feat: release v3.0.0 risk telemetry

2026-05-01 01:14:10 +05:30 · 2026-04-29 18:30:49 +10:00
parent e109f6b246
commit a5f962db84
31 changed files with 1367 additions and 80 deletions
--- a/agent/jboard-agent/Makefile
+++ b/agent/jboard-agent/Makefile
@@ -1,5 +1,5 @@
 BINARY := jboard-agent
-VERSION := 2.3.0
+VERSION := 3.0.0
 LDFLAGS := -s -w
 .PHONY: build build-linux clean
--- a/agent/jboard-agent/README.md
+++ b/agent/jboard-agent/README.md
@@ -1,11 +1,12 @@
 # jboard-agent
-`jboard-agent` 只负责节点探测上报：
+`jboard-agent` 以旁路方式负责节点探测和可选的 Xray access log 风控上报：
 - 三网 TCP 延迟：`POST /api/agent/latency`
 - 三网路由跟踪：`POST /api/agent/trace`
 - Xray access log 聚合：`POST /api/agent/node-access`，安装/升级脚本会自动探测并写入 `XRAY_ACCESS_LOG_PATH`
-节点入站、客户端开通、暂停、删除、流量限制等配置均由 3x-ui 面板维护。J-Board 后端不向节点下发 Xray/Hy2 配置。
+节点入站、客户端开通、暂停、删除、流量限制等配置均由 3x-ui 面板维护。Agent 只读日志文件，不修改 3x-ui 配置、不重启 Xray。
 ## 构建
@@ -29,12 +30,16 @@ AUTH_TOKEN=后台生成的探测Token \
 | --- | --- | --- |
 | `LATENCY_INTERVAL` | `5m` | 延迟探测间隔，支持 `30s`、`5m` 或秒数 |
 | `TRACE_INTERVAL` | `30m` | 路由探测间隔，支持 `30m` 或秒数 |
 | `XRAY_ACCESS_LOG_PATH` | 自动探测 | Xray access log 路径；安装/升级脚本会优先查找 `/usr/local/x-ui/access.log` 等常见路径，仍为空时禁用节点真实连接风控 |
 | `XRAY_LOG_INTERVAL` | `1m` | 日志读取和聚合上报间隔 |
 | `XRAY_LOG_STATE_FILE` | `/var/lib/jboard-agent/xray-log-state.json` | 日志 offset 状态文件 |
 | `XRAY_LOG_START_AT_END` | `1` | 首次启动从文件末尾开始，避免上传历史巨量日志；设为 `0` 可从头读取 |
 路由探测依赖 `nexttrace` 命令；延迟探测无需额外依赖。
 ## systemd
-推荐从 J-Board 后台节点页复制一键安装命令。该命令会下载 release 二进制、安装 `nexttrace`、写入 systemd 服务并启动。
+推荐从 J-Board 后台节点页复制一键安装命令。该命令会下载 release 二进制、安装 `nexttrace`、自动探测 3x-ui/Xray access log、写入 systemd 服务并启动。
 ## 延迟算法
--- a/agent/jboard-agent/cmd/agent/main.go
+++ b/agent/jboard-agent/cmd/agent/main.go
@@ -12,7 +12,7 @@ import (
 	"github.com/jboard/jboard-agent/internal/probe"
 )
-const version = "2.3.0"
+const version = "3.0.0"
 func main() {
 	debug.SetGCPercent(50)
@@ -25,6 +25,7 @@ func main() {
 	go probe.LatencyLoop(ctx, cfg)
 	go probe.TraceLoop(ctx, cfg)
 	go probe.XrayAccessLogLoop(ctx, cfg)
 	sigCh := make(chan os.Signal, 1)
 	signal.Notify(sigCh, syscall.SIGINT, syscall.SIGTERM)
--- a/agent/jboard-agent/internal/config/config.go
+++ b/agent/jboard-agent/internal/config/config.go
@@ -4,6 +4,7 @@ import (
 	"log"
 	"os"
 	"strconv"
 	"strings"
 	"time"
 )
@@ -13,14 +14,23 @@ type Config struct {
 	LatencyInterval time.Duration
 	TraceInterval   time.Duration
 	XrayAccessLogPath string
 	XrayLogStateFile  string
 	XrayLogInterval   time.Duration
 	XrayLogStartAtEnd bool
 }
 func Load() *Config {
 	cfg := &Config{
-		ServerURL:       envOrDefault("SERVER_URL", ""),
+		ServerURL:         envOrDefault("SERVER_URL", ""),
-		AuthToken:       envOrDefault("AUTH_TOKEN", ""),
+		AuthToken:         envOrDefault("AUTH_TOKEN", ""),
-		LatencyInterval: envDuration("LATENCY_INTERVAL", 5*time.Minute),
+		LatencyInterval:   envDuration("LATENCY_INTERVAL", 5*time.Minute),
-		TraceInterval:   envDuration("TRACE_INTERVAL", 30*time.Minute),
+		TraceInterval:     envDuration("TRACE_INTERVAL", 30*time.Minute),
 		XrayAccessLogPath: envOrDefault("XRAY_ACCESS_LOG_PATH", ""),
 		XrayLogStateFile:  envOrDefault("XRAY_LOG_STATE_FILE", "/var/lib/jboard-agent/xray-log-state.json"),
 		XrayLogInterval:   envDuration("XRAY_LOG_INTERVAL", time.Minute),
 		XrayLogStartAtEnd: envBool("XRAY_LOG_START_AT_END", true),
 	}
 	if cfg.ServerURL == "" || cfg.AuthToken == "" {
@@ -53,3 +63,19 @@ func envDuration(key string, fallback time.Duration) time.Duration {
 	return fallback
 }
 func envBool(key string, fallback bool) bool {
 	v := os.Getenv(key)
 	if v == "" {
 		return fallback
 	}
 	switch strings.ToLower(strings.TrimSpace(v)) {
 	case "1", "true", "yes", "y", "on":
 		return true
 	case "0", "false", "no", "n", "off":
 		return false
 	default:
 		return fallback
 	}
 }
--- a/agent/jboard-agent/internal/probe/route_classify.go
+++ b/agent/jboard-agent/internal/probe/route_classify.go
@@ -0,0 +1,124 @@
 package probe
 import (
 	"regexp"
 	"strings"
 )
 var asnPattern = regexp.MustCompile(`(?i)(?:^|\b)AS?\s*(\d{2,10})(?:\b|$)`)
 func normalizeRouteText(value string) string {
 	return strings.ToUpper(strings.TrimSpace(value))
 }
 func normalizeASN(value string) string {
 	text := normalizeRouteText(value)
 	if text == "" {
 		return ""
 	}
 	match := asnPattern.FindStringSubmatch(text)
 	if len(match) > 1 {
 		return match[1]
 	}
 	for _, r := range text {
 		if r < '0' || r > '9' {
 			return ""
 		}
 	}
 	return text
 }
 func hasASN(asns map[string]struct{}, values ...string) bool {
 	for _, value := range values {
 		if _, ok := asns[value]; ok {
 			return true
 		}
 	}
 	return false
 }
 func hasText(combined string, values ...string) bool {
 	for _, value := range values {
 		if strings.Contains(combined, value) {
 			return true
 		}
 	}
 	return false
 }
 func hasIPPrefix(ips []string, prefixes ...string) bool {
 	for _, ip := range ips {
 		for _, prefix := range prefixes {
 			if strings.HasPrefix(ip, prefix) {
 				return true
 			}
 		}
 	}
 	return false
 }
 func detectSummary(hops []hopDetail) string {
 	var texts []string
 	var ips []string
 	asns := make(map[string]struct{})
 	for _, hop := range hops {
 		if hop.IP != "" && hop.IP != "*" {
 			ips = append(ips, hop.IP)
 		}
 		parts := []string{hop.Geo, hop.ASN, hop.Owner, hop.ISP}
 		text := normalizeRouteText(strings.Join(parts, " "))
 		texts = append(texts, text)
 		if asn := normalizeASN(hop.ASN); asn != "" {
 			asns[asn] = struct{}{}
 		}
 		for _, match := range asnPattern.FindAllStringSubmatch(text, -1) {
 			if len(match) > 1 {
 				asns[match[1]] = struct{}{}
 			}
 		}
 	}
 	combined := strings.Join(texts, " ")
 	cn2Evidence := hasASN(asns, "4809") ||
 		hasIPPrefix(ips, "59.43.") ||
 		hasText(combined, "CN2", "CTGNET", "CHINANET NEXT CARRYING NETWORK", "CHINA TELECOM GLOBAL")
 	cn2GIAText := hasText(combined, "CN2 GIA", "CN2GIA", "GIA", "GLOBAL INTERNET ACCESS")
 	ordinaryTelecomHops := 0
 	for _, text := range texts {
 		if strings.Contains(text, "AS4134") ||
 			strings.Contains(text, "CHINANET BACKBONE") ||
 			strings.Contains(text, "CHINANET 163") ||
 			strings.Contains(text, "163骨干") {
 			ordinaryTelecomHops++
 		}
 	}
 	for _, ip := range ips {
 		if strings.HasPrefix(ip, "202.97.") {
 			ordinaryTelecomHops++
 		}
 	}
 	if cn2Evidence {
 		if cn2GIAText || ordinaryTelecomHops <= 1 {
 			return "CN2 GIA"
 		}
 		return "CN2 GT"
 	}
 	if hasASN(asns, "9929", "10099") || hasText(combined, "CUII", "A网", "AS9929") {
 		return "AS9929"
 	}
 	if hasText(combined, "CMIN2") || hasASN(asns, "58807", "58809", "58813", "58819", "59807") {
 		return "CMIN2"
 	}
 	if hasText(combined, "CMI") || hasASN(asns, "58453") {
 		return "CMI"
 	}
 	if hasASN(asns, "4837") || hasText(combined, "AS4837") {
 		return "AS4837"
 	}
 	return "普通线路"
 }
--- a/agent/jboard-agent/internal/probe/route_classify_test.go
+++ b/agent/jboard-agent/internal/probe/route_classify_test.go
@@ -0,0 +1,35 @@
 package probe
 import "testing"
 func TestDetectSummaryCN2GIAFromAS4809And59_43(t *testing.T) {
 	hops := []hopDetail{
 		{Hop: 1, IP: "*"},
 		{Hop: 2, IP: "59.43.246.237", ASN: "AS4809", Geo: "中国 上海 China Telecom CN2"},
 		{Hop: 3, IP: "219.141.136.12", ASN: "AS4134", Geo: "中国 北京 电信"},
 	}
 	if got := detectSummary(hops); got != "CN2 GIA" {
 		t.Fatalf("detectSummary() = %q, want CN2 GIA", got)
 	}
 }
 func TestDetectSummaryCN2GTWhenCN2FallsBackTo163(t *testing.T) {
 	hops := []hopDetail{
 		{Hop: 1, IP: "59.43.248.1", ASN: "AS4809", Geo: "CN2"},
 		{Hop: 2, IP: "202.97.12.1", ASN: "AS4134", Geo: "CHINANET BACKBONE"},
 		{Hop: 3, IP: "202.97.18.1", ASN: "AS4134", Geo: "CHINANET BACKBONE"},
 	}
 	if got := detectSummary(hops); got != "CN2 GT" {
