From 35609b7b132158fc496b5c834766100e86f7c3bf Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 24 Apr 2026 10:41:11 +0200
Subject: [PATCH 01/17] Bump github.com/Azure/go-ntlmssp (#4094)

Bumps the go_modules group with 1 update in the / directory: [github.com/Azure/go-ntlmssp](https://github.com/Azure/go-ntlmssp).


Updates `github.com/Azure/go-ntlmssp` from 0.1.0 to 0.1.1
- [Release notes](https://github.com/Azure/go-ntlmssp/releases)
- [Commits](https://github.com/Azure/go-ntlmssp/compare/v0.1.0...v0.1.1)

---
updated-dependencies:
- dependency-name: github.com/Azure/go-ntlmssp
  dependency-version: 0.1.1
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 331261f8..57f7155f 100644
--- a/go.mod
+++ b/go.mod
@@ -32,7 +32,7 @@ require (
 )
 
 require (
-	github.com/Azure/go-ntlmssp v0.1.0 // indirect
+	github.com/Azure/go-ntlmssp v0.1.1 // indirect
 	github.com/andybalholm/brotli v1.2.1 // indirect
 	github.com/apernet/quic-go v0.59.1-0.20260217092621-db4786c77a22 // indirect
 	github.com/bytedance/gopkg v0.1.4 // indirect
diff --git a/go.sum b/go.sum
index 45931b83..78341c48 100644
--- a/go.sum
+++ b/go.sum
@@ -1,5 +1,5 @@
-github.com/Azure/go-ntlmssp v0.1.0 h1:DjFo6YtWzNqNvQdrwEyr/e4nhU3vRiwenz5QX7sFz+A=
-github.com/Azure/go-ntlmssp v0.1.0/go.mod h1:NYqdhxd/8aAct/s4qSYZEerdPuH1liG2/X9DiVTbhpk=
+github.com/Azure/go-ntlmssp v0.1.1 h1:l+FM/EEMb0U9QZE7mKNEDw5Mu3mFiaa2GKOoTSsNDPw=
+github.com/Azure/go-ntlmssp v0.1.1/go.mod h1:NYqdhxd/8aAct/s4qSYZEerdPuH1liG2/X9DiVTbhpk=
 github.com/BurntSushi/toml v1.6.0 h1:dRaEfpa2VI55EwlIW72hMRHdWouJeRF7TPYhI+AUQjk=
 github.com/BurntSushi/toml v1.6.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e h1:4dAU9FXIyQktpoUAgOJK3OTFc/xug0PCXYCqU0FgDKI=

From a62c637632d0e4f0ff74fe185a3ea50048cb73d8 Mon Sep 17 00:00:00 2001
From: MHSanaei <ho3ein.sanaei@gmail.com>
Date: Sun, 26 Apr 2026 17:34:31 +0200
Subject: [PATCH 02/17] DNS outbound: Add rules

---
 web/assets/js/model/outbound.js | 143 ++++++++++++++++++++++++++++++--
 web/html/form/outbound.html     |  79 ++++++++++++++----
 web/service/inbound.go          |   2 +-
 web/web.go                      |   9 +-
 4 files changed, 209 insertions(+), 24 deletions(-)

diff --git a/web/assets/js/model/outbound.js b/web/assets/js/model/outbound.js
index 97602815..8db9d8e2 100644
--- a/web/assets/js/model/outbound.js
+++ b/web/assets/js/model/outbound.js
@@ -97,6 +97,74 @@ const Address_Port_Strategy = {
     TxtPortAndAddress: "txtportandaddress"
 };
 
+const DNSRuleActions = ['direct', 'drop', 'reject', 'hijack'];
+
+function normalizeDNSRuleField(value) {
+    if (value === null || value === undefined) {
+        return '';
+    }
+    if (Array.isArray(value)) {
+        return value.map(item => item.toString().trim()).filter(item => item.length > 0).join(',');
+    }
+    return value.toString().trim();
+}
+
+function normalizeDNSRuleAction(action) {
+    action = ObjectUtil.isEmpty(action) ? 'direct' : action.toString().toLowerCase().trim();
+    return DNSRuleActions.includes(action) ? action : 'direct';
+}
+
+function parseLegacyDNSBlockTypes(blockTypes) {
+    if (blockTypes === null || blockTypes === undefined || blockTypes === '') {
+        return [];
+    }
+
+    if (Array.isArray(blockTypes)) {
+        return blockTypes
+            .map(item => Number(item))
+            .filter(item => Number.isInteger(item) && item >= 0 && item <= 65535);
+    }
+
+    if (typeof blockTypes === 'number') {
+        return Number.isInteger(blockTypes) && blockTypes >= 0 && blockTypes <= 65535 ? [blockTypes] : [];
+    }
+
+    return blockTypes
+        .toString()
+        .split(',')
+        .map(item => item.trim())
+        .filter(item => /^\d+$/.test(item))
+        .map(item => Number(item))
+        .filter(item => item >= 0 && item <= 65535);
+}
+
+function buildLegacyDNSRules(nonIPQuery, blockTypes) {
+    const mode = ['reject', 'drop', 'skip'].includes(nonIPQuery) ? nonIPQuery : 'reject';
+    const rules = [];
+    const parsedBlockTypes = parseLegacyDNSBlockTypes(blockTypes);
+
+    if (parsedBlockTypes.length > 0) {
+        rules.push(new Outbound.DNSRule(mode === 'reject' ? 'reject' : 'drop', parsedBlockTypes.join(',')));
+    }
+
+    rules.push(new Outbound.DNSRule('hijack', '1,28'));
+    rules.push(new Outbound.DNSRule(mode === 'skip' ? 'direct' : mode));
+
+    return rules;
+}
+
+function getDNSRulesFromJson(json = {}) {
+    if (Array.isArray(json.rules) && json.rules.length > 0) {
+        return json.rules.map(rule => Outbound.DNSRule.fromJson(rule));
+    }
+
+    if (json.nonIPQuery !== undefined || json.blockTypes !== undefined) {
+        return buildLegacyDNSRules(json.nonIPQuery, json.blockTypes);
+    }
+
+    return [];
+}
+
 Object.freeze(Protocols);
 Object.freeze(SSMethods);
 Object.freeze(TLS_FLOW_CONTROL);
@@ -107,6 +175,7 @@ Object.freeze(WireguardDomainStrategy);
 Object.freeze(USERS_SECURITY);
 Object.freeze(MODE_OPTION);
 Object.freeze(Address_Port_Strategy);
+Object.freeze(DNSRuleActions);
 
 class CommonClass {
 
@@ -1277,20 +1346,69 @@ Outbound.BlackholeSettings = class extends CommonClass {
         };
     }
 };
+
+Outbound.DNSRule = class extends CommonClass {
+    constructor(action = 'direct', qtype = '', domain = '') {
+        super();
+        this.action = action;
+        this.qtype = qtype;
+        this.domain = domain;
+    }
+
+    static fromJson(json = {}) {
+        return new Outbound.DNSRule(
+            json.action,
+            normalizeDNSRuleField(json.qtype),
+            normalizeDNSRuleField(json.domain),
+        );
+    }
+
+    toJson() {
+        const rule = {
+            action: normalizeDNSRuleAction(this.action),
+        };
+
+        const qtype = normalizeDNSRuleField(this.qtype);
+        if (!ObjectUtil.isEmpty(qtype)) {
+            if (/^\d+$/.test(qtype)) {
+                rule.qtype = Number(qtype);
+            } else {
+                rule.qtype = qtype;
+            }
+        }
+
+        const domains = normalizeDNSRuleField(this.domain)
+            .split(',')
+            .map(d => d.trim())
+            .filter(d => d.length > 0);
+        if (domains.length > 0) {
+            rule.domain = domains;
+        }
+
+        return rule;
+    }
+};
+
 Outbound.DNSSettings = class extends CommonClass {
     constructor(
         network = 'udp',
         address = '',
         port = 53,
-        nonIPQuery = 'reject',
-        blockTypes = []
+        rules = []
     ) {
         super();
         this.network = network;
         this.address = address;
         this.port = port;
-        this.nonIPQuery = nonIPQuery;
-        this.blockTypes = blockTypes;
+        this.rules = Array.isArray(rules) ? rules.map(rule => rule instanceof Outbound.DNSRule ? rule : Outbound.DNSRule.fromJson(rule)) : [];
+    }
+
+    addRule(action = 'direct') {
+        this.rules.push(new Outbound.DNSRule(action));
+    }
+
+    delRule(index) {
+        this.rules.splice(index, 1);
     }
 
     static fromJson(json = {}) {
@@ -1298,10 +1416,23 @@ Outbound.DNSSettings = class extends CommonClass {
             json.network,
             json.address,
             json.port,
-            json.nonIPQuery,
-            json.blockTypes,
+            getDNSRulesFromJson(json),
         );
     }
+
+    toJson() {
+        const json = {
+            network: this.network,
+            address: this.address,
+            port: this.port,
+        };
+
+        if (this.rules.length > 0) {
+            json.rules = Outbound.DNSRule.toJsonArray(this.rules);
+        }
+
+        return json;
+    }
 };
 Outbound.VmessSettings = class extends CommonClass {
     constructor(address, port, id, security) {
diff --git a/web/html/form/outbound.html b/web/html/form/outbound.html
index a9119cf0..c350d70f 100644
--- a/web/html/form/outbound.html
+++ b/web/html/form/outbound.html
@@ -190,22 +190,73 @@
             >
           </a-select>
         </a-form-item>
-        <a-form-item label="non-IP queries">
-          <a-select
-            v-model="outbound.settings.nonIPQuery"
-            :dropdown-class-name="themeSwitcher.currentTheme"
-          >
-            <a-select-option v-for="s in ['reject','drop','skip']" :value="s"
-              >[[ s ]]</a-select-option
-            >
-          </a-select>
+        <a-form-item label="Rules">
+          <a-button
+            icon="plus"
+            type="primary"
+            size="small"
+            @click="outbound.settings.addRule()"
+          ></a-button>
         </a-form-item>
-        <a-form-item
-          v-if="outbound.settings.nonIPQuery === 'skip'"
-          label="Block Types"
+
+        <a-form
+          v-for="(rule, index) in outbound.settings.rules"
+          :colon="false"
+          :label-col="{ md: {span:8} }"
+          :wrapper-col="{ md: {span:14} }"
         >
-          <a-input v-model.number="outbound.settings.blockTypes"></a-input>
-        </a-form-item>
+          <a-divider :style="{ margin: '0' }">
+            Rule [[ index + 1 ]]
+            <a-icon
+              type="delete"
+              @click="() => outbound.settings.delRule(index)"
+              :style="{ color: 'rgb(255, 77, 79)', cursor: 'pointer' }"
+            ></a-icon>
+          </a-divider>
+
+          <a-form-item label="Action">
+            <a-select
+              v-model="rule.action"
+              :dropdown-class-name="themeSwitcher.currentTheme"
+            >
+              <a-select-option v-for="action in DNSRuleActions" :value="action"
+                >[[ action ]]</a-select-option
+              >
+            </a-select>
+          </a-form-item>
+
+          <a-form-item>
+            <template slot="label">
+              <a-tooltip>
+                <template slot="title">
+                  <span>Single qtype (e.g. 28) or list/range (e.g. 1,3,23-24)</span>
+                </template>
+                QType
+                <a-icon type="question-circle"></a-icon>
+              </a-tooltip>
+            </template>
+            <a-input
+              v-model.trim="rule.qtype"
+              placeholder="1,3,23-24"
+            ></a-input>
+          </a-form-item>
+
+          <a-form-item>
+            <template slot="label">
+              <a-tooltip>
+                <template slot="title">
+                  <span>Comma-separated domain rules, e.g. domain:example.com,full:example.com</span>
+                </template>
+                Domain
+                <a-icon type="question-circle"></a-icon>
+              </a-tooltip>
+            </template>
+            <a-input
+              v-model.trim="rule.domain"
+              placeholder="domain:example.com,full:example.com"
+            ></a-input>
+          </a-form-item>
+        </a-form>
       </template>
 
       <!-- wireguard settings -->
diff --git a/web/service/inbound.go b/web/service/inbound.go
index 7d5d8932..8ab5e6a8 100644
--- a/web/service/inbound.go
+++ b/web/service/inbound.go
@@ -779,7 +779,7 @@ func (s *InboundService) writeBackClientSubID(sourceInboundID int, sourceProtoco
 	}
 
 	settingsBytes, err := json.Marshal(map[string][]model.Client{
-		"clients": []model.Client{client},
+		"clients": {client},
 	})
 	if err != nil {
 		return false, err
diff --git a/web/web.go b/web/web.go
index 835e82e1..f25dada2 100644
--- a/web/web.go
+++ b/web/web.go
@@ -353,14 +353,17 @@ func (s *Server) startTask() {
 	isTgbotenabled, err := s.settingService.GetTgbotEnabled()
 	if (err == nil) && (isTgbotenabled) {
 		runtime, err := s.settingService.GetTgbotRuntime()
-		if err != nil || runtime == "" {
-			logger.Errorf("Add NewStatsNotifyJob error[%s], Runtime[%s] invalid, will run default", err, runtime)
+		if err != nil {
+			logger.Warningf("Add NewStatsNotifyJob: failed to load runtime: %v; using default @daily", err)
+			runtime = "@daily"
+		} else if strings.TrimSpace(runtime) == "" {
+			logger.Warning("Add NewStatsNotifyJob runtime is empty, using default @daily")
 			runtime = "@daily"
 		}
 		logger.Infof("Tg notify enabled,run at %s", runtime)
 		_, err = s.cron.AddJob(runtime, job.NewStatsNotifyJob())
 		if err != nil {
-			logger.Warning("Add NewStatsNotifyJob error", err)
+			logger.Warningf("Add NewStatsNotifyJob: failed to schedule runtime %q: %v", runtime, err)
 			return
 		}
 

From 4521beab7c245a3420ae558ce34c37fb9ed1a53d Mon Sep 17 00:00:00 2001
From: MHSanaei <ho3ein.sanaei@gmail.com>
Date: Sun, 26 Apr 2026 20:06:24 +0200
Subject: [PATCH 03/17] wireguard: link

---
 web/assets/js/model/inbound.js          | 50 ++++++++++++++++++++++---
 web/html/modals/inbound_info_modal.html | 15 +++++++-
 2 files changed, 58 insertions(+), 7 deletions(-)

diff --git a/web/assets/js/model/inbound.js b/web/assets/js/model/inbound.js
index 26da6cb3..e3816060 100644
--- a/web/assets/js/model/inbound.js
+++ b/web/assets/js/model/inbound.js
@@ -1907,7 +1907,7 @@ class Inbound extends XrayCommonClass {
         return url.toString();
     }
 
-    getWireguardLink(address, port, remark, peerId) {
+    getWireguardTxt(address, port, remark, peerId) {
         let txt = `[Interface]\n`
         txt += `PrivateKey = ${this.settings.peers[peerId].privateKey}\n`
         txt += `Address = ${this.settings.peers[peerId].allowedIPs[0]}\n`
@@ -1929,6 +1929,48 @@ class Inbound extends XrayCommonClass {
         return txt;
     }
 
+    getWireguardLink(address, port, remark, peerId) {
+        const peer = this.settings?.peers?.[peerId];
+        if (!peer) return '';
+
+        const link = `wireguard://${address}:${port}`;
+        const url = new URL(link);
+        url.username = peer.privateKey || '';
+
+        if (this.settings?.pubKey) {
+            url.searchParams.set("publickey", this.settings.pubKey);
+        }
+        if (Array.isArray(peer.allowedIPs) && peer.allowedIPs.length > 0 && peer.allowedIPs[0]) {
+            url.searchParams.set("address", peer.allowedIPs[0]);
+        }
+        if (this.settings?.mtu) {
+            url.searchParams.set("mtu", this.settings.mtu);
+        }
+
+        url.hash = encodeURIComponent(remark);
+        return url.toString();
+    }
+
+    genWireguardLinks(remark = '', remarkModel = '-ieo') {
+        const addr = !ObjectUtil.isEmpty(this.listen) && this.listen !== "0.0.0.0" ? this.listen : location.hostname;
+        const separationChar = remarkModel.charAt(0);
+        let links = [];
+        this.settings.peers.forEach((p, index) => {
+            links.push(this.getWireguardLink(addr, this.port, remark + separationChar + (index + 1), index));
+        });
+        return links.join('\r\n');
+    }
+
+    genWireguardConfigs(remark = '', remarkModel = '-ieo') {
+        const addr = !ObjectUtil.isEmpty(this.listen) && this.listen !== "0.0.0.0" ? this.listen : location.hostname;
+        const separationChar = remarkModel.charAt(0);
+        let links = [];
+        this.settings.peers.forEach((p, index) => {
+            links.push(this.getWireguardTxt(addr, this.port, remark + separationChar + (index + 1), index));
+        });
+        return links.join('\r\n');
+    }
+
     genLink(address = '', port = this.port, forceTls = 'same', remark = '', client) {
         switch (this.protocol) {
             case Protocols.VMESS:
@@ -1989,11 +2031,7 @@ class Inbound extends XrayCommonClass {
         } else {
             if (this.protocol == Protocols.SHADOWSOCKS && !this.isSSMultiUser) return this.genSSLink(addr, this.port, 'same', remark);
             if (this.protocol == Protocols.WIREGUARD) {
-                let links = [];
-                this.settings.peers.forEach((p, index) => {
-                    links.push(this.getWireguardLink(addr, this.port, remark + remarkModel.charAt(0) + (index + 1), index));
-                });
-                return links.join('\r\n');
+                return this.genWireguardConfigs(remark, remarkModel);
             }
             return '';
         }
diff --git a/web/html/modals/inbound_info_modal.html b/web/html/modals/inbound_info_modal.html
index 14b1d86b..67da21a9 100644
--- a/web/html/modals/inbound_info_modal.html
+++ b/web/html/modals/inbound_info_modal.html
@@ -513,9 +513,19 @@
                 <div v-html="infoModal.links[index].replaceAll(`\n`,`<br />`)"
                   :style="{ borderRadius: '1rem', padding: '0.5rem' }" class="client-table-odd-row">
                 </div>
+                <a-divider orientation="center">Link</a-divider>
+                <tr-info-title class="tr-info-title">
+                  <a-tag color="green">Link</a-tag>
+                  <a-tooltip title='{{ i18n "copy" }}'>
+                    <a-button :style="{ minWidth: '24px' }" size="small" icon="snippets"
+                      @click="copy(infoModal.wireguardLinks[index])"></a-button>
+                  </a-tooltip>
+                </tr-info-title>
+                <code :style="{ display: 'block', whiteSpace: 'normal', wordBreak: 'break-all' }">[[ infoModal.wireguardLinks[index] ]]</code>
               </tr-info-row>
             </td>
           </tr>
+        </template>
       </table>
     </template>
     </template>
@@ -603,6 +613,7 @@
     upStats: 0,
     downStats: 0,
     links: [],
+    wireguardLinks: [],
     index: null,
     isExpired: false,
     subLink: '',
@@ -633,9 +644,11 @@
         }
       }
       if (this.inbound.protocol == Protocols.WIREGUARD) {
-        this.links = this.inbound.genInboundLinks(dbInbound.remark).split('\r\n')
+        this.links = this.inbound.genWireguardConfigs(dbInbound.remark).split('\r\n')
+        this.wireguardLinks = this.inbound.genWireguardLinks(dbInbound.remark).split('\r\n')
       } else {
         this.links = this.inbound.genAllLinks(this.dbInbound.remark, app.remarkModel, this.clientSettings);
+        this.wireguardLinks = [];
       }
       if (this.clientSettings) {
         if (this.clientSettings.subId) {

From 47e229e3231b5e74e03bcc758c9123d1637dbd82 Mon Sep 17 00:00:00 2001
From: MHSanaei <ho3ein.sanaei@gmail.com>
Date: Sun, 26 Apr 2026 20:16:27 +0200
Subject: [PATCH 04/17] Default to dark theme when unset

---
 web/html/component/aThemeSwitch.html | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/web/html/component/aThemeSwitch.html b/web/html/component/aThemeSwitch.html
index 431614d6..ca340da3 100644
--- a/web/html/component/aThemeSwitch.html
+++ b/web/html/component/aThemeSwitch.html
@@ -40,7 +40,8 @@
 {{define "component/aThemeSwitch"}}
 <script>
   function createThemeSwitcher() {
-    const isDarkTheme = localStorage.getItem('dark-mode') === 'true';
+    const darkModePreference = localStorage.getItem('dark-mode');
+    const isDarkTheme = darkModePreference === null ? true : darkModePreference === 'true';
     const isUltra = localStorage.getItem('isUltraDarkThemeEnabled') === 'true';
     if (isUltra) {
       document.documentElement.setAttribute('data-theme', 'ultra-dark');

From 8620344925908d73f612fef325768e3a0949527d Mon Sep 17 00:00:00 2001
From: MHSanaei <ho3ein.sanaei@gmail.com>
Date: Sun, 26 Apr 2026 20:37:03 +0200
Subject: [PATCH 05/17] Replace with-block with explicit settings

---
 web/html/inbounds.html | 35 +++++++++++++++++------------------
 1 file changed, 17 insertions(+), 18 deletions(-)

diff --git a/web/html/inbounds.html b/web/html/inbounds.html
index b8485702..d7ba962b 100644
--- a/web/html/inbounds.html
+++ b/web/html/inbounds.html
@@ -1164,24 +1164,23 @@
         if (!msg.success) {
           return;
         }
-        with (msg.obj) {
-          this.expireDiff = expireDiff * 86400000;
-          this.trafficDiff = trafficDiff * 1073741824;
-          this.defaultCert = defaultCert;
-          this.defaultKey = defaultKey;
-          this.tgBotEnable = tgBotEnable;
-          this.subSettings = {
-            enable: subEnable,
-            subTitle: subTitle,
-            subURI: subURI,
-            subJsonURI: subJsonURI,
-            subJsonEnable: subJsonEnable,
-          };
-          this.pageSize = pageSize;
-          this.remarkModel = remarkModel;
-          this.datepicker = datepicker;
-          this.ipLimitEnable = ipLimitEnable;
-        }
+        const settings = msg.obj || {};
+        this.expireDiff = settings.expireDiff * 86400000;
+        this.trafficDiff = settings.trafficDiff * 1073741824;
+        this.defaultCert = settings.defaultCert;
+        this.defaultKey = settings.defaultKey;
+        this.tgBotEnable = settings.tgBotEnable;
+        this.subSettings = {
+          enable: settings.subEnable,
+          subTitle: settings.subTitle,
+          subURI: settings.subURI,
+          subJsonURI: settings.subJsonURI,
+          subJsonEnable: settings.subJsonEnable,
+        };
+        this.pageSize = settings.pageSize;
+        this.remarkModel = settings.remarkModel;
+        this.datepicker = settings.datepicker;
+        this.ipLimitEnable = settings.ipLimitEnable;
       },
       setInbounds(dbInbounds) {
         this.inbounds.splice(0);

From a7e7788e29e61d1e912f7832c632834fc981b880 Mon Sep 17 00:00:00 2001
From: MHSanaei <ho3ein.sanaei@gmail.com>
Date: Sun, 26 Apr 2026 20:45:00 +0200
Subject: [PATCH 06/17] Bump Xray release to v26.4.25

---
 .github/workflows/release.yml | 4 ++--
 DockerInit.sh                 | 2 +-
 go.mod                        | 4 ++--
 go.sum                        | 8 ++++----
 4 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7ee8ea65..228c1625 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -126,7 +126,7 @@ jobs:
           cd x-ui/bin
 
           # Download dependencies
-          Xray_URL="https://github.com/XTLS/Xray-core/releases/download/v26.4.17/"
+          Xray_URL="https://github.com/XTLS/Xray-core/releases/download/v26.4.25/"
           if [ "${{ matrix.platform }}" == "amd64" ]; then
             wget -q ${Xray_URL}Xray-linux-64.zip
             unzip Xray-linux-64.zip
@@ -244,7 +244,7 @@ jobs:
           cd x-ui\bin
 
           # Download Xray for Windows
-          $Xray_URL = "https://github.com/XTLS/Xray-core/releases/download/v26.4.17/"
+          $Xray_URL = "https://github.com/XTLS/Xray-core/releases/download/v26.4.25/"
           Invoke-WebRequest -Uri "${Xray_URL}Xray-windows-64.zip" -OutFile "Xray-windows-64.zip"
           Expand-Archive -Path "Xray-windows-64.zip" -DestinationPath .
           Remove-Item "Xray-windows-64.zip"
diff --git a/DockerInit.sh b/DockerInit.sh
index 7c31f06b..97f8c302 100755
--- a/DockerInit.sh
+++ b/DockerInit.sh
@@ -27,7 +27,7 @@ case $1 in
 esac
 mkdir -p build/bin
 cd build/bin
-curl -sfLRO "https://github.com/XTLS/Xray-core/releases/download/v26.4.17/Xray-linux-${ARCH}.zip"
+curl -sfLRO "https://github.com/XTLS/Xray-core/releases/download/v26.4.25/Xray-linux-${ARCH}.zip"
 unzip "Xray-linux-${ARCH}.zip"
 rm -f "Xray-linux-${ARCH}.zip" geoip.dat geosite.dat
 mv xray "xray-linux-${FNAME}"
diff --git a/go.mod b/go.mod
index 57f7155f..406a86a8 100644
--- a/go.mod
+++ b/go.mod
@@ -72,7 +72,7 @@ require (
 	github.com/quic-go/quic-go v0.59.0 // indirect
 	github.com/refraction-networking/utls v1.8.3-0.20260301010127-aa6edf4b11af // indirect
 	github.com/rogpeppe/go-internal v1.14.1 // indirect
-	github.com/sagernet/sing v0.8.8 // indirect
+	github.com/sagernet/sing v0.8.9 // indirect
 	github.com/sagernet/sing-shadowsocks v0.2.9 // indirect
 	github.com/tklauser/go-sysconf v0.3.16 // indirect
 	github.com/tklauser/numcpus v0.11.0 // indirect
@@ -95,7 +95,7 @@ require (
 	golang.org/x/tools v0.44.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
 	golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260420184626-e10c466a9529 // indirect
 	google.golang.org/protobuf v1.36.11 // indirect
 	gvisor.dev/gvisor v0.0.0-20260122175437-89a5d21be8f0 // indirect
 	lukechampine.com/blake3 v1.4.1 // indirect
diff --git a/go.sum b/go.sum
index 78341c48..acee05e0 100644
--- a/go.sum
+++ b/go.sum
@@ -156,8 +156,8 @@ github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
 github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
 github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
-github.com/sagernet/sing v0.8.8 h1:1dRlGJ3wm4d2nwjKI1R/dr/7GKDKgUvXyD4OAWlQyt8=
-github.com/sagernet/sing v0.8.8/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
+github.com/sagernet/sing v0.8.9 h1:iX8FyMrWNl/divVgTe7cLT9n36v6bfzfnCYlcM1cLaU=
+github.com/sagernet/sing v0.8.9/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
 github.com/sagernet/sing-shadowsocks v0.2.9 h1:Paep5zCszRKsEn8587O0MnhFWKJwDW1Y4zOYYlIxMkM=
 github.com/sagernet/sing-shadowsocks v0.2.9/go.mod h1:TE/Z6401Pi8tgr0nBZcM/xawAI6u3F6TTbz4nH/qw+8=
 github.com/shirou/gopsutil/v4 v4.26.3 h1:2ESdQt90yU3oXF/CdOlRCJxrP+Am1aBYubTMTfxJ1qc=
@@ -256,8 +256,8 @@ golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb h1:whnFRlWMcXI9d+Z
 golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb/go.mod h1:rpwXGsirqLqN2L0JDJQlwOboGHmptD5ZD6T2VmcqhTw=
 gonum.org/v1/gonum v0.17.0 h1:VbpOemQlsSMrYmn7T2OUvQ4dqxQXU+ouZFQsZOx50z4=
 gonum.org/v1/gonum v0.17.0/go.mod h1:El3tOrEuMpv2UdMrbNlKEh9vd86bmQ6vqIcDwxEOc1E=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 h1:m8qni9SQFH0tJc1X0vmnpw/0t+AImlSvp30sEupozUg=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260420184626-e10c466a9529 h1:XF8+t6QQiS0o9ArVan/HW8Q7cycNPGsJf6GA2nXxYAg=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260420184626-e10c466a9529/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
 google.golang.org/grpc v1.80.0 h1:Xr6m2WmWZLETvUNvIUmeD5OAagMw3FiKmMlTdViWsHM=
 google.golang.org/grpc v1.80.0/go.mod h1:ho/dLnxwi3EDJA4Zghp7k2Ec1+c2jqup0bFkw07bwF4=
 google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=

From abc5cf3439ffec38accaa4242eb7d4a692cb5bb4 Mon Sep 17 00:00:00 2001
From: MHSanaei <ho3ein.sanaei@gmail.com>
Date: Sun, 26 Apr 2026 20:49:02 +0200
Subject: [PATCH 07/17] Increase KCP maxSendingWindow to 2MiB

---
 web/assets/js/model/inbound.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web/assets/js/model/inbound.js b/web/assets/js/model/inbound.js
index e3816060..c653eb7a 100644
--- a/web/assets/js/model/inbound.js
+++ b/web/assets/js/model/inbound.js
@@ -323,7 +323,7 @@ class KcpStreamSettings extends XrayCommonClass {
         uplinkCapacity = 5,
         downlinkCapacity = 20,
         cwndMultiplier = 1,
-        maxSendingWindow = 1350,
+        maxSendingWindow = 2097152,
     ) {
         super();
         this.mtu = mtu;

From 8529f4f0cfbe40e211959571807af7128408b960 Mon Sep 17 00:00:00 2001
From: MHSanaei <ho3ein.sanaei@gmail.com>
Date: Sun, 26 Apr 2026 21:32:50 +0200
Subject: [PATCH 08/17] kcp: mtu and tti

Add KCP-specific fields mtu and tti to inbound stream handling in web/assets/js/model/inbound.js. The changes add obj.mtu/obj.tti when serializing the kcp stream and set params for mtu and tti in the various KCP parameter-building branches so these values are preserved and transmitted where KCP is used.
---
 web/assets/js/model/inbound.js | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/web/assets/js/model/inbound.js b/web/assets/js/model/inbound.js
index c653eb7a..a091e1ef 100644
--- a/web/assets/js/model/inbound.js
+++ b/web/assets/js/model/inbound.js
@@ -1566,6 +1566,8 @@ class Inbound extends XrayCommonClass {
             }
         } else if (network === 'kcp') {
             const kcp = this.stream.kcp;
+            obj.mtu = kcp.mtu;
+            obj.tti = kcp.tti;
         } else if (network === 'ws') {
             const ws = this.stream.ws;
             obj.path = ws.path;
@@ -1626,6 +1628,8 @@ class Inbound extends XrayCommonClass {
                 break;
             case "kcp":
                 const kcp = this.stream.kcp;
+                params.set("mtu", kcp.mtu);
+                params.set("tti", kcp.tti);
                 break;
             case "ws":
                 const ws = this.stream.ws;
@@ -1727,6 +1731,8 @@ class Inbound extends XrayCommonClass {
                 break;
             case "kcp":
                 const kcp = this.stream.kcp;
+                params.set("mtu", kcp.mtu);
+                params.set("tti", kcp.tti);
                 break;
             case "ws":
                 const ws = this.stream.ws;
@@ -1804,6 +1810,8 @@ class Inbound extends XrayCommonClass {
                 break;
             case "kcp":
                 const kcp = this.stream.kcp;
+                params.set("mtu", kcp.mtu);
+                params.set("tti", kcp.tti);
                 break;
             case "ws":
                 const ws = this.stream.ws;

From 0aca2d3b3d7e54f0408670db5f7075eaee190066 Mon Sep 17 00:00:00 2001
From: MHSanaei <ho3ein.sanaei@gmail.com>
Date: Sun, 26 Apr 2026 23:04:47 +0200
Subject: [PATCH 09/17] sub: kcp finalmask

