Refactor install command generation and update response structure

Merge pull request #2 from Flikify/codex/build-github-workflow-for-new-changes
CI overhaul and major frontend UI refactor (new components, layouts, and release workflow)
2026-03-19 20:49:23 +08:00 · 2026-03-19 20:22:23 +08:00 · 2026-03-19 20:21:05 +08:00 · 2026-03-19 20:12:13 +08:00 · 2026-03-19 20:08:00 +08:00 · 2026-03-19 19:47:35 +08:00
64 changed files with 3600 additions and 9102 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -0,0 +1,117 @@
+name: CI Build
+
+on:
+  push:
+  pull_request:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ci-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  frontend:
+    name: Build frontend
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: npm
+          cache-dependency-path: web/package-lock.json
+
+      - name: Install frontend dependencies
+        working-directory: web
+        run: npm ci
+
+      - name: Build frontend
+        working-directory: web
+        run: npm run build
+
+      - name: Upload frontend artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: frontend-dist
+          path: web/dist
+          retention-days: 1
+
+  build:
+    name: Build ${{ matrix.goos }}/${{ matrix.goarch }}
+    needs: frontend
+    runs-on: ${{ matrix.runner }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - runner: ubuntu-latest
+            goos: linux
+            goarch: amd64
+          - runner: ubuntu-latest
+            goos: linux
+            goarch: arm64
+          - runner: windows-latest
+            goos: windows
+            goarch: amd64
+          - runner: macos-latest
+            goos: darwin
+            goarch: amd64
+          - runner: macos-latest
+            goos: darwin
+            goarch: arm64
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+          cache: true
+
+      - name: Download frontend artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: frontend-dist
+          path: internal/server/app/dist
+
+      - name: Download Go modules
+        run: go mod download
+
+      - name: Build server and client
+        shell: bash
+        env:
+          GOOS: ${{ matrix.goos }}
+          GOARCH: ${{ matrix.goarch }}
+          CGO_ENABLED: 0
+        run: |
+          mkdir -p build/${GOOS}_${GOARCH}
+          EXT=""
+          if [ "$GOOS" = "windows" ]; then
+            EXT=".exe"
+          fi
+
+          BUILD_TIME="$(date -u '+%Y-%m-%dT%H:%M:%SZ')"
+          GIT_COMMIT="${GITHUB_SHA::7}"
+          VERSION="${GITHUB_REF_NAME}"
+          if [ "${GITHUB_REF_TYPE}" != "tag" ]; then
+            VERSION="${GITHUB_SHA::7}"
+          fi
+
+          LDFLAGS="-s -w -X 'main.Version=${VERSION}' -X 'main.BuildTime=${BUILD_TIME}' -X 'main.GitCommit=${GIT_COMMIT}'"
+
+          go build -trimpath -ldflags "$LDFLAGS" -o "build/${GOOS}_${GOARCH}/server${EXT}" ./cmd/server
+          go build -trimpath -ldflags "$LDFLAGS" -o "build/${GOOS}_${GOARCH}/client${EXT}" ./cmd/client
+
+      - name: Upload binaries artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: gotunnel-${{ matrix.goos }}-${{ matrix.goarch }}
+          path: build/${{ matrix.goos }}_${{ matrix.goarch }}/
+          retention-days: 7
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -0,0 +1,214 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Release tag to publish, e.g. v1.2.3'
+        required: true
+        type: string
+
+permissions:
+  contents: write
+
+concurrency:
+  group: release-${{ github.event.inputs.tag || github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  frontend:
+    name: Build frontend
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: npm
+          cache-dependency-path: web/package-lock.json
+
+      - name: Install frontend dependencies
+        working-directory: web
+        run: npm ci
+
+      - name: Build frontend
+        working-directory: web
+        run: npm run build
+
+      - name: Upload frontend artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: frontend-dist
+          path: web/dist
+          retention-days: 1
+
+  build-assets:
+    name: Package ${{ matrix.component }} ${{ matrix.goos }}/${{ matrix.goarch }}
+    needs: frontend
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - component: server
+            goos: linux
+            goarch: amd64
+            archive_ext: tar.gz
+          - component: client
+            goos: linux
+            goarch: amd64
+            archive_ext: tar.gz
+          - component: server
+            goos: linux
+            goarch: arm64
+            archive_ext: tar.gz
+          - component: client
+            goos: linux
+            goarch: arm64
+            archive_ext: tar.gz
+          - component: server
+            goos: darwin
+            goarch: amd64
+            archive_ext: tar.gz
+          - component: client
+            goos: darwin
+            goarch: amd64
+            archive_ext: tar.gz
+          - component: server
+            goos: darwin
+            goarch: arm64
+            archive_ext: tar.gz
+          - component: client
+            goos: darwin
+            goarch: arm64
+            archive_ext: tar.gz
+          - component: server
+            goos: windows
+            goarch: amd64
+            archive_ext: zip
+          - component: client
+            goos: windows
+            goarch: amd64
+            archive_ext: zip
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+          cache: true
+
+      - name: Download frontend artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: frontend-dist
+          path: internal/server/app/dist
+
+      - name: Download Go modules
+        run: go mod download
+
+      - name: Resolve release metadata
+        id: meta
+        shell: bash
+        run: |
+          if [ "${GITHUB_EVENT_NAME}" = "workflow_dispatch" ]; then
+            TAG="${{ github.event.inputs.tag }}"
+          else
+            TAG="${GITHUB_REF_NAME}"
+          fi
+          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
+          echo "commit=${GITHUB_SHA::7}" >> "$GITHUB_OUTPUT"
+          echo "build_time=$(date -u '+%Y-%m-%dT%H:%M:%SZ')" >> "$GITHUB_OUTPUT"
+
+      - name: Build binary
+        shell: bash
+        env:
+          GOOS: ${{ matrix.goos }}
+          GOARCH: ${{ matrix.goarch }}
+          CGO_ENABLED: 0
+          VERSION: ${{ steps.meta.outputs.tag }}
+          GIT_COMMIT: ${{ steps.meta.outputs.commit }}
+          BUILD_TIME: ${{ steps.meta.outputs.build_time }}
+        run: |
+          mkdir -p dist/package
+          EXT=""
+          if [ "$GOOS" = "windows" ]; then
+            EXT=".exe"
+          fi
+
+          OUTPUT_NAME="${{ matrix.component }}${EXT}"
+          LDFLAGS="-s -w -X 'main.Version=${VERSION}' -X 'main.BuildTime=${BUILD_TIME}' -X 'main.GitCommit=${GIT_COMMIT}'"
+          go build -trimpath -ldflags "$LDFLAGS" -o "dist/package/${OUTPUT_NAME}" ./cmd/${{ matrix.component }}
+
+      - name: Create release archive
+        id: package
+        shell: bash
+        run: |
+          TAG="${{ steps.meta.outputs.tag }}"
+          ARCHIVE="gotunnel-${{ matrix.component }}-${TAG}-${{ matrix.goos }}-${{ matrix.goarch }}.${{ matrix.archive_ext }}"
+          mkdir -p dist/out
+          if [ "${{ matrix.archive_ext }}" = "zip" ]; then
+            (cd dist/package && zip -r "../out/${ARCHIVE}" .)
+          else
+            tar -C dist/package -czf "dist/out/${ARCHIVE}" .
+          fi
+          echo "archive=dist/out/${ARCHIVE}" >> "$GITHUB_OUTPUT"
+
+      - name: Upload release asset artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: release-${{ matrix.component }}-${{ matrix.goos }}-${{ matrix.goarch }}
+          path: ${{ steps.package.outputs.archive }}
+          retention-days: 1
+
+  publish:
+    name: Publish release
+    needs: build-assets
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download packaged assets
+        uses: actions/download-artifact@v4
+        with:
+          path: release-artifacts
+          pattern: release-*
+          merge-multiple: true
+
+      - name: Resolve release metadata
+        id: meta
+        shell: bash
+        run: |
+          if [ "${GITHUB_EVENT_NAME}" = "workflow_dispatch" ]; then
+            TAG="${{ github.event.inputs.tag }}"
+          else
+            TAG="${GITHUB_REF_NAME}"
+          fi
+          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
+
+      - name: Generate checksums
+        shell: bash
+        run: |
+          cd release-artifacts
+          sha256sum * > SHA256SUMS.txt
+
+      - name: Create or update GitHub release
+        uses: softprops/action-gh-release@v2
+        with:
+          tag_name: ${{ steps.meta.outputs.tag }}
+          target_commitish: ${{ github.sha }}
+          generate_release_notes: true
+          fail_on_unmatched_files: true
+          files: |
+            release-artifacts/*
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -0,0 +1,113 @@
+# AGENTS.md
+
+This file provides guidance to Codex (Codex.ai/code) when working with code in this repository.
+
+## Build Commands
+
+```bash
+# Build server and client binaries
+go build -o server ./cmd/server
+go build -o client ./cmd/client
+
+# Run server (zero-config, auto-generates token and TLS cert)
+./server
+./server -c server.yaml  # with config file
+
+# Run client
+./client -s <server>:7000 -t <token>
+
+# Web UI development (in web/ directory)
+cd web && npm install && npm run dev    # development server
+cd web && npm run build                  # production build (outputs to web/dist/)
+
+# Cross-platform build (Windows PowerShell)
+.\scripts\build.ps1
+
+# Cross-platform build (Linux/Mac)
+./scripts/build.sh all
+```
+
+## Architecture Overview
+
+GoTunnel is an intranet penetration tool (similar to frp) with **server-centric configuration** - clients require zero configuration and receive mapping rules from the server after authentication.
+
+### Core Design
+
+- **Yamux Multiplexing**: Single TCP connection carries both control (auth, config, heartbeat) and data channels
+- **Binary Protocol**: `[Type(1 byte)][Length(4 bytes)][Payload(JSON)]` - see `pkg/protocol/message.go`
+- **TLS by Default**: Auto-generated self-signed ECDSA P-256 certificates, no manual setup required
+- **Embedded Web UI**: Vue.js SPA embedded in server binary via `//go:embed`
+- **JS Plugin System**: Extensible plugin system using goja JavaScript runtime
+
+### Package Structure
+
+```
+cmd/server/          # Server entry point
+cmd/client/          # Client entry point
+internal/server/
+  ├── tunnel/        # Core tunnel server, client session management
+  ├── config/        # YAML configuration loading
+  ├── db/            # SQLite storage (ClientStore, JSPluginStore interfaces)
+  ├── app/           # Web server, SPA handler
+  ├── router/        # REST API endpoints (Swagger documented)
+  └── plugin/        # Server-side JS plugin manager
+internal/client/
+  └── tunnel/        # Client tunnel logic, auto-reconnect, plugin execution
+pkg/
+  ├── protocol/      # Message types and serialization
+  ├── crypto/        # TLS certificate generation
+  ├── relay/         # Bidirectional data relay (32KB buffers)
+  ├── auth/          # JWT authentication
+  ├── utils/         # Port availability checking
+  ├── version/       # Version info and update checking (Gitea API)
+  └── update/        # Shared update logic (download, extract tar.gz/zip)
+web/                 # Vue 3 + TypeScript frontend (Vite + naive-ui)
+scripts/             # Build scripts (build.sh, build.ps1)
+```
+
+### Key Interfaces
+
+- `ClientStore` (internal/server/db/): Database abstraction for client rules storage
+- `ServerInterface` (internal/server/router/handler/): API handler interface
+
+### Proxy Types
+
+1. **TCP** (default): Direct port forwarding (remote_port → local_ip:local_port)
+2. **UDP**: UDP port forwarding
+3. **HTTP**: HTTP proxy through client network
+4. **HTTPS**: HTTPS proxy through client network
+5. **SOCKS5**: SOCKS5 proxy through client network
+
+### Data Flow
+
+External User → Server Port → Yamux Stream → Client → Local Service
+
+### Configuration
+
+- Server: YAML config + SQLite database for client rules and JS plugins
+- Client: Command-line flags only (server address, token)
+- Default ports: 7000 (tunnel), 7500 (web console)
+
+## API Documentation
+
+The server provides Swagger-documented REST APIs at `/api/`.
+
+### Key Endpoints
+
+- `POST /api/auth/login` - JWT authentication
+- `GET /api/clients` - List all clients
+- `GET /api/client/{id}` - Get client details
+- `PUT /api/client/{id}` - Update client config
+- `POST /api/client/{id}/push` - Push config to online client
+- `POST /api/client/{id}/plugin/{name}/{action}` - Plugin actions (start/stop/restart/delete)
+- `GET /api/plugins` - List registered plugins
+- `GET /api/update/check/server` - Check server updates
+- `POST /api/update/apply/server` - Apply server update
+
+## Update System
+
+Both server and client support self-update from Gitea releases.
+
+- Release assets are compressed archives (`.tar.gz` for Linux/Mac, `.zip` for Windows)
+- The `pkg/update/` package handles download, extraction, and binary replacement
+- Updates can be triggered from the Web UI at `/update` page
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -14,8 +14,7 @@ go build -o client ./cmd/client
 ./server -c server.yaml  # with config file

 # Run client
-./client -s <server>:7000 -t <token> -id <client-id>
-./client -s <server>:7000 -t <token> -id <client-id> -no-tls  # disable TLS
+./client -s <server>:7000 -t <token>

 # Web UI development (in web/ directory)
 cd web && npm install && npm run dev    # development server
@@ -61,13 +60,7 @@ pkg/
  ├── auth/          # JWT authentication
  ├── utils/         # Port availability checking
  ├── version/       # Version info and update checking (Gitea API)
-  ├── update/        # Shared update logic (download, extract tar.gz/zip)
-  └── plugin/        # Plugin system core
-      ├── types.go       # Plugin interfaces
-      ├── registry.go    # Plugin registry
-      ├── script/        # JS plugin runtime (goja)
-      ├── sign/          # Plugin signature verification
-      └── store/         # Plugin persistence (SQLite)
+  └── update/        # Shared update logic (download, extract tar.gz/zip)
 web/                 # Vue 3 + TypeScript frontend (Vite + naive-ui)
 scripts/             # Build scripts (build.sh, build.ps1)
 ```
@@ -75,23 +68,16 @@ scripts/             # Build scripts (build.sh, build.ps1)
 ### Key Interfaces

 - `ClientStore` (internal/server/db/): Database abstraction for client rules storage
- `JSPluginStore` (internal/server/db/): JS plugin persistence
 - `ServerInterface` (internal/server/router/handler/): API handler interface
- `ClientPlugin` (pkg/plugin/): Plugin interface for client-side plugins

 ### Proxy Types

-**内置类型** (直接在 tunnel 中处理):
 1. **TCP** (default): Direct port forwarding (remote_port → local_ip:local_port)
 2. **UDP**: UDP port forwarding
 3. **HTTP**: HTTP proxy through client network
 4. **HTTPS**: HTTPS proxy through client network
 5. **SOCKS5**: SOCKS5 proxy through client network

-**JS 插件类型** (通过 goja 运行时):
- Custom application plugins (file-server, api-server, etc.)
- Runs on client side with sandbox restrictions
-
 ### Data Flow

 External User → Server Port → Yamux Stream → Client → Local Service
@@ -99,47 +85,9 @@ External User → Server Port → Yamux Stream → Client → Local Service
 ### Configuration

 - Server: YAML config + SQLite database for client rules and JS plugins
- Client: Command-line flags only (server address, token, client ID)
+- Client: Command-line flags only (server address, token)
 - Default ports: 7000 (tunnel), 7500 (web console)

-## Plugin System
-
-GoTunnel supports a JavaScript-based plugin system using the goja runtime.
-
-### Plugin Architecture
-
- **内置协议**: tcp, udp, http, https, socks5 直接在 tunnel 代码中处理
- **JS Plugins**: 自定义应用插件通过 goja 运行时在客户端执行
- **Plugin Store**: 从官方商店浏览和安装插件
- **Signature Verification**: 插件需要签名验证才能运行
-
-### JS Plugin Lifecycle
-
-```javascript
-function metadata() {
-    return {
-        name: "plugin-name",
-        version: "1.0.0",
-        type: "app",
-        description: "Plugin description",
-        author: "Author"
-    };
-}
-
-function start() { /* called on plugin start */ }
-function handleConn(conn) { /* handle each connection */ }
-function stop() { /* called on plugin stop */ }
-```
-
-### Plugin APIs
-
- **Basic**: `log()`, `config()`
- **Connection**: `conn.Read()`, `conn.Write()`, `conn.Close()`
- **File System**: `fs.readFile()`, `fs.writeFile()`, `fs.readDir()`, `fs.stat()`, etc.
- **HTTP**: `http.serve()`, `http.json()`, `http.sendFile()`
-
-See `PLUGINS.md` for detailed plugin development documentation.
-
 ## API Documentation

 The server provides Swagger-documented REST APIs at `/api/`.
--- a/PLUGINS.md
+++ b/PLUGINS.md
@@ -1,645 +0,0 @@
-# GoTunnel 插件开发指南
-
-本文档介绍如何为 GoTunnel 开发 JS 插件。JS 插件基于 [goja](https://github.com/dop251/goja) 运行时，运行在客户端上。
-
-## 目录
-
- [快速开始](#快速开始)
- [插件结构](#插件结构)
- [API 参考](#api-参考)
- [示例插件](#示例插件)
- [插件签名](#插件签名)
- [发布到商店](#发布到商店)
-
---
-
-## 快速开始
-
-### 最小插件示例
-
-```javascript
-// 必须：定义插件元数据
-function metadata() {
-    return {
-        name: "my-plugin",
-        version: "1.0.0",
-        type: "app",
-        description: "My first plugin",
-        author: "Your Name"
-    };
-}
-
-// 可选：插件启动时调用
-function start() {
-    log("Plugin started");
-}
-
-// 必须：处理连接
-function handleConn(conn) {
-    // 处理连接逻辑
-    conn.Close();
-}
-
-// 可选：插件停止时调用
-function stop() {
-    log("Plugin stopped");
-}
-```
-
---
-
-## 插件结构
-
-### 生命周期函数
-
-| 函数 | 必须 | 说明 |
-|------|------|------|
-| `metadata()` | 否 | 返回插件元数据，不定义则使用默认值 |
-| `start()` | 否 | 插件启动时调用 |
-| `handleConn(conn)` | 是 | 处理每个连接 |
-| `stop()` | 否 | 插件停止时调用 |
-
-### 元数据字段
-
-```javascript
-function metadata() {
-    return {
-        name: "plugin-name",      // 插件名称
-        version: "1.0.0",         // 版本号
-        type: "app",              // 类型: "app" (应用插件)
-        description: "描述",      // 插件描述
-        author: "作者"            // 作者名称
-    };
-}
-```
-
---
-
-## API 参考
-
-### 基础 API
-
-#### `log(message)`
-
-输出日志信息。
-
-```javascript
-log("Hello, World!");
-// 输出: [JS:plugin-name] Hello, World!
-```
-
-#### `config(key)`
-
-获取插件配置值。
-
-```javascript
-var port = config("port");
-var host = config("host") || "127.0.0.1";
-```
-
---
-
-### 连接 API (conn)
-
-`handleConn` 函数接收的 `conn` 对象提供以下方法：
-
-#### `conn.Read(size)`
-
-读取数据，返回字节数组，失败返回 `null`。
-
-```javascript
-var data = conn.Read(1024);
-if (data) {
-    log("Received " + data.length + " bytes");
-}
-```
-
-#### `conn.Write(data)`
-
-写入数据，返回写入的字节数。
-
-```javascript
-var written = conn.Write(data);
-log("Wrote " + written + " bytes");
-```
-
-#### `conn.Close()`
-
-关闭连接。
-
-```javascript
-conn.Close();
-```
-
---
-
-### 文件系统 API (fs)
-
-所有文件操作都在沙箱中执行，有路径和大小限制。
-
-#### `fs.readFile(path)`
-
-读取文件内容。
-
-```javascript
-var result = fs.readFile("/path/to/file.txt");
-if (result.error) {
-    log("Error: " + result.error);
-} else {
-    log("Content: " + result.data);
-}
-```
-
-#### `fs.writeFile(path, content)`
-
-写入文件内容。
-
-```javascript
-var result = fs.writeFile("/path/to/file.txt", "Hello");
-if (result.ok) {
-    log("File written");
-} else {
-    log("Error: " + result.error);
-}
-```
-
-#### `fs.readDir(path)`
-
-读取目录内容。
-
-```javascript
-var result = fs.readDir("/path/to/dir");
-if (!result.error) {
-    for (var i = 0; i < result.entries.length; i++) {
-        var entry = result.entries[i];
-        log(entry.name + " - " + (entry.isDir ? "DIR" : entry.size + " bytes"));
-    }
-}
-```
-
-#### `fs.stat(path)`
-
-获取文件信息。
-
-```javascript
-var result = fs.stat("/path/to/file");
-if (!result.error) {
-    log("Name: " + result.name);
-    log("Size: " + result.size);
-    log("IsDir: " + result.isDir);
-    log("ModTime: " + result.modTime);
-}
-```
-
-#### `fs.exists(path)`
-
-检查文件是否存在。
-
-```javascript
-var result = fs.exists("/path/to/file");
-if (result.exists) {
-    log("File exists");
-}
-```
-
-#### `fs.mkdir(path)`
-
-创建目录。
-
-```javascript
-var result = fs.mkdir("/path/to/new/dir");
-if (result.ok) {
-    log("Directory created");
-}
-```
-
-#### `fs.remove(path)`
-
-删除文件或目录。
-
-```javascript
-var result = fs.remove("/path/to/file");
-if (result.ok) {
-    log("Removed");
-}
-```
-
---
-
-### HTTP API (http)
-
-用于构建简单的 HTTP 服务。
-
-#### `http.serve(conn, handler)`
-
-处理 HTTP 请求。
-
-```javascript
-function handleConn(conn) {
-    http.serve(conn, function(req) {
-        return {
-            status: 200,
-            contentType: "application/json",
-            body: http.json({ message: "Hello", path: req.path })
-        };
-    });
-}
-```
-
-**请求对象 (req):**
-
-| 字段 | 类型 | 说明 |
-|------|------|------|
-| `method` | string | HTTP 方法 (GET, POST, etc.) |
-| `path` | string | 请求路径 |
-| `body` | string | 请求体 |
-
-**响应对象:**
-
-| 字段 | 类型 | 说明 |
-|------|------|------|
-| `status` | number | HTTP 状态码 (默认 200) |
-| `contentType` | string | Content-Type (默认 application/json) |
-| `body` | string | 响应体 |
-
-#### `http.json(data)`
-
-将对象序列化为 JSON 字符串。
-
-```javascript
-var jsonStr = http.json({ name: "test", value: 123 });
-// 返回: '{"name":"test","value":123}'
-```
-
-#### `http.sendFile(conn, filePath)`
-
-发送文件作为 HTTP 响应。
-
-```javascript
-function handleConn(conn) {
-    http.sendFile(conn, "/path/to/index.html");
-}
-```
-
---
-
-### 增强 API (Enhanced APIs)
-
-GoTunnel v2.0+ 提供了更多强大的 API 能力。
-
-#### `logger` (日志)
-
-推荐使用结构化日志替代简单的 `log()`。
-
- `logger.info(msg)`
- `logger.warn(msg)`
- `logger.error(msg)`
-
-```javascript
-logger.info("Server started");
-logger.error("Connection failed");
-```
-
-#### `config` (配置)
-
-增强的配置获取方式。
-
- `config.get(key)`: 获取配置值
- `config.getAll()`: 获取所有配置
-
-```javascript
-var all = config.getAll();
-var port = config.get("port");
-```
-
-#### `storage` (持久化存储)
-
-简单的 Key-Value 存储，数据保存在客户端本地。
-
- `storage.get(key, default)`
- `storage.set(key, value)`
- `storage.delete(key)`
- `storage.keys()`
-
-```javascript
-storage.set("last_run", Date.now());
-var last = storage.get("last_run", 0);
-```
-
-#### `event` (事件总线)
-
-插件内部或插件间的事件通信。
-
- `event.on(name, callback)`
- `event.emit(name, data)`
- `event.off(name)`
-
-```javascript
-event.on("user_login", function(user) {
-    logger.info("User logged in: " + user);
-});
-event.emit("user_login", "admin");
-```
-
-#### `request` (HTTP 请求)
-
-发起外部 HTTP 请求。
-
- `request.get(url)`
- `request.post(url, contentType, body)`
-
-```javascript
-var res = request.get("https://api.ipify.org");
-logger.info("My IP: " + res.body);
-```
-
-#### `notify` (通知)
-
-发送系统通知。
-
- `notify.send(title, message)`
-
-```javascript
-notify.send("Download Complete", "File saved to disk");
-```
-
---
-
-## 示例插件
-
-### Echo 服务
-
-```javascript
-function metadata() {
-    return {
-        name: "echo",
-        version: "1.0.0",
-        type: "app",
-        description: "Echo back received data"
-    };
-}
-
-function handleConn(conn) {
-    while (true) {
-        var data = conn.Read(4096);
-        if (!data || data.length === 0) {
-            break;
-        }
-        conn.Write(data);
-    }
-    conn.Close();
-}
-```
-
-### HTTP 文件服务器
-
-```javascript
-function metadata() {
-    return {
-        name: "file-server",
-        version: "1.0.0",
-        type: "app",
-        description: "Simple HTTP file server"
-    };
-}
-
-var rootDir = "";
-
-function start() {
-    rootDir = config("root") || "/tmp";
-    log("Serving files from: " + rootDir);
-}
-
-function handleConn(conn) {
-    http.serve(conn, function(req) {
-        if (req.method === "GET") {
-            var filePath = rootDir + req.path;
-            if (req.path === "/") {
-                filePath = rootDir + "/index.html";
-            }
-
-            var stat = fs.stat(filePath);
-            if (stat.error) {
-                return { status: 404, body: "Not Found" };
-            }
-
-            if (stat.isDir) {
-                return listDirectory(filePath);
-            }
-
-            var file = fs.readFile(filePath);
-            if (file.error) {
-                return { status: 500, body: file.error };
-            }
-
-            return {
-                status: 200,
-                contentType: "text/html",
-                body: file.data
-            };
-        }
-        return { status: 405, body: "Method Not Allowed" };
-    });
-}
-
-function listDirectory(path) {
-    var result = fs.readDir(path);
-    if (result.error) {
-        return { status: 500, body: result.error };
-    }
-
-    var html = "<html><body><h1>Directory Listing</h1><ul>";
-    for (var i = 0; i < result.entries.length; i++) {
-        var e = result.entries[i];
-        html += "<li><a href='" + e.name + "'>" + e.name + "</a></li>";
-    }
-    html += "</ul></body></html>";
-
-    return { status: 200, contentType: "text/html", body: html };
-}
-```
-
-### JSON API 服务
-
-```javascript
-function metadata() {
-    return {
-        name: "api-server",
-        version: "1.0.0",
-        type: "app",
-        description: "JSON API server"
-    };
-}
-
-var counter = 0;
-
-function handleConn(conn) {
-    http.serve(conn, function(req) {
-        if (req.path === "/api/status") {
-            return {
-                status: 200,
-                body: http.json({
-                    status: "ok",
-                    counter: counter++,
-                    timestamp: Date.now()
-                })
-            };
-        }
-
-        if (req.path === "/api/echo" && req.method === "POST") {
-            return {
-                status: 200,
-                body: http.json({
-                    received: req.body
-                })
-            };
-        }
-
-        return {
-            status: 404,
-            body: http.json({ error: "Not Found" })
-        };
-    });
-}
-```
-
---
-
-## 插件签名
-
-为了安全，JS 插件需要官方签名才能运行。
-
-### 签名格式
-
-签名文件 (`.sig`) 包含 Base64 编码的签名数据：
-
-```json
-{
-  "payload": {
-    "name": "plugin-name",
-    "version": "1.0.0",
-    "checksum": "sha256-hash",
-    "key_id": "official-v1"
-  },
-  "signature": "base64-signature"
-}
-```
-
-### 获取签名
-
-1. 提交插件到官方仓库
-2. 通过审核后获得签名
-3. 将 `.js` 和 `.sig` 文件一起分发
-
---
-
-## 发布到商店
-
-### 商店 JSON 格式
-
-插件商店使用 `store.json` 文件索引所有插件：
-
-```json
-[
-  {
-    "name": "echo",
-    "version": "1.0.0",
-    "type": "app",
-    "description": "Echo service plugin",
-    "author": "GoTunnel",
-    "icon": "https://example.com/icon.png",
-    "download_url": "https://example.com/plugins/echo.js"
-  }
-]
-```
-
-### 提交流程
-
-1. Fork 官方插件仓库
-2. 添加插件文件到 `plugins/` 目录
-3. 更新 `store.json`
-4. 提交 Pull Request
-5. 等待审核和签名
-
---
-
-## 沙箱限制
-
-为了安全，JS 插件运行在沙箱环境中：
-
-| 限制项 | 默认值 |
-|--------|--------|
-| 最大读取文件大小 | 10 MB |
-| 最大写入文件大小 | 10 MB |
-| 允许读取路径 | 插件数据目录 |
-| 允许写入路径 | 插件数据目录 |
-
---
-
-## 调试技巧
-
-### 日志输出
-
-使用 `log()` 函数输出调试信息：
-
-```javascript
-log("Debug: variable = " + JSON.stringify(variable));
-```
-
-### 错误处理
-
-始终检查 API 返回的错误：
-
-```javascript
-var result = fs.readFile(path);
-if (result.error) {
-    log("Error reading file: " + result.error);
-    return;
-}
-```
-
-### 配置测试
-
-在 Web 控制台的插件管理页面安装并配置插件，或通过 API 安装：
-
-```bash
-# 安装 JS 插件到客户端
-POST /api/client/{id}/plugin/js/install
-Content-Type: application/json
-{
-  "plugin_name": "my-plugin",
-  "source": "function metadata() {...}",
-  "rule_name": "my-rule",
-  "remote_port": 8080,
-  "config": {"debug": "true"},
-  "auto_start": true
-}
-```
-
---
-
-## 常见问题
-
-**Q: 插件无法加载？**
-
-A: 检查签名文件是否存在且有效。
-
-**Q: 文件操作失败？**
-
-A: 确认路径在沙箱允许范围内。
-
-**Q: 如何获取客户端 IP？**
-
-A: 目前 API 不支持，计划在后续版本添加。
-
---
-
-## 更新日志
-
-### v1.0.0
-
- 初始版本
- 支持基础 API: log, config
- 支持连接 API: Read, Write, Close
- 支持文件系统 API: fs.*
- 支持 HTTP API: http.*
--- a/README.md
+++ b/README.md
@@ -17,7 +17,7 @@ GoTunnel 是一个类似 frp 的内网穿透解决方案，核心特点是**服
 | TLS 证书 | 自动生成，零配置 | 需手动配置 |
 | 管理界面 | 内置 Web 控制台 (naive-ui) | 需额外部署 Dashboard |
 | 客户端部署 | 仅需 2 个参数 | 需配置文件 |
-| 客户端 ID | 可选，服务端自动分配 | 需手动配置 |
+| 客户端 ID | 自动根据设备标识计算 | 需手动配置 |

 ### 架构设计

@@ -111,14 +111,9 @@ go build -o client ./cmd/client
 ### 客户端启动

 ```bash
-# 最简启动（ID 由服务端自动分配）
+# 最简启动（ID 由客户端根据设备标识自动计算）
 ./client -s <服务器IP>:7000 -t <Token>

-# 指定客户端 ID
-./client -s <服务器IP>:7000 -t <Token> -id <客户端ID>
-
-# 禁用 TLS（需服务端也禁用）
-./client -s <服务器IP>:7000 -t <Token> -no-tls
 ```

 **参数说明：**
@@ -127,9 +122,6 @@ go build -o client ./cmd/client
 |------|------|------|
 | `-s` | 服务器地址 (ip:port) | 是 |
 | `-t` | 认证 Token | 是 |
-| `-id` | 客户端 ID | 否（服务端自动分配） |
-| `-no-tls` | 禁用 TLS 加密 | 否 |
-| `-skip-verify` | 跳过证书验证（不安全，仅测试用） | 否 |

 ## 配置系统

@@ -388,7 +380,7 @@ curl -X POST http://server:7500/api/clients \
  -d '{"id":"home","rules":[{"name":"web","type":"tcp","local_ip":"127.0.0.1","local_port":80,"remote_port":8080}]}'

 # 客户端连接
-./client -s server:7000 -t <token> -id home
+./client -s server:7000 -t <token>

 # 访问：http://server:8080 -> 内网 127.0.0.1:80
 ```
@@ -411,7 +403,7 @@ A: 在 Web 控制台点击客户端详情，进入编辑模式即可设置昵称

 **Q: 如何禁用 TLS？**

-A: 服务端配置 `tls_disabled: true`，客户端使用 `-no-tls` 参数。
+A: 客户端命令行默认使用 TLS；如需兼容旧的非 TLS 部署，请改用客户端配置文件中的 `no_tls: true`。

 **Q: 端口被占用怎么办？**

@@ -419,7 +411,7 @@ A: 服务端会自动检测端口冲突，请检查日志并更换端口。

 **Q: 客户端 ID 是如何分配的？**

-A: 如果客户端未指定 `-id` 参数，服务端会自动生成 16 位随机 ID。
+A: 客户端会把系统机器 ID、全部可用 MAC、主机名和网卡名等稳定标识组合后再进行哈希，得到固定客户端 ID；服务端不再为客户端分配或修正 ID。

 **Q: 如何更新服务端/客户端？**

--- a/cmd/client/main.go
+++ b/cmd/client/main.go
@@ -7,7 +7,6 @@ import (
 	"github.com/gotunnel/internal/client/config"
 	"github.com/gotunnel/internal/client/tunnel"
 	"github.com/gotunnel/pkg/crypto"
-	"github.com/gotunnel/pkg/plugin"
 	"github.com/gotunnel/pkg/version"
 )

@@ -24,8 +23,6 @@ func init() {
 func main() {
 	server := flag.String("s", "", "server address (ip:port)")
 	token := flag.String("t", "", "auth token")
-	id := flag.String("id", "", "client id (optional, auto-assigned if empty)")
-	noTLS := flag.Bool("no-tls", false, "disable TLS")
 	configPath := flag.String("c", "", "config file path")
 	flag.Parse()

@@ -48,18 +45,12 @@ func main() {
 	if *token != "" {
 		cfg.Token = *token
 	}
-	if *id != "" {
-		cfg.ID = *id
-	}
-	if *noTLS {
-		cfg.NoTLS = *noTLS
-	}

 	if cfg.Server == "" || cfg.Token == "" {
-		log.Fatal("Usage: client [-c config.yaml] | [-s <server:port> -t <token> [-id <client_id>] [-no-tls]]")
+		log.Fatal("Usage: client [-c config.yaml] | [-s <server:port> -t <token>]")
 	}

-	client := tunnel.NewClient(cfg.Server, cfg.Token, cfg.ID)
+	client := tunnel.NewClient(cfg.Server, cfg.Token)

 	// TLS 默认启用，默认跳过证书验证（类似 frp）
 	if !cfg.NoTLS {
@@ -68,14 +59,5 @@ func main() {
 		log.Printf("[Client] TLS enabled")
 	}

-	// 初始化插件注册表（用于 JS 插件）
-	registry := plugin.NewRegistry()
-	client.SetPluginRegistry(registry)
-
-	// 初始化版本存储
-	if err := client.InitVersionStore(); err != nil {
-		log.Printf("[Client] Warning: failed to init version store: %v", err)
-	}
-
 	client.Run()
 }
--- a/cmd/server/main.go
+++ b/cmd/server/main.go
@@ -26,7 +26,6 @@ import (
 	"github.com/gotunnel/internal/server/db"
 	"github.com/gotunnel/internal/server/tunnel"
 	"github.com/gotunnel/pkg/crypto"
-	"github.com/gotunnel/pkg/plugin"
 	"github.com/gotunnel/pkg/version"
 )

@@ -80,10 +79,8 @@ func main() {
 		log.Printf("[Server] TLS enabled")
 	}

-	// 初始化插件系统（用于客户端 JS 插件管理）
-	registry := plugin.NewRegistry()
-	server.SetPluginRegistry(registry)
-	server.SetJSPluginStore(clientStore) // 设置 JS 插件存储，用于客户端重连时恢复插件
+	// 设置流量存储，用于记录流量统计
+	server.SetTrafficStore(clientStore)

