpu": "CPU",

From 79a9be7b22ab5bbf40d81cdc9bcc3edc1e417e4a Mon Sep 17 00:00:00 2001
From: MHSanaei <ho3ein.sanaei@gmail.com>
Date: Fri, 15 May 2026 10:50:40 +0200
Subject: [PATCH 14/16] fix: split locale chunks by removing eager i18n glob

The eager `import.meta.glob` was statically pulling all 13 locale JSON
files into the main bundle, defeating the sibling lazy glob and emitting
INEFFECTIVE_DYNAMIC_IMPORT warnings. Statically import only the en-US
fallback, lazy-load the rest, and await `readyI18n()` in each entry
before mount so the first paint still uses the active locale.
---
 frontend/src/entries/api-docs.js |  6 ++-
 frontend/src/entries/inbounds.js |  6 ++-
 frontend/src/entries/index.js    |  6 ++-
 frontend/src/entries/login.js    |  8 ++--
 frontend/src/entries/nodes.js    |  6 ++-
 frontend/src/entries/settings.js |  6 ++-
 frontend/src/entries/subpage.js  |  6 ++-
 frontend/src/entries/xray.js     |  6 ++-
 frontend/src/i18n/index.js       | 77 ++++++++------------------------
 9 files changed, 51 insertions(+), 76 deletions(-)

diff --git a/frontend/src/entries/api-docs.js b/frontend/src/entries/api-docs.js
index 852bbc41..c2baff6c 100644
--- a/frontend/src/entries/api-docs.js
+++ b/frontend/src/entries/api-docs.js
@@ -4,7 +4,7 @@ import 'ant-design-vue/dist/reset.css';
 
 import { setupAxios } from '@/api/axios-init.js';
 import '@/composables/useTheme.js';
-import { i18n } from '@/i18n/index.js';
+import { i18n, readyI18n } from '@/i18n/index.js';
 import { applyDocumentTitle } from '@/utils';
 import ApiDocsPage from '@/pages/api-docs/ApiDocsPage.vue';
 
@@ -16,4 +16,6 @@ if (messageContainer) {
   message.config({ getContainer: () => messageContainer });
 }
 
-createApp(ApiDocsPage).use(Antd).use(i18n).mount('#app');
+readyI18n().then(() => {
+  createApp(ApiDocsPage).use(Antd).use(i18n).mount('#app');
+});
diff --git a/frontend/src/entries/inbounds.js b/frontend/src/entries/inbounds.js
index 8342f476..dd9b8170 100644
--- a/frontend/src/entries/inbounds.js
+++ b/frontend/src/entries/inbounds.js
@@ -4,7 +4,7 @@ import 'ant-design-vue/dist/reset.css';
 
 import { setupAxios } from '@/api/axios-init.js';
 import '@/composables/useTheme.js';
-import { i18n } from '@/i18n/index.js';
+import { i18n, readyI18n } from '@/i18n/index.js';
 import { applyDocumentTitle } from '@/utils';
 import InboundsPage from '@/pages/inbounds/InboundsPage.vue';
 
@@ -16,4 +16,6 @@ if (messageContainer) {
   message.config({ getContainer: () => messageContainer });
 }
 
-createApp(InboundsPage).use(Antd).use(i18n).mount('#app');
+readyI18n().then(() => {
+  createApp(InboundsPage).use(Antd).use(i18n).mount('#app');
+});
diff --git a/frontend/src/entries/index.js b/frontend/src/entries/index.js
index 8e14d2ae..33593f31 100644
--- a/frontend/src/entries/index.js
+++ b/frontend/src/entries/index.js
@@ -6,7 +6,7 @@ import { setupAxios } from '@/api/axios-init.js';
 // Importing useTheme triggers the boot side-effect that applies the
 // stored theme to <body>/<html> before Vue mounts.
 import '@/composables/useTheme.js';
-import { i18n } from '@/i18n/index.js';
+import { i18n, readyI18n } from '@/i18n/index.js';
 import { applyDocumentTitle } from '@/utils';
 import IndexPage from '@/pages/index/IndexPage.vue';
 
@@ -18,4 +18,6 @@ if (messageContainer) {
   message.config({ getContainer: () => messageContainer });
 }
 
