Add docs and link from README

useruserdev · useruserdev · commit 70e106fa565b · 2026-06-03T05:34:32.000+05:00
diff --git a/README.md b/README.md
@@ -25,6 +25,7 @@ or a ready-to-use subscription link.
 | **iOS**    | Sideload the `.ipa` from [**Releases**](../../releases/latest) (AltStore · Sideloadly · TrollStore) |
 | **Web**    | Open the console → [**useruserdev.github.io/happwn**](https://useruserdev.github.io/happwn/) |
 | **Subscription** | Deploy your own free Cloudflare [**Worker**](worker/README.md), paste its URL in Settings |
+| **Docs**   | Guides & reference → [**docs/**](docs/) |
 
 <br>
 
diff --git a/docs/README.md b/docs/README.md
@@ -0,0 +1,24 @@
+# happwn docs
+
+happwn decrypts Happ `happ://` links and turns the configs into something you can use —
+an iOS app, a web console, or a hosted subscription URL. Everything decrypts on-device.
+
+## Contents
+
+- [iOS app](ios.md) — install the sideloaded `.ipa`, settings, how it builds
+- [Web console](web.md) — browser decrypt, manual extraction
+- [Subscription Worker](../worker/README.md) — deploy your own Cloudflare Worker
+- [How decryption works](crypto.md) — schemes, crypto, keys
+- [FAQ & troubleshooting](faq.md)
+
+## At a glance
+
+```
+happ://crypt…  ──decrypt──▶  subscription URL
+                               │  GET with User-Agent + X-HWID
+                               ▼
+                          configs (vless / vmess / trojan / …)
+```
+
+The subscription server rejects requests that don't carry the Happ `User-Agent` and your
+`X-HWID`, so those are set in Settings (app or web).
diff --git a/docs/crypto.md b/docs/crypto.md
@@ -0,0 +1,28 @@
+# How decryption works
+
+`happ://` links are encrypted; happwn reverses the scheme entirely on-device.
+
+| Scheme | Pipeline |
+| ------ | -------- |
+| `crypt` · `crypt2` · `crypt3` · `crypt4` | base64 → RSA PKCS#1 v1.5 |
+| `crypt5` | CDAB permutation → RSA key recovery → ChaCha20-Poly1305 → base64 |
+
+The decrypted payload is usually a **subscription URL**. Fetching it with the Happ
+`User-Agent` + `X-HWID` returns the actual configs (`vless`, `vmess`, `trojan`, `ss`,
+`ssr`, `hysteria2`, `tuic`, `wireguard`).
+
+## Two implementations, one result
+
+| Platform | Crypto |
+| -------- | ------ |
+| iOS | Rust core (`rsa`, `chacha20poly1305`, `base64`) shipped as a static `.xcframework` |
+| Web | JavaScript (`node-forge` for RSA, `@noble/ciphers` for ChaCha20-Poly1305) |
+
+Both embed the same keys and produce identical output. CI verifies each against the same
+real `crypt4` and `crypt5` vectors on every push, so the two implementations can't drift.
+
+## Keys
+
+The RSA keys (4 PKCS#1 keys for `crypt`–`crypt4`, 34 marker-indexed PKCS#8 keys for
+`crypt5`) are bundled with the app and site — they are what makes offline decryption
+possible. They live in `rust/data/` (iOS) and `web/` (browser).
diff --git a/docs/faq.md b/docs/faq.md
@@ -0,0 +1,27 @@
+# FAQ & troubleshooting
+
+**“Server rejected — check User-Agent and X-HWID”**
+The subscription server requires the exact Happ `User-Agent` and your device's `X-HWID`.
+Set both in Settings and try again.
+
+**A client shows “App not supported”**
+That client has no HWID support, so it can't load the link directly. Use happwn (app or
+web) to decrypt and pull the configs, or run the manual `curl` command from
+[web.md](web.md#manual-extraction-no-worker).
+
+**“Decrypt failed”**
+The link isn't a supported `happ://` scheme (`crypt`–`crypt5`) or it's malformed/truncated.
+Copy the full link again.
+
