🚀 MTProto, WARP Rotation, Subscription Outbounds & a Typed API

• 🛡️ MTProto (FakeTLS) — new protocol served through a managed mtg sidecar, no external setup required.
• 🌐 WARP IP rotation — rotate WARP egress IPs manually or automatically on a schedule, with API requests routed through the panel proxy.
• 🔄 Subscription-based outbounds — import outbounds straight from a subscription URL, with automatic refresh.
• 🎨 Customizable subscription pages — bring-your-own templates for the subscription landing page.
• 📑 Typed API & OpenAPI — components, schemas, and response examples generated directly from the Go structs; /panel/setting and /panel/xray consolidated under /panel/api.
• 🕸️ Multi-hop nodes — correct traffic attribution across chained sub-nodes, synchronized access.log client IPs across nodes, and a distinct purple indicator when the panel is online but the Xray core has failed.
• 📊 Per-group traffic — used traffic now shown for each group in the groups table.

⚠️ Breaking: /panel/setting and /panel/xray moved under /panel/api. Update any integrations that call those paths.

🆕 New

• feat(mtproto): add MTProto (FakeTLS) protocol via managed mtg sidecar (#5076)
• feat: add manual and automatic WARP IP rotation (#5099) @rqzbeh
• feat: synchronize access.log client IPs across nodes (#5098) @rqzbeh
• feat: add support for subscription-based outbounds with auto-update (#5037) @rqzbeh
• feat: customizable subscription page templates (#5079) @rqzbeh
• feat(nodes): multi-hop node attribution for chained sub-nodes (#4983, #5005)
• feat(nodes): distinct purple indicator when panel is online but Xray core failed (#5040) @rqzbeh
• feat(groups): show used traffic per group in groups table
• feat(api-docs): generate OpenAPI components/schemas from Go structs
• feat(api-docs): generate response examples from Go structs; fix SS2022 PSK regen (#4996)
• feat(x-ui.sh): add migrateDB command for SQLite .db ⇄ .dump (#4910)

⚡ Update & improvement

• refactor(api)!: move /panel/setting and /panel/xray under /panel/api
• fix(subClashService): improve merging of clash rules in YAML (#5054) @shazzreab
• fix(update.sh): allow skipping ssl setup when updating (#5071)
• chore: bump frontend version and deps
• i18n(tr): improve Turkish translation consistency and terminology (#5066)
• docs(i18n): add Turkish translation for README (#5067)
• docs(i18n): refine Turkish translation and network terminology (#5092)
• i18n: translate sockopt / REALITY-target / Freedom strings for all locales (#4988)

🐞 Bug fixed

• fix: propagate inbound traffic reset to nodes (#5103) @rqzbeh
• fix: route WARP API requests through panel proxy (#5101) @rqzbeh
• fix(db): additional cross-DB and node-traffic edge cases (migration scan + node reset time) (#5045) @rqzbeh
• fix(postgres): make node traffic sync robust after public API inbound updates (#5038) @rqzbeh
• fix(node-sync): merge client enable with boolean AND for PostgreSQL
• fix(xray): sync routing rules when outbound tag is renamed (#5006) @nima1024m
• fix(panel): normalize XHTTP/sockopt/Reality wire output and validate REALITY target (#4988) @nima1024m
• fix(sub): emit VLESS encryption in Clash configs (#5053) @fs438187
• fix(sub): restore standard base64 for Shadowrocket sub link (#5001)
• fix(sub): don't project public inbounds through a fallback master
• fix(inbounds): drop unknown nodeId when importing an inbound
• fix(finalmask): validate fragment mask length so empty/zero-min can't crash xray
• fix(finalmask): treat sudoku customTables as array of tables
• fix(iplimit): skip stale access-log emails after client rename/delete
• fix(tgbot): apply bot settings on panel restart without full service restart
• fix(script): revoke also removes cert files and acme.sh tracking (#5009)
• fix: default hysteria tls to no utls fingerprint
• fix: correct arm architecture xray binary file name (#5060)
• fix(api-docs): target the panel base path in OpenAPI servers
• fix(ui): correct inline style syntax in client counts column on inbounds page (#5097)
• fix(ui): remove pointer cursor from non-interactive elements in cards (#5102)
• fix(inbound-form): wrap long labels and shorten RU pinned-cert label
• fix(mtproto): reap orphaned mtg, fix SysLog viewer, mtg log visibility, export remark

