{"id":49699792,"url":"https://github.com/coo1white/cool-tunnel-server","last_synced_at":"2026-06-06T19:01:12.494Z","repository":{"id":356440495,"uuid":"1227722504","full_name":"coo1white/cool-tunnel-server","owner":"coo1white","description":"Self-hosted PHP control plane","archived":false,"fork":false,"pushed_at":"2026-05-21T17:12:12.000Z","size":5023,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-21T17:52:15.981Z","etag":null,"topics":["filamentphp","frankenphp","self-hosted"],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/coo1white.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":"AUDIT.md","citation":null,"codeowners":null,"security":"SECURITY.md","support":"SUPPORT.md","governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE","maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-03T04:30:11.000Z","updated_at":"2026-05-21T17:12:31.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/coo1white/cool-tunnel-server","commit_stats":null,"previous_names":["coo1white/cool-tunnel-server"],"tags_count":136,"template":false,"template_full_name":null,"purl":"pkg:github/coo1white/cool-tunnel-server","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coo1white%2Fcool-tunnel-server","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coo1white%2Fcool-tunnel-server/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coo1white%2Fcool-tunnel-server/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coo1white%2Fcool-tunnel-server/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/coo1white","download_url":"https://codeload.github.com/coo1white/cool-tunnel-server/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coo1white%2Fcool-tunnel-server/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33596317,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-28T02:00:06.440Z","response_time":99,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["filamentphp","frankenphp","self-hosted"],"created_at":"2026-05-08T07:01:34.558Z","updated_at":"2026-06-06T19:01:12.466Z","avatar_url":"https://github.com/coo1white.png","language":"PHP","funding_links":[],"categories":[],"sub_categories":[],"readme":"# cool-tunnel-server\n\n[![License: AGPL-3.0-only](https://img.shields.io/badge/license-AGPL--3.0--only-1c5cdc)](./LICENSE)\n[![LTSC-Heng Draft](https://img.shields.io/badge/license--draft-LTSC--Heng-111111)](./LTSC-HENG-LICENSE-DRAFT.md)\n[![Latest release](https://img.shields.io/badge/release-v0.22.2-1c5cdc)](https://github.com/coo1white/cool-tunnel-server/releases/tag/v0.22.2)\n[![CI](https://github.com/coo1white/cool-tunnel-server/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/coo1white/cool-tunnel-server/actions/workflows/ci.yml)\n[![Audit](https://github.com/coo1white/cool-tunnel-server/actions/workflows/audit.yml/badge.svg?branch=main)](https://github.com/coo1white/cool-tunnel-server/actions/workflows/audit.yml)\n\nOpen-source, self-hosted proxy server for a Debian VPS.\n\nCool Tunnel Server runs Caddy, sing-box, VLESS + Reality, a Next.js\nadmin web app, and a Bun/Hono API with Better Auth and SQLite in Docker\nCompose. You point a domain at your VPS, install the stack, create user\naccounts in the admin UI, and connect devices through per-user\nsubscription URLs.\n\nIt is a VPS-hosted VPN alternative for people who want to own and audit\ntheir server. It is not a managed VPN service: you are responsible for\nthe VPS, domain, updates, backups, provider terms, and local law.\n\n\u003e **👋 New here? Start gentle.**\n\u003e - **I want to run my own server** (but I'm not fluent in SSH/Docker/DNS) →\n\u003e   [**Beginner's guide**](./docs/beginners-guide.md) explains what you need,\n\u003e   what it costs, and what each step does, then hands you to the exact\n\u003e   commands.\n\u003e - **I want to work on the code** → [**Your first contribution**](./docs/first-contribution.md)\n\u003e   takes you from a fresh clone to an open pull request.