Delete proxy-secret

Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
Update Cargo.toml
2026-04-15 01:24:09 +03:00 · 2026-02-25 00:31:12 +03:00 · 2026-02-25 00:29:58 +03:00 · 2026-02-25 00:29:07 +03:00 · 2026-02-25 00:28:40 +03:00 · 2026-02-25 00:28:26 +03:00
92 changed files with 14894 additions and 3027 deletions
--- a/.github/codeql/codeql-config.yml
+++ b/.github/codeql/codeql-config.yml
@@ -0,0 +1,19 @@
 name: "Rust without tests"
 disable-default-queries: false
 queries:
  - uses: security-extended
  - uses: security-and-quality
  - uses: ./.github/codeql/queries
 query-filters:
  - exclude:
      id:
        - rust/unwrap-on-option
        - rust/unwrap-on-result
        - rust/expect-used
 analysis:
  dataflow:
    default-precision: high
--- a/.github/workflows/queries/common/ProductionOnly.qll
+++ b/.github/workflows/queries/common/ProductionOnly.qll
--- a/.github/workflows/queries/qlpack.yml
+++ b/.github/workflows/queries/qlpack.yml
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -2,9 +2,9 @@ name: "CodeQL Advanced"
 on:
  push:
-    branches: [ "main" ]
+    branches: [ "*" ]
  pull_request:
-    branches: [ "main" ]
+    branches: [ "*" ]
  schedule:
    - cron: '0 0 * * 0'
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -0,0 +1,139 @@
 name: Release
 on:
  push:
    tags:
      - '[0-9]+.[0-9]+.[0-9]+'
  workflow_dispatch:
 permissions:
  contents: read
  packages: write
 env:
  CARGO_TERM_COLOR: always
 jobs:
  build:
    name: Build ${{ matrix.target }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
    strategy:
      fail-fast: false
      matrix:
        include:
          - target: x86_64-unknown-linux-gnu
            artifact_name: telemt
            asset_name: telemt-x86_64-linux-gnu
          - target: aarch64-unknown-linux-gnu
            artifact_name: telemt
            asset_name: telemt-aarch64-linux-gnu
          - target: x86_64-unknown-linux-musl
            artifact_name: telemt
            asset_name: telemt-x86_64-linux-musl
          - target: aarch64-unknown-linux-musl
            artifact_name: telemt
            asset_name: telemt-aarch64-linux-musl
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@v1
        with:
          toolchain: stable
          targets: ${{ matrix.target }}
      - name: Install cross-compilation tools
        run: |
          sudo apt-get update
          sudo apt-get install -y gcc-aarch64-linux-gnu
      - uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            target
          key: ${{ runner.os }}-${{ matrix.target }}-cargo-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: |
            ${{ runner.os }}-${{ matrix.target }}-cargo-
      - name: Install cross
        run: cargo install cross --git https://github.com/cross-rs/cross
      - name: Build Release
        env:
          RUSTFLAGS: ${{ contains(matrix.target, 'musl') && '-C target-feature=+crt-static' || '' }}
        run: cross build --release --target ${{ matrix.target }}
      - name: Package binary
        run: |
          cd target/${{ matrix.target }}/release
          tar -czvf ${{ matrix.asset_name }}.tar.gz ${{ matrix.artifact_name }}
          sha256sum ${{ matrix.asset_name }}.tar.gz > ${{ matrix.asset_name }}.sha256
      - uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.asset_name }}
          path: |
            target/${{ matrix.target }}/release/${{ matrix.asset_name }}.tar.gz
            target/${{ matrix.target }}/release/${{ matrix.asset_name }}.sha256
  build-docker-image:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-qemu-action@v3
      - uses: docker/setup-buildx-action@v3
      - name: Login to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Extract version
        id: vars
        run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
      - name: Build and push
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: |
            ghcr.io/${{ github.repository }}:${{ steps.vars.outputs.VERSION }}
            ghcr.io/${{ github.repository }}:latest
  release:
    name: Create Release
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: actions/download-artifact@v4
        with:
          path: artifacts
      - name: Create Release
        uses: softprops/action-gh-release@v2
        with:
          files: artifacts/**/*
          generate_release_notes: true
          draft: false
          prerelease: ${{ contains(github.ref, '-rc') || contains(github.ref, '-beta') || contains(github.ref, '-alpha') }}
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -2,9 +2,9 @@ name: Rust
 on:
  push:
-    branches: [ main ]
+    branches: [ "*" ]
  pull_request:
-    branches: [ main ]
+    branches: [ "*" ]
 env:
  CARGO_TERM_COLOR: always
@@ -42,5 +42,13 @@ jobs:
    - name: Build Release
      run: cargo build --release --verbose
    - name: Run tests
      run: cargo test --verbose
 # clippy dont fail on warnings because of active development of telemt 
 # and many warnings
    - name: Run clippy
      run: cargo clippy -- --cap-lints warn
    - name: Check for unused dependencies
      run: cargo udeps || true
--- a/.gitignore
+++ b/.gitignore
@@ -19,3 +19,7 @@ target
 #  and can be added to the global gitignore or merged into this file.  For a more nuclear
 #  option (not recommended) you can uncomment the following to ignore the entire idea folder.
 #.idea/
 *.rs
 target
 Cargo.lock
 src
--- a/.kilocode/rules-architect/AGENTS.md
+++ b/.kilocode/rules-architect/AGENTS.md
@@ -0,0 +1,58 @@
 # Architect Mode Rules for Telemt
 ## Architecture Overview
 ```mermaid
 graph TB
    subgraph Entry
        Client[Clients] --> Listener[TCP/Unix Listener]
    end
    subgraph Proxy Layer
        Listener --> ClientHandler[ClientHandler]
        ClientHandler --> Handshake[Handshake Validator]
        Handshake --> |Valid| Relay[Relay Layer]
        Handshake --> |Invalid| Masking[Masking/TLS Fronting]
    end
    subgraph Transport
        Relay --> MiddleProxy[Middle-End Proxy Pool]
        Relay --> DirectRelay[Direct DC Relay]
        MiddleProxy --> TelegramDC[Telegram DCs]
        DirectRelay --> TelegramDC
    end
 ```
 ## Module Dependencies
 - [`src/main.rs`](src/main.rs) - Entry point, spawns all async tasks
 - [`src/config/`](src/config/) - Configuration loading with auto-migration
 - [`src/error.rs`](src/error.rs) - Error types, must be used by all modules
 - [`src/crypto/`](src/crypto/) - AES, SHA, random number generation
 - [`src/protocol/`](src/protocol/) - MTProto constants, frame encoding, obfuscation
 - [`src/stream/`](src/stream/) - Stream wrappers, buffer pool, frame codecs
 - [`src/proxy/`](src/proxy/) - Client handling, handshake, relay logic
 - [`src/transport/`](src/transport/) - Upstream management, middle-proxy, SOCKS support
 - [`src/stats/`](src/stats/) - Statistics and replay protection
 - [`src/ip_tracker.rs`](src/ip_tracker.rs) - Per-user IP tracking
 ## Key Architectural Constraints
 ### Middle-End Proxy Mode
 - Requires public IP on interface OR 1:1 NAT with STUN probing
 - Uses separate `proxy-secret` from Telegram (NOT user secrets)
 - Falls back to direct mode automatically on STUN mismatch
 ### TLS Fronting
 - Invalid handshakes are transparently proxied to `mask_host`
 - This is critical for DPI evasion - do not change this behavior
 - `mask_unix_sock` and `mask_host` are mutually exclusive
 ### Stream Architecture
 - Buffer pool is shared globally via Arc - prevents allocation storms
 - Frame codecs implement tokio-util Encoder/Decoder traits
 - State machine in [`src/stream/state.rs`](src/stream/state.rs) manages stream transitions
 ### Configuration Migration
 - [`ProxyConfig::load()`](src/config/mod.rs:641) mutates config in-place
 - New fields must have sensible defaults
 - DC203 override is auto-injected for CDN/media support
--- a/.kilocode/rules-code/AGENTS.md
+++ b/.kilocode/rules-code/AGENTS.md
@@ -0,0 +1,23 @@
 # Code Mode Rules for Telemt
 ## Error Handling
 - Always use [`ProxyError`](src/error.rs:168) from [`src/error.rs`](src/error.rs) for proxy operations
 - [`HandshakeResult<T,R,W>`](src/error.rs:292) returns streams on bad client - these MUST be returned for masking, never dropped
 - Use [`Recoverable`](src/error.rs:110) trait to check if errors are retryable
 ## Configuration Changes
 - [`ProxyConfig::load()`](src/config/mod.rs:641) auto-mutates config - new fields should have defaults
 - DC203 override is auto-injected if missing - do not remove this behavior
 - When adding config fields, add migration logic in [`ProxyConfig::load()`](src/config/mod.rs:641)
 ## Crypto Code
 - [`SecureRandom`](src/crypto/random.rs) from [`src/crypto/random.rs`](src/crypto/random.rs) must be used for all crypto operations
 - Never use `rand::thread_rng()` directly - use the shared `Arc<SecureRandom>`
 ## Stream Handling
 - Buffer pool [`BufferPool`](src/stream/buffer_pool.rs) is shared via Arc - always use it instead of allocating
 - Frame codecs in [`src/stream/frame_codec.rs`](src/stream/frame_codec.rs) implement tokio-util's Encoder/Decoder traits
 ## Testing
 - Tests are inline in modules using `#[cfg(test)]`
 - Use `cargo test --lib <module_name>` to run tests for specific modules
--- a/.kilocode/rules-debug/AGENTS.md
+++ b/.kilocode/rules-debug/AGENTS.md
@@ -0,0 +1,27 @@
 # Debug Mode Rules for Telemt
 ## Logging
 - `RUST_LOG` environment variable takes absolute priority over all config log levels
 - Log levels: `trace`, `debug`, `info`, `warn`, `error`
 - Use `RUST_LOG=debug cargo run` for detailed operational logs
 - Use `RUST_LOG=trace cargo run` for full protocol-level debugging
 ## Middle-End Proxy Debugging
 - Set `ME_DIAG=1` environment variable for high-precision cryptography diagnostics
 - STUN probe results are logged at startup - check for mismatch between local and reflected IP
 - If Middle-End fails, check `proxy_secret_path` points to valid file from https://core.telegram.org/getProxySecret
 ## Connection Issues
 - DC connectivity is logged at startup with RTT measurements
 - If DC ping fails, check `dc_overrides` for custom addresses
 - Use `prefer_ipv6=false` in config if IPv6 is unreliable
 ## TLS Fronting Issues
 - Invalid handshakes are proxied to `mask_host` - check this host is reachable
 - `mask_unix_sock` and `mask_host` are mutually exclusive - only one can be set
 - If `mask_unix_sock` is set, socket must exist before connections arrive
 ## Common Errors
 - `ReplayAttack` - client replayed a handshake nonce, potential attack
 - `TimeSkew` - client clock is off, can disable with `ignore_time_skew=true`
 - `TgHandshakeTimeout` - upstream DC connection failed, check network
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -0,0 +1,410 @@
 ## System Prompt — Production Rust Codebase: Modification and Architecture Guidelines
 You are a senior Rust Engineer and pricipal Rust Architect acting as a strict code reviewer and implementation partner. 
 Your responses are precise, minimal, and architecturally sound. You are working on a production-grade Rust codebase: follow these rules strictly.
 ---
 ### 0. Priority Resolution — Scope Control
 This section resolves conflicts between code quality enforcement and scope limitation.
 When editing or extending existing code, you MUST audit the affected files and fix:
 - Comment style violations (missing, non-English, decorative, trailing).
 - Missing or incorrect documentation on public items.
 - Comment placement issues (trailing comments → move above the code).
 These are **coordinated changes** — they are always in scope.
 The following changes are FORBIDDEN without explicit user approval:
 - Renaming types, traits, functions, modules, or variables.
 - Altering business logic, control flow, or data transformations.
 - Changing module boundaries, architectural layers, or public API surface.
 - Adding or removing functions, structs, enums, or trait implementations.
 - Fixing compiler warnings or removing unused code.
 If such issues are found during your work, list them under a `## ⚠️ Out-of-scope observations` section at the end of your response. Include file path, context, and a brief description. Do not apply these changes.
 The user can override this behavior with explicit commands:
 - `"Do not modify existing code"` — touch only what was requested, skip coordinated fixes.
 - `"Make minimal changes"` — no coordinated fixes, narrowest possible diff.
 - `"Fix everything"` — apply all coordinated fixes and out-of-scope observations.
 ### Core Rule
 The codebase must never enter an invalid intermediate state.
 No response may leave the repository in a condition that requires follow-up fixes.
 ---
 ### 1. Comments and Documentation
 - All comments MUST be written in English.
 - Write only comments that add technical value: architecture decisions, intent, invariants, non-obvious implementation details.
 - Place all comments on separate lines above the relevant code.
 - Use `///` doc-comments for public items. Use `//` for internal clarifications.
 Correct example:
 ```rust
 // Handles MTProto client authentication and establishes encrypted session state.
 fn handle_authenticated_client(...) { ... }
 ```
 Incorrect examples:
 ```rust
 let x = 5; // set x to 5
 ```
 ```rust
 // This function does stuff
 fn do_stuff() { ... }
 ```
 ---
 ### 2. File Size and Module Structure
 - Files MUST NOT exceed 350–550 lines.
 - If a file exceeds this limit, split it into submodules organized by responsibility (e.g., protocol, transport, state, handlers).
 - Parent modules MUST declare and describe their submodules.
 - Maintain clear architectural boundaries between modules.
 Correct example:
 ```rust
 // Client connection handling logic.
 // Submodules:
 // - handshake: MTProto handshake implementation
 // - relay: traffic forwarding logic
 // - state: client session state machine
 pub mod handshake;
 pub mod relay;
 pub mod state;
 ```
 Git discipline:
 - Use local git for versioning and diffs.
 - Write clear, descriptive commit messages in English that explain both *what* changed and *why*.
 ---
 ### 3. Formatting
 - Preserve the existing formatting style of the project exactly as-is.
 - Reformat code only when explicitly instructed to do so.
 - Do not run `cargo fmt` unless explicitly instructed.
 ---
 ### 4. Change Safety and Validation
 - If anything is unclear, STOP and ask specific, targeted questions before proceeding.
 - List exactly what is ambiguous and offer possible interpretations for the user to choose from.
 - Prefer clarification over assumptions. Do not guess intent, behavior, or missing requirements.
 - Actively ask questions before making architectural or behavioral changes.
 ---
 ### 5. Warnings and Unused Code
 - Leave all warnings, unused variables, functions, imports, and dead code untouched unless explicitly instructed to modify them.
 - These may be intentional or part of work-in-progress code.
 - `todo!()` and `unimplemented!()` are permitted and should not be removed or replaced unless explicitly instructed.
 ---
 ### 6. Architectural Integrity
 - Preserve existing architecture unless explicitly instructed to refactor.
 - Do not introduce hidden behavioral changes.
 - Do not introduce implicit refactors.
 - Keep changes minimal, isolated, and intentional.
 ---
 ### 7. When Modifying Code
 You MUST:
 - Maintain architectural consistency with the existing codebase.
 - Document non-obvious logic with comments that describe *why*, not *what*.
 - Limit changes strictly to the requested scope (plus coordinated fixes per Section 0).
 - Keep all existing symbol names unless renaming is explicitly requested.
 - Preserve global formatting as-is
 - Result every modification in a self-contained, compilable, runnable state of the codebase
 You MUST NOT:
 - Use placeholders: no `// ... rest of code`, no `// implement here`, no `/* TODO */` stubs that replace existing working code. Write full, working implementation. If the implementation is unclear, ask first
 - Refactor code outside the requested scope
 - Make speculative improvements
 - Spawn multiple agents for EDITING
 - Produce partial changes
 - Introduce references to entities that are not yet implemented
 - Leave TODO placeholders in production paths
 Note: `todo!()` and `unimplemented!()` are allowed as idiomatic Rust markers for genuinely unfinished code paths.
 Every change must:
   - compile,
   - pass type checks,
   - have no broken imports,
   - preserve invariants,
   - not rely on future patches.
 If the task requires multiple phases:
   - either implement all required phases,
   - or explicitly refuse and explain missing dependencies.
 ---
 ### 8. Decision Process for Complex Changes
 When facing a non-trivial modification, follow this sequence:
 1. **Clarify**: Restate the task in one sentence to confirm understanding.
 2. **Assess impact**: Identify which modules, types, and invariants are affected.
 3. **Propose**: Describe the intended change before implementing it.
 4. **Implement**: Make the minimal, isolated change.
 5. **Verify**: Explain why the change preserves existing behavior and architectural integrity.
 ---
 ### 9. Context Awareness
 - When provided with partial code, assume the rest of the codebase exists and functions correctly unless stated otherwise.
 - Reference existing types, functions, and module structures by their actual names as shown in the provided code.
 - When the provided context is insufficient to make a safe change, request the missing context explicitly.
 - Spawn multiple agents for SEARCHING information, code, functions
 ---
 ### 10. Response Format
 #### Language Policy
 - Code, comments, commit messages, documentation ONLY ON **English**!
 - Reasoning and explanations in response text on language from promt
 #### Response Structure
 Your response MUST consist of two sections:
 **Section 1: `## Reasoning`**
 - What needs to be done and why.
 - Which files and modules are affected.
 - Architectural decisions and their rationale.
 - Potential risks or side effects.
 **Section 2: `## Changes`**
 - For each modified or created file: the filename on a separate line in backticks, followed by the code block.
 - For files **under 200 lines**: return the full file with all changes applied.
 - For files **over 200 lines**: return only the changed functions/blocks with at least 3 lines of surrounding context above and below. If the user requests the full file, provide it.
 - New files: full file content.
 - End with a suggested git commit message in English.
 #### Reporting Out-of-Scope Issues
 If during modification you discover issues outside the requested scope (potential bugs, unsafe code, architectural concerns, missing error handling, unused imports, dead code):
 - Do not fix them silently.
 - List them under `## ⚠️ Out-of-scope observations` at the end of your response.
 - Include: file path, line/function context, brief description of the issue, and severity estimate.
 #### Splitting Protocol
 If the response exceeds the output limit:
 1. End the current part with: **SPLIT: PART N — CONTINUE? (remaining: file_list)**
 2. List the files that will be provided in subsequent parts.
 3. Wait for user confirmation before continuing.
 4. No single file may be split across parts.
 ## 11. Anti-LLM Degeneration Safeguards (Principal-Paranoid, Visionary)
 This section exists to prevent common LLM failure modes: scope creep, semantic drift, cargo-cult refactors, performance regressions, contract breakage, and hidden behavior changes.
 ### 11.1 Non-Negotiable Invariants
 - **No semantic drift:** Do not reinterpret requirements, rename concepts, or change meaning of existing terms.
 - **No “helpful refactors”:** Any refactor not explicitly requested is forbidden.
 - **No architectural drift:** Do not introduce new layers, patterns, abstractions, or “clean architecture” migrations unless requested.
 - **No dependency drift:** Do not add crates, features, or versions unless explicitly requested.
 - **No behavior drift:** If a change could alter runtime behavior, you MUST call it out explicitly in `## Reasoning` and justify it.
 ### 11.2 Minimal Surface Area Rule
 - Touch the smallest number of files possible.
 - Prefer local changes over cross-cutting edits.
 - Do not “align style” across a file/module—only adjust the modified region.
 - Do not reorder items, imports, or code unless required for correctness.
 ### 11.3 No Implicit Contract Changes
 Contracts include:
 - public APIs, trait bounds, visibility, error types, timeouts/retries, logging semantics, metrics semantics,
 - protocol formats, framing, padding, keepalive cadence, state machine transitions,
 - concurrency guarantees, cancellation behavior, backpressure behavior.
 Rule:
 - If you change a contract, you MUST update all dependents in the same patch AND document the contract delta explicitly.
 ### 11.4 Hot-Path Preservation (Performance Paranoia)
 - Do not introduce extra allocations, cloning, or formatting in hot paths.
 - Do not add logging/metrics on hot paths unless requested.
 - Do not add new locks or broaden lock scope.
 - Prefer `&str` / slices / borrowed data where the codebase already does so.
 - Avoid `String` building for errors/logs if it changes current patterns.
 If you cannot prove performance neutrality, label it as risk in `## Reasoning`.
 ### 11.5 Async / Concurrency Safety (Cancellation & Backpressure)
 - No blocking calls inside async contexts.
 - Preserve cancellation safety: do not introduce `await` between lock acquisition and critical invariants unless already present.
 - Preserve backpressure: do not replace bounded channels with unbounded, do not remove flow control.
 - Do not change task lifecycle semantics (spawn patterns, join handles, shutdown order) unless requested.
 - Do not introduce `tokio::spawn` / background tasks unless explicitly requested.
 ### 11.6 Error Semantics Integrity
 - Do not replace structured errors with generic strings.
 - Do not widen/narrow error types or change error categories without explicit approval.
 - Avoid introducing panics in production paths (`unwrap`, `expect`) unless the codebase already treats that path as impossible and documented.
 ### 11.7 “No New Abstractions” Default
 Default stance:
 - No new traits, generics, macros, builder patterns, type-level cleverness, or “frameworking”.
 - If abstraction is necessary, prefer the smallest possible local helper (private function) and justify it.
 ### 11.8 Negative-Diff Protection
 Avoid “diff inflation” patterns:
 - mass edits,
 - moving code between files,
 - rewrapping long lines,
 - rearranging module order,
 - renaming for aesthetics.
 If a diff becomes large, STOP and ask before proceeding.
 ### 11.9 Consistency with Existing Style (But Not Style Refactors)
 - Follow existing conventions of the touched module (naming, error style, return patterns).
 - Do not enforce global “best practices” that the codebase does not already use.
 ### 11.10 Two-Phase Safety Gate (Plan → Patch)
 For non-trivial changes:
 1) Provide a micro-plan (1–5 bullets): what files, what functions, what invariants, what risks.
 2) Implement exactly that plan—no extra improvements.
 ### 11.11 Pre-Response Checklist (Hard Gate)
 Before final output, verify internally:
 - No unresolved symbols / broken imports.
 - No partially updated call sites.
 - No new public surface changes unless requested.
 - No transitional states / TODO placeholders replacing working code.
 - Changes are atomic: the repository remains buildable and runnable.
 - Any behavior change is explicitly stated.
 If any check fails: fix it before responding.
 ### 11.12 Truthfulness Policy (No Hallucinated Claims)
 - Do not claim “this compiles” or “tests pass” unless you actually verified with the available tooling/context.
 - If verification is not possible, state: “Not executed; reasoning-based consistency check only.”
 ### 11.13 Visionary Guardrail: Preserve Optionality
 When multiple valid designs exist, prefer the one that:
 - minimally constrains future evolution,
 - preserves existing extension points,
 - avoids locking the project into a new paradigm,
 - keeps interfaces stable and implementation local.
 Default to reversible changes.
 ### 11.14 Stop Conditions
 STOP and ask targeted questions if:
 - required context is missing,
 - a change would cross module boundaries,
 - a contract might change,
 - concurrency/protocol invariants are unclear,
 - the diff is growing beyond a minimal patch.
 No guessing.
 ### 12. Invariant Preservation
 You MUST explicitly preserve:
 - Thread-safety guarantees (`Send` / `Sync` expectations).
 - Memory safety assumptions (no hidden `unsafe` expansions).
 - Lock ordering and deadlock invariants.
 - State machine correctness (no new invalid transitions).
 - Backward compatibility of serialized formats (if applicable).
 If a change touches concurrency, networking, protocol logic, or state machines,
 you MUST explain why existing invariants remain valid.
 ### 13. Error Handling Policy
 - Do not replace structured errors with generic strings.
 - Preserve existing error propagation semantics.
 - Do not widen or narrow error types without approval.
 - Avoid introducing panics in production paths.
 - Prefer explicit error mapping over implicit conversions.
 ### 14. Test Safety
 - Do not modify existing tests unless the task explicitly requires it.
 - Do not weaken assertions.
 - Preserve determinism in testable components.
 ### 15. Security Constraints
 - Do not weaken cryptographic assumptions.
 - Do not modify key derivation logic without explicit request.
 - Do not change constant-time behavior.
 - Do not introduce logging of secrets.
 - Preserve TLS/MTProto protocol correctness.
 ### 16. Logging Policy
 - Do not introduce excessive logging in hot paths.
 - Do not log sensitive data.
 - Preserve existing log levels and style.
