OutboundFormModal:
- Sockopt section gains 5 common-but-rarely-tweaked knobs:
acceptProxyProtocol, tproxy (off/redirect/tproxy), tcpcongestion
(bbr/cubic/reno), V6Only, tcpUserTimeout. The remaining sockopt
fields (tcpKeepAliveIdle, tcpMaxSeg, tcpWindowClamp,
trustedXForwardedFor) are still edit-via-JSON; they are deeply
tunable and not commonly touched.
InboundFormModal:
- TCP HTTP camouflage gains host + path inputs symmetric to the
outbound side. Switch ON seeds request with sensible defaults
(version 1.1, method GET, path ['/'], empty headers). The two
inputs use the same normalize/getValueProps comma-string ↔
string[] dance the outbound side uses, so the wire shape stays
identical to what xray-core expects.
Three small wins from the post-atomic-swap deferred list:
- VLESS Vision testpre + testseed: shown only when flow ===
'xtls-rprx-vision' (mirrors the legacy canEnableVisionSeed gate).
testseed binds to a Select mode='tags' with a normalize() that
coerces strings to positive integers and drops invalid entries.
- TCP HTTP camouflage host + path: when the TCP HTTP camouflage
Switch is on, surface two inputs that read/write directly into
streamSettings.tcpSettings.header.request.headers.Host and .path.
Both fields are string[] on the wire; normalize + getValueProps
translate to/from comma-joined strings in the UI (one entry per
host or path the user wants camouflaged).
- Wireguard pubKey auto-derive: Form.useWatch on settings.secretKey
+ useEffect that runs Wireguard.generateKeypair(secret).publicKey
on every change and writes the result into the disabled pubKey
display field. Matches the legacy modal's per-keystroke derive.
Step 7 of the Zod migration: lock the migration's gains in place via
lint + CI enforcement.
- eslint.config.js: `@typescript-eslint/no-explicit-any` set to error.
Verified locally — zero violations in src/, with the only file-level
disables being src/models/inbound.ts and src/models/outbound.ts
(kept for DBInbound's toInbound() consumer; their migration is out
of spec scope).
- .github/workflows/ci.yml: add Typecheck and Test steps to the
frontend job, between Lint and Build. PRs now have to pass
tsc --noEmit and the full vitest suite (285 tests + 172 snapshots)
before build runs.
Migration scoreboard (vs the spec):
Step 1 primitives + barrels done
Step 2 protocol leaf + DUs done
Step 3 pure-fn extraction done
Step 4 form modals -> Pattern A done (Inbound + Outbound)
Step 5 delete models/ files DEFERRED (DBInbound still uses
Inbound; spec marks DBInbound
migration out of scope)
Step 6 tighten .loose() / unknown DEFERRED (invasive, separate PR)
Step 7 lint + CI enforcement done (this commit)
Production code paths now have no direct dependency on the legacy
Inbound or Outbound classes.
With the inbound/outbound modal rewrites complete, the cross-check
against the legacy Inbound class has served its purpose. The new
pure-function / Zod-schema paths are the source of truth for production
code; the parity assertions were the migration safety net.
Convert the three parity test files to snapshot-based regression tests:
- headers.test.ts: toHeaders + toV2Headers run against snapshots
captured at the close of the migration (when both new and legacy
were verified byte-equal).
- protocol-capabilities.test.ts: 140 cases (10 fixtures × 14 stream
shapes) snapshot the predicate-result tuple. Was: parity vs legacy
Inbound.canEnableX() class methods.
- inbound-link.test.ts: per-protocol genXxxLink + genInboundLinks
orchestrator output is snapshotted. Was: byte-equality vs legacy
Inbound.genXxxLink() methods.
Also delete shadow.test.ts — its purpose was a dual-parse drift
detector (Inbound.Settings.fromJson vs InboundSettingsSchema.parse).
inbound-full.test.ts already snapshots the Zod parse output, which
covers the same ground without the legacy dependency.
models/inbound.ts and models/outbound.ts stay in the tree for now —
DBInbound still consumes Inbound via its toInbound() method, and
DBInbound migration is out of scope per the migration spec
('Do NOT migrate Status, DBInbound, or AllSetting...'). No
production page imports from @/models/inbound or @/models/outbound
directly anymore.
- Sockopts: Switch toggles streamSettings.sockopt between undefined and
a populated default object (17 fields with sane bbr/UseIP defaults).
Only the 8 most-used fields are rendered (dialer proxy, domain
strategy, keep alive interval, TFO, MPTCP, penetrate, mark, interface).
The remaining sockopt knobs (acceptProxyProtocol, tcpUserTimeout,
tcpcongestion, tcpKeepAliveIdle, tcpMaxSeg, tcpWindowClamp, V6Only,
trustedXForwardedFor, tproxy) are still in the wire payload — edit
them via the JSON tab.
- Mux: gated by isMuxAllowed(protocol, flow, network) — VMess/VLESS/
Trojan/SS/HTTP/SOCKS, no flow set, no xhttp transport. Sub-fields
(concurrency / xudpConcurrency / xudpProxyUDP443) only render when
enabled is true.
- Sockopt section visible only when streamAllowed AND network is set —
non-stream protocols (freedom/blackhole/dns/loopback) still edit
sockopt via the JSON tab.
- onSecurityChange cascade: swaps tlsSettings/realitySettings sub-key
matching the DU branch, seeding the new sub-form with empty/default
fields so the UI does not reference undefined values.
- Flow Select rendered when canEnableTlsFlow is true (VLESS + TCP +
TLS/Reality). Moved from the basic VLESS section so it only appears
in the relevant security context — matches the legacy modal UX.
