s-ui v1.0.0-beta5

s-ui-x-extended v1.0.0-beta5

Pre-release. Unifies the navigation menu across the two UI environments. The
Classic and Nexus shells previously kept independent, hand-maintained
menu lists that had drifted apart — Providers showed only in Classic, Paid
Subscriptions only in Nexus. Both shells now read a single shared source, so the
tabs stay in sync and neither environment can silently lose one again.

Highlights

• One menu, both environments. New frontend/src/layouts/menu.ts is the
  single source of truth; the Classic drawer and the Nexus sidebar both import it.
  nexusMenu.ts becomes a thin backward-compatible re-export, and the nexus-only
  singBoxSettings metadata now lives in the shared list.
• Tabs reconciled. Classic and Nexus now expose the same 16 tabs in the same
  order — Classic gains Paid Subscriptions, Nexus gains Providers.
  /migrate-xui stays a contextual page reached from the Backup dialog, not a
  top-level tab.
• Localization parity. Providers / Paid Subscriptions are now translated
  in zh-Hans, zh-Hant, Persian and Vietnamese instead of falling back to English.
• Drift-guard test pins the menu's paths, order, uniqueness and the nexus
  sing-box surfaces so the two environments can't diverge again unnoticed.

See CHANGELOG.md for the full bilingual list and
SECURITY.md for supply-chain and hardening notes. This is a
pre-release — review SECURITY.md before exposing the panel.

s-ui v1.0.0-beta4

s-ui-x-extended v1.0.0-beta4

Pre-release. Makes the extended protocols actually usable end-to-end: the panel
could already configure ssh / mieru / sudoku / trusttunnel / mtproxy inbounds,
but had nothing to hand the client — the JSON subscription was empty for them and
mtproxy couldn't even start. This release fixes delivery and consolidates protocol
knowledge into a single embedded source of truth.

Highlights

• Client delivery for ssh / mieru / sudoku / trusttunnel. These inbounds now
  emit a working client outbound in the JSON subscription (previously the server
  config was generated but the subscription dropped them). Per-user credentials map
  correctly (name → username for mieru/trusttunnel, name → user for ssh).
• MTProxy via Telegram — and it finally starts. mtproxy inbounds now produce a
  tg://proxy deep link and are excluded from JSON/Clash (there is no sing-box
  mtproxy outbound). Crucially, the per-user secret is now a valid faketls (ee)
  secret — 0xee || 16-byte key || faketls SNI host — instead of the bare hex the
  panel used to generate, which the core (mtglib) rejected at inbound start.
• Single source of truth for protocol capabilities. A new embedded manifest
  (core/capabilities/protocols.json) drives the backend maps, the frontend lists,
  the docs/protocol-matrix.md table, and a new admin-only /api/capabilities
  endpoint. The inbound-type picker now greys out protocols not compiled into the
  running binary (detected via //go:build flags, not by parsing build scripts).

Security

• No server-secret leakage. Every out_json builder is a strict allow-list (ssh
  copies nothing — private host keys never leave the server). A forbidden-keys
  invariant test recursively scans every out_json and subscription body and fails on
  TLS keys, reality private keys, ssh host_key*, server fallback /
  handshake_timeout, etc.; a static test forbids a builder from range-copying the
  whole inbound.
• /api/capabilities is admin-authenticated and returns only boolean build-tag
  flags and UI capability metadata — no paths, versions, builder names or secrets.

Diagnostics

• ShadowTLS is marked broken (not delivered as working): the panel never
  creates the required backing-shadowsocks detour, and the core inbound is not
  fail-closed without one. Auto-pair is deferred.

See CHANGELOG.md for the full bilingual list and
SECURITY.md for supply-chain and hardening notes. This is a
pre-release — review SECURITY.md before exposing the panel.

s-ui v1.0.0-beta3

s-ui-x-extended v1.0.0-beta3

Third public beta — the s-ui-x web panel on the sing-box-extended core
(shtorm-7/sing-box-extended, a fork of SagerNet/sing-box).

