feat(master): 🗑️ Master 卸载程序同步 v3.4.0 焦土逻辑

.github/workflows/daily_keywords.yml

@@ -0,0 +1,44 @@
+name: Daily Trends Factory
+
+on:
+  schedule:
+    # 每天 UTC 18:00 运行 (北京时间凌晨 02:00)
+    - cron: '0 18 * * *'
+  workflow_dispatch: 
+
+permissions:
+  contents: write
+
+jobs:
+  update-trends:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 
+
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.10'
+
+      - name: Execute Trends Engine
+        run: python scripts/fetch_trends.py
+
+      - name: Commit and Push
+        run: |
+          git config --global user.name "github-actions[bot]"
+          git config --global user.email "github-actions[bot]@users.noreply.github.com"
+          
+          git add data/keywords/
+          
+          # 防御机制：如果没有新数据，就静默退出，不产生空提交
+          if git diff --staged --quiet; then
+            echo "No changes, skipping."
+            exit 0
+          fi
+          
+          # 策略：放弃危险的 amend 强制覆盖，采用带日期的标准安全提交
+          git commit -m "chore(data): 🤖 自动机兵：刷新全战区热点词库 [$(date +'%Y-%m-%d')]"
+          git push origin main

.github/workflows/ua_factory.yml

@@ -0,0 +1,33 @@
+name: Automated Massive UA Factory
+
+on:
+  schedule:
+    # 每个月 1 号凌晨 00:00 执行
+    - cron: '0 0 1 * *'
+  workflow_dispatch: # 允许手动点击运行
+
+jobs:
+  build-and-deploy:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write # 必须赋予写入权限，否则无法更新仓库文件
+      
+    steps:
+    - name: 📥 Checkout Repository
+      uses: actions/checkout@v4
+
+    - name: ⚙️ Setup Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: '3.10'
+
+    - name: 🚀 Run UA Factory Generator
+      run: python scripts/ua_generator.py
+
+    - name: 📤 Commit and Push to Main
+      run: |
+        git config --local user.email "github-actions[bot]@users.noreply.github.com"
+        git config --local user.name "github-actions[bot]"
+        git add data/user_agents.txt
+        # 只有在文件内容确实发生变化时才执行提交
+        git diff --quiet && git diff --staged --quiet || (git commit -m "chore(data): 🤖 自动机兵：刷新 4000 条绝对坐标指纹库" && git push)

LICENSE

@@ -0,0 +1,661 @@
+                    GNU AFFERO GENERAL PUBLIC LICENSE
+                       Version 3, 19 November 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The GNU Affero General Public License is a free, copyleft license for
+software and other kinds of works, specifically designed to ensure
+cooperation with the community in the case of network server software.
+
+  The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works.  By contrast,
+our General Public Licenses are intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+  Developers that use our General Public Licenses protect your rights
+with two steps: (1) assert copyright on the software, and (2) offer
+you this License which gives you legal permission to copy, distribute
+and/or modify the software.
+
+  A secondary benefit of defending all users' freedom is that
+improvements made in alternate versions of the program, if they
+receive widespread use, become available for other developers to
+incorporate.  Many developers of free software are heartened and
+encouraged by the resulting cooperation.  However, in the case of
+software used on network servers, this result may fail to come about.
+The GNU General Public License permits making a modified version and
+letting the public access it on a server without ever releasing its
+source code to the public.
+
+  The GNU Affero General Public License is designed specifically to
+ensure that, in such cases, the modified source code becomes available
+to the community.  It requires the operator of a network server to
+provide the source code of the modified version running there to the
+users of that server.  Therefore, public use of a modified version, on
+a publicly accessible server, gives the public access to the source
+code of the modified version.
+
+  An older license, called the Affero General Public License and
+published by Affero, was designed to accomplish similar goals.  This is
+a different license, not a version of the Affero GPL, but Affero has
+released a new version of the Affero GPL which permits relicensing under
+this license.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                       TERMS AND CONDITIONS
+
+  0. Definitions.
+
+  "This License" refers to version 3 of the GNU Affero General Public License.
+
+  "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+  "The Program" refers to any copyrightable work licensed under this
+License.  Each licensee is addressed as "you".  "Licensees" and
+"recipients" may be individuals or organizations.
+
+  To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy.  The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+  A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+  To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy.  Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+  To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies.  Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+  An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License.  If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+  1. Source Code.
+
+  The "source code" for a work means the preferred form of the work
+for making modifications to it.  "Object code" means any non-source
+form of a work.
+
+  A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+  The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form.  A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+  The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities.  However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work.  For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+  The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+  The Corresponding Source for a work in source code form is that
+same work.
+
+  2. Basic Permissions.
+
+  All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met.  This License explicitly affirms your unlimited
+permission to run the unmodified Program.  The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work.  This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+  You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force.  You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright.  Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+  Conveying under any other circumstances is permitted solely under
+the conditions stated below.  Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+  No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+  When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+  4. Conveying Verbatim Copies.
+
+  You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+  You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+  5. Conveying Modified Source Versions.
+
+  You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+    a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+
+    b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under section
+    7.  This requirement modifies the requirement in section 4 to
+    "keep intact all notices".
+
+    c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy.  This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged.  This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+
+    d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+
+  A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit.  Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+  6. Conveying Non-Source Forms.
+
+  You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+    a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+
+    b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the
+    Corresponding Source from a network server at no charge.
+
+    c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source.  This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+
+    d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge.  You need not require recipients to copy the
+    Corresponding Source along with the object code.  If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source.  Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+
+    e) Convey the object code using peer-to-peer transmission, provided
+    you inform other peers where the object code and Corresponding
+    Source of the work are being offered to the general public at no
+    charge under subsection 6d.
+
+  A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+  A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling.  In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage.  For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product.  A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+  "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source.  The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+  If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information.  But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+  The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed.  Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+  Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+  7. Additional Terms.
+
+  "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law.  If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+  When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it.  (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.)  You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+  Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+    a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+
+    b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+
+    c) Prohibiting misrepresentation of the origin of that material, or
+    requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+
+    d) Limiting the use for publicity purposes of names of licensors or
+    authors of the material; or
+
+    e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+
+    f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions of
+    it) with contractual assumptions of liability to the recipient, for
+    any liability that these contractual assumptions directly impose on
+    those licensors and authors.
+
+  All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10.  If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term.  If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+  If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+  Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+  8. Termination.
+
+  You may not propagate or modify a covered work except as expressly
+provided under this License.  Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+  However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+  Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+  Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License.  If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+  9. Acceptance Not Required for Having Copies.
+
+  You are not required to accept this License in order to receive or
+run a copy of the Program.  Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance.  However,
+nothing other than this License grants you permission to propagate or
+modify any covered work.  These actions infringe copyright if you do
+not accept this License.  Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+  10. Automatic Licensing of Downstream Recipients.
+
+  Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License.  You are not responsible
+for enforcing compliance by third parties with this License.
+
+  An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations.  If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+  You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License.  For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+  11. Patents.
+
+  A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based.  The
+work thus licensed is called the contributor's "contributor version".
+
+  A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version.  For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+  Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+  In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement).  To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+  If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients.  "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+  If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+  A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License.  You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+  Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+  12. No Surrender of Others' Freedom.
+
+  If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all.  For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+  13. Remote Network Interaction; Use with the GNU General Public License.
+
+  Notwithstanding any other provision of this License, if you modify the
+Program, your modified version must prominently offer all users
+interacting with it remotely through a computer network (if your version
+supports such interaction) an opportunity to receive the Corresponding
+Source of your version by providing access to the Corresponding Source
+from a network server at no charge, through some standard or customary
+means of facilitating copying of software.  This Corresponding Source
+shall include the Corresponding Source for any work covered by version 3
+of the GNU General Public License that is incorporated pursuant to the
+following paragraph.
+
+  Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU General Public License into a single
+combined work, and to convey the resulting work.  The terms of this
+License will continue to apply to the part which is the covered work,
+but the work with which it is combined will remain governed by version
+3 of the GNU General Public License.
+
+  14. Revised Versions of this License.
+
+  The Free Software Foundation may publish revised and/or new versions of
+the GNU Affero General Public License from time to time.  Such new versions
+will be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+  Each version is given a distinguishing version number.  If the
+Program specifies that a certain numbered version of the GNU Affero General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation.  If the Program does not specify a version number of the
+GNU Affero General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+  If the Program specifies that a proxy can decide which future
+versions of the GNU Affero General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+  Later license versions may give you additional or different
+permissions.  However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+  15. Disclaimer of Warranty.
+
+  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+  16. Limitation of Liability.
+
+  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+  17. Interpretation of Sections 15 and 16.
+
+  If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU Affero General Public License as published
+    by the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU Affero General Public License for more details.
+
+    You should have received a copy of the GNU Affero General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+  If your software can interact with users remotely through a computer
+network, you should also make sure that it provides a way for users to
+get its source.  For example, if your program is a web application, its
+interface could display a "Source" link that leads users to an archive
+of the code.  There are many ways you could offer source, and different
+solutions will be better for different programs; see section 13 for the
+specific requirements.
+
+  You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU AGPL, see
+<https://www.gnu.org/licenses/>.

README.md

@@ -1,16 +1,46 @@
 # 🛡️ IP-Sentinel (分布式 IP 哨兵集群)
 
+![Agent Installs](https://img.shields.io/endpoint?url=https://ip-sentinel-count.samanthaestime296.workers.dev/stats/agent)
+![Master Commands](https://img.shields.io/endpoint?url=https://ip-sentinel-count.samanthaestime296.workers.dev/stats/master)
+![License](https://img.shields.io/github/license/hotyue/IP-Sentinel)
+
 > **一个极度轻量、零感知、支持中枢遥控的 VPS IP 自动化养护与区域纠偏引擎。**
 
-专为解决 VPS IPv4 被 Google 等数据库错误定位到中国大陆/香港（俗称“送中”）等问题而生。IP-Sentinel 已从单机脚本全面跃升为 **Master-Agent 分布式架构**。它像影子一样潜伏在全球各地的服务器后台，通过高度拟真的真实用户行为为你默默积累 IP 权重，并允许你通过 Telegram 随时随地对整个舰队进行毫秒级“点名”与“遥控”。
+📢 官方战术交流频道: 🛰️ [IP-Sentinel Matrix](https://t.me/IP_Sentinel_Matrix)
+
+专为解决 VPS IP 被 Google 等数据库错误定位到中国大陆/香港（俗称“送中”）等问题而生。IP-Sentinel 已从单机脚本全面跃升为 **Master-Agent 分布式架构**。它像影子一样潜伏在全球各地的服务器后台，通过高度拟真的真实用户行为为你默默积累 IP 权重，并允许你通过 Telegram 随时随地对整个舰队进行毫秒级“点名”与“遥控”。
 
 ## ✨ 核心极客特性
 
-* 🧠 **分布式中枢 (Master-Agent)**：彻底解决多台 VPS 的管理痛点。一台 Master 主控集成 SQLite 数据库与 Telegram 机器人，统管无数台 Agent 边缘节点，告别 API 消息冲突。
-* 🎮 **TG 战术面板 (Command Center)**：无需记忆繁琐命令，原生 Inline Keyboard 按钮驱动。支持一键调出节点列表、一键下发伪装指令、一键索要精准战报、**毫秒级抓取实时运行日志**。
-* 🛡️ **NAT 穿透与安全网关 (NAT-Friendly)**：边缘节点采用 Python3 极轻量 Webhook 监听，**完全自定义通信端口**，完美支持受限 NAT 小鸡。独创 TG 转发授权机制，杜绝野生节点恶意接入。
-* 👻 **高仿真人类行为 (Human-Like)**：摒弃死板的 Ping/Curl，引入单次会话指纹锁定、10 米级 GPS 坐标微抖动、以及 60~150 秒的真实阅读停顿拉伸，完美避开 AI 封控。
-* 📡 **OTA 静默进化 (Smart Updates)**：系统每周日凌晨自动从云端拉取最新的“热搜词汇”和“真实设备指纹池”，确保养护行为与时俱进、永不过时。
+ - 🗺️ **全球拓扑矩阵 (Global Nexus)**：v3.1 跨洲际跃升。守护版图现已横跨亚、欧、美三大洲（美、日、英、德、法、新、港）。为每个国家注入极其硬核的“原生本地化”搜索词库与本土高权重站点（如政府、权威媒体、高铁网），真正实现“拟真融入”。
+
+ - 👻 **设备资产持久化 (Hash-Seeded Persona)**：v3.2 核心换代。彻底摒弃传统的“随机抽取指纹”，引入基于节点物理 IP 的哈希锚定引擎。利用不可变哈希种子，为您的每台 VPS 在千万级指纹库中永久锁定 3 个绝对专属设备（如固定表现为 1台 Mac、1台 iPhone、1台 PC 交替上网）。完美构建高权重真实家庭内网画像，根除“僵尸网络”同质化特征！
+
+ - 🏭 **自动化指纹兵工厂 (Automated UA Factory)**：依托 GitHub Actions CI/CD 流水线，每月 1 日无人值守全自动生成 4000+ 带绝对物理分区的真实终端设备数据。配合边缘节点的守护进程静默拉取，实现千万级指纹资产的“自动驾驶”级演进。
+
+ - 📡 **OTA 动态活体词库 (Dynamic Trends)**：v3.3.0 跨时代跃升。彻底废弃静态搜索词，引入 GitHub Actions 云端流水线。每天自动抓取美、日、德、英等全战区当日 Google 热搜榜单，并通过边缘节点每日静默同步，让您的 IP 搜索行为永远贴合当地当天的真实网络脉搏。
+
+ - 🔀 **智能错峰调度 (Thundering Herd Mitigation)**：v3.3.0 架构升级。首创节点部署时间戳锚定逻辑。边缘节点按需智能分频（每日拉取几百行轻量词库，每月按 30 天周期错峰拉取千万级指纹库），完美化解“惊群效应”，彻底抹平统一升级时的数据并发特征，隐匿于无形。
+
+ - 🖧 **底层路由死锁 (Hard-Bind Routing)**：v3.2.1 热修复升级。底层探测引擎强力接管 curl 核心参数 (--interface)，强制将发出的每一滴伪装流量死死绑定在您设定的物理网卡或隧道 IP 上，彻底杜绝双栈或多网卡环境下的流量溢出漏洞。
+
+ - 🎯 **多级容灾与高精度探针 (High-Precision Probe)**：v3.2.2 底层重构。重写战报模块与底层协议自适应逻辑，植入多级 ISP 容灾探针链路，并按“底层数据共识原则”智能清洗冗余 AS 号。确保在纯 V6、隧道或弱网环境下，数据获取依然 100% 精准畅通。
+
+ - 🔄 **平滑热更新装甲 (Smooth Upgrade Engine)**：v3.2.2 体验进化。全系植入状态机嗅探逻辑。无论是 Master 司令部还是 Agent 边缘节点，再次执行部署脚本时将自动识别并继承历史配置、SQLite 数据库与锚定 IP，一键回车即可瞬间完成无损换代，告别繁琐的重复配置。
+ 
+ - ☁️ **云端中枢 (Public Master)**：引入官方公共机器人 @OmniBeacon_bot，新手无需部署 Master 司令部，部署 Agent 时一键回车即可调用官方加密网关，30 秒极速入伍！
+
+ - 🧠 **分布式中枢 (Master-Agent)**：对于硬核极客，支持私有化部署。一台 Master 主控集成 SQLite 数据库，统管无数台 Agent 边缘节点，确保数据绝对私有。
+
+ - 🔒 **叹息之墙 (Zero-Trust HMAC)**：全面废弃明文 Token，底层通讯引入 时间戳 + HMAC-SHA256 军用级动态签名。指令有效期仅 60 秒（阅后即焚），彻底免疫中间人抓包、重放攻击与端口爆破。
+
+ - 🛡️ **工业级并发与自净引擎**：底层 Webhook 采用多线程模型彻底免疫慢速耗尽攻击；独创“智能清道夫”逻辑，覆盖安装/升级时自动绞杀僵尸进程与冗余定时任务，绝对纯净，告别玄学冲突。
+
+ - 🎮 **TG 战术面板 (Command Center)**：无需记忆繁琐命令，全 Inline Keyboard 交互。支持一键下发伪装指令、一键索要精准战报、毫秒级抓取边缘节点实时运行日志。
+
+ - 👁️‍🗨️ **玻璃房透明遥测 (Glasshouse Telemetry)**：引入基于 Cloudflare Workers 的全透明计数中枢，首页动态徽章实时展示全球真实装机与调用量。绝对零隐私收集，仅作原子累加，底层网关源码全开源，接受全网极客审计。
+
+ - ⚡ **丝滑战术交互 (Seamless UI)**：司令部交互面板像素级打磨。新节点发送暗号入伍成功后，司令部将无缝零延迟自动呼出最新的活跃节点阵列面板，彻底免除重复输入命令的繁琐，掌控感拉满。
 
 ## 📂 项目架构 (Monorepo)
 
@@ -18,43 +48,87 @@
 
 ```text
 📦 IP-Sentinel
+ ┣ 📂 .github/workflows/      # 🏭 自动化兵工厂：每月定时触发指纹生成的 CI/CD 流水线
  ┣ 📂 master/                 # 🧠 司令部：SQLite 存储、TG 监听与 Webhook 调度中心
- ┣ 📂 core/                   # 🛡️ 边缘哨兵：Webhook 被动监听、高拟真养护引擎
- ┗ 📂 data/                   # 🗂️ 全球数据规则库
-    ┣ 📂 regions/             # 🧊 冷数据：各地区 GPS 基准配置 (固化)
-    ┣ 📂 keywords/            # 🔥 热数据：动态搜索词库 (OTA 自动更新)
-    ┗ 📜 user_agents.txt      # 🔥 热数据：全局真实设备指纹池
+ ┣ 📂 core/                   # 🛡️ 边缘哨兵：Webhook 被动监听、哈希锚定执行引擎
+ ┣ 📂 scripts/                # 🐍 兵工厂引擎：基于 Python 的多物理分区 UA 生成器
+ ┣ 📂 data/                   # 🗂️ 全球数据规则库 (动态拓扑)
+ ┃  ┣ 📜 map.json             # 🌐 全球区域索引大脑 (Master Index)
+ ┃  ┣ 📂 regions/             # 🧊 冷数据：按 [国家/省州/城市] 深度细分的 LBS 锚点
+ ┃  ┣ 📂 keywords/            # 🔥 热数据：按国家归类的动态搜索词库 (OTA 自动更新)
+ ┃  ┗ 📜 user_agents.txt      # 🔥 热数据：由兵工厂每月锻造的绝对坐标专属设备库
+ ┗ 📂 telemetry/              # 👁️‍🗨️ 玻璃房计划：Cloudflare Workers 透明计数器网关源码
 ```
 
-🚀 极速部署 (Quick Start)
-请准备一个 Telegram Bot Token 和你的个人 Chat ID。整个集群的部署分为两步：
+## 🚀 极速部署 (Quick Start)
 
-第一步：部署中枢司令部 (Master)
-找一台网络稳定的 VPS 作为大脑（仅需部署一台），以 root 身份执行：
+v3.3.x 提供了两种接入模式，请根据您的战术需求选择：
 
+### 🔹 模式 A：官方公共模式 (最简、推荐)
+**适合不想折腾、只想快速养护 IP 的新兵。**
+
+1. **关注机器人**：在 TG 中关注 [@OmniBeacon_bot](https://t.me/OmniBeacon_bot) 并发送 `/start`。
+2. **部署 Agent**：在目标 VPS 上执行以下指令，安装过程中**直接回车**使用官方机器人，并输入您的 Chat ID：
 ```Bash
-bash <(curl -sL https://git.94211762.xyz/hotyue/IP-Sentinel/raw/branch/main/master/install_master.sh)
+bash <(curl -sL https://raw.githubusercontent.com/hotyue/IP-Sentinel/main/core/install.sh)
+
 ```
-完成后，你的机器人将开始全局接客，等待边缘节点注册。
+3. **激活节点**：安装完成后，您的手机会收到一条 #REGISTER# 暗号，将其转发给机器人即可完成入库。
 
-第二步：部署边缘哨兵 (Agent)
-在你需要养护 IP 的无数台目标机器（包括 NAT 机器）上执行：
+### 🔸 模式 B：私有独立模式 (全自主、硬核)
+**适合追求绝对数据隐私、需自建机器人的领主。**
 
+1. **部署 Master**：找一台 VPS 作为大脑（仅需部署一台），执行：
 ```Bash
-bash <(curl -sL https://git.94211762.xyz/hotyue/IP-Sentinel/raw/branch/main/core/install.sh)
+bash <(curl -sL https://raw.githubusercontent.com/hotyue/IP-Sentinel/main/master/install_master.sh)
+
 ```
-安装时输入与 Master 相同的 Bot Token 及自定义 Webhook 端口。安装完毕后，请在手机 TG 端将生成的 #REGISTER# 暗号转发给机器人，完成安全授权入库！
+2. **部署 Agent**：在需要养护的机器上执行 Agent 脚本，输入您自建机器人的 Token 以及与 Master 一致的配置。
+```Bash
+bash <(curl -sL https://raw.githubusercontent.com/hotyue/IP-Sentinel/main/core/install.sh)
+
+```
+3. **激活节点**：同上，将暗号转发给您自己的机器人即可。
+
+### ⚠️ 平滑升级指引 (Upgrade to v3.3.0)
+
+得益于 **v3.2.2 全新引入的平滑热更新引擎 (Smooth Upgrade Engine)**，系统升级现已变得极其优雅与安全。
+
+无需卸载旧版本，无论您是要升级 Agent 边缘节点还是 Master 控制中枢，只需在您的终端中**再次运行上方对应的官方部署指令**。
+
+安装雷达会自动嗅探您的历史部署状态（包括您的 Token、区域设定、SQLite 数据库及物理网卡锚点）。当询问是否平滑升级时，您只需**一路回车 (默认选 y)**，脚本将在短短 3 秒内瞬间完成核心装甲的无损换脑手术，您的所有战术资产将得到 100% 保留！
 
 🗑️ 一键无痕卸载
-如果你需要清理某个边缘节点，只需重新运行 core/install.sh 并选择 [3]，或直接在节点终端执行：
+如果你需要清理某个边缘节点，只需重新运行 `core/install.sh` 并选择 **[2]**，或直接在节点终端执行：
 
 ```Bash
 bash /opt/ip_sentinel/core/uninstall.sh
+
 ```
 
+### 🧓 传家宝老旧系统专用通道 (Debian 9)
+
+如果你的小鸡系统版本过低（如 Debian 9），由于官方 APT 源已关闭且 Python 版本过旧，无法使用主线版本，请使用 **Legacy 兼容分支** 部署。
+*(注意：该分支仅作基础维护，不享受新功能迭代，请尽可能升级你的系统)*
+
+```bash
+bash <(curl -sL https://raw.githubusercontent.com/hotyue/IP-Sentinel/legacy/core/install.sh)
+```
+
+📡 战术联络 (Community)
+如果你在使用过程中遇到任何疑难杂症，或者想围观大佬们的养护战报，欢迎加入我们的基地：
+- Telegram 频道: [@IP_Sentinel_Matrix](https://t.me/IP_Sentinel_Matrix)
+
 🤝 参与贡献
 如果你想为项目增加新的节点区域（例如德国、英国、新加坡等），或者提供更丰富的本土化搜索词库，非常欢迎提交 Pull Request！
-只需在 data/regions/ 新增对应国家的 JSON 规则，并在 data/keywords/ 新增词库 txt 即可。
+
+**v3.0 全球节点贡献规范：**
+1. 在 `data/regions/国家代码/省州代码/` 目录下新增对应城市的配置 `.json`。
+2. 在 `data/keywords/` 目录下新增或完善配套国家的词库 `kw_XX.txt`。
+3. **最重要的一步：** 在 `data/map.json` 中登记你的国家、省州与城市信息。安装脚本将自动读取地图，在全球雷达中点亮你的节点！
 
 ⚠️ 免责声明
-本项目仅供网络原理研究、个人 VPS 维护学习使用。请遵守当地法律法规及目标服务商的 TOS（服务条款），切勿用于恶意高频请求或任何非法用途。使用者需自行承担因不当使用造成的 IP 封禁或其他相关风险。
+本项目仅供网络原理研究、个人 VPS 维护学习使用。请遵守当地法律法规及目标服务商的 TOS（服务条款），切勿用于恶意高频请求或任何非法用途。使用者需自行承担因不当使用造成的 IP 封禁或其他相关风险。
+
+## Stargazers over time
+[![Stargazers over time](https://starchart.cc/hotyue/IP-Sentinel.svg?variant=adaptive)](https://starchart.cc/hotyue/IP-Sentinel)

core/agent_daemon.sh

@@ -1,13 +1,13 @@
 #!/bin/bash
 
 # ==========================================================
-# 脚本名称: agent_daemon.sh (受控节点 Webhook 守护进程 V1.2)
-# 核心功能: 智能防打扰注册、进程防冲突自检、后台静默监听
+# 脚本名称: agent_daemon.sh (受控节点 Webhook 守护进程 v3.4.0 版本锚点版)
+# 核心功能: 智能防打扰注册、进程自检、模块级路由分发(403拦截)
 # ==========================================================
 
