100 commits

Author	SHA1	Message	Date
MHSanaei	0fe48124c9	refactor(api): move every client-shaped endpoint off /inbounds onto /clients ... After the multi-inbound client migration, client state belongs to the client API surface, not the inbound one. Twelve routes that were crammed under /panel/api/inbounds/* now live where they belong, under /panel/api/clients/*. Moved (route, handler, doc): POST /clientIps/:email POST /clearClientIps/:email POST /onlines POST /lastOnline POST /updateClientTraffic/:email POST /resetAllClientTraffics/:id POST /delDepletedClients/:id POST /:id/resetClientTraffic/:email GET /getClientTraffics/:email GET /getClientTrafficsById/:id GET /getSubLinks/:subId GET /getClientLinks/:id/:email Their /clients/* counterparts are: POST /clients/clientIps/:email POST /clients/clearClientIps/:email POST /clients/onlines POST /clients/lastOnline POST /clients/updateTraffic/:email POST /clients/resetTraffic/:email (email-only, fans out) GET /clients/traffic/:email GET /clients/traffic/byId/:id GET /clients/subLinks/:subId GET /clients/links/:id/:email per-inbound resetAllClientTraffics and delDepletedClients are dropped entirely — the Clients page already exposes global Reset All Traffic and Delete depleted actions, and per-inbound resets are meaningless once a client can be attached to many inbounds. ClientService.ResetTrafficByEmail is the new email-only reset path: it looks up every inbound the client is attached to and pushes the counter reset + Xray re-add through inboundService.ResetClientTraffic for each one, so depleted users come back online instantly. Frontend callers (ClientsPage, useClients, ClientQrModal, ClientInfoModal, InboundInfoModal, InboundsPage, useInbounds) all switched to the new paths. The Inbounds page drops its per-inbound "Reset client traffic" and "Delete depleted clients" dropdown items — users do those at the client level now. api-docs is rebuilt to match. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-17 10:15:01 +02:00
MHSanaei	c84799ea2b	feat(clients): add Delete depleted action ... Mirrors the legacy delDepletedClients action that lived under the inbounds page, but as a first-class /panel/api/clients/delDepleted endpoint backed by ClientService. The new path goes through ClientService.Delete for each depleted email, so the new clients + client_inbounds + xray_client_traffic tables stay consistent. Adds a danger-styled toolbar button on the Clients page (next to Reset all client traffic) with a confirm dialog and a toast reporting the deleted count. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-17 09:45:38 +02:00
MHSanaei	c5217b9a78	refactor(inbounds): remove legacy per-inbound client UI ... Now that clients live as first-class rows attached to one or many inbounds, the per-inbound client UI on the inbounds page is dead weight — every client action either has a global equivalent on the Clients page or makes no sense in a many-to-many world. Deletes ClientFormModal, ClientBulkModal, CopyClientsModal, and ClientRowTable from inbounds/. Strips the matching emits, refs, handlers, and dropdown menu items from InboundList and InboundsPage, and removes the dead mobile expand-chevron state and the desktop expanded-row plumbing that drove the inline client table. The InboundFormModal Clients tab still works in add-mode (one inline client at inbound creation) — that flow goes through ClientService. SyncInbound on save and remains useful. Fixes a stray "</a-dropdown>" left over by an earlier toolbar edit in ClientsPage that broke the template parser. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-17 09:40:30 +02:00