 		t.Fatalf("detectSummary() = %q, want CN2 GT", got)
 	}
 }
 func TestDetectSummaryCMIN2BeforeCMI(t *testing.T) {
 	hops := []hopDetail{
 		{Hop: 2, IP: "223.120.20.1", ASN: "AS58807", Geo: "CMIN2 China Mobile"},
 		{Hop: 3, IP: "211.136.25.153", ASN: "AS9808", Geo: "CMI Mobile"},
 	}
 	if got := detectSummary(hops); got != "CMIN2" {
 		t.Fatalf("detectSummary() = %q, want CMIN2", got)
 	}
 }
--- a/agent/jboard-agent/internal/probe/trace.go
+++ b/agent/jboard-agent/internal/probe/trace.go
@@ -27,6 +27,9 @@ type hopDetail struct {
 	IP      string  `json:"ip"`
 	Geo     string  `json:"geo"`
 	Latency float64 `json:"latency"`
 	ASN     string  `json:"asn,omitempty"`
 	Owner   string  `json:"owner,omitempty"`
 	ISP     string  `json:"isp,omitempty"`
 }
 type traceResult struct {
@@ -129,7 +132,6 @@ func runTrace(ip string) ([]hopDetail, string, error) {
 	}
 	var hops []hopDetail
 	var asnumbers []string
 	for i, hopGroup := range parsed.Hops {
 		hop := hopDetail{Hop: i + 1}
 		for _, probe := range hopGroup {
@@ -151,9 +153,9 @@ func runTrace(ip string) ([]hopDetail, string, error) {
 						parts = append(parts, probe.Geo.Owner)
 					}
 					hop.Geo = strings.Join(parts, " ")
-					if probe.Geo.Asnumber != "" {
+					hop.ASN = probe.Geo.Asnumber
-						asnumbers = append(asnumbers, probe.Geo.Asnumber)
+					hop.Owner = probe.Geo.Owner
-					}
+					hop.ISP = probe.Geo.Isp
 				}
 				break
 			}
@@ -167,34 +169,6 @@ func runTrace(ip string) ([]hopDetail, string, error) {
 		hops[0].Geo = ""
 	}
-	summary := detectSummary(hops, asnumbers)
+	summary := detectSummary(hops)
 	return hops, summary, nil
 }
 func detectSummary(hops []hopDetail, asnumbers []string) string {
 	combined := ""
 	for _, h := range hops {
 		combined += " " + strings.ToUpper(h.Geo)
 	}
 	asSet := ""
 	for _, asn := range asnumbers {
 		asSet += " " + asn
 	}
 	switch {
 	case strings.Contains(combined, "CN2") && strings.Contains(combined, "GIA"):
 		return "CN2 GIA"
 	case strings.Contains(combined, "CN2"):
 		return "CN2 GT"
 	case strings.Contains(asSet, "9929") || strings.Contains(combined, "CUII") || strings.Contains(combined, "A网"):
 		return "AS9929"
 	case strings.Contains(asSet, "4837"):
 		return "AS4837"
 	case strings.Contains(combined, "CMI") || strings.Contains(asSet, "58453"):
 		return "CMI"
 	case strings.Contains(combined, "CMIN2") || strings.Contains(asSet, "59807"):
 		return "CMIN2"
 	default:
 		return "普通线路"
 	}
 }
--- a/agent/jboard-agent/internal/probe/xraylog.go
+++ b/agent/jboard-agent/internal/probe/xraylog.go
@@ -0,0 +1,345 @@
 package probe
 import (
 	"context"
 	"encoding/json"
 	"errors"
 	"log"
 	"net"
 	"os"
 	"path/filepath"
 	"regexp"
 	"strconv"
 	"strings"
 	"syscall"
 	"time"
 	"github.com/jboard/jboard-agent/internal/config"
 )
 const maxXrayReadBytes int64 = 2 * 1024 * 1024
 const maxXrayEventsPerPush = 300
 var xrayAccessLinePattern = regexp.MustCompile(`^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(accepted|rejected)\s+(?:(tcp|udp):)?(\S+)\s+\[([^\]]+)\](?:.*?\bemail:\s*([^\s]+))?`)
 type xrayLogState struct {
 	Path   string `json:"path"`
 	Inode  uint64 `json:"inode"`
 	Offset int64  `json:"offset"`
 }
 type nodeAccessEvent struct {
 	ClientEmail       string `json:"clientEmail"`
 	SourceIP          string `json:"sourceIp"`
 	InboundTag        string `json:"inboundTag,omitempty"`
 	Network           string `json:"network,omitempty"`
 	TargetHost        string `json:"targetHost,omitempty"`
 	TargetPort        int    `json:"targetPort,omitempty"`
 	Action            string `json:"action"`
 	ConnectionCount   int    `json:"connectionCount"`
 	UniqueTargetCount int    `json:"uniqueTargetCount,omitempty"`
 	FirstSeenAt       string `json:"firstSeenAt,omitempty"`
 	LastSeenAt        string `json:"lastSeenAt,omitempty"`
 }
 type nodeAccessPayload struct {
 	Events []nodeAccessEvent `json:"events"`
 }
 type parsedXrayAccess struct {
 	ClientEmail string
 	SourceIP    string
 	InboundTag  string
 	Network     string
 	TargetHost  string
 	TargetPort  int
 	Action      string
 	SeenAt      time.Time
 }
 type accessAggregate struct {
 	event   nodeAccessEvent
 	targets map[string]struct{}
 }
 func XrayAccessLogLoop(ctx context.Context, cfg *config.Config) {
 	if strings.TrimSpace(cfg.XrayAccessLogPath) == "" {
 		log.Println("[xray-log] disabled; set XRAY_ACCESS_LOG_PATH to enable node access risk telemetry")
 		return
 	}
 	ticker := time.NewTicker(cfg.XrayLogInterval)
 	defer ticker.Stop()
 	collectAndPushXrayLogs(cfg)
 	for {
 		select {
 		case <-ctx.Done():
 			return
 		case <-ticker.C:
 			collectAndPushXrayLogs(cfg)
 		}
 	}
 }
 func collectAndPushXrayLogs(cfg *config.Config) {
 	events, state, err := readNewXrayEvents(cfg)
 	if err != nil {
 		if !errors.Is(err, os.ErrNotExist) {
 			log.Printf("[xray-log] read error: %v", err)
 		}
 		return
 	}
 	if len(events) == 0 {
 		if err := saveXrayLogState(cfg.XrayLogStateFile, state); err != nil {
 			log.Printf("[xray-log] state save error: %v", err)
 		}
 		return
 	}
 	payload := nodeAccessPayload{Events: events}
 	body, _ := json.Marshal(payload)
 	if err := postToServer(cfg, "/api/agent/node-access", body); err != nil {
 		log.Printf("[xray-log] push error: %v", err)
 		return
 	}
 	if err := saveXrayLogState(cfg.XrayLogStateFile, state); err != nil {
 		log.Printf("[xray-log] state save error: %v", err)
 	}
 	log.Printf("[xray-log] pushed %d aggregate access events", len(events))
 }
 func readNewXrayEvents(cfg *config.Config) ([]nodeAccessEvent, xrayLogState, error) {
 	path := strings.TrimSpace(cfg.XrayAccessLogPath)
 	info, err := os.Stat(path)
 	if err != nil {
 		return nil, xrayLogState{}, err
 	}
 	inode := fileInode(info)
 	state := loadXrayLogState(cfg.XrayLogStateFile)
 	if state.Path != path || state.Inode != inode || state.Offset > info.Size() {
 		state = xrayLogState{Path: path, Inode: inode}
 		if cfg.XrayLogStartAtEnd {
 			state.Offset = info.Size()
 		}
 	}
 	if info.Size() <= state.Offset {
 		return nil, state, nil
 	}
 	readBytes := info.Size() - state.Offset
 	if readBytes > maxXrayReadBytes {
 		readBytes = maxXrayReadBytes
 	}
 	file, err := os.Open(path)
 	if err != nil {
 		return nil, state, err
 	}
 	defer file.Close()
 	buf := make([]byte, readBytes)
 	n, err := file.ReadAt(buf, state.Offset)
 	if err != nil && n == 0 {
 		return nil, state, err
 	}
 	data := string(buf[:n])
 	consumed := int64(n)
 	if lastNewline := strings.LastIndexByte(data, '\n'); lastNewline >= 0 && lastNewline < len(data)-1 {
 		data = data[:lastNewline+1]
 		consumed = int64(len(data))
 	}
 	state.Offset += consumed
 	events := aggregateXrayAccessLines(strings.Split(data, "\n"))
 	if len(events) > maxXrayEventsPerPush {
 		events = events[:maxXrayEventsPerPush]
 	}
 	return events, state, nil
 }
 func loadXrayLogState(path string) xrayLogState {
 	data, err := os.ReadFile(path)
 	if err != nil {
 		return xrayLogState{}
 	}
 	var state xrayLogState
 	if err := json.Unmarshal(data, &state); err != nil {
 		return xrayLogState{}
 	}
 	return state
 }
 func saveXrayLogState(path string, state xrayLogState) error {
 	if strings.TrimSpace(path) == "" {
 		return nil
 	}
 	if err := os.MkdirAll(filepath.Dir(path), 0o755); err != nil {
 		return err
 	}
 	data, _ := json.Marshal(state)
 	return os.WriteFile(path, data, 0o600)
 }
 func fileInode(info os.FileInfo) uint64 {
 	stat, ok := info.Sys().(*syscall.Stat_t)
 	if !ok || stat == nil {
 		return 0
 	}
 	return uint64(stat.Ino)
 }
 func aggregateXrayAccessLines(lines []string) []nodeAccessEvent {
 	aggregates := make(map[string]*accessAggregate)
 	var order []string
 	for _, line := range lines {