 INSTALL_DIR="/opt/ip_sentinel"
 CONFIG_FILE="${INSTALL_DIR}/config.conf"
-IP_CACHE="${INSTALL_DIR}/core/.last_ip" # 【新增】本地 IP 状态缓存文件
+IP_CACHE="${INSTALL_DIR}/core/.last_ip"
 
 [ ! -f "$CONFIG_FILE" ] && exit 1
 source "$CONFIG_FILE"
@@ -17,91 +17,243 @@ source "$CONFIG_FILE"
 
 # 默认 Webhook 监听端口
 AGENT_PORT=${AGENT_PORT:-9527}
-NODE_NAME=$(hostname | cut -c 1-15)
+# [v3.4.0 核心] 统一采用防 Markdown 崩溃的中划线连接符
+IP_HASH=$(echo "${PUBLIC_IP:-127.0.0.1}" | md5sum | cut -c 1-4 | tr 'a-z' 'A-Z')
+NODE_NAME="$(hostname | cut -c 1-10)-${IP_HASH}"
 
 # --- [重点升级 1: 守护进程防冲突自检] ---
-# 检查是否已经有 webhook 进程在监听当前端口，如果有，直接安静退出 (Cron 友好)
 if pgrep -f "webhook.py $AGENT_PORT" > /dev/null; then
-    # 保持静默，不输出多余日志，防止打扰系统的 syslog
     exit 0
 fi
 
-# 1. 获取本机原生公网 IPv4
-AGENT_IP=$(curl -4 -s -m 5 api.ip.sb/ip)
+# 1. 尝试获取实时公网 IP
+RAW_IP=$(curl -${IP_PREF:-4} -s -m 5 api.ip.sb/ip | tr -d '[:space:]')
+
+# [v3.3.1 修改] 为新获取到的 v6 自动加方括号；如果网络波动没抓到，强制信任本地 config 中的公网面孔
+if [ -n "$RAW_IP" ]; then
+    if [[ "$RAW_IP" == *":"* ]] && [[ "$RAW_IP" != *"["* ]]; then
+        AGENT_IP="[${RAW_IP}]"
+    else
+        AGENT_IP="$RAW_IP"
+    fi
+else
+    AGENT_IP="${PUBLIC_IP:-${BIND_IP:-Unknown}}"
+fi
 
 if [ -n "$AGENT_IP" ]; then
     # --- [重点升级 2: 智能防打扰注册机制] ---
     LAST_IP=""
-    [ -f "$IP_CACHE" ] && LAST_IP=$(cat "$IP_CACHE")
+    [ -f "$IP_CACHE" ] && LAST_IP=$(cat "$IP_CACHE" | tr -d '[:space:]')
 
     # 只有当这是第一次运行，或者公网 IP 发生变动时，才发送 Telegram 申请
     if [ "$AGENT_IP" != "$LAST_IP" ]; then
-        REG_MSG="👋 **[边缘节点接入申请]**%0A节点: \`${NODE_NAME}\`%0A地址: \`${AGENT_IP}:${AGENT_PORT}\`%0A%0A⚠️ **安全验证**: 为防止非法节点接入，请长按复制下方代码，并**发送给我**以完成最终授权录入：%0A%0A\`#REGISTER#|${NODE_NAME}|${AGENT_IP}|${AGENT_PORT}\`"
+        # V3.1.3 协议升级: 在底部暗号中精准嵌入 ${REGION_CODE} 大区标识
+        REG_MSG="👋 **[边缘节点接入申请]**%0A大区: \`${REGION_CODE}\`%0A节点: \`${NODE_NAME}\`%0A地址: \`${AGENT_IP}:${AGENT_PORT}\`%0A%0A⚠️ **安全验证**: 为防止非法节点接入，请长按复制下方代码，并**发送给我**以完成最终授权录入：%0A%0A\`#REGISTER#|${REGION_CODE}|${NODE_NAME}|${AGENT_IP}|${AGENT_PORT}\`"
         
-        curl -s -m 5 -X POST "https://api.telegram.org/bot${TG_TOKEN}/sendMessage" \
+        curl -s -m 5 -X POST "${TG_API_URL}" \
             -d "chat_id=${CHAT_ID}" \
             -d "text=${REG_MSG}" \
             -d "parse_mode=Markdown" > /dev/null
         
         echo "✅ [Agent] 已向司令部发送接入申请，请在 Telegram 手机端完成授权！"
-        # 记录当前 IP 到缓存文件
         echo "$AGENT_IP" > "$IP_CACHE"
     else
         echo "ℹ️ [Agent] IP 未变动 ($AGENT_IP)，跳过重复注册申请。"
     fi
 fi
 
-# 3. 启动轻量级 Python3 Webhook 监听服务
+# 3. 启动轻量级 Python3 Webhook 监听服务 (v3.0.4 动态 HMAC 签名防重放)
 cat > "${INSTALL_DIR}/core/webhook.py" << 'EOF'
 import http.server
 import socketserver
 import subprocess
 import sys
+import os
+import html
+# ================== [v3.0.4 新增密码学与解析依赖] ==================
+import urllib.parse
+import urllib.request  # [修复] 提升至全局作用域，防止局部变量遮蔽
+import hmac
+import hashlib
+import time
+# ====================================================================
 
 PORT = int(sys.argv[1])
 
+# 🛡️ 提取全局鉴权 Token (利用 CHAT_ID 作为 PSK 预共享密钥)
+AUTH_TOKEN = ""
+if os.path.exists('/opt/ip_sentinel/config.conf'):
+    with open('/opt/ip_sentinel/config.conf', 'r') as f:
+        for line in f:
+            line = line.strip()
+            if line.startswith('CHAT_ID='):
+                AUTH_TOKEN = line.split('=', 1)[1].strip('"\'')
+                break
+
 class AgentHandler(http.server.BaseHTTPRequestHandler):
     def do_GET(self):
-        # 统一返回成功，防止 Master 请求超时阻塞
-        self.send_response(200)
-        self.send_header("Content-type", "text/plain")
-        self.end_headers()
-        self.wfile.write(b"Agent Received Action\n")
+        # 🛡️ [v3.0.4 核心] URL 解析与动态 HMAC-SHA256 签名校验
+        parsed = urllib.parse.urlparse(self.path)
+        req_path = parsed.path
         
-        # 路由分发
-        if self.path == '/trigger_run':
-            subprocess.Popen(['bash', '/opt/ip_sentinel/core/mod_google.sh'])
-        elif self.path == '/trigger_report':
+        if AUTH_TOKEN:
+            query = urllib.parse.parse_qs(parsed.query)
+            req_t = query.get('t', [''])[0]
+            req_sign = query.get('sign', [''])[0]
+            
+            # 校验 1：参数是否齐全
+            if not req_t or not req_sign:
+                self.send_response(401)
+                self.end_headers()
+                self.wfile.write(b"401 Unauthorized: Missing Signature\n")
+                return
+                
+            try:
+                # 校验 2：时间戳防重放 (误差 ±60秒 内有效，拒绝隔夜抓包重放)
+                if abs(int(time.time()) - int(req_t)) > 60:
+                    self.send_response(401)
+                    self.end_headers()
+                    self.wfile.write(b"401 Unauthorized: Request Expired\n")
+                    return
+            except ValueError:
+                self.send_response(401)
+                self.end_headers()
+                return
+                
+            # 校验 3：HMAC 数据完整性与身份合法性校验
+            msg = f"{req_path}:{req_t}".encode('utf-8')
+            expected_sign = hmac.new(AUTH_TOKEN.encode('utf-8'), msg, hashlib.sha256).hexdigest()
+            
+            # 使用 compare_digest 防御时序攻击
+            if not hmac.compare_digest(expected_sign, req_sign):
+                self.send_response(401)
+                self.end_headers()
+                self.wfile.write(b"401 Unauthorized: Signature Mismatch\n")
+                return
+
+        # ================== 路由分发 (恢复为安全的精确匹配) ==================
+        
+        # 路由 0: 全局统筹调度 (处理 /trigger_run 一键全节点维护)
+        if req_path == '/trigger_run':
+            if os.path.exists('/opt/ip_sentinel/core/runner.sh'):
+                self.send_response(200)
+                self.send_header("Content-type", "text/plain")
+                self.end_headers()
+                self.wfile.write(b"Action Accepted: runner\n")
+                subprocess.Popen(['bash', '/opt/ip_sentinel/core/runner.sh'])
+            else:
+                self.send_response(404)
+                self.end_headers()
+                
+        # 路由 1: Google 区域纠偏
+        elif req_path == '/trigger_google':
+            if os.path.exists('/opt/ip_sentinel/core/mod_google.sh'):
+                self.send_response(200)
+                self.send_header("Content-type", "text/plain")
+                self.end_headers()
+                self.wfile.write(b"Action Accepted: mod_google\n")
+                subprocess.Popen(['bash', '/opt/ip_sentinel/core/mod_google.sh'])
+            else:
+                self.send_response(403)
+                self.send_header("Content-type", "text/plain")
+                self.end_headers()
+                self.wfile.write(b"403 Forbidden: Google Module Disabled\n")
+
+        # 路由 2: IP 信用净化
+        elif req_path == '/trigger_trust':
+            if os.path.exists('/opt/ip_sentinel/core/mod_trust.sh'):
+                self.send_response(200)
+                self.send_header("Content-type", "text/plain")
+                self.end_headers()
+                self.wfile.write(b"Action Accepted: mod_trust\n")
+                subprocess.Popen(['bash', '/opt/ip_sentinel/core/mod_trust.sh'])
+            else:
+                self.send_response(403)
+                self.send_header("Content-type", "text/plain")
+                self.end_headers()
+                self.wfile.write(b"403 Forbidden: Trust Module Disabled\n")
+
+        # 路由 3: 触发战报推送
+        elif req_path == '/trigger_report':
+            self.send_response(200)
+            self.send_header("Content-type", "text/plain")
+            self.end_headers()
+            self.wfile.write(b"Action Accepted: tg_report\n")
             subprocess.Popen(['bash', '/opt/ip_sentinel/core/tg_report.sh'])
-        elif self.path == '/trigger_log':
-            bash_cmd = """
-            source /opt/ip_sentinel/config.conf
-            LOG_DATA=$(tail -n 15 /opt/ip_sentinel/logs/sentinel.log)
-            NODE=$(hostname | cut -c 1-15)
-            curl -s -X POST "https://api.telegram.org/bot${TG_TOKEN}/sendMessage" \
-                -d "chat_id=${CHAT_ID}" \
-                -d "text=📄 **[${NODE}] 实时运行日志:**%0A\`\`\`log%0A${LOG_DATA}%0A\`\`\`" \
-                -d "parse_mode=Markdown"
-            """
-            subprocess.Popen(['bash', '-c', bash_cmd])
+
+        # 路由 4: 抓取并回传实时日志
+        elif req_path == '/trigger_log':
+            self.send_response(200)
+            self.send_header("Content-type", "text/plain")
+            self.end_headers()
+            self.wfile.write(b"Action Accepted: fetch_log\n")
+                        
+            try:
+                config = {}
+                if os.path.exists('/opt/ip_sentinel/config.conf'):
+                    with open('/opt/ip_sentinel/config.conf', 'r') as f:
+                        for line in f:
+                            line = line.strip()
+                            if '=' in line and not line.startswith('#'):
+                                key, val = line.split('=', 1)
+                                config[key] = val.strip('"\'')
+                
+                log_data = "日志文件不存在或为空"
+                log_path = '/opt/ip_sentinel/logs/sentinel.log'
+                if os.path.exists(log_path):
+                    with open(log_path, 'r', errors='ignore') as f:
+                        lines = f.readlines()
+                        if lines:
+                            log_data = html.escape("".join(lines[-15:]))
+                
+                # [v3.4.0 核心] 获取版本与主机名
+                local_ver = config.get('AGENT_VERSION', '未知')
+                node_hostname = subprocess.check_output(['hostname']).decode('utf-8').strip()[:10]
+                ip_hash = hashlib.md5(config.get('PUBLIC_IP', '127.0.0.1').encode()).hexdigest()[:4].upper()
+                full_node_name = f"{node_hostname}-{ip_hash}"
+                
+                text_msg = f"📄 <b>[{full_node_name}] 实时日志 (v{local_ver}):</b>\n<pre><code>{log_data}</code></pre>"
+                
+                data = urllib.parse.urlencode({
+                    'chat_id': config.get('CHAT_ID', ''),
+                    'text': text_msg,
+                    'parse_mode': 'HTML'
+                }).encode('utf-8')
+                
+                req = urllib.request.Request(
+                    config.get('TG_API_URL', ''), 
+                    data=data,
+                    headers={'User-Agent': 'IP-Sentinel-Agent/3.0.4'}
+                )
+                urllib.request.urlopen(req, timeout=10)
+                
+            except Exception as e:
+                print(f"Log transmission failed: {e}")
+            
+        else:
+            self.send_response(404)
+            self.end_headers()
 
     def log_message(self, format, *args):
-        # 关闭默认的控制台日志输出，保持后台清爽
         pass
 
+import socket
+# ================== [v3.0.3 变更: 引入多线程模型抵抗 Slowloris 攻击] ==================
+class ThreadedDualStackServer(socketserver.ThreadingMixIn, socketserver.TCPServer):
+    allow_reuse_address = True # 开启端口复用，防止热重启时端口冲突
+    address_family = socket.AF_INET6 if socket.has_ipv6 else socket.AF_INET
+
 try:
-    with socketserver.TCPServer(("", PORT), AgentHandler) as httpd:
+    bind_addr = "::" if socket.has_ipv6 else ""
+    with ThreadedDualStackServer((bind_addr, PORT), AgentHandler) as httpd:
         httpd.serve_forever()
 except Exception as e:
     sys.exit(1)
+# ====================================================================================
 EOF
 
 # --- [重点升级 3: 真正的静默后台启动] ---
 echo "🚀 [Agent] 正在后台启动 Webhook 监听服务 (端口: $AGENT_PORT)..."
-# 使用 nohup 和 & 将进程完全推入后台，不阻塞当前终端
 nohup python3 "${INSTALL_DIR}/core/webhook.py" "$AGENT_PORT" > /dev/null 2>&1 &
-
-# 尝试脱离终端会话控制 (忽略报错以兼容不同 shell 环境)
 disown 2>/dev/null || true
-
 echo "✅ [Agent] 守护进程启动完毕，可安全关闭终端。"

core/install.sh

@@ -1,21 +1,32 @@
 #!/bin/bash
 
 # ==========================================================
-# 脚本名称: install.sh (IP-Sentinel 分布式边缘节点部署脚本 V5.1)
-# 核心功能: 区域选择、一键卸载、解析冷数据、配置高频调度与双重 Webhook 守护
+# 脚本名称: install.sh (IP-Sentinel 分布式边缘节点部署脚本 v3.4.0 - OTA 活体引擎)
+# 核心功能: 区域选择、模块按需开启、官方机器人一键配置、平滑热更新、版本状态机路由
 # ==========================================================
 
-# 你的专属 Forgejo 仓库 Raw 数据直链前缀
-REPO_RAW_URL="https://git.94211762.xyz/hotyue/IP-Sentinel/raw/branch/main"
+# 你的 GitHub 仓库 Raw 数据直链前缀
+REPO_RAW_URL="https://raw.githubusercontent.com/hotyue/IP-Sentinel/main"
+# 临时改为私库地址用于测试
+# REPO_RAW_URL="https://git.94211762.xyz/hotyue/IP-Sentinel/raw/branch/main"
 INSTALL_DIR="/opt/ip_sentinel"
 CONFIG_FILE="${INSTALL_DIR}/config.conf"
 
+# [v3.4.0 核心: 全局版本控制锚点]
+TARGET_VERSION="3.4.0"
+
+# 轻量级版本号比对函数 (例如: version_lt "3.3.1" "3.4.0" 返回 true)
+version_lt() {
+    test "$(printf '%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" && test "$1" != "$2"
+}
+
 echo "========================================================"
 echo "      🛡️ 欢迎使用 IP-Sentinel (边缘节点 Edge Agent)"
+echo "               当前安装包版本: v${TARGET_VERSION}"
 echo "========================================================"
 
 # 1. 依赖检查与安装 (新增 python3 用于轻量级 Webhook 服务)
-echo -e "\n[1/6] 正在安装必要环境依赖 (curl, jq, cron, procps, python3)..."
+echo -e "\n[1/7] 正在安装必要环境依赖 (curl, jq, cron, procps, python3)..."
 if [ -f /etc/debian_version ]; then
     apt-get update -y >/dev/null 2>&1
     apt-get install -y curl jq cron procps python3 >/dev/null 2>&1
@@ -26,15 +37,21 @@ else
     echo "⚠️ 未知系统，请确保已手动安装 curl, jq, pgrep 和 python3"
 fi
 
-# 2. 交互式引导 (包含卸载选项)
-echo -e "\n[2/6] 请选择你要伪装的目标区域或执行卸载:"
-echo "  1) 🇯🇵 日本 (东京 - JP)"
-echo "  2) 🇺🇸 美国 (美西 - US)"
-echo "  3) 🗑️ 一键卸载 IP-Sentinel"
-read -p "请输入选择 [1-3] (默认1): " REGION_CHOICE
+# 2. 交互式引导与动态地图解析 (v3.0 全球网络)
+echo -e "\n[2/7] 正在连线云端，拉取全球节点地图..."
+curl -sL "${REPO_RAW_URL}/data/map.json" -o "/tmp/map.json"
 
-# 如果选择卸载，拉取卸载脚本执行并退出
-if [ "$REGION_CHOICE" == "3" ]; then
+if [ ! -s "/tmp/map.json" ]; then
+    echo -e "\033[31m❌ 拉取全球地图失败！请检查网络或 GitHub 仓库地址。\033[0m"
+    exit 1
+fi
+
+echo -e "\n请选择操作:"
+echo "  1) 🚀 部署边缘节点 (进入全球节点配置)"
+echo "  2) 🗑️ 一键卸载 IP-Sentinel"
+read -p "请输入选择 [1-2] (默认1): " ACTION_CHOICE
+
+if [ "$ACTION_CHOICE" == "2" ]; then
     echo -e "\n⏳ 正在拉取卸载程序..."
     curl -sL "${REPO_RAW_URL}/core/uninstall.sh" -o "/tmp/ip_uninstall.sh"
     chmod +x "/tmp/ip_uninstall.sh"
@@ -43,49 +60,313 @@ if [ "$REGION_CHOICE" == "3" ]; then
     exit 0
 fi
 
-# 正常安装流程匹配区域
-case ${REGION_CHOICE:-1} in
-    2) REGION_CODE="US" ;;
-    *) REGION_CODE="JP" ;;
-esac
+# ================== [v3.2.2 新增: 平滑升级模式嗅探] ==================
+UPGRADE_MODE="false"
+KEEP_LOGS="true"
 
-# 本地工作目录初始化
-mkdir -p "${INSTALL_DIR}/core"
-mkdir -p "${INSTALL_DIR}/data/keywords"
-mkdir -p "${INSTALL_DIR}/logs"
+if [ "$ACTION_CHOICE" == "1" ] && [ -f "$CONFIG_FILE" ]; then
+    echo -e "\n\033[33m💡 哨兵雷达提示：检测到本机已部署过 IP-Sentinel。\033[0m"
+    read -p "👉 是否按原配置直接进行平滑升级？(y/n, 默认y): " UPGRADE_CHOICE
+    if [[ -z "$UPGRADE_CHOICE" || "$UPGRADE_CHOICE" =~ ^[Yy]$ ]]; then
+        UPGRADE_MODE="true"
+        read -p "👉 是否保留历史运行日志？(y/n, 默认y): " LOG_CHOICE
+        if [[ "$LOG_CHOICE" =~ ^[Nn]$ ]]; then
+            KEEP_LOGS="false"
+        fi
+        
+        # 将原配置读入环境变量，为后续跳过配置步骤提供燃料
+        source "$CONFIG_FILE"
+        echo -e "\033[32m✅ 已激活 [平滑升级模式]，即将跳过基础配置，直接更新核心装甲...\033[0m"
+    else
+        echo -e "\033[33m🔄 您选择了重新配置，旧的哨兵数据将被彻底抹除。\033[0m"
+    fi
+fi
+# ====================================================================
 
-# 3. 接入 Master 中枢配置
-echo -e "\n[3/6] 是否接入 Master 司令部？(需要配置与主控相同的 TG 机器人) (y/n)"
-read -p "请输入选择 [y/n] (默认n): " TG_CHOICE
-TG_TOKEN=""
-CHAT_ID=""
-AGENT_PORT="9527"
-if [[ "$TG_CHOICE" =~ ^[Yy]$ ]]; then
-    read -p "请输入 Telegram Bot Token (与主控一致): " TG_TOKEN
-    read -p "请输入你的 Chat ID (与主控一致): " CHAT_ID
-    read -p "请输入本机用于接收指令的 Webhook 端口 (默认 9527，请确保防火墙已放开此端口): " INPUT_PORT
-    [ -n "$INPUT_PORT" ] && AGENT_PORT="$INPUT_PORT"
+# ================== [v3.1.1/v3.2.2 优化: 安装前环境纯净度清理] ==================
+echo -e "\n⏳ 正在清理旧版守护进程与冗余任务..."
+# 1. 强制超度可能存活的 Webhook 及各类看门狗进程，释放端口
+pkill -9 -f "webhook.py" >/dev/null 2>&1 || true
+pkill -9 -f "agent_daemon.sh" >/dev/null 2>&1 || true
+pkill -9 -f "runner.sh" >/dev/null 2>&1 || true
+
+# 2. 清除系统定时任务 (Cron) 中的旧版条目
+if crontab -l >/dev/null 2>&1; then
+    crontab -l | grep -v "ip_sentinel" > /tmp/cron_clean
+    crontab /tmp/cron_clean
+    rm -f /tmp/cron_clean
 fi
 
-# 4. 远程拉取冷数据并解析固化
-echo -e "\n[4/6] 正在从你的数据仓库拉取 [${REGION_CODE}] 节点的底层规则..."
-REGION_JSON=$(curl -sL "${REPO_RAW_URL}/data/regions/${REGION_CODE}.json")
-
-# 使用 jq 提取 JSON 里的核心值
-REGION_NAME=$(echo "$REGION_JSON" | jq -r '.region_name')
-BASE_LAT=$(echo "$REGION_JSON" | jq -r '.google_module.base_lat')
-BASE_LON=$(echo "$REGION_JSON" | jq -r '.google_module.base_lon')
-LANG_PARAMS=$(echo "$REGION_JSON" | jq -r '.google_module.lang_params')
-VALID_URL_SUFFIX=$(echo "$REGION_JSON" | jq -r '.google_module.valid_url_suffix')
-
-if [ -z "$BASE_LAT" ] || [ "$BASE_LAT" == "null" ]; then
-    echo "❌ 拉取或解析规则失败！请检查 Forgejo 仓库是否公开或网络是否畅通。"
-    exit 1
+# 3. 抹除旧版核心代码，杜绝代码冲突 (根据模式分流)
+if [ "$UPGRADE_MODE" == "true" ]; then
+    # 升级模式：仅销毁核心引擎，严格保留 config 与 data
+    rm -rf "${INSTALL_DIR}/core" 2>/dev/null
+    if [ "$KEEP_LOGS" == "false" ]; then
+        rm -rf "${INSTALL_DIR}/logs" 2>/dev/null
+        echo -e "🗑️ 历史日志已按指令清空。"
+    else
+        echo -e "📦 历史配置与战地日志已妥善保留。"
+    fi
+else
+    # 全新安装模式：焦土政策，彻底抹除
+    if [ -d "$INSTALL_DIR" ]; then
+        rm -rf "${INSTALL_DIR}/core" "${INSTALL_DIR}/data" "${INSTALL_DIR}/config.conf" "${INSTALL_DIR}/.last_ip" 2>/dev/null
+    fi
 fi
+echo -e "\033[32m✅ 环境清理完毕，幽灵进程已肃清！\033[0m"
+# ========================================================================================
 