\n\u003e\n\u003e Comfortable already? The [Quickstart](#quickstart) below is the fast path.\n\n## What You Get\n\n- **Next.js admin UI** for accounts, settings, health, audit history,\n  and subscription URLs.\n- **Bun/Hono admin API** with Better Auth, RBAC, and SQLite storage.\n- **Private VLESS + Reality endpoint** generated from admin state — the\n  live sing-box config re-renders automatically on every account change,\n  with a grace window on UUID rotation so clients aren't dropped mid-rotate.\n- **`ct` operator CLI** for install, update, doctor, doctor auto-fix, backup,\n  restore, rollback, support bundles, and config validation/preview.\n- **Docker Compose runtime** with Caddy SNI routing, sing-box,\n  `admin-api`, `admin-web`, and an allowlist-only `docker-proxy` that\n  keeps the Docker socket out of the panel process.\n- **Release-pinned Docker image bundles** (one per architecture) with\n  `SHA256SUMS` verification.\n- **No local runtime builds on the VPS** during normal install/update:\n  the server downloads verified release images and loads them with\n  Docker.\n- **Privacy-first diagnostics**: project health checks, support bundles, audit\n  exports, and key-center metadata redact secrets and must not log per-user\n  destinations or track users.\n- **Per-account data metering** — each account's traffic is measured, its\n  data balance counts down as it's used, and the admin panel shows usage +\n  \"last seen\". Track usage per account without spreadsheets.\n- **Fast on bad long-haul links** — the install bakes in BBR + high-throughput\n  kernel tuning, and an optional second transport (**Hysteria2 / QUIC over UDP**)\n  that your client auto-selects by latency, so traffic slides to whichever path\n  is faster right now. (Distance still sets the floor — put a node near your\n  users; multiple nodes are supported.)\n- **Self-healing + self-diagnosing for non-experts** — the panel never\n  blank-screens (it shows a clear \"what to do\" message instead), common host\n  issues fix themselves on restart, and **`ct doctor`** checks everything and\n  tells you in plain English what to fix — no log-reading required.\n- **Operational recovery surfaces** — rollback previews, config previews,\n  redacted support bundles, node health trends, and the admin **System** page\n  make risky VPS operations inspectable before they change state.\n- **Operator experience polish** — the admin dashboard includes a guided\n  onboarding checklist, in-app operational notifications, clearer node/traffic\n  hints, consistent admin primitives, and safer security/support-bundle\n  guidance.\n\n## Requirements\n\n| Need | Notes |\n| --- | --- |\n| Debian VPS | Debian 12 or newer; Debian 12 is the primary target |\n| Root SSH or sudo | Required for Docker, firewall, and service setup |\n| Domain name | Point an `A` record at the VPS public IPv4 |\n| Open ports | `80/tcp` for ACME and `443/tcp` for panel/proxy traffic |\n| Small VPS | Designed for about 1 vCPU / 1 GB RAM deployments |\n| Disk | ~25 GB free recommended — the ~420 MB image bundle, the loaded Docker images, and update headroom can push a smaller disk to \"tight\" in `ct doctor` |\n\nNew to VPS, ACME, or Docker terms? See the\n[glossary](./docs/glossary.md).\n\n## Quickstart\n\nSSH to a fresh Debian VPS as root:\n\n```sh\nssh root@your.vps.public.ip\n```\n\nInstall base tools and open the firewall:\n\n```sh\napt update \u0026\u0026 apt -y upgrade\napt install -y ca-certificates curl git gnupg ufw dnsutils chrony fail2ban unattended-upgrades\n\nufw allow OpenSSH\nufw allow 80/tcp\nufw allow 443/tcp\nufw --force enable\n```\n\nBootstrap the latest release:\n\n```sh\nLATEST=\"$(curl -fsSLI -o /dev/null -w '%{url_effective}' https://github.com/coo1white/cool-tunnel-server/releases/latest | sed 's#.