+**Web: “Forge failed” / network error**
+Your `Worker URL` isn't set, or the Worker can't reach the subscription server. Confirm
+the Worker is deployed with the `SUBS` KV binding and the URL is pasted in Settings.
+See [worker/README.md](../worker/README.md).
+
+**Nothing parsed — only a raw response**
+The server returned something that isn't a recognized config list. The raw body is shown
+so you can inspect it; the link or your headers may be wrong.
+
+**Is my data private?**
+Decryption happens on your device. The web subscription is stored in **your own**
+Cloudflare KV under a random, unguessable token (7-day expiry). Nothing is sent to us.
diff --git a/docs/ios.md b/docs/ios.md
@@ -0,0 +1,40 @@
+# iOS app
+
+A config extractor, distributed as an unsigned `.ipa` and sideloaded — no App Store.
+
+## Install
+
+1. Download the latest `happwn-*.ipa` from [Releases](../../../releases/latest).
+2. Sideload it with **AltStore**, **Sideloadly**, or **TrollStore**.
+3. Open the app → **Settings** → set your `User-Agent` and `X-HWID`.
+4. Paste a `happ://` link and tap **Extract**.
+
+## Using it
+
+- Paste a `happ://crypt…` link → the app decrypts it and follows the embedded
+  subscription URL using your `User-Agent` + `X-HWID`.
+- The configs (`vless`, `vmess`, `trojan`, `ss`, …) are listed — tap to copy one,
+  copy all, share, or export.
+- If a server returns nothing recognizable, the raw response is shown for inspection.
+
+## Settings
+
+| Field | Meaning |
+| ----- | ------- |
+| `User-Agent` | The value the subscription server expects (e.g. `Happ/x.y`). |
+| `X-HWID` | Your device id; the server binds the subscription to it. |
+
+Both are stored locally on the device only.
+
+## How it builds
+
+CI on GitHub Actions (macOS) compiles the Rust crypto core into an `.xcframework`,
+builds the SwiftUI app, runs the tests, and publishes a versioned unsigned `.ipa` to
+Releases on every push to `main`. No Mac required to get a build.
+
+Local build (macOS):
+
+```bash
+bash scripts/build-xcframework.sh
+cd ios && xcodegen generate && open happwn.xcodeproj
+```
diff --git a/docs/web.md b/docs/web.md
@@ -0,0 +1,36 @@
+# Web console
+
+**https://useruserdev.github.io/happwn/**
+
+Decrypts `happ://` links right in the browser — nothing leaves your device. Decryption
+needs no setup. To turn the configs into a subscription URL, deploy your own Worker.
+
+## Flow
+
+1. Paste a `happ://` link → **Decrypt** (runs locally). The decrypted value (usually a
+   subscription URL) appears with a copy button.
+2. **Forge subscription** → sends the URL to your Worker, which fetches it with the right
+   headers and returns a hosted `…workers.dev/sub/<token>` link, with a QR and the
+   config list.
+
+Settings (gear): `User-Agent`, `X-HWID`, and your `Worker URL` — all stored in the
+browser's localStorage.
+
+## Why a Worker is needed
+
+A browser **cannot** set the `User-Agent` header (it's a forbidden header) and is blocked
+by **CORS** from fetching the subscription server directly. So the authenticated fetch
+runs server-side on a small Cloudflare Worker that you deploy and own. Setup:
+[worker/README.md](../worker/README.md).
+
+## Manual extraction (no Worker)
+
+When a client shows **“App not supported”** (it lacks HWID support), pull the configs
+yourself in a terminal:
+
+```bash
+curl -fsSL -H "User-Agent: Happ/1.0" -H "X-HWID: <your-hwid>" "<sub-url>" | base64 -d
+```
+
+The web console builds this exact command for you from the decrypted link and your
+settings — just copy it.