-# 写入本地静态配置文件
-cat > "$CONFIG_FILE" << EOF
+# ==========================================================
+# 🛑 如果是全新部署，才执行以下所有交互逻辑；否则直接跳过
+# ==========================================================
+if [ "$UPGRADE_MODE" == "false" ]; then
+
+    # 📍 动态一级菜单：国家选择
+    echo -e "\n\033[36m📍 【第一级】请选择目标国家/地区:\033[0m"
+    jq -r '.countries[] | "\(.id)|\(.name)|\(.keyword_file)"' /tmp/map.json > /tmp/countries.txt
+    i=1; COUNTRY_MAP=(); KEYWORD_MAP=()
+    while IFS="|" read -r c_id c_name k_file; do
+        echo "  $i) $c_name"
+        COUNTRY_MAP[$i]="$c_id"
+        KEYWORD_MAP[$i]="$k_file"
+        ((i++))
+    done < /tmp/countries.txt
+
+    read -p "请输入选择 [1-$((i-1))] (默认1): " C_SEL
+    C_SEL=${C_SEL:-1}
+    COUNTRY_ID="${COUNTRY_MAP[$C_SEL]}"
+    KEYWORD_FILE="${KEYWORD_MAP[$C_SEL]}"
+    REGION_CODE="$COUNTRY_ID" # 兼容旧版的 config.conf
+
+    # 📍 动态二级菜单：省/州选择
+    echo -e "\n\033[36m📍 【第二级】正在检索 [$COUNTRY_ID] 的行政区数据...\033[0m"
+    jq -r ".countries[] | select(.id==\"$COUNTRY_ID\") | .states[] | \"\(.id)|\(.name)\"" /tmp/map.json > /tmp/states.txt
+    STATE_COUNT=$(wc -l < /tmp/states.txt)
+
+    if [ "$STATE_COUNT" -eq 1 ]; then
+        IFS="|" read -r STATE_ID STATE_NAME < /tmp/states.txt
+        echo -e "\033[32m💡 该国家下仅有单一配置 [$STATE_NAME]，已自动跃迁。\033[0m"
+    else
+        i=1; STATE_MAP=()
+        while IFS="|" read -r s_id s_name; do
+            echo "  $i) $s_name"
+            STATE_MAP[$i]="$s_id"
+            ((i++))
+        done < /tmp/states.txt
+        read -p "请输入选择 [1-$((i-1))] (默认1): " S_SEL
+        S_SEL=${S_SEL:-1}
+        STATE_ID="${STATE_MAP[$S_SEL]}"
+    fi
+
+    # 📍 动态三级菜单：城市选择
+    echo -e "\n\033[36m📍 【第三级】请锁定具体城市节点:\033[0m"
+    jq -r ".countries[] | select(.id==\"$COUNTRY_ID\") | .states[] | select(.id==\"$STATE_ID\") | .cities[] | \"\(.id)|\(.name)\"" /tmp/map.json > /tmp/cities.txt
+    CITY_COUNT=$(wc -l < /tmp/cities.txt)
+
+    if [ "$CITY_COUNT" -eq 1 ]; then
+        IFS="|" read -r CITY_ID CITY_NAME < /tmp/cities.txt
+        echo -e "\033[32m💡 该区域下仅有单一城市 [$CITY_NAME]，已自动锁定。\033[0m"
+    else
+        i=1; CITY_MAP=()
+        while IFS="|" read -r c_id c_name; do
+            echo "  $i) $c_name"
+            CITY_MAP[$i]="$c_id"
+            ((i++))
+        done < /tmp/cities.txt
+        read -p "请输入选择 [1-$((i-1))] (默认1): " CI_SEL
+        CI_SEL=${CI_SEL:-1}
+        CITY_ID="${CITY_MAP[$CI_SEL]}"
+    fi
+
+    # 清理临时文件
+    rm -f /tmp/map.json /tmp/countries.txt /tmp/states.txt /tmp/cities.txt
+
+    # 本地工作目录初始化 (支持 v3.0 的深度层级)
+    mkdir -p "${INSTALL_DIR}/core"
+    mkdir -p "${INSTALL_DIR}/data/keywords"
+    mkdir -p "${INSTALL_DIR}/data/regions/${COUNTRY_ID}/${STATE_ID}"
+    mkdir -p "${INSTALL_DIR}/logs"
+
+    # 3. 功能模块前置开关 (按需加载)
+    echo -e "\n[3/7] 请选择需要开启的养护模块 (按需开启，节省资源):"
+    echo "  1) 📍 仅开启 [Google 区域纠偏] (默认，适合流媒体解锁机位漂移)"
+    echo "  2) 🛡️ 仅开启 [IP 信用净化] (适合高风险机房 IP 降低 Scamalytics 分数)"
+    echo "  3) 🔥 双管齐下 (同时开启以上两项)"
+    read -p "请输入选择 [1-3] (默认1): " MODULE_CHOICE
+
+    ENABLE_GOOGLE="true"
+    ENABLE_TRUST="false"
+    case ${MODULE_CHOICE:-1} in
+        2) ENABLE_GOOGLE="false"; ENABLE_TRUST="true" ;;
+        3) ENABLE_GOOGLE="true"; ENABLE_TRUST="true" ;;
+        *) ENABLE_GOOGLE="true"; ENABLE_TRUST="false" ;;
+    esac
+
+    # 4. 接入 Master 中枢配置
+    echo -e "\n[4/7] 是否接入 Master 司令部？(需要配置与主控相同的 TG 机器人) (y/n)"
+    read -p "请输入选择 [y/n] (默认n): " TG_CHOICE
+    TG_TOKEN=""
+    CHAT_ID=""
+    AGENT_PORT="9527"
+    if [[ "$TG_CHOICE" =~ ^[Yy]$ ]]; then
+        echo -e "\n\033[33m💡 提示：您可以选择使用自己的机器人，或者直接回车使用官方公共机器人。\033[0m"
+        echo -e "\033[33m⚠️  注意：若使用官方机器人，请务必先在 TG 中关注 @OmniBeacon_bot 并发送 /start\033[0m"
+        
+        read -p "请输入您的 Telegram Bot Token (回车使用官方默认): " USER_TOKEN
+        
+        if [ -z "$USER_TOKEN" ]; then
+            TG_TOKEN="OFFICIAL_GATEWAY_MODE" 
+            TG_API_URL="https://omni-gateway.samanthaestime296.workers.dev" 
+            echo -e "\033[32m✅ 已自动连接官方安全网关 (@OmniBeacon_bot)。\033[0m"
+            echo -e "\033[33m👉 请确保您已关注官方机器人并发送过 /start，否则将无法接收消息。\033[0m"
+        else
+            TG_TOKEN="$USER_TOKEN"
+            TG_API_URL="https://api.telegram.org/bot${TG_TOKEN}/sendMessage"
+            echo -e "\033[32m✅ 已记录您的私有机器人 Token。\033[0m"
+        fi
+
+        echo -e "\033[33m💡 提示：如果您不知道自己的 Chat ID，可以关注 @userinfobot 获取。\033[0m"
+        read -p "请输入你的 Chat ID (与主控一致): " CHAT_ID
+        
+        # ================== [v3.0.3 变更: 智能随机高位端口生成系统] ==================
+        echo -e "\n\033[36m[4.2/7] 正在构建 Webhook 安全通信隧道...\033[0m"
+        echo -n "🎲 正在探测可用随机端口..."
+        while true; do
+            RANDOM_PORT=$((RANDOM % 55536 + 10000))
+            # 同时兼容 ss (新) 和 netstat (旧) 检查端口占用
+            if ! (ss -tuln 2>/dev/null | grep -q ":$RANDOM_PORT " || netstat -tuln 2>/dev/null | grep -q ":$RANDOM_PORT "); then
+                break
+            fi
+            echo -n "."
+        done
+        echo -e " 完成！"
+        
+        echo -e "💡 系统为您生成的推荐随机高位端口为: \033[32m$RANDOM_PORT\033[0m"
+        echo -e "\033[33m(该端口已通过本地占用校验，可直接使用)\033[0m"
+        
+        while true; do
+            read -p "请输入 Webhook 监听端口 (回车采用推荐, 或手动输入): " INPUT_PORT
+            
+            if [ -z "$INPUT_PORT" ]; then
+                AGENT_PORT="$RANDOM_PORT"
+                break
+            else
+                # 校验手动输入的合法性与可用性
+                if [[ "$INPUT_PORT" =~ ^[0-9]+$ ]] && [ "$INPUT_PORT" -ge 1 ] && [ "$INPUT_PORT" -le 65535 ]; then
+                    if (ss -tuln 2>/dev/null | grep -q ":$INPUT_PORT " || netstat -tuln 2>/dev/null | grep -q ":$INPUT_PORT "); then
+                        echo -e "\033[31m❌ 端口 $INPUT_PORT 已被占用，请重新输入或使用推荐端口。\033[0m"
+                    else
+                        AGENT_PORT="$INPUT_PORT"
+                        break
+                    fi
+                else
+                    echo -e "\033[31m❌ 输入非法！端口范围应为 1-65535。\033[0m"
+                fi
+            fi
+        done
+        echo -e "✅ 已锁定 Webhook 通讯端口: \033[32m$AGENT_PORT\033[0m"
+        # ====================================================================
+    fi
+
+    # ================== [v3.0.1新增修改 1: 冗余网络栈探测与锚点锁定] ==================
+    echo -e "\n\033[36m[4.5/7] 正在探测本机网络栈与可用出口 (多节点雷达扫描中)...\033[0m"
+
+    # 引入容灾机制：依次尝试三个不同的 API，拿到有效的 IP 格式就停止
+    DETECT_V4=$( (curl -4 -s -m 3 api.ip.sb/ip || curl -4 -s -m 3 ifconfig.me || curl -4 -s -m 3 ipv4.icanhazip.com) 2>/dev/null | grep -E "^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" | head -n 1 | tr -d '[:space:]')
+    DETECT_V6=$( (curl -6 -s -m 3 api.ip.sb/ip || curl -6 -s -m 3 ifconfig.me || curl -6 -s -m 3 ipv6.icanhazip.com) 2>/dev/null | grep -E "^[0-9a-fA-F:]+.*:" | head -n 1 | tr -d '[:space:]')
+
+    # 构建动态选项数组
+    IP_OPTIONS=()
+    IP_PROTO=()
+
+    [[ -n "$DETECT_V4" ]] && { IP_OPTIONS+=("$DETECT_V4"); IP_PROTO+=("4"); }
+    [[ -n "$DETECT_V6" ]] && { IP_OPTIONS+=("$DETECT_V6"); IP_PROTO+=("6"); }
+
+    if [ ${#IP_OPTIONS[@]} -eq 0 ]; then
+        echo -e "\033[33m⚠️ 雷达受阻：未能自动探测到公网 IP，请手动指定。\033[0m"
+        read -p "请输入您要绑定的公网 IP (v4 或 v6): " PUBLIC_IP
+        [[ "$PUBLIC_IP" == *":"* ]] && IP_PREF="6" || IP_PREF="4"
+    else
+        echo "📍 发现可用出口 IP，请选择要注册与养护的锚点:"
+        for i in "${!IP_OPTIONS[@]}"; do
+            num=$((i+1))
+            if [ "${IP_PROTO[$i]}" == "4" ]; then
+                echo "  $num) 🌐 IPv4: ${IP_OPTIONS[$i]} (默认选项)"
+            else
+                echo "  $num) 🌌 IPv6: ${IP_OPTIONS[$i]}"
+            fi
+        done
+        CUSTOM_OPT=$(( ${#IP_OPTIONS[@]} + 1 ))
+        echo "  $CUSTOM_OPT) ✍️ 手动指定其他 IP (适合多 IP 站群机)"
+        
+        read -p "请输入选择 (默认1): " IP_CHOICE
+        IP_CHOICE=${IP_CHOICE:-1}
+        
+        if [ "$IP_CHOICE" -le "${#IP_OPTIONS[@]}" ] && [ "$IP_CHOICE" -gt 0 ]; then
+            idx=$((IP_CHOICE-1))
+            PUBLIC_IP="${IP_OPTIONS[$idx]}"
+            IP_PREF="${IP_PROTO[$idx]}"
+        elif [ "$IP_CHOICE" -eq "$CUSTOM_OPT" ]; then
+            read -p "请输入您要绑定的公网 IP (v4 或 v6): " PUBLIC_IP
+            [[ "$PUBLIC_IP" == *":"* ]] && IP_PREF="6" || IP_PREF="4"
+        else
+            # 兜底：乱输就默认选第一个
+            PUBLIC_IP="${IP_OPTIONS[0]}"
+            IP_PREF="${IP_PROTO[0]}"
+        fi
+    fi
+
+    # ================== [v3.3.1 核心重构: 身份剥离与双栈实弹嗅探] ==================
+    # 1. 固化对外通讯身份 (自动穿透方括号护甲)
+    if [[ "$PUBLIC_IP" == *":"* ]] && [[ "$PUBLIC_IP" != *"["* ]]; then
+        SAFE_PUBLIC_IP="[${PUBLIC_IP}]"
+    else
+        SAFE_PUBLIC_IP="$PUBLIC_IP"
+    fi
+
+    # 2. 实弹打靶测试 (NAT 环境嗅探与双栈自适应)
+    echo -n "🕵️ 正在进行出站链路试射 (NAT环境与双栈嗅探)..."
+    RAW_TEST_IP=$(echo "$SAFE_PUBLIC_IP" | tr -d '[]')
+    
+    # 智能切换靶机：V6 机器打 Cloudflare V6 节点，V4 机器打 1.1.1.1
+    if [[ "$RAW_TEST_IP" == *":"* ]]; then
+        TEST_TARGET="https://[2606:4700:4700::1111]"
+    else
+        TEST_TARGET="https://1.1.1.1"
+    fi
+    
+    # 执行实弹试射
+    if curl --interface "$RAW_TEST_IP" -sI -m 3 "$TEST_TARGET" >/dev/null 2>&1; then
+        echo -e " \033[32m✅ 原生直连，物理网卡死锁已激活。\033[0m"
+        BIND_IP="$SAFE_PUBLIC_IP"
+    else
+        echo -e " \033[33m⚠️ 发现 NAT/虚拟路由架构，自动卸除网卡枷锁，交由内核路由。\033[0m"
+        BIND_IP=""
+    fi
+    echo -e "\033[32m✅ 哨兵对外联络点已永久锁定至: $SAFE_PUBLIC_IP\033[0m"
+    # ========================================================================
+
+    # 5. 远程拉取冷数据并解析固化
+    echo -e "\n[5/7] 正在从云端数据仓库拉取 [${CITY_NAME}] 节点的底层规则..."
+    REGION_JSON_FILE="${INSTALL_DIR}/data/regions/${COUNTRY_ID}/${STATE_ID}/${CITY_ID}.json"
+    curl -sL "${REPO_RAW_URL}/data/regions/${COUNTRY_ID}/${STATE_ID}/${CITY_ID}.json" -o "$REGION_JSON_FILE"
+
+    if [ ! -s "$REGION_JSON_FILE" ]; then
+        echo "❌ 拉取或解析规则失败！请检查 Forgejo 仓库是否公开或网络是否畅通。"
+        exit 1
+    fi
+
+    # 使用 jq 提取 JSON 里的核心值
+    REGION_NAME=$(jq -r '.region_name' "$REGION_JSON_FILE")
+    BASE_LAT=$(jq -r '.google_module.base_lat' "$REGION_JSON_FILE")
+    BASE_LON=$(jq -r '.google_module.base_lon' "$REGION_JSON_FILE")
+    LANG_PARAMS=$(jq -r '.google_module.lang_params' "$REGION_JSON_FILE")
+    VALID_URL_SUFFIX=$(jq -r '.google_module.valid_url_suffix' "$REGION_JSON_FILE")
+
+    # 写入本地静态配置文件 (v3.4.0 引入版本锚点)
+    cat > "$CONFIG_FILE" << EOF
 # IP-Sentinel 本地固化配置 (生成时间: $(date '+%Y-%m-%d %H:%M:%S'))
+AGENT_VERSION="$TARGET_VERSION"
 REGION_CODE="$REGION_CODE"
 REGION_NAME="$REGION_NAME"
 BASE_LAT="$BASE_LAT"
@@ -93,60 +374,250 @@ BASE_LON="$BASE_LON"
 LANG_PARAMS="$LANG_PARAMS"
 VALID_URL_SUFFIX="$VALID_URL_SUFFIX"
 
+# 模块开关状态
+ENABLE_GOOGLE="$ENABLE_GOOGLE"
+ENABLE_TRUST="$ENABLE_TRUST"
+
 TG_TOKEN="$TG_TOKEN"
+TG_API_URL="$TG_API_URL"
 CHAT_ID="$CHAT_ID"
 AGENT_PORT="$AGENT_PORT"
 INSTALL_DIR="$INSTALL_DIR"
 LOG_FILE="${INSTALL_DIR}/logs/sentinel.log"
+
+# [v3.3.1修改: 双核身份剥离配置] 
+IP_PREF="$IP_PREF"
+PUBLIC_IP="$SAFE_PUBLIC_IP"
+BIND_IP="$BIND_IP"
 EOF
 
-# 5. 拉取全套组件 (引擎、业务、更新、战报、Webhook守护进程、卸载脚本及热数据)
-echo -e "\n[5/6] 正在部署核心引擎、Webhook 组件与热数据..."
+    # ================== [v3.0.3 变更: 敏感配置文件权限收敛] ==================
+    chmod 600 "$CONFIG_FILE"
+    # ====================================================================
+
+fi
+# 🛑 拦截块结束 (全套交互配置跳过完毕)
+
+# ================== [v3.3.1 核心修复: 老节点配置无损热迁移] ==================
+if [ "$UPGRADE_MODE" == "true" ]; then
+    if ! grep -q "PUBLIC_IP=" "$CONFIG_FILE"; then
+        echo -e "\n🔄 [平滑迁移] 正在对老节点进行 v3.3.1 双核身份架构升级..."
+        
+        # 重新抓取公网面孔 (应对老节点 BIND_IP 可能已被手动清空的情况)
+        MIGRATE_IP=$(curl -${IP_PREF:-4} -s -m 5 api.ip.sb/ip | tr -d '[:space:]')
+        [[ "$MIGRATE_IP" == *":"* ]] && [[ "$MIGRATE_IP" != *"["* ]] && MIGRATE_IP="[${MIGRATE_IP}]"
+        
+        echo -n "🕵️ 正在进行补发链路试射 (NAT与双栈嗅探)..."
+        RAW_TEST_IP=$(echo "$MIGRATE_IP" | tr -d '[]')
+        if [[ "$RAW_TEST_IP" == *":"* ]]; then
+            TEST_TARGET="https://[2606:4700:4700::1111]"
+        else
+            TEST_TARGET="https://1.1.1.1"
+        fi
+        
+        if curl --interface "$RAW_TEST_IP" -sI -m 3 "$TEST_TARGET" >/dev/null 2>&1; then
+            echo -e " \033[32m✅ 原生直连，网卡死锁已继承。\033[0m"
+            NEW_BIND_IP="$MIGRATE_IP"
+        else
+            echo -e " \033[33m⚠️ 发现 NAT 架构，已自动卸除老版本的物理枷锁。\033[0m"
+            NEW_BIND_IP=""
+        fi
+        
+        # 动态修改旧配置文件 (更新 BIND_IP，追加 PUBLIC_IP)
+        sed -i "s/^BIND_IP=.*/BIND_IP=\"$NEW_BIND_IP\"/" "$CONFIG_FILE"
+        echo "PUBLIC_IP=\"$MIGRATE_IP\"" >> "$CONFIG_FILE"
+        
+        # 刷新当前安装脚本的环境变量，防止底部代码报错
+        SAFE_PUBLIC_IP="$MIGRATE_IP"
+        BIND_IP="$NEW_BIND_IP"
+    else
+        # 如果是未来再升级，配置文件已是最新，直接提取变量供安装脚本尾部使用
+        SAFE_PUBLIC_IP=$(grep "^PUBLIC_IP=" "$CONFIG_FILE" | cut -d'"' -f2)
+    fi
+fi
+# ========================================================================
+
+# 6. 拉取全套组件 (按需下载，绝不浪费空间)
+echo -e "\n[6/7] 正在根据模块开关部署核心引擎与热数据..."
+# 确保目录在升级模式下也能被正确建立
+mkdir -p "${INSTALL_DIR}/core"
+mkdir -p "${INSTALL_DIR}/data/keywords"
+
+# 基础公共组件
 curl -sL "${REPO_RAW_URL}/core/runner.sh" -o "${INSTALL_DIR}/core/runner.sh"
-curl -sL "${REPO_RAW_URL}/core/mod_google.sh" -o "${INSTALL_DIR}/core/mod_google.sh"
 curl -sL "${REPO_RAW_URL}/core/updater.sh" -o "${INSTALL_DIR}/core/updater.sh"
 curl -sL "${REPO_RAW_URL}/core/tg_report.sh" -o "${INSTALL_DIR}/core/tg_report.sh"
 curl -sL "${REPO_RAW_URL}/core/agent_daemon.sh" -o "${INSTALL_DIR}/core/agent_daemon.sh"
 curl -sL "${REPO_RAW_URL}/core/uninstall.sh" -o "${INSTALL_DIR}/core/uninstall.sh"
+curl -sL "${REPO_RAW_URL}/data/user_agents.txt" -o "${INSTALL_DIR}/data/user_agents.txt"
+
+# 动态按需组件
+if [ "$ENABLE_GOOGLE" == "true" ]; then
+    curl -sL "${REPO_RAW_URL}/core/mod_google.sh" -o "${INSTALL_DIR}/core/mod_google.sh"
+    # [v3.2.2 修复] 动态匹配词库下载逻辑
+    if [ "$UPGRADE_MODE" == "false" ]; then
+        curl -sL "${REPO_RAW_URL}/data/keywords/${KEYWORD_FILE}" -o "${INSTALL_DIR}/data/keywords/${KEYWORD_FILE}"
+    else
+        # 升级模式：利用已有的 REGION_CODE 更新通用词库
+        curl -sL "${REPO_RAW_URL}/data/keywords/kw_${REGION_CODE}.txt" -o "${INSTALL_DIR}/data/keywords/kw_${REGION_CODE}.txt" 2>/dev/null || true
+    fi
+fi
+
+if [ "$ENABLE_TRUST" == "true" ]; then
+    curl -sL "${REPO_RAW_URL}/core/mod_trust.sh" -o "${INSTALL_DIR}/core/mod_trust.sh"
+fi
+
 chmod +x ${INSTALL_DIR}/core/*.sh
 
-curl -sL "${REPO_RAW_URL}/data/user_agents.txt" -o "${INSTALL_DIR}/data/user_agents.txt"
-curl -sL "${REPO_RAW_URL}/data/keywords/kw_${REGION_CODE}.txt" -o "${INSTALL_DIR}/data/keywords/kw_${REGION_CODE}.txt"
-
-# 6. 配置系统定时任务 (高频调度与看门狗)
-echo -e "\n[6/6] 正在注入系统定时任务与看门狗进程..."
+# 7. 配置系统定时任务 (高频调度与看门狗)
+echo -e "\n[7/7] 正在注入系统定时任务与看门狗进程..."
 crontab -l 2>/dev/null | grep -v "ip_sentinel" > /tmp/cron_backup
 
 # 核心养护模块: 每 30 分钟触发一次
 echo "*/30 * * * * ${INSTALL_DIR}/core/runner.sh >/dev/null 2>&1" >> /tmp/cron_backup
-# 养料更新模块: 每周日凌晨 3 点静默去云端更新热数据
-echo "0 3 * * 0 ${INSTALL_DIR}/core/updater.sh >/dev/null 2>&1" >> /tmp/cron_backup
+# 养料更新模块: (v3.3.0升级) 每天凌晨 3 点触发，由中枢自动进行分频调度
+echo "0 3 * * * ${INSTALL_DIR}/core/updater.sh >/dev/null 2>&1" >> /tmp/cron_backup
+
+# [v3.3.0 新增] 初始化 UA 指纹库更新时间戳，确立 30 天滚动周期的计算锚点
+echo $(date +%s) > "${INSTALL_DIR}/core/.ua_last_update"
 
 # 如果配置了联控，启动 Webhook 与战报任务
 if [[ -n "$TG_TOKEN" ]] && [[ -n "$CHAT_ID" ]]; then
     # 每天早上 8 点发送昨天的统计战报
     echo "0 8 * * * ${INSTALL_DIR}/core/tg_report.sh >/dev/null 2>&1" >> /tmp/cron_backup
     
-    # 【升级点】双保险守护进程看门狗: 
-    # 1. 保证服务器重启后开机秒唤醒
+    # [v3.0.1新增修改 3: 删除原来的 curl 取 IP，直接使用我们上方锁定的 BIND_IP]
+    # 并提前写入 IP 缓存，彻底阻断 agent_daemon 首次启动时的重复推送
+    # [修复竞态]: 提前写入公网 IP 缓存，彻底阻断 agent_daemon 首次启动时的抢跑推送
+    echo "$SAFE_PUBLIC_IP" > "${INSTALL_DIR}/core/.last_ip"
+    
+    # 双保险守护进程看门狗
     echo "@reboot nohup bash ${INSTALL_DIR}/core/agent_daemon.sh >/dev/null 2>&1 &" >> /tmp/cron_backup
-    # 2. 保证平时手滑杀掉进程后，1分钟内自动复活 (由于 daemon 脚本内自带 pgrep 防冲突，这里可以直接调用)
     echo "* * * * * nohup bash ${INSTALL_DIR}/core/agent_daemon.sh >/dev/null 2>&1 &" >> /tmp/cron_backup
     