---
 sub/subService.go                             | 1262 +++++++++--------
 web/assets/js/model/inbound.js                |   54 +
 web/assets/js/model/outbound.js               |   11 +-
 .../settings/panel/subscription/subpage.html  |   19 +-
 4 files changed, 731 insertions(+), 615 deletions(-)

diff --git a/sub/subService.go b/sub/subService.go
index 272bf9d5..67b931ce 100644
--- a/sub/subService.go
+++ b/sub/subService.go
@@ -3,8 +3,10 @@ package sub
 import (
 	"encoding/base64"
 	"fmt"
+	"maps"
 	"net"
 	"net/url"
+	"slices"
 	"strings"
 	"time"
 
@@ -179,186 +181,54 @@ func (s *SubService) getLink(inbound *model.Inbound, email string) string {
 	return ""
 }
 
+// Protocol link generators are intentionally ordered as:
+// vmess -> vless -> trojan -> shadowsocks -> hysteria.
 func (s *SubService) genVmessLink(inbound *model.Inbound, email string) string {
 	if inbound.Protocol != model.VMESS {
 		return ""
 	}
-	var address string
-	if inbound.Listen == "" || inbound.Listen == "0.0.0.0" || inbound.Listen == "::" || inbound.Listen == "::0" {
-		address = s.address
-	} else {
-		address = inbound.Listen
-	}
+	address := s.resolveInboundAddress(inbound)
 	obj := map[string]any{
 		"v":    "2",
 		"add":  address,
 		"port": inbound.Port,
 		"type": "none",
 	}
-	var stream map[string]any
-	json.Unmarshal([]byte(inbound.StreamSettings), &stream)
+	stream := unmarshalStreamSettings(inbound.StreamSettings)
 	network, _ := stream["network"].(string)
-	obj["net"] = network
-	switch network {
-	case "tcp":
-		tcp, _ := stream["tcpSettings"].(map[string]any)
-		header, _ := tcp["header"].(map[string]any)
-		typeStr, _ := header["type"].(string)
-		obj["type"] = typeStr
-		if typeStr == "http" {
-			request := header["request"].(map[string]any)
-			requestPath, _ := request["path"].([]any)
-			obj["path"] = requestPath[0].(string)
-			headers, _ := request["headers"].(map[string]any)
-			obj["host"] = searchHost(headers)
-		}
-	case "kcp":
-		kcp, _ := stream["kcpSettings"].(map[string]any)
-		header, _ := kcp["header"].(map[string]any)
-		obj["type"], _ = header["type"].(string)
-		obj["path"], _ = kcp["seed"].(string)
-	case "ws":
-		ws, _ := stream["wsSettings"].(map[string]any)
-		obj["path"] = ws["path"].(string)
-		if host, ok := ws["host"].(string); ok && len(host) > 0 {
-			obj["host"] = host
-		} else {
-			headers, _ := ws["headers"].(map[string]any)
-			obj["host"] = searchHost(headers)
-		}
-	case "grpc":
-		grpc, _ := stream["grpcSettings"].(map[string]any)
-		obj["path"] = grpc["serviceName"].(string)
-		obj["authority"] = grpc["authority"].(string)
-		if grpc["multiMode"].(bool) {
-			obj["type"] = "multi"
-		}
-	case "httpupgrade":
-		httpupgrade, _ := stream["httpupgradeSettings"].(map[string]any)
-		obj["path"] = httpupgrade["path"].(string)
-		if host, ok := httpupgrade["host"].(string); ok && len(host) > 0 {
-			obj["host"] = host
-		} else {
-			headers, _ := httpupgrade["headers"].(map[string]any)
-			obj["host"] = searchHost(headers)
-		}
-	case "xhttp":
-		xhttp, _ := stream["xhttpSettings"].(map[string]any)
-		obj["path"] = xhttp["path"].(string)
-		if host, ok := xhttp["host"].(string); ok && len(host) > 0 {
-			obj["host"] = host
-		} else {
-			headers, _ := xhttp["headers"].(map[string]any)
-			obj["host"] = searchHost(headers)
-		}
-		obj["mode"], _ = xhttp["mode"].(string)
-		// VMess base64 JSON supports arbitrary keys; copy the padding
-		// settings through so clients can match the server's xhttp
-		// xPaddingBytes range and, when the admin opted into obfs
-		// mode, the custom key / header / placement / method.
-		if xpb, ok := xhttp["xPaddingBytes"].(string); ok && len(xpb) > 0 {
-			obj["x_padding_bytes"] = xpb
-		}
-		if obfs, ok := xhttp["xPaddingObfsMode"].(bool); ok && obfs {
-			obj["xPaddingObfsMode"] = true
-			for _, field := range []string{"xPaddingKey", "xPaddingHeader", "xPaddingPlacement", "xPaddingMethod"} {
-				if v, ok := xhttp[field].(string); ok && len(v) > 0 {
-					obj[field] = v
-				}
-			}
-		}
+	applyVmessNetworkParams(stream, network, obj)
+	if finalmask, ok := stream["finalmask"].(map[string]any); ok {
+		applyFinalMaskObj(finalmask, obj)
 	}
 	security, _ := stream["security"].(string)
 	obj["tls"] = security
 	if security == "tls" {
-		tlsSetting, _ := stream["tlsSettings"].(map[string]any)
-		alpns, _ := tlsSetting["alpn"].([]any)
-		if len(alpns) > 0 {
-			var alpn []string
-			for _, a := range alpns {
-				alpn = append(alpn, a.(string))
-			}
-			obj["alpn"] = strings.Join(alpn, ",")
-		}
-		if sniValue, ok := searchKey(tlsSetting, "serverName"); ok {
-			obj["sni"], _ = sniValue.(string)
-		}
-
-		tlsSettings, _ := searchKey(tlsSetting, "settings")
-		if tlsSetting != nil {
-			if fpValue, ok := searchKey(tlsSettings, "fingerprint"); ok {
-				obj["fp"], _ = fpValue.(string)
-			}
-		}
+		applyVmessTLSParams(stream, obj)
 	}
 
 	clients, _ := s.inboundService.GetClients(inbound)
-	clientIndex := -1
-	for i, client := range clients {
-		if client.Email == email {
-			clientIndex = i
-			break
-		}
-	}
+	clientIndex := findClientIndex(clients, email)
 	obj["id"] = clients[clientIndex].ID
 	obj["scy"] = clients[clientIndex].Security
 
 	externalProxies, _ := stream["externalProxy"].([]any)
 
 	if len(externalProxies) > 0 {
-		links := ""
-		for index, externalProxy := range externalProxies {
-			ep, _ := externalProxy.(map[string]any)
-			newSecurity, _ := ep["forceTls"].(string)
-			newObj := map[string]any{}
-			for key, value := range obj {
-				if !(newSecurity == "none" && (key == "alpn" || key == "sni" || key == "fp")) {
-					newObj[key] = value
-				}
-			}
-			newObj["ps"] = s.genRemark(inbound, email, ep["remark"].(string))
-			newObj["add"] = ep["dest"].(string)
-			newObj["port"] = int(ep["port"].(float64))
-
-			if newSecurity != "same" {
-				newObj["tls"] = newSecurity
-			}
-			if index > 0 {
-				links += "\n"
-			}
-			jsonStr, _ := json.MarshalIndent(newObj, "", "  ")
-			links += "vmess://" + base64.StdEncoding.EncodeToString(jsonStr)
-		}
-		return links
+		return s.buildVmessExternalProxyLinks(externalProxies, obj, inbound, email)
 	}
 
 	obj["ps"] = s.genRemark(inbound, email, "")
-
-	jsonStr, _ := json.MarshalIndent(obj, "", "  ")
-	return "vmess://" + base64.StdEncoding.EncodeToString(jsonStr)
+	return buildVmessLink(obj)
 }
 
 func (s *SubService) genVlessLink(inbound *model.Inbound, email string) string {
-	var address string
-	if inbound.Listen == "" || inbound.Listen == "0.0.0.0" || inbound.Listen == "::" || inbound.Listen == "::0" {
-		address = s.address
-	} else {
-		address = inbound.Listen
-	}
-
 	if inbound.Protocol != model.VLESS {
 		return ""
 	}
-	var stream map[string]any
-	json.Unmarshal([]byte(inbound.StreamSettings), &stream)
+	address := s.resolveInboundAddress(inbound)
+	stream := unmarshalStreamSettings(inbound.StreamSettings)
 	clients, _ := s.inboundService.GetClients(inbound)
-	clientIndex := -1
-	for i, client := range clients {
-		if client.Email == email {
-			clientIndex = i
-			break
-		}
-	}
+	clientIndex := findClientIndex(clients, email)
 	uuid := clients[clientIndex].ID
 	port := inbound.Port
 	streamNetwork := stream["network"].(string)
@@ -372,481 +242,122 @@ func (s *SubService) genVlessLink(inbound *model.Inbound, email string) string {
 		params["encryption"] = encryption
 	}
 
-	switch streamNetwork {
-	case "tcp":
-		tcp, _ := stream["tcpSettings"].(map[string]any)
-		header, _ := tcp["header"].(map[string]any)
-		typeStr, _ := header["type"].(string)
-		if typeStr == "http" {
-			request := header["request"].(map[string]any)
-			requestPath, _ := request["path"].([]any)
-			params["path"] = requestPath[0].(string)
-			headers, _ := request["headers"].(map[string]any)
-			params["host"] = searchHost(headers)
-			params["headerType"] = "http"
-		}
-	case "kcp":
-		kcp, _ := stream["kcpSettings"].(map[string]any)
-		header, _ := kcp["header"].(map[string]any)
-		params["headerType"] = header["type"].(string)
-		params["seed"] = kcp["seed"].(string)
-	case "ws":
-		ws, _ := stream["wsSettings"].(map[string]any)
-		params["path"] = ws["path"].(string)
-		if host, ok := ws["host"].(string); ok && len(host) > 0 {
-			params["host"] = host
-		} else {
-			headers, _ := ws["headers"].(map[string]any)
-			params["host"] = searchHost(headers)
-		}
-	case "grpc":
-		grpc, _ := stream["grpcSettings"].(map[string]any)
-		params["serviceName"] = grpc["serviceName"].(string)
-		params["authority"], _ = grpc["authority"].(string)
-		if grpc["multiMode"].(bool) {
-			params["mode"] = "multi"
-		}
-	case "httpupgrade":
-		httpupgrade, _ := stream["httpupgradeSettings"].(map[string]any)
-		params["path"] = httpupgrade["path"].(string)
-		if host, ok := httpupgrade["host"].(string); ok && len(host) > 0 {
-			params["host"] = host
-		} else {
-			headers, _ := httpupgrade["headers"].(map[string]any)
-			params["host"] = searchHost(headers)
-		}
-	case "xhttp":
-		xhttp, _ := stream["xhttpSettings"].(map[string]any)
-		params["path"] = xhttp["path"].(string)
-		if host, ok := xhttp["host"].(string); ok && len(host) > 0 {
-			params["host"] = host
-		} else {
-			headers, _ := xhttp["headers"].(map[string]any)
-			params["host"] = searchHost(headers)
-		}
-		params["mode"], _ = xhttp["mode"].(string)
-		applyXhttpPaddingParams(xhttp, params)
+	applyShareNetworkParams(stream, streamNetwork, params)
+	if finalmask, ok := stream["finalmask"].(map[string]any); ok {
+		applyFinalMaskParams(finalmask, params)
 	}
 	security, _ := stream["security"].(string)
-	if security == "tls" {
-		params["security"] = "tls"
-		tlsSetting, _ := stream["tlsSettings"].(map[string]any)
-		alpns, _ := tlsSetting["alpn"].([]any)
-		var alpn []string
-		for _, a := range alpns {
-			alpn = append(alpn, a.(string))
-		}
-		if len(alpn) > 0 {
-			params["alpn"] = strings.Join(alpn, ",")
-		}
-		if sniValue, ok := searchKey(tlsSetting, "serverName"); ok {
-			params["sni"], _ = sniValue.(string)
-		}
-
-		tlsSettings, _ := searchKey(tlsSetting, "settings")
-		if tlsSetting != nil {
-			if fpValue, ok := searchKey(tlsSettings, "fingerprint"); ok {
-				params["fp"], _ = fpValue.(string)
-			}
-		}
-
+	switch security {
+	case "tls":
+		applyShareTLSParams(stream, params)
 		if streamNetwork == "tcp" && len(clients[clientIndex].Flow) > 0 {
 			params["flow"] = clients[clientIndex].Flow
 		}
-	}
-
-	if security == "reality" {
-		params["security"] = "reality"
-		realitySetting, _ := stream["realitySettings"].(map[string]any)
-		realitySettings, _ := searchKey(realitySetting, "settings")
-		if realitySetting != nil {
-			if sniValue, ok := searchKey(realitySetting, "serverNames"); ok {
-				sNames, _ := sniValue.([]any)
-				params["sni"] = sNames[random.Num(len(sNames))].(string)
-			}
-			if pbkValue, ok := searchKey(realitySettings, "publicKey"); ok {
-				params["pbk"], _ = pbkValue.(string)
-			}
-			if sidValue, ok := searchKey(realitySetting, "shortIds"); ok {
-				shortIds, _ := sidValue.([]any)
-				params["sid"] = shortIds[random.Num(len(shortIds))].(string)
-			}
-			if fpValue, ok := searchKey(realitySettings, "fingerprint"); ok {
-				if fp, ok := fpValue.(string); ok && len(fp) > 0 {
-					params["fp"] = fp
-				}
-			}
-			if pqvValue, ok := searchKey(realitySettings, "mldsa65Verify"); ok {
-				if pqv, ok := pqvValue.(string); ok && len(pqv) > 0 {
-					params["pqv"] = pqv
-				}
-			}
-			params["spx"] = "/" + random.Seq(15)
-		}
-
+	case "reality":
+		applyShareRealityParams(stream, params)
 		if streamNetwork == "tcp" && len(clients[clientIndex].Flow) > 0 {
 			params["flow"] = clients[clientIndex].Flow
 		}
-	}
-
-	if security != "tls" && security != "reality" {
+	default:
 		params["security"] = "none"
 	}
 
 	externalProxies, _ := stream["externalProxy"].([]any)
 
 	if len(externalProxies) > 0 {
-		links := make([]string, 0, len(externalProxies))
-		for _, externalProxy := range externalProxies {
-			ep, _ := externalProxy.(map[string]any)
-			newSecurity, _ := ep["forceTls"].(string)
-			dest, _ := ep["dest"].(string)
-			port := int(ep["port"].(float64))
-			link := fmt.Sprintf("vless://%s@%s:%d", uuid, dest, port)
-
-			if newSecurity != "same" {
-				params["security"] = newSecurity
-			} else {
-				params["security"] = security
-			}
-			url, _ := url.Parse(link)
-			q := url.Query()
-
-			for k, v := range params {
-				if !(newSecurity == "none" && (k == "alpn" || k == "sni" || k == "fp")) {
-					q.Add(k, v)
-				}
-			}
-
-			// Set the new query values on the URL
-			url.RawQuery = q.Encode()
-
-			url.Fragment = s.genRemark(inbound, email, ep["remark"].(string))
-
-			links = append(links, url.String())
-		}
-		return strings.Join(links, "\n")
+		return s.buildExternalProxyURLLinks(
+			externalProxies,
+			params,
+			security,
+			func(dest string, port int) string {
+				return fmt.Sprintf("vless://%s@%s:%d", uuid, dest, port)
+			},
+			func(ep map[string]any) string {
+				return s.genRemark(inbound, email, ep["remark"].(string))
+			},
+		)
 	}
 
 	link := fmt.Sprintf("vless://%s@%s:%d", uuid, address, port)
-	url, _ := url.Parse(link)
-	q := url.Query()
-
-	for k, v := range params {
-		q.Add(k, v)
-	}
-
-	// Set the new query values on the URL
-	url.RawQuery = q.Encode()
-
-	url.Fragment = s.genRemark(inbound, email, "")
-	return url.String()
+	return buildLinkWithParams(link, params, s.genRemark(inbound, email, ""))
 }
 
 func (s *SubService) genTrojanLink(inbound *model.Inbound, email string) string {
-	var address string
-	if inbound.Listen == "" || inbound.Listen == "0.0.0.0" || inbound.Listen == "::" || inbound.Listen == "::0" {
-		address = s.address
-	} else {
-		address = inbound.Listen
-	}
 	if inbound.Protocol != model.Trojan {
 		return ""
 	}
-	var stream map[string]any
-	json.Unmarshal([]byte(inbound.StreamSettings), &stream)
+	address := s.resolveInboundAddress(inbound)
+	stream := unmarshalStreamSettings(inbound.StreamSettings)
 	clients, _ := s.inboundService.GetClients(inbound)
-	clientIndex := -1
-	for i, client := range clients {
-		if client.Email == email {
-			clientIndex = i
-			break
-		}
-	}
+	clientIndex := findClientIndex(clients, email)
 	password := clients[clientIndex].Password
 	port := inbound.Port
 	streamNetwork := stream["network"].(string)
 	params := make(map[string]string)
 	params["type"] = streamNetwork
 
-	switch streamNetwork {
-	case "tcp":
-		tcp, _ := stream["tcpSettings"].(map[string]any)
-		header, _ := tcp["header"].(map[string]any)
-		typeStr, _ := header["type"].(string)
-		if typeStr == "http" {
-			request := header["request"].(map[string]any)
-			requestPath, _ := request["path"].([]any)
-			params["path"] = requestPath[0].(string)
-			headers, _ := request["headers"].(map[string]any)
-			params["host"] = searchHost(headers)
-			params["headerType"] = "http"
-		}
-	case "kcp":
-		kcp, _ := stream["kcpSettings"].(map[string]any)
-		header, _ := kcp["header"].(map[string]any)
-		params["headerType"] = header["type"].(string)
-		params["seed"] = kcp["seed"].(string)
-	case "ws":
-		ws, _ := stream["wsSettings"].(map[string]any)
-		params["path"] = ws["path"].(string)
-		if host, ok := ws["host"].(string); ok && len(host) > 0 {
-			params["host"] = host
-		} else {
-			headers, _ := ws["headers"].(map[string]any)
-			params["host"] = searchHost(headers)
-		}
-	case "grpc":
-		grpc, _ := stream["grpcSettings"].(map[string]any)
-		params["serviceName"] = grpc["serviceName"].(string)
-		params["authority"], _ = grpc["authority"].(string)
-		if grpc["multiMode"].(bool) {
-			params["mode"] = "multi"
-		}
-	case "httpupgrade":
-		httpupgrade, _ := stream["httpupgradeSettings"].(map[string]any)
-		params["path"] = httpupgrade["path"].(string)
-		if host, ok := httpupgrade["host"].(string); ok && len(host) > 0 {
-			params["host"] = host
-		} else {
-			headers, _ := httpupgrade["headers"].(map[string]any)
-			params["host"] = searchHost(headers)
-		}
-	case "xhttp":
-		xhttp, _ := stream["xhttpSettings"].(map[string]any)
-		params["path"] = xhttp["path"].(string)
-		if host, ok := xhttp["host"].(string); ok && len(host) > 0 {
-			params["host"] = host
-		} else {
-			headers, _ := xhttp["headers"].(map[string]any)
-			params["host"] = searchHost(headers)
-		}
-		params["mode"], _ = xhttp["mode"].(string)
-		applyXhttpPaddingParams(xhttp, params)
+	applyShareNetworkParams(stream, streamNetwork, params)
+	if finalmask, ok := stream["finalmask"].(map[string]any); ok {
+		applyFinalMaskParams(finalmask, params)
 	}
 	security, _ := stream["security"].(string)
-	if security == "tls" {
-		params["security"] = "tls"
-		tlsSetting, _ := stream["tlsSettings"].(map[string]any)
-		alpns, _ := tlsSetting["alpn"].([]any)
-		var alpn []string
-		for _, a := range alpns {
-			alpn = append(alpn, a.(string))
-		}
-		if len(alpn) > 0 {
-			params["alpn"] = strings.Join(alpn, ",")
-		}
-		if sniValue, ok := searchKey(tlsSetting, "serverName"); ok {
-			params["sni"], _ = sniValue.(string)
-		}
-
-		tlsSettings, _ := searchKey(tlsSetting, "settings")
-		if tlsSetting != nil {
-			if fpValue, ok := searchKey(tlsSettings, "fingerprint"); ok {
-				params["fp"], _ = fpValue.(string)
-			}
-		}
-	}
-
-	if security == "reality" {
-		params["security"] = "reality"
-		realitySetting, _ := stream["realitySettings"].(map[string]any)
-		realitySettings, _ := searchKey(realitySetting, "settings")
-		if realitySetting != nil {
-			if sniValue, ok := searchKey(realitySetting, "serverNames"); ok {
-				sNames, _ := sniValue.([]any)
-				params["sni"] = sNames[random.Num(len(sNames))].(string)
-			}
-			if pbkValue, ok := searchKey(realitySettings, "publicKey"); ok {
-				params["pbk"], _ = pbkValue.(string)
-			}
-			if sidValue, ok := searchKey(realitySetting, "shortIds"); ok {
-				shortIds, _ := sidValue.([]any)
-				params["sid"] = shortIds[random.Num(len(shortIds))].(string)
-			}
-			if fpValue, ok := searchKey(realitySettings, "fingerprint"); ok {
-				if fp, ok := fpValue.(string); ok && len(fp) > 0 {
-					params["fp"] = fp
-				}
-			}
-			if pqvValue, ok := searchKey(realitySettings, "mldsa65Verify"); ok {
-				if pqv, ok := pqvValue.(string); ok && len(pqv) > 0 {
-					params["pqv"] = pqv
-				}
-			}
-			params["spx"] = "/" + random.Seq(15)
-		}
-
+	switch security {
+	case "tls":
+		applyShareTLSParams(stream, params)
+	case "reality":
+		applyShareRealityParams(stream, params)
 		if streamNetwork == "tcp" && len(clients[clientIndex].Flow) > 0 {
 			params["flow"] = clients[clientIndex].Flow
 		}
-	}
-
-	if security != "tls" && security != "reality" {
+	default:
 		params["security"] = "none"
 	}
 
 	externalProxies, _ := stream["externalProxy"].([]any)
 
 	if len(externalProxies) > 0 {
-		links := ""
-		for index, externalProxy := range externalProxies {
-			ep, _ := externalProxy.(map[string]any)
-			newSecurity, _ := ep["forceTls"].(string)
-			dest, _ := ep["dest"].(string)
-			port := int(ep["port"].(float64))
-			link := fmt.Sprintf("trojan://%s@%s:%d", password, dest, port)
-
-			if newSecurity != "same" {
-				params["security"] = newSecurity
-			} else {
-				params["security"] = security
-			}
-			url, _ := url.Parse(link)
-			q := url.Query()
-
-			for k, v := range params {
-				if !(newSecurity == "none" && (k == "alpn" || k == "sni" || k == "fp")) {
-					q.Add(k, v)
-				}
-			}
-
-			// Set the new query values on the URL
-			url.RawQuery = q.Encode()
-
-			url.Fragment = s.genRemark(inbound, email, ep["remark"].(string))
-
-			if index > 0 {
-				links += "\n"
-			}
-			links += url.String()
-		}
-		return links
+		return s.buildExternalProxyURLLinks(
+			externalProxies,
+			params,
+			security,
+			func(dest string, port int) string {
+				return fmt.Sprintf("trojan://%s@%s:%d", password, dest, port)
+			},
+			func(ep map[string]any) string {
+				return s.genRemark(inbound, email, ep["remark"].(string))
+			},
+		)
 	}
 
 	link := fmt.Sprintf("trojan://%s@%s:%d", password, address, port)
-
-	url, _ := url.Parse(link)
-	q := url.Query()
-
-	for k, v := range params {
-		q.Add(k, v)
-	}
-
-	// Set the new query values on the URL
-	url.RawQuery = q.Encode()
-
-	url.Fragment = s.genRemark(inbound, email, "")
-	return url.String()
+	return buildLinkWithParams(link, params, s.genRemark(inbound, email, ""))
 }
 
 func (s *SubService) genShadowsocksLink(inbound *model.Inbound, email string) string {
-	var address string
-	if inbound.Listen == "" || inbound.Listen == "0.0.0.0" || inbound.Listen == "::" || inbound.Listen == "::0" {
-		address = s.address
-	} else {
-		address = inbound.Listen
-	}
 	if inbound.Protocol != model.Shadowsocks {
 		return ""
 	}
-	var stream map[string]any
-	json.Unmarshal([]byte(inbound.StreamSettings), &stream)
+	address := s.resolveInboundAddress(inbound)
+	stream := unmarshalStreamSettings(inbound.StreamSettings)
 	clients, _ := s.inboundService.GetClients(inbound)
 
 	var settings map[string]any
 	json.Unmarshal([]byte(inbound.Settings), &settings)
 	inboundPassword := settings["password"].(string)
 	method := settings["method"].(string)
-	clientIndex := -1
-	for i, client := range clients {
-		if client.Email == email {
-			clientIndex = i
-			break
-		}
-	}
+	clientIndex := findClientIndex(clients, email)
 	streamNetwork := stream["network"].(string)
 	params := make(map[string]string)
 	params["type"] = streamNetwork
 
-	switch streamNetwork {
-	case "tcp":
-		tcp, _ := stream["tcpSettings"].(map[string]any)
-		header, _ := tcp["header"].(map[string]any)
-		typeStr, _ := header["type"].(string)
-		if typeStr == "http" {
-			request := header["request"].(map[string]any)
-			requestPath, _ := request["path"].([]any)
-			params["path"] = requestPath[0].(string)
-			headers, _ := request["headers"].(map[string]any)
-			params["host"] = searchHost(headers)
-			params["headerType"] = "http"
-		}
-	case "kcp":
-		kcp, _ := stream["kcpSettings"].(map[string]any)
-		header, _ := kcp["header"].(map[string]any)
-		params["headerType"] = header["type"].(string)
-		params["seed"] = kcp["seed"].(string)
-	case "ws":
-		ws, _ := stream["wsSettings"].(map[string]any)
-		params["path"] = ws["path"].(string)
-		if host, ok := ws["host"].(string); ok && len(host) > 0 {
-			params["host"] = host
-		} else {
-			headers, _ := ws["headers"].(map[string]any)
-			params["host"] = searchHost(headers)
-		}
-	case "grpc":
-		grpc, _ := stream["grpcSettings"].(map[string]any)
-		params["serviceName"] = grpc["serviceName"].(string)
-		params["authority"], _ = grpc["authority"].(string)
-		if grpc["multiMode"].(bool) {
-			params["mode"] = "multi"
-		}
-	case "httpupgrade":
-		httpupgrade, _ := stream["httpupgradeSettings"].(map[string]any)
-		params["path"] = httpupgrade["path"].(string)
-		if host, ok := httpupgrade["host"].(string); ok && len(host) > 0 {
-			params["host"] = host
-		} else {
-			headers, _ := httpupgrade["headers"].(map[string]any)
-			params["host"] = searchHost(headers)
-		}
-	case "xhttp":
-		xhttp, _ := stream["xhttpSettings"].(map[string]any)
-		params["path"] = xhttp["path"].(string)
-		if host, ok := xhttp["host"].(string); ok && len(host) > 0 {
-			params["host"] = host
-		} else {
-			headers, _ := xhttp["headers"].(map[string]any)
-			params["host"] = searchHost(headers)
-		}
-		params["mode"], _ = xhttp["mode"].(string)
-		applyXhttpPaddingParams(xhttp, params)
+	applyShareNetworkParams(stream, streamNetwork, params)
+	if finalmask, ok := stream["finalmask"].(map[string]any); ok {
+		applyFinalMaskParams(finalmask, params)
 	}
 
 	security, _ := stream["security"].(string)
 	if security == "tls" {
-		params["security"] = "tls"
-		tlsSetting, _ := stream["tlsSettings"].(map[string]any)
-		alpns, _ := tlsSetting["alpn"].([]any)
-		var alpn []string
-		for _, a := range alpns {
-			alpn = append(alpn, a.(string))
-		}
-		if len(alpn) > 0 {
-			params["alpn"] = strings.Join(alpn, ",")
-		}
-		if sniValue, ok := searchKey(tlsSetting, "serverName"); ok {
-			params["sni"], _ = sniValue.(string)
-		}
-
-		tlsSettings, _ := searchKey(tlsSetting, "settings")
-		if tlsSetting != nil {
-			if fpValue, ok := searchKey(tlsSettings, "fingerprint"); ok {
-				params["fp"], _ = fpValue.(string)
-			}
-		}
+		applyShareTLSParams(stream, params)
 	}
 
 	encPart := fmt.Sprintf("%s:%s", method, clients[clientIndex].Password)
@@ -857,61 +368,30 @@ func (s *SubService) genShadowsocksLink(inbound *model.Inbound, email string) st
 	externalProxies, _ := stream["externalProxy"].([]any)
 
 	if len(externalProxies) > 0 {
-		links := ""
-		for index, externalProxy := range externalProxies {
-			ep, _ := externalProxy.(map[string]any)
-			newSecurity, _ := ep["forceTls"].(string)
-			dest, _ := ep["dest"].(string)
-			port := int(ep["port"].(float64))
-			link := fmt.Sprintf("ss://%s@%s:%d", base64.StdEncoding.EncodeToString([]byte(encPart)), dest, port)
-
-			if newSecurity != "same" {
-				params["security"] = newSecurity
-			} else {
-				params["security"] = security
-			}
-			url, _ := url.Parse(link)
-			q := url.Query()
-
-			for k, v := range params {
-				if !(newSecurity == "none" && (k == "alpn" || k == "sni" || k == "fp")) {
-					q.Add(k, v)
-				}
-			}
-
-			// Set the new query values on the URL
-			url.RawQuery = q.Encode()
-
-			url.Fragment = s.genRemark(inbound, email, ep["remark"].(string))
-
-			if index > 0 {
-				links += "\n"
-			}
-			links += url.String()
-		}
-		return links
+		proxyParams := cloneStringMap(params)
+		proxyParams["security"] = security
+		return s.buildExternalProxyURLLinks(
+			externalProxies,
+			proxyParams,
+			security,
+			func(dest string, port int) string {
+				return fmt.Sprintf("ss://%s@%s:%d", base64.StdEncoding.EncodeToString([]byte(encPart)), dest, port)
+			},
+			func(ep map[string]any) string {
+				return s.genRemark(inbound, email, ep["remark"].(string))
+			},
+		)
 	}
 
 	link := fmt.Sprintf("ss://%s@%s:%d", base64.StdEncoding.EncodeToString([]byte(encPart)), address, inbound.Port)
-	url, _ := url.Parse(link)
-	q := url.Query()
-
-	for k, v := range params {
-		q.Add(k, v)
-	}
-
-	// Set the new query values on the URL
-	url.RawQuery = q.Encode()
-
-	url.Fragment = s.genRemark(inbound, email, "")
-	return url.String()
+	return buildLinkWithParams(link, params, s.genRemark(inbound, email, ""))
 }
 
 func (s *SubService) genHysteriaLink(inbound *model.Inbound, email string) string {
 	if !model.IsHysteria(inbound.Protocol) {
 		return ""
 	}
-	var stream map[string]interface{}
+	var stream map[string]any
 	json.Unmarshal([]byte(inbound.StreamSettings), &stream)
 	clients, _ := s.inboundService.GetClients(inbound)
 	clientIndex := -1
@@ -925,8 +405,8 @@ func (s *SubService) genHysteriaLink(inbound *model.Inbound, email string) strin
 	params := make(map[string]string)
 
 	params["security"] = "tls"
-	tlsSetting, _ := stream["tlsSettings"].(map[string]interface{})
-	alpns, _ := tlsSetting["alpn"].([]interface{})
+	tlsSetting, _ := stream["tlsSettings"].(map[string]any)
+	alpns, _ := tlsSetting["alpn"].([]any)
 	var alpn []string
 	for _, a := range alpns {
 		alpn = append(alpn, a.(string))
@@ -953,14 +433,15 @@ func (s *SubService) genHysteriaLink(inbound *model.Inbound, email string) strin
 	// salamander obfs (Hysteria2). The panel-side link generator already
 	// emits these; keep the subscription output in sync so a client has
 	// the obfs password to match the server.
-	if finalmask, ok := stream["finalmask"].(map[string]interface{}); ok {
-		if udpMasks, ok := finalmask["udp"].([]interface{}); ok {
+	if finalmask, ok := stream["finalmask"].(map[string]any); ok {
+		applyFinalMaskParams(finalmask, params)
+		if udpMasks, ok := finalmask["udp"].([]any); ok {
 			for _, m := range udpMasks {
-				mask, _ := m.(map[string]interface{})
+				mask, _ := m.(map[string]any)
 				if mask == nil || mask["type"] != "salamander" {
 					continue
 				}
-				settings, _ := mask["settings"].(map[string]interface{})
+				settings, _ := mask["settings"].(map[string]any)
 				if pw, ok := settings["password"].(string); ok && pw != "" {
 					params["obfs"] = "salamander"
 					params["obfs-password"] = pw
@@ -970,7 +451,7 @@ func (s *SubService) genHysteriaLink(inbound *model.Inbound, email string) strin
 		}
 	}
 
