Commit 284a78e

Merge pull request #114 from shayanb/release/1.8.3
v1.8.3 — TUI menu + WebSocket default + dashboard/CLI user-mgmt fixes
2 parents bf025f0 + 4fb9ebc commit 284a78e

26 files changed

Lines changed: 811 additions & 263 deletions

.env.example

Lines changed: 4 additions & 3 deletions
@@ -366,9 +366,10 @@ GRAFANA_APP_TITLE=
366366
# Access via: https://{CDN_SUBDOMAIN}.{DOMAIN}
367367
CDN_SUBDOMAIN=cdn
368368

369-
# CDN transport type: httpupgrade (Cloudflare, less fingerprinted) or ws (CloudFront/universal WebSocket)
370-
# Use 'ws' if using AWS CloudFront — 'httpupgrade' will fail with CloudFront
371-
CDN_TRANSPORT=httpupgrade
369+
# CDN transport type: ws (WebSocket — default, universal client support, battle-tested
370+
# in heavy-censorship contexts) or httpupgrade (slightly lighter overhead, but newer
371+
# Xray clients warn it's deprecated and some CDNs like CloudFront don't support it).
372+
CDN_TRANSPORT=ws
372373

373374
# CDN transport path for inbound
374375
# Auto-generated with a realistic-looking path if empty (recommended for DPI evasion)
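
Review bot: The new comment above `CDN_TRANSPORT=ws` drops the "less fingerprinted" rationale the old comment gave for `httpupgrade` and replaces it with "slightly lighter overhead", without saying whether the fingerprinting difference still applies. The context line just below recommends auto-generated paths "for DPI evasion", so operators picking a transport for that reason need the tradeoff stated. Suggest adding one clause on how the two transports compare on fingerprinting, and keeping the old explicit wording that `httpupgrade` will fail with CloudFront rather than the softer "some CDNs like CloudFront don't support it".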

CHANGELOG.md

Lines changed: 31 additions & 0 deletions
@@ -7,6 +7,37 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
77

88
## [Unreleased]
99

10+
## [1.8.3] - 2026-06-02
11+
12+
### Added
13+
- **Architecture overview page** ([`docs/architecture.md`](docs/architecture.md)) — container topology grouped by Compose profile, dns-router fan-out, bundle generation flow (bootstrap container → state volume → host bundle writer), and the monitoring stack. Registered in the MkDocs nav under About.
14+
- **`site/llms.txt`** at the site root (served at `https://moav.sh/llms.txt`) — [llmstxt.org-spec](https://llmstxt.org/) discovery file with project summary plus categorized links so AI assistants can navigate the docs. Deploys via the existing GitHub Pages workflow.
15+
- **TUI main menu** expanded with four high-value commands previously only reachable via CLI: **Donate configs** (`moav donate`), **Doctor** (`moav doctor`), **Admin password reset** (`moav admin password`), and **Update MoaV** (`moav update`). Existing items 7 and 8 (build/rebuild, export/import) shift to 11 and 12; slots 1–6 unchanged for muscle memory. Menu grouped into "Services / Users & donations / System" with dim headers.
16+
- **New `moav users` sections** for AmneziaWG, Xray (XHTTP + XDNS), TrustTunnel, and Telegram MTProxy — previously the listing only showed sing-box, WireGuard, and bundles, so operators couldn't see who had access to four of the eight per-user services. Each new section reads from the appropriate config file (jq for xray, awk for telemt's TOML, etc.) and shows totals.
17+
18+
### Changed
19+
- **Default CDN transport flipped to WebSocket**`.env.example`'s `CDN_TRANSPORT` changed from `httpupgrade` to `ws`, and the three matching shell fallback defaults (`scripts/bootstrap.sh`, `scripts/singbox-user-add.sh`, `scripts/generate-user.sh`) now also fall back to `ws` so older installs that lack the `.env` line still pick up the new default. WebSocket is universally supported across V2Ray-family clients, battle-tested in heavy-censorship contexts (Iran/China), and first-class on Cloudflare. Newer Xray clients (≥ v26.x) emit a deprecation warning for `httpupgrade`. Overhead difference (~50 bytes/frame) is negligible. **Existing installs keep their current setting** — only fresh installs / re-bootstraps pick up the new default. Operators specifically needing httpupgrade (CloudFront edge cases) can flip it back.
20+
- **Bootstrap domain prompt re-asks on invalid input** — previously, an unparseable hostname (like `foo bar`) was saved with just a warning. The prompt now loops up to 3 attempts, explaining what a valid hostname needs (a dot, only letters/digits/dots/hyphens). After 3 invalid tries it saves the last value with a warning so the operator can fix `.env` manually. Empty input still means domainless mode.
21+
- **Interactive bootstrap surfaces Cloudflare's required SSL/TLS Flexible setting** — the DNS records prompt previously listed only the Origin Rule as a CDN requirement; operators commonly missed that Cloudflare must also be in **Flexible** SSL/TLS mode (port 2082 is plain HTTP) and got a confusing `525` error after. The prompt now lists both settings up-front, with the 521/525 error decoder inline. `docs/DNS.md`'s Cloudflare CDN section is restructured the same way (Flexible up-front, response-code table for verification).
22+
- **TUI add-user preview lists every service** — the "This will add 'X' to:" screen was stuck on the 1.7-era list (sing-box + WireGuard). Replaced with a grouped 5-line list reflecting what `user-add.sh` actually provisions: proxies (Reality / Trojan / Hysteria2 / SS-2022 / XHTTP / CDN VLESS+WS), VPN (WireGuard direct + wstunnel / AmneziaWG / TrustTunnel), DNS tunnels (dnstt / Slipstream / MasterDNS / XDNS), Telegram MTProxy, and GooseRelay if enabled. Also shows the bundle output path.
23+
- **TUI Admin item goes straight to password reset** — was calling `cmd_admin` (which only prints usage from the menu context); now calls `cmd_admin password` directly, since that's the only useful interactive subcommand. Menu label updated to "Admin password reset." The admin URL is already shown in the main-menu status header.
24+
- **Bootstrap container build message** says "may take a few minutes" instead of "may take a minute" — the first-time build is typically 2–5 minutes on a small VPS.
25+
- **Documentation pass for v1.8.2 drift**:
26+
- `docs/CLI.md` profiles table rewritten (was 11 rows missing the `dnstunnel` composite, `telegram`, `xhttp`, `gooserelay`, `amneziawg`, `monitoring`, and `setup` profiles); new "Disabled profiles" subsection under `moav start`; new `moav conduit-offsets` section (was 100% undocumented since 1.7.9).
27+
- `docs/DNS.md` consolidates the four separate NS-delegation Steps + two redundant "all 4 tunnels coexist on port 53" notes into a single table-based section, and the Cloudflare records table gains the missing `m` and `x` NS rows.
28+
- `docs/SETUP.md` drops the duplicated profile bullet list (cross-links to CLI.md); the 1.8.2 implementation-detail callout (cleaning behavior, readline, Ctrl-C recovery) replaced with a short user-facing note that the prompt accepts any input format and re-running picks up where you left off.
29+
- `docs/MONITORING.md` new "Conduit lifetime bandwidth" section documenting the offset watcher, recording rules, and auto-install behavior (1.7.9+ feature that was missing from docs).
30+
- `docs/philosophy.md` rewritten to integrate the article-derived narrative ("This Is Ours to Build", "What Infrastructure Actually Means", "The Internet Is Closing", "A Global Pattern", "The Arms Race Gets Creative", "You Are Donating Bandwidth", "The Window Is Open") with the existing institutional sections (Human Rights, Why Multi-Protocol Matters, Iran's Shutdown History), plus a cite-ready sources appendix.
31+
- `docs/client-guide-template.html` (bundle viewer): Telegram MTProxy section 9 now has a clickable "Open in Telegram" button on top of the copy-pastable link; Tor (10) + Psiphon (11) sections converted to collapsible `<details>` to match the V2Ray-compatible cards; WireGuard-over-WebSocket subsection inside WireGuard (6) also collapsible. EN + FA mirrors.
32+
33+
### Fixed
34+
- **Dashboard user-add silently broke after CLI user-revoke** — when an operator ran `sudo moav user revoke X`, `wg-user-revoke.sh` and `awg-user-revoke.sh` did `mktemp + awk > tmp; mv -f tmp orig`. `mv -f` swaps inodes, so the rewritten config ended up `-rw------- root:root`. The admin container (running as `moav:moav`) then couldn't write the same config on the next dashboard user-add → permission denied. Same pattern existed in the sing-box, Xray, and TrustTunnel rewrite paths. Replaced every `mv -f tmp orig` with `cat tmp > orig; rm -f tmp` so the original file's inode (and thus mode + owner) survives. `user-add.sh` and `user-revoke.sh` also run a `chmod a+rw` sweep over the six config files at the top of every invocation, so legacy installs whose perms were already broken self-heal on the next CLI op (no admin container restart required).
35+
- **`moav user revoke` reported "User not found in sing-box (skipping)" for users that did exist** — the outer check used `grep -q "\"name\":\"$USERNAME\"" configs/sing-box/config.json`, which requires `"name":"X"` with no whitespace between `:` and `"`. But `jq -S` (which renders the config) always emits `"name": "X"` with a space. Grep returned false-negative every time, the revoke skipped the sing-box cleanup (and its chain of TrustTunnel + telemt + xray), bundles got deleted but users stayed in the configs. Three checks (`user-revoke.sh`, `singbox-user-revoke.sh`, `singbox-user-add.sh`) replaced with the same jq query `user-list.sh` uses — whitespace-insensitive, source-of-truth consistent.
36+
- **Xray (XHTTP + XDNS) revoke was completely missing.** `singbox-user-revoke.sh` cleaned sing-box, TrustTunnel, and telemt but never touched `configs/xray/config.json`. Revoked users' XHTTP `vless://...?type=xhttp` and XDNS configs kept working. New jq-deletion block in `singbox-user-revoke.sh` removes the user from both `.settings.clients[]` and `.settings.users[]` (the v26.5.9 schema rename made these aliases — bootstrap writes the new `users` field, legacy add wrote `clients`, so we now check + delete in both). Restarts xray to apply.
37+
- **Xray users/clients alias split-brain.** Related to the previous: `moav users` showed "(no users)" for Xray on a working install, because bootstrap-added users live in `.settings.users` (template path) and the listing only checked `.settings.clients`. Fixed in `user-list.sh` (reads both); fixed in `singbox-user-add.sh` (exists-check now scans both; new users now written to the canonical `.settings.users` to match the template).
38+
- **`user-add.sh` GOPROXY auto-heal failed on read-only `.env`** — when the admin container called `user-add.sh`, `sed -i.bak .env` errored with "Read-only file system" because `/project` is mounted read-only inside the admin service. Now heals into a tempfile, sources the tempfile (so env vars load correctly), and only `cat`'s the heal back to `.env` when it's writable (the CLI path). The admin-container path no longer trips on the leading sed failure.
39+
- **Main-menu status line leaked `.env` inline comments** — the admin URL rendered as `https://t7d.my:9443 # Admin dashboard` because `get_admin_url`'s parser (`grep | cut -d= -f2 | tr -d '"'`) stripped quotes but not trailing `# comments`. Routed all four URL helpers (`get_admin_url`, `get_grafana_url`, `get_grafana_cdn_url`, `get_cdn_url`) through the existing `get_env_val` helper which strips both comments and whitespace.
40+
1041
## [1.8.2] - 2026-05-29
1142

1243
### Fixed
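
Review bot: In the first Fixed entry, the `chmod a+rw` sweep over the six config files grants read and write to every user on the host, which is broader than the stated goal of letting the admin container (running as `moav:moav`) write them. Suggest granting access through the `moav` owner or group instead of `a+rw`, and noting in the same entry that `cat tmp > orig; rm -f tmp` is not atomic the way `mv -f` was, so an interrupted rewrite can leave a truncated config. Separately, the first Changed entry is missing the separator between `**Default CDN transport flipped to WebSocket**` and `.env.example`.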

README-fa.md

Lines changed: 6 additions & 0 deletions
@@ -2,6 +2,8 @@
22

33
# MoaV
44

5+
[![Website](https://img.shields.io/badge/website-moav.sh-cyan.svg)](https://moav.sh) [![Docs](https://img.shields.io/badge/docs-moav.sh%2Fdocs-cyan.svg)](https://moav.sh/docs/) [![Version](https://img.shields.io/badge/version-1.8.2-blue.svg)](CHANGELOG.md) [![License](https://img.shields.io/badge/license-MIT-green.svg)](LICENSE)
6+
57
**[English](README.md)** | فارسی
68

79
استک عبور از سانسور چند پروتکلی بهینه‌سازی شده برای محیط‌های شبکه‌ای خصمانه.
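
Review bot: The badge line added in this hunk carries `version-1.8.2-blue.svg`, while the same release bumps `VERSION` and the `README.md` badge to 1.8.3. Suggest changing the Persian README badge to `version-1.8.3` so both READMEs agree with `VERSION`.
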
@@ -361,6 +363,10 @@ MoaV/
361363

362364
MIT
363365

366+
## تغییرات
367+
368+
برای یادداشت‌های انتشار و تاریخچه نسخه‌ها به [CHANGELOG.md](CHANGELOG.md) مراجعه کنید.
369+
364370
## سلب مسئولیت
365371

366372
این پروژه **فقط نرم‌افزار شبکه متن‌باز با کاربرد عمومی** ارائه می‌دهد.

README.md

Lines changed: 1 addition & 1 deletion
@@ -1,6 +1,6 @@
11
# MoaV
22

3-
[![Website](https://img.shields.io/badge/website-moav.sh-cyan.svg)](https://moav.sh) [![Docs](https://img.shields.io/badge/docs-moav.sh%2Fdocs-cyan.svg)](https://moav.sh/docs/) [![Version](https://img.shields.io/badge/version-1.8.2-blue.svg)](CHANGELOG.md) [![License](https://img.shields.io/badge/license-MIT-green.svg)](LICENSE)
3+
[![Website](https://img.shields.io/badge/website-moav.sh-cyan.svg)](https://moav.sh) [![Docs](https://img.shields.io/badge/docs-moav.sh%2Fdocs-cyan.svg)](https://moav.sh/docs/) [![Version](https://img.shields.io/badge/version-1.8.3-blue.svg)](CHANGELOG.md) [![License](https://img.shields.io/badge/license-MIT-green.svg)](LICENSE)
44

55
English | **[فارسی](README-fa.md)**
66

VERSION

Lines changed: 1 addition & 1 deletion
@@ -1 +1 @@
1-
1.8.2
1+
1.8.3

docs/CLI.md

Lines changed: 47 additions & 19 deletions
@@ -232,15 +232,28 @@ Start services.
232232

233233
```bash
234234
moav start # Start DEFAULT_PROFILES from .env
235-
moav start all # Start all services
235+
moav start all # Start all services whose ENABLE_* is true
236236
moav start proxy # Start proxy profile only
237237
moav start proxy admin # Start multiple profiles
238238
moav start proxy wireguard admin # Start three profiles
239239
```
240240

241241
**Arguments:**
242-
- No arguments: Uses `DEFAULT_PROFILES` from `.env`
243-
- Profile names: Start specific profiles (space-separated)
242+
- No arguments: uses `DEFAULT_PROFILES` from `.env`
243+
- Profile names: start specific profiles (space-separated)
244+
- `--force` / `-f`: bypass the profile-filtering prompt (see below)
245+
246+
##### Disabled profiles
247+
248+
`moav start` respects the `ENABLE_*` flags in `.env`:
249+
250+
- **No args** or **`moav start all`**: starts only the profiles whose `ENABLE_*` is `true`. Anything disabled is skipped (you'll see `Skipping disabled profiles: <list>`).
251+
- **`moav start <name>`** for a profile that's disabled in `.env`: you get a prompt:
252+
1. **Enable + start** — flips `ENABLE_*=true` in `.env`, then starts (persists for next time).
253+
2. **Skip** — don't start; `.env` stays as-is.
254+
3. **Start once** — start now without modifying `.env` (won't auto-start next time).
255+
256+
For profiles backed by multiple flags (`proxy`, `dnstunnel`), option 1 shows which flags to set manually. `--force` bypasses the prompt. Non-interactive shells default to skip.
244257

245258
#### `moav stop`
246259
Stop services.
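
Review bot: The "Disabled profiles" text says `--force` bypasses the prompt but not which of the three outcomes it selects, so a reader cannot tell whether `moav start <name> --force` rewrites `.env` (option 1) or starts once without persisting (option 3). Suggest stating that behaviour explicitly next to the `--force` / `-f` bullet and adding a `--force` line to the usage block at the top of the section.
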
@@ -567,6 +580,17 @@ link inside Ryve.
567580
> publicly. The link you share with users is the Personal Pairing link
568581
> generated inside Ryve, not the claim link. `moav donate info` is an alias.
569582
583+
#### `moav conduit-offsets`
584+
Manage the watcher that keeps Conduit's **lifetime bandwidth** Grafana panels accurate across container restarts.
585+
586+
```bash
587+
moav conduit-offsets install # Install the systemd watcher
588+
moav conduit-offsets status # Show watcher state (enabled/disabled, last run)
589+
moav conduit-offsets uninstall # Remove the watcher
590+
```
591+
592+
The watcher installs itself automatically the first time Conduit and monitoring run together — you usually don't need to touch this. Set `CONDUIT_OFFSETS_AUTOUPDATE=false` in `.env` to opt out. Hosts without systemd skip the watcher; run `scripts/update-conduit-offsets.sh` from cron instead. See [Monitoring → Conduit lifetime bandwidth](MONITORING.md#conduit-lifetime-bandwidth).
593+
570594
---
571595

572596
### Migration
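
Review bot: The closing paragraph says hosts without systemd skip the watcher, but the command list does not say what `moav conduit-offsets install` and `status` do on such a host, and the cron fallback names `scripts/update-conduit-offsets.sh` without a schedule or the user it should run as. Suggest one sentence on the non-systemd behaviour of each subcommand and an example interval for the cron entry.
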
@@ -632,26 +656,30 @@ Use this after:
632656

633657
## Profiles
634658

635-
Profiles group related services together.
636-
637-
| Profile | Services Included |
638-
|---------|-------------------|
639-
| `proxy` | sing-box, decoy, certbot |
640-
| `wireguard` | wireguard, wstunnel |
641-
| `dnstt` | dnstt |
642-
| `slipstream` | slipstream |
643-
| `masterdns` | masterdns |
644-
| `trusttunnel` | trusttunnel |
645-
| `admin` | admin |
646-
| `conduit` | psiphon-conduit |
647-
| `snowflake` | snowflake |
648-
| `client` | client (for testing) |
649-
| `all` | All of the above |
659+
Profiles group related services. Each maps to one or more `ENABLE_*` flags in `.env`; `moav start` filters disabled profiles automatically (see [Profile filtering](#moav-start)).
660+
661+
| Profile | Services | Controlled by |
662+
|---------|----------|---------------|
663+
| `proxy` | sing-box, decoy, certbot | `ENABLE_REALITY` / `ENABLE_TROJAN` / `ENABLE_HYSTERIA2` / `ENABLE_SS` (any) |
664+
| `xhttp` | xray | `ENABLE_XHTTP` |
665+
| `wireguard` | wireguard, wstunnel, decoy, certbot | `ENABLE_WIREGUARD` |
666+
| `amneziawg` | amneziawg | `ENABLE_AMNEZIAWG` |
667+
| `dnstunnel` | dns-router, dnstt, slipstream, masterdns, xray (XDNS) | `ENABLE_DNSTT` / `ENABLE_SLIPSTREAM` / `ENABLE_MASTERDNS` / `ENABLE_XDNS` (any) |
668+
| `trusttunnel` | trusttunnel | `ENABLE_TRUSTTUNNEL` |
669+
| `telegram` | telemt | `ENABLE_TELEMT` |
670+
| `admin` | admin, docker-proxy | `ENABLE_ADMIN_UI` |
671+
| `conduit` | psiphon-conduit | `ENABLE_CONDUIT` |
672+
| `snowflake` | snowflake, snowflake-exporter | `ENABLE_SNOWFLAKE` |
673+
| `gooserelay` | gooserelay | `ENABLE_GOOSERELAY` (opt-in) |
674+
| `monitoring` | prometheus, grafana, grafana-proxy, node-exporter, cadvisor + per-protocol exporters | `ENABLE_MONITORING` (opt-in) |
675+
| `setup` | bootstrap, geoip-updater | (lifecycle, not user-toggled) |
676+
| `client` | client | (for local testing) |
677+
| `all` | All services above | (used by `moav start all`, `moav build`, `moav logs`, etc.) |
650678

651679
**Usage:**
652680
```bash
653681
moav start proxy admin # Start proxy and admin profiles
654-
moav start all # Start everything
682+
moav start all # Expands to every profile whose ENABLE_* is true
655683
```
656684

657685
---
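
Review bot: The new intro line links `[Profile filtering](#moav-start)`, but the subsection this commit adds under `moav start` is titled "Disabled profiles", so the link text names a heading that does not exist and the anchor lands at the top of the command rather than at the filtering rules. Suggest using the subsection's own title as the link text and pointing the anchor at it. The `all` row also reads "All services above" while the updated usage comment says `moav start all` expands only to profiles whose `ENABLE_*` is true; the row should say the same.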