-    # 安装时立刻启动一次边缘守护进程 (触发注册与 Webhook 监听)
+    # 安装时立刻启动一次边缘守护进程
     nohup bash "${INSTALL_DIR}/core/agent_daemon.sh" >/dev/null 2>&1 &
 fi
 
 crontab /tmp/cron_backup
 rm -f /tmp/cron_backup
 
+# ================== [v3.4.0 核心: 状态机驱动的热更新路由] ==================
+if [[ -n "$TG_TOKEN" ]] && [[ -n "$CHAT_ID" ]]; then
+    # 构造当前节点的唯一代号 (v3.3.2引入的防撞甲，已修正连接符)
+    IP_HASH=$(echo "${SAFE_PUBLIC_IP:-127.0.0.1}" | md5sum | cut -c 1-4 | tr 'a-z' 'A-Z')
+    NODE_NAME="$(hostname | cut -c 1-10)-${IP_HASH}"
+    
+    REG_MSG="#REGISTER#|${REGION_CODE}|${NODE_NAME}|${SAFE_PUBLIC_IP}|${AGENT_PORT}"
+    
+    if [ "$UPGRADE_MODE" == "true" ]; then
+        # 读取本地老版本号，如果没有则视为远古版本 v3.3.1
+        OLD_VERSION=$(grep "^AGENT_VERSION=" "$CONFIG_FILE" | cut -d'"' -f2)
+        [ -z "$OLD_VERSION" ] && OLD_VERSION="3.3.1"
+        
+        # [路由表 1]: 跨代兼容 (老版本 < v3.3.2)
+        # 必须强制下发带有 #REGISTER# 的警告，引导长官重新同步哈希身份
+        if version_lt "$OLD_VERSION" "3.3.2"; then
+            echo -e "\n📡 [路由枢纽] 正在执行跨代架构重组 (v${OLD_VERSION} -> v${TARGET_VERSION})..."
+            curl -s -X POST "${TG_API_URL}" \
+                -d "chat_id=${CHAT_ID}" \
+                -d "parse_mode=Markdown" \
+                -d "text=✨ *IP-Sentinel 引擎热更新完成！*
+📍 节点：\`${NODE_NAME}\`
+🌐 IP：\`${SAFE_PUBLIC_IP}\`
+🚀 状态：v${TARGET_VERSION} OTA 动态活体引擎已部署
+
+⚠️ *战区架构已重组，请务必点击下方指令并发送，以同步新的防撞档案：*
+\`${REG_MSG}\`" >/dev/null 2>&1
+            echo -e "\033[32m✅ 升级通知已推送！请前往 TG 点击注册指令完成身份同步！\033[0m"
+            
+        # [路由表 2]: 现代静默升级 (老版本 >= v3.3.2)
+        else
+            echo -e "\n📡 [路由枢纽] 正在执行静默平滑升级 (v${OLD_VERSION} -> v${TARGET_VERSION})..."
+            curl -s -X POST "${TG_API_URL}" \
+                -d "chat_id=${CHAT_ID}" \
+                -d "parse_mode=Markdown" \
+                -d "text=✨ *IP-Sentinel 引擎热更新完成！*
+📍 节点：\`${NODE_NAME}\`
+🌐 IP：\`${SAFE_PUBLIC_IP}\`
+🚀 状态：v${TARGET_VERSION} OTA 动态活体引擎已部署" >/dev/null 2>&1
+            echo -e "\033[32m✅ 升级成功通知已推送到您的 Telegram！\033[0m"
+        fi
+        
+        # [清理遗留垃圾并刷新版本号]
+        sed -i '/^NAME_HASHED=/d' "$CONFIG_FILE" 2>/dev/null # 抹除上个版本的临时基因锁
+        if grep -q "^AGENT_VERSION=" "$CONFIG_FILE"; then
+            sed -i "s/^AGENT_VERSION=.*/AGENT_VERSION=\"$TARGET_VERSION\"/" "$CONFIG_FILE"
+        else
+            echo "AGENT_VERSION=\"$TARGET_VERSION\"" >> "$CONFIG_FILE"
+        fi
+        
+    else
+        # [全新安装路由]
+        echo -e "\n📡 正在向指挥部发送注册暗号..."
+        PUSH_RESULT=$(curl -s -X POST "${TG_API_URL}" \
+            -d "chat_id=${CHAT_ID}" \
+            -d "parse_mode=Markdown" \
+            -d "text=✨ *IP-Sentinel 部署成功！*
+📍 区域：${REGION_NAME}
+🌐 IP：${SAFE_PUBLIC_IP}
+🔌 端口：${AGENT_PORT}
+
+🔑 *请点击下方指令复制并回复给机器人：*
+\`${REG_MSG}\`")
+
+        if echo "$PUSH_RESULT" | grep -q '"ok":true'; then
+            echo -e "\033[32m✅ 注册信息已推送到您的 Telegram，请按指令完成最终激活！\033[0m"
+        else
+            echo -e "\033[31m❌ 消息推送失败，请检查 Chat ID 是否正确或是否已关注机器人。\033[0m"
+        fi
+    fi
+fi
+# =========================================================================
+
 echo "========================================================"
-echo "🎉 边缘节点 (Agent) 部署流程彻底完成！"
+if [ "$UPGRADE_MODE" == "true" ]; then
+    echo "🎉 边缘节点 (Agent) 平滑热更新已彻底完成！"
+else
+    echo "🎉 边缘节点 (Agent) 部署流程彻底完成！"
+fi
 echo "📍 你的本地守护区域已锁定为: $REGION_NAME"
 echo "⚙️ 哨兵现已开启 [每30分钟] 的高频高拟真养护循环。"
 if [[ -n "$TG_TOKEN" ]]; then
     echo "📡 Webhook 监听已启动 (端口: $AGENT_PORT) 并向中枢发送了注册请求。"
-    echo "⚠️ 请务必确保本机的防火墙放行了 TCP $AGENT_PORT 端口！"
+    
+    # ================== [v3.0.3 变更: 智能防火墙检测与放行指引] ==================
+    FW_MSG=""
+    if command -v ufw >/dev/null 2>&1 && ufw status | grep -qw active; then
+        FW_MSG="ufw allow $AGENT_PORT/tcp"
+    elif command -v firewall-cmd >/dev/null 2>&1 && systemctl is-active firewalld | grep -qw active; then
+        FW_MSG="firewall-cmd --zone=public --add-port=$AGENT_PORT/tcp --permanent && firewall-cmd --reload"
+    elif command -v iptables >/dev/null 2>&1; then
+        # 智能双栈雷达：根据对外公网 IP 属性，动态下发对应的防火墙放行指令
+        if [[ "$SAFE_PUBLIC_IP" == *":"* ]]; then
+            FW_MSG="ip6tables -I INPUT -p tcp --dport $AGENT_PORT -j ACCEPT"
+        else
+            FW_MSG="iptables -I INPUT -p tcp --dport $AGENT_PORT -j ACCEPT"
+        fi
+    fi
+    
+    echo -e "\033[33m⚠️ 警告：请务必确保本机及云服务商安全组放行了 TCP $AGENT_PORT 端口！\033[0m"
+    if [ -n "$FW_MSG" ]; then
+        echo "💡 检测到本地防火墙开启，您可以尝试执行以下命令放行："
+        echo -e "\033[36m   $FW_MSG\033[0m"
+    fi
+    # ====================================================================
 fi
-echo "🗑️ 若未来需卸载，可重新运行本脚本选择[3]或执行: bash ${INSTALL_DIR}/core/uninstall.sh"
-echo "========================================================"
+echo "🗑️ 若未来需卸载，可重新运行本脚本选择[2]或执行: bash ${INSTALL_DIR}/core/uninstall.sh"
+echo "========================================================"
+
+# ================== [v3.1.2 新增: 玻璃房透明装机统计] ==================
+echo -e "\n📡 正在向开源社区汇报装机量 (完全匿名，不收集IP)..."
+AGENT_COUNT=$(curl -s -m 3 "https://ip-sentinel-count.samanthaestime296.workers.dev/ping/agent" || echo "")
+
+if [ -n "$AGENT_COUNT" ] && [[ "$AGENT_COUNT" =~ ^[0-9]+$ ]]; then
+    echo -e "\033[32m✅ 感谢您成为全球第 ${AGENT_COUNT} 名 IP-Sentinel 哨兵！\033[0m"
+else
+    echo -e "\033[32m✅ 感谢您加入 IP-Sentinel 哨兵阵列！\033[0m"
+fi
+echo -e "\n"

core/mod_google.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 # ==========================================================
-# 脚本名称: mod_google.sh (Google 业务逻辑模块)
+# 脚本名称: mod_google.sh (Google 业务逻辑模块 v3.4.0 版本锚点版)
 # 核心功能: 执行坐标微抖动、模拟真实阅读时长、会话行为拉伸
 # ==========================================================
 
@@ -16,11 +16,15 @@ else
     exit 1
 fi
 
-# 容错机制：如果父进程没有传递 log 函数，则本地定义一个作为 fallback
+# 容错机制：如果父进程没有传递 log 函数，则本地定义一个作为 fallback (v3.4.0 引入版本探针)
 if ! type log >/dev/null 2>&1; then
     log() {
+        # [v3.4.0 核心] 提取当前配置中的版本锚点
+        local local_ver="${AGENT_VERSION:-未知}"
+        
         mkdir -p "${INSTALL_DIR}/logs"
-        printf "[$(date '+%Y-%m-%d %H:%M:%S')] [%-5s] [%-7s] [%s] %s\n" "$2" "$1" "$REGION_CODE" "$3" >> "${INSTALL_DIR}/logs/sentinel.log"
+        # 统一日志格式，注入 [版本号] 追踪标识
+        printf "[$(date '+%Y-%m-%d %H:%M:%S')] [v%-5s] [%-5s] [%-7s] [%s] %s\n" "$local_ver" "$2" "$1" "$REGION_CODE" "$3" >> "${INSTALL_DIR}/logs/sentinel.log"
     }
 fi
 
@@ -48,11 +52,32 @@ get_random_coord() {
 }
 
 # --- [环境初始化] ---
-# 获取当前出口 IP 仅用于日志记录
-CURRENT_V4=$(curl -4 -m 10 -s https://api.ip.sb/ip || echo "获取IP失败")
+# [v3.3.1修改] 优先读取对外公网面孔作为哈希种子，兼容 NAT 机的空 BIND_IP
+CURRENT_IP="${PUBLIC_IP:-${BIND_IP:-Unknown}}"
 
-# 会话锁定：单次执行内使用固定的浏览器指纹
-SESSION_UA=${UA_POOL[$RANDOM % ${#UA_POOL[@]}]}
+# -----------------------------------------------------------
+# [V3.1.5] 哈希锚定法 (Hash-Seeded Persona) 
+# 利用 IP 算力固定 3 个永久化专属指纹，破除僵尸网络同质化特征
+# -----------------------------------------------------------
+TOTAL_UA=${#UA_POOL[@]}
+if [ "$TOTAL_UA" -gt 0 ]; then
+    # 1. 以本地锁定的公网 IP 为种子，计算固定不变的 CRC32 哈希值
+    SEED=$(echo -n "$CURRENT_IP" | cksum | awk '{print $1}')
+    
+    # 2. 利用确定的种子和质数乘数，在全球 4000 的库中计算出本机的 3 个绝对专属坐标
+    IDX1=$(( SEED % TOTAL_UA ))
+    IDX2=$(( (SEED * 17) % TOTAL_UA ))
+    IDX3=$(( (SEED * 31) % TOTAL_UA ))
+    
+    # 3. 将绝对坐标映射为该节点的“专属设备库”
+    MY_UA_POOL=("${UA_POOL[$IDX1]}" "${UA_POOL[$IDX2]}" "${UA_POOL[$IDX3]}")
+    
+    # 4. 本次会话从这 3 台专属设备中随机挑选 1 台进行模拟
+    SESSION_UA=${MY_UA_POOL[$RANDOM % 3]}
+else
+    # 兜底容错机制
+    SESSION_UA="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
+fi
 # 位置锁定：在基准点(比如东京新宿)附近 3 公里内随机生成本次上网的“固定咖啡馆”坐标
 SESSION_BASE_LAT=$(get_random_coord $BASE_LAT 270)
 SESSION_BASE_LON=$(get_random_coord $BASE_LON 270)
@@ -60,10 +85,29 @@ SESSION_BASE_LON=$(get_random_coord $BASE_LON 270)
 # 【核心升级】随机决定本次上网深度 (6 - 10 个复合动作，配合高频长效拉伸)
 TOTAL_ACTIONS=$((6 + RANDOM % 5))
 
-log "$MODULE_NAME" "INFO " "当前出网 IP: $CURRENT_V4"
+log "$MODULE_NAME" "INFO " "当前出网 IP: $CURRENT_IP"
 log "$MODULE_NAME" "INFO " "设备指纹锁定: ${SESSION_UA:0:45}..."
 log "$MODULE_NAME" "INFO " "虚拟驻留坐标: $SESSION_BASE_LAT, $SESSION_BASE_LON"
 
+# -----------------------------------------------------------
+# [V3.2.1 热修复] 网络锚定与协议自适应构建 
+# 强制 curl 绑定网卡，并自动匹配 IPv4/v6 协议，杜绝 curl 冲突报错
+# -----------------------------------------------------------
+CURL_BIND_OPT=""
+DYNAMIC_IP_PREF="-${IP_PREF:-4}" # 默认提取用户配置
+
+if [[ -n "$BIND_IP" && "$BIND_IP" =~ ^[0-9a-fA-F:\.]+$ ]]; then
+    CURL_BIND_OPT="--interface $BIND_IP"
+    # 智能探测：带冒号为 V6，带点号为 V4
+    if [[ "$BIND_IP" == *":"* ]]; then
+        DYNAMIC_IP_PREF="-6"
+        log "$MODULE_NAME" "INFO " "底层路由锁定: 绑定 IPv6 出口及协议 ($BIND_IP)"
+    elif [[ "$BIND_IP" == *"."* ]]; then
+        DYNAMIC_IP_PREF="-4"
+        log "$MODULE_NAME" "INFO " "底层路由锁定: 绑定 IPv4 出口及协议 ($BIND_IP)"
+    fi
+fi
+
 # --- [行为循环模拟] ---
 for ((i=1; i<=TOTAL_ACTIONS; i++)); do
     # 模拟真实移动设备拿在手里时的 GPS 信号微抖动 (范围约 10 米)
@@ -77,21 +121,22 @@ for ((i=1; i<=TOTAL_ACTIONS; i++)); do
     # 随机选择一种上网行为
     ACTION_TYPE=$((1 + RANDOM % 4))
     
+    # [V3.2.1 热修复] 注入 $CURL_BIND_OPT 与 $DYNAMIC_IP_PREF 协议自适应
     case $ACTION_TYPE in
         1) # 搜索行为
-            CODE=$(curl -4 -m 15 -s -L -o /dev/null -w "%{http_code}" -A "$SESSION_UA" \
+            CODE=$(curl $CURL_BIND_OPT $DYNAMIC_IP_PREF -m 15 -s -L -o /dev/null -w "%{http_code}" -A "$SESSION_UA" \
                  "https://www.google.com/search?q=${ENCODED_KEY}&${LANG_PARAMS}")
             ;;
         2) # 浏览本土新闻
-            CODE=$(curl -4 -m 15 -s -L -o /dev/null -w "%{http_code}" -A "$SESSION_UA" \
+            CODE=$(curl $CURL_BIND_OPT $DYNAMIC_IP_PREF -m 15 -s -L -o /dev/null -w "%{http_code}" -A "$SESSION_UA" \
                  "https://news.google.com/home?${LANG_PARAMS}")
             ;;
         3) # 地图坐标查询
-            CODE=$(curl -4 -m 15 -s -o /dev/null -w "%{http_code}" -A "$SESSION_UA" \
-                 "https://www.google.com/maps/search/${ENCODED_KEY}/@${ACTION_LAT},${ACTION_LON},17z?${LANG_PARAMS}")
+            CODE=$(curl $CURL_BIND_OPT $DYNAMIC_IP_PREF -m 15 -s -o /dev/null -w "%{http_code}" -A "$SESSION_UA" \
+                 "https://www.google.com/maps/search/$${ENCODED_KEY}/@${ACTION_LAT},${ACTION_LON},17z?${LANG_PARAMS}")
             ;;
         4) # 触发移动端系统底层位置检测像素
-            CODE=$(curl -4 -m 10 -s -o /dev/null -w "%{http_code}" -A "$SESSION_UA" \
+            CODE=$(curl $CURL_BIND_OPT $DYNAMIC_IP_PREF -m 10 -s -o /dev/null -w "%{http_code}" -A "$SESSION_UA" \
                  "https://connectivitycheck.gstatic.com/generate_204")
             ;;
     esac
@@ -107,16 +152,45 @@ for ((i=1; i<=TOTAL_ACTIONS; i++)); do
     fi
 done
 
-# --- [结果纠偏自检] ---
-# 去掉所有语言参数，进行一次最干净的直连测试
-FINAL_URL=$(curl -4 -m 15 -s -L -o /dev/null -w "%{url_effective}" https://www.google.com)
+# --- [结果纠偏自检 (V3.2.1 高精度容错版)] ---
+# [V3.2.1 热修复] 探针同样应用 $DYNAMIC_IP_PREF 协议自适应
+PROBE_RESULT=$(curl $CURL_BIND_OPT $DYNAMIC_IP_PREF -m 15 -s -L -o /dev/null -w "%{http_code}|%{url_effective}" https://www.google.com)
 
-if [[ "$FINAL_URL" == *"$VALID_URL_SUFFIX"* ]]; then
-    STATUS="✅ 目标区域达成 ($VALID_URL_SUFFIX)"
-elif [[ "$FINAL_URL" == *"google.com.hk"* ]]; then
-    STATUS="❌ 判定为送中区 (CN/HK)"
+# 分离状态码与 URL
+PROBE_CODE=$(echo "$PROBE_RESULT" | cut -d'|' -f1)
+FINAL_URL=$(echo "$PROBE_RESULT" | cut -d'|' -f2)
+
+# 0. 致命拦截：网络断开、DNS 解析失败或严重超时
+if [ "$PROBE_CODE" == "000" ] || [ -z "$FINAL_URL" ]; then
+    STATUS="🚨 探针失效 (网络阻断或底层路由异常)"
 else
-    STATUS="⚠️ 其他分站跳板 ($FINAL_URL)"
+    # 核心战术：精准提取最终 URL 的域名部分
+    ACTUAL_DOMAIN=$(echo "$FINAL_URL" | awk -F/ '{print $3}')
+    
+    # [V3.2.1 优化] 使用通配符 * 剔除任意前缀 (无论是 www.google. 还是 ipv4.google.)
+    ACTUAL_SUFFIX=${ACTUAL_DOMAIN#*google.}
+
+    # 1. 优先验证：绝对匹配目标后缀 (彻底杜绝 com 包含于 com.hk 的陷阱)
+    if [ "$ACTUAL_SUFFIX" == "$VALID_URL_SUFFIX" ]; then
+        STATUS="✅ 目标区域达成 ($ACTUAL_SUFFIX)"
+
+    # 2. 核心拦截：精准捕捉送中特征 (com.hk)
+    elif [ "$ACTUAL_SUFFIX" == "com.hk" ]; then
+        if [ "$REGION_CODE" == "HK" ]; then
+            STATUS="✅ 目标区域达成 (HK 专属 com.hk)"
+        else
+            STATUS="❌ 严重漂移！判定为送中区 (实际跳往 $ACTUAL_SUFFIX)"
+        fi
+
+    # 3. 宽容处理：遵守 Google 无跳转新规 (严格限定必须是纯粹的 com)
+    # [视觉优化] 留在 .com 代表 IP 极度纯净未被区域沙盒锁定，计入成功战绩！
+    elif [ "$ACTUAL_SUFFIX" == "com" ]; then
+        STATUS="✅ 目标区域达成 (免签停留 .com 通用主站)"
+
+    # 4. 跨区漂移：所有预判之外的后缀，全部视为异常
+    else
+        STATUS="⚠️ 跨区跳板漂移 (当前实际归属: $ACTUAL_SUFFIX)"
+    fi
 fi
 
 log "$MODULE_NAME" "SCORE" "自检结论: $STATUS"

core/mod_trust.sh

@@ -0,0 +1,156 @@
+#!/bin/bash
+
+# ==========================================================
+# 脚本名称: mod_trust.sh (IP 信用净化模块 v3.4.0 版本锚点版)
+# 核心功能: 动态扫描本地 LBS 冷数据，提取权威白名单，执行流量净化
+# ==========================================================
+
+INSTALL_DIR="/opt/ip_sentinel"
+CONFIG_FILE="${INSTALL_DIR}/config.conf"
+UA_FILE="${INSTALL_DIR}/data/user_agents.txt"
+# 你的 GitHub 仓库 Raw 数据直链前缀
+REPO_RAW_URL="https://raw.githubusercontent.com/hotyue/IP-Sentinel/main"
+# 临时改为私库地址用于测试
+# REPO_RAW_URL="https://git.94211762.xyz/hotyue/IP-Sentinel/raw/branch/main"
+
+# 1. 基础环境校验
+[ ! -f "$CONFIG_FILE" ] && exit 1
+source "$CONFIG_FILE"
+
+REGION=${REGION_CODE:-"US"}
+LOG_FILE="${INSTALL_DIR}/logs/sentinel.log"
+
+# 2. 动态获取配置 (V3 拓扑自适应与兜底)
+# 利用 find 穿透多级子目录，自动抓取安装时落地的那份专属 json 文件
+REGION_JSON_FILE=$(find "${INSTALL_DIR}/data/regions" -name "*.json" 2>/dev/null | head -n 1)
+
+# 兼容旧节点兜底：如果本地真没找到 json，回退到拉取云端通用大区配置
+if [ -z "$REGION_JSON_FILE" ] || [ ! -f "$REGION_JSON_FILE" ]; then
+    REGION_JSON_FILE="${INSTALL_DIR}/data/regions/${REGION}.json"
+    mkdir -p "${INSTALL_DIR}/data/regions"
+    curl -${IP_PREF:-4} -sL "${REPO_RAW_URL}/data/regions/${REGION}.json" -o "$REGION_JSON_FILE"
+fi
+
+# 使用 jq 将 json 中的网址数组安全地读入 Bash 数组
+if [ -f "$REGION_JSON_FILE" ]; then
+    mapfile -t TRUST_URLS < <(jq -r '.trust_module.white_urls[]' "$REGION_JSON_FILE" 2>/dev/null)
+fi
+
+# 兜底：如果仓库挂了或者解析失败，提供国际通用白名单
+if [ ${#TRUST_URLS[@]} -eq 0 ]; then
+    TRUST_URLS=("https://en.wikipedia.org/wiki/Special:Random" "https://www.apple.com/" "https://www.microsoft.com/")
+fi
+
+# 3. 日志规范化 (v3.4.0 引入版本探针)
+log_msg() {
+    local TYPE=$1
+    local MSG=$2
+    local TIME=$(date "+%Y-%m-%d %H:%M:%S")
+    # [v3.4.0 核心] 提取当前配置中的版本锚点
+    local local_ver="${AGENT_VERSION:-未知}"
+    
+    # 日志格式注入 [版本号] 追踪标识，保持对齐
+    echo "[$TIME] [v%-5s] [%-5s] [Trust  ] [$REGION] $MSG" | sed "s/%-5s/$local_ver/;s/%-5s/$TYPE/" | tee -a "$LOG_FILE"
+}
+
+# 4. 锁定单次会话指纹
+# -----------------------------------------------------------
+# [V3.1.5] 哈希锚定法 (Hash-Seeded Persona) 
+# 利用 IP 算力固定 3 个永久化专属指纹，破除僵尸网络同质化特征
+# -----------------------------------------------------------
+if [ -f "$UA_FILE" ]; then
+    mapfile -t UA_POOL < <(grep -v '^$' "$UA_FILE")
+    TOTAL_UA=${#UA_POOL[@]}
+    
+    if [ "$TOTAL_UA" -gt 0 ]; then
+        # [v3.3.1修改] 优先使用固化的公网 IP 作为哈希种子，防止 NAT 节点指纹同质化
+        SEED=$(echo -n "${PUBLIC_IP:-${BIND_IP:-127.0.0.1}}" | cksum | awk '{print $1}')
+        
+        # 利用确定的种子，在全球 4000 的库中，计算出本机的 3 个绝对专属坐标
+        IDX1=$(( SEED % TOTAL_UA ))
+        IDX2=$(( (SEED * 17) % TOTAL_UA ))
+        IDX3=$(( (SEED * 31) % TOTAL_UA ))
+        
+        # 将专属坐标映射为专属设备库
+        MY_UA_POOL=("${UA_POOL[$IDX1]}" "${UA_POOL[$IDX2]}" "${UA_POOL[$IDX3]}")
+        
+        # 本次会话从这 3 台专属设备中随机挑选 1 台 (模拟真实的家庭多设备环境)
+        CURRENT_UA=${MY_UA_POOL[$RANDOM % 3]}
+    else
+        # 兜底容错
+        CURRENT_UA="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
+    fi
+else
+    CURRENT_UA="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
+fi
+
+# ==========================================
+# 🚀 净化行动开始
+# ==========================================
+log_msg "START" "========== 启动区域 IP 信用净化会话 =========="
+log_msg "INFO " "已载入 [${REGION}] 区域白名单，配置库条目: ${#TRUST_URLS[@]} 个"
+log_msg "INFO " "已锁定本地伪装指纹: $(echo $CURRENT_UA | cut -d' ' -f1-2)..."
+
+# -----------------------------------------------------------
+# [V3.2.1 热修复] 网络锚定与协议自适应构建 
+# 强制 curl 绑定网卡，并自动匹配 IPv4/v6 协议，杜绝 curl 冲突报错
+# -----------------------------------------------------------
+CURL_BIND_OPT=""
+DYNAMIC_IP_PREF="-${IP_PREF:-4}" # 默认提取用户配置
+
+if [[ -n "$BIND_IP" && "$BIND_IP" =~ ^[0-9a-fA-F:\.]+$ ]]; then
+    CURL_BIND_OPT="--interface $BIND_IP"
+    # 智能探测：带冒号为 V6，带点号为 V4
+    if [[ "$BIND_IP" == *":"* ]]; then
+        DYNAMIC_IP_PREF="-6"
+        log_msg "INFO " "底层路由锁定: 绑定 IPv6 出口及协议 ($BIND_IP)"
+    elif [[ "$BIND_IP" == *"."* ]]; then
+        DYNAMIC_IP_PREF="-4"
+        log_msg "INFO " "底层路由锁定: 绑定 IPv4 出口及协议 ($BIND_IP)"
+    fi
+fi
+
+STEP_COUNT=$((RANDOM % 4 + 3))
+SUCCESS_INJECT=0
+
+for ((i=1; i<=STEP_COUNT; i++)); do
+    # 随机抽取本地区域权威网址
+    TARGET_URL=${TRUST_URLS[$RANDOM % ${#TRUST_URLS[@]}]}
+    
+    # [v3.0.1修复] 注入高权重流量时，强制从绑定的 IPv4 或 IPv6 隧道出网
+    # [V3.2.1 热修复] 注入 $CURL_BIND_OPT 与 $DYNAMIC_IP_PREF 协议自适应
+    HTTP_CODE=$(curl $CURL_BIND_OPT $DYNAMIC_IP_PREF -A "$CURRENT_UA" \
+        -H "Accept: text/html,application/xhtml+xml;q=0.9,image/avif,image/webp,*/*;q=0.8" \
+        -H "Accept-Language: en-US,en;q=0.9" \
+        -H "Sec-Fetch-Dest: document" \
+        -H "Sec-Fetch-Mode: navigate" \
+        -H "Upgrade-Insecure-Requests: 1" \
+        --compressed \
+        -s -o /dev/null -w "%{http_code}" -m 15 "$TARGET_URL")
+
+    # 扩大 HTTP 状态码容错区间：包含所有 20x (如亚马逊的 202) 和 30x 重定向
+    if [[ "$HTTP_CODE" =~ ^(20[0-9]|30[1-8])$ ]]; then
+        log_msg "EXEC " "动作[$i/$STEP_COUNT]完成 | 状态: $HTTP_CODE | 注入: $TARGET_URL"
+        ((SUCCESS_INJECT++))
+    else
+        log_msg "EXEC " "动作[$i/$STEP_COUNT]异常 | 状态: $HTTP_CODE | 阻拦: $TARGET_URL"
+    fi
+
+    if [ $i -lt $STEP_COUNT ]; then
+        SLEEP_TIME=$((RANDOM % 76 + 45))
+        log_msg "WAIT " "正在浏览本地高权重页面，模拟停留 $SLEEP_TIME 秒..."
+        sleep $SLEEP_TIME
+    fi
+done
+
+# ==========================================
+# 📊 结论判定与输出
+# ==========================================
+if [ "$SUCCESS_INJECT" -ge $((STEP_COUNT / 2)) ]; then
+    log_msg "SCORE" "自检结论: ✅ 信用净化完成 (已成功注入 $SUCCESS_INJECT 条无害流量)"
+else
+    log_msg "SCORE" "自检结论: ❌ 净化受阻 (部分站点拦截或网络超时)"
+fi
+
+log_msg "END  " "========== 会话结束，释放进程 =========="
+log_msg "INFO " "系统级调度完毕，信任因子持续积累中..."