MHSanaei	93ede81094	feat(clients): mobile cards, multi-select, bulk add ... Adds the same row-card layout the inbounds page uses on mobile: the table is suppressed under the mobile breakpoint and each client renders as a compact card with a status dot, email, Info button, Enable switch, and overflow menu. All the per-client detail (traffic, remaining, expiry, attached inbounds, flow, created/updated, URL, subscription) opens through the existing info modal. Multi-select with bulk delete wires AntD row-selection on desktop and a per-card checkbox on mobile; a Delete (N) button appears in the toolbar when anything is selected. Bulk add reuses the five email-generation modes from the inbound bulk modal but takes a multi-inbound picker so one bulk run can attach to several inbounds at once. Submits client-by-client through the existing /panel/api/clients/add endpoint. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-17 09:23:32 +02:00
MHSanaei	f315ed269e	refactor(traffic): drop all-time traffic tracking ... Removes the AllTime field from Inbound and ClientTraffic and migrates existing DBs by dropping the all_time columns on startup. The counter duplicated up+down without adding signal, and the per-event accumulator ran on every traffic write. Frontend: drop the All-time column from the inbound list and the client-row table, the All-time row from the client info modal, and the All-Time Total Usage tile from the inbounds summary card. The allTimeTraffic/allTimeTrafficUsage i18n keys are removed across every locale. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-17 09:01:04 +02:00
MHSanaei	8a4101a96b	1 ... Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-17 08:53:21 +02:00
MHSanaei	8fd1dc94bb	fix(clients): unbreak template parsing + stale i18n keys ... - InboundFormModal: split the multi-line help string in the PortFallback section onto one line — Vue's template parser was bailing on Unterminated string constant because a single-quoted literal spanned two lines inside a {{ }} interpolation. - ClientInfoModal: t('disable') was missing at the root level, so vue-i18n returned the key path literally. Use t('disabled') which exists. - Linter cleanup elsewhere: pages.client.* references renamed to pages.clients.* to match the merged i18n block; whitespace normalisation in a few unrelated Vue templates. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-17 08:25:38 +02:00
MHSanaei	7fbaf5fe2d	fix(clients): expose Attached inbounds in edit mode ... The multi-select was gated on add-only, so editing a client had no way to change which inbounds it belonged to. The picker now shows in both modes, and on submit the modal diffs the picked set against the original attachedIds — additions go through the /attach endpoint, removals through /detach, both after the field update lands so the new attachments get the latest values. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-17 07:52:24 +02:00
MHSanaei	bb5296aa0e	feat(clients): add Reset Traffic, QR Code, Info actions + Online/Remaining columns ... The Clients page table gains: - Online column — green/grey tag driven by /panel/api/inbounds/onlines, polled every 10s. - Remaining column — bytes-remaining tag, coloured green/orange/red against quota, purple infinity when unlimited. - Action icons per row: QR, Info, Reset traffic, Edit, Delete. ClientInfoModal shows the full client detail (uuid/password/auth, traffic ↑/↓ + remaining + all-time, expiry absolute + relative, attached inbounds chip list, online + last-online). ClientQrModal fetches links for the client's subId via /panel/api/inbounds/getSubLinks/:subId and renders each one through the existing QrPanel component. Reset Traffic confirms then calls the existing per-inbound endpoint on the client's first attached inbound (the traffic row is keyed on email globally, so any attached inbound resets the shared counter). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-17 07:49:12 +02:00
