feat(mtproto): add MTProto (FakeTLS) protocol via managed mtg sidecar (#5076)

* feat(mtproto): add MTProto (FakeTLS) protocol via managed mtg sidecar

Xray-core has no mtproto proxy, so mtproto inbounds run as standalone
mtg (9seconds/mtg) sidecar processes managed by the panel — one per
inbound — and are excluded from the generated Xray config entirely.

- model: MTProto protocol constant, validator, and FakeTLS secret
  helpers (GenerateFakeTLSSecret/HealMtprotoSecret)
- mtproto package: per-inbound mtg process manager with reconcile,
  graceful stop, and best-effort Prometheus traffic scraping
- runtime: delegate mtproto inbounds to the mtg manager instead of the
  Xray gRPC API; skip mtproto when building the Xray config
- web: boot reconcile + StopAll wiring, periodic reconcile/traffic job,
  port-conflict transport, secret healing on inbound add/update
- sub: tg:// proxy share-link generation
- frontend: protocol option, Zod schema, Protocol tab (FakeTLS domain +
  regenerable secret), info-modal link, and i18n
- provisioning: fetch mtg v2.2.8 in install.sh, DockerInit.sh, and the
  Linux + Windows release workflows

* fix

* fix

* fix: address Copilot review comments on mtproto PR

- web/web.go: create NewMtprotoJob once and reuse for cron + initial run
- mtproto/manager.go: StopAll cleans up per-inbound config files on shutdown
- mtproto/manager.go: CollectTraffic releases mutex before HTTP scrapes to
  avoid blocking Ensure/Reconcile/Remove during network I/O
- database/model/model.go: panic on crypto/rand failure in mtprotoRandomMiddle
  instead of silently producing a weak all-zero secret
- install.sh: fix chmod to handle renamed bin/mtg-linux-arm on armv5/v6/v7

sub/subService.go

@@ -374,10 +374,38 @@ func (s *SubService) GetLink(inbound *model.Inbound, email string) string {
 		return s.genShadowsocksLink(inbound, email)
 	case "hysteria":
 		return s.genHysteriaLink(inbound, email)
+	case "mtproto":
+		return s.genMtprotoLink(inbound, email)
 	}
 	return ""
 }
 
+// genMtprotoLink builds a Telegram proxy deep link for an mtproto inbound:
+// tg://proxy?server=<addr>&port=<port>&secret=<ee FakeTLS secret>.
+func (s *SubService) genMtprotoLink(inbound *model.Inbound, email string) string {
+	if inbound.Protocol != model.MTProto {
+		return ""
+	}
+	settings := map[string]any{}
+	json.Unmarshal([]byte(inbound.Settings), &settings)
+	secret, _ := settings["secret"].(string)
+	if secret == "" {
+		if healed, ok := model.HealMtprotoSecret(inbound.Settings); ok {
+			_ = json.Unmarshal([]byte(healed), &settings)
+			secret, _ = settings["secret"].(string)
+		}
+	}
+	if secret == "" {
+		return ""
+	}
+	params := map[string]string{
+		"server": s.resolveInboundAddress(inbound),
+		"port":   fmt.Sprintf("%d", inbound.Port),
+		"secret": secret,
+	}
+	return buildLinkWithParams("tg://proxy", params, s.genRemark(inbound, email, ""))
+}
+
 // Protocol link generators are intentionally ordered as:
 // vmess -> vless -> trojan -> shadowsocks -> hysteria.
 func (s *SubService) genVmessLink(inbound *model.Inbound, email string) string {
@@ -743,9 +771,10 @@ func (s *SubService) loadNodes() {
 }
 
 // resolveInboundAddress picks the host an external client should connect to:
-//   1. node-managed inbound -> the node's address
-//   2. an explicit, client-reachable bind Listen -> that Listen
-//   3. otherwise the subscriber's request host (s.address)
+//  1. node-managed inbound -> the node's address
+//  2. an explicit, client-reachable bind Listen -> that Listen
+//  3. otherwise the subscriber's request host (s.address)
+//
 // A loopback/wildcard bind or a unix-domain-socket listen is a server-side
 // detail and is never advertised; External Proxy remains the way to advertise
 // an arbitrary endpoint. Mirrors the frontend's resolveAddr so the panel QR and