core/runner.sh

@@ -1,8 +1,8 @@
 #!/bin/bash
 
 # ==========================================================
-# 脚本名称: runner.sh (IP-Sentinel 主控调度引擎)
-# 核心功能: 防并发随机延迟启动、加载本地固化配置、调度业务模块
+# 脚本名称: runner.sh (IP-Sentinel 主控调度引擎 v3.4.0 版本锚点版)
+# 核心功能: 防并发延迟启动、功能开关(Feature Flag)自适应、多模块概率轮盘调度
 # ==========================================================
 
 INSTALL_DIR="/opt/ip_sentinel"
@@ -15,34 +15,67 @@ if [ ! -f "$CONFIG_FILE" ]; then
 fi
 source "$CONFIG_FILE"
 
-# 2. 全局日志写入函数 (导出给子进程共享使用)
+# 2. 全局日志写入函数 (导出给子进程共享使用，v3.4.0 引入版本探针)
 log() {
     local module=$1
     local level=$2
     local msg=$3
+    # [v3.4.0 核心] 提取当前配置中的版本锚点
+    local local_ver="${AGENT_VERSION:-未知}"
+    
     # 保证日志目录存在
     mkdir -p "${INSTALL_DIR}/logs"
-    printf "[$(date '+%Y-%m-%d %H:%M:%S')] [%-5s] [%-7s] [%s] %s\n" "$level" "$module" "$REGION_CODE" "$msg" >> "$LOG_FILE"
+    # 日志格式注入 [版本号] 追踪标识
+    printf "[$(date '+%Y-%m-%d %H:%M:%S')] [v%-5s] [%-5s] [%-7s] [%s] %s\n" "$local_ver" "$level" "$module" "$REGION_CODE" "$msg" >> "$LOG_FILE"
 }
 export -f log
 export CONFIG_FILE INSTALL_DIR
 
 # 3. 防僵尸网络特征 (Cron Jitter) - 核心隐蔽逻辑
-# 【核心升级】配合每 30 分钟的调度周期，将随机休眠控制在 0 到 180 秒 (3分钟) 内，彻底打散全球并发请求
-JITTER_TIME=$((RANDOM % 180))
-log "SYSTEM" "INFO" "主控引擎被 Cron 唤醒，进入防并发随机休眠状态: ${JITTER_TIME} 秒..."
-sleep $JITTER_TIME
-
-# 4. 唤醒并调度业务模块
-log "SYSTEM" "INFO" "休眠结束，开始执行养护任务..."
-
-# 调度 Google 模块
-if [ -x "${INSTALL_DIR}/core/mod_google.sh" ]; then
-    log "SYSTEM" "INFO" "加载子模块: Google 业务模拟"
-    # 核心降耗逻辑：使用 nice -n 19 赋予进程最低 CPU 优先级，绝不抢占 VPS 正常业务的资源
-    nice -n 19 bash "${INSTALL_DIR}/core/mod_google.sh"
+# 配合每 30 分钟的调度周期，将随机休眠控制在 0 到 180 秒内，彻底打散全球并发请求
+if [ -t 1 ]; then
+    log "SYSTEM" "INFO " "💻 检测到人工终端干预，跳过静默休眠，立即执行任务！"
 else
-    log "SYSTEM" "ERROR" "未找到可执行的 Google 模块"
+    JITTER_TIME=$((RANDOM % 180))
+    log "SYSTEM" "INFO " "⏱️ 主控引擎由后台唤醒，进入防并发随机休眠状态: ${JITTER_TIME} 秒..."
+    sleep $JITTER_TIME
+fi
+
+# 4. 唤醒并读取功能开关，执行智能调度 (Feature Flag)
+log "SYSTEM" "INFO" "休眠结束，开始计算本轮任务轮盘..."
+
+TARGET_MOD=""
+MOD_NAME=""
+
+# 智能轮盘赌算法
+if [ "$ENABLE_GOOGLE" == "true" ] && [ "$ENABLE_TRUST" == "true" ]; then
+    # 双管齐下: 70% 概率跑 Google 稳固定位，30% 概率跑 Trust 洗刷风控分
+    ROLL=$((RANDOM % 100 + 1))
+    if [ $ROLL -le 70 ]; then
+        TARGET_MOD="mod_google.sh"
+        MOD_NAME="Google 区域纠偏"
+    else
+        TARGET_MOD="mod_trust.sh"
+        MOD_NAME="IP 信用净化"
+    fi
+elif [ "$ENABLE_GOOGLE" == "true" ]; then
+    TARGET_MOD="mod_google.sh"
+    MOD_NAME="Google 区域纠偏"
+elif [ "$ENABLE_TRUST" == "true" ]; then
+    TARGET_MOD="mod_trust.sh"
+    MOD_NAME="IP 信用净化"
+else
+    log "SYSTEM" "WARN" "节点未开启任何养护模块，跳过本轮执行。"
+    exit 0
+fi
+
+# 5. 拉起选定的业务模块
+if [ -n "$TARGET_MOD" ] && [ -x "${INSTALL_DIR}/core/${TARGET_MOD}" ]; then
+    log "SYSTEM" "INFO" "命中触发条件，加载并执行子模块: ${MOD_NAME}"
+    # 核心降耗逻辑：使用 nice -n 19 赋予进程最低 CPU 优先级，绝不抢占 VPS 正常业务的资源
+    nice -n 19 bash "${INSTALL_DIR}/core/${TARGET_MOD}"
+else
+    log "SYSTEM" "ERROR" "配置了模块 ${MOD_NAME}，但未找到对应的可执行脚本: ${TARGET_MOD}"
 fi
 
 log "SYSTEM" "INFO" "本轮所有模块调度完毕，哨兵继续隐蔽待命。"

core/tg_report.sh

@@ -1,8 +1,8 @@
 #!/bin/bash
 
 # ==========================================================
-# 脚本名称: tg_report.sh (Telegram 每日战报模块 V5.3 缝合加强版)
-# 核心功能: 分析日志并推送 24 小时统计数据到 TG (修复 Markdown 断联Bug)
+# 脚本名称: tg_report.sh (Telegram 每日战报模块 V3.4.0 动态拼装版)
+# 核心功能: 适配 Feature Flag 架构，按需展示 Google/Trust 独立统计数据
 # ==========================================================
 
 INSTALL_DIR="/opt/ip_sentinel"
@@ -18,93 +18,180 @@ if [ -z "$TG_TOKEN" ] || [ -z "$CHAT_ID" ]; then
     exit 0
 fi
 
-# 2. 节点元数据抓取
-NODE_NAME=$(hostname | cut -c 1-15)
-CURRENT_IP=$(curl -4 -s -m 5 api.ip.sb/ip || echo "Unknown")
+# 2. 节点元数据抓取 (v3.2.2 协议自适应与多级容灾版)
+# [v3.3.2 修复: 引入 IP 哈希防同名覆盖机制]
+IP_HASH=$(echo "${PUBLIC_IP:-127.0.0.1}" | md5sum | cut -c 1-4 | tr 'a-z' 'A-Z')
+NODE_NAME="$(hostname | cut -c 1-10)-${IP_HASH}"
+
+# --- [防线 1: 底层路由锁定与协议自适应] ---
+CURL_BIND_OPT=""
+DYNAMIC_IP_PREF="-${IP_PREF:-4}"
+
+if [[ -n "$BIND_IP" && "$BIND_IP" =~ ^[0-9a-fA-F:\.]+$ ]]; then
+    CURL_BIND_OPT="--interface $BIND_IP"
+    if [[ "$BIND_IP" == *":"* ]]; then
+        DYNAMIC_IP_PREF="-6"
+    elif [[ "$BIND_IP" == *"."* ]]; then
+        DYNAMIC_IP_PREF="-4"
+    fi
+fi
+
+# 多节点容灾探测出口 IP (注入协议自适应)
+CURRENT_IP=$( (curl $CURL_BIND_OPT $DYNAMIC_IP_PREF -s -m 5 api.ip.sb/ip || curl $CURL_BIND_OPT $DYNAMIC_IP_PREF -s -m 5 ifconfig.me) 2>/dev/null | tr -d '[:space:]' )
+# [v3.3.1 修改] 强制兜底：如果外部 API 挂了，优先使用固化的对外公网面孔 (兼容 NAT 机的空 BIND_IP)
+[ -z "$CURRENT_IP" ] && CURRENT_IP="${PUBLIC_IP:-$BIND_IP}"
+
+# 为可能获取到的 IPv6 自动添加方括号护甲
+[[ "$CURRENT_IP" == *":"* ]] && [[ "$CURRENT_IP" != *"["* ]] && CURRENT_IP="[${CURRENT_IP}]"
+
+# --- [防线 2: 多级 ISP 容灾探针链路] ---
+ISP_INFO=""
+
+# 探针 A: 纯文本 API (免 jq，极速稳定)
+ISP_INFO=$(curl $CURL_BIND_OPT $DYNAMIC_IP_PREF -s -m 5 ipinfo.io/org 2>/dev/null)
+
+# 探针 B: 备用纯文本 API
+if [ -z "$ISP_INFO" ] || [[ "$ISP_INFO" == *"error"* ]]; then
+    ISP_INFO=$(curl $CURL_BIND_OPT $DYNAMIC_IP_PREF -s -m 5 ip-api.com/line/?fields=isp 2>/dev/null)
+fi
+
+# 探针 C: 原版的 JSON API (需要 jq 兜底)
+if [ -z "$ISP_INFO" ] || [[ "$ISP_INFO" == *"error"* ]]; then
+    if command -v jq &> /dev/null; then
+        ISP_INFO=$(curl $CURL_BIND_OPT $DYNAMIC_IP_PREF -s -m 5 api.ip.sb/geoip | jq -r '.organization' 2>/dev/null)
+    fi
+fi
+
+# --- [防线 3: 数据清洗 (遵循底层共识原则)] ---
+# 剔除 ipinfo 返回的开头 AS 号 (例如 "AS137535 JT TELECOM" -> "JT TELECOM")
+ISP_INFO=$(echo "$ISP_INFO" | sed -E 's/^AS[0-9]+ //')
+
+# 最终兜底判断
+[ -z "$ISP_INFO" ] || [ "$ISP_INFO" == "null" ] && ISP_INFO="未知 ISP"
 
-# 智能判断 IP 属性 (通过检查 ISP 标识)
-ISP_INFO=$(curl -4 -s -m 5 api.ip.sb/geoip | jq -r '.organization' 2>/dev/null)
 if [[ "$ISP_INFO" == *"Cloudflare"* ]]; then
     IP_TYPE="Cloudflare Warp 🛰️"
 else
-    IP_TYPE="Native 原生网卡 🏠"
+    IP_TYPE="$ISP_INFO 🏠"
 fi
 
+# 动态国旗
+case "$REGION_CODE" in
+    "JP") FLAG="🇯🇵" ;;
+    "US") FLAG="🇺🇸" ;;
+    "DE") FLAG="🇩🇪" ;;
+    "SG") FLAG="🇸🇬" ;;
+    "HK") FLAG="🇭🇰" ;;
+    "GB"|"UK") FLAG="🇬🇧" ;;
+    *) FLAG="🌐" ;;
+esac
+
 # 3. 截取过去 24 小时的日志
 LOG_CONTENT=$(find "$LOG_FILE" -mtime -1 -exec cat {} \; 2>/dev/null)
 
 if [ -z "$LOG_CONTENT" ]; then
-    # 修复了换行问题，统一用 EOF 块构造
     read -r -d '' MSG <<EOT
 🛑 **[IP-Sentinel] 告警：节点异常**
 ----------------------------
 📍 **节点名称**: \`${NODE_NAME}\`
 ⚠️ **警告**: 过去 24 小时无运行日志！
-🛠️ **建议**: 节点可能刚部署完毕，请手动执行一次 [执行深度伪装]。
+🛠️ **建议**: 节点可能刚部署完毕，请在面板手动执行一次养护动作。
 EOT
 else
-    # 4. 数据精准分析
-    TOTAL_SESSIONS=$(echo "$LOG_CONTENT" | grep "\[START\]" -c)
-    SUCCESS_COUNT=$(echo "$LOG_CONTENT" | grep "✅" -c)
-    FAILED_COUNT=$(echo "$LOG_CONTENT" | grep "❌" -c)
-    UNKNOWN_COUNT=$(echo "$LOG_CONTENT" | grep "⚠️" -c)
+    # ==========================================
+    # 4. 动态模块数据分析 (核心升级)
+    # ==========================================
+    
+    # 提取最近一次运行的快照 (智能识别所属模块)
+    LAST_LOG_LINE=$(echo "$LOG_CONTENT" | grep "\[SCORE\]" | tail -n 1)
+    LAST_TIME=$(echo "$LAST_LOG_LINE" | awk '{print $1,$2}' | tr -d '[]')
+    LAST_MOD=$(echo "$LAST_LOG_LINE" | awk '{print $4}' | tr -d '[]')
+    LAST_SCORE=$(echo "$LAST_LOG_LINE" | awk -F'自检结论: ' '{print $2}')
 
-    # 提取最近一次运行的时间和结论文本 
-    # (⚠️ 核心 Bug 修复: 用 awk 切割并过滤掉中括号 []，防止触发 TG Markdown 语法错误导致消息丢弃)
-    LAST_TIME=$(echo "$LOG_CONTENT" | grep "\[END" | tail -n 1 | awk '{print $1,$2}' | tr -d '[]')
-    LAST_SCORE=$(echo "$LOG_CONTENT" | grep "\[SCORE\]" | tail -n 1 | awk -F'自检结论: ' '{print $2}' | tr -d '[]')
-
-    # 计算成功率
-    if [ "$TOTAL_SESSIONS" -gt 0 ]; then
-        RATE=$(awk "BEGIN {printf \"%.1f\", ($SUCCESS_COUNT/$TOTAL_SESSIONS)*100}")
-    else
-        RATE=0
-    fi
-
-    # 状态表情逻辑：成功率 100% 显绿色，0% 显红色，中间显黄色
-    if [ "$SUCCESS_COUNT" -eq "$TOTAL_SESSIONS" ] && [ "$TOTAL_SESSIONS" -gt 0 ]; then
-        STATUS_EMOJI="🟢 隐匿完美"
-    elif [ "$SUCCESS_COUNT" -gt 0 ]; then
-        STATUS_EMOJI="🟡 伪装拉锯中"
-    else
-        STATUS_EMOJI="🔴 目标已暴露"
-    fi
-
-    # 动态国旗
-    case "$REGION_CODE" in
-        "JP") FLAG="🇯🇵" ;;
-        "US") FLAG="🇺🇸" ;;
-        "DE") FLAG="🇩🇪" ;;
-        "SG") FLAG="🇸🇬" ;;
-        *) FLAG="🌐" ;;
-    esac
-
-    # 5. 组装 Markdown 消息体 (吸收了老版本的优点)
-    read -r -d '' MSG <<EOT
-📊 **IP-Sentinel 每日简报 (${FLAG} ${REGION_NAME})**
+    # 开始组装战报头部
+    MSG="📊 **IP-Sentinel 每日简报 (${FLAG} ${REGION_NAME})**
 ----------------------------
 📍 **节点名称**: \`${NODE_NAME}\`
 📡 **出口 IP**: \`${CURRENT_IP}\`
-🛡️ **IP 属性**: ${IP_TYPE}
-🔰 **当前状态**: ${STATUS_EMOJI}
+🛡️ **IP 属性**: ${IP_TYPE}"
 
-📅 **24H 统计数据**:
-🚀 执行总数: ${TOTAL_SESSIONS} 次
-✅ 成功伪装: ${SUCCESS_COUNT} 次
-❌ 判定送中: ${FAILED_COUNT} 次
-⚠️ 未知跳转: ${UNKNOWN_COUNT} 次
-📈 综合胜率: **${RATE}%**
+    # --- [分析块 1: Google 纠偏模块] ---
+    if [ "$ENABLE_GOOGLE" == "true" ]; then
+        GOOGLE_LOGS=$(echo "$LOG_CONTENT" | grep "\[Google")
+        G_TOTAL=$(echo "$GOOGLE_LOGS" | grep "\[START\]" -c)
+        G_SUCCESS=$(echo "$GOOGLE_LOGS" | grep "✅" -c)
+        G_FAILED=$(echo "$GOOGLE_LOGS" | grep "❌" -c)
+        G_WARN=$(echo "$GOOGLE_LOGS" | grep "⚠️" -c)
+        
+        G_RATE="0.0"
+        [ "$G_TOTAL" -gt 0 ] && G_RATE=$(awk "BEGIN {printf \"%.1f\", ($G_SUCCESS/$G_TOTAL)*100}")
 
-🕒 **最近执行快照**:
+        MSG="$MSG
+
+🎯 **[Google 区域纠偏]**
+🚀 执行总数: ${G_TOTAL} 次 (胜率: **${G_RATE}%**)
+✅ 成功: ${G_SUCCESS} | ❌ 送中: ${G_FAILED} | ⚠️ 警告: ${G_WARN}"
+    fi
+
+    # --- [分析块 2: IP 信用净化模块] ---
+    if [ "$ENABLE_TRUST" == "true" ]; then
+        TRUST_LOGS=$(echo "$LOG_CONTENT" | grep "\[Trust")
+        T_TOTAL=$(echo "$TRUST_LOGS" | grep "\[START\]" -c)
+        T_SUCCESS=$(echo "$TRUST_LOGS" | grep "✅" -c)
+        T_FAILED=$(echo "$TRUST_LOGS" | grep "❌" -c)
+        
+        T_RATE="0.0"
+        [ "$T_TOTAL" -gt 0 ] && T_RATE=$(awk "BEGIN {printf \"%.1f\", ($T_SUCCESS/$T_TOTAL)*100}")
+
+        MSG="$MSG
+
+🔰 **[IP 信用净化]**
+🚀 净化总数: ${T_TOTAL} 轮 (成功率: **${T_RATE}%**)
+✅ 成功注入: ${T_SUCCESS} | ❌ 访问受阻: ${T_FAILED}"
+    fi
+
+    # 组装战报尾部 (最近快照)
+    MSG="$MSG
+
+🕒 **最近执行快照 [${LAST_MOD:-"System"}]:**
 时间: ${LAST_TIME:-"暂无数据"}
-结论: ${LAST_SCORE:-"暂无数据"}
-----------------------------
-💡 哨兵正在后台默默守护您的资产。
-EOT
+结论: ${LAST_SCORE:-"暂无数据"}"
+
 fi
 
-# 6. 调用 API 推送 (增加返回值校验输出，方便查错)
-RESPONSE=$(curl -s -m 10 -X POST "https://api.telegram.org/bot${TG_TOKEN}/sendMessage" \
+# ==========================================
+# 5. [v3.4.0 新增] 云端版本探针与告警模块
+# ==========================================
+# 从配置文件提取当前本地版本，若无则默认为未知
+LOCAL_VER="${AGENT_VERSION:-未知}"
+
+# 极轻量级探针: 抓取 GitHub 云端的 version.txt (超时 3 秒)
+REPO_RAW_URL="https://raw.githubusercontent.com/hotyue/IP-Sentinel/main"
+REMOTE_VER=$(curl -s -m 3 "${REPO_RAW_URL}/version.txt" | tr -d '[:space:]')
+
+# 构建底部引擎状态块
+MSG="$MSG
+----------------------------
+🛡️ **系统引擎状态**
+当前运行版本: \`v${LOCAL_VER}\`"
+
+# 比对逻辑：如果成功抓到了远端版本，且和本地不一样
+if [ -n "$REMOTE_VER" ] && [ "$REMOTE_VER" != "$LOCAL_VER" ]; then
+    MSG="$MSG
+最新官方版本: \`v${REMOTE_VER}\` (✨有新版)
+💡 *司令部提示：检测到新版装甲，请长官登录节点执行平滑热更新！*"
+elif [ -n "$REMOTE_VER" ] && [ "$REMOTE_VER" == "$LOCAL_VER" ]; then
+    MSG="$MSG
+最新官方版本: \`v${REMOTE_VER}\` (✅已是最新)
+💡 *哨兵正在后台默默守护您的资产。*"
+else
+    # 抓取失败兜底
+    MSG="$MSG
+💡 *哨兵正在后台默默守护您的资产。*"
+fi
+
+# 5. 调用 API 推送 (接入安全网关)
+RESPONSE=$(curl -s -m 10 -X POST "${TG_API_URL}" \
     -d "chat_id=${CHAT_ID}" \
     -d "text=${MSG}" \
     -d "parse_mode=Markdown")

core/uninstall.sh

@@ -1,35 +1,58 @@
 #!/bin/bash
 
 # ==========================================================
-# 脚本名称: uninstall.sh (IP-Sentinel 一键卸载脚本)
-# 核心功能: 清除守护进程、清理系统定时任务、删除所有程序文件
+# 脚本名称: uninstall.sh (IP-Sentinel 一键卸载脚本 V3.4.0 焦土版)
+# 核心功能: 无痕清理守护进程、定时任务、运行目录及临时缓存
 # ==========================================================
 
