vpnem: VPN infrastructure with load-balanced multi-protocol nodesHEADmain

- Multi-protocol VPS nodes (VLESS-REALITY + Hysteria2 + SOCKS5)
- Smart load balancing via recommendation API
- Windows/Linux client (Go + Wails + sing-box)
- Server API with RealIP detection and connection tracking
- Auto-deployment via vpnui control plane
- Silent Windows installer with UAC elevation
- Load-based server recommendation (no sticky sessions)
- Best Server one-click connection workflow

1 files changed, 149 insertions, 0 deletions

diff --git a/internal/control/lifecycle_test.go b/internal/control/lifecycle_test.go
new file mode 100644
index 0000000..2d9958c
--- /dev/null
+++ b/internal/control/lifecycle_test.go
@@ -0,0 +1,149 @@
+package control
+
+import (
+	"context"
+	"testing"
+)
+
+func TestSetNodeEnabled(t *testing.T) {
+	t.Parallel()
+
+	node := Node{ID: "nl-01", Enabled: true}
+	disabled := SetNodeEnabled(node, false)
+	if disabled.Enabled {
+		t.Fatal("expected node to be disabled")
+	}
+	if node.Enabled != true {
+		t.Fatal("expected original node to stay unchanged")
+	}
+}
+
+func TestRotateNodeSecrets(t *testing.T) {
+	t.Parallel()
+
+	node := Node{
+		ID: "nl-01",
+		Protocols: []ProtocolProfile{
+			{Type: "vless", Enabled: true, Port: 443, Auth: &AuthProfile{UUID: "old-vless"}},
+			{Type: "vmess", Enabled: true, Port: 8444, Auth: &AuthProfile{UUID: "old-vmess"}},
+			{Type: "shadowsocks", Enabled: true, Port: 8443, Auth: &AuthProfile{Method: "2022-blake3-aes-128-gcm", Password: "old-ss"}},
+			{Type: "hysteria2", Enabled: true, Port: 9443, Auth: &AuthProfile{Password: "old-hy2"}, Extra: map[string]any{"obfs_password": "old-obfs"}},
+		},
+	}
+
+	rotated, err := RotateNodeSecrets(node)
+	if err != nil {
+		t.Fatalf("RotateNodeSecrets() error = %v", err)
+	}
+
+	if rotated.Protocols[0].Auth.UUID == "old-vless" || rotated.Protocols[0].Auth.UUID == "" {
+		t.Fatal("expected rotated vless uuid")
+	}
+	if rotated.Protocols[1].Auth.UUID == "old-vmess" || rotated.Protocols[1].Auth.UUID == "" {
+		t.Fatal("expected rotated vmess uuid")
+	}
+	if rotated.Protocols[2].Auth.Password == "old-ss" || rotated.Protocols[2].Auth.Password == "" {
+		t.Fatal("expected rotated shadowsocks password")
+	}
+	if rotated.Protocols[3].Auth.Password == "old-hy2" || rotated.Protocols[3].Auth.Password == "" {
+		t.Fatal("expected rotated hysteria2 password")
+	}
+	if rotated.Protocols[3].Extra["obfs_password"] == "old-obfs" || rotated.Protocols[3].Extra["obfs_password"] == "" {
+		t.Fatal("expected rotated hysteria2 obfs password")
+	}
+}
+
+func TestAddSocks5Protocol(t *testing.T) {
+	t.Parallel()
+
+	node, err := AddSocks5Protocol(Node{
+		ID: "nl-01",
+		Protocols: []ProtocolProfile{
+			{Type: "vless-reality", Enabled: true, Port: 443},
+			{Type: "hysteria2", Enabled: true, Port: 443},
+		},
+	}, 54101)
+	if err != nil {
+		t.Fatalf("AddSocks5Protocol() error = %v", err)
+	}
+	if len(node.Protocols) != 3 {
+		t.Fatalf("expected 3 protocols, got %d", len(node.Protocols))
+	}
+	last := node.Protocols[len(node.Protocols)-1]
+	if last.Type != "socks5" || last.Port != 54101 || !last.Enabled {
+		t.Fatalf("unexpected socks5 protocol: %+v", last)
+	}
+}
+
+func TestRepairReinstallNode(t *testing.T) {
+	t.Parallel()
+
+	state, err := RepairReinstallNode(context.Background(), fakeRunner{}, Node{
+		ID:      "nl-01",
+		Name:    "NL 01",
+		Region:  "nl",
+		Host:    "203.0.113.10",
+		Domain:  "nl-01.example.com",
+		Enabled: true,
+		SSH:     SSHConfig{User: "root", Port: 22, Auth: "key", IdentityFile: "~/.ssh/id_ed25519"},
+		Protocols: []ProtocolProfile{
+			{Type: "vless", Enabled: true, Port: 443, TLS: &TLSProfile{Enabled: true, ServerName: "nl-01.example.com"}, Auth: &AuthProfile{UUID: "11111111-1111-1111-1111-111111111111"}, Extra: map[string]any{"path": "/ws"}},
+		},
+	}, t.TempDir())
+	if err != nil {
+		t.Fatalf("RepairReinstallNode() error = %v", err)
+	}
+	if state == nil {
+		t.Fatal("expected state")
+	}
+	if state.BootstrapStatus != "healthy" {
+		t.Fatalf("BootstrapStatus = %q, want healthy", state.BootstrapStatus)
+	}
+	if got := state.Metadata["lifecycle_action"]; got != "repair_reinstall" {
+		t.Fatalf("lifecycle_action = %v, want repair_reinstall", got)
+	}
+}
+
+func TestCleanReinstallNode(t *testing.T) {
+	t.Parallel()
+
+	state, err := CleanReinstallNode(context.Background(), fakeRunner{}, Node{
+		ID:      "nl-01",
+		Name:    "NL 01",
+		Region:  "nl",
+		Host:    "203.0.113.10",
+		Domain:  "nl-01.example.com",
+		Enabled: true,
+		SSH:     SSHConfig{User: "root", Port: 22, Auth: "key", IdentityFile: "~/.ssh/id_ed25519"},
+		Protocols: []ProtocolProfile{
+			{Type: "vless", Enabled: true, Port: 443, TLS: &TLSProfile{Enabled: true, ServerName: "nl-01.example.com"}, Auth: &AuthProfile{UUID: "11111111-1111-1111-1111-111111111111"}, Extra: map[string]any{"path": "/ws"}},
+		},
+	}, t.TempDir())
+	if err != nil {
+		t.Fatalf("CleanReinstallNode() error = %v", err)
+	}
+	if state == nil {
+		t.Fatal("expected state")
+	}
+	if state.BootstrapStatus != "healthy" {
+		t.Fatalf("BootstrapStatus = %q, want healthy", state.BootstrapStatus)
+	}
+	if got := state.Metadata["lifecycle_action"]; got != "clean_reinstall" {
+		t.Fatalf("lifecycle_action = %v, want clean_reinstall", got)
+	}
+}
+
+func TestParsePreflightInspectOutput(t *testing.T) {
+	t.Parallel()
+
+	data := ParsePreflightInspectOutput("OS_ID=ubuntu\nMANAGED=1\nTCP_443=0\n")
+	if data["OS_ID"] != "ubuntu" {
+		t.Fatalf("OS_ID = %q, want ubuntu", data["OS_ID"])
+	}
+	if data["MANAGED"] != "1" {
+		t.Fatalf("MANAGED = %q, want 1", data["MANAGED"])
+	}
+	if data["TCP_443"] != "0" {
+		t.Fatalf("TCP_443 = %q, want 0", data["TCP_443"])
+	}
+}