- Security Radio (none / TLS / Reality) gated by canEnableTls and
canEnableReality pure-function predicates from
lib/xray/protocol-capabilities.
- TLS sub-form: 6 outbound-specific fields (SNI/uTLS/ALPN/ECH/
verifyPeerCertByName/pinnedPeerCertSha256) matching the legacy
TlsStreamSettings flat shape (no certificates list — outbound is
client-side).
- Reality sub-form: 6 fields (SNI/uTLS/shortId/spiderX/publicKey/
mldsa65Verify). publicKey + mldsa65Verify get TextAreas to handle
the long base64 strings.
Wire the stream sub-form into the Pattern A modal:
- newStreamSlice(network) helper bootstraps the per-network DU branch
with Xray defaults (mtu=1350, tti=20, uplinkCapacity=5, etc.).
- streamSettings is seeded once when the protocol supports streams
but the form has no slice yet (new outbound + protocol switch).
- onNetworkChange swaps the sub-key and preserves security when the
new network still supports it, else snaps back to 'none'.
- Per-network sub-forms wired:
TCP: HTTP camouflage Switch (sets header.type = 'http' / 'none')
KCP: 6 numeric tuning fields
WS: host + path + heartbeat
gRPC: service name + authority + multi-mode switch
HTTPUpgrade: host + path
XHTTP: host + path + mode + padding bytes (advanced fields via JSON)
Security radio, TLS/Reality sub-forms, sockopt, and mux still pending.
- DNS: rewriteNetwork (udp/tcp Select) + rewriteAddress + rewritePort +
userLevel + rules Form.List (action/qtype/domain).
- Freedom: domainStrategy + redirect + Fragment Switch with conditional
4-field sub-block (legacy 'enable Fragment' UX preserved — Switch sets
all four fields to populated defaults, off-state empties them all out
so the adapter strips them on submit) + Noises Form.List (rand/base64/
str/hex types, packet/delay/applyTo per row) + Final Rules Form.List
with conditional block-delay sub-field.
- VLESS reverse-sniffing slice: rendered only when reverseTag is set
(matches the legacy modal's nested conditional). All six fields wired
to the form state with appropriate widgets (Switch / Select multi /
Select tags).
- SOCKS / HTTP: user + pass at settings root.
- Hysteria: read-only version=2 (the actual transport knobs live on
stream.hysteria, added with the stream tab).
- Loopback: inboundTag.
- Blackhole: response type Select with empty/none/http options.
- Wireguard: address (csv) + secretKey (with regenerate icon) + derived
pubKey + domain strategy + MTU + workers + no-kernel-tun + reserved
(csv) + peers Form.List with nested allowedIPs sub-list.
Wireguard regenerate icon uses Wireguard.generateKeypair() and writes
both keys to the form via setFieldValue — preserves the legacy UX of
the SyncOutlined inline-icon next to the privateKey label.
- Shared connect-target sub-block (address + port) for the six protocols
whose form schema carries them flat at settings root.
- VMess: id + security Select (USERS_SECURITY).
- VLESS: id + encryption + flow + reverseTag (reverse-sniffing slice and
Vision testpre/testseed come in a later commit).
- Trojan: password.
- Shadowsocks: password + method Select (SSMethodSchema) + UoT switch +
UoT version.
onValuesChange cascade: when the user picks a different protocol, the
adapter re-seeds the settings sub-object to the new protocol's defaults
so leftover fields from the previous protocol do not bleed through.
Sibling .new.tsx file with the Modal shell, Tabs (Basic/JSON), Form.useForm
hydration via rawOutboundToFormValues, and the submit pipeline that calls
formValuesToWirePayload before onConfirm. Tag uniqueness check is wired in.
Protocol-specific sub-forms, stream, security, sockopt, and mux sections
are deferred to subsequent commits — accessible via the JSON tab in the
meantime. The InboundsPage continues to render the legacy modal until the
atomic swap at the end.
Also: rawOutboundToFormValues now returns streamSettings as undefined
when the wire payload omits it, so Form.useForm doesn't receive a value
that does not match the NetworkSettings discriminated union.
Lay the groundwork for OutboundFormModal's Pattern A rewrite:
- schemas/forms/outbound-form.ts: discriminated-union form values across
all 12 outbound protocols, with flat per-protocol settings shapes that
match the legacy class fields (vmess vnext / trojan-ss-socks-http
servers / wireguard csv address-reserved all flattened).
- lib/xray/outbound-form-adapter.ts: rawOutboundToFormValues converts
wire-shape outbound JSON to typed form values; formValuesToWirePayload
re-nests on submit. Replaces the Outbound.fromJson/toJson dependency
the modal currently has on the legacy class hierarchy.
- test/outbound-form-adapter.test.ts: 15 round-trip cases covering each
protocol's wire quirks (vmess vnext flatten, vless reverse-wrap,
wireguard csv↔array, blackhole response wrap, DNS rule normalization,
mux gating).
Deletes the 2261-line class-mutation modal and renames the
1900-line sibling rewrite into its place. InboundsPage.tsx already
imports the file by path so no consumer change is needed — the swap
is one file delete plus one file rename. Build, lint, and 280 tests
stay green.