-	var settings map[string]interface{}
+	var settings map[string]any
 	json.Unmarshal([]byte(inbound.Settings), &settings)
 	version, _ := settings["version"].(float64)
 	protocol := "hysteria2"
@@ -983,11 +464,11 @@ func (s *SubService) genHysteriaLink(inbound *model.Inbound, email string) strin
 	// server's own IP/port even when the admin configured an alternate
 	// endpoint (e.g. a CDN hostname + port that forwards to the node).
 	// Matches the behaviour of genVlessLink / genTrojanLink / ….
-	externalProxies, _ := stream["externalProxy"].([]interface{})
+	externalProxies, _ := stream["externalProxy"].([]any)
 	if len(externalProxies) > 0 {
 		links := make([]string, 0, len(externalProxies))
 		for _, externalProxy := range externalProxies {
-			ep, ok := externalProxy.(map[string]interface{})
+			ep, ok := externalProxy.(map[string]any)
 			if !ok {
 				continue
 			}
@@ -1023,6 +504,319 @@ func (s *SubService) genHysteriaLink(inbound *model.Inbound, email string) strin
 	return url.String()
 }
 
+func (s *SubService) resolveInboundAddress(inbound *model.Inbound) string {
+	if inbound.Listen == "" || inbound.Listen == "0.0.0.0" || inbound.Listen == "::" || inbound.Listen == "::0" {
+		return s.address
+	}
+	return inbound.Listen
+}
+
+func findClientIndex(clients []model.Client, email string) int {
+	for i, client := range clients {
+		if client.Email == email {
+			return i
+		}
+	}
+	return -1
+}
+
+func unmarshalStreamSettings(streamSettings string) map[string]any {
+	var stream map[string]any
+	json.Unmarshal([]byte(streamSettings), &stream)
+	return stream
+}
+
+func applyPathAndHostParams(settings map[string]any, params map[string]string) {
+	params["path"] = settings["path"].(string)
+	if host, ok := settings["host"].(string); ok && len(host) > 0 {
+		params["host"] = host
+	} else {
+		headers, _ := settings["headers"].(map[string]any)
+		params["host"] = searchHost(headers)
+	}
+}
+
+func applyPathAndHostObj(settings map[string]any, obj map[string]any) {
+	obj["path"] = settings["path"].(string)
+	if host, ok := settings["host"].(string); ok && len(host) > 0 {
+		obj["host"] = host
+	} else {
+		headers, _ := settings["headers"].(map[string]any)
+		obj["host"] = searchHost(headers)
+	}
+}
+
+func applyShareNetworkParams(stream map[string]any, streamNetwork string, params map[string]string) {
+	switch streamNetwork {
+	case "tcp":
+		tcp, _ := stream["tcpSettings"].(map[string]any)
+		header, _ := tcp["header"].(map[string]any)
+		typeStr, _ := header["type"].(string)
+		if typeStr == "http" {
+			request := header["request"].(map[string]any)
+			requestPath, _ := request["path"].([]any)
+			params["path"] = requestPath[0].(string)
+			headers, _ := request["headers"].(map[string]any)
+			params["host"] = searchHost(headers)
+			params["headerType"] = "http"
+		}
+	case "kcp":
+		applyKcpShareParams(stream, params)
+	case "ws":
+		ws, _ := stream["wsSettings"].(map[string]any)
+		applyPathAndHostParams(ws, params)
+	case "grpc":
+		grpc, _ := stream["grpcSettings"].(map[string]any)
+		params["serviceName"] = grpc["serviceName"].(string)
+		params["authority"], _ = grpc["authority"].(string)
+		if grpc["multiMode"].(bool) {
+			params["mode"] = "multi"
+		}
+	case "httpupgrade":
+		httpupgrade, _ := stream["httpupgradeSettings"].(map[string]any)
+		applyPathAndHostParams(httpupgrade, params)
+	case "xhttp":
+		xhttp, _ := stream["xhttpSettings"].(map[string]any)
+		applyPathAndHostParams(xhttp, params)
+		params["mode"], _ = xhttp["mode"].(string)
+		applyXhttpPaddingParams(xhttp, params)
+	}
+}
+
+func applyXhttpPaddingObj(xhttp map[string]any, obj map[string]any) {
+	// VMess base64 JSON supports arbitrary keys; copy the padding
+	// settings through so clients can match the server's xhttp
+	// xPaddingBytes range and, when the admin opted into obfs
+	// mode, the custom key / header / placement / method.
+	if xpb, ok := xhttp["xPaddingBytes"].(string); ok && len(xpb) > 0 {
+		obj["x_padding_bytes"] = xpb
+	}
+	if obfs, ok := xhttp["xPaddingObfsMode"].(bool); ok && obfs {
+		obj["xPaddingObfsMode"] = true
+		for _, field := range []string{"xPaddingKey", "xPaddingHeader", "xPaddingPlacement", "xPaddingMethod"} {
+			if v, ok := xhttp[field].(string); ok && len(v) > 0 {
+				obj[field] = v
+			}
+		}
+	}
+}
+
+func applyVmessNetworkParams(stream map[string]any, network string, obj map[string]any) {
+	obj["net"] = network
+	switch network {
+	case "tcp":
+		tcp, _ := stream["tcpSettings"].(map[string]any)
+		header, _ := tcp["header"].(map[string]any)
+		typeStr, _ := header["type"].(string)
+		obj["type"] = typeStr
+		if typeStr == "http" {
+			request := header["request"].(map[string]any)
+			requestPath, _ := request["path"].([]any)
+			obj["path"] = requestPath[0].(string)
+			headers, _ := request["headers"].(map[string]any)
+			obj["host"] = searchHost(headers)
+		}
+	case "kcp":
+		applyKcpShareObj(stream, obj)
+	case "ws":
+		ws, _ := stream["wsSettings"].(map[string]any)
+		applyPathAndHostObj(ws, obj)
+	case "grpc":
+		grpc, _ := stream["grpcSettings"].(map[string]any)
+		obj["path"] = grpc["serviceName"].(string)
+		obj["authority"] = grpc["authority"].(string)
+		if grpc["multiMode"].(bool) {
+			obj["type"] = "multi"
+		}
+	case "httpupgrade":
+		httpupgrade, _ := stream["httpupgradeSettings"].(map[string]any)
+		applyPathAndHostObj(httpupgrade, obj)
+	case "xhttp":
+		xhttp, _ := stream["xhttpSettings"].(map[string]any)
+		applyPathAndHostObj(xhttp, obj)
+		obj["mode"], _ = xhttp["mode"].(string)
+		applyXhttpPaddingObj(xhttp, obj)
+	}
+}
+
+func applyShareTLSParams(stream map[string]any, params map[string]string) {
+	params["security"] = "tls"
+	tlsSetting, _ := stream["tlsSettings"].(map[string]any)
+	alpns, _ := tlsSetting["alpn"].([]any)
+	var alpn []string
+	for _, a := range alpns {
+		alpn = append(alpn, a.(string))
+	}
+	if len(alpn) > 0 {
+		params["alpn"] = strings.Join(alpn, ",")
+	}
+	if sniValue, ok := searchKey(tlsSetting, "serverName"); ok {
+		params["sni"], _ = sniValue.(string)
+	}
+
+	tlsSettings, _ := searchKey(tlsSetting, "settings")
+	if tlsSetting != nil {
+		if fpValue, ok := searchKey(tlsSettings, "fingerprint"); ok {
+			params["fp"], _ = fpValue.(string)
+		}
+	}
+}
+
+func applyVmessTLSParams(stream map[string]any, obj map[string]any) {
+	tlsSetting, _ := stream["tlsSettings"].(map[string]any)
+	alpns, _ := tlsSetting["alpn"].([]any)
+	if len(alpns) > 0 {
+		var alpn []string
+		for _, a := range alpns {
+			alpn = append(alpn, a.(string))
+		}
+		obj["alpn"] = strings.Join(alpn, ",")
+	}
+	if sniValue, ok := searchKey(tlsSetting, "serverName"); ok {
+		obj["sni"], _ = sniValue.(string)
+	}
+
+	tlsSettings, _ := searchKey(tlsSetting, "settings")
+	if tlsSetting != nil {
+		if fpValue, ok := searchKey(tlsSettings, "fingerprint"); ok {
+			obj["fp"], _ = fpValue.(string)
+		}
+	}
+}
+
+func applyShareRealityParams(stream map[string]any, params map[string]string) {
+	params["security"] = "reality"
+	realitySetting, _ := stream["realitySettings"].(map[string]any)
+	realitySettings, _ := searchKey(realitySetting, "settings")
+	if realitySetting != nil {
+		if sniValue, ok := searchKey(realitySetting, "serverNames"); ok {
+			sNames, _ := sniValue.([]any)
+			params["sni"] = sNames[random.Num(len(sNames))].(string)
+		}
+		if pbkValue, ok := searchKey(realitySettings, "publicKey"); ok {
+			params["pbk"], _ = pbkValue.(string)
+		}
+		if sidValue, ok := searchKey(realitySetting, "shortIds"); ok {
+			shortIds, _ := sidValue.([]any)
+			params["sid"] = shortIds[random.Num(len(shortIds))].(string)
+		}
+		if fpValue, ok := searchKey(realitySettings, "fingerprint"); ok {
+			if fp, ok := fpValue.(string); ok && len(fp) > 0 {
+				params["fp"] = fp
+			}
+		}
+		if pqvValue, ok := searchKey(realitySettings, "mldsa65Verify"); ok {
+			if pqv, ok := pqvValue.(string); ok && len(pqv) > 0 {
+				params["pqv"] = pqv
+			}
+		}
+		params["spx"] = "/" + random.Seq(15)
+	}
+}
+
+func buildVmessLink(obj map[string]any) string {
+	jsonStr, _ := json.MarshalIndent(obj, "", "  ")
+	return "vmess://" + base64.StdEncoding.EncodeToString(jsonStr)
+}
+
+func cloneVmessShareObj(baseObj map[string]any, newSecurity string) map[string]any {
+	newObj := map[string]any{}
+	for key, value := range baseObj {
+		if !(newSecurity == "none" && (key == "alpn" || key == "sni" || key == "fp")) {
+			newObj[key] = value
+		}
+	}
+	return newObj
+}
+
+func (s *SubService) buildVmessExternalProxyLinks(externalProxies []any, baseObj map[string]any, inbound *model.Inbound, email string) string {
+	var links strings.Builder
+	for index, externalProxy := range externalProxies {
+		ep, _ := externalProxy.(map[string]any)
+		newSecurity, _ := ep["forceTls"].(string)
+		newObj := cloneVmessShareObj(baseObj, newSecurity)
+		newObj["ps"] = s.genRemark(inbound, email, ep["remark"].(string))
+		newObj["add"] = ep["dest"].(string)
+		newObj["port"] = int(ep["port"].(float64))
+
+		if newSecurity != "same" {
+			newObj["tls"] = newSecurity
+		}
+		if index > 0 {
+			links.WriteString("\n")
+		}
+		links.WriteString(buildVmessLink(newObj))
+	}
+	return links.String()
+}
+
+func buildLinkWithParams(link string, params map[string]string, fragment string) string {
+	parsedURL, _ := url.Parse(link)
+	q := parsedURL.Query()
+	for k, v := range params {
+		q.Add(k, v)
+	}
+	parsedURL.RawQuery = q.Encode()
+	parsedURL.Fragment = fragment
+	return parsedURL.String()
+}
+
+func buildLinkWithParamsAndSecurity(link string, params map[string]string, fragment, security string, omitTLSFields bool) string {
+	parsedURL, _ := url.Parse(link)
+	q := parsedURL.Query()
+	for k, v := range params {
+		if k == "security" {
+			v = security
+		}
+		if omitTLSFields && (k == "alpn" || k == "sni" || k == "fp") {
+			continue
+		}
+		q.Add(k, v)
+	}
+	parsedURL.RawQuery = q.Encode()
+	parsedURL.Fragment = fragment
+	return parsedURL.String()
+}
+
+func (s *SubService) buildExternalProxyURLLinks(
+	externalProxies []any,
+	params map[string]string,
+	baseSecurity string,
+	makeLink func(dest string, port int) string,
+	makeRemark func(ep map[string]any) string,
+) string {
+	links := make([]string, 0, len(externalProxies))
+	for _, externalProxy := range externalProxies {
+		ep, _ := externalProxy.(map[string]any)
+		newSecurity, _ := ep["forceTls"].(string)
+		dest, _ := ep["dest"].(string)
+		port := int(ep["port"].(float64))
+
+		securityToApply := baseSecurity
+		if newSecurity != "same" {
+			securityToApply = newSecurity
+		}
+
+		links = append(
+			links,
+			buildLinkWithParamsAndSecurity(
+				makeLink(dest, port),
+				params,
+				makeRemark(ep),
+				securityToApply,
+				newSecurity == "none",
+			),
+		)
+	}
+	return strings.Join(links, "\n")
+}
+
+func cloneStringMap(source map[string]string) map[string]string {
+	cloned := make(map[string]string, len(source))
+	maps.Copy(cloned, source)
+	return cloned
+}
+
 func (s *SubService) genRemark(inbound *model.Inbound, email string, extra string) string {
 	separationChar := string(s.remarkModel[0])
 	orderChars := s.remarkModel[1:]
@@ -1182,6 +976,250 @@ func applyXhttpPaddingParams(xhttp map[string]any, params map[string]string) {
 	}
 }
 
+var kcpMaskToHeaderType = map[string]string{
+	"header-dns":       "dns",
+	"header-dtls":      "dtls",
+	"header-srtp":      "srtp",
+	"header-utp":       "utp",
+	"header-wechat":    "wechat-video",
+	"header-wireguard": "wireguard",
+}
+
+var validFinalMaskUDPTypes = map[string]struct{}{
+	"salamander":       {},
+	"mkcp-aes128gcm":   {},
+	"header-dns":       {},
+	"header-dtls":      {},
+	"header-srtp":      {},
+	"header-utp":       {},
+	"header-wechat":    {},
+	"header-wireguard": {},
+	"mkcp-original":    {},
+	"xdns":             {},
+	"xicmp":            {},
+	"header-custom":    {},
+	"noise":            {},
+	"sudoku":           {},
+}
+
+// applyKcpShareParams reconstructs legacy KCP share-link fields from either
+// the historical kcpSettings.header/seed shape or the current finalmask model.
+// This keeps subscription output compatible while avoiding panics when older
+// keys are absent from modern inbounds.
+func applyKcpShareParams(stream map[string]any, params map[string]string) {
+	extractKcpShareFields(stream).applyToParams(params)
+}
+
+func applyKcpShareObj(stream map[string]any, obj map[string]any) {
+	extractKcpShareFields(stream).applyToObj(obj)
+}
+
+type kcpShareFields struct {
+	headerType string
+	seed       string
+	mtu        int
+	tti        int
+}
+
+func (f kcpShareFields) applyToParams(params map[string]string) {
+	params["headerType"] = f.headerType
+	setStringParam(params, "seed", f.seed)
+	setIntParam(params, "mtu", f.mtu)
+	setIntParam(params, "tti", f.tti)
+}
+
+func (f kcpShareFields) applyToObj(obj map[string]any) {
+	obj["type"] = f.headerType
+	setStringField(obj, "path", f.seed)
+	setIntField(obj, "mtu", f.mtu)
+	setIntField(obj, "tti", f.tti)
+}
+
+func extractKcpShareFields(stream map[string]any) kcpShareFields {
+	fields := kcpShareFields{headerType: "none"}
+
+	if kcp, ok := stream["kcpSettings"].(map[string]any); ok {
+		if header, ok := kcp["header"].(map[string]any); ok {
+			if value, ok := header["type"].(string); ok && value != "" {
+				fields.headerType = value
+			}
+		}
+		if value, ok := kcp["seed"].(string); ok && value != "" {
+			fields.seed = value
+		}
+		if value, ok := readPositiveInt(kcp["mtu"]); ok {
+			fields.mtu = value
+		}
+		if value, ok := readPositiveInt(kcp["tti"]); ok {
+			fields.tti = value
+		}
+	}
+
+	for _, rawMask := range normalizedFinalMaskUDPMasks(stream["finalmask"]) {
+		mask, _ := rawMask.(map[string]any)
+		if mask == nil {
+			continue
+		}
+		maskType, _ := mask["type"].(string)
+		if mapped, ok := kcpMaskToHeaderType[maskType]; ok {
+			fields.headerType = mapped
+			continue
+		}
+
+		switch maskType {
+		case "mkcp-original":
+			fields.seed = ""
+		case "mkcp-aes128gcm":
+			fields.seed = ""
+			settings, _ := mask["settings"].(map[string]any)
+			if value, ok := settings["password"].(string); ok && value != "" {
+				fields.seed = value
+			}
+		}
+	}
+
+	return fields
+}
+
+func readPositiveInt(value any) (int, bool) {
+	switch number := value.(type) {
+	case int:
+		return number, number > 0
+	case int32:
+		return int(number), number > 0
+	case int64:
+		return int(number), number > 0
+	case float32:
+		parsed := int(number)
+		return parsed, parsed > 0
+	case float64:
+		parsed := int(number)
+		return parsed, parsed > 0
+	default:
+		return 0, false
+	}
+}
+
+func setStringParam(params map[string]string, key, value string) {
+	if value == "" {
+		delete(params, key)
+		return
+	}
+	params[key] = value
+}
+
+func setIntParam(params map[string]string, key string, value int) {
+	if value <= 0 {
+		delete(params, key)
+		return
+	}
+	params[key] = fmt.Sprintf("%d", value)
+}
+
+func setStringField(obj map[string]any, key, value string) {
+	if value == "" {
+		delete(obj, key)
+		return
+	}
+	obj[key] = value
+}
+
+func setIntField(obj map[string]any, key string, value int) {
+	if value <= 0 {
+		delete(obj, key)
+		return
+	}
+	obj[key] = value
+}
+
+// applyFinalMaskParams exports the finalmask payload as the compact
+// `fm=<json>` share-link field used by v2rayN-compatible clients.
+func applyFinalMaskParams(finalmask map[string]any, params map[string]string) {
+	if fm, ok := marshalFinalMask(finalmask); ok {
+		params["fm"] = fm
+	}
+}
+
+func applyFinalMaskObj(finalmask map[string]any, obj map[string]any) {
+	if fm, ok := marshalFinalMask(finalmask); ok {
+		obj["fm"] = fm
+	}
+}
+
+func marshalFinalMask(finalmask map[string]any) (string, bool) {
+	normalized := normalizeFinalMask(finalmask)
+	if !hasFinalMaskContent(normalized) {
+		return "", false
+	}
+	b, err := json.Marshal(normalized)
+	if err != nil || len(b) == 0 || string(b) == "null" {
+		return "", false
+	}
+	return string(b), true
+}
+
+func normalizeFinalMask(finalmask map[string]any) map[string]any {
+	udpMasks := normalizedFinalMaskUDPMasks(finalmask)
+	if len(udpMasks) == 0 {
+		return nil
+	}
+	return map[string]any{"udp": udpMasks}
+}
+
+func normalizedFinalMaskUDPMasks(value any) []any {
+	finalmask, _ := value.(map[string]any)
+	if finalmask == nil {
+		return nil
+	}
+	rawMasks, _ := finalmask["udp"].([]any)
+	if len(rawMasks) == 0 {
+		return nil
+	}
+
+	normalized := make([]any, 0, len(rawMasks))
+	for _, rawMask := range rawMasks {
+		mask, _ := rawMask.(map[string]any)
+		if mask == nil {
+			continue
+		}
+		maskType, _ := mask["type"].(string)
+		if _, ok := validFinalMaskUDPTypes[maskType]; !ok || maskType == "" {
+			continue
+		}
+
+		normalizedMask := map[string]any{"type": maskType}
+		if settings, ok := mask["settings"].(map[string]any); ok && len(settings) > 0 {
+			normalizedMask["settings"] = settings
+		}
+		normalized = append(normalized, normalizedMask)
+	}
+
+	if len(normalized) == 0 {
+		return nil
+	}
+	return normalized
+}
+
+func hasFinalMaskContent(value any) bool {
+	switch v := value.(type) {
+	case nil:
+		return false
+	case string:
+		return len(v) > 0
+	case map[string]any:
+		for _, item := range v {
+			if hasFinalMaskContent(item) {
+				return true
+			}
+		}
+		return false
+	case []any:
+		return slices.ContainsFunc(v, hasFinalMaskContent)
+	default:
+		return true
+	}
+}
+
 func searchHost(headers any) string {
 	data, _ := headers.(map[string]any)
 	for k, v := range data {
diff --git a/web/assets/js/model/inbound.js b/web/assets/js/model/inbound.js
index a091e1ef..ef9ad19c 100644
--- a/web/assets/js/model/inbound.js
+++ b/web/assets/js/model/inbound.js
@@ -1370,6 +1370,50 @@ class Inbound extends XrayCommonClass {
         }
     }
 
+    static hasShareableFinalMaskValue(value) {
+        if (value == null) {
+            return false;
+        }
+        if (Array.isArray(value)) {
+            return value.some(item => Inbound.hasShareableFinalMaskValue(item));
+        }
+        if (typeof value === 'object') {
+            return Object.values(value).some(item => Inbound.hasShareableFinalMaskValue(item));
+        }
+        if (typeof value === 'string') {
+            return value.length > 0;
+        }
+        return true;
+    }
+
+    static serializeFinalMask(finalmask) {
+        if (!finalmask) {
+            return '';
+        }
+        const value = typeof finalmask.toJson === 'function' ? finalmask.toJson() : finalmask;
+        return Inbound.hasShareableFinalMaskValue(value) ? JSON.stringify(value) : '';
+    }
+
+    // Export finalmask with the same compact JSON payload shape that
+    // v2rayN-compatible share links use: fm=<json>.
+    static applyFinalMaskToParams(finalmask, params) {
+        if (!params) return;
+        const payload = Inbound.serializeFinalMask(finalmask);
+        if (payload.length > 0) {
+            params.set("fm", payload);
+        }
+    }
+
+    // VMess links are a base64 JSON object, so keep the same fm payload
+    // under a flat property instead of a URL query string.
+    static applyFinalMaskToObj(finalmask, obj) {
+        if (!obj) return;
+        const payload = Inbound.serializeFinalMask(finalmask);
+        if (payload.length > 0) {
+            obj.fm = payload;
+        }
+    }
+
     get clients() {
         switch (this.protocol) {
             case Protocols.VMESS: return this.settings.vmesses;
@@ -1590,6 +1634,8 @@ class Inbound extends XrayCommonClass {
             Inbound.applyXhttpPaddingToObj(xhttp, obj);
         }
 
+        Inbound.applyFinalMaskToObj(this.stream.finalmask, obj);
+
         if (tls === 'tls') {
             if (!ObjectUtil.isEmpty(this.stream.tls.sni)) {
                 obj.sni = this.stream.tls.sni;
@@ -1658,6 +1704,8 @@ class Inbound extends XrayCommonClass {
                 break;
         }
 
+        Inbound.applyFinalMaskToParams(this.stream.finalmask, params);
+
         if (security === 'tls') {
             params.set("security", "tls");
             if (this.stream.isTls) {
@@ -1761,6 +1809,8 @@ class Inbound extends XrayCommonClass {
                 break;
         }
 
+        Inbound.applyFinalMaskToParams(this.stream.finalmask, params);
+
         if (security === 'tls') {
             params.set("security", "tls");
             if (this.stream.isTls) {
@@ -1840,6 +1890,8 @@ class Inbound extends XrayCommonClass {
                 break;
         }
 
+        Inbound.applyFinalMaskToParams(this.stream.finalmask, params);
+
         if (security === 'tls') {
             params.set("security", "tls");
             if (this.stream.isTls) {
@@ -1907,6 +1959,8 @@ class Inbound extends XrayCommonClass {
             }
         }
 
+        Inbound.applyFinalMaskToParams(this.stream.finalmask, params);
+
         const url = new URL(link);
         for (const [key, value] of params) {
             url.searchParams.set(key, value);
diff --git a/web/assets/js/model/outbound.js b/web/assets/js/model/outbound.js
index 8db9d8e2..a84c0318 100644
--- a/web/assets/js/model/outbound.js
+++ b/web/assets/js/model/outbound.js
@@ -992,6 +992,10 @@ class Outbound extends CommonClass {
             stream.kcp = new KcpStreamSettings();
             stream.type = json.type;
             stream.seed = json.path;
+            const mtu = Number(json.mtu);
+            if (Number.isFinite(mtu) && mtu > 0) stream.kcp.mtu = mtu;
+            const tti = Number(json.tti);
+            if (Number.isFinite(tti) && tti > 0) stream.kcp.tti = tti;
         } else if (network === 'ws') {
             stream.ws = new WsStreamSettings(json.path, json.host);
         } else if (network === 'grpc') {
@@ -1029,6 +1033,7 @@ class Outbound extends CommonClass {
         let headerType = url.searchParams.get('headerType') ?? undefined;
         let host = url.searchParams.get('host') ?? undefined;
         let path = url.searchParams.get('path') ?? undefined;
+        let seed = url.searchParams.get('seed') ?? path ?? undefined;
         let mode = url.searchParams.get('mode') ?? undefined;
 
         if (type === 'tcp' || type === 'none') {
@@ -1036,7 +1041,11 @@ class Outbound extends CommonClass {
         } else if (type === 'kcp') {
             stream.kcp = new KcpStreamSettings();
             stream.kcp.type = headerType ?? 'none';
-            stream.kcp.seed = path;
+            stream.kcp.seed = seed;
+            const mtu = Number(url.searchParams.get('mtu'));
+            if (Number.isFinite(mtu) && mtu > 0) stream.kcp.mtu = mtu;
+            const tti = Number(url.searchParams.get('tti'));
+            if (Number.isFinite(tti) && tti > 0) stream.kcp.tti = tti;
         } else if (type === 'ws') {
             stream.ws = new WsStreamSettings(path, host);
         } else if (type === 'grpc') {
diff --git a/web/html/settings/panel/subscription/subpage.html b/web/html/settings/panel/subscription/subpage.html
index 64c1224d..2b3c7939 100644
--- a/web/html/settings/panel/subscription/subpage.html
+++ b/web/html/settings/panel/subscription/subpage.html
@@ -6,6 +6,23 @@
 <script src="{{ .base_path }}assets/js/util/index.js?{{ .cur_ver }}"></script>
 <script src="{{ .base_path }}assets/qrcode/qrious2.min.js?{{ .cur_ver }}"></script>
 <style>
+    .subscription-page tr-qr-box.qr-box {
+        display: inline-flex;
+        flex-direction: column;
+        align-items: center;
+        width: 220px;
+    }
+
+    .subscription-page tr-qr-box.qr-box .qr-tag {
+        width: 100%;
+        justify-content: center;
+    }
+
+    .subscription-page tr-qr-box.qr-box .qr-bg,
+    .subscription-page tr-qr-box.qr-box .qr-bg-sub {
+        margin-inline: auto;
+    }
+
     .subscription-page .subscription-link-box {
         cursor: pointer;
         border-radius: 12px;
@@ -193,8 +210,6 @@
                             </div>
                         </div>
                     </div>
-
-                    </div>
                     <br />
 
                     <a-form layout="vertical">

From 9791b05a4efd2e22621927b9e80d288386e510df Mon Sep 17 00:00:00 2001
From: MHSanaei <ho3ein.sanaei@gmail.com>
Date: Mon, 27 Apr 2026 01:23:38 +0200
Subject: [PATCH 10/17] kcp: noise, header-custom, sudoku

---
 web/assets/js/model/inbound.js             | 41 ++++++++++-
 web/assets/js/model/outbound.js            | 41 ++++++++++-
 web/assets/js/util/index.js                |  6 ++
 web/html/form/outbound.html                | 86 ++++++++++++----------
 web/html/form/stream/stream_finalmask.html | 71 +++++++++++-------
 web/html/xray.html                         |  3 +-
 6 files changed, 174 insertions(+), 74 deletions(-)

diff --git a/web/assets/js/model/inbound.js b/web/assets/js/model/inbound.js
index ef9ad19c..b5971a68 100644
--- a/web/assets/js/model/inbound.js
+++ b/web/assets/js/model/inbound.js
@@ -1085,11 +1085,23 @@ class UdpMask extends XrayCommonClass {
             case 'header-wireguard':
                 return {};
             case 'header-custom':
-                return { client: [], server: [] };
+                return {
+                    client: Array.isArray(settings.client) ? settings.client : [],
+                    server: Array.isArray(settings.server) ? settings.server : [],
+                };
             case 'noise':
-                return { reset: 0, noise: [] };
+                return {
+                    reset: settings.reset ?? 0,
+                    noise: Array.isArray(settings.noise) ? settings.noise : [],
+                };
             case 'sudoku':
-                return { ascii: '', customTable: '', customTables: [], paddingMin: 0, paddingMax: 0 };
+                return {
+                    ascii: settings.ascii || '',
+                    customTable: settings.customTable || '',
+                    customTables: settings.customTables ?? [],
+                    paddingMin: settings.paddingMin ?? 0,
+                    paddingMax: settings.paddingMax ?? 0,
+                };
             default:
                 return settings;
         }
@@ -1103,9 +1115,30 @@ class UdpMask extends XrayCommonClass {
     }
 
     toJson() {
+        const cleanItem = item => {
+            const out = { ...item };
+            if (out.type === 'array') {
+                delete out.packet;
+            } else {
+                out.rand = 0;
+            }
+            return out;
+        };
+
+        let settings = this.settings;
+        if (this.type === 'noise' && settings && Array.isArray(settings.noise)) {
+            settings = { ...settings, noise: settings.noise.map(cleanItem) };
+        } else if (this.type === 'header-custom' && settings) {
+            settings = {
+                ...settings,
+                client: Array.isArray(settings.client) ? settings.client.map(cleanItem) : settings.client,
+                server: Array.isArray(settings.server) ? settings.server.map(cleanItem) : settings.server,
+            };
+        }
+
         return {
             type: this.type,
-            settings: (this.settings && Object.keys(this.settings).length > 0) ? this.settings : undefined
+            settings: (settings && Object.keys(settings).length > 0) ? settings : undefined
         };
     }
 }
diff --git a/web/assets/js/model/outbound.js b/web/assets/js/model/outbound.js
index a84c0318..aa90d20d 100644
--- a/web/assets/js/model/outbound.js
+++ b/web/assets/js/model/outbound.js
@@ -655,11 +655,23 @@ class UdpMask extends CommonClass {
             case 'header-wireguard':
                 return {}; // No settings needed
             case 'header-custom':
-                return { client: [], server: [] };
+                return {
+                    client: Array.isArray(settings.client) ? settings.client : [],
+                    server: Array.isArray(settings.server) ? settings.server : [],
+                };
             case 'noise':
-                return { reset: 0, noise: [] };
+                return {
+                    reset: settings.reset ?? 0,
+                    noise: Array.isArray(settings.noise) ? settings.noise : [],
+                };
             case 'sudoku':
-                return { ascii: '', customTable: '', customTables: [], paddingMin: 0, paddingMax: 0 };
+                return {
+                    ascii: settings.ascii || '',
+                    customTable: settings.customTable || '',
+                    customTables: Array.isArray(settings.customTables) ? settings.customTables : [],
+                    paddingMin: settings.paddingMin ?? 0,
+                    paddingMax: settings.paddingMax ?? 0
+                };
             default:
                 return settings;
         }
@@ -673,9 +685,30 @@ class UdpMask extends CommonClass {
     }
 
     toJson() {
+        const cleanItem = item => {
+            const out = { ...item };
+            if (out.type === 'array') {
+                delete out.packet;
+            } else {
+                out.rand = 0;
+            }
+            return out;
+        };
+
+        let settings = this.settings;
+        if (this.type === 'noise' && settings && Array.isArray(settings.noise)) {
+            settings = { ...settings, noise: settings.noise.map(cleanItem) };
+        } else if (this.type === 'header-custom' && settings) {
+            settings = {
+                ...settings,
+                client: Array.isArray(settings.client) ? settings.client.map(cleanItem) : settings.client,
+                server: Array.isArray(settings.server) ? settings.server.map(cleanItem) : settings.server,
+            };
+        }
+
         return {
             type: this.type,
-            settings: (this.settings && Object.keys(this.settings).length > 0) ? this.settings : undefined
+            settings: (settings && Object.keys(settings).length > 0) ? settings : undefined
         };
     }
 }
diff --git a/web/assets/js/util/index.js b/web/assets/js/util/index.js
index cc7b9287..1f481c85 100644
--- a/web/assets/js/util/index.js
+++ b/web/assets/js/util/index.js
@@ -152,6 +152,12 @@ class RandomUtil {
         return Base64.alternativeEncode(String.fromCharCode(...array));
     }
 