 ### 17. Pre-Response Verification Checklist
 Before producing the final answer, verify internally:
 - The change compiles conceptually.
 - No unresolved symbols exist.
 - All modified call sites are updated.
 - No accidental behavioral changes were introduced.
 - Architectural boundaries remain intact.
 ### 18. Atomic Change Principle
 Every patch must be **atomic and production-safe**.
 * **Self-contained** — no dependency on future patches or unimplemented components.
 * **Build-safe** — the project must compile successfully after the change.
 * **Contract-consistent** — no partial interface or behavioral changes; all dependent code must be updated within the same patch.
 * **No transitional states** — no placeholders, incomplete refactors, or temporary inconsistencies.
 **Invariant:** After any single patch, the repository remains fully functional and buildable.
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -0,0 +1,14 @@
 # Pull Requests - Rules
 ## General
 - ONLY signed and verified commits
 - ONLY from your name
 - DO NOT commit with `codex` or `claude` as author/commiter
 - PREFER `flow` branch for development, not `main`
 ## AI
 We are not against modern tools, like AI, where you act as a principal or architect, but we consider it important:
 - you really understand what you're doing
 - you understand the relationships and dependencies of the components being modified
 - you understand the architecture of Telegram MTProto, MTProxy, Middle-End KDF at least generically
 - you DO NOT commit for the sake of commits, but to help the community, core-developers and ordinary users
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "telemt"
-version = "1.2.0"
+version = "3.0.15"
 edition = "2024"
 [dependencies]
@@ -9,7 +9,7 @@ libc = "0.2"
 # Async runtime
 tokio = { version = "1.42", features = ["full", "tracing"] }
-tokio-util = { version = "0.7", features = ["codec"] }
+tokio-util = { version = "0.7", features = ["full"] }
 # Crypto
 aes = "0.8"
@@ -20,15 +20,18 @@ sha1 = "0.10"
 md-5 = "0.10"
 hmac = "0.12"
 crc32fast = "1.4"
 crc32c = "0.6"
 zeroize = { version = "1.8", features = ["derive"] }
 # Network
 socket2 = { version = "0.5", features = ["all"] }
 nix = { version = "0.28", default-features = false, features = ["net"] }
 # Serialization
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
 toml = "0.8"
 x509-parser = "0.15"
 # Utils
 bytes = "1.9"
@@ -37,7 +40,7 @@ tracing = "0.1"
 tracing-subscriber = { version = "0.3", features = ["env-filter"] }
 parking_lot = "0.12"
 dashmap = "5.5"
-lru = "0.12"
+lru = "0.16"
 rand = "0.9"
 chrono = { version = "0.4", features = ["serde"] }
 hex = "0.4"
@@ -45,9 +48,21 @@ base64 = "0.22"
 url = "2.5"
 regex = "1.11"
 crossbeam-queue = "0.3"
 num-bigint = "0.4"
 num-traits = "0.2"
 anyhow = "1.0"
 # HTTP
 reqwest = { version = "0.12", features = ["rustls-tls"], default-features = false }
 notify = { version = "6", features = ["macos_fsevent"] }
 ipnetwork = "0.20"
 hyper = { version = "1", features = ["server", "http1"] }
 hyper-util = { version = "0.1", features = ["tokio", "server-auto"] }
 http-body-util = "0.1"
 httpdate = "1.0"
 tokio-rustls = { version = "0.26", default-features = false, features = ["tls12"] }
 rustls = { version = "0.23", default-features = false, features = ["std", "tls12", "ring"] }
 webpki-roots = "0.26"
 [dev-dependencies]
 tokio-test = "0.4"
@@ -57,4 +72,4 @@ futures = "0.3"
 [[bench]]
 name = "crypto_bench"
-harness = false
+harness = false
--- a/43
+++ b/43
@@ -0,0 +1,43 @@
 # ==========================
 # Stage 1: Build
 # ==========================
 FROM rust:1.88-slim-bookworm AS builder
 RUN apt-get update && apt-get install -y --no-install-recommends \
    pkg-config \
    && rm -rf /var/lib/apt/lists/*
 WORKDIR /build
 COPY Cargo.toml Cargo.lock* ./
 RUN mkdir src && echo 'fn main() {}' > src/main.rs && \
    cargo build --release 2>/dev/null || true && \
    rm -rf src
 COPY . .
 RUN cargo build --release && strip target/release/telemt
 # ==========================
 # Stage 2: Runtime
 # ==========================
 FROM debian:bookworm-slim
 RUN apt-get update && apt-get install -y --no-install-recommends \
    ca-certificates \
    && rm -rf /var/lib/apt/lists/*
 RUN useradd -r -s /usr/sbin/nologin telemt
 WORKDIR /app
 COPY --from=builder /build/target/release/telemt /app/telemt
 COPY config.toml /app/config.toml
 RUN chown -R telemt:telemt /app
 USER telemt
 EXPOSE 443
 EXPOSE 9090
 ENTRYPOINT ["/app/telemt"]
 CMD ["config.toml"]
--- a/LICENSING.md
+++ b/LICENSING.md
@@ -0,0 +1,17 @@
 # LICENSING
 ## Licenses for Versions
 | Version | License       |
 |---------|---------------|
 | 1.0     | NO LICNESE    |
 | 1.1     | NO LICENSE    |
 | 1.2     | NO LICENSE    |
 | 2.0     | NO LICENSE    |
 | 3.0     | TELEMT UL 1   |
 ### License Types
 - **NO LICENSE** = ***ALL RIGHT RESERVED***
 - **TELEMT UL1** - work in progress license for source code of `telemt`, which encourages:
  - fair use, 
  - contributions, 
  - distribution, 
  - but prohibits NOT mentioning the authors
--- a/README.md
+++ b/README.md
@@ -2,29 +2,95 @@
 **Telemt** is a fast, secure, and feature-rich server written in Rust: it fully implements the official Telegram proxy algo and adds many production-ready improvements such as connection pooling, replay protection, detailed statistics, masking from "prying" eyes
-## Emergency
+## NEWS and EMERGENCY
-**Важное сообщение для пользователей из России**
+### ✈️ Telemt 3 is released!
 <table>
 <tr>
 <td width="50%" valign="top">
-Мы работаем над проектом с Нового года и сейчас готовим новый релиз - 1.2
+### 🇷🇺 RU
-В нём имплементируется поддержка Middle Proxy Protocol - основного терминатора для Ad Tag:
+#### Драфтинг LTS и текущие улучшения
 работа над ним идёт с 6 ферваля, а уже 10 февраля произошли "громкие события"...
-Если у вас есть компетенции в асинхронных сетевых приложениях - мы открыты к предложениям и pull requests
+С 21 февраля мы начали подготовку LTS-версии.
-**Important message for users from Russia**
+Мы внимательно анализируем весь доступный фидбек.  
 Наша цель — сделать LTS-кандидаты максимально стабильными, тщательно отлаженными и готовыми к long-run и highload production-сценариям.
-We've been working on the project since December 30 and are currently preparing a new release – 1.2
+---
-It implements support for the Middle Proxy Protocol – the primary point for the Ad Tag:
+#### Улучшения от 23 февраля
 development on it started on February 6th, and by February 10th, "big activity" in Russia had already "taken place"...
-If you have expertise in asynchronous network applications – we are open to ideas and pull requests!
+23 февраля были внесены улучшения производительности в режимах **DC** и **Middle-End (ME)**, с акцентом на обратный канал (путь клиент → DC / ME).
 Дополнительно реализован ряд изменений, направленных на повышение устойчивости системы:
 - Смягчение сетевой нестабильности  
 - Повышение устойчивости к десинхронизации криптографии  
 - Снижение дрейфа сессий при неблагоприятных условиях  
 - Улучшение обработки ошибок в edge-case транспортных сценариях  
 Релиз:  
 [3.0.12](https://github.com/telemt/telemt/releases/tag/3.0.12)
 ---
 Если у вас есть компетенции в:
 - Асинхронных сетевых приложениях  
 - Анализе трафика  
 - Реверс-инжиниринге  
 - Сетевых расследованиях  
 Мы открыты к архитектурным предложениям, идеям и pull requests
 </td>
 <td width="50%" valign="top">
 ### 🇬🇧 EN
 #### LTS Drafting and Ongoing Improvements
 Starting February 21, we began drafting the upcoming LTS version.
 We are carefully reviewing and analyzing all available feedback.  
 The goal is to ensure that LTS candidates are максимально stable, thoroughly debugged, and ready for long-run and high-load production scenarios.
 ---
 #### February 23 Improvements
 On February 23, we introduced performance improvements for both **DC** and **Middle-End (ME)** modes, specifically optimizing the reverse channel (client → DC / ME data path).
 Additionally, we implemented a set of robustness enhancements designed to:
 - Mitigate network-related instability
 - Improve resilience against cryptographic desynchronization
 - Reduce session drift under adverse conditions
 - Improve error handling in edge-case transport scenarios
 Release:  
 [3.0.12](https://github.com/telemt/telemt/releases/tag/3.0.12)
 ---
 If you have expertise in:
 - Asynchronous network applications  
 - Traffic analysis  
 - Reverse engineering  
 - Network forensics  
 We welcome ideas, architectural feedback, and pull requests.
 </td>
 </tr>
 </table>
 # Features
-💥 The configuration structure has changed since version 1.1.0.0, change it in your environment!
+💥 The configuration structure has changed since version 1.1.0.0. change it in your environment!
-⚓ Our implementation of **TLS-fronting** is one of the most deeply debugged, focused, advanced and *almost* **"behaviorally consistent to real"**:  we are confident we have it right - [see evidence on our validation and traces](#recognizability-for-dpi-and-crawler) 
+⚓ Our implementation of **TLS-fronting** is one of the most deeply debugged, focused, advanced and *almost* **"behaviorally consistent to real"**:  we are confident we have it right - [see evidence on our validation and traces](#recognizability-for-dpi-and-crawler)
 ⚓ Our ***Middle-End Pool*** is fastest by design in standard scenarios, compared to other implementations of connecting to the Middle-End Proxy: non dramatically, but usual
 # GOTO
 - [Features](#features)
@@ -44,7 +110,9 @@ If you have expertise in asynchronous network applications – we are open to id
  - [Telegram Calls](#telegram-calls-via-mtproxy)
  - [DPI](#how-does-dpi-see-mtproxy-tls)
  - [Whitelist on Network Level](#whitelist-on-ip)
  - [Too many open files](#too-many-open-files)
 - [Build](#build)
 - [Docker](#docker)
 - [Why Rust?](#why-rust)
 ## Features
@@ -63,7 +131,7 @@ If you have expertise in asynchronous network applications – we are open to id
 **This software is designed for Debian-based OS: in addition to Debian, these are Ubuntu, Mint, Kali, MX and many other Linux**
 1. Download release
 ```bash
-wget https://github.com/telemt/telemt/releases/latest/download/telemt
+wget -qO- "https://github.com/telemt/telemt/releases/latest/download/telemt-$(uname -m)-linux-$(ldd --version 2>&1 | grep -iq musl && echo musl || echo gnu).tar.gz" | tar -xz
 ```
 2. Move to Bin Folder
 ```bash
@@ -128,6 +196,7 @@ Type=simple
 WorkingDirectory=/bin
 ExecStart=/bin/telemt /etc/telemt.toml
 Restart=on-failure
 LimitNOFILE=65536
 [Install]
 WantedBy=multi-user.target
@@ -143,85 +212,23 @@ then Ctrl+X -> Y -> Enter to save
 ## Configuration
 ### Minimal Configuration for First Start
 ```toml
 # === UI ===
 # Users to show in the startup log (tg:// links)
 show_link = ["hello"]
 # === General Settings ===
 [general]
-prefer_ipv6 = false
+# ad_tag = "00000000000000000000000000000000"
 fast_mode = true
 use_middle_proxy = false
 # ad_tag = "..."
 [general.modes]
 classic = false
 secure = false
 tls = true
 # === Server Binding ===
 [server]
 port = 443
 listen_addr_ipv4 = "0.0.0.0"
 listen_addr_ipv6 = "::"
 # metrics_port = 9090
 # metrics_whitelist = ["127.0.0.1", "::1"]
 # Listen on multiple interfaces/IPs (overrides listen_addr_*)
 [[server.listeners]]
 ip = "0.0.0.0"
 # announce_ip = "1.2.3.4" # Optional: Public IP for tg:// links
 [[server.listeners]]
 ip = "::"
 # === Timeouts (in seconds) ===
 [timeouts]
 client_handshake = 15
 tg_connect = 10
 client_keepalive = 60
 client_ack = 300
 # === Anti-Censorship & Masking ===
 [censorship]
 tls_domain = "petrovich.ru"
 mask = true
 mask_port = 443
 # mask_host = "petrovich.ru" # Defaults to tls_domain if not set
 # mask_unix_sock = "/var/run/nginx.sock" # Unix socket (mutually exclusive with mask_host)
 fake_cert_len = 2048
 # === Access Control & Users ===
 # username "hello" is used for example
 [access]
 replay_check_len = 65536
 ignore_time_skew = false
 [access.users]
 # format: "username" = "32_hex_chars_secret"
 hello = "00000000000000000000000000000000"
 # [access.user_max_tcp_conns]
 # hello = 50
 # [access.user_data_quota]
 # hello = 1073741824 # 1 GB
 # === Upstreams & Routing ===
 # By default, direct connection is used, but you can add SOCKS proxy
 # Direct - Default
 [[upstreams]]
 type = "direct"
 enabled = true
 weight = 10
 # SOCKS5
 # [[upstreams]]
 # type = "socks5"
 # address = "127.0.0.1:9050"
 # enabled = false
 # weight = 1
 ```
 ### Advanced
 #### Adtag
@@ -377,6 +384,23 @@ Keep-Alive: timeout=60
  - in China behind the Great Firewall
  - in Russia on mobile networks, less in wired networks
  - in Iran during "activity"
 ### Too many open files
 - On a fresh Linux install the default open file limit is low; under load `telemt` may fail with `Accept error: Too many open files`
 - **Systemd**: add `LimitNOFILE=65536` to the `[Service]` section (already included in the example above)
 - **Docker**: add `--ulimit nofile=65536:65536` to your `docker run` command, or in `docker-compose.yml`:
 ```yaml
 ulimits:
  nofile:
    soft: 65536
    hard: 65536
 ```
 - **System-wide** (optional): add to `/etc/security/limits.conf`:
 ```
 *       soft    nofile  1048576
 *       hard    nofile  1048576
 root    soft    nofile  1048576
 root    hard    nofile  1048576
 ```
 ## Build
@@ -395,9 +419,44 @@ chmod +x /bin/telemt
 telemt config.toml
 ```
 ## Docker
 **Quick start (Docker Compose)**
 1. Edit `config.toml` in repo root (at least: port, users secrets, tls_domain)
 2. Start container:
 ```bash
 docker compose up -d --build
 ```
 3. Check logs:
 ```bash
 docker compose logs -f telemt
 ```
 4. Stop:
 ```bash
 docker compose down
 ```
 **Notes**
 - `docker-compose.yml` maps `./config.toml` to `/app/config.toml` (read-only)
 - By default it publishes `443:443` and runs with dropped capabilities (only `NET_BIND_SERVICE` is added)
 - If you really need host networking (usually only for some IPv6 setups) uncomment `network_mode: host`
 **Run without Compose**
 ```bash
 docker build -t telemt:local .
 docker run --name telemt --restart unless-stopped \
  -p 443:443 \
  -e RUST_LOG=info \
  -v "$PWD/config.toml:/app/config.toml:ro" \
  --read-only \
  --cap-drop ALL --cap-add NET_BIND_SERVICE \
  --ulimit nofile=65536:65536 \
  telemt:local
 ```
 ## Why Rust?
 - Long-running reliability and idempotent behavior
- Rust’s deterministic resource management - RAII 
+- Rust's deterministic resource management - RAII 
 - No garbage collector
 - Memory safety and reduced attack surface
 - Tokio's asynchronous architecture
--- a/ROADMAP.md
+++ b/ROADMAP.md
@@ -0,0 +1,34 @@
 ### 3.0.0 Anschluss
 - **Middle Proxy now is stable**, confirmed on canary-deploy over ~20 users
 - Ad-tag now is working
 - DC=203/CDN now is working over ME
 - `getProxyConfig` and `ProxySecret` are automated
 - Version order is now in format `3.0.0` - without Windows-style "microfixes"
 ### 3.0.1 Kabelsammler
 - Handshake timeouts fixed
 - Connectivity logging refactored
 - Docker: tmpfs for ProxyConfig and ProxySecret
 - Public Host and Port in config
 - ME Relays Head-of-Line Blocking fixed
 - ME Ping
 ### 3.0.2 Microtrencher
 - New [network] section
 - ME Fixes
 - Small bugs coverage
 ### 3.0.3 Ausrutscher
 - ME as stateful, no conn-id migration
 - No `flush()` on datapath after RpcWriter
 - Hightech parser for IPv6 without regexp
 - `nat_probe = true` by default
 - Timeout for `recv()` in STUN-client
 - ConnRegistry review
 - Dualstack emergency reconnect
 ### 3.0.4 Schneeflecken
 - Only WARN and Links in Normal log
 - Consistent IP-family detection
 - Includes for config
 - `nonce_frame_hex` in log only with `DEBUG`
--- a/config.toml
+++ b/config.toml
@@ -1,55 +1,124 @@
 # === UI ===
 # Users to show in the startup log (tg:// links)
 show_link = ["hello"]
 # === General Settings ===
 [general]
 prefer_ipv6 = false
 fast_mode = true
 use_middle_proxy = true
-ad_tag = "00000000000000000000000000000000"
+# ad_tag = "00000000000000000000000000000000"
 # Path to proxy-secret binary (auto-downloaded if missing).
 proxy_secret_path = "proxy-secret"
 # disable_colors = false  # Disable colored output in logs (useful for files/systemd)
 # === Log Level ===
 # Log level: debug | verbose | normal | silent
 # Can be overridden with --silent or --log-level CLI flags
 # RUST_LOG env var takes absolute priority over all of these
 log_level = "normal"
 # === Middle Proxy - ME ===
 # Public IP override for ME KDF when behind NAT; leave unset to auto-detect.
 # middle_proxy_nat_ip = "203.0.113.10"
 # Enable STUN probing to discover public IP:port for ME.
 middle_proxy_nat_probe = true
 # Primary STUN server (host:port); defaults to Telegram STUN when empty.
 middle_proxy_nat_stun = "stun.l.google.com:19302"
 # Optional fallback STUN servers list.
 middle_proxy_nat_stun_servers = ["stun1.l.google.com:19302", "stun2.l.google.com:19302"]
 # Desired number of concurrent ME writers in pool.
 middle_proxy_pool_size = 8
 # Pre-initialized warm-standby ME connections kept idle.
 middle_proxy_warm_standby = 8
 # Ignore STUN/interface mismatch and keep ME enabled even if IP differs.
 stun_iface_mismatch_ignore = false
 # Keepalive padding frames - fl==4
 me_keepalive_enabled = true
 me_keepalive_interval_secs = 25           # Period between keepalives
 me_keepalive_jitter_secs = 5              # Jitter added to interval
 me_keepalive_payload_random = true        # Randomize 4-byte payload (vs zeros)
 # Stagger extra ME connections on warmup to de-phase lifecycles.
 me_warmup_stagger_enabled = true
 me_warmup_step_delay_ms = 500             # Base delay between extra connects
 me_warmup_step_jitter_ms = 300            # Jitter for warmup delay
 # Reconnect policy knobs.
 me_reconnect_max_concurrent_per_dc = 4    # Parallel reconnects per DC - EXPERIMENTAL! UNSTABLE!
 me_reconnect_backoff_base_ms = 500        # Backoff start
 me_reconnect_backoff_cap_ms = 30000       # Backoff cap
 me_reconnect_fast_retry_count = 11        # Quick retries before backoff
 update_every = 7200                       # Resolve the active updater interval for ME infrastructure refresh tasks.
 crypto_pending_buffer = 262144            # Max pending ciphertext buffer per client writer (bytes). Controls FakeTLS backpressure vs throughput.
 max_client_frame = 16777216               # Maximum allowed client MTProto frame size (bytes).
 desync_all_full = false                   # Emit full crypto-desync forensic logs for every event. When false, full forensic details are emitted once per key window.
 auto_degradation_enabled = true           # Enable auto-degradation from ME to Direct-DC.
 degradation_min_unavailable_dc_groups = 2 # Minimum unavailable ME DC groups before degrading.
 hardswap = true                           # Enable C-like hard-swap for ME pool generations. When true, Telemt prewarms a new generation and switches once full coverage is reached.
 me_pool_drain_ttl_secs = 90               # Drain-TTL in seconds for stale ME writers after endpoint map changes. During TTL, stale writers may be used only as fallback for new bindings.
 me_pool_min_fresh_ratio = 0.8             # Minimum desired-DC coverage ratio required before draining stale writers. Range: 0.0..=1.0.
 me_reinit_drain_timeout_secs = 120        # Drain timeout in seconds for stale ME writers after endpoint map changes. Set to 0 to keep stale writers draining indefinitely (no force-close).
 me_config_stable_snapshots = 2            # Number of identical getProxyConfig snapshots required before applying ME map updates.
 me_config_apply_cooldown_secs = 300       # Cooldown in seconds between applied ME map updates.
 proxy_secret_rotate_runtime = true        # Enable runtime proxy-secret rotation from getProxySecret.
 proxy_secret_stable_snapshots = 2         # Number of identical getProxySecret snapshots required before runtime secret rotation.
 proxy_secret_len_max = 256                # Maximum allowed proxy-secret length in bytes for startup and runtime refresh.
 [general.modes]
 classic = false
 secure = false
 tls = true
 [general.links]
 show = "*"
 # show = ["alice", "bob"] # Only show links for alice and bob
 # show = "*"              # Show links for all users
 # public_host = "proxy.example.com"  # Host (IP or domain) for tg:// links
 # public_port = 443                  # Port for tg:// links (default: server.port)
 # === Network Parameters ===
 [network]
 # Enable/disable families: true/false/auto(None)
 ipv4 = true
 ipv6 = false # UNSTABLE WITH ME
 # prefer = 4 or 6
 prefer = 4
 multipath = false # EXPERIMENTAL!