What the new modal covers end-to-end:
- Basic (enable / remark / nodeId / protocol / listen / port /
totalGB / trafficReset / expireDate)
- Sniffing (enabled / destOverride / metadataOnly / routeOnly /
ipsExcluded / domainsExcluded)
- Protocol per DU branch: VLESS (decryption/encryption + buttons),
Shadowsocks (method/password/network/ivCheck), HTTP + Mixed
(accounts list + per-protocol toggles), Tunnel (rewrite + portMap +
followRedirect), TUN (interface/mtu + four primitive lists +
userLevel/autoInterface), Wireguard (secretKey + derived pubKey +
peers list with nested allowedIPs)
- Stream per network: TCP base, KCP, WS, gRPC, HTTPUpgrade, XHTTP
(the 22-field one), plus external-proxy and sockopt extras
- Security: TLS (SNI/cipher/version/uTLS/ALPN/policy switches +
certificates list with file/inline toggle + ECH controls), Reality
(every field + the four API-call buttons), none
- Advanced JSON (settings / streamSettings / sniffing live editors
that round-trip into form state on every valid parse)
- Fallbacks (load on open for VLESS/Trojan TLS-or-Reality TCP hosts;
save through the secondary endpoint after the main POST succeeds)
Known regressions vs the legacy modal, all reachable via Advanced JSON
until backfilled in follow-up commits:
- Hysteria stream sub-form (masquerade / udpIdleTimeout / version) —
schema gap; the existing inbound DU has no hysteria stream branch
- FinalMaskForm hookup — the component is still class-shape coupled
- HeaderMapEditor — TCP request/response headers, WS / HTTPUpgrade /
XHTTP headers, Hysteria masquerade headers all need a shared editor
- TCP HTTP camouflage request/response body (version, method, path
list, headers, status, reason) — only the on/off toggle is wired
- Fallbacks polish — up/down move, quick-add-all, rederive-from-child,
the per-row advanced-toggle / proxy-tag chips
No reference to @/models/inbound's Inbound class anywhere in the new
modal — only @/models/dbinbound (out of scope) and
@/models/reality-targets (out of scope). The protocol-capabilities
predicates and the rawInboundToFormValues + formValuesToWirePayload
adapters carry every behavior the class used to provide.
Adds the fallbacks card rendered inside the protocol tab whenever the
current values describe a fallback host — VLESS or Trojan on tcp with
tls or reality security. The protocol tab visibility widens to include
Trojan in that exact case (it has no other protocol sub-form).
Fallbacks live in a useState alongside the form rather than inside form
values, mirroring the legacy modal: fallbacks save via a distinct
endpoint (/panel/api/inbounds/{id}/fallbacks) after the main inbound
POST, not as part of the inbound payload. loadFallbacks runs on open
for edit-mode VLESS/Trojan; saveFallbacks runs after a successful POST
inside the submit handler.
Each row: child picker (filtered down to other inbounds), then four
inline edits for SNI / ALPN / path / xver. Add adds an empty row;
delete pulls the row from state.
Quick-Add-All, the rederive-from-child helper, and the per-row up/down
movers are deferred — the basic add/edit/remove cycle is what the modal
actually needs to function.
Adds the advanced JSON tab. Each sub-tab (settings / streamSettings /
sniffing) renders an AdvancedSliceEditor — a small CodeMirror-backed
JsonEditor that holds a local text buffer and forwards parsed JSON to
form state on every valid edit.
Invalid JSON sits silently in the local buffer; once the user finishes
balancing braces / quoting, the next valid parse pushes through to the
form. No stamping ref, no apply-on-tab-switch ceremony — the form is
the single source of truth.
The buffer seeds once from form state on mount. The Modal's
destroyOnHidden means each open is a fresh editor instance, so external
form mutations during a single open session can't desync the editor
either.
The streamSettings sub-tab is omitted when streamEnabled is false
(matching the legacy modal's behavior for protocols like Http / Mixed
that have no stream layer).
Closes out the security tab: a Form.List of certificates that toggles
between TlsCertFileSchema (certificateFile + keyFile string paths) and
TlsCertInlineSchema (certificate + key as string arrays per the wire
shape) via a per-row useFile boolean.
useFile is a transient form-only field — not part of TlsCertSchema.
Zod's default-strip behavior drops it during InboundFormSchema parse
on submit, leaving only the matching wire branch's keys populated.
Whichever side the user wasn't on stays empty, so Zod's union picks
the populated branch.
For inline certs the TextAreas use normalize + getValueProps to convert
between the wire-side string[] and the multi-line text the user types.
Each line becomes one array element, matching the legacy class's
`cert.split('\n')` toJson convention.
Per-row buildChain is conditionally rendered when usage === 'issue' —
a shouldUpdate-closure watches the specific path so the toggle
re-renders inline without listening to unrelated form changes.
Security tab is now functionally complete. Advanced JSON tab,
Fallbacks card, and the atomic swap in InboundsPage are next.
Adds the Reality sub-form and the four API-call buttons that drive
the server-generated material:
- genRealityKeypair calls /panel/api/server/getNewX25519Cert and writes
the result into ['streamSettings', 'realitySettings', 'privateKey']
and the nested settings.publicKey path.
- genMldsa65 calls /panel/api/server/getNewmldsa65 for the
post-quantum seed/verify pair.
- getNewEchCert calls /panel/api/server/getNewEchCert with the current
serverName and writes echServerKeys + settings.echConfigList.
- randomizeRealityTarget seeds target + serverNames from the random
reality-targets pool.
- randomizeShortIds calls RandomUtil.randomShortIds (comma-joined
string) and splits into the schema's string[] form.
Reality fields are bound directly to schema paths — show/xver/target,
maxTimediff, min/max ClientVer, the settings.{publicKey, fingerprint,
spiderX, mldsa65Verify} nested subtree, plus the array fields
(serverNames, shortIds) rendered as Select mode="tags" since both ship
as string[] on the wire.
TLS certificates list (Form.List with the useFile DU) still pending —
that's a chunky sub-form on its own.
