BEDOLAGA-DEV/remnawave-bedolaga-telegram-bot v3.60.0

on GitHub

3.60.0 (2026-06-05)

New Features

• gift: unify landing gifts onto the claimable code-only model (backend) (8637bec)
• i18n: add 159 missing localization keys across all 5 locales (a694eb0)
• i18n: full locale parity — fill 142 gap keys into en/ua/zh (9390af7)
• landing-stats: add payment-method, traffic-source & gift-claim breakdowns (357f4c1)
• security: email account merge via emailed OTP + initiator-bound execute (74a78ea)

Bug Fixes

• account-linking: forbid silent OAuth re-link to another account (357c3d7)
• auto-extend: only auto-extend after top-up if the user enabled autopay (c9abdd0)
• autopay: refund balance when the auto-renew extension fails (e014670)
• contests: channel start-announce button now works (deep link, not callback) (663064d)
• contests: rescue pre-fix channel announcements via callback url-redirect (be5524d)
• don't block handlers on long rate-limit backoff (WATA + channel gate) (b7c37f9)
• gift: finish cabinet unification + close review regressions (c2488b6)
• guest-payment: подарок/гость через шлюз с под-методом (rollypay_sbp и др.) (837e9e6)
• guest-purchase: roll back poisoned session on accounting-tx failure (f986d36)
• i18n: don't warn when t()/get() is given an explicit fallback (d108687)
• i18n: repair 38 stale translations with drifted placeholders (ee8ddb7)
• landing: суточные тарифы на лендингах показывали цену 0 и не покупались (b795583)
• payments: yookassa webhook log crash + miniapp pal24 dropped card/sbp choice (3935042)
• referral: keep invite links in the clipboard via <code> (#634720) (15d2996)
• security: admins can only grant permissions they hold (RBAC privilege escalation) (f73f73f)
• security: block identity/auth secrets from the settings API (privilege escalation) (c5a52c4)
• security: harden email-change OTP against brute force + admin-email binding (ATO) (4c53e94)
• security: require existing-account password before email-link merge (account takeover) (0c56a04)
• security: sign + expire media download URLs (close ticket-attachment IDOR) (f5c02cd)
• security: stop shared-cache leakage of private ticket attachments + validate file_id (881a1ed)
• security: Telegram Login Widget one-time-use + 24h window (replay/ATO) (b1e8ca4)
• stars: atomic subscription activation + idempotent payment (5b79b30)
• tariffs: update_tariff принимает trial_duration_days (51a2e11)
• topup: only auto-buy saved cart on a fresh, explicit top-up intent (66876fc)
• traffic: run package-reset job even when daily tariffs are off (#630055) (c93cf48)
• trial-reset: cabinet reset deletes the panel user too, not just disable (c4e65d5)
• trial-reset: wipe the Remnawave panel user on bulk trial reset, race-safe (6b6bad1)
• trial: 0 ГБ на триал-тарифе = безлимит, не подмена конфигом (1713452)
• trial: block trials from tariff-switch & gate trial conversion in extend_subscription (#629889) (7844f1a)
• trial: keep trials a trial on tariff relabel & days-promo (#629889) (acb2242)
• trial: кабинет не должен отбраковывать неактивный триал-тариф (e197857)
• web-api: make /health a public liveness probe (was 401 for healthchecks) (2450220)
• webhooks: atomic, single-transaction balance credit for Tribute + Stars (644fb45)
• wheel: expose won prize_id in spin history for exact sector landing (6277fa5)
• wheel: make Telegram Stars spins idempotent + enforce daily limit (ae3fa8b)
• wheel: serialize spins to close daily-limit & days-payment races (cbe134d)

Refactoring

• logs: repair degraded log messages across the codebase (e3f5da8)
• trial-reset: extract shared wipe_trial_subscriptions helper (dedup) (fb0be88)
• trial: one canonical trial-eligibility gate (dedup 4 copies) (c272a15)
• trial: unify cabinet trial gates + drop dead has_used_trial flag (f624d2d)