 # === Server Binding ===
 [server]
 port = 443
 listen_addr_ipv4 = "0.0.0.0"
 listen_addr_ipv6 = "::"
 # listen_unix_sock = "/var/run/telemt.sock" # Unix socket
 # listen_unix_sock_perm = "0666" # Socket file permissions
 # proxy_protocol = false           # Enable if behind HAProxy/nginx with PROXY protocol
 # metrics_port = 9090
 # metrics_whitelist = ["127.0.0.1", "::1"]
-# Listen on multiple interfaces/IPs (overrides listen_addr_*)
+# Listen on multiple interfaces/IPs - IPv4
 [[server.listeners]]
 ip = "0.0.0.0"
 # announce_ip = "1.2.3.4" # Optional: Public IP for tg:// links
 # Listen on multiple interfaces/IPs - IPv6
 [[server.listeners]]
 ip = "::"
 # === Timeouts (in seconds) ===
 [timeouts]
-client_handshake = 15
+client_handshake = 30
 tg_connect = 10
 client_keepalive = 60
 client_ack = 300
 # Quick ME reconnects for single-address DCs (count and per-attempt timeout, ms).
 me_one_retry = 12
 me_one_timeout_ms = 1200
 # === Anti-Censorship & Masking ===
 [censorship]
 tls_domain = "petrovich.ru"
 # tls_domains = ["example.com", "cdn.example.net"] # Additional domains for EE links
 mask = true
 mask_port = 443
 # mask_host = "petrovich.ru" # Defaults to tls_domain if not set
 # mask_unix_sock = "/var/run/nginx.sock" # Unix socket (mutually exclusive with mask_host)
 fake_cert_len = 2048
 # tls_emulation = false        # Fetch real cert lengths and emulate TLS records
 # tls_front_dir = "tlsfront"   # Cache directory for TLS emulation
 # === Access Control & Users ===
 [access]
@@ -64,17 +133,30 @@ hello = "00000000000000000000000000000000"
 # [access.user_max_tcp_conns]
 # hello = 50
 # [access.user_max_unique_ips]
 # hello = 5
 # [access.user_data_quota]
 # hello = 1073741824 # 1 GB
 # [access.user_expirations]
 # format: username = "[year]-[month]-[day]T[hour]:[minute]:[second]Z" UTC
 # hello = "2027-01-01T00:00:00Z"
 # === Upstreams & Routing ===
 [[upstreams]]
 type = "direct"
 enabled = true
 weight = 10
 # interface = "192.168.1.100"           # Bind outgoing to specific IP or iface name
 # bind_addresses = ["192.168.1.100"]    # List for round-robin binding (family must match target)
 # [[upstreams]]
 # type = "socks5"
 # address = "127.0.0.1:1080"
 # enabled = false
-# weight = 1
+# weight = 1
 # === DC Address Overrides ===
 # [dc_overrides]
 # "203" = "91.105.192.100:443"
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -0,0 +1,29 @@
 services:
  telemt:
    build: .
    container_name: telemt
    restart: unless-stopped
    ports:
      - "443:443"
      - "9090:9090"
    # Allow caching 'proxy-secret' in read-only container
    working_dir: /run/telemt
    volumes:
      - ./config.toml:/run/telemt/config.toml:ro
    tmpfs:
      - /run/telemt:rw,mode=1777,size=1m
    environment:
      - RUST_LOG=info
    # Uncomment this line if you want to use host network for IPv6, but bridge is default and usually better
    # network_mode: host
    cap_drop:
      - ALL
    cap_add:
      - NET_BIND_SERVICE   # allow binding to port 443
    read_only: true
    security_opt:
      - no-new-privileges:true
    ulimits:
      nofile:
        soft: 65536
        hard: 65536
--- a/src/cli.rs
+++ b/src/cli.rs
@@ -189,10 +189,23 @@ r#"# Telemt MTProxy — auto-generated config
 show_link = ["{username}"]
 [general]
 # prefer_ipv6 is deprecated; use [network].prefer
 prefer_ipv6 = false
 fast_mode = true
 use_middle_proxy = false
 log_level = "normal"
 desync_all_full = false
 update_every = 43200
 hardswap = false
 me_pool_drain_ttl_secs = 90
 me_pool_min_fresh_ratio = 0.8
 me_reinit_drain_timeout_secs = 120
 [network]
 ipv4 = true
 ipv6 = true
 prefer = 4
 multipath = false
 [general.modes]
 classic = false
@@ -206,6 +219,7 @@ listen_addr_ipv6 = "::"
 [[server.listeners]]
 ip = "0.0.0.0"
 # reuse_allow = false # Set true only when intentionally running multiple telemt instances on same port
 [[server.listeners]]
 ip = "::"
@@ -221,6 +235,7 @@ tls_domain = "{domain}"
 mask = true
 mask_port = 443
 fake_cert_len = 2048
 tls_full_cert_ttl_secs = 90
 [access]
 replay_check_len = 65536
@@ -297,4 +312,4 @@ fn print_links(username: &str, secret: &str, port: u16, domain: &str) {
    println!("The proxy will auto-detect and display the correct link on startup.");
    println!("Check: journalctl -u telemt.service | head -30");
    println!("===================");
-}
+}
--- a/src/config/defaults.rs
+++ b/src/config/defaults.rs
@@ -0,0 +1,285 @@
 use std::collections::HashMap;
 use ipnetwork::IpNetwork;
 use serde::Deserialize;
 // Helper defaults kept private to the config module.
 pub(crate) fn default_true() -> bool {
    true
 }
 pub(crate) fn default_port() -> u16 {
    443
 }
 pub(crate) fn default_tls_domain() -> String {
    "www.google.com".to_string()
 }
 pub(crate) fn default_mask_port() -> u16 {
    443
 }
 pub(crate) fn default_fake_cert_len() -> usize {
    2048
 }
 pub(crate) fn default_tls_front_dir() -> String {
    "tlsfront".to_string()
 }
 pub(crate) fn default_replay_check_len() -> usize {
    65_536
 }
 pub(crate) fn default_replay_window_secs() -> u64 {
    1800
 }
 pub(crate) fn default_handshake_timeout() -> u64 {
    15
 }
 pub(crate) fn default_connect_timeout() -> u64 {
    10
 }
 pub(crate) fn default_keepalive() -> u64 {
    60
 }
 pub(crate) fn default_ack_timeout() -> u64 {
    300
 }
 pub(crate) fn default_me_one_retry() -> u8 {
    3
 }
 pub(crate) fn default_me_one_timeout() -> u64 {
    1500
 }
 pub(crate) fn default_listen_addr() -> String {
    "0.0.0.0".to_string()
 }
 pub(crate) fn default_weight() -> u16 {
    1
 }
 pub(crate) fn default_metrics_whitelist() -> Vec<IpNetwork> {
    vec![
        "127.0.0.1/32".parse().unwrap(),
        "::1/128".parse().unwrap(),
    ]
 }
 pub(crate) fn default_prefer_4() -> u8 {
    4
 }
 pub(crate) fn default_unknown_dc_log_path() -> Option<String> {
    Some("unknown-dc.txt".to_string())
 }
 pub(crate) fn default_pool_size() -> usize {
    8
 }
 pub(crate) fn default_keepalive_interval() -> u64 {
    25
 }
 pub(crate) fn default_keepalive_jitter() -> u64 {
    5
 }
 pub(crate) fn default_warmup_step_delay_ms() -> u64 {
    500
 }
 pub(crate) fn default_warmup_step_jitter_ms() -> u64 {
    300
 }
 pub(crate) fn default_reconnect_backoff_base_ms() -> u64 {
    500
 }
 pub(crate) fn default_reconnect_backoff_cap_ms() -> u64 {
    30_000
 }
 pub(crate) fn default_crypto_pending_buffer() -> usize {
    256 * 1024
 }
 pub(crate) fn default_max_client_frame() -> usize {
    16 * 1024 * 1024
 }
 pub(crate) fn default_desync_all_full() -> bool {
    false
 }
 pub(crate) fn default_tls_new_session_tickets() -> u8 {
    0
 }
 pub(crate) fn default_tls_full_cert_ttl_secs() -> u64 {
    90
 }
 pub(crate) fn default_server_hello_delay_min_ms() -> u64 {
    0
 }
 pub(crate) fn default_server_hello_delay_max_ms() -> u64 {
    0
 }
 pub(crate) fn default_alpn_enforce() -> bool {
    true
 }
 pub(crate) fn default_stun_servers() -> Vec<String> {
    vec![
        "stun.l.google.com:5349".to_string(),
        "stun1.l.google.com:3478".to_string(),
        "stun.gmx.net:3478".to_string(),
        "stun.l.google.com:19302".to_string(),
        "stun.1und1.de:3478".to_string(),
        "stun1.l.google.com:19302".to_string(),
        "stun2.l.google.com:19302".to_string(),
        "stun3.l.google.com:19302".to_string(),
        "stun4.l.google.com:19302".to_string(),
        "stun.services.mozilla.com:3478".to_string(),
        "stun.stunprotocol.org:3478".to_string(),
        "stun.nextcloud.com:3478".to_string(),
        "stun.voip.eutelia.it:3478".to_string(),
    ]
 }
 pub(crate) fn default_http_ip_detect_urls() -> Vec<String> {
    vec![
        "https://ifconfig.me/ip".to_string(),
        "https://api.ipify.org".to_string(),
    ]
 }
 pub(crate) fn default_cache_public_ip_path() -> String {
    "cache/public_ip.txt".to_string()
 }
 pub(crate) fn default_proxy_secret_reload_secs() -> u64 {
    60 * 60
 }
 pub(crate) fn default_proxy_config_reload_secs() -> u64 {
    60 * 60
 }
 pub(crate) fn default_update_every_secs() -> u64 {
    30 * 60
 }
 pub(crate) fn default_me_reinit_every_secs() -> u64 {
    15 * 60
 }
 pub(crate) fn default_me_hardswap_warmup_delay_min_ms() -> u64 {
    1000
 }
 pub(crate) fn default_me_hardswap_warmup_delay_max_ms() -> u64 {
    2000
 }
 pub(crate) fn default_me_hardswap_warmup_extra_passes() -> u8 {
    3
 }
 pub(crate) fn default_me_hardswap_warmup_pass_backoff_base_ms() -> u64 {
    500
 }
 pub(crate) fn default_me_config_stable_snapshots() -> u8 {
    2
 }
 pub(crate) fn default_me_config_apply_cooldown_secs() -> u64 {
    300
 }
 pub(crate) fn default_proxy_secret_stable_snapshots() -> u8 {
    2
 }
 pub(crate) fn default_proxy_secret_rotate_runtime() -> bool {
    true
 }
 pub(crate) fn default_proxy_secret_len_max() -> usize {
    256
 }
 pub(crate) fn default_me_reinit_drain_timeout_secs() -> u64 {
    120
 }
 pub(crate) fn default_me_pool_drain_ttl_secs() -> u64 {
    90
 }
 pub(crate) fn default_me_pool_min_fresh_ratio() -> f32 {
    0.8
 }
 pub(crate) fn default_hardswap() -> bool {
    true
 }
 pub(crate) fn default_ntp_check() -> bool {
    true
 }
 pub(crate) fn default_ntp_servers() -> Vec<String> {
    vec!["pool.ntp.org".to_string()]
 }
 pub(crate) fn default_fast_mode_min_tls_record() -> usize {
    0
 }
 pub(crate) fn default_degradation_min_unavailable_dc_groups() -> u8 {
    2
 }
 // Custom deserializer helpers
 #[derive(Deserialize)]
 #[serde(untagged)]
 pub(crate) enum OneOrMany {
    One(String),
    Many(Vec<String>),
 }
 pub(crate) fn deserialize_dc_overrides<'de, D>(
    deserializer: D,
 ) -> std::result::Result<HashMap<String, Vec<String>>, D::Error>
 where
    D: serde::de::Deserializer<'de>,
 {
    let raw: HashMap<String, OneOrMany> = HashMap::deserialize(deserializer)?;
    let mut out = HashMap::new();
    for (dc, val) in raw {
        let mut addrs = match val {
            OneOrMany::One(s) => vec![s],
            OneOrMany::Many(v) => v,
        };
        addrs.retain(|s| !s.trim().is_empty());
        if !addrs.is_empty() {
            out.insert(dc, addrs);
        }
    }
    Ok(out)
 }
--- a/src/config/hot_reload.rs
+++ b/src/config/hot_reload.rs
@@ -0,0 +1,481 @@
 //! Hot-reload: watches the config file via inotify (Linux) / FSEvents (macOS)
 //! / ReadDirectoryChangesW (Windows) using the `notify` crate.
 //! SIGHUP is also supported on Unix as an additional manual trigger.
 //!
 //! # What can be reloaded without restart
 //!
 //! | Section   | Field                         | Effect                            |
 //! |-----------|-------------------------------|-----------------------------------|
 //! | `general` | `log_level`                   | Filter updated via `log_level_tx` |
 //! | `general` | `ad_tag`                      | Passed on next connection         |
 //! | `general` | `middle_proxy_pool_size`      | Passed on next connection         |
 //! | `general` | `me_keepalive_*`              | Passed on next connection         |
 //! | `general` | `desync_all_full`             | Applied immediately               |
 //! | `general` | `update_every`                | Applied to ME updater immediately |
 //! | `general` | `hardswap`                    | Applied on next ME map update     |
 //! | `general` | `me_pool_drain_ttl_secs`      | Applied on next ME map update     |
 //! | `general` | `me_pool_min_fresh_ratio`     | Applied on next ME map update     |
 //! | `general` | `me_reinit_drain_timeout_secs`| Applied on next ME map update     |
 //! | `access`  | All user/quota fields         | Effective immediately             |
 //!
 //! Fields that require re-binding sockets (`server.port`, `censorship.*`,
 //! `network.*`, `use_middle_proxy`) are **not** applied; a warning is emitted.
 use std::net::IpAddr;
 use std::path::PathBuf;
 use std::sync::Arc;
 use notify::{EventKind, RecursiveMode, Watcher, recommended_watcher};
 use tokio::sync::{mpsc, watch};
 use tracing::{error, info, warn};
 use crate::config::LogLevel;
 use super::load::ProxyConfig;
 // ── Hot fields ────────────────────────────────────────────────────────────────
 /// Fields that are safe to swap without restarting listeners.
 #[derive(Debug, Clone, PartialEq)]
 pub struct HotFields {
    pub log_level:               LogLevel,
    pub ad_tag:                  Option<String>,
    pub middle_proxy_pool_size:  usize,
    pub desync_all_full:         bool,
    pub update_every_secs:       u64,
    pub hardswap:                bool,
    pub me_pool_drain_ttl_secs:  u64,
    pub me_pool_min_fresh_ratio: f32,
    pub me_reinit_drain_timeout_secs: u64,
    pub me_keepalive_enabled:    bool,
    pub me_keepalive_interval_secs: u64,
    pub me_keepalive_jitter_secs:   u64,
    pub me_keepalive_payload_random: bool,
    pub access:                  crate::config::AccessConfig,
 }
 impl HotFields {
    pub fn from_config(cfg: &ProxyConfig) -> Self {
        Self {
            log_level:               cfg.general.log_level.clone(),
            ad_tag:                  cfg.general.ad_tag.clone(),
            middle_proxy_pool_size:  cfg.general.middle_proxy_pool_size,
            desync_all_full:         cfg.general.desync_all_full,
            update_every_secs:       cfg.general.effective_update_every_secs(),
            hardswap:                cfg.general.hardswap,
            me_pool_drain_ttl_secs:  cfg.general.me_pool_drain_ttl_secs,
            me_pool_min_fresh_ratio: cfg.general.me_pool_min_fresh_ratio,
            me_reinit_drain_timeout_secs: cfg.general.me_reinit_drain_timeout_secs,
            me_keepalive_enabled:    cfg.general.me_keepalive_enabled,
            me_keepalive_interval_secs: cfg.general.me_keepalive_interval_secs,
            me_keepalive_jitter_secs:   cfg.general.me_keepalive_jitter_secs,
            me_keepalive_payload_random: cfg.general.me_keepalive_payload_random,
            access:                  cfg.access.clone(),
        }
    }
 }
 // ── Helpers ───────────────────────────────────────────────────────────────────
 /// Warn if any non-hot fields changed (require restart).
 fn warn_non_hot_changes(old: &ProxyConfig, new: &ProxyConfig) {
    if old.server.port != new.server.port {
        warn!(
            "config reload: server.port changed ({} → {}); restart required",
            old.server.port, new.server.port
        );
    }
    if old.censorship.tls_domain != new.censorship.tls_domain {
        warn!(
            "config reload: censorship.tls_domain changed ('{}' → '{}'); restart required",
            old.censorship.tls_domain, new.censorship.tls_domain
        );
    }
    if old.network.ipv4 != new.network.ipv4 || old.network.ipv6 != new.network.ipv6 {
        warn!("config reload: network.ipv4/ipv6 changed; restart required");
    }
    if old.general.use_middle_proxy != new.general.use_middle_proxy {
        warn!("config reload: use_middle_proxy changed; restart required");
    }
 }
 /// Resolve the public host for link generation — mirrors the logic in main.rs.
 ///
 /// Priority:
 /// 1. `[general.links] public_host` — explicit override in config
 /// 2. `detected_ip_v4` — from STUN/interface probe at startup
 /// 3. `detected_ip_v6` — fallback
 /// 4. `"UNKNOWN"` — warn the user to set `public_host`
 fn resolve_link_host(
    cfg: &ProxyConfig,
    detected_ip_v4: Option<IpAddr>,
    detected_ip_v6: Option<IpAddr>,
 ) -> String {
    if let Some(ref h) = cfg.general.links.public_host {
        return h.clone();
    }
    detected_ip_v4
        .or(detected_ip_v6)
        .map(|ip| ip.to_string())
        .unwrap_or_else(|| {
            warn!(
                "config reload: could not determine public IP for proxy links. \
                 Set [general.links] public_host in config."
            );
            "UNKNOWN".to_string()
        })
 }
 /// Print TG proxy links for a single user — mirrors print_proxy_links() in main.rs.
 fn print_user_links(user: &str, secret: &str, host: &str, port: u16, cfg: &ProxyConfig) {
    info!(target: "telemt::links", "--- New user: {} ---", user);
    if cfg.general.modes.classic {
        info!(
            target: "telemt::links",
            "  Classic: tg://proxy?server={}&port={}&secret={}",
            host, port, secret
        );
    }
    if cfg.general.modes.secure {
        info!(
            target: "telemt::links",
            "  DD:      tg://proxy?server={}&port={}&secret=dd{}",
            host, port, secret
        );
    }
    if cfg.general.modes.tls {
        let mut domains = vec![cfg.censorship.tls_domain.clone()];
        for d in &cfg.censorship.tls_domains {
            if !domains.contains(d) {
                domains.push(d.clone());
            }
        }
        for domain in &domains {
            let domain_hex = hex::encode(domain.as_bytes());
            info!(
                target: "telemt::links",
                "  EE-TLS:  tg://proxy?server={}&port={}&secret=ee{}{}",
                host, port, secret, domain_hex
            );
        }
    }
    info!(target: "telemt::links", "--------------------");
 }
 /// Log all detected changes and emit TG links for new users.
 fn log_changes(
    old_hot: &HotFields,
    new_hot: &HotFields,
    new_cfg: &ProxyConfig,
    log_tx: &watch::Sender<LogLevel>,
    detected_ip_v4: Option<IpAddr>,
    detected_ip_v6: Option<IpAddr>,
 ) {
    if old_hot.log_level != new_hot.log_level {
        info!(
            "config reload: log_level: '{}' → '{}'",
            old_hot.log_level, new_hot.log_level
        );
        log_tx.send(new_hot.log_level.clone()).ok();
    }
    if old_hot.ad_tag != new_hot.ad_tag {
        info!(
            "config reload: ad_tag: {} → {}",
            old_hot.ad_tag.as_deref().unwrap_or("none"),
            new_hot.ad_tag.as_deref().unwrap_or("none"),
        );
    }
    if old_hot.middle_proxy_pool_size != new_hot.middle_proxy_pool_size {
        info!(
            "config reload: middle_proxy_pool_size: {} → {}",
            old_hot.middle_proxy_pool_size, new_hot.middle_proxy_pool_size,
        );
    }
    if old_hot.desync_all_full != new_hot.desync_all_full {
        info!(
            "config reload: desync_all_full: {} → {}",
            old_hot.desync_all_full, new_hot.desync_all_full,
        );
    }
    if old_hot.update_every_secs != new_hot.update_every_secs {
        info!(
            "config reload: update_every(effective): {}s → {}s",
            old_hot.update_every_secs, new_hot.update_every_secs,
        );
    }
    if old_hot.hardswap != new_hot.hardswap {
        info!(
            "config reload: hardswap: {} → {}",
            old_hot.hardswap, new_hot.hardswap,
        );
    }
    if old_hot.me_pool_drain_ttl_secs != new_hot.me_pool_drain_ttl_secs {
        info!(
            "config reload: me_pool_drain_ttl_secs: {}s → {}s",
            old_hot.me_pool_drain_ttl_secs, new_hot.me_pool_drain_ttl_secs,
        );
    }
    if (old_hot.me_pool_min_fresh_ratio - new_hot.me_pool_min_fresh_ratio).abs() > f32::EPSILON {
        info!(
            "config reload: me_pool_min_fresh_ratio: {:.3} → {:.3}",
            old_hot.me_pool_min_fresh_ratio, new_hot.me_pool_min_fresh_ratio,
        );
    }
    if old_hot.me_reinit_drain_timeout_secs != new_hot.me_reinit_drain_timeout_secs {
        info!(
            "config reload: me_reinit_drain_timeout_secs: {}s → {}s",
            old_hot.me_reinit_drain_timeout_secs, new_hot.me_reinit_drain_timeout_secs,
        );
    }
    if old_hot.me_keepalive_enabled        != new_hot.me_keepalive_enabled
    || old_hot.me_keepalive_interval_secs  != new_hot.me_keepalive_interval_secs
    || old_hot.me_keepalive_jitter_secs    != new_hot.me_keepalive_jitter_secs
    || old_hot.me_keepalive_payload_random != new_hot.me_keepalive_payload_random
    {
        info!(
            "config reload: me_keepalive: enabled={} interval={}s jitter={}s random_payload={}",
            new_hot.me_keepalive_enabled,
            new_hot.me_keepalive_interval_secs,
            new_hot.me_keepalive_jitter_secs,
            new_hot.me_keepalive_payload_random,
        );
    }
    if old_hot.access.users != new_hot.access.users {
        let mut added: Vec<&String> = new_hot.access.users.keys()
            .filter(|u| !old_hot.access.users.contains_key(*u))
            .collect();
        added.sort();
        let mut removed: Vec<&String> = old_hot.access.users.keys()
            .filter(|u| !new_hot.access.users.contains_key(*u))
            .collect();
        removed.sort();
        let mut changed: Vec<&String> = new_hot.access.users.keys()
            .filter(|u| {
                old_hot.access.users.get(*u)
                    .map(|s| s != &new_hot.access.users[*u])
                    .unwrap_or(false)
            })
            .collect();
        changed.sort();
        if !added.is_empty() {
            info!(
                "config reload: users added: [{}]",
                added.iter().map(|s| s.as_str()).collect::<Vec<_>>().join(", ")
            );
            let host = resolve_link_host(new_cfg, detected_ip_v4, detected_ip_v6);
            let port = new_cfg.general.links.public_port.unwrap_or(new_cfg.server.port);
            for user in &added {
                if let Some(secret) = new_hot.access.users.get(*user) {
                    print_user_links(user, secret, &host, port, new_cfg);
                }
            }
        }
        if !removed.is_empty() {
            info!(
                "config reload: users removed: [{}]",
                removed.iter().map(|s| s.as_str()).collect::<Vec<_>>().join(", ")
            );
        }
        if !changed.is_empty() {
            info!(
                "config reload: users secret changed: [{}]",
                changed.iter().map(|s| s.as_str()).collect::<Vec<_>>().join(", ")
            );
        }
    }
    if old_hot.access.user_max_tcp_conns != new_hot.access.user_max_tcp_conns {
        info!(
            "config reload: user_max_tcp_conns updated ({} entries)",
            new_hot.access.user_max_tcp_conns.len()
        );
    }
    if old_hot.access.user_expirations != new_hot.access.user_expirations {
        info!(
            "config reload: user_expirations updated ({} entries)",
            new_hot.access.user_expirations.len()
        );
    }
    if old_hot.access.user_data_quota != new_hot.access.user_data_quota {
        info!(
            "config reload: user_data_quota updated ({} entries)",
            new_hot.access.user_data_quota.len()
        );
    }
    if old_hot.access.user_max_unique_ips != new_hot.access.user_max_unique_ips {
        info!(
            "config reload: user_max_unique_ips updated ({} entries)",
            new_hot.access.user_max_unique_ips.len()
        );
    }
 }
 /// Load config, validate, diff against current, and broadcast if changed.
 fn reload_config(
    config_path: &PathBuf,
    config_tx: &watch::Sender<Arc<ProxyConfig>>,
    log_tx: &watch::Sender<LogLevel>,
    detected_ip_v4: Option<IpAddr>,
    detected_ip_v6: Option<IpAddr>,
 ) {
    let new_cfg = match ProxyConfig::load(config_path) {
        Ok(c) => c,
        Err(e) => {
            error!("config reload: failed to parse {:?}: {}", config_path, e);
            return;
        }
    };
    if let Err(e) = new_cfg.validate() {
        error!("config reload: validation failed: {}; keeping old config", e);
        return;
    }
    let old_cfg = config_tx.borrow().clone();
    let old_hot = HotFields::from_config(&old_cfg);
    let new_hot = HotFields::from_config(&new_cfg);
    if old_hot == new_hot {
        return;
    }
    warn_non_hot_changes(&old_cfg, &new_cfg);
    log_changes(&old_hot, &new_hot, &new_cfg, log_tx, detected_ip_v4, detected_ip_v6);
    config_tx.send(Arc::new(new_cfg)).ok();
 }
 // ── Public API ────────────────────────────────────────────────────────────────
 /// Spawn the hot-reload watcher task.
 ///
 /// Uses `notify` (inotify on Linux) to detect file changes instantly.
 /// SIGHUP is also handled on Unix as an additional manual trigger.