Adds the security tab to the sibling-file rewrite. Visibility is paired
with the stream tab — both gated on canEnableStream. The security
selector is itself disabled when canEnableTls is false, and the reality
option only appears when canEnableReality is true, mirroring the legacy
modal's Radio.Group guards.
onSecurityChange clears the previous branch's *Settings key and seeds
the new branch from the schema's parsed defaults (the same trick the
sockopt toggle uses). The security selector itself is rendered via a
shouldUpdate closure so the on-change handler can write the cleaned
streamSettings shape atomically without racing AntD's per-field sync.
TLS section: serverName (the wire field — the legacy class calls it
sni internally), cipherSuites (with the 13 named suites from
TLS_CIPHER_OPTION), min/max version pair, uTLS fingerprint, ALPN
multi-select, plus the three policy Switches.
TLS certificates list, ECH controls, the full Reality sub-form, and
the four API-call buttons (genRealityKeypair / genMldsa65 / getNewEchCert
/ randomizers) land in a follow-up commit.
External Proxy: Switch driven by externalProxy array length. Toggling
on seeds one row with the window hostname + the inbound's current port;
toggling off clears the array. Each row is a Form.List item with
forceTls/dest/port/remark inline, and a nested SNI/Fingerprint/ALPN
row that conditionally renders on forceTls === 'tls' via a
shouldUpdate-closure that watches the per-row forceTls path.
Sockopt: Switch driven by whether the sockopt object exists in form
state. Toggling on calls SockoptStreamSettingsSchema.parse({}) so every
default the schema declares (mark=0, tproxy='off', domainStrategy='UseIP',
tcpcongestion='bbr', etc.) flows into the form; toggling off sets to
undefined.
Renders the seventeen sockopt fields directly bound to
['streamSettings', 'sockopt', X] paths. Option lists pull from the
primitives const dictionaries (UTLS_FINGERPRINT, ALPN_OPTION,
DOMAIN_STRATEGY_OPTION, TCP_CONGESTION_OPTION) rather than the
schema's .options to keep one source of truth for UI label strings.
XHTTP is the heaviest network branch — 19 fields rendered conditionally
on mode, xPaddingObfsMode, and the three *Placement selectors. Each
gates its dependent field set via Form.useWatch.
Field structure mirrors the legacy XHTTPStreamSettings form 1:1:
- mode picker (auto / packet-up / stream-up / stream-one)
- packet-up adds scMaxBufferedPosts + scMaxEachPostBytes; stream-up
adds scStreamUpServerSecs
- serverMaxHeaderBytes, xPaddingBytes, uplinkHTTPMethod (with the
packet-up gate on the GET option)
- xPaddingObfsMode unlocks xPadding{Key,Header,Placement,Method}
- sessionPlacement / seqPlacement each unlock their respective Key
field when set to anything other than 'path'
- packet-up mode additionally unlocks uplinkDataPlacement, and that
in turn unlocks uplinkDataKey when the placement is not 'body'
- noSSEHeader Switch at the tail
XHTTP headers editor still pending (same WsHeaderMap as WS — will be
unified in the header-editor extraction commit).
Adds the three medium-complexity network branches to the stream tab.
Plain Form.Item paths into the corresponding *Settings keys — no
Form.List wrappers since these schemas don't have arrays at the top
level.
WS: acceptProxyProtocol, host, path, heartbeatPeriod
gRPC: serviceName, authority, multiMode
HTTPUpgrade: acceptProxyProtocol, host, path
Header editing is deferred to a later commit — WsHeaderMap is a
Record<string,string> on the wire, V2HeaderMap a Record<string,string[]>,
and the form needs an array-of-{name,value} UI that converts on edit.
Worth building once and reusing across WS, HTTPUpgrade, XHTTP, TCP
request/response, and Hysteria masquerade headers.
XHTTP + external-proxy + sockopt + hysteria stream + finalmask hookup
still pending.
Opens the stream tab on the sibling-file rewrite. Tab visibility is
driven by canEnableStream from lib/xray/protocol-capabilities — same
gate the legacy modal used, now schema-aware.
Transmission picker (network select) is hidden for HYSTERIA since
that protocol's network is implicit. onNetworkChange clears any stale
per-network settings keys (tcpSettings/kcpSettings/...) and seeds an
empty object for the new branch so AntD Form.Items don't read from
undefined nested paths.
TCP section: acceptProxyProtocol Switch (literal-true-optional on the
wire — the form stores true/false but Zod's strip behavior keeps
false-as-omission round-trips clean) plus an HTTP-camouflage toggle
that flips header.type between 'none' and 'http'. The full HTTP
camouflage request/response sub-form lands in a follow-up commit.
KCP section: six numeric knobs (mtu, tti, upCap, downCap,
cwndMultiplier, maxSendingWindow).
WS / gRPC / HTTPUpgrade / XHTTP / external-proxy / sockopt / hysteria
stream / FinalMaskForm hookup all still pending.
Adds the Wireguard sub-form: server secretKey input with regen icon,
derived disabled public-key display, mtu, noKernelTun toggle, and a
Form.List of peers — each peer having its own privateKey (regen icon),
publicKey, preSharedKey, allowedIPs (nested Form.List for the string
array), keepAlive.
pubKey is purely derived (computed via Wireguard.generateKeypair from
the watched secretKey) and is NOT stored in the form value — the schema
omits it from the wire shape on purpose. The disabled display shows the
live derivation without polluting form state.
regenInboundWg generates a fresh keypair and writes only the
secretKey path; pubKey re-derives automatically. regenWgPeerKeypair
writes both privateKey and publicKey at the peer's path index.
The preSharedKey wire-shape name is used instead of the legacy class's
internal psk — matches WireguardInboundPeerSchema.
Tab visibility widens to Wireguard.
Adds the TUN sub-form: interface name, MTU, four primitive-array
Form.Lists (gateway, dns, autoSystemRoutingTable), userLevel,
autoOutboundsInterface.