Reports

Full Changelog: v3.2.8...v3.3.0

🚀 Multi-Node Resilience, ECH & Scale

• 🌐 Multi-node resilience — client/inbound edits survive an offline node, remote updates are scoped to a single inbound, and stale node snapshots no longer re-enable disabled clients or miscount traffic.
• 🔐 End-to-end ECH — now carried in TLS share links, JSON subscriptions, outbound import, and per-entry external proxy.
• 🧩 Modern Xray JSON subscriptions — new format with a unified finalmask editor.
• 🧭 Clash routing — routing rules and an enable-routing option for Clash subscriptions.
• 💾 DB migration — SQLite ⇄ .dump conversion and Download Migration from the Overview page.

⚡ Performance — scales to ~200k clients

Benchmarked on PostgreSQL 16 (gains are largest on Postgres, where every round-trip pays network latency):

🆕 New

• feat(sub): modern xray JSON format with unified finalmask editor (#4912) @biohazardous-man
• feat(Clash): add routing rules and enable-routing option for Clash subscriptions (#4904) @Misfit-s
• feat(migrate-db): SQLite ⇄ .dump conversion and Download Migration in Overview

⚡ Update & improvement

• perf(clients): make SyncInbound bulk to fix large-inbound timeouts (#4885)
• perf(clients): scale add/delete and bulk client operations
• perf(clients): chunk IN queries and de-quadratic bulk delete/group/list
• perf(clients): scale-audit remaining client/inbound endpoints to 200k
• chore(deps): bump i18next from 26.3.0 to 26.3.1 in /frontend (#4901)
• i18n: add 1-year expiration to language cookie (#4890) @lim-kim930
• docs(contributing): refresh frontend guide and add Postgres launch profile

🐞 Bug fixed

• fix(node): keep client/inbound edits working when a node is offline (#4923, #4931)
• fix(multi-node): scope remote client update/delete to one inbound (#4892)
• fix(node-traffic): prevent stale node snapshot from re-enabling disabled client (#4917) @younesvatan78
• fix: restart remote xray after disabling a client to kill active sessions (#4918) @younesvatan78
• fix(traffic): count local traffic for clients whose shared row is node-owned (#4921)
• fix(sub): include ECH config in TLS share links and JSON subscription
• fix(outbound): import ech and pcs from TLS share links
• fix(external-proxy): relabel "Host" as "Address", add per-entry ECH (#4935)
• fix(ssl): clean ECC state, guard cert reuse, register renew hook (#4875)
• fix(fail2ban): exempt SSH and panel ports from IP-limit ban (#4896)
• fix(migrate-db): drop legacy client_traffics FK before Postgres copy (#4882)
• fix(tgbot): ignore commands for other bots (#4894) @kanghouchao

Reports

Full Changelog: v3.2.7...v3.2.8

New

• feat(dashboard): richer System History & Xray Metrics charts
• feat(dashboard): more System History metrics, persistence & localized labels
• feat(xray): merge basic routing into the routing rules section
• feat(xray): add connIdle and bufferSize policy controls
• feat(settings): sidebar submenu nav for settings and xray with icon tabs
• feat(settings): move the remark model control to the subscription tab
• feat(inbounds): per-proxy Pinned Peer Cert SHA-256 + labeled External Proxy form
• feat(tls): add ocspStapling to certificate config
• feat(links): richer share-link labels across QR, client info and sub views
• feat(hysteria2): emit UDP port hopping in subscriptions and share links (#4789)
• feat(clients): show filtered count in clients list (#4808)
• feat(clients,routing): label inbounds by remark with tag fallback