 ///
 /// `detected_ip_v4` / `detected_ip_v6` are the IPs discovered during the
 /// startup probe — used when generating proxy links for newly added users,
 /// matching the same logic as the startup output.
 pub fn spawn_config_watcher(
    config_path: PathBuf,
    initial: Arc<ProxyConfig>,
    detected_ip_v4: Option<IpAddr>,
    detected_ip_v6: Option<IpAddr>,
 ) -> (watch::Receiver<Arc<ProxyConfig>>, watch::Receiver<LogLevel>) {
    let initial_level = initial.general.log_level.clone();
    let (config_tx, config_rx) = watch::channel(initial);
    let (log_tx, log_rx)       = watch::channel(initial_level);
    // Bridge: sync notify callbacks → async task via mpsc.
    let (notify_tx, mut notify_rx) = mpsc::channel::<()>(4);
    // Canonicalize so path matches what notify returns (absolute) in events.
    let config_path = match config_path.canonicalize() {
        Ok(p) => p,
        Err(_) => config_path.to_path_buf(),
    };
    // Watch the parent directory rather than the file itself, because many
    // editors (vim, nano) and systemd write via rename, which would cause
    // inotify to lose track of the original inode.
    let watch_dir = config_path
        .parent()
        .unwrap_or_else(|| std::path::Path::new("."))
        .to_path_buf();
    // ── inotify watcher (instant on local fs) ────────────────────────────
    let config_file = config_path.clone();
    let tx_inotify  = notify_tx.clone();
    let inotify_ok = match recommended_watcher(move |res: notify::Result<notify::Event>| {
        let Ok(event) = res else { return };
        let is_our_file = event.paths.iter().any(|p| p == &config_file);
        if !is_our_file { return; }
        if matches!(event.kind, EventKind::Modify(_) | EventKind::Create(_) | EventKind::Remove(_)) {
            let _ = tx_inotify.try_send(());
        }
    }) {
        Ok(mut w) => match w.watch(&watch_dir, RecursiveMode::NonRecursive) {
            Ok(()) => {
                info!("config watcher: inotify active on {:?}", config_path);
                Box::leak(Box::new(w));
                true
            }
            Err(e) => { warn!("config watcher: inotify watch failed: {}", e); false }
        },
        Err(e) => { warn!("config watcher: inotify unavailable: {}", e); false }
    };
    // ── poll watcher (always active, fixes Docker bind mounts / NFS) ─────
    // inotify does not receive events for files mounted from the host into
    // a container. PollWatcher compares file contents every 3 s and fires
    // on any change regardless of the underlying fs.
    let config_file2 = config_path.clone();
    let tx_poll      = notify_tx.clone();
    match notify::poll::PollWatcher::new(
        move |res: notify::Result<notify::Event>| {
            let Ok(event) = res else { return };
            let is_our_file = event.paths.iter().any(|p| p == &config_file2);
            if !is_our_file { return; }
            if matches!(event.kind, EventKind::Modify(_) | EventKind::Create(_) | EventKind::Remove(_)) {
                let _ = tx_poll.try_send(());
            }
        },
        notify::Config::default()
            .with_poll_interval(std::time::Duration::from_secs(3))
            .with_compare_contents(true),
    ) {
        Ok(mut w) => match w.watch(&config_path, RecursiveMode::NonRecursive) {
            Ok(()) => {
                if inotify_ok {
                    info!("config watcher: poll watcher also active (Docker/NFS safe)");
                } else {
                    info!("config watcher: poll watcher active on {:?} (3s interval)", config_path);
                }
                Box::leak(Box::new(w));
            }
            Err(e) => warn!("config watcher: poll watch failed: {}", e),
        },
        Err(e) => warn!("config watcher: poll watcher unavailable: {}", e),
    }
    // ── event loop ───────────────────────────────────────────────────────
    tokio::spawn(async move {
        #[cfg(unix)]
        let mut sighup = {
            use tokio::signal::unix::{SignalKind, signal};
            signal(SignalKind::hangup()).expect("Failed to register SIGHUP handler")
        };
        loop {
            #[cfg(unix)]
            tokio::select! {
                msg = notify_rx.recv() => {
                    if msg.is_none() { break; }
                }
                _ = sighup.recv() => {
                    info!("SIGHUP received — reloading {:?}", config_path);
                }
            }
            #[cfg(not(unix))]
            if notify_rx.recv().await.is_none() { break; }
            // Debounce: drain extra events that arrive within 50 ms.
            tokio::time::sleep(std::time::Duration::from_millis(50)).await;
            while notify_rx.try_recv().is_ok() {}
            reload_config(&config_path, &config_tx, &log_tx, detected_ip_v4, detected_ip_v6);
        }
    });
    (config_rx, log_rx)
 }
--- a/src/config/load.rs
+++ b/src/config/load.rs
@@ -0,0 +1,770 @@
 #![allow(deprecated)]
 use std::collections::HashMap;
 use std::net::IpAddr;
 use std::path::Path;
 use rand::Rng;
 use tracing::warn;
 use serde::{Serialize, Deserialize};
 use crate::error::{ProxyError, Result};
 use super::defaults::*;
 use super::types::*;
 fn preprocess_includes(content: &str, base_dir: &Path, depth: u8) -> Result<String> {
    if depth > 10 {
        return Err(ProxyError::Config("Include depth > 10".into()));
    }
    let mut output = String::with_capacity(content.len());
    for line in content.lines() {
        let trimmed = line.trim();
        if let Some(rest) = trimmed.strip_prefix("include") {
            let rest = rest.trim();
            if let Some(rest) = rest.strip_prefix('=') {
                let path_str = rest.trim().trim_matches('"');
                let resolved = base_dir.join(path_str);
                let included = std::fs::read_to_string(&resolved)
                    .map_err(|e| ProxyError::Config(e.to_string()))?;
                let included_dir = resolved.parent().unwrap_or(base_dir);
                output.push_str(&preprocess_includes(&included, included_dir, depth + 1)?);
                output.push('\n');
                continue;
            }
        }
        output.push_str(line);
        output.push('\n');
    }
    Ok(output)
 }
 fn validate_network_cfg(net: &mut NetworkConfig) -> Result<()> {
    if !net.ipv4 && matches!(net.ipv6, Some(false)) {
        return Err(ProxyError::Config(
            "Both ipv4 and ipv6 are disabled in [network]".to_string(),
        ));
    }
    if net.prefer != 4 && net.prefer != 6 {
        return Err(ProxyError::Config(
            "network.prefer must be 4 or 6".to_string(),
        ));
    }
    if !net.ipv4 && net.prefer == 4 {
        warn!("prefer=4 but ipv4=false; forcing prefer=6");
        net.prefer = 6;
    }
    if matches!(net.ipv6, Some(false)) && net.prefer == 6 {
        warn!("prefer=6 but ipv6=false; forcing prefer=4");
        net.prefer = 4;
    }
    Ok(())
 }
 // ============= Main Config =============
 #[derive(Debug, Clone, Serialize, Deserialize, Default)]
 pub struct ProxyConfig {
    #[serde(default)]
    pub general: GeneralConfig,
    #[serde(default)]
    pub network: NetworkConfig,
    #[serde(default)]
    pub server: ServerConfig,
    #[serde(default)]
    pub timeouts: TimeoutsConfig,
    #[serde(default)]
    pub censorship: AntiCensorshipConfig,
    #[serde(default)]
    pub access: AccessConfig,
    #[serde(default)]
    pub upstreams: Vec<UpstreamConfig>,
    #[serde(default)]
    pub show_link: ShowLink,
    /// DC address overrides for non-standard DCs (CDN, media, test, etc.)
    /// Keys are DC indices as strings, values are one or more "ip:port" addresses.
    /// Matches the C implementation's `proxy_for <dc_id> <ip>:<port>` config directive.
    /// Example in config.toml:
    ///   [dc_overrides]
    ///   "203" = ["149.154.175.100:443", "91.105.192.100:443"]
    #[serde(default, deserialize_with = "deserialize_dc_overrides")]
    pub dc_overrides: HashMap<String, Vec<String>>,
    /// Default DC index (1-5) for unmapped non-standard DCs.
    /// Matches the C implementation's `default <dc_id>` config directive.
    /// If not set, defaults to 2 (matching Telegram's official `default 2;` in proxy-multi.conf).
    #[serde(default)]
    pub default_dc: Option<u8>,
 }
 impl ProxyConfig {
    pub fn load<P: AsRef<Path>>(path: P) -> Result<Self> {
        let content =
            std::fs::read_to_string(&path).map_err(|e| ProxyError::Config(e.to_string()))?;
        let base_dir = path.as_ref().parent().unwrap_or(Path::new("."));
        let processed = preprocess_includes(&content, base_dir, 0)?;
        let mut config: ProxyConfig =
            toml::from_str(&processed).map_err(|e| ProxyError::Config(e.to_string()))?;
        if let Some(update_every) = config.general.update_every {
            if update_every == 0 {
                return Err(ProxyError::Config(
                    "general.update_every must be > 0".to_string(),
                ));
            }
        } else {
            let legacy_secret = config.general.proxy_secret_auto_reload_secs;
            let legacy_config = config.general.proxy_config_auto_reload_secs;
            let effective = legacy_secret.min(legacy_config);
            if effective == 0 {
                return Err(ProxyError::Config(
                    "legacy proxy_*_auto_reload_secs values must be > 0 when general.update_every is not set".to_string(),
                ));
            }
            if legacy_secret != default_proxy_secret_reload_secs()
                || legacy_config != default_proxy_config_reload_secs()
            {
                warn!(
                    proxy_secret_auto_reload_secs = legacy_secret,
                    proxy_config_auto_reload_secs = legacy_config,
                    effective_update_every_secs = effective,
                    "proxy_*_auto_reload_secs are deprecated; set general.update_every"
                );
            }
        }
        if config.general.me_reinit_every_secs == 0 {
            return Err(ProxyError::Config(
                "general.me_reinit_every_secs must be > 0".to_string(),
            ));
        }
        if config.general.me_hardswap_warmup_delay_max_ms == 0 {
            return Err(ProxyError::Config(
                "general.me_hardswap_warmup_delay_max_ms must be > 0".to_string(),
            ));
        }
        if config.general.me_hardswap_warmup_delay_min_ms
            > config.general.me_hardswap_warmup_delay_max_ms
        {
            return Err(ProxyError::Config(
                "general.me_hardswap_warmup_delay_min_ms must be <= general.me_hardswap_warmup_delay_max_ms".to_string(),
            ));
        }
        if config.general.me_hardswap_warmup_extra_passes > 10 {
            return Err(ProxyError::Config(
                "general.me_hardswap_warmup_extra_passes must be within [0, 10]".to_string(),
            ));
        }
        if config.general.me_hardswap_warmup_pass_backoff_base_ms == 0 {
            return Err(ProxyError::Config(
                "general.me_hardswap_warmup_pass_backoff_base_ms must be > 0".to_string(),
            ));
        }
        if config.general.me_config_stable_snapshots == 0 {
            return Err(ProxyError::Config(
                "general.me_config_stable_snapshots must be > 0".to_string(),
            ));
        }
        if config.general.proxy_secret_stable_snapshots == 0 {
            return Err(ProxyError::Config(
                "general.proxy_secret_stable_snapshots must be > 0".to_string(),
            ));
        }
        if !(32..=4096).contains(&config.general.proxy_secret_len_max) {
            return Err(ProxyError::Config(
                "general.proxy_secret_len_max must be within [32, 4096]".to_string(),
            ));
        }
        if !(0.0..=1.0).contains(&config.general.me_pool_min_fresh_ratio) {
            return Err(ProxyError::Config(
                "general.me_pool_min_fresh_ratio must be within [0.0, 1.0]".to_string(),
            ));
        }
        if config.general.effective_me_pool_force_close_secs() > 0
            && config.general.effective_me_pool_force_close_secs()
                < config.general.me_pool_drain_ttl_secs
        {
            warn!(
                me_pool_drain_ttl_secs = config.general.me_pool_drain_ttl_secs,
                me_reinit_drain_timeout_secs = config.general.effective_me_pool_force_close_secs(),
                "force-close timeout is lower than drain TTL; bumping force-close timeout to TTL"
            );
            config.general.me_reinit_drain_timeout_secs = config.general.me_pool_drain_ttl_secs;
        }
        // Validate secrets.
        for (user, secret) in &config.access.users {
            if !secret.chars().all(|c| c.is_ascii_hexdigit()) || secret.len() != 32 {
                return Err(ProxyError::InvalidSecret {
                    user: user.clone(),
                    reason: "Must be 32 hex characters".to_string(),
                });
            }
        }
        // Validate tls_domain.
        if config.censorship.tls_domain.is_empty() {
            return Err(ProxyError::Config("tls_domain cannot be empty".to_string()));
        }
        // Validate mask_unix_sock.
        if let Some(ref sock_path) = config.censorship.mask_unix_sock {
            if sock_path.is_empty() {
                return Err(ProxyError::Config(
                    "mask_unix_sock cannot be empty".to_string(),
                ));
            }
            #[cfg(unix)]
            if sock_path.len() > 107 {
                return Err(ProxyError::Config(format!(
                    "mask_unix_sock path too long: {} bytes (max 107)",
                    sock_path.len()
                )));
            }
            #[cfg(not(unix))]
            return Err(ProxyError::Config(
                "mask_unix_sock is only supported on Unix platforms".to_string(),
            ));
            if config.censorship.mask_host.is_some() {
                return Err(ProxyError::Config(
                    "mask_unix_sock and mask_host are mutually exclusive".to_string(),
                ));
            }
        }
        // Default mask_host to tls_domain if not set and no unix socket configured.
        if config.censorship.mask_host.is_none() && config.censorship.mask_unix_sock.is_none() {
            config.censorship.mask_host = Some(config.censorship.tls_domain.clone());
        }
        // Merge primary + extra TLS domains, deduplicate (primary always first).
        if !config.censorship.tls_domains.is_empty() {
            let mut all = Vec::with_capacity(1 + config.censorship.tls_domains.len());
            all.push(config.censorship.tls_domain.clone());
            for d in std::mem::take(&mut config.censorship.tls_domains) {
                if !d.is_empty() && !all.contains(&d) {
                    all.push(d);
                }
            }
            // keep primary as tls_domain; store remaining back to tls_domains
            if all.len() > 1 {
                config.censorship.tls_domains = all[1..].to_vec();
            }
        }
        // Migration: prefer_ipv6 -> network.prefer.
        if config.general.prefer_ipv6 {
            if config.network.prefer == 4 {
                config.network.prefer = 6;
            }
            warn!("prefer_ipv6 is deprecated, use [network].prefer = 6");
        }
        // Auto-enable NAT probe when Middle Proxy is requested.
        if config.general.use_middle_proxy && !config.general.middle_proxy_nat_probe {
            config.general.middle_proxy_nat_probe = true;
            warn!("Auto-enabled middle_proxy_nat_probe for middle proxy mode");
        }
        validate_network_cfg(&mut config.network)?;
        if config.general.use_middle_proxy && config.network.ipv6 == Some(true) {
            warn!("IPv6 with Middle Proxy is experimental and may cause KDF address mismatch; consider disabling IPv6 or ME");
        }
        // Random fake_cert_len only when default is in use.
        if !config.censorship.tls_emulation && config.censorship.fake_cert_len == default_fake_cert_len() {
            config.censorship.fake_cert_len = rand::rng().gen_range(1024..4096);
        }
        // Resolve listen_tcp: explicit value wins, otherwise auto-detect.
        // If unix socket is set → TCP only when listen_addr_ipv4 or listeners are explicitly provided.
        // If no unix socket → TCP always (backward compat).
        let listen_tcp = config.server.listen_tcp.unwrap_or_else(|| {
            if config.server.listen_unix_sock.is_some() {
                // Unix socket present: TCP only if user explicitly set addresses or listeners.
                config.server.listen_addr_ipv4.is_some()
                    || !config.server.listeners.is_empty()
            } else {
                true
            }
        });
        // Migration: Populate listeners if empty (skip when listen_tcp = false).
        if config.server.listeners.is_empty() && listen_tcp {
            let ipv4_str = config.server.listen_addr_ipv4
                .as_deref()
                .unwrap_or("0.0.0.0");
            if let Ok(ipv4) = ipv4_str.parse::<IpAddr>() {
                config.server.listeners.push(ListenerConfig {
                    ip: ipv4,
                    announce: None,
                    announce_ip: None,
                    proxy_protocol: None,
                    reuse_allow: false,
                });
            }
            if let Some(ipv6_str) = &config.server.listen_addr_ipv6
                && let Ok(ipv6) = ipv6_str.parse::<IpAddr>()
            {
                config.server.listeners.push(ListenerConfig {
                    ip: ipv6,
                    announce: None,
                    announce_ip: None,
                    proxy_protocol: None,
                    reuse_allow: false,
                });
            }
        }
        // Migration: announce_ip → announce for each listener.
        for listener in &mut config.server.listeners {
            if listener.announce.is_none()
                && let Some(ip) = listener.announce_ip.take()
            {
                listener.announce = Some(ip.to_string());
            }
        }
        // Migration: show_link (top-level) → general.links.show.
        if !config.show_link.is_empty() && config.general.links.show.is_empty() {
            config.general.links.show = config.show_link.clone();
        }
        // Migration: Populate upstreams if empty (Default Direct).
        if config.upstreams.is_empty() {
            config.upstreams.push(UpstreamConfig {
                upstream_type: UpstreamType::Direct { interface: None, bind_addresses: None },
                weight: 1,
                enabled: true,
                scopes: String::new(),
                selected_scope: String::new(),
            });
        }
        // Ensure default DC203 override is present.
        config
            .dc_overrides
            .entry("203".to_string())
            .or_insert_with(|| vec!["91.105.192.100:443".to_string()]);
        Ok(config)
    }
    pub fn validate(&self) -> Result<()> {
        if self.access.users.is_empty() {
            return Err(ProxyError::Config("No users configured".to_string()));
        }
        if !self.general.modes.classic && !self.general.modes.secure && !self.general.modes.tls {
            return Err(ProxyError::Config("No modes enabled".to_string()));
        }
        if self.censorship.tls_domain.contains(' ') || self.censorship.tls_domain.contains('/') {
            return Err(ProxyError::Config(format!(
                "Invalid tls_domain: '{}'. Must be a valid domain name",
                self.censorship.tls_domain
            )));
        }
        if let Some(tag) = &self.general.ad_tag {
            let zeros = "00000000000000000000000000000000";
            if tag == zeros {
                warn!("ad_tag is all zeros; register a valid proxy tag via @MTProxybot to enable sponsored channel");
            }
            if tag.len() != 32 || tag.chars().any(|c| !c.is_ascii_hexdigit()) {
                warn!("ad_tag is not a 32-char hex string; ensure you use value issued by @MTProxybot");
            }
        }
        Ok(())
    }
 }
 #[cfg(test)]
 mod tests {
    use super::*;
    #[test]
    fn dc_overrides_allow_string_and_array() {
        let toml = r#"
            [dc_overrides]
            "201" = "149.154.175.50:443"
            "202" = ["149.154.167.51:443", "149.154.175.100:443"]
        "#;
        let cfg: ProxyConfig = toml::from_str(toml).unwrap();
        assert_eq!(cfg.dc_overrides["201"], vec!["149.154.175.50:443"]);
        assert_eq!(
            cfg.dc_overrides["202"],
            vec!["149.154.167.51:443", "149.154.175.100:443"]
        );
    }
    #[test]
    fn dc_overrides_inject_dc203_default() {
        let toml = r#"
            [general]
            use_middle_proxy = false
            [censorship]
            tls_domain = "example.com"
            [access.users]
            user = "00000000000000000000000000000000"
        "#;
        let dir = std::env::temp_dir();
        let path = dir.join("telemt_dc_override_test.toml");
        std::fs::write(&path, toml).unwrap();
        let cfg = ProxyConfig::load(&path).unwrap();
        assert!(cfg
            .dc_overrides
            .get("203")
            .map(|v| v.contains(&"91.105.192.100:443".to_string()))
            .unwrap_or(false));
        let _ = std::fs::remove_file(path);
    }
    #[test]
    fn update_every_overrides_legacy_fields() {
        let toml = r#"
            [general]
            update_every = 123
            proxy_secret_auto_reload_secs = 700
            proxy_config_auto_reload_secs = 800
            [censorship]
            tls_domain = "example.com"
            [access.users]
            user = "00000000000000000000000000000000"
        "#;
        let dir = std::env::temp_dir();
        let path = dir.join("telemt_update_every_override_test.toml");
        std::fs::write(&path, toml).unwrap();
        let cfg = ProxyConfig::load(&path).unwrap();
        assert_eq!(cfg.general.effective_update_every_secs(), 123);
        let _ = std::fs::remove_file(path);
    }
    #[test]
    fn update_every_fallback_to_legacy_min() {
        let toml = r#"
            [general]
            proxy_secret_auto_reload_secs = 600
            proxy_config_auto_reload_secs = 120
            [censorship]
            tls_domain = "example.com"
            [access.users]
            user = "00000000000000000000000000000000"
        "#;
        let dir = std::env::temp_dir();
        let path = dir.join("telemt_update_every_legacy_min_test.toml");
        std::fs::write(&path, toml).unwrap();
        let cfg = ProxyConfig::load(&path).unwrap();
        assert_eq!(cfg.general.update_every, None);
        assert_eq!(cfg.general.effective_update_every_secs(), 120);
        let _ = std::fs::remove_file(path);
    }
    #[test]
    fn update_every_zero_is_rejected() {
        let toml = r#"
            [general]
            update_every = 0
            [censorship]
            tls_domain = "example.com"
            [access.users]
            user = "00000000000000000000000000000000"
        "#;
        let dir = std::env::temp_dir();
        let path = dir.join("telemt_update_every_zero_test.toml");
        std::fs::write(&path, toml).unwrap();
        let err = ProxyConfig::load(&path).unwrap_err().to_string();
        assert!(err.contains("general.update_every must be > 0"));
        let _ = std::fs::remove_file(path);
    }
    #[test]
    fn me_reinit_every_default_is_set() {
        let toml = r#"
            [censorship]
            tls_domain = "example.com"
            [access.users]
            user = "00000000000000000000000000000000"
        "#;
        let dir = std::env::temp_dir();
        let path = dir.join("telemt_me_reinit_every_default_test.toml");
        std::fs::write(&path, toml).unwrap();
        let cfg = ProxyConfig::load(&path).unwrap();
        assert_eq!(
            cfg.general.me_reinit_every_secs,
            default_me_reinit_every_secs()
        );
        let _ = std::fs::remove_file(path);
    }
    #[test]
    fn me_reinit_every_zero_is_rejected() {
        let toml = r#"
            [general]
            me_reinit_every_secs = 0
            [censorship]
            tls_domain = "example.com"
            [access.users]
            user = "00000000000000000000000000000000"
        "#;
        let dir = std::env::temp_dir();
        let path = dir.join("telemt_me_reinit_every_zero_test.toml");
        std::fs::write(&path, toml).unwrap();
        let err = ProxyConfig::load(&path).unwrap_err().to_string();
        assert!(err.contains("general.me_reinit_every_secs must be > 0"));
        let _ = std::fs::remove_file(path);
    }
    #[test]
    fn me_hardswap_warmup_defaults_are_set() {
        let toml = r#"
            [censorship]
            tls_domain = "example.com"
            [access.users]
            user = "00000000000000000000000000000000"
        "#;
        let dir = std::env::temp_dir();
        let path = dir.join("telemt_me_hardswap_warmup_defaults_test.toml");
        std::fs::write(&path, toml).unwrap();
        let cfg = ProxyConfig::load(&path).unwrap();
        assert_eq!(
            cfg.general.me_hardswap_warmup_delay_min_ms,
            default_me_hardswap_warmup_delay_min_ms()
        );
        assert_eq!(
            cfg.general.me_hardswap_warmup_delay_max_ms,
            default_me_hardswap_warmup_delay_max_ms()
        );
        assert_eq!(
            cfg.general.me_hardswap_warmup_extra_passes,
            default_me_hardswap_warmup_extra_passes()
        );
        assert_eq!(
            cfg.general.me_hardswap_warmup_pass_backoff_base_ms,
            default_me_hardswap_warmup_pass_backoff_base_ms()
        );
        let _ = std::fs::remove_file(path);
    }
    #[test]
    fn me_hardswap_warmup_delay_range_is_validated() {
        let toml = r#"
            [general]
            me_hardswap_warmup_delay_min_ms = 2001
            me_hardswap_warmup_delay_max_ms = 2000
            [censorship]
            tls_domain = "example.com"
            [access.users]
            user = "00000000000000000000000000000000"
        "#;
        let dir = std::env::temp_dir();
        let path = dir.join("telemt_me_hardswap_warmup_delay_range_test.toml");
        std::fs::write(&path, toml).unwrap();
        let err = ProxyConfig::load(&path).unwrap_err().to_string();
        assert!(err.contains(
            "general.me_hardswap_warmup_delay_min_ms must be <= general.me_hardswap_warmup_delay_max_ms"
        ));
        let _ = std::fs::remove_file(path);
    }
    #[test]
    fn me_hardswap_warmup_delay_max_zero_is_rejected() {
        let toml = r#"
            [general]
            me_hardswap_warmup_delay_max_ms = 0
            [censorship]
            tls_domain = "example.com"
            [access.users]
            user = "00000000000000000000000000000000"
        "#;
        let dir = std::env::temp_dir();
        let path = dir.join("telemt_me_hardswap_warmup_delay_max_zero_test.toml");
        std::fs::write(&path, toml).unwrap();
        let err = ProxyConfig::load(&path).unwrap_err().to_string();
        assert!(err.contains("general.me_hardswap_warmup_delay_max_ms must be > 0"));
        let _ = std::fs::remove_file(path);
    }
    #[test]
    fn me_hardswap_warmup_extra_passes_out_of_range_is_rejected() {
        let toml = r#"
            [general]
            me_hardswap_warmup_extra_passes = 11
            [censorship]
            tls_domain = "example.com"
            [access.users]
            user = "00000000000000000000000000000000"
        "#;
        let dir = std::env::temp_dir();
        let path = dir.join("telemt_me_hardswap_warmup_extra_passes_test.toml");
        std::fs::write(&path, toml).unwrap();
        let err = ProxyConfig::load(&path).unwrap_err().to_string();
        assert!(err.contains("general.me_hardswap_warmup_extra_passes must be within [0, 10]"));
        let _ = std::fs::remove_file(path);
    }
    #[test]
    fn me_hardswap_warmup_pass_backoff_zero_is_rejected() {
        let toml = r#"
            [general]
            me_hardswap_warmup_pass_backoff_base_ms = 0
            [censorship]
            tls_domain = "example.com"
            [access.users]
            user = "00000000000000000000000000000000"
        "#;
        let dir = std::env::temp_dir();
        let path = dir.join("telemt_me_hardswap_warmup_backoff_zero_test.toml");
        std::fs::write(&path, toml).unwrap();
        let err = ProxyConfig::load(&path).unwrap_err().to_string();
        assert!(err.contains("general.me_hardswap_warmup_pass_backoff_base_ms must be > 0"));
        let _ = std::fs::remove_file(path);
    }
    #[test]
    fn me_config_stable_snapshots_zero_is_rejected() {
        let toml = r#"
            [general]
            me_config_stable_snapshots = 0
            [censorship]
            tls_domain = "example.com"
            [access.users]
            user = "00000000000000000000000000000000"
        "#;
        let dir = std::env::temp_dir();
        let path = dir.join("telemt_me_config_stable_snapshots_zero_test.toml");
        std::fs::write(&path, toml).unwrap();
        let err = ProxyConfig::load(&path).unwrap_err().to_string();
        assert!(err.contains("general.me_config_stable_snapshots must be > 0"));
        let _ = std::fs::remove_file(path);
    }
    #[test]
    fn proxy_secret_stable_snapshots_zero_is_rejected() {
        let toml = r#"
            [general]
            proxy_secret_stable_snapshots = 0
            [censorship]
            tls_domain = "example.com"
            [access.users]
            user = "00000000000000000000000000000000"
        "#;
        let dir = std::env::temp_dir();
        let path = dir.join("telemt_proxy_secret_stable_snapshots_zero_test.toml");
        std::fs::write(&path, toml).unwrap();
        let err = ProxyConfig::load(&path).unwrap_err().to_string();
        assert!(err.contains("general.proxy_secret_stable_snapshots must be > 0"));
        let _ = std::fs::remove_file(path);
    }
    #[test]
    fn proxy_secret_len_max_out_of_range_is_rejected() {
        let toml = r#"
            [general]
            proxy_secret_len_max = 16
            [censorship]
            tls_domain = "example.com"
            [access.users]
            user = "00000000000000000000000000000000"
        "#;
        let dir = std::env::temp_dir();
        let path = dir.join("telemt_proxy_secret_len_max_out_of_range_test.toml");
        std::fs::write(&path, toml).unwrap();
        let err = ProxyConfig::load(&path).unwrap_err().to_string();
        assert!(err.contains("general.proxy_secret_len_max must be within [32, 4096]"));
        let _ = std::fs::remove_file(path);
    }
    #[test]
    fn me_pool_min_fresh_ratio_out_of_range_is_rejected() {
        let toml = r#"
            [general]
            me_pool_min_fresh_ratio = 1.5
            [censorship]
            tls_domain = "example.com"
            [access.users]
            user = "00000000000000000000000000000000"
        "#;
        let dir = std::env::temp_dir();
        let path = dir.join("telemt_me_pool_min_ratio_invalid_test.toml");
        std::fs::write(&path, toml).unwrap();
        let err = ProxyConfig::load(&path).unwrap_err().to_string();
        assert!(err.contains("general.me_pool_min_fresh_ratio must be within [0.0, 1.0]"));
        let _ = std::fs::remove_file(path);
    }
    #[test]
    fn force_close_bumped_when_below_drain_ttl() {
        let toml = r#"
            [general]
            me_pool_drain_ttl_secs = 90
            me_reinit_drain_timeout_secs = 30
            [censorship]
            tls_domain = "example.com"
            [access.users]
            user = "00000000000000000000000000000000"
        "#;
        let dir = std::env::temp_dir();
        let path = dir.join("telemt_force_close_bump_test.toml");
        std::fs::write(&path, toml).unwrap();
        let cfg = ProxyConfig::load(&path).unwrap();
        assert_eq!(cfg.general.me_reinit_drain_timeout_secs, 90);
        let _ = std::fs::remove_file(path);
    }
 }
--- a/src/config/mod.rs
+++ b/src/config/mod.rs
@@ -1,518 +1,9 @@
-//! Configuration
+//! Configuration.