MHSanaei	62fd9f9d82	feat(inbounds): add Port-with-Fallback inbound type ... Adds a new "portfallback" protocol that emits as a VLESS-TLS inbound under the hood but is paired with a sidecar table of child inbounds. Panel auto-builds settings.fallbacks at Xray-config-gen time from the sidecar — each child's listen+port becomes the fallback dest, with SNI/ALPN/path/xver match criteria pulled from the row. No more typing loopback ports by hand or keeping settings.fallbacks in sync. Backend: new FallbackService (Get/SetChildren, BuildFallbacksJSON); two new routes (GET/POST /panel/api/inbounds/:id/fallbackChildren); xray.GetXrayConfig injects fallbacks for PortFallback inbounds; the inbound model emits protocol="vless" so Xray accepts the config. Frontend: PORTFALLBACK joins the protocol dropdown; selecting it shows the standard VLESS controls plus a Fallback Children table (inbound picker + per-row SNI/ALPN/path/xver). Children are loaded on edit and replaced atomically on save. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-17 07:44:01 +02:00
MHSanaei	2bcf287cf1	feat(clients): add top-level Clients tab and CRUD API ... Adds /panel/api/clients endpoints (list, get, add, update, del, attach, detach) backed by ClientService methods that orchestrate the per-inbound Add/Update/Del flows so a single client row is created once and attached to many inbounds in one operation. The frontend gains a dedicated Clients page (frontend/clients.html + src/pages/clients/) with an AntD table, multi-inbound attach modal, and full CRUD. Axios interceptor learns to honour Content-Type: application/json so the JSON endpoints work alongside the legacy form-encoded ones. The legacy per-inbound client modal stays untouched in this PR — both flows now write to the same source of truth. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-17 07:28:55 +02:00
MHSanaei	c251482f26	feat(clients): add shadow tables for first-class client promotion ... Introduces three new GORM-backed tables (clients, client_inbounds, inbound_fallback_children) and a populate-only seeder that backfills them from each inbound's existing settings.clients JSON. Duplicate emails across inbounds auto-merge under one client row, with each field conflict logged. Existing services are unchanged and continue reading from settings.clients — this commit is groundwork only.	2026-05-17 07:03:14 +02:00
MHSanaei	5a1019534f	refactor(inbounds): tighten advanced JSON helpers and fix dark-mode subtitles ... Collapsed repeated stream/sniffing/settings handling in InboundFormModal into shared helpers (stampAdvancedTextFor, parseAdvancedSliceWithLabel, compactAdvancedJson, withSaving) plus a wrapped-config factory for the single-key editors. Cuts ~120 lines from the script section with no behavior change. The advanced-panel subtitle and editor-meta text used a fixed dark color that was unreadable on the dark and ultra-dark modal backgrounds. Switched both to opacity-on-inherit so they pick up AntD's theme-aware foreground color, the same pattern .section-heading already uses.	2026-05-15 12:12:47 +02:00
MHSanaei	5cf8a08540	fix: disable balancer fallbackTag for random / roundRobin strategies ... Xray-core's RandomStrategy and RoundRobinStrategy register a pending dependency on the Observatory feature whenever fallbackTag is non-empty. Since the panel only provisions observatory for leastPing / leastLoad balancers, picking roundRobin with a fallbackTag caused xray to fail boot with "not all dependencies are resolved". Disable the fallback field for the two strategies that cannot resolve it, and strip fallbackTag from the wire balancer as a defensive backstop for users who edit the JSON template directly.	2026-05-15 11:24:50 +02:00
MHSanaei	79a9be7b22	fix: split locale chunks by removing eager i18n glob ... The eager `import.meta.glob` was statically pulling all 13 locale JSON files into the main bundle, defeating the sibling lazy glob and emitting INEFFECTIVE_DYNAMIC_IMPORT warnings. Statically import only the en-US fallback, lazy-load the rest, and await `readyI18n()` in each entry before mount so the first paint still uses the active locale.	2026-05-15 10:50:40 +02:00
Abdalrahman	19d50bd16c	fix: add i18n translations for Allow private address node option across all locales (#4386) ... * fix: add Chinese locale translations for Allow private address node option * fix: add Allow private address translations to all remaining locale files	2026-05-15 09:51:14 +02:00