Update & improvement

• chore(deps): bump xray-core to v1.260327.1 and add pion/wireguard deps
• chore(frontend): bump deps to 0.2.7 and hide node row selection for single node
• i18n: translate connection-limit strings for all languages
• fix(sidebar): set fixed sider width to 220
• fix(ci): bump Go to 1.26.4 and exempt /panel/groups SPA route from api-docs test
• ci(issue-bot): ground the assistant in repo source with an investigation step

Bug fixed

• fix(api-token): hash tokens at rest and show plaintext only once
• fix(online): scope per-inbound online to inbounds that carried traffic (#4859)
• fix(nodes): Set Cert from Panel uses the node's own web cert for node inbounds (#4854)
• fix(panel): register /groups SPA route so hard refresh returns index.html (#4837)
• fix(clients): keep reverse tag clearable and preserve flow on attach (#4834)
• fix(settings): fall back to defaults for empty/NULL setting values (#4830)
• fix(links): use configured domain for panel copy/QR links on loopback (#4829)
• fix(docker): make x-ui CLI menu work inside containers (#4817)
• fix(hysteria2): emit pinSHA256 as hex in subscriptions, not base64 (#4818)
• fix(online): scope online status per node instead of a global union (#4809)
• fix(iplimit): populate client IP log without an IP limit (#4800)
• fix(sub): advertise routable inbound Listen in subscription links (#4798)
• fix(outbounds): preserve SNI/TLS settings on transport change (#4791)
• fix(clients): derive edit-form flow from per-inbound override (#4792)
• fix(tls): correct pinned cert SHA-256 hint to hex, not base64 (#4793)
• fix(node): fix "invalid input" on save and gate save on connectivity (#4794)
• fix(xray): default freedom finalRules to allow-all so reverse egress works
• fix(migrate): relax legacy freedom finalRules so reverse egress works on existing installs (#4782)
• fix(panel-proxy): route custom geo and http(s) Telegram through panelProxy
• fix(migrate-db): preserve false-valued columns in SQLite to Postgres copy
• fix(clients): use client_inbounds link to resolve inbound, not stale id
• fix(settings): allow pagination size of 0 to disable pagination
• fix(sub): escape Clash subscription profile filename header (#4799) @xiaoxiyao

Reports

Full Changelog: v3.2.6...v3.2.7

New

• feat(outbounds): pick dialerProxy from other outbound tags for proxy chaining
• feat(nodes): add per-node TLS verification mode for self-signed certs (#4757)
• feat(inbounds): support Unix domain socket path in Listen field (#4429)
• feat(x-ui.sh): support Cloudflare API Token for DNS SSL (menu 20) (#4595)
• feat(x-ui.sh): add PostgreSQL management menu

Update & improvement

• perf(clients): batch bulk attach/detach to cut per-item DB work
• docs(readme): revamp README and sync all translations
• chore(generated): sync node types/zod with TLS verification fields (#4757)
• chore(ui): remove cards jump on hover (#4755) @fgsfds
• Replace static label with translation for downlink stats (#4762) @ckun52880
• Remove .svg extension from shields URLs in READMEs

Bug fixed

• fix(migrate): copy composite-key tables without FindInBatches (#4787)
• fix(node): suppress unavoidable InsecureSkipVerify alert for cert pinning
• fix(node): capture node cert via VerifyConnection for fingerprint fetch
• fix(clients): keep Add Client modal in viewport with internal scroll
• fix(xray): clear dirty state after saving unchanged config
• fix(job): skip fail2ban IP limit when disabled (#4581) @Mayurifag
• fix(fallbacks): allow free-form dest entries for external servers (#4748)
• fix(raw): complete the HTTP header section for inbound and outbound
• fix(x-ui.sh): preserve 2FA on credential reset (#4758)
• fix(inbounds): allow port 0 for UDS inbounds (#4783)
• fix(warp): persist client_id so WARP outbound gets reserved bytes (#4781)
• fix(nodes): sum client traffic across nodes instead of overwriting
• fix(hysteria): use pinSHA256 for pinned cert and emit ech in share links
• fix(sub): source Userinfo total/expiry from client config in multi-node (#4645)
• fix(db): make password-hash migration idempotent to prevent lock-out (#4612)
• fix(outbound): add None option to uTLS fingerprint in TLS form (#4760)
• fix(outbound): carry ALPN, fingerprint and UDP mask when importing a Hysteria2 link (#4760)
• fix(sockopt): rename interfaceName to interface so xray honors it
• fix(sub): ensure unique Clash proxy names (#4641)
• fix(settings): enforce trafficDiff max of 100 in UI (#4769)
• fix(outbound): fill encryption and pqv when importing VLESS link
• fix(docker): grant NET_ADMIN/NET_RAW so fail2ban IP-limit bans apply
• Fix IP limit enforcement and clarify related comments (#4699) @aloky
• fix(sub): Add Clash subscription profile filename header (#4743) @xiaoxiyao