-createApp(IndexPage).use(Antd).use(i18n).mount('#app');
+readyI18n().then(() => {
+  createApp(IndexPage).use(Antd).use(i18n).mount('#app');
+});
diff --git a/frontend/src/entries/login.js b/frontend/src/entries/login.js
index 6b8b0fc2..33c1e629 100644
--- a/frontend/src/entries/login.js
+++ b/frontend/src/entries/login.js
@@ -6,18 +6,18 @@ import { setupAxios } from '@/api/axios-init.js';
 // Importing this module triggers the boot side-effect that applies the
 // stored theme to <body>/<html> before Vue renders anything.
 import '@/composables/useTheme.js';
-import { i18n } from '@/i18n/index.js';
+import { i18n, readyI18n } from '@/i18n/index.js';
 import { applyDocumentTitle } from '@/utils';
 import LoginPage from '@/pages/login/LoginPage.vue';
 
 setupAxios();
 applyDocumentTitle();
 
-// Toasts attach to a #message div the page provides — keeps theme
-// styling in sync with the rest of the panel.
 const messageContainer = document.getElementById('message');
 if (messageContainer) {
   message.config({ getContainer: () => messageContainer });
 }
 
-createApp(LoginPage).use(Antd).use(i18n).mount('#app');
+readyI18n().then(() => {
+  createApp(LoginPage).use(Antd).use(i18n).mount('#app');
+});
diff --git a/frontend/src/entries/nodes.js b/frontend/src/entries/nodes.js
index 819fe9a9..92e60a15 100644
--- a/frontend/src/entries/nodes.js
+++ b/frontend/src/entries/nodes.js
@@ -4,7 +4,7 @@ import 'ant-design-vue/dist/reset.css';
 
 import { setupAxios } from '@/api/axios-init.js';
 import '@/composables/useTheme.js';
-import { i18n } from '@/i18n/index.js';
+import { i18n, readyI18n } from '@/i18n/index.js';
 import { applyDocumentTitle } from '@/utils';
 import NodesPage from '@/pages/nodes/NodesPage.vue';
 
@@ -16,4 +16,6 @@ if (messageContainer) {
   message.config({ getContainer: () => messageContainer });
 }
 
-createApp(NodesPage).use(Antd).use(i18n).mount('#app');
+readyI18n().then(() => {
+  createApp(NodesPage).use(Antd).use(i18n).mount('#app');
+});
diff --git a/frontend/src/entries/settings.js b/frontend/src/entries/settings.js
index 4a32bb7e..ca3e6f29 100644
--- a/frontend/src/entries/settings.js
+++ b/frontend/src/entries/settings.js
@@ -6,7 +6,7 @@ import { setupAxios } from '@/api/axios-init.js';
 // Importing useTheme triggers the boot side-effect that applies the
 // stored theme to <body>/<html> before Vue mounts.
 import '@/composables/useTheme.js';
-import { i18n } from '@/i18n/index.js';
+import { i18n, readyI18n } from '@/i18n/index.js';
 import { applyDocumentTitle } from '@/utils';
 import SettingsPage from '@/pages/settings/SettingsPage.vue';
 
@@ -18,4 +18,6 @@ if (messageContainer) {
   message.config({ getContainer: () => messageContainer });
 }
 
-createApp(SettingsPage).use(Antd).use(i18n).mount('#app');
+readyI18n().then(() => {
+  createApp(SettingsPage).use(Antd).use(i18n).mount('#app');
+});
diff --git a/frontend/src/entries/subpage.js b/frontend/src/entries/subpage.js
index 159aee1b..a2b0d8bb 100644
--- a/frontend/src/entries/subpage.js
+++ b/frontend/src/entries/subpage.js
@@ -7,7 +7,7 @@ import 'ant-design-vue/dist/reset.css';
 // with the parsed traffic/quota/expiry view-model and the rendered
 // share links — the SPA reads those at mount.
 import '@/composables/useTheme.js';
-import { i18n } from '@/i18n/index.js';
+import { i18n, readyI18n } from '@/i18n/index.js';
 import SubPage from '@/pages/sub/SubPage.vue';
 
 const messageContainer = document.getElementById('message');
@@ -15,4 +15,6 @@ if (messageContainer) {
   message.config({ getContainer: () => messageContainer });
 }
 