 		parsed, ok := parseXrayAccessLine(line)
 		if !ok || parsed.ClientEmail == "" || parsed.SourceIP == "" {
 			continue
 		}
 		key := strings.Join([]string{
 			parsed.ClientEmail,
 			parsed.SourceIP,
 			parsed.InboundTag,
 			parsed.Network,
 			parsed.Action,
 		}, "|")
 		agg, ok := aggregates[key]
 		if !ok {
 			agg = &accessAggregate{
 				event: nodeAccessEvent{
 					ClientEmail:     parsed.ClientEmail,
 					SourceIP:        parsed.SourceIP,
 					InboundTag:      parsed.InboundTag,
 					Network:         parsed.Network,
 					TargetHost:      parsed.TargetHost,
 					TargetPort:      parsed.TargetPort,
 					Action:          parsed.Action,
 					ConnectionCount: 0,
 					FirstSeenAt:     parsed.SeenAt.Format(time.RFC3339),
 					LastSeenAt:      parsed.SeenAt.Format(time.RFC3339),
 				},
 				targets: make(map[string]struct{}),
 			}
 			aggregates[key] = agg
 			order = append(order, key)
 		}
 		agg.event.ConnectionCount++
 		if parsed.TargetHost != "" {
 			agg.targets[parsed.TargetHost] = struct{}{}
 		}
 		if parsed.SeenAt.After(parseRFC3339OrZero(agg.event.LastSeenAt)) {
 			agg.event.LastSeenAt = parsed.SeenAt.Format(time.RFC3339)
 		}
 	}
 	events := make([]nodeAccessEvent, 0, len(order))
 	for _, key := range order {
 		agg := aggregates[key]
 		agg.event.UniqueTargetCount = len(agg.targets)
 		events = append(events, agg.event)
 	}
 	return events
 }
 func parseXrayAccessLine(line string) (parsedXrayAccess, bool) {
 	line = strings.TrimSpace(line)
 	if line == "" {
 		return parsedXrayAccess{}, false
 	}
 	match := xrayAccessLinePattern.FindStringSubmatch(line)
 	if len(match) == 0 {
 		return parsedXrayAccess{}, false
 	}
 	seenAt, err := time.ParseInLocation("2006/01/02 15:04:05", match[1], time.Local)
 	if err != nil {
 		seenAt = time.Now()
 	}
 	network := strings.ToLower(match[4])
 	targetHost, targetPort := splitTarget(match[5])
 	if network == "" {
 		network = inferNetwork(match[5])
 	}
 	return parsedXrayAccess{
 		ClientEmail: strings.TrimSpace(match[7]),
 		SourceIP:    stripPort(match[2]),
 		InboundTag:  normalizeInboundTag(match[6]),
 		Network:     network,
 		TargetHost:  targetHost,
 		TargetPort:  targetPort,
 		Action:      strings.ToLower(match[3]),
 		SeenAt:      seenAt,
 	}, true
 }
 func normalizeInboundTag(value string) string {
 	parts := strings.Split(value, ">>")
 	return strings.TrimSpace(parts[0])
 }
 func inferNetwork(target string) string {
 	if strings.HasPrefix(strings.ToLower(target), "udp:") {
 		return "udp"
 	}
 	return "tcp"
 }
 func splitTarget(value string) (string, int) {
 	value = trimTransportPrefix(strings.TrimSpace(value))
 	if host, port, err := net.SplitHostPort(value); err == nil {
 		return strings.Trim(host, "[]"), atoiOrZero(port)
 	}
 	idx := strings.LastIndex(value, ":")
 	if idx > 0 && idx < len(value)-1 {
 		port := atoiOrZero(value[idx+1:])
 		if port > 0 {
 			return strings.Trim(value[:idx], "[]"), port
 		}
 	}
 	return strings.Trim(value, "[]"), 0
 }
 func stripPort(value string) string {
 	value = trimTransportPrefix(strings.TrimSpace(value))
 	if host, _, err := net.SplitHostPort(value); err == nil {
 		return strings.Trim(host, "[]")
 	}
 	idx := strings.LastIndex(value, ":")
 	if idx > 0 && idx < len(value)-1 && atoiOrZero(value[idx+1:]) > 0 {
 		return strings.Trim(value[:idx], "[]")
 	}
 	return strings.Trim(value, "[]")
 }
 func trimTransportPrefix(value string) string {
 	lower := strings.ToLower(value)
 	if strings.HasPrefix(lower, "tcp:") || strings.HasPrefix(lower, "udp:") {
 		return value[4:]
 	}
 	return value
 }
 func atoiOrZero(value string) int {
 	n, err := strconv.Atoi(value)
 	if err != nil {
 		return 0
 	}
 	return n
 }
 func parseRFC3339OrZero(value string) time.Time {
 	parsed, err := time.Parse(time.RFC3339, value)
 	if err != nil {
 		return time.Time{}
 	}
 	return parsed
 }
--- a/agent/jboard-agent/internal/probe/xraylog_test.go
+++ b/agent/jboard-agent/internal/probe/xraylog_test.go
@@ -0,0 +1,63 @@
 package probe
 import "testing"
 func TestParseXrayAccessLine(t *testing.T) {
 	line := "2026/04/29 10:11:12 203.0.113.9:51820 accepted tcp:example.com:443 [proxy-in >> freedom] email: user@example.com-cabc1234"
 	got, ok := parseXrayAccessLine(line)
 	if !ok {
 		t.Fatal("parseXrayAccessLine() failed")
 	}
 	if got.SourceIP != "203.0.113.9" {
 		t.Fatalf("SourceIP = %q", got.SourceIP)
 	}
 	if got.ClientEmail != "user@example.com-cabc1234" {
 		t.Fatalf("ClientEmail = %q", got.ClientEmail)
 	}
 	if got.InboundTag != "proxy-in" {
 		t.Fatalf("InboundTag = %q", got.InboundTag)
 	}
 	if got.Network != "tcp" || got.TargetHost != "example.com" || got.TargetPort != 443 {
 		t.Fatalf("target = %s %s:%d", got.Network, got.TargetHost, got.TargetPort)
 	}
 }
 func TestParseXrayAccessLineWithTransportPrefixedSource(t *testing.T) {
 	line := "2026/04/29 10:11:12 tcp:203.0.113.9:51820 accepted tcp:example.com:443 [proxy] email: user@example.com-cabc1234"
 	got, ok := parseXrayAccessLine(line)
 	if !ok {
 		t.Fatal("parseXrayAccessLine() failed")
 	}
 	if got.SourceIP != "203.0.113.9" {
 		t.Fatalf("SourceIP = %q", got.SourceIP)
 	}
 }
 func TestParseXrayAccessLineWithIPv6Source(t *testing.T) {
 	line := "2026/04/29 10:11:12 tcp:[2001:db8::1]:51820 accepted tcp:example.com:443 [proxy] email: user@example.com-cabc1234"
 	got, ok := parseXrayAccessLine(line)
 	if !ok {
 		t.Fatal("parseXrayAccessLine() failed")
 	}
 	if got.SourceIP != "2001:db8::1" {
 		t.Fatalf("SourceIP = %q", got.SourceIP)
 	}
 }
 func TestAggregateXrayAccessLines(t *testing.T) {
 	lines := []string{
 		"2026/04/29 10:11:12 203.0.113.9:51820 accepted tcp:example.com:443 [proxy] email: user@example.com-cabc1234",
 		"2026/04/29 10:11:13 203.0.113.9:51821 accepted tcp:openai.com:443 [proxy] email: user@example.com-cabc1234",
 		"2026/04/29 10:11:14 198.51.100.2:51821 accepted udp:1.1.1.1:53 [proxy] email: user@example.com-cabc1234",
 	}
 	events := aggregateXrayAccessLines(lines)
 	if len(events) != 2 {
 		t.Fatalf("len(events) = %d, want 2", len(events))
 	}
 	if events[0].ConnectionCount != 2 || events[0].UniqueTargetCount != 2 {
 		t.Fatalf("first aggregate = %+v", events[0])
 	}
 	if events[1].Network != "udp" || events[1].TargetPort != 53 {
 		t.Fatalf("second aggregate = %+v", events[1])
 	}
 }
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
  "name": "j-board",
-  "version": "0.1.0",
+  "version": "3.0.0",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "j-board",
-      "version": "0.1.0",
+      "version": "3.0.0",
      "dependencies": {
        "@base-ui/react": "^1.4.1",
        "@marsidev/react-turnstile": "^1.5.0",
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "j-board",
-  "version": "0.1.0",
+  "version": "3.0.0",
  "private": true,
  "scripts": {
    "dev": "next dev",
--- a/prisma/schema.prisma
+++ b/prisma/schema.prisma
@@ -53,6 +53,10 @@ enum SubscriptionRiskReason {
  REGION_VARIANCE_SUSPEND
  COUNTRY_VARIANCE_WARNING
  COUNTRY_VARIANCE_SUSPEND
  NODE_ACCESS_VOLUME_WARNING
  NODE_ACCESS_VOLUME_SUSPEND
  NODE_ACCESS_TARGET_WARNING
  NODE_ACCESS_TARGET_SUSPEND
 }
 enum SubscriptionRiskReviewStatus {
@@ -775,6 +779,11 @@ model AppConfig {
  subscriptionRiskCountrySuspend    Int      @default(3)
  subscriptionRiskIpLimitPerHour    Int      @default(180)
  subscriptionRiskTokenLimitPerHour Int      @default(60)
  nodeAccessRiskEnabled             Boolean  @default(true)
  nodeAccessConnectionWarning        Int      @default(180)
  nodeAccessConnectionSuspend        Int      @default(360)
  nodeAccessUniqueTargetWarning      Int      @default(80)
  nodeAccessUniqueTargetSuspend      Int      @default(160)
  inviteRewardCouponId              String?