Reports

Full Changelog: v3.2.5...v3.2.6

New

• feat(postgres): in-panel backup/restore and consistent CLI backend
• feat(nodes): bulk panel self-update with live online indicator
• feat(inbounds): multi-select and bulk delete
• feat(inbounds): attach existing clients to an inbound in one click
• feat(clients): live online dot + last-online tooltip on offline
• feat(clients): enforce unique subId per client like email
• feat(clients/inbounds): IP log popups, clearer titles, tag-based inbound labels
• feat(finalmask): sync transport with upstream Xray core changes
• feat(outbound): sync DNS outbound config with Xray core changes
• feat(sub): add HEAD method support for subscription endpoints (#4684) @spokyle
• feat(inbounds): clearer client validation errors on save

Update & improvement

• refactor(frontend): reorganize source tree & break down oversized modals/tabs (#4698)
• chore: bump bundled Xray-core to v26.6.1
• refactor(inbounds): remove column sorter from inbound list
• i18n(nodes): translate basePath and apiToken labels
• Update Go module dependency versions

Bug fixed

• fix(outbounds): preserve TLS/Reality security on save
• fix(outbounds): lock hysteria to its QUIC transport + TLS, add version/masquerade
• fix(outbounds): prevent freedom save crash, complete its fields (#4686)
• fix(outbounds): parse wireguard:// links and fix ss:// query-string port
• fix(outbounds): support proxyProtocol on freedom outbound
• fix(xray): test UDP outbounds via xray probe + Vision testseed & Flow form fixes (#4657)
• fix(inbounds): preserve client data on delete and show traffic in detail
• fix(inbounds): auto-increment WireGuard peer IP
• fix(model): accept tun protocol in inbound validation
• fix(clients): store flow per-inbound for shared clients
• fix(clients): preserve UUID when toggling enable from clients page
• fix(clients): persist group for node-inbound clients
• fix: reject spaces, slashes and control chars in client email, subId and URI path
• fix(ssl): prompt before setting IP cert path for panel
• fix(qr): hide QR for post-quantum links on client QR page
• fix(sub): keep listen/bind IP out of subscription links and pages
• fix(ui): exit infinite spinner with a retry card on failed initial load
• fix(postgres): resync id sequences so adding clients no longer collides
• fix(postgres): stop FK constraint from blocking inbound delete
• fix(postgres): record client traffic when inbound_id is stale

Reports

Full Changelog: v3.2.0...v3.2.5

New

• feat(frontend): TanStack Query + React Router migration & in-panel API docs (#4541)
• Migrate frontend models/api/utils to TypeScript and modernize AntD theming (#4563)
• feat: complete Zod migration of frontend + bulk client batching (#4599)
• feat(inbound): Advanced XHTTP and external TLS proxy settings (#4491) @beehunt9r
• feat(clients,groups): client groups + sub-links export + dedicated groups page
• feat(clients): advanced filter drawer with multi-select state/protocol/inbound + expiry/usage ranges + auto-renew/tg/comment
• feat(clients): selective bulk attach + new bulk detach
• feat(inbounds): bulk-attach & assign-group client actions + form defaults
• feat(inbounds): row action to delete all clients of an inbound
• feat(clients,inbound): Auto Renew in Bulk Add + cleaner inbound wire payload
• feat(settings): panel network proxy for the panel's own outbound requests
• feat(tls): surface pinnedPeerCertSha256 in panel, share links, and subs
• Random PostgreSQL role + post-install credentials display (#4608)
• feat(inbound-form): salamander auto-seed for Hysteria + modernize random buttons
• feat(inbounds): expose Vision testseed field with sensible default
• feat(inbounds): restore "Set Cert from Panel" / Clear buttons in TLS certs
• feat(settings): include email in default remarkModel pattern
• feat(clients): tidier bulk action toolbar + toolbar sort selector
• feat(clients): restore Auto Renew field in client form
• feat(fallbacks): add per-rule dest override