*/##')\"\nBRANCH=\"${LATEST}\" /bin/bash -c \"$(curl -fsSL \"https://raw.githubusercontent.com/coo1white/cool-tunnel-server/${LATEST}/scripts/bootstrap.sh\")\"\n```\n\nThe bootstrap auto-generates `BETTER_AUTH_SECRET` **and** the\n`REALITY_PRIVATE_KEY` / `REALITY_PUBLIC_KEY` pair into `.env`, so a fresh install\nneeds no manual key step. (To rotate the Reality keys later, run\n`ct reality-keygen` and paste the new pair into `.env`.)\n\nConfigure and install — set your domains + ACME email in `.env`, then install:\n\n```sh\ncd /opt/cool-tunnel-server\nnano .env\n./ct install\n./ct doctor\n```\n\nRelease installs download the verified Docker image bundle for the VPS\nCPU architecture and load it in one step. The VPS uses `docker load`;\nit does not build Rust, Bun, Go, Node/Next, or Docker images\nduring `ct install` or `ct update`.\n\nSet at least these `.env` values before running `./ct install`:\n\n| Key | Meaning |\n| --- | --- |\n| `DOMAIN` | Proxy/base domain |\n| `PANEL_DOMAIN` | Admin panel hostname, usually `panel.\u003cDOMAIN\u003e` |\n| `ACME_EMAIL` | Email for certificate renewal notices |\n| `REALITY_PRIVATE_KEY` | `private_key` from `ct reality-keygen` (43-char base64url) |\n| `REALITY_PUBLIC_KEY` | Matching `public_key` from the same command |\n\nFor the full install walkthrough, expected output, DNS checks, and\nrecovery hints, read [GETTING_STARTED.md](./GETTING_STARTED.md).\n\n## Panel Login and Account Setup\n\nOpen the admin UI:\n\n```text\nhttps://\u003cPANEL_DOMAIN\u003e/login\n```\n\nCreate the first owner from the VPS. The token is one-time only and\nexpires:\n\n```sh\ncd /opt/cool-tunnel-server\nct admin bootstrap\n```\n\nOpen the root-only setup URL from the generated file once; the API\nstores the one-time token in an HttpOnly cookie and immediately\nredirects to a clean `/setup` page. Create the owner account, then log\nin at `/login`. Public signup is disabled by default. After that, create\na proxy account:\n\n```text\nUsers -\u003e New proxy account -\u003e Save\n```\n\nAfter the account is created, open the account row's **Subscription\nURL** action and copy the **Import URL** into the Cool Tunnel client.\nThat URL contains the per-account subscription token, so treat it like a\npassword. If you lose the URL, open the same action again; if you rotate\nthe UUID, copy the fresh URL after rotation.\n\nIf you need to recover access:\n\n```sh\ncd /opt/cool-tunnel-server\nprintf '%s\\n' '\u003cnew long password\u003e' | ct admin create-owner --email you@example.com --username you --password-stdin\nprintf '%s\\n' '\u003ctemporary long password\u003e' | ct admin users reset-password --id \u003cuser-id\u003e --password-stdin\n```\n\n## Daily Operation\n\nMost VPS operation should stay inside the `ct` command:\n\n```sh\ncd /opt/cool-tunnel-server\n\nct doctor   # health dashboard with PASS / WARN / FAIL remediation\nct doctor --fix --dry-run   # preview conservative auto-repairs\nct backup   # snapshot DB + .env + ACME certs\nct update   # update to the current release and restart safely\nct rollback status          # inspect update rollback state\nct support-bundle --dry-run --json\n```\n\n### Copy-Paste VPS Update\n\nSSH into an already-installed server and paste this — it backs up, updates to the\nlatest release, health-checks, and prints your admin URL:\n\n```sh\nsudo bash -lc 'set -euo pipefail; cd /opt/cool-tunnel-server; test -f .env || { echo \"ERROR: .env is missing. This looks like a fresh or unfinished install, not an update.\"; echo \"Run: cd /opt/cool-tunnel-server \u0026\u0026 cp .env.example .env \u0026\u0026 nano .env \u0026\u0026 ./ct install\"; exit 1; }; ./ct backup; ./ct update; ./ct doctor; echo; echo \"Admin URL:\"; . ./.env; echo \"https://${PANEL_DOMAIN}/login\"; echo; echo \"If first-owner setup is still needed, run: ct admin bootstrap\"'\n```\n\nHealthy when `ct doctor` ends in **`0 FAIL`**. After first login, open\n`/system` to walk the onboarding checklist: owner account, panel domain,\nTLS/ACME, runtime services, sing-box render, Reality keys, access accounts,\nredeem codes, rollback, support bundle, and key-center readiness. The admin\npages use the same compact header, stat, badge, table, empty/error, and risk\nhint patterns so Dashboard, System, Nodes, Users, Settings, Security, Audit, and\nNotifications scan the same way. For the step-by-step beginner walkthrough, the\nnormal-looking log lines, version-jump notes, turning on Hysteria2, rollback,\nand recovering a lost `.env`, see the\n**[Update guide (wiki)](https://github.com/coo1white/cool-tunnel-server/wiki/Updating-and-backups)**.