 	// 启动 Web 控制台
 	if cfg.Server.Web.Enabled {
--- a/go.mod
+++ b/go.mod
@@ -3,13 +3,13 @@ module github.com/gotunnel
 go 1.24.0

 require (
-	github.com/dop251/goja v0.0.0-20251201205617-2bb4c724c0f9
 	github.com/gin-gonic/gin v1.11.0
 	github.com/go-playground/validator/v10 v10.30.1
 	github.com/golang-jwt/jwt/v5 v5.3.0
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/websocket v1.5.3
 	github.com/hashicorp/yamux v0.1.1
+	github.com/kbinani/screenshot v0.0.0-20250624051815-089614a94018
 	github.com/shirou/gopsutil/v3 v3.24.5
 	github.com/swaggo/files v1.0.1
 	github.com/swaggo/gin-swagger v1.6.1
@@ -24,9 +24,9 @@ require (
 	github.com/bytedance/sonic v1.14.2 // indirect
 	github.com/bytedance/sonic/loader v0.4.0 // indirect
 	github.com/cloudwego/base64x v0.1.6 // indirect
-	github.com/dlclark/regexp2 v1.11.4 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.12 // indirect
+	github.com/gen2brain/shm v0.1.0 // indirect
 	github.com/gin-contrib/sse v1.1.0 // indirect
 	github.com/go-ole/go-ole v1.2.6 // indirect
 	github.com/go-openapi/jsonpointer v0.22.4 // indirect
@@ -41,15 +41,16 @@ require (
 	github.com/go-openapi/swag/yamlutils v0.25.4 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
-	github.com/go-sourcemap/sourcemap v2.1.3+incompatible // indirect
 	github.com/goccy/go-json v0.10.5 // indirect
 	github.com/goccy/go-yaml v1.19.1 // indirect
-	github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e // indirect
+	github.com/godbus/dbus/v5 v5.1.0 // indirect
+	github.com/jezek/xgb v1.1.1 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 	github.com/kr/text v0.2.0 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
+	github.com/lxn/win v0.0.0-20210218163916-a377121e959e // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
@@ -59,7 +60,7 @@ require (
 	github.com/quic-go/qpack v0.6.0 // indirect
 	github.com/quic-go/quic-go v0.58.0 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
-	github.com/shoenig/go-m1cpu v0.1.6 // indirect
+	github.com/shoenig/go-m1cpu v0.1.7 // indirect
 	github.com/tklauser/go-sysconf v0.3.12 // indirect
 	github.com/tklauser/numcpus v0.6.1 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
--- a/go.sum
+++ b/go.sum
@@ -1,7 +1,5 @@
 github.com/KyleBanks/depth v1.2.1 h1:5h8fQADFrWtarTdtDudMmGsC7GPbOAu6RVB3ffsVFHc=
 github.com/KyleBanks/depth v1.2.1/go.mod h1:jzSb9d0L43HxTQfT+oSA1EEp2q+ne2uh6XgeJcm8brE=
-github.com/Masterminds/semver/v3 v3.2.1 h1:RN9w6+7QoMeJVGyfmbcgs28Br8cvmnucEXnY0rYXWg0=
-github.com/Masterminds/semver/v3 v3.2.1/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ=
 github.com/bytedance/gopkg v0.1.3 h1:TPBSwH8RsouGCBcMBktLt1AymVo2TVsBVCY4b6TnZ/M=
 github.com/bytedance/gopkg v0.1.3/go.mod h1:576VvJ+eJgyCzdjS+c4+77QF3p7ubbtiKARP3TxducM=
 github.com/bytedance/sonic v1.14.2 h1:k1twIoe97C1DtYUo+fZQy865IuHia4PR5RPiuGPPIIE=
@@ -14,14 +12,12 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/dlclark/regexp2 v1.11.4 h1:rPYF9/LECdNymJufQKmri9gV604RvvABwgOA8un7yAo=
-github.com/dlclark/regexp2 v1.11.4/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
-github.com/dop251/goja v0.0.0-20251201205617-2bb4c724c0f9 h1:3uSSOd6mVlwcX3k5OYOpiDqFgRmaE2dBfLvVIFWWHrw=
-github.com/dop251/goja v0.0.0-20251201205617-2bb4c724c0f9/go.mod h1:MxLav0peU43GgvwVgNbLAj1s/bSGboKkhuULvq/7hx4=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
 github.com/gabriel-vasile/mimetype v1.4.12 h1:e9hWvmLYvtp846tLHam2o++qitpguFiYCKbn0w9jyqw=
 github.com/gabriel-vasile/mimetype v1.4.12/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
+github.com/gen2brain/shm v0.1.0 h1:MwPeg+zJQXN0RM9o+HqaSFypNoNEcNpeoGp0BTSx2YY=
+github.com/gen2brain/shm v0.1.0/go.mod h1:UgIcVtvmOu+aCJpqJX7GOtiN7X2ct+TKLg4RTxwPIUA=
 github.com/gin-contrib/gzip v0.0.6 h1:NjcunTcGAj5CO1gn4N8jHOSIeRFHIbn51z6K+xaN4d4=
 github.com/gin-contrib/gzip v0.0.6/go.mod h1:QOJlmV2xmayAjkNS2Y8NQsMneuRShOU/kjovCXNuzzk=
 github.com/gin-contrib/sse v1.1.0 h1:n0w2GMuUpWDVp7qSpvze6fAu9iRxJY4Hmj6AmBOU05w=
@@ -65,12 +61,12 @@ github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJn
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
 github.com/go-playground/validator/v10 v10.30.1 h1:f3zDSN/zOma+w6+1Wswgd9fLkdwy06ntQJp0BBvFG0w=
 github.com/go-playground/validator/v10 v10.30.1/go.mod h1:oSuBIQzuJxL//3MelwSLD5hc2Tu889bF0Idm9Dg26cM=
-github.com/go-sourcemap/sourcemap v2.1.3+incompatible h1:W1iEw64niKVGogNgBN3ePyLFfuisuzeidWPMPWmECqU=
-github.com/go-sourcemap/sourcemap v2.1.3+incompatible/go.mod h1:F8jJfvm2KbVjc5NqelyYJmf/v5J0dwNLS2mL4sNA1Jg=
 github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
 github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
 github.com/goccy/go-yaml v1.19.1 h1:3rG3+v8pkhRqoQ/88NYNMHYVGYztCOCIZ7UQhu7H+NE=
 github.com/goccy/go-yaml v1.19.1/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
+github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
+github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
 github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
@@ -85,8 +81,12 @@ github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aN
 github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/hashicorp/yamux v0.1.1 h1:yrQxtgseBDrq9Y652vSRDvsKCJKOUD+GzTS4Y0Y8pvE=
 github.com/hashicorp/yamux v0.1.1/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbgIO0SLnQ=
+github.com/jezek/xgb v1.1.1 h1:bE/r8ZZtSv7l9gk6nU0mYx51aXrvnyb44892TwSaqS4=
+github.com/jezek/xgb v1.1.1/go.mod h1:nrhwO0FX/enq75I7Y7G8iN1ubpSGZEiA3v9e9GyRFlk=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/kbinani/screenshot v0.0.0-20250624051815-089614a94018 h1:NQYgMY188uWrS+E/7xMVpydsI48PMHcc7SfR4OxkDF4=
+github.com/kbinani/screenshot v0.0.0-20250624051815-089614a94018/go.mod h1:Pmpz2BLf55auQZ67u3rvyI2vAQvNetkK/4zYUmpauZQ=
 github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
 github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
@@ -97,6 +97,8 @@ github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
 github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
 github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 h1:6E+4a0GO5zZEnZ81pIr0yLvtUWk2if982qA3F3QD6H4=
 github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I=
+github.com/lxn/win v0.0.0-20210218163916-a377121e959e h1:H+t6A/QJMbhCSEH5rAuRxh+CtW96g0Or0Fxa9IKr4uc=
+github.com/lxn/win v0.0.0-20210218163916-a377121e959e/go.mod h1:KxxjdtRkfNoYDCUP5ryK7XJJNTnpC8atvtmTheChOtk=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -122,10 +124,10 @@ github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjR
 github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
 github.com/shirou/gopsutil/v3 v3.24.5 h1:i0t8kL+kQTvpAYToeuiVk3TgDeKOFioZO3Ztz/iZ9pI=
 github.com/shirou/gopsutil/v3 v3.24.5/go.mod h1:bsoOS1aStSs9ErQ1WWfxllSeS1K5D+U30r2NfcubMVk=
-github.com/shoenig/go-m1cpu v0.1.6 h1:nxdKQNcEB6vzgA2E2bvzKIYRuNj7XNJ4S/aRSwKzFtM=
-github.com/shoenig/go-m1cpu v0.1.6/go.mod h1:1JJMcUBvfNwpq05QDQVAnx3gUHr9IYF7GNg9SUEw2VQ=
-github.com/shoenig/test v0.6.4 h1:kVTaSd7WLz5WZ2IaoM0RSzRsUD+m8wRR+5qvntpn4LU=
-github.com/shoenig/test v0.6.4/go.mod h1:byHiCGXqrVaflBLAMq/srcZIHynQPQgeyvkvXnjqq0k=
+github.com/shoenig/go-m1cpu v0.1.7 h1:C76Yd0ObKR82W4vhfjZiCp0HxcSZ8Nqd84v+HZ0qyI0=
+github.com/shoenig/go-m1cpu v0.1.7/go.mod h1:KkDOw6m3ZJQAPHbrzkZki4hnx+pDRR1Lo+ldA56wD5w=
+github.com/shoenig/test v1.7.0 h1:eWcHtTXa6QLnBvm0jgEabMRN/uJ4DMV3M8xUGgRkZmk=
+github.com/shoenig/test v1.7.0/go.mod h1:UxJ6u/x2v/TNs/LoLxBNJRV9DiwBBKYxXSyczsBHFoI=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
@@ -181,6 +183,7 @@ golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
 golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201018230417-eeed37f84f13/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -213,8 +216,6 @@ google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
-gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
--- a/internal/client/config/config.go
+++ b/internal/client/config/config.go
@@ -10,7 +10,6 @@ import (
 type ClientConfig struct {
 	Server string `yaml:"server"` // 服务器地址
 	Token  string `yaml:"token"`  // 认证 Token
-	ID     string `yaml:"id"`     // 客户端 ID
 	NoTLS  bool   `yaml:"no_tls"` // 禁用 TLS
 }

--- a/internal/client/tunnel/client.go
+++ b/internal/client/tunnel/client.go
--- a/internal/client/tunnel/machine_id.go
+++ b/internal/client/tunnel/machine_id.go
@@ -0,0 +1,152 @@
+package tunnel
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"net"
+	"os"
+	"os/exec"
+	"runtime"
+	"sort"
+	"strings"
+)
+
+// getMachineID builds a stable fingerprint from multiple host identifiers
+// and hashes the combined result into the client ID we expose externally.
+func getMachineID() string {
+	return hashID(strings.Join(collectMachineIDParts(), "|"))
+}
+
+func collectMachineIDParts() []string {
+	parts := []string{"os=" + runtime.GOOS, "arch=" + runtime.GOARCH}
+
+	if id := getSystemMachineID(); id != "" {
+		parts = append(parts, "system="+id)
+	}
+
+	if hostname, err := os.Hostname(); err == nil && hostname != "" {
+		parts = append(parts, "host="+hostname)
+	}
+
+	if macs := getMACAddresses(); len(macs) > 0 {
+		parts = append(parts, "macs="+strings.Join(macs, ","))
+	}
+
+	if names := getInterfaceNames(); len(names) > 0 {
+		parts = append(parts, "ifaces="+strings.Join(names, ","))
+	}
+
+	return parts
+}
+
+func getSystemMachineID() string {
+	switch runtime.GOOS {
+	case "linux":
+		return getLinuxMachineID()
+	case "darwin":
+		return getDarwinMachineID()
+	case "windows":
+		return getWindowsMachineID()
+	default:
+		return ""
+	}
+}
+
+func getLinuxMachineID() string {
+	if data, err := os.ReadFile("/etc/machine-id"); err == nil {
+		return strings.TrimSpace(string(data))
+	}
+	if data, err := os.ReadFile("/var/lib/dbus/machine-id"); err == nil {
+		return strings.TrimSpace(string(data))
+	}
+	return ""
+}
+
+func getDarwinMachineID() string {
+	cmd := exec.Command("ioreg", "-rd1", "-c", "IOPlatformExpertDevice")
+	output, err := cmd.Output()
+	if err != nil {
+		return ""
+	}
+
+	for _, line := range strings.Split(string(output), "\n") {
+		if !strings.Contains(line, "IOPlatformUUID") {
+			continue
+		}
+
+		parts := strings.Split(line, "=")
+		if len(parts) != 2 {
+			continue
+		}
+
+		uuid := strings.TrimSpace(parts[1])
+		return strings.Trim(uuid, "\"")
+	}
+
+	return ""
+}
+
+func getWindowsMachineID() string {
+	cmd := exec.Command("reg", "query", `HKLM\SOFTWARE\Microsoft\Cryptography`, "/v", "MachineGuid")
+	output, err := cmd.Output()
+	if err != nil {
+		return ""
+	}
+
+	for _, line := range strings.Split(string(output), "\n") {
+		if !strings.Contains(line, "MachineGuid") {
+			continue
+		}
+
+		fields := strings.Fields(line)
+		if len(fields) >= 3 {
+			return fields[len(fields)-1]
+		}
+	}
+
+	return ""
+}
+
+func getMACAddresses() []string {
+	interfaces, err := net.Interfaces()
+	if err != nil {
+		return nil
+	}
+
+	macs := make([]string, 0, len(interfaces))
+	for _, iface := range interfaces {
+		if iface.Flags&net.FlagLoopback != 0 {
+			continue
+		}
+		if len(iface.HardwareAddr) == 0 {
+			continue
+		}
+		macs = append(macs, iface.HardwareAddr.String())
+	}
+
+	sort.Strings(macs)
+	return macs
+}
+
+func getInterfaceNames() []string {
+	interfaces, err := net.Interfaces()
+	if err != nil {
+		return nil
+	}
+
+	names := make([]string, 0, len(interfaces))
+	for _, iface := range interfaces {
+		if iface.Flags&net.FlagLoopback != 0 {
+			continue
+		}
+		names = append(names, iface.Name)
+	}
+
+	sort.Strings(names)
+	return names
+}
+
+func hashID(id string) string {
+	hash := sha256.Sum256([]byte(id))
+	return hex.EncodeToString(hash[:])[:16]
+}
--- a/internal/server/app/app.go
+++ b/internal/server/app/app.go
@@ -20,7 +20,6 @@ type WebServer struct {
 	Server       router.ServerInterface
 	Config       *config.ServerConfig
 	ConfigPath   string
-	JSPluginStore db.JSPluginStore
 	TrafficStore db.TrafficStore
 }

@@ -31,7 +30,6 @@ func NewWebServer(cs db.ClientStore, srv router.ServerInterface, cfg *config.Ser
 		Server:       srv,
 		Config:       cfg,
 		ConfigPath:   cfgPath,
-		JSPluginStore: store,
 		TrafficStore: store,
 	}
 }
@@ -107,11 +105,6 @@ func (w *WebServer) SaveConfig() error {
 	return config.SaveServerConfig(w.ConfigPath, w.Config)
 }

-// GetJSPluginStore 获取 JS 插件存储
-func (w *WebServer) GetJSPluginStore() db.JSPluginStore {
-	return w.JSPluginStore
-}
-
 // GetTrafficStore 获取流量存储
 func (w *WebServer) GetTrafficStore() db.TrafficStore {
 	return w.TrafficStore
--- a/internal/server/config/config.go
+++ b/internal/server/config/config.go
@@ -13,22 +13,6 @@ type ServerConfig struct {
 	Server ServerSettings `yaml:"server"`
 }

-// PluginStoreSettings 插件仓库设置
-type PluginStoreSettings struct {
-	URL string `yaml:"url"` // 插件仓库 URL，为空则使用默认值
-}
-
-// 默认插件仓库 URL
-const DefaultPluginStoreURL = "https://git.92coco.cn/flik/GoTunnel-Plugins/raw/branch/main/store.json"
-
-// GetPluginStoreURL 获取插件仓库 URL
-func (s *PluginStoreSettings) GetPluginStoreURL() string {
-	if s.URL != "" {
-		return s.URL
-	}
-	return DefaultPluginStoreURL
-}
-
 // ServerSettings 服务端设置
 type ServerSettings struct {
 	BindAddr         string      `yaml:"bind_addr"`
@@ -39,7 +23,6 @@ type ServerSettings struct {
 	DBPath           string      `yaml:"db_path"`
 	TLSDisabled      bool        `yaml:"tls_disabled"`
 	Web              WebSettings `yaml:"web"`
-	PluginStore      PluginStoreSettings `yaml:"plugin_store"`
 }

 // WebSettings Web控制台设置
--- a/internal/server/db/install_token.go
+++ b/internal/server/db/install_token.go
@@ -0,0 +1,45 @@
+package db
+
+// CreateInstallToken 创建安装token
+func (s *SQLiteStore) CreateInstallToken(token *InstallToken) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	_, err := s.db.Exec(`INSERT INTO install_tokens (token, client_id, created_at, used) VALUES (?, '', ?, ?)`,
+		token.Token, token.CreatedAt, 0)
+	return err
+}
+
+// GetInstallToken 获取安装token
+func (s *SQLiteStore) GetInstallToken(token string) (*InstallToken, error) {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+
+	var t InstallToken
+	var used int
+	err := s.db.QueryRow(`SELECT token, created_at, used FROM install_tokens WHERE token = ?`, token).
+		Scan(&t.Token, &t.CreatedAt, &used)
+	if err != nil {
+		return nil, err
+	}
+	t.Used = used == 1
+	return &t, nil
+}
+
+// MarkTokenUsed 标记token已使用
+func (s *SQLiteStore) MarkTokenUsed(token string) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	_, err := s.db.Exec(`UPDATE install_tokens SET used = 1 WHERE token = ?`, token)
+	return err
+}
+
+// DeleteExpiredTokens 删除过期token
+func (s *SQLiteStore) DeleteExpiredTokens(expireTime int64) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	_, err := s.db.Exec(`DELETE FROM install_tokens WHERE created_at < ?`, expireTime)
+	return err
+}
--- a/internal/server/db/interface.go
+++ b/internal/server/db/interface.go
@@ -2,52 +2,11 @@ package db

 import "github.com/gotunnel/pkg/protocol"

-// ConfigField 配置字段定义
-type ConfigField struct {
-	Key         string   `json:"key"`
-	Label       string   `json:"label"`
-	Type        string   `json:"type"`
-	Default     string   `json:"default,omitempty"`
-	Required    bool     `json:"required,omitempty"`
-	Options     []string `json:"options,omitempty"`
-	Description string   `json:"description,omitempty"`
-}
-
-// ClientPlugin 客户端已安装的插件
-type ClientPlugin struct {
-	ID           string            `json:"id"`                      // 插件实例唯一 ID
-	Name         string            `json:"name"`
-	Version      string            `json:"version"`
-	Enabled      bool              `json:"enabled"`
-	Running      bool              `json:"running"`                 // 运行状态
-	Config       map[string]string `json:"config,omitempty"`        // 插件配置
-	RemotePort   int               `json:"remote_port,omitempty"`   // 远程监听端口
-	ConfigSchema []ConfigField     `json:"config_schema,omitempty"` // 配置模式
-	AuthEnabled  bool              `json:"auth_enabled,omitempty"`  // 是否启用认证
-	AuthUsername string            `json:"auth_username,omitempty"` // 认证用户名
-	AuthPassword string            `json:"auth_password,omitempty"` // 认证密码
-}
-
 // Client 客户端数据
 type Client struct {
 	ID       string               `json:"id"`
 	Nickname string               `json:"nickname,omitempty"`
 	Rules    []protocol.ProxyRule `json:"rules"`
-	Plugins  []ClientPlugin       `json:"plugins,omitempty"` // 已安装的插件
-}
-
-// JSPlugin JS 插件数据
-type JSPlugin struct {
-	Name        string            `json:"name"`
-	Source      string            `json:"source"`
-	Signature   string            `json:"signature"` // 官方签名 (Base64)
-	Description string            `json:"description"`
-	Author      string            `json:"author"`
-	Version     string            `json:"version,omitempty"`
-	AutoPush    []string          `json:"auto_push"`
-	Config      map[string]string `json:"config"`
-	AutoStart   bool              `json:"auto_start"`
-	Enabled     bool              `json:"enabled"`
 }

 // ClientStore 客户端存储接口
@@ -62,20 +21,9 @@ type ClientStore interface {
 	Close() error
 }

-// JSPluginStore JS 插件存储接口
-type JSPluginStore interface {
-	GetAllJSPlugins() ([]JSPlugin, error)
-	GetJSPlugin(name string) (*JSPlugin, error)
-	SaveJSPlugin(p *JSPlugin) error
-	DeleteJSPlugin(name string) error
-	SetJSPluginEnabled(name string, enabled bool) error
-	UpdateJSPluginConfig(name string, config map[string]string) error
-}
-
 // Store 统一存储接口
 type Store interface {
 	ClientStore
-	JSPluginStore
 	TrafficStore
 	Close() error
 }
@@ -94,3 +42,18 @@ type TrafficStore interface {
 	Get24HourTraffic() (inbound, outbound int64, err error)
 	GetHourlyTraffic(hours int) ([]TrafficRecord, error)
 }
+
+// InstallToken 安装token
+type InstallToken struct {
+	Token     string `json:"token"`
+	CreatedAt int64  `json:"created_at"`
+	Used      bool   `json:"used"`
+}
+
+// InstallTokenStore 安装token存储接口
+type InstallTokenStore interface {
+	CreateInstallToken(token *InstallToken) error
+	GetInstallToken(token string) (*InstallToken, error)
+	MarkTokenUsed(token string) error
+	DeleteExpiredTokens(expireTime int64) error
+}
--- a/internal/server/db/sqlite.go
+++ b/internal/server/db/sqlite.go
@@ -40,8 +40,7 @@ func (s *SQLiteStore) init() error {
 		CREATE TABLE IF NOT EXISTS clients (
 			id TEXT PRIMARY KEY,
 			nickname TEXT NOT NULL DEFAULT '',
-			rules TEXT NOT NULL DEFAULT '[]',
-			plugins TEXT NOT NULL DEFAULT '[]'
+			rules TEXT NOT NULL DEFAULT '[]'
 		)
 	`)
 	if err != nil {
@@ -50,36 +49,6 @@ func (s *SQLiteStore) init() error {

 	// 迁移：添加 nickname 列
 	s.db.Exec(`ALTER TABLE clients ADD COLUMN nickname TEXT NOT NULL DEFAULT ''`)
-	// 迁移：添加 plugins 列
-	s.db.Exec(`ALTER TABLE clients ADD COLUMN plugins TEXT NOT NULL DEFAULT '[]'`)
-
-	// 创建 JS 插件表
-	_, err = s.db.Exec(`
-		CREATE TABLE IF NOT EXISTS js_plugins (
-			name TEXT PRIMARY KEY,
-			source TEXT NOT NULL,
-			signature TEXT NOT NULL DEFAULT '',
-			description TEXT,
-			author TEXT,
-			version TEXT DEFAULT '',
-			auto_push TEXT NOT NULL DEFAULT '[]',
-			config TEXT NOT NULL DEFAULT '{}',
-			auto_start INTEGER DEFAULT 1,
-			enabled INTEGER DEFAULT 1,
-			created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
-			updated_at DATETIME DEFAULT CURRENT_TIMESTAMP
-		)
-	`)
-	if err != nil {
-		return err
-	}
-
-	// 迁移：添加 signature 列
-	s.db.Exec(`ALTER TABLE js_plugins ADD COLUMN signature TEXT NOT NULL DEFAULT ''`)
-	// 迁移：添加 version 列
-	s.db.Exec(`ALTER TABLE js_plugins ADD COLUMN version TEXT DEFAULT ''`)
-	// 迁移：添加 updated_at 列
-	s.db.Exec(`ALTER TABLE js_plugins ADD COLUMN updated_at DATETIME DEFAULT CURRENT_TIMESTAMP`)

 	// 创建流量统计表
 	_, err = s.db.Exec(`
@@ -108,6 +77,19 @@ func (s *SQLiteStore) init() error {
 	// 初始化总流量记录
 	s.db.Exec(`INSERT OR IGNORE INTO traffic_total (id, inbound, outbound) VALUES (1, 0, 0)`)

+	// 创建安装token表
+	_, err = s.db.Exec(`
+		CREATE TABLE IF NOT EXISTS install_tokens (
+			token TEXT PRIMARY KEY,
+			client_id TEXT NOT NULL DEFAULT '',
+			created_at INTEGER NOT NULL,
+			used INTEGER NOT NULL DEFAULT 0
+		)
+	`)
+	if err != nil {
+		return err
+	}
+
 	return nil
 }

@@ -121,7 +103,7 @@ func (s *SQLiteStore) GetAllClients() ([]Client, error) {
 	s.mu.RLock()
 	defer s.mu.RUnlock()

-	rows, err := s.db.Query(`SELECT id, nickname, rules, plugins FROM clients`)
+	rows, err := s.db.Query(`SELECT id, nickname, rules FROM clients`)
 	if err != nil {
 		return nil, err
 	}
@@ -130,16 +112,13 @@ func (s *SQLiteStore) GetAllClients() ([]Client, error) {
 	var clients []Client
 	for rows.Next() {
 		var c Client
-		var rulesJSON, pluginsJSON string
-		if err := rows.Scan(&c.ID, &c.Nickname, &rulesJSON, &pluginsJSON); err != nil {
+		var rulesJSON string
+		if err := rows.Scan(&c.ID, &c.Nickname, &rulesJSON); err != nil {
 			return nil, err
 		}
 		if err := json.Unmarshal([]byte(rulesJSON), &c.Rules); err != nil {
 			c.Rules = []protocol.ProxyRule{}
 		}
-		if err := json.Unmarshal([]byte(pluginsJSON), &c.Plugins); err != nil {
-			c.Plugins = []ClientPlugin{}
-		}
 		clients = append(clients, c)
 	}
 	return clients, nil
@@ -151,17 +130,14 @@ func (s *SQLiteStore) GetClient(id string) (*Client, error) {
 	defer s.mu.RUnlock()

 	var c Client
-	var rulesJSON, pluginsJSON string
-	err := s.db.QueryRow(`SELECT id, nickname, rules, plugins FROM clients WHERE id = ?`, id).Scan(&c.ID, &c.Nickname, &rulesJSON, &pluginsJSON)
+	var rulesJSON string
+	err := s.db.QueryRow(`SELECT id, nickname, rules FROM clients WHERE id = ?`, id).Scan(&c.ID, &c.Nickname, &rulesJSON)
 	if err != nil {
 		return nil, err
 	}
 	if err := json.Unmarshal([]byte(rulesJSON), &c.Rules); err != nil {
 		c.Rules = []protocol.ProxyRule{}
 	}
-	if err := json.Unmarshal([]byte(pluginsJSON), &c.Plugins); err != nil {
-		c.Plugins = []ClientPlugin{}
-	}
 	return &c, nil
 }

@@ -174,12 +150,8 @@ func (s *SQLiteStore) CreateClient(c *Client) error {
 	if err != nil {
 		return err
 	}
-	pluginsJSON, err := json.Marshal(c.Plugins)
-	if err != nil {
-		return err
-	}
-	_, err = s.db.Exec(`INSERT INTO clients (id, nickname, rules, plugins) VALUES (?, ?, ?, ?)`,
-		c.ID, c.Nickname, string(rulesJSON), string(pluginsJSON))
+	_, err = s.db.Exec(`INSERT INTO clients (id, nickname, rules) VALUES (?, ?, ?)`,
+		c.ID, c.Nickname, string(rulesJSON))
 	return err
 }

@@ -192,12 +164,8 @@ func (s *SQLiteStore) UpdateClient(c *Client) error {
 	if err != nil {
 		return err
 	}
-	pluginsJSON, err := json.Marshal(c.Plugins)
-	if err != nil {
-		return err
-	}
-	_, err = s.db.Exec(`UPDATE clients SET nickname = ?, rules = ?, plugins = ? WHERE id = ?`,
-		c.Nickname, string(rulesJSON), string(pluginsJSON), c.ID)
+	_, err = s.db.Exec(`UPDATE clients SET nickname = ?, rules = ? WHERE id = ?`,
+		c.Nickname, string(rulesJSON), c.ID)
 	return err
 }

@@ -229,121 +197,6 @@ func (s *SQLiteStore) GetClientRules(id string) ([]protocol.ProxyRule, error) {
 	return c.Rules, nil
 }

-// ========== JS 插件存储方法 ==========
-
-// GetAllJSPlugins 获取所有 JS 插件
-func (s *SQLiteStore) GetAllJSPlugins() ([]JSPlugin, error) {
-	s.mu.RLock()
-	defer s.mu.RUnlock()
-
-	rows, err := s.db.Query(`
-		SELECT name, source, signature, description, author, version, auto_push, config, auto_start, enabled
-		FROM js_plugins
-	`)
-	if err != nil {
-		return nil, err
-	}
-	defer rows.Close()
-
-	var plugins []JSPlugin
-	for rows.Next() {
-		var p JSPlugin
-		var autoPushJSON, configJSON string
-		var version sql.NullString
-		var autoStart, enabled int
-		err := rows.Scan(&p.Name, &p.Source, &p.Signature, &p.Description, &p.Author,
-			&version, &autoPushJSON, &configJSON, &autoStart, &enabled)
-		if err != nil {
-			return nil, err
-		}
-		p.Version = version.String
-		json.Unmarshal([]byte(autoPushJSON), &p.AutoPush)
-		json.Unmarshal([]byte(configJSON), &p.Config)
-		p.AutoStart = autoStart == 1
-		p.Enabled = enabled == 1
-		plugins = append(plugins, p)
-	}
-	return plugins, nil
-}
-
-// GetJSPlugin 获取单个 JS 插件
-func (s *SQLiteStore) GetJSPlugin(name string) (*JSPlugin, error) {
-	s.mu.RLock()
-	defer s.mu.RUnlock()
-
-	var p JSPlugin
-	var autoPushJSON, configJSON string
-	var version sql.NullString
-	var autoStart, enabled int
-	err := s.db.QueryRow(`
-		SELECT name, source, signature, description, author, version, auto_push, config, auto_start, enabled
-		FROM js_plugins WHERE name = ?
-	`, name).Scan(&p.Name, &p.Source, &p.Signature, &p.Description, &p.Author,
-		&version, &autoPushJSON, &configJSON, &autoStart, &enabled)
-	if err != nil {
-		return nil, err
-	}
-	p.Version = version.String
-	json.Unmarshal([]byte(autoPushJSON), &p.AutoPush)
-	json.Unmarshal([]byte(configJSON), &p.Config)
-	p.AutoStart = autoStart == 1
-	p.Enabled = enabled == 1
-	return &p, nil
-}
-
-// SaveJSPlugin 保存 JS 插件
-func (s *SQLiteStore) SaveJSPlugin(p *JSPlugin) error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	autoPushJSON, _ := json.Marshal(p.AutoPush)
-	configJSON, _ := json.Marshal(p.Config)
-	autoStart, enabled := 0, 0
-	if p.AutoStart {
-		autoStart = 1
-	}
-	if p.Enabled {
-		enabled = 1
-	}
-
-	_, err := s.db.Exec(`
-		INSERT OR REPLACE INTO js_plugins
-		(name, source, signature, description, author, version, auto_push, config, auto_start, enabled, updated_at)
-		VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, CURRENT_TIMESTAMP)
-	`, p.Name, p.Source, p.Signature, p.Description, p.Author, p.Version,
-		string(autoPushJSON), string(configJSON), autoStart, enabled)
-	return err
-}
-
-// DeleteJSPlugin 删除 JS 插件
-func (s *SQLiteStore) DeleteJSPlugin(name string) error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	_, err := s.db.Exec(`DELETE FROM js_plugins WHERE name = ?`, name)
-	return err
-}
-
-// SetJSPluginEnabled 设置 JS 插件启用状态
-func (s *SQLiteStore) SetJSPluginEnabled(name string, enabled bool) error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	val := 0
-	if enabled {
-		val = 1
-	}
-	_, err := s.db.Exec(`UPDATE js_plugins SET enabled = ?, updated_at = CURRENT_TIMESTAMP WHERE name = ?`, val, name)
-	return err
-}
-
-// UpdateJSPluginConfig 更新 JS 插件配置
-func (s *SQLiteStore) UpdateJSPluginConfig(name string, config map[string]string) error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	configJSON, _ := json.Marshal(config)
-	_, err := s.db.Exec(`UPDATE js_plugins SET config = ?, updated_at = CURRENT_TIMESTAMP WHERE name = ?`, string(configJSON), name)
-	return err
-}
-
 // ========== 流量统计方法 ==========

 // getHourTimestamp 获取当前小时的时间戳
@@ -397,12 +250,17 @@ func (s *SQLiteStore) Get24HourTraffic() (inbound, outbound int64, err error) {
 	return
 }

-// GetHourlyTraffic 获取每小时流量记录
+// GetHourlyTraffic 获取每小时流量记录（始终返回完整的 hours 小时数据）
 func (s *SQLiteStore) GetHourlyTraffic(hours int) ([]TrafficRecord, error) {
 	s.mu.RLock()
 	defer s.mu.RUnlock()

-	cutoff := time.Now().Add(-time.Duration(hours) * time.Hour).Unix()
+	// 计算当前小时的起始时间戳
+	now := time.Now()
+	currentHour := time.Date(now.Year(), now.Month(), now.Day(), now.Hour(), 0, 0, 0, now.Location())
+
+	// 查询数据库中的记录
+	cutoff := currentHour.Add(-time.Duration(hours-1) * time.Hour).Unix()
 	rows, err := s.db.Query(`
 		SELECT hour_ts, inbound, outbound FROM traffic_stats
 		WHERE hour_ts >= ? ORDER BY hour_ts ASC
@@ -412,13 +270,26 @@ func (s *SQLiteStore) GetHourlyTraffic(hours int) ([]TrafficRecord, error) {
 	}
 	defer rows.Close()

-	var records []TrafficRecord
+	// 将数据库记录放入 map 以便快速查找
+	dbRecords := make(map[int64]TrafficRecord)
 	for rows.Next() {
 		var r TrafficRecord
 		if err := rows.Scan(&r.Timestamp, &r.Inbound, &r.Outbound); err != nil {
 			return nil, err
 		}
-		records = append(records, r)
+		dbRecords[r.Timestamp] = r
 	}
+
+	// 生成完整的 hours 小时数据
+	records := make([]TrafficRecord, hours)
+	for i := 0; i < hours; i++ {
+		ts := currentHour.Add(-time.Duration(hours-1-i) * time.Hour).Unix()
+		if r, ok := dbRecords[ts]; ok {
+			records[i] = r
+		} else {
+			records[i] = TrafficRecord{Timestamp: ts, Inbound: 0, Outbound: 0}
+		}
+	}
+
 	return records, nil
 }
--- a/internal/server/plugin/manager.go
+++ b/internal/server/plugin/manager.go
@@ -1,34 +0,0 @@
-package plugin
-
-import (
-	"sync"
-
-	"github.com/gotunnel/pkg/plugin"
-)
-
-// Manager 服务端 plugin 管理器
-type Manager struct {
-	registry *plugin.Registry
-	mu       sync.RWMutex
-}
-
-// NewManager 创建 plugin 管理器
-func NewManager() (*Manager, error) {
-	registry := plugin.NewRegistry()
-
-	m := &Manager{
-		registry: registry,
-	}
-
-	return m, nil
-}
-
-// ListPlugins 返回所有插件
-func (m *Manager) ListPlugins() []plugin.Info {
-	return m.registry.List()
-}
-
-// GetRegistry 返回插件注册表
-func (m *Manager) GetRegistry() *plugin.Registry {
-	return m.registry
-}
--- a/internal/server/router/dto/client.go
+++ b/internal/server/router/dto/client.go
@@ -1,7 +1,6 @@
 package dto

 import (
-	"github.com/gotunnel/internal/server/db"
 	"github.com/gotunnel/pkg/protocol"
 )

@@ -17,7 +16,6 @@ type CreateClientRequest struct {
 type UpdateClientRequest struct {
 	Nickname string               `json:"nickname" binding:"max=128" example:"My Client"`
 	Rules    []protocol.ProxyRule `json:"rules"`
-	Plugins  []db.ClientPlugin    `json:"plugins"`
 }

 // ClientResponse 客户端详情响应
@@ -26,7 +24,6 @@ type ClientResponse struct {
 	ID         string               `json:"id" example:"client-001"`
 	Nickname   string               `json:"nickname,omitempty" example:"My Client"`
 	Rules      []protocol.ProxyRule `json:"rules"`
-	Plugins    []db.ClientPlugin    `json:"plugins,omitempty"`
 	Online     bool                 `json:"online" example:"true"`
 	LastPing   string               `json:"last_ping,omitempty" example:"2025-01-02T10:30:00Z"`
 	RemoteAddr string               `json:"remote_addr,omitempty" example:"192.168.1.100:54321"`
@@ -47,17 +44,3 @@ type ClientListItem struct {
 	OS         string `json:"os,omitempty" example:"linux"`
 	Arch       string `json:"arch,omitempty" example:"amd64"`
 }
-
-// InstallPluginsRequest 安装插件到客户端请求
-// @Description 安装插件到指定客户端
-type InstallPluginsRequest struct {
-	Plugins []string `json:"plugins" binding:"required,min=1,dive,required" example:"socks5,http-proxy"`
-}
-
-// ClientPluginActionRequest 客户端插件操作请求
-// @Description 对客户端插件执行操作
-type ClientPluginActionRequest struct {
-	RuleName string            `json:"rule_name"`
-	Config   map[string]string `json:"config,omitempty"`
-	Restart  bool              `json:"restart"`
-}
--- a/internal/server/router/dto/config.go
+++ b/internal/server/router/dto/config.go
@@ -1,15 +1,12 @@
 package dto

-// UpdateServerConfigRequest 更新服务器配置请求
-// @Description 更新服务器配置
+// UpdateServerConfigRequest is the config update payload.
 type UpdateServerConfigRequest struct {
 	Server *ServerConfigPart `json:"server"`
 	Web    *WebConfigPart    `json:"web"`
-	PluginStore *PluginStoreConfigPart `json:"plugin_store"`
 }

-// ServerConfigPart 服务器配置部分
-// @Description 隧道服务器配置
+// ServerConfigPart is the server config subset.
 type ServerConfigPart struct {
 	BindAddr         string `json:"bind_addr" binding:"omitempty"`
 	BindPort         int    `json:"bind_port" binding:"omitempty,min=1,max=65535"`
@@ -18,8 +15,7 @@ type ServerConfigPart struct {
 	HeartbeatTimeout int    `json:"heartbeat_timeout" binding:"omitempty,min=1,max=600"`
 }

-// WebConfigPart Web 配置部分
-// @Description Web 控制台配置
+// WebConfigPart is the web console config subset.
 type WebConfigPart struct {
 	Enabled  bool   `json:"enabled"`
 	BindPort int    `json:"bind_port" binding:"omitempty,min=1,max=65535"`
@@ -27,37 +23,25 @@ type WebConfigPart struct {
 	Password string `json:"password" binding:"omitempty,min=6,max=64"`
 }

-// ServerConfigResponse 服务器配置响应
-// @Description 服务器配置信息
+// ServerConfigResponse is the config response payload.
 type ServerConfigResponse struct {
 	Server ServerConfigInfo `json:"server"`
 	Web    WebConfigInfo    `json:"web"`
-	PluginStore PluginStoreConfigInfo `json:"plugin_store"`
 }

-// ServerConfigInfo 服务器配置信息
+// ServerConfigInfo describes the server config.
 type ServerConfigInfo struct {
 	BindAddr         string `json:"bind_addr"`
 	BindPort         int    `json:"bind_port"`
-	Token            string `json:"token"` // 脱敏后的 token
+	Token            string `json:"token"`
 	HeartbeatSec     int    `json:"heartbeat_sec"`
 	HeartbeatTimeout int    `json:"heartbeat_timeout"`
 }

-// WebConfigInfo Web 配置信息
+// WebConfigInfo describes the web console config.
 type WebConfigInfo struct {
 	Enabled  bool   `json:"enabled"`
 	BindPort int    `json:"bind_port"`
 	Username string `json:"username"`
-	Password string `json:"password"` // 显示为 ****
-}
-
-// PluginStoreConfigPart 插件商店配置部分
-type PluginStoreConfigPart struct {
-	URL string `json:"url"`
-}
-
-// PluginStoreConfigInfo 插件商店配置信息
-type PluginStoreConfigInfo struct {
-	URL string `json:"url"`
+	Password string `json:"password"`
 }
--- a/internal/server/router/dto/plugin.go
+++ b/internal/server/router/dto/plugin.go
@@ -1,119 +0,0 @@
-package dto
-
-// PluginConfigRequest 更新插件配置请求
-// @Description 更新客户端插件配置
-type PluginConfigRequest struct {
-	Config map[string]string `json:"config" binding:"required"`
-}
-
-// PluginConfigResponse 插件配置响应
-// @Description 插件配置详情
-type PluginConfigResponse struct {
-	PluginName string        `json:"plugin_name"`
-	Schema     []ConfigField `json:"schema"`
-	Config     map[string]string `json:"config"`
-}
-
-// ConfigField 配置字段定义
-// @Description 配置表单字段
-type ConfigField struct {
-	Key         string   `json:"key"`
-	Label       string   `json:"label"`
-	Type        string   `json:"type"`
-	Default     string   `json:"default,omitempty"`
-	Required    bool     `json:"required,omitempty"`
-	Options     []string `json:"options,omitempty"`
-	Description string   `json:"description,omitempty"`
-}
-
-// RuleSchema 规则表单模式
-// @Description 代理规则的配置模式
-type RuleSchema struct {
-	NeedsLocalAddr bool          `json:"needs_local_addr"`
-	ExtraFields    []ConfigField `json:"extra_fields,omitempty"`
-}
-
-// PluginInfo 插件信息
-// @Description 服务端插件信息
-type PluginInfo struct {
-	Name        string      `json:"name"`
-	Version     string      `json:"version"`
-	Type        string      `json:"type"`
-	Description string      `json:"description"`
-	Source      string      `json:"source"`
-	Icon        string      `json:"icon,omitempty"`
-	Enabled     bool        `json:"enabled"`
-	RuleSchema  *RuleSchema `json:"rule_schema,omitempty"`
-}
-
-// JSPluginCreateRequest 创建 JS 插件请求
-// @Description 创建新的 JS 插件
-type JSPluginCreateRequest struct {
-	Name        string            `json:"name" binding:"required,min=1,max=64"`
-	Source      string            `json:"source" binding:"required"`
-	Signature   string            `json:"signature"`
-	Description string            `json:"description" binding:"max=500"`
-	Author      string            `json:"author" binding:"max=64"`
-	Config      map[string]string `json:"config"`
-	AutoStart   bool              `json:"auto_start"`
-}
-
-// JSPluginUpdateRequest 更新 JS 插件请求
-// @Description 更新 JS 插件
-type JSPluginUpdateRequest struct {
-	Source      string            `json:"source"`
-	Signature   string            `json:"signature"`
-	Description string            `json:"description" binding:"max=500"`
-	Author      string            `json:"author" binding:"max=64"`
-	Config      map[string]string `json:"config"`
-	AutoStart   bool              `json:"auto_start"`
-	Enabled     bool              `json:"enabled"`
-}
-
-// JSPluginInstallRequest JS 插件安装请求
-// @Description 安装 JS 插件到客户端
-type JSPluginInstallRequest struct {
-	PluginName string            `json:"plugin_name" binding:"required"`
-	Source     string            `json:"source" binding:"required"`
-	Signature  string            `json:"signature"`
-	RuleName   string            `json:"rule_name"`
-	RemotePort int               `json:"remote_port"`
-	Config     map[string]string `json:"config"`
-	AutoStart  bool              `json:"auto_start"`
-}
-
-// StorePluginInfo 扩展商店插件信息
-// @Description 插件商店中的插件信息
-type StorePluginInfo struct {
-	Name         string        `json:"name"`
-	Version      string        `json:"version"`
-	Type         string        `json:"type"`
-	Description  string        `json:"description"`
-	Author       string        `json:"author"`
-	Icon         string        `json:"icon,omitempty"`
-	DownloadURL  string        `json:"download_url,omitempty"`
-	SignatureURL string        `json:"signature_url,omitempty"`
-	ConfigSchema []ConfigField `json:"config_schema,omitempty"`
-}
-
-// StoreInstallRequest 从商店安装插件请求
-// @Description 从插件商店安装插件到客户端
-type StoreInstallRequest struct {
-	PluginName   string        `json:"plugin_name" binding:"required"`
-	Version      string        `json:"version"`
-	DownloadURL  string        `json:"download_url" binding:"required,url"`
-	SignatureURL string        `json:"signature_url" binding:"required,url"`
-	ClientID     string        `json:"client_id" binding:"required"`
-	RemotePort   int           `json:"remote_port"`
-	ConfigSchema []ConfigField `json:"config_schema,omitempty"`
-	// HTTP Basic Auth 配置
-	AuthEnabled  bool   `json:"auth_enabled,omitempty"`
-	AuthUsername string `json:"auth_username,omitempty"`
-	AuthPassword string `json:"auth_password,omitempty"`
-}
-
-// JSPluginPushRequest 推送 JS 插件到客户端请求
-// @Description 推送 JS 插件到指定客户端
-type JSPluginPushRequest struct {
-	RemotePort int `json:"remote_port"`
-}
--- a/internal/server/router/handler/client.go
+++ b/internal/server/router/handler/client.go
@@ -6,7 +6,6 @@ import (
 	"github.com/gin-gonic/gin"
 	"github.com/gotunnel/internal/server/db"
 	"github.com/gotunnel/internal/server/router/dto"
-	"github.com/gotunnel/pkg/protocol"
 )