Update & improvement

• refactor(clients): coherent group management — rename, split, extract
• refactor(inbounds): cleaner network tags and cover Mixed/Tunnel + client form select polish
• refactor(inbound-tag): node-prefixed + transport-suffixed canonical shape
• refactor(outbound): probe via xray burstObservatory instead of SOCKS round-trip
• Client/inbound resilience + Postgres pool tuning + schema fixes (#4607)
• feat(port-conflict): include offending inbound + L4 in the error, cover quic and tunnel.allowedNetwork
• i18n(panel): migrate hardcoded panel strings to en-US and translate all locales
• refactor(forms): modernize random buttons in client + outbound modals
• refactor(metrics-modal): mark min/max on chart + improve grid contrast
• change tg message when send qrCode (#4623) @sb15551

Bug fixed

• Fix REALITY share links missing SNI (#4621) @pooyaww
• fix(groups): fetch full client list for Add/Remove/SubLinks modals
• fix(clients): backfill missing subId on startup and guard create/update
• fix(inbounds): heal legacy client data and TLS cert form hydration
• fix(links): include TCP HTTP host header in share links
• fix(clients): avoid duplicate ClientRecord when email is changed on edit
• fix(sub): preserve userinfo encoding in trojan/shadowsocks/hysteria links
• fix(remote-traffic): handle tag collisions + readable warning format
• fix: address open bug reports (#4539, #4538, #4535, #4531, #4515) (#4545)
• fix(ui): polish across routing, groups, inbounds, mobile sidebar
• fix(sub): stop external-proxy dest from clobbering TLS SNI
• fix(inbounds): restore xHTTP Headers editor in form

Reports

Full Changelog: v3.1.0...v3.2.0

New

• Frontend rewrite: React + TypeScript with AntD v6 (#4498)
• Feat/multi inbound clients (#4469)
• feat(bash): prompt for PostgreSQL
• Bulk extend client expiry / traffic + clients page polish (#4499)
• Add SockOpt.Mark and SockOpt.Interface parameters for Outbound stream (#4480) @githacs2022
• Make HSTS policy configurable if https is enabled (#4462) @kayukin
• feat(panel): copy connection strings for mixed inbound (#4450) @BlackRockSoul
• feat(tgbot): add Flow picker when creating a VLESS client
• feat: click QR to copy/save image instead of link text
• feat(clients): add inbound filter + mobile page-size control

Update & improvement

• perf(frontend): lazy-load modals + split heavy vendor chunks (#4501)
• Reduce list-page payloads with slim/paged endpoints (#4500)
• i18n: translate hardcoded inbound action + security warning strings (#4502)
• fix(translation): correct typos and improve phrasing in English localization (#4430) @g3ntrix
• fix: add i18n translations for Allow private address node option across all locales (#4386) @abdalrahmanx9
• docs(readme): add Community Tools section (#4114) @batonogov
• refactor(inbounds): tighten advanced JSON helpers and fix dark-mode subtitles
• refactor: remove legacy advancedJson state
• Bump frontend deps: vue and vite