-use crate::error::{ProxyError, Result};
+pub(crate) mod defaults;
-use chrono::{DateTime, Utc};
+mod types;
-use serde::{Deserialize, Serialize};
+mod load;
-use std::collections::HashMap;
+pub mod hot_reload;
 use std::net::{IpAddr, SocketAddr};
 use std::path::Path;
-// ============= Helper Defaults =============
+pub use load::ProxyConfig;
-
+pub use types::*;
 fn default_true() -> bool {
    true
 }
 fn default_port() -> u16 {
    443
 }
 fn default_tls_domain() -> String {
    "www.google.com".to_string()
 }
 fn default_mask_port() -> u16 {
    443
 }
 fn default_replay_check_len() -> usize {
    65536
 }
 fn default_replay_window_secs() -> u64 {
    1800
 }
 fn default_handshake_timeout() -> u64 {
    15
 }
 fn default_connect_timeout() -> u64 {
    10
 }
 fn default_keepalive() -> u64 {
    60
 }
 fn default_ack_timeout() -> u64 {
    300
 }
 fn default_listen_addr() -> String {
    "0.0.0.0".to_string()
 }
 fn default_fake_cert_len() -> usize {
    2048
 }
 fn default_weight() -> u16 {
    1
 }
 fn default_metrics_whitelist() -> Vec<IpAddr> {
    vec!["127.0.0.1".parse().unwrap(), "::1".parse().unwrap()]
 }
 // ============= Log Level =============
 /// Logging verbosity level
 #[derive(Debug, Clone, PartialEq, Serialize, Deserialize, Default)]
 #[serde(rename_all = "lowercase")]
 pub enum LogLevel {
    /// All messages including trace (trace + debug + info + warn + error)
    Debug,
    /// Detailed operational logs (debug + info + warn + error)
    Verbose,
    /// Standard operational logs (info + warn + error)
    #[default]
    Normal,
    /// Minimal output: only warnings and errors (warn + error).
    /// Startup messages (config, DC connectivity, proxy links) are always shown
    /// via info! before the filter is applied.
    Silent,
 }
 impl LogLevel {
    /// Convert to tracing EnvFilter directive string
    pub fn to_filter_str(&self) -> &'static str {
        match self {
            LogLevel::Debug => "trace",
            LogLevel::Verbose => "debug",
            LogLevel::Normal => "info",
            LogLevel::Silent => "warn",
        }
    }
    /// Parse from a loose string (CLI argument)
    pub fn from_str_loose(s: &str) -> Self {
        match s.to_lowercase().as_str() {
            "debug" | "trace" => LogLevel::Debug,
            "verbose" => LogLevel::Verbose,
            "normal" | "info" => LogLevel::Normal,
            "silent" | "quiet" | "error" | "warn" => LogLevel::Silent,
            _ => LogLevel::Normal,
        }
    }
 }
 impl std::fmt::Display for LogLevel {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            LogLevel::Debug => write!(f, "debug"),
            LogLevel::Verbose => write!(f, "verbose"),
            LogLevel::Normal => write!(f, "normal"),
            LogLevel::Silent => write!(f, "silent"),
        }
    }
 }
 // ============= Sub-Configs =============
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct ProxyModes {
    #[serde(default)]
    pub classic: bool,
    #[serde(default)]
    pub secure: bool,
    #[serde(default = "default_true")]
    pub tls: bool,
 }
 impl Default for ProxyModes {
    fn default() -> Self {
        Self {
            classic: true,
            secure: true,
            tls: true,
        }
    }
 }
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct GeneralConfig {
    #[serde(default)]
    pub modes: ProxyModes,
    #[serde(default)]
    pub prefer_ipv6: bool,
    #[serde(default = "default_true")]
    pub fast_mode: bool,
    #[serde(default)]
    pub use_middle_proxy: bool,
    #[serde(default)]
    pub ad_tag: Option<String>,
    /// Path to proxy-secret binary file (auto-downloaded if absent).
    /// Infrastructure secret from https://core.telegram.org/getProxySecret
    #[serde(default)]
    pub proxy_secret_path: Option<String>,
    /// Public IP override for middle-proxy NAT environments.
    /// When set, this IP is used in ME key derivation and RPC_PROXY_REQ "our_addr".
    #[serde(default)]
    pub middle_proxy_nat_ip: Option<IpAddr>,
    /// Enable STUN-based NAT probing to discover public IP:port for ME KDF.
    #[serde(default)]
    pub middle_proxy_nat_probe: bool,
    /// Optional STUN server address (host:port) for NAT probing.
    #[serde(default)]
    pub middle_proxy_nat_stun: Option<String>,
    #[serde(default)]
    pub log_level: LogLevel,
 }
 impl Default for GeneralConfig {
    fn default() -> Self {
        Self {
            modes: ProxyModes::default(),
            prefer_ipv6: false,
            fast_mode: true,
            use_middle_proxy: false,
            ad_tag: None,
            proxy_secret_path: None,
            middle_proxy_nat_ip: None,
            middle_proxy_nat_probe: false,
            middle_proxy_nat_stun: None,
            log_level: LogLevel::Normal,
        }
    }
 }
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct ServerConfig {
    #[serde(default = "default_port")]
    pub port: u16,
    #[serde(default = "default_listen_addr")]
    pub listen_addr_ipv4: String,
    #[serde(default)]
    pub listen_addr_ipv6: Option<String>,
    #[serde(default)]
    pub listen_unix_sock: Option<String>,
    #[serde(default)]
    pub metrics_port: Option<u16>,
    #[serde(default = "default_metrics_whitelist")]
    pub metrics_whitelist: Vec<IpAddr>,
    #[serde(default)]
    pub listeners: Vec<ListenerConfig>,
 }
 impl Default for ServerConfig {
    fn default() -> Self {
        Self {
            port: default_port(),
            listen_addr_ipv4: default_listen_addr(),
            listen_addr_ipv6: Some("::".to_string()),
            listen_unix_sock: None,
            metrics_port: None,
            metrics_whitelist: default_metrics_whitelist(),
            listeners: Vec::new(),
        }
    }
 }
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct TimeoutsConfig {
    #[serde(default = "default_handshake_timeout")]
    pub client_handshake: u64,
    #[serde(default = "default_connect_timeout")]
    pub tg_connect: u64,
    #[serde(default = "default_keepalive")]
    pub client_keepalive: u64,
    #[serde(default = "default_ack_timeout")]
    pub client_ack: u64,
 }
 impl Default for TimeoutsConfig {
    fn default() -> Self {
        Self {
            client_handshake: default_handshake_timeout(),
            tg_connect: default_connect_timeout(),
            client_keepalive: default_keepalive(),
            client_ack: default_ack_timeout(),
        }
    }
 }
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct AntiCensorshipConfig {
    #[serde(default = "default_tls_domain")]
    pub tls_domain: String,
    #[serde(default = "default_true")]
    pub mask: bool,
    #[serde(default)]
    pub mask_host: Option<String>,
    #[serde(default = "default_mask_port")]
    pub mask_port: u16,
    #[serde(default)]
    pub mask_unix_sock: Option<String>,
    #[serde(default = "default_fake_cert_len")]
    pub fake_cert_len: usize,
 }
 impl Default for AntiCensorshipConfig {
    fn default() -> Self {
        Self {
            tls_domain: default_tls_domain(),
            mask: true,
            mask_host: None,
            mask_port: default_mask_port(),
            mask_unix_sock: None,
            fake_cert_len: default_fake_cert_len(),
        }
    }
 }
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct AccessConfig {
    #[serde(default)]
    pub users: HashMap<String, String>,
    #[serde(default)]
    pub user_max_tcp_conns: HashMap<String, usize>,
    #[serde(default)]
    pub user_expirations: HashMap<String, DateTime<Utc>>,
    #[serde(default)]
    pub user_data_quota: HashMap<String, u64>,
    #[serde(default = "default_replay_check_len")]
    pub replay_check_len: usize,
    #[serde(default = "default_replay_window_secs")]
    pub replay_window_secs: u64,
    #[serde(default)]
    pub ignore_time_skew: bool,
 }
 impl Default for AccessConfig {
    fn default() -> Self {
        let mut users = HashMap::new();
        users.insert(
            "default".to_string(),
            "00000000000000000000000000000000".to_string(),
        );
        Self {
            users,
            user_max_tcp_conns: HashMap::new(),
            user_expirations: HashMap::new(),
            user_data_quota: HashMap::new(),
            replay_check_len: default_replay_check_len(),
            replay_window_secs: default_replay_window_secs(),
            ignore_time_skew: false,
        }
    }
 }
 // ============= Aux Structures =============
 #[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
 #[serde(tag = "type", rename_all = "lowercase")]
 pub enum UpstreamType {
    Direct {
        #[serde(default)]
        interface: Option<String>,
    },
    Socks4 {
        address: String,
        #[serde(default)]
        interface: Option<String>,
        #[serde(default)]
        user_id: Option<String>,
    },
    Socks5 {
        address: String,
        #[serde(default)]
        interface: Option<String>,
        #[serde(default)]
        username: Option<String>,
        #[serde(default)]
        password: Option<String>,
    },
 }
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct UpstreamConfig {
    #[serde(flatten)]
    pub upstream_type: UpstreamType,
    #[serde(default = "default_weight")]
    pub weight: u16,
    #[serde(default = "default_true")]
    pub enabled: bool,
 }
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct ListenerConfig {
    pub ip: IpAddr,
    #[serde(default)]
    pub announce_ip: Option<IpAddr>,
 }
 // ============= Main Config =============
 #[derive(Debug, Clone, Serialize, Deserialize, Default)]
 pub struct ProxyConfig {
    #[serde(default)]
    pub general: GeneralConfig,
    #[serde(default)]
    pub server: ServerConfig,
    #[serde(default)]
    pub timeouts: TimeoutsConfig,
    #[serde(default)]
    pub censorship: AntiCensorshipConfig,
    #[serde(default)]
    pub access: AccessConfig,
    #[serde(default)]
    pub upstreams: Vec<UpstreamConfig>,
    #[serde(default)]
    pub show_link: Vec<String>,
    /// DC address overrides for non-standard DCs (CDN, media, test, etc.)
    /// Keys are DC indices as strings, values are "ip:port" addresses.
    /// Matches the C implementation's `proxy_for <dc_id> <ip>:<port>` config directive.
    /// Example in config.toml:
    ///   [dc_overrides]
    ///   "203" = "149.154.175.100:443"
    #[serde(default)]
    pub dc_overrides: HashMap<String, String>,
    /// Default DC index (1-5) for unmapped non-standard DCs.
    /// Matches the C implementation's `default <dc_id>` config directive.
    /// If not set, defaults to 2 (matching Telegram's official `default 2;` in proxy-multi.conf).
    #[serde(default)]
    pub default_dc: Option<u8>,
 }
 impl ProxyConfig {
    pub fn load<P: AsRef<Path>>(path: P) -> Result<Self> {
        let content =
            std::fs::read_to_string(path).map_err(|e| ProxyError::Config(e.to_string()))?;
        let mut config: ProxyConfig =
            toml::from_str(&content).map_err(|e| ProxyError::Config(e.to_string()))?;
        // Validate secrets
        for (user, secret) in &config.access.users {
            if !secret.chars().all(|c| c.is_ascii_hexdigit()) || secret.len() != 32 {
                return Err(ProxyError::InvalidSecret {
                    user: user.clone(),
                    reason: "Must be 32 hex characters".to_string(),
                });
            }
        }
        // Validate tls_domain
        if config.censorship.tls_domain.is_empty() {
            return Err(ProxyError::Config("tls_domain cannot be empty".to_string()));
        }
        // Validate mask_unix_sock
        if let Some(ref sock_path) = config.censorship.mask_unix_sock {
            if sock_path.is_empty() {
                return Err(ProxyError::Config(
                    "mask_unix_sock cannot be empty".to_string(),
                ));
            }
            #[cfg(unix)]
            if sock_path.len() > 107 {
                return Err(ProxyError::Config(format!(
                    "mask_unix_sock path too long: {} bytes (max 107)",
                    sock_path.len()
                )));
            }
            #[cfg(not(unix))]
            return Err(ProxyError::Config(
                "mask_unix_sock is only supported on Unix platforms".to_string(),
            ));
            if config.censorship.mask_host.is_some() {
                return Err(ProxyError::Config(
                    "mask_unix_sock and mask_host are mutually exclusive".to_string(),
                ));
            }
        }
        // Default mask_host to tls_domain if not set and no unix socket configured
        if config.censorship.mask_host.is_none() && config.censorship.mask_unix_sock.is_none() {
            config.censorship.mask_host = Some(config.censorship.tls_domain.clone());
        }
        // Random fake_cert_len
        use rand::Rng;
        config.censorship.fake_cert_len = rand::rng().gen_range(1024..4096);
        // Migration: Populate listeners if empty
        if config.server.listeners.is_empty() {
            if let Ok(ipv4) = config.server.listen_addr_ipv4.parse::<IpAddr>() {
                config.server.listeners.push(ListenerConfig {
                    ip: ipv4,
                    announce_ip: None,
                });
            }
            if let Some(ipv6_str) = &config.server.listen_addr_ipv6 {
                if let Ok(ipv6) = ipv6_str.parse::<IpAddr>() {
                    config.server.listeners.push(ListenerConfig {
                        ip: ipv6,
                        announce_ip: None,
                    });
                }
            }
        }
        // Migration: Populate upstreams if empty (Default Direct)
        if config.upstreams.is_empty() {
            config.upstreams.push(UpstreamConfig {
                upstream_type: UpstreamType::Direct { interface: None },
                weight: 1,
                enabled: true,
            });
        }
        Ok(config)
    }
    pub fn validate(&self) -> Result<()> {
        if self.access.users.is_empty() {
            return Err(ProxyError::Config("No users configured".to_string()));
        }
        if !self.general.modes.classic && !self.general.modes.secure && !self.general.modes.tls {
            return Err(ProxyError::Config("No modes enabled".to_string()));
        }
        if self.censorship.tls_domain.contains(' ') || self.censorship.tls_domain.contains('/') {
            return Err(ProxyError::Config(format!(
                "Invalid tls_domain: '{}'. Must be a valid domain name",
                self.censorship.tls_domain
            )));
        }
        Ok(())
    }
 }
--- a/src/config/types.rs
+++ b/src/config/types.rs
@@ -0,0 +1,815 @@
 use chrono::{DateTime, Utc};
 use ipnetwork::IpNetwork;
 use serde::{Deserialize, Serialize};
 use std::collections::HashMap;
 use std::net::IpAddr;
 use super::defaults::*;
 // ============= Log Level =============
 /// Logging verbosity level.
 #[derive(Debug, Clone, PartialEq, Serialize, Deserialize, Default)]
 #[serde(rename_all = "lowercase")]
 pub enum LogLevel {
    /// All messages including trace (trace + debug + info + warn + error).
    Debug,
    /// Detailed operational logs (debug + info + warn + error).
    Verbose,
    /// Standard operational logs (info + warn + error).
    #[default]
    Normal,
    /// Minimal output: only warnings and errors (warn + error).
    /// Startup messages (config, DC connectivity, proxy links) are always shown
    /// via info! before the filter is applied.
    Silent,
 }
 impl LogLevel {
    /// Convert to tracing EnvFilter directive string.
    pub fn to_filter_str(&self) -> &'static str {
        match self {
            LogLevel::Debug => "trace",
            LogLevel::Verbose => "debug",
            LogLevel::Normal => "info",
            LogLevel::Silent => "warn",
        }
    }
    /// Parse from a loose string (CLI argument).
    pub fn from_str_loose(s: &str) -> Self {
        match s.to_lowercase().as_str() {
            "debug" | "trace" => LogLevel::Debug,
            "verbose" => LogLevel::Verbose,
            "normal" | "info" => LogLevel::Normal,
            "silent" | "quiet" | "error" | "warn" => LogLevel::Silent,
            _ => LogLevel::Normal,
        }
    }
 }
 impl std::fmt::Display for LogLevel {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            LogLevel::Debug => write!(f, "debug"),
            LogLevel::Verbose => write!(f, "verbose"),
            LogLevel::Normal => write!(f, "normal"),
            LogLevel::Silent => write!(f, "silent"),
        }
    }
 }
 // ============= Sub-Configs =============
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct ProxyModes {
    #[serde(default)]
    pub classic: bool,
    #[serde(default)]
    pub secure: bool,
    #[serde(default = "default_true")]
    pub tls: bool,
 }
 impl Default for ProxyModes {
    fn default() -> Self {
        Self {
            classic: false,
            secure: false,
            tls: true,
        }
    }
 }
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct NetworkConfig {
    #[serde(default = "default_true")]
    pub ipv4: bool,
    /// None = auto-detect IPv6 availability.
    #[serde(default)]
    pub ipv6: Option<bool>,
    /// 4 or 6.
    #[serde(default = "default_prefer_4")]
    pub prefer: u8,
    #[serde(default)]
    pub multipath: bool,
    /// STUN servers list for public IP discovery.
    #[serde(default = "default_stun_servers")]
    pub stun_servers: Vec<String>,
    /// Enable TCP STUN fallback when UDP is blocked.
    #[serde(default)]
    pub stun_tcp_fallback: bool,
    /// HTTP-based public IP detection endpoints (fallback after STUN).
    #[serde(default = "default_http_ip_detect_urls")]
    pub http_ip_detect_urls: Vec<String>,
    /// Cache file path for detected public IP.
    #[serde(default = "default_cache_public_ip_path")]
    pub cache_public_ip_path: String,
 }
 impl Default for NetworkConfig {
    fn default() -> Self {
        Self {
            ipv4: true,
            ipv6: Some(false),
            prefer: 4,
            multipath: false,
            stun_servers: default_stun_servers(),
            stun_tcp_fallback: true,
            http_ip_detect_urls: default_http_ip_detect_urls(),
            cache_public_ip_path: default_cache_public_ip_path(),
        }
    }
 }
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct GeneralConfig {
    #[serde(default)]
    pub modes: ProxyModes,
    #[serde(default)]
    pub prefer_ipv6: bool,
    #[serde(default = "default_true")]
    pub fast_mode: bool,
    #[serde(default)]
    pub use_middle_proxy: bool,
    #[serde(default)]
    pub ad_tag: Option<String>,
    /// Path to proxy-secret binary file (auto-downloaded if absent).
    /// Infrastructure secret from https://core.telegram.org/getProxySecret.
    #[serde(default)]
    pub proxy_secret_path: Option<String>,
    /// Public IP override for middle-proxy NAT environments.
    /// When set, this IP is used in ME key derivation and RPC_PROXY_REQ "our_addr".