-createApp(SubPage).use(Antd).use(i18n).mount('#app');
+readyI18n().then(() => {
+  createApp(SubPage).use(Antd).use(i18n).mount('#app');
+});
diff --git a/frontend/src/entries/xray.js b/frontend/src/entries/xray.js
index ba203da0..a5b1ebcd 100644
--- a/frontend/src/entries/xray.js
+++ b/frontend/src/entries/xray.js
@@ -4,7 +4,7 @@ import 'ant-design-vue/dist/reset.css';
 
 import { setupAxios } from '@/api/axios-init.js';
 import '@/composables/useTheme.js';
-import { i18n } from '@/i18n/index.js';
+import { i18n, readyI18n } from '@/i18n/index.js';
 import { applyDocumentTitle } from '@/utils';
 import XrayPage from '@/pages/xray/XrayPage.vue';
 
@@ -16,4 +16,6 @@ if (messageContainer) {
   message.config({ getContainer: () => messageContainer });
 }
 
-createApp(XrayPage).use(Antd).use(i18n).mount('#app');
+readyI18n().then(() => {
+  createApp(XrayPage).use(Antd).use(i18n).mount('#app');
+});
diff --git a/frontend/src/i18n/index.js b/frontend/src/i18n/index.js
index 1e21d215..7b13784c 100644
--- a/frontend/src/i18n/index.js
+++ b/frontend/src/i18n/index.js
@@ -1,93 +1,54 @@
-// vue-i18n setup. Locale files live in web/translation/*.json — the same
-// directory the Go binary embeds, so SPA + Telegram bot + subscription
-// page all read from a single source.
-//
-// Usage in a component:
-//   import { useI18n } from 'vue-i18n';
-//   const { t } = useI18n();
-//   ...
-//   <span>{{ t('pages.inbounds.email') }}</span>
-//
-// Or via the global helper exposed on the app:
-//   <span>{{ $t('pages.inbounds.email') }}</span>
-//
-// The locale follows the `lang` cookie that LanguageManager already
-// reads/writes — switching language anywhere in the app continues to
-// trigger a full page reload (matches legacy ergonomics), so we don't
-// need a runtime locale switcher here.
-
 import { createI18n } from 'vue-i18n';
 
 import { LanguageManager } from '@/utils';
+import enUS from '../../../web/translation/en-US.json';
 
-// Lazy-loaded locales — Vite splits each one into its own chunk. We
-// eager-load only the active language plus the en-US fallback so the
-// initial page payload stays small (the inbounds bundle was sitting
-// at ~700kB gzipped with all 13 locales eager; now ~480kB).
-//
-// LanguageManager.setLanguage() does a full reload on change, so
-// "lazy" here effectively means "load only what this page needs for
-// its lifetime."
 const FALLBACK = 'en-US';
-const lazyModules = import.meta.glob('../../../web/translation/*.json');
-const eagerModules = import.meta.glob('../../../web/translation/*.json', { eager: true });
+const lazyModules = import.meta.glob([
+  '../../../web/translation/*.json',
+  '!../../../web/translation/en-US.json',
+]);
 
 function moduleKeyFor(code) {
   return `../../../web/translation/${code}.json`;
 }
 
-// Resolve the active locale via LanguageManager so the cookie set on
-// the legacy panel keeps working after a user upgrades. Falls back
-// to en-US when the cookie names a language we don't have.
 let active = LanguageManager.getLanguage();
-if (!Object.prototype.hasOwnProperty.call(lazyModules, moduleKeyFor(active))) {
+if (active !== FALLBACK && !Object.prototype.hasOwnProperty.call(lazyModules, moduleKeyFor(active))) {
   active = FALLBACK;
 }
 