\n\n## Speed and Metering\n\nOn by default for new installs; existing servers opt in via `.env` + `ct update`.\nRun `ct doctor` any time to see their status in plain English.\n\n### Per-account usage metering\n\nEach account's traffic is measured and its **data balance** counts down as it's\nused; the panel shows **Usage** and **Last seen**. On by default\n(`CT_TRAFFIC_STATS=true`). Verify with:\n\n```sh\nct doctor   # look for:  Traffic metering: ON — N account(s) metered\n```\n\nPush some traffic through a key, wait ~30s, and the numbers move. When an\naccount's balance hits 0, its key pauses automatically until you add more data\nbalance or the user redeems an access code. The customer portal uses neutral\nAccess / Entitlement / Quota / Redeem / Expires wording; there is no public\npricing, checkout, or payment flow.\n\n### Make it faster on a long route (BBR + Hysteria2)\n\nTwo speed-ups for a far-away server (e.g. crossing continents):\n\n- **BBR kernel tuning** is baked into the installer — nothing to do; `ct doctor`\n  shows `Congestion ctl: bbr`.\n- **Hysteria2** adds a second transport (QUIC over UDP). Your client measures\n  both and uses whichever is faster *right now*. On by default for new installs.\n- **Brutal congestion control** (v0.19.14+, optional) — tell Hysteria2 your real\n  bandwidth and it switches from BBR to a fixed-rate, loss-tolerant sender.\n  Measured benefit is **conditional**: on a long-haul, lossy path (≈300 ms RTT,\n  5–20 % loss) Brutal delivered **~1.2–1.4× BBR's throughput** in our lab; on a\n  clean or short-hop link BBR is already as good, and a cap set *below* your real\n  capacity will *reduce* speed. Only turn it on if your users are far and the\n  path is lossy. Step 5 below.\n\n#### Open Hysteria2 on an existing server (one time, ~2 min)\n\n1. **Get the new code** (the QUIC sing-box + the UDP/443 port map):\n   ```sh\n   cd /opt/cool-tunnel-server \u0026\u0026 ./ct backup \u0026\u0026 ./ct update\n   ```\n2. **Generate the cert + enable it** — run this block **once** (it appends 4 lines to `.env`):\n   ```sh\n   d=$(mktemp -d)\n   openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \\\n     -keyout \"$d/k.pem\" -out \"$d/c.pem\" -days 3650 -subj \"/CN=cool-tunnel.local\" \\\n     -addext \"subjectAltName=DNS:cool-tunnel.local\" 2\u003e/dev/null   # SAN is required\n   { echo \"CT_HYSTERIA_ENABLED=true\"; echo \"CT_HYSTERIA_PORT=443\"; \\\n     echo \"HYSTERIA_CERT_B64=$(base64 -w0 \u003c\"$d/c.pem\")\"; \\\n     echo \"HYSTERIA_KEY_B64=$(base64 -w0 \u003c\"$d/k.pem\")\"; } \u003e\u003e .env\n   rm -rf \"$d\"\n   ```\n3. **Apply it** (re-renders the proxy config; sing-box hot-reloads — no restart needed):\n   ```sh\n   ./ct render singbox \u0026\u0026 ./ct doctor   # confirm:  Hysteria2: on (QUIC/UDP :443)\n   ```\n4. **Open UDP/443 in your firewall.** Easy to miss — TCP/443 is already open, but\n   Hysteria2 is **UDP**:\n   ```sh\n   sudo ufw allow 443/udp   # only if you run ufw\n   ```\n   Also allow **UDP 443** in your VPS provider's cloud firewall / security group\n   if it has one (Oracle, AWS, GCP…). Many providers leave all ports open — then\n   there's nothing to do.\n5. **(Optional, v0.19.14+) Hold throughput for 4K.** Set your plan's **real**\n   bandwidth and Hysteria2 uses the Brutal controller instead of BBR — it keeps\n   the pipe full on a lossy path so a 4K stream buffers ahead. Both-or-neither;\n   over-stating capacity causes loss, not speed, so keep these at/below what the\n   server actually delivers:\n   ```sh\n   { echo \"CT_HYSTERIA_UP_MBPS=50\"; echo \"CT_HYSTERIA_DOWN_MBPS=200\"; } \u003e\u003e .env   # ← your real Mbps\n   ./ct render singbox \u0026\u0026 ./ct doctor\n   ```\n   Leave them unset to keep adaptive BBR (the safe default).