Primitive Form.Lists bind each row's Input directly to `field.name`
(no inner key) — distinct from the object-row Form.Lists that bind to
`[field.name, 'fieldKey']`.
The Form.useWatch('protocol') return type comes from the schema's
protocol enum which excludes 'tun' (TUN is in the legacy Protocols
const for data parity but never accepted by the wire validator). Cast
to string at the source so per-section comparisons against
Protocols.TUN typecheck. Why: legacy DB rows with protocol === 'tun'
still need to render; widening here keeps reads from rejecting them.
Tab visibility widens to TUN.
Adds the Tunnel sub-form: rewriteAddress + rewritePort, allowedNetwork
picker (tcp/udp/tcp,udp), Form.List-driven portMap with name/value
pairs, and the followRedirect Switch.
portMap is the second Form.List in the rewrite — same shape as the
HTTP/Mixed accounts list but with name/value rather than user/pass.
The wire shape stays `settings.portMap: { name, value }[]` exactly.
Tab visibility widens to Tunnel.
Adds the HTTP and Mixed sub-forms. Both share an accounts list — first
Form.List usage in the rewrite. Each row binds via [field.name, 'user']
/ [field.name, 'pass'] under the parent ['settings', 'accounts'] path,
so the wire shape stays exactly what HttpInboundSettingsSchema and
MixedInboundSettingsSchema validate.
HTTP-only: allowTransparent Switch.
Mixed-only: auth Select (noauth/password), udp Switch, conditional ip
Input gated on the udp value via Form.useWatch.
Tab visibility widens to include http + mixed alongside vless +
shadowsocks. The string cast on the includes-check keeps the frozen
Protocols const's narrow union from rejecting the broader protocol
string at the call site.
Adds the Shadowsocks sub-form: method picker (from SSMethodSchema's
seven schema-aligned options), conditional password input gated on
isSS2022, network picker (tcp/udp/tcp,udp), ivCheck toggle.
Method change cascades through the Select's onChange — regenerating
the inbound-level password via RandomUtil.randomShadowsocksPassword.
The shadowsockses[] multi-user list reset is deferred until the
clients-management section lands.
Uses isSS2022 from lib/xray/protocol-capabilities to gate the password
field exactly the way the legacy modal did — keeps the form behavior
identical without referencing the legacy class.
SSMethodSchema.options drives the Select rather than the legacy
SSMethods const (which the inbound modal pulled from models/inbound.ts).
This commits to the schema-aligned 7-entry list for inbound; the
outbound divergence (9 entries with legacy aliases) is still pending
in OutboundFormModal — defer the UX decision to that rewrite.
Adds the protocol tab to the sibling-file rewrite — currently only the
VLESS section, which lays out decryption/encryption inputs and the three
buttons that drive them: Get New x25519, Get New mlkem768, Clear.
getNewVlessEnc + clearVlessEnc are ported from the legacy modal as
pure setFieldValue paths into ['settings', 'decryption'] /
['settings', 'encryption'] — no class methods, no inboundRef. The
matchesVlessAuth helper mirrors the legacy fuzzy label-matching so the
backend response shape stays the only source of truth.
selectedVlessAuth derives the displayed auth label from the encryption
string via Form.useWatch — same heuristic as the legacy modal
(.length > 300 → mlkem768, otherwise x25519).
Tab spread is conditional: the protocol tab only appears when
protocol === 'vless' right now. As more protocol sections land
(shadowsocks, http/mixed, tunnel, tun, wireguard) the condition will
widen to cover each one.
Second section of the sibling-file rewrite. Wires the six sniffing
sub-fields to nested form paths ['sniffing', 'enabled'], ['sniffing',
'destOverride'], etc. Uses Form.useWatch on the enabled flag to drive
conditional rendering of the dependent fields — the same gate the
legacy modal expressed via `ib.sniffing.enabled &&`.
Checkbox.Group renders one Checkbox per SNIFFING_OPTION entry. The two
exclusion lists use Select mode="tags" so the user can paste comma-
separated IP/CIDR or domain rules.
No transient form state, no class methods — every field maps directly
to a wire-shape path in InboundFormValues.
Protocol tab is next.
First real section of the sibling-file rewrite. Wires AntD Form.Items
to InboundFormValues paths for the basic tab — enable, remark, deployTo
(when protocol is node-eligible), protocol, listen, port, totalGB,
trafficReset, expireDate.
The port input gets a per-field antdRule against
InboundFormBaseSchema.shape.port — the spec's Pattern A reference. The
intersection-typed InboundFormSchema has no .shape accessor, so per-field
rules pull from the underlying ZodObject components.
totalGB and expireDate are bytes/timestamp on the wire but a GB number /
dayjs picker in the UI. Both use shouldUpdate-closure children that read
form state and call setFieldValue on user input — no transient
form-only fields, no DU-shape surprises at submit time.
Protocol-change cascade lives in Form's onValuesChange: pick a new
protocol and the settings DU branch is reset to
createDefaultInboundSettings(next); a non-node-eligible protocol also
clears nodeId.
Modal still renders a single-tab Tabs container. Sniffing tab is next.
First commit of the sibling-file modal rewrite. The new modal mounts
Form.useForm<InboundFormValues>, hydrates via rawInboundToFormValues on
open (edit) or buildAddModeValues (add), runs validateFields + safeParse
on submit, and posts the formValuesToWirePayload result. No tabs yet —
the modal body shows a WIP placeholder.
The file is not imported anywhere; the existing InboundFormModal.tsx
remains the one InboundsPage renders. Build, lint, and 280 tests stay
green. Subsequent commits add the basic / sniffing / protocol / stream /
security / advanced / fallbacks sections; the atomic import swap in
InboundsPage.tsx lands last.