 INSTALL_DIR="/opt/ip_sentinel"
 
 echo "========================================================"
-echo "      🗑️ 准备卸载 IP-Sentinel (VPS IP 自动养护哨兵)"
+echo "      🗑️ 准备卸载 IP-Sentinel (边缘节点 Edge Agent)"
+
+# [v3.4.0 优化] 尝试获取当前本地版本号
+CONFIG_FILE="${INSTALL_DIR}/config.conf"
+if [ -f "$CONFIG_FILE" ]; then
+    CURRENT_VER=$(grep "^AGENT_VERSION=" "$CONFIG_FILE" | cut -d'"' -f2)
+    [ -n "$CURRENT_VER" ] && echo "        📍 目标版本: v${CURRENT_VER}"
+fi
 echo "========================================================"
 
-# 1. 停止运行中的守护进程与主控模块
-echo "[1/3] 正在终止后台 Telegram 守护进程与养护任务..."
-pgrep -f tg_daemon.sh | xargs -r kill -9 >/dev/null 2>&1
-pgrep -f runner.sh | xargs -r kill -9 >/dev/null 2>&1
-pgrep -f mod_google.sh | xargs -r kill -9 >/dev/null 2>&1
+# 1. 停止运行中的守护进程与主控模块 (涵盖所有历史版本进程)
+echo "[1/3] 正在终止后台守护进程与所有养护任务..."
+
+# 使用 pkill 替代传统的 pgrep | xargs，指令更短、容错率更高
+pkill -9 -f "tg_daemon.sh" >/dev/null 2>&1
+pkill -9 -f "agent_daemon.sh" >/dev/null 2>&1
+# [v3.4.0 优化] 确保清理所有 python3 调起的 Webhook 实例
+pkill -9 -f "python3.*webhook.py" >/dev/null 2>&1
+pkill -9 -f "webhook.py" >/dev/null 2>&1
+pkill -9 -f "runner.sh" >/dev/null 2>&1
+pkill -9 -f "updater.sh" >/dev/null 2>&1
+pkill -9 -f "tg_report.sh" >/dev/null 2>&1
+pkill -9 -f "mod_google.sh" >/dev/null 2>&1
+pkill -9 -f "mod_trust.sh" >/dev/null 2>&1
 
 # 2. 清除系统定时任务 (Cron)
 echo "[2/3] 正在清理系统定时任务 (Cron)..."
-crontab -l 2>/dev/null | grep -v "ip_sentinel" > /tmp/cron_backup
-crontab /tmp/cron_backup
-rm -f /tmp/cron_backup
+if crontab -l >/dev/null 2>&1; then
+    crontab -l | grep -v "ip_sentinel" > /tmp/cron_backup
+    crontab /tmp/cron_backup
+    rm -f /tmp/cron_backup
+fi
 
-# 3. 删除所有文件与日志
-echo "[3/3] 正在抹除核心程序、配置文件与系统日志..."
+# 3. 删除所有文件、日志与临时缓存
+echo "[3/3] 正在抹除核心程序、配置文件与系统痕迹..."
 if [ -d "$INSTALL_DIR" ]; then
     rm -rf "$INSTALL_DIR"
 fi
 
+# 拔除 /tmp 目录下的所有更新下载临时文件和 V1/V2 遗留的偏移量记录
+rm -f /tmp/ip_sentinel_*.txt
+rm -f /tmp/ip_sentinel_*.json
+
 echo "========================================================"
 echo "✅ 卸载彻底完成！IP-Sentinel 已从您的系统中无痕移除。"
-echo "👋 感谢您的使用，期待未来再次为您守护 IP！"
+echo "💡 提示：如果安装时在防火墙放行了 Webhook 随机端口，请您按需手动关闭。"
+echo "👋 感谢您的使用，期待未来再次为您守护资产！"
 echo "========================================================"

core/updater.sh

@@ -1,14 +1,16 @@
 #!/bin/bash
 
 # ==========================================================
-# 脚本名称: updater.sh (IP-Sentinel 养料注入与系统维护模块)
-# 核心功能: 定期静默更新热数据、清理瘦身日志文件
+# 脚本名称: updater.sh (IP-Sentinel v3.4.0 养料注入与分频调度中枢)
+# 核心功能: 静默更新热搜词/LBS、指纹库错峰调度、强制出站死锁、版本锚点版
 # ==========================================================
 
 INSTALL_DIR="/opt/ip_sentinel"
 CONFIG_FILE="${INSTALL_DIR}/config.conf"
-# 你的专属 Forgejo 仓库 Raw 数据直链前缀
-REPO_RAW_URL="https://git.94211762.xyz/hotyue/IP-Sentinel/raw/branch/main"
+UA_TIME_FILE="${INSTALL_DIR}/core/.ua_last_update"
+
+# GitHub 仓库 Raw 数据直链前缀
+REPO_RAW_URL="https://raw.githubusercontent.com/hotyue/IP-Sentinel/main"
 
 # 1. 加载本地冷数据配置
 if [ ! -f "$CONFIG_FILE" ]; then
@@ -16,37 +18,106 @@ if [ ! -f "$CONFIG_FILE" ]; then
 fi
 source "$CONFIG_FILE"
 
-# 2. 全局日志写入函数
+# 2. 全局日志写入函数 (v3.4.0 引入版本探针)
 log() {
+    # [v3.4.0 核心] 提取当前配置中的版本锚点
+    local local_ver="${AGENT_VERSION:-未知}"
+    
     mkdir -p "${INSTALL_DIR}/logs"
-    printf "[$(date '+%Y-%m-%d %H:%M:%S')] [%-5s] [%-7s] [%s] %s\n" "$2" "$1" "$REGION_CODE" "$3" >> "$LOG_FILE"
+    # 日志格式注入 [版本号] 追踪标识
+    printf "[$(date '+%Y-%m-%d %H:%M:%S')] [v%-5s] [%-5s] [%-7s] [%s] %s\n" "$local_ver" "$2" "$1" "$REGION_CODE" "$3" >> "$LOG_FILE"
 }
 
 log "Updater" "INFO " "========== 触发后台静默 OTA 热数据更新 =========="
 
-# 3. 容灾机制拉取 UA 池
-TMP_UA="/tmp/ip_sentinel_ua.txt"
-curl -sL "${REPO_RAW_URL}/data/user_agents.txt" -o "$TMP_UA"
-if [ -s "$TMP_UA" ]; then
-    mv "$TMP_UA" "${INSTALL_DIR}/data/user_agents.txt"
-    log "Updater" "INFO " "✅ 设备指纹池 (User-Agents) 更新成功"
-else
-    log "Updater" "WARN " "❌ UA 池拉取失败或为空，保留本地旧数据防崩溃"
-    rm -f "$TMP_UA"
+# ==========================================================
+# 🛡️ 终极护城河：构建强锚定出站的 curl 请求引擎
+# ==========================================================
+# 基础参数：跟随 install.sh 锁定的协议偏好 (4 或 6)
+CURL_CMD="curl -${IP_PREF:-4} -sL"
+
+# 【防坑核心】如果用户配置了死锁锚点，必须强制绑定网卡，杜绝流量溢出！
+if [ -n "$BIND_IP" ]; then
+    # curl 的 --interface 参数不支持带方括号的 IPv6 地址，必须强行脱壳
+    RAW_BIND_IP=$(echo "$BIND_IP" | tr -d '[]')
+    CURL_CMD="$CURL_CMD --interface $RAW_BIND_IP"
 fi
 
-# 4. 容灾机制拉取当地最新搜索词库
+# ==========================================================
+# 3. 容灾机制拉取 UA 指纹池 (V3.3.0 引入 30 天错峰防惊群逻辑)
+# ==========================================================
+NOW=$(date +%s)
+LAST_UPDATE=0
+
+# 读取上一次更新的时间戳
+if [ -f "$UA_TIME_FILE" ]; then
+    # tr -d 清除可能存在的换行或回车符，防止算术崩溃
+    LAST_UPDATE=$(cat "$UA_TIME_FILE" | tr -d '\r\n')
+fi
+
+# 校验数据合法性，防崩溃
+if ! [[ "$LAST_UPDATE" =~ ^[0-9]+$ ]]; then
+    LAST_UPDATE=0
+fi
+
+DIFF=$((NOW - LAST_UPDATE))
+
+# 距离上次拉取超过 30 天 (2592000 秒)，才执行下载
+if [ "$DIFF" -ge 2592000 ] || [ "$LAST_UPDATE" -eq 0 ]; then
+    TMP_UA="/tmp/ip_sentinel_ua.txt"
+    # 使用重装升级后的 CURL_CMD
+    $CURL_CMD "${REPO_RAW_URL}/data/user_agents.txt" -o "$TMP_UA"
+    
+    if [ -s "$TMP_UA" ]; then
+        mv "$TMP_UA" "${INSTALL_DIR}/data/user_agents.txt"
+        echo "$NOW" > "$UA_TIME_FILE"
+        log "Updater" "INFO " "✅ 设备指纹池 (User-Agents) 30天错峰滚动更新成功"
+    else
+        log "Updater" "WARN " "❌ UA 池拉取失败，保留本地旧数据防崩溃"
+        rm -f "$TMP_UA"
+    fi
+else
+    DAYS_LEFT=$(((2592000 - DIFF) / 86400))
+    log "Updater" "INFO " "⏳ 设备指纹池处于 30 天静默期 (剩余约 ${DAYS_LEFT} 天)，跳过拉取"
+fi
+
+# ==========================================================
+# 4. 容灾机制拉取当地最新搜索词库 (每日高频拉取，保证活体新鲜度)
+# ==========================================================
 TMP_KW="/tmp/ip_sentinel_kw.txt"
-curl -sL "${REPO_RAW_URL}/data/keywords/kw_${REGION_CODE}.txt" -o "$TMP_KW"
+$CURL_CMD "${REPO_RAW_URL}/data/keywords/kw_${REGION_CODE}.txt" -o "$TMP_KW"
+
 if [ -s "$TMP_KW" ]; then
     mv "$TMP_KW" "${INSTALL_DIR}/data/keywords/kw_${REGION_CODE}.txt"
-    log "Updater" "INFO " "✅ 区域搜索词库 (kw_${REGION_CODE}) 更新成功"
+    log "Updater" "INFO " "✅ 区域搜索词库 (kw_${REGION_CODE}) 每日同步成功"
 else
     log "Updater" "WARN " "❌ 搜索词库拉取失败，保留本地旧数据防崩溃"
     rm -f "$TMP_KW"
 fi
 
-# 5. 【升级点】日志防满瘦身机制 (保留最近 2000 行)
+# ==========================================================
+# 5. 自适应拉取本地 LBS 专属 JSON 规则库 (每日同步)
+# ==========================================================
+REGION_JSON_FILE=$(find "${INSTALL_DIR}/data/regions" -name "*.json" 2>/dev/null | head -n 1)
+
+if [ -n "$REGION_JSON_FILE" ] && [ -f "$REGION_JSON_FILE" ]; then
+    REL_PATH=${REGION_JSON_FILE#*${INSTALL_DIR}/}
+    TMP_JSON="/tmp/ip_sentinel_region.json"
+    
+    $CURL_CMD "${REPO_RAW_URL}/${REL_PATH}" -o "$TMP_JSON"
+    
+    if [ -s "$TMP_JSON" ]; then
+        mv "$TMP_JSON" "$REGION_JSON_FILE"
+        log "Updater" "INFO " "✅ 核心战区规则库 ($REL_PATH) 每日同步成功"
+    else
+        log "Updater" "WARN " "❌ 战区规则库拉取失败，保留本地旧数据"
+        rm -f "$TMP_JSON"
+    fi
+fi
+
+# ==========================================================
+# 6. 日志防满瘦身机制 (保留最近 2000 行)
+# ==========================================================
 if [ -f "$LOG_FILE" ]; then
     tail -n 2000 "$LOG_FILE" > "${LOG_FILE}.tmp"
     mv "${LOG_FILE}.tmp" "$LOG_FILE"

data/keywords/kw_DE.txt

@@ -0,0 +1,30 @@
+dietrich grönemeyer
+fränkische schweiz
+scarlett johansson
+jeff bezos
+dan brown
+паспорт громадянина україни для виїзду за кордон
+serena williams
+kampf der realitystars
+манчестер юнайтед – лидс
+catherine deneuve
+bobzin
+sprit
+kev
+abschiebung
+steuer
+masters rory mcilroy
+großglockner
+news38
+jessie cave
+michael schulte
+wetter frankfurt heute
+bundesliga ergebnisse
+aktuelle nachrichten deutschland
+restaurant in der nähe
+deutsche bahn fahrplan
+urlaub buchen
+rezept für kartoffelsalat
+dax aktueller stand
+apotheke notdienst frankfurt
+günstige flüge

data/keywords/kw_FR.txt

@@ -0,0 +1,30 @@
+yann barthes
+camille cerf
+alain delon
+loto du 13 avril 2026
+juan arbeláez
+hbo
+katy perry justin trudeau
+jacob elordi
+tondela – gil vicente
+le rugbynistère
+epstein
+kino
+horoscope du 13 avril 2026
+golf masters augusta 2026
+boursorama bourse
+cac 40
+sept à huit
+ligne 12 métro
+alice taglioni
+pedro sánchez
+meteo paris
+actualités en direct
+résultats ligue 1
+pharmacie de garde
+horaires sncf
+recette crêpes
+cac 40 en direct
+acheter billet louvre
+boulangerie autour de moi
+carte vitale ameli

data/keywords/kw_HK.txt

@@ -0,0 +1,30 @@
+man united vs leeds
+曼聯 對 里茲聯
+prediction market
+預測市場
+polymarket
+巴基斯坦
+sndk
+江美儀
+楊何蓓茵
+樂珈嘉
+姜濤
+日經平均指數
+飲茶
+上市公司
+daniel caesar
+中年好聲音4
+香港天文台
+煤氣
+livenation
+政府
+香港天文台天氣預報
+MTR 港鐵路線圖
+OpenRice 附近美食
+LIHKG 討論區
+恆生指數今日行情
+SCMP breaking news
+HKEX 港交所股價
+國泰航空航班狀態
+香港迪士尼樂園門票
+百佳超級市場網購

data/keywords/kw_JP.txt

@@ -1,7 +1,26 @@
+man united vs leeds
+白鵬翔
+日本アカデミー賞 最優秀助演男優賞
+マンu 対 リーズ u
+サンディスク 株価
+らじるらじる
+マクドナルド
+ロシア
+広島市
+ゲイブル・スティーブソン
+日本維新の会
+新 日本 繊維
+高見沢 俊彦
+不登校
+後期高齢者医療制度
+バーミヤン
+宮澤エマ
+チケプラ
+横綱
+宮里美香
 東京 天気 明日
 新宿 おすすめ 居酒屋
 最新のニュース 速報
 ゴールド 相場 チャート
 近くの静かなカフェ
-地震 速報
-円安 影響 生活
+円安 影響 生活

data/keywords/kw_SG.txt

@@ -0,0 +1,30 @@
+man united vs leeds
+cbse class 10 result 2026 date
+euphoria season 3
+srh vs rr
+tamil new year 2026
+low de wei
+pope
+flexar
+microsoft outlook
+new rolex 2026
+medical classification
+blasphemy law
+big bang coachella 2026
+小贩
+malaysia fuel price crisis
+sbti personality test
+cancer survivor
+tim cook
+spurs vs nuggets
+asia flights cancelled delayed
+singapore weather forecast
+mrt map singapore
+straitstimes breaking news
+cpf board login
+hdb bto launch updates
+best chicken rice near me
+public holidays sg
+singpass login portal
+changi airport flight status
+iras tax filing

data/keywords/kw_UK.txt

@@ -0,0 +1,30 @@
+noah okafor
+casemiro
+talksport
+lazio
+leeds united fixtures
+bruno fernandes
+afc champions league
+meteor
+carlos queiroz
+travel warning
+tori amos
+cloud
+reading
+rolls-royce smr
+istanbul airport
+a27
+bridget phillipson
+tottenham standings
+may bank holiday 2026
+toto wolff
+london weather today
+bbc news latest
+premier league fixtures
+tesco near me
+tube map london
+uk bank holidays
+royal family news
+how to make english tea
+nhs symptom checker
+property for sale in london

data/keywords/kw_US.txt

@@ -1,6 +1,29 @@
+usa network
+natalie sago
+carlos queiroz
+carlos batista
+katie boulter
+levante - getafe
+levante vs getafe
+mcilroy green jacket presentation
+man united vs leeds
+7-eleven closing locations
+cloud
+sports
+sony playstation
+alaska airline
+toronto
+sydney
+paris
+tokyo
+delhi
+sykkuno drama
 Los Angeles weather today
 S&P 500 stock chart
 local coffee shops near me
 latest tech news
 California traffic updates
-AI startups in Silicon Valley
+AI startups in Silicon ValleySan Jose weather this weekend
+Silicon Valley tech news
+best tacos in San Jose
+Apple park visitor center hours

data/map.json

@@ -0,0 +1,105 @@
+{
+  "version": "3.1.0",
+  "updated_at": "2026-04-11",
+  "countries": [
+    {
+      "id": "US",
+      "name": "United States (美国)",
+      "keyword_file": "kw_US.txt",
+      "states": [
+        {
+          "id": "CA",
+          "name": "California (加州)",
+          "cities": [
+            { "id": "Los_Angeles", "name": "Los Angeles (洛杉矶)" },
+            { "id": "San_Jose", "name": "San Jose (圣何塞)" }
+          ]
+        }
+      ]
+    },
+    {
+      "id": "JP",
+      "name": "Japan (日本)",
+      "keyword_file": "kw_JP.txt",
+      "states": [
+        {
+          "id": "Default",
+          "name": "Default State",
+          "cities": [
+            { "id": "Tokyo", "name": "Tokyo (东京)" }
+          ]
+        }
+      ]
+    },
+    {
+      "id": "UK",
+      "name": "United Kingdom (英国)",
+      "keyword_file": "kw_UK.txt",
+      "states": [
+        {
+          "id": "Default",
+          "name": "Default State",
+          "cities": [
+            { "id": "London", "name": "London (伦敦)" }
+          ]
+        }
+      ]
+    },
+    {
+      "id": "DE",
+      "name": "Germany (德国)",
+      "keyword_file": "kw_DE.txt",
+      "states": [
+        {
+          "id": "Default",
+          "name": "Default State",
+          "cities": [
+            { "id": "Frankfurt", "name": "Frankfurt (法兰克福)" }
+          ]
+        }
+      ]
+    },
+    {
+      "id": "FR",
+      "name": "France (法国)",
+      "keyword_file": "kw_FR.txt",
+      "states": [
+        {
+          "id": "Default",
+          "name": "Default State",
+          "cities": [
+            { "id": "Paris", "name": "Paris (巴黎)" }
+          ]
+        }
+      ]
+    },
+    {
+      "id": "SG",
+      "name": "Singapore (新加坡)",
+      "keyword_file": "kw_SG.txt",
+      "states": [
+        {
+          "id": "Default",
+          "name": "Default State",
+          "cities": [
+            { "id": "Singapore", "name": "Singapore (新加坡)" }
+          ]
+        }
+      ]
+    },
+    {
+      "id": "HK",
+      "name": "Hong Kong (香港)",
+      "keyword_file": "kw_HK.txt",
+      "states": [
+        {
+          "id": "Default",
+          "name": "Default State",
+          "cities": [
+            { "id": "HongKong", "name": "Hong Kong (香港)" }
+          ]
+        }
+      ]
+    }
+  ]
+}

data/regions/DE/Default/Frankfurt.json

@@ -0,0 +1,20 @@
+{
+  "region_name": "Germany - Frankfurt",
+  "google_module": {
+    "base_lat": 50.1109,
+    "base_lon": 8.6821,
+    "lang_params": "hl=de&gl=DE",
+    "valid_url_suffix": "de"
+  },
+  "trust_module": {
+    "white_urls": [
+      "https://www.amazon.de/",
+      "https://www.spiegel.de/",
+      "https://www.tagesschau.de/",
+      "https://de.wikipedia.org/wiki/Spezial:Zuf%C3%A4llige_Seite",
+      "https://www.ebay.de/",
+      "https://www.bild.de/",
+      "https://www.kicker.de/"
+    ]
+  }
+}

data/regions/FR/Default/Paris.json

@@ -0,0 +1,20 @@
+{
+  "region_name": "France - Paris",
+  "google_module": {
+    "base_lat": 48.8566,
+    "base_lon": 2.3522,
+    "lang_params": "hl=fr&gl=FR",
+    "valid_url_suffix": "fr"
+  },
+  "trust_module": {
+    "white_urls": [
+      "https://www.lemonde.fr/",
+      "https://www.lefigaro.fr/",
+      "https://www.amazon.fr/",
+      "https://www.service-public.fr/",
+      "https://fr.wikipedia.org/wiki/Sp%C3%A9cial:Page_au_hasard",
+      "https://www.cdiscount.com/",
+      "https://www.fnac.com/"
+    ]
+  }
+}

data/regions/HK/Default/HongKong.json

@@ -0,0 +1,20 @@
+{
+  "region_name": "Hong Kong",
+  "google_module": {
+    "base_lat": 22.2847,
+    "base_lon": 114.1582,
+    "lang_params": "hl=zh-HK&gl=HK",
+    "valid_url_suffix": "com.hk"
+  },
+  "trust_module": {
+    "white_urls": [
+      "https://www.gov.hk/",
+      "https://www.hko.gov.hk/",
+      "https://www.scmp.com/",
+      "https://www.hk01.com/",
+      "https://zh.wikipedia.org/wiki/Special:Random",
+      "https://www.hktvmall.com/",
+      "https://www.mtr.com.hk/"
+    ]
+  }
+}

data/regions/JP.json

@@ -1,10 +0,0 @@
-{
-  "region_code": "JP",
-  "region_name": "日本 (东京)",
-  "google_module": {
-    "base_lat": 35.6895,
-    "base_lon": 139.6917,
-    "lang_params": "hl=ja&gl=jp&ceid=JP:ja",
-    "valid_url_suffix": "google.co.jp"
-  }
-}

data/regions/JP/Default/Tokyo.json

@@ -0,0 +1,20 @@
+{
+  "region_name": "日本 (东京)",
+  "google_module": {
+    "base_lat": 35.6812,
+    "base_lon": 139.7671,
+    "lang_params": "hl=ja&gl=JP",
+    "valid_url_suffix": "com" 
+  },
+  "trust_module": {
+    "white_urls": [
+      "https://ja.wikipedia.org/wiki/Special:Random",
+      "https://www.yahoo.co.jp/",
+      "https://www.rakuten.co.jp/",
+      "https://www.nhk.or.jp/",
+      "kakaku.com/",
+      "https://www.goo.ne.jp/",
+      "https://www.amazon.co.jp/"
+    ]
+  }
+}

data/regions/SG/Default/Singapore.json

@@ -0,0 +1,20 @@
+{
+  "region_name": "Singapore - Singapore",
+  "google_module": {
+    "base_lat": 1.3521,
+    "base_lon": 103.8198,
+    "lang_params": "hl=en-SG&gl=SG",
+    "valid_url_suffix": "com.sg"
+  },
+  "trust_module": {
+    "white_urls": [
+      "https://www.straitstimes.com/",
+      "https://www.channelnewsasia.com/",
+      "https://www.gov.sg/",
+      "https://shopee.sg/",
+      "https://en.wikipedia.org/wiki/Special:Random",
+      "https://www.fairprice.com.sg/",
+      "https://www.dbs.com.sg/"
+    ]
+  }
+}

data/regions/UK/Default/London.json

@@ -0,0 +1,20 @@
+{
+  "region_name": "United Kingdom - London",
+  "google_module": {
+    "base_lat": 51.5074,
+    "base_lon": -0.1278,
+    "lang_params": "hl=en&gl=GB",
+    "valid_url_suffix": "co.uk"
+  },
+  "trust_module": {
+    "white_urls": [
+      "https://www.bbc.co.uk/",
+      "https://www.gov.uk/",
+      "https://www.amazon.co.uk/",
+      "https://www.theguardian.com/uk",
+      "https://www.nhs.uk/",
+      "https://en.wikipedia.org/wiki/Special:Random",
+      "https://www.ebay.co.uk/"
+    ]
+  }
+}

data/regions/US.json

@@ -1,10 +0,0 @@
-{
-  "region_code": "US",
-  "region_name": "美国 (美西洛杉矶)",
-  "google_module": {
-    "base_lat": 34.0522,
-    "base_lon": -118.2437,
-    "lang_params": "hl=en&gl=us&ceid=US:en",
-    "valid_url_suffix": "google.com"
-  }
-}

data/regions/US/CA/Los_Angeles.json

@@ -0,0 +1,20 @@
+{
+  "region_name": "United States - Los Angeles",
+  "google_module": {
+    "base_lat": 34.0522,
+    "base_lon": -118.2437,
+    "lang_params": "hl=en&gl=US",
+    "valid_url_suffix": "com"
+  },
+  "trust_module": {
+    "white_urls": [
+      "https://en.wikipedia.org/wiki/Special:Random",
+      "https://www.yahoo.com/",
+      "https://www.target.com/",
+      "https://www.npr.org/",
+      "https://www.weather.com/",
+      "https://www.amazon.com/",
+      "https://www.cdc.gov/"
+    ]
+  }
+}

data/regions/US/CA/San_Jose.json

@@ -0,0 +1,21 @@
+{
+  "region_name": "United States - San Jose",
+  "google_module": {
+    "base_lat": 37.3382,
+    "base_lon": -121.8863,
+    "lang_params": "hl=en&gl=US",
+    "valid_url_suffix": "com"
+  },
+  "trust_module": {
+    "white_urls": [
+      "https://en.wikipedia.org/wiki/Special:Random",
+      "https://www.yahoo.com/",
+      "https://www.target.com/",
+      "https://www.npr.org/",
+      "https://www.weather.com/",
+      "https://www.amazon.com/",
+      "https://www.cdc.gov/",
+      "https://www.mercurynews.com/"
+    ]
+  }
+}

master/install_master.sh

@@ -1,19 +1,95 @@
 #!/bin/bash
 
 # ==========================================================
-# 脚本名称: install_master.sh (IP-Sentinel 控制中枢部署脚本)
-# 核心功能: 安装 SQLite3、初始化数据库表、配置后台守护进程
+# 脚本名称: install_master.sh (IP-Sentinel 控制中枢部署脚本 v3.4.0)
+# 核心功能: 部署/卸载调度中枢、SQLite 资产管理、平滑热更新引擎
 # ==========================================================
 