\n\n**Use it from a client:** take your account's **Subscription URL** (panel →\n**Users** → the account → **Copy**) and **add `/singbox.json`** to the end:\n\n```\nhttps://panel.yourdomain.com/api/v1/subscription/\u003ctoken\u003e/singbox.json\n```\n\nImport that into a **sing-box** app (SFA on Android, SFI on iOS, SFM on macOS, or\nthe `sing-box` CLI) — it carries *both* transports and auto-selects the faster\none. The plain VLESS subscription keeps working unchanged; this just adds the\nfaster UDP option. **Safe if UDP is blocked** anywhere — the client just stays on\nVLESS/TCP, nothing breaks.\n\n\u003e **Latency vs. throughput:** these tune *throughput*. The biggest cut to\n\u003e *latency* (ping) is a server closer to your users — cool-tunnel supports\n\u003e multiple nodes, so add one in the right region on the **Nodes** page. The\n\u003e **System** page summarizes service health, node probe trends, config state,\n\u003e rollback/support-bundle reminders, and recent audit activity.\n\nActive node probes record bounded history and currently check TCP reachability\nand latency to the node endpoint. UDP/protocol-specific probes are surfaced as\nnot checked until a future transport-aware probe lands.\n\n## What Runs\n\n| Service | Role |\n| --- | --- |\n| `caddy` | Public `:443` front door, ACME, TLS, and SNI routing |\n| `singbox` | VLESS + Reality proxy service |\n| `admin-api` | Hono/Bun API, Better Auth, SQLite store, subscription endpoint, and render actions |\n| `admin-web` | Next.js admin dashboard |\n| `docker-proxy` | Allowlist-only Docker-socket forwarder — the **only** service mounting the socket (read-only). It permits just container health reads and restarts, so `admin-api` never holds socket access that could reach the host daemon |\n| `redis` | Internal BullMQ backend for scheduled admin jobs such as audit/traffic retention; startup failure is logged without taking unrelated API routes down |\n\nThe control plane is the Better-T-Stack monorepo: `apps/web`,\n`apps/api`, `packages/shared`, `packages/db`, `packages/security`,\n`packages/config`, the TypeScript operator CLI, `singbox-core`, and the\nshared Rust `ct-protocol` crate. See [docs/architecture.md](./docs/architecture.md)\nfor diagrams and design rationale.\n\nOperational boundaries are explicit:\n\n- `ct` owns host operations: install, update, rollback, backup, restore,\n  doctor, support bundles, host config staging, Docker Compose orchestration,\n  and release/bundle validation.\n- `admin-api` owns control-plane operations: auth/session/RBAC, users,\n  accounts, nodes, portal, settings, audit, status summaries, safe render\n  requests, and non-destructive diagnostics.\n- `admin-web` owns UI only. It calls `admin-api`, parses shared API contracts,\n  never shells out, never assumes host paths, and never receives raw secrets\n  except one-time values intentionally returned for setup or node enrollment.\n\n## Security\n\nDefense-in-depth for protecting admin and proxy-user data:\n\n- **Docker-socket isolation.** Only the minimal `docker-proxy` holds the Docker\n  socket (read-only) and forwards just container health reads and restarts, so a\n  panel compromise cannot reach the host daemon to escape the container.\n- **RBAC with peer-admin limits.** Owner / admin / operator / viewer roles are\n  enforced in the API and re-checked in the data layer; admins manage only\n  operator/viewer (never a peer admin or owner), and the last active owner\n  cannot be removed.\n- **Auth hardening.** Argon2id password hashing, secure-by-default forced\n  rotation for admin-created accounts, per-IP **and** per-account login\n  throttling against brute-force/spray, session-bound CSRF tokens, and\n  HSTS + a strict CSP on the panel.