 // ClientHandler 客户端处理器
@@ -115,41 +114,18 @@ func (h *ClientHandler) Get(c *gin.Context) {
 		return
 	}

-	online, lastPing, remoteAddr, clientOS, clientArch, clientVersion := h.app.GetServer().GetClientStatus(clientID)
+	online, lastPing, remoteAddr, clientName, clientOS, clientArch, clientVersion := h.app.GetServer().GetClientStatus(clientID)

-	// 复制插件列表
-	plugins := make([]db.ClientPlugin, len(client.Plugins))
-	copy(plugins, client.Plugins)
-
-	// 如果客户端在线，获取实时插件运行状态
-	if online {
-		if statusList, err := h.app.GetServer().GetClientPluginStatus(clientID); err == nil {
-			// 创建运行中插件的映射
-			runningPlugins := make(map[string]bool)
-			for _, s := range statusList {
-				runningPlugins[s.PluginName] = s.Running
-			}
-			// 更新插件状态
-			for i := range plugins {
-				if running, ok := runningPlugins[plugins[i].Name]; ok {
-					plugins[i].Running = running
-				} else {
-					plugins[i].Running = false
-				}
-			}
-		}
-	} else {
-		// 客户端离线时，所有插件都标记为未运行
-		for i := range plugins {
-			plugins[i].Running = false
-		}
+	// 如果客户端在线且有名称，优先使用在线名称
+	nickname := client.Nickname
+	if online && clientName != "" && nickname == "" {
+		nickname = clientName
 	}

 	resp := dto.ClientResponse{
 		ID:         client.ID,
-		Nickname:   client.Nickname,
+		Nickname:   nickname,
 		Rules:      client.Rules,
-		Plugins:    plugins,
 		Online:     online,
 		LastPing:   lastPing,
 		RemoteAddr: remoteAddr,
@@ -190,9 +166,6 @@ func (h *ClientHandler) Update(c *gin.Context) {

 	client.Nickname = req.Nickname
 	client.Rules = req.Rules
-	if req.Plugins != nil {
-		client.Plugins = req.Plugins
-	}

 	if err := h.app.GetClientStore().UpdateClient(client); err != nil {
 		InternalError(c, err.Error())
@@ -242,8 +215,7 @@ func (h *ClientHandler) Delete(c *gin.Context) {
 func (h *ClientHandler) PushConfig(c *gin.Context) {
 	clientID := c.Param("id")

-	online, _, _, _, _, _ := h.app.GetServer().GetClientStatus(clientID)
-	if !online {
+	if !h.app.GetServer().IsClientOnline(clientID) {
 		ClientNotOnline(c)
 		return
 	}
@@ -296,160 +268,12 @@ func (h *ClientHandler) Restart(c *gin.Context) {
 	SuccessWithMessage(c, gin.H{"status": "ok"}, "client restart initiated")
 }

-// InstallPlugins 安装插件到客户端
-// @Summary 安装插件
-// @Description 将指定插件安装到客户端
-// @Tags 客户端
-// @Accept json
-// @Produce json
-// @Security Bearer
-// @Param id path string true "客户端ID"
-// @Param request body dto.InstallPluginsRequest true "插件列表"
-// @Success 200 {object} Response
 // @Failure 400 {object} Response
 // @Router /api/client/{id}/install-plugins [post]
-func (h *ClientHandler) InstallPlugins(c *gin.Context) {
-	clientID := c.Param("id")

-	online, _, _, _, _, _ := h.app.GetServer().GetClientStatus(clientID)
-	if !online {
-		ClientNotOnline(c)
-		return
-	}
-
-	var req dto.InstallPluginsRequest
-	if !BindJSON(c, &req) {
-		return
-	}
-
-	if err := h.app.GetServer().InstallPluginsToClient(clientID, req.Plugins); err != nil {
-		InternalError(c, err.Error())
-		return
-	}
-
-	Success(c, gin.H{"status": "ok"})
-}
-
-// PluginAction 客户端插件操作
-// @Summary 插件操作
-// @Description 对客户端插件执行操作(start/stop/restart/config/delete)
-// @Tags 客户端
-// @Accept json
-// @Produce json
-// @Security Bearer
-// @Param id path string true "客户端ID"
-// @Param pluginID path string true "插件实例ID"
-// @Param action path string true "操作类型" Enums(start, stop, restart, config, delete)
-// @Param request body dto.ClientPluginActionRequest false "操作参数"
-// @Success 200 {object} Response
 // @Failure 400 {object} Response
 // @Router /api/client/{id}/plugin/{pluginID}/{action} [post]
-func (h *ClientHandler) PluginAction(c *gin.Context) {
-	clientID := c.Param("id")
-	pluginID := c.Param("pluginID")
-	action := c.Param("action")

-	var req dto.ClientPluginActionRequest
-	c.ShouldBindJSON(&req) // 忽略错误，使用默认值
-
-	// 通过 pluginID 查找插件信息
-	client, err := h.app.GetClientStore().GetClient(clientID)
-	if err != nil {
-		NotFound(c, "client not found")
-		return
-	}
-
-	var pluginName string
-	for _, p := range client.Plugins {
-		if p.ID == pluginID {
-			pluginName = p.Name
-			break
-		}
-	}
-	if pluginName == "" {
-		NotFound(c, "plugin not found")
-		return
-	}
-
-	if req.RuleName == "" {
-		req.RuleName = pluginName
-	}
-
-	switch action {
-	case "start":
-		err = h.app.GetServer().StartClientPlugin(clientID, pluginID, pluginName, req.RuleName)
-	case "stop":
-		err = h.app.GetServer().StopClientPlugin(clientID, pluginID, pluginName, req.RuleName)
-	case "restart":
-		err = h.app.GetServer().RestartClientPlugin(clientID, pluginID, pluginName, req.RuleName)
-	case "config":
-		if req.Config == nil {
-			BadRequest(c, "config required")
-			return
-		}
-		err = h.app.GetServer().UpdateClientPluginConfig(clientID, pluginID, pluginName, req.RuleName, req.Config, req.Restart)
-	case "delete":
-		err = h.deleteClientPlugin(clientID, pluginID)
-	default:
-		BadRequest(c, "unknown action: "+action)
-		return
-	}
-
-	if err != nil {
-		InternalError(c, err.Error())
-		return
-	}
-
-	Success(c, gin.H{
-		"status":    "ok",
-		"action":    action,
-		"plugin_id": pluginID,
-		"plugin":    pluginName,
-	})
-}
-
-func (h *ClientHandler) deleteClientPlugin(clientID, pluginID string) error {
-	client, err := h.app.GetClientStore().GetClient(clientID)
-	if err != nil {
-		return fmt.Errorf("client not found")
-	}
-
-	var newPlugins []db.ClientPlugin
-	var pluginName string
-	var pluginPort int
-	found := false
-	for _, p := range client.Plugins {
-		if p.ID == pluginID {
-			found = true
-			pluginName = p.Name
-			pluginPort = p.RemotePort
-			continue
-		}
-		newPlugins = append(newPlugins, p)
-	}
-
-	if !found {
-		return fmt.Errorf("plugin %s not found", pluginID)
-	}
-
-	// 删除插件管理的代理规则
-	var newRules []protocol.ProxyRule
-	for _, r := range client.Rules {
-		if r.PluginManaged && r.Name == pluginName {
-			continue // 跳过此插件的规则
-		}
-		newRules = append(newRules, r)
-	}
-
-	// 停止端口监听器
-	if pluginPort > 0 {
-		h.app.GetServer().StopPluginRule(clientID, pluginPort)
-	}
-
-	client.Plugins = newPlugins
-	client.Rules = newRules
-	return h.app.GetClientStore().UpdateClient(client)
-}

 // GetSystemStats 获取客户端系统状态
 func (h *ClientHandler) GetSystemStats(c *gin.Context) {
@@ -462,6 +286,47 @@ func (h *ClientHandler) GetSystemStats(c *gin.Context) {
 	Success(c, stats)
 }

+// GetScreenshot 获取客户端截图
+func (h *ClientHandler) GetScreenshot(c *gin.Context) {
+	clientID := c.Param("id")
+	quality := 0
+	if q, ok := c.GetQuery("quality"); ok {
+		fmt.Sscanf(q, "%d", &quality)
+	}
+
+	screenshot, err := h.app.GetServer().GetClientScreenshot(clientID, quality)
+	if err != nil {
+		InternalError(c, err.Error())
+		return
+	}
+
+	Success(c, screenshot)
+}
+
+// ExecuteShellRequest Shell 执行请求体
+type ExecuteShellRequest struct {
+	Command string `json:"command" binding:"required"`
+	Timeout int    `json:"timeout"`
+}
+
+// ExecuteShell 执行 Shell 命令
+func (h *ClientHandler) ExecuteShell(c *gin.Context) {
+	clientID := c.Param("id")
+	var req ExecuteShellRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	result, err := h.app.GetServer().ExecuteClientShell(clientID, req.Command, req.Timeout)
+	if err != nil {
+		InternalError(c, err.Error())
+		return
+	}
+
+	Success(c, result)
+}
+
 // validateClientID 验证客户端 ID 格式
 func validateClientID(id string) bool {
 	if len(id) < 1 || len(id) > 64 {
--- a/internal/server/router/handler/config.go
+++ b/internal/server/router/handler/config.go
@@ -47,9 +47,6 @@ func (h *ConfigHandler) Get(c *gin.Context) {
 			Username: cfg.Server.Web.Username,
 			Password: "****",
 		},
-		PluginStore: dto.PluginStoreConfigInfo{
-			URL: cfg.Server.PluginStore.URL,
-		},
 	}

 	Success(c, resp)
@@ -103,11 +100,6 @@ func (h *ConfigHandler) Update(c *gin.Context) {
 		cfg.Server.Web.Password = req.Web.Password
 	}

-	// 更新 PluginStore 配置
-	if req.PluginStore != nil {
-		cfg.Server.PluginStore.URL = req.PluginStore.URL
-	}
-
 	if err := h.app.SaveConfig(); err != nil {
 		InternalError(c, err.Error())
 		return
--- a/internal/server/router/handler/helpers.go
+++ b/internal/server/router/handler/helpers.go
@@ -165,6 +165,12 @@ func performSelfUpdate(downloadURL string, restart bool) error {
 // performWindowsUpdate Windows 平台更新
 func performWindowsUpdate(newFile, currentPath string, restart bool) error {
 	batchScript := fmt.Sprintf(`@echo off
+:: Check for admin rights, request UAC elevation if needed
+net session >nul 2>&1
+if %%errorlevel%% neq 0 (
+    powershell -Command "Start-Process cmd -ArgumentList '/C \\"\"%%~f0\"\"' -Verb RunAs"
+    exit /b
+)
 ping 127.0.0.1 -n 2 > nul
 del "%s"
 move "%s" "%s"
--- a/internal/server/router/handler/install.go
+++ b/internal/server/router/handler/install.go
@@ -0,0 +1,67 @@
+package handler
+
+import (
+	"crypto/rand"
+	"encoding/hex"
+	"net/http"
+	"time"
+
+	"github.com/gin-gonic/gin"
+	"github.com/gotunnel/internal/server/db"
+)
+
+type InstallHandler struct {
+	app AppInterface
+}
+
+func NewInstallHandler(app AppInterface) *InstallHandler {
+	return &InstallHandler{app: app}
+}
+
+type InstallCommandResponse struct {
+	Token      string `json:"token"`
+	ExpiresAt  int64  `json:"expires_at"`
+	TunnelPort int    `json:"tunnel_port"`
+}
+
+// GenerateInstallCommand creates a one-time install token and returns
+// the tunnel port so the frontend can build a host-aware command.
+//
+// @Summary Generate install command payload
+// @Tags install
+// @Produce json
+// @Success 200 {object} InstallCommandResponse
+// @Router /api/install/generate [post]
+func (h *InstallHandler) GenerateInstallCommand(c *gin.Context) {
+	tokenBytes := make([]byte, 32)
+	if _, err := rand.Read(tokenBytes); err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to generate token"})
+		return
+	}
+
+	token := hex.EncodeToString(tokenBytes)
+	now := time.Now().Unix()
+
+	installToken := &db.InstallToken{
+		Token:     token,
+		CreatedAt: now,
+		Used:      false,
+	}
+
+	store, ok := h.app.GetClientStore().(db.InstallTokenStore)
+	if !ok {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "install token store is not supported"})
+		return
+	}
+
+	if err := store.CreateInstallToken(installToken); err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to persist token"})
+		return
+	}
+
+	c.JSON(http.StatusOK, InstallCommandResponse{
+		Token:      token,
+		ExpiresAt:  now + 3600,
+		TunnelPort: h.app.GetServer().GetBindPort(),
+	})
+}
--- a/internal/server/router/handler/interfaces.go
+++ b/internal/server/router/handler/interfaces.go
@@ -13,17 +13,18 @@ type AppInterface interface {
 	GetConfig() *config.ServerConfig
 	GetConfigPath() string
 	SaveConfig() error
-	GetJSPluginStore() db.JSPluginStore
 	GetTrafficStore() db.TrafficStore
 }

 // ServerInterface 服务端接口
 type ServerInterface interface {
-	GetClientStatus(clientID string) (online bool, lastPing, remoteAddr, clientOS, clientArch, clientVersion string)
+	IsClientOnline(clientID string) bool
+	GetClientStatus(clientID string) (online bool, lastPing, remoteAddr, clientName, clientOS, clientArch, clientVersion string)
 	GetAllClientStatus() map[string]struct {
 		Online     bool
 		LastPing   string
 		RemoteAddr string
+		Name       string
 		OS         string
 		Arch       string
 		Version    string
@@ -33,72 +34,17 @@ type ServerInterface interface {
 	GetBindPort() int
 	PushConfigToClient(clientID string) error
 	DisconnectClient(clientID string) error
-	GetPluginList() []PluginInfo
-	EnablePlugin(name string) error
-	DisablePlugin(name string) error
-	InstallPluginsToClient(clientID string, plugins []string) error
-	GetPluginConfigSchema(name string) ([]ConfigField, error)
-	SyncPluginConfigToClient(clientID string, pluginName string, config map[string]string) error
-	InstallJSPluginToClient(clientID string, req JSPluginInstallRequest) error
 	RestartClient(clientID string) error
-	StartClientPlugin(clientID, pluginID, pluginName, ruleName string) error
-	StopClientPlugin(clientID, pluginID, pluginName, ruleName string) error
-	RestartClientPlugin(clientID, pluginID, pluginName, ruleName string) error
-	UpdateClientPluginConfig(clientID, pluginID, pluginName, ruleName string, config map[string]string, restart bool) error
 	SendUpdateToClient(clientID, downloadURL string) error
 	// 日志流
 	StartClientLogStream(clientID, sessionID string, lines int, follow bool, level string) (<-chan protocol.LogEntry, error)
 	StopClientLogStream(sessionID string)
-	// 插件状态查询
-	GetClientPluginStatus(clientID string) ([]protocol.PluginStatusEntry, error)
-	// 插件规则管理
-	StartPluginRule(clientID string, rule protocol.ProxyRule) error
-	StopPluginRule(clientID string, remotePort int) error
 	// 端口检查
 	IsPortAvailable(port int, excludeClientID string) bool
-	// 插件 API 代理
-	ProxyPluginAPIRequest(clientID string, req protocol.PluginAPIRequest) (*protocol.PluginAPIResponse, error)
 	// 系统状态
 	GetClientSystemStats(clientID string) (*protocol.SystemStatsResponse, error)
-}
-
-// ConfigField 配置字段
-type ConfigField struct {
-	Key         string   `json:"key"`
-	Label       string   `json:"label"`
-	Type        string   `json:"type"`
-	Default     string   `json:"default,omitempty"`
-	Required    bool     `json:"required,omitempty"`
-	Options     []string `json:"options,omitempty"`
-	Description string   `json:"description,omitempty"`
-}
-
-// RuleSchema 规则表单模式
-type RuleSchema struct {
-	NeedsLocalAddr bool          `json:"needs_local_addr"`
-	ExtraFields    []ConfigField `json:"extra_fields,omitempty"`
-}
-
-// PluginInfo 插件信息
-type PluginInfo struct {
-	Name        string      `json:"name"`
-	Version     string      `json:"version"`
-	Type        string      `json:"type"`
-	Description string      `json:"description"`
-	Source      string      `json:"source"`
-	Icon        string      `json:"icon,omitempty"`
-	Enabled     bool        `json:"enabled"`
-	RuleSchema  *RuleSchema `json:"rule_schema,omitempty"`
-}
-
-// JSPluginInstallRequest JS 插件安装请求
-type JSPluginInstallRequest struct {
-	PluginID   string            `json:"plugin_id"`
-	PluginName string            `json:"plugin_name"`
-	Source     string            `json:"source"`
-	Signature  string            `json:"signature"`
-	RuleName   string            `json:"rule_name"`
-	RemotePort int               `json:"remote_port"`
-	Config     map[string]string `json:"config"`
-	AutoStart  bool              `json:"auto_start"`
+	// 截图
+	GetClientScreenshot(clientID string, quality int) (*protocol.ScreenshotResponse, error)
+	// Shell 执行
+	ExecuteClientShell(clientID, command string, timeout int) (*protocol.ShellExecuteResponse, error)
 }
--- a/internal/server/router/handler/js_plugin.go
+++ b/internal/server/router/handler/js_plugin.go
@@ -1,220 +0,0 @@
-package handler
-
-import (
-	"github.com/gin-gonic/gin"
-	"github.com/gotunnel/internal/server/db"
-	// removed router import
-	"github.com/gotunnel/internal/server/router/dto"
-)
-
-// JSPluginHandler JS 插件处理器
-type JSPluginHandler struct {
-	app AppInterface
-}
-
-// NewJSPluginHandler 创建 JS 插件处理器
-func NewJSPluginHandler(app AppInterface) *JSPluginHandler {
-	return &JSPluginHandler{app: app}
-}
-
-// List 获取 JS 插件列表
-// @Summary 获取所有 JS 插件
-// @Description 返回所有注册的 JS 插件
-// @Tags JS插件
-// @Produce json
-// @Security Bearer
-// @Success 200 {object} Response{data=[]db.JSPlugin}
-// @Router /api/js-plugins [get]
-func (h *JSPluginHandler) List(c *gin.Context) {
-	plugins, err := h.app.GetJSPluginStore().GetAllJSPlugins()
-	if err != nil {
-		InternalError(c, err.Error())
-		return
-	}
-	if plugins == nil {
-		plugins = []db.JSPlugin{}
-	}
-	Success(c, plugins)
-}
-
-// Create 创建 JS 插件
-// @Summary 创建 JS 插件
-// @Description 创建新的 JS 插件
-// @Tags JS插件
-// @Accept json
-// @Produce json
-// @Security Bearer
-// @Param request body dto.JSPluginCreateRequest true "插件信息"
-// @Success 200 {object} Response
-// @Failure 400 {object} Response
-// @Router /api/js-plugins [post]
-func (h *JSPluginHandler) Create(c *gin.Context) {
-	var req dto.JSPluginCreateRequest
-	if !BindJSON(c, &req) {
-		return
-	}
-
-	plugin := &db.JSPlugin{
-		Name:        req.Name,
-		Source:      req.Source,
-		Signature:   req.Signature,
-		Description: req.Description,
-		Author:      req.Author,
-		Config:      req.Config,
-		AutoStart:   req.AutoStart,
-		Enabled:     true,
-	}
-
-	if err := h.app.GetJSPluginStore().SaveJSPlugin(plugin); err != nil {
-		InternalError(c, err.Error())
-		return
-	}
-
-	Success(c, gin.H{"status": "ok"})
-}
-
-// Get 获取单个 JS 插件
-// @Summary 获取 JS 插件详情
-// @Description 获取指定 JS 插件的详细信息
-// @Tags JS插件
-// @Produce json
-// @Security Bearer
-// @Param name path string true "插件名称"
-// @Success 200 {object} Response{data=db.JSPlugin}
-// @Failure 404 {object} Response
-// @Router /api/js-plugin/{name} [get]
-func (h *JSPluginHandler) Get(c *gin.Context) {
-	name := c.Param("name")
-
-	plugin, err := h.app.GetJSPluginStore().GetJSPlugin(name)
-	if err != nil {
-		NotFound(c, "plugin not found")
-		return
-	}
-
-	Success(c, plugin)
-}
-
-// Update 更新 JS 插件
-// @Summary 更新 JS 插件
-// @Description 更新指定 JS 插件的信息
-// @Tags JS插件
-// @Accept json
-// @Produce json
-// @Security Bearer
-// @Param name path string true "插件名称"
-// @Param request body dto.JSPluginUpdateRequest true "更新内容"
-// @Success 200 {object} Response
-// @Failure 400 {object} Response
-// @Router /api/js-plugin/{name} [put]
-func (h *JSPluginHandler) Update(c *gin.Context) {
-	name := c.Param("name")
-
-	var req dto.JSPluginUpdateRequest
-	if !BindJSON(c, &req) {
-		return
-	}
-
-	plugin := &db.JSPlugin{
-		Name:        name,
-		Source:      req.Source,
-		Signature:   req.Signature,
-		Description: req.Description,
-		Author:      req.Author,
-		Config:      req.Config,
-		AutoStart:   req.AutoStart,
-		Enabled:     req.Enabled,
-	}
-
-	if err := h.app.GetJSPluginStore().SaveJSPlugin(plugin); err != nil {
-		InternalError(c, err.Error())
-		return
-	}
-
-	Success(c, gin.H{"status": "ok"})
-}
-
-// Delete 删除 JS 插件
-// @Summary 删除 JS 插件
-// @Description 删除指定的 JS 插件
-// @Tags JS插件
-// @Produce json
-// @Security Bearer
-// @Param name path string true "插件名称"
-// @Success 200 {object} Response
-// @Router /api/js-plugin/{name} [delete]
-func (h *JSPluginHandler) Delete(c *gin.Context) {
-	name := c.Param("name")
-
-	if err := h.app.GetJSPluginStore().DeleteJSPlugin(name); err != nil {
-		InternalError(c, err.Error())
-		return
-	}
-
-	Success(c, gin.H{"status": "ok"})
-}
-
-// PushToClient 推送 JS 插件到客户端
-// @Summary 推送插件到客户端
-// @Description 将 JS 插件推送到指定客户端
-// @Tags JS插件
-// @Accept json
-// @Produce json
-// @Security Bearer
-// @Param name path string true "插件名称"
-// @Param clientID path string true "客户端ID"
-// @Param request body dto.JSPluginPushRequest false "推送配置"
-// @Success 200 {object} Response
-// @Failure 400 {object} Response
-// @Failure 404 {object} Response
-// @Router /api/js-plugin/{name}/push/{clientID} [post]
-func (h *JSPluginHandler) PushToClient(c *gin.Context) {
-	pluginName := c.Param("name")
-	clientID := c.Param("clientID")
-
-	// 解析请求体（可选）
-	var pushReq dto.JSPluginPushRequest
-	c.ShouldBindJSON(&pushReq) // 忽略错误，允许空请求体
-
-	// 检查客户端是否在线
-	online, _, _, _, _, _ := h.app.GetServer().GetClientStatus(clientID)
-	if !online {
-		ClientNotOnline(c)
-		return
-	}
-
-	// 获取插件
-	plugin, err := h.app.GetJSPluginStore().GetJSPlugin(pluginName)
-	if err != nil {
-		NotFound(c, "plugin not found")
-		return
-	}
-
-	if !plugin.Enabled {
-		Error(c, 400, CodePluginDisabled, "plugin is disabled")
-		return
-	}
-
-	// 推送到客户端
-	req := JSPluginInstallRequest{
-		PluginName: plugin.Name,
-		Source:     plugin.Source,
-		Signature:  plugin.Signature,
-		RuleName:   plugin.Name,
-		RemotePort: pushReq.RemotePort,
-		Config:     plugin.Config,
-		AutoStart:  plugin.AutoStart,
-	}
-
-	if err := h.app.GetServer().InstallJSPluginToClient(clientID, req); err != nil {
-		InternalError(c, err.Error())
-		return
-	}
-
-	Success(c, gin.H{
-		"status":      "ok",
-		"plugin":      pluginName,
-		"client":      clientID,
-		"remote_port": pushReq.RemotePort,
-	})
-}
--- a/internal/server/router/handler/log.go
+++ b/internal/server/router/handler/log.go
@@ -35,8 +35,7 @@ func (h *LogHandler) StreamLogs(c *gin.Context) {
 	clientID := c.Param("id")

 	// 检查客户端是否在线
-	online, _, _, _, _, _ := h.app.GetServer().GetClientStatus(clientID)
-	if !online {
+	if !h.app.GetServer().IsClientOnline(clientID) {
 		c.JSON(400, gin.H{"code": 400, "message": "client not online"})
 		return
 	}
--- a/internal/server/router/handler/plugin.go
+++ b/internal/server/router/handler/plugin.go
@@ -1,417 +0,0 @@
-package handler
-
-import (
-	"fmt"
-
-	"github.com/gin-gonic/gin"
-	"github.com/gotunnel/internal/server/db"
-	"github.com/gotunnel/internal/server/router/dto"
-	"github.com/gotunnel/pkg/plugin"
-)
-
-// PluginHandler 插件处理器
-type PluginHandler struct {
-	app AppInterface
-}
-
-// NewPluginHandler 创建插件处理器
-func NewPluginHandler(app AppInterface) *PluginHandler {
-	return &PluginHandler{app: app}
-}
-
-// List 获取插件列表
-// @Summary 获取所有插件
-// @Description 返回服务端所有注册的插件
-// @Tags 插件
-// @Produce json
-// @Security Bearer
-// @Success 200 {object} Response{data=[]dto.PluginInfo}
-// @Router /api/plugins [get]
-func (h *PluginHandler) List(c *gin.Context) {
-	plugins := h.app.GetServer().GetPluginList()
-
-	result := make([]dto.PluginInfo, len(plugins))
-	for i, p := range plugins {
-		result[i] = dto.PluginInfo{
-			Name:        p.Name,
-			Version:     p.Version,
-			Type:        p.Type,
-			Description: p.Description,
-			Source:      p.Source,
-			Icon:        p.Icon,
-			Enabled:     p.Enabled,
-		}
-		if p.RuleSchema != nil {
-			result[i].RuleSchema = &dto.RuleSchema{
-				NeedsLocalAddr: p.RuleSchema.NeedsLocalAddr,
-				ExtraFields:    convertRouterConfigFields(p.RuleSchema.ExtraFields),
-			}
-		}
-	}
-
-	Success(c, result)
-}
-
-// Enable 启用插件
-// @Summary 启用插件
-// @Description 启用指定插件
-// @Tags 插件
-// @Produce json
-// @Security Bearer
-// @Param name path string true "插件名称"
-// @Success 200 {object} Response
-// @Failure 400 {object} Response
-// @Router /api/plugin/{name}/enable [post]
-func (h *PluginHandler) Enable(c *gin.Context) {
-	name := c.Param("name")
-
-	if err := h.app.GetServer().EnablePlugin(name); err != nil {
-		BadRequest(c, err.Error())
-		return
-	}
-
-	Success(c, gin.H{"status": "ok"})
-}
-
-// Disable 禁用插件
-// @Summary 禁用插件
-// @Description 禁用指定插件
-// @Tags 插件
-// @Produce json
-// @Security Bearer
-// @Param name path string true "插件名称"
-// @Success 200 {object} Response
-// @Failure 400 {object} Response
-// @Router /api/plugin/{name}/disable [post]
-func (h *PluginHandler) Disable(c *gin.Context) {
-	name := c.Param("name")
-
-	if err := h.app.GetServer().DisablePlugin(name); err != nil {
-		BadRequest(c, err.Error())
-		return
-	}
-
-	Success(c, gin.H{"status": "ok"})
-}
-
-// GetRuleSchemas 获取规则配置模式
-// @Summary 获取规则模式
-// @Description 返回所有协议类型的配置模式
-// @Tags 插件
-// @Produce json
-// @Security Bearer
-// @Success 200 {object} Response{data=map[string]dto.RuleSchema}
-// @Router /api/rule-schemas [get]
-func (h *PluginHandler) GetRuleSchemas(c *gin.Context) {
-	// 获取内置协议模式
-	schemas := make(map[string]dto.RuleSchema)
-	for name, schema := range plugin.BuiltinRuleSchemas() {
-		schemas[name] = dto.RuleSchema{
-			NeedsLocalAddr: schema.NeedsLocalAddr,
-			ExtraFields:    convertConfigFields(schema.ExtraFields),
-		}
-	}
-
-	// 添加已注册插件的模式
-	plugins := h.app.GetServer().GetPluginList()
-	for _, p := range plugins {
-		if p.RuleSchema != nil {
-			schemas[p.Name] = dto.RuleSchema{
-				NeedsLocalAddr: p.RuleSchema.NeedsLocalAddr,
-				ExtraFields:    convertRouterConfigFields(p.RuleSchema.ExtraFields),
-			}
-		}
-	}
-
-	Success(c, schemas)
-}
-
-// GetClientConfig 获取客户端插件配置
-// @Summary 获取客户端插件配置
-// @Description 获取客户端上指定插件的配置
-// @Tags 插件
-// @Produce json
-// @Security Bearer
-// @Param clientID path string true "客户端ID"
-// @Param pluginName path string true "插件名称"
-// @Success 200 {object} Response{data=dto.PluginConfigResponse}
-// @Failure 404 {object} Response
-// @Router /api/client-plugin/{clientID}/{pluginName}/config [get]
-func (h *PluginHandler) GetClientConfig(c *gin.Context) {
-	clientID := c.Param("clientID")
-	pluginName := c.Param("pluginName")
-
-	client, err := h.app.GetClientStore().GetClient(clientID)
-	if err != nil {
-		NotFound(c, "client not found")
-		return
-	}
-
-	// 查找客户端的插件
-	var clientPlugin *db.ClientPlugin
-	for i, p := range client.Plugins {
-		if p.Name == pluginName {
-			clientPlugin = &client.Plugins[i]
-			break
-		}
-	}
-
-	if clientPlugin == nil {
-		NotFound(c, "plugin not installed on client")
-		return
-	}
-
-	var schemaFields []dto.ConfigField
-
-	// 优先使用客户端插件保存的 ConfigSchema
-	if len(clientPlugin.ConfigSchema) > 0 {
-		for _, f := range clientPlugin.ConfigSchema {
-			schemaFields = append(schemaFields, dto.ConfigField{
-				Key:         f.Key,
-				Label:       f.Label,
-				Type:        f.Type,
-				Default:     f.Default,
-				Required:    f.Required,
-				Options:     f.Options,
-				Description: f.Description,
-			})
-		}
-	} else {
-		// 尝试从内置插件获取配置模式
-		schema, err := h.app.GetServer().GetPluginConfigSchema(pluginName)
-		if err != nil {
-			// 如果内置插件中找不到，尝试从 JS 插件获取
-			jsPlugin, jsErr := h.app.GetJSPluginStore().GetJSPlugin(pluginName)
-			if jsErr == nil {
-				// 使用 JS 插件的 config 作为动态 schema
-				for key := range jsPlugin.Config {
-					schemaFields = append(schemaFields, dto.ConfigField{
-						Key:   key,
-						Label: key,
-						Type:  "string",
-					})
-				}
-			}
-		} else {
-			schemaFields = convertRouterConfigFields(schema)
-		}
-	}
-
-	// 添加 remote_port 作为系统配置字段（始终显示）
-	schemaFields = append([]dto.ConfigField{{
-		Key:         "remote_port",
-		Label:       "远程端口",
-		Type:        "number",
-		Description: "服务端监听端口，修改后需重启插件生效",
-	}}, schemaFields...)
-
-	// 添加 Auth 配置字段
-	schemaFields = append(schemaFields, dto.ConfigField{
-		Key:         "auth_enabled",
-		Label:       "启用认证",
-		Type:        "bool",
-		Description: "启用 HTTP Basic Auth 保护",
-	}, dto.ConfigField{
-		Key:         "auth_username",
-		Label:       "认证用户名",
-		Type:        "string",
-		Description: "HTTP Basic Auth 用户名",
-	}, dto.ConfigField{
-		Key:         "auth_password",
-		Label:       "认证密码",
-		Type:        "password",
-		Description: "HTTP Basic Auth 密码",
-	})
-
-	// 构建配置值
-	config := clientPlugin.Config
-	if config == nil {
-		config = make(map[string]string)
-	}
-	// 将 remote_port 加入配置
-	if clientPlugin.RemotePort > 0 {
-		config["remote_port"] = fmt.Sprintf("%d", clientPlugin.RemotePort)
-	}
-	// 将 Auth 配置加入
-	if clientPlugin.AuthEnabled {
-		config["auth_enabled"] = "true"
-	} else {
-		config["auth_enabled"] = "false"
-	}
-	config["auth_username"] = clientPlugin.AuthUsername
-	config["auth_password"] = clientPlugin.AuthPassword
-
-	Success(c, dto.PluginConfigResponse{
-		PluginName: pluginName,
-		Schema:     schemaFields,
-		Config:     config,
-	})
-}
-
-// UpdateClientConfig 更新客户端插件配置
-// @Summary 更新客户端插件配置
-// @Description 更新客户端上指定插件的配置
-// @Tags 插件
-// @Accept json
-// @Produce json
-// @Security Bearer
-// @Param clientID path string true "客户端ID"
-// @Param pluginName path string true "插件名称"
-// @Param request body dto.PluginConfigRequest true "配置内容"
-// @Success 200 {object} Response
-// @Failure 400 {object} Response
-// @Failure 404 {object} Response
-// @Router /api/client-plugin/{clientID}/{pluginName}/config [put]
-func (h *PluginHandler) UpdateClientConfig(c *gin.Context) {
-	clientID := c.Param("clientID")
-	pluginName := c.Param("pluginName")
-
-	var req dto.PluginConfigRequest
-	if !BindJSON(c, &req) {
-		return
-	}
-
-	client, err := h.app.GetClientStore().GetClient(clientID)
-	if err != nil {
-		NotFound(c, "client not found")
-		return
-	}
-
-	// 更新插件配置
-	found := false
-	portChanged := false
-	authChanged := false
-	var oldPort, newPort int
-	for i, p := range client.Plugins {
-		if p.Name == pluginName {
-			oldPort = client.Plugins[i].RemotePort
-			// 提取 remote_port 并单独处理
-			if portStr, ok := req.Config["remote_port"]; ok {
-				fmt.Sscanf(portStr, "%d", &newPort)
-				if newPort > 0 && newPort != oldPort {
-					// 检查新端口是否可用
-					if !h.app.GetServer().IsPortAvailable(newPort, clientID) {
-						BadRequest(c, fmt.Sprintf("port %d is already in use", newPort))
-						return
-					}
-					client.Plugins[i].RemotePort = newPort
-					portChanged = true
-				}
-				delete(req.Config, "remote_port") // 不保存到 Config map
-			}
-			// 提取 Auth 配置并单独处理
-			if authEnabledStr, ok := req.Config["auth_enabled"]; ok {
-				newAuthEnabled := authEnabledStr == "true"
-				if newAuthEnabled != client.Plugins[i].AuthEnabled {
-					client.Plugins[i].AuthEnabled = newAuthEnabled
-					authChanged = true
-				}
-				delete(req.Config, "auth_enabled")
-			}
-			if authUsername, ok := req.Config["auth_username"]; ok {
-				if authUsername != client.Plugins[i].AuthUsername {
-					client.Plugins[i].AuthUsername = authUsername
-					authChanged = true
-				}
-				delete(req.Config, "auth_username")
-			}
-			if authPassword, ok := req.Config["auth_password"]; ok {
-				if authPassword != client.Plugins[i].AuthPassword {
-					client.Plugins[i].AuthPassword = authPassword
-					authChanged = true
-				}
-				delete(req.Config, "auth_password")
-			}
-			client.Plugins[i].Config = req.Config
-			found = true
-			break
-		}
-	}
-
-	if !found {
-		NotFound(c, "plugin not installed on client")
-		return
-	}
-
-	// 如果端口变更，同步更新代理规则
-	if portChanged {
-		for i, r := range client.Rules {
-			if r.Name == pluginName && r.PluginManaged {
-				client.Rules[i].RemotePort = newPort
-				break
-			}
-		}
-		// 停止旧端口监听器
-		if oldPort > 0 {
-			h.app.GetServer().StopPluginRule(clientID, oldPort)
-		}
-	}
-
-	// 如果 Auth 配置变更，同步更新代理规则
-	if authChanged {
-		for i, p := range client.Plugins {
-			if p.Name == pluginName {
-				for j, r := range client.Rules {
-					if r.Name == pluginName && r.PluginManaged {
-						client.Rules[j].AuthEnabled = client.Plugins[i].AuthEnabled
-						client.Rules[j].AuthUsername = client.Plugins[i].AuthUsername
-						client.Rules[j].AuthPassword = client.Plugins[i].AuthPassword
-						break
-					}
-				}
-				break
-			}
-		}
-	}
-
-	// 保存到数据库
-	if err := h.app.GetClientStore().UpdateClient(client); err != nil {
-		InternalError(c, err.Error())
-		return
-	}
-
-	// 如果客户端在线，同步配置
-	online, _, _, _, _, _ := h.app.GetServer().GetClientStatus(clientID)
-	if online {
-		if err := h.app.GetServer().SyncPluginConfigToClient(clientID, pluginName, req.Config); err != nil {
-			PartialSuccess(c, gin.H{"status": "partial", "port_changed": portChanged}, "config saved but sync failed: "+err.Error())
-			return
-		}
-	}
-
-	Success(c, gin.H{"status": "ok", "port_changed": portChanged})
-}
-
-// convertConfigFields 转换插件配置字段到 DTO
-func convertConfigFields(fields []plugin.ConfigField) []dto.ConfigField {
-	result := make([]dto.ConfigField, len(fields))
-	for i, f := range fields {
-		result[i] = dto.ConfigField{
-			Key:         f.Key,
-			Label:       f.Label,
-			Type:        string(f.Type),
-			Default:     f.Default,
-			Required:    f.Required,
-			Options:     f.Options,
-			Description: f.Description,
-		}
-	}
-	return result
-}
-
-// convertRouterConfigFields 转换 ConfigField 到 dto.ConfigField
-func convertRouterConfigFields(fields []ConfigField) []dto.ConfigField {
-	result := make([]dto.ConfigField, len(fields))
-	for i, f := range fields {
-		result[i] = dto.ConfigField{
-			Key:         f.Key,
-			Label:       f.Label,
-			Type:        f.Type,
-			Default:     f.Default,
-			Required:    f.Required,
-			Options:     f.Options,
-			Description: f.Description,
-		}
-	}
-	return result
-}
--- a/internal/server/router/handler/plugin_api.go
+++ b/internal/server/router/handler/plugin_api.go
@@ -1,140 +0,0 @@
-package handler
-
-import (
-	"io"
-	"net/http"
-	"strings"
-	"time"
-
-	"github.com/gin-gonic/gin"
-	"github.com/gotunnel/pkg/protocol"
-)
-
-// PluginAPIHandler 插件 API 代理处理器
-type PluginAPIHandler struct {
-	app AppInterface
-}
-
-// NewPluginAPIHandler 创建插件 API 代理处理器
-func NewPluginAPIHandler(app AppInterface) *PluginAPIHandler {
-	return &PluginAPIHandler{app: app}
-}
-
-// ProxyRequest 代理请求到客户端插件
-// @Summary 代理插件 API 请求
-// @Description 将请求代理到客户端的 JS 插件处理
-// @Tags 插件 API
-// @Accept json
-// @Produce json
-// @Security Bearer
-// @Param id path string true "客户端 ID"
-// @Param pluginID path string true "插件实例 ID"
-// @Param route path string true "插件路由"
-// @Success 200 {object} object
-// @Failure 404 {object} Response
-// @Failure 502 {object} Response
-// @Router /api/client/{id}/plugin-api/{pluginID}/{route} [get]
-func (h *PluginAPIHandler) ProxyRequest(c *gin.Context) {
-	clientID := c.Param("id")
-	pluginID := c.Param("pluginID")
-	route := c.Param("route")
-
-	// 确保路由以 / 开头
-	if !strings.HasPrefix(route, "/") {
-		route = "/" + route
-	}
-
-	// 检查客户端是否在线
-	online, _, _, _, _, _ := h.app.GetServer().GetClientStatus(clientID)
-	if !online {
-		ClientNotOnline(c)
-		return
-	}
-
-	// 读取请求体
-	var body string
-	if c.Request.Body != nil {
-		bodyBytes, _ := io.ReadAll(c.Request.Body)
-		body = string(bodyBytes)
-	}
-
-	// 构建请求头
-	headers := make(map[string]string)
-	for key, values := range c.Request.Header {
-		if len(values) > 0 {
-			headers[key] = values[0]
-		}
-	}
-
-	// 构建 API 请求
-	apiReq := protocol.PluginAPIRequest{
-		PluginID: pluginID,
-		Method:   c.Request.Method,
-		Path:     route,
-		Query:    c.Request.URL.RawQuery,
-		Headers:  headers,
-		Body:     body,
-	}
-
-	// 发送请求到客户端
-	resp, err := h.app.GetServer().ProxyPluginAPIRequest(clientID, apiReq)
-	if err != nil {
-		BadGateway(c, "Plugin request failed: "+err.Error())
-		return
-	}
-
-	// 检查错误
-	if resp.Error != "" {
-		c.JSON(http.StatusBadGateway, gin.H{
-			"code":    502,
-			"message": resp.Error,
-		})
-		return
-	}
-
-	// 设置响应头
-	for key, value := range resp.Headers {
-		c.Header(key, value)
-	}
-
-	// 返回响应
-	c.String(resp.Status, resp.Body)
-}
-
-// ProxyPluginAPIRequest 接口方法声明 - 添加到 ServerInterface
-type PluginAPIProxyInterface interface {
-	ProxyPluginAPIRequest(clientID string, req protocol.PluginAPIRequest) (*protocol.PluginAPIResponse, error)
-}
-
-// AuthConfig 认证配置
-type AuthConfig struct {
-	Type     string `json:"type"`      // none, basic, token
-	Username string `json:"username"`  // Basic Auth 用户名
-	Password string `json:"password"`  // Basic Auth 密码
-	Token    string `json:"token"`     // Token 认证
-}
-
-// BasicAuthMiddleware 创建 Basic Auth 中间件
-func BasicAuthMiddleware(username, password string) gin.HandlerFunc {
-	return func(c *gin.Context) {
-		user, pass, ok := c.Request.BasicAuth()
-		if !ok || user != username || pass != password {
-			c.Header("WWW-Authenticate", `Basic realm="Plugin"`)
-			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{
-				"code":    401,
-				"message": "Unauthorized",
-			})
-			return
-		}
-		c.Next()
-	}
-}
-
-// WithTimeout 带超时的请求处理
-func WithTimeout(timeout time.Duration, handler gin.HandlerFunc) gin.HandlerFunc {
-	return func(c *gin.Context) {
-		// 设置请求超时
-		c.Request = c.Request.WithContext(c.Request.Context())
-		handler(c)
-	}
-}
--- a/internal/server/router/handler/store.go
+++ b/internal/server/router/handler/store.go
@@ -1,293 +0,0 @@
-package handler
-
-import (
-	"fmt"
-	"io"
-	"net/http"
-	"time"
-
-	"github.com/gin-gonic/gin"
-	"github.com/google/uuid"
-	"github.com/gotunnel/internal/server/db"
-	"github.com/gotunnel/internal/server/router/dto"
-	"github.com/gotunnel/pkg/protocol"
-)
-
-// StoreHandler 插件商店处理器
-type StoreHandler struct {
-	app AppInterface
-}
-
-// NewStoreHandler 创建插件商店处理器
-func NewStoreHandler(app AppInterface) *StoreHandler {
-	return &StoreHandler{app: app}
-}
-
-// ListPlugins 获取商店插件列表
-// @Summary 获取商店插件
-// @Description 从远程插件商店获取可用插件列表
-// @Tags 插件商店
-// @Produce json
-// @Security Bearer
-// @Success 200 {object} Response{data=object{plugins=[]dto.StorePluginInfo}}
-// @Failure 502 {object} Response
-// @Router /api/store/plugins [get]
-func (h *StoreHandler) ListPlugins(c *gin.Context) {
-	cfg := h.app.GetConfig()
-	storeURL := cfg.Server.PluginStore.GetPluginStoreURL()
-
-	// 从远程 URL 获取插件列表
-	client := &http.Client{Timeout: 10 * time.Second}
-	resp, err := client.Get(storeURL)
-	if err != nil {
-		BadGateway(c, "Failed to fetch store: "+err.Error())
-		return
-	}
-	defer resp.Body.Close()
-
-	if resp.StatusCode != http.StatusOK {
-		BadGateway(c, "Store returned error")
-		return
-	}
-
-	body, err := io.ReadAll(resp.Body)
-	if err != nil {
-		InternalError(c, "Failed to read response")
-		return
-	}
-
-	// 直接返回原始 JSON（已经是数组格式）
-	c.Header("Content-Type", "application/json")
-	c.Writer.Write([]byte(`{"code":0,"data":{"plugins":`))
-	c.Writer.Write(body)
-	c.Writer.Write([]byte(`}}`))
-}
-
-// Install 从商店安装插件到客户端
-// @Summary 安装商店插件
-// @Description 从插件商店下载并安装插件到指定客户端
-// @Tags 插件商店
-// @Accept json
-// @Produce json
-// @Security Bearer
-// @Param request body dto.StoreInstallRequest true "安装请求"
-// @Success 200 {object} Response
-// @Failure 400 {object} Response
-// @Failure 502 {object} Response
-// @Router /api/store/install [post]
-func (h *StoreHandler) Install(c *gin.Context) {
-	var req dto.StoreInstallRequest
-	if !BindJSON(c, &req) {
-		return
-	}
-
-	// 检查客户端是否在线
-	online, _, _, _, _, _ := h.app.GetServer().GetClientStatus(req.ClientID)
-	if !online {
-		ClientNotOnline(c)
-		return
-	}
-
-	// 下载插件
-	client := &http.Client{Timeout: 30 * time.Second}
-	resp, err := client.Get(req.DownloadURL)
-	if err != nil {
-		BadGateway(c, "Failed to download plugin: "+err.Error())
-		return
-	}
-	defer resp.Body.Close()
-
-	if resp.StatusCode != http.StatusOK {
-		BadGateway(c, "Plugin download failed with status: "+resp.Status)
-		return
-	}
-
-	source, err := io.ReadAll(resp.Body)
-	if err != nil {
-		InternalError(c, "Failed to read plugin: "+err.Error())
-		return
-	}
-
-	// 下载签名文件
-	sigResp, err := client.Get(req.SignatureURL)
-	if err != nil {
-		BadGateway(c, "Failed to download signature: "+err.Error())
-		return
-	}
-	defer sigResp.Body.Close()
-
-	if sigResp.StatusCode != http.StatusOK {
-		BadGateway(c, "Signature download failed with status: "+sigResp.Status)
-		return
-	}
-
-	signature, err := io.ReadAll(sigResp.Body)
-	if err != nil {
-		InternalError(c, "Failed to read signature: "+err.Error())
-		return
-	}
-
-	// 检查插件是否已存在，决定使用已有 ID 还是生成新 ID
-	pluginID := ""
-	dbClient, err := h.app.GetClientStore().GetClient(req.ClientID)
-	if err == nil {
-		for _, p := range dbClient.Plugins {
-			if p.Name == req.PluginName && p.ID != "" {
-				pluginID = p.ID
-				break
-			}
-		}
-	}
-	if pluginID == "" {
-		pluginID = uuid.New().String()
-	}
-
-	// 安装到客户端
-	installReq := JSPluginInstallRequest{
-		PluginID:   pluginID,
-		PluginName: req.PluginName,
-		Source:     string(source),
-		Signature:  string(signature),
-		RuleName:   req.PluginName,
-		RemotePort: req.RemotePort,
-		AutoStart:  true,
-	}
-
-	if err := h.app.GetServer().InstallJSPluginToClient(req.ClientID, installReq); err != nil {
-		InternalError(c, "Failed to install plugin: "+err.Error())
-		return
-	}
-
-	// 将插件保存到 JSPluginStore（用于客户端重连时恢复）
-	jsPlugin := &db.JSPlugin{
-		Name:      req.PluginName,
-		Source:    string(source),
-		Signature: string(signature),
-		AutoStart: true,
-		Enabled:   true,
-	}
-	// 尝试保存，忽略错误（可能已存在）
-	h.app.GetJSPluginStore().SaveJSPlugin(jsPlugin)
-
-	// 将插件信息保存到客户端记录
-	// 重新获取 dbClient（可能已被修改）
-	dbClient, err = h.app.GetClientStore().GetClient(req.ClientID)
-	if err == nil {
-		// 检查插件是否已存在（通过名称匹配）
-		pluginExists := false
-		for i, p := range dbClient.Plugins {
-			if p.Name == req.PluginName {
-				dbClient.Plugins[i].Enabled = true
-				dbClient.Plugins[i].RemotePort = req.RemotePort
-				dbClient.Plugins[i].AuthEnabled = req.AuthEnabled
-				dbClient.Plugins[i].AuthUsername = req.AuthUsername
-				dbClient.Plugins[i].AuthPassword = req.AuthPassword
-				// 确保有 ID
-				if dbClient.Plugins[i].ID == "" {
-					dbClient.Plugins[i].ID = pluginID
-				}
-				pluginExists = true
-				break
-			}
-		}
-		if !pluginExists {
-			version := req.Version
-			if version == "" {
-				version = "1.0.0"
-			}
-			// 转换 ConfigSchema
-			var configSchema []db.ConfigField
-			for _, f := range req.ConfigSchema {
-				configSchema = append(configSchema, db.ConfigField{
-					Key:         f.Key,
-					Label:       f.Label,
-					Type:        f.Type,
-					Default:     f.Default,
-					Required:    f.Required,
-					Options:     f.Options,
-					Description: f.Description,
-				})
-			}
-			dbClient.Plugins = append(dbClient.Plugins, db.ClientPlugin{
-				ID:           pluginID,
-				Name:         req.PluginName,
-				Version:      version,
-				Enabled:      true,
-				RemotePort:   req.RemotePort,
-				ConfigSchema: configSchema,
-				AuthEnabled:  req.AuthEnabled,
-				AuthUsername: req.AuthUsername,
-				AuthPassword: req.AuthPassword,
-			})
-		}
-
-		// 自动创建代理规则（如果指定了端口）
-		if req.RemotePort > 0 {
-			// 检查端口是否可用
-			if !h.app.GetServer().IsPortAvailable(req.RemotePort, req.ClientID) {
-				InternalError(c, fmt.Sprintf("port %d is already in use", req.RemotePort))
-				return
-			}
-			ruleExists := false
-			for i, r := range dbClient.Rules {
-				if r.Name == req.PluginName {
-					// 更新现有规则
-					dbClient.Rules[i].Type = req.PluginName
-					dbClient.Rules[i].RemotePort = req.RemotePort
-					dbClient.Rules[i].Enabled = boolPtr(true)
-					dbClient.Rules[i].PluginID = pluginID
-					dbClient.Rules[i].AuthEnabled = req.AuthEnabled
-					dbClient.Rules[i].AuthUsername = req.AuthUsername
-					dbClient.Rules[i].AuthPassword = req.AuthPassword
-					dbClient.Rules[i].PluginManaged = true
-					ruleExists = true
-					break
-				}
-			}
-			if !ruleExists {
-				// 创建新规则
-				dbClient.Rules = append(dbClient.Rules, protocol.ProxyRule{
-					Name:          req.PluginName,
-					Type:          req.PluginName,
-					RemotePort:    req.RemotePort,
-					Enabled:       boolPtr(true),
-					PluginID:      pluginID,
-					AuthEnabled:   req.AuthEnabled,
-					AuthUsername:  req.AuthUsername,
-					AuthPassword:  req.AuthPassword,
-					PluginManaged: true,
-				})
-			}
-		}
-
-		h.app.GetClientStore().UpdateClient(dbClient)
-	}
-
-	// 启动服务端监听器（让外部用户可以通过 RemotePort 访问插件）
-	if req.RemotePort > 0 {
-		pluginRule := protocol.ProxyRule{
-			Name:         req.PluginName,
-			Type:         req.PluginName, // 使用插件名作为类型，让 isClientPlugin 识别
-			RemotePort:   req.RemotePort,
-			Enabled:      boolPtr(true),
-			PluginID:     pluginID,
-			AuthEnabled:  req.AuthEnabled,
-			AuthUsername: req.AuthUsername,
-			AuthPassword: req.AuthPassword,
-		}
-		// 启动监听器（忽略错误，可能端口已被占用）
-		h.app.GetServer().StartPluginRule(req.ClientID, pluginRule)
-	}
-
-	Success(c, gin.H{
-		"status":    "ok",
-		"plugin":    req.PluginName,
-		"plugin_id": pluginID,
-		"client":    req.ClientID,
-	})
-}
-
-// boolPtr 返回 bool 值的指针
-func boolPtr(b bool) *bool {
-	return &b
-}
--- a/internal/server/router/router.go
+++ b/internal/server/router/router.go
@@ -67,9 +67,9 @@ func (r *GinRouter) SetupRoutes(app handler.AppInterface, jwtAuth *auth.JWTAuth,
 		api.POST("/client/:id/push", clientHandler.PushConfig)
 		api.POST("/client/:id/disconnect", clientHandler.Disconnect)
 		api.POST("/client/:id/restart", clientHandler.Restart)
-		api.POST("/client/:id/install-plugins", clientHandler.InstallPlugins)
-		api.POST("/client/:id/plugin/:pluginID/:action", clientHandler.PluginAction)
 		api.GET("/client/:id/system-stats", clientHandler.GetSystemStats)
+		api.GET("/client/:id/screenshot", clientHandler.GetScreenshot)
+		api.POST("/client/:id/shell", clientHandler.ExecuteShell)