Bug fixed

• fix(frontend): override browser default background color on autofilled login inputs (#4478) @eric15342335
• ix(clients): drop tombstone gate that blocked re-import after delete
• fix(frontend): resolve lazy chunk URLs against runtime base path
• fix: parse XHTTP extra fields from V2Ray links and v2rayN JSON imports (#4426) @abdalrahmanx9
• fix: prevent online clients from randomly disappearing from panel UI (#4387) @abdalrahmanx9
• fix: correct Hysteria2 Obfs password label to Auth password (#4388) @abdalrahmanx9
• fix: protocol filter placeholder not showing on initial load (#4372) @abdalrahmanx9
• fix(xray): resolve relative log paths under panel log folder
• fix(frontend): stack form fields on mobile in client/inbound/node modals
• fix(sub): use standard sub://BASE64#REMARK scheme for Shadowrocket
• fix(clients): honor global pageSize and widen size-changer dropdown
• fix(migrate): include hysteria, hysteria2, shadowsocks in client sync
• fix(clients): seed all clients when settings.clients has string tgId
• fix(xray): allow private-IP destinations via freedom finalRules
• fix(security): redact at source and cap marshal sizes for CodeQL
• fix(client): guard against int overflow in ClientWithAttachments marshal
• fix(db): redact credentials in client-merge conflict logs
• fix(websocket): order register/unregister via single ops channel
• fix(inbounds): don't delete remote inbound when toggling enable
• fix(outbound): probe UDP-based outbounds over UDP instead of TCP
• fix: disable balancer fallbackTag for random / roundRobin strategies
• fix: split locale chunks by removing eager i18n glob
• fix: Add base-path meta tag for Cloudflare Rocket Loader compatibility
• Remove streamSettings for protocols that don't support it
• fix: remove Auth password
• fix: guard certificate and key against undefined before join
• fix(outbound): restore TLS, QUIC params and TCP masks when importing share links
• fix: preserve TLS cert file paths when deploying inbound to remote node
• fix: also hide QR code for ML-KEM-768 links (too long for QR generation)
• fix(clients): match by email when client identifier is stale
• fix: hide QR code for mldsa65 links (too long for QR generation)

Reports

Full Changelog: v3.0.2...v3.1.0

New

• feat: add API token to install output (#4322) @abdalrahmanx9
• feat(panel): add Edit button to tables and enhance layout (#4355) @BlackRockSoul
• feat(json): swap raw textareas for a CodeMirror 6 JsonEditor
• feat(tabs): collapse settings and xray tab bars to evenly-spread icons
• feat(nodes): mobile card list, info modal, and tighter summary layout
• feat(inbounds): collapse mobile cards to id/email + info button
• feat(inbounds): align tunnel, tun, and hysteria UI with Xray docs
• feat(api-tokens): manage multiple named tokens; add tab/section anchor URLs
• feat(routing): drag-reorder rules, split balancer column, mobile card layout
• feat(ui): use the host as the browser tab title prefix
• feat(api-docs): enhance in-panel API documentation (#4312) @abdalrahmanx9
• feat(nodes): blur address column with eye-toggle, mirroring IndexPage IP card
• feat(inbounds): restore copy-clients-between-inbounds modal
• Feat: clarify VLESS encryption auth selection (#4271) @farhadh
• feat: sortable inbounds table columns (#4300) @abdalrahmanx9
• feat(panel): xray metrics dashboard with observatory probe history

Update & improvement

• style(api-docs): redesign TOC, section icons, endpoint rows, and code blocks with ultra-dark support (#4332) @abdalrahmanx9
• add: log rotate to 3xui.log file to avoid disk space consumption (#4277) @samssh
• Security hardening: sessions, SSRF, CSP nonce, CSRF logout, trusted proxies (#4275) @farhadh
• ci(codeql): run on push to main
• ci: gate workflows on relevant source paths
• Bump Go module dependency versions