\n- **Secrets at rest.** `.env` and the SQLite database (with its WAL/SHM\n  sidecars) are mode `0600`; subscription tokens are unforgeable HMACs; audit\n  entries and logs redact secret values.\n- **Security operations.** The admin **Security** page can export redacted audit\n  records and preview key rotations. Node sync secrets can be rotated with an\n  audit trail; session and Reality key material stay manual-only because they\n  can invalidate active users or client profiles.\n- **Verified transport TLS.** Reality borrows a real cover site's certificate,\n  so there's no server cert to leak or mis-issue; the optional Hysteria2\n  transport pins a self-signed cert, and config load refuses a cert with no\n  SubjectAltName (a CN-only cert modern clients silently reject) instead of\n  failing closed with no visible cause.\n\nFound something? See [SECURITY.md](./SECURITY.md).\n\n## Project Rule\n\nThe operator experience should stay simple:\n\n```text\ninstall simple -\u003e update simple -\u003e doctor simple -\u003e fix simple\n```\n\nThat means `ct install`, `ct update`, and `ct doctor` are the normal\nsurface, and diagnostics should name the next command to run when\nsomething fails.\n\n## Release\n\nLatest stable server release: `v0.22.2`.\n\nServer releases own the runtime assets used by clients:\n\n- server package/source release;\n- `SHA256SUMS`;\n- `ct-operator-linux-x64` and `ct-operator-linux-arm64`;\n- per-architecture `cool-tunnel-server-images-linux-*.tar.gz` image bundle\n  for VPS `ct install` and `ct update` — the sing-box engine and `singbox-core`\n  ship baked inside it (no separate `singbox-core-linux-*` download).\n\nThe macOS client runtime (`sing-box-*-darwin-universal` + `cool-tunnel-core-v*`)\nis a stable pin: published only on the release named in\n[`manifests/client-runtime.upstream.json`](manifests/client-runtime.upstream.json),\nnot on every release. The client bundles its own copies and updates from that\npinned release, so clients and server stay on compatible parts.\n\n## Documentation\n\n| Goal | Read |\n| --- | --- |\n| New to all this — deploy gently | [docs/beginners-guide.md](./docs/beginners-guide.md) |\n| Install for the first time | [GETTING_STARTED.md](./GETTING_STARTED.md) |\n| Debian VPS install reference | [docs/installation-debian.md](./docs/installation-debian.md) |\n| Update, backup, rotate, debug | [docs/operations.md](./docs/operations.md) |\n| Go faster + meter usage | [Speed \u0026 metering (wiki)](https://github.com/coo1white/cool-tunnel-server/wiki/Speed-and-metering) |\n| Troubleshoot install/update/doctor | [docs/operator-runbook.md](./docs/operator-runbook.md) |\n| Smoke-test a release | [docs/test-vps.md](./docs/test-vps.md) |\n| Understand the architecture | [docs/architecture.md](./docs/architecture.md) |\n| Look up terms | [docs/glossary.md](./docs/glossary.md) |\n| Make your first code change | [docs/first-contribution.md](./docs/first-contribution.md) |\n| Contribute (full conventions) | [CONTRIBUTING.md](./CONTRIBUTING.md) |\n| Report a security issue | [SECURITY.md](./SECURITY.md) |\n\nThe operator CLI also includes built-in help:\n\n```sh\nct help\n```\n\n## License + Posture\n\n- Active license: [AGPL-3.0-only](./LICENSE).\n- Stricter LTSC-Heng draft:\n  [LTSC-HENG-LICENSE-DRAFT.md](./LTSC-HENG-LICENSE-DRAFT.md).\n- No user tracking. Internal health metrics are allowed; per-user\n  destination logging is forbidden.\n- Read [Disclaimer.md](./Disclaimer.md) before production use.\n\nBundled upstream components keep their own licenses. See\n[NOTICE](./NOTICE) and\n[THIRD_PARTY_LICENSES.md](./THIRD_PARTY_LICENSES.md).\n\n\u003csub\u003eJurisdiction: Wyoming, USA. Steward: coolwhite LLC.\u003c/sub\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcoo1white%2Fcool-tunnel-server","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcoo1white%2Fcool-tunnel-server","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcoo1white%2Fcool-tunnel-server/lists"}