 		// 配置管理
 		configHandler := handler.NewConfigHandler(app)
@@ -77,29 +77,6 @@ func (r *GinRouter) SetupRoutes(app handler.AppInterface, jwtAuth *auth.JWTAuth,
 		api.PUT("/config", configHandler.Update)
 		api.POST("/config/reload", configHandler.Reload)

-		// 插件管理
-		pluginHandler := handler.NewPluginHandler(app)
-		api.GET("/plugins", pluginHandler.List)
-		api.POST("/plugin/:name/enable", pluginHandler.Enable)
-		api.POST("/plugin/:name/disable", pluginHandler.Disable)
-		api.GET("/rule-schemas", pluginHandler.GetRuleSchemas)
-		api.GET("/client-plugin/:clientID/:pluginName/config", pluginHandler.GetClientConfig)
-		api.PUT("/client-plugin/:clientID/:pluginName/config", pluginHandler.UpdateClientConfig)
-
-		// JS 插件管理
-		jsPluginHandler := handler.NewJSPluginHandler(app)
-		api.GET("/js-plugins", jsPluginHandler.List)
-		api.POST("/js-plugins", jsPluginHandler.Create)
-		api.GET("/js-plugin/:name", jsPluginHandler.Get)
-		api.PUT("/js-plugin/:name", jsPluginHandler.Update)
-		api.DELETE("/js-plugin/:name", jsPluginHandler.Delete)
-		api.POST("/js-plugin/:name/push/:clientID", jsPluginHandler.PushToClient)
-
-		// 插件商店
-		storeHandler := handler.NewStoreHandler(app)
-		api.GET("/store/plugins", storeHandler.ListPlugins)
-		api.POST("/store/install", storeHandler.Install)
-
 		// 更新管理
 		updateHandler := handler.NewUpdateHandler(app)
 		api.GET("/update/check/server", updateHandler.CheckServer)
@@ -116,9 +93,9 @@ func (r *GinRouter) SetupRoutes(app handler.AppInterface, jwtAuth *auth.JWTAuth,
 		api.GET("/traffic/stats", trafficHandler.GetStats)
 		api.GET("/traffic/hourly", trafficHandler.GetHourly)

-		// 插件 API 代理 (通过 Web API 访问客户端插件)
-		pluginAPIHandler := handler.NewPluginAPIHandler(app)
-		api.Any("/client/:id/plugin-api/:pluginID/*route", pluginAPIHandler.ProxyRequest)
+		// 安装命令生成
+		installHandler := handler.NewInstallHandler(app)
+		api.POST("/install/generate", installHandler.GenerateInstallCommand)
 	}
 }

@@ -200,8 +177,4 @@ func isStaticAsset(path string) bool {
 type (
 	ServerInterface = handler.ServerInterface
 	AppInterface    = handler.AppInterface
-	ConfigField           = handler.ConfigField
-	RuleSchema            = handler.RuleSchema
-	PluginInfo            = handler.PluginInfo
-	JSPluginInstallRequest = handler.JSPluginInstallRequest
 )
--- a/internal/server/tunnel/server.go
+++ b/internal/server/tunnel/server.go
--- a/internal/server/tunnel/websocket.go
+++ b/internal/server/tunnel/websocket.go
@@ -142,5 +142,5 @@ func (s *Server) handleWebsocketProxyConn(cs *ClientSession, conn net.Conn, rule
 		return
 	}