    #[serde(default)]
    pub middle_proxy_nat_ip: Option<IpAddr>,
    /// Enable STUN-based NAT probing to discover public IP:port for ME KDF.
    #[serde(default)]
    pub middle_proxy_nat_probe: bool,
    /// Optional STUN server address (host:port) for NAT probing.
    #[serde(default)]
    pub middle_proxy_nat_stun: Option<String>,
    /// Optional list of STUN servers for NAT probing fallback.
    #[serde(default)]
    pub middle_proxy_nat_stun_servers: Vec<String>,
    /// Desired size of active Middle-Proxy writer pool.
    #[serde(default = "default_pool_size")]
    pub middle_proxy_pool_size: usize,
    /// Number of warm standby ME connections kept pre-initialized.
    #[serde(default)]
    pub middle_proxy_warm_standby: usize,
    /// Enable ME keepalive padding frames.
    #[serde(default = "default_true")]
    pub me_keepalive_enabled: bool,
    /// Keepalive interval in seconds.
    #[serde(default = "default_keepalive_interval")]
    pub me_keepalive_interval_secs: u64,
    /// Keepalive jitter in seconds.
    #[serde(default = "default_keepalive_jitter")]
    pub me_keepalive_jitter_secs: u64,
    /// Keepalive payload randomized (4 bytes); otherwise zeros.
    #[serde(default = "default_true")]
    pub me_keepalive_payload_random: bool,
    /// Max pending ciphertext buffer per client writer (bytes).
    /// Controls FakeTLS backpressure vs throughput.
    #[serde(default = "default_crypto_pending_buffer")]
    pub crypto_pending_buffer: usize,
    /// Maximum allowed client MTProto frame size (bytes).
    #[serde(default = "default_max_client_frame")]
    pub max_client_frame: usize,
    /// Emit full crypto-desync forensic logs for every event.
    /// When false, full forensic details are emitted once per key window.
    #[serde(default = "default_desync_all_full")]
    pub desync_all_full: bool,
    /// Enable C-like hard-swap for ME pool generations.
    /// When true, Telemt prewarms a new generation and switches once full coverage is reached.
    #[serde(default = "default_hardswap")]
    pub hardswap: bool,
    /// Enable staggered warmup of extra ME writers.
    #[serde(default = "default_true")]
    pub me_warmup_stagger_enabled: bool,
    /// Base delay between warmup connections in ms.
    #[serde(default = "default_warmup_step_delay_ms")]
    pub me_warmup_step_delay_ms: u64,
    /// Jitter for warmup delay in ms.
    #[serde(default = "default_warmup_step_jitter_ms")]
    pub me_warmup_step_jitter_ms: u64,
    /// Max concurrent reconnect attempts per DC.
    #[serde(default)]
    pub me_reconnect_max_concurrent_per_dc: u32,
    /// Base backoff in ms for reconnect.
    #[serde(default = "default_reconnect_backoff_base_ms")]
    pub me_reconnect_backoff_base_ms: u64,
    /// Cap backoff in ms for reconnect.
    #[serde(default = "default_reconnect_backoff_cap_ms")]
    pub me_reconnect_backoff_cap_ms: u64,
    /// Fast retry attempts before backoff.
    #[serde(default)]
    pub me_reconnect_fast_retry_count: u32,
    /// Ignore STUN/interface IP mismatch (keep using Middle Proxy even if NAT detected).
    #[serde(default)]
    pub stun_iface_mismatch_ignore: bool,
    /// Log unknown (non-standard) DC requests to a file (default: unknown-dc.txt). Set to null to disable.
    #[serde(default = "default_unknown_dc_log_path")]
    pub unknown_dc_log_path: Option<String>,
    #[serde(default)]
    pub log_level: LogLevel,
    /// Disable colored output in logs (useful for files/systemd).
    #[serde(default)]
    pub disable_colors: bool,
    /// [general.links] — proxy link generation overrides.
    #[serde(default)]
    pub links: LinksConfig,
    /// Minimum TLS record size when fast_mode coalescing is enabled (0 = disabled).
    #[serde(default = "default_fast_mode_min_tls_record")]
    pub fast_mode_min_tls_record: usize,
    /// Unified ME updater interval in seconds for getProxyConfig/getProxyConfigV6/getProxySecret.
    /// When omitted, effective value falls back to legacy proxy_*_auto_reload_secs fields.
    #[serde(default)]
    pub update_every: Option<u64>,
    /// Periodic ME pool reinitialization interval in seconds.
    #[serde(default = "default_me_reinit_every_secs")]
    pub me_reinit_every_secs: u64,
    /// Minimum delay in ms between hardswap warmup connect attempts.
    #[serde(default = "default_me_hardswap_warmup_delay_min_ms")]
    pub me_hardswap_warmup_delay_min_ms: u64,
    /// Maximum delay in ms between hardswap warmup connect attempts.
    #[serde(default = "default_me_hardswap_warmup_delay_max_ms")]
    pub me_hardswap_warmup_delay_max_ms: u64,
    /// Additional warmup passes in the same hardswap cycle after the base pass.
    #[serde(default = "default_me_hardswap_warmup_extra_passes")]
    pub me_hardswap_warmup_extra_passes: u8,
    /// Base backoff in ms between hardswap warmup passes when floor is still incomplete.
    #[serde(default = "default_me_hardswap_warmup_pass_backoff_base_ms")]
    pub me_hardswap_warmup_pass_backoff_base_ms: u64,
    /// Number of identical getProxyConfig snapshots required before applying ME map updates.
    #[serde(default = "default_me_config_stable_snapshots")]
    pub me_config_stable_snapshots: u8,
    /// Cooldown in seconds between applied ME map updates.
    #[serde(default = "default_me_config_apply_cooldown_secs")]
    pub me_config_apply_cooldown_secs: u64,
    /// Number of identical getProxySecret snapshots required before runtime secret rotation.
    #[serde(default = "default_proxy_secret_stable_snapshots")]
    pub proxy_secret_stable_snapshots: u8,
    /// Enable runtime proxy-secret rotation from getProxySecret.
    #[serde(default = "default_proxy_secret_rotate_runtime")]
    pub proxy_secret_rotate_runtime: bool,
    /// Maximum allowed proxy-secret length in bytes for startup and runtime refresh.
    #[serde(default = "default_proxy_secret_len_max")]
    pub proxy_secret_len_max: usize,
    /// Drain-TTL in seconds for stale ME writers after endpoint map changes.
    /// During TTL, stale writers may be used only as fallback for new bindings.
    #[serde(default = "default_me_pool_drain_ttl_secs")]
    pub me_pool_drain_ttl_secs: u64,
    /// Minimum desired-DC coverage ratio required before draining stale writers.
    /// Range: 0.0..=1.0.
    #[serde(default = "default_me_pool_min_fresh_ratio")]
    pub me_pool_min_fresh_ratio: f32,
    /// Drain timeout in seconds for stale ME writers after endpoint map changes.
    /// Set to 0 to keep stale writers draining indefinitely (no force-close).
    #[serde(default = "default_me_reinit_drain_timeout_secs")]
    pub me_reinit_drain_timeout_secs: u64,
    /// Deprecated legacy setting; kept for backward compatibility fallback.
    /// Use `update_every` instead.
    #[serde(default = "default_proxy_secret_reload_secs")]
    pub proxy_secret_auto_reload_secs: u64,
    /// Deprecated legacy setting; kept for backward compatibility fallback.
    /// Use `update_every` instead.
    #[serde(default = "default_proxy_config_reload_secs")]
    pub proxy_config_auto_reload_secs: u64,
    /// Enable NTP drift check at startup.
    #[serde(default = "default_ntp_check")]
    pub ntp_check: bool,
    /// NTP servers for drift check.
    #[serde(default = "default_ntp_servers")]
    pub ntp_servers: Vec<String>,
    /// Enable auto-degradation from ME to Direct-DC.
    #[serde(default = "default_true")]
    pub auto_degradation_enabled: bool,
    /// Minimum unavailable ME DC groups before degrading.
    #[serde(default = "default_degradation_min_unavailable_dc_groups")]
    pub degradation_min_unavailable_dc_groups: u8,
 }
 impl Default for GeneralConfig {
    fn default() -> Self {
        Self {
            modes: ProxyModes::default(),
            prefer_ipv6: false,
            fast_mode: true,
            use_middle_proxy: false,
            ad_tag: None,
            proxy_secret_path: None,
            middle_proxy_nat_ip: None,
            middle_proxy_nat_probe: false,
            middle_proxy_nat_stun: None,
            middle_proxy_nat_stun_servers: Vec::new(),
            middle_proxy_pool_size: default_pool_size(),
            middle_proxy_warm_standby: 16,
            me_keepalive_enabled: true,
            me_keepalive_interval_secs: default_keepalive_interval(),
            me_keepalive_jitter_secs: default_keepalive_jitter(),
            me_keepalive_payload_random: true,
            me_warmup_stagger_enabled: true,
            me_warmup_step_delay_ms: default_warmup_step_delay_ms(),
            me_warmup_step_jitter_ms: default_warmup_step_jitter_ms(),
            me_reconnect_max_concurrent_per_dc: 8,
            me_reconnect_backoff_base_ms: default_reconnect_backoff_base_ms(),
            me_reconnect_backoff_cap_ms: default_reconnect_backoff_cap_ms(),
            me_reconnect_fast_retry_count: 8,
            stun_iface_mismatch_ignore: false,
            unknown_dc_log_path: default_unknown_dc_log_path(),
            log_level: LogLevel::Normal,
            disable_colors: false,
            links: LinksConfig::default(),
            crypto_pending_buffer: default_crypto_pending_buffer(),
            max_client_frame: default_max_client_frame(),
            desync_all_full: default_desync_all_full(),
            hardswap: default_hardswap(),
            fast_mode_min_tls_record: default_fast_mode_min_tls_record(),
            update_every: Some(default_update_every_secs()),
            me_reinit_every_secs: default_me_reinit_every_secs(),
            me_hardswap_warmup_delay_min_ms: default_me_hardswap_warmup_delay_min_ms(),
            me_hardswap_warmup_delay_max_ms: default_me_hardswap_warmup_delay_max_ms(),
            me_hardswap_warmup_extra_passes: default_me_hardswap_warmup_extra_passes(),
            me_hardswap_warmup_pass_backoff_base_ms: default_me_hardswap_warmup_pass_backoff_base_ms(),
            me_config_stable_snapshots: default_me_config_stable_snapshots(),
            me_config_apply_cooldown_secs: default_me_config_apply_cooldown_secs(),
            proxy_secret_stable_snapshots: default_proxy_secret_stable_snapshots(),
            proxy_secret_rotate_runtime: default_proxy_secret_rotate_runtime(),
            proxy_secret_len_max: default_proxy_secret_len_max(),
            me_pool_drain_ttl_secs: default_me_pool_drain_ttl_secs(),
            me_pool_min_fresh_ratio: default_me_pool_min_fresh_ratio(),
            me_reinit_drain_timeout_secs: default_me_reinit_drain_timeout_secs(),
            proxy_secret_auto_reload_secs: default_proxy_secret_reload_secs(),
            proxy_config_auto_reload_secs: default_proxy_config_reload_secs(),
            ntp_check: default_ntp_check(),
            ntp_servers: default_ntp_servers(),
            auto_degradation_enabled: true,
            degradation_min_unavailable_dc_groups: default_degradation_min_unavailable_dc_groups(),
        }
    }
 }
 impl GeneralConfig {
    /// Resolve the active updater interval for ME infrastructure refresh tasks.
    /// `update_every` has priority, otherwise legacy proxy_*_auto_reload_secs are used.
    pub fn effective_update_every_secs(&self) -> u64 {
        self.update_every
            .unwrap_or_else(|| self.proxy_secret_auto_reload_secs.min(self.proxy_config_auto_reload_secs))
    }
    /// Resolve periodic zero-downtime reinit interval for ME writers.
    pub fn effective_me_reinit_every_secs(&self) -> u64 {
        self.me_reinit_every_secs
    }
    /// Resolve force-close timeout for stale writers.
    /// `me_reinit_drain_timeout_secs` remains backward-compatible alias.
    pub fn effective_me_pool_force_close_secs(&self) -> u64 {
        self.me_reinit_drain_timeout_secs
    }
 }
 /// `[general.links]` — proxy link generation settings.
 #[derive(Debug, Clone, Serialize, Deserialize, Default)]
 pub struct LinksConfig {
    /// List of usernames whose tg:// links to display at startup.
    /// `"*"` = all users, `["alice", "bob"]` = specific users.
    #[serde(default)]
    pub show: ShowLink,
    /// Public hostname/IP for tg:// link generation (overrides detected IP).
    #[serde(default)]
    pub public_host: Option<String>,
    /// Public port for tg:// link generation (overrides server.port).
    #[serde(default)]
    pub public_port: Option<u16>,
 }
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct ServerConfig {
    #[serde(default = "default_port")]
    pub port: u16,
    #[serde(default)]
    pub listen_addr_ipv4: Option<String>,
    #[serde(default)]
    pub listen_addr_ipv6: Option<String>,
    #[serde(default)]
    pub listen_unix_sock: Option<String>,
    /// Unix socket file permissions (octal, e.g. "0666" or "0777").
    /// Applied via chmod after bind. Default: no change (inherits umask).
    #[serde(default)]
    pub listen_unix_sock_perm: Option<String>,
    /// Enable TCP listening. Default: true when no unix socket, false when
    /// listen_unix_sock is set. Set explicitly to override auto-detection.
    #[serde(default)]
    pub listen_tcp: Option<bool>,
    /// Accept HAProxy PROXY protocol headers on incoming connections.
    /// When enabled, real client IPs are extracted from PROXY v1/v2 headers.
    #[serde(default)]
    pub proxy_protocol: bool,
    #[serde(default)]
    pub metrics_port: Option<u16>,
    #[serde(default = "default_metrics_whitelist")]
    pub metrics_whitelist: Vec<IpNetwork>,
    #[serde(default)]
    pub listeners: Vec<ListenerConfig>,
 }
 impl Default for ServerConfig {
    fn default() -> Self {
        Self {
            port: default_port(),
            listen_addr_ipv4: Some(default_listen_addr()),
            listen_addr_ipv6: Some("::".to_string()),
            listen_unix_sock: None,
            listen_unix_sock_perm: None,
            listen_tcp: None,
            proxy_protocol: false,
            metrics_port: None,
            metrics_whitelist: default_metrics_whitelist(),
            listeners: Vec::new(),
        }
    }
 }
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct TimeoutsConfig {
    #[serde(default = "default_handshake_timeout")]
    pub client_handshake: u64,
    #[serde(default = "default_connect_timeout")]
    pub tg_connect: u64,
    #[serde(default = "default_keepalive")]
    pub client_keepalive: u64,
    #[serde(default = "default_ack_timeout")]
    pub client_ack: u64,
    /// Number of quick ME reconnect attempts for single-address DC.
    #[serde(default = "default_me_one_retry")]
    pub me_one_retry: u8,
    /// Timeout per quick attempt in milliseconds for single-address DC.
    #[serde(default = "default_me_one_timeout")]
    pub me_one_timeout_ms: u64,
 }
 impl Default for TimeoutsConfig {
    fn default() -> Self {
        Self {
            client_handshake: default_handshake_timeout(),
            tg_connect: default_connect_timeout(),
            client_keepalive: default_keepalive(),
            client_ack: default_ack_timeout(),
            me_one_retry: default_me_one_retry(),
            me_one_timeout_ms: default_me_one_timeout(),
        }
    }
 }
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct AntiCensorshipConfig {
    #[serde(default = "default_tls_domain")]
    pub tls_domain: String,
    /// Additional TLS domains for generating multiple proxy links.
    #[serde(default)]
    pub tls_domains: Vec<String>,
    #[serde(default = "default_true")]
    pub mask: bool,
    #[serde(default)]
    pub mask_host: Option<String>,
    #[serde(default = "default_mask_port")]
    pub mask_port: u16,
    #[serde(default)]
    pub mask_unix_sock: Option<String>,
    #[serde(default = "default_fake_cert_len")]
    pub fake_cert_len: usize,
    /// Enable TLS certificate emulation using cached real certificates.
    #[serde(default)]
    pub tls_emulation: bool,
    /// Directory to store TLS front cache (on disk).
    #[serde(default = "default_tls_front_dir")]
    pub tls_front_dir: String,
    /// Minimum server_hello delay in milliseconds (anti-fingerprint).
    #[serde(default = "default_server_hello_delay_min_ms")]
    pub server_hello_delay_min_ms: u64,
    /// Maximum server_hello delay in milliseconds.
    #[serde(default = "default_server_hello_delay_max_ms")]
    pub server_hello_delay_max_ms: u64,
    /// Number of NewSessionTicket messages to emit post-handshake.
    #[serde(default = "default_tls_new_session_tickets")]
    pub tls_new_session_tickets: u8,
    /// TTL in seconds for sending full certificate payload per client IP.
    /// First client connection per (SNI domain, client IP) gets full cert payload.
    /// Subsequent handshakes within TTL use compact cert metadata payload.
    #[serde(default = "default_tls_full_cert_ttl_secs")]
    pub tls_full_cert_ttl_secs: u64,
    /// Enforce ALPN echo of client preference.
    #[serde(default = "default_alpn_enforce")]
    pub alpn_enforce: bool,
 }
 impl Default for AntiCensorshipConfig {
    fn default() -> Self {
        Self {
            tls_domain: default_tls_domain(),
            tls_domains: Vec::new(),
            mask: true,
            mask_host: None,
            mask_port: default_mask_port(),
            mask_unix_sock: None,
            fake_cert_len: default_fake_cert_len(),
            tls_emulation: false,
            tls_front_dir: default_tls_front_dir(),
            server_hello_delay_min_ms: default_server_hello_delay_min_ms(),
            server_hello_delay_max_ms: default_server_hello_delay_max_ms(),
            tls_new_session_tickets: default_tls_new_session_tickets(),
            tls_full_cert_ttl_secs: default_tls_full_cert_ttl_secs(),
            alpn_enforce: default_alpn_enforce(),
        }
    }
 }
 #[derive(Debug, Clone, PartialEq, Serialize, Deserialize)]
 pub struct AccessConfig {
    #[serde(default)]
    pub users: HashMap<String, String>,
    #[serde(default)]
    pub user_max_tcp_conns: HashMap<String, usize>,
    #[serde(default)]
    pub user_expirations: HashMap<String, DateTime<Utc>>,
    #[serde(default)]
    pub user_data_quota: HashMap<String, u64>,
    #[serde(default)]
    pub user_max_unique_ips: HashMap<String, usize>,
    #[serde(default = "default_replay_check_len")]
    pub replay_check_len: usize,
    #[serde(default = "default_replay_window_secs")]
    pub replay_window_secs: u64,
    #[serde(default)]
    pub ignore_time_skew: bool,
 }
 impl Default for AccessConfig {
    fn default() -> Self {
        let mut users = HashMap::new();
        users.insert(
            "default".to_string(),
            "00000000000000000000000000000000".to_string(),
        );
        Self {
            users,
            user_max_tcp_conns: HashMap::new(),
            user_expirations: HashMap::new(),
            user_data_quota: HashMap::new(),
            user_max_unique_ips: HashMap::new(),
            replay_check_len: default_replay_check_len(),
            replay_window_secs: default_replay_window_secs(),
            ignore_time_skew: false,
        }
    }
 }
 // ============= Aux Structures =============
 #[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
 #[serde(tag = "type", rename_all = "lowercase")]
 pub enum UpstreamType {
    Direct {
        #[serde(default)]
        interface: Option<String>,
        #[serde(default)]
        bind_addresses: Option<Vec<String>>,
    },
    Socks4 {
        address: String,
        #[serde(default)]
        interface: Option<String>,
        #[serde(default)]
        user_id: Option<String>,
    },
    Socks5 {
        address: String,
        #[serde(default)]
        interface: Option<String>,
        #[serde(default)]
        username: Option<String>,
        #[serde(default)]
        password: Option<String>,
    },
 }
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct UpstreamConfig {
    #[serde(flatten)]
    pub upstream_type: UpstreamType,
    #[serde(default = "default_weight")]
    pub weight: u16,
    #[serde(default = "default_true")]
    pub enabled: bool,
    #[serde(default)]
    pub scopes: String,
    #[serde(skip)]
    pub selected_scope: String,
 }
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct ListenerConfig {
    pub ip: IpAddr,
    /// IP address or hostname to announce in proxy links.
    /// Takes precedence over `announce_ip` if both are set.
    #[serde(default)]
    pub announce: Option<String>,
    /// Deprecated: Use `announce` instead. IP address to announce in proxy links.
    /// Migrated to `announce` automatically if `announce` is not set.
    #[serde(default)]
    pub announce_ip: Option<IpAddr>,
    /// Per-listener PROXY protocol override. When set, overrides global server.proxy_protocol.
    #[serde(default)]
    pub proxy_protocol: Option<bool>,
    /// Allow multiple telemt instances to listen on the same IP:port (SO_REUSEPORT).
    /// Default is false for safety.
    #[serde(default)]
    pub reuse_allow: bool,
 }
 // ============= ShowLink =============
 /// Controls which users' proxy links are displayed at startup.
 ///
 /// In TOML, this can be:
 /// - `show_link = "*"`          — show links for all users
 /// - `show_link = ["a", "b"]`   — show links for specific users
 /// - omitted                    — show no links (default)
 #[derive(Debug, Clone, Default)]
 pub enum ShowLink {
    /// Don't show any links (default when omitted).
    #[default]
    None,
    /// Show links for all configured users.
    All,
    /// Show links for specific users.
    Specific(Vec<String>),
 }
 impl ShowLink {
    /// Returns true if no links should be shown.
    pub fn is_empty(&self) -> bool {
        matches!(self, ShowLink::None) || matches!(self, ShowLink::Specific(v) if v.is_empty())
    }
    /// Resolve the list of user names to display, given all configured users.
    pub fn resolve_users<'a>(&'a self, all_users: &'a HashMap<String, String>) -> Vec<&'a String> {
        match self {
            ShowLink::None => vec![],
            ShowLink::All => {
                let mut names: Vec<&String> = all_users.keys().collect();
                names.sort();
                names
            }
            ShowLink::Specific(names) => names.iter().collect(),
        }
    }
 }
 impl Serialize for ShowLink {
    fn serialize<S: serde::Serializer>(&self, serializer: S) -> std::result::Result<S::Ok, S::Error> {
        match self {
            ShowLink::None => Vec::<String>::new().serialize(serializer),
            ShowLink::All => serializer.serialize_str("*"),
            ShowLink::Specific(v) => v.serialize(serializer),
        }
    }
 }
 impl<'de> Deserialize<'de> for ShowLink {
    fn deserialize<D: serde::Deserializer<'de>>(deserializer: D) -> std::result::Result<Self, D::Error> {
        use serde::de;
        struct ShowLinkVisitor;
        impl<'de> de::Visitor<'de> for ShowLinkVisitor {
            type Value = ShowLink;
            fn expecting(&self, formatter: &mut std::fmt::Formatter) -> std::fmt::Result {
                formatter.write_str(r#""*" or an array of user names"#)
            }
            fn visit_str<E: de::Error>(self, v: &str) -> std::result::Result<ShowLink, E> {
                if v == "*" {
                    Ok(ShowLink::All)
                } else {
                    Err(de::Error::invalid_value(
                        de::Unexpected::Str(v),
                        &r#""*""#,
                    ))
                }
            }
            fn visit_seq<A: de::SeqAccess<'de>>(self, mut seq: A) -> std::result::Result<ShowLink, A::Error> {
                let mut names = Vec::new();
                while let Some(name) = seq.next_element::<String>()? {
                    names.push(name);
                }
                if names.is_empty() {
                    Ok(ShowLink::None)
                } else {
                    Ok(ShowLink::Specific(names))
                }
            }
        }
        deserializer.deserialize_any(ShowLinkVisitor)
    }
 }
--- a/src/crypto/aes.rs
+++ b/src/crypto/aes.rs
@@ -11,6 +11,8 @@
 //!   `HandshakeSuccess`, `ObfuscationParams`) are responsible for
 //!   zeroizing their own copies.
 #![allow(dead_code)]
 use aes::Aes256;
 use ctr::{Ctr128BE, cipher::{KeyIvInit, StreamCipher}};
 use zeroize::Zeroize;
@@ -21,13 +23,13 @@ type Aes256Ctr = Ctr128BE<Aes256>;
 // ============= AES-256-CTR =============
 /// AES-256-CTR encryptor/decryptor
-/// 
+///
 /// CTR mode is symmetric — encryption and decryption are the same operation.