Bug fixed

• fix(sub): include xhttp mode in extra JSON for karing compatibility (#4365) @abdalrahmanx9
• fix(docker): update port mapping for 3xui service in docker-compose (#4362) @farhadh
• fix(routing): make rule drag-and-drop work on mobile cards
• fix(qr): lock QR code modules to black-on-white across all themes
• Adjust QR panel sizing and collapse JSON subscription by default
• fix(inbounds): refresh client rows live over websocket
• fix(iplog): parse xray access-log timestamps in local time
• fix(warp): set license against Cloudflare API and surface errors inline
• fix(forms): validate JSON tabs before applying or saving
• fix(inbounds): hide node UI when no enabled node exists
• fix(outbound): accept JSON-only configs and sync JSON to basic form on tab switch
• fix: single inbound traffic reset resets all inbounds (#4334, #4338) @abdalrahmanx9
• fix: strip main-panel TLS cert file paths when sending inbound to remote node (#4339) @abdalrahmanx9
• fix: reality random target/sni buttons not working (#4337, #4340) @abdalrahmanx9
• fix(auth): invalidate sessions when 2FA is enabled, fix dev 401 loop
• fix(inbound): require email when adding or updating a client
• fix(security): SSRF-guard node and remote HTTP clients
• fix(api-docs): resolve no-useless-escape lint errors
• fix(fail2ban): escape percent signs in 3x-ipl datepattern (#4328) @usk2223
• fix(graphs): increase y-axis paddingLeft from 32 to 56 to prevent clipped labels (#4309) @abdalrahmanx9
• fix: delete button missing after searching for a user (#4315) @abdalrahmanx9
• fix(hysteria2): restore missing masquerade config in inbound form (#4316) @abdalrahmanx9
• fix: auto-renew must re-enable client in inbound settings JSON (#4317) @abdalrahmanx9
• fix: show UDP tag for Hysteria and fix client count spacing (#4318) @abdalrahmanx9
• fix: preserve space between date and time in log modal (#4326) @abdalrahmanx9
• fix(api-docs): copy API token button
• Fix: traffic writer restart freeze (#4265) @farhadh
• fix(node): normalize base path during probe so missing trailing slash doesn't break status checks
• Add possibility to remove client email from sub (#4297) @Kasp42
• fix: sync advancedJson before tab switch in convertLink
• fix: ignore duplicate column errors during AutoMigrate on upgraded DBs

Reports

Full Changelog: v3.0.1...v3.0.2

New

• feat(frontend): refresh dark theme + redesign login page
• feat(inbounds): add sub/client link endpoints; hide panel version on login
• feat(panel): in-panel API documentation page
• feat(sidebar): pin Logout above trigger, inline 3-state theme cycle
• feat(inbounds): bulk-select clients + UX polish
• feat(xray/outbounds): TCP probe mode + Test All + timing breakdown
• feat(xray/nord): searchable server list + colored load tag, surface API errors
• feat(xray/balancer): restore observatory editor + auto-sync selectors
• feat(install): add skip-SSL option for reverse-proxy / SSH-tunnel setups
• feat(frontend): swap QRious for ant-design-vue's a-qrcode

Update & improvement

• refactor(panel): rename injected globals + collapse QR modal entries
• add loopback and dns servers tag to inbound lists in RuleFormModal @samssh
• chore: fix remarks shadowrocket subscription @harryngne

Bug fixed

• fix(xray): implement graceful shutdown for xray process and add tests @farhadh
• fix(inbounds): scope port check to node and preserve caller tag
• fix(theme): default to dark, polish theme cycle visibility and hover
• fix(inbounds): bulk-delete keeps last client to satisfy backend constraint
• fix(inbounds): paginate expanded client list, restore ID column, hide empty Remark
• fix(alpine): restart_xray uses rc-service; OpenRC reload reads pidfile contents
• fix(outbound): default VLESS encryption to "none"
• fix: backup path with webbasepath @GRCR13
• fix(fail2ban): escape % in 3x-ipl action date format
• fix(traffic-writer): replace sync.Once with Start/Stop cycle so SIGHUP restart works