  inviteRewardRate                  Decimal  @default(0) @db.Decimal(5, 2)
  inviteRewardEnabled               Boolean  @default(false)
--- a/scripts/install-jboard-agent.sh
+++ b/scripts/install-jboard-agent.sh
@@ -8,6 +8,10 @@ SERVICE_NAME="${SERVICE_NAME:-jboard-agent}"
 ENV_FILE="${ENV_FILE:-/etc/jboard-agent.env}"
 LATENCY_INTERVAL="${LATENCY_INTERVAL:-5m}"
 TRACE_INTERVAL="${TRACE_INTERVAL:-30m}"
 XRAY_ACCESS_LOG_PATH="${XRAY_ACCESS_LOG_PATH:-}"
 XRAY_LOG_INTERVAL="${XRAY_LOG_INTERVAL:-1m}"
 XRAY_LOG_STATE_FILE="${XRAY_LOG_STATE_FILE:-/var/lib/jboard-agent/xray-log-state.json}"
 XRAY_LOG_START_AT_END="${XRAY_LOG_START_AT_END:-1}"
 INSTALL_NEXTTRACE="${INSTALL_NEXTTRACE:-1}"
 TMP_DIR="$(mktemp -d)"
 ARCH="$(uname -m)"
@@ -35,6 +39,16 @@ run_as_root() {
  fi
 }
 run_as_root_output() {
  if [ "$(id -u)" -eq 0 ]; then
    "$@"
  elif command -v sudo >/dev/null 2>&1; then
    sudo "$@"
  else
    return 1
  fi
 }
 detect_asset() {
  case "$ARCH" in
    x86_64|amd64)
@@ -61,6 +75,77 @@ resolve_release_tag() {
    | head -n 1
 }
 detect_xray_access_log() {
  if [ -n "$XRAY_ACCESS_LOG_PATH" ]; then
    printf '%s\n' "$XRAY_ACCESS_LOG_PATH"
    return 0
  fi
  for candidate in \
    /usr/local/x-ui/access.log \
    /usr/local/x-ui/bin/access.log \
    /usr/local/x-ui/xray/access.log \
    /etc/x-ui/access.log \
    /etc/x-ui/xray/access.log \
    /var/log/xray/access.log \
    /var/log/x-ui/access.log \
    /opt/3x-ui/access.log \
    /opt/x-ui/access.log; do
    if run_as_root_output test -f "$candidate" 2>/dev/null; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done
  for root in /usr/local /etc /var/log /opt /var/lib/docker/volumes; do
    if ! run_as_root_output test -d "$root" 2>/dev/null; then
      continue
    fi
    while IFS= read -r candidate; do
      case "$candidate" in
        *x-ui*|*3x-ui*|*xray*|*Xray*)
          printf '%s\n' "$candidate"
          return 0
          ;;
      esac
    done < <(run_as_root_output find "$root" -type f \( -name 'access.log' -o -name '*xray*.log' \) 2>/dev/null | head -n 50)
  done
  return 1
 }
 prepare_xray_access_log() {
  local detected=""
  detected="$(detect_xray_access_log || true)"
  if [ -z "$detected" ]; then
    XRAY_ACCESS_LOG_PATH=""
    return 1
  fi
  XRAY_ACCESS_LOG_PATH="$detected"
  run_as_root mkdir -p "$(dirname "$XRAY_LOG_STATE_FILE")"
  if run_as_root_output test -f "$XRAY_ACCESS_LOG_PATH" 2>/dev/null; then
    run_as_root chmod a+r "$XRAY_ACCESS_LOG_PATH" 2>/dev/null || true
  fi
  return 0
 }
 print_xray_log_hint() {
  cat <<'HINT'
 Xray access log was not found automatically, so node access risk telemetry is disabled for now.
 To enable it, open 3x-ui panel -> Xray Config and set:
 "log": {
  "access": "/usr/local/x-ui/access.log",
  "error": "/usr/local/x-ui/error.log",
  "loglevel": "warning"
 }
 Then restart x-ui and rerun this installer, or add XRAY_ACCESS_LOG_PATH=/usr/local/x-ui/access.log to /etc/jboard-agent.env.
 HINT
 }
 ASSET="$(detect_asset)"
 RESOLVED_TAG="$(resolve_release_tag)"
@@ -73,12 +158,12 @@ DOWNLOAD_BASE="https://github.com/${GH_REPO}/releases/download/${RESOLVED_TAG}"
 DOWNLOAD_URL="${DOWNLOAD_BASE}/${ASSET}"
 CHECKSUM_URL="${DOWNLOAD_BASE}/SHA256SUMS"
-echo "[1/8] Release tag: ${RESOLVED_TAG}"
+echo "[1/9] Release tag: ${RESOLVED_TAG}"
-echo "[2/8] Downloading probe agent binary: ${ASSET}"
+echo "[2/9] Downloading probe agent binary: ${ASSET}"
 curl -fsSL "$DOWNLOAD_URL" -o "$TMP_DIR/$ASSET"
 if curl -fsSL "$CHECKSUM_URL" -o "$TMP_DIR/SHA256SUMS" 2>/dev/null; then
-  echo "[3/8] Verifying checksum..."
+  echo "[3/9] Verifying checksum..."
  grep "  ${ASSET}$" "$TMP_DIR/SHA256SUMS" > "$TMP_DIR/SHA256SUMS.current"
  (
    cd "$TMP_DIR"
@@ -89,32 +174,43 @@ if curl -fsSL "$CHECKSUM_URL" -o "$TMP_DIR/SHA256SUMS" 2>/dev/null; then
    fi
  )
 else
-  echo "[3/8] Checksum file not found; skipping verification."
+  echo "[3/9] Checksum file not found; skipping verification."
 fi
-echo "[4/8] Installing binary..."
+echo "[4/9] Installing binary..."
 run_as_root install -m 0755 "$TMP_DIR/$ASSET" "${INSTALL_DIR}/jboard-agent"
-run_as_root mkdir -p /var/log/jboard
+run_as_root mkdir -p /var/log/jboard /var/lib/jboard-agent
 if [ "$INSTALL_NEXTTRACE" = "1" ] && ! command -v nexttrace >/dev/null 2>&1; then
-  echo "[5/8] Installing nexttrace for route probing..."
+  echo "[5/9] Installing nexttrace for route probing..."
  curl -fsSL https://raw.githubusercontent.com/nxtrace/NTrace-core/main/nt_install.sh -o "$TMP_DIR/nt_install.sh"
  run_as_root bash "$TMP_DIR/nt_install.sh"
 else
-  echo "[5/8] nexttrace already installed or skipped."
+  echo "[5/9] nexttrace already installed or skipped."
 fi
-echo "[6/8] Writing environment file..."
+echo "[6/9] Detecting Xray access log..."
 if prepare_xray_access_log; then
  echo "Found Xray access log: ${XRAY_ACCESS_LOG_PATH}"
 else
  echo "Xray access log not found; continuing without node access risk telemetry."
 fi
 echo "[7/9] Writing environment file..."
 ENV_TMP="$TMP_DIR/jboard-agent.env"
 {
  printf 'SERVER_URL=%q\n' "$SERVER_URL"
  printf 'AUTH_TOKEN=%q\n' "$AUTH_TOKEN"
  printf 'LATENCY_INTERVAL=%q\n' "$LATENCY_INTERVAL"
  printf 'TRACE_INTERVAL=%q\n' "$TRACE_INTERVAL"
  printf 'XRAY_ACCESS_LOG_PATH=%q\n' "$XRAY_ACCESS_LOG_PATH"
  printf 'XRAY_LOG_INTERVAL=%q\n' "$XRAY_LOG_INTERVAL"
  printf 'XRAY_LOG_STATE_FILE=%q\n' "$XRAY_LOG_STATE_FILE"
  printf 'XRAY_LOG_START_AT_END=%q\n' "$XRAY_LOG_START_AT_END"
 } > "$ENV_TMP"
 run_as_root install -m 0600 "$ENV_TMP" "$ENV_FILE"
-echo "[7/8] Writing systemd service..."
+echo "[8/9] Writing systemd service..."
 SERVICE_TMP="$TMP_DIR/${SERVICE_NAME}.service"
 cat > "$SERVICE_TMP" <<SERVICE
 [Unit]
@@ -135,12 +231,19 @@ WantedBy=multi-user.target
 SERVICE
 run_as_root install -m 0644 "$SERVICE_TMP" "/etc/systemd/system/${SERVICE_NAME}.service"
-echo "[8/8] Enabling and starting service..."
+echo "[9/9] Enabling and starting service..."
 run_as_root systemctl daemon-reload
 run_as_root systemctl enable --now "$SERVICE_NAME"
 echo
 echo "Install complete."
 if [ -n "$XRAY_ACCESS_LOG_PATH" ]; then
  echo "Node access risk telemetry: enabled (${XRAY_ACCESS_LOG_PATH})"
 else
  echo "Node access risk telemetry: disabled"
  print_xray_log_hint
 fi
 echo
 echo "Service status:"
 run_as_root systemctl --no-pager --full status "$SERVICE_NAME" || true
--- a/scripts/upgrade-jboard-agent.sh
+++ b/scripts/upgrade-jboard-agent.sh
@@ -5,6 +5,11 @@ GH_REPO="${GH_REPO:-JetSprow/J-Board}"
 AGENT_TAG="${AGENT_TAG:-latest}"
 INSTALL_DIR="${INSTALL_DIR:-/usr/local/bin}"
 SERVICE_NAME="${SERVICE_NAME:-jboard-agent}"
 ENV_FILE="${ENV_FILE:-/etc/jboard-agent.env}"
 XRAY_ACCESS_LOG_PATH="${XRAY_ACCESS_LOG_PATH:-}"
 XRAY_LOG_INTERVAL="${XRAY_LOG_INTERVAL:-1m}"
 XRAY_LOG_STATE_FILE="${XRAY_LOG_STATE_FILE:-/var/lib/jboard-agent/xray-log-state.json}"
 XRAY_LOG_START_AT_END="${XRAY_LOG_START_AT_END:-1}"
 TMP_DIR="$(mktemp -d)"
 ARCH="$(uname -m)"
@@ -24,6 +29,16 @@ run_as_root() {
  fi
 }
 run_as_root_output() {
  if [ "$(id -u)" -eq 0 ]; then
    "$@"
  elif command -v sudo >/dev/null 2>&1; then
    sudo "$@"
  else
    return 1
  fi
 }
 detect_asset() {
  case "$ARCH" in
    x86_64|amd64)
@@ -50,6 +65,119 @@ resolve_release_tag() {
    | head -n 1
 }
 get_env_value() {
  local key="$1"
  if ! run_as_root_output test -f "$ENV_FILE" 2>/dev/null; then
    return 0
  fi
  run_as_root_output grep -E "^${key}=" "$ENV_FILE" 2>/dev/null \
    | tail -n 1 \
    | cut -d= -f2- \
    | sed -e "s/^\'//" -e "s/\'$//" -e 's/^"//' -e 's/"$//' || true
 }
 detect_xray_access_log() {
  if [ -n "$XRAY_ACCESS_LOG_PATH" ]; then
    printf '%s\n' "$XRAY_ACCESS_LOG_PATH"
    return 0
  fi
  for candidate in \
    /usr/local/x-ui/access.log \
    /usr/local/x-ui/bin/access.log \
    /usr/local/x-ui/xray/access.log \
    /etc/x-ui/access.log \
    /etc/x-ui/xray/access.log \
    /var/log/xray/access.log \
    /var/log/x-ui/access.log \
    /opt/3x-ui/access.log \
    /opt/x-ui/access.log; do
    if run_as_root_output test -f "$candidate" 2>/dev/null; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done
  for root in /usr/local /etc /var/log /opt /var/lib/docker/volumes; do
    if ! run_as_root_output test -d "$root" 2>/dev/null; then
      continue
    fi
    while IFS= read -r candidate; do
      case "$candidate" in
        *x-ui*|*3x-ui*|*xray*|*Xray*)
          printf '%s\n' "$candidate"
          return 0
          ;;
      esac
    done < <(run_as_root_output find "$root" -type f \( -name 'access.log' -o -name '*xray*.log' \) 2>/dev/null | head -n 50)
  done
  return 1
 }
 upsert_env_value() {
  local key="$1"
  local value="$2"
  local quoted=""
  printf -v quoted %q "$value"
  if run_as_root_output test -f "$ENV_FILE" 2>/dev/null; then
    run_as_root_output cat "$ENV_FILE" > "$TMP_DIR/env.current"
  else
    : > "$TMP_DIR/env.current"
  fi
  if grep -qE "^${key}=" "$TMP_DIR/env.current"; then
    sed -E "s|^${key}=.*|${key}=${quoted}|" "$TMP_DIR/env.current" > "$TMP_DIR/env.next"
  else
    cp "$TMP_DIR/env.current" "$TMP_DIR/env.next"
    printf '%s=%s\n' "$key" "$quoted" >> "$TMP_DIR/env.next"
  fi
  run_as_root install -m 0600 "$TMP_DIR/env.next" "$ENV_FILE"
 }
 configure_xray_log_env() {
  local current=""
  current="$(get_env_value XRAY_ACCESS_LOG_PATH)"
  if [ -n "$current" ]; then
    XRAY_ACCESS_LOG_PATH="$current"
  fi
  local detected=""
  detected="$(detect_xray_access_log || true)"
  if [ -z "$detected" ]; then
    return 1
  fi
  XRAY_ACCESS_LOG_PATH="$detected"
  run_as_root mkdir -p "$(dirname "$XRAY_LOG_STATE_FILE")"
  if run_as_root_output test -f "$XRAY_ACCESS_LOG_PATH" 2>/dev/null; then
    run_as_root chmod a+r "$XRAY_ACCESS_LOG_PATH" 2>/dev/null || true
  fi
  upsert_env_value XRAY_ACCESS_LOG_PATH "$XRAY_ACCESS_LOG_PATH"
  upsert_env_value XRAY_LOG_INTERVAL "$XRAY_LOG_INTERVAL"
  upsert_env_value XRAY_LOG_STATE_FILE "$XRAY_LOG_STATE_FILE"
  upsert_env_value XRAY_LOG_START_AT_END "$XRAY_LOG_START_AT_END"
  return 0
 }
 print_xray_log_hint() {
  cat <<'HINT'
 Xray access log was not found automatically. Node access risk telemetry remains disabled.