 ///
 /// **Zeroize note:** The inner `Aes256Ctr` cipher state (expanded key schedule
-/// + counter) is opaque and cannot be zeroized. If you need to protect key
+///     + counter) is opaque and cannot be zeroized. If you need to protect key
-/// material, zeroize the `[u8; 32]` key and `u128` IV at the call site
+///     material, zeroize the `[u8; 32]` key and `u128` IV at the call site
-/// before dropping them.
+///     before dropping them.
 pub struct AesCtr {
    cipher: Aes256Ctr,
 }
@@ -147,7 +149,7 @@ impl AesCbc {
    ///
    /// CBC Encryption: C[i] = AES_Encrypt(P[i] XOR C[i-1]), where C[-1] = IV
    pub fn encrypt(&self, data: &[u8]) -> Result<Vec<u8>> {
-        if data.len() % Self::BLOCK_SIZE != 0 {
+        if !data.len().is_multiple_of(Self::BLOCK_SIZE) {
            return Err(ProxyError::Crypto(
                format!("CBC data must be aligned to 16 bytes, got {}", data.len())
            ));
@@ -178,7 +180,7 @@ impl AesCbc {
    ///
    /// CBC Decryption: P[i] = AES_Decrypt(C[i]) XOR C[i-1], where C[-1] = IV
    pub fn decrypt(&self, data: &[u8]) -> Result<Vec<u8>> {
-        if data.len() % Self::BLOCK_SIZE != 0 {
+        if !data.len().is_multiple_of(Self::BLOCK_SIZE) {
            return Err(ProxyError::Crypto(
                format!("CBC data must be aligned to 16 bytes, got {}", data.len())
            ));
@@ -207,7 +209,7 @@ impl AesCbc {
    /// Encrypt data in-place
    pub fn encrypt_in_place(&self, data: &mut [u8]) -> Result<()> {
-        if data.len() % Self::BLOCK_SIZE != 0 {
+        if !data.len().is_multiple_of(Self::BLOCK_SIZE) {
            return Err(ProxyError::Crypto(
                format!("CBC data must be aligned to 16 bytes, got {}", data.len())
            ));
@@ -240,7 +242,7 @@ impl AesCbc {
    /// Decrypt data in-place
    pub fn decrypt_in_place(&self, data: &mut [u8]) -> Result<()> {
-        if data.len() % Self::BLOCK_SIZE != 0 {
+        if !data.len().is_multiple_of(Self::BLOCK_SIZE) {
            return Err(ProxyError::Crypto(
                format!("CBC data must be aligned to 16 bytes, got {}", data.len())
            ));
--- a/src/crypto/hash.rs
+++ b/src/crypto/hash.rs
@@ -55,10 +55,16 @@ pub fn crc32(data: &[u8]) -> u32 {
    crc32fast::hash(data)
 }
 /// CRC32C (Castagnoli)
 pub fn crc32c(data: &[u8]) -> u32 {
    crc32c::crc32c(data)
 }
 /// Build the exact prekey buffer used by Telegram Middle Proxy KDF.
 ///
 /// Returned buffer layout (IPv4):
 /// nonce_srv | nonce_clt | clt_ts | srv_ip | clt_port | purpose | clt_ip | srv_port | secret | nonce_srv | [clt_v6 | srv_v6] | nonce_clt
 #[allow(clippy::too_many_arguments)]
 pub fn build_middleproxy_prekey(
    nonce_srv: &[u8; 16],
    nonce_clt: &[u8; 16],
@@ -103,6 +109,7 @@ pub fn build_middleproxy_prekey(
 /// Uses MD5 + SHA-1 as mandated by the Telegram Middle Proxy protocol.
 /// These algorithms are NOT replaceable here — changing them would break
 /// interoperability with Telegram's middle proxy infrastructure.
 #[allow(clippy::too_many_arguments)]
 pub fn derive_middleproxy_keys(
    nonce_srv: &[u8; 16],
    nonce_clt: &[u8; 16],
@@ -172,7 +179,7 @@ mod tests {
        let digest = sha256(&prekey);
        assert_eq!(
            hex::encode(digest),
-            "a4595b75f1f610f2575ace802ddc65c91b5acef3b0e0d18189e0c7c9f787d15c"
+            "934f5facdafd65a44d5c2df90d2f35ddc81faaaeb337949dfeef817c8a7c1e00"
        );
    }
 }
--- a/src/crypto/mod.rs
+++ b/src/crypto/mod.rs
@@ -5,5 +5,7 @@ pub mod hash;
 pub mod random;
 pub use aes::{AesCtr, AesCbc};
-pub use hash::{sha256, sha256_hmac, sha1, md5, crc32, derive_middleproxy_keys, build_middleproxy_prekey};
+pub use hash::{
    build_middleproxy_prekey, crc32, crc32c, derive_middleproxy_keys, sha256, sha256_hmac,
 };
 pub use random::SecureRandom;
--- a/src/crypto/random.rs
+++ b/src/crypto/random.rs
@@ -1,5 +1,8 @@
 //! Pseudorandom
 #![allow(deprecated)]
 #![allow(dead_code)]
 use rand::{Rng, RngCore, SeedableRng};
 use rand::rngs::StdRng;
 use parking_lot::Mutex;
@@ -11,6 +14,9 @@ pub struct SecureRandom {
    inner: Mutex<SecureRandomInner>,
 }
 unsafe impl Send for SecureRandom {}
 unsafe impl Sync for SecureRandom {}
 struct SecureRandomInner {
    rng: StdRng,
    cipher: AesCtr,
@@ -46,19 +52,32 @@ impl SecureRandom {
        }
    }
-    /// Generate random bytes
+    /// Fill a caller-provided buffer with random bytes.
-    pub fn bytes(&self, len: usize) -> Vec<u8> {
+    pub fn fill(&self, out: &mut [u8]) {
        let mut inner = self.inner.lock();
        const CHUNK_SIZE: usize = 512;
-        
+
-        while inner.buffer.len() < len {
+        let mut written = 0usize;
-            let mut chunk = vec![0u8; CHUNK_SIZE];
+        while written < out.len() {
-            inner.rng.fill_bytes(&mut chunk);
+            if inner.buffer.is_empty() {
-            inner.cipher.apply(&mut chunk);
+                let mut chunk = vec![0u8; CHUNK_SIZE];
-            inner.buffer.extend_from_slice(&chunk);
+                inner.rng.fill_bytes(&mut chunk);
                inner.cipher.apply(&mut chunk);
                inner.buffer.extend_from_slice(&chunk);
            }
            let take = (out.len() - written).min(inner.buffer.len());
            out[written..written + take].copy_from_slice(&inner.buffer[..take]);
            inner.buffer.drain(..take);
            written += take;
        }
-        
+    }
-        inner.buffer.drain(..len).collect()
+
    /// Generate random bytes
    pub fn bytes(&self, len: usize) -> Vec<u8> {
        let mut out = vec![0u8; len];
        self.fill(&mut out);
        out
    }
    /// Generate random number in range [0, max)
@@ -76,7 +95,7 @@ impl SecureRandom {
            return 0;
        }
-        let bytes_needed = (k + 7) / 8;
+        let bytes_needed = k.div_ceil(8);
        let bytes = self.bytes(bytes_needed.min(8));
        let mut result = 0u64;
@@ -211,4 +230,4 @@ mod tests {
        assert_ne!(shuffled, original);
    }
-}
+}
--- a/src/error.rs
+++ b/src/error.rs
@@ -1,5 +1,7 @@
 //! Error Types
 #![allow(dead_code)]
 use std::fmt;
 use std::net::SocketAddr;
 use thiserror::Error;
@@ -89,7 +91,7 @@ impl From<StreamError> for std::io::Error {
                std::io::Error::new(std::io::ErrorKind::UnexpectedEof, err)
            }
            StreamError::Poisoned { .. } => {
-                std::io::Error::new(std::io::ErrorKind::Other, err)
+                std::io::Error::other(err)
            }
            StreamError::BufferOverflow { .. } => {
                std::io::Error::new(std::io::ErrorKind::OutOfMemory, err)
@@ -98,7 +100,7 @@ impl From<StreamError> for std::io::Error {
                std::io::Error::new(std::io::ErrorKind::InvalidData, err)
            }
            StreamError::PartialRead { .. } | StreamError::PartialWrite { .. } => {
-                std::io::Error::new(std::io::ErrorKind::Other, err)
+                std::io::Error::other(err)
            }
        }
    }
@@ -133,12 +135,7 @@ impl Recoverable for StreamError {
    }
    fn can_continue(&self) -> bool {
-        match self {
+        !matches!(self, Self::Poisoned { .. } | Self::UnexpectedEof | Self::BufferOverflow { .. })
            Self::Poisoned { .. } => false,
            Self::UnexpectedEof => false,
            Self::BufferOverflow { .. } => false,
            _ => true,
        }
    }
 }
--- a/src/ip_tracker.rs
+++ b/src/ip_tracker.rs
@@ -0,0 +1,464 @@
 // src/ip_tracker.rs
 // IP address tracking and limiting for users
 #![allow(dead_code)]
 use std::collections::{HashMap, HashSet};
 use std::net::IpAddr;
 use std::sync::Arc;
 use tokio::sync::RwLock;
 /// Трекер уникальных IP-адресов для каждого пользователя MTProxy
 /// 
 /// Предоставляет thread-safe механизм для:
 /// - Отслеживания активных IP-адресов каждого пользователя
 /// - Ограничения количества уникальных IP на пользователя
 /// - Автоматической очистки при отключении клиентов
 #[derive(Debug, Clone)]
 pub struct UserIpTracker {
    /// Маппинг: Имя пользователя -> Множество активных IP-адресов
    active_ips: Arc<RwLock<HashMap<String, HashSet<IpAddr>>>>,
    /// Маппинг: Имя пользователя -> Максимально разрешенное количество уникальных IP
    max_ips: Arc<RwLock<HashMap<String, usize>>>,
 }
 impl UserIpTracker {
    /// Создать новый пустой трекер
    pub fn new() -> Self {
        Self {
            active_ips: Arc::new(RwLock::new(HashMap::new())),
            max_ips: Arc::new(RwLock::new(HashMap::new())),
        }
    }
    /// Установить лимит уникальных IP для конкретного пользователя
    /// 
    /// # Arguments
    /// * `username` - Имя пользователя
    /// * `max_ips` - Максимальное количество одновременно активных IP-адресов
    pub async fn set_user_limit(&self, username: &str, max_ips: usize) {
        let mut limits = self.max_ips.write().await;
        limits.insert(username.to_string(), max_ips);
    }
    /// Загрузить лимиты из конфигурации
    /// 
    /// # Arguments
    /// * `limits` - HashMap с лимитами из config.toml
    pub async fn load_limits(&self, limits: &HashMap<String, usize>) {
        let mut max_ips = self.max_ips.write().await;
        for (user, limit) in limits {
            max_ips.insert(user.clone(), *limit);
        }
    }
    /// Проверить, может ли пользователь подключиться с данного IP-адреса
    /// и добавить IP в список активных, если проверка успешна
    /// 
    /// # Arguments
    /// * `username` - Имя пользователя
    /// * `ip` - IP-адрес клиента
    /// 
    /// # Returns
    /// * `Ok(())` - Подключение разрешено, IP добавлен в активные
    /// * `Err(String)` - Подключение отклонено с описанием причины
    pub async fn check_and_add(&self, username: &str, ip: IpAddr) -> Result<(), String> {
        // Получаем лимит для пользователя
        let max_ips = self.max_ips.read().await;
        let limit = match max_ips.get(username) {
            Some(limit) => *limit,
            None => {
                // Если лимит не задан - разрешаем безлимитный доступ
                drop(max_ips);
                let mut active_ips = self.active_ips.write().await;
                let user_ips = active_ips
                    .entry(username.to_string())
                    .or_insert_with(HashSet::new);
                user_ips.insert(ip);
                return Ok(());
            }
        };
        drop(max_ips);
        // Проверяем и обновляем активные IP
        let mut active_ips = self.active_ips.write().await;
        let user_ips = active_ips
            .entry(username.to_string())
            .or_insert_with(HashSet::new);
        // Если IP уже есть в списке - это повторное подключение, разрешаем
        if user_ips.contains(&ip) {
            return Ok(());
        }
        // Проверяем, не превышен ли лимит
        if user_ips.len() >= limit {
            return Err(format!(
                "IP limit reached for user '{}': {}/{} unique IPs already connected",
                username,
                user_ips.len(),
                limit
            ));
        }
        // Лимит не превышен - добавляем новый IP
        user_ips.insert(ip);
        Ok(())
    }
    /// Удалить IP-адрес из списка активных при отключении клиента
    /// 
    /// # Arguments
    /// * `username` - Имя пользователя
    /// * `ip` - IP-адрес отключившегося клиента
    pub async fn remove_ip(&self, username: &str, ip: IpAddr) {
        let mut active_ips = self.active_ips.write().await;
        if let Some(user_ips) = active_ips.get_mut(username) {
            user_ips.remove(&ip);
            // Если у пользователя не осталось активных IP - удаляем запись
            // для экономии памяти
            if user_ips.is_empty() {
                active_ips.remove(username);
            }
        }
    }
    /// Получить текущее количество активных IP-адресов для пользователя
    /// 
    /// # Arguments
    /// * `username` - Имя пользователя
    /// 
    /// # Returns
    /// Количество уникальных активных IP-адресов
    pub async fn get_active_ip_count(&self, username: &str) -> usize {
        let active_ips = self.active_ips.read().await;
        active_ips
            .get(username)
            .map(|ips| ips.len())
            .unwrap_or(0)
    }
    /// Получить список всех активных IP-адресов для пользователя
    /// 
    /// # Arguments
    /// * `username` - Имя пользователя
    /// 
    /// # Returns
    /// Вектор с активными IP-адресами
    pub async fn get_active_ips(&self, username: &str) -> Vec<IpAddr> {
        let active_ips = self.active_ips.read().await;
        active_ips
            .get(username)
            .map(|ips| ips.iter().copied().collect())
            .unwrap_or_else(Vec::new)
    }
    /// Получить статистику по всем пользователям
    /// 
    /// # Returns
    /// Вектор кортежей: (имя_пользователя, количество_активных_IP, лимит)
    pub async fn get_stats(&self) -> Vec<(String, usize, usize)> {
        let active_ips = self.active_ips.read().await;
        let max_ips = self.max_ips.read().await;
        let mut stats = Vec::new();
        // Собираем статистику по пользователям с активными подключениями
        for (username, user_ips) in active_ips.iter() {
            let limit = max_ips.get(username).copied().unwrap_or(0);
            stats.push((username.clone(), user_ips.len(), limit));
        }
        stats.sort_by(|a, b| a.0.cmp(&b.0)); // Сортируем по имени пользователя
        stats
    }
    /// Очистить все активные IP для пользователя (при необходимости)
    /// 
    /// # Arguments
    /// * `username` - Имя пользователя
    pub async fn clear_user_ips(&self, username: &str) {
        let mut active_ips = self.active_ips.write().await;
        active_ips.remove(username);
    }
    /// Очистить всю статистику (использовать с осторожностью!)
    pub async fn clear_all(&self) {
        let mut active_ips = self.active_ips.write().await;
        active_ips.clear();
    }
    /// Проверить, подключен ли пользователь с данного IP
    /// 
    /// # Arguments
    /// * `username` - Имя пользователя
    /// * `ip` - IP-адрес для проверки
    /// 
    /// # Returns
    /// `true` если IP активен, `false` если нет
    pub async fn is_ip_active(&self, username: &str, ip: IpAddr) -> bool {
        let active_ips = self.active_ips.read().await;
        active_ips
            .get(username)
            .map(|ips| ips.contains(&ip))
            .unwrap_or(false)
    }
    /// Получить лимит для пользователя
    /// 
    /// # Arguments
    /// * `username` - Имя пользователя
    /// 
    /// # Returns
    /// Лимит IP-адресов или None, если лимит не установлен
    pub async fn get_user_limit(&self, username: &str) -> Option<usize> {
        let max_ips = self.max_ips.read().await;
        max_ips.get(username).copied()
    }
    /// Форматировать статистику в читаемый текст
    /// 
    /// # Returns
    /// Строка со статистикой для логов или мониторинга
    pub async fn format_stats(&self) -> String {
        let stats = self.get_stats().await;
        if stats.is_empty() {
            return String::from("No active users");
        }
        let mut output = String::from("User IP Statistics:\n");
        output.push_str("==================\n");
        for (username, active_count, limit) in stats {
            output.push_str(&format!(
                "User: {:<20} Active IPs: {}/{}\n",
                username,
                active_count,
                if limit > 0 { limit.to_string() } else { "unlimited".to_string() }
            ));
            let ips = self.get_active_ips(&username).await;
            for ip in ips {
                output.push_str(&format!("  └─ {}\n", ip));
            }
        }
        output
    }
 }
 impl Default for UserIpTracker {
    fn default() -> Self {
        Self::new()
    }
 }
 // ============================================================================
 // ТЕСТЫ
 // ============================================================================
 #[cfg(test)]
 mod tests {
    use super::*;
    use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};
    fn test_ipv4(oct1: u8, oct2: u8, oct3: u8, oct4: u8) -> IpAddr {
        IpAddr::V4(Ipv4Addr::new(oct1, oct2, oct3, oct4))
    }
    fn test_ipv6() -> IpAddr {
        IpAddr::V6(Ipv6Addr::new(0x2001, 0xdb8, 0, 0, 0, 0, 0, 1))
    }
    #[tokio::test]
    async fn test_basic_ip_limit() {
        let tracker = UserIpTracker::new();
        tracker.set_user_limit("test_user", 2).await;
        let ip1 = test_ipv4(192, 168, 1, 1);
        let ip2 = test_ipv4(192, 168, 1, 2);
        let ip3 = test_ipv4(192, 168, 1, 3);
        // Первые два IP должны быть приняты
        assert!(tracker.check_and_add("test_user", ip1).await.is_ok());
        assert!(tracker.check_and_add("test_user", ip2).await.is_ok());
        // Третий IP должен быть отклонен
        assert!(tracker.check_and_add("test_user", ip3).await.is_err());
        // Проверяем счетчик
        assert_eq!(tracker.get_active_ip_count("test_user").await, 2);
    }
    #[tokio::test]
    async fn test_reconnection_from_same_ip() {
        let tracker = UserIpTracker::new();
        tracker.set_user_limit("test_user", 2).await;
        let ip1 = test_ipv4(192, 168, 1, 1);
        // Первое подключение
        assert!(tracker.check_and_add("test_user", ip1).await.is_ok());
        // Повторное подключение с того же IP должно пройти
        assert!(tracker.check_and_add("test_user", ip1).await.is_ok());
        // Счетчик не должен увеличиться
        assert_eq!(tracker.get_active_ip_count("test_user").await, 1);
    }
    #[tokio::test]
    async fn test_ip_removal() {
        let tracker = UserIpTracker::new();
        tracker.set_user_limit("test_user", 2).await;
        let ip1 = test_ipv4(192, 168, 1, 1);
        let ip2 = test_ipv4(192, 168, 1, 2);
        let ip3 = test_ipv4(192, 168, 1, 3);
        // Добавляем два IP
        assert!(tracker.check_and_add("test_user", ip1).await.is_ok());
        assert!(tracker.check_and_add("test_user", ip2).await.is_ok());
        // Третий не должен пройти
        assert!(tracker.check_and_add("test_user", ip3).await.is_err());
        // Удаляем первый IP
        tracker.remove_ip("test_user", ip1).await;
        // Теперь третий должен пройти
        assert!(tracker.check_and_add("test_user", ip3).await.is_ok());
        assert_eq!(tracker.get_active_ip_count("test_user").await, 2);
    }
    #[tokio::test]
    async fn test_no_limit() {
        let tracker = UserIpTracker::new();
        // Не устанавливаем лимит для test_user
        let ip1 = test_ipv4(192, 168, 1, 1);
        let ip2 = test_ipv4(192, 168, 1, 2);
        let ip3 = test_ipv4(192, 168, 1, 3);
        // Без лимита все IP должны проходить
        assert!(tracker.check_and_add("test_user", ip1).await.is_ok());
        assert!(tracker.check_and_add("test_user", ip2).await.is_ok());
        assert!(tracker.check_and_add("test_user", ip3).await.is_ok());
        assert_eq!(tracker.get_active_ip_count("test_user").await, 3);
    }
    #[tokio::test]
    async fn test_multiple_users() {
        let tracker = UserIpTracker::new();
        tracker.set_user_limit("user1", 2).await;
        tracker.set_user_limit("user2", 1).await;
        let ip1 = test_ipv4(192, 168, 1, 1);
        let ip2 = test_ipv4(192, 168, 1, 2);
        // user1 может использовать 2 IP
        assert!(tracker.check_and_add("user1", ip1).await.is_ok());
        assert!(tracker.check_and_add("user1", ip2).await.is_ok());
        // user2 может использовать только 1 IP
        assert!(tracker.check_and_add("user2", ip1).await.is_ok());
        assert!(tracker.check_and_add("user2", ip2).await.is_err());
    }
    #[tokio::test]
    async fn test_ipv6_support() {
        let tracker = UserIpTracker::new();
        tracker.set_user_limit("test_user", 2).await;
        let ipv4 = test_ipv4(192, 168, 1, 1);
        let ipv6 = test_ipv6();
        // Должны работать оба типа адресов
        assert!(tracker.check_and_add("test_user", ipv4).await.is_ok());
        assert!(tracker.check_and_add("test_user", ipv6).await.is_ok());
        assert_eq!(tracker.get_active_ip_count("test_user").await, 2);
    }
    #[tokio::test]
    async fn test_get_active_ips() {
        let tracker = UserIpTracker::new();
        tracker.set_user_limit("test_user", 3).await;
        let ip1 = test_ipv4(192, 168, 1, 1);
        let ip2 = test_ipv4(192, 168, 1, 2);
        tracker.check_and_add("test_user", ip1).await.unwrap();
        tracker.check_and_add("test_user", ip2).await.unwrap();
        let active_ips = tracker.get_active_ips("test_user").await;
        assert_eq!(active_ips.len(), 2);
        assert!(active_ips.contains(&ip1));
        assert!(active_ips.contains(&ip2));
    }
    #[tokio::test]
    async fn test_stats() {
        let tracker = UserIpTracker::new();
        tracker.set_user_limit("user1", 3).await;
        tracker.set_user_limit("user2", 2).await;
        let ip1 = test_ipv4(192, 168, 1, 1);
        let ip2 = test_ipv4(192, 168, 1, 2);
        tracker.check_and_add("user1", ip1).await.unwrap();
        tracker.check_and_add("user2", ip2).await.unwrap();
        let stats = tracker.get_stats().await;
        assert_eq!(stats.len(), 2);
        // Проверяем наличие обоих пользователей в статистике
        assert!(stats.iter().any(|(name, _, _)| name == "user1"));
        assert!(stats.iter().any(|(name, _, _)| name == "user2"));
    }
    #[tokio::test]
    async fn test_clear_user_ips() {
        let tracker = UserIpTracker::new();
        let ip1 = test_ipv4(192, 168, 1, 1);
        tracker.check_and_add("test_user", ip1).await.unwrap();
        assert_eq!(tracker.get_active_ip_count("test_user").await, 1);
        tracker.clear_user_ips("test_user").await;
        assert_eq!(tracker.get_active_ip_count("test_user").await, 0);
    }
    #[tokio::test]
    async fn test_is_ip_active() {
        let tracker = UserIpTracker::new();
        let ip1 = test_ipv4(192, 168, 1, 1);
        let ip2 = test_ipv4(192, 168, 1, 2);
        tracker.check_and_add("test_user", ip1).await.unwrap();
        assert!(tracker.is_ip_active("test_user", ip1).await);
        assert!(!tracker.is_ip_active("test_user", ip2).await);
    }
    #[tokio::test]
    async fn test_load_limits_from_config() {
        let tracker = UserIpTracker::new();