Reports

Full Changelog: v3.0.0...v3.0.1

New

• feat: Vue 3 migration — full frontend rewrite (#4198)
  • Stack: Vue 2 + Ant Design Vue 1 + Go HTML templates → Vue 3 + Ant Design Vue 4 + Vite 8 (multi-page bundles embedded into the Go binary via web/dist/)
  • Single-File Components with <script setup> and composables replacing global Vue.component() registrations and Vue 2 mixins
  • WebSocket-driven live updates across the panel (dashboard, inbounds, nodes) replace the legacy polling loop
  • Translation files migrated from TOML to JSON; vue-i18n 11 with per-locale code-split bundles for all 13 locales
  • Pages ported end-to-end: login, dashboard (with live status / xray / cpu-history / logs / backup / panel-update / custom-geo modals), settings (General / Security + 2FA / Telegram / Subscription), inbounds (list, search/filter, add/edit/delete/clone/reset, client modal + bulk-add, info + QR, expand-row), xray (Basics / Routing / Outbounds / Balancers / DNS / WARP / NordVPN), nodes
  • Inbound forms switched from raw JSON textareas to structured per-protocol/per-transport editors (an "Advanced" tab still exposes raw JSON for unsupported transports)
  • Multi-node deployment landed alongside the migration: new runtime/{local,manager,remote} layer, node_heartbeat_job + node_traffic_sync_job, central panel can deploy inbounds to remote node panels
  • Frontend bundle is split by route (login / xray / inbounds / settings / nodes) for faster initial load (LCP) on the dashboard
• feat(nodes): multi-node deployment with traffic-writer queue, full-mirror sync, and WebSocket event fixes
• feat(security): CSRF protection and security hardening across the application @farhadh
• feat(xray): add loopback outbound protocol
• feat(inbounds): mobile card layout for inbounds and clients
• feat(logs): mobile-friendly log modals with theme-aware colors
• feat(custom-geo): refresh index UI
• feat(xray/dns): expanded DNS settings with hosts editor, presets gallery, and Delete-All

Update & improvement

• refactor(websocket): split controller into service + thin controller
• refactor(fallbacks): share template, tighter UX, cleaner JSON
• refactor(xhttp): split fields by direction, expand outbound coverage
• refactor(vless): drop selectedAuth, expose two explicit auth buttons
• refactor(inbounds): reorder Inbound's Data tabs (client first, sub inline)
• perf(xray): bound Xray-version request and extend cache
• i18n: localize sidebar theme toggle, xray-status badge, and nodes menu
• avoid reset in QueryStatsRequest @samssh
• exclude virtual interfaces from network stats
• outbound: reverse Sniffing
• inbound: check transport in port conflict, allow tcp and udp on same port @pwnnex
• Reality: remove tesla.com because of blocking
• skip Xray 26.5.3 and bump version cutoff
• fix(scripts): harden server-IP detection with multi-provider + manual fallback
• Bump Go to 1.26.3
• Axios v1.16.0
• build frontend for CodeQL; remove release analyze job

Bug fixed

• fix(panel): make webBasePath work end-to-end in dev and prod
• fix(panel): silence update-check WARN spam when offline
• fix(panel-update): poll for restart, fix dark-mode version label
• fix(websocket): guard stale events and disconnect race in JS client
• fix(nodes): bind form-encoded posts and skip node inbounds in central xray
• fix(xray): align DNS outbound to spec and repair item-list rules UI
• fix(xray): clear outbound test state on delete to prevent result bleed @iAliF
• fix(xray): surface reverse tags in routing and balancer dropdowns
• fix(xray): silently ignored error when saving outbound test URL setting @hobostay
• fix(inbounds): remove stale reverse outbound tags after client deletion
• fix(tun): use single mtu number per Xray spec
• fix(vless): scope testseed to xtls-rprx-vision flow
• fix(warp): harden API client and frontend, bump to v0a4005
• fix(fail2ban): banning regression and Docker zero-jail issue
• fix(security): overly permissive file permissions (os.ModePerm) @hobostay
• fix(security): silently ignored errors in password migration seeder @hobostay
• fix(docker): include web/translation in frontend and final stages
• fix(x-ui.sh): pass silent flag to stop/start during IP SSL setup
• fix(arch): correct x-ui service path @odrawq
• fix(ui): mobile dashboard layout
• fix(ui): correct responsive breakpoints for inbound form and settings
• fix(ui): correct responsive breakpoints for add client form and bulk
• fix(ui): mobile filter view
• fix(outbound): mobile style
• fix: swap left/right classes for client table cells
• chore: fix shadowrocketUrl client @harryngne
• revert: Xray Core v26.5.3 (buggy — vless reverse broken)

Reports

Full Changelog: v2.9.4...v3.0.0