+    static randomBase64(length = 16) {
+        const array = new Uint8Array(length);
+        window.crypto.getRandomValues(array);
+        return Base64.alternativeEncode(String.fromCharCode(...array));
+    }
+
     static randomBase32String(length = 16) {
         const array = new Uint8Array(length);
 
diff --git a/web/html/form/outbound.html b/web/html/form/outbound.html
index c350d70f..81b488c7 100644
--- a/web/html/form/outbound.html
+++ b/web/html/form/outbound.html
@@ -972,22 +972,11 @@
                     :style="{ color: 'rgb(255, 77, 79)', cursor: 'pointer' }"
                   ></a-icon>
                 </a-divider>
-                <a-form-item label="Rand">
-                  <a-input-number
-                    v-model.number="c.rand"
-                    :min="0"
-                  ></a-input-number>
-                </a-form-item>
-                <a-form-item label="Rand Range">
-                  <a-input
-                    v-model.trim="c.randRange"
-                    placeholder="0-255"
-                  ></a-input>
-                </a-form-item>
                 <a-form-item label="Type">
                   <a-select
                     v-model="c.type"
                     :dropdown-class-name="themeSwitcher.currentTheme"
+                    @change="t => { if(t === 'array') c.packet = []; else c.packet = ''; }"
                   >
                     <a-select-option value="array">Array</a-select-option>
                     <a-select-option value="str">String</a-select-option>
@@ -995,7 +984,21 @@
                     <a-select-option value="base64">Base64</a-select-option>
                   </a-select>
                 </a-form-item>
-                <a-form-item label="Packet">
+                <template v-if="c.type === 'array'">
+                  <a-form-item label="Rand">
+                    <a-input-number
+                      v-model.number="c.rand"
+                      :min="0"
+                    ></a-input-number>
+                  </a-form-item>
+                  <a-form-item label="Rand Range">
+                    <a-input
+                      v-model.trim="c.randRange"
+                      placeholder="0-255"
+                    ></a-input>
+                  </a-form-item>
+                </template>
+                <a-form-item label="Packet" v-else>
                   <a-input v-model.trim="c.packet" placeholder="binary data" />
                 </a-form-item>
               </template>
@@ -1017,22 +1020,11 @@
                     :style="{ color: 'rgb(255, 77, 79)', cursor: 'pointer' }"
                   ></a-icon>
                 </a-divider>
-                <a-form-item label="Rand">
-                  <a-input-number
-                    v-model.number="s.rand"
-                    :min="0"
-                  ></a-input-number>
-                </a-form-item>
-                <a-form-item label="Rand Range">
-                  <a-input
-                    v-model.trim="s.randRange"
-                    placeholder="0-255"
-                  ></a-input>
-                </a-form-item>
                 <a-form-item label="Type">
                   <a-select
                     v-model="s.type"
                     :dropdown-class-name="themeSwitcher.currentTheme"
+                    @change="t => { if(t === 'array') s.packet = []; else s.packet = ''; }"
                   >
                     <a-select-option value="array">Array</a-select-option>
                     <a-select-option value="str">String</a-select-option>
@@ -1040,7 +1032,21 @@
                     <a-select-option value="base64">Base64</a-select-option>
                   </a-select>
                 </a-form-item>
-                <a-form-item label="Packet">
+                <template v-if="s.type === 'array'">
+                  <a-form-item label="Rand">
+                    <a-input-number
+                      v-model.number="s.rand"
+                      :min="0"
+                    ></a-input-number>
+                  </a-form-item>
+                  <a-form-item label="Rand Range">
+                    <a-input
+                      v-model.trim="s.randRange"
+                      placeholder="0-255"
+                    ></a-input>
+                  </a-form-item>
+                </template>
+                <a-form-item label="Packet" v-else>
                   <a-input v-model.trim="s.packet" placeholder="binary data" />
                 </a-form-item>
               </template>
@@ -1080,7 +1086,7 @@
                   type="plus"
                   type="primary"
                   size="small"
-                  @click="mask.settings.noise.push({rand: '1-8192', randRange: '0-255', type: 'array', packet: '', delay: ''})"
+                  @click="mask.settings.noise.push({rand: 0, randRange: '0-255', type: 'array', packet: [], delay: ''})"
                 />
               </a-form-item>
               <template v-for="(n, index) in mask.settings.noise" :key="index">
@@ -1092,22 +1098,11 @@
                     :style="{ color: 'rgb(255, 77, 79)', cursor: 'pointer' }"
                   ></a-icon>
                 </a-divider>
-                <a-form-item label="Rand">
-                  <a-input-number
-                    v-model.number="n.rand"
-                    :min="0"
-                  ></a-input-number>
-                </a-form-item>
-                <a-form-item label="Rand Range">
-                  <a-input
-                    v-model.trim="n.randRange"
-                    placeholder="0-255"
-                  ></a-input>
-                </a-form-item>
                 <a-form-item label="Type">
                   <a-select
                     v-model="n.type"
                     :dropdown-class-name="themeSwitcher.currentTheme"
+                    @change="t => { if(t === 'array') n.packet = []; else n.packet = ''; }"
                   >
                     <a-select-option value="array">Array</a-select-option>
                     <a-select-option value="str">String</a-select-option>
@@ -1115,7 +1110,18 @@
                     <a-select-option value="base64">Base64</a-select-option>
                   </a-select>
                 </a-form-item>
-                <a-form-item label="Packet">
+                <template v-if="n.type === 'array'">
+                  <a-form-item label="Rand">
+                    <a-input v-model.trim="n.rand" placeholder="0 or 1-8192" />
+                  </a-form-item>
+                  <a-form-item label="Rand Range">
+                    <a-input
+                      v-model.trim="n.randRange"
+                      placeholder="0-255"
+                    ></a-input>
+                  </a-form-item>
+                </template>
+                <a-form-item label="Packet" v-else>
                   <a-input v-model.trim="n.packet" placeholder="binary data" />
                 </a-form-item>
                 <a-form-item label="Delay">
diff --git a/web/html/form/stream/stream_finalmask.html b/web/html/form/stream/stream_finalmask.html
index 64bf2c06..f0ec87cf 100644
--- a/web/html/form/stream/stream_finalmask.html
+++ b/web/html/form/stream/stream_finalmask.html
@@ -116,16 +116,11 @@
               :style="{ color: 'rgb(255, 77, 79)', cursor: 'pointer' }"
             ></a-icon>
           </a-divider>
-          <a-form-item label="Rand">
-            <a-input-number v-model.number="c.rand" />
-          </a-form-item>
-          <a-form-item label="Rand Range">
-            <a-input v-model.trim="c.randRange" placeholder="0-255" />
-          </a-form-item>
           <a-form-item label='{{ i18n "pages.xray.outbound.type" }}'>
             <a-select
               v-model="c.type"
               :dropdown-class-name="themeSwitcher.currentTheme"
+              @change="t => { if(t === 'base64') c.packet = RandomUtil.randomBase64(); else if(t === 'array') c.packet = []; else c.packet = ''; }"
             >
               <a-select-option value="array">Array</a-select-option>
               <a-select-option value="str">String</a-select-option>
@@ -133,8 +128,20 @@
               <a-select-option value="base64">Base64</a-select-option>
             </a-select>
           </a-form-item>
-          <a-form-item label="Packet">
-            <a-input v-model.trim="c.packet" placeholder="binary data" />
+          <template v-if="c.type === 'array'">
+            <a-form-item label="Rand">
+              <a-input-number v-model.number="c.rand" />
+            </a-form-item>
+            <a-form-item label="Rand Range">
+              <a-input v-model.trim="c.randRange" placeholder="0-255" />
+            </a-form-item>
+          </template>
+          <a-form-item v-else label="Packet">
+            <a-input-group compact v-if="c.type === 'base64'">
+              <a-input v-model.trim="c.packet" placeholder="binary data" :style="{ width: 'calc(100% - 32px)' }" />
+              <a-button icon="reload" @click="c.packet = RandomUtil.randomBase64()" />
+            </a-input-group>
+            <a-input v-else v-model.trim="c.packet" placeholder="binary data" />
           </a-form-item>
         </template>
         <a-divider :style="{ margin: '0' }"></a-divider>
@@ -155,16 +162,11 @@
               :style="{ color: 'rgb(255, 77, 79)', cursor: 'pointer' }"
             ></a-icon>
           </a-divider>
-          <a-form-item label="Rand">
-            <a-input-number v-model.number="s.rand" />
-          </a-form-item>
-          <a-form-item label="Rand Range">
-            <a-input v-model.trim="s.randRange" placeholder="0-255" />
-          </a-form-item>
           <a-form-item label='{{ i18n "pages.xray.outbound.type" }}'>
             <a-select
               v-model="s.type"
               :dropdown-class-name="themeSwitcher.currentTheme"
+              @change="t => { if(t === 'base64') s.packet = RandomUtil.randomBase64(); else if(t === 'array') s.packet = []; else s.packet = ''; }"
             >
               <a-select-option value="array">Array</a-select-option>
               <a-select-option value="str">String</a-select-option>
@@ -172,8 +174,20 @@
               <a-select-option value="base64">Base64</a-select-option>
             </a-select>
           </a-form-item>
-          <a-form-item label="Packet">
-            <a-input v-model.trim="s.packet" placeholder="binary data" />
+          <template v-if="s.type === 'array'">
+            <a-form-item label="Rand">
+              <a-input-number v-model.number="s.rand" />
+            </a-form-item>
+            <a-form-item label="Rand Range">
+              <a-input v-model.trim="s.randRange" placeholder="0-255" />
+            </a-form-item>
+          </template>
+          <a-form-item v-else label="Packet">
+            <a-input-group compact v-if="s.type === 'base64'">
+              <a-input v-model.trim="s.packet" placeholder="binary data" :style="{ width: 'calc(100% - 32px)' }" />
+              <a-button icon="reload" @click="s.packet = RandomUtil.randomBase64()" />
+            </a-input-group>
+            <a-input v-else v-model.trim="s.packet" placeholder="binary data" />
           </a-form-item>
         </template>
       </template>
@@ -186,7 +200,7 @@
             type="plus"
             type="primary"
             size="small"
-            @click="mask.settings.noise.push({rand: '1-8192', randRange: '0-255', type: 'array', packet: '', delay: ''})"
+            @click="mask.settings.noise.push({rand: '1-8192', randRange: '0-255', type: 'array', packet: [], delay: '10-20'})"
           />
         </a-form-item>
         <template v-for="(n, index) in mask.settings.noise" :key="index">
@@ -198,16 +212,11 @@
               :style="{ color: 'rgb(255, 77, 79)', cursor: 'pointer' }"
             ></a-icon>
           </a-divider>
-          <a-form-item label="Rand">
-            <a-input v-model.trim="n.rand" placeholder="1-8192" />
-          </a-form-item>
-          <a-form-item label="Rand Range">
-            <a-input v-model.trim="n.randRange" placeholder="0-255" />
-          </a-form-item>
           <a-form-item label='{{ i18n "pages.xray.outbound.type" }}'>
             <a-select
               v-model="n.type"
               :dropdown-class-name="themeSwitcher.currentTheme"
+              @change="t => { if(t === 'base64') n.packet = RandomUtil.randomBase64(); else if(t === 'array') n.packet = []; else n.packet = ''; }"
             >
               <a-select-option value="array">Array</a-select-option>
               <a-select-option value="str">String</a-select-option>
@@ -215,8 +224,20 @@
               <a-select-option value="base64">Base64</a-select-option>
             </a-select>
           </a-form-item>
-          <a-form-item label="Packet">
-            <a-input v-model.trim="n.packet" placeholder="binary data" />
+          <template v-if="n.type === 'array'">
+            <a-form-item label="Rand">
+              <a-input v-model.trim="n.rand" placeholder="0 or 1-8192" />
+            </a-form-item>
+            <a-form-item label="Rand Range">
+              <a-input v-model.trim="n.randRange" placeholder="0-255" />
+            </a-form-item>
+          </template>
+          <a-form-item v-else label="Packet">
+            <a-input-group compact v-if="n.type === 'base64'">
+              <a-input v-model.trim="n.packet" placeholder="binary data" :style="{ width: 'calc(100% - 32px)' }" />
+              <a-button icon="reload" @click="n.packet = RandomUtil.randomBase64()" />
+            </a-input-group>
+            <a-input v-else v-model.trim="n.packet" placeholder="binary data" />
           </a-form-item>
           <a-form-item label="Delay">
             <a-input v-model.trim="n.delay" placeholder="10-20" />
diff --git a/web/html/xray.html b/web/html/xray.html
index a4d17459..61c40c80 100644
--- a/web/html/xray.html
+++ b/web/html/xray.html
@@ -1077,7 +1077,8 @@
             return;
           }
           if (!msg.obj) return;
-          const { geoip = [], geosite = [] } = msg.obj;
+          const geoip = msg.obj.geoip ?? [];
+          const geosite = msg.obj.geosite ?? [];
           const geoSuffix = this.customGeoAliasLabelSuffix || '';
           geoip.forEach((x) => {
             this.settingsData.IPsOptions.push({

From 6d05702d005aeab043d71f9dc0fe51f50d10ccf7 Mon Sep 17 00:00:00 2001
From: MHSanaei <ho3ein.sanaei@gmail.com>
Date: Mon, 27 Apr 2026 02:29:13 +0200
Subject: [PATCH 11/17] TCP Masks

---
 sub/subService.go                          |  61 ++-
 web/assets/js/model/inbound.js             | 208 +++++++++-
 web/assets/js/model/outbound.js            | 167 +++++++-
 web/html/form/outbound.html                | 451 ++++++++++++++------
 web/html/form/stream/stream_finalmask.html | 456 +++++++++++++++------
 5 files changed, 1069 insertions(+), 274 deletions(-)

diff --git a/sub/subService.go b/sub/subService.go
index 67b931ce..1ab55039 100644
--- a/sub/subService.go
+++ b/sub/subService.go
@@ -997,9 +997,14 @@ var validFinalMaskUDPTypes = map[string]struct{}{
 	"mkcp-original":    {},
 	"xdns":             {},
 	"xicmp":            {},
-	"header-custom":    {},
 	"noise":            {},
-	"sudoku":           {},
+	"header-custom":    {},
+}
+
+var validFinalMaskTCPTypes = map[string]struct{}{
+	"header-custom": {},
+	"fragment":      {},
+	"sudoku":        {},
 }
 
 // applyKcpShareParams reconstructs legacy KCP share-link fields from either
@@ -1159,11 +1164,59 @@ func marshalFinalMask(finalmask map[string]any) (string, bool) {
 }
 
 func normalizeFinalMask(finalmask map[string]any) map[string]any {
+	tcpMasks := normalizedFinalMaskTCPMasks(finalmask)
 	udpMasks := normalizedFinalMaskUDPMasks(finalmask)
-	if len(udpMasks) == 0 {
+	quicParams, hasQuicParams := finalmask["quicParams"].(map[string]any)
+
+	if len(tcpMasks) == 0 && len(udpMasks) == 0 && !hasQuicParams {
 		return nil
 	}
-	return map[string]any{"udp": udpMasks}
+
+	result := map[string]any{}
+	if len(tcpMasks) > 0 {
+		result["tcp"] = tcpMasks
+	}
+	if len(udpMasks) > 0 {
+		result["udp"] = udpMasks
+	}
+	if hasQuicParams && len(quicParams) > 0 {
+		result["quicParams"] = quicParams
+	}
+	return result
+}
+
+func normalizedFinalMaskTCPMasks(value any) []any {
+	finalmask, _ := value.(map[string]any)
+	if finalmask == nil {
+		return nil
+	}
+	rawMasks, _ := finalmask["tcp"].([]any)
+	if len(rawMasks) == 0 {
+		return nil
+	}
+
+	normalized := make([]any, 0, len(rawMasks))
+	for _, rawMask := range rawMasks {
+		mask, _ := rawMask.(map[string]any)
+		if mask == nil {
+			continue
+		}
+		maskType, _ := mask["type"].(string)
+		if _, ok := validFinalMaskTCPTypes[maskType]; !ok || maskType == "" {
+			continue
+		}
+
+		normalizedMask := map[string]any{"type": maskType}
+		if settings, ok := mask["settings"].(map[string]any); ok && len(settings) > 0 {
+			normalizedMask["settings"] = settings
+		}
+		normalized = append(normalized, normalizedMask)
+	}
+
+	if len(normalized) == 0 {
+		return nil
+	}
+	return normalized
 }
 
 func normalizedFinalMaskUDPMasks(value any) []any {
diff --git a/web/assets/js/model/inbound.js b/web/assets/js/model/inbound.js
index b5971a68..e002ac91 100644
--- a/web/assets/js/model/inbound.js
+++ b/web/assets/js/model/inbound.js
@@ -1094,14 +1094,6 @@ class UdpMask extends XrayCommonClass {
                     reset: settings.reset ?? 0,
                     noise: Array.isArray(settings.noise) ? settings.noise : [],
                 };
-            case 'sudoku':
-                return {
-                    ascii: settings.ascii || '',
-                    customTable: settings.customTable || '',
-                    customTables: settings.customTables ?? [],
-                    paddingMin: settings.paddingMin ?? 0,
-                    paddingMax: settings.paddingMax ?? 0,
-                };
             default:
                 return settings;
         }
@@ -1120,7 +1112,8 @@ class UdpMask extends XrayCommonClass {
             if (out.type === 'array') {
                 delete out.packet;
             } else {
-                out.rand = 0;
+                delete out.rand;
+                delete out.randRange;
             }
             return out;
         };
@@ -1143,20 +1136,190 @@ class UdpMask extends XrayCommonClass {
     }
 }
 
-class FinalMaskStreamSettings extends XrayCommonClass {
-    constructor(udp = []) {
+class TcpMask extends XrayCommonClass {
+    constructor(type = 'fragment', settings = {}) {
         super();
-        this.udp = Array.isArray(udp) ? udp.map(u => new UdpMask(u.type, u.settings)) : [new UdpMask(udp.type, udp.settings)];
+        this.type = type;
+        this.settings = this._getDefaultSettings(type, settings);
+    }
+
+    _getDefaultSettings(type, settings = {}) {
+        switch (type) {
+            case 'fragment':
+                return {
+                    packets: settings.packets ?? 'tlshello',
+                    length: settings.length ?? '',
+                    delay: settings.delay ?? '',
+                    maxSplit: settings.maxSplit ?? '',
+                };
+            case 'sudoku':
+                return {
+                    password: settings.password ?? '',
+                    ascii: settings.ascii ?? '',
+                    customTable: settings.customTable ?? '',
+                    customTables: Array.isArray(settings.customTables) ? settings.customTables : [],
+                    paddingMin: settings.paddingMin ?? 0,
+                    paddingMax: settings.paddingMax ?? 0,
+                };
+            case 'header-custom':
+                return {
+                    clients: Array.isArray(settings.clients) ? settings.clients : [],
+                    servers: Array.isArray(settings.servers) ? settings.servers : [],
+                };
+            default:
+                return settings;
+        }
     }
 
     static fromJson(json = {}) {
-        return new FinalMaskStreamSettings(json.udp || []);
+        return new TcpMask(
+            json.type || 'fragment',
+            json.settings || {}
+        );
     }
 
     toJson() {
-        return {
-            udp: this.udp.map(udp => udp.toJson())
+        const cleanItem = item => {
+            const out = { ...item };
+            if (out.type === 'array') {
+                delete out.packet;
+            } else {
+                delete out.rand;
+                delete out.randRange;
+            }
+            return out;
         };
+
+        let settings = this.settings;
+        if (this.type === 'header-custom' && settings) {
+            const cleanGroup = group => Array.isArray(group) ? group.map(cleanItem) : group;
+            settings = {
+                ...settings,
+                clients: Array.isArray(settings.clients) ? settings.clients.map(cleanGroup) : settings.clients,
+                servers: Array.isArray(settings.servers) ? settings.servers.map(cleanGroup) : settings.servers,
+            };
+        }
+
+        return {
+            type: this.type,
+            settings: (settings && Object.keys(settings).length > 0) ? settings : undefined
+        };
+    }
+}
+
+class QuicParams extends XrayCommonClass {
+    constructor(
+        congestion = 'bbr',
+        debug = false,
+        brutalUp = '',
+        brutalDown = '',
+        udpHop = undefined,
+        initStreamReceiveWindow = 8388608,
+        maxStreamReceiveWindow = 8388608,
+        initConnectionReceiveWindow = 20971520,
+        maxConnectionReceiveWindow = 20971520,
+        maxIdleTimeout = 30,
+        keepAlivePeriod = 0,
+        disablePathMTUDiscovery = false,
+        maxIncomingStreams = 1024,
+    ) {
+        super();
+        this.congestion = congestion;
+        this.debug = debug;
+        this.brutalUp = brutalUp;
+        this.brutalDown = brutalDown;
+        this.udpHop = udpHop;
+        this.initStreamReceiveWindow = initStreamReceiveWindow;
+        this.maxStreamReceiveWindow = maxStreamReceiveWindow;
+        this.initConnectionReceiveWindow = initConnectionReceiveWindow;
+        this.maxConnectionReceiveWindow = maxConnectionReceiveWindow;
+        this.maxIdleTimeout = maxIdleTimeout;
+        this.keepAlivePeriod = keepAlivePeriod;
+        this.disablePathMTUDiscovery = disablePathMTUDiscovery;
+        this.maxIncomingStreams = maxIncomingStreams;
+    }
+
+    get hasUdpHop() {
+        return this.udpHop != null;
+    }
+
+    set hasUdpHop(value) {
+        this.udpHop = value ? (this.udpHop || { ports: '20000-50000', interval: '5-10' }) : undefined;
+    }
+
+    static fromJson(json = {}) {
+        if (!json || Object.keys(json).length === 0) return undefined;
+        return new QuicParams(
+            json.congestion,
+            json.debug,
+            json.brutalUp,
+            json.brutalDown,
+            json.udpHop ? { ports: json.udpHop.ports, interval: json.udpHop.interval } : undefined,
+            json.initStreamReceiveWindow,
+            json.maxStreamReceiveWindow,
+            json.initConnectionReceiveWindow,
+            json.maxConnectionReceiveWindow,
+            json.maxIdleTimeout,
+            json.keepAlivePeriod,
+            json.disablePathMTUDiscovery,
+            json.maxIncomingStreams,
+        );
+    }
+
+    toJson() {
+        const result = { congestion: this.congestion };
+        if (this.debug) result.debug = this.debug;
+        if (this.brutalUp) result.brutalUp = this.brutalUp;
+        if (this.brutalDown) result.brutalDown = this.brutalDown;
+        if (this.udpHop) result.udpHop = { ports: this.udpHop.ports, interval: this.udpHop.interval };
+        if (this.initStreamReceiveWindow > 0) result.initStreamReceiveWindow = this.initStreamReceiveWindow;
+        if (this.maxStreamReceiveWindow > 0) result.maxStreamReceiveWindow = this.maxStreamReceiveWindow;
+        if (this.initConnectionReceiveWindow > 0) result.initConnectionReceiveWindow = this.initConnectionReceiveWindow;
+        if (this.maxConnectionReceiveWindow > 0) result.maxConnectionReceiveWindow = this.maxConnectionReceiveWindow;
+        if (this.maxIdleTimeout !== 30 && this.maxIdleTimeout > 0) result.maxIdleTimeout = this.maxIdleTimeout;
+        if (this.keepAlivePeriod > 0) result.keepAlivePeriod = this.keepAlivePeriod;
+        if (this.disablePathMTUDiscovery) result.disablePathMTUDiscovery = this.disablePathMTUDiscovery;
+        if (this.maxIncomingStreams > 0) result.maxIncomingStreams = this.maxIncomingStreams;
+        return result;
+    }
+}
+
+class FinalMaskStreamSettings extends XrayCommonClass {
+    constructor(tcp = [], udp = [], quicParams = undefined) {
+        super();
+        this.tcp = Array.isArray(tcp) ? tcp.map(t => t instanceof TcpMask ? t : new TcpMask(t.type, t.settings)) : [];
+        this.udp = Array.isArray(udp) ? udp.map(u => new UdpMask(u.type, u.settings)) : [new UdpMask(udp.type, udp.settings)];
+        this.quicParams = quicParams instanceof QuicParams ? quicParams : (quicParams ? QuicParams.fromJson(quicParams) : undefined);
+    }
+
+    get enableQuicParams() {
+        return this.quicParams != null;
+    }
+
+    set enableQuicParams(value) {
+        this.quicParams = value ? (this.quicParams || new QuicParams()) : undefined;
+    }
+
+    static fromJson(json = {}) {
+        return new FinalMaskStreamSettings(
+            json.tcp || [],
+            json.udp || [],
+            json.quicParams ? QuicParams.fromJson(json.quicParams) : undefined,
+        );
+    }
+
+    toJson() {
+        const result = {};
+        if (this.tcp && this.tcp.length > 0) {
+            result.tcp = this.tcp.map(t => t.toJson());
+        }
+        if (this.udp && this.udp.length > 0) {
+            result.udp = this.udp.map(udp => udp.toJson());
+        }
+        if (this.quicParams) {
+            result.quicParams = this.quicParams.toJson();
+        }
+        return result;
     }
 }
 
@@ -1193,6 +1356,16 @@ class StreamSettings extends XrayCommonClass {
         this.sockopt = sockopt;
     }
 
+    addTcpMask(type = 'fragment') {
+        this.finalmask.tcp.push(new TcpMask(type));
+    }
+
+    delTcpMask(index) {
+        if (this.finalmask.tcp) {
+            this.finalmask.tcp.splice(index, 1);
+        }
+    }
+
     addUdpMask(type = 'salamander') {
         this.finalmask.udp.push(new UdpMask(type));
     }
@@ -1204,7 +1377,10 @@ class StreamSettings extends XrayCommonClass {
     }
 
     get hasFinalMask() {
-        return this.finalmask.udp && this.finalmask.udp.length > 0;
+        const hasTcp = this.finalmask.tcp && this.finalmask.tcp.length > 0;
+        const hasUdp = this.finalmask.udp && this.finalmask.udp.length > 0;
+        const hasQuicParams = this.finalmask.quicParams != null;
+        return hasTcp || hasUdp || hasQuicParams;
     }
 
     get isTls() {
diff --git a/web/assets/js/model/outbound.js b/web/assets/js/model/outbound.js
index aa90d20d..6be2ec1b 100644
--- a/web/assets/js/model/outbound.js
+++ b/web/assets/js/model/outbound.js
@@ -690,7 +690,8 @@ class UdpMask extends CommonClass {
             if (out.type === 'array') {
                 delete out.packet;
             } else {
-                out.rand = 0;
+                delete out.rand;
+                delete out.randRange;
             }
             return out;
         };
@@ -713,21 +714,158 @@ class UdpMask extends CommonClass {
     }
 }
 
-class FinalMaskStreamSettings extends CommonClass {
-    constructor(udp = []) {
+class TcpMask extends CommonClass {
+    constructor(type = 'fragment', settings = {}) {
         super();
-        this.udp = Array.isArray(udp) ? udp.map(u => new UdpMask(u.type, u.settings)) : [new UdpMask(udp.type, udp.settings)];
+        this.type = type;
+        this.settings = this._getDefaultSettings(type, settings);
+    }
+
+    _getDefaultSettings(type, settings = {}) {
+        switch (type) {
+            case 'fragment':
+                return {
+                    packets: settings.packets ?? 'tlshello',
+                    length: settings.length ?? '',
+                    delay: settings.delay ?? '',
+                    maxSplit: settings.maxSplit ?? '',
+                };
+            case 'sudoku':
+                return {
+                    password: settings.password ?? '',
+                    ascii: settings.ascii ?? '',
+                    customTable: settings.customTable ?? '',
+                    customTables: Array.isArray(settings.customTables) ? settings.customTables : [],
+                    paddingMin: settings.paddingMin ?? 0,
+                    paddingMax: settings.paddingMax ?? 0,
+                };
+            case 'header-custom':
+                return {
+                    clients: Array.isArray(settings.clients) ? settings.clients : [],
+                    servers: Array.isArray(settings.servers) ? settings.servers : [],
+                };
+            default:
+                return settings;
+        }
     }
 
     static fromJson(json = {}) {
-        return new FinalMaskStreamSettings(json.udp || []);
+        return new TcpMask(
+            json.type || 'fragment',
+            json.settings || {}
+        );
     }
 
     toJson() {
-        return {
-            udp: this.udp.map(udp => udp.toJson())
+        const cleanItem = item => {
+            const out = { ...item };
+            if (out.type === 'array') {
+                delete out.packet;
+            } else {
+                delete out.rand;
+                delete out.randRange;
+            }
+            return out;
         };
 
+        let settings = this.settings;
+        if (this.type === 'header-custom' && settings) {
+            const cleanGroup = group => Array.isArray(group) ? group.map(cleanItem) : group;
+            settings = {
+                ...settings,
+                clients: Array.isArray(settings.clients) ? settings.clients.map(cleanGroup) : settings.clients,
+                servers: Array.isArray(settings.servers) ? settings.servers.map(cleanGroup) : settings.servers,
+            };
+        }
+
+        return {
+            type: this.type,
+            settings: (settings && Object.keys(settings).length > 0) ? settings : undefined
+        };
+    }
+}
+
+class QuicParams extends CommonClass {
+    constructor(
+        congestion = 'bbr',
+        debug = false,
+        brutalUp = '',
+        brutalDown = '',
+        udpHop = undefined,
+    ) {
+        super();
+        this.congestion = congestion;
+        this.debug = debug;
+        this.brutalUp = brutalUp;
+        this.brutalDown = brutalDown;
+        this.udpHop = udpHop;
+    }
+
+    get hasUdpHop() {
+        return this.udpHop != null;
+    }
+
+    set hasUdpHop(value) {
+        this.udpHop = value ? (this.udpHop || { ports: '20000-50000', interval: '5-10' }) : undefined;
+    }
+
+    static fromJson(json = {}) {
+        if (!json || Object.keys(json).length === 0) return undefined;
+        return new QuicParams(
+            json.congestion,
+            json.debug,
+            json.brutalUp,
+            json.brutalDown,
+            json.udpHop ? { ports: json.udpHop.ports, interval: json.udpHop.interval } : undefined,
+        );
+    }
+
+    toJson() {
+        const result = { congestion: this.congestion };
+        if (this.debug) result.debug = this.debug;
+        if (this.brutalUp) result.brutalUp = this.brutalUp;
+        if (this.brutalDown) result.brutalDown = this.brutalDown;
+        if (this.udpHop) result.udpHop = { ports: this.udpHop.ports, interval: this.udpHop.interval };
+        return result;
+    }
+}
+
+class FinalMaskStreamSettings extends CommonClass {
+    constructor(tcp = [], udp = [], quicParams = undefined) {
+        super();
+        this.tcp = Array.isArray(tcp) ? tcp.map(t => t instanceof TcpMask ? t : new TcpMask(t.type, t.settings)) : [];
+        this.udp = Array.isArray(udp) ? udp.map(u => new UdpMask(u.type, u.settings)) : [new UdpMask(udp.type, udp.settings)];
+        this.quicParams = quicParams instanceof QuicParams ? quicParams : (quicParams ? QuicParams.fromJson(quicParams) : undefined);
+    }
+
+    get enableQuicParams() {
+        return this.quicParams != null;
+    }
+
+    set enableQuicParams(value) {
+        this.quicParams = value ? (this.quicParams || new QuicParams()) : undefined;
+    }
+
+    static fromJson(json = {}) {
+        return new FinalMaskStreamSettings(
+            json.tcp || [],
+            json.udp || [],
+            json.quicParams ? QuicParams.fromJson(json.quicParams) : undefined,
+        );
+    }
+
+    toJson() {
+        const result = {};
+        if (this.tcp && this.tcp.length > 0) {
+            result.tcp = this.tcp.map(t => t.toJson());
+        }
+        if (this.udp && this.udp.length > 0) {
+            result.udp = this.udp.map(udp => udp.toJson());
+        }
+        if (this.quicParams) {
+            result.quicParams = this.quicParams.toJson();
+        }
+        return result;
     }
 }
 