MHSanaei	3af45c1462	fix: Add base-path meta tag for Cloudflare Rocket Loader compatibility ... When Cloudflare Rocket Loader is enabled, it interferes with inline scripts that set window.X_UI_BASE_PATH, causing the frontend to fail to configure the correct base URL for API calls. This results in 404 errors on the login page when calling /getTwoFactorEnable. Solution: Add meta name='base-path' tag to HTML (similar to csrf-token), update axios initialization to read from meta tag as fallback. Meta tags are not affected by CSP or Rocket Loader delays. Fixes #4393	2026-05-14 23:37:25 +02:00
MHSanaei	6badd829df	Remove streamSettings for protocols that don't support it ... - Frontend: Only include streamSettings in toJson() for vmess, vless, trojan, shadowsocks, and hysteria protocols - Frontend: Hide Stream tab in Advanced section for unsupported protocols - Frontend: Clear streamSettings in Advanced tab when switching to unsupported protocols - Frontend: Add CodeMirror JSON editor to config view in index page with mobile responsive design - Backend: Add normalizeStreamSettings() to clear streamSettings for tunnel, mixed, http, tun, and wireguard protocols - Backend: Apply normalization in AddInbound() and UpdateInbound() - Backend: Add omitempty JSON tag to StreamSettings field to exclude null values from Xray config	2026-05-14 23:18:23 +02:00
MHSanaei	b79abc8bc9	refactor: remove legacy advancedJson state	2026-05-14 20:32:38 +02:00
MHSanaei	05b68c3b13	fix: remove Auth password ... #4388	2026-05-14 19:28:09 +02:00
Abdalrahman	f3c7660f84	fix: correct Hysteria2 Obfs password label to Auth password (#4388) ... The Obfs password field in the Hysteria2 stream settings tab was incorrectly labeled. It binds to hysteriaSettings.auth (the server-wide authentication password), not to the salamander obfuscation password. Per Xray-core docs, Hysteria2 salamander obfuscation belongs in finalmask.udp[].salamander.password, which is correctly handled by the FinalMaskForm (UDP Masks section). Fixed the label to Auth password with an accurate tooltip explaining that salamander obfuscation is configured via the UDP Masks section below.	2026-05-14 18:53:04 +02:00
MHSanaei	9b0fd047cb	fix: guard certificate and key against undefined before join	2026-05-14 17:46:24 +02:00
MHSanaei	e4218a1029	feat: click QR to copy/save image instead of link text	2026-05-14 17:40:40 +02:00
MHSanaei	1284756f8a	fix(outbound): restore TLS, QUIC params and TCP masks when importing share links ... - fromHysteriaLink: parse security= URL param and populate stream.tls (SNI, fingerprint, ALPN, ECH) when security=tls; previously always forced security to 'none' - fromHysteriaLink: parse fm JSON param and populate both stream.finalmask.quicParams (drives the QUIC Params toggle in FinalMaskForm) and the mirrored stream.hysteria fields - fromParamLink (VLESS/Trojan/SS): parse fm JSON param and restore stream.finalmask (TCP masks, UDP masks, QUIC params) - fromVmessLink (VMess): same fm handling for the base64-JSON path Closes #4376	2026-05-14 13:27:55 +02:00
MHSanaei	ae6f13b533	fix: also hide QR code for ML-KEM-768 links (too long for QR generation)	2026-05-14 12:34:23 +02:00
MHSanaei	1cf2582e6d	fix: hide QR code for mldsa65 links (too long for QR generation)	2026-05-14 12:30:48 +02:00
Abdalrahman	eacb9f63b0	fix: protocol filter placeholder not showing on initial load (#4372)	2026-05-14 12:12:44 +02:00
MHSanaei	e7035b56fe	fix: sync advancedJson before tab switch in convertLink	2026-05-14 11:46:07 +02:00
MHSanaei	5dc02a9af3	v3.0.2	2026-05-14 10:27:33 +02:00
MHSanaei	2204c8231d	Adjust QR panel sizing and collapse JSON subscription by default	2026-05-14 10:23:27 +02:00