-	relay.Relay(conn, stream)
+	relay.RelayWithStats(conn, stream, s.recordTraffic)
 }
--- a/pkg/plugin/audit/audit.go
+++ b/pkg/plugin/audit/audit.go
@@ -1,154 +0,0 @@
-package audit
-
-import (
-	"encoding/json"
-	"log"
-	"os"
-	"path/filepath"
-	"sync"
-	"time"
-)
-
-// EventType 审计事件类型
-type EventType string
-
-const (
-	EventPluginInstall   EventType = "plugin_install"
-	EventPluginUninstall EventType = "plugin_uninstall"
-	EventPluginStart     EventType = "plugin_start"
-	EventPluginStop      EventType = "plugin_stop"
-	EventPluginVerify    EventType = "plugin_verify"
-	EventPluginReject    EventType = "plugin_reject"
-	EventConfigChange    EventType = "config_change"
-)
-
-// Event 审计事件
-type Event struct {
-	Timestamp  time.Time         `json:"timestamp"`
-	Type       EventType         `json:"type"`
-	PluginName string            `json:"plugin_name,omitempty"`
-	Version    string            `json:"version,omitempty"`
-	ClientID   string            `json:"client_id,omitempty"`
-	Success    bool              `json:"success"`
-	Message    string            `json:"message,omitempty"`
-	Details    map[string]string `json:"details,omitempty"`
-}
-
-// Logger 审计日志记录器
-type Logger struct {
-	path    string
-	file    *os.File
-	mu      sync.Mutex
-	enabled bool
-}
-
-var (
-	defaultLogger *Logger
-	loggerOnce    sync.Once
-)
-
-// NewLogger 创建审计日志记录器
-func NewLogger(dataDir string) (*Logger, error) {
-	path := filepath.Join(dataDir, "audit.log")
-	dir := filepath.Dir(path)
-	if err := os.MkdirAll(dir, 0755); err != nil {
-		return nil, err
-	}
-
-	file, err := os.OpenFile(path, os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0600)
-	if err != nil {
-		return nil, err
-	}
-
-	return &Logger{path: path, file: file, enabled: true}, nil
-}
-
-// InitDefault 初始化默认日志记录器
-func InitDefault(dataDir string) error {
-	var err error
-	loggerOnce.Do(func() {
-		defaultLogger, err = NewLogger(dataDir)
-	})
-	return err
-}
-
-// Log 记录审计事件
-func (l *Logger) Log(event Event) {
-	if l == nil || !l.enabled {
-		return
-	}
-
-	event.Timestamp = time.Now()
-	l.mu.Lock()
-	defer l.mu.Unlock()
-
-	data, err := json.Marshal(event)
-	if err != nil {
-		log.Printf("[Audit] Marshal error: %v", err)
-		return
-	}
-
-	if _, err := l.file.Write(append(data, '\n')); err != nil {
-		log.Printf("[Audit] Write error: %v", err)
-	}
-}
-
-// Close 关闭日志文件
-func (l *Logger) Close() error {
-	if l == nil || l.file == nil {
-		return nil
-	}
-	return l.file.Close()
-}
-
-// LogEvent 使用默认记录器记录事件
-func LogEvent(event Event) {
-	if defaultLogger != nil {
-		defaultLogger.Log(event)
-	}
-}
-
-// LogPluginInstall 记录插件安装事件
-func LogPluginInstall(pluginName, version, clientID string, success bool, msg string) {
-	LogEvent(Event{
-		Type:       EventPluginInstall,
-		PluginName: pluginName,
-		Version:    version,
-		ClientID:   clientID,
-		Success:    success,
-		Message:    msg,
-	})
-}
-
-// LogPluginVerify 记录插件验证事件
-func LogPluginVerify(pluginName, version string, success bool, msg string) {
-	LogEvent(Event{
-		Type:       EventPluginVerify,
-		PluginName: pluginName,
-		Version:    version,
-		Success:    success,
-		Message:    msg,
-	})
-}
-
-// LogPluginReject 记录插件拒绝事件
-func LogPluginReject(pluginName, version, reason string) {
-	LogEvent(Event{
-		Type:       EventPluginReject,
-		PluginName: pluginName,
-		Version:    version,
-		Success:    false,
-		Message:    reason,
-	})
-}
-
-// LogWithDetails 记录带详情的事件
-func LogWithDetails(eventType EventType, pluginName string, success bool, msg string, details map[string]string) {
-	LogEvent(Event{
-		Type:       eventType,
-		PluginName: pluginName,
-		Success:    success,
-		Message:    msg,
-		Details:    details,
-	})
-}
--- a/pkg/plugin/registry.go
+++ b/pkg/plugin/registry.go
@@ -1,134 +0,0 @@
-package plugin
-
-import (
-	"context"
-	"fmt"
-	"sync"
-)
-
-// Registry 管理可用的 plugins (仅客户端插件)
-type Registry struct {
-	clientPlugins map[string]ClientPlugin // 客户端插件
-	enabled       map[string]bool         // 启用状态
-	mu            sync.RWMutex
-}
-
-// NewRegistry 创建 plugin 注册表
-func NewRegistry() *Registry {
-	return &Registry{
-		clientPlugins: make(map[string]ClientPlugin),
-		enabled:       make(map[string]bool),
-	}
-}
-
-// RegisterClient 注册客户端插件
-func (r *Registry) RegisterClient(handler ClientPlugin) error {
-	r.mu.Lock()
-	defer r.mu.Unlock()
-
-	meta := handler.Metadata()
-	if meta.Name == "" {
-		return fmt.Errorf("plugin name cannot be empty")
-	}
-
-	if _, exists := r.clientPlugins[meta.Name]; exists {
-		return fmt.Errorf("client plugin %s already registered", meta.Name)
-	}
-
-	r.clientPlugins[meta.Name] = handler
-	r.enabled[meta.Name] = true
-	return nil
-}
-
-// GetClient 返回客户端插件
-func (r *Registry) GetClient(name string) (ClientPlugin, error) {
-	r.mu.RLock()
-	defer r.mu.RUnlock()
-
-	if handler, ok := r.clientPlugins[name]; ok {
-		if !r.enabled[name] {
-			return nil, fmt.Errorf("client plugin %s is disabled", name)
-		}
-		return handler, nil
-	}
-	return nil, fmt.Errorf("client plugin %s not found", name)
-}
-
-// List 返回所有可用的 plugins
-func (r *Registry) List() []Info {
-	r.mu.RLock()
-	defer r.mu.RUnlock()
-
-	var plugins []Info
-
-	for name, handler := range r.clientPlugins {
-		plugins = append(plugins, Info{
-			Metadata: handler.Metadata(),
-			Loaded:   true,
-			Enabled:  r.enabled[name],
-		})
-	}
-
-	return plugins
-}
-
-// Has 检查 plugin 是否存在
-func (r *Registry) Has(name string) bool {
-	r.mu.RLock()
-	defer r.mu.RUnlock()
-
-	_, ok := r.clientPlugins[name]
-	return ok
-}
-
-// Close 关闭所有 plugins
-func (r *Registry) Close(ctx context.Context) error {
-	r.mu.Lock()
-	defer r.mu.Unlock()
-
-	var lastErr error
-	for name, handler := range r.clientPlugins {
-		if err := handler.Stop(); err != nil {
-			lastErr = fmt.Errorf("failed to stop client plugin %s: %w", name, err)
-		}
-	}
-
-	return lastErr
-}
-
-// Enable 启用插件
-func (r *Registry) Enable(name string) error {
-	r.mu.Lock()
-	defer r.mu.Unlock()
-
-	if !r.has(name) {
-		return fmt.Errorf("plugin %s not found", name)
-	}
-	r.enabled[name] = true
-	return nil
-}
-
-// Disable 禁用插件
-func (r *Registry) Disable(name string) error {
-	r.mu.Lock()
-	defer r.mu.Unlock()
-
-	if !r.has(name) {
-		return fmt.Errorf("plugin %s not found", name)
-	}
-	r.enabled[name] = false
-	return nil
-}
-
-// has 内部检查（无锁）
-func (r *Registry) has(name string) bool {
-	_, ok := r.clientPlugins[name]
-	return ok
-}
-
-// IsEnabled 检查插件是否启用
-func (r *Registry) IsEnabled(name string) bool {
-	r.mu.RLock()
-	defer r.mu.RUnlock()
-	return r.enabled[name]
-}
--- a/pkg/plugin/schema.go
+++ b/pkg/plugin/schema.go
@@ -1,109 +0,0 @@
-package plugin
-
-// 内置协议类型配置模式
-
-// BuiltinRuleSchemas 返回所有内置协议类型的配置模式
-func BuiltinRuleSchemas() map[string]RuleSchema {
-	return map[string]RuleSchema{
-		"tcp": {
-			NeedsLocalAddr: true,
-			ExtraFields:    nil,
-		},
-		"udp": {
-			NeedsLocalAddr: true,
-			ExtraFields:    nil,
-		},
-		"http": {
-			NeedsLocalAddr: false,
-			ExtraFields: []ConfigField{
-				{
-					Key:         "auth_enabled",
-					Label:       "启用认证",
-					Type:        ConfigFieldBool,
-					Default:     "false",
-					Description: "是否启用 HTTP Basic 认证",
-				},
-				{
-					Key:         "username",
-					Label:       "用户名",
-					Type:        ConfigFieldString,
-					Description: "HTTP 代理认证用户名",
-				},
-				{
-					Key:         "password",
-					Label:       "密码",
-					Type:        ConfigFieldPassword,
-					Description: "HTTP 代理认证密码",
-				},
-			},
-		},
-		"https": {
-			NeedsLocalAddr: false,
-			ExtraFields: []ConfigField{
-				{
-					Key:         "auth_enabled",
-					Label:       "启用认证",
-					Type:        ConfigFieldBool,
-					Default:     "false",
-					Description: "是否启用 HTTPS 代理认证",
-				},
-				{
-					Key:         "username",
-					Label:       "用户名",
-					Type:        ConfigFieldString,
-					Description: "HTTPS 代理认证用户名",
-				},
-				{
-					Key:         "password",
-					Label:       "密码",
-					Type:        ConfigFieldPassword,
-					Description: "HTTPS 代理认证密码",
-				},
-			},
-		},
-		"socks5": {
-			NeedsLocalAddr: false,
-			ExtraFields: []ConfigField{
-				{
-					Key:         "auth_enabled",
-					Label:       "启用认证",
-					Type:        ConfigFieldBool,
-					Default:     "false",
-					Description: "是否启用 SOCKS5 用户名/密码认证",
-				},
-				{
-					Key:         "username",
-					Label:       "用户名",
-					Type:        ConfigFieldString,
-					Description: "SOCKS5 认证用户名",
-				},
-				{
-					Key:         "password",
-					Label:       "密码",
-					Type:        ConfigFieldPassword,
-					Description: "SOCKS5 认证密码",
-				},
-			},
-		},
-	}
-}
-
-// GetRuleSchema 获取指定协议类型的配置模式
-func GetRuleSchema(proxyType string) *RuleSchema {
-	schemas := BuiltinRuleSchemas()
-	if schema, ok := schemas[proxyType]; ok {
-		return &schema
-	}
-	return nil
-}
-
-// IsBuiltinType 检查是否为内置协议类型
-func IsBuiltinType(proxyType string) bool {
-	builtinTypes := []string{"tcp", "udp", "http", "https"}
-	for _, t := range builtinTypes {
-		if t == proxyType {
-			return true
-		}
-	}
-	return false
-}
--- a/pkg/plugin/script/js.go
+++ b/pkg/plugin/script/js.go
@@ -1,913 +0,0 @@
-package script
-
-import (
-	"bufio"
-	"encoding/json"
-	"fmt"
-	"io"
-	"net"
-	"net/http"
-	"os"
-	"path/filepath"
-	"strconv"
-	"strings"
-	"sync"
-
-	"github.com/dop251/goja"
-	"github.com/gotunnel/pkg/plugin"
-)
-
-// JSPlugin JavaScript 脚本插件
-type JSPlugin struct {
-	name           string
-	source         string
-	vm             *goja.Runtime
-	metadata       plugin.Metadata
-	config         map[string]string
-	sandbox        *Sandbox
-	running        bool
-	mu             sync.Mutex
-	eventListeners map[string][]func(goja.Value)
-	storagePath    string
-	apiHandlers    map[string]map[string]goja.Callable // method -> path -> handler
-}
-
-// NewJSPlugin 从 JS 源码创建插件
-func NewJSPlugin(name, source string) (*JSPlugin, error) {
-	p := &JSPlugin{
-		name:           name,
-		source:         source,
-		vm:             goja.New(),
-		sandbox:        DefaultSandbox(),
-		eventListeners: make(map[string][]func(goja.Value)),
-		storagePath:    filepath.Join("plugin_data", name+".json"),
-		apiHandlers:    make(map[string]map[string]goja.Callable),
-	}
-
-	// 确保存储目录存在
-	os.MkdirAll("plugin_data", 0755)
-
-	if err := p.init(); err != nil {
-		return nil, err
-	}
-
-	return p, nil
-}
-
-// SetSandbox 设置沙箱配置
-func (p *JSPlugin) SetSandbox(sandbox *Sandbox) {
-	p.sandbox = sandbox
-}
-
-// init 初始化 JS 运行时
-func (p *JSPlugin) init() error {
-	// 设置栈深度限制（防止递归攻击）
-	if p.sandbox.MaxStackDepth > 0 {
-		p.vm.SetMaxCallStackSize(p.sandbox.MaxStackDepth)
-	}
-
-	// 注入基础 API
-	p.vm.Set("log", p.jsLog)
-
-	// Config API (兼容旧的 config() 调用，同时支持 config.get/getAll)
-	p.vm.Set("config", p.jsGetConfig)
-	if configObj := p.vm.Get("config"); configObj != nil {
-		obj := configObj.ToObject(p.vm)
-		obj.Set("get", p.jsGetConfig)
-		obj.Set("getAll", p.jsGetAllConfig)
-	}
-
-	// 注入增强 API
-	p.vm.Set("logger", p.createLoggerAPI())
-	p.vm.Set("storage", p.createStorageAPI())
-	p.vm.Set("event", p.createEventAPI())
-	p.vm.Set("request", p.createRequestAPI())
-	p.vm.Set("notify", p.createNotifyAPI())
-
-	// 注入文件 API
-	p.vm.Set("fs", p.createFsAPI())
-
-	// 注入 HTTP API
-	p.vm.Set("http", p.createHttpAPI())
-
-	// 注入路由 API
-	p.vm.Set("api", p.createRouteAPI())
-
-	// 执行脚本
-	_, err := p.vm.RunString(p.source)
-	if err != nil {
-		return fmt.Errorf("run script: %w", err)
-	}
-
-	// 获取元数据
-	if err := p.loadMetadata(); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-// loadMetadata 从 JS 获取元数据
-func (p *JSPlugin) loadMetadata() error {
-	fn, ok := goja.AssertFunction(p.vm.Get("metadata"))
-	if !ok {
-		// 使用默认元数据
-		p.metadata = plugin.Metadata{
-			Name:   p.name,
-			Type:   plugin.PluginTypeApp,
-			Source: plugin.PluginSourceScript,
-			RunAt:  plugin.SideClient,
-		}
-		return nil
-	}
-
-	result, err := fn(goja.Undefined())
-	if err != nil {
-		return err
-	}
-
-	obj := result.ToObject(p.vm)
-	p.metadata = plugin.Metadata{
-		Name:        getString(obj, "name", p.name),
-		Version:     getString(obj, "version", "1.0.0"),
-		Type:        plugin.PluginType(getString(obj, "type", "app")),
-		Source:      plugin.PluginSourceScript,
-		RunAt:       plugin.Side(getString(obj, "run_at", "client")),
-		Description: getString(obj, "description", ""),
-		Author:      getString(obj, "author", ""),
-	}
-	return nil
-}
-
-// Metadata 返回插件元数据
-func (p *JSPlugin) Metadata() plugin.Metadata {
-	return p.metadata
-}
-
-// Init 初始化插件配置
-func (p *JSPlugin) Init(config map[string]string) error {
-	p.config = config
-
-	// 根据 root_path 配置设置沙箱允许的路径
-	if rootPath := config["root_path"]; rootPath != "" {
-		absPath, err := filepath.Abs(rootPath)
-		if err == nil {
-			p.sandbox.AllowedPaths = append(p.sandbox.AllowedPaths, absPath)
-			p.sandbox.WritablePaths = append(p.sandbox.WritablePaths, absPath)
-		}
-	} else {
-		// 如果没有配置 root_path，默认允许访问当前目录
-		cwd, err := os.Getwd()
-		if err == nil {
-			p.sandbox.AllowedPaths = append(p.sandbox.AllowedPaths, cwd)
-			p.sandbox.WritablePaths = append(p.sandbox.WritablePaths, cwd)
-		}
-	}
-
-	return nil
-}
-
-// Start 启动插件
-func (p *JSPlugin) Start() (string, error) {
-	p.mu.Lock()
-	defer p.mu.Unlock()
-
-	if p.running {
-		return "", nil
-	}
-
-	fn, ok := goja.AssertFunction(p.vm.Get("start"))
-	if ok {
-		_, err := fn(goja.Undefined())
-		if err != nil {
-			return "", err
-		}
-	}
-
-	p.running = true
-	return "script-plugin", nil
-}
-
-// HandleConn 处理连接
-func (p *JSPlugin) HandleConn(conn net.Conn) error {
-	defer conn.Close()
-
-	// goja Runtime 不是线程安全的，需要加锁
-	p.mu.Lock()
-	defer p.mu.Unlock()
-
-	// 创建连接包装器
-	jsConn := newJSConn(conn)
-
-	fn, ok := goja.AssertFunction(p.vm.Get("handleConn"))
-	if !ok {
-		return fmt.Errorf("handleConn not defined")
-	}
-
-	_, err := fn(goja.Undefined(), p.vm.ToValue(jsConn))
-	return err
-}
-
-// Stop 停止插件
-func (p *JSPlugin) Stop() error {
-	p.mu.Lock()
-	defer p.mu.Unlock()
-
-	if !p.running {
-		return nil
-	}
-
-	fn, ok := goja.AssertFunction(p.vm.Get("stop"))
-	if ok {
-		fn(goja.Undefined())
-	}
-
-	p.running = false
-	return nil
-}
-
-// jsLog JS 日志函数
-func (p *JSPlugin) jsLog(msg string) {
-	fmt.Printf("[JS:%s] %s\n", p.name, msg)
-}
-
-// jsGetConfig 获取配置
-func (p *JSPlugin) jsGetConfig(key string) string {
-	if p.config == nil {
-		return ""
-	}
-	return p.config[key]
-}
-
-// getString 从 JS 对象获取字符串
-func getString(obj *goja.Object, key, def string) string {
-	v := obj.Get(key)
-	if v == nil || goja.IsUndefined(v) {
-		return def
-	}
-	return v.String()
-}
-
-// jsConn JS 连接包装器
-type jsConn struct {
-	conn net.Conn
-}
-
-func newJSConn(conn net.Conn) *jsConn {
-	return &jsConn{conn: conn}
-}
-
-func (c *jsConn) Read(size int) []byte {
-	buf := make([]byte, size)
-	n, err := c.conn.Read(buf)
-	if err != nil {
-		return nil
-	}
-	return buf[:n]
-}
-
-func (c *jsConn) Write(data []byte) int {
-	n, _ := c.conn.Write(data)
-	return n
-}
-
-func (c *jsConn) Close() {
-	c.conn.Close()
-}
-
-// =============================================================================
-// 文件系统 API
-// =============================================================================
-
-// createFsAPI 创建文件系统 API
-func (p *JSPlugin) createFsAPI() map[string]interface{} {
-	return map[string]interface{}{
-		"readFile":  p.fsReadFile,
-		"writeFile": p.fsWriteFile,
-		"readDir":   p.fsReadDir,
-		"stat":      p.fsStat,
-		"exists":    p.fsExists,
-		"mkdir":     p.fsMkdir,
-		"remove":    p.fsRemove,
-	}
-}
-
-func (p *JSPlugin) fsReadFile(path string) map[string]interface{} {
-	if err := p.sandbox.ValidateReadPath(path); err != nil {
-		return map[string]interface{}{"error": err.Error(), "data": ""}
-	}
-
-	info, err := os.Stat(path)
-	if err != nil {
-		return map[string]interface{}{"error": err.Error(), "data": ""}
-	}
-	if info.Size() > p.sandbox.MaxReadSize {
-		return map[string]interface{}{"error": "file too large", "data": ""}
-	}
-
-	data, err := os.ReadFile(path)
-	if err != nil {
-		return map[string]interface{}{"error": err.Error(), "data": ""}
-	}
-	return map[string]interface{}{"error": "", "data": string(data)}
-}
-
-func (p *JSPlugin) fsWriteFile(path, content string) map[string]interface{} {
-	if err := p.sandbox.ValidateWritePath(path); err != nil {
-		return map[string]interface{}{"error": err.Error(), "ok": false}
-	}
-
-	if int64(len(content)) > p.sandbox.MaxWriteSize {
-		return map[string]interface{}{"error": "content too large", "ok": false}
-	}
-
-	err := os.WriteFile(path, []byte(content), 0644)
-	if err != nil {
-		return map[string]interface{}{"error": err.Error(), "ok": false}
-	}
-	return map[string]interface{}{"error": "", "ok": true}
-}
-
-func (p *JSPlugin) fsReadDir(path string) map[string]interface{} {
-	if err := p.sandbox.ValidateReadPath(path); err != nil {
-		return map[string]interface{}{"error": err.Error(), "entries": nil}
-	}
-
-	entries, err := os.ReadDir(path)
-	if err != nil {
-		return map[string]interface{}{"error": err.Error(), "entries": nil}
-	}
-	var result []map[string]interface{}
-	for _, e := range entries {
-		info, _ := e.Info()
-		result = append(result, map[string]interface{}{
-			"name":  e.Name(),
-			"isDir": e.IsDir(),
-			"size":  info.Size(),
-		})
-	}
-	return map[string]interface{}{"error": "", "entries": result}
-}
-
-func (p *JSPlugin) fsStat(path string) map[string]interface{} {
-	if err := p.sandbox.ValidateReadPath(path); err != nil {
-		return map[string]interface{}{"error": err.Error()}
-	}
-
-	info, err := os.Stat(path)
-	if err != nil {
-		return map[string]interface{}{"error": err.Error()}
-	}
-	return map[string]interface{}{
-		"error":   "",
-		"name":    info.Name(),
-		"size":    info.Size(),
-		"isDir":   info.IsDir(),
-		"modTime": info.ModTime().Unix(),
-	}
-}
-
-func (p *JSPlugin) fsExists(path string) map[string]interface{} {
-	if err := p.sandbox.ValidateReadPath(path); err != nil {
-		return map[string]interface{}{"error": err.Error(), "exists": false}
-	}
-	_, err := os.Stat(path)
-	return map[string]interface{}{"error": "", "exists": err == nil}
-}
-
-func (p *JSPlugin) fsMkdir(path string) map[string]interface{} {
-	if err := p.sandbox.ValidateWritePath(path); err != nil {
-		return map[string]interface{}{"error": err.Error(), "ok": false}
-	}
-	err := os.MkdirAll(path, 0755)
-	if err != nil {
-		return map[string]interface{}{"error": err.Error(), "ok": false}
-	}
-	return map[string]interface{}{"error": "", "ok": true}
-}
-
-func (p *JSPlugin) fsRemove(path string) map[string]interface{} {
-	if err := p.sandbox.ValidateWritePath(path); err != nil {
-		return map[string]interface{}{"error": err.Error(), "ok": false}
-	}
-	err := os.RemoveAll(path)
-	if err != nil {
-		return map[string]interface{}{"error": err.Error(), "ok": false}
-	}
-	return map[string]interface{}{"error": "", "ok": true}
-}
-
-// =============================================================================
-// HTTP 服务 API
-// =============================================================================
-
-// createHttpAPI 创建 HTTP API
-func (p *JSPlugin) createHttpAPI() map[string]interface{} {
-	return map[string]interface{}{
-		"serve":    p.httpServe,
-		"json":     p.httpJSON,
-		"sendFile": p.httpSendFile,
-	}
-}
-
-// httpServe 启动 HTTP 服务处理连接
-func (p *JSPlugin) httpServe(connObj interface{}, handler goja.Callable) {
-	// 从 jsConn 包装器中提取原始 net.Conn
-	var conn net.Conn
-	if jc, ok := connObj.(*jsConn); ok {
-		conn = jc.conn
-	} else if nc, ok := connObj.(net.Conn); ok {
-		conn = nc
-	} else {
-		fmt.Printf("[JS:%s] httpServe: invalid conn type: %T\n", p.name, connObj)
-		return
-	}
-
-	// 注意：不要在这里关闭连接，HandleConn 会负责关闭
-
-	// Use bufio to read the request properly
-	reader := bufio.NewReader(conn)
-
-	for {
-		// 1. Read Request Line
-		line, err := reader.ReadString('\n')
-		if err != nil {
-			if err != io.EOF {
-				fmt.Printf("[JS:%s] httpServe read error: %v\n", p.name, err)
-			}
-			return
-		}
-		line = strings.TrimSpace(line)
-		if line == "" {
-			continue
-		}
-
-		parts := strings.Split(line, " ")
-		if len(parts) < 2 {
-			fmt.Printf("[JS:%s] Invalid request line: %s\n", p.name, line)
-			return
-		}
-		method := parts[0]
-		path := parts[1]
-
-		fmt.Printf("[JS:%s] Request: %s %s\n", p.name, method, path)
-
-		// 2. Read Headers
-		headers := make(map[string]string)
-		contentLength := 0
-		for {
-			hLine, err := reader.ReadString('\n')
-			if err != nil {
-				break
-			}
-			hLine = strings.TrimSpace(hLine)
-			if hLine == "" {
-				break
-			}
-			if idx := strings.Index(hLine, ":"); idx > 0 {
-				key := strings.TrimSpace(hLine[:idx])
-				val := strings.TrimSpace(hLine[idx+1:])
-				headers[strings.ToLower(key)] = val
-				if strings.ToLower(key) == "content-length" {
-					contentLength, _ = strconv.Atoi(val)
-				}
-			}
-		}
-
-		// 3. Read Body
-		body := ""
-		if contentLength > 0 {
-			bodyBuf := make([]byte, contentLength)
-			if _, err := io.ReadFull(reader, bodyBuf); err == nil {
-				body = string(bodyBuf)
-			}
-		}
-
-		req := map[string]interface{}{
-			"method":  method,
-			"path":    path,
-			"headers": headers,
-			"body":    body,
-		}
-
-		// 调用 JS handler 函数
-		result, err := handler(goja.Undefined(), p.vm.ToValue(req))
-		if err != nil {
-			fmt.Printf("[JS:%s] HTTP handler error: %v\n", p.name, err)
-			conn.Write([]byte("HTTP/1.1 500 Internal Server Error\r\nConnection: close\r\n\r\n"))
-			return
-		}
-
-		// 将结果转换为 map
-		if result == nil || goja.IsUndefined(result) || goja.IsNull(result) {
-			conn.Write([]byte("HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"))
-			continue
-		}
-
-		resp := make(map[string]interface{})
-		respObj := result.ToObject(p.vm)
-		for _, key := range respObj.Keys() {
-			val := respObj.Get(key)
-			resp[key] = val.Export()
-		}
-
-		writeHTTPResponse(conn, resp)
-	}
-}
-
-func (p *JSPlugin) httpJSON(data interface{}) string {
-	b, _ := json.Marshal(data)
-	return string(b)
-}
-
-func (p *JSPlugin) httpSendFile(connObj interface{}, filePath string) {
-	// 从 jsConn 包装器中提取原始 net.Conn
-	var conn net.Conn
-	if jc, ok := connObj.(*jsConn); ok {
-		conn = jc.conn
-	} else if nc, ok := connObj.(net.Conn); ok {
-		conn = nc
-	} else {
-		fmt.Printf("[JS:%s] httpSendFile: invalid conn type: %T\n", p.name, connObj)
-		return
-	}
-
-	f, err := os.Open(filePath)
-	if err != nil {
-		conn.Write([]byte("HTTP/1.1 404 Not Found\r\n\r\n"))
-		return
-	}
-	defer f.Close()
-
-	info, _ := f.Stat()
-	contentType := getContentType(filePath)
-
-	header := fmt.Sprintf("HTTP/1.1 200 OK\r\nContent-Type: %s\r\nContent-Length: %d\r\n\r\n",
-		contentType, info.Size())
-	conn.Write([]byte(header))
-	io.Copy(conn, f)
-}
-
-// parseHTTPRequest is deprecated, logic moved to httpServe
-func parseHTTPRequest(data []byte) map[string]interface{} {
-	return nil
-}
-
-// writeHTTPResponse 写入 HTTP 响应
-func writeHTTPResponse(conn net.Conn, resp map[string]interface{}) {
-	status := 200
-	if s, ok := resp["status"].(int); ok {
-		status = s
-	}
-
-	body := ""
-	if b, ok := resp["body"].(string); ok {
-		body = b
-	}
-
-	contentType := "application/json"
-	if ct, ok := resp["contentType"].(string); ok {
-		contentType = ct
-	}
-
-	header := fmt.Sprintf("HTTP/1.1 %d OK\r\nContent-Type: %s\r\nContent-Length: %d\r\n\r\n",
-		status, contentType, len(body))
-	conn.Write([]byte(header + body))
-}
-
-func indexOf(s, substr string) int {
-	for i := 0; i <= len(s)-len(substr); i++ {
-		if s[i:i+len(substr)] == substr {
-			return i
-		}
-	}
-	return -1
-}
-
-func getContentType(path string) string {
-	ext := filepath.Ext(path)
-	types := map[string]string{
-		".html": "text/html",
-		".css":  "text/css",
-		".js":   "application/javascript",
-		".json": "application/json",
-		".png":  "image/png",
-		".jpg":  "image/jpeg",
-		".gif":  "image/gif",
-		".txt":  "text/plain",
-	}
-	if ct, ok := types[ext]; ok {
-		return ct
-	}
-	return "application/octet-stream"
-}
-
-// =============================================================================
-// Logger API
-// =============================================================================
-
-func (p *JSPlugin) createLoggerAPI() map[string]interface{} {
-	return map[string]interface{}{
-		"info":  func(msg string) { fmt.Printf("[JS:%s][INFO] %s\n", p.name, msg) },
-		"warn":  func(msg string) { fmt.Printf("[JS:%s][WARN] %s\n", p.name, msg) },
-		"error": func(msg string) { fmt.Printf("[JS:%s][ERROR] %s\n", p.name, msg) },
-	}
-}
-
-// =============================================================================
-// Config API Enhancements
-// =============================================================================
-
-func (p *JSPlugin) jsGetAllConfig() map[string]string {
-	if p.config == nil {
-		return map[string]string{}
-	}
-	return p.config
-}
-
-// =============================================================================
-// Storage API
-// =============================================================================
-
-func (p *JSPlugin) createStorageAPI() map[string]interface{} {
-	return map[string]interface{}{
-		"get":    p.storageGet,
-		"set":    p.storageSet,
-		"delete": p.storageDelete,
-		"keys":   p.storageKeys,
-	}
-}
-
-func (p *JSPlugin) loadStorage() map[string]interface{} {
-	data := make(map[string]interface{})
-	if _, err := os.Stat(p.storagePath); err == nil {
-		content, _ := os.ReadFile(p.storagePath)
-		json.Unmarshal(content, &data)
-	}
-	return data
-}
-
-func (p *JSPlugin) saveStorage(data map[string]interface{}) {
-	content, _ := json.MarshalIndent(data, "", "  ")
-	os.WriteFile(p.storagePath, content, 0644)
-}
-
-func (p *JSPlugin) storageGet(key string, def interface{}) interface{} {
-	p.mu.Lock()
-	defer p.mu.Unlock()
-	data := p.loadStorage()
-	if v, ok := data[key]; ok {
-		return v
-	}
-	return def
-}
-
-func (p *JSPlugin) storageSet(key string, value interface{}) {
-	p.mu.Lock()
-	defer p.mu.Unlock()
-	data := p.loadStorage()
-	data[key] = value
-	p.saveStorage(data)
-}
-
-func (p *JSPlugin) storageDelete(key string) {
-	p.mu.Lock()
-	defer p.mu.Unlock()
-	data := p.loadStorage()
-	delete(data, key)
-	p.saveStorage(data)
-}
-
-func (p *JSPlugin) storageKeys() []string {
-	p.mu.Lock()
-	defer p.mu.Unlock()
-	data := p.loadStorage()
-	keys := make([]string, 0, len(data))
-	for k := range data {
-		keys = append(keys, k)
-	}
-	return keys
-}
-
-// =============================================================================
-// Event API
-// =============================================================================
-
-func (p *JSPlugin) createEventAPI() map[string]interface{} {
-	return map[string]interface{}{
-		"on":   p.eventOn,
-		"emit": p.eventEmit,
-		"off":  p.eventOff,
-	}
-}
-
-func (p *JSPlugin) eventOn(event string, callback func(goja.Value)) {
-	p.mu.Lock()
-	defer p.mu.Unlock()
-	p.eventListeners[event] = append(p.eventListeners[event], callback)
-}
-
-func (p *JSPlugin) eventEmit(event string, data interface{}) {
-	p.mu.Lock()
-	listeners := p.eventListeners[event]
-	p.mu.Unlock() // 释放锁以允许回调中操作
-
-	val := p.vm.ToValue(data)
-	for _, cb := range listeners {
-		cb(val)
-	}
-}
-
-func (p *JSPlugin) eventOff(event string) {
-	p.mu.Lock()
-	defer p.mu.Unlock()
-	delete(p.eventListeners, event)
-}
-
-// =============================================================================
-// Request API (HTTP Client)
-// =============================================================================
-
-func (p *JSPlugin) createRequestAPI() map[string]interface{} {
-	return map[string]interface{}{
-		"get":  p.requestGet,
-		"post": p.requestPost,
-	}
-}
-
-func (p *JSPlugin) requestGet(url string) map[string]interface{} {
-	resp, err := http.Get(url)
-	if err != nil {
-		return map[string]interface{}{"error": err.Error(), "status": 0}
-	}
-	defer resp.Body.Close()
-	body, _ := io.ReadAll(resp.Body)
-	return map[string]interface{}{
-		"status": resp.StatusCode,
-		"body":   string(body),
-		"error":  "",
-	}
-}
-
-func (p *JSPlugin) requestPost(url string, contentType, data string) map[string]interface{} {
-	resp, err := http.Post(url, contentType, strings.NewReader(data))
-	if err != nil {
-		return map[string]interface{}{"error": err.Error(), "status": 0}
-	}
-	defer resp.Body.Close()
-	body, _ := io.ReadAll(resp.Body)
-	return map[string]interface{}{
-		"status": resp.StatusCode,
-		"body":   string(body),
-		"error":  "",
-	}
-}
-
-// =============================================================================
-// Notify API
-// =============================================================================
-
-func (p *JSPlugin) createNotifyAPI() map[string]interface{} {
-	return map[string]interface{}{
-		"send": func(title, msg string) {
-			// 目前仅打印到日志，后续对接系统通知
-			fmt.Printf("[NOTIFY][%s] %s: %s\n", p.name, title, msg)
-		},
-	}
-}
-
-// =============================================================================
-// Route API (用于 Web API 代理)
-// =============================================================================
-
-func (p *JSPlugin) createRouteAPI() map[string]interface{} {
-	return map[string]interface{}{
-		"handle": p.apiHandle,
-		"get":    func(path string, handler goja.Callable) { p.apiRegister("GET", path, handler) },
-		"post":   func(path string, handler goja.Callable) { p.apiRegister("POST", path, handler) },
-		"put":    func(path string, handler goja.Callable) { p.apiRegister("PUT", path, handler) },
-		"delete": func(path string, handler goja.Callable) { p.apiRegister("DELETE", path, handler) },
-	}
-}
-
-// apiHandle 注册 API 路由处理函数
-func (p *JSPlugin) apiHandle(method, path string, handler goja.Callable) {
-	p.apiRegister(method, path, handler)
-}
-
-// apiRegister 注册 API 路由
-func (p *JSPlugin) apiRegister(method, path string, handler goja.Callable) {
-	p.mu.Lock()
-	defer p.mu.Unlock()
-
-	if p.apiHandlers[method] == nil {
-		p.apiHandlers[method] = make(map[string]goja.Callable)
-	}
-	p.apiHandlers[method][path] = handler
-	fmt.Printf("[JS:%s] Registered API: %s %s\n", p.name, method, path)
-}
-
-// HandleAPIRequest 处理 API 请求
-func (p *JSPlugin) HandleAPIRequest(method, path, query string, headers map[string]string, body string) (int, map[string]string, string, error) {
-	p.mu.Lock()
-	handlers := p.apiHandlers[method]
-	p.mu.Unlock()
-
-	if handlers == nil {
-		return 404, nil, `{"error":"method not allowed"}`, nil
-	}
-
-	// 查找匹配的路由
-	var handler goja.Callable
-	var matchedPath string
-
-	for registeredPath, h := range handlers {
-		if matchRoute(registeredPath, path) {
-			handler = h
-			matchedPath = registeredPath
-			break
-		}
-	}
-
-	if handler == nil {
-		return 404, nil, `{"error":"route not found"}`, nil
-	}
-
-	// 构建请求对象
-	reqObj := map[string]interface{}{
-		"method":  method,
-		"path":    path,
-		"pattern": matchedPath,
-		"query":   query,
-		"headers": headers,
-		"body":    body,
-		"params":  extractParams(matchedPath, path),
-	}
-
-	// 调用处理函数
-	result, err := handler(goja.Undefined(), p.vm.ToValue(reqObj))
-	if err != nil {
-		return 500, nil, fmt.Sprintf(`{"error":"%s"}`, err.Error()), nil
-	}
-
-	// 解析响应
-	if result == nil || goja.IsUndefined(result) || goja.IsNull(result) {
-		return 200, nil, "", nil
-	}
-
-	respObj := result.ToObject(p.vm)
-	status := 200
-	if s := respObj.Get("status"); s != nil && !goja.IsUndefined(s) {
-		status = int(s.ToInteger())
-	}
-
-	respHeaders := make(map[string]string)
-	if h := respObj.Get("headers"); h != nil && !goja.IsUndefined(h) {
-		hObj := h.ToObject(p.vm)
-		for _, key := range hObj.Keys() {
-			respHeaders[key] = hObj.Get(key).String()
-		}
-	}
-
-	respBody := ""
-	if b := respObj.Get("body"); b != nil && !goja.IsUndefined(b) {
-		respBody = b.String()
-	}
-
-	return status, respHeaders, respBody, nil
-}
-
-// matchRoute 匹配路由 (支持简单的路径参数)
-func matchRoute(pattern, path string) bool {
-	patternParts := strings.Split(strings.Trim(pattern, "/"), "/")
-	pathParts := strings.Split(strings.Trim(path, "/"), "/")
-
-	if len(patternParts) != len(pathParts) {
-		return false
-	}
-
-	for i, part := range patternParts {
-		if strings.HasPrefix(part, ":") {
-			continue // 路径参数，匹配任意值
-		}
-		if part != pathParts[i] {
-			return false
-		}
-	}
-	return true
-}
-
-// extractParams 提取路径参数
-func extractParams(pattern, path string) map[string]string {
-	params := make(map[string]string)
-	patternParts := strings.Split(strings.Trim(pattern, "/"), "/")
-	pathParts := strings.Split(strings.Trim(path, "/"), "/")
-
-	for i, part := range patternParts {
-		if strings.HasPrefix(part, ":") && i < len(pathParts) {
-			paramName := strings.TrimPrefix(part, ":")
-			params[paramName] = pathParts[i]
-		}
-	}
-	return params
-}
--- a/pkg/plugin/script/sandbox.go
+++ b/pkg/plugin/script/sandbox.go
@@ -1,161 +0,0 @@
-package script
-
-import (
-	"fmt"
-	"os"
-	"path/filepath"
-	"strings"
-)
-
-// Sandbox 插件沙箱配置
-type Sandbox struct {
-	// 允许访问的路径列表（绝对路径）
-	AllowedPaths []string
-	// 允许写入的路径列表（必须是 AllowedPaths 的子集）
-	WritablePaths []string
-	// 禁止访问的路径（黑名单，优先级高于白名单）
-	DeniedPaths []string
-	// 是否允许网络访问
-	AllowNetwork bool
-	// 最大文件读取大小 (bytes)
-	MaxReadSize int64
-	// 最大文件写入大小 (bytes)
-	MaxWriteSize int64
-	// 最大内存使用量 (bytes)，0 表示不限制
-	MaxMemory int64
-	// 最大调用栈深度
-	MaxStackDepth int
-}
-
-// DefaultSandbox 返回默认沙箱配置（最小权限）
-func DefaultSandbox() *Sandbox {
-	return &Sandbox{
-		AllowedPaths:  []string{},
-		WritablePaths: []string{},
-		DeniedPaths:   defaultDeniedPaths(),
-		AllowNetwork:  false,
-		MaxReadSize:   10 * 1024 * 1024, // 10MB
-		MaxWriteSize:  1 * 1024 * 1024,  // 1MB
-		MaxMemory:     64 * 1024 * 1024, // 64MB
-		MaxStackDepth: 1000,             // 最大调用栈深度
-	}
-}
-
-// defaultDeniedPaths 返回默认禁止访问的路径
-func defaultDeniedPaths() []string {
-	home, _ := os.UserHomeDir()
-	denied := []string{
-		"/etc/passwd",
-		"/etc/shadow",
-		"/etc/sudoers",
-		"/root",
-		"/.ssh",
-		"/.gnupg",
-		"/.aws",
-		"/.kube",
-		"/proc",
-		"/sys",
-	}
-	if home != "" {
-		denied = append(denied,
-			filepath.Join(home, ".ssh"),
-			filepath.Join(home, ".gnupg"),
-			filepath.Join(home, ".aws"),
-			filepath.Join(home, ".kube"),
-			filepath.Join(home, ".config"),
-			filepath.Join(home, ".local"),
-		)
-	}
-	return denied
-}
-
-// ValidateReadPath 验证读取路径是否允许
-func (s *Sandbox) ValidateReadPath(path string) error {
-	return s.validatePath(path, false)
-}
-
-// ValidateWritePath 验证写入路径是否允许
-func (s *Sandbox) ValidateWritePath(path string) error {
-	return s.validatePath(path, true)
-}
-
-func (s *Sandbox) validatePath(path string, write bool) error {
-	// 清理路径，防止路径遍历攻击
-	cleanPath, err := s.cleanPath(path)
-	if err != nil {
-		return err
-	}
-
-	// 检查黑名单（优先级最高）
-	if s.isDenied(cleanPath) {
-		return fmt.Errorf("access denied: path is in denied list")
-	}
-
-	// 检查白名单
-	allowedList := s.AllowedPaths
-	if write {
-		allowedList = s.WritablePaths
-	}
-
-	if len(allowedList) == 0 {
-		return fmt.Errorf("access denied: no paths allowed")
-	}
-
-	if !s.isAllowed(cleanPath, allowedList) {
-		if write {
-			return fmt.Errorf("access denied: path not in writable list")
-		}
-		return fmt.Errorf("access denied: path not in allowed list")
-	}
-
-	return nil
-}
-
-// cleanPath 清理并验证路径
-func (s *Sandbox) cleanPath(path string) (string, error) {
-	// 转换为绝对路径
-	absPath, err := filepath.Abs(path)
-	if err != nil {
-		return "", fmt.Errorf("invalid path: %w", err)
-	}
-
-	// 清理路径（解析 .. 和 .）
-	cleanPath := filepath.Clean(absPath)
-
-	// 检查符号链接（防止通过符号链接绕过限制）
-	realPath, err := filepath.EvalSymlinks(cleanPath)
-	if err != nil {
-		// 文件可能不存在，使用清理后的路径
-		if !os.IsNotExist(err) {
-			return "", fmt.Errorf("invalid path: %w", err)
-		}
-		realPath = cleanPath
-	}
-
-	// 再次检查路径遍历
-	if strings.Contains(realPath, "..") {
-		return "", fmt.Errorf("path traversal detected")
-	}
-
-	return realPath, nil
-}
-
-// isDenied 检查路径是否在黑名单中
-func (s *Sandbox) isDenied(path string) bool {
-	for _, denied := range s.DeniedPaths {
-		if strings.HasPrefix(path, denied) || path == denied {
-			return true
-		}
-	}
-	return false
-}
-
-// isAllowed 检查路径是否在白名单中
-func (s *Sandbox) isAllowed(path string, allowedList []string) bool {
-	for _, allowed := range allowedList {
-		if strings.HasPrefix(path, allowed) || path == allowed {
-			return true
-		}
-	}
-	return false
-}
--- a/pkg/plugin/sign/official.go
+++ b/pkg/plugin/sign/official.go
@@ -1,31 +0,0 @@
-package sign
-
-import (
-	"crypto/ed25519"
-	"sync"
-)
-
-// 官方固定公钥（客户端内置）
-const OfficialPublicKeyBase64 = "0A0xRthj0wgPg8X8GJZ6/EnNpAUw5v7O//XLty+P5Yw="
-
-var (
-	officialPubKey     ed25519.PublicKey
-	officialPubKeyOnce sync.Once
-	officialPubKeyErr  error
-)
-
-// initOfficialKey 初始化官方公钥
-func initOfficialKey() {
-	officialPubKey, officialPubKeyErr = DecodePublicKey(OfficialPublicKeyBase64)
-}
-
-// GetOfficialPublicKey 获取官方公钥
-func GetOfficialPublicKey() (ed25519.PublicKey, error) {
-	officialPubKeyOnce.Do(initOfficialKey)
-	return officialPubKey, officialPubKeyErr
-}
-
-// GetPublicKeyByID 根据 ID 获取公钥（兼容旧接口，忽略 keyID）
-func GetPublicKeyByID(keyID string) (ed25519.PublicKey, error) {
-	return GetOfficialPublicKey()
-}
--- a/pkg/plugin/sign/payload.go
+++ b/pkg/plugin/sign/payload.go
@@ -1,107 +0,0 @@
-package sign
-
-import (
-	"crypto/ed25519"
-	"crypto/sha256"
-	"encoding/hex"
-	"encoding/json"
-	"fmt"
-	"strings"
-	"time"
-)
-
-// PluginPayload 插件签名载荷
-type PluginPayload struct {
-	Name       string `json:"name"`        // 插件名称
-	Version    string `json:"version"`     // 版本号
-	SourceHash string `json:"source_hash"` // 源码 SHA256
-	KeyID      string `json:"key_id"`      // 签名密钥 ID
-	Timestamp  int64  `json:"timestamp"`   // 签名时间戳
-}
-
-// SignedPlugin 已签名的插件
-type SignedPlugin struct {
-	Payload   PluginPayload `json:"payload"`
-	Signature string        `json:"signature"` // Base64 签名
-}
-
-// NormalizeSource 规范化源码（统一换行符）
-func NormalizeSource(source string) string {
-	// 统一换行符为 LF
-	normalized := strings.ReplaceAll(source, "\r\n", "\n")
-	normalized = strings.ReplaceAll(normalized, "\r", "\n")
-	// 去除尾部空白
-	normalized = strings.TrimRight(normalized, " \t\n")
-	return normalized
-}
-
-// HashSource 计算源码哈希
-func HashSource(source string) string {
-	normalized := NormalizeSource(source)
-	hash := sha256.Sum256([]byte(normalized))
-	return hex.EncodeToString(hash[:])
-}
-
-// CreatePayload 创建签名载荷
-func CreatePayload(name, version, source, keyID string) *PluginPayload {
-	return &PluginPayload{
-		Name:       name,
-		Version:    version,
-		SourceHash: HashSource(source),
-		KeyID:      keyID,
-		Timestamp:  time.Now().Unix(),
-	}
-}
-
-// SignPlugin 签名插件
-func SignPlugin(priv ed25519.PrivateKey, payload *PluginPayload) (*SignedPlugin, error) {
-	// 序列化载荷
-	data, err := json.Marshal(payload)
-	if err != nil {
-		return nil, fmt.Errorf("marshal payload: %w", err)
-	}
-
-	// 签名
-	sig := SignBase64(priv, data)
-
-	return &SignedPlugin{
-		Payload:   *payload,
-		Signature: sig,
-	}, nil
-}
-
-// VerifyPlugin 验证插件签名
-func VerifyPlugin(pub ed25519.PublicKey, signed *SignedPlugin, source string) error {
-	// 验证源码哈希
-	expectedHash := HashSource(source)
-	if signed.Payload.SourceHash != expectedHash {
-		return fmt.Errorf("source hash mismatch")
-	}
-
-	// 序列化载荷
-	data, err := json.Marshal(signed.Payload)
-	if err != nil {
-		return fmt.Errorf("marshal payload: %w", err)
-	}
-
-	// 验证签名
-	return VerifyBase64(pub, data, signed.Signature)
-}
-
-// EncodeSignedPlugin 编码已签名插件为 JSON
-func EncodeSignedPlugin(sp *SignedPlugin) (string, error) {
-	data, err := json.Marshal(sp)
-	if err != nil {
-		return "", err
-	}
-	return string(data), nil
-}
-
-// DecodeSignedPlugin 从 JSON 解码已签名插件
-func DecodeSignedPlugin(data string) (*SignedPlugin, error) {
-	var sp SignedPlugin
-	if err := json.Unmarshal([]byte(data), &sp); err != nil {
-		return nil, err
-	}
-	return &sp, nil
-}
--- a/pkg/plugin/sign/sign.go
+++ b/pkg/plugin/sign/sign.go
@@ -1,92 +0,0 @@
-package sign
-
-import (
-	"crypto/ed25519"
-	"crypto/rand"
-	"encoding/base64"
-	"errors"
-	"fmt"
-)
-
-var (
-	ErrInvalidSignature  = errors.New("invalid signature")
-	ErrInvalidPublicKey  = errors.New("invalid public key")
-	ErrInvalidPrivateKey = errors.New("invalid private key")
-)
-
-// KeyPair Ed25519 密钥对
-type KeyPair struct {
-	PublicKey  ed25519.PublicKey
-	PrivateKey ed25519.PrivateKey
-}
-
-// GenerateKeyPair 生成新的密钥对
-func GenerateKeyPair() (*KeyPair, error) {
-	pub, priv, err := ed25519.GenerateKey(rand.Reader)
-	if err != nil {
-		return nil, fmt.Errorf("generate key: %w", err)
-	}
-	return &KeyPair{PublicKey: pub, PrivateKey: priv}, nil
-}
-
-// Sign 使用私钥签名数据
-func Sign(privateKey ed25519.PrivateKey, data []byte) []byte {
-	return ed25519.Sign(privateKey, data)
-}
-
-// Verify 使用公钥验证签名
-func Verify(publicKey ed25519.PublicKey, data, signature []byte) bool {
-	return ed25519.Verify(publicKey, data, signature)
-}
-
-// SignBase64 签名并返回 Base64 编码
-func SignBase64(privateKey ed25519.PrivateKey, data []byte) string {
-	sig := Sign(privateKey, data)
-	return base64.StdEncoding.EncodeToString(sig)
-}
-
-// VerifyBase64 验证 Base64 编码的签名
-func VerifyBase64(publicKey ed25519.PublicKey, data []byte, sigB64 string) error {
-	sig, err := base64.StdEncoding.DecodeString(sigB64)
-	if err != nil {
-		return fmt.Errorf("decode signature: %w", err)
-	}
-	if !Verify(publicKey, data, sig) {
-		return ErrInvalidSignature
-	}
-	return nil
-}
-
-// EncodePublicKey 编码公钥为 Base64
-func EncodePublicKey(pub ed25519.PublicKey) string {
-	return base64.StdEncoding.EncodeToString(pub)
-}
-
-// DecodePublicKey 从 Base64 解码公钥
-func DecodePublicKey(s string) (ed25519.PublicKey, error) {
-	data, err := base64.StdEncoding.DecodeString(s)
-	if err != nil {
-		return nil, err
-	}
-	if len(data) != ed25519.PublicKeySize {
-		return nil, ErrInvalidPublicKey
-	}
-	return ed25519.PublicKey(data), nil
-}
-
-// EncodePrivateKey 编码私钥为 Base64
-func EncodePrivateKey(priv ed25519.PrivateKey) string {
-	return base64.StdEncoding.EncodeToString(priv)
-}
-
-// DecodePrivateKey 从 Base64 解码私钥
-func DecodePrivateKey(s string) (ed25519.PrivateKey, error) {
-	data, err := base64.StdEncoding.DecodeString(s)
-	if err != nil {
-		return nil, err
-	}
-	if len(data) != ed25519.PrivateKeySize {
-		return nil, ErrInvalidPrivateKey
-	}
-	return ed25519.PrivateKey(data), nil
-}
--- a/pkg/plugin/sign/version.go
+++ b/pkg/plugin/sign/version.go
@@ -1,47 +0,0 @@
-package sign
-
-import (
-	"strconv"
-	"strings"
-)
-
-// CompareVersions 比较两个版本号
-// 返回: -1 (v1 < v2), 0 (v1 == v2), 1 (v1 > v2)
-func CompareVersions(v1, v2 string) int {
-	parts1 := parseVersion(v1)
-	parts2 := parseVersion(v2)
-
-	maxLen := len(parts1)
-	if len(parts2) > maxLen {
-		maxLen = len(parts2)
-	}
-
-	for i := 0; i < maxLen; i++ {
-		var p1, p2 int
-		if i < len(parts1) {
-			p1 = parts1[i]
-		}
-		if i < len(parts2) {
-			p2 = parts2[i]
-		}
-
-		if p1 < p2 {
-			return -1
-		}
-		if p1 > p2 {
-			return 1
-		}
-	}
-	return 0
-}
-
-func parseVersion(v string) []int {
-	v = strings.TrimPrefix(v, "v")
-	parts := strings.Split(v, ".")
-	result := make([]int, len(parts))
-	for i, p := range parts {
-		n, _ := strconv.Atoi(p)
-		result[i] = n
-	}
-	return result
-}
--- a/pkg/plugin/types.go
+++ b/pkg/plugin/types.go
@@ -1,110 +0,0 @@
-package plugin
-
-import (
-	"net"
-	"time"
-)
-
-// =============================================================================
-// 基础类型
-// =============================================================================
-
-// Side 运行侧
-type Side string
-
-const (
-	SideClient Side = "client"
-)
-
-// PluginType 插件类别
-type PluginType string
-
-const (
-	PluginTypeProxy PluginType = "proxy" // 代理协议 (SOCKS5 等)
-	PluginTypeApp   PluginType = "app"   // 应用服务 (VNC, Echo 等)
-)
-
-// PluginSource 插件来源
-type PluginSource string
-
-const (
-	PluginSourceBuiltin PluginSource = "builtin" // 内置编译
-	PluginSourceScript  PluginSource = "script"  // 脚本插件
-)
-
-// =============================================================================
-// 配置相关
-// =============================================================================
-
-// ConfigFieldType 配置字段类型
-type ConfigFieldType string
-
-const (
-	ConfigFieldString   ConfigFieldType = "string"
-	ConfigFieldNumber   ConfigFieldType = "number"
-	ConfigFieldBool     ConfigFieldType = "bool"
-	ConfigFieldSelect   ConfigFieldType = "select"
-	ConfigFieldPassword ConfigFieldType = "password"
-)
-
-// ConfigField 配置字段定义
-type ConfigField struct {
-	Key         string          `json:"key"`
-	Label       string          `json:"label"`
-	Type        ConfigFieldType `json:"type"`
-	Default     string          `json:"default,omitempty"`
-	Required    bool            `json:"required,omitempty"`
-	Options     []string        `json:"options,omitempty"`
-	Description string          `json:"description,omitempty"`
-}
-
-// RuleSchema 规则表单模式
-type RuleSchema struct {
-	NeedsLocalAddr bool          `json:"needs_local_addr"`
-	ExtraFields    []ConfigField `json:"extra_fields,omitempty"`
-}
-
-// =============================================================================
-// 元数据
-// =============================================================================
-
-// Metadata 插件元数据
-type Metadata struct {
-	Name         string        `json:"name"`
-	Version      string        `json:"version"`
-	Type         PluginType    `json:"type"`
-	Source       PluginSource  `json:"source"`
-	RunAt        Side          `json:"run_at"`
-	Description  string        `json:"description"`
-	Author       string        `json:"author,omitempty"`
-	ConfigSchema []ConfigField `json:"config_schema,omitempty"`
-	RuleSchema   *RuleSchema   `json:"rule_schema,omitempty"`
-}
-
-// Info 插件运行时信息
-type Info struct {
-	Metadata Metadata  `json:"metadata"`
-	Loaded   bool      `json:"loaded"`
-	Enabled  bool      `json:"enabled"`
-	LoadedAt time.Time `json:"loaded_at,omitempty"`
-	Error    string    `json:"error,omitempty"`
-}
-
-// =============================================================================
-// 核心接口
-// =============================================================================
-
-// Dialer 网络拨号接口
-type Dialer interface {
-	Dial(network, address string) (net.Conn, error)
-}
-
-// ClientPlugin 客户端插件接口
-// 运行在客户端，提供本地服务
-type ClientPlugin interface {
-	Metadata() Metadata
-	Init(config map[string]string) error
-	Start() (localAddr string, err error)
-	HandleConn(conn net.Conn) error
-	Stop() error
-}
--- a/pkg/protocol/message.go
+++ b/pkg/protocol/message.go
@@ -26,34 +26,11 @@ const (
 	MsgTypeProxyConnect uint8 = 9  // 代理连接请求 (SOCKS5/HTTP)
 	MsgTypeProxyResult  uint8 = 10 // 代理连接结果

-	// Plugin 相关消息
-	MsgTypePluginList     uint8 = 20 // 请求/响应可用 plugins
-	MsgTypePluginDownload uint8 = 21 // 请求下载 plugin
-	MsgTypePluginData     uint8 = 22 // Plugin 二进制数据（分块）
-	MsgTypePluginReady    uint8 = 23 // Plugin 加载确认
-
 	// UDP 相关消息
 	MsgTypeUDPData uint8 = 30 // UDP 数据包

-	// 插件安装消息
-	MsgTypeInstallPlugins uint8 = 24 // 服务端推送安装插件列表
-	MsgTypePluginConfig   uint8 = 25 // 插件配置同步
-
-	// 客户端插件消息
-	MsgTypeClientPluginStart     uint8 = 40 // 启动客户端插件
-	MsgTypeClientPluginStop      uint8 = 41 // 停止客户端插件
-	MsgTypeClientPluginStatus    uint8 = 42 // 客户端插件状态
-	MsgTypeClientPluginConn      uint8 = 43 // 客户端插件连接请求
-	MsgTypePluginStatusQuery     uint8 = 44 // 查询所有插件状态
-	MsgTypePluginStatusQueryResp uint8 = 45 // 插件状态查询响应
-
-	// JS 插件动态安装
-	MsgTypeJSPluginInstall uint8 = 50 // 安装 JS 插件
-	MsgTypeJSPluginResult  uint8 = 51 // 安装结果
-
 	// 客户端控制消息
 	MsgTypeClientRestart uint8 = 60 // 重启客户端
-	MsgTypePluginConfigUpdate uint8 = 61 // 更新插件配置

 	// 更新相关消息
 	MsgTypeUpdateCheck    uint8 = 70 // 检查更新请求
@@ -68,13 +45,17 @@ const (
 	MsgTypeLogData    uint8 = 81 // 日志数据
 	MsgTypeLogStop    uint8 = 82 // 停止日志流

-	// 插件 API 路由消息
-	MsgTypePluginAPIRequest  uint8 = 90 // 插件 API 请求
-	MsgTypePluginAPIResponse uint8 = 91 // 插件 API 响应
-
 	// 系统状态消息
 	MsgTypeSystemStatsRequest  uint8 = 100 // 请求系统状态
 	MsgTypeSystemStatsResponse uint8 = 101 // 系统状态响应
+
+	// 截图消息
+	MsgTypeScreenshotRequest  uint8 = 102 // 请求截图
+	MsgTypeScreenshotResponse uint8 = 103 // 截图响应
+
+	// Shell 执行消息
+	MsgTypeShellExecuteRequest  uint8 = 104 // 执行 Shell 命令
+	MsgTypeShellExecuteResponse uint8 = 105 // Shell 执行结果
 )

 // Message 基础消息结构
@@ -87,6 +68,7 @@ type Message struct {
 type AuthRequest struct {
 	ClientID string `json:"client_id"`
 	Token    string `json:"token"`
+	Name     string `json:"name,omitempty"`    // 客户端名称（主机名）
 	OS       string `json:"os,omitempty"`      // 客户端操作系统
 	Arch     string `json:"arch,omitempty"`    // 客户端架构
 	Version  string `json:"version,omitempty"` // 客户端版本
@@ -102,22 +84,17 @@ type AuthResponse struct {
 // ProxyRule 代理规则
 type ProxyRule struct {
 	Name       string `json:"name" yaml:"name"`
-	Type       string `json:"type" yaml:"type"`                 // 内置: tcp, udp, http, https, websocket; 插件: socks5 等
+	Type       string `json:"type" yaml:"type"`                 // tcp, udp, http, https, socks5
 	LocalIP    string `json:"local_ip" yaml:"local_ip"`         // tcp/udp 模式使用
 	LocalPort  int    `json:"local_port" yaml:"local_port"`     // tcp/udp 模式使用
 	RemotePort int    `json:"remote_port" yaml:"remote_port"`   // 服务端监听端口
 	Enabled    *bool  `json:"enabled,omitempty" yaml:"enabled"` // 是否启用，默认为 true
-	// Plugin 支持字段
-	PluginID      string            `json:"plugin_id,omitempty" yaml:"plugin_id"` // 插件实例ID
-	PluginName    string            `json:"plugin_name,omitempty" yaml:"plugin_name"`
-	PluginVersion string            `json:"plugin_version,omitempty" yaml:"plugin_version"`
-	PluginConfig  map[string]string `json:"plugin_config,omitempty" yaml:"plugin_config"`
-	// HTTP Basic Auth 字段 (用于独立端口模式)
+	// HTTP Basic Auth 字段
 	AuthEnabled  bool   `json:"auth_enabled,omitempty" yaml:"auth_enabled"`
 	AuthUsername string `json:"auth_username,omitempty" yaml:"auth_username"`
 	AuthPassword string `json:"auth_password,omitempty" yaml:"auth_password"`
-	// 插件管理标记 - 由插件自动创建的规则，不允许手动编辑/删除
-	PluginManaged bool `json:"plugin_managed,omitempty" yaml:"plugin_managed"`
+	// 端口状态: "listening", "failed: <error message>", ""
+	PortStatus string `json:"port_status,omitempty" yaml:"-"`
 }

 // IsEnabled 检查规则是否启用，默认为 true
@@ -155,60 +132,6 @@ type ProxyConnectResult struct {
 	Message string `json:"message,omitempty"`
 }

-// PluginMetadata Plugin 元数据（协议层）
-type PluginMetadata struct {
-	Name        string `json:"name"`
-	Version     string `json:"version"`
-	Checksum    string `json:"checksum"`
-	Size        int64  `json:"size"`
-	Description string `json:"description,omitempty"`
-}
-
-// PluginListRequest 请求可用 plugins
-type PluginListRequest struct {
-	ClientVersion string `json:"client_version"`
-}
-
-// PluginListResponse 返回可用 plugins
-type PluginListResponse struct {
-	Plugins []PluginMetadata `json:"plugins"`
-}
-
-// PluginDownloadRequest 请求下载 plugin
-type PluginDownloadRequest struct {
-	Name    string `json:"name"`
-	Version string `json:"version"`
-}
-
-// PluginDataChunk Plugin 二进制数据块
-type PluginDataChunk struct {
-	Name        string `json:"name"`
-	Version     string `json:"version"`
-	ChunkIndex  int    `json:"chunk_index"`
-	TotalChunks int    `json:"total_chunks"`
-	Data        []byte `json:"data"`
-	Checksum    string `json:"checksum,omitempty"`
-}
-
-// PluginReadyNotification Plugin 加载确认
-type PluginReadyNotification struct {
-	Name    string `json:"name"`
-	Version string `json:"version"`
-	Success bool   `json:"success"`
-	Error   string `json:"error,omitempty"`
-}
-
-// InstallPluginsRequest 安装插件请求
-type InstallPluginsRequest struct {
-	Plugins []string `json:"plugins"` // 要安装的插件名称列表
-}
-
-// PluginConfigSync 插件配置同步
-type PluginConfigSync struct {
-	PluginName string            `json:"plugin_name"` // 插件名称
-	Config     map[string]string `json:"config"`      // 配置内容
-}
-
 // UDPPacket UDP 数据包
 type UDPPacket struct {
 	RemotePort int    `json:"remote_port"` // 服务端监听端口
@@ -216,67 +139,6 @@ type UDPPacket struct {
 	Data       []byte `json:"data"`        // UDP 数据
 }