@@ -763,6 +901,16 @@ class StreamSettings extends CommonClass {
         this.sockopt = sockopt;
     }
 
+    addTcpMask(type = 'fragment') {
+        this.finalmask.tcp.push(new TcpMask(type));
+    }
+
+    delTcpMask(index) {
+        if (this.finalmask.tcp) {
+            this.finalmask.tcp.splice(index, 1);
+        }
+    }
+
     addUdpMask(type = 'salamander') {
         this.finalmask.udp.push(new UdpMask(type));
     }
@@ -774,7 +922,10 @@ class StreamSettings extends CommonClass {
     }
 
     get hasFinalMask() {
-        return this.finalmask.udp && this.finalmask.udp.length > 0;
+        const hasTcp = this.finalmask.tcp && this.finalmask.tcp.length > 0;
+        const hasUdp = this.finalmask.udp && this.finalmask.udp.length > 0;
+        const hasQuicParams = this.finalmask.quicParams != null;
+        return hasTcp || hasUdp || hasQuicParams;
     }
 
     get isTls() {
diff --git a/web/html/form/outbound.html b/web/html/form/outbound.html
index 81b488c7..4f584d5e 100644
--- a/web/html/form/outbound.html
+++ b/web/html/form/outbound.html
@@ -842,7 +842,7 @@
               :max="60"
             ></a-input-number>
           </a-form-item>
-          <a-form-item label="Disable Path MTU">
+          <a-form-item label="Disable Path MTU Dis">
             <a-switch
               v-model="outbound.stream.hysteria.disablePathMTUDiscovery"
             ></a-switch>
@@ -852,6 +852,176 @@
 
       <!-- finalmask settings -->
       <template v-if="outbound.canEnableStream()">
+        <!-- TCP Masks – for raw/tcp/httpupgrade/ws/grpc/xhttp -->
+        <a-form-item
+          label="TCP Masks"
+          v-if="['raw', 'tcp', 'httpupgrade', 'ws', 'grpc', 'xhttp'].includes(outbound.stream.network)"
+        >
+          <a-button
+            icon="plus"
+            type="primary"
+            size="small"
+            @click="outbound.stream.addTcpMask('fragment')"
+          ></a-button>
+        </a-form-item>
+        <template v-if="outbound.stream.finalmask.tcp && outbound.stream.finalmask.tcp.length > 0">
+          <a-form
+            v-for="(mask, index) in outbound.stream.finalmask.tcp"
+            :key="index"
+            :colon="false"
+            :label-col="{ md: {span:8} }"
+            :wrapper-col="{ md: {span:14} }"
+          >
+            <a-divider :style="{ margin: '0' }">
+              TCP Mask [[ index + 1 ]]
+              <a-icon
+                type="delete"
+                @click="() => outbound.stream.delTcpMask(index)"
+                :style="{ color: 'rgb(255, 77, 79)', cursor: 'pointer' }"
+              ></a-icon>
+            </a-divider>
+            <a-form-item label="Type">
+              <a-select
+                v-model="mask.type"
+                @change="(type) => { mask.settings = mask._getDefaultSettings(type, {}); }"
+                :dropdown-class-name="themeSwitcher.currentTheme"
+              >
+                <a-select-option value="fragment">Fragment</a-select-option>
+                <a-select-option value="header-custom">Header Custom</a-select-option>
+                <a-select-option value="sudoku">Sudoku</a-select-option>
+              </a-select>
+            </a-form-item>
+
+            <!-- Fragment -->
+            <template v-if="mask.type === 'fragment'">
+              <a-form-item label="Packets">
+                <a-select v-model="mask.settings.packets" :dropdown-class-name="themeSwitcher.currentTheme">
+                  <a-select-option value="tlshello">tlshello</a-select-option>
+                  <a-select-option value="1-3">1-3</a-select-option>
+                  <a-select-option value="1-5">1-5</a-select-option>
+                </a-select>
+              </a-form-item>
+              <a-form-item label="Length">
+                <a-input v-model.trim="mask.settings.length" placeholder="e.g. 100-200" />
+              </a-form-item>
+              <a-form-item label="Delay">
+                <a-input v-model.trim="mask.settings.delay" placeholder="e.g. 10-20" />
+              </a-form-item>
+              <a-form-item label="Max Split">
+                <a-input v-model.trim="mask.settings.maxSplit" placeholder="e.g. 3-6" />
+              </a-form-item>
+            </template>
+
+            <!-- Sudoku (TCP) -->
+            <template v-if="mask.type === 'sudoku'">
+              <a-form-item label="Password">
+                <a-input v-model.trim="mask.settings.password" placeholder="Obfuscation password" />
+              </a-form-item>
+              <a-form-item label="ASCII">
+                <a-input v-model.trim="mask.settings.ascii" placeholder="ASCII" />
+              </a-form-item>
+              <a-form-item label="Custom Table">
+                <a-input v-model.trim="mask.settings.customTable" placeholder="Custom Table" />
+              </a-form-item>
+              <a-form-item label="Custom Tables">
+                <a-input v-model.trim="mask.settings.customTables" placeholder="Custom Tables" />
+              </a-form-item>
+              <a-form-item label="Padding Min">
+                <a-input-number v-model.number="mask.settings.paddingMin" :min="0" />
+              </a-form-item>
+              <a-form-item label="Padding Max">
+                <a-input-number v-model.number="mask.settings.paddingMax" :min="0" />
+              </a-form-item>
+            </template>
+
+            <!-- Header Custom (TCP) – clients/servers are 2D arrays of groups -->
+            <template v-if="mask.type === 'header-custom'">
+              <!-- Clients -->
+              <a-form-item label="Clients">
+                <a-icon type="plus" @click="mask.settings.clients.push([{delay: 0, rand: 0, randRange: '0-255', type: 'array', packet: []}])" />
+              </a-form-item>
+              <template v-for="(group, gi) in mask.settings.clients" :key="'cg'+gi">
+                <a-divider :style="{ margin: '0' }">
+                  Clients Group [[ gi + 1 ]]
+                  <a-icon type="delete" @click="mask.settings.clients.splice(gi, 1)" :style="{ color: 'rgb(255, 77, 79)', cursor: 'pointer' }" />
+                  <a-icon type="plus" @click="group.push({delay: 0, rand: 0, randRange: '0-255', type: 'array', packet: []})" :style="{ marginLeft: '8px' }" />
+                </a-divider>
+                <template v-for="(item, ii) in group" :key="'ci'+ii">
+                  <a-divider :style="{ margin: '0', fontSize: '12px' }">
+                    Item [[ ii + 1 ]]
+                    <a-icon type="delete" @click="() => { group.splice(ii, 1); if(group.length === 0) mask.settings.clients.splice(gi, 1); }" :style="{ color: 'rgb(255, 77, 79)', cursor: 'pointer' }" />
+                  </a-divider>
+                  <a-form-item label='{{ i18n "pages.xray.outbound.type" }}'>
+                    <a-select v-model="item.type" :dropdown-class-name="themeSwitcher.currentTheme"
+                      @change="t => { if(t === 'array') { item.rand = 0; item.packet = []; } else { item.packet = ''; } }">
+                      <a-select-option value="array">Array</a-select-option>
+                      <a-select-option value="str">String</a-select-option>
+                      <a-select-option value="hex">Hex</a-select-option>
+                      <a-select-option value="base64">Base64</a-select-option>
+                    </a-select>
+                  </a-form-item>
+                  <a-form-item label="Delay (ms)">
+                    <a-input-number v-model.number="item.delay" :min="0" />
+                  </a-form-item>
+                  <template v-if="item.type === 'array'">
+                    <a-form-item label="Rand">
+                      <a-input-number v-model.number="item.rand" :min="0" />
+                    </a-form-item>
+                    <a-form-item label="Rand Range">
+                      <a-input v-model.trim="item.randRange" placeholder="0-255" />
+                    </a-form-item>
+                  </template>
+                  <a-form-item v-else label="Packet">
+                    <a-input v-model.trim="item.packet" placeholder="binary data" />
+                  </a-form-item>
+                </template>
+              </template>
+
+              <!-- Servers -->
+              <a-form-item label="Servers">
+                <a-icon type="plus" @click="mask.settings.servers.push([{delay: 0, rand: 0, randRange: '0-255', type: 'array', packet: []}])" />
+              </a-form-item>
+              <template v-for="(group, gi) in mask.settings.servers" :key="'sg'+gi">
+                <a-divider :style="{ margin: '0' }">
+                  Servers Group [[ gi + 1 ]]
+                  <a-icon type="delete" @click="mask.settings.servers.splice(gi, 1)" :style="{ color: 'rgb(255, 77, 79)', cursor: 'pointer' }" />
+                  <a-icon type="plus" @click="group.push({delay: 0, rand: 0, randRange: '0-255', type: 'array', packet: []})" :style="{ marginLeft: '8px' }" />
+                </a-divider>
+                <template v-for="(item, ii) in group" :key="'si'+ii">
+                  <a-divider :style="{ margin: '0', fontSize: '12px' }">
+                    Item [[ ii + 1 ]]
+                    <a-icon type="delete" @click="() => { group.splice(ii, 1); if(group.length === 0) mask.settings.servers.splice(gi, 1); }" :style="{ color: 'rgb(255, 77, 79)', cursor: 'pointer' }" />
+                  </a-divider>
+                  <a-form-item label='{{ i18n "pages.xray.outbound.type" }}'>
+                    <a-select v-model="item.type" :dropdown-class-name="themeSwitcher.currentTheme"
+                      @change="t => { if(t === 'array') { item.rand = 0; item.packet = []; } else { item.packet = ''; } }">
+                      <a-select-option value="array">Array</a-select-option>
+                      <a-select-option value="str">String</a-select-option>
+                      <a-select-option value="hex">Hex</a-select-option>
+                      <a-select-option value="base64">Base64</a-select-option>
+                    </a-select>
+                  </a-form-item>
+                  <a-form-item label="Delay (ms)">
+                    <a-input-number v-model.number="item.delay" :min="0" />
+                  </a-form-item>
+                  <template v-if="item.type === 'array'">
+                    <a-form-item label="Rand">
+                      <a-input-number v-model.number="item.rand" :min="0" />
+                    </a-form-item>
+                    <a-form-item label="Rand Range">
+                      <a-input v-model.trim="item.randRange" placeholder="0-255" />
+                    </a-form-item>
+                  </template>
+                <a-form-item label="Packet" v-else>
+                  <a-input v-model.trim="item.packet" placeholder="binary data" />
+                </a-form-item>
+                </template>
+              </template>
+            </template>
+
+          </a-form>
+        </template>
+
         <a-form-item
           label="UDP Masks"
           v-if="outbound.stream.network === 'kcp' || outbound.protocol === Protocols.Hysteria"
@@ -920,17 +1090,14 @@
                   >
                   <a-select-option value="xdns">xDNS</a-select-option>
                   <a-select-option value="xicmp">xICMP</a-select-option>
-                  <a-select-option value="header-custom"
-                    >Header Custom</a-select-option
-                  >
+                  <a-select-option value="header-custom">Header Custom</a-select-option>
                   <a-select-option value="noise">Noise</a-select-option>
-                  <a-select-option value="sudoku">Sudoku</a-select-option>
                 </template>
               </a-select>
             </a-form-item>
             <a-form-item
               label="Password"
-              v-if="['salamander', 'mkcp-aes128gcm', 'sudoku'].includes(mask.type)"
+              v-if="['salamander', 'mkcp-aes128gcm'].includes(mask.type)"
             >
               <a-input
                 v-model.trim="mask.settings.password"
@@ -954,129 +1121,6 @@
                 ></a-select>
               </a-form-item>
             </template>
-            <template v-if="mask.type === 'header-custom'">
-              <a-form-item label="Client">
-                <a-icon
-                  type="plus"
-                  type="primary"
-                  size="small"
-                  @click="mask.settings.client.push({rand: 0, randRange: '0-255', type: 'array', packet: []})"
-                />
-              </a-form-item>
-              <template v-for="(c, index) in mask.settings.client" :key="index">
-                <a-divider :style="{ margin: '0' }">
-                  Client [[ index + 1 ]]
-                  <a-icon
-                    type="delete"
-                    @click="() => mask.settings.client.splice(index, 1)"
-                    :style="{ color: 'rgb(255, 77, 79)', cursor: 'pointer' }"
-                  ></a-icon>
-                </a-divider>
-                <a-form-item label="Type">
-                  <a-select
-                    v-model="c.type"
-                    :dropdown-class-name="themeSwitcher.currentTheme"
-                    @change="t => { if(t === 'array') c.packet = []; else c.packet = ''; }"
-                  >
-                    <a-select-option value="array">Array</a-select-option>
-                    <a-select-option value="str">String</a-select-option>
-                    <a-select-option value="hex">Hex</a-select-option>
-                    <a-select-option value="base64">Base64</a-select-option>
-                  </a-select>
-                </a-form-item>
-                <template v-if="c.type === 'array'">
-                  <a-form-item label="Rand">
-                    <a-input-number
-                      v-model.number="c.rand"
-                      :min="0"
-                    ></a-input-number>
-                  </a-form-item>
-                  <a-form-item label="Rand Range">
-                    <a-input
-                      v-model.trim="c.randRange"
-                      placeholder="0-255"
-                    ></a-input>
-                  </a-form-item>
-                </template>
-                <a-form-item label="Packet" v-else>
-                  <a-input v-model.trim="c.packet" placeholder="binary data" />
-                </a-form-item>
-              </template>
-              <a-divider :style="{ margin: '0' }"></a-divider>
-              <a-form-item label="Server">
-                <a-icon
-                  type="plus"
-                  type="primary"
-                  size="small"
-                  @click="mask.settings.server.push({rand: 0, randRange: '0-255', type: 'array', packet: []})"
-                />
-              </a-form-item>
-              <template v-for="(s, index) in mask.settings.server" :key="index">
-                <a-divider :style="{ margin: '0' }">
-                  Server [[ index + 1 ]]
-                  <a-icon
-                    type="delete"
-                    @click="() => mask.settings.server.splice(index, 1)"
-                    :style="{ color: 'rgb(255, 77, 79)', cursor: 'pointer' }"
-                  ></a-icon>
-                </a-divider>
-                <a-form-item label="Type">
-                  <a-select
-                    v-model="s.type"
-                    :dropdown-class-name="themeSwitcher.currentTheme"
-                    @change="t => { if(t === 'array') s.packet = []; else s.packet = ''; }"
-                  >
-                    <a-select-option value="array">Array</a-select-option>
-                    <a-select-option value="str">String</a-select-option>
-                    <a-select-option value="hex">Hex</a-select-option>
-                    <a-select-option value="base64">Base64</a-select-option>
-                  </a-select>
-                </a-form-item>
-                <template v-if="s.type === 'array'">
-                  <a-form-item label="Rand">
-                    <a-input-number
-                      v-model.number="s.rand"
-                      :min="0"
-                    ></a-input-number>
-                  </a-form-item>
-                  <a-form-item label="Rand Range">
-                    <a-input
-                      v-model.trim="s.randRange"
-                      placeholder="0-255"
-                    ></a-input>
-                  </a-form-item>
-                </template>
-                <a-form-item label="Packet" v-else>
-                  <a-input v-model.trim="s.packet" placeholder="binary data" />
-                </a-form-item>
-              </template>
-            </template>
-            <template v-if="mask.type === 'sudoku'">
-              <a-form-item label="ASCII">
-                <a-input
-                  v-model.trim="mask.settings.ascii"
-                  placeholder="ASCII"
-                ></a-input>
-              </a-form-item>
-              <a-form-item label="Custom Table">
-                <a-input
-                  v-model.trim="mask.settings.customTable"
-                  placeholder="Custom Table"
-                ></a-input>
-              </a-form-item>
-              <a-form-item label="Custom Tables">
-                <a-input
-                  v-model.trim="mask.settings.customTables"
-                  placeholder="Custom Tables"
-                ></a-input>
-              </a-form-item>
-              <a-form-item label="Padding Min">
-                <a-input-number
-                  v-model.number="mask.settings.paddingMin"
-                  :min="0"
-                ></a-input-number>
-              </a-form-item>
-            </template>
             <template v-if="mask.type === 'noise'">
               <a-form-item label="Reset">
                 <a-input-number v-model.number="mask.settings.reset" :min="0" />
@@ -1129,6 +1173,89 @@
                 </a-form-item>
               </template>
             </template>
+            <template v-if="mask.type === 'header-custom'">
+              <a-form-item label="Client">
+                <a-icon
+                  type="plus"
+                  size="small"
+                  @click="mask.settings.client.push({rand: 0, randRange: '0-255', type: 'array', packet: []})"
+                />
+              </a-form-item>
+              <template v-for="(c, index) in mask.settings.client" :key="index">
+                <a-divider :style="{ margin: '0' }">
+                  Client [[ index + 1 ]]
+                  <a-icon
+                    type="delete"
+                    @click="mask.settings.client.splice(index, 1)"
+                    :style="{ color: 'rgb(255, 77, 79)', cursor: 'pointer' }"
+                  ></a-icon>
+                </a-divider>
+                <a-form-item label="Type">
+                  <a-select
+                    v-model="c.type"
+                    :dropdown-class-name="themeSwitcher.currentTheme"
+                    @change="t => { if(t === 'array') c.packet = []; else c.packet = ''; }"
+                  >
+                    <a-select-option value="array">Array</a-select-option>
+                    <a-select-option value="str">String</a-select-option>
+                    <a-select-option value="hex">Hex</a-select-option>
+                    <a-select-option value="base64">Base64</a-select-option>
+                  </a-select>
+                </a-form-item>
+                <template v-if="c.type === 'array'">
+                  <a-form-item label="Rand">
+                    <a-input-number v-model.number="c.rand" :min="0"></a-input-number>
+                  </a-form-item>
+                  <a-form-item label="Rand Range">
+                    <a-input v-model.trim="c.randRange" placeholder="0-255"></a-input>
+                  </a-form-item>
+                </template>
+                <a-form-item label="Packet" v-else>
+                  <a-input v-model.trim="c.packet" placeholder="binary data" />
+                </a-form-item>
+              </template>
+              <a-divider :style="{ margin: '0' }"></a-divider>
+              <a-form-item label="Server">
+                <a-icon
+                  type="plus"
+                  size="small"
+                  @click="mask.settings.server.push({rand: 0, randRange: '0-255', type: 'array', packet: []})"
+                />
+              </a-form-item>
+              <template v-for="(s, index) in mask.settings.server" :key="index">
+                <a-divider :style="{ margin: '0' }">
+                  Server [[ index + 1 ]]
+                  <a-icon
+                    type="delete"
+                    @click="mask.settings.server.splice(index, 1)"
+                    :style="{ color: 'rgb(255, 77, 79)', cursor: 'pointer' }"
+                  ></a-icon>
+                </a-divider>
+                <a-form-item label="Type">
+                  <a-select
+                    v-model="s.type"
+                    :dropdown-class-name="themeSwitcher.currentTheme"
+                    @change="t => { if(t === 'array') s.packet = []; else s.packet = ''; }"
+                  >
+                    <a-select-option value="array">Array</a-select-option>
+                    <a-select-option value="str">String</a-select-option>
+                    <a-select-option value="hex">Hex</a-select-option>
+                    <a-select-option value="base64">Base64</a-select-option>
+                  </a-select>
+                </a-form-item>
+                <template v-if="s.type === 'array'">
+                  <a-form-item label="Rand">
+                    <a-input-number v-model.number="s.rand" :min="0"></a-input-number>
+                  </a-form-item>
+                  <a-form-item label="Rand Range">
+                    <a-input v-model.trim="s.randRange" placeholder="0-255"></a-input>
+                  </a-form-item>
+                </template>
+                <a-form-item label="Packet" v-else>
+                  <a-input v-model.trim="s.packet" placeholder="binary data" />
+                </a-form-item>
+              </template>
+            </template>
             <template v-if="mask.type === 'xicmp'">
               <a-form-item label="IP">
                 <a-input
@@ -1145,6 +1272,72 @@
             </template>
           </a-form>
         </template>
+
+        <!-- quicParams – only for xhttp H3 and hysteria -->
+        <template v-if="outbound.stream.network === 'xhttp' || outbound.protocol === Protocols.Hysteria">
+          <a-form-item label="QUIC Params">
+            <a-switch v-model="outbound.stream.finalmask.enableQuicParams"></a-switch>
+          </a-form-item>
+          <template v-if="outbound.stream.finalmask.enableQuicParams">
+            <a-form-item label="Congestion">
+              <a-select
+                v-model="outbound.stream.finalmask.quicParams.congestion"
+                :dropdown-class-name="themeSwitcher.currentTheme"
+              >
+                <a-select-option value="reno">Reno</a-select-option>
+                <a-select-option value="bbr">BBR</a-select-option>
+                <a-select-option value="brutal">Brutal</a-select-option>
+                <a-select-option value="force-brutal">Force Brutal</a-select-option>
+              </a-select>
+            </a-form-item>
+            <a-form-item label="Debug">
+              <a-switch v-model="outbound.stream.finalmask.quicParams.debug"></a-switch>
+            </a-form-item>
+            <template v-if="['brutal','force-brutal'].includes(outbound.stream.finalmask.quicParams.congestion)">
+              <a-form-item label="Brutal Up">
+                <a-input v-model.trim="outbound.stream.finalmask.quicParams.brutalUp" placeholder="e.g. 60 mbps" />
+              </a-form-item>
+              <a-form-item label="Brutal Down">
+                <a-input v-model.trim="outbound.stream.finalmask.quicParams.brutalDown" placeholder="e.g. 60 mbps" />
+              </a-form-item>
+            </template>
+            <a-form-item label="UDP Hop">
+              <a-switch v-model="outbound.stream.finalmask.quicParams.hasUdpHop"></a-switch>
+            </a-form-item>
+            <template v-if="outbound.stream.finalmask.quicParams.hasUdpHop">
+              <a-form-item label="Hop Ports">
+                <a-input v-model.trim="outbound.stream.finalmask.quicParams.udpHop.ports" placeholder="e.g. 20000-50000" />
+              </a-form-item>
+              <a-form-item label="Hop Interval (s)">
+                <a-input-number v-model.number="outbound.stream.finalmask.quicParams.udpHop.interval" :min="5" />
+              </a-form-item>
+            </template>
+            <a-form-item label="Max Idle Timeout (s)">
+              <a-input-number v-model.number="outbound.stream.finalmask.quicParams.maxIdleTimeout" :min="4" :max="120" />
+            </a-form-item>
+            <a-form-item label="Keep Alive Period (s)">
+              <a-input-number v-model.number="outbound.stream.finalmask.quicParams.keepAlivePeriod" :min="0" :max="60" />
+            </a-form-item>
+            <a-form-item label="Disable Path MTU Dis">
+              <a-switch v-model="outbound.stream.finalmask.quicParams.disablePathMTUDiscovery"></a-switch>
+            </a-form-item>
+            <a-form-item label="Max Incoming Streams">
+              <a-input-number v-model.number="outbound.stream.finalmask.quicParams.maxIncomingStreams" :min="0" placeholder="0 = default" />
+            </a-form-item>
+            <a-form-item label="Init Stream Window">
+              <a-input-number v-model.number="outbound.stream.finalmask.quicParams.initStreamReceiveWindow" :min="0" placeholder="0 = default" />
+            </a-form-item>
+            <a-form-item label="Max Stream Window">
+              <a-input-number v-model.number="outbound.stream.finalmask.quicParams.maxStreamReceiveWindow" :min="0" placeholder="0 = default" />
+            </a-form-item>
+            <a-form-item label="Init Conn Window">
+              <a-input-number v-model.number="outbound.stream.finalmask.quicParams.initConnectionReceiveWindow" :min="0" placeholder="0 = default" />
+            </a-form-item>
+            <a-form-item label="Max Conn Window">
+              <a-input-number v-model.number="outbound.stream.finalmask.quicParams.maxConnectionReceiveWindow" :min="0" placeholder="0 = default" />
+            </a-form-item>
+          </template>
+        </template>
       </template>
 