Abdalrahman	01a7dc807b	fix(sub): include xhttp mode in extra JSON for karing compatibility (#4365) ... - Add mode to buildXhttpExtra() so clients reading xtra param (karing, etc.) receive the xhttp mode alongside other bidirectional SplitHTTP fields. Previously mode was only a flat URL param and was silently dropped when xtra was present. - Add xhttp case to streamData() to strip acceptProxyProtocol and server-only fields (noSSEHeader, scMaxBufferedPosts, scStreamUpServerSecs, serverMaxHeaderBytes) from JSON sub configs. - Sync frontend buildXhttpExtra() with the same mode addition. Closes #4364	2026-05-14 10:02:45 +02:00
MHSanaei	21058eb63c	fix(routing): make rule drag-and-drop work on mobile cards ... The pointermove handler looked up the drop target via el.closest('tr[data-row-key]'). That selector only matches the desktop a-table rows; the mobile branch renders each rule as a <div class="rule-card" data-row-key>, so on phones the lookup always returned null, dropTargetIndex stayed pinned to the start index, and the eventual drop was a no-op. Loosened the selector to [data-row-key] so both DOM shapes resolve.	2026-05-14 02:04:05 +02:00
Black	194de8869e	feat(panel): add 'Edit' button to tables and enhance layout (#4355) ... - Move 'Edit' button from dropdown to the table since it's the most used action. Only for desktop. - Increase column widths for action keys in Inbounds, Balancers, Outbounds and Routing tables. - Slightly enhance layout for consistency.	2026-05-14 01:55:00 +02:00
MHSanaei	26accfd8f7	fix(qr): lock QR code modules to black-on-white across all themes ... AntD's <a-qrcode> defaults the module color to the active theme's text token. Under the dark and ultra-dark themes that text is a light gray, so the QR rendered low-contrast on the white canvas background and phones could not lock onto it. Pinned color="#000000" and bg-color="#ffffff" on every <a-qrcode> usage (share links in QrPanel, 2FA enrollment in TwoFactorModal, sub/json/clash codes on SubPage) so the contrast stays high regardless of panel theme.	2026-05-14 01:45:00 +02:00
MHSanaei	2551a673c3	fix(inbounds): refresh client rows live over websocket ... Two bugs combined to leave per-client traffic / remained / all-time columns stuck at stale numbers while only the inbound-level row and the online badge refreshed: 1. Backend (xray + node sync traffic jobs) only included the per-client array in the client_stats broadcast when activeEmails / touched was non-empty. Cycles with no client deltas — or any node sync that failed to fetch a snapshot — shipped only the inbound summary, so the frontend had nothing to merge for clients. Replaced both code paths with a single GetAllClientTraffics() snapshot per cycle; the broadcast now always carries the full client list. 2. Frontend mutated dbInbound.clientStats[i] in place. DBInbound is a plain class instance (not wrapped in reactive()), so Vue could not see the field-level changes and ClientRowTable's statsMap computed stayed cached forever. Added a statsVersion tick bumped on every merge and read inside statsMap so the computed re-evaluates and the template pulls fresh up/down/allTime/expiryTime each push. Removed the now-dead emailSet helper from node_traffic_sync_job and the activeEmails filter from xray_traffic_job.	2026-05-14 01:31:49 +02:00
MHSanaei	ce4c42e09c	feat(json): swap raw textareas for a CodeMirror 6 JsonEditor ... A new JsonEditor.vue component wraps CodeMirror 6 + lang-json with line numbers, JSON syntax highlighting, bracket matching, code folding, search (Ctrl+F), undo/redo, lint (red squiggle and gutter icon on invalid JSON), tab indent, and line wrapping. It is wired into the four raw-JSON spots that previously used <a-textarea class="json-editor">: the Xray Advanced Template tab, the Outbound JSON tab, the Balancer Observatory pane, and the Inbound Advanced tab (settings / streamSettings / sniffing). Chrome colors are driven by EditorView.theme so they win the specificity fight cleanly against CodeMirror's own injected styles. A single buildDarkTheme() factory yields a Dark+ palette (#1e1e1e background, #252526 active line, #2d2d30 panels) for the regular dark mode and a near-black variant (#0a0a0a / #141414 / #1f1f1f border) for ultra-dark — both pair with oneDarkHighlightStyle for the syntax colors. Light mode stays on basicSetup's default. CodeMirror lazy-loads as a ~17 kB gzipped chunk that only appears on the Xray/Inbounds bundles.	2026-05-14 00:02:59 +02:00