 To enable it, open 3x-ui panel -> Xray Config and set:
 "log": {
  "access": "/usr/local/x-ui/access.log",
  "error": "/usr/local/x-ui/error.log",
  "loglevel": "warning"
 }
 Then restart x-ui and rerun this upgrade script, or add XRAY_ACCESS_LOG_PATH=/usr/local/x-ui/access.log to /etc/jboard-agent.env.
 HINT
 }
 ASSET="$(detect_asset)"
 RESOLVED_TAG="$(resolve_release_tag)"
@@ -62,12 +190,12 @@ DOWNLOAD_BASE="https://github.com/${GH_REPO}/releases/download/${RESOLVED_TAG}"
 DOWNLOAD_URL="${DOWNLOAD_BASE}/${ASSET}"
 CHECKSUM_URL="${DOWNLOAD_BASE}/SHA256SUMS"
-echo "[1/5] Release tag: ${RESOLVED_TAG}"
+echo "[1/6] Release tag: ${RESOLVED_TAG}"
-echo "[2/5] Downloading probe agent binary: ${ASSET}"
+echo "[2/6] Downloading probe agent binary: ${ASSET}"
 curl -fsSL "$DOWNLOAD_URL" -o "$TMP_DIR/$ASSET"
 if curl -fsSL "$CHECKSUM_URL" -o "$TMP_DIR/SHA256SUMS" 2>/dev/null; then
-  echo "[3/5] Verifying checksum..."
+  echo "[3/6] Verifying checksum..."
  grep "  ${ASSET}$" "$TMP_DIR/SHA256SUMS" > "$TMP_DIR/SHA256SUMS.current"
  (
    cd "$TMP_DIR"
@@ -78,14 +206,22 @@ if curl -fsSL "$CHECKSUM_URL" -o "$TMP_DIR/SHA256SUMS" 2>/dev/null; then
    fi
  )
 else
-  echo "[3/5] Checksum file not found; skipping verification."
+  echo "[3/6] Checksum file not found; skipping verification."
 fi
-echo "[4/5] Installing binary..."
+echo "[4/6] Installing binary..."
 run_as_root install -m 0755 "$TMP_DIR/$ASSET" "${INSTALL_DIR}/jboard-agent"
-run_as_root mkdir -p /var/log/jboard
+run_as_root mkdir -p /var/log/jboard /var/lib/jboard-agent
-echo "[5/5] Restarting service..."
+echo "[5/6] Detecting Xray access log..."
 if configure_xray_log_env; then
  echo "Node access risk telemetry: enabled (${XRAY_ACCESS_LOG_PATH})"
 else
  echo "Node access risk telemetry: disabled"
  print_xray_log_hint
 fi
 echo "[6/6] Restarting service..."
 run_as_root systemctl daemon-reload
 run_as_root systemctl restart "$SERVICE_NAME"
--- a/src/actions/admin/settings.ts
+++ b/src/actions/admin/settings.ts
@@ -38,6 +38,11 @@ const settingsSchema = z.object({
  subscriptionRiskCountrySuspend: z.coerce.number().int().min(2).max(100).optional(),
  subscriptionRiskIpLimitPerHour: z.coerce.number().int().min(1).max(100000).optional(),
  subscriptionRiskTokenLimitPerHour: z.coerce.number().int().min(1).max(100000).optional(),
  nodeAccessRiskEnabled: z.string().optional(),
  nodeAccessConnectionWarning: z.coerce.number().int().min(1).max(100000).optional(),
  nodeAccessConnectionSuspend: z.coerce.number().int().min(1).max(100000).optional(),
  nodeAccessUniqueTargetWarning: z.coerce.number().int().min(1).max(100000).optional(),
  nodeAccessUniqueTargetSuspend: z.coerce.number().int().min(1).max(100000).optional(),
  inviteRewardEnabled: z.string().optional(),
  inviteRewardRate: z.coerce.number().min(0).max(100).optional(),
  inviteRewardCouponId: z.string().trim().optional(),
@@ -158,6 +163,18 @@ function buildSettingsUpdate(parsed: z.infer<typeof settingsSchema>, current: Aw
      parsed.subscriptionRiskIpLimitPerHour ?? current.subscriptionRiskIpLimitPerHour,
    subscriptionRiskTokenLimitPerHour:
      parsed.subscriptionRiskTokenLimitPerHour ?? current.subscriptionRiskTokenLimitPerHour,
    nodeAccessRiskEnabled: optionalBoolean(
      parsed.nodeAccessRiskEnabled,
      current.nodeAccessRiskEnabled,
    ),
    nodeAccessConnectionWarning:
      parsed.nodeAccessConnectionWarning ?? current.nodeAccessConnectionWarning,
    nodeAccessConnectionSuspend:
      parsed.nodeAccessConnectionSuspend ?? current.nodeAccessConnectionSuspend,
    nodeAccessUniqueTargetWarning:
      parsed.nodeAccessUniqueTargetWarning ?? current.nodeAccessUniqueTargetWarning,
    nodeAccessUniqueTargetSuspend:
      parsed.nodeAccessUniqueTargetSuspend ?? current.nodeAccessUniqueTargetSuspend,
    inviteRewardEnabled: optionalBoolean(parsed.inviteRewardEnabled, current.inviteRewardEnabled),
    inviteRewardRate: parsed.inviteRewardRate ?? Number(current.inviteRewardRate),
    inviteRewardCouponId: parsed.inviteRewardCouponId || null,
@@ -182,6 +199,12 @@ function buildSettingsUpdate(parsed: z.infer<typeof settingsSchema>, current: Aw
  if (next.subscriptionRiskCountrySuspend < next.subscriptionRiskCountryWarning) {
    throw new Error("国家暂停阈值不能小于国家警告阈值");
  }
  if (next.nodeAccessConnectionSuspend < next.nodeAccessConnectionWarning) {
    throw new Error("节点连接暂停阈值不能小于警告阈值");
  }
  if (next.nodeAccessUniqueTargetSuspend < next.nodeAccessUniqueTargetWarning) {
    throw new Error("节点目标数暂停阈值不能小于警告阈值");
  }
  if (next.smtpEnabled || next.emailVerificationRequired) {
    if (!next.smtpHost || !next.smtpPort || !next.smtpFromEmail) {
--- a/src/app/(admin)/admin/nodes/node-actions.tsx
+++ b/src/app/(admin)/admin/nodes/node-actions.tsx
@@ -91,7 +91,7 @@ export function NodeActions({ node, siteUrl }: { node: NodeActionValue; siteUrl:
          size="sm"
          variant="outline"
          title="撤销这个探测 Token？"
-          description="撤销后，延迟和线路探测程序将无法继续上报数据。"
+          description="撤销后，延迟、线路探测和节点日志风控程序将无法继续上报数据。"
          confirmLabel="撤销 Token"
          successMessage="探测 Token 已撤销"
          errorMessage="撤销失败"
@@ -170,7 +170,7 @@ export function NodeActions({ node, siteUrl }: { node: NodeActionValue; siteUrl:
              </p>
            )}
            <p className="text-xs leading-5 text-muted-foreground">
-              此 Agent 仅用于 `/api/agent/latency` 和 `/api/agent/trace` 探测上报；节点客户端开通已改由 3x-ui 面板 API 处理。
+              此 Agent 用于 `/api/agent/latency`、`/api/agent/trace` 探测上报；安装脚本会自动查找 3x-ui/Xray access log，找到后启用节点日志风控。Agent 只读日志，不修改 3x-ui 配置。
            </p>
          </div>
        </DialogContent>
--- a/src/app/(admin)/admin/settings/page.tsx
+++ b/src/app/(admin)/admin/settings/page.tsx
@@ -48,6 +48,11 @@ export default async function AdminSettingsPage() {
          subscriptionRiskCountrySuspend: config.subscriptionRiskCountrySuspend,
          subscriptionRiskIpLimitPerHour: config.subscriptionRiskIpLimitPerHour,
          subscriptionRiskTokenLimitPerHour: config.subscriptionRiskTokenLimitPerHour,
          nodeAccessRiskEnabled: config.nodeAccessRiskEnabled,
          nodeAccessConnectionWarning: config.nodeAccessConnectionWarning,
          nodeAccessConnectionSuspend: config.nodeAccessConnectionSuspend,
          nodeAccessUniqueTargetWarning: config.nodeAccessUniqueTargetWarning,
          nodeAccessUniqueTargetSuspend: config.nodeAccessUniqueTargetSuspend,
          inviteRewardEnabled: config.inviteRewardEnabled,
          inviteRewardRate: Number(config.inviteRewardRate),
          inviteRewardCouponId: config.inviteRewardCouponId,
--- a/src/app/(admin)/admin/settings/settings-form.tsx
+++ b/src/app/(admin)/admin/settings/settings-form.tsx
@@ -37,6 +37,11 @@ interface AppConfig {
  subscriptionRiskCountrySuspend: number;
  subscriptionRiskIpLimitPerHour: number;
  subscriptionRiskTokenLimitPerHour: number;
  nodeAccessRiskEnabled: boolean;
  nodeAccessConnectionWarning: number;
  nodeAccessConnectionSuspend: number;
  nodeAccessUniqueTargetWarning: number;
  nodeAccessUniqueTargetSuspend: number;
  inviteRewardEnabled: boolean;
  inviteRewardRate: number;
  inviteRewardCouponId: string | null;
@@ -389,9 +394,37 @@ export function SettingsForm({ config, coupons }: { config: AppConfig; coupons:
                  defaultValue={config.subscriptionRiskTokenLimitPerHour}
                />
              </div>
              <div className="space-y-2">
                <Label htmlFor="nodeAccessRiskEnabled">节点日志风控</Label>
                <select
                  id="nodeAccessRiskEnabled"
                  name="nodeAccessRiskEnabled"
                  defaultValue={String(config.nodeAccessRiskEnabled)}
                  className={selectClassName}
                >
                  <option value="true">开启，接收 Agent Xray 日志上报</option>
                  <option value="false">关闭，只保留订阅接口风控</option>
                </select>
              </div>
              <div className="space-y-2">
                <Label htmlFor="nodeAccessConnectionWarning">节点连接警告阈值</Label>