-const messages = {};
-// Eagerly include the active locale + the fallback (when distinct)
-// so the very first render has strings ready. Vite still emits these
-// as their own chunks so the user pays for at most two locales.
-for (const code of new Set([active, FALLBACK])) {
-  const mod = eagerModules[moduleKeyFor(code)];
-  if (mod) messages[code] = mod.default || mod;
-}
-
 export const i18n = createI18n({
   legacy: false,
-  // `composition` mode (legacy: false) so `useI18n()` works in
-  // <script setup> blocks.
   globalInjection: true,
   locale: active,
   fallbackLocale: FALLBACK,
-  // Locale JSON is nested by namespace ({pages: {inbounds: {email: ...}}})
-  // so vue-i18n's default `.`-delimited lookups walk straight into it.
-  messages,
-  // The Go side sometimes interpolates `#variable#` into translated
-  // strings (e.g. xraySwitchVersionDialogDesc). vue-i18n's default
-  // expects `{var}` — disable warnings about strings that look like
-  // they don't use the new syntax.
+  messages: { [FALLBACK]: enUS },
   warnHtmlMessage: false,
   missingWarn: false,
   fallbackWarn: false,
 });
 
-// Convenience export for non-component contexts (HTTP error toasts,
-// stores, etc.) that need to look up a translation outside a setup
-// scope.
 export function t(key, params) {
   return i18n.global.t(key, params || {});
 }
 
-// loadLocale fetches a locale module on demand and registers it with
-// vue-i18n. Pages that switch language at runtime (rather than via
-// LanguageManager's reload) can call this to swap strings live.
 export async function loadLocale(code) {
-  const key = moduleKeyFor(code);
-  const loader = lazyModules[key];
+  if (code === FALLBACK) {
+    i18n.global.locale.value = FALLBACK;
+    return true;
+  }
+  const loader = lazyModules[moduleKeyFor(code)];
   if (!loader) return false;
   const mod = await loader();
   i18n.global.setLocaleMessage(code, mod.default || mod);
   i18n.global.locale.value = code;
   return true;
 }
+
+export async function readyI18n() {
+  if (active !== FALLBACK) {
+    await loadLocale(active);
+  }
+  return i18n;
+}

From 5cf8a0854050fad259de5c775cda9e62e35853b6 Mon Sep 17 00:00:00 2001
From: MHSanaei <ho3ein.sanaei@gmail.com>
Date: Fri, 15 May 2026 11:24:50 +0200
Subject: [PATCH 15/16] fix: disable balancer fallbackTag for random /
 roundRobin strategies

Xray-core's RandomStrategy and RoundRobinStrategy register a pending
dependency on the Observatory feature whenever fallbackTag is non-empty.
Since the panel only provisions observatory for leastPing / leastLoad
balancers, picking roundRobin with a fallbackTag caused xray to fail
boot with "not all dependencies are resolved". Disable the fallback
field for the two strategies that cannot resolve it, and strip
fallbackTag from the wire balancer as a defensive backstop for users
who edit the JSON template directly.
---
 frontend/src/pages/xray/BalancerFormModal.vue | 15 +++++++++++++--
 frontend/src/pages/xray/BalancersTab.vue      |  3 ++-
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/frontend/src/pages/xray/BalancerFormModal.vue b/frontend/src/pages/xray/BalancerFormModal.vue
index 47dd2d41..05aabfeb 100644
--- a/frontend/src/pages/xray/BalancerFormModal.vue
+++ b/frontend/src/pages/xray/BalancerFormModal.vue
@@ -61,6 +61,16 @@ const isValid = computed(
   () => !tagEmpty.value && !duplicateTag.value && !emptySelector.value,
 );
 
+const fallbackSupported = computed(
+  () => form.strategy === 'leastPing' || form.strategy === 'leastLoad',
+);
+
+watch(() => form.strategy, (next) => {
+  if (next !== 'leastPing' && next !== 'leastLoad') {
+    form.fallbackTag = '';
+  }
+});
+
 const tagValidateStatus = computed(() => {
   if (tagEmpty.value) return 'error';
   if (duplicateTag.value) return 'warning';
@@ -111,8 +121,9 @@ const okText = computed(() =>
         </a-select>
       </a-form-item>
 