MHSanaei	18614bd6ea	feat(tabs): collapse settings and xray tab bars to evenly-spread icons ... On phones the five Settings tabs and six Xray tabs overflowed the viewport. Now the tab labels are stripped (v-if="!isMobile"), the nav-list stretches to full width via display:flex + width:100%, and each tab claims an equal share with flex:1 1 0 so the icons spread across the row instead of bunching. Icons bumped to 18px with a tooltip carrying the original label for discoverability.	2026-05-13 23:33:50 +02:00
MHSanaei	e564c9283d	feat(nodes): mobile card list, info modal, and tighter summary layout ... NodeList now branches on isMobile: a vertical card list mirrors the inbound mobile redesign — status dot + name + an Info icon that opens an a-modal with the full per-node stats (address, status, CPU/mem, xray version, uptime, latency, last heartbeat). The card head expands to surface NodeHistoryPanel inline (parity with the desktop expandable row), and the more-dropdown carries probe/edit/delete. NodesPage also gets two layout fixes: an 8px vertical gutter between the summary card and the node list on mobile (was 0), and a 2x2 grid for the four summary statistics on phones via :xs="12" plus a 16px inner vertical gutter, so Total/Online/Offline/Avg Latency no longer crowd each other.	2026-05-13 23:14:56 +02:00
MHSanaei	933567d423	feat(inbounds): collapse mobile cards to id/email + info button ... Mobile inbound cards now show only #id and remark; mobile client cards show only the status badge and email. The full stat grid (protocol, port, node, traffic, all-time, clients, expiry — and per-client remained/online/expiry) moves behind a new info icon that opens an a-modal, so the list stays scannable on small screens.	2026-05-13 23:03:19 +02:00
MHSanaei	771bc7c8ef	feat(inbounds): align tunnel, tun, and hysteria UI with Xray docs ... * tunnel: rename settings to Xray's current schema (address → rewriteAddress, port → rewritePort, network → allowedNetwork) in the model, form modal, info modal, and the bundled API inbound template; expose portMap so per-port forwarding can be configured from the panel. * tun: add the full TUN protocol form and read-only info blocks (name, mtu, gateway, dns, userLevel, autoSystemRoutingTable, autoOutboundsInterface) — previously the protocol was selectable but the form rendered blank. * hysteria: surface the stream-level version, obfs password, and udpIdleTimeout fields that the model already supported. Refs https://xtls.github.io/config/inbounds/tunnel.html Refs https://xtls.github.io/config/inbounds/tun.html Refs https://xtls.github.io/config/transports/hysteria.html	2026-05-13 22:44:08 +02:00
MHSanaei	adc262a238	fix(warp): set license against Cloudflare API and surface errors inline ... The license update was always failing because the Cloudflare response has no `success` field — the check rejected every successful PUT. On real errors (e.g. "Too many connected devices."), the toast leaked the raw URL + JSON body. Now the WARP API's error envelope is parsed into a clean message and shown inline next to the Update button.	2026-05-13 21:13:16 +02:00
Vladislav Kasperov	67b098dfd3	Add possibility to remove client email from sub (#4297)	2026-05-13 19:04:17 +02:00
MHSanaei	5543466fcc	fix(forms): validate JSON tabs before applying or saving ... InboundFormModal: switching out of the Advanced tab now parses the three JSON textareas and rebuilds the structured Inbound via Inbound.fromJson, so the Basic tab reflects what was pasted. Invalid JSON keeps the user on Advanced with a specific parse error. XrayPage: Save now parses xraySetting upfront and snaps the user back to the Advanced tab on invalid JSON instead of letting the backend reject a generic blob.	2026-05-13 19:01:12 +02:00