                <Input id="nodeAccessConnectionWarning" name="nodeAccessConnectionWarning" type="number" min={1} max={100000} defaultValue={config.nodeAccessConnectionWarning} />
              </div>
              <div className="space-y-2">
                <Label htmlFor="nodeAccessConnectionSuspend">节点连接暂停阈值</Label>
                <Input id="nodeAccessConnectionSuspend" name="nodeAccessConnectionSuspend" type="number" min={1} max={100000} defaultValue={config.nodeAccessConnectionSuspend} />
              </div>
              <div className="space-y-2">
                <Label htmlFor="nodeAccessUniqueTargetWarning">不同目标警告阈值</Label>
                <Input id="nodeAccessUniqueTargetWarning" name="nodeAccessUniqueTargetWarning" type="number" min={1} max={100000} defaultValue={config.nodeAccessUniqueTargetWarning} />
              </div>
              <div className="space-y-2">
                <Label htmlFor="nodeAccessUniqueTargetSuspend">不同目标暂停阈值</Label>
                <Input id="nodeAccessUniqueTargetSuspend" name="nodeAccessUniqueTargetSuspend" type="number" min={1} max={100000} defaultValue={config.nodeAccessUniqueTargetSuspend} />
              </div>
            </div>
            <p className="text-xs leading-5 text-muted-foreground">
-              默认值对应原规则：24 小时内 4 城市警告、5 城市暂停；2 省/地区警告、3 省/地区暂停；2 国家警告、3 国家暂停；IP 180 次/小时，订阅 60 次/小时。
+              默认值对应原规则：24 小时内 4 城市警告、5 城市暂停；2 省/地区警告、3 省/地区暂停；2 国家警告、3 国家暂停；IP 180 次/小时，订阅 60 次/小时。节点日志风控只在 Agent 配置 XRAY_ACCESS_LOG_PATH 后生效；连接数和不同目标数按 Agent 单次聚合窗口计算。
            </p>
          </div>
        )}
--- a/src/app/(admin)/admin/subscription-risk/_components/subscription-risk-geo-details.tsx
+++ b/src/app/(admin)/admin/subscription-risk/_components/subscription-risk-geo-details.tsx
@@ -44,7 +44,7 @@ function WorldRiskMap({ summary }: { summary: SubscriptionRiskGeoSummary }) {
        viewBox="0 0 360 180"
        className="h-[15rem] w-full bg-[radial-gradient(circle_at_30%_20%,color-mix(in_oklch,var(--primary)_10%,transparent),transparent_30%),linear-gradient(135deg,var(--muted),var(--card))]"
        role="img"
-        aria-label="订阅访问 IP 世界地图分布"
+        aria-label="订阅访问与节点连接 IP 世界地图分布"
      >
        <rect width="360" height="180" rx="12" fill="transparent" />
        {[-120, -60, 0, 60, 120].map((longitude) => {
@@ -164,7 +164,7 @@ export function SubscriptionRiskGeoDetails({ summary }: { summary: SubscriptionR
      <details className="group rounded-xl border border-border/70 bg-muted/20">
        <summary className="flex cursor-pointer list-none items-center justify-between gap-3 px-3 py-2 text-sm font-medium [&::-webkit-details-marker]:hidden">
          <span className="flex items-center gap-2">
-            <MapPin className="size-4 text-primary" /> IP 访问明细
+            <MapPin className="size-4 text-primary" /> IP 访问/连接明细
          </span>
          <ChevronDown className="size-4 text-muted-foreground transition-transform group-open:rotate-180" />
        </summary>
--- a/src/app/(admin)/admin/subscription-risk/_components/subscription-risk-table.tsx
+++ b/src/app/(admin)/admin/subscription-risk/_components/subscription-risk-table.tsx
@@ -31,6 +31,14 @@ function reasonLabel(reason: SubscriptionRiskEvent["reason"]) {
      return "国家异常警告";
    case "COUNTRY_VARIANCE_SUSPEND":
      return "国家异常暂停";
    case "NODE_ACCESS_VOLUME_WARNING":
      return "节点高频警告";
    case "NODE_ACCESS_VOLUME_SUSPEND":
      return "节点高频暂停";
    case "NODE_ACCESS_TARGET_WARNING":
      return "目标分散警告";
    case "NODE_ACCESS_TARGET_SUSPEND":
      return "目标分散暂停";
  }
 }
@@ -255,7 +263,7 @@ export function SubscriptionRiskTable({ events }: { events: SubscriptionRiskEven
    return (
      <EmptyState
        title="暂无订阅风控事件"
-        description="订阅链接出现跨城市、跨省份或跨国家访问异常后，会在这里进入人工跟进队列。"
+        description="订阅链接或节点真实连接出现跨城市、跨省份或跨国家异常后，会在这里进入人工跟进队列。"
      />
    );
  }
--- a/src/app/(admin)/admin/subscription-risk/page.tsx
+++ b/src/app/(admin)/admin/subscription-risk/page.tsx
@@ -7,7 +7,7 @@ import { getSubscriptionRiskEvents } from "./risk-data";
 export const metadata: Metadata = {
  title: "订阅风控",
-  description: "查看订阅访问异常、关联用户和人工处理状态。",
+  description: "查看订阅访问与节点连接异常、关联用户和人工处理状态。",
 };
 export default async function AdminSubscriptionRiskPage({
@@ -22,7 +22,7 @@ export default async function AdminSubscriptionRiskPage({
      <PageHeader
        eyebrow="商品与订单"
        title="订阅风控"
-        description="订阅链接跨城市或跨省份访问异常后，会进入这里供管理员确认、备注、恢复或继续处置。"
+        description="订阅链接或节点真实连接出现跨城市、跨省份访问异常后，会进入这里供管理员确认、备注、恢复或继续处置。"
      />
      <AdminFilterBar
--- a/src/app/(admin)/admin/subscriptions/[id]/_components/subscription-access-risk-section.tsx
+++ b/src/app/(admin)/admin/subscriptions/[id]/_components/subscription-access-risk-section.tsx
@@ -67,6 +67,14 @@ function reasonLabel(reason: SubscriptionRiskEvent["reason"]) {
      return "国家异常警告";
    case "COUNTRY_VARIANCE_SUSPEND":
      return "国家异常暂停";
    case "NODE_ACCESS_VOLUME_WARNING":
      return "节点高频警告";
    case "NODE_ACCESS_VOLUME_SUSPEND":
      return "节点高频暂停";
    case "NODE_ACCESS_TARGET_WARNING":
      return "目标分散警告";
    case "NODE_ACCESS_TARGET_SUSPEND":
      return "目标分散暂停";
  }
 }
@@ -113,7 +121,7 @@ export function SubscriptionAccessRiskSection({
          </span>
          <div>
            <h3 className="text-lg font-semibold tracking-[-0.02em]">订阅访问风控</h3>
-            <p className="mt-0.5 text-sm text-muted-foreground">记录订阅拉取 IP、地区变化和人工处理状态。</p>
+            <p className="mt-0.5 text-sm text-muted-foreground">记录订阅拉取与节点真实连接 IP、地区变化和人工处理状态。</p>
          </div>
        </div>
        <Link href="/admin/subscription-risk" className={buttonVariants({ variant: "outline", size: "sm" })}>
--- a/src/app/(user)/support/page.tsx
+++ b/src/app/(user)/support/page.tsx
@@ -47,7 +47,7 @@ export default async function SupportPage({
        subject: "订阅风控复核申请",
        category: "订阅风控",
        priority: "HIGH" as const,
-        body: "我需要复核订阅风控限制。\n\n请在这里补充：近期访问订阅的设备、所在城市/国家、是否出差或旅行、是否曾分享订阅链接。\n\n系统判定：" + reasonLabel(riskEvent.reason) + "\n" + riskEvent.message,
+        body: "我需要复核订阅风控限制。\n\n请在这里补充：近期访问订阅的设备、所在城市/国家、是否出差或旅行、是否曾分享订阅链接或通过其他设备转发节点。\n\n系统判定：" + reasonLabel(riskEvent.reason) + "\n" + riskEvent.message,
      }
    : undefined;
--- a/src/app/api/agent/node-access/route.ts
+++ b/src/app/api/agent/node-access/route.ts
@@ -0,0 +1,148 @@
 import { isIP } from "node:net";
 import { NextResponse } from "next/server";
 import { z } from "zod";
 import { prisma } from "@/lib/prisma";
 import { authenticateAgent, isAuthError } from "@/lib/agent-auth";
 import { getIpGeoContext } from "@/lib/request-context";
 import { getAppConfig } from "@/services/app-config";
 import { evaluateNodeAccessAbuseRisk, recordSubscriptionAccess } from "@/services/subscription-risk";
 const MAX_EVENTS = 500;
 const MAX_TEXT_LENGTH = 200;
 const nodeAccessEventSchema = z.object({
  clientEmail: z.string().trim().min(1).max(320),
  sourceIp: z.string().trim().refine((value) => isIP(value) !== 0, "sourceIp 必须是有效 IP"),
  inboundTag: z.string().trim().max(MAX_TEXT_LENGTH).optional().nullable(),
  network: z.string().trim().max(16).optional().nullable(),
  targetHost: z.string().trim().max(MAX_TEXT_LENGTH).optional().nullable(),
  targetPort: z.coerce.number().int().min(0).max(65535).optional().nullable(),
  action: z.string().trim().max(32).optional().nullable(),
  connectionCount: z.coerce.number().int().min(1).max(100000).optional().default(1),
  uniqueTargetCount: z.coerce.number().int().min(0).max(100000).optional().default(0),
  firstSeenAt: z.string().trim().max(64).optional().nullable(),
  lastSeenAt: z.string().trim().max(64).optional().nullable(),
 });
 const nodeAccessPayloadSchema = z.object({
  events: z.array(nodeAccessEventSchema).min(1).max(MAX_EVENTS),
 });
 function compactText(value: string | null | undefined) {
  const text = value?.trim();
  return text ? text.slice(0, MAX_TEXT_LENGTH) : null;
 }
 function normalizeAction(action: string | null | undefined) {
  const normalized = action?.trim().toLowerCase();
  return normalized === "rejected" ? "rejected" : "accepted";
 }