-// ClientPluginStartRequest 启动客户端插件请求
-type ClientPluginStartRequest struct {
-	PluginName string            `json:"plugin_name"` // 插件名称
-	RuleName   string            `json:"rule_name"`   // 规则名称
-	RemotePort int               `json:"remote_port"` // 服务端监听端口
-	Config     map[string]string `json:"config"`      // 插件配置
-}
-
-// ClientPluginStopRequest 停止客户端插件请求
-type ClientPluginStopRequest struct {
-	PluginID   string `json:"plugin_id,omitempty"` // 插件ID（优先使用）
-	PluginName string `json:"plugin_name"`         // 插件名称
-	RuleName   string `json:"rule_name"`           // 规则名称
-}
-
-// ClientPluginStatusResponse 客户端插件状态响应
-type ClientPluginStatusResponse struct {
-	PluginName string `json:"plugin_name"` // 插件名称
-	RuleName   string `json:"rule_name"`   // 规则名称
-	Running    bool   `json:"running"`     // 是否运行中
-	LocalAddr  string `json:"local_addr"`  // 本地监听地址
-	Error      string `json:"error"`       // 错误信息
-}
-
-// ClientPluginConnRequest 客户端插件连接请求
-type ClientPluginConnRequest struct {
-	PluginID   string `json:"plugin_id,omitempty"` // 插件ID（优先使用）
-	PluginName string `json:"plugin_name"`         // 插件名称
-	RuleName   string `json:"rule_name"`           // 规则名称
-}
-
-// PluginStatusEntry 单个插件状态
-type PluginStatusEntry struct {
-	PluginName string `json:"plugin_name"` // 插件名称
-	Running    bool   `json:"running"`     // 是否运行中
-}
-
-// PluginStatusQueryResponse 插件状态查询响应
-type PluginStatusQueryResponse struct {
-	Plugins []PluginStatusEntry `json:"plugins"` // 所有插件状态
-}
-
-// JSPluginInstallRequest JS 插件安装请求
-type JSPluginInstallRequest struct {
-	PluginID   string            `json:"plugin_id"`   // 插件实例唯一 ID
-	PluginName string            `json:"plugin_name"` // 插件名称
-	Source     string            `json:"source"`      // JS 源码
-	Signature  string            `json:"signature"`   // 官方签名 (Base64)
-	RuleName   string            `json:"rule_name"`   // 规则名称
-	RemotePort int               `json:"remote_port"` // 服务端监听端口
-	Config     map[string]string `json:"config"`      // 插件配置
-	AutoStart  bool              `json:"auto_start"`  // 是否自动启动
-}
-
-// JSPluginInstallResult JS 插件安装结果
-type JSPluginInstallResult struct {
-	PluginName string `json:"plugin_name"`
-	Success    bool   `json:"success"`
-	Error      string `json:"error,omitempty"`
-}
-
 // ClientRestartRequest 客户端重启请求
 type ClientRestartRequest struct {
 	Reason string `json:"reason,omitempty"` // 重启原因
@@ -288,23 +150,6 @@ type ClientRestartResponse struct {
 	Message string `json:"message,omitempty"`
 }

-// PluginConfigUpdateRequest 插件配置更新请求
-type PluginConfigUpdateRequest struct {
-	PluginID   string            `json:"plugin_id,omitempty"` // 插件ID（优先使用）
-	PluginName string            `json:"plugin_name"`         // 插件名称
-	RuleName   string            `json:"rule_name"`           // 规则名称
-	Config     map[string]string `json:"config"`              // 新配置
-	Restart    bool              `json:"restart"`             // 是否重启插件
-}
-
-// PluginConfigUpdateResponse 插件配置更新响应
-type PluginConfigUpdateResponse struct {
-	PluginName string `json:"plugin_name"`
-	RuleName   string `json:"rule_name"`
-	Success    bool   `json:"success"`
-	Error      string `json:"error,omitempty"`
-}
-
 // UpdateCheckRequest 更新检查请求
 type UpdateCheckRequest struct {
 	Component string `json:"component"` // "server" 或 "client"
@@ -358,7 +203,7 @@ type LogEntry struct {
 	Timestamp int64  `json:"ts"`    // Unix 时间戳 (毫秒)
 	Level     string `json:"level"` // 日志级别: debug, info, warn, error
 	Message   string `json:"msg"`   // 日志消息
-	Source    string `json:"src"`   // 来源: client, plugin:<name>
+	Source    string `json:"src"`   // 来源: client
 }

 // LogData 日志数据
@@ -373,25 +218,6 @@ type LogStopRequest struct {
 	SessionID string `json:"session_id"` // 会话 ID
 }

-// PluginAPIRequest 插件 API 请求
-type PluginAPIRequest struct {
-	PluginID   string            `json:"plugin_id"`   // 插件实例唯一 ID
-	PluginName string            `json:"plugin_name"` // 插件名称 (向后兼容)
-	Method     string            `json:"method"`      // HTTP 方法: GET, POST, PUT, DELETE
-	Path       string            `json:"path"`        // 路由路径
-	Query      string            `json:"query"`       // 查询参数
-	Headers    map[string]string `json:"headers"`     // 请求头
-	Body       string            `json:"body"`        // 请求体
-}
-
-// PluginAPIResponse 插件 API 响应
-type PluginAPIResponse struct {
-	Status  int               `json:"status"`  // HTTP 状态码
-	Headers map[string]string `json:"headers"` // 响应头
-	Body    string            `json:"body"`    // 响应体
-	Error   string            `json:"error"`   // 错误信息
-}
-
 // WriteMessage 写入消息到 writer
 func WriteMessage(w io.Writer, msg *Message) error {
 	header := make([]byte, HeaderSize)
@@ -460,3 +286,30 @@ type SystemStatsResponse struct {
 	DiskUsed    uint64  `json:"disk_used"`    // 已用磁盘 (字节)
 	DiskUsage   float64 `json:"disk_usage"`   // 磁盘使用率 (0-100)
 }
+
+// ScreenshotRequest 截图请求
+type ScreenshotRequest struct {
+	Quality int `json:"quality"` // JPEG 质量 1-100, 0 使用默认值
+}
+
+// ScreenshotResponse 截图响应
+type ScreenshotResponse struct {
+	Data      string `json:"data"`            // Base64 编码的 JPEG 图片
+	Width     int    `json:"width"`           // 图片宽度
+	Height    int    `json:"height"`          // 图片高度
+	Timestamp int64  `json:"timestamp"`       // 截图时间戳
+	Error     string `json:"error,omitempty"` // 错误信息
+}
+
+// ShellExecuteRequest Shell 执行请求
+type ShellExecuteRequest struct {
+	Command string `json:"command"` // 要执行的命令
+	Timeout int    `json:"timeout"` // 超时秒数, 0 使用默认值 (30秒)
+}
+
+// ShellExecuteResponse Shell 执行响应
+type ShellExecuteResponse struct {
+	Output   string `json:"output"`          // stdout + stderr 组合输出
+	ExitCode int    `json:"exit_code"`       // 进程退出码
+	Error    string `json:"error,omitempty"` // 错误信息
+}
--- a/pkg/proxy/http.go
+++ b/pkg/proxy/http.go
@@ -2,20 +2,27 @@ package proxy

 import (
 	"bufio"
+	"encoding/base64"
+	"errors"
 	"io"
 	"net"
 	"net/http"
 	"strings"
+
+	"github.com/gotunnel/pkg/relay"
 )

 // HTTPServer HTTP 代理服务
 type HTTPServer struct {
 	dialer   Dialer
+	onStats  func(in, out int64) // 流量统计回调
+	username string
+	password string
 }

 // NewHTTPServer 创建 HTTP 代理服务
-func NewHTTPServer(dialer Dialer) *HTTPServer {
-	return &HTTPServer{dialer: dialer}
+func NewHTTPServer(dialer Dialer, onStats func(in, out int64), username, password string) *HTTPServer {
+	return &HTTPServer{dialer: dialer, onStats: onStats, username: username, password: password}
 }

 // HandleConn 处理 HTTP 代理连接
@@ -28,12 +35,45 @@ func (h *HTTPServer) HandleConn(conn net.Conn) error {
 		return err
 	}

+	// 检查认证
+	if h.username != "" && h.password != "" {
+		if !h.checkAuth(req) {
+			conn.Write([]byte("HTTP/1.1 407 Proxy Authentication Required\r\nProxy-Authenticate: Basic realm=\"proxy\"\r\n\r\n"))
+			return errors.New("authentication required")
+		}
+	}
+
 	if req.Method == http.MethodConnect {
 		return h.handleConnect(conn, req)
 	}
 	return h.handleHTTP(conn, req, reader)
 }

+// checkAuth 检查 Proxy-Authorization 头
+func (h *HTTPServer) checkAuth(req *http.Request) bool {
+	auth := req.Header.Get("Proxy-Authorization")
+	if auth == "" {
+		return false
+	}
+
+	const prefix = "Basic "
+	if !strings.HasPrefix(auth, prefix) {
+		return false
+	}
+
+	decoded, err := base64.StdEncoding.DecodeString(auth[len(prefix):])
+	if err != nil {
+		return false
+	}
+
+	credentials := strings.SplitN(string(decoded), ":", 2)
+	if len(credentials) != 2 {
+		return false
+	}
+
+	return credentials[0] == h.username && credentials[1] == h.password
+}
+
 // handleConnect 处理 CONNECT 方法 (HTTPS)
 func (h *HTTPServer) handleConnect(conn net.Conn, req *http.Request) error {
 	target := req.Host
@@ -50,8 +90,8 @@ func (h *HTTPServer) handleConnect(conn net.Conn, req *http.Request) error {

 	conn.Write([]byte("HTTP/1.1 200 Connection Established\r\n\r\n"))

-	go io.Copy(remote, conn)
-	io.Copy(conn, remote)
+	// 双向转发 (带流量统计)
+	relay.RelayWithStats(conn, remote, h.onStats)
 	return nil
 }

@@ -82,7 +122,10 @@ func (h *HTTPServer) handleHTTP(conn net.Conn, req *http.Request, reader *bufio.
 		return err
 	}

-	// 转发响应
-	_, err = io.Copy(conn, remote)
+	// 转发响应 (带流量统计)
+	n, err := io.Copy(conn, remote)
+	if h.onStats != nil && n > 0 {
+		h.onStats(0, n) // 响应数据为出站流量
+	}
 	return err
 }
--- a/pkg/proxy/server.go
+++ b/pkg/proxy/server.go
@@ -14,10 +14,10 @@ type Server struct {
 }

 // NewServer 创建代理服务器
-func NewServer(typ string, dialer Dialer) *Server {
+func NewServer(typ string, dialer Dialer, onStats func(in, out int64), username, password string) *Server {
 	return &Server{
-		socks5: NewSOCKS5Server(dialer),
-		http:   NewHTTPServer(dialer),
+		socks5: NewSOCKS5Server(dialer, onStats, username, password),
+		http:   NewHTTPServer(dialer, onStats, username, password),
 		typ:    typ,
 	}
 }
--- a/pkg/proxy/socks5.go
+++ b/pkg/proxy/socks5.go
@@ -6,11 +6,14 @@ import (
 	"fmt"
 	"io"
 	"net"
+
+	"github.com/gotunnel/pkg/relay"
 )

 const (
 	socks5Version = 0x05
 	noAuth        = 0x00
+	userPassAuth  = 0x02
 	cmdConnect    = 0x01
 	atypIPv4      = 0x01
 	atypDomain    = 0x03
@@ -20,6 +23,9 @@ const (
 // SOCKS5Server SOCKS5 代理服务
 type SOCKS5Server struct {
 	dialer   Dialer
+	onStats  func(in, out int64) // 流量统计回调
+	username string
+	password string
 }

 // Dialer 连接拨号器接口
@@ -28,8 +34,8 @@ type Dialer interface {
 }

 // NewSOCKS5Server 创建 SOCKS5 服务
-func NewSOCKS5Server(dialer Dialer) *SOCKS5Server {
-	return &SOCKS5Server{dialer: dialer}
+func NewSOCKS5Server(dialer Dialer, onStats func(in, out int64), username, password string) *SOCKS5Server {
+	return &SOCKS5Server{dialer: dialer, onStats: onStats, username: username, password: password}
 }

 // HandleConn 处理 SOCKS5 连接
@@ -60,9 +66,8 @@ func (s *SOCKS5Server) HandleConn(conn net.Conn) error {
 		return err
 	}

-	// 双向转发
-	go io.Copy(remote, conn)
-	io.Copy(conn, remote)
+	// 双向转发 (带流量统计)
+	relay.RelayWithStats(conn, remote, s.onStats)

 	return nil
 }
@@ -83,11 +88,54 @@ func (s *SOCKS5Server) handshake(conn net.Conn) error {
 		return err
 	}

-	// 响应：使用无认证
+	// 如果配置了用户名密码，要求认证
+	if s.username != "" && s.password != "" {
+		_, err := conn.Write([]byte{socks5Version, userPassAuth})
+		if err != nil {
+			return err
+		}
+		return s.authenticate(conn)
+	}
+
+	// 无认证
 	_, err := conn.Write([]byte{socks5Version, noAuth})
 	return err
 }

+// authenticate 处理用户名密码认证
+func (s *SOCKS5Server) authenticate(conn net.Conn) error {
+	buf := make([]byte, 2)
+	if _, err := io.ReadFull(conn, buf); err != nil {
+		return err
+	}
+	if buf[0] != 0x01 {
+		return errors.New("unsupported auth version")
+	}
+
+	ulen := int(buf[1])
+	username := make([]byte, ulen)
+	if _, err := io.ReadFull(conn, username); err != nil {
+		return err
+	}
+
+	plen := make([]byte, 1)
+	if _, err := io.ReadFull(conn, plen); err != nil {
+		return err
+	}
+	password := make([]byte, plen[0])
+	if _, err := io.ReadFull(conn, password); err != nil {
+		return err
+	}
+
+	if string(username) == s.username && string(password) == s.password {
+		conn.Write([]byte{0x01, 0x00}) // 认证成功
+		return nil
+	}
+
+	conn.Write([]byte{0x01, 0x01}) // 认证失败
+	return errors.New("authentication failed")
+}
+
 // readRequest 读取请求
 func (s *SOCKS5Server) readRequest(conn net.Conn) (string, error) {
 	buf := make([]byte, 4)
--- a/pkg/utils/screenshot.go
+++ b/pkg/utils/screenshot.go
@@ -0,0 +1,98 @@
+package utils
+
+import (
+	"bytes"
+	"fmt"
+	"image"
+	"image/jpeg"
+
+	"github.com/kbinani/screenshot"
+)
+
+// CaptureScreenshot 捕获主屏幕截图
+// quality: JPEG 质量 (1-100), 0 使用默认值 (75)
+// 返回: JPEG 图片数据, 宽度, 高度, 错误
+func CaptureScreenshot(quality int) ([]byte, int, int, error) {
+	// 默认质量
+	if quality <= 0 || quality > 100 {
+		quality = 75
+	}
+
+	// 获取活动显示器数量
+	n := screenshot.NumActiveDisplays()
+	if n == 0 {
+		return nil, 0, 0, fmt.Errorf("no active display found")
+	}
+
+	// 获取主显示器边界
+	bounds := screenshot.GetDisplayBounds(0)
+	if bounds.Empty() {
+		return nil, 0, 0, fmt.Errorf("failed to get display bounds")
+	}
+
+	// 捕获屏幕
+	img, err := screenshot.CaptureRect(bounds)
+	if err != nil {
+		return nil, 0, 0, fmt.Errorf("capture screen: %w", err)
+	}
+
+	// 编码为 JPEG
+	var buf bytes.Buffer
+	opts := &jpeg.Options{Quality: quality}
+	if err := jpeg.Encode(&buf, img, opts); err != nil {
+		return nil, 0, 0, fmt.Errorf("encode jpeg: %w", err)
+	}
+
+	return buf.Bytes(), bounds.Dx(), bounds.Dy(), nil
+}
+
+// CaptureAllScreens 捕获所有屏幕并拼接
+// quality: JPEG 质量 (1-100), 0 使用默认值 (75)
+// 返回: JPEG 图片数据, 宽度, 高度, 错误
+func CaptureAllScreens(quality int) ([]byte, int, int, error) {
+	// 默认质量
+	if quality <= 0 || quality > 100 {
+		quality = 75
+	}
+
+	// 获取活动显示器数量
+	n := screenshot.NumActiveDisplays()
+	if n == 0 {
+		return nil, 0, 0, fmt.Errorf("no active display found")
+	}
+
+	// 计算所有屏幕的总边界
+	var totalBounds image.Rectangle
+	for i := 0; i < n; i++ {
+		bounds := screenshot.GetDisplayBounds(i)
+		totalBounds = totalBounds.Union(bounds)
+	}
+
+	// 创建总画布
+	totalImg := image.NewRGBA(totalBounds)
+
+	// 捕获每个屏幕并绘制到总画布
+	for i := 0; i < n; i++ {
+		bounds := screenshot.GetDisplayBounds(i)
+		img, err := screenshot.CaptureRect(bounds)
+		if err != nil {
+			continue // 跳过失败的屏幕
+		}
+
+		// 绘制到总画布
+		for y := bounds.Min.Y; y < bounds.Max.Y; y++ {
+			for x := bounds.Min.X; x < bounds.Max.X; x++ {
+				totalImg.Set(x, y, img.At(x-bounds.Min.X, y-bounds.Min.Y))
+			}
+		}
+	}
+
+	// 编码为 JPEG
+	var buf bytes.Buffer
+	opts := &jpeg.Options{Quality: quality}
+	if err := jpeg.Encode(&buf, totalImg, opts); err != nil {
+		return nil, 0, 0, fmt.Errorf("encode jpeg: %w", err)
+	}
+
+	return buf.Bytes(), totalBounds.Dx(), totalBounds.Dy(), nil
+}
--- a/test_config.yaml
+++ b/test_config.yaml
@@ -1,3 +0,0 @@
-server: "127.0.0.1:7000"
-token: "testtoken"
-id: "testclient"
--- a/web/package-lock.json
+++ b/web/package-lock.json
@@ -1217,7 +1217,6 @@
      "integrity": "sha512-ne4A0IpG3+2ETuREInjPNhUGis1SFjv1d5asp8MzEAGtOZeTeHVDOYqOgqfhvseqg/iXty2hjBf1zAOb7RNiNw==",
      "dev": true,
      "license": "MIT",
-      "peer": true,
      "dependencies": {
        "undici-types": "~7.16.0"
      }
@@ -1518,7 +1517,6 @@
        }
      ],
      "license": "MIT",
-      "peer": true,
      "dependencies": {
        "baseline-browser-mapping": "^2.9.0",
        "caniuse-lite": "^1.0.30001759",
@@ -2296,7 +2294,6 @@
      "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
      "dev": true,
      "license": "MIT",
-      "peer": true,
      "engines": {
        "node": ">=12"
      },
@@ -2323,7 +2320,6 @@
        }
      ],
      "license": "MIT",
-      "peer": true,
      "dependencies": {
        "nanoid": "^3.3.11",
        "picocolors": "^1.1.1",
@@ -2444,7 +2440,6 @@
      "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
      "devOptional": true,
      "license": "Apache-2.0",
-      "peer": true,
      "bin": {
        "tsc": "bin/tsc",
        "tsserver": "bin/tsserver"
@@ -2497,7 +2492,6 @@
      "integrity": "sha512-w+N7Hifpc3gRjZ63vYBXA56dvvRlNWRczTdmCBBa+CotUzAPf5b7YMdMR/8CQoeYE5LX3W4wj6RYTgonm1b9DA==",
      "dev": true,
      "license": "MIT",
-      "peer": true,
      "dependencies": {
        "esbuild": "^0.27.0",
        "fdir": "^6.5.0",
@@ -2579,7 +2573,6 @@
      "resolved": "https://registry.npmjs.org/vue/-/vue-3.5.27.tgz",
      "integrity": "sha512-aJ/UtoEyFySPBGarREmN4z6qNKpbEguYHMmXSiOGk69czc+zhs0NF6tEFrY8TZKAl8N/LYAkd4JHVd5E/AsSmw==",
      "license": "MIT",
-      "peer": true,
      "dependencies": {
        "@vue/compiler-dom": "3.5.27",
        "@vue/compiler-sfc": "3.5.27",
--- a/web/src/App.vue
+++ b/web/src/App.vue
--- a/web/src/api/index.ts
+++ b/web/src/api/index.ts
@@ -1,5 +1,5 @@
 import { get, post, put, del, getToken } from '../config/axios'
-import type { ClientConfig, ClientStatus, ClientDetail, ServerStatus, PluginInfo, StorePluginInfo, PluginConfigResponse, JSPlugin, RuleSchemasMap, LogEntry, LogStreamOptions, ConfigField } from '../types'
+import type { ClientConfig, ClientStatus, ClientDetail, ServerStatus, LogEntry, LogStreamOptions, InstallCommandResponse } from '../types'

 // 重新导出 token 管理方法
 export { getToken, setToken, removeToken } from '../config/axios'
@@ -24,91 +24,6 @@ export const reloadConfig = () => post('/config/reload')
 export const pushConfigToClient = (id: string) => post(`/client/${id}/push`)
 export const disconnectClient = (id: string) => post(`/client/${id}/disconnect`)
 export const restartClient = (id: string) => post(`/client/${id}/restart`)
-export const installPluginsToClient = (id: string, plugins: string[]) =>
-  post(`/client/${id}/install-plugins`, { plugins })
-
-// 规则配置模式
-export const getRuleSchemas = () => get<RuleSchemasMap>('/rule-schemas')
-
-// 客户端插件控制（使用 pluginID）
-export const startClientPlugin = (clientId: string, pluginId: string, ruleName: string) =>
-  post(`/client/${clientId}/plugin/${pluginId}/start`, { rule_name: ruleName })
-export const stopClientPlugin = (clientId: string, pluginId: string, ruleName: string) =>
-  post(`/client/${clientId}/plugin/${pluginId}/stop`, { rule_name: ruleName })
-export const restartClientPlugin = (clientId: string, pluginId: string, ruleName: string) =>
-  post(`/client/${clientId}/plugin/${pluginId}/restart`, { rule_name: ruleName })
-export const deleteClientPlugin = (clientId: string, pluginId: string) =>
-  post(`/client/${clientId}/plugin/${pluginId}/delete`)
-export const updateClientPluginConfigWithRestart = (clientId: string, pluginId: string, ruleName: string, config: Record<string, string>, restart: boolean) =>
-  post(`/client/${clientId}/plugin/${pluginId}/config`, { rule_name: ruleName, config, restart })
-
-// 插件管理
-export const getPlugins = () => get<PluginInfo[]>('/plugins')
-export const enablePlugin = (name: string) => post(`/plugin/${name}/enable`)
-export const disablePlugin = (name: string) => post(`/plugin/${name}/disable`)
-
-// 扩展商店
-export const getStorePlugins = () => get<{ plugins: StorePluginInfo[] }>('/store/plugins')
-export const installStorePlugin = (
-  pluginName: string,
-  downloadUrl: string,
-  signatureUrl: string,
-  clientId: string,
-  remotePort?: number,
-  version?: string,
-  configSchema?: ConfigField[],
-  authEnabled?: boolean,
-  authUsername?: string,
-  authPassword?: string
-) =>
-  post('/store/install', {
-    plugin_name: pluginName,
-    version: version || '',
-    download_url: downloadUrl,
-    signature_url: signatureUrl,
-    client_id: clientId,
-    remote_port: remotePort || 0,
-    config_schema: configSchema || [],
-    auth_enabled: authEnabled || false,
-    auth_username: authUsername || '',
-    auth_password: authPassword || ''
-  })
-
-// 客户端插件配置
-export const getClientPluginConfig = (clientId: string, pluginName: string) =>
-  get<PluginConfigResponse>(`/client-plugin/${clientId}/${pluginName}/config`)
-export const updateClientPluginConfig = (clientId: string, pluginName: string, config: Record<string, string>) =>
-  put(`/client-plugin/${clientId}/${pluginName}/config`, { config })
-
-// JS 插件管理
-export const getJSPlugins = () => get<JSPlugin[]>('/js-plugins')
-export const createJSPlugin = (plugin: JSPlugin) => post('/js-plugins', plugin)
-export const getJSPlugin = (name: string) => get<JSPlugin>(`/js-plugin/${name}`)
-export const updateJSPlugin = (name: string, plugin: JSPlugin) => put(`/js-plugin/${name}`, plugin)
-export const deleteJSPlugin = (name: string) => del(`/js-plugin/${name}`)
-export const pushJSPluginToClient = (pluginName: string, clientId: string, remotePort?: number) =>
-  post(`/js-plugin/${pluginName}/push/${clientId}`, { remote_port: remotePort || 0 })
-export const updateJSPluginConfig = (name: string, config: Record<string, string>) =>
-  put(`/js-plugin/${name}/config`, { config })
-export const setJSPluginEnabled = (name: string, enabled: boolean) =>
-  post(`/js-plugin/${name}/${enabled ? 'enable' : 'disable'}`)
-
-// 插件 API 代理（通过 pluginID 调用插件自定义 API）
-export const callPluginAPI = <T = any>(clientId: string, pluginId: string, method: string, route: string, body?: any) => {
-  const path = `/client/${clientId}/plugin-api/${pluginId}${route.startsWith('/') ? route : '/' + route}`
-  switch (method.toUpperCase()) {
-    case 'GET':
-      return get<T>(path)
-    case 'POST':
-      return post<T>(path, body)
-    case 'PUT':
-      return put<T>(path, body)
-    case 'DELETE':
-      return del<T>(path)
-    default:
-      return get<T>(path)
-  }
-}

 // 更新管理
 export interface UpdateInfo {
@@ -209,6 +124,28 @@ export interface SystemStats {

 export const getClientSystemStats = (clientId: string) => get<SystemStats>(`/client/${clientId}/system-stats`)

+// 客户端截图
+export interface ScreenshotData {
+  data: string      // Base64 JPEG
+  width: number
+  height: number
+  timestamp: number
+  error?: string
+}
+
+export const getClientScreenshot = (clientId: string, quality?: number) =>
+  get<ScreenshotData>(`/client/${clientId}/screenshot${quality ? '?quality=' + quality : ''}`)
+
+// Shell 执行
+export interface ShellResult {
+  output: string
+  exit_code: number
+  error?: string
+}
+
+export const executeClientShell = (clientId: string, command: string, timeout?: number) =>
+  post<ShellResult>(`/client/${clientId}/shell`, { command, timeout: timeout || 30 })
+
 // 服务器配置
 export interface ServerConfigInfo {
  bind_addr: string
@@ -225,21 +162,19 @@ export interface WebConfigInfo {
  password: string
 }

-export interface PluginStoreConfigInfo {
-  url: string
-}
-
 export interface ServerConfigResponse {
  server: ServerConfigInfo
  web: WebConfigInfo
-  plugin_store: PluginStoreConfigInfo
 }

 export interface UpdateServerConfigRequest {
  server?: Partial<ServerConfigInfo>
  web?: Partial<WebConfigInfo>
-  plugin_store?: Partial<PluginStoreConfigInfo>
 }

 export const getServerConfig = () => get<ServerConfigResponse>('/config')
 export const updateServerConfig = (config: UpdateServerConfigRequest) => put('/config', config)
+
+// 安装命令生成
+export const generateInstallCommand = () =>
+  post<InstallCommandResponse>('/install/generate')
--- a/web/src/components/InlineLogPanel.vue
+++ b/web/src/components/InlineLogPanel.vue
@@ -134,9 +134,9 @@ onUnmounted(() => {

 <style scoped>
 .inline-log-panel {
-  background: rgba(0, 0, 0, 0.3);
+  background: var(--glass-bg);
  border-radius: 12px;
-  border: 1px solid rgba(255, 255, 255, 0.08);
+  border: 1px solid var(--color-border);
  overflow: hidden;
 }

@@ -145,8 +145,8 @@ onUnmounted(() => {
  justify-content: space-between;
  align-items: center;
  padding: 12px 16px;
-  border-bottom: 1px solid rgba(255, 255, 255, 0.08);
-  background: rgba(255, 255, 255, 0.03);
+  border-bottom: 1px solid var(--color-border);
+  background: var(--glass-bg-light);
 }

 .toolbar-left {
@@ -158,7 +158,7 @@ onUnmounted(() => {
 .log-title {
  font-size: 13px;
  font-weight: 600;
-  color: white;
+  color: var(--color-text-primary);
 }

 .streaming-badge {
@@ -166,8 +166,8 @@ onUnmounted(() => {
  align-items: center;
  gap: 6px;
  font-size: 11px;
-  color: #34d399;
-  background: rgba(52, 211, 153, 0.15);
+  color: var(--color-success);
+  background: rgba(16, 185, 129, 0.15);
  padding: 2px 8px;
  border-radius: 10px;
 }
@@ -176,7 +176,7 @@ onUnmounted(() => {
  width: 6px;
  height: 6px;
  border-radius: 50%;
-  background: #34d399;
+  background: var(--color-success);
  animation: pulse 1.5s ease-in-out infinite;
 }

@@ -192,11 +192,11 @@ onUnmounted(() => {
 }

 .tool-btn {
-  background: rgba(255, 255, 255, 0.1);
+  background: var(--color-border);
  border: none;
  border-radius: 6px;
  padding: 6px;
-  color: rgba(255, 255, 255, 0.7);
+  color: var(--color-text-secondary);
  cursor: pointer;
  transition: all 0.2s;
  display: flex;
@@ -205,8 +205,8 @@ onUnmounted(() => {
 }

 .tool-btn:hover {
-  background: rgba(255, 255, 255, 0.2);
-  color: white;
+  background: var(--color-bg-elevated);
+  color: var(--color-text-primary);
 }

 .tool-icon {
@@ -219,14 +219,14 @@ onUnmounted(() => {
  align-items: center;
  gap: 6px;
  font-size: 12px;
-  color: rgba(255, 255, 255, 0.6);
+  color: var(--color-text-secondary);
  cursor: pointer;
 }

 .auto-scroll-toggle input {
  width: 14px;
  height: 14px;
-  accent-color: #a78bfa;
+  accent-color: var(--color-accent);
 }

 .log-content {
@@ -235,6 +235,7 @@ onUnmounted(() => {
  font-family: 'Monaco', 'Menlo', 'Ubuntu Mono', monospace;
  font-size: 12px;
  line-height: 1.6;
+  background: var(--color-bg-elevated);
 }

 .log-loading,
@@ -243,7 +244,7 @@ onUnmounted(() => {
  align-items: center;
  justify-content: center;
  height: 100%;
-  color: rgba(255, 255, 255, 0.4);
+  color: var(--color-text-muted);
  font-size: 13px;
 }

@@ -259,7 +260,7 @@ onUnmounted(() => {
 }

 .log-time {
-  color: rgba(255, 255, 255, 0.4);
+  color: var(--color-text-muted);
  flex-shrink: 0;
 }

@@ -269,12 +270,12 @@ onUnmounted(() => {
 }

 .log-src {
-  color: rgba(255, 255, 255, 0.5);
+  color: var(--color-text-muted);
  flex-shrink: 0;
 }

 .log-msg {
-  color: rgba(255, 255, 255, 0.8);
+  color: var(--color-text-secondary);
  overflow: hidden;
  text-overflow: ellipsis;
 }
@@ -289,11 +290,11 @@ onUnmounted(() => {
 }

 .log-content::-webkit-scrollbar-thumb {
-  background: rgba(255, 255, 255, 0.2);
+  background: var(--color-border);
  border-radius: 3px;
 }

 .log-content::-webkit-scrollbar-thumb:hover {
-  background: rgba(255, 255, 255, 0.3);
+  background: var(--color-text-muted);
 }
 </style>
--- a/web/src/components/MetricCard.vue
+++ b/web/src/components/MetricCard.vue
@@ -0,0 +1,62 @@
+<script setup lang="ts">
+const props = defineProps<{
+  label: string
+  value: string | number
+  hint?: string
+  tone?: 'default' | 'success' | 'warning' | 'info'
+}>()
+
+const toneClass = props.tone || 'default'
+</script>
+
+<template>
+  <article class="metric-card" :class="`metric-card--${toneClass}`">
+    <span class="metric-card__label">{{ label }}</span>
+    <strong class="metric-card__value">{{ value }}</strong>
+    <span v-if="hint" class="metric-card__hint">{{ hint }}</span>
+  </article>
+</template>
+
+<style scoped>
+.metric-card {
+  display: flex;
+  flex-direction: column;
+  gap: 10px;
+  padding: 18px;
+  min-height: 128px;
+  border-radius: 20px;
+  background: var(--glass-bg-card);
+  border: 1px solid var(--color-border);
+  box-shadow: var(--shadow-card);
+}
+
+.metric-card__label {
+  font-size: 13px;
+  color: var(--color-text-secondary);
+}
+
+.metric-card__value {
+  font-size: clamp(26px, 4vw, 34px);
+  line-height: 1;
+  color: var(--color-text-primary);
+  letter-spacing: -0.04em;
+}
+
+.metric-card__hint {
+  margin-top: auto;
+  font-size: 13px;
+  color: var(--color-text-muted);
+}
+
+.metric-card--success {
+  border-color: rgba(16, 185, 129, 0.24);
+}
+
+.metric-card--warning {
+  border-color: rgba(245, 158, 11, 0.24);
+}
+
+.metric-card--info {
+  border-color: rgba(6, 182, 212, 0.24);
+}
+</style>
--- a/web/src/components/PageShell.vue
+++ b/web/src/components/PageShell.vue
@@ -0,0 +1,154 @@
+<script setup lang="ts">
+defineProps<{
+  title: string
+  subtitle?: string
+  eyebrow?: string
+}>()
+</script>
+
+<template>
+  <section class="page-shell">
+    <div class="page-shell__glow page-shell__glow--primary"></div>
+    <div class="page-shell__glow page-shell__glow--secondary"></div>
+
+    <header class="page-shell__header">
+      <div class="page-shell__heading">
+        <span v-if="eyebrow" class="page-shell__eyebrow">{{ eyebrow }}</span>
+        <h1>{{ title }}</h1>
+        <p v-if="subtitle">{{ subtitle }}</p>
+      </div>
+      <div v-if="$slots.actions" class="page-shell__actions">
+        <slot name="actions" />
+      </div>
+    </header>
+
+    <div v-if="$slots.metrics" class="page-shell__metrics">
+      <slot name="metrics" />
+    </div>
+
+    <div class="page-shell__content">
+      <slot />
+    </div>
+  </section>
+</template>
+
+<style scoped>
+.page-shell {
+  position: relative;
+  padding: 32px;
+  overflow: hidden;
+}
+
+.page-shell__glow {
+  position: absolute;
+  border-radius: 999px;
+  filter: blur(80px);
+  opacity: 0.18;
+  pointer-events: none;
+}
+
+.page-shell__glow--primary {
+  width: 320px;
+  height: 320px;
+  top: -120px;
+  right: -80px;
+  background: var(--color-accent);
+}
+
+.page-shell__glow--secondary {
+  width: 280px;
+  height: 280px;
+  bottom: -120px;
+  left: -40px;
+  background: #8b5cf6;
+}
+
+.page-shell__header,
+.page-shell__metrics,
+.page-shell__content {
+  position: relative;
+  z-index: 1;
+}
+
+.page-shell__header {
+  display: flex;
+  justify-content: space-between;
+  gap: 20px;
+  align-items: flex-start;
+  margin-bottom: 24px;
+}
+
+.page-shell__heading {
+  max-width: 720px;
+}
+
+.page-shell__eyebrow {
+  display: inline-flex;
+  align-items: center;
+  gap: 6px;
+  padding: 6px 10px;
+  margin-bottom: 12px;
+  border-radius: 999px;
+  background: rgba(59, 130, 246, 0.12);
+  border: 1px solid rgba(59, 130, 246, 0.18);
+  color: var(--color-accent);
+  font-size: 12px;
+  font-weight: 600;
+  letter-spacing: 0.04em;
+}
+
+.page-shell__heading h1 {
+  margin: 0;
+  font-size: clamp(28px, 4vw, 40px);
+  font-weight: 700;
+  letter-spacing: -0.03em;
+  color: var(--color-text-primary);
+}
+
+.page-shell__heading p {
+  margin: 10px 0 0;
+  max-width: 640px;
+  color: var(--color-text-secondary);
+  font-size: 15px;
+  line-height: 1.7;
+}
+
+.page-shell__actions {
+  display: flex;
+  flex-wrap: wrap;
+  justify-content: flex-end;
+  gap: 10px;
+}
+
+.page-shell__metrics {
+  display: grid;
+  gap: 16px;
+  grid-template-columns: repeat(auto-fit, minmax(180px, 1fr));
+  margin-bottom: 24px;
+}
+
+.page-shell__content {
+  display: flex;
+  flex-direction: column;
+  gap: 20px;
+}
+
+@media (max-width: 768px) {
+  .page-shell {
+    padding: 20px;
+  }
+
+  .page-shell__header {
+    flex-direction: column;
+  }
+
+  .page-shell__actions {
+    width: 100%;
+    justify-content: stretch;
+  }
+
+  .page-shell__actions :deep(*) {
+    flex: 1;
+  }
+}
+</style>
--- a/web/src/components/SectionCard.vue
+++ b/web/src/components/SectionCard.vue
@@ -0,0 +1,79 @@
+<script setup lang="ts">
+defineProps<{
+  title: string
+  description?: string
+}>()
+</script>
+
+<template>
+  <section class="section-card glass-card">
+    <header class="section-card__header">
+      <div>
+        <h2>{{ title }}</h2>
+        <p v-if="description">{{ description }}</p>
+      </div>
+      <div v-if="$slots.header" class="section-card__extra">
+        <slot name="header" />
+      </div>
+    </header>
+
+    <div class="section-card__body">
+      <slot />
+    </div>
+  </section>
+</template>
+
+<style scoped>
+.section-card {
+  padding: 22px;
+}
+
+.section-card__header {
+  display: flex;
+  justify-content: space-between;
+  align-items: flex-start;
+  gap: 16px;
+  margin-bottom: 18px;
+}
+
+.section-card__header h2 {
+  margin: 0;
+  font-size: 18px;
+  font-weight: 700;
+  color: var(--color-text-primary);
+}
+
+.section-card__header p {
+  margin: 8px 0 0;
+  font-size: 13px;
+  line-height: 1.6;
+  color: var(--color-text-secondary);
+}
+
+.section-card__extra {
+  display: flex;
+  gap: 8px;
+  align-items: center;
+  flex-wrap: wrap;
+}
+
+.section-card__body {
+  display: flex;
+  flex-direction: column;
+  gap: 16px;
+}
+
+@media (max-width: 768px) {
+  .section-card {
+    padding: 18px;
+  }
+
+  .section-card__header {
+    flex-direction: column;
+  }
+
+  .section-card__extra {
+    width: 100%;
+  }
+}
+</style>
--- a/web/src/types/index.ts
+++ b/web/src/types/index.ts
@@ -6,43 +6,6 @@ export interface ProxyRule {
  remote_port: number
  type?: string
  enabled?: boolean
-  plugin_config?: Record<string, string>
-  plugin_managed?: boolean // 插件管理标记 - 由插件自动创建的规则
-}
-
-// 客户端已安装的插件
-export interface ClientPlugin {
-  id: string           // 插件实例唯一 ID
-  name: string
-  version: string
-  enabled: boolean
-  running: boolean
-  config?: Record<string, string>
-  remote_port?: number // 远程监听端口
-}
-
-// 插件配置字段
-export interface ConfigField {
-  key: string
-  label: string
-  type: 'string' | 'number' | 'bool' | 'select' | 'password'
-  default?: string
-  required?: boolean
-  options?: string[]
-  description?: string
-}
-
-// 规则表单模式
-export interface RuleSchema {
-  needs_local_addr: boolean
-  extra_fields?: ConfigField[]
-}
-
-// 插件配置响应
-export interface PluginConfigResponse {
-  plugin_name: string
-  schema: ConfigField[]
-  config: Record<string, string>
 }

 // 客户端配置
@@ -50,7 +13,6 @@ export interface ClientConfig {
  id: string
  nickname?: string
  rules: ProxyRule[]
-  plugins?: ClientPlugin[]
 }

 // 客户端状态
@@ -70,7 +32,6 @@ export interface ClientDetail {
  id: string
  nickname?: string
  rules: ProxyRule[]
-  plugins?: ClientPlugin[]
  online: boolean
  last_ping?: string
  remote_addr?: string
@@ -88,64 +49,12 @@ export interface ServerStatus {
  client_count: number
 }

