New
- feat: add API token to install output (#4322) @abdalrahmanx9
- feat(panel): add Edit button to tables and enhance layout (#4355) @BlackRockSoul
- feat(json): swap raw textareas for a CodeMirror 6 JsonEditor
- feat(tabs): collapse settings and xray tab bars to evenly-spread icons
- feat(nodes): mobile card list, info modal, and tighter summary layout
- feat(inbounds): collapse mobile cards to id/email + info button
- feat(inbounds): align tunnel, tun, and hysteria UI with Xray docs
- feat(api-tokens): manage multiple named tokens; add tab/section anchor URLs
- feat(routing): drag-reorder rules, split balancer column, mobile card layout
- feat(ui): use the host as the browser tab title prefix
- feat(api-docs): enhance in-panel API documentation (#4312) @abdalrahmanx9
- feat(nodes): blur address column with eye-toggle, mirroring IndexPage IP card
- feat(inbounds): restore copy-clients-between-inbounds modal
- Feat: clarify VLESS encryption auth selection (#4271) @farhadh
- feat: sortable inbounds table columns (#4300) @abdalrahmanx9
- feat(panel): xray metrics dashboard with observatory probe history
Update & improvement
- style(api-docs): redesign TOC, section icons, endpoint rows, and code blocks with ultra-dark support (#4332) @abdalrahmanx9
- add: log rotate to 3xui.log file to avoid disk space consumption (#4277) @samssh
- Security hardening: sessions, SSRF, CSP nonce, CSRF logout, trusted proxies (#4275) @farhadh
- ci(codeql): run on push to main
- ci: gate workflows on relevant source paths
- Bump Go module dependency versions
Bug fixed
- fix(sub): include xhttp mode in extra JSON for karing compatibility (#4365) @abdalrahmanx9
- fix(docker): update port mapping for 3xui service in docker-compose (#4362) @farhadh
- fix(routing): make rule drag-and-drop work on mobile cards
- fix(qr): lock QR code modules to black-on-white across all themes
- Adjust QR panel sizing and collapse JSON subscription by default
- fix(inbounds): refresh client rows live over websocket
- fix(iplog): parse xray access-log timestamps in local time
- fix(warp): set license against Cloudflare API and surface errors inline
- fix(forms): validate JSON tabs before applying or saving
- fix(inbounds): hide node UI when no enabled node exists
- fix(outbound): accept JSON-only configs and sync JSON to basic form on tab switch
- fix: single inbound traffic reset resets all inbounds (#4334, #4338) @abdalrahmanx9
- fix: strip main-panel TLS cert file paths when sending inbound to remote node (#4339) @abdalrahmanx9
- fix: reality random target/sni buttons not working (#4337, #4340) @abdalrahmanx9
- fix(auth): invalidate sessions when 2FA is enabled, fix dev 401 loop
- fix(inbound): require email when adding or updating a client
- fix(security): SSRF-guard node and remote HTTP clients
- fix(api-docs): resolve no-useless-escape lint errors
- fix(fail2ban): escape percent signs in 3x-ipl datepattern (#4328) @usk2223
- fix(graphs): increase y-axis paddingLeft from 32 to 56 to prevent clipped labels (#4309) @abdalrahmanx9
- fix: delete button missing after searching for a user (#4315) @abdalrahmanx9
- fix(hysteria2): restore missing masquerade config in inbound form (#4316) @abdalrahmanx9
- fix: auto-renew must re-enable client in inbound settings JSON (#4317) @abdalrahmanx9
- fix: show UDP tag for Hysteria and fix client count spacing (#4318) @abdalrahmanx9
- fix: preserve space between date and time in log modal (#4326) @abdalrahmanx9
- fix(api-docs): copy API token button
- Fix: traffic writer restart freeze (#4265) @farhadh
- fix(node): normalize base path during probe so missing trailing slash doesn't break status checks
- Add possibility to remove client email from sub (#4297) @Kasp42
- fix: sync advancedJson before tab switch in convertLink
- fix: ignore duplicate column errors during AutoMigrate on upgraded DBs
Reports
Full Changelog: v3.0.1...v3.0.2