Adds lib/xray/outbound-defaults.ts parallel to inbound-defaults.ts:
13 createDefault*OutboundSettings factories (one per outbound protocol)
plus the createDefaultOutboundSettings(protocol) dispatcher mirroring
Outbound.Settings.getSettings's contract — non-null on each known
protocol, null otherwise.
The factory output matches the legacy `new Outbound.<X>Settings()` start
state: required-by-schema fields the user fills in via the form
(address, port, password, id, peer publicKey/endpoint) come back as
empty stubs. Wireguard alone seeds secretKey via the X25519 generator;
the rest expose blank fields. This is the same behavior the
OutboundFormModal relies on for protocol-change resets.
Shadowsocks defaults to 2022-blake3-aes-128-gcm rather than the legacy
undefined — the Select snaps to the first option anyway, so the
coherent default keeps the modal from rendering an empty picker.
Tests cover three layers:
- exact-shape snapshots per factory (13 cases)
- Zod schema acceptance after sensible stub fill-in (13 cases)
- dispatcher non-null per known protocol + null for the unknown (14 cases)
Adds lib/xray/protocol-capabilities.ts with the seven predicates the
modals call: canEnableTls, canEnableReality, canEnableTlsFlow,
canEnableStream, canEnableVisionSeed, isSS2022, isSSMultiUser. Each
takes a minimal slice of an InboundFormValues, no class instance.
The legacy isSSMultiUser returns true on non-shadowsocks protocols too
(method getter resolves to "" which != blake3-chacha20-poly1305). The
new function preserves this quirk and documents it inline; callers all
narrow on protocol === shadowsocks before checking, so the surprising
return value never surfaces.
Parity harness in test/protocol-capabilities.test.ts crosses each of
the 10 golden fixtures with 14 stream configurations (network × security)
and asserts each predicate matches the legacy class method — 140 cases,
all green.
Adds lib/xray/inbound-form-adapter.ts with rawInboundToFormValues and
formValuesToWirePayload. The pair is the data boundary the upcoming
Pattern A modal will use: it consumes the DB row shape (settings et al.
as string OR object — coerced internally), hands the modal typed
InboundFormValues, and on submit reverses the trip to a wire payload
with the three JSON-stringified slices the Go endpoints expect.
No dependency on the legacy Inbound/DBInbound classes — the coerce step
is inlined so the adapter survives the eventual models/ deletion.
Adds 10 Vitest cases covering string vs object inputs, the optional
streamSettings/nodeId fields, trafficReset coercion, and a raw-to-payload
-to-raw round-trip equality.
Foundation for the InboundFormModal rewrite. Mirrors the wire Inbound
shape (intersection of core fields + protocol settings DU + stream/security
DUs) plus the DB-side fields (up/down/total/trafficReset/nodeId/...) that
flow through DBInbound rather than the xray config slice.
InboundStreamFormSchema is exported separately so individual sub-form
sections can rule against just the stream portion when needed.
FallbackRowSchema is co-located here even though fallbacks save via a
distinct endpoint after the main POST — they belong to the same form
state from the user's perspective.
No modal changes in this commit. Foundation only; subsequent turns swap
the modal's `inboundRef`/`dbFormRef` mutable-class state for
Form.useForm<InboundFormValues>().
Extends primitives/options.ts with the five inbound-only option dicts
(TLS_VERSION_OPTION, TLS_CIPHER_OPTION, USAGE_OPTION,
DOMAIN_STRATEGY_OPTION, TCP_CONGESTION_OPTION) and lifts InboundFormModal
off @/models/inbound for 10 of its 12 imports. Only the Inbound class
and SSMethods (inbound vs outbound versions diverge by 2 entries) still
come from @/models/.
Widens NODE_ELIGIBLE_PROTOCOLS Set element type to string since the new
primitives const exposes a narrow literal union that `.has(arbitraryString)`
would otherwise reject.
Adds schemas/primitives/options.ts with UTLS_FINGERPRINT, ALPN_OPTION,
SNIFFING_OPTION, USERS_SECURITY, MODE_OPTION (all identical between
models/inbound.ts and models/outbound.ts) plus the outbound-only
WireguardDomainStrategy, Address_Port_Strategy, and DNSRuleActions.
OutboundFormModal now pulls 9 consts from primitives. Only `Outbound`
(the class) and `SSMethods` (whose inbound/outbound versions diverge by
2 legacy aliases — keep the picker open for the Pattern A rewrite) still
come from @/models/outbound.
Drops three stale `as string[]` casts on what are now readonly tuples.
Moves the two outbound-side consts out of models/outbound.ts and into
schemas/primitives/outbound-protocol.ts. Renames the export to
OutboundProtocols to disambiguate from the inbound Protocols const
(different key casing — PascalCase vs ALL CAPS — and partly different
member set, so they cannot share a single const).
OutboundsTab.tsx keeps its 15+ Protocols.X call sites by aliasing
the import. FinalMaskForm.tsx and BasicsTab.tsx swap directly.
Drops a stale `as string[]` cast in BasicsTab that no longer fits
the new readonly-tuple typing.
After this commit only the two big form modals
(InboundFormModal/OutboundFormModal) plus three intentional parity
tests still import from @/models/.
Step 4b. The Protocols and TLS_FLOW_CONTROL enums on models/inbound.ts
were dragging five page files into that 3,300-line module just to read
literal string constants. Lifting them to schemas/primitives lets those
pages drop the @/models/inbound import entirely.
- schemas/primitives/protocol.ts now exports a Protocols const map
alongside the existing ProtocolSchema. TUN stays in the const for
parity (legacy panel deployments may have saved TUN inbounds) even
though the Go validator no longer accepts it as a new write.