Highlights

• Recommended defaults pre-filled across the admin panel. Creating inbounds,
  outbounds, endpoints, DNS servers, services, TLS templates, transports and
  routing rules now starts from security-first, ready-to-use values instead of
  blank fields — TUIC / Naive / TrustTunnel default to bbr congestion control,
  VLESS / VMess to xudp packet encoding, VMess to auto security, OpenVPN to
  AES-256-GCM / SHA256, Sudoku to the core's recommended AEAD / padding, and
  new TLS templates to min_version: 1.3.
• Dropdowns for fixed-value fields. Parameters that accept only a fixed set
  of values are now proper dropdowns (congestion controls, Mieru transport /
  multiplexing, Sudoku AEAD / mask modes, SOCKS version, Tun stack, TLS cipher
  suites, …), so an invalid token can no longer be typed by hand.
• Editable suggestion fields for free text. Free-text parameters with common
  values now offer an editable combobox with suggestions plus a sensible default
  (Go durations, byte-size quotas, bandwidth speeds, listen addresses, time
  zones, NTP servers, DNS resolvers, SSH versions / algorithms, health-check
  URLs, …) while still accepting custom input.

All option tokens were verified against the sing-box-extended core. Secrets are
never hard-coded (UUIDs / passwords / keys are still generated), and camouflage
targets (Reality dest / ShadowTLS handshake / SNI) are intentionally left empty.

See CHANGELOG.md for the full list and SECURITY.md
for supply-chain and hardening notes.

This is a beta build — review SECURITY.md before exposing the panel.

s-ui v1.0.0-beta2

s-ui-x-extended v1.0.0-beta2

Second public beta — the s-ui-x web panel on the sing-box-extended core
(shtorm-7/sing-box-extended, a fork of SagerNet/sing-box).

Highlights

• Full protocol tag set in every build path. Prebuilt Linux tarballs and the
  Windows packages now include the same protocols as the Docker image / build.sh:
  WireGuard/WARP, MASQUE, OpenVPN, MTProxy, Sudoku, TrustTunnel, DHCP-DNS and
  CCM/OCM/OOMKiller. Previously these were compiled out of the prebuilt binaries and
  returned a not included in this build, rebuild with -tags ... error at runtime.
  Only Naive (cronet/CGO) still varies by platform — present on Linux
  amd64/arm64/armv7/armv6/386, Docker, and Windows amd64; absent on armv5/s390x and
  Windows arm64.
• Fix — database token scope. API tokens scoped to database now grant database
  export/import (getdb/importdb) and x-ui / 3x-ui migration (import-xui). These
  were unintentionally admin-only before.
• Docs. docs/scope-matrix.md corrected to all six token scopes; the README was
  restructured and fact-checked (HTTP API, migration, backup, Telegram, paid
  subscriptions, security & hardening, monitoring, transports/TLS, build matrix).

See CHANGELOG.md for the full list and SECURITY.md
for supply-chain and hardening notes.

This is a beta build — review SECURITY.md before exposing the panel.

s-ui v1.0.0-beta1

s-ui-x-extended v1.0.0-beta1

Initial commit — first public build of s-ui-x-extended.

The s-ui-x web panel running on the sing-box-extended core (the
shtorm-7/sing-box-extended fork of SagerNet/sing-box), with extended
protocol/transport support and the inherited security/reliability hardening.

• Extended protocols/transports: OpenVPN, MASQUE, MTProxy, TrustTunnel,
  WireGuard/AmneziaWG, CCM/OCM, DHCP, QUIC, mKCP/XHTTP, providers, and
  rate/traffic/bandwidth/connection limiters.
• Supply-chain and hardening notes: see SECURITY.md.

This is a beta build — review SECURITY.md before exposing the panel.