-// 插件类型
-export const PluginType = {
-  Proxy: 'proxy',
-  App: 'app',
-  Service: 'service',
-  Tool: 'tool'
-} as const
-
-export type PluginTypeValue = typeof PluginType[keyof typeof PluginType]
-
-// 插件信息
-export interface PluginInfo {
-  name: string
-  version: string
-  type: string
-  description: string
-  source: string
-  icon?: string
-  enabled: boolean
-  rule_schema?: RuleSchema
-}
-
-// 扩展商店插件信息
-export interface StorePluginInfo {
-  name: string
-  version: string
-  type: string
-  description: string
-  author: string
-  icon?: string
-  download_url?: string
-  signature_url?: string
-  config_schema?: ConfigField[]
-}
-
-// JS 插件信息
-export interface JSPlugin {
-  name: string
-  source: string
-  signature?: string
-  description: string
-  author: string
-  version?: string
-  auto_push: string[]
-  config: Record<string, string>
-  auto_start: boolean
-  enabled: boolean
-}
-
-// 规则配置模式集合
-export type RuleSchemasMap = Record<string, RuleSchema>
-
 // 日志条目
 export interface LogEntry {
  ts: number      // Unix 时间戳 (毫秒)
  level: string   // 日志级别: debug, info, warn, error
  msg: string     // 日志消息
-  src: string     // 来源: client, plugin:<name>
+  src: string     // 来源: client
 }

 // 日志流选项
@@ -154,3 +63,10 @@ export interface LogStreamOptions {
  follow?: boolean // 是否持续推送
  level?: string   // 日志级别过滤
 }
+
+// 安装命令响应
+export interface InstallCommandResponse {
+  token: string
+  expires_at: number
+  tunnel_port: number
+}
--- a/web/src/views/ClientView.vue
+++ b/web/src/views/ClientView.vue
--- a/web/src/views/ClientsView.vue
+++ b/web/src/views/ClientsView.vue
@@ -1,430 +1,317 @@
 <script setup lang="ts">
-import { ref, onMounted, computed } from 'vue'
+import { computed, onMounted, ref } from 'vue'
 import { useRouter } from 'vue-router'
-import { getClients } from '../api'
-import type { ClientStatus } from '../types'
+import GlassModal from '../components/GlassModal.vue'
+import MetricCard from '../components/MetricCard.vue'
+import PageShell from '../components/PageShell.vue'
+import SectionCard from '../components/SectionCard.vue'
+import { generateInstallCommand, getClients } from '../api'
+import { useToast } from '../composables/useToast'
+import type { ClientStatus, InstallCommandResponse } from '../types'

 const router = useRouter()
+const message = useToast()
 const clients = ref<ClientStatus[]>([])
 const loading = ref(true)
+const showInstallModal = ref(false)
+const installData = ref<InstallCommandResponse | null>(null)
+const generatingInstall = ref(false)
+const search = ref('')
+const installScriptUrl = 'https://raw.githubusercontent.com/gotunnel/gotunnel/main/scripts/install.sh'
+const installPs1Url = 'https://raw.githubusercontent.com/gotunnel/gotunnel/main/scripts/install.ps1'
+
+const quoteShellArg = (value: string) => `'${value.replace(/'/g, `'\"'\"'`)}'`
+
+const resolveTunnelHost = () => window.location.hostname || 'localhost'
+
+const formatServerAddr = (host: string, port: number) => {
+  const normalizedHost = host.includes(':') && !host.startsWith('[') ? `[${host}]` : host
+  return `${normalizedHost}:${port}`
+}
+
+const buildInstallCommands = (data: InstallCommandResponse) => {
+  const serverAddr = formatServerAddr(resolveTunnelHost(), data.tunnel_port)
+
+  return {
+    linux: `bash <(curl -fsSL ${installScriptUrl}) -s ${quoteShellArg(serverAddr)} -t ${quoteShellArg(data.token)}`,
+    macos: `bash <(curl -fsSL ${installScriptUrl}) -s ${quoteShellArg(serverAddr)} -t ${quoteShellArg(data.token)}`,
+    windows: `powershell -c \"irm ${installPs1Url} | iex; Install-GoTunnel -Server '${serverAddr}' -Token '${data.token}'\"`,
+  }
+}

 const loadClients = async () => {
  loading.value = true
  try {
    const { data } = await getClients()
    clients.value = data || []
-  } catch (e) {
-    console.error('Failed to load clients', e)
+  } catch (error) {
+    console.error('Failed to load clients', error)
+    message.error('客户端列表加载失败')
  } finally {
    loading.value = false
  }
 }

-const onlineClients = computed(() => clients.value.filter(c => c.online).length)
-
-const viewClient = (id: string) => {
-  router.push(`/client/${id}`)
+const openInstallModal = async () => {
+  generatingInstall.value = true
+  try {
+    const { data } = await generateInstallCommand()
+    installData.value = data
+    showInstallModal.value = true
+  } catch (error) {
+    console.error('Failed to generate install command', error)
+    message.error('安装命令生成失败')
+  } finally {
+    generatingInstall.value = false
+  }
 }

+const copyCommand = async (command: string) => {
+  try {
+    await navigator.clipboard.writeText(command)
+    message.success('命令已复制')
+  } catch (error) {
+    console.error('Failed to copy command', error)
+    message.error('复制失败，请手动复制')
+  }
+}
+
+const filteredClients = computed(() => {
+  const keyword = search.value.trim().toLowerCase()
+  if (!keyword) return clients.value
+  return clients.value.filter((client) => {
+    return [client.id, client.nickname, client.remote_addr, client.os, client.arch]
+      .filter(Boolean)
+      .some((value) => String(value).toLowerCase().includes(keyword))
+  })
+})
+
+const onlineClients = computed(() => clients.value.filter((client) => client.online).length)
+const offlineClients = computed(() => Math.max(clients.value.length - onlineClients.value, 0))
+const installCommands = computed(() => (installData.value ? buildInstallCommands(installData.value) : null))
+
 onMounted(loadClients)
 </script>

 <template>
-  <div class="clients-page">
-    <!-- Particles -->
-    <div class="particles">
-      <div class="particle particle-1"></div>
-      <div class="particle particle-2"></div>
-      <div class="particle particle-3"></div>
+  <PageShell title="客户端" eyebrow="Clients" subtitle="统一管理已注册节点、连接状态与快速安装命令，减少操作跳转。">
+    <template #actions>
+      <button class="glass-btn" :disabled="generatingInstall" @click="openInstallModal">
+        {{ generatingInstall ? '生成中...' : '安装命令' }}
+      </button>
+      <button class="glass-btn primary" @click="loadClients">{{ loading ? '刷新中...' : '刷新列表' }}</button>
+    </template>
+
+    <template #metrics>
+      <MetricCard label="客户端总数" :value="clients.length" hint="已接入的全部节点" />
+      <MetricCard label="在线节点" :value="onlineClients" hint="可立即推送配置" tone="success" />
+      <MetricCard label="离线节点" :value="offlineClients" hint="等待心跳恢复" tone="warning" />
+      <MetricCard label="当前筛选结果" :value="filteredClients.length" hint="支持 ID / 昵称 / 地址搜索" tone="info" />
+    </template>
+
+    <SectionCard title="节点列表" description="使用统一卡片样式展示连接信息，便于快速判断状态与进入详情页。">
+      <template #header>
+        <input v-model="search" class="glass-input search-input" type="search" placeholder="搜索 ID / 昵称 / 地址" />
+      </template>
+
+      <div v-if="loading" class="empty-state">正在加载客户端列表...</div>
+      <div v-else-if="filteredClients.length === 0" class="empty-state">未找到匹配的客户端。</div>
+      <div v-else class="client-grid">
+        <article v-for="client in filteredClients" :key="client.id" class="client-card" @click="router.push(`/client/${client.id}`)">
+          <div class="client-card__header">
+            <div>
+              <div class="client-card__title">
+                <span class="status-dot" :class="{ online: client.online }"></span>
+                <strong>{{ client.nickname || client.id }}</strong>
+              </div>
+              <p>{{ client.nickname ? client.id : client.remote_addr || '等待首次连接' }}</p>
+            </div>
+            <span class="state-pill" :class="client.online ? 'online' : 'offline'">{{ client.online ? '在线' : '离线' }}</span>
          </div>

-    <div class="clients-content">
-      <!-- Header -->
-      <div class="page-header">
-        <h1 class="page-title">客户端管理</h1>
-        <p class="page-subtitle">管理所有连接的客户端</p>
+          <dl class="client-card__meta">
+            <div>
+              <dt>地址</dt>
+              <dd>{{ client.remote_addr || '未上报' }}</dd>
            </div>
+            <div>
+              <dt>规则数</dt>
+              <dd>{{ client.rule_count || 0 }}</dd>
+            </div>
+            <div>
+              <dt>平台</dt>
+              <dd>{{ [client.os, client.arch].filter(Boolean).join(' / ') || '未知' }}</dd>
+            </div>
+          </dl>
+        </article>
+      </div>
+    </SectionCard>

-      <!-- Stats Row -->
-      <div class="stats-row">
-        <div class="stat-card">
-          <span class="stat-value">{{ clients.length }}</span>
-          <span class="stat-label">总客户端</span>
-        </div>
-        <div class="stat-card">
-          <span class="stat-value online">{{ onlineClients }}</span>
-          <span class="stat-label">在线</span>
-        </div>
-        <div class="stat-card">
-          <span class="stat-value offline">{{ clients.length - onlineClients }}</span>
-          <span class="stat-label">离线</span>
-        </div>
-      </div>
-
-      <!-- Client List -->
-      <div class="glass-card">
-        <div class="card-header">
-          <h3>客户端列表</h3>
-          <button class="glass-btn small" @click="loadClients">刷新</button>
-        </div>
-        <div class="card-body">
-          <div v-if="loading" class="loading-state">加载中...</div>
-          <div v-else-if="clients.length === 0" class="empty-state">
-            <p>暂无客户端连接</p>
-            <p class="empty-hint">等待客户端连接...</p>
-          </div>
-          <div v-else class="clients-grid">
-            <div
-              v-for="client in clients"
-              :key="client.id"
-              class="client-card"
-              @click="viewClient(client.id)"
-            >
-              <div class="client-header">
-                <div class="client-status" :class="{ online: client.online }"></div>
-                <h4 class="client-name">{{ client.nickname || client.id }}</h4>
-              </div>
-              <p v-if="client.nickname" class="client-id">{{ client.id }}</p>
-              <div class="client-info">
-                <span v-if="client.remote_addr && client.online">{{ client.remote_addr }}</span>
-                <span>{{ client.rule_count || 0 }} 条规则</span>
-              </div>
-              <div class="client-tag" :class="client.online ? 'online' : 'offline'">
-                {{ client.online ? '在线' : '离线' }}
-              </div>
-              <!-- Heartbeat indicator -->
-              <div class="heartbeat-indicator" :class="{ online: client.online, offline: !client.online }">
-                <span class="heartbeat-dot"></span>
-              </div>
-            </div>
-          </div>
-        </div>
-      </div>
-    </div>
+    <GlassModal :show="showInstallModal" title="安装命令" width="760px" @close="showInstallModal = false">
+      <div v-if="installCommands" class="install-grid">
+        <article v-for="item in [
+          { label: 'Linux', value: installCommands.linux },
+          { label: 'macOS', value: installCommands.macos },
+          { label: 'Windows', value: installCommands.windows },
+        ]" :key="item.label" class="install-card">
+          <header>
+            <strong>{{ item.label }}</strong>
+            <button class="glass-btn small" @click="copyCommand(item.value)">复制</button>
+          </header>
+          <code>{{ item.value }}</code>
+        </article>
      </div>
+      <template #footer>
+        <span class="install-footnote">命令内含一次性 token，使用后请重新生成。</span>
+      </template>
+    </GlassModal>
+  </PageShell>
 </template>

 <style scoped>
-.clients-page {
-  min-height: calc(100vh - 116px);
-  position: relative;
-  overflow: hidden;
-  padding: 32px;
+.search-input {
+  min-width: min(320px, 100%);
 }

-/* 动画背景粒子 */
-.particles {
-  position: absolute;
-  inset: 0;
-  overflow: hidden;
-  pointer-events: none;
-  z-index: 0;
-}
-
-.particle {
-  position: absolute;
-  border-radius: 50%;
-  opacity: 0.15;
-  filter: blur(60px);
-  animation: float 20s ease-in-out infinite;
-}
-
-.particle-1 {
-  width: 350px;
-  height: 350px;
-  background: var(--color-accent);
-  top: -80px;
-  right: -80px;
-}
-
-.particle-2 {
-  width: 280px;
-  height: 280px;
-  background: #8b5cf6;
-  bottom: -40px;
-  left: -40px;
-  animation-delay: -5s;
-}
-
-.particle-3 {
-  width: 220px;
-  height: 220px;
-  background: var(--color-success);
-  top: 40%;
-  left: 30%;
-  animation-delay: -10s;
-}
-
-@keyframes float {
-  0%, 100% { transform: translate(0, 0) scale(1); }
-  25% { transform: translate(30px, -30px) scale(1.05); }
-  50% { transform: translate(-20px, 20px) scale(0.95); }
-  75% { transform: translate(-30px, -20px) scale(1.02); }
-}
-
-.clients-content {
-  position: relative;
-  z-index: 10;
-  max-width: 1200px;
-  margin: 0 auto;
-}
-
-.page-header { margin-bottom: 24px; }
-.page-title {
-  font-size: 28px;
-  font-weight: 700;
-  color: var(--color-text-primary);
-  margin: 0 0 8px 0;
-}
-.page-subtitle {
-  color: var(--color-text-secondary);
-  margin: 0;
-  font-size: 14px;
-}
-
-/* Stats */
-.stats-row {
+.client-grid {
  display: grid;
-  grid-template-columns: repeat(3, 1fr);
  gap: 16px;
-  margin-bottom: 24px;
-}
-
-.stat-card {
-  background: var(--glass-bg);
-  backdrop-filter: var(--glass-blur);
-  -webkit-backdrop-filter: var(--glass-blur);
-  border-radius: 16px;
-  border: 1px solid var(--color-border);
-  padding: 20px;
-  text-align: center;
-  box-shadow: var(--shadow-card);
-  transition: all 0.2s ease;
-  position: relative;
-}
-
-.stat-card::before {
-  content: '';
-  position: absolute;
-  top: 0;
-  left: 20%;
-  right: 20%;
-  height: 1px;
-  background: linear-gradient(90deg,
-    transparent 0%,
-    rgba(255, 255, 255, 0.1) 50%,
-    transparent 100%);
-}
-
-.stat-card:hover {
-  transform: translateY(-2px);
-  box-shadow: var(--shadow-lg), var(--shadow-glow);
-}
-
-.stat-value {
-  display: block;
-  font-size: 32px;
-  font-weight: 700;
-  color: var(--color-text-primary);
-}
-.stat-value.online { color: var(--color-success); }
-.stat-value.offline { color: var(--color-text-muted); }
-.stat-label {
-  font-size: 13px;
-  color: var(--color-text-secondary);
-}
-
-/* Glass Card */
-.glass-card {
-  background: var(--glass-bg);
-  backdrop-filter: var(--glass-blur);
-  -webkit-backdrop-filter: var(--glass-blur);
-  border-radius: 16px;
-  border: 1px solid var(--color-border);
-  box-shadow: var(--shadow-card);
-  position: relative;
-}
-
-.glass-card::before {
-  content: '';
-  position: absolute;
-  top: 0;
-  left: 10%;
-  right: 10%;
-  height: 1px;
-  background: linear-gradient(90deg,
-    transparent 0%,
-    rgba(255, 255, 255, 0.1) 50%,
-    transparent 100%);
-}
-
-.card-header {
-  padding: 16px 20px;
-  border-bottom: 1px solid var(--color-border-light);
-  display: flex;
-  justify-content: space-between;
-  align-items: center;
-}
-.card-header h3 {
-  margin: 0;
-  font-size: 15px;
-  font-weight: 600;
-  color: var(--color-text-primary);
-}
-.card-body { padding: 20px; }
-
-.loading-state, .empty-state {
-  text-align: center;
-  padding: 48px;
-  color: var(--color-text-muted);
-}
-.empty-hint {
-  font-size: 13px;
-  color: var(--color-text-muted);
-  margin-top: 8px;
-}
-
-/* Clients Grid */
-.clients-grid {
-  display: grid;
-  grid-template-columns: repeat(3, 1fr);
-  gap: 16px;
-}
-
-@media (max-width: 900px) {
-  .clients-grid { grid-template-columns: repeat(2, 1fr); }
-  .stats-row { grid-template-columns: 1fr; }
-}
-@media (max-width: 600px) {
-  .clients-grid { grid-template-columns: 1fr; }
+  grid-template-columns: repeat(auto-fit, minmax(260px, 1fr));
 }

 .client-card {
-  background: var(--glass-bg-light);
-  border-radius: 12px;
  padding: 18px;
-  border: 1px solid var(--color-border);
+  border-radius: 18px;
+  background: var(--glass-bg-light);
+  border: 1px solid var(--color-border-light);
  cursor: pointer;
-  transition: all 0.2s ease;
-  position: relative;
+  transition: transform 0.2s ease, border-color 0.2s ease, box-shadow 0.2s ease;
 }
+
 .client-card:hover {
-  background: var(--glass-bg-hover);
  transform: translateY(-2px);
+  border-color: rgba(59, 130, 246, 0.24);
  box-shadow: var(--shadow-md);
 }

-.client-header {
+.client-card__header {
+  display: flex;
+  justify-content: space-between;
+  gap: 12px;
+  margin-bottom: 18px;
+}
+
+.client-card__title {
  display: flex;
  align-items: center;
  gap: 10px;
  margin-bottom: 8px;
 }

-.client-status {
+.client-card__header p {
+  color: var(--color-text-secondary);
+  font-size: 13px;
+}
+
+.status-dot {
  width: 10px;
  height: 10px;
-  border-radius: 50%;
-  background: var(--color-text-muted);
+  border-radius: 999px;
+  background: var(--color-error);
 }
-.client-status.online {
+
+.status-dot.online {
  background: var(--color-success);
-  box-shadow: 0 0 10px var(--color-success-glow);
 }

-.client-name {
-  font-size: 15px;
-  font-weight: 600;
-  color: var(--color-text-primary);
-  margin: 0;
-}
-
-.client-id {
+.state-pill {
+  height: fit-content;
+  padding: 4px 10px;
+  border-radius: 999px;
  font-size: 12px;
-  color: var(--color-text-muted);
-  margin: 0 0 8px 0;
-  font-family: monospace;
+  border: 1px solid transparent;
 }

-.client-info {
-  display: flex;
-  flex-direction: column;
-  gap: 4px;
-  font-size: 13px;
+.state-pill.online {
+  color: var(--color-success);
+  background: rgba(16, 185, 129, 0.12);
+  border-color: rgba(16, 185, 129, 0.2);
+}
+
+.state-pill.offline {
  color: var(--color-text-secondary);
+  background: rgba(148, 163, 184, 0.12);
+  border-color: rgba(148, 163, 184, 0.2);
+}
+
+.client-card__meta {
+  display: grid;
+  grid-template-columns: repeat(3, minmax(0, 1fr));
+  gap: 12px;
+}
+
+.client-card__meta dt {
+  margin-bottom: 6px;
+  color: var(--color-text-muted);
+  font-size: 12px;
+}
+
+.client-card__meta dd {
+  color: var(--color-text-primary);
+  font-size: 13px;
+  word-break: break-word;
+}
+
+.install-grid {
+  display: grid;
+  gap: 14px;
+}
+
+.install-card {
+  padding: 16px;
+  border-radius: 16px;
+  background: var(--glass-bg-light);
+  border: 1px solid var(--color-border-light);
+}
+
+.install-card header {
+  display: flex;
+  justify-content: space-between;
+  align-items: center;
+  gap: 12px;
  margin-bottom: 12px;
 }

-.client-tag {
-  display: inline-block;
-  padding: 4px 10px;
-  border-radius: 8px;
-  font-size: 12px;
-  font-weight: 500;
-}
-.client-tag.online {
-  background: rgba(16, 185, 129, 0.15);
-  color: var(--color-success);
-  border: 1px solid rgba(16, 185, 129, 0.2);
-}
-.client-tag.offline {
-  background: var(--glass-bg-light);
-  color: var(--color-text-muted);
-  border: 1px solid var(--color-border);
-}
-
-/* Button */
-.glass-btn {
-  background: var(--glass-bg);
-  backdrop-filter: var(--glass-blur-light);
-  border: 1px solid var(--color-border);
-  border-radius: 10px;
-  padding: 8px 16px;
-  color: var(--color-text-primary);
-  font-size: 13px;
-  cursor: pointer;
-  transition: all 0.2s ease;
-}
-.glass-btn:hover {
-  background: var(--glass-bg-hover);
-  transform: translateY(-1px);
-}
-.glass-btn.small { padding: 6px 12px; font-size: 12px; }
-
-/* Heartbeat Indicator */
-.heartbeat-indicator {
-  position: absolute;
-  top: 18px;
-  right: 18px;
-}
-
-.heartbeat-dot {
+.install-card code {
  display: block;
-  width: 10px;
-  height: 10px;
-  border-radius: 50%;
-  background: var(--color-error);
+  color: var(--color-text-primary);
+  white-space: pre-wrap;
+  word-break: break-all;
+  font-size: 12px;
+  line-height: 1.7;
 }

-.heartbeat-indicator.online .heartbeat-dot {
-  background: var(--color-success);
-  animation: heartbeat-pulse 2s ease-in-out infinite;
-  box-shadow: 0 0 8px var(--color-success-glow);
+.install-footnote {
+  color: var(--color-text-secondary);
+  font-size: 12px;
 }

-.heartbeat-indicator.offline .heartbeat-dot {
-  background: var(--color-error);
-  animation: none;
+.empty-state {
+  padding: 48px 20px;
+  text-align: center;
+  color: var(--color-text-secondary);
+  background: var(--glass-bg-light);
+  border: 1px dashed var(--color-border);
+  border-radius: 16px;
 }

-@keyframes heartbeat-pulse {
-  0%, 100% {
-    box-shadow: 0 0 0 0 var(--color-success-glow);
-    transform: scale(1);
+@media (max-width: 768px) {
+  .client-card__header {
+    flex-direction: column;
  }
-  50% {
-    box-shadow: 0 0 0 8px rgba(16, 185, 129, 0);
-    transform: scale(1.1);
+
+  .client-card__meta {
+    grid-template-columns: 1fr;
  }
 }
 </style>
--- a/web/src/views/HomeView.vue
+++ b/web/src/views/HomeView.vue
@@ -1,682 +1,324 @@
 <script setup lang="ts">
-import { ref, onMounted, computed } from 'vue'
-import { getClients, getTrafficStats, getTrafficHourly, type TrafficRecord } from '../api'
+import { computed, onMounted, ref } from 'vue'
+import { getClients, getTrafficHourly, getTrafficStats, type TrafficRecord } from '../api'
 import type { ClientStatus } from '../types'
+import MetricCard from '../components/MetricCard.vue'
+import PageShell from '../components/PageShell.vue'
+import SectionCard from '../components/SectionCard.vue'

 const clients = ref<ClientStatus[]>([])
-
-// 流量统计数据
 const traffic24h = ref({ inbound: 0, outbound: 0 })
 const trafficTotal = ref({ inbound: 0, outbound: 0 })
 const trafficHistory = ref<TrafficRecord[]>([])
+const loading = ref(true)

-// 格式化字节数
 const formatBytes = (bytes: number): { value: string; unit: string } => {
  if (bytes === 0) return { value: '0', unit: 'B' }
-  const k = 1024
-  const sizes: string[] = ['B', 'KB', 'MB', 'GB', 'TB']
-  const i = Math.min(Math.floor(Math.log(bytes) / Math.log(k)), sizes.length - 1)
+  const units = ['B', 'KB', 'MB', 'GB', 'TB']
+  const index = Math.min(Math.floor(Math.log(bytes) / Math.log(1024)), units.length - 1)
  return {
-    value: parseFloat((bytes / Math.pow(k, i)).toFixed(2)).toString(),
-    unit: sizes[i] as string
+    value: (bytes / Math.pow(1024, index)).toFixed(index === 0 ? 0 : 1),
+    unit: units[index] ?? 'B',
  }
 }

-// 加载流量统计
-const loadTrafficStats = async () => {
+const loadDashboard = async () => {
+  loading.value = true
  try {
-    const { data } = await getTrafficStats()
-    traffic24h.value = data.traffic_24h
-    trafficTotal.value = data.traffic_total
-  } catch (e) {
-    console.error('Failed to load traffic stats', e)
-  }
-}
+    const [{ data: clientData }, { data: statsData }, { data: hourlyData }] = await Promise.all([
+      getClients(),
+      getTrafficStats(),
+      getTrafficHourly(),
+    ])
+
+    clients.value = clientData || []
+    traffic24h.value = statsData.traffic_24h
+    trafficTotal.value = statsData.traffic_total
+
+    const records = hourlyData.records || []
+    if (records.length) {
+      trafficHistory.value = records.slice(-12)
+      return
+    }

-// 加载每小时流量
-const loadTrafficHourly = async () => {
-  try {
-    const { data } = await getTrafficHourly()
-    const records = data.records || []
-    // 如果没有数据，生成从当前时间开始的24小时空数据
-    if (records.length === 0) {
    const now = new Date()
-      const currentHour = new Date(now.getFullYear(), now.getMonth(), now.getDate(), now.getHours())
-      const emptyRecords: TrafficRecord[] = []
-      for (let i = 23; i >= 0; i--) {
-        const ts = new Date(currentHour.getTime() - i * 3600 * 1000)
-        emptyRecords.push({
-          timestamp: Math.floor(ts.getTime() / 1000),
+    trafficHistory.value = Array.from({ length: 12 }, (_, index) => {
+      const slot = new Date(now.getTime() - (11 - index) * 3600 * 1000)
+      return {
+        timestamp: Math.floor(slot.getTime() / 1000),
        inbound: 0,
-          outbound: 0
+        outbound: 0,
+      }
    })
-      }
-      trafficHistory.value = emptyRecords
-    } else {
-      trafficHistory.value = records
-    }
-  } catch (e) {
-    console.error('Failed to load hourly traffic', e)
+  } catch (error) {
+    console.error('Failed to load dashboard', error)
+  } finally {
+    loading.value = false
  }
 }

-const loadClients = async () => {
-  try {
-    const { data } = await getClients()
-    clients.value = data || []
-  } catch (e) {
-    console.error('Failed to load clients', e)
-  }
-}
-
-const onlineClients = computed(() => {
-  return clients.value.filter(client => client.online).length
-})
-
-const totalRules = computed(() => {
-  return clients.value.reduce((sum, c) => sum + (c.rule_count || 0), 0)
-})
-
-// 格式化后的流量统计
+const onlineClients = computed(() => clients.value.filter((client) => client.online).length)
+const offlineClients = computed(() => Math.max(clients.value.length - onlineClients.value, 0))
+const totalRules = computed(() => clients.value.reduce((sum, client) => sum + (client.rule_count || 0), 0))
+const topClients = computed(() => [...clients.value].sort((a, b) => Number(b.online) - Number(a.online)).slice(0, 6))
+const chartMax = computed(() => Math.max(...trafficHistory.value.flatMap((item) => [item.inbound, item.outbound]), 1))
 const formatted24hInbound = computed(() => formatBytes(traffic24h.value.inbound))
 const formatted24hOutbound = computed(() => formatBytes(traffic24h.value.outbound))
 const formattedTotalInbound = computed(() => formatBytes(trafficTotal.value.inbound))
 const formattedTotalOutbound = computed(() => formatBytes(trafficTotal.value.outbound))
+const formatHour = (timestamp: number) => new Date(timestamp * 1000).toLocaleTimeString('zh-CN', { hour: '2-digit', minute: '2-digit' })

-// Chart helpers
-const maxTraffic = computed(() => {
-  const max = Math.max(
-    ...trafficHistory.value.map(d => Math.max(d.inbound, d.outbound))
-  )
-  return max || 100
-})
-
-const getBarHeight = (value: number) => {
-  return (value / maxTraffic.value) * 100
-}
-
-// 格式化时间戳为小时
-const formatHour = (timestamp: number) => {
-  const date = new Date(timestamp * 1000)
-  return date.getHours().toString().padStart(2, '0') + ':00'
-}
-
-onMounted(() => {
-  loadClients()
-  loadTrafficStats()
-  loadTrafficHourly()
-})
+onMounted(loadDashboard)
 </script>

 <template>
-  <div class="dashboard-container">
-    <!-- Animated background particles -->
-    <div class="particles">
-      <div class="particle particle-1"></div>
-      <div class="particle particle-2"></div>
-      <div class="particle particle-3"></div>
-      <div class="particle particle-4"></div>
-      <div class="particle particle-5"></div>
-    </div>
+  <PageShell title="控制台" eyebrow="Overview" subtitle="统一查看连接状态、流量趋势与客户端健康情况，减少页面层级并突出关键数据。">
+    <template #actions>
+      <button class="glass-btn" @click="loadDashboard">{{ loading ? '刷新中...' : '刷新数据' }}</button>
+    </template>

-    <!-- Main content -->
-    <div class="dashboard-content">
-      <!-- Header -->
-      <div class="dashboard-header">
-        <h1 class="text-3xl font-bold text-white mb-2">仪表盘</h1>
-        <p class="text-white/70">监控隧道连接和流量状态</p>
-      </div>
+    <template #metrics>
+      <MetricCard label="在线客户端" :value="onlineClients" :hint="`离线 ${offlineClients} 台`" tone="success" />
+      <MetricCard label="代理规则" :value="totalRules" hint="全部客户端规则总数" />
+      <MetricCard
+        label="24H 出站"
+        :value="formatted24hOutbound.value"
+        :hint="formatted24hOutbound.unit"
+        tone="info"
+      />
+      <MetricCard
+        label="总入站"
+        :value="formattedTotalInbound.value"
+        :hint="formattedTotalInbound.unit"
+        tone="warning"
+      />
+    </template>

-      <!-- Stats Grid -->
-      <div class="stats-grid">
-        <!-- Outbound Traffic -->
-        <div class="stat-card glass-stat">
-          <div class="stat-icon outbound">
-            <svg xmlns="http://www.w3.org/2000/svg" class="w-6 h-6" fill="none" viewBox="0 0 24 24" stroke="currentColor">
-              <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M7 11l5-5m0 0l5 5m-5-5v12" />
-            </svg>
+    <div class="dashboard-grid">
+      <SectionCard title="流量趋势" description="近 12 小时入站 / 出站流量概览。">
+        <div class="traffic-summary">
+          <div class="traffic-pill">
+            <span>24H 入站</span>
+            <strong>{{ formatted24hInbound.value }} {{ formatted24hInbound.unit }}</strong>
          </div>
-          <div class="stat-content">
-            <span class="stat-label">24h出站</span>
-            <div class="stat-value-row">
-              <span class="stat-value">{{ formatted24hOutbound.value }}</span>
-              <span class="stat-unit-inline">{{ formatted24hOutbound.unit }}</span>
+          <div class="traffic-pill">
+            <span>24H 出站</span>
+            <strong>{{ formatted24hOutbound.value }} {{ formatted24hOutbound.unit }}</strong>
          </div>
+          <div class="traffic-pill">
+            <span>总出站</span>
+            <strong>{{ formattedTotalOutbound.value }} {{ formattedTotalOutbound.unit }}</strong>
          </div>
        </div>

-        <!-- Inbound Traffic -->
-        <div class="stat-card glass-stat">
-          <div class="stat-icon inbound">
-            <svg xmlns="http://www.w3.org/2000/svg" class="w-6 h-6" fill="none" viewBox="0 0 24 24" stroke="currentColor">
-              <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M17 13l-5 5m0 0l-5-5m5 5V6" />
-            </svg>
-          </div>
-          <div class="stat-content">
-            <span class="stat-label">24h入站</span>
-            <div class="stat-value-row">
-              <span class="stat-value">{{ formatted24hInbound.value }}</span>
-              <span class="stat-unit-inline">{{ formatted24hInbound.unit }}</span>
+        <div class="traffic-chart">
+          <div v-for="item in trafficHistory" :key="item.timestamp" class="traffic-chart__item">
+            <div class="traffic-chart__bars">
+              <span class="bar bar--inbound" :style="{ height: `${(item.inbound / chartMax) * 100}%` }"></span>
+              <span class="bar bar--outbound" :style="{ height: `${(item.outbound / chartMax) * 100}%` }"></span>
            </div>
+            <span class="traffic-chart__label">{{ formatHour(item.timestamp) }}</span>
          </div>
        </div>
+      </SectionCard>

-        <!-- Total Outbound Traffic -->
-        <div class="stat-card glass-stat">
-          <div class="stat-icon total-out">
-            <svg xmlns="http://www.w3.org/2000/svg" class="w-6 h-6" fill="none" viewBox="0 0 24 24" stroke="currentColor">
-              <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M7 11l5-5m0 0l5 5m-5-5v12" />
-            </svg>
-          </div>
-          <div class="stat-content">
-            <span class="stat-label">总出站</span>
-            <div class="stat-value-row">
-              <span class="stat-value">{{ formattedTotalOutbound.value }}</span>
-              <span class="stat-unit-inline">{{ formattedTotalOutbound.unit }}</span>
-            </div>
-          </div>
-        </div>
-
-        <!-- Total Inbound Traffic -->
-        <div class="stat-card glass-stat">
-          <div class="stat-icon total-in">
-            <svg xmlns="http://www.w3.org/2000/svg" class="w-6 h-6" fill="none" viewBox="0 0 24 24" stroke="currentColor">
-              <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M17 13l-5 5m0 0l-5-5m5 5V6" />
-            </svg>
-          </div>
-          <div class="stat-content">
-            <span class="stat-label">总入站</span>
-            <div class="stat-value-row">
-              <span class="stat-value">{{ formattedTotalInbound.value }}</span>
-              <span class="stat-unit-inline">{{ formattedTotalInbound.unit }}</span>
-            </div>
-          </div>
-        </div>
-
-        <!-- Client Count -->
-        <div class="stat-card glass-stat">
-          <div class="stat-icon clients">
-            <svg xmlns="http://www.w3.org/2000/svg" class="w-6 h-6" fill="none" viewBox="0 0 24 24" stroke="currentColor">
-              <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M9 3v2m6-2v2M9 19v2m6-2v2M5 9H3m2 6H3m18-6h-2m2 6h-2M7 19h10a2 2 0 002-2V7a2 2 0 00-2-2H7a2 2 0 00-2 2v10a2 2 0 002 2zM9 9h6v6H9V9z" />
-            </svg>
-          </div>
-          <div class="stat-content">
-            <span class="stat-label">客户端</span>
-            <div class="client-count">
-              <span class="stat-value online">{{ onlineClients }}</span>
-              <span class="stat-separator">/</span>
-              <span class="stat-value total">{{ clients.length }}</span>
-            </div>
-            <span class="stat-unit">在线 / 总数</span>
-          </div>
-          <div class="online-indicator" :class="{ active: onlineClients > 0 }">
-            <span class="pulse"></span>
-          </div>
-        </div>
-
-        <!-- Rules Count -->
-        <div class="stat-card glass-stat">
-          <div class="stat-icon rules">
-            <svg xmlns="http://www.w3.org/2000/svg" class="w-6 h-6" fill="none" viewBox="0 0 24 24" stroke="currentColor">
-              <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M4 6h16M4 10h16M4 14h16M4 18h16" />
-            </svg>
-          </div>
-          <div class="stat-content">
-            <span class="stat-label">代理规则</span>
-            <span class="stat-value">{{ totalRules }}</span>
-            <span class="stat-unit">条规则</span>
-          </div>
-        </div>
-      </div>
-
-      <!-- Traffic Chart Section -->
-      <div class="chart-section">
-        <div class="section-header">
-          <h2 class="section-title">24小时流量趋势</h2>
-          <div class="chart-legend">
-            <span class="legend-item inbound"><span class="legend-dot"></span>入站</span>
-            <span class="legend-item outbound"><span class="legend-dot"></span>出站</span>
-          </div>
-        </div>
-
-        <div class="chart-card glass-card">
-          <div class="chart-container">
-            <div class="chart-bars">
-              <div v-for="(data, index) in trafficHistory" :key="index" class="bar-group">
-                <div class="bar-wrapper">
-                  <div class="bar inbound" :style="{ height: getBarHeight(data.inbound) + '%' }"></div>
-                  <div class="bar outbound" :style="{ height: getBarHeight(data.outbound) + '%' }"></div>
-                </div>
-                <span class="bar-label">{{ formatHour(data.timestamp) }}</span>
-              </div>
-            </div>
+      <SectionCard title="客户端概况" description="优先展示在线客户端，并保留连接来源与规则数量。">
+        <div v-if="topClients.length" class="client-list">
+          <article v-for="client in topClients" :key="client.id" class="client-row">
+            <div>
+              <div class="client-row__title">
+                <span class="client-dot" :class="{ online: client.online }"></span>
+                <strong>{{ client.nickname || client.id }}</strong>
              </div>
+              <p>{{ client.remote_addr || '等待连接地址' }}</p>
            </div>
+            <div class="client-row__meta">
+              <span>{{ client.rule_count || 0 }} 条规则</span>
+              <span class="state-pill" :class="client.online ? 'online' : 'offline'">{{ client.online ? '在线' : '离线' }}</span>
            </div>
+          </article>
        </div>
+        <div v-else class="empty-state">暂无客户端数据。</div>
+      </SectionCard>
    </div>
+  </PageShell>
 </template>

 <style scoped>
-/* Container */
-.dashboard-container {
-  min-height: calc(100vh - 116px);
-  position: relative;
-  overflow: hidden;
-  padding: 32px;
-}
-
-/* 动画背景粒子 */
-.particles {
-  position: absolute;
-  inset: 0;
-  overflow: hidden;
-  pointer-events: none;
-  z-index: 0;
-}
-
-.particle {
-  position: absolute;
-  border-radius: 50%;
-  opacity: 0.15;
-  filter: blur(60px);
-  animation: float 20s ease-in-out infinite;
-}
-
-.particle-1 {
-  width: 400px;
-  height: 400px;
-  background: var(--color-accent);
-  top: -100px;
-  right: -100px;
-}
-
-.particle-2 {
-  width: 300px;
-  height: 300px;
-  background: #8b5cf6;
-  bottom: -50px;
-  left: -50px;
-  animation-delay: -5s;
-}
-
-.particle-3 {
-  width: 250px;
-  height: 250px;
-  background: var(--color-info);
-  top: 50%;
-  left: 50%;
-  animation-delay: -10s;
-}
-
-.particle-4 {
-  width: 200px;
-  height: 200px;
-  background: var(--color-success);
-  bottom: 20%;
-  right: 20%;
-  animation-delay: -15s;
-}
-
-.particle-5 {
-  width: 350px;
-  height: 350px;
-  background: #ec4899;
-  top: 30%;
-  left: 10%;
-  animation-delay: -7s;
-}
-
-@keyframes float {
-  0%, 100% { transform: translate(0, 0) scale(1); }
-  25% { transform: translate(30px, -30px) scale(1.05); }
-  50% { transform: translate(-20px, 20px) scale(0.95); }
-  75% { transform: translate(-30px, -20px) scale(1.02); }
-}
-
-/* Main content */
-.dashboard-content {
-  position: relative;
-  z-index: 10;
-  max-width: 1200px;
-  margin: 0 auto;
-}
-
-.dashboard-header {
-  margin-bottom: 32px;
-}
-
-/* Stats Grid */
-.stats-grid {
+.dashboard-grid {
  display: grid;
-  grid-template-columns: repeat(3, 1fr);
  gap: 20px;
-  margin-bottom: 32px;
+  grid-template-columns: minmax(0, 1.6fr) minmax(320px, 1fr);
 }

-@media (max-width: 1024px) {
-  .stats-grid {
-    grid-template-columns: repeat(2, 1fr);
-  }
+.traffic-summary {
+  display: grid;
+  gap: 12px;
+  grid-template-columns: repeat(auto-fit, minmax(160px, 1fr));
 }

-@media (max-width: 640px) {
-  .stats-grid {
-    grid-template-columns: 1fr;
-  }
-}
-
-/* Glass stat card - 毛玻璃效果 */
-.glass-stat {
-  background: var(--glass-bg);
-  backdrop-filter: var(--glass-blur);
-  -webkit-backdrop-filter: var(--glass-blur);
+.traffic-pill {
+  padding: 14px 16px;
  border-radius: 16px;
-  border: 1px solid var(--color-border);
-  padding: 20px;
-  display: flex;
-  align-items: flex-start;
-  gap: 16px;
-  position: relative;
-  transition: all 0.2s ease;
-  box-shadow: var(--shadow-card);
+  background: var(--glass-bg-light);
+  border: 1px solid var(--color-border-light);
 }