- schemas/primitives/flow.ts now exports TLS_FLOW_CONTROL. The
empty-string default isn't keyed because the legacy never had a
NONE entry — call sites compare against the two real flow values.
Updated five consumers:
- useInbounds.ts: TRACKED_PROTOCOLS now annotated readonly string[]
so .includes(string) keeps narrowing through the array literal
- QrCodeModal.tsx, InboundInfoModal.tsx: Protocols
- ClientFormModal.tsx, ClientBulkAddModal.tsx: TLS_FLOW_CONTROL
Suite: 89 tests across 8 files; typecheck + lint clean.
models/inbound.ts is now imported by:
- InboundFormModal.tsx (heavy use of Inbound class + getSettings)
- test/inbound-link.test.ts + test/shadow.test.ts + test/headers.test.ts
(intentional — these are parity tests against the legacy class)
OutboundFormModal still imports from models/outbound. Both form modals
are the multi-day Pattern A rewrites the plan scopes separately.
First Step 4 call-site swap. createDefaultInboundSettings(protocol) lands
in lib/xray/inbound-defaults — a protocol-aware dispatch over the 10
per-protocol settings factories already in this module. Returns a Zod-
parsable plain object instead of a class instance, so callers that just
need the wire-shape JSON can drop the class hierarchy without touching
the broader form modals.
InboundsPage's clone path used Inbound.Settings.getSettings(p).toString()
as the fallback when settings JSON parsing failed. That's now
createDefaultInboundSettings + JSON.stringify, with a final '{}' guard
for unknown protocols (legacy returned null and .toString() crashed —
we just emit empty settings instead). The Inbound import on this file
is now unused and removed.
The 2 remaining getSettings call sites in InboundFormModal aren't safe
to swap in isolation — the form mutates the returned class instance
through methods like .addClient() and .toJson() across ~2000 lines of
JSX. Those land with the full Pattern A rewrite of InboundFormModal,
which the plan budgets at multiple days on its own.
Suite: 89 tests across 8 files; typecheck + lint clean.
Last slice of Step 3d. Five orchestrator exports compose the per-
protocol generators into the public surface the panel consumes:
- resolveAddr(inbound, hostOverride, fallbackHostname): picks the
address that goes into share/sub URLs. Browser `location.hostname`
is no longer a hidden dependency — callers pass it in (or any other
fallback they want).
- getInboundClients(inbound): protocol-aware clients accessor.
Mirrors the legacy `Inbound.clients` getter, including the SS
quirk where 2022-blake3-chacha20 single-user inbounds report null
(no client loop) and everything else returns the clients array.
- genLink: per-protocol dispatcher matching legacy Inbound.genLink.
- genAllLinks: per-client fanout. Builds the remarkModel-formatted
remark (separator + 'i'/'e'/'o' field picker) and iterates
streamSettings.externalProxy when present.
- genInboundLinks: top-level \r\n-joined link block. Loops per
client for clientful protocols, single-shots SS for non-multi-user,
and delegates to genWireguardConfigs for wireguard. Returns ''
for http/mixed/tunnel (no share URL at all).
Plus genWireguardLinks / genWireguardConfigs fanouts which iterate
peers and append index-suffixed remarks.
Parity test exercises every full-inbound fixture against legacy
Inbound.genInboundLinks. Skips hysteria2 (no legacy dispatch case;
that bridge belongs in a separate intentional commit alongside the
form modal swap). Suite: 89 tests across 8 files; typecheck + lint
clean.
Next: Step 4 form modal migrations. Forms can now drop
`new Inbound.Settings.getSettings(protocol)` in favor of the
createDefault*InboundSettings factories, and InboundsPage clone can
swap to genInboundLinks. Models/ deletion follows in Step 5 once all
call sites are off the class.
Fifth and sixth link generators. genHysteriaLink builds the v1/v2
share URL (scheme picked from settings.version), copying TLS knobs into
the query, surfacing the salamander obfs password from
finalmask.udp[type=salamander] when present, and writing the broader
finalmask payload under `fm` like the other links.
Legacy parity note: the old genHysteriaLink read
stream.tls.settings.allowInsecure, which isn't a field on
TlsStreamSettings.Settings — the guard always evaluated false and the
`insecure` param never made it into the URL. We omit it here to stay
byte-stable.
genWireguardLink and genWireguardConfig take a typed
WireguardInboundSettings + peer index and:
- link: wireguard://<peerPriv>@host:port?publickey=&address=&mtu=#remark
- config: the .conf text WireGuard clients consume directly
Both derive the server pubKey from settings.secretKey via
Wireguard.generateKeypair at call time — Zod stores only secretKey on
the wire (pubKey is computed). The Wireguard utility is pure JS (X25519
over Float64Array), so it runs fine under node + the window polyfill we
added with the vmess extraction.
Two new full-inbound fixtures (hysteria-v1-tls, wireguard-server) plus
matching parity tests bring the suite to 78 tests across 8 files;
typecheck + lint clean.
Hysteria2 (protocol literal) parity stays deferred — the legacy
class has no HYSTERIA2 dispatch case, so it can't round-trip a
hysteria2 fixture without a protocol remap. Same trick the shadow
harness uses; revisit in the orchestrator commit.
Third and fourth link generators. genTrojanLink mirrors genVlessLink's
shape (URLSearchParams + network/security branches + remark hash) minus
the encryption/flow VLESS-isms. genShadowsocksLink shares the same query
construction but base64-encodes the userinfo portion as method:password
or method:settingsPw:clientPw depending on whether SS-2022 is in
single-user or multi-user mode.