+# [v3.4.0 核心: 全局版本控制锚点]
+TARGET_VERSION="3.4.0"
+
+# 你的 GitHub 仓库 Raw 数据直链前缀
+REPO_RAW_URL="https://raw.githubusercontent.com/hotyue/IP-Sentinel/main"
+# 临时改为私库地址用于测试
+# REPO_RAW_URL="https://git.94211762.xyz/hotyue/IP-Sentinel/raw/branch/main"
+
 MASTER_DIR="/opt/ip_sentinel_master"
 DB_FILE="${MASTER_DIR}/sentinel.db"
 
 echo "========================================================"
-echo "      🧠 准备部署 IP-Sentinel Master 控制中枢"
+# [修改] 将欢迎语改为更通用的文案，因为现在不仅能部署，还能卸载
+echo "      🧠 欢迎使用 IP-Sentinel Master (控制中枢) v${TARGET_VERSION}"
 echo "========================================================"
 
+# [新增] 交互式操作菜单：支持选择部署或调用卸载程序
+echo -e "\n请选择操作:"
+echo "  1) 🚀 部署 Master 控制中枢"
+echo "  2) 🗑️ 一键卸载 Master 中枢"
+read -p "请输入选择 [1-2] (默认1): " ACTION_CHOICE
+
+if [ "$ACTION_CHOICE" == "2" ]; then
+    echo -e "\n⏳ 正在拉取卸载程序..."
+    # [新增逻辑] 使用上面定义的 REPO_RAW_URL 动态拉取卸载脚本，执行后自动销毁临时文件
+    curl -sL "${REPO_RAW_URL}/master/uninstall_master.sh" -o "/tmp/uninstall_master.sh"
+    chmod +x "/tmp/uninstall_master.sh"
+    bash "/tmp/uninstall_master.sh"
+    rm -f "/tmp/uninstall_master.sh"
+    exit 0
+fi
+
+# ================== [v3.2.2 新增: 平滑升级模式嗅探] ==================
+UPGRADE_MODE="false"
+KEEP_DB="true"
+
+if [ "$ACTION_CHOICE" == "1" ] && [ -f "${MASTER_DIR}/master.conf" ]; then
+    echo -e "\n\033[33m💡 司令部雷达提示：检测到本机已部署过 Master 中枢。\033[0m"
+    read -p "👉 是否按原配置直接进行平滑升级？(y/n, 默认y): " UPGRADE_CHOICE
+    if [[ -z "$UPGRADE_CHOICE" || "$UPGRADE_CHOICE" =~ ^[Yy]$ ]]; then
+        UPGRADE_MODE="true"
+        read -p "👉 是否保留历史节点数据库 (SQLite)？(y/n, 默认y): " DB_CHOICE
+        if [[ "$DB_CHOICE" =~ ^[Nn]$ ]]; then
+            KEEP_DB="false"
+        fi
+        
+        # 汲取原配置进入内存
+        source "${MASTER_DIR}/master.conf"
+        
+        # [v3.4.0 核心] 升级后立即同步/补录版本号至配置文件
+        if grep -q "^MASTER_VERSION=" "${MASTER_DIR}/master.conf"; then
+            sed -i "s/^MASTER_VERSION=.*/MASTER_VERSION=\"$TARGET_VERSION\"/" "${MASTER_DIR}/master.conf"
+        else
+            echo "MASTER_VERSION=\"$TARGET_VERSION\"" >> "${MASTER_DIR}/master.conf"
+        fi
+        
+        echo -e "\033[32m✅ 已激活 [平滑升级模式]，版本已锚定为 v${TARGET_VERSION}...\033[0m"
+    else
+        echo -e "\033[33m🔄 您选择了重新配置，旧的中枢数据将被彻底抹除。\033[0m"
+    fi
+fi
+# ====================================================================
+
+# ================== [v3.2.2 优化: 安装前环境纯净度清理与数据保护] ==================
+echo -e "\n⏳ 正在清理旧版 Master 守护进程..."
+pkill -9 -f "tg_master.sh" >/dev/null 2>&1 || true
+
+if [ "$UPGRADE_MODE" == "true" ]; then
+    if [ "$KEEP_DB" == "false" ]; then
+        rm -f "$DB_FILE" 2>/dev/null
+        echo -e "🗑️ 历史节点数据库已按指令清空。"
+    else
+        echo -e "📦 历史节点数据库 (SQLite) 已绝密保留。"
+    fi
+    # 删除旧的核心脚本，准备拉取新的
+    rm -f "${MASTER_DIR}/tg_master.sh" 2>/dev/null
+else
+    # 焦土政策：如果不是升级模式，直接扬了整个司令部目录
+    rm -rf "$MASTER_DIR" 2>/dev/null
+fi
+echo -e "\033[32m✅ 旧进程已肃清！\033[0m"
+# =======================================================================
+
 # 1. 环境依赖安装
-echo "[1/4] 安装核心依赖 (curl, jq, sqlite3)..."
+echo -e "\n[1/4] 安装核心依赖 (curl, jq, sqlite3)..."
 if [ -f /etc/debian_version ]; then
     apt-get update -y >/dev/null 2>&1
     apt-get install -y curl jq sqlite3 procps >/dev/null 2>&1
@@ -23,17 +99,25 @@ fi
 
 mkdir -p "$MASTER_DIR"
 
-# 2. 交互配置机器人
-echo -e "\n[2/4] 配置控制中枢机器人:"
-read -p "请输入 Telegram Bot Token: " TG_TOKEN
+# ==========================================================
+# 🛑 如果是全新部署，才询问 Token 并写入配置
+# ==========================================================
+if [ "$UPGRADE_MODE" == "false" ]; then
+    # 2. 交互配置机器人
+    echo -e "\n[2/4] 配置控制中枢机器人:"
+    read -p "请输入 Telegram Bot Token: " TG_TOKEN
 
-cat > "${MASTER_DIR}/master.conf" << EOF
+    cat > "${MASTER_DIR}/master.conf" << EOF
+# IP-Sentinel Master 本地固化配置 (v3.4.0)
+MASTER_VERSION="$TARGET_VERSION"
 TG_TOKEN="$TG_TOKEN"
 DB_FILE="$DB_FILE"
 MASTER_DIR="$MASTER_DIR"
 EOF
+fi
+# 🛑 拦截块结束
 
-# 3. 初始化 SQLite 数据库
+# 3. 初始化 SQLite 数据库 (幂等操作，升级模式下可安全修补表结构)
 echo -e "\n[3/4] 正在初始化 SQLite 数据库表结构..."
 sqlite3 "$DB_FILE" <<EOF
 CREATE TABLE IF NOT EXISTS nodes (
@@ -47,9 +131,15 @@ CREATE TABLE IF NOT EXISTS nodes (
 EOF
 echo "✅ 数据库创建成功: $DB_FILE"
 
+# ================== [v3.0.3 变更: 敏感文件权限收敛] ==================
+chmod 600 "${MASTER_DIR}/master.conf"
+chmod 600 "$DB_FILE"
+# ====================================================================
+
 # 4. 拉取核心调度代码并运行
 echo -e "\n[4/4] 部署 TG 调度守护进程..."
-curl -sL "https://git.94211762.xyz/hotyue/IP-Sentinel/raw/branch/main/master/tg_master.sh" -o "${MASTER_DIR}/tg_master.sh"
+# [修改] 剥离了写死的网址，改用顶部的 ${REPO_RAW_URL} 变量，确保与卸载脚本的数据源同源
+curl -sL "${REPO_RAW_URL}/master/tg_master.sh" -o "${MASTER_DIR}/tg_master.sh"
 chmod +x "${MASTER_DIR}/tg_master.sh"
 
 # 写入看门狗 Cron
@@ -61,7 +151,25 @@ rm -f /tmp/cron_master
 # 立刻启动
 pgrep -f tg_master.sh >/dev/null || nohup bash "${MASTER_DIR}/tg_master.sh" >/dev/null 2>&1 &
 
+# ================== [v3.2.2 优化: 战报文案分流] ==================
 echo "========================================================"
-echo "🎉 Master 控制中枢部署完成！"
-echo "🤖 机器人现已开始全局接客，等待边缘节点注册。"
-echo "========================================================"
+if [ "$UPGRADE_MODE" == "true" ]; then
+    echo "🎉 Master 控制中枢平滑热更新完成！"
+    echo "🤖 新版中枢引擎已接管数据库，继续等待边缘节点汇报。"
+else
+    echo "🎉 Master 控制中枢部署完成！"
+    echo "🤖 机器人现已开始全局接客，等待边缘节点注册。"
+fi
+echo "========================================================"
+# =================================================================
+
+# ================== [v3.1.2 新增: 玻璃房透明装机统计] ==================
+echo -e "\n📡 正在向开源社区汇报装机量 (完全匿名，不收集IP)..."
+MASTER_COUNT=$(curl -s -m 3 "https://ip-sentinel-count.samanthaestime296.workers.dev/ping/master" || echo "")
+
+if [ -n "$MASTER_COUNT" ] && [[ "$MASTER_COUNT" =~ ^[0-9]+$ ]]; then
+    echo -e "\033[32m✅ 感谢您成为全球第 ${MASTER_COUNT} 名 IP-Sentinel 指挥官！\033[0m"
+else
+    echo -e "\033[32m✅ 感谢您建立 IP-Sentinel 司令部！\033[0m"
+fi
+echo -e "\n"

master/tg_master.sh

@@ -1,15 +1,19 @@
 #!/bin/bash
 
 # ==========================================================
-# 脚本名称: tg_master.sh (Master 端调度枢纽 V1.2)
-# 核心功能: 监听 TG、操作 SQLite、Webhook 调度、僵尸节点清理
+# 脚本名称: tg_master.sh (Master 端调度枢纽 V3.3.2 动态签名版)
+# 核心功能: 监听 TG、操作 SQLite、Webhook 精准调度、403权限拦截、僵尸节点清理
 # ==========================================================
 
 CONF="/opt/ip_sentinel_master/master.conf"
 [ ! -f "$CONF" ] && exit 1
 source "$CONF"
 
-OFFSET_FILE="/tmp/tg_master_offset"
+# [v3.4.0 核心: 主控版本锚点与云通信地址]
+MASTER_VERSION="3.4.0"
+REPO_RAW_URL="https://raw.githubusercontent.com/hotyue/IP-Sentinel/main"
+
+OFFSET_FILE="${MASTER_DIR}/.tg_offset"
 [[ -f $OFFSET_FILE ]] || echo "0" > $OFFSET_FILE
 
 # --- 工具函数 ---
@@ -24,11 +28,41 @@ send_msg() {
         -d "chat_id=$1" -d "text=$2" -d "parse_mode=Markdown" > /dev/null
 }
 
+# ================== [v3.0.1 新增: 消息原位刷新函数] ==================
+edit_msg() {
+    curl -s -X POST "https://api.telegram.org/bot${TG_TOKEN}/editMessageText" \
+        -d "chat_id=$1" -d "message_id=$2" -d "text=$3" -d "parse_mode=Markdown" > /dev/null
+}
+
 # 数据库执行函数
 db_exec() {
     sqlite3 "$DB_FILE" "$1"
 }
 
+# ================== [v3.0.4 核心: 动态 HMAC 签名生成器] ==================
+# 用法: generate_signed_url <IP> <PORT> <PATH>
+generate_signed_url() {
+    local target_ip=$1
+    local target_port=$2
+    local action_path=$3
+    local current_t=$(date +%s)
+    
+    # 构建加密载荷: "路径:时间戳"
+    local payload="${action_path}:${current_t}"
+    
+    # 使用 CHAT_ID 作为密钥，生成 SHA256 HMAC 签名
+    local signature=$(echo -n "$payload" | openssl dgst -sha256 -hmac "$CHAT_ID" | awk '{print $NF}')
+    
+    # 返回最终带签名的 URL
+    echo "http://${target_ip}:${target_port}${action_path}?t=${current_t}&sign=${signature}"
+}
+# ========================================================================
+
+# ================== [v3.1.3 核心: 数据库结构无损热升级] ==================
+# 自动探测并增加 region 字段，屏蔽已存在的报错，保护老节点数据
+db_exec "ALTER TABLE nodes ADD COLUMN region TEXT DEFAULT 'UNKNOWN';" 2>/dev/null
+# ========================================================================
+
 # --- 核心轮询循环 ---
 while true; do
     OFFSET=$(cat $OFFSET_FILE)
@@ -44,94 +78,257 @@ while true; do
             CHAT_ID=$(echo "$UPDATE" | jq -r '.message.chat.id // .callback_query.message.chat.id')
             TEXT=$(echo "$UPDATE" | jq -r '.message.text // .callback_query.data')
 
+            # ================== [v3.0.1 新增: 消除转圈圈与获取消息ID] ==================
+            CB_ID=$(echo "$UPDATE" | jq -r '.callback_query.id // empty')
+            MSG_ID=$(echo "$UPDATE" | jq -r '.callback_query.message.message_id // empty')
+            
+            # 告诉 TG 官方“指令已收到”，立刻消除按钮上的加载圈圈
+            if [ -n "$CB_ID" ]; then
+                curl -s -X POST "https://api.telegram.org/bot${TG_TOKEN}/answerCallbackQuery" -d "callback_query_id=${CB_ID}" > /dev/null
+            fi
+
             # ==========================================
-            # 1. 节点注册通道 (处理 Agent 发来的注册暗号)
-            # 格式: #REGISTER#|<NodeName>|<IP>|<Port>
+            # 1. 节点注册通道 (V3.1.3 大区拓扑升级版)
             # ==========================================
             if [[ "$TEXT" == *"#REGISTER#"* ]]; then
-                # 提取包含暗号的那一行，并剔除可能误复制的反引号和空格
                 REG_LINE=$(echo "$TEXT" | grep "#REGISTER#" | head -n 1 | tr -d '\` ')
-                IFS='|' read -r MAGIC NODE_NAME AGENT_IP AGENT_PORT <<< "$REG_LINE"
                 
-                # UPSERT 逻辑
-                db_exec "INSERT INTO nodes (chat_id, node_name, agent_ip, agent_port, last_seen) VALUES ('$CHAT_ID', '$NODE_NAME', '$AGENT_IP', '$AGENT_PORT', CURRENT_TIMESTAMP) ON CONFLICT(chat_id, node_name) DO UPDATE SET agent_ip='$AGENT_IP', agent_port='$AGENT_PORT', last_seen=CURRENT_TIMESTAMP;"
-                send_msg "$CHAT_ID" "✅ 司令部已确认！节点接入成功: \`$NODE_NAME\` ($AGENT_IP:$AGENT_PORT)"
+                # V3.1.3 兼容性拆包: 判断是新版协议 (5个字段) 还是老版协议 (4个字段)
+                FIELD_COUNT=$(echo "$REG_LINE" | awk -F'|' '{print NF}')
+                if [ "$FIELD_COUNT" -ge 5 ]; then
+                    IFS='|' read -r MAGIC RAW_REGION RAW_NODE RAW_IP RAW_PORT <<< "$REG_LINE"
+                else
+                    IFS='|' read -r MAGIC RAW_NODE RAW_IP RAW_PORT <<< "$REG_LINE"
+                    RAW_REGION="UNKNOWN"
+                fi
+                
+                # 🛡️ 强制字符白名单过滤：保留历史特征不变
+                CHAT_ID=$(echo "$CHAT_ID" | tr -cd '0-9-')
+                AGENT_REGION=$(echo "$RAW_REGION" | tr -cd 'a-zA-Z0-9' | cut -c 1-10) # 提取国家大区
+                NODE_NAME=$(echo "$RAW_NODE" | tr -cd 'a-zA-Z0-9_.-' | cut -c 1-30)
+                AGENT_IP=$(echo "$RAW_IP" | tr -cd 'a-zA-Z0-9.:\[\]-' | cut -c 1-50)
+                AGENT_PORT=$(echo "$RAW_PORT" | tr -cd '0-9' | cut -c 1-5)
+                
+                if [[ "$AGENT_IP" =~ ^127\.|^10\.|^192\.168\.|^172\.(1[6-9]|2[0-9]|3[0-1])\.|^::1$|^localhost$ ]]; then
+                    send_msg "$CHAT_ID" "⛔ **安全拦截**：禁止注册内网或回环 IP，防止 SSRF 攻击渗透。"
+                    continue
+                fi
+                
+                if [ -z "$NODE_NAME" ] || [ -z "$AGENT_IP" ] || [ -z "$AGENT_PORT" ] || [ -z "$CHAT_ID" ]; then
+                    send_msg "$CHAT_ID" "⛔ **安全拦截**：检测到非法注册载荷，请求已拒绝。"
+                    continue
+                fi
+
+                # 入库时追加 region 字段
+                db_exec "INSERT INTO nodes (chat_id, node_name, agent_ip, agent_port, last_seen, region) VALUES ('$CHAT_ID', '$NODE_NAME', '$AGENT_IP', '$AGENT_PORT', CURRENT_TIMESTAMP, '$AGENT_REGION') ON CONFLICT(chat_id, node_name) DO UPDATE SET agent_ip='$AGENT_IP', agent_port='$AGENT_PORT', last_seen=CURRENT_TIMESTAMP, region='$AGENT_REGION';"
+                send_msg "$CHAT_ID" "✅ **司令部确认 (v${MASTER_VERSION})**\n节点接入成功: \`$NODE_NAME\`\n地址: \`$AGENT_IP:$AGENT_PORT\`"
+                
+                # ================== [v3.1.3 丝滑连招: 直接呼出全球大区雷达] ==================
+                REGION_DATA=$(db_exec "SELECT region, COUNT(*) FROM nodes WHERE chat_id='$CHAT_ID' GROUP BY region;")
+                if [ -n "$REGION_DATA" ]; then
+                    BTNS="["
+                    while IFS='|' read -r REGION_NAME NODE_COUNT; do
+                        [ -z "$REGION_NAME" ] && REGION_NAME="UNKNOWN"
+                        FLAG="🌐"
+                        case "$REGION_NAME" in
+                            "US") FLAG="🇺🇸" ;; "JP") FLAG="🇯🇵" ;; "HK") FLAG="🇭🇰" ;;
+                            "SG") FLAG="🇸🇬" ;; "UK"|"GB") FLAG="🇬🇧" ;; "DE") FLAG="🇩🇪" ;; "FR") FLAG="🇫🇷" ;;
+                            "CA") FLAG="🇨🇦" ;; "AU") FLAG="🇦🇺" ;; "KR") FLAG="🇰🇷" ;; "NL") FLAG="🇳🇱" ;; "BR") FLAG="🇧🇷" ;; "IN") FLAG="🇮🇳" ;; "TW") FLAG="🇹🇼" ;;
+                        esac
+                        BTNS="$BTNS[{\"text\":\"$FLAG $REGION_NAME ($NODE_COUNT 台)\",\"callback_data\":\"region:$REGION_NAME\"}],"
+                    done <<< "$REGION_DATA"
+                    BTNS="${BTNS%,}]"
+                    send_ui "$CHAT_ID" "🌍 **全视界战略雷达**\n请选择要检阅的战区：" "$BTNS"
+                fi
+                # ========================================================================
+                
                 continue
             fi
 
             # ==========================================
-            # 2. 交互菜单与下发通道 (主控逻辑)
+            # 2. 交互菜单与下发通道
             # ==========================================
             case "$TEXT" in
                 "/start"|"/menu")
-                    BTNS="[[{\"text\":\"🖥️ 我的节点列表\",\"callback_data\":\"list_nodes\"}], [{\"text\":\"🚀 全节点一键维护\",\"callback_data\":\"all_run\"}]]"
-                    send_ui "$CHAT_ID" "🛡️ **IP-Sentinel 司令部**\n欢迎回来，长官。请下达指令：" "$BTNS"
+                    # [v3.4.0 核心] 抓取云端最新版本
+                    REMOTE_VER=$(curl -s -m 2 "${REPO_RAW_URL}/version.txt" | tr -d '[:space:]')
+                    VER_INFO="当前版本: \`v${MASTER_VERSION}\`"
+                    
+                    if [ -n "$REMOTE_VER" ] && [ "$REMOTE_VER" != "$MASTER_VERSION" ]; then
+                        VER_INFO="${VER_INFO}\n✨ **发现新版本**: \`v${REMOTE_VER}\` (请尽快更新主控)"
+                    fi
+
+                    BTNS="[[{\"text\":\"🖥️ 我的节点列表\",\"callback_data\":\"list_nodes\"}], [{\"text\":\"🚀 全节点日报汇总\",\"callback_data\":\"all_reports\"}], [{\"text\":\"🛠️ 全节点一键维护\",\"callback_data\":\"all_run\"}]]"
+                    send_ui "$CHAT_ID" "🛡️ **IP-Sentinel 司令部**\n${VER_INFO}\n\n欢迎回来，长官。请下达指令：" "$BTNS"
                     ;;
 