       <!-- tls settings -->
diff --git a/web/html/form/stream/stream_finalmask.html b/web/html/form/stream/stream_finalmask.html
index f0ec87cf..1a8a052d 100644
--- a/web/html/form/stream/stream_finalmask.html
+++ b/web/html/form/stream/stream_finalmask.html
@@ -3,9 +3,192 @@
   :colon="false"
   :label-col="{ md: {span:8} }"
   :wrapper-col="{ md: {span:14} }"
-  v-if="inbound.protocol == Protocols.HYSTERIA || inbound.stream.network == 'kcp'"
+  v-if="inbound.protocol == Protocols.HYSTERIA || ['kcp', 'xhttp', 'raw', 'tcp', 'httpupgrade', 'ws', 'grpc'].includes(inbound.stream.network)"
 >
   <a-divider :style="{ margin: '5px 0 0' }"></a-divider>
+
+  <!-- TCP Masks – for raw/tcp/httpupgrade/ws/grpc/xhttp -->
+  <template v-if="['raw', 'tcp', 'httpupgrade', 'ws', 'grpc', 'xhttp'].includes(inbound.stream.network)">
+  <a-form-item label="TCP Masks">
+    <a-button
+      icon="plus"
+      type="primary"
+      size="small"
+      @click="inbound.stream.addTcpMask('fragment')"
+    ></a-button>
+  </a-form-item>
+  <template v-if="inbound.stream.finalmask.tcp && inbound.stream.finalmask.tcp.length > 0">
+    <a-form
+      v-for="(mask, index) in inbound.stream.finalmask.tcp"
+      :key="index"
+      :colon="false"
+      :label-col="{ md: {span:8} }"
+      :wrapper-col="{ md: {span:14} }"
+    >
+      <a-divider :style="{ margin: '0' }">
+        TCP Mask [[ index + 1 ]]
+        <a-icon
+          type="delete"
+          @click="() => inbound.stream.delTcpMask(index)"
+          :style="{ color: 'rgb(255, 77, 79)', cursor: 'pointer' }"
+        ></a-icon>
+      </a-divider>
+      <a-form-item label='{{ i18n "pages.xray.outbound.type" }}'>
+        <a-select
+          v-model="mask.type"
+          @change="(type) => { mask.settings = mask._getDefaultSettings(type, {}); }"
+          :dropdown-class-name="themeSwitcher.currentTheme"
+        >
+          <a-select-option value="fragment">Fragment</a-select-option>
+          <a-select-option value="header-custom">Header Custom</a-select-option>
+          <a-select-option value="sudoku">Sudoku</a-select-option>
+        </a-select>
+      </a-form-item>
+
+      <!-- Fragment settings -->
+      <template v-if="mask.type === 'fragment'">
+        <a-form-item label="Packets">
+          <a-select
+            v-model="mask.settings.packets"
+            :dropdown-class-name="themeSwitcher.currentTheme"
+          >
+            <a-select-option value="tlshello">tlshello</a-select-option>
+            <a-select-option value="1-3">1-3</a-select-option>
+            <a-select-option value="1-5">1-5</a-select-option>
+          </a-select>
+        </a-form-item>
+        <a-form-item label="Length">
+          <a-input v-model.trim="mask.settings.length" placeholder="e.g. 100-200" />
+        </a-form-item>
+        <a-form-item label="Delay">
+          <a-input v-model.trim="mask.settings.delay" placeholder="e.g. 10-20" />
+        </a-form-item>
+        <a-form-item label="Max Split">
+          <a-input v-model.trim="mask.settings.maxSplit" placeholder="e.g. 3-6" />
+        </a-form-item>
+      </template>
+
+      <!-- Sudoku settings (TCP) -->
+      <template v-if="mask.type === 'sudoku'">
+        <a-form-item label="Password">
+          <a-input v-model.trim="mask.settings.password" placeholder="Obfuscation password" />
+        </a-form-item>
+        <a-form-item label="ASCII">
+          <a-input v-model.trim="mask.settings.ascii" placeholder="ASCII" />
+        </a-form-item>
+        <a-form-item label="Custom Table">
+          <a-input v-model.trim="mask.settings.customTable" placeholder="Custom Table" />
+        </a-form-item>
+        <a-form-item label="Custom Tables">
+          <a-input v-model.trim="mask.settings.customTables" placeholder="Custom Tables" />
+        </a-form-item>
+        <a-form-item label="Padding Min">
+          <a-input-number v-model.number="mask.settings.paddingMin" :min="0" />
+        </a-form-item>
+        <a-form-item label="Padding Max">
+          <a-input-number v-model.number="mask.settings.paddingMax" :min="0" />
+        </a-form-item>
+      </template>
+
+      <!-- Header Custom (TCP) – clients/servers/errors are 2D arrays of groups -->
+      <template v-if="mask.type === 'header-custom'">
+        <!-- Clients -->
+        <a-form-item label="Clients">
+          <a-icon type="plus" @click="mask.settings.clients.push([{delay: 0, rand: 0, randRange: '0-255', type: 'array', packet: []}])" />
+        </a-form-item>
+        <template v-for="(group, gi) in mask.settings.clients" :key="'cg'+gi">
+          <a-divider :style="{ margin: '0' }">
+            Clients Group [[ gi + 1 ]]
+            <a-icon type="delete" @click="mask.settings.clients.splice(gi, 1)" :style="{ color: 'rgb(255, 77, 79)', cursor: 'pointer' }" />
+            <a-icon type="plus" @click="group.push({delay: 0, rand: 0, randRange: '0-255', type: 'array', packet: []})" :style="{ marginLeft: '8px' }" />
+          </a-divider>
+          <template v-for="(item, ii) in group" :key="'ci'+ii">
+            <a-divider :style="{ margin: '0', fontSize: '12px' }">
+              Item [[ ii + 1 ]]
+              <a-icon type="delete" @click="() => { group.splice(ii, 1); if(group.length === 0) mask.settings.clients.splice(gi, 1); }" :style="{ color: 'rgb(255, 77, 79)', cursor: 'pointer' }" />
+            </a-divider>
+            <a-form-item label='{{ i18n "pages.xray.outbound.type" }}'>
+              <a-select v-model="item.type" :dropdown-class-name="themeSwitcher.currentTheme"
+                @change="t => { if(t === 'base64') item.packet = RandomUtil.randomBase64(); else if(t === 'array') { item.rand = 0; item.packet = []; } else { item.packet = ''; } }">
+                <a-select-option value="array">Array</a-select-option>
+                <a-select-option value="str">String</a-select-option>
+                <a-select-option value="hex">Hex</a-select-option>
+                <a-select-option value="base64">Base64</a-select-option>
+              </a-select>
+            </a-form-item>
+            <a-form-item label="Delay (ms)">
+              <a-input-number v-model.number="item.delay" :min="0" />
+            </a-form-item>
+            <template v-if="item.type === 'array'">
+              <a-form-item label="Rand">
+                <a-input-number v-model.number="item.rand" :min="0" />
+              </a-form-item>
+              <a-form-item label="Rand Range">
+                <a-input v-model.trim="item.randRange" placeholder="0-255" />
+              </a-form-item>
+            </template>
+            <a-form-item v-else label="Packet">
+              <a-input-group compact v-if="item.type === 'base64'">
+                <a-input v-model.trim="item.packet" placeholder="binary data" :style="{ width: 'calc(100% - 32px)' }" />
+                <a-button icon="reload" @click="item.packet = RandomUtil.randomBase64()" />
+              </a-input-group>
+              <a-input v-else v-model.trim="item.packet" placeholder="binary data" />
+            </a-form-item>
+          </template>
+        </template>
+
+        <!-- Servers -->
+        <a-form-item label="Servers">
+          <a-icon type="plus" @click="mask.settings.servers.push([{delay: 0, rand: 0, randRange: '0-255', type: 'array', packet: []}])" />
+        </a-form-item>
+        <template v-for="(group, gi) in mask.settings.servers" :key="'sg'+gi">
+          <a-divider :style="{ margin: '0' }">
+            Servers Group [[ gi + 1 ]]
+            <a-icon type="delete" @click="mask.settings.servers.splice(gi, 1)" :style="{ color: 'rgb(255, 77, 79)', cursor: 'pointer' }" />
+            <a-icon type="plus" @click="group.push({delay: 0, rand: 0, randRange: '0-255', type: 'array', packet: []})" :style="{ marginLeft: '8px' }" />
+          </a-divider>
+          <template v-for="(item, ii) in group" :key="'si'+ii">
+            <a-divider :style="{ margin: '0', fontSize: '12px' }">
+              Item [[ ii + 1 ]]
+              <a-icon type="delete" @click="() => { group.splice(ii, 1); if(group.length === 0) mask.settings.servers.splice(gi, 1); }" :style="{ color: 'rgb(255, 77, 79)', cursor: 'pointer' }" />
+            </a-divider>
+
+            <a-form-item label='{{ i18n "pages.xray.outbound.type" }}'>
+              <a-select v-model="item.type" :dropdown-class-name="themeSwitcher.currentTheme"
+                @change="t => { if(t === 'base64') item.packet = RandomUtil.randomBase64(); else if(t === 'array') { item.rand = 0; item.packet = []; } else { item.packet = ''; } }">
+                <a-select-option value="array">Array</a-select-option>
+                <a-select-option value="str">String</a-select-option>
+                <a-select-option value="hex">Hex</a-select-option>
+                <a-select-option value="base64">Base64</a-select-option>
+              </a-select>
+            </a-form-item>
+            <a-form-item label="Delay (ms)">
+              <a-input-number v-model.number="item.delay" :min="0" />
+            </a-form-item>
+            <template v-if="item.type === 'array'">
+              <a-form-item label="Rand">
+                <a-input-number v-model.number="item.rand" :min="0" />
+              </a-form-item>
+              <a-form-item label="Rand Range">
+                <a-input v-model.trim="item.randRange" placeholder="0-255" />
+              </a-form-item>
+            </template>
+            <a-form-item v-else label="Packet">
+              <a-input-group compact v-if="item.type === 'base64'">
+                <a-input v-model.trim="item.packet" placeholder="binary data" :style="{ width: 'calc(100% - 32px)' }" />
+                <a-button icon="reload" @click="item.packet = RandomUtil.randomBase64()" />
+              </a-input-group>
+              <a-input v-else v-model.trim="item.packet" placeholder="binary data" />
+            </a-form-item>
+          </template>
+        </template>
+      </template>
+
+    </a-form>
+  </template>
+  </template>
+
+  <template v-if="inbound.protocol == Protocols.HYSTERIA || inbound.stream.network == 'kcp'">
   <a-form-item label="UDP Masks">
     <a-button
       icon="plus"
@@ -64,17 +247,14 @@
             >
             <a-select-option value="xdns">xDNS</a-select-option>
             <a-select-option value="xicmp">xICMP</a-select-option>
-            <a-select-option value="header-custom"
-              >Header Custom</a-select-option
-            >
+            <a-select-option value="header-custom">Header Custom</a-select-option>
             <a-select-option value="noise">Noise</a-select-option>
-            <a-select-option value="sudoku">Sudoku</a-select-option>
           </template>
         </a-select>
       </a-form-item>
       <a-form-item
         label="Password"
-        v-if="['mkcp-aes128gcm', 'salamander', 'sudoku'].includes(mask.type)"
+        v-if="['mkcp-aes128gcm', 'salamander'].includes(mask.type)"
       >
         <a-input
           v-model.trim="mask.settings.password"
@@ -98,99 +278,6 @@
           ></a-select>
         </a-form-item>
       </template>
-      <template v-if="mask.type === 'header-custom'">
-        <a-form-item label="Client">
-          <a-icon
-            type="plus"
-            type="primary"
-            size="small"
-            @click="mask.settings.client.push({rand: 0, randRange: '0-255', type: 'array', packet: []})"
-          />
-        </a-form-item>
-        <template v-for="(c, index) in mask.settings.client" :key="index">
-          <a-divider :style="{ margin: '0' }">
-            Client [[ index + 1 ]]
-            <a-icon
-              type="delete"
-              @click="() => mask.settings.client.splice(index, 1)"
-              :style="{ color: 'rgb(255, 77, 79)', cursor: 'pointer' }"
-            ></a-icon>
-          </a-divider>
-          <a-form-item label='{{ i18n "pages.xray.outbound.type" }}'>
-            <a-select
-              v-model="c.type"
-              :dropdown-class-name="themeSwitcher.currentTheme"
-              @change="t => { if(t === 'base64') c.packet = RandomUtil.randomBase64(); else if(t === 'array') c.packet = []; else c.packet = ''; }"
-            >
-              <a-select-option value="array">Array</a-select-option>
-              <a-select-option value="str">String</a-select-option>
-              <a-select-option value="hex">Hex</a-select-option>
-              <a-select-option value="base64">Base64</a-select-option>
-            </a-select>
-          </a-form-item>
-          <template v-if="c.type === 'array'">
-            <a-form-item label="Rand">
-              <a-input-number v-model.number="c.rand" />
-            </a-form-item>
-            <a-form-item label="Rand Range">
-              <a-input v-model.trim="c.randRange" placeholder="0-255" />
-            </a-form-item>
-          </template>
-          <a-form-item v-else label="Packet">
-            <a-input-group compact v-if="c.type === 'base64'">
-              <a-input v-model.trim="c.packet" placeholder="binary data" :style="{ width: 'calc(100% - 32px)' }" />
-              <a-button icon="reload" @click="c.packet = RandomUtil.randomBase64()" />
-            </a-input-group>
-            <a-input v-else v-model.trim="c.packet" placeholder="binary data" />
-          </a-form-item>
-        </template>
-        <a-divider :style="{ margin: '0' }"></a-divider>
-        <a-form-item label="Server">
-          <a-icon
-            type="plus"
-            type="primary"
-            size="small"
-            @click="mask.settings.server.push({rand: 0, randRange: '0-255', type: 'array', packet: []})"
-          />
-        </a-form-item>
-        <template v-for="(s, index) in mask.settings.server" :key="index">
-          <a-divider :style="{ margin: '0' }">
-            Server [[ index + 1 ]]
-            <a-icon
-              type="delete"
-              @click="() => mask.settings.server.splice(index, 1)"
-              :style="{ color: 'rgb(255, 77, 79)', cursor: 'pointer' }"
-            ></a-icon>
-          </a-divider>
-          <a-form-item label='{{ i18n "pages.xray.outbound.type" }}'>
-            <a-select
-              v-model="s.type"
-              :dropdown-class-name="themeSwitcher.currentTheme"
-              @change="t => { if(t === 'base64') s.packet = RandomUtil.randomBase64(); else if(t === 'array') s.packet = []; else s.packet = ''; }"
-            >
-              <a-select-option value="array">Array</a-select-option>
-              <a-select-option value="str">String</a-select-option>
-              <a-select-option value="hex">Hex</a-select-option>
-              <a-select-option value="base64">Base64</a-select-option>
-            </a-select>
-          </a-form-item>
-          <template v-if="s.type === 'array'">
-            <a-form-item label="Rand">
-              <a-input-number v-model.number="s.rand" />
-            </a-form-item>
-            <a-form-item label="Rand Range">
-              <a-input v-model.trim="s.randRange" placeholder="0-255" />
-            </a-form-item>
-          </template>
-          <a-form-item v-else label="Packet">
-            <a-input-group compact v-if="s.type === 'base64'">
-              <a-input v-model.trim="s.packet" placeholder="binary data" :style="{ width: 'calc(100% - 32px)' }" />
-              <a-button icon="reload" @click="s.packet = RandomUtil.randomBase64()" />
-            </a-input-group>
-            <a-input v-else v-model.trim="s.packet" placeholder="binary data" />
-          </a-form-item>
-        </template>
-      </template>
       <template v-if="mask.type === 'noise'">
         <a-form-item label="Reset">
           <a-input-number v-model.number="mask.settings.reset" :min="0" />
@@ -244,28 +331,96 @@
           </a-form-item>
         </template>
       </template>
-      <template v-if="mask.type === 'sudoku'">
-        <a-form-item label="ASCII">
-          <a-input v-model.trim="mask.settings.ascii" placeholder="ASCII" />
-        </a-form-item>
-        <a-form-item label="Custom Table">
-          <a-input
-            v-model.trim="mask.settings.customTable"
-            placeholder="Custom Table"
+      <template v-if="mask.type === 'header-custom'">
+        <a-form-item label="Client">
+          <a-icon
+            type="plus"
+            size="small"
+            @click="mask.settings.client.push({rand: 0, randRange: '0-255', type: 'array', packet: []})"
           />
         </a-form-item>
-        <a-form-item label="Custom Tables">
-          <a-input
-            v-model.trim="mask.settings.customTables"
-            placeholder="Custom Tables"
+        <template v-for="(c, index) in mask.settings.client" :key="index">
+          <a-divider :style="{ margin: '0' }">
+            Client [[ index + 1 ]]
+            <a-icon
+              type="delete"
+              @click="mask.settings.client.splice(index, 1)"
+              :style="{ color: 'rgb(255, 77, 79)', cursor: 'pointer' }"
+            ></a-icon>
+          </a-divider>
+          <a-form-item label='{{ i18n "pages.xray.outbound.type" }}'>
+            <a-select
+              v-model="c.type"
+              :dropdown-class-name="themeSwitcher.currentTheme"
+              @change="t => { if(t === 'base64') c.packet = RandomUtil.randomBase64(); else if(t === 'array') c.packet = []; else c.packet = ''; }"
+            >
+              <a-select-option value="array">Array</a-select-option>
+              <a-select-option value="str">String</a-select-option>
+              <a-select-option value="hex">Hex</a-select-option>
+              <a-select-option value="base64">Base64</a-select-option>
+            </a-select>
+          </a-form-item>
+          <template v-if="c.type === 'array'">
+            <a-form-item label="Rand">
+              <a-input-number v-model.number="c.rand" />
+            </a-form-item>
+            <a-form-item label="Rand Range">
+              <a-input v-model.trim="c.randRange" placeholder="0-255" />
+            </a-form-item>
+          </template>
+          <a-form-item v-else label="Packet">
+            <a-input-group compact v-if="c.type === 'base64'">
+              <a-input v-model.trim="c.packet" placeholder="binary data" :style="{ width: 'calc(100% - 32px)' }" />
+              <a-button icon="reload" @click="c.packet = RandomUtil.randomBase64()" />
+            </a-input-group>
+            <a-input v-else v-model.trim="c.packet" placeholder="binary data" />
+          </a-form-item>
+        </template>
+        <a-divider :style="{ margin: '0' }"></a-divider>
+        <a-form-item label="Server">
+          <a-icon
+            type="plus"
+            size="small"
+            @click="mask.settings.server.push({rand: 0, randRange: '0-255', type: 'array', packet: []})"
           />
         </a-form-item>
-        <a-form-item label="Padding Min">
-          <a-input-number v-model.number="mask.settings.paddingMin" :min="0" />
-        </a-form-item>
-        <a-form-item label="Padding Max">
-          <a-input-number v-model.number="mask.settings.paddingMax" :min="0" />
-        </a-form-item>
+        <template v-for="(s, index) in mask.settings.server" :key="index">
+          <a-divider :style="{ margin: '0' }">
+            Server [[ index + 1 ]]
+            <a-icon
+              type="delete"
+              @click="mask.settings.server.splice(index, 1)"
+              :style="{ color: 'rgb(255, 77, 79)', cursor: 'pointer' }"
+            ></a-icon>
+          </a-divider>
+          <a-form-item label='{{ i18n "pages.xray.outbound.type" }}'>
+            <a-select
+              v-model="s.type"
+              :dropdown-class-name="themeSwitcher.currentTheme"
+              @change="t => { if(t === 'base64') s.packet = RandomUtil.randomBase64(); else if(t === 'array') s.packet = []; else s.packet = ''; }"
+            >
+              <a-select-option value="array">Array</a-select-option>
+              <a-select-option value="str">String</a-select-option>
+              <a-select-option value="hex">Hex</a-select-option>
+              <a-select-option value="base64">Base64</a-select-option>
+            </a-select>
+          </a-form-item>
+          <template v-if="s.type === 'array'">
+            <a-form-item label="Rand">
+              <a-input-number v-model.number="s.rand" />
+            </a-form-item>
+            <a-form-item label="Rand Range">
+              <a-input v-model.trim="s.randRange" placeholder="0-255" />
+            </a-form-item>
+          </template>
+          <a-form-item v-else label="Packet">
+            <a-input-group compact v-if="s.type === 'base64'">
+              <a-input v-model.trim="s.packet" placeholder="binary data" :style="{ width: 'calc(100% - 32px)' }" />
+              <a-button icon="reload" @click="s.packet = RandomUtil.randomBase64()" />
+            </a-input-group>
+            <a-input v-else v-model.trim="s.packet" placeholder="binary data" />
+          </a-form-item>
+        </template>
       </template>
       <template v-if="mask.type === 'xicmp'">
         <a-form-item label="IP">
@@ -277,5 +432,72 @@
       </template>
     </a-form>
   </template>
+  </template>
+
+  <!-- quicParams – only for xhttp H3 and hysteria -->
+  <template v-if="inbound.protocol == Protocols.HYSTERIA || inbound.stream.network == 'xhttp'">
+    <a-form-item label="QUIC Params">
+      <a-switch v-model="inbound.stream.finalmask.enableQuicParams"></a-switch>
+    </a-form-item>
+    <template v-if="inbound.stream.finalmask.enableQuicParams">
+      <a-form-item label="Congestion">
+        <a-select
+          v-model="inbound.stream.finalmask.quicParams.congestion"
+          :dropdown-class-name="themeSwitcher.currentTheme"
+        >
+          <a-select-option value="reno">Reno</a-select-option>
+          <a-select-option value="bbr">BBR</a-select-option>
+          <a-select-option value="brutal">Brutal</a-select-option>
+          <a-select-option value="force-brutal">Force Brutal</a-select-option>
+        </a-select>
+      </a-form-item>
+      <a-form-item label="Debug">
+        <a-switch v-model="inbound.stream.finalmask.quicParams.debug"></a-switch>
+      </a-form-item>
+      <template v-if="['brutal','force-brutal'].includes(inbound.stream.finalmask.quicParams.congestion)">
+        <a-form-item label="Brutal Up">
+          <a-input v-model.trim="inbound.stream.finalmask.quicParams.brutalUp" placeholder="e.g. 60 mbps" />
+        </a-form-item>
+        <a-form-item label="Brutal Down">
+          <a-input v-model.trim="inbound.stream.finalmask.quicParams.brutalDown" placeholder="e.g. 60 mbps" />
+        </a-form-item>
+      </template>
+      <a-form-item label="UDP Hop">
+        <a-switch v-model="inbound.stream.finalmask.quicParams.hasUdpHop"></a-switch>
+      </a-form-item>
+      <template v-if="inbound.stream.finalmask.quicParams.hasUdpHop">
+        <a-form-item label="Hop Ports">
+          <a-input v-model.trim="inbound.stream.finalmask.quicParams.udpHop.ports" placeholder="e.g. 20000-50000" />
+        </a-form-item>
+        <a-form-item label="Hop Interval (s)">
+          <a-input-number v-model.number="inbound.stream.finalmask.quicParams.udpHop.interval" :min="5" />
+        </a-form-item>
+      </template>
+      <a-form-item label="Max Idle Timeout (s)">
+        <a-input-number v-model.number="inbound.stream.finalmask.quicParams.maxIdleTimeout" :min="4" :max="120" />
+      </a-form-item>
+      <a-form-item label="Keep Alive Period (s)">
+        <a-input-number v-model.number="inbound.stream.finalmask.quicParams.keepAlivePeriod" :min="0" :max="60" />
+      </a-form-item>
+      <a-form-item label="Disable Path MTU Dis">
+        <a-switch v-model="inbound.stream.finalmask.quicParams.disablePathMTUDiscovery"></a-switch>
+      </a-form-item>
+      <a-form-item label="Max Incoming Streams">
+        <a-input-number v-model.number="inbound.stream.finalmask.quicParams.maxIncomingStreams" :min="0" placeholder="0 = default" />
+      </a-form-item>
+      <a-form-item label="Init Stream Window">
+        <a-input-number v-model.number="inbound.stream.finalmask.quicParams.initStreamReceiveWindow" :min="0" placeholder="0 = default" />
+      </a-form-item>
+      <a-form-item label="Max Stream Window">
+        <a-input-number v-model.number="inbound.stream.finalmask.quicParams.maxStreamReceiveWindow" :min="0" placeholder="0 = default" />
+      </a-form-item>
+      <a-form-item label="Init Conn Window">
+        <a-input-number v-model.number="inbound.stream.finalmask.quicParams.initConnectionReceiveWindow" :min="0" placeholder="0 = default" />
+      </a-form-item>
+      <a-form-item label="Max Conn Window">
+        <a-input-number v-model.number="inbound.stream.finalmask.quicParams.maxConnectionReceiveWindow" :min="0" placeholder="0 = default" />
+      </a-form-item>
+    </template>
+  </template>
 </a-form>
 {{end}}

From b56db67759744ff3db3bf96b86e1d3c0fc5ef799 Mon Sep 17 00:00:00 2001
From: MHSanaei <ho3ein.sanaei@gmail.com>
Date: Mon, 27 Apr 2026 14:11:28 +0200
Subject: [PATCH 12/17] fix: handle Init error in GetXrayTraffic to prevent nil
 pointer panic

#3969
---
 web/service/xray.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/web/service/xray.go b/web/service/xray.go
index ab440ac2..958d36d2 100644
--- a/web/service/xray.go
+++ b/web/service/xray.go
@@ -206,7 +206,10 @@ func (s *XrayService) GetXrayTraffic() ([]*xray.Traffic, []*xray.ClientTraffic,
 		return nil, nil, err
 	}
 	apiPort := p.GetAPIPort()
-	s.xrayAPI.Init(apiPort)
+	if err := s.xrayAPI.Init(apiPort); err != nil {
+		logger.Debug("Failed to initialize Xray API:", err)
+		return nil, nil, err
+	}
 	defer s.xrayAPI.Close()
 
 	traffic, clientTraffic, err := s.xrayAPI.GetTraffic(true)

From 03393c9f527b62c124ea72120a62c92f3d269d30 Mon Sep 17 00:00:00 2001
From: MHSanaei <ho3ein.sanaei@gmail.com>
Date: Mon, 27 Apr 2026 15:02:43 +0200
Subject: [PATCH 13/17] Minor changes

---
 sub/subService.go                          |  8 ++-
 web/html/form/outbound.html                | 56 ++++++++++++---------
 web/html/form/stream/stream_finalmask.html | 57 +++++++++++++---------
 3 files changed, 72 insertions(+), 49 deletions(-)

diff --git a/sub/subService.go b/sub/subService.go
index 1ab55039..19ca21d9 100644
--- a/sub/subService.go
+++ b/sub/subService.go
@@ -1027,14 +1027,18 @@ type kcpShareFields struct {
 }
 
 func (f kcpShareFields) applyToParams(params map[string]string) {
-	params["headerType"] = f.headerType
+	if f.headerType != "" && f.headerType != "none" {
+		params["headerType"] = f.headerType
+	}
 	setStringParam(params, "seed", f.seed)
 	setIntParam(params, "mtu", f.mtu)
 	setIntParam(params, "tti", f.tti)
 }
 
 func (f kcpShareFields) applyToObj(obj map[string]any) {
-	obj["type"] = f.headerType
+	if f.headerType != "" && f.headerType != "none" {
+		obj["type"] = f.headerType
+	}
 	setStringField(obj, "path", f.seed)
 	setIntField(obj, "mtu", f.mtu)
 	setIntField(obj, "tti", f.tti)
diff --git a/web/html/form/outbound.html b/web/html/form/outbound.html
index 4f584d5e..a425f3d4 100644
--- a/web/html/form/outbound.html
+++ b/web/html/form/outbound.html
@@ -938,19 +938,23 @@
             <template v-if="mask.type === 'header-custom'">
               <!-- Clients -->
               <a-form-item label="Clients">
-                <a-icon type="plus" @click="mask.settings.clients.push([{delay: 0, rand: 0, randRange: '0-255', type: 'array', packet: []}])" />
+                <a-button
+                  icon="plus"
+                  type="primary"
+                  size="small"
+                  @click="mask.settings.clients.push([{delay: 0, rand: 0, randRange: '0-255', type: 'array', packet: []}])"
+                ></a-button>
               </a-form-item>
               <template v-for="(group, gi) in mask.settings.clients" :key="'cg'+gi">
                 <a-divider :style="{ margin: '0' }">
                   Clients Group [[ gi + 1 ]]
-                  <a-icon type="delete" @click="mask.settings.clients.splice(gi, 1)" :style="{ color: 'rgb(255, 77, 79)', cursor: 'pointer' }" />
-                  <a-icon type="plus" @click="group.push({delay: 0, rand: 0, randRange: '0-255', type: 'array', packet: []})" :style="{ marginLeft: '8px' }" />
+                  <a-icon
+                    type="delete"
+                    @click="mask.settings.clients.splice(gi, 1)"
+                    :style="{ color: 'rgb(255, 77, 79)', cursor: 'pointer', marginLeft: '8px' }"
+                  ></a-icon>
                 </a-divider>
                 <template v-for="(item, ii) in group" :key="'ci'+ii">
-                  <a-divider :style="{ margin: '0', fontSize: '12px' }">
-                    Item [[ ii + 1 ]]
-                    <a-icon type="delete" @click="() => { group.splice(ii, 1); if(group.length === 0) mask.settings.clients.splice(gi, 1); }" :style="{ color: 'rgb(255, 77, 79)', cursor: 'pointer' }" />
-                  </a-divider>
                   <a-form-item label='{{ i18n "pages.xray.outbound.type" }}'>
                     <a-select v-model="item.type" :dropdown-class-name="themeSwitcher.currentTheme"
                       @change="t => { if(t === 'array') { item.rand = 0; item.packet = []; } else { item.packet = ''; } }">
@@ -979,19 +983,23 @@
 
               <!-- Servers -->
               <a-form-item label="Servers">
-                <a-icon type="plus" @click="mask.settings.servers.push([{delay: 0, rand: 0, randRange: '0-255', type: 'array', packet: []}])" />
+                <a-button
+                  icon="plus"
+                  type="primary"
+                  size="small"
+                  @click="mask.settings.servers.push([{delay: 0, rand: 0, randRange: '0-255', type: 'array', packet: []}])"
+                ></a-button>
               </a-form-item>
               <template v-for="(group, gi) in mask.settings.servers" :key="'sg'+gi">
                 <a-divider :style="{ margin: '0' }">
                   Servers Group [[ gi + 1 ]]
-                  <a-icon type="delete" @click="mask.settings.servers.splice(gi, 1)" :style="{ color: 'rgb(255, 77, 79)', cursor: 'pointer' }" />
-                  <a-icon type="plus" @click="group.push({delay: 0, rand: 0, randRange: '0-255', type: 'array', packet: []})" :style="{ marginLeft: '8px' }" />
+                  <a-icon
+                    type="delete"
+                    @click="mask.settings.servers.splice(gi, 1)"
+                    :style="{ color: 'rgb(255, 77, 79)', cursor: 'pointer', marginLeft: '8px' }"
+                  ></a-icon>
                 </a-divider>
                 <template v-for="(item, ii) in group" :key="'si'+ii">
-                  <a-divider :style="{ margin: '0', fontSize: '12px' }">
-                    Item [[ ii + 1 ]]
-                    <a-icon type="delete" @click="() => { group.splice(ii, 1); if(group.length === 0) mask.settings.servers.splice(gi, 1); }" :style="{ color: 'rgb(255, 77, 79)', cursor: 'pointer' }" />
-                  </a-divider>
                   <a-form-item label='{{ i18n "pages.xray.outbound.type" }}'>
                     <a-select v-model="item.type" :dropdown-class-name="themeSwitcher.currentTheme"
                       @change="t => { if(t === 'array') { item.rand = 0; item.packet = []; } else { item.packet = ''; } }">
@@ -1126,12 +1134,12 @@
                 <a-input-number v-model.number="mask.settings.reset" :min="0" />
               </a-form-item>
               <a-form-item label="Noise">
-                <a-icon
-                  type="plus"
+                <a-button
+                  icon="plus"
                   type="primary"
                   size="small"
                   @click="mask.settings.noise.push({rand: 0, randRange: '0-255', type: 'array', packet: [], delay: ''})"
-                />
+                ></a-button>
               </a-form-item>
               <template v-for="(n, index) in mask.settings.noise" :key="index">
                 <a-divider :style="{ margin: '0' }">
@@ -1175,11 +1183,12 @@
             </template>
             <template v-if="mask.type === 'header-custom'">
               <a-form-item label="Client">
-                <a-icon
-                  type="plus"
+                <a-button
+                  icon="plus"
+                  type="primary"
                   size="small"
                   @click="mask.settings.client.push({rand: 0, randRange: '0-255', type: 'array', packet: []})"
-                />
+                ></a-button>
               </a-form-item>
               <template v-for="(c, index) in mask.settings.client" :key="index">
                 <a-divider :style="{ margin: '0' }">
@@ -1216,11 +1225,12 @@
               </template>
               <a-divider :style="{ margin: '0' }"></a-divider>
               <a-form-item label="Server">
-                <a-icon
-                  type="plus"
+                <a-button
+                  icon="plus"
+                  type="primary"
                   size="small"
                   @click="mask.settings.server.push({rand: 0, randRange: '0-255', type: 'array', packet: []})"
-                />
+                ></a-button>
               </a-form-item>
               <template v-for="(s, index) in mask.settings.server" :key="index">
                 <a-divider :style="{ margin: '0' }">
diff --git a/web/html/form/stream/stream_finalmask.html b/web/html/form/stream/stream_finalmask.html
index 1a8a052d..9fc8e3c9 100644
--- a/web/html/form/stream/stream_finalmask.html
+++ b/web/html/form/stream/stream_finalmask.html
@@ -94,19 +94,23 @@
       <template v-if="mask.type === 'header-custom'">
         <!-- Clients -->
         <a-form-item label="Clients">
-          <a-icon type="plus" @click="mask.settings.clients.push([{delay: 0, rand: 0, randRange: '0-255', type: 'array', packet: []}])" />
+          <a-button
+            icon="plus"
+            type="primary"
+            size="small"
+            @click="mask.settings.clients.push([{delay: 0, rand: 0, randRange: '0-255', type: 'array', packet: []}])"
+          ></a-button>
         </a-form-item>
         <template v-for="(group, gi) in mask.settings.clients" :key="'cg'+gi">
           <a-divider :style="{ margin: '0' }">
             Clients Group [[ gi + 1 ]]
-            <a-icon type="delete" @click="mask.settings.clients.splice(gi, 1)" :style="{ color: 'rgb(255, 77, 79)', cursor: 'pointer' }" />
-            <a-icon type="plus" @click="group.push({delay: 0, rand: 0, randRange: '0-255', type: 'array', packet: []})" :style="{ marginLeft: '8px' }" />
+            <a-icon
+              type="delete"
+              @click="mask.settings.clients.splice(gi, 1)"
+              :style="{ color: 'rgb(255, 77, 79)', cursor: 'pointer', marginLeft: '8px' }"
+            ></a-icon>
           </a-divider>
           <template v-for="(item, ii) in group" :key="'ci'+ii">
-            <a-divider :style="{ margin: '0', fontSize: '12px' }">
-              Item [[ ii + 1 ]]
-              <a-icon type="delete" @click="() => { group.splice(ii, 1); if(group.length === 0) mask.settings.clients.splice(gi, 1); }" :style="{ color: 'rgb(255, 77, 79)', cursor: 'pointer' }" />
-            </a-divider>
             <a-form-item label='{{ i18n "pages.xray.outbound.type" }}'>
               <a-select v-model="item.type" :dropdown-class-name="themeSwitcher.currentTheme"
                 @change="t => { if(t === 'base64') item.packet = RandomUtil.randomBase64(); else if(t === 'array') { item.rand = 0; item.packet = []; } else { item.packet = ''; } }">
@@ -139,20 +143,23 @@
 
         <!-- Servers -->
         <a-form-item label="Servers">
-          <a-icon type="plus" @click="mask.settings.servers.push([{delay: 0, rand: 0, randRange: '0-255', type: 'array', packet: []}])" />
+          <a-button
+            icon="plus"
+            type="primary"
+            size="small"
+            @click="mask.settings.servers.push([{delay: 0, rand: 0, randRange: '0-255', type: 'array', packet: []}])"
+          ></a-button>
         </a-form-item>
         <template v-for="(group, gi) in mask.settings.servers" :key="'sg'+gi">
           <a-divider :style="{ margin: '0' }">
             Servers Group [[ gi + 1 ]]
-            <a-icon type="delete" @click="mask.settings.servers.splice(gi, 1)" :style="{ color: 'rgb(255, 77, 79)', cursor: 'pointer' }" />
-            <a-icon type="plus" @click="group.push({delay: 0, rand: 0, randRange: '0-255', type: 'array', packet: []})" :style="{ marginLeft: '8px' }" />
+            <a-icon
+              type="delete"
+              @click="mask.settings.servers.splice(gi, 1)"
+              :style="{ color: 'rgb(255, 77, 79)', cursor: 'pointer', marginLeft: '8px' }"
+            ></a-icon>
           </a-divider>
           <template v-for="(item, ii) in group" :key="'si'+ii">
-            <a-divider :style="{ margin: '0', fontSize: '12px' }">
-              Item [[ ii + 1 ]]
-              <a-icon type="delete" @click="() => { group.splice(ii, 1); if(group.length === 0) mask.settings.servers.splice(gi, 1); }" :style="{ color: 'rgb(255, 77, 79)', cursor: 'pointer' }" />
-            </a-divider>
-
             <a-form-item label='{{ i18n "pages.xray.outbound.type" }}'>
               <a-select v-model="item.type" :dropdown-class-name="themeSwitcher.currentTheme"
                 @change="t => { if(t === 'base64') item.packet = RandomUtil.randomBase64(); else if(t === 'array') { item.rand = 0; item.packet = []; } else { item.packet = ''; } }">
@@ -283,12 +290,12 @@
           <a-input-number v-model.number="mask.settings.reset" :min="0" />
         </a-form-item>
         <a-form-item label="Noise">
-          <a-icon
-            type="plus"
+          <a-button
+            icon="plus"
             type="primary"
             size="small"
             @click="mask.settings.noise.push({rand: '1-8192', randRange: '0-255', type: 'array', packet: [], delay: '10-20'})"
-          />
+          ></a-button>
         </a-form-item>
         <template v-for="(n, index) in mask.settings.noise" :key="index">
           <a-divider :style="{ margin: '0' }">
@@ -333,11 +340,12 @@
       </template>
       <template v-if="mask.type === 'header-custom'">
         <a-form-item label="Client">
-          <a-icon
-            type="plus"
+          <a-button
+            icon="plus"
+            type="primary"
             size="small"
             @click="mask.settings.client.push({rand: 0, randRange: '0-255', type: 'array', packet: []})"
-          />
+          ></a-button>
         </a-form-item>
         <template v-for="(c, index) in mask.settings.client" :key="index">
           <a-divider :style="{ margin: '0' }">
@@ -378,11 +386,12 @@
         </template>
         <a-divider :style="{ margin: '0' }"></a-divider>
         <a-form-item label="Server">
-          <a-icon
-            type="plus"
+          <a-button
+            icon="plus"
+            type="primary"
             size="small"
             @click="mask.settings.server.push({rand: 0, randRange: '0-255', type: 'array', packet: []})"
-          />
+          ></a-button>
         </a-form-item>
         <template v-for="(s, index) in mask.settings.server" :key="index">
           <a-divider :style="{ margin: '0' }">