Three reusable helpers move out of the per-protocol functions:
- writeNetworkParams: the per-network switch that all param-style
links share (tcp http header / kcp mtu+tti / ws path+host /
grpc serviceName+authority / httpupgrade / xhttp extras)
- writeTlsParams: fingerprint/alpn/ech/sni
- writeRealityParams: pbk/sid/spx/pqv (preserves the SNI-omission
legacy parity quirk noted in the genVlessLink commit)
genVmessLink stays with its inline switch — it builds a JSON obj instead
of URLSearchParams and has per-network quirks (kcp emits mtu+tti at
the obj root, grpc maps multiMode to obj.type='multi') that don't
factor cleanly through the shared writer.
Two new full-inbound fixtures (trojan-ws-tls, shadowsocks-tcp-2022)
plus matching parity tests bring the suite to 74 tests across 8 files;
typecheck + lint clean.
Second link generator. genVlessLink builds the
vless://<uuid>@<host>:<port>?<query>#<remark> share URL from a typed
Inbound + client args, dispatching on streamSettings.network for the
network-specific knobs and on streamSettings.security for the
TLS/Reality knobs. Three param-style helpers move alongside the obj-
style ones already in this file:
- applyXhttpExtraToParams — writes path/host/mode/x_padding_bytes and
the JSON extra blob into URLSearchParams
- applyFinalMaskToParams — writes the fm payload when shareable
- applyExternalProxyTLSParams — overrides sni/fp/alpn when an external
proxy entry is supplied and security is tls
A vless-tcp-reality fixture lands alongside the existing vless-ws-tls
one, so the parity test now exercises both security branches.
Discovered a latent legacy bug while writing parity: the old class
stored realitySettings.serverNames as a comma-joined string and gated
SNI on `!ObjectUtil.isArrEmpty(serverNames)`, which always returns true
for strings — so SNI was never written into Reality share URLs.
Existing clients rely on the omission (they pull SNI from
realitySettings.target instead). We preserve the omission here to keep
this extraction byte-stable; an inline comment marks the spot for a
separate intentional fix.
Suite: 70 tests across 8 files; typecheck + lint clean.
First link generator to leave the class hierarchy. genVmessLink takes a
typed Inbound + client args and returns the base64-encoded vmess://
URL. Internal helpers (buildXhttpExtra, applyXhttpExtraToObj,
applyFinalMaskToObj, applyExternalProxyTLSObj, serializeFinalMask,
hasShareableFinalMaskValue, externalProxyAlpn) port across from
XrayCommonClass — same logic, rewritten to read the Zod schemas'
Record<string, string> headers instead of the legacy HeaderEntry[].
Parity test (inbound-link.test.ts) loads each vmess fixture in
golden/fixtures/inbound-full, parses it with InboundSchema for the new
pure fn AND constructs LegacyInbound.fromJson(raw) for the class method,
then asserts the URLs match byte-for-byte. Drift between the two impls
fails here before the call sites in pages/inbounds/* get swapped.
Adds a small test setup file that aliases globalThis.window to globalThis
so Base64.encode's window.btoa works under Node — keeps the test env at
'node' and avoids pulling jsdom as a new dep.
A first vmess-tcp-tls full-inbound fixture pins the round-trip path.
Suite: 67 tests across 8 files; typecheck + lint clean. Five more link
generators (vless/trojan/ss/hysteria/wireguard) plus the orchestrator
(toShareLink, genAllLinks) follow in subsequent turns.
Step 3d's last scaffolding piece before link generators. Three new
stream-extras schemas land alongside the network/security DUs:
- finalmask: TcpMask[] + UdpMask[] + QuicParams. Mask `settings` stays
record<string, unknown> for now — there are 13 UDP mask types and 3
TCP mask types with distinct per-type setting shapes, and modeling
them all as DUs would dwarf the rest of stream/ without buying
anything the shadow harness doesn't already catch. Tightened in
Step 6.
- sockopt: 17 socket-tuning knobs (TCP keepalive, TFO, mark, tproxy,
mptcp, dialer proxy, IPv6-only, congestion). `interfaceName` field
matches the panel class naming; serializers rename to `interface` on
the wire.
- external-proxy: rows ship per inbound describing edge fronts (CDN
mirrors). Used by link generators to fan out share URLs.
schemas/api/inbound.ts composes the top-level wire shape with
intersection-of-DUs:
StreamSettingsSchema = NetworkSettingsSchema
.and(SecuritySettingsSchema)
.and(StreamExtrasSchema)
InboundSchema = InboundCoreSchema.and(InboundSettingsSchema)
A fixture (vless-ws-tls.json) exercises the full shape — protocol DU,
network DU, security DU, and TLS cert file branch in one round trip.
The snapshot pins the canonical parsed form so the upcoming link
extractor consumes typed input with no class hierarchy underneath.
Suite: 65 tests across 7 files; typecheck + lint clean. Zod 4
intersection-of-DUs works.
Tiny piece of the toShareLink scaffold. The legacy Inbound.getHeader(obj,
name) iterated the panel's internal HeaderEntry[] form; the new
getHeaderValue reads the Record<string, string|string[]> map our Zod
schemas store on the wire. Case-insensitive, returns '' on miss to match
the legacy fallback so link-generator call sites stay simple.
For repeated-name maps (TCP/WS-style string[] values) the first value
wins — matches the legacy iteration order so the share URL's Host hint
stays deterministic.
Five unit tests cover undefined/null/empty inputs, case folding,
string-valued and array-valued matches, empty-array edge case, and
missing-key fallback. Suite: 64 tests across 6 files; typecheck + lint
clean.
This unblocks the next slice: per-protocol link generators (genVmessLink
etc.) take a typed inbound + client and call getHeaderValue against the
ws/httpupgrade/xhttp/tcp.request header maps.