+                "all_reports")
+                    NODE_DATA=$(db_exec "SELECT node_name, agent_ip, agent_port FROM nodes WHERE chat_id='$CHAT_ID';")
+                    if [ -z "$NODE_DATA" ]; then
+                        send_msg "$CHAT_ID" "⚠️ 您名下暂无在线节点。"
+                    else
+                        send_msg "$CHAT_ID" "📢 **司令部指令下达：正在召唤所有哨兵回传简报...**"
+                        echo "$NODE_DATA" | while IFS='|' read -r NNAME AIP APORT; do
+                            # 🛡️ [v3.0.4] 动态签名防重放批量下发
+                            TARGET_URL=$(generate_signed_url "$AIP" "$APORT" "/trigger_report")
+                            curl -s -m 5 "$TARGET_URL" > /dev/null &
+                        done
+                    fi
+                    ;;
+
+                # ================== [补充缺失的全节点一键维护功能] ==================
+                "all_run")
+                    NODE_DATA=$(db_exec "SELECT node_name, agent_ip, agent_port FROM nodes WHERE chat_id='$CHAT_ID';")
+                    if [ -z "$NODE_DATA" ]; then
+                        send_msg "$CHAT_ID" "⚠️ 您名下暂无在线节点。"
+                    else
+                        send_msg "$CHAT_ID" "📢 **司令部指令下达：正在唤醒所有哨兵执行系统维护...**"
+                        echo "$NODE_DATA" | while IFS='|' read -r NNAME AIP APORT; do
+                            # 🛡️ [v3.0.4] 动态签名防重放批量下发 (维护模块)
+                            TARGET_URL=$(generate_signed_url "$AIP" "$APORT" "/trigger_run")
+                            curl -s -m 5 "$TARGET_URL" > /dev/null &
+                        done
+                    fi
+                    ;;
+                # ====================================================================
+
                 "list_nodes")
-                    # 从 SQLite 查询属于该 CHAT_ID 的节点
-                    NODE_LIST=$(db_exec "SELECT node_name FROM nodes WHERE chat_id='$CHAT_ID';")
-                    if [ -z "$NODE_LIST" ]; then
+                    # 【V3.1.3】一级菜单：大区聚合并列出数量
+                    REGION_DATA=$(db_exec "SELECT region, COUNT(*) FROM nodes WHERE chat_id='$CHAT_ID' GROUP BY region;")
+                    if [ -z "$REGION_DATA" ]; then
                         send_msg "$CHAT_ID" "⚠️ 您名下暂无在线节点，请先在边缘机执行部署。"
                     else
                         BTNS="["
-                        for N in $NODE_LIST; do
-                            BTNS="$BTNS[{\"text\":\"🖥️ $N\",\"callback_data\":\"manage:$N\"}],"
-                        done
+                        while IFS='|' read -r REGION_NAME NODE_COUNT; do
+                            [ -z "$REGION_NAME" ] && REGION_NAME="UNKNOWN"
+                            FLAG="🌐"
+                            case "$REGION_NAME" in
+                            "US") FLAG="🇺🇸" ;; "JP") FLAG="🇯🇵" ;; "HK") FLAG="🇭🇰" ;;
+                            "SG") FLAG="🇸🇬" ;; "UK"|"GB") FLAG="🇬🇧" ;; "DE") FLAG="🇩🇪" ;; "FR") FLAG="🇫🇷" ;;
+                            "CA") FLAG="🇨🇦" ;; "AU") FLAG="🇦🇺" ;; "KR") FLAG="🇰🇷" ;; "NL") FLAG="🇳🇱" ;; "BR") FLAG="🇧🇷" ;; "IN") FLAG="🇮🇳" ;; "TW") FLAG="🇹🇼" ;;
+                            esac
+                            BTNS="$BTNS[{\"text\":\"$FLAG $REGION_NAME ($NODE_COUNT 台)\",\"callback_data\":\"region:$REGION_NAME\"}],"
+                        done <<< "$REGION_DATA"
                         BTNS="${BTNS%,}]"
-                        send_ui "$CHAT_ID" "🔍 您名下的活跃节点：" "$BTNS"
+                        send_ui "$CHAT_ID" "🌍 **全视界战略雷达**\n请选择要检阅的战区：" "$BTNS"
+                    fi
+                    ;;
+
+                region:*)
+                    # 【V3.1.3】二级菜单：目标大区下的节点双列排版
+                    TARGET_REGION=$(echo "${TEXT#*:}" | tr -cd 'a-zA-Z0-9')
+                    CHAT_ID=$(echo "$CHAT_ID" | tr -cd '0-9-')
+                    
+                    NODE_LIST=$(db_exec "SELECT node_name FROM nodes WHERE chat_id='$CHAT_ID' AND region='$TARGET_REGION';")
+                    if [ -z "$NODE_LIST" ]; then
+                        send_msg "$CHAT_ID" "⚠️ 该战区下暂无可用节点。"
+                    else
+                        BTNS="["
+                        COL=0
+                        ROW_STR="["
+                        for N in $NODE_LIST; do
+                            ROW_STR="$ROW_STR{\"text\":\"🖥️ $N\",\"callback_data\":\"manage:$N\"},"
+                            COL=$((COL+1))
+                            if [ $COL -eq 2 ]; then
+                                ROW_STR="${ROW_STR%,}]"
+                                BTNS="$BTNS$ROW_STR,"
+                                COL=0
+                                ROW_STR="["
+                            fi
+                        done
+                        # 如果是奇数，补齐最后的尾巴
+                        if [ $COL -eq 1 ]; then
+                            ROW_STR="${ROW_STR%,}]"
+                            BTNS="$BTNS$ROW_STR,"
+                        fi
+                        # 添加返回上级大区雷达的按钮
+                        BTNS="$BTNS[{\"text\":\"⬅️ 返回全球战区分布\",\"callback_data\":\"list_nodes\"}]]"
+                        send_ui "$CHAT_ID" "📍 **[$TARGET_REGION] 战区哨兵矩阵**\n请下达控制指令：" "$BTNS"
                     fi
                     ;;
 
                 manage:*)
-                    TARGET_NODE=${TEXT#*:}
-                    # 【升级点 1】重构战术面板排版，新增 [剔除失联节点] 按钮，采用 3 行优雅布局
-                    BTNS="[[{\"text\":\"▶️ 执行深度伪装\",\"callback_data\":\"run:$TARGET_NODE\"}, {\"text\":\"📜 查看实时日志\",\"callback_data\":\"log:$TARGET_NODE\"}], [{\"text\":\"📊 索要统计战报\",\"callback_data\":\"report:$TARGET_NODE\"}, {\"text\":\"🗑️ 剔除失联节点\",\"callback_data\":\"del:$TARGET_NODE\"}], [{\"text\":\"⬅️ 返回主列表\",\"callback_data\":\"list_nodes\"}]]"
+                    # 🛡️ 强制过滤节点名，防止面板渲染时发生 XSS 或注入
+                    TARGET_NODE=$(echo "${TEXT#*:}" | tr -cd 'a-zA-Z0-9_.-')
+                    # 【核心升级】拆分下发按钮，精准对应 Google 与 Trust 两个模块，并排版为 3 行 2 列
+                    BTNS="[[{\"text\":\"📍 Google 纠偏\",\"callback_data\":\"google:$TARGET_NODE\"}, {\"text\":\"🛡️ 信用净化\",\"callback_data\":\"trust:$TARGET_NODE\"}], [{\"text\":\"📜 实时日志\",\"callback_data\":\"log:$TARGET_NODE\"}, {\"text\":\"📊 统计战报\",\"callback_data\":\"report:$TARGET_NODE\"}], [{\"text\":\"🗑️ 剔除失联节点\",\"callback_data\":\"del:$TARGET_NODE\"}, {\"text\":\"⬅️ 返回大区目录\",\"callback_data\":\"list_nodes\"}]]"
                     send_ui "$CHAT_ID" "⚙️ **目标锁定**: \`$TARGET_NODE\`\n请选择战术动作：" "$BTNS"
                     ;;
 
                 del:*)
-                    # 【升级点 2】执行数据库硬删除，并自动刷新节点列表
-                    TARGET_NODE=${TEXT#*:}
+                    # 🛡️ 提取并强制过滤节点名与 CHAT_ID 防注入
+                    TARGET_NODE=$(echo "${TEXT#*:}" | tr -cd 'a-zA-Z0-9_.-')
+                    CHAT_ID=$(echo "$CHAT_ID" | tr -cd '0-9-')
+                    
                     db_exec "DELETE FROM nodes WHERE chat_id='$CHAT_ID' AND node_name='$TARGET_NODE';"
                     send_msg "$CHAT_ID" "🗑️ 节点 \`$TARGET_NODE\` 的档案已从司令部彻底销毁！"
                     
-                    # 删除后自动重新渲染节点列表展示
-                    NODE_LIST=$(db_exec "SELECT node_name FROM nodes WHERE chat_id='$CHAT_ID';")
-                    if [ -z "$NODE_LIST" ]; then
+                    # 剔除后直接返回上级一级雷达菜单
+                    REGION_DATA=$(db_exec "SELECT region, COUNT(*) FROM nodes WHERE chat_id='$CHAT_ID' GROUP BY region;")
+                    if [ -z "$REGION_DATA" ]; then
                         send_msg "$CHAT_ID" "⚠️ 当前司令部已无任何节点挂载。"
                     else
                         BTNS="["
-                        for N in $NODE_LIST; do
-                            BTNS="$BTNS[{\"text\":\"🖥️ $N\",\"callback_data\":\"manage:$N\"}],"
-                        done
+                        while IFS='|' read -r REGION_NAME NODE_COUNT; do
+                            [ -z "$REGION_NAME" ] && REGION_NAME="UNKNOWN"
+                            FLAG="🌐"
+                            case "$REGION_NAME" in
+                                "US") FLAG="🇺🇸" ;; "JP") FLAG="🇯🇵" ;; "HK") FLAG="🇭🇰" ;;
+                                "SG") FLAG="🇸🇬" ;; "UK"|"GB") FLAG="🇬🇧" ;; "DE") FLAG="🇩🇪" ;; "FR") FLAG="🇫🇷" ;;
+                            esac
+                            BTNS="$BTNS[{\"text\":\"$FLAG $REGION_NAME ($NODE_COUNT 台)\",\"callback_data\":\"region:$REGION_NAME\"}],"
+                        done <<< "$REGION_DATA"
                         BTNS="${BTNS%,}]"
-                        send_ui "$CHAT_ID" "🔍 刷新后的节点列表：" "$BTNS"
+                        send_ui "$CHAT_ID" "🌍 刷新后的全视界雷达：" "$BTNS"
                     fi
                     ;;
 
-                run:*|report:*|log:*)
-                    ACTION_TYPE=$(echo "$TEXT" | cut -d':' -f1)
-                    TARGET_NODE=$(echo "$TEXT" | cut -d':' -f2)
+                # 【核心升级】增加拦截规则，支持 google 和 trust 前缀
+                google:*|trust:*|run:*|report:*|log:*)
+                    # 🛡️ 提取并强制过滤动作参数、节点名与 CHAT_ID
+                    ACTION_TYPE=$(echo "$TEXT" | cut -d':' -f1 | tr -cd 'a-z')
+                    TARGET_NODE=$(echo "$TEXT" | cut -d':' -f2 | tr -cd 'a-zA-Z0-9_.-')
+                    CHAT_ID=$(echo "$CHAT_ID" | tr -cd '0-9-')
                     
-                    # 从 DB 提取 IP 和 Port
                     AGENT_INFO=$(db_exec "SELECT agent_ip, agent_port FROM nodes WHERE chat_id='$CHAT_ID' AND node_name='$TARGET_NODE' LIMIT 1;")
                     AGENT_IP=$(echo "$AGENT_INFO" | cut -d'|' -f1)
                     AGENT_PORT=$(echo "$AGENT_INFO" | cut -d'|' -f2)
 
                     if [ -n "$AGENT_IP" ] && [ -n "$AGENT_PORT" ]; then
-                        send_msg "$CHAT_ID" "⏳ 正在向 \`$TARGET_NODE\` ($AGENT_IP) 下发 [$ACTION_TYPE] 指令，请稍候..."
-                        
-                        # 向 Agent 的开放端口发送动态 Webhook 唤醒指令
-                        RESPONSE=$(curl -s -m 5 "http://${AGENT_IP}:${AGENT_PORT}/trigger_${ACTION_TYPE}" || echo "FAILED")
-                        
-                        if [ "$RESPONSE" == "FAILED" ]; then
-                            send_msg "$CHAT_ID" "❌ 指令下发超时或失败！请检查节点公网 IP 或防火墙端口 ($AGENT_PORT) 是否放行。"
+                        # [v3.0.2 防刷屏] 原位刷新菜单为等待状态
+                        if [ -n "$MSG_ID" ]; then
+                            edit_msg "$CHAT_ID" "$MSG_ID" "⏳ 正在向 \`$TARGET_NODE\` ($AGENT_IP) 下发 [$ACTION_TYPE] 指令，请稍候..."
                         else
-                            if [ "$ACTION_TYPE" == "run" ]; then
-                                send_msg "$CHAT_ID" "✅ 节点 \`$TARGET_NODE\` 回应: 指令已接收，伪装程序启动。"
+                            send_msg "$CHAT_ID" "⏳ 正在向 \`$TARGET_NODE\` ($AGENT_IP) 下发 [$ACTION_TYPE] 指令，请稍候..."
+                        fi
+                        
+                        # 🛡️ [v3.0.4] 动态签名生成与触发 (防重放与防篡改)
+                        TARGET_URL=$(generate_signed_url "$AGENT_IP" "$AGENT_PORT" "/trigger_${ACTION_TYPE}")
+                        RESPONSE=$(curl -s -m 5 "$TARGET_URL" || echo "FAILED")
+                        
+                        # 结果判定
+                        if [ "$RESPONSE" == "FAILED" ]; then
+                            TEXT_RES="❌ 指令下发超时或失败！请检查节点公网 IP 或防火墙端口 ($AGENT_PORT) 是否放行。"
+                        elif [[ "$RESPONSE" == *"403"* ]]; then
+                            TEXT_RES="⚠️ **拒绝执行**：该节点未在本地开启此模块，请检查安装时的配置！"
+                        else
+                            if [ "$ACTION_TYPE" == "google" ] || [ "$ACTION_TYPE" == "run" ]; then 
+                                TEXT_RES="✅ 节点 \`$TARGET_NODE\` 回应: 📍 Google 纠偏程序启动。"
+                            elif [ "$ACTION_TYPE" == "trust" ]; then 
+                                TEXT_RES="✅ 节点 \`$TARGET_NODE\` 回应: 🛡️ IP 信用净化程序启动。"
+                            elif [ "$ACTION_TYPE" == "log" ]; then 
+                                TEXT_RES="✅ 节点 \`$TARGET_NODE\` 正在抓取日志..."
+                            else 
+                                TEXT_RES="✅ 节点 \`$TARGET_NODE\` 接收指令: $ACTION_TYPE"
                             fi
                         fi
+                        
+                        # [v3.0.1 防刷屏] 将等待状态刷新为最终结果
+                        if [ -n "$MSG_ID" ]; then
+                            edit_msg "$CHAT_ID" "$MSG_ID" "$TEXT_RES"
+                        else
+                            send_msg "$CHAT_ID" "$TEXT_RES"
+                        fi
                     else
                         send_msg "$CHAT_ID" "❌ 数据库中未找到该节点的通讯地址。"
                     fi

master/uninstall_master.sh

@@ -0,0 +1,46 @@
+#!/bin/bash
+
+# ==========================================================
+# 脚本名称: uninstall_master.sh (IP-Sentinel Master 一键卸载脚本 v3.4.0)
+# 核心功能: 终止调度进程、清理看门狗定时任务、抹除数据库与配置
+# ==========================================================
+
+MASTER_DIR="/opt/ip_sentinel_master"
+CONF_FILE="${MASTER_DIR}/master.conf"
+
+echo "========================================================"
+echo "      🗑️ 准备卸载 IP-Sentinel Master (控制中枢)"
+
+# [v3.4.0 优化] 卸载前读取并播报中枢版本号
+if [ -f "$CONF_FILE" ]; then
+    MASTER_VER=$(grep "^MASTER_VERSION=" "$CONF_FILE" | cut -d'"' -f2)
+    [ -n "$MASTER_VER" ] && echo "        📍 目标版本: v${MASTER_VER}"
+fi
+echo "========================================================"
+
+echo -e "\n⚠️ 警告: 此操作将永久删除包含所有节点档案的 SQLite 数据库！"
+read -p "确定要继续卸载吗？(y/n) [默认 n]: " CONFIRM_DEL
+if [[ ! "$CONFIRM_DEL" =~ ^[Yy]$ ]]; then
+    echo "已取消卸载操作。"
+    exit 0
+fi
+
+# 1. 停止运行中的 Master 守护进程
+echo "[1/3] 正在终止后台中枢调度进程..."
+pgrep -f tg_master.sh | xargs -r kill -9 >/dev/null 2>&1
+
+# 2. 清除看门狗定时任务 (Cron)
+echo "[2/3] 正在清理系统定时任务 (Cron)..."
+crontab -l 2>/dev/null | grep -v "tg_master.sh" > /tmp/cron_backup
+crontab /tmp/cron_backup
+rm -f /tmp/cron_backup
+
+# 3. 删除所有文件、配置与数据库
+echo "[3/3] 正在抹除核心程序、配置文件与 SQLite 数据库..."
+if [ -d "$MASTER_DIR" ]; then
+    rm -rf "$MASTER_DIR"
+fi
+
+echo "========================================================"
+echo "✅ 卸载彻底完成！Master 司令部已从您的系统中无痕移除。"
+echo "========================================================"

scripts/fetch_trends.py

@@ -0,0 +1,81 @@
+import urllib.request
+import xml.etree.ElementTree as ET
+import os
+import json
+import re
+
+# ================== [路径防弹装甲] ==================
+# 无论在哪里执行该脚本，都能精准反推项目根目录
+SCRIPT_DIR = os.path.dirname(os.path.abspath(__file__))
+PROJECT_ROOT = os.path.dirname(SCRIPT_DIR)
+
+MAP_JSON_PATH = os.path.join(PROJECT_ROOT, "data", "map.json")
+DATA_DIR = os.path.join(PROJECT_ROOT, "data", "keywords")
+# ====================================================
+
+# 特殊战区代码映射 (Google Trends RSS 要求)
+GEO_FIX = {'UK': 'GB'}
+
+HEADERS = {
+    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36'
+}
+
+def get_active_regions():
+    """动态提取 map.json 中的战区 (修正：精准穿透 JSON 数组结构)"""
+    try:
+        with open(MAP_JSON_PATH, 'r', encoding='utf-8') as f:
+            data = json.load(f)
+            # 穿透到 countries 列表，提取所有的国家代码 (id)
+            regions = []
+            for country in data.get('countries', []):
+                if 'id' in country:
+                    regions.append(country['id'])
+            return regions
+    except Exception as e:
+        print(f"❌ [读取地图失败]: {e}")
+        return []
+
+def fetch_trends(region_code):
+    """从 Google Trends 抓取当日热搜"""
+    geo = GEO_FIX.get(region_code, region_code)
+    url = f"https://trends.google.com/trending/rss?geo={geo}"
+    try:
+        req = urllib.request.Request(url, headers=HEADERS)
+        with urllib.request.urlopen(req, timeout=10) as response:
+            xml_data = response.read()
+            root = ET.fromstring(xml_data)
+            return [re.sub(r'[\n\r\t]', ' ', item.find('title').text).strip() 
+                    for item in root.findall('./channel/item') 
+                    if item.find('title') is not None]
+    except Exception as e:
+        print(f"⚠️ {region_code} 抓取异常: {e}")
+        return []
+
+def update_file(region, new_words):
+    """滑动窗口更新，保留 200 条最热记录"""
+    os.makedirs(DATA_DIR, exist_ok=True)
+    file_path = os.path.join(DATA_DIR, f"kw_{region}.txt")
+    old_words = []
+    if os.path.exists(file_path):
+        with open(file_path, 'r', encoding='utf-8') as f:
+            old_words = [l.strip() for l in f if l.strip()]
+    
+    # 新词排在最前面，去重
+    combined = new_words + [w for w in old_words if w not in new_words]
+    final_list = combined[:200]
+    
+    with open(file_path, 'w', encoding='utf-8') as f:
+        f.write('\n'.join(final_list) + '\n')
+    print(f"✅ [同步完成] {region}: 注入 {len(new_words)} 条新热点")
+
+if __name__ == '__main__':
+    regions = get_active_regions()
+    if not regions:
+        print("🛑 未发现活跃战区，请检查 map.json")
+        exit(1)
+    
+    for r in regions:
+        print(f"📡 正在拉取 {r} 战区情报...")
+        words = fetch_trends(r)
+        if words:
+            update_file(r, words)

scripts/ua_generator.py

@@ -0,0 +1,77 @@
+import random
+import os
+
+# ==========================================
+# IP-Sentinel 超大型高保真指纹工厂 (V3.1.5)
+# 无需第三方库，直接生成千万级组合的真实指纹
+# ==========================================
+
+def generate_chrome_version():
+    # 模拟 2024 年主流 Chrome 内核号 (122 - 125)
+    major = random.randint(122, 125)
+    build = random.randint(5000, 6500)
+    patch = random.randint(10, 150)
+    return f"{major}.0.{build}.{patch}"
+
+def generate_windows_ua(count=1000):
+    uas = set()
+    while len(uas) < count:
+        # 现代 Windows UA 已经固化为 Windows NT 10.0
+        uas.add(f"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/{generate_chrome_version()} Safari/537.36")
+    return list(uas)
+
+def generate_macos_ua(count=1000):
+    uas = set()
+    while len(uas) < count:
+        mac_os_minor = random.randint(11, 15)
+        mac_os_patch = random.randint(1, 6)
+        if random.choice([True, False]):
+            # Chrome on Mac
+            uas.add(f"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_{mac_os_minor}_{mac_os_patch}) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/{generate_chrome_version()} Safari/537.36")
+        else:
+            # Safari on Mac
+            safari_build = f"605.1.{random.randint(10, 15)}"
+            safari_version = f"17.{random.randint(1, 4)}"
+            uas.add(f"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_{mac_os_minor}_{mac_os_patch}) AppleWebKit/{safari_build} (KHTML, like Gecko) Version/{safari_version} Safari/{safari_build}")
+    return list(uas)
+
+def generate_ios_ua(count=1000):
+    uas = set()
+    devices = ["iPhone", "iPad"]
+    while len(uas) < count:
+        device = random.choice(devices)
+        ios_major = random.randint(16, 17)
+        ios_minor = random.randint(1, 5)
+        ios_patch = random.randint(1, 3)
+        safari_build = f"605.1.{random.randint(10, 15)}"
+        safari_version = f"{ios_major}.{random.choice(['0', '1', '2', '3'])}"
+        
+        uas.add(f"Mozilla/5.0 ({device}; CPU {'iPhone ' if device=='iPhone' else ''}OS {ios_major}_{ios_minor}_{ios_patch} like Mac OS X) AppleWebKit/{safari_build} (KHTML, like Gecko) Version/{safari_version} Mobile/15E148 Safari/604.1")
+    return list(uas)
+
+def generate_android_ua(count=1000):
+    uas = set()
+    # 主流 Android 机型库
+    models = ["Pixel 8 Pro", "Pixel 8", "Pixel 7a", "Pixel 7 Pro", "SM-S928B", "SM-S928U", "SM-S918B", "SM-A546B", "SM-A346B", "23113RKC6C", "23049PCD8G", "CPH2437", "V2227A", "PGT-AN10", "NX729J"]
+    while len(uas) < count:
+        android_ver = random.randint(12, 14)
+        model = random.choice(models)
+        uas.add(f"Mozilla/5.0 (Linux; Android {android_ver}; {model}) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/{generate_chrome_version()} Mobile Safari/537.36")
+    return list(uas)
+
+if __name__ == "__main__":
+    # 确保输出目录存在
+    os.makedirs('data', exist_ok=True)
+    
+    # 严格按照“绝对坐标”顺序生成 4000 条数据
+    pool = []
+    pool.extend(generate_windows_ua(1000))  # 行 1-1000
+    pool.extend(generate_macos_ua(1000))    # 行 1001-2000
+    pool.extend(generate_ios_ua(1000))      # 行 2001-3000
+    pool.extend(generate_android_ua(1000))  # 行 3001-4000
+    
+    with open('data/user_agents.txt', 'w') as f:
+        for ua in pool:
+            f.write(ua + '\n')
+            
+    print(f"✅ 成功生成 4000 条高保真绝对坐标指纹库！")

telemetry/worker.js

@@ -0,0 +1,75 @@
+// IP-Sentinel Glasshouse Telemetry (全透明装机量统计中枢)
+// 部署环境: Cloudflare Workers + KV
+// 隐私声明: 绝对不采集、不存储用户的 IP 地址、Header、Token 及任何系统特征参数。仅做纯粹的原子累加。
+
+export default {
+  async fetch(request, env) {
+    const url = new URL(request.url);
+    const path = url.pathname;
+
+    // 全局跨域头，确保 GitHub README 的 Shields.io 徽章能正常读取
+    const corsHeaders = {
+      "Access-Control-Allow-Origin": "*",
+      "Access-Control-Allow-Methods": "GET",
+    };
+
+    // 核心原子操作：无情的 +1 机器
+    async function incrementCounter(key) {
+      let count = await env.SENTINEL_KV.get(key);
+      count = count ? parseInt(count) + 1 : 1;
+      await env.SENTINEL_KV.put(key, count.toString());
+      return count;
+    }
+
+    async function getCounter(key) {
+      let count = await env.SENTINEL_KV.get(key);
+      return count ? parseInt(count) : 0;
+    }
+
+    try {
+      // 1. Agent (哨兵) 部署触发接口
+      if (path === '/ping/agent') {
+        const count = await incrementCounter('agent_count');
+        return new Response(count.toString(), { headers: corsHeaders });
+      }
+      
+      // 2. Master (指挥部) 部署触发接口
+      if (path === '/ping/master') {
+        const count = await incrementCounter('master_count');
+        return new Response(count.toString(), { headers: corsHeaders });
+      }
+
+      // 3. GitHub README Agent 徽章接口 (输出给 Shields.io)
+      if (path === '/stats/agent') {
+        const count = await getCounter('agent_count');
+        const shield = {
+          schemaVersion: 1,
+          label: "Agent Nodes",
+          message: count.toString(),
+          color: "blue"
+        };
+        return new Response(JSON.stringify(shield), { 
+          headers: { ...corsHeaders, "Content-Type": "application/json" } 
+        });
+      }
+
+      // 4. GitHub README Master 徽章接口 (输出给 Shields.io)
+      if (path === '/stats/master') {
+        const count = await getCounter('master_count');
+        const shield = {
+          schemaVersion: 1,
+          label: "Master Commands",
+          message: count.toString(),
+          color: "orange"
+        };
+        return new Response(JSON.stringify(shield), { 
+          headers: { ...corsHeaders, "Content-Type": "application/json" } 
+        });
+      }
+
+      return new Response("IP-Sentinel Glasshouse Telemetry API (No IP Logged, 100% Transparent)", { status: 200 });
+    } catch (err) {
+      return new Response("Error", { status: 500 });
+    }
+  }
+};

version.txt

@@ -0,0 +1 @@
+3.4.0