From 0b5c239f98fd112df10ed4846377563a391ebf60 Mon Sep 17 00:00:00 2001
From: MHSanaei <ho3ein.sanaei@gmail.com>
Date: Mon, 27 Apr 2026 15:31:32 +0200
Subject: [PATCH 14/17] v2.9.3

---
 config/version                 |  2 +-
 main.go                        | 20 ++++++++++++++------
 web/assets/js/model/inbound.js |  6 +++---
 3 files changed, 18 insertions(+), 10 deletions(-)

diff --git a/config/version b/config/version
index 391e9856..eafef0d4 100644
--- a/config/version
+++ b/config/version
@@ -1 +1 @@
-2.9.2
\ No newline at end of file
+2.9.3
\ No newline at end of file
diff --git a/main.go b/main.go
index f8d3357b..20724169 100644
--- a/main.go
+++ b/main.go
@@ -130,20 +130,22 @@ func runWebServer() {
 }
 
 // resetSetting resets all panel settings to their default values.
-func resetSetting() {
+func resetSetting() error {
 	err := database.InitDB(config.GetDBPath())
 	if err != nil {
 		fmt.Println("Failed to initialize database:", err)
-		return
+		return err
 	}
 
 	settingService := service.SettingService{}
 	err = settingService.ResetSettings()
 	if err != nil {
 		fmt.Println("Failed to reset settings:", err)
+		return err
 	} else {
 		fmt.Println("Settings successfully reset.")
 	}
+	return nil
 }
 
 // showSetting displays the current panel settings if show is true.
@@ -255,11 +257,11 @@ func updateTgbotSetting(tgBotToken string, tgBotChatid string, tgBotRuntime stri
 }
 
 // updateSetting updates various panel settings including port, credentials, base path, listen IP, and two-factor authentication.
-func updateSetting(port int, username string, password string, webBasePath string, listenIP string, resetTwoFactor bool) {
+func updateSetting(port int, username string, password string, webBasePath string, listenIP string, resetTwoFactor bool) error {
 	err := database.InitDB(config.GetDBPath())
 	if err != nil {
 		fmt.Println("Database initialization failed:", err)
-		return
+		return err
 	}
 
 	settingService := service.SettingService{}
@@ -311,6 +313,8 @@ func updateSetting(port int, username string, password string, webBasePath strin
 			fmt.Printf("listen %v set successfully", listenIP)
 		}
 	}
+
+	return nil
 }
 
 // updateCert updates the SSL certificate files for the panel.
@@ -481,9 +485,13 @@ func main() {
 			return
 		}
 		if reset {
-			resetSetting()
+			if err = resetSetting(); err != nil {
+				return
+			}
 		} else {
-			updateSetting(port, username, password, webBasePath, listenIP, resetTwoFactor)
+			if err = updateSetting(port, username, password, webBasePath, listenIP, resetTwoFactor); err != nil {
+				return
+			}
 		}
 		if show {
 			showSetting(show)
diff --git a/web/assets/js/model/inbound.js b/web/assets/js/model/inbound.js
index e002ac91..f695d251 100644
--- a/web/assets/js/model/inbound.js
+++ b/web/assets/js/model/inbound.js
@@ -3,12 +3,12 @@ const Protocols = {
     VLESS: 'vless',
     TROJAN: 'trojan',
     SHADOWSOCKS: 'shadowsocks',
-    TUNNEL: 'tunnel',
+    WIREGUARD: 'wireguard',
+    HYSTERIA: 'hysteria',
     MIXED: 'mixed',
     HTTP: 'http',
-    WIREGUARD: 'wireguard',
+    TUNNEL: 'tunnel',
     TUN: 'tun',
-    HYSTERIA: 'hysteria',
 };
 
 const SSMethods = {

From 22de983752fb4cc10bd16b756c4ccaab239e2e3b Mon Sep 17 00:00:00 2001
From: pwnnex <pwnnex@proton.me>
Date: Tue, 28 Apr 2026 18:49:39 +0300
Subject: [PATCH 15/17] xray-setting: pin api routing rule to index 0 on save
 (#4124)

when the admin adds a custom outbound (eg vless cascade to a second
server) and a routing rule sending all inbound traffic to it, that
catch-all gets evaluated before the existing api->api rule, so the
panel's internal stats inbound's traffic ends up on the cascade
outbound. the grpc stats query then can't see anything, GetTraffic
returns no inbound/user counters, and every client appears offline
with zero traffic even though the actual proxy path works fine.

before save, find the api rule and move it to the front of
routing.rules. if it's missing entirely, insert a default. other
rules keep their relative order.

closes #4113. probably also fixes the long-standing #2818 where the
documented workaround was "manually move the api rule to the top".
---
 web/service/xray_setting.go      | 120 +++++++++++++++++++++++++++++++
 web/service/xray_setting_test.go | 115 +++++++++++++++++++++++++++++
 2 files changed, 235 insertions(+)

diff --git a/web/service/xray_setting.go b/web/service/xray_setting.go
index 4c3892e4..da77404a 100644
--- a/web/service/xray_setting.go
+++ b/web/service/xray_setting.go
@@ -24,6 +24,9 @@ func (s *XraySettingService) SaveXraySetting(newXraySettings string) error {
 	if err := s.CheckXrayConfig(newXraySettings); err != nil {
 		return err
 	}
+	if hoisted, err := EnsureStatsRouting(newXraySettings); err == nil {
+		newXraySettings = hoisted
+	}
 	return s.SettingService.saveSetting("xrayTemplateConfig", newXraySettings)
 }
 
@@ -83,3 +86,120 @@ func UnwrapXrayTemplateConfig(raw string) string {
 	}
 	return raw
 }
+
+// EnsureStatsRouting hoists the `api -> api` routing rule to the front
+// of routing.rules so the stats query path is never starved by a
+// catch-all rule the admin may have added or reordered above it.
+//
+// Why this matters (#4113, #2818): an admin who adds a cascade outbound
+// (e.g. vless to another server) and a routing rule sending all inbound
+// traffic to it ends up sending the internal stats inbound's traffic to
+// that cascade too, since rules are evaluated top-to-bottom and the
+// catch-all matches first. The panel's gRPC stats query then can't reach
+// the running xray instance, GetTraffic returns nothing, and every
+// client appears offline with zero traffic even though the actual proxy
+// path works fine.
+//
+// The api inbound is special-cased internal infrastructure for the
+// panel, not something the admin should ever route to a real outbound.
+// Keeping its rule pinned at index 0 is the only correct configuration.
+//
+// If the api rule is already at index 0 the input is returned unchanged.
+// If it exists somewhere else it is moved. If it is missing entirely a
+// default rule (`type=field, inboundTag=[api], outboundTag=api`) is
+// inserted at the front. Other routing entries keep their relative order.
+func EnsureStatsRouting(raw string) (string, error) {
+	var cfg map[string]json.RawMessage
+	if err := json.Unmarshal([]byte(raw), &cfg); err != nil {
+		return raw, err
+	}
+
+	var routing map[string]json.RawMessage
+	if r, ok := cfg["routing"]; ok && len(r) > 0 {
+		if err := json.Unmarshal(r, &routing); err != nil {
+			return raw, err
+		}
+	}
+	if routing == nil {
+		routing = make(map[string]json.RawMessage)
+	}
+
+	var rules []map[string]any
+	if r, ok := routing["rules"]; ok && len(r) > 0 {
+		if err := json.Unmarshal(r, &rules); err != nil {
+			return raw, err
+		}
+	}
+
+	apiIdx := findApiRule(rules)
+	if apiIdx == 0 {
+		return raw, nil // already correct, don't churn the JSON
+	}
+
+	var apiRule map[string]any
+	if apiIdx > 0 {
+		apiRule = rules[apiIdx]
+		rules = append(rules[:apiIdx], rules[apiIdx+1:]...)
+	} else {
+		apiRule = map[string]any{
+			"type":        "field",
+			"inboundTag":  []string{"api"},
+			"outboundTag": "api",
+		}
+	}
+	rules = append([]map[string]any{apiRule}, rules...)
+
+	rulesJSON, err := json.Marshal(rules)
+	if err != nil {
+		return raw, err
+	}
+	routing["rules"] = rulesJSON
+
+	routingJSON, err := json.Marshal(routing)
+	if err != nil {
+		return raw, err
+	}
+	cfg["routing"] = routingJSON
+
+	out, err := json.Marshal(cfg)
+	if err != nil {
+		return raw, err
+	}
+	return string(out), nil
+}
+
+// findApiRule returns the index of the routing rule that targets the
+// internal api inbound (inboundTag contains "api" and outboundTag is
+// "api"), or -1 if no such rule exists.
+func findApiRule(rules []map[string]any) int {
+	for i, rule := range rules {
+		if outTag, _ := rule["outboundTag"].(string); outTag != "api" {
+			continue
+		}
+		raw, ok := rule["inboundTag"]
+		if !ok {
+			continue
+		}
+		// inboundTag is usually []string but can come as []any from a
+		// roundtrip through map[string]any. Accept both shapes.
+		switch tags := raw.(type) {
+		case []any:
+			for _, t := range tags {
+				if s, ok := t.(string); ok && s == "api" {
+					return i
+				}
+			}
+		case []string:
+			for _, s := range tags {
+				if s == "api" {
+					return i
+				}
+			}
+		case string:
+			if tags == "api" {
+				return i
+			}
+		}
+	}
+	return -1
+}
diff --git a/web/service/xray_setting_test.go b/web/service/xray_setting_test.go
index 2c165576..22b00ce3 100644
--- a/web/service/xray_setting_test.go
+++ b/web/service/xray_setting_test.go
@@ -88,3 +88,118 @@ func equalJSON(t *testing.T, a, b string) bool {
 	jb, _ := json.Marshal(vb)
 	return string(ja) == string(jb)
 }
+
+// firstRuleOutbound parses the (post-hoisted) config and returns
+// routing.rules[0].outboundTag, or "" if anything is missing.
+func firstRuleOutbound(t *testing.T, raw string) string {
+	t.Helper()
+	var cfg map[string]any
+	if err := json.Unmarshal([]byte(raw), &cfg); err != nil {
+		t.Fatalf("unmarshal cfg: %v", err)
+	}
+	routing, _ := cfg["routing"].(map[string]any)
+	rules, _ := routing["rules"].([]any)
+	if len(rules) == 0 {
+		return ""
+	}
+	first, _ := rules[0].(map[string]any)
+	tag, _ := first["outboundTag"].(string)
+	return tag
+}
+
+func TestEnsureStatsRouting_HoistsApiRuleFromMiddle(t *testing.T) {
+	// #4113 repro shape: admin added a cascade outbound and put a
+	// catch-all routing rule above the api rule. stats query path
+	// gets starved by the catch-all unless we hoist the api rule.
+	in := `{
+		"routing": {
+			"rules": [
+				{"type":"field","inboundTag":["inbound-vless"],"outboundTag":"vless-cascade"},
+				{"type":"field","inboundTag":["api"],"outboundTag":"api"},
+				{"type":"field","outboundTag":"blocked","ip":["geoip:private"]}
+			]
+		}
+	}`
+	out, err := EnsureStatsRouting(in)
+	if err != nil {
+		t.Fatalf("unexpected err: %v", err)
+	}
+	if got := firstRuleOutbound(t, out); got != "api" {
+		t.Fatalf("api rule should be at index 0 after hoist, got first outboundTag = %q\nfull: %s", got, out)
+	}
+}
+
+func TestEnsureStatsRouting_NoOpWhenAlreadyFirst(t *testing.T) {
+	// Don't churn the JSON when nothing needs fixing — same string in,
+	// same string out. Lets the diff in the panel UI stay quiet for
+	// well-formed configs.
+	in := `{"routing":{"rules":[{"type":"field","inboundTag":["api"],"outboundTag":"api"},{"type":"field","outboundTag":"blocked","ip":["geoip:private"]}]}}`
+	out, err := EnsureStatsRouting(in)
+	if err != nil {
+		t.Fatalf("unexpected err: %v", err)
+	}
+	if out != in {
+		t.Fatalf("expected unchanged input, got: %s", out)
+	}
+}
+
+func TestEnsureStatsRouting_InsertsDefaultWhenMissing(t *testing.T) {
+	// Some admins delete the api rule by accident. Re-add a default
+	// at the front so stats keep working after the next save.
+	in := `{"routing":{"rules":[{"type":"field","outboundTag":"vless-cascade","inboundTag":["inbound-vless"]}]}}`
+	out, err := EnsureStatsRouting(in)
+	if err != nil {
+		t.Fatalf("unexpected err: %v", err)
+	}
+	if got := firstRuleOutbound(t, out); got != "api" {
+		t.Fatalf("default api rule should be inserted at index 0, got %q\nfull: %s", got, out)
+	}
+	// The original rule should still be there, just shifted.
+	var cfg map[string]any
+	json.Unmarshal([]byte(out), &cfg)
+	rules := cfg["routing"].(map[string]any)["rules"].([]any)
+	if len(rules) != 2 {
+		t.Fatalf("expected 2 rules after insert, got %d: %v", len(rules), rules)
+	}
+}
+
+func TestEnsureStatsRouting_NoRoutingBlock(t *testing.T) {
+	// Pathological but possible: empty config or one without a routing
+	// section. Don't crash, and create the section with the api rule.
+	in := `{"log":{}}`
+	out, err := EnsureStatsRouting(in)
+	if err != nil {
+		t.Fatalf("unexpected err: %v", err)
+	}
+	if got := firstRuleOutbound(t, out); got != "api" {
+		t.Fatalf("api rule should be created when routing was missing, got %q\nfull: %s", got, out)
+	}
+}
+
+func TestEnsureStatsRouting_InvalidJsonReturnsAsIs(t *testing.T) {
+	// SaveXraySetting calls CheckXrayConfig before this helper, so
+	// invalid JSON shouldn't reach us in practice — but be defensive
+	// about garbage in (return same garbage out plus an error) so the
+	// caller can choose to skip the hoist instead of corrupting input.
+	in := "definitely not json"
+	out, err := EnsureStatsRouting(in)
+	if err == nil {
+		t.Fatalf("expected error for invalid json, got none")
+	}
+	if out != in {
+		t.Fatalf("expected raw passthrough on error, got %q", out)
+	}
+}
+
+func TestEnsureStatsRouting_AcceptsInboundTagAsString(t *testing.T) {
+	// Some manually-edited configs use a single string instead of an
+	// array for inboundTag. Make sure we still recognize the api rule.
+	in := `{"routing":{"rules":[{"type":"field","inboundTag":["other"],"outboundTag":"vless-cascade"},{"type":"field","inboundTag":"api","outboundTag":"api"}]}}`
+	out, err := EnsureStatsRouting(in)
+	if err != nil {
+		t.Fatalf("unexpected err: %v", err)
+	}
+	if got := firstRuleOutbound(t, out); got != "api" {
+		t.Fatalf("api rule with string-form inboundTag should hoist to front, got %q\nfull: %s", got, out)
+	}
+}

From f21ed9229695ed1cbcc86d65b52d98cfc9116f5a Mon Sep 17 00:00:00 2001
From: "Farhad H. P. Shirvan" <9374298+farhadh@users.noreply.github.com>
Date: Tue, 28 Apr 2026 18:46:55 +0200
Subject: [PATCH 16/17] feat: add panel update functionality via web GUI
 (#4117)

* feat: add panel update functionality via web GUI

* feat: enhance panel update notifications in web GUI

* feat: implement panel update modal and enhance translation strings

* fix design
---
 web/controller/server.go             |  19 +++
 web/html/index.html                  | 113 +++++++++++++++--
 web/service/panel.go                 | 174 +++++++++++++++++++++++++++
 web/service/panel_other.go           |   7 ++
 web/service/panel_test.go            |  41 +++++++
 web/service/panel_unix.go            |  12 ++
 web/translation/translate.en_US.toml |  11 ++
 7 files changed, 367 insertions(+), 10 deletions(-)
 create mode 100644 web/service/panel_other.go
 create mode 100644 web/service/panel_test.go
 create mode 100644 web/service/panel_unix.go

diff --git a/web/controller/server.go b/web/controller/server.go
index d32209e1..188e987a 100644
--- a/web/controller/server.go
+++ b/web/controller/server.go
@@ -22,6 +22,7 @@ type ServerController struct {
 
 	serverService  service.ServerService
 	settingService service.SettingService
+	panelService   service.PanelService
 
 	lastStatus *service.Status
 
@@ -43,6 +44,7 @@ func (a *ServerController) initRouter(g *gin.RouterGroup) {
 	g.GET("/status", a.status)
 	g.GET("/cpuHistory/:bucket", a.getCpuHistoryBucket)
 	g.GET("/getXrayVersion", a.getXrayVersion)
+	g.GET("/getPanelUpdateInfo", a.getPanelUpdateInfo)
 	g.GET("/getConfigJson", a.getConfigJson)
 	g.GET("/getDb", a.getDb)
 	g.GET("/getNewUUID", a.getNewUUID)
@@ -54,6 +56,7 @@ func (a *ServerController) initRouter(g *gin.RouterGroup) {
 	g.POST("/stopXrayService", a.stopXrayService)
 	g.POST("/restartXrayService", a.restartXrayService)
 	g.POST("/installXray/:version", a.installXray)
+	g.POST("/updatePanel", a.updatePanel)
 	g.POST("/updateGeofile", a.updateGeofile)
 	g.POST("/updateGeofile/:fileName", a.updateGeofile)
 	g.POST("/logs/:count", a.getLogs)
@@ -131,6 +134,16 @@ func (a *ServerController) getXrayVersion(c *gin.Context) {
 	jsonObj(c, versions, nil)
 }
 
+// getPanelUpdateInfo retrieves the current and latest panel version.
+func (a *ServerController) getPanelUpdateInfo(c *gin.Context) {
+	info, err := a.panelService.GetUpdateInfo()
+	if err != nil {
+		jsonMsg(c, I18nWeb(c, "pages.index.panelUpdateCheckPopover"), err)
+		return
+	}
+	jsonObj(c, info, nil)
+}
+
 // installXray installs or updates Xray to the specified version.
 func (a *ServerController) installXray(c *gin.Context) {
 	version := c.Param("version")
@@ -138,6 +151,12 @@ func (a *ServerController) installXray(c *gin.Context) {
 	jsonMsg(c, I18nWeb(c, "pages.index.xraySwitchVersionPopover"), err)
 }
 
+// updatePanel starts a panel self-update to the latest release.
+func (a *ServerController) updatePanel(c *gin.Context) {
+	err := a.panelService.StartUpdate()
+	jsonMsg(c, I18nWeb(c, "pages.index.panelUpdateStartedPopover"), err)
+}
+
 // updateGeofile updates the specified geo file for Xray.
 func (a *ServerController) updateGeofile(c *gin.Context) {
 	fileName := c.Param("fileName")
diff --git a/web/html/index.html b/web/html/index.html
index 0a36b9cb..62e9453b 100644
--- a/web/html/index.html
+++ b/web/html/index.html
@@ -139,7 +139,7 @@
                       <a-icon type="reload"></a-icon>
                       <span v-if="!isMobile">{{ i18n "pages.index.restartXray" }}</span>
                     </a-space>
-                    <a-space direction="horizontal" @click="openSelectV2rayVersion" class="jc-center">
+                    <a-space direction="horizontal" @click="openSelectV2rayVersion()" class="jc-center">
                       <a-icon type="tool"></a-icon>
                       <span v-if="!isMobile">
                         [[ status.xray.version != 'Unknown' ? `v${status.xray.version}` : '{{ i18n
@@ -169,6 +169,14 @@
               </a-col>
               <a-col :sm="24" :lg="12">
                 <a-card title='3X-UI' hoverable>
+                  <template v-if="panelUpdateModal.info.updateAvailable" #extra>
+                    <a-tooltip :overlay-class-name="themeSwitcher.currentTheme" :title='`{{ i18n "pages.index.updatePanel" }}: ${panelUpdateModal.info.latestVersion}`'>
+                      <a-tag color="orange" style="cursor:pointer;margin:0" @click="openPanelUpdate">
+                        <a-icon type="cloud-download"></a-icon>[[ panelUpdateModal.info.latestVersion ]]
+                      <span v-if="!isMobile">{{ i18n "pages.index.updatePanel" }}</span>
+                      </a-tag>
+                    </a-tooltip>
+                  </template>
                   <a rel="noopener" href="https://github.com/MHSanaei/3x-ui/releases" target="_blank">
                     <a-tag color="green">
                       <span>v{{ .cur_ver }}</span>
@@ -317,9 +325,36 @@
       </a-spin>
     </a-layout-content>
   </a-layout>
-  <a-modal id="version-modal" v-model="versionModal.visible" title='{{ i18n "pages.index.xraySwitch" }}'
+  <a-modal id="panel-update-modal" v-model="panelUpdateModal.visible" title='{{ i18n "pages.index.updatePanel" }}'
+    :closable="true" @ok="() => panelUpdateModal.visible = false" :class="themeSwitcher.currentTheme" footer="">
+    <a-alert type="warning" class="mb-12 w-100" message='{{ i18n "pages.index.panelUpdateDesc" }}'
+      show-icon></a-alert>
+    <a-list class="ant-version-list w-100" bordered>
+      <a-list-item class="ant-version-list-item">
+        <span>{{ i18n "pages.index.currentPanelVersion" }}</span>
+        <a-tag color="green">v[[ panelUpdateModal.info.currentVersion || '{{ .cur_ver }}' ]]</a-tag>
+      </a-list-item>
+      <a-list-item class="ant-version-list-item" v-if="panelUpdateModal.info.updateAvailable">
+        <span>{{ i18n "pages.index.latestPanelVersion" }}</span>
+        <a-tag color="purple">
+          [[ panelUpdateModal.info.latestVersion || '-' ]]
+        </a-tag>
+      </a-list-item>
+      <a-list-item class="ant-version-list-item" v-else>
+        <span>{{ i18n "pages.index.panelUpToDate" }}</span>
+        <a-tag color="green">{{ i18n "pages.index.upToDate" }}</a-tag>
+      </a-list-item>
+    </a-list>
+    <div class="mt-5 d-flex justify-end">
+      <a-button type="primary" icon="cloud-download" :disabled="!panelUpdateModal.info.updateAvailable"
+        @click="updatePanel">
+        {{ i18n "pages.index.updatePanel" }}
+      </a-button>
+    </div>
+  </a-modal>
+  <a-modal id="version-modal" v-model="versionModal.visible" title='{{ i18n "pages.index.xrayUpdates" }}'
     :closable="true" @ok="() => versionModal.visible = false" :class="themeSwitcher.currentTheme" footer="">
-    <a-collapse default-active-key="1">
+    <a-collapse accordion :active-key="versionModal.activeKey" @change="key => versionModal.activeKey = key">
       <a-collapse-panel key="1" header='Xray'>
         <a-alert type="warning" class="mb-12 w-100" message='{{ i18n "pages.index.xraySwitchClickDesk" }}'
           show-icon></a-alert>
@@ -799,9 +834,11 @@
 
   const versionModal = {
     visible: false,
+    activeKey: '1',
     versions: [],
-    show(versions) {
+    show(versions, activeKey = '1') {
       this.visible = true;
+      this.activeKey = activeKey;
       this.versions = versions;
     },
     hide() {
@@ -809,6 +846,24 @@
     },
   };
 
+  const panelUpdateModal = {
+    visible: false,
+    info: {
+      currentVersion: '{{ .cur_ver }}',
+      latestVersion: '',
+      updateAvailable: false,
+    },
+    show(info) {
+      this.visible = true;
+      if (info) {
+        this.info = info;
+      }
+    },
+    hide() {
+      this.visible = false;
+    },
+  };
+
   const logModal = {
     visible: false,
     logs: [],
@@ -958,11 +1013,12 @@
         spinning: false
       },
       status: new Status(),
-  cpuHistory: [], // small live widget history
-  cpuHistoryLong: [], // aggregated points from backend
-  cpuHistoryLabels: [],
-  cpuHistoryModal: { visible: false, bucket: 2 },
+      cpuHistory: [], // small live widget history
+      cpuHistoryLong: [], // aggregated points from backend
+      cpuHistoryLabels: [],
+      cpuHistoryModal: { visible: false, bucket: 2 },
       versionModal,
+      panelUpdateModal,
       logModal,
       xraylogModal,
       backupModal,
@@ -1049,16 +1105,25 @@
           console.error('Failed to fetch bucketed cpu history', e)
         }
       },
-      async openSelectV2rayVersion() {
+      async openSelectV2rayVersion(activeKey = '1') {
         this.loading(true);
         const msg = await HttpUtil.get('/panel/api/server/getXrayVersion');
         this.loading(false);
         if (!msg.success) {
           return;
         }
-        versionModal.show(msg.obj);
+        versionModal.show(msg.obj, activeKey);
         this.loadCustomGeo();
       },
+      async openPanelUpdate() {
+        this.loading(true);
+        const msg = await HttpUtil.get('/panel/api/server/getPanelUpdateInfo');
+        this.loading(false);
+        if (!msg.success) {
+          return;
+        }
+        panelUpdateModal.show(msg.obj);
+      },
       customGeoFormatTime(ts) {
         if (!ts) return '';
         return typeof moment !== 'undefined' ? moment(ts * 1000).format('YYYY-MM-DD HH:mm') : String(ts);
@@ -1195,6 +1260,27 @@
           },
         });
       },
+      updatePanel() {
+        this.$confirm({
+          title: '{{ i18n "pages.index.panelUpdateDialog" }}',
+          content: '{{ i18n "pages.index.panelUpdateDialogDesc" }}'
+            .replace('#version#', panelUpdateModal.info.latestVersion || ''),
+          okText: '{{ i18n "confirm"}}',
+          class: themeSwitcher.currentTheme,
+          cancelText: '{{ i18n "cancel"}}',
+          onOk: async () => {
+            panelUpdateModal.hide();
+            this.loading(true, '{{ i18n "pages.index.dontRefresh"}}');
+            const msg = await HttpUtil.post('/panel/api/server/updatePanel');
+            if (!msg.success) {
+              this.loading(false);
+              return;
+            }
+            await PromiseUtil.sleep(15000);
+            window.location.reload();
+          },
+        });
+      },
       updateGeofile(fileName) {
         const isSingleFile = !!fileName;
         this.$confirm({
@@ -1346,6 +1432,13 @@
       // Initial status fetch
       await this.getStatus();
 
+      // Silently check for panel updates so the indicator shows on load
+      HttpUtil.get('/panel/api/server/getPanelUpdateInfo').then(msg => {
+        if (msg && msg.success && msg.obj) {
+          panelUpdateModal.info = msg.obj;
+        }
+      });
+
       // Setup WebSocket for real-time updates
       if (window.wsClient) {
         window.wsClient.connect();
diff --git a/web/service/panel.go b/web/service/panel.go
index e4fb0c68..75f2f155 100644
--- a/web/service/panel.go
+++ b/web/service/panel.go
@@ -1,10 +1,19 @@
 package service
 
 import (
+	"encoding/json"
+	"fmt"
+	"net/http"
 	"os"
+	"os/exec"
+	"path/filepath"
+	"runtime"
+	"strconv"
+	"strings"
 	"syscall"
 	"time"
 
+	"github.com/mhsanaei/3x-ui/v2/config"
 	"github.com/mhsanaei/3x-ui/v2/logger"
 )
 
@@ -12,6 +21,13 @@ import (
 // It handles panel restart, updates, and system-level panel controls.
 type PanelService struct{}
 