-/* 卡片顶部高光 */
-.glass-stat::before {
-  content: '';
-  position: absolute;
-  top: 0;
-  left: 10%;
-  right: 10%;
-  height: 1px;
-  background: linear-gradient(90deg,
-    transparent 0%,
-    rgba(255, 255, 255, 0.1) 50%,
-    transparent 100%);
-}
-
-.glass-stat:hover {
-  background: var(--glass-bg-hover);
-  transform: translateY(-2px);
-  box-shadow: var(--shadow-lg), var(--shadow-glow);
-}
-
-/* Stat icon */
-.stat-icon {
-  width: 48px;
-  height: 48px;
-  border-radius: 12px;
-  display: flex;
-  align-items: center;
-  justify-content: center;
-  flex-shrink: 0;
-  box-shadow: 0 4px 12px rgba(0, 0, 0, 0.2);
-}
-
-.stat-icon.outbound {
-  background: var(--gradient-accent);
-}
-
-.stat-icon.inbound {
-  background: linear-gradient(135deg, #8b5cf6 0%, #a78bfa 100%);
-}
-
-.stat-icon.clients {
-  background: linear-gradient(135deg, #10b981 0%, #34d399 100%);
-}
-
-.stat-icon.rules {
-  background: linear-gradient(135deg, #f59e0b 0%, #fbbf24 100%);
-}
-
-.stat-icon.total-out {
-  background: linear-gradient(135deg, #0284c7 0%, #38bdf8 100%);
-}
-
-.stat-icon.total-in {
-  background: linear-gradient(135deg, #9333ea 0%, #c084fc 100%);
-}
-
-.stat-icon svg {
-  color: white;
-}
-
-/* Stat content */
-.stat-content {
-  flex: 1;
-  display: flex;
-  flex-direction: column;
-  gap: 2px;
-  min-height: 44px;
-  justify-content: center;
-}
-
-.stat-label {
-  font-size: 13px;
-  color: var(--color-text-secondary);
-  font-weight: 500;
-  line-height: 1.2;
-}
-
-.stat-value {
-  font-size: 26px;
-  font-weight: 700;
-  color: var(--color-text-primary);
-  line-height: 1.2;
-}
-
-.stat-unit {
-  font-size: 12px;
-  color: var(--color-text-muted);
-  line-height: 1.2;
-}
-
-.stat-value-row {
-  display: flex;
-  align-items: baseline;
-  gap: 4px;
-}
-
-.stat-unit-inline {
-  font-size: 14px;
-  color: var(--color-text-muted);
-  font-weight: 500;
-}
-
-/* Client count special styling */
-.client-count {
-  display: flex;
-  align-items: baseline;
-  gap: 4px;
-}
-
-.client-count .stat-value.online {
-  color: var(--color-success);
-}
-
-.client-count .stat-value.total {
-  font-size: 24px;
-  color: var(--color-text-secondary);
-}
-
-.stat-separator {
-  font-size: 20px;
-  color: var(--color-text-muted);
-}
-
-/* Stat trend indicator */
-.stat-trend {
-  position: absolute;
-  top: 16px;
-  right: 16px;
-  padding: 4px 8px;
-  border-radius: 8px;
-  font-size: 12px;
-}
-
-.stat-trend.up {
-  background: rgba(0, 186, 124, 0.15);
-  color: var(--color-success);
-}
-
-/* Online indicator with pulse */
-.online-indicator {
-  position: absolute;
-  top: 16px;
-  right: 16px;
-}
-
-.online-indicator .pulse {
+.traffic-pill span {
  display: block;
-  width: 10px;
-  height: 10px;
-  border-radius: 50%;
-  background: var(--color-text-muted);
-}
-
-.online-indicator.active .pulse {
-  background: var(--color-success);
-  animation: pulse-animation 2s ease-in-out infinite;
-  box-shadow: 0 0 8px var(--color-success-glow);
-}
-
-@keyframes pulse-animation {
-  0%, 100% { box-shadow: 0 0 0 0 var(--color-success-glow); }
-  50% { box-shadow: 0 0 0 8px rgba(16, 185, 129, 0); }
-}
-
-/* Chart Section */
-.chart-section {
-  margin-top: 16px;
-}
-
-.section-header {
-  display: flex;
-  align-items: center;
-  justify-content: space-between;
-  margin-bottom: 20px;
-}
-
-.section-title {
-  font-size: 16px;
-  font-weight: 600;
-  color: var(--color-text-primary);
-  margin: 0;
-}
-
-.chart-legend {
-  display: flex;
-  gap: 16px;
-}
-
-.legend-item {
-  display: flex;
-  align-items: center;
-  gap: 6px;
-  font-size: 13px;
  color: var(--color-text-secondary);
+  font-size: 12px;
 }

-.legend-dot {
-  width: 10px;
-  height: 10px;
-  border-radius: 2px;
+.traffic-pill strong {
+  display: block;
+  margin-top: 8px;
+  color: var(--color-text-primary);
+  font-size: 18px;
 }

-.legend-item.inbound .legend-dot {
-  background: #8b5cf6;
+.traffic-chart {
+  display: grid;
+  grid-template-columns: repeat(12, minmax(0, 1fr));
+  gap: 10px;
+  align-items: end;
+  min-height: 240px;
 }

-.legend-item.outbound .legend-dot {
-  background: var(--color-accent);
-}
-
-/* Chart Card */
-.chart-card {
-  padding: 24px;
-}
-
-.chart-container {
-  height: 200px;
-  overflow-x: auto;
-}
-
-.chart-bars {
-  display: flex;
-  gap: 4px;
-  height: 100%;
-  min-width: 600px;
-  align-items: flex-end;
-}
-
-.bar-group {
-  flex: 1;
+.traffic-chart__item {
  display: flex;
  flex-direction: column;
  align-items: center;
-  gap: 8px;
+  gap: 10px;
 }

-.bar-wrapper {
-  flex: 1;
-  width: 100%;
+.traffic-chart__bars {
  display: flex;
-  gap: 2px;
-  align-items: flex-end;
+  align-items: end;
+  gap: 4px;
+  height: 200px;
+  width: 100%;
 }

 .bar {
  flex: 1;
-  border-radius: 3px 3px 0 0;
-  min-height: 2px;
-  transition: height 0.3s ease;
+  min-height: 4px;
+  border-radius: 999px 999px 6px 6px;
 }

-.bar.inbound {
-  background: #8b5cf6;
+.bar--inbound {
+  background: linear-gradient(180deg, rgba(6, 182, 212, 0.95), rgba(6, 182, 212, 0.25));
 }

-.bar.outbound {
-  background: var(--color-accent);
+.bar--outbound {
+  background: linear-gradient(180deg, rgba(59, 130, 246, 0.95), rgba(59, 130, 246, 0.25));
 }

-.bar-label {
-  font-size: 10px;
-  color: var(--color-text-muted);
-  white-space: nowrap;
-}
-
-.chart-hint {
-  margin-top: 16px;
-  padding-top: 16px;
-  border-top: 1px solid var(--color-border);
-  text-align: center;
-  font-size: 12px;
+.traffic-chart__label {
+  font-size: 11px;
  color: var(--color-text-muted);
 }

-/* Glass card base - 毛玻璃效果 */
-.glass-card {
-  background: var(--glass-bg);
-  backdrop-filter: var(--glass-blur);
-  -webkit-backdrop-filter: var(--glass-blur);
+.client-list {
+  display: flex;
+  flex-direction: column;
+  gap: 12px;
+}
+
+.client-row {
+  display: flex;
+  justify-content: space-between;
+  gap: 16px;
+  padding: 16px;
  border-radius: 16px;
-  border: 1px solid var(--color-border);
-  box-shadow: var(--shadow-card);
-  position: relative;
+  background: var(--glass-bg-light);
+  border: 1px solid var(--color-border-light);
 }

-.glass-card::before {
-  content: '';
-  position: absolute;
-  top: 0;
-  left: 10%;
-  right: 10%;
-  height: 1px;
-  background: linear-gradient(90deg,
-    transparent 0%,
-    rgba(255, 255, 255, 0.1) 50%,
-    transparent 100%);
+.client-row__title {
+  display: flex;
+  align-items: center;
+  gap: 10px;
+  margin-bottom: 8px;
+}
+
+.client-row p {
+  color: var(--color-text-secondary);
+  font-size: 13px;
+}
+
+.client-row__meta {
+  display: flex;
+  flex-direction: column;
+  align-items: flex-end;
+  gap: 10px;
+  color: var(--color-text-secondary);
+  font-size: 13px;
+}
+
+.client-dot {
+  width: 10px;
+  height: 10px;
+  border-radius: 999px;
+  background: var(--color-error);
+  box-shadow: 0 0 0 6px rgba(239, 68, 68, 0.08);
+}
+
+.client-dot.online {
+  background: var(--color-success);
+  box-shadow: 0 0 0 6px rgba(16, 185, 129, 0.1);
+}
+
+.state-pill {
+  padding: 4px 10px;
+  border-radius: 999px;
+  font-size: 12px;
+  border: 1px solid transparent;
+}
+
+.state-pill.online {
+  color: var(--color-success);
+  background: rgba(16, 185, 129, 0.12);
+  border-color: rgba(16, 185, 129, 0.2);
+}
+
+.state-pill.offline {
+  color: var(--color-text-secondary);
+  background: rgba(148, 163, 184, 0.12);
+  border-color: rgba(148, 163, 184, 0.2);
+}
+
+.empty-state {
+  padding: 36px 16px;
+  text-align: center;
+  color: var(--color-text-secondary);
+  background: var(--glass-bg-light);
+  border: 1px dashed var(--color-border);
+  border-radius: 16px;
+}
+
+@media (max-width: 1024px) {
+  .dashboard-grid {
+    grid-template-columns: 1fr;
+  }
+}
+
+@media (max-width: 768px) {
+  .traffic-chart {
+    overflow-x: auto;
+    padding-bottom: 8px;
+  }
+
+  .traffic-chart__bars {
+    width: 28px;
+  }
+
+  .client-row {
+    flex-direction: column;
+  }
+
+  .client-row__meta {
+    align-items: flex-start;
+  }
 }
 </style>
--- a/web/src/views/LoginView.vue
+++ b/web/src/views/LoginView.vue
@@ -1,5 +1,5 @@
 <script setup lang="ts">
-import { ref } from 'vue'
+import { computed, ref } from 'vue'
 import { useRouter } from 'vue-router'
 import { login, setToken } from '../api'

@@ -9,6 +9,14 @@ const password = ref('')
 const error = ref('')
 const loading = ref(false)

+const features = [
+  '统一管理隧道、客户端与规则状态',
+  '自动下发配置，客户端零配置接入',
+  '内置更新与运行状态查看，便于运维排障',
+]
+
+const canSubmit = computed(() => Boolean(username.value && password.value) && !loading.value)
+
 const handleLogin = async () => {
  if (!username.value || !password.value) {
    error.value = '请输入用户名和密码'
@@ -17,7 +25,6 @@ const handleLogin = async () => {

  loading.value = true
  error.value = ''
-
  try {
    const { data } = await login(username.value, password.value)
    setToken(data.token)
@@ -32,65 +39,39 @@ const handleLogin = async () => {

 <template>
  <div class="login-page">
-    <!-- Animated particles -->
-    <div class="particles">
-      <div class="particle particle-1"></div>
-      <div class="particle particle-2"></div>
-      <div class="particle particle-3"></div>
-      <div class="particle particle-4"></div>
+    <div class="login-shell glass-card">
+      <section class="login-hero">
+        <span class="login-badge">GoTunnel Console</span>
+        <h1>更统一、更轻量的管理界面。</h1>
+        <p>聚焦连接状态、更新能力与节点管理，让日常操作更直观、页面更简洁。</p>
+        <ul>
+          <li v-for="item in features" :key="item">{{ item }}</li>
+        </ul>
+      </section>
+
+      <section class="login-panel">
+        <div class="login-panel__header">
+          <h2>登录控制台</h2>
+          <p>使用服务端配置的 Web 账号进入管理界面。</p>
        </div>

-    <!-- Login card -->
-    <div class="login-card">
-      <div class="login-header">
-        <div class="logo-icon">
-          <svg xmlns="http://www.w3.org/2000/svg" class="w-8 h-8" fill="none" viewBox="0 0 24 24" stroke="currentColor">
-            <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M13 10V3L4 14h7v7l9-11h-7z" />
-          </svg>
-        </div>
-        <h1 class="logo-text">GoTunnel</h1>
-        <p class="subtitle">安全的内网穿透工具</p>
-      </div>
+        <form class="login-form" @submit.prevent="handleLogin">
+          <label class="form-group">
+            <span>用户名</span>
+            <input v-model="username" class="glass-input" type="text" autocomplete="username" placeholder="请输入用户名" />
+          </label>
+          <label class="form-group">
+            <span>密码</span>
+            <input v-model="password" class="glass-input" type="password" autocomplete="current-password" placeholder="请输入密码" />
+          </label>

-      <form @submit.prevent="handleLogin" class="login-form">
-        <div class="form-group">
-          <label class="form-label">用户名</label>
-          <input
-            v-model="username"
-            type="text"
-            class="glass-input"
-            placeholder="请输入用户名"
-            :disabled="loading"
-          />
-        </div>
+          <div v-if="error" class="error-alert">{{ error }}</div>

-        <div class="form-group">
-          <label class="form-label">密码</label>
-          <input
-            v-model="password"
-            type="password"
-            class="glass-input"
-            placeholder="请输入密码"
-            :disabled="loading"
-          />
-        </div>
-
-        <div v-if="error" class="error-alert">
-          <svg xmlns="http://www.w3.org/2000/svg" class="w-4 h-4" fill="none" viewBox="0 0 24 24" stroke="currentColor">
-            <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 8v4m0 4h.01M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
-          </svg>
-          <span>{{ error }}</span>
-        </div>
-
-        <button type="submit" class="glass-button" :disabled="loading">
-          <span v-if="loading" class="loading-spinner"></span>
-          {{ loading ? '登录中...' : '登录' }}
+          <button class="glass-btn primary submit-btn" type="submit" :disabled="!canSubmit">
+            {{ loading ? '登录中...' : '进入控制台' }}
          </button>
        </form>
-
-      <div class="login-footer">
-        <span>欢迎使用 GoTunnel</span>
-      </div>
+      </section>
    </div>
  </div>
 </template>
@@ -101,145 +82,94 @@ const handleLogin = async () => {
  display: flex;
  align-items: center;
  justify-content: center;
-  background: var(--gradient-bg);
-  padding: 16px;
-  position: relative;
+  padding: 24px;
+}
+
+.login-shell {
+  width: min(1080px, 100%);
+  display: grid;
+  grid-template-columns: minmax(0, 1.2fr) minmax(320px, 420px);
  overflow: hidden;
 }

-/* 动画背景粒子 */
-.particles {
-  position: absolute;
-  inset: 0;
-  overflow: hidden;
-  pointer-events: none;
-  z-index: 0;
+.login-hero,
+.login-panel {
+  padding: 40px;
 }

-.particle {
-  position: absolute;
-  border-radius: 50%;
-  opacity: 0.2;
-  filter: blur(60px);
-  animation: float 20s ease-in-out infinite;
-}
-
-.particle-1 {
-  width: 400px;
-  height: 400px;
-  background: var(--color-accent);
-  top: -100px;
-  right: -100px;
-}
-
-.particle-2 {
-  width: 300px;
-  height: 300px;
-  background: #8b5cf6;
-  bottom: -50px;
-  left: -50px;
-  animation-delay: -5s;
-}
-
-.particle-3 {
-  width: 250px;
-  height: 250px;
-  background: var(--color-info);
-  top: 50%;
-  left: 20%;
-  animation-delay: -10s;
-}
-
-.particle-4 {
-  width: 200px;
-  height: 200px;
-  background: #ec4899;
-  bottom: 30%;
-  right: 10%;
-  animation-delay: -15s;
-}
-
-@keyframes float {
-  0%, 100% { transform: translate(0, 0) scale(1); }
-  25% { transform: translate(30px, -30px) scale(1.05); }
-  50% { transform: translate(-20px, 20px) scale(0.95); }
-  75% { transform: translate(-30px, -20px) scale(1.02); }
-}
-
-/* Login card - 毛玻璃效果 */
-.login-card {
-  width: 100%;
-  max-width: 400px;
-  background: var(--glass-bg);
-  backdrop-filter: var(--glass-blur);
-  -webkit-backdrop-filter: var(--glass-blur);
-  border-radius: 20px;
-  border: 1px solid var(--color-border);
-  box-shadow: var(--shadow-card);
-  padding: 48px 36px;
-  position: relative;
-  z-index: 10;
-}
-
-/* 卡片顶部高光 */
-.login-card::before {
-  content: '';
-  position: absolute;
-  top: 0;
-  left: 20%;
-  right: 20%;
-  height: 1px;
-  background: linear-gradient(90deg,
-    transparent 0%,
-    rgba(255, 255, 255, 0.15) 50%,
-    transparent 100%);
-}
-
-/* Header */
-.login-header {
-  text-align: center;
-  margin-bottom: 36px;
-}
-
-.logo-icon {
-  width: 64px;
-  height: 64px;
-  margin: 0 auto 20px;
-  background: var(--gradient-accent);
-  border-radius: 16px;
+.login-hero {
  display: flex;
-  align-items: center;
+  flex-direction: column;
  justify-content: center;
-  box-shadow: 0 8px 24px var(--color-accent-glow);
+  gap: 18px;
+  background: linear-gradient(135deg, rgba(59, 130, 246, 0.14), rgba(139, 92, 246, 0.08));
+  border-right: 1px solid var(--color-border);
 }

-.logo-icon svg {
-  color: white;
-  width: 32px;
-  height: 32px;
+.login-badge {
+  width: fit-content;
+  padding: 6px 10px;
+  border-radius: 999px;
+  font-size: 12px;
+  font-weight: 600;
+  letter-spacing: 0.04em;
+  color: var(--color-accent);
+  background: rgba(59, 130, 246, 0.12);
+  border: 1px solid rgba(59, 130, 246, 0.18);
 }

-.logo-text {
-  font-size: 28px;
-  font-weight: 700;
-  background: var(--gradient-accent);
-  -webkit-background-clip: text;
-  -webkit-text-fill-color: transparent;
-  background-clip: text;
-  margin: 0 0 8px 0;
-}
-
-.subtitle {
-  color: var(--color-text-secondary);
+.login-hero h1 {
  margin: 0;
-  font-size: 14px;
+  font-size: clamp(34px, 4.5vw, 54px);
+  line-height: 1.1;
+  letter-spacing: -0.05em;
+}
+
+.login-hero p {
+  margin: 0;
+  color: var(--color-text-secondary);
+  font-size: 15px;
+  line-height: 1.8;
+}
+
+.login-hero ul {
+  display: grid;
+  gap: 12px;
+  padding: 0;
+  margin: 8px 0 0;
+  list-style: none;
+}
+
+.login-hero li {
+  padding: 14px 16px;
+  border-radius: 16px;
+  background: var(--glass-bg-light);
+  border: 1px solid var(--color-border-light);
+  color: var(--color-text-primary);
+}
+
+.login-panel {
+  display: flex;
+  flex-direction: column;
+  justify-content: center;
+  gap: 26px;
+}
+
+.login-panel__header h2 {
+  margin: 0 0 8px;
+  font-size: 28px;
+}
+
+.login-panel__header p {
+  margin: 0;
+  color: var(--color-text-secondary);
+  line-height: 1.7;
 }

-/* Form */
 .login-form {
  display: flex;
  flex-direction: column;
-  gap: 20px;
+  gap: 16px;
 }

 .form-group {
@@ -248,111 +178,44 @@ const handleLogin = async () => {
  gap: 8px;
 }

-.form-label {
-  font-size: 14px;
-  font-weight: 500;
-  color: var(--color-text-primary);
-}
-
-.glass-input {
-  background: var(--glass-bg-light);
-  backdrop-filter: var(--glass-blur-light);
-  -webkit-backdrop-filter: var(--glass-blur-light);
-  border: 1px solid var(--color-border);
-  border-radius: 12px;
-  padding: 14px 16px;
-  color: var(--color-text-primary);
-  font-size: 15px;
-  width: 100%;
-  transition: all 0.2s ease;
-  outline: none;
-}
-
-.glass-input:focus {
-  border-color: var(--color-accent);
-  box-shadow: 0 0 0 3px var(--color-accent-glow);
-}
-
-.glass-input::placeholder {
-  color: var(--color-text-muted);
-}
-
-.glass-input:disabled {
-  opacity: 0.6;
-  cursor: not-allowed;
-}
-
-/* Error alert */
-.error-alert {
-  display: flex;
-  align-items: center;
-  gap: 8px;
-  padding: 12px 14px;
-  background: rgba(239, 68, 68, 0.1);
-  border: 1px solid rgba(239, 68, 68, 0.3);
-  border-radius: 10px;
-  color: var(--color-error);
-  font-size: 14px;
-}
-
-.error-alert svg {
-  flex-shrink: 0;
-}
-
-/* Button */
-.glass-button {
-  background: var(--gradient-accent);
-  border: none;
-  border-radius: 12px;
-  padding: 14px 24px;
-  color: white;
-  font-size: 15px;
-  font-weight: 600;
-  cursor: pointer;
-  transition: all 0.2s ease;
-  display: flex;
-  align-items: center;
-  justify-content: center;
-  gap: 8px;
-  box-shadow: 0 4px 15px var(--color-accent-glow);
-}
-
-.glass-button:hover:not(:disabled) {
-  box-shadow: 0 6px 20px var(--color-accent-glow);
-  transform: translateY(-2px);
-  filter: brightness(1.1);
-}
-
-.glass-button:active:not(:disabled) {
-  transform: translateY(0) scale(0.98);
-}
-
-.glass-button:disabled {
-  opacity: 0.6;
-  cursor: not-allowed;
-}
-
-/* Loading spinner */
-.loading-spinner {
-  width: 16px;
-  height: 16px;
-  border: 2px solid rgba(255, 255, 255, 0.3);
-  border-top-color: white;
-  border-radius: 50%;
-  animation: spin 0.8s linear infinite;
-}
-
-@keyframes spin {
-  to { transform: rotate(360deg); }
-}
-
-/* Footer */
-.login-footer {
-  text-align: center;
-  margin-top: 28px;
-  padding-top: 24px;
-  border-top: 1px solid var(--color-border);
-  color: var(--color-text-muted);
+.form-group span {
+  color: var(--color-text-secondary);
  font-size: 13px;
 }
+
+.submit-btn {
+  justify-content: center;
+  width: 100%;
+  margin-top: 8px;
+}
+
+.error-alert {
+  padding: 12px 14px;
+  border-radius: 14px;
+  color: var(--color-error);
+  background: rgba(239, 68, 68, 0.1);
+  border: 1px solid rgba(239, 68, 68, 0.18);
+}
+
+@media (max-width: 900px) {
+  .login-shell {
+    grid-template-columns: 1fr;
+  }
+
+  .login-hero {
+    border-right: none;
+    border-bottom: 1px solid var(--color-border);
+  }
+}
+
+@media (max-width: 640px) {
+  .login-page {
+    padding: 16px;
+  }
+
+  .login-hero,
+  .login-panel {
+    padding: 28px 22px;
+  }
+}
 </style>
--- a/web/src/views/SettingsView.vue
+++ b/web/src/views/SettingsView.vue
@@ -1,88 +1,90 @@
 <script setup lang="ts">
-import { ref, onMounted } from 'vue'
-import { ServerOutline, SettingsOutline, SaveOutline } from '@vicons/ionicons5'
-import { useToast } from '../composables/useToast'
+import { onMounted, ref } from 'vue'
+import MetricCard from '../components/MetricCard.vue'
+import PageShell from '../components/PageShell.vue'
+import SectionCard from '../components/SectionCard.vue'
 import {
-  getVersionInfo, getServerConfig, updateServerConfig,
-  type VersionInfo, type ServerConfigResponse
+  getServerConfig,
+  getVersionInfo,
+  updateServerConfig,
+  type ServerConfigResponse,
+  type UpdateServerConfigRequest,
+  type VersionInfo,
 } from '../api'
+import { useToast } from '../composables/useToast'

 const message = useToast()
-
 const versionInfo = ref<VersionInfo | null>(null)
-const loading = ref(true)
-
-// 服务器配置
 const serverConfig = ref<ServerConfigResponse | null>(null)
-const configLoading = ref(false)
-const savingConfig = ref(false)
+const loadingVersion = ref(true)
+const loadingConfig = ref(true)
+const saving = ref(false)

-// 配置表单
 const configForm = ref({
  heartbeat_sec: 30,
  heartbeat_timeout: 90,
  web_username: '',
  web_password: '',
-  plugin_store_url: ''
 })

 const loadVersionInfo = async () => {
+  loadingVersion.value = true
  try {
    const { data } = await getVersionInfo()
    versionInfo.value = data
-  } catch (e) {
-    console.error('Failed to load version info', e)
+  } catch (error) {
+    console.error('Failed to load version info', error)
  } finally {
-    loading.value = false
+    loadingVersion.value = false
  }
 }

 const loadServerConfig = async () => {
-  configLoading.value = true
+  loadingConfig.value = true
  try {
    const { data } = await getServerConfig()
    serverConfig.value = data
-    // 填充表单
    configForm.value = {
      heartbeat_sec: data.server.heartbeat_sec,
      heartbeat_timeout: data.server.heartbeat_timeout,
      web_username: data.web.username,
      web_password: '',
-      plugin_store_url: data.plugin_store.url
    }
-  } catch (e) {
-    console.error('Failed to load server config', e)
+  } catch (error) {
+    console.error('Failed to load server config', error)
+    message.error('服务器配置加载失败')
  } finally {
-    configLoading.value = false
+    loadingConfig.value = false
  }
 }

 const handleSaveConfig = async () => {
-  savingConfig.value = true
+  saving.value = true
  try {
-    const updateReq: any = {
+    const payload: UpdateServerConfigRequest = {
      server: {
        heartbeat_sec: configForm.value.heartbeat_sec,
-        heartbeat_timeout: configForm.value.heartbeat_timeout
+        heartbeat_timeout: configForm.value.heartbeat_timeout,
      },
      web: {
-        username: configForm.value.web_username
+        username: configForm.value.web_username,
      },
-      plugin_store: {
-        url: configForm.value.plugin_store_url
    }
-    }
-    // 只有填写了密码才更新
+
    if (configForm.value.web_password) {
-      updateReq.web.password = configForm.value.web_password
+      payload.web = {
+        ...payload.web,
+        password: configForm.value.web_password,
      }
-    await updateServerConfig(updateReq)
-    message.success('配置已保存，部分配置需要重启服务后生效')
+    }
+
+    await updateServerConfig(payload)
    configForm.value.web_password = ''
-  } catch (e: any) {
-    message.error(e.response?.data || '保存配置失败')
+    message.success('配置已保存，部分配置需要重启后生效')
+  } catch (error: any) {
+    message.error(error.response?.data || '保存配置失败')
  } finally {
-    savingConfig.value = false
+    saving.value = false
  }
 }

@@ -93,413 +95,122 @@ onMounted(() => {
 </script>

 <template>
-  <div class="settings-page">
-    <!-- Particles -->
-    <div class="particles">
-      <div class="particle particle-1"></div>
-      <div class="particle particle-2"></div>
-      <div class="particle particle-3"></div>
-    </div>
+  <PageShell title="系统设置" eyebrow="Settings" subtitle="统一整理运行版本与服务配置，减少样式重复并保留关键运维操作。">
+    <template #actions>
+      <button class="glass-btn" @click="loadVersionInfo">刷新版本</button>
+      <button class="glass-btn primary" :disabled="saving" @click="handleSaveConfig">{{ saving ? '保存中...' : '保存配置' }}</button>
+    </template>

-    <div class="settings-content">
-      <!-- Header -->
-      <div class="page-header">
-        <h1 class="page-title">系统设置</h1>
-        <p class="page-subtitle">管理服务端配置和系统更新</p>
-      </div>
+    <template #metrics>
+      <MetricCard label="当前版本" :value="versionInfo?.version || '—'" :hint="versionInfo?.git_commit?.slice(0, 8) || '未知提交'" />
+      <MetricCard label="Go 版本" :value="versionInfo?.go_version || '—'" hint="运行时版本" tone="info" />
+      <MetricCard label="运行平台" :value="versionInfo ? `${versionInfo.os}/${versionInfo.arch}` : '—'" hint="服务端当前平台" tone="success" />
+      <MetricCard label="Web 用户名" :value="configForm.web_username || '—'" hint="控制台登录账号" tone="warning" />
+    </template>

-      <!-- Version Info Card -->
-      <div class="glass-card">
-        <div class="card-header">
-          <h3>版本信息</h3>
-          <ServerOutline class="header-icon" />
-        </div>
-        <div class="card-body">
-          <div v-if="loading" class="loading-state">加载中...</div>
-          <div v-else-if="versionInfo" class="info-grid">
-            <div class="info-item">
-              <span class="info-label">版本号</span>
-              <span class="info-value">{{ versionInfo.version }}</span>
-            </div>
-            <div class="info-item">
-              <span class="info-label">Git 提交</span>
-              <span class="info-value mono">{{ versionInfo.git_commit?.slice(0, 8) || 'N/A' }}</span>
-            </div>
-            <div class="info-item">
-              <span class="info-label">构建时间</span>
-              <span class="info-value">{{ versionInfo.build_time || 'N/A' }}</span>
-            </div>
-            <div class="info-item">
-              <span class="info-label">Go 版本</span>
-              <span class="info-value">{{ versionInfo.go_version }}</span>
-            </div>
-            <div class="info-item">
-              <span class="info-label">操作系统</span>
-              <span class="info-value">{{ versionInfo.os }}</span>
-            </div>
-            <div class="info-item">
-              <span class="info-label">架构</span>
-              <span class="info-value">{{ versionInfo.arch }}</span>
-            </div>
-          </div>
-          <div v-else class="empty-state">无法加载版本信息</div>
-        </div>
-      </div>
+    <div class="settings-grid">
+      <SectionCard title="版本信息" description="查看当前服务端构建信息，方便排查环境与升级状态。">
+        <div v-if="loadingVersion" class="empty-state">正在加载版本信息...</div>
+        <dl v-else-if="versionInfo" class="info-grid">
+          <div><dt>版本号</dt><dd>{{ versionInfo.version }}</dd></div>
+          <div><dt>Git 提交</dt><dd>{{ versionInfo.git_commit || 'N/A' }}</dd></div>
+          <div><dt>构建时间</dt><dd>{{ versionInfo.build_time || 'N/A' }}</dd></div>
+          <div><dt>Go 版本</dt><dd>{{ versionInfo.go_version }}</dd></div>
+          <div><dt>操作系统</dt><dd>{{ versionInfo.os }}</dd></div>
+          <div><dt>架构</dt><dd>{{ versionInfo.arch }}</dd></div>
+        </dl>
+        <div v-else class="empty-state">无法获取版本信息。</div>
+      </SectionCard>

-      <!-- Server Config Card -->
-      <div class="glass-card">
-        <div class="card-header">
-          <h3>服务器配置</h3>
-          <SettingsOutline class="header-icon" />
-        </div>
-        <div class="card-body">
-          <div v-if="configLoading" class="loading-state">加载中...</div>
-          <div v-else-if="serverConfig" class="config-form">
-            <div class="form-row">
-              <div class="form-group">
-                <label class="form-label">心跳间隔 (秒)</label>
-                <input
-                  v-model.number="configForm.heartbeat_sec"
-                  type="number"
-                  class="glass-input"
-                  min="1"
-                  max="300"
-                />
-              </div>
-              <div class="form-group">
-                <label class="form-label">心跳超时 (秒)</label>
-                <input
-                  v-model.number="configForm.heartbeat_timeout"
-                  type="number"
-                  class="glass-input"
-                  min="1"
-                  max="600"
-                />
-              </div>
-            </div>
-
-            <div class="form-divider"></div>
-
-            <div class="form-row">
-              <div class="form-group">
-                <label class="form-label">Web 用户名</label>
-                <input
-                  v-model="configForm.web_username"
-                  type="text"
-                  class="glass-input"
-                  placeholder="admin"
-                />
-              </div>
-              <div class="form-group">
-                <label class="form-label">Web 密码</label>
-                <input
-                  v-model="configForm.web_password"
-                  type="password"
-                  class="glass-input"
-                  placeholder="留空则不修改"
-                />
-              </div>
-            </div>
-
-            <div class="form-divider"></div>
-
-            <div class="form-group">
-              <label class="form-label">插件商店地址</label>
-              <input
-                v-model="configForm.plugin_store_url"
-                type="text"
-                class="glass-input"
-                placeholder="https://git.92coco.cn/flik/GoTunnel-Plugins/raw/branch/main/store.json"
-              />
-              <span class="form-hint">插件商店的 API 地址，留空使用默认地址</span>
-            </div>
-
-            <div class="form-actions">
-              <button
-                class="glass-btn primary"
-                :disabled="savingConfig"
-                @click="handleSaveConfig"
-              >
-                <SaveOutline class="btn-icon" />
-                保存配置
-              </button>
-            </div>
-          </div>
-          <div v-else class="empty-state">无法加载配置信息</div>
-        </div>
-      </div>
-    </div>
+      <SectionCard title="服务配置" description="保留最常用的心跳与登录项配置，页面结构更精简。">
+        <div v-if="loadingConfig" class="empty-state">正在加载服务器配置...</div>
+        <form v-else class="config-form" @submit.prevent="handleSaveConfig">
+          <label class="form-group">
+            <span>心跳间隔（秒）</span>
+            <input v-model.number="configForm.heartbeat_sec" class="glass-input" min="1" max="300" type="number" />
+          </label>
+          <label class="form-group">
+            <span>心跳超时（秒）</span>
+            <input v-model.number="configForm.heartbeat_timeout" class="glass-input" min="1" max="600" type="number" />
+          </label>
+          <label class="form-group form-group--full">
+            <span>Web 用户名</span>
+            <input v-model="configForm.web_username" class="glass-input" type="text" placeholder="admin" />
+          </label>
+          <label class="form-group form-group--full">
+            <span>Web 密码</span>
+            <input v-model="configForm.web_password" class="glass-input" type="password" placeholder="留空则保持不变" />
+          </label>
+        </form>
+      </SectionCard>
    </div>
+  </PageShell>
 </template>

 <style scoped>
-.settings-page {
-  min-height: calc(100vh - 108px);
-  background: var(--color-bg-primary);
-  position: relative;
-  overflow: hidden;
-  padding: 32px;
+.settings-grid {
+  display: grid;
+  gap: 20px;
+  grid-template-columns: repeat(2, minmax(0, 1fr));
 }

-/* Hide particles */
-.particles {
-  display: none;
-}
-
-.settings-content {
-  position: relative;
-  z-index: 10;
-  max-width: 900px;
-  margin: 0 auto;
-}
-
-.page-header {
-  margin-bottom: 24px;
-}
-
-.page-title {
-  font-size: 28px;
-  font-weight: 700;
-  color: var(--color-text-primary);
-  margin: 0 0 8px 0;
-}
-
-.page-subtitle {
-  color: var(--color-text-secondary);
-  margin: 0;
-  font-size: 14px;
-}
-
-/* Glass Card */
-.glass-card {
-  background: var(--color-bg-tertiary);
-  border-radius: 12px;
-  border: 1px solid var(--color-border);
-  margin-bottom: 20px;
-}
-
-.card-header {
-  padding: 16px 20px;
-  border-bottom: 1px solid var(--color-border-light);
-  display: flex;
-  justify-content: space-between;
-  align-items: center;
-}
-
-.card-header h3 {
-  margin: 0;
-  font-size: 15px;
-  font-weight: 600;
-  color: var(--color-text-primary);
-}
-
-.card-body {
-  padding: 20px;
-}
-
-/* Info Grid */
 .info-grid {
  display: grid;
-  grid-template-columns: repeat(3, 1fr);
-  gap: 16px;
+  gap: 14px;
+  grid-template-columns: repeat(2, minmax(0, 1fr));
 }

-@media (max-width: 600px) {
-  .info-grid { grid-template-columns: repeat(2, 1fr); }
+.info-grid div,
+.form-group {
+  padding: 16px;
+  border-radius: 16px;
+  background: var(--glass-bg-light);
+  border: 1px solid var(--color-border-light);
 }

-.info-item {
-  display: flex;
-  flex-direction: column;
-  gap: 4px;
-}
-
-.info-label {
-  font-size: 12px;
-  color: var(--color-text-muted);
-}
-
-.info-value {
-  font-size: 14px;
-  color: var(--color-text-primary);
-  font-weight: 500;
-}
-
-.info-value.mono {
-  font-family: monospace;
-}
-
-/* States */
-.loading-state, .empty-state {
-  text-align: center;
-  padding: 32px;
-  color: var(--color-text-muted);
-}
-
-/* Update Alert */
-.update-alert {
-  padding: 12px 16px;
-  border-radius: 8px;
-  margin-bottom: 16px;
-  font-size: 13px;
-}
-
-.update-alert.success {
-  background: rgba(0, 186, 124, 0.15);
-  border: 1px solid rgba(0, 186, 124, 0.3);
-  color: var(--color-success);
-}
-
-.update-alert.info {
-  background: rgba(29, 155, 240, 0.15);
-  border: 1px solid rgba(29, 155, 240, 0.3);
-  color: var(--color-info);
-}
-
-/* Download Info */
-.download-info {
-  color: var(--color-text-secondary);
-  font-size: 13px;
-  margin-bottom: 12px;
-}
-
-/* Release Note */
-.release-note {
-  margin-bottom: 16px;
-}
-
-.note-label {
+.info-grid dt,
+.form-group span {
  display: block;
-  font-size: 12px;
-  color: var(--color-text-muted);
-  margin-bottom: 6px;
-}
-
-.release-note pre {
-  margin: 0;
-  white-space: pre-wrap;
-  font-size: 12px;
+  margin-bottom: 8px;
  color: var(--color-text-secondary);
-  background: var(--color-bg-elevated);
-  padding: 12px;
-  border-radius: 8px;
-  max-height: 150px;
-  overflow-y: auto;
-}
-
-/* Glass Button */
-.glass-btn {
-  background: var(--color-bg-elevated);
-  border: 1px solid var(--color-border);
-  border-radius: 8px;
-  padding: 8px 16px;
-  color: var(--color-text-primary);
  font-size: 13px;
-  cursor: pointer;
-  transition: all 0.15s;
-  display: flex;
-  align-items: center;
-  gap: 6px;
 }

-.glass-btn:hover:not(:disabled) {
-  background: var(--color-border);
+.info-grid dd {
+  color: var(--color-text-primary);
+  word-break: break-word;
 }

-.glass-btn:disabled {
-  opacity: 0.5;
-  cursor: not-allowed;
-}
-
-.glass-btn.small {
-  padding: 6px 12px;
-  font-size: 12px;
-}
-
-.glass-btn.primary {
-  background: var(--color-accent);
-  border: none;
-}
-
-.glass-btn.primary:hover:not(:disabled) {
-  background: var(--color-accent-hover);
-}
-
-/* Icon styles */
-.header-icon {
-  width: 20px;
-  height: 20px;
-  color: var(--color-text-muted);
-}
-
-.btn-icon {
-  width: 14px;
-  height: 14px;
-}
-
-/* Config Form */
 .config-form {
-  display: flex;
-  flex-direction: column;
-  gap: 16px;
+  display: grid;
+  gap: 14px;
+  grid-template-columns: repeat(2, minmax(0, 1fr));
 }

 .form-group {
  display: flex;
  flex-direction: column;
-  gap: 6px;
+  gap: 8px;
 }

-.form-label {
-  font-size: 13px;
+.form-group--full {
+  grid-column: 1 / -1;
+}
+
+.empty-state {
+  padding: 48px 20px;
+  text-align: center;
  color: var(--color-text-secondary);
-  font-weight: 500;
+  background: var(--glass-bg-light);
+  border: 1px dashed var(--color-border);
+  border-radius: 16px;
 }

-.form-hint {
-  font-size: 11px;
-  color: var(--color-text-muted);
-}
-
-.form-row {
-  display: grid;
-  grid-template-columns: 1fr 1fr;
-  gap: 16px;
-}
-
-@media (max-width: 500px) {
-  .form-row {
+@media (max-width: 960px) {
+  .settings-grid,
+  .info-grid,
+  .config-form {
    grid-template-columns: 1fr;
  }
 }
-
-.form-divider {
-  height: 1px;
-  background: var(--color-border-light);
-  margin: 8px 0;
-}
-
-.form-actions {
-  margin-top: 8px;
-}
-
-/* Glass Input */
-.glass-input {
-  background: var(--color-bg-elevated);
-  border: 1px solid var(--color-border);
-  border-radius: 8px;
-  padding: 10px 14px;
-  color: var(--color-text-primary);
-  font-size: 14px;
-  outline: none;
-  transition: all 0.15s;
-}
-
-.glass-input:focus {
-  border-color: var(--color-accent);
-}
-
-.glass-input::placeholder {
-  color: var(--color-text-muted);
-}
 </style>