-      <a-form-item label="Fallback">
-        <a-select v-model:value="form.fallbackTag" allow-clear>
+      <a-form-item label="Fallback"
+        :help="fallbackSupported ? '' : 'Available only with Least ping / Least load'">
+        <a-select v-model:value="form.fallbackTag" allow-clear :disabled="!fallbackSupported">
           <a-select-option v-for="tag in ['', ...outboundTags]" :key="tag || '__empty'" :value="tag">
             {{ tag || `(${t('none')})` }}
           </a-select-option>
diff --git a/frontend/src/pages/xray/BalancersTab.vue b/frontend/src/pages/xray/BalancersTab.vue
index 0cf5b602..255ed108 100644
--- a/frontend/src/pages/xray/BalancersTab.vue
+++ b/frontend/src/pages/xray/BalancersTab.vue
@@ -145,10 +145,11 @@ function syncObservatories() {
 }
 
 function buildWireBalancer(form) {
+  const supportsFallback = form.strategy === 'leastPing' || form.strategy === 'leastLoad';
   const out = {
     tag: form.tag,
     selector: [...form.selector],
-    fallbackTag: form.fallbackTag,
+    fallbackTag: supportsFallback ? form.fallbackTag : '',
   };
   if (form.strategy && form.strategy !== 'random') {
     out.strategy = { type: form.strategy };

From 78f1719c6dd7db4088a7e53afff63f0f314a76f2 Mon Sep 17 00:00:00 2001
From: Abdalrahman <ug_31107079@ics.tanta.edu.eg>
Date: Fri, 15 May 2026 12:41:29 +0300
Subject: [PATCH 16/16] fix: prevent online clients from randomly disappearing
 from panel UI (#4387)

* fix: prevent online clients from randomly disappearing from panel UI

Online status was determined solely by whether a client transferred
bytes in the current 5-second polling window. The online list was
completely replaced each cycle, so idle-but-connected clients with no
traffic delta in that window were dropped from the UI.

Now online status is computed from lastOnline DB timestamps with a
5-second grace period via RefreshOnlineClientsFromMap(), so clients
remain visible across idle polling windows.

Closes #4384

* fix: extend online client grace period to survive idle poll cycles

The 5s grace period equalled the traffic-poll interval, so a client
whose Xray stats reported a zero delta for one cycle was still dropped
on the very next tick. Bump to 20s (~4 polls) so idle-but-connected
sessions stay visible across momentary counter gaps without lingering
long after a real disconnect.

Refs #4384

---------

Co-authored-by: MHSanaei <ho3ein.sanaei@gmail.com>
---
 web/job/node_traffic_sync_job.go | 11 +++++++----
 web/job/xray_traffic_job.go      | 15 +++++++++++----
 web/service/inbound.go           | 30 ++++++++++++++++++++----------
 3 files changed, 38 insertions(+), 18 deletions(-)

diff --git a/web/job/node_traffic_sync_job.go b/web/job/node_traffic_sync_job.go
index a978d767..c2f5fa6a 100644
--- a/web/job/node_traffic_sync_job.go
+++ b/web/job/node_traffic_sync_job.go
@@ -87,10 +87,6 @@ func (j *NodeTrafficSyncJob) Run() {
 		return
 	}
 