+// PanelUpdateInfo contains the current and latest available panel versions.
+type PanelUpdateInfo struct {
+	CurrentVersion  string `json:"currentVersion"`
+	LatestVersion   string `json:"latestVersion"`
+	UpdateAvailable bool   `json:"updateAvailable"`
+}
+
 func (s *PanelService) RestartPanel(delay time.Duration) error {
 	p, err := os.FindProcess(syscall.Getpid())
 	if err != nil {
@@ -26,3 +42,161 @@ func (s *PanelService) RestartPanel(delay time.Duration) error {
 	}()
 	return nil
 }
+
+// GetUpdateInfo checks GitHub for the latest 3x-ui release.
+func (s *PanelService) GetUpdateInfo() (*PanelUpdateInfo, error) {
+	latest, err := fetchLatestPanelVersion()
+	if err != nil {
+		return nil, err
+	}
+	current := config.GetVersion()
+	return &PanelUpdateInfo{
+		CurrentVersion:  current,
+		LatestVersion:   latest,
+		UpdateAvailable: isNewerVersion(latest, current),
+	}, nil
+}
+
+// StartUpdate starts the official updater outside of the current web request.
+func (s *PanelService) StartUpdate() error {
+	if runtime.GOOS != "linux" {
+		return fmt.Errorf("panel web update is supported only on Linux installations")
+	}
+
+	bash, err := exec.LookPath("bash")
+	if err != nil {
+		return fmt.Errorf("bash is required to run the panel updater: %w", err)
+	}
+	curl, err := exec.LookPath("curl")
+	if err != nil {
+		return fmt.Errorf("curl is required to download the panel updater: %w", err)
+	}
+
+	mainFolder, serviceFolder := resolveUpdateFolders()
+	updateScript := fmt.Sprintf("set -o pipefail; %s -fLs https://raw.githubusercontent.com/MHSanaei/3x-ui/main/update.sh | %s", shellQuote(curl), shellQuote(bash))
+
+	if systemdRun, err := exec.LookPath("systemd-run"); err == nil {
+		unitName := fmt.Sprintf("x-ui-web-update-%d", time.Now().Unix())
+		cmd := exec.Command(systemdRun,
+			"--unit", unitName,
+			"--setenv", "XUI_MAIN_FOLDER="+mainFolder,
+			"--setenv", "XUI_SERVICE="+serviceFolder,
+			bash, "-lc", updateScript,
+		)
+		out, err := cmd.CombinedOutput()
+		if err != nil {
+			output := strings.TrimSpace(string(out))
+			if !strings.Contains(output, "System has not been booted with systemd") &&
+				!strings.Contains(output, "Failed to connect to bus") {
+				return fmt.Errorf("failed to start panel update job: %w: %s", err, output)
+			}
+			logger.Warning("systemd-run is unavailable, falling back to detached update process:", output)
+		} else {
+			logger.Infof("started panel update job via systemd-run unit %s", unitName)
+			return nil
+		}
+	}
+
+	cmd := exec.Command(bash, "-lc", updateScript)
+	cmd.Env = append(os.Environ(),
+		"XUI_MAIN_FOLDER="+mainFolder,
+		"XUI_SERVICE="+serviceFolder,
+	)
+	setDetachedProcess(cmd)
+	if err := cmd.Start(); err != nil {
+		return fmt.Errorf("failed to start panel update job: %w", err)
+	}
+	if err := cmd.Process.Release(); err != nil {
+		logger.Warning("failed to release panel update process:", err)
+	}
+	logger.Infof("started panel update job with pid %d", cmd.Process.Pid)
+	return nil
+}
+
+func fetchLatestPanelVersion() (string, error) {
+	client := &http.Client{Timeout: 10 * time.Second}
+	resp, err := client.Get("https://api.github.com/repos/MHSanaei/3x-ui/releases/latest")
+	if err != nil {
+		return "", err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return "", fmt.Errorf("GitHub API returned status %d: %s", resp.StatusCode, resp.Status)
+	}
+
+	var release Release
+	if err := json.NewDecoder(resp.Body).Decode(&release); err != nil {
+		return "", err
+	}
+	if release.TagName == "" {
+		return "", fmt.Errorf("latest panel release tag is empty")
+	}
+	return release.TagName, nil
+}
+
+func resolveUpdateFolders() (string, string) {
+	mainFolder := os.Getenv("XUI_MAIN_FOLDER")
+	if mainFolder == "" {
+		if exePath, err := os.Executable(); err == nil {
+			mainFolder = filepath.Dir(exePath)
+		}
+	}
+	if mainFolder == "" {
+		mainFolder = "/usr/local/x-ui"
+	}
+
+	serviceFolder := os.Getenv("XUI_SERVICE")
+	if serviceFolder == "" {
+		serviceFolder = "/etc/systemd/system"
+	}
+	return mainFolder, serviceFolder
+}
+
+func isNewerVersion(latest string, current string) bool {
+	cmp, ok := compareVersionStrings(latest, current)
+	if !ok {
+		return normalizeVersionTag(latest) != normalizeVersionTag(current)
+	}
+	return cmp > 0
+}
+
+func compareVersionStrings(a string, b string) (int, bool) {
+	aParts, okA := parseVersionParts(a)
+	bParts, okB := parseVersionParts(b)
+	if !okA || !okB {
+		return 0, false
+	}
+	for i := 0; i < len(aParts); i++ {
+		if aParts[i] > bParts[i] {
+			return 1, true
+		}
+		if aParts[i] < bParts[i] {
+			return -1, true
+		}
+	}
+	return 0, true
+}
+
+func parseVersionParts(version string) ([3]int, bool) {
+	var result [3]int
+	parts := strings.Split(normalizeVersionTag(version), ".")
+	if len(parts) != 3 {
+		return result, false
+	}
+	for i, part := range parts {
+		n, err := strconv.Atoi(part)
+		if err != nil {
+			return result, false
+		}
+		result[i] = n
+	}
+	return result, true
+}
+
+func normalizeVersionTag(version string) string {
+	return strings.TrimPrefix(strings.TrimSpace(version), "v")
+}
+
+func shellQuote(value string) string {
+	return "'" + strings.ReplaceAll(value, "'", "'\\''") + "'"
+}
diff --git a/web/service/panel_other.go b/web/service/panel_other.go
new file mode 100644
index 00000000..53295c10
--- /dev/null
+++ b/web/service/panel_other.go
@@ -0,0 +1,7 @@
+//go:build !linux
+
+package service
+
+import "os/exec"
+
+func setDetachedProcess(cmd *exec.Cmd) {}
diff --git a/web/service/panel_test.go b/web/service/panel_test.go
new file mode 100644
index 00000000..44e9ba34
--- /dev/null
+++ b/web/service/panel_test.go
@@ -0,0 +1,41 @@
+package service
+
+import "testing"
+
+func TestIsNewerVersion(t *testing.T) {
+	cases := []struct {
+		latest  string
+		current string
+		want    bool
+	}{
+		{"v2.9.4", "2.9.3", true},
+		{"v2.10.0", "2.9.9", true},
+		{"v2.9.3", "2.9.3", false},
+		{"v2.9.2", "2.9.3", false},
+		{"v3.0.0", "2.9.3", true},
+	}
+
+	for _, tc := range cases {
+		if got := isNewerVersion(tc.latest, tc.current); got != tc.want {
+			t.Fatalf("isNewerVersion(%q, %q) = %v, want %v", tc.latest, tc.current, got, tc.want)
+		}
+	}
+}
+
+func TestCompareVersionStringsRejectsUnexpectedFormats(t *testing.T) {
+	if _, ok := compareVersionStrings("latest", "2.9.3"); ok {
+		t.Fatal("expected non-semver latest tag to be rejected")
+	}
+	if _, ok := compareVersionStrings("v2.9", "2.9.3"); ok {
+		t.Fatal("expected short version to be rejected")
+	}
+}
+
+func TestShellQuote(t *testing.T) {
+	if got := shellQuote("/usr/bin/curl"); got != "'/usr/bin/curl'" {
+		t.Fatalf("unexpected quote result: %s", got)
+	}
+	if got := shellQuote("/tmp/a'b"); got != "'/tmp/a'\\''b'" {
+		t.Fatalf("unexpected quote result with single quote: %s", got)
+	}
+}
diff --git a/web/service/panel_unix.go b/web/service/panel_unix.go
new file mode 100644
index 00000000..13d2237c
--- /dev/null
+++ b/web/service/panel_unix.go
@@ -0,0 +1,12 @@
+//go:build linux
+
+package service
+
+import (
+	"os/exec"
+	"syscall"
+)
+
+func setDetachedProcess(cmd *exec.Cmd) {
+	cmd.SysProcAttr = &syscall.SysProcAttr{Setsid: true}
+}
diff --git a/web/translation/translate.en_US.toml b/web/translation/translate.en_US.toml
index 45186187..49c9f952 100644
--- a/web/translation/translate.en_US.toml
+++ b/web/translation/translate.en_US.toml
@@ -124,8 +124,15 @@
 "stopXray" = "Stop"
 "restartXray" = "Restart"
 "xraySwitch" = "Version"
+"xrayUpdates" = "Xray Updates"
 "xraySwitchClick" = "Choose the version you want to switch to."
 "xraySwitchClickDesk" = "Choose carefully, as older versions may not be compatible with current configurations."
+"updatePanel" = "Update Panel"
+"panelUpdateDesc" = "This will update 3X-UI itself to the latest release and restart the panel service."
+"currentPanelVersion" = "Current panel version"
+"latestPanelVersion" = "Latest panel version"
+"panelUpToDate" = "Panel is up to date"
+"upToDate" = "Up to date"
 "xrayStatusUnknown" = "Unknown"
 "xrayStatusRunning" = "Running"
 "xrayStatusStop" = "Stop"
@@ -147,6 +154,10 @@
 "xraySwitchVersionDialog" = "Do you really want to change the Xray version?"
 "xraySwitchVersionDialogDesc" = "This will change the Xray version to #version#."
 "xraySwitchVersionPopover" = "Xray updated successfully"
+"panelUpdateDialog" = "Do you really want to update the panel?"
+"panelUpdateDialogDesc" = "This will update 3X-UI to #version# and restart the panel service."
+"panelUpdateCheckPopover" = "Panel update check failed"
+"panelUpdateStartedPopover" = "Panel update started"
 "geofileUpdateDialog" = "Do you really want to update the geofile?"
 "geofileUpdateDialogDesc" = "This will update the #filename# file."
 "geofilesUpdateDialogDesc" = "This will update all geofiles."

From 51e2fb6dbfb6f3f21b3f578c15c3dc0d47c4a66e Mon Sep 17 00:00:00 2001
From: MHSanaei <ho3ein.sanaei@gmail.com>
Date: Tue, 28 Apr 2026 19:17:11 +0200
Subject: [PATCH 17/17] translate update

#4117
---
 web/translation/translate.ar_EG.toml | 11 +++++++++++
 web/translation/translate.es_ES.toml | 11 +++++++++++
 web/translation/translate.fa_IR.toml | 11 +++++++++++
 web/translation/translate.id_ID.toml | 11 +++++++++++
 web/translation/translate.ja_JP.toml | 11 +++++++++++
 web/translation/translate.pt_BR.toml | 11 +++++++++++
 web/translation/translate.ru_RU.toml | 11 +++++++++++
 web/translation/translate.tr_TR.toml | 11 +++++++++++
 web/translation/translate.uk_UA.toml | 11 +++++++++++
 web/translation/translate.vi_VN.toml | 11 +++++++++++
 web/translation/translate.zh_CN.toml | 11 +++++++++++
 web/translation/translate.zh_TW.toml | 11 +++++++++++
 12 files changed, 132 insertions(+)

diff --git a/web/translation/translate.ar_EG.toml b/web/translation/translate.ar_EG.toml
index ca7076c8..2e76cf94 100644
--- a/web/translation/translate.ar_EG.toml
+++ b/web/translation/translate.ar_EG.toml
@@ -126,6 +126,13 @@
 "xraySwitch" = "النسخة"
 "xraySwitchClick" = "اختار النسخة اللي عايز تتحول لها."
 "xraySwitchClickDesk" = "اختار بحذر، النسخ القديمة ممكن ما تتوافقش مع الإعدادات الحالية."
+"xrayUpdates" = "تحديثات Xray"
+"updatePanel" = "تحديث البانل"
+"panelUpdateDesc" = "ده هيحدث 3X-UI لآخر إصدار وهيعيد تشغيل خدمة البانل."
+"currentPanelVersion" = "إصدار البانل الحالي"
+"latestPanelVersion" = "أحدث إصدار للبانل"
+"panelUpToDate" = "البانل محدث لآخر إصدار"
+"upToDate" = "محدث"
 "xrayStatusUnknown" = "مش معروف"
 "xrayStatusRunning" = "شغالة"
 "xrayStatusStop" = "متوقفة"
@@ -147,6 +154,10 @@
 "xraySwitchVersionDialog" = "هل تريد حقًا تغيير إصدار Xray؟"
 "xraySwitchVersionDialogDesc" = "سيؤدي هذا إلى تغيير إصدار Xray إلى #version#."
 "xraySwitchVersionPopover" = "تم تحديث Xray بنجاح"
+"panelUpdateDialog" = "هل فعلاً عايز تحدث البانل؟"
+"panelUpdateDialogDesc" = "ده هيحدث 3X-UI للإصدار #version# وهيعيد تشغيل البانل."
+"panelUpdateCheckPopover" = "فشل التحقق من تحديث البانل"
+"panelUpdateStartedPopover" = "بدأ تحديث البانل"
 "geofileUpdateDialog" = "هل تريد حقًا تحديث ملف الجغرافيا؟"
 "geofileUpdateDialogDesc" = "سيؤدي هذا إلى تحديث ملف #filename#."
 "geofilesUpdateDialogDesc" = "سيؤدي هذا إلى تحديث كافة الملفات."
diff --git a/web/translation/translate.es_ES.toml b/web/translation/translate.es_ES.toml
index d8f94461..cce4018f 100644
--- a/web/translation/translate.es_ES.toml
+++ b/web/translation/translate.es_ES.toml
@@ -126,6 +126,13 @@
 "xraySwitch" = "Versión"
 "xraySwitchClick" = "Elige la versión a la que deseas cambiar."
 "xraySwitchClickDesk" = "Elige sabiamente, ya que las versiones anteriores pueden no ser compatibles con las configuraciones actuales."
+"xrayUpdates" = "Actualizaciones de Xray"
+"updatePanel" = "Actualizar panel"
+"panelUpdateDesc" = "Esto actualizará 3X-UI a la última versión y reiniciará el servicio del panel."
+"currentPanelVersion" = "Versión actual del panel"
+"latestPanelVersion" = "Última versión del panel"
+"panelUpToDate" = "El panel está actualizado"
+"upToDate" = "Actualizado"
 "xrayStatusUnknown" = "Desconocido"
 "xrayStatusRunning" = "En ejecución"
 "xrayStatusStop" = "Detenido"
@@ -147,6 +154,10 @@
 "xraySwitchVersionDialog" = "¿Realmente deseas cambiar la versión de Xray?"
 "xraySwitchVersionDialogDesc" = "Esto cambiará la versión de Xray a #version#."
 "xraySwitchVersionPopover" = "Xray se actualizó correctamente"
+"panelUpdateDialog" = "¿Deseas actualizar el panel?"
+"panelUpdateDialogDesc" = "Esto actualizará 3X-UI a la versión #version# y reiniciará el servicio del panel."
+"panelUpdateCheckPopover" = "Fallo al comprobar actualización del panel"
+"panelUpdateStartedPopover" = "Actualización del panel iniciada"
 "geofileUpdateDialog" = "¿Realmente deseas actualizar el geofichero?"
 "geofileUpdateDialogDesc" = "Esto actualizará el archivo #filename#."
 "geofilesUpdateDialogDesc" = "Esto actualizará todos los archivos."
diff --git a/web/translation/translate.fa_IR.toml b/web/translation/translate.fa_IR.toml
index aaec75f6..e1f49b80 100644
--- a/web/translation/translate.fa_IR.toml
+++ b/web/translation/translate.fa_IR.toml
@@ -126,6 +126,13 @@
 "xraySwitch" = "‌نسخه"
 "xraySwitchClick" = "نسخه مورد نظر را انتخاب کنید"
 "xraySwitchClickDesk" = "لطفا بادقت انتخاب کنید. درصورت انتخاب نسخه قدیمی‌تر، امکان ناهماهنگی با پیکربندی فعلی وجود دارد"
+"xrayUpdates" = "به‌روزرسانی‌های Xray"
+"updatePanel" = "به‌روزرسانی پنل"
+"panelUpdateDesc" = "این عملیات 3X-UI را به آخرین نسخه به‌روزرسانی می‌کند و سرویس پنل را مجدداً راه‌اندازی می‌کند."
+"currentPanelVersion" = "نسخه فعلی پنل"
+"latestPanelVersion" = "آخرین نسخه پنل"
+"panelUpToDate" = "پنل به‌روز است"
+"upToDate" = "به‌روز"
 "xrayStatusUnknown" = "ناشناخته"
 "xrayStatusRunning" = "در حال اجرا"
 "xrayStatusStop" = "متوقف"
@@ -147,6 +154,10 @@
 "xraySwitchVersionDialog" = "آیا واقعاً می‌خواهید نسخه Xray را تغییر دهید؟"
 "xraySwitchVersionDialogDesc" = "این کار نسخه Xray را به #version# تغییر می‌دهد."
 "xraySwitchVersionPopover" = "Xray با موفقیت به‌روز شد"
+"panelUpdateDialog" = "آیا مطمئن هستید که می‌خواهید پنل را به‌روزرسانی کنید؟"
+"panelUpdateDialogDesc" = "این 3X-UI را به نسخه #version# به‌روزرسانی کرده و سرویس پنل را مجدداً راه‌اندازی می‌کند."
+"panelUpdateCheckPopover" = "خطا در بررسی به‌روزرسانی پنل"
+"panelUpdateStartedPopover" = "به‌روزرسانی پنل آغاز شد"
 "geofileUpdateDialog" = "آیا واقعاً می‌خواهید فایل جغرافیایی را به‌روز کنید؟"
 "geofileUpdateDialogDesc" = "این عمل فایل #filename# را به‌روز می‌کند."
 "geofilesUpdateDialogDesc" = "با این کار همه فایل‌ها به‌روزرسانی می‌شوند."
diff --git a/web/translation/translate.id_ID.toml b/web/translation/translate.id_ID.toml
index e115aaa8..f2ac71fc 100644
--- a/web/translation/translate.id_ID.toml
+++ b/web/translation/translate.id_ID.toml
@@ -126,6 +126,13 @@
 "xraySwitch" = "Versi"
 "xraySwitchClick" = "Pilih versi yang ingin Anda pindah."
 "xraySwitchClickDesk" = "Pilih dengan hati-hati, karena versi yang lebih lama mungkin tidak kompatibel dengan konfigurasi saat ini."
+"xrayUpdates" = "Pembaruan Xray"
+"updatePanel" = "Perbarui Panel"
+"panelUpdateDesc" = "Ini akan memperbarui 3X-UI ke rilis terbaru dan me-restart layanan panel."
+"currentPanelVersion" = "Versi panel saat ini"
+"latestPanelVersion" = "Versi panel terbaru"
+"panelUpToDate" = "Panel sudah terbaru"
+"upToDate" = "Terbaru"
 "xrayStatusUnknown" = "Tidak diketahui"
 "xrayStatusRunning" = "Berjalan"
 "xrayStatusStop" = "Berhenti"
@@ -147,6 +154,10 @@
 "xraySwitchVersionDialog" = "Apakah Anda yakin ingin mengubah versi Xray?"
 "xraySwitchVersionDialogDesc" = "Ini akan mengubah versi Xray ke #version#."
 "xraySwitchVersionPopover" = "Xray berhasil diperbarui"
+"panelUpdateDialog" = "Apakah Anda benar-benar ingin memperbarui panel?"
+"panelUpdateDialogDesc" = "Ini akan memperbarui 3X-UI ke #version# dan me-restart layanan panel."
+"panelUpdateCheckPopover" = "Pemeriksaan pembaruan panel gagal"
+"panelUpdateStartedPopover" = "Pembaruan panel dimulai"
 "geofileUpdateDialog" = "Apakah Anda yakin ingin memperbarui geofile?"
 "geofileUpdateDialogDesc" = "Ini akan memperbarui file #filename#."
 "geofilesUpdateDialogDesc" = "Ini akan memperbarui semua berkas."
diff --git a/web/translation/translate.ja_JP.toml b/web/translation/translate.ja_JP.toml
index ffa9168b..da67e758 100644
--- a/web/translation/translate.ja_JP.toml
+++ b/web/translation/translate.ja_JP.toml
@@ -126,6 +126,13 @@
 "xraySwitch" = "バージョン"
 "xraySwitchClick" = "切り替えるバージョンを選択してください"
 "xraySwitchClickDesk" = "慎重に選択してください。古いバージョンは現在の設定と互換性がない可能性があります。"
+"xrayUpdates" = "Xrayの更新"
+"updatePanel" = "パネルを更新"
+"panelUpdateDesc" = "これにより3X-UIが最新リリースに更新され、パネルサービスが再起動されます。"
+"currentPanelVersion" = "現在のパネルバージョン"
+"latestPanelVersion" = "最新のパネルバージョン"
+"panelUpToDate" = "パネルは最新です"
+"upToDate" = "最新"
 "xrayStatusUnknown" = "不明"
 "xrayStatusRunning" = "実行中"
 "xrayStatusStop" = "停止"
@@ -147,6 +154,10 @@
 "xraySwitchVersionDialog" = "Xrayのバージョンを本当に変更しますか？"
 "xraySwitchVersionDialogDesc" = "Xrayのバージョンが#version#に変更されます。"
 "xraySwitchVersionPopover" = "Xrayの更新が成功しました"
+"panelUpdateDialog" = "本当にパネルを更新しますか？"
+"panelUpdateDialogDesc" = "これにより3X-UIが#version#に更新され、パネルサービスが再起動されます。"
+"panelUpdateCheckPopover" = "パネルの更新確認に失敗しました"
+"panelUpdateStartedPopover" = "パネルの更新を開始しました"
 "geofileUpdateDialog" = "ジオファイルを本当に更新しますか？"
 "geofileUpdateDialogDesc" = "これにより#filename#ファイルが更新されます。"
 "geofilesUpdateDialogDesc" = "これにより、すべてのファイルが更新されます。"
diff --git a/web/translation/translate.pt_BR.toml b/web/translation/translate.pt_BR.toml
index 18db4d62..10a2b156 100644
--- a/web/translation/translate.pt_BR.toml
+++ b/web/translation/translate.pt_BR.toml
@@ -126,6 +126,13 @@
 "xraySwitch" = "Versão"
 "xraySwitchClick" = "Escolha a versão para a qual deseja alternar."
 "xraySwitchClickDesk" = "Escolha com cuidado, pois versões mais antigas podem não ser compatíveis com as configurações atuais."
+"xrayUpdates" = "Atualizações do Xray"
+"updatePanel" = "Atualizar painel"
+"panelUpdateDesc" = "Isso atualizará o 3X-UI para a versão mais recente e reiniciará o serviço do painel."
+"currentPanelVersion" = "Versão atual do painel"
+"latestPanelVersion" = "Última versão do painel"
+"panelUpToDate" = "O painel está atualizado"
+"upToDate" = "Atualizado"
 "xrayStatusUnknown" = "Desconhecido"
 "xrayStatusRunning" = "Em execução"
 "xrayStatusStop" = "Parado"
@@ -147,6 +154,10 @@
 "xraySwitchVersionDialog" = "Você realmente deseja alterar a versão do Xray?"
 "xraySwitchVersionDialogDesc" = "Isso mudará a versão do Xray para #version#."
 "xraySwitchVersionPopover" = "Xray atualizado com sucesso"
+"panelUpdateDialog" = "Deseja realmente atualizar o painel?"
+"panelUpdateDialogDesc" = "Isso atualizará o 3X-UI para #version# e reiniciará o serviço do painel."
+"panelUpdateCheckPopover" = "Falha na verificação de atualização do painel"
+"panelUpdateStartedPopover" = "Atualização do painel iniciada"
 "geofileUpdateDialog" = "Você realmente deseja atualizar o geofile?"
 "geofileUpdateDialogDesc" = "Isso atualizará o arquivo #filename#."
 "geofilesUpdateDialogDesc" = "Isso atualizará todos os arquivos."
diff --git a/web/translation/translate.ru_RU.toml b/web/translation/translate.ru_RU.toml
index 5bf89dfd..b3ec617d 100644
--- a/web/translation/translate.ru_RU.toml
+++ b/web/translation/translate.ru_RU.toml
@@ -126,6 +126,13 @@
 "xraySwitch" = "Выбор версии"
 "xraySwitchClick" = "Выберите нужную версию"
 "xraySwitchClickDesk" = "Важно: старые версии могут не поддерживать текущие настройки"
+"xrayUpdates" = "Обновления Xray"
+"updatePanel" = "Обновить панель"
+"panelUpdateDesc" = "Это обновит 3X-UI до последнего релиза и перезапустит сервис панели."
+"currentPanelVersion" = "Текущая версия панели"
+"latestPanelVersion" = "Последняя версия панели"
+"panelUpToDate" = "Панель обновлена"
+"upToDate" = "Обновлено"
 "xrayStatusUnknown" = "Неизвестно"
 "xrayStatusRunning" = "Запущен"
 "xrayStatusStop" = "Остановлен"
@@ -147,6 +154,10 @@
 "xraySwitchVersionDialog" = "Переключить версию Xray"
 "xraySwitchVersionDialogDesc" = "Вы точно хотите сменить версию Xray?"
 "xraySwitchVersionPopover" = "Xray успешно обновлён"
+"panelUpdateDialog" = "Вы действительно хотите обновить панель?"
+"panelUpdateDialogDesc" = "Это обновит 3X-UI до версии #version# и перезапустит сервис панели."
+"panelUpdateCheckPopover" = "Проверка обновления панели не удалась"
+"panelUpdateStartedPopover" = "Обновление панели началось"
 "geofileUpdateDialog" = "Вы действительно хотите обновить геофайл?"
 "geofileUpdateDialogDesc" = "Это обновит файл #filename#."
 "geofilesUpdateDialogDesc" = "Это обновит все геофайлы."
diff --git a/web/translation/translate.tr_TR.toml b/web/translation/translate.tr_TR.toml
index 0393a7dc..5aaa1b03 100644
--- a/web/translation/translate.tr_TR.toml
+++ b/web/translation/translate.tr_TR.toml
@@ -126,6 +126,13 @@
 "xraySwitch" = "Sürüm"
 "xraySwitchClick" = "Geçiş yapmak istediğiniz sürümü seçin."
 "xraySwitchClickDesk" = "Dikkatli seçin, eski sürümler mevcut yapılandırmalarla uyumlu olmayabilir."
+"xrayUpdates" = "Xray Güncellemeleri"
+"updatePanel" = "Paneli Güncelle"
+"panelUpdateDesc" = "Bu, 3X-UI'yi en son sürüme güncelleyecek ve panel servisini yeniden başlatacaktır."
+"currentPanelVersion" = "Mevcut panel sürümü"
+"latestPanelVersion" = "Panelin en son sürümü"
+"panelUpToDate" = "Panel güncel"
+"upToDate" = "Güncel"
 "xrayStatusUnknown" = "Bilinmiyor"
 "xrayStatusRunning" = "Çalışıyor"
 "xrayStatusStop" = "Durduruldu"
@@ -147,6 +154,10 @@
 "xraySwitchVersionDialog" = "Xray sürümünü gerçekten değiştirmek istiyor musunuz?"
 "xraySwitchVersionDialogDesc" = "Bu işlem Xray sürümünü #version# olarak değiştirecektir."
 "xraySwitchVersionPopover" = "Xray başarıyla güncellendi"
+"panelUpdateDialog" = "Gerçekten paneli güncellemek istiyor musunuz?"
+"panelUpdateDialogDesc" = "Bu, 3X-UI'yi #version# sürümüne güncelleyecek ve panel servisini yeniden başlatacaktır."
+"panelUpdateCheckPopover" = "Panel güncelleme kontrolü başarısız oldu"
+"panelUpdateStartedPopover" = "Panel güncellemesi başlatıldı"
 "geofileUpdateDialog" = "Geofile'ı gerçekten güncellemek istiyor musunuz?"
 "geofileUpdateDialogDesc" = "Bu işlem #filename# dosyasını güncelleyecektir."
 "geofilesUpdateDialogDesc" = "Bu, tüm dosyaları güncelleyecektir."
diff --git a/web/translation/translate.uk_UA.toml b/web/translation/translate.uk_UA.toml
index 40bcaa76..b83122c9 100644
--- a/web/translation/translate.uk_UA.toml
+++ b/web/translation/translate.uk_UA.toml
@@ -126,6 +126,13 @@
 "xraySwitch" = "Версія"
 "xraySwitchClick" = "Виберіть версію, на яку ви хочете перейти."
 "xraySwitchClickDesk" = "Вибирайте уважно, оскільки старіші версії можуть бути несумісними з поточними конфігураціями."
+"xrayUpdates" = "Оновлення Xray"
+"updatePanel" = "Оновити панель"
+"panelUpdateDesc" = "Це оновить 3X-UI до останнього релізу та перезапустить сервіс панелі."
+"currentPanelVersion" = "Поточна версія панелі"
+"latestPanelVersion" = "Остання версія панелі"
+"panelUpToDate" = "Панель оновлено"
+"upToDate" = "Оновлено"
 "xrayStatusUnknown" = "Невідомо"
 "xrayStatusRunning" = "Запущено"
 "xrayStatusStop" = "Зупинено"
@@ -147,6 +154,10 @@
 "xraySwitchVersionDialog" = "Ви дійсно хочете змінити версію Xray?"
 "xraySwitchVersionDialogDesc" = "Це змінить версію Xray на #version#."
 "xraySwitchVersionPopover" = "Xray успішно оновлено"
+"panelUpdateDialog" = "Ви дійсно хочете оновити панель?"
+"panelUpdateDialogDesc" = "Це оновить 3X-UI до #version# та перезапустить сервіс панелі."
+"panelUpdateCheckPopover" = "Перевірка оновлення панелі не вдалася"
+"panelUpdateStartedPopover" = "Розпочато оновлення панелі"
 "geofileUpdateDialog" = "Ви дійсно хочете оновити геофайл?"
 "geofileUpdateDialogDesc" = "Це оновить файл #filename#."
 "geofilesUpdateDialogDesc" = "Це оновить усі геофайли."
diff --git a/web/translation/translate.vi_VN.toml b/web/translation/translate.vi_VN.toml
index 43afe89b..3d836b33 100644
--- a/web/translation/translate.vi_VN.toml
+++ b/web/translation/translate.vi_VN.toml
@@ -126,6 +126,13 @@
 "xraySwitch" = "Phiên bản"
 "xraySwitchClick" = "Chọn phiên bản mà bạn muốn chuyển đổi sang."
 "xraySwitchClickDesk" = "Hãy lựa chọn thận trọng, vì các phiên bản cũ có thể không tương thích với các cấu hình hiện tại."
+"xrayUpdates" = "Cập nhật Xray"
+"updatePanel" = "Cập nhật Panel"
+"panelUpdateDesc" = "Điều này sẽ cập nhật 3X-UI lên bản phát hành mới nhất và khởi động lại dịch vụ panel."
+"currentPanelVersion" = "Phiên bản panel hiện tại"
+"latestPanelVersion" = "Phiên bản panel mới nhất"
+"panelUpToDate" = "Panel đã được cập nhật"
+"upToDate" = "Đã cập nhật"
 "xrayStatusUnknown" = "Không xác định"
 "xrayStatusRunning" = "Đang chạy"
 "xrayStatusStop" = "Dừng"
@@ -147,6 +154,10 @@
 "xraySwitchVersionDialog" = "Bạn có chắc chắn muốn thay đổi phiên bản Xray không?"
 "xraySwitchVersionDialogDesc" = "Hành động này sẽ thay đổi phiên bản Xray thành #version#."
 "xraySwitchVersionPopover" = "Xray đã được cập nhật thành công"
+"panelUpdateDialog" = "Bạn có chắc muốn cập nhật panel không?"
+"panelUpdateDialogDesc" = "Điều này sẽ cập nhật 3X-UI lên #version# và khởi động lại dịch vụ panel."
+"panelUpdateCheckPopover" = "Kiểm tra cập nhật panel thất bại"
+"panelUpdateStartedPopover" = "Bắt đầu cập nhật panel"
 "geofileUpdateDialog" = "Bạn có chắc chắn muốn cập nhật geofile không?"
 "geofileUpdateDialogDesc" = "Hành động này sẽ cập nhật tệp #filename#."
 "geofilesUpdateDialogDesc" = "Thao tác này sẽ cập nhật tất cả các tập tin."
diff --git a/web/translation/translate.zh_CN.toml b/web/translation/translate.zh_CN.toml
index cb42afce..57c23eac 100644
--- a/web/translation/translate.zh_CN.toml
+++ b/web/translation/translate.zh_CN.toml
@@ -126,6 +126,13 @@
 "xraySwitch" = "版本"
 "xraySwitchClick" = "选择你要切换到的版本"
 "xraySwitchClickDesk" = "请谨慎选择，因为较旧版本可能与当前配置不兼容"
+"xrayUpdates" = "Xray 更新"
+"updatePanel" = "更新面板"
+"panelUpdateDesc" = "这将把 3X-UI 更新到最新版本并重启面板服务。"
+"currentPanelVersion" = "当前面板版本"
+"latestPanelVersion" = "最新面板版本"
+"panelUpToDate" = "面板已是最新"
+"upToDate" = "已是最新"
 "xrayStatusUnknown" = "未知"
 "xrayStatusRunning" = "运行中"
 "xrayStatusStop" = "停止"
@@ -147,6 +154,10 @@
 "xraySwitchVersionDialog" = "您确定要更改Xray版本吗？"
 "xraySwitchVersionDialogDesc" = "这将把Xray版本更改为#version#。"
 "xraySwitchVersionPopover" = "Xray 更新成功"
+"panelUpdateDialog" = "您确定要更新面板吗？"
+"panelUpdateDialogDesc" = "这将把 3X-UI 更新到 #version# 并重启面板服务。"
+"panelUpdateCheckPopover" = "面板更新检查失败"
+"panelUpdateStartedPopover" = "已开始更新面板"
 "geofileUpdateDialog" = "您确定要更新地理文件吗？"
 "geofileUpdateDialogDesc" = "这将更新 #filename# 文件。"
 "geofilesUpdateDialogDesc" = "这将更新所有文件。"
diff --git a/web/translation/translate.zh_TW.toml b/web/translation/translate.zh_TW.toml
index 551ebbd0..69e5164c 100644
--- a/web/translation/translate.zh_TW.toml
+++ b/web/translation/translate.zh_TW.toml
@@ -126,6 +126,13 @@
 "xraySwitch" = "版本"
 "xraySwitchClick" = "選擇你要切換到的版本"
 "xraySwitchClickDesk" = "請謹慎選擇，因為較舊版本可能與當前配置不相容"
+"xrayUpdates" = "Xray 更新"
+"updatePanel" = "更新面板"
+"panelUpdateDesc" = "這將把 3X-UI 更新到最新版本並重新啟動面板服務。"
+"currentPanelVersion" = "目前面板版本"
+"latestPanelVersion" = "最新面板版本"
+"panelUpToDate" = "面板已是最新"
+"upToDate" = "已是最新"
 "xrayStatusUnknown" = "未知"
 "xrayStatusRunning" = "運行中"
 "xrayStatusStop" = "停止"
@@ -147,6 +154,10 @@
 "xraySwitchVersionDialog" = "您確定要變更Xray版本嗎？"
 "xraySwitchVersionDialogDesc" = "這將會把Xray版本變更為#version#。"
 "xraySwitchVersionPopover" = "Xray 更新成功"
+"panelUpdateDialog" = "您確定要更新面板嗎？"
+"panelUpdateDialogDesc" = "這將把 3X-UI 更新到 #version# 並重新啟動面板服務。"
+"panelUpdateCheckPopover" = "面板更新檢查失敗"
+"panelUpdateStartedPopover" = "面板更新已開始"
 "geofileUpdateDialog" = "您確定要更新地理檔案嗎？"
 "geofileUpdateDialogDesc" = "這將更新 #filename# 檔案。"
 "geofilesUpdateDialogDesc" = "這將更新所有文件。"