 function buildReason(event: z.infer<typeof nodeAccessEventSchema>, nodeId: string) {
  const parts = [
    "来源：节点 Xray access log",
    "节点：" + nodeId,
    event.inboundTag ? "入站：" + event.inboundTag : null,
    event.network ? "网络：" + event.network : null,
    event.targetPort ? "目标端口：" + event.targetPort : null,
    event.targetHost ? "样本目标：" + event.targetHost : null,
    "连接数：" + event.connectionCount,
    event.uniqueTargetCount ? "不同目标：" + event.uniqueTargetCount : null,
    event.firstSeenAt ? "首次：" + event.firstSeenAt : null,
    event.lastSeenAt ? "最近：" + event.lastSeenAt : null,
  ].filter(Boolean);
  return parts.join("；").slice(0, 1000);
 }
 export async function POST(req: Request) {
  const auth = await authenticateAgent(req);
  if (isAuthError(auth)) return auth;
  const { nodeId } = auth;
  let body: unknown;
  try {
    body = await req.json();
  } catch {
    return NextResponse.json({ error: "请求体不是有效 JSON，期望格式：{ events: [...] }" }, { status: 400 });
  }
  const parsed = nodeAccessPayloadSchema.safeParse(body);
  if (!parsed.success) {
    return NextResponse.json({ error: parsed.error.issues[0]?.message ?? "节点访问日志格式无效" }, { status: 400 });
  }
  const config = await getAppConfig();
  if (!config.subscriptionRiskEnabled || !config.nodeAccessRiskEnabled) {
    return NextResponse.json({ ok: true, skipped: parsed.data.events.length, reason: "node_access_risk_disabled" });
  }
  const clientEmails = [...new Set(parsed.data.events.map((event) => event.clientEmail))];
  const clients = await prisma.nodeClient.findMany({
    where: {
      email: { in: clientEmails },
      inbound: { serverId: nodeId },
    },
    select: {
      email: true,
      userId: true,
      subscriptionId: true,
    },
  });
  const clientByEmail = new Map(clients.map((client) => [client.email, client]));
  let processed = 0;
  let skipped = 0;
  let warnings = 0;
  let suspended = 0;
  for (const event of parsed.data.events) {
    const client = clientByEmail.get(event.clientEmail);
    if (!client) {
      skipped++;
      continue;
    }
    const action = normalizeAction(event.action);
    const allowed = action === "accepted";
    const result = await recordSubscriptionAccess({
      kind: "SINGLE",
      userId: client.userId,
      subscriptionId: client.subscriptionId,
      context: {
        ip: event.sourceIp,
        userAgent: "jboard-agent/xray-access-log",
        geo: getIpGeoContext(event.sourceIp),
      },
      allowed,
      reason: buildReason({
        ...event,
        inboundTag: compactText(event.inboundTag),
        network: compactText(event.network),
        targetHost: compactText(event.targetHost),
        action,
      }, nodeId),
      evaluateRisk: allowed,
      riskConfig: config,
      sourceLabel: "节点真实连接",
    });
    const abuseResult = allowed
      ? await evaluateNodeAccessAbuseRisk({
          userId: client.userId,
          subscriptionId: client.subscriptionId,
          ip: event.sourceIp,
          connectionCount: event.connectionCount,
          uniqueTargetCount: event.uniqueTargetCount,
          targetHost: compactText(event.targetHost),
          targetPort: event.targetPort ?? null,
          config,
        })
      : { warned: false, suspended: false };
    processed++;
    if (result.warned || abuseResult.warned) warnings++;
    if (result.suspended || abuseResult.suspended) suspended++;
  }
  return NextResponse.json({ ok: true, processed, skipped, warnings, suspended });
 }
--- a/src/app/api/agent/trace/route.ts
+++ b/src/app/api/agent/trace/route.ts
@@ -2,6 +2,7 @@ import { NextResponse } from "next/server";
 import { prisma } from "@/lib/prisma";
 import { authenticateAgent, isAuthError } from "@/lib/agent-auth";
 import { normalizeTraceHops, normalizeTraceText } from "@/lib/trace-normalize";
 import { classifyTraceRoute } from "@/lib/route-classify";
 export async function POST(req: Request) {
  const auth = await authenticateAgent(req);
@@ -32,7 +33,8 @@ export async function POST(req: Request) {
  for (const trace of body.traces) {
    if (!validCarriers.has(trace.carrier)) continue;
    const normalizedHops = normalizeTraceHops(trace.hops);
-    const normalizedSummary = normalizeTraceText(trace.summary) || "路由信息";
+    const submittedSummary = normalizeTraceText(trace.summary);
    const normalizedSummary = classifyTraceRoute({ summary: submittedSummary, hops: normalizedHops });
    const hopCount = Number(trace.hopCount);
    const normalizedHopCount =
      Number.isFinite(hopCount) && hopCount > 0
--- a/src/app/api/traces/route.ts
+++ b/src/app/api/traces/route.ts
@@ -1,5 +1,7 @@
 import { NextResponse } from "next/server";
 import { prisma } from "@/lib/prisma";
 import { classifyTraceRoute } from "@/lib/route-classify";
 import { normalizeTraceHops } from "@/lib/trace-normalize";
 const MAX_NODE_IDS = 100;
@@ -24,7 +26,7 @@ export async function GET(req: Request) {
    }
    result[row.nodeId].push({
      carrier: row.carrier,
-      summary: row.summary,
+      summary: classifyTraceRoute({ summary: row.summary, hops: normalizeTraceHops(row.hops) }),
      hopCount: row.hopCount,
      hops: row.hops,
      updatedAt: row.updatedAt.toISOString(),
--- a/src/lib/request-context.ts
+++ b/src/lib/request-context.ts
@@ -79,7 +79,7 @@ function localizedName(record: { names?: object } | null | undefined) {
  return names["zh-CN"] ?? names.en ?? Object.values(names).find((value) => typeof value === "string") ?? null;
 }
-function getGeoIpLocation(ip: string): RequestGeoContext {
+export function getIpGeoContext(ip: string): RequestGeoContext {
  if (ip === "unknown" || !isIP(ip)) return emptyGeoContext();
  const reader = getGeoIpReader();
@@ -244,7 +244,7 @@ export function getRequestGeo(headers: HeaderReader, ip = "unknown"): RequestGeo
  }
  const headerGeo = { country, region, regionCode, city, latitude, longitude, source };
-  return mergeGeoContext(headerGeo, getGeoIpLocation(ip));
+  return mergeGeoContext(headerGeo, getIpGeoContext(ip));
 }
 export function getClientRequestContext(headers: HeaderReader): ClientRequestContext {
--- a/src/lib/route-classify.ts
+++ b/src/lib/route-classify.ts
@@ -0,0 +1,77 @@
 import { normalizeTraceText, type NormalizedTraceHop } from "@/lib/trace-normalize";
 function normalizeAsn(value: unknown) {
  const text = normalizeTraceText(value).toUpperCase();
  const match = text.match(/(?:^|\b)AS?\s*(\d{2,10})(?:\b|$)/);
  if (match) return match[1];
  return /^\d{2,10}$/.test(text) ? text : "";
 }
 function isIpInPrefix(ip: string, prefix: string) {
  return ip === prefix.slice(0, -1) || ip.startsWith(prefix);
 }
 function countMatches(values: string[], predicate: (value: string) => boolean) {
  return values.reduce((count, value) => count + (predicate(value) ? 1 : 0), 0);
 }
 export function classifyTraceRoute(input: {
  summary?: unknown;
  hops: Array<NormalizedTraceHop | { ip?: unknown; geo?: unknown; asn?: unknown; owner?: unknown; isp?: unknown }>;
 }) {
  const summary = normalizeTraceText(input.summary).toUpperCase();
  const hopTexts = input.hops.map((hop) => [
    normalizeTraceText(hop.ip),
    normalizeTraceText(hop.geo),
    normalizeTraceText("owner" in hop ? hop.owner : ""),
    normalizeTraceText("isp" in hop ? hop.isp : ""),
    normalizeTraceText("asn" in hop ? hop.asn : ""),
  ].join(" ").toUpperCase());
  const combined = [summary, ...hopTexts].join(" ");
  const ips = input.hops.map((hop) => normalizeTraceText(hop.ip)).filter(Boolean);
  const asns = new Set<string>();
  for (const hop of input.hops) {
    const directAsn = normalizeAsn("asn" in hop ? hop.asn : "");
    if (directAsn) asns.add(directAsn);
  }
  for (const match of combined.matchAll(/(?:^|\b)AS\s*(\d{2,10})(?:\b|$)/g)) {
    asns.add(match[1]);
  }
  const hasAsn = (...values: string[]) => values.some((value) => asns.has(value));
  const hasText = (...values: string[]) => values.some((value) => combined.includes(value));
  const hasIpPrefix = (...prefixes: string[]) => ips.some((ip) => prefixes.some((prefix) => isIpInPrefix(ip, prefix)));
  const cn2Evidence = hasAsn("4809")
    || hasIpPrefix("59.43.")