MHSanaei	b10a9f1de7	fix(inbounds): hide node UI when no enabled node exists ... The Deploy-to selector, node column, node stat row, and node filter all appeared whenever a node row existed in the DB. Local-only deployments with no nodes (or only disabled nodes) saw a dropdown that only had "Local Panel" and a filter that did nothing. useNodeList now exposes hasActive (any node with enable === true). Inbounds form and list gate node UI on hasActive instead of map size.	2026-05-13 17:42:40 +02:00
MHSanaei	6c6b40e063	fix(outbound): accept JSON-only configs and sync JSON to basic form on tab switch ... Pasting a JSON config and clicking OK failed with "Something went wrong" because validation read the empty form-side tag input instead of the JSON's tag. Switching from the JSON tab to Basic also discarded any JSON the user had pasted. - onOk now validates and submits from the JSON tab using the parsed JSON - Tab switch JSON→Basic deserializes the JSON back into the structured form - Invalid JSON keeps the user on the JSON tab with a clear parse error - Empty form-tag / duplicate-tag errors are now specific, not generic	2026-05-13 16:48:16 +02:00
MHSanaei	b97ff40ad6	feat(api-tokens): manage multiple named tokens; add tab/section anchor URLs ... Replace the single regenerable API token with a named-token list: - New ApiToken model + service with constant-time auth matching - Seeder migrates the legacy `apiToken` setting into a "default" row - Security tab gets create/enable/delete UI; api-docs page links to it - Dedicated "API Tokens" section in the in-panel docs URL anchors now reflect the active tab/section on Settings, Xray, and API Docs pages, so deep links like `/panel/settings#security` work. Translations for the 8 new SecurityTab strings added across all locales.	2026-05-13 16:34:31 +02:00
MHSanaei	46b6f8c66c	feat(routing): drag-reorder rules, split balancer column, mobile card layout ... - Grip-handle drag-and-drop on the # cell to reorder rules, built on Pointer Events so the same code works for mouse, touch, and pen (HTML5 drag doesn't fire from touch on iOS Safari). 5px threshold keeps quick taps from triggering a reorder; up/down arrow menu items stay as a keyboard/a11y fallback. Drop indicator is a 2px blue line on the target edge; dragged row fades to 40%. - Split the old combined target column into Outbounds and Balancer columns. Each row now has exactly one populated cell — green outbound tag or purple balancer tag. - Mobile drops the a-table (520px+ of column widths overflowed every phone) for a stacked card layout: # + grip + actions on top, an "Inbound → Outbound/Balancer" flow row in the middle, and criteria chips (domain, IP, port, src IP/port, L4, protocol, user, VLESS) below for whichever fields are actually set. Multi-value chips collapse to "first +N" with full value on hover.	2026-05-13 15:30:25 +02:00
Abdalrahman	102df7a290	style(api-docs): redesign TOC, section icons, endpoint rows, and code blocks with ultra-dark support (#4332) ... * style(api-docs): redesign TOC, section icons, endpoint rows, and code blocks with ultra-dark support * style(api-docs): rename visibleSections to visibleEndpoints, drop dead toc-stuck CSS - visibleSections counted endpoints, not sections — rename matches the displayed "X / Y endpoints" label. - .toc-nav.toc-stuck was never toggled by any code path. * docs(api): add missing POST /panel/api/inbounds/:id/resetTraffic entry This route was added in #4334/#4338 but endpoints.js wasn't updated, breaking TestAPIRoutesDocumented (91 routes in source, 90 documented). --------- Co-authored-by: Sanaei <ho3ein.sanaei@gmail.com>	2026-05-13 15:05:23 +02:00
Abdalrahman	f29c8a5e29	fix: single inbound traffic reset resets all inbounds (#4334) (#4338)	2026-05-13 14:49:54 +02:00
Abdalrahman	b47f794ed0	fix: reality random target/sni buttons not working (#4337) (#4340)	2026-05-13 14:42:20 +02:00