fix(hysteria): use pinSHA256 for pinned cert and emit ech in share links

Hysteria links now carry the pinned peer cert under the hysteria2-standard pinSHA256 key instead of pcs (frontend genHysteriaLink + outbound importer round-trip), and the Go subscription generator emits ech from echConfigList. Also drops the dead allowInsecure guard in genHysteriaLink, which read a field that does not exist on TlsClientSettings.

frontend/src/lib/xray/inbound-link.ts

@@ -610,6 +610,9 @@ export function genHysteriaLink(input: GenHysteriaLinkInput): string {
   if (tls.alpn.length > 0) params.set('alpn', tls.alpn.join(','));
   if (tls.settings.echConfigList.length > 0) params.set('ech', tls.settings.echConfigList);
   if (tls.serverName.length > 0) params.set('sni', tls.serverName);
+  if (tls.settings.pinnedPeerCertSha256.length > 0) {
+    params.set('pinSHA256', tls.settings.pinnedPeerCertSha256.join(','));
+  }
 
   const udpMasks = stream.finalmask?.udp;
   if (Array.isArray(udpMasks)) {

frontend/src/lib/xray/outbound-link-parser.ts

@@ -417,7 +417,7 @@ export function parseHysteria2Link(link: string): Raw | null {
       fingerprint: params.get('fp') ?? '',
       echConfigList: params.get('ech') ?? '',
       verifyPeerCertByName: '',
-      pinnedPeerCertSha256: params.get('pcs') ?? '',
+      pinnedPeerCertSha256: params.get('pinSHA256') ?? '',
     },
   };
   applyFinalMaskParam(stream, params);

sub/subService.go

@@ -603,9 +603,9 @@ func (s *SubService) genHysteriaLink(inbound *model.Inbound, email string) strin
 		if fpValue, ok := searchKey(tlsSettings, "fingerprint"); ok {
 			params["fp"], _ = fpValue.(string)
 		}
-		if insecure, ok := searchKey(tlsSettings, "allowInsecure"); ok {
+		if echValue, ok := searchKey(tlsSettings, "echConfigList"); ok {
-			if insecure.(bool) {
+			if ech, _ := echValue.(string); ech != "" {
-				params["insecure"] = "1"
+				params["ech"] = ech
 			}
 		}
 		if pins, ok := pinnedSha256List(tlsSettings); ok {