    || hasText("CN2", "CTGNET", "CHINANET NEXT CARRYING NETWORK", "CHINA TELECOM GLOBAL");
  const cn2GiaText = hasText("CN2 GIA", "CN2GIA", "GIA", "GLOBAL INTERNET ACCESS");
  const ordinaryTelecomHops = countMatches(hopTexts, (text) => (
    text.includes("AS4134")
    || text.includes("CHINANET BACKBONE")
    || text.includes("CHINANET 163")
    || text.includes("163骨干")
  )) + countMatches(ips, (ip) => isIpInPrefix(ip, "202.97."));
  if (cn2Evidence) {
    if (cn2GiaText || ordinaryTelecomHops <= 1) return "CN2 GIA";
    return "CN2 GT";
  }
  if (hasAsn("9929", "10099") || hasText("CUII", "A网", "AS9929")) {
    return "AS9929";
  }
  if (hasText("CMIN2") || hasAsn("58807", "58809", "58813", "58819", "59807")) {
    return "CMIN2";
  }
  if (hasText("CMI") || hasAsn("58453")) {
    return "CMI";
  }
  if (hasAsn("4837") || hasText("AS4837")) {
    return "AS4837";
  }
  const normalizedSummary = normalizeTraceText(input.summary);
  return normalizedSummary && normalizedSummary !== "普通线路" ? normalizedSummary : "普通线路";
 }
--- a/src/lib/trace-normalize.ts
+++ b/src/lib/trace-normalize.ts
@@ -77,6 +77,9 @@ export interface NormalizedTraceHop {
  ip: string;
  geo: string;
  latency: number;
  asn?: string;
  owner?: string;
  isp?: string;
 }
 export function normalizeTraceHops(hops: unknown): NormalizedTraceHop[] {
@@ -94,6 +97,9 @@ export function normalizeTraceHops(hops: unknown): NormalizedTraceHop[] {
        ip: normalizeTraceText(hopObject.ip),
        geo: normalizeTraceText(hopObject.geo),
        latency: Math.max(0, toSafeNumber(hopObject.latency, 0)),
        asn: normalizeTraceText(hopObject.asn) || undefined,
        owner: normalizeTraceText(hopObject.owner) || undefined,
        isp: normalizeTraceText(hopObject.isp) || undefined,
      };
    })
    .filter((hop) => hop.ip || hop.geo || hop.latency > 0);
--- a/src/services/subscription-risk-review.ts
+++ b/src/services/subscription-risk-review.ts
@@ -142,6 +142,14 @@ export function reasonLabel(reason: SubscriptionRiskReason) {
      return "国家异常警告";
    case "COUNTRY_VARIANCE_SUSPEND":
      return "国家异常暂停";
    case "NODE_ACCESS_VOLUME_WARNING":
      return "节点高频警告";
    case "NODE_ACCESS_VOLUME_SUSPEND":
      return "节点高频暂停";
    case "NODE_ACCESS_TARGET_WARNING":
      return "目标分散警告";
    case "NODE_ACCESS_TARGET_SUSPEND":
      return "目标分散暂停";
  }
 }
@@ -334,8 +342,8 @@ export function buildSubscriptionRiskReport(input: {
  const userLabel = user ? `${user.email}${user.name ? `（${user.name}）` : ""}` : event.userId ?? "未知用户";
  const windowRange = `${formatDate(event.windowStartedAt)} 至 ${formatDate(event.createdAt)}`;
  const actionSuggestion = event.level === "SUSPENDED"
-    ? "建议保持暂停，等待用户确认是否本人跨地区使用、订阅链接是否外泄，并在工单中补充说明后再解除限制。"
+    ? "建议保持暂停，等待用户确认是否本人跨地区使用、订阅链接是否外泄或节点连接是否被共享，并在工单中补充说明后再解除限制。"
-    : "建议先联系用户确认近期访问来源；如果用户无法解释这些地区/IP，建议重置订阅链接并临时暂停相关订阅。";
+    : "建议先联系用户确认近期访问/连接来源；如果用户无法解释这些地区/IP，建议重置订阅链接并临时暂停相关订阅。";
  return [
    "订阅风控风险报告",
--- a/src/services/subscription-risk.ts
+++ b/src/services/subscription-risk.ts
@@ -24,6 +24,11 @@ type SubscriptionRiskConfig = Pick<
  | "subscriptionRiskRegionSuspend"
  | "subscriptionRiskCountryWarning"
  | "subscriptionRiskCountrySuspend"
  | "nodeAccessRiskEnabled"
  | "nodeAccessConnectionWarning"
  | "nodeAccessConnectionSuspend"
  | "nodeAccessUniqueTargetWarning"
  | "nodeAccessUniqueTargetSuspend"
 >;
 interface RecordSubscriptionAccessInput {
@@ -35,6 +40,7 @@ interface RecordSubscriptionAccessInput {
  reason?: string | null;
  evaluateRisk?: boolean;
  riskConfig?: SubscriptionRiskConfig;
  sourceLabel?: string | null;
 }
 interface RiskDecision {
@@ -99,8 +105,9 @@ function riskMessage(options: {
  countryLabels: string[];
  regionLabels: string[];
  cityLabels: string[];
  sourceLabel?: string | null;
 }) {
-  const scope = getScopeLabel(options.kind);
+  const scope = options.sourceLabel?.trim() || getScopeLabel(options.kind);
  const locationSummary = options.decision.reason.startsWith("COUNTRY")
    ? `${options.countryCount} 个国家/地区：${formatKeyPreview(options.countryLabels)}`
    : options.decision.reason.startsWith("REGION")
@@ -358,6 +365,7 @@ async function evaluateSubscriptionRisk(input: {
  userId?: string | null;
  subscriptionId?: string | null;
  ip: string;
  sourceLabel?: string | null;
  db: DbClient;
  config?: SubscriptionRiskConfig;
 }): Promise<RiskEvaluationResult> {
@@ -433,6 +441,7 @@ async function evaluateSubscriptionRisk(input: {
    countryLabels,
    regionLabels,
    cityLabels,
    sourceLabel: input.sourceLabel,
  });
  const { event, created } = await createRiskEvent({
@@ -497,6 +506,142 @@ async function evaluateSubscriptionRisk(input: {
  return { warned: true, suspended: false, eventId: event.id };
 }
 function decideNodeAccessAbuseRisk(input: {
  connectionCount: number;
  uniqueTargetCount: number;
  config: SubscriptionRiskConfig;
 }): RiskDecision | null {
  if (!input.config.nodeAccessRiskEnabled) return null;
  if (input.config.subscriptionRiskAutoSuspend && input.uniqueTargetCount >= input.config.nodeAccessUniqueTargetSuspend) {
    return { level: "SUSPENDED", reason: "NODE_ACCESS_TARGET_SUSPEND" };
  }
  if (input.config.subscriptionRiskAutoSuspend && input.connectionCount >= input.config.nodeAccessConnectionSuspend) {
    return { level: "SUSPENDED", reason: "NODE_ACCESS_VOLUME_SUSPEND" };
  }
  if (input.uniqueTargetCount >= input.config.nodeAccessUniqueTargetWarning) {
    return { level: "WARNING", reason: "NODE_ACCESS_TARGET_WARNING" };
  }
  if (input.connectionCount >= input.config.nodeAccessConnectionWarning) {
    return { level: "WARNING", reason: "NODE_ACCESS_VOLUME_WARNING" };
  }
  return null;
 }
 function nodeAccessAbuseMessage(input: {
  decision: RiskDecision;
  ip: string;
  connectionCount: number;
  uniqueTargetCount: number;
  targetHost?: string | null;
  targetPort?: number | null;
 }) {
  const metric = input.decision.reason.includes("TARGET")
    ? "不同目标 " + input.uniqueTargetCount + " 个"
    : "连接 " + input.connectionCount + " 次";
  const targetValue = [input.targetHost, input.targetPort].filter(Boolean).join(":");
  const target = targetValue ? "，样本目标 " + targetValue : "";
  const action = input.decision.level === "SUSPENDED" ? "已自动暂停" : "已记录警告";
  return "节点真实连接行为异常，单个聚合窗口内出现 " + metric + "，来源 IP " + input.ip + target + "，" + action + "。";
 }
 export async function evaluateNodeAccessAbuseRisk(input: {
  userId: string;
  subscriptionId: string;
  ip: string;
  connectionCount: number;
  uniqueTargetCount: number;
  targetHost?: string | null;
  targetPort?: number | null;
  config?: SubscriptionRiskConfig;
  db?: DbClient;
 }): Promise<RiskEvaluationResult> {
  const db = input.db ?? prisma;
  const config = input.config ?? await getAppConfig(db);
  if (!config.subscriptionRiskEnabled || !config.nodeAccessRiskEnabled) {
    return { warned: false, suspended: false };
  }
  const decision = decideNodeAccessAbuseRisk({
    connectionCount: input.connectionCount,
    uniqueTargetCount: input.uniqueTargetCount,
    config,
  });
  if (!decision) return { warned: false, suspended: false };
  const windowStartedAt = new Date(Date.now() - config.subscriptionRiskWindowHours * 60 * 60 * 1000);
  const message = nodeAccessAbuseMessage({
    decision,
    ip: input.ip,
    connectionCount: input.connectionCount,
    uniqueTargetCount: input.uniqueTargetCount,
    targetHost: input.targetHost,
    targetPort: input.targetPort,
  });
  const { event, created } = await createRiskEvent({
    kind: "SINGLE",
    userId: input.userId,
    subscriptionId: input.subscriptionId,
    ip: input.ip,
    decision,
    message,
    windowStartedAt,
    countryLabels: [],
    regionLabels: [],
    cityLabels: [],
    db,
  });
  if (created) {
    const targetLabel = await getTargetLabel({ userId: input.userId, subscriptionId: input.subscriptionId }, db);
    await recordAuditLog({
      action: decision.level === "SUSPENDED" ? "risk.node_access.suspend" : "risk.node_access.warning",
      targetType: "UserSubscription",
      targetId: input.subscriptionId,
      targetLabel,
      message,
      metadata: {
        eventId: event.id,
        reason: decision.reason,
        ip: input.ip,
        connectionCount: input.connectionCount,
        uniqueTargetCount: input.uniqueTargetCount,
        targetHost: input.targetHost ?? null,
        targetPort: input.targetPort ?? null,
        windowStartedAt: windowStartedAt.toISOString(),
      },
    }, db);
    if (decision.level === "WARNING") {
      await createNotification({
        userId: input.userId,
        type: "SUBSCRIPTION",
        level: "WARNING",
        title: "节点连接行为异常",
        body: "检测到你的订阅在节点侧出现异常高频连接或目标分散。如果不是你本人操作，请重置订阅访问并联系管理员。",
        link: "/subscriptions/" + input.subscriptionId,
        dedupeKey: "risk:node-access:warning:" + event.id,
      }, db);
    }
  }
  if (decision.level === "SUSPENDED") {
    const suspendedIds = await suspendScopeForRisk({
      kind: "SINGLE",
      userId: input.userId,
      subscriptionId: input.subscriptionId,
      message,
    });
    revalidateRiskViews(suspendedIds);
    return { warned: false, suspended: true, eventId: event.id };
  }
  if (created) revalidateRiskViews([input.subscriptionId]);
  return { warned: true, suspended: false, eventId: event.id };
 }
 export async function recordSubscriptionAccess(
  input: RecordSubscriptionAccessInput,
  db: DbClient = prisma,
@@ -529,6 +674,7 @@ export async function recordSubscriptionAccess(
    userId: input.userId,
    subscriptionId: input.subscriptionId,
    ip: input.context.ip,
    sourceLabel: input.sourceLabel,
    db,
    config: input.riskConfig,
  });