-	online := j.inboundService.GetOnlineClients()
-	if online == nil {
-		online = []string{}
-	}
 	lastOnline, err := j.inboundService.GetClientsLastOnline()
 	if err != nil {
 		logger.Warning("node traffic sync: get last-online failed:", err)
@@ -98,6 +94,13 @@ func (j *NodeTrafficSyncJob) Run() {
 	if lastOnline == nil {
 		lastOnline = map[string]int64{}
 	}
+
+	j.inboundService.RefreshOnlineClientsFromMap(lastOnline)
+
+	online := j.inboundService.GetOnlineClients()
+	if online == nil {
+		online = []string{}
+	}
 	websocket.BroadcastTraffic(map[string]any{
 		"onlineClients": online,
 		"lastOnlineMap": lastOnline,
diff --git a/web/job/xray_traffic_job.go b/web/job/xray_traffic_job.go
index 96539986..7a471b4c 100644
--- a/web/job/xray_traffic_job.go
+++ b/web/job/xray_traffic_job.go
@@ -77,10 +77,6 @@ func (j *XrayTrafficJob) Run() {
 	// a missing/null onlineClients field as "no update", so without this the
 	// "everyone went offline" transition was silently dropped — stale online
 	// users lingered in the list and the online filter kept showing them.
-	onlineClients := j.inboundService.GetOnlineClients()
-	if onlineClients == nil {
-		onlineClients = []string{}
-	}
 	lastOnlineMap, err := j.inboundService.GetClientsLastOnline()
 	if err != nil {
 		logger.Warning("get clients last online failed:", err)
@@ -88,6 +84,17 @@ func (j *XrayTrafficJob) Run() {
 	if lastOnlineMap == nil {
 		lastOnlineMap = make(map[string]int64)
 	}
+
+	// Determine online clients from lastOnline timestamps with a 5-second
+	// grace period instead of just the current 5-second traffic poll. This
+	// prevents idle-but-connected clients from randomly disappearing from
+	// the UI between polling windows.
+	j.inboundService.RefreshOnlineClientsFromMap(lastOnlineMap)
+
+	onlineClients := j.inboundService.GetOnlineClients()
+	if onlineClients == nil {
+		onlineClients = []string{}
+	}
 	websocket.BroadcastTraffic(map[string]any{
 		"traffics":       traffics,
 		"clientTraffics": clientTraffics,
diff --git a/web/service/inbound.go b/web/service/inbound.go
index 4025659e..866a765c 100644
--- a/web/service/inbound.go
+++ b/web/service/inbound.go
@@ -1539,6 +1539,13 @@ func (s *InboundService) UpdateInboundClient(data *model.Inbound, clientId strin
 
 const resetGracePeriodMs int64 = 30000
 
+// onlineGracePeriodMs must comfortably exceed the 5s traffic-poll interval —
+// Xray's stats counters often report a zero delta for an active session across
+// a single poll, so a 5s grace would still drop the client on the next tick.
+// ~4 polls of slack keeps idle-but-connected clients visible without lingering
+// long after a real disconnect.
+const onlineGracePeriodMs int64 = 20000
+
 func (s *InboundService) SetRemoteTraffic(nodeID int, snap *runtime.TrafficSnapshot) (bool, error) {
 	var structuralChange bool
 	err := submitTrafficWrite(func() error {
@@ -1880,15 +1887,9 @@ func (s *InboundService) addInboundTraffic(tx *gorm.DB, traffics []*xray.Traffic
 
 func (s *InboundService) addClientTraffic(tx *gorm.DB, traffics []*xray.ClientTraffic) (err error) {
 	if len(traffics) == 0 {
-		// Empty onlineUsers
-		if p != nil {
-			p.SetOnlineClients(make([]string, 0))
-		}
 		return nil
 	}
 
-	onlineClients := make([]string, 0)
-
 	emails := make([]string, 0, len(traffics))
 	for _, traffic := range traffics {
 		emails = append(emails, traffic.Email)
@@ -1931,14 +1932,10 @@ func (s *InboundService) addClientTraffic(tx *gorm.DB, traffics []*xray.ClientTr
 		dbClientTraffics[dbTraffic_index].Down += t.Down
 		dbClientTraffics[dbTraffic_index].AllTime += t.Up + t.Down
 		if t.Up+t.Down > 0 {
-			onlineClients = append(onlineClients, t.Email)
 			dbClientTraffics[dbTraffic_index].LastOnline = now
 		}
 	}
 
-	// Set onlineUsers
-	p.SetOnlineClients(onlineClients)
-
 	err = tx.Save(dbClientTraffics).Error
 	if err != nil {
 		logger.Warning("AddClientTraffic update data ", err)
@@ -3764,6 +3761,19 @@ func (s *InboundService) GetClientsLastOnline() (map[string]int64, error) {
 	return result, nil
 }
 
+func (s *InboundService) RefreshOnlineClientsFromMap(lastOnlineMap map[string]int64) {
+	now := time.Now().UnixMilli()
+	newOnlineClients := make([]string, 0, len(lastOnlineMap))
+	for email, lastOnline := range lastOnlineMap {
+		if now-lastOnline < onlineGracePeriodMs {
+			newOnlineClients = append(newOnlineClients, email)
+		}
+	}
+	if p != nil {
+		p.SetOnlineClients(newOnlineClients)
+	}
+}
+
 func (s *InboundService) FilterAndSortClientEmails(emails []string) ([]string, []string, error) {
 	db := database.GetDB()