        let mut config_limits = HashMap::new();
        config_limits.insert("user1".to_string(), 5);
        config_limits.insert("user2".to_string(), 3);
        tracker.load_limits(&config_limits).await;
        assert_eq!(tracker.get_user_limit("user1").await, Some(5));
        assert_eq!(tracker.get_user_limit("user2").await, Some(3));
        assert_eq!(tracker.get_user_limit("user3").await, None);
    }
 }
--- a/src/main.rs
+++ b/src/main.rs
--- a/src/metrics.rs
+++ b/src/metrics.rs
@@ -0,0 +1,305 @@
 use std::convert::Infallible;
 use std::net::SocketAddr;
 use std::sync::Arc;
 use http_body_util::Full;
 use hyper::body::Bytes;
 use hyper::server::conn::http1;
 use hyper::service::service_fn;
 use hyper::{Request, Response, StatusCode};
 use ipnetwork::IpNetwork;
 use tokio::net::TcpListener;
 use tracing::{info, warn, debug};
 use crate::stats::Stats;
 pub async fn serve(port: u16, stats: Arc<Stats>, whitelist: Vec<IpNetwork>) {
    let addr = SocketAddr::from(([0, 0, 0, 0], port));
    let listener = match TcpListener::bind(addr).await {
        Ok(l) => l,
        Err(e) => {
            warn!(error = %e, "Failed to bind metrics on {}", addr);
            return;
        }
    };
    info!("Metrics endpoint: http://{}/metrics", addr);
    loop {
        let (stream, peer) = match listener.accept().await {
            Ok(v) => v,
            Err(e) => {
                warn!(error = %e, "Metrics accept error");
                continue;
            }
        };
        if !whitelist.is_empty() && !whitelist.iter().any(|net| net.contains(peer.ip())) {
            debug!(peer = %peer, "Metrics request denied by whitelist");
            continue;
        }
        let stats = stats.clone();
        tokio::spawn(async move {
            let svc = service_fn(move |req| {
                let stats = stats.clone();
                async move { handle(req, &stats) }
            });
            if let Err(e) = http1::Builder::new()
                .serve_connection(hyper_util::rt::TokioIo::new(stream), svc)
                .await
            {
                debug!(error = %e, "Metrics connection error");
            }
        });
    }
 }
 fn handle<B>(req: Request<B>, stats: &Stats) -> Result<Response<Full<Bytes>>, Infallible> {
    if req.uri().path() != "/metrics" {
        let resp = Response::builder()
            .status(StatusCode::NOT_FOUND)
            .body(Full::new(Bytes::from("Not Found\n")))
            .unwrap();
        return Ok(resp);
    }
    let body = render_metrics(stats);
    let resp = Response::builder()
        .status(StatusCode::OK)
        .header("content-type", "text/plain; version=0.0.4; charset=utf-8")
        .body(Full::new(Bytes::from(body)))
        .unwrap();
    Ok(resp)
 }
 fn render_metrics(stats: &Stats) -> String {
    use std::fmt::Write;
    let mut out = String::with_capacity(4096);
    let _ = writeln!(out, "# HELP telemt_uptime_seconds Proxy uptime");
    let _ = writeln!(out, "# TYPE telemt_uptime_seconds gauge");
    let _ = writeln!(out, "telemt_uptime_seconds {:.1}", stats.uptime_secs());
    let _ = writeln!(out, "# HELP telemt_connections_total Total accepted connections");
    let _ = writeln!(out, "# TYPE telemt_connections_total counter");
    let _ = writeln!(out, "telemt_connections_total {}", stats.get_connects_all());
    let _ = writeln!(out, "# HELP telemt_connections_bad_total Bad/rejected connections");
    let _ = writeln!(out, "# TYPE telemt_connections_bad_total counter");
    let _ = writeln!(out, "telemt_connections_bad_total {}", stats.get_connects_bad());
    let _ = writeln!(out, "# HELP telemt_handshake_timeouts_total Handshake timeouts");
    let _ = writeln!(out, "# TYPE telemt_handshake_timeouts_total counter");
    let _ = writeln!(out, "telemt_handshake_timeouts_total {}", stats.get_handshake_timeouts());
    let _ = writeln!(out, "# HELP telemt_me_keepalive_sent_total ME keepalive frames sent");
    let _ = writeln!(out, "# TYPE telemt_me_keepalive_sent_total counter");
    let _ = writeln!(out, "telemt_me_keepalive_sent_total {}", stats.get_me_keepalive_sent());
    let _ = writeln!(out, "# HELP telemt_me_keepalive_failed_total ME keepalive send failures");
    let _ = writeln!(out, "# TYPE telemt_me_keepalive_failed_total counter");
    let _ = writeln!(out, "telemt_me_keepalive_failed_total {}", stats.get_me_keepalive_failed());
    let _ = writeln!(out, "# HELP telemt_me_keepalive_pong_total ME keepalive pong replies");
    let _ = writeln!(out, "# TYPE telemt_me_keepalive_pong_total counter");
    let _ = writeln!(out, "telemt_me_keepalive_pong_total {}", stats.get_me_keepalive_pong());
    let _ = writeln!(out, "# HELP telemt_me_keepalive_timeout_total ME keepalive ping timeouts");
    let _ = writeln!(out, "# TYPE telemt_me_keepalive_timeout_total counter");
    let _ = writeln!(out, "telemt_me_keepalive_timeout_total {}", stats.get_me_keepalive_timeout());
    let _ = writeln!(out, "# HELP telemt_me_reconnect_attempts_total ME reconnect attempts");
    let _ = writeln!(out, "# TYPE telemt_me_reconnect_attempts_total counter");
    let _ = writeln!(out, "telemt_me_reconnect_attempts_total {}", stats.get_me_reconnect_attempts());
    let _ = writeln!(out, "# HELP telemt_me_reconnect_success_total ME reconnect successes");
    let _ = writeln!(out, "# TYPE telemt_me_reconnect_success_total counter");
    let _ = writeln!(out, "telemt_me_reconnect_success_total {}", stats.get_me_reconnect_success());
    let _ = writeln!(out, "# HELP telemt_me_crc_mismatch_total ME CRC mismatches");
    let _ = writeln!(out, "# TYPE telemt_me_crc_mismatch_total counter");
    let _ = writeln!(out, "telemt_me_crc_mismatch_total {}", stats.get_me_crc_mismatch());
    let _ = writeln!(out, "# HELP telemt_me_seq_mismatch_total ME sequence mismatches");
    let _ = writeln!(out, "# TYPE telemt_me_seq_mismatch_total counter");
    let _ = writeln!(out, "telemt_me_seq_mismatch_total {}", stats.get_me_seq_mismatch());
    let _ = writeln!(out, "# HELP telemt_me_route_drop_no_conn_total ME route drops: no conn");
    let _ = writeln!(out, "# TYPE telemt_me_route_drop_no_conn_total counter");
    let _ = writeln!(out, "telemt_me_route_drop_no_conn_total {}", stats.get_me_route_drop_no_conn());
    let _ = writeln!(out, "# HELP telemt_me_route_drop_channel_closed_total ME route drops: channel closed");
    let _ = writeln!(out, "# TYPE telemt_me_route_drop_channel_closed_total counter");
    let _ = writeln!(out, "telemt_me_route_drop_channel_closed_total {}", stats.get_me_route_drop_channel_closed());
    let _ = writeln!(out, "# HELP telemt_me_route_drop_queue_full_total ME route drops: queue full");
    let _ = writeln!(out, "# TYPE telemt_me_route_drop_queue_full_total counter");
    let _ = writeln!(out, "telemt_me_route_drop_queue_full_total {}", stats.get_me_route_drop_queue_full());
    let _ = writeln!(out, "# HELP telemt_secure_padding_invalid_total Invalid secure frame lengths");
    let _ = writeln!(out, "# TYPE telemt_secure_padding_invalid_total counter");
    let _ = writeln!(out, "telemt_secure_padding_invalid_total {}", stats.get_secure_padding_invalid());
    let _ = writeln!(out, "# HELP telemt_desync_total Total crypto-desync detections");
    let _ = writeln!(out, "# TYPE telemt_desync_total counter");
    let _ = writeln!(out, "telemt_desync_total {}", stats.get_desync_total());
    let _ = writeln!(out, "# HELP telemt_desync_full_logged_total Full forensic desync logs emitted");
    let _ = writeln!(out, "# TYPE telemt_desync_full_logged_total counter");
    let _ = writeln!(out, "telemt_desync_full_logged_total {}", stats.get_desync_full_logged());
    let _ = writeln!(out, "# HELP telemt_desync_suppressed_total Suppressed desync forensic events");
    let _ = writeln!(out, "# TYPE telemt_desync_suppressed_total counter");
    let _ = writeln!(out, "telemt_desync_suppressed_total {}", stats.get_desync_suppressed());
    let _ = writeln!(out, "# HELP telemt_desync_frames_bucket_total Desync count by frames_ok bucket");
    let _ = writeln!(out, "# TYPE telemt_desync_frames_bucket_total counter");
    let _ = writeln!(
        out,
        "telemt_desync_frames_bucket_total{{bucket=\"0\"}} {}",
        stats.get_desync_frames_bucket_0()
    );
    let _ = writeln!(
        out,
        "telemt_desync_frames_bucket_total{{bucket=\"1_2\"}} {}",
        stats.get_desync_frames_bucket_1_2()
    );
    let _ = writeln!(
        out,
        "telemt_desync_frames_bucket_total{{bucket=\"3_10\"}} {}",
        stats.get_desync_frames_bucket_3_10()
    );
    let _ = writeln!(
        out,
        "telemt_desync_frames_bucket_total{{bucket=\"gt_10\"}} {}",
        stats.get_desync_frames_bucket_gt_10()
    );
    let _ = writeln!(out, "# HELP telemt_pool_swap_total Successful ME pool swaps");
    let _ = writeln!(out, "# TYPE telemt_pool_swap_total counter");
    let _ = writeln!(out, "telemt_pool_swap_total {}", stats.get_pool_swap_total());
    let _ = writeln!(out, "# HELP telemt_pool_drain_active Active draining ME writers");
    let _ = writeln!(out, "# TYPE telemt_pool_drain_active gauge");
    let _ = writeln!(out, "telemt_pool_drain_active {}", stats.get_pool_drain_active());
    let _ = writeln!(out, "# HELP telemt_pool_force_close_total Forced close events for draining writers");
    let _ = writeln!(out, "# TYPE telemt_pool_force_close_total counter");
    let _ = writeln!(
        out,
        "telemt_pool_force_close_total {}",
        stats.get_pool_force_close_total()
    );
    let _ = writeln!(out, "# HELP telemt_pool_stale_pick_total Stale writer fallback picks for new binds");
    let _ = writeln!(out, "# TYPE telemt_pool_stale_pick_total counter");
    let _ = writeln!(
        out,
        "telemt_pool_stale_pick_total {}",
        stats.get_pool_stale_pick_total()
    );
    let _ = writeln!(out, "# HELP telemt_user_connections_total Per-user total connections");
    let _ = writeln!(out, "# TYPE telemt_user_connections_total counter");
    let _ = writeln!(out, "# HELP telemt_user_connections_current Per-user active connections");
    let _ = writeln!(out, "# TYPE telemt_user_connections_current gauge");
    let _ = writeln!(out, "# HELP telemt_user_octets_from_client Per-user bytes received");
    let _ = writeln!(out, "# TYPE telemt_user_octets_from_client counter");
    let _ = writeln!(out, "# HELP telemt_user_octets_to_client Per-user bytes sent");
    let _ = writeln!(out, "# TYPE telemt_user_octets_to_client counter");
    let _ = writeln!(out, "# HELP telemt_user_msgs_from_client Per-user messages received");
    let _ = writeln!(out, "# TYPE telemt_user_msgs_from_client counter");
    let _ = writeln!(out, "# HELP telemt_user_msgs_to_client Per-user messages sent");
    let _ = writeln!(out, "# TYPE telemt_user_msgs_to_client counter");
    for entry in stats.iter_user_stats() {
        let user = entry.key();
        let s = entry.value();
        let _ = writeln!(out, "telemt_user_connections_total{{user=\"{}\"}} {}", user, s.connects.load(std::sync::atomic::Ordering::Relaxed));
        let _ = writeln!(out, "telemt_user_connections_current{{user=\"{}\"}} {}", user, s.curr_connects.load(std::sync::atomic::Ordering::Relaxed));
        let _ = writeln!(out, "telemt_user_octets_from_client{{user=\"{}\"}} {}", user, s.octets_from_client.load(std::sync::atomic::Ordering::Relaxed));
        let _ = writeln!(out, "telemt_user_octets_to_client{{user=\"{}\"}} {}", user, s.octets_to_client.load(std::sync::atomic::Ordering::Relaxed));
        let _ = writeln!(out, "telemt_user_msgs_from_client{{user=\"{}\"}} {}", user, s.msgs_from_client.load(std::sync::atomic::Ordering::Relaxed));
        let _ = writeln!(out, "telemt_user_msgs_to_client{{user=\"{}\"}} {}", user, s.msgs_to_client.load(std::sync::atomic::Ordering::Relaxed));
    }
    out
 }
 #[cfg(test)]
 mod tests {
    use super::*;
    use http_body_util::BodyExt;
    #[test]
    fn test_render_metrics_format() {
        let stats = Arc::new(Stats::new());
        stats.increment_connects_all();
        stats.increment_connects_all();
        stats.increment_connects_bad();
        stats.increment_handshake_timeouts();
        stats.increment_user_connects("alice");
        stats.increment_user_curr_connects("alice");
        stats.add_user_octets_from("alice", 1024);
        stats.add_user_octets_to("alice", 2048);
        stats.increment_user_msgs_from("alice");
        stats.increment_user_msgs_to("alice");
        stats.increment_user_msgs_to("alice");
        let output = render_metrics(&stats);
        assert!(output.contains("telemt_connections_total 2"));
        assert!(output.contains("telemt_connections_bad_total 1"));
        assert!(output.contains("telemt_handshake_timeouts_total 1"));
        assert!(output.contains("telemt_user_connections_total{user=\"alice\"} 1"));
        assert!(output.contains("telemt_user_connections_current{user=\"alice\"} 1"));
        assert!(output.contains("telemt_user_octets_from_client{user=\"alice\"} 1024"));
        assert!(output.contains("telemt_user_octets_to_client{user=\"alice\"} 2048"));
        assert!(output.contains("telemt_user_msgs_from_client{user=\"alice\"} 1"));
        assert!(output.contains("telemt_user_msgs_to_client{user=\"alice\"} 2"));
    }
    #[test]
    fn test_render_empty_stats() {
        let stats = Stats::new();
        let output = render_metrics(&stats);
        assert!(output.contains("telemt_connections_total 0"));
        assert!(output.contains("telemt_connections_bad_total 0"));
        assert!(output.contains("telemt_handshake_timeouts_total 0"));
        assert!(!output.contains("user="));
    }
    #[test]
    fn test_render_has_type_annotations() {
        let stats = Stats::new();
        let output = render_metrics(&stats);
        assert!(output.contains("# TYPE telemt_uptime_seconds gauge"));
        assert!(output.contains("# TYPE telemt_connections_total counter"));
        assert!(output.contains("# TYPE telemt_connections_bad_total counter"));
        assert!(output.contains("# TYPE telemt_handshake_timeouts_total counter"));
    }
    #[tokio::test]
    async fn test_endpoint_integration() {
        let stats = Arc::new(Stats::new());
        stats.increment_connects_all();
        stats.increment_connects_all();
        stats.increment_connects_all();
        let req = Request::builder()
            .uri("/metrics")
            .body(())
            .unwrap();
        let resp = handle(req, &stats).unwrap();
        assert_eq!(resp.status(), StatusCode::OK);
        let body = resp.into_body().collect().await.unwrap().to_bytes();
        assert!(std::str::from_utf8(body.as_ref()).unwrap().contains("telemt_connections_total 3"));
        let req404 = Request::builder()
            .uri("/other")
            .body(())
            .unwrap();
        let resp404 = handle(req404, &stats).unwrap();
        assert_eq!(resp404.status(), StatusCode::NOT_FOUND);
    }
 }
--- a/src/network/mod.rs
+++ b/src/network/mod.rs
@@ -0,0 +1,4 @@
 pub mod probe;
 pub mod stun;
 pub use stun::IpFamily;
--- a/src/network/probe.rs
+++ b/src/network/probe.rs
@@ -0,0 +1,238 @@
 #![allow(dead_code)]
 use std::net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr, UdpSocket};
 use tracing::{info, warn};
 use crate::config::NetworkConfig;
 use crate::error::Result;
 use crate::network::stun::{stun_probe_dual, DualStunResult, IpFamily};
 #[derive(Debug, Clone, Default)]
 pub struct NetworkProbe {
    pub detected_ipv4: Option<Ipv4Addr>,
    pub detected_ipv6: Option<Ipv6Addr>,
    pub reflected_ipv4: Option<SocketAddr>,
    pub reflected_ipv6: Option<SocketAddr>,
    pub ipv4_is_bogon: bool,
    pub ipv6_is_bogon: bool,
    pub ipv4_nat_detected: bool,
    pub ipv6_nat_detected: bool,
    pub ipv4_usable: bool,
    pub ipv6_usable: bool,
 }
 #[derive(Debug, Clone, Default)]
 pub struct NetworkDecision {
    pub ipv4_dc: bool,
    pub ipv6_dc: bool,
    pub ipv4_me: bool,
    pub ipv6_me: bool,
    pub effective_prefer: u8,
    pub effective_multipath: bool,
 }
 impl NetworkDecision {
    pub fn prefer_ipv6(&self) -> bool {
        self.effective_prefer == 6
    }
    pub fn me_families(&self) -> Vec<IpFamily> {
        let mut res = Vec::new();
        if self.ipv4_me {
            res.push(IpFamily::V4);
        }
        if self.ipv6_me {
            res.push(IpFamily::V6);
        }
        res
    }
 }
 pub async fn run_probe(config: &NetworkConfig, stun_addr: Option<String>, nat_probe: bool) -> Result<NetworkProbe> {
    let mut probe = NetworkProbe::default();
    probe.detected_ipv4 = detect_local_ip_v4();
    probe.detected_ipv6 = detect_local_ip_v6();
    probe.ipv4_is_bogon = probe.detected_ipv4.map(is_bogon_v4).unwrap_or(false);
    probe.ipv6_is_bogon = probe.detected_ipv6.map(is_bogon_v6).unwrap_or(false);
    let stun_server = stun_addr.unwrap_or_else(|| "stun.l.google.com:19302".to_string());
    let stun_res = if nat_probe {
        match stun_probe_dual(&stun_server).await {
            Ok(res) => res,
            Err(e) => {
                warn!(error = %e, "STUN probe failed, continuing without reflection");
                DualStunResult::default()
            }
        }
    } else {
        DualStunResult::default()
    };
    probe.reflected_ipv4 = stun_res.v4.map(|r| r.reflected_addr);
    probe.reflected_ipv6 = stun_res.v6.map(|r| r.reflected_addr);
    probe.ipv4_nat_detected = match (probe.detected_ipv4, probe.reflected_ipv4) {
        (Some(det), Some(reflected)) => det != reflected.ip(),
        _ => false,
    };
    probe.ipv6_nat_detected = match (probe.detected_ipv6, probe.reflected_ipv6) {
        (Some(det), Some(reflected)) => det != reflected.ip(),
        _ => false,
    };
    probe.ipv4_usable = config.ipv4
        && probe.detected_ipv4.is_some()
        && (!probe.ipv4_is_bogon || probe.reflected_ipv4.map(|r| !is_bogon(r.ip())).unwrap_or(false));
    let ipv6_enabled = config.ipv6.unwrap_or(probe.detected_ipv6.is_some());
    probe.ipv6_usable = ipv6_enabled
        && probe.detected_ipv6.is_some()
        && (!probe.ipv6_is_bogon || probe.reflected_ipv6.map(|r| !is_bogon(r.ip())).unwrap_or(false));
    Ok(probe)
 }
 pub fn decide_network_capabilities(config: &NetworkConfig, probe: &NetworkProbe) -> NetworkDecision {
    let ipv4_dc = config.ipv4 && probe.detected_ipv4.is_some();
    let ipv6_dc = config.ipv6.unwrap_or(probe.detected_ipv6.is_some()) && probe.detected_ipv6.is_some();
    let ipv4_me = config.ipv4
        && probe.detected_ipv4.is_some()
        && (!probe.ipv4_is_bogon || probe.reflected_ipv4.is_some());
    let ipv6_enabled = config.ipv6.unwrap_or(probe.detected_ipv6.is_some());
    let ipv6_me = ipv6_enabled
        && probe.detected_ipv6.is_some()
        && (!probe.ipv6_is_bogon || probe.reflected_ipv6.is_some());
    let effective_prefer = match config.prefer {
        6 if ipv6_me || ipv6_dc => 6,
        4 if ipv4_me || ipv4_dc => 4,
        6 => {
            warn!("prefer=6 requested but IPv6 unavailable; falling back to IPv4");
            4
        }
        _ => 4,
    };
    let me_families = ipv4_me as u8 + ipv6_me as u8;
    let effective_multipath = config.multipath && me_families >= 2;
    NetworkDecision {
        ipv4_dc,
        ipv6_dc,
        ipv4_me,
        ipv6_me,
        effective_prefer,
        effective_multipath,
    }
 }
 fn detect_local_ip_v4() -> Option<Ipv4Addr> {
    let socket = UdpSocket::bind("0.0.0.0:0").ok()?;
    socket.connect("8.8.8.8:80").ok()?;
    match socket.local_addr().ok()?.ip() {
        IpAddr::V4(v4) => Some(v4),
        _ => None,
    }
 }
 fn detect_local_ip_v6() -> Option<Ipv6Addr> {
    let socket = UdpSocket::bind("[::]:0").ok()?;
    socket.connect("[2001:4860:4860::8888]:80").ok()?;
    match socket.local_addr().ok()?.ip() {
        IpAddr::V6(v6) => Some(v6),
        _ => None,
    }
 }
 pub fn is_bogon(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => is_bogon_v4(v4),
        IpAddr::V6(v6) => is_bogon_v6(v6),
    }
 }
 pub fn is_bogon_v4(ip: Ipv4Addr) -> bool {
    let octets = ip.octets();
    if ip.is_private() || ip.is_loopback() || ip.is_link_local() {
        return true;
    }
    if octets[0] == 0 {
        return true;
    }
    if octets[0] == 100 && (octets[1] & 0xC0) == 64 {
        return true;
    }
    if octets[0] == 192 && octets[1] == 0 && octets[2] == 0 {
        return true;
    }
    if octets[0] == 192 && octets[1] == 0 && octets[2] == 2 {
        return true;
    }
    if octets[0] == 198 && (octets[1] & 0xFE) == 18 {
        return true;
    }
    if octets[0] == 198 && octets[1] == 51 && octets[2] == 100 {
        return true;
    }
    if octets[0] == 203 && octets[1] == 0 && octets[2] == 113 {
        return true;
    }
    if ip.is_multicast() {
        return true;
    }
    if octets[0] >= 240 {
        return true;
    }
    if ip.is_broadcast() {
        return true;
    }
    false
 }
 pub fn is_bogon_v6(ip: Ipv6Addr) -> bool {
    if ip.is_unspecified() || ip.is_loopback() || ip.is_unique_local() {
        return true;
    }
    let segs = ip.segments();
    if (segs[0] & 0xFFC0) == 0xFE80 {
        return true;
    }
    if segs[0..5] == [0, 0, 0, 0, 0] && segs[5] == 0xFFFF {
        return true;
    }
    if segs[0] == 0x0100 && segs[1..4] == [0, 0, 0] {
        return true;
    }
    if segs[0] == 0x2001 && segs[1] == 0x0db8 {
        return true;
    }
    if segs[0] == 0x2002 {
        return true;
    }
    if ip.is_multicast() {
        return true;
    }
    false
 }
 pub fn log_probe_result(probe: &NetworkProbe, decision: &NetworkDecision) {
    info!(
        ipv4 = probe.detected_ipv4.as_ref().map(|v| v.to_string()).unwrap_or_else(|| "-".into()),
        ipv6 = probe.detected_ipv6.as_ref().map(|v| v.to_string()).unwrap_or_else(|| "-".into()),
        reflected_v4 = probe.reflected_ipv4.as_ref().map(|v| v.ip().to_string()).unwrap_or_else(|| "-".into()),
        reflected_v6 = probe.reflected_ipv6.as_ref().map(|v| v.ip().to_string()).unwrap_or_else(|| "-".into()),
        ipv4_bogon = probe.ipv4_is_bogon,
        ipv6_bogon = probe.ipv6_is_bogon,
        ipv4_me = decision.ipv4_me,
        ipv6_me = decision.ipv6_me,
        ipv4_dc = decision.ipv4_dc,
        ipv6_dc = decision.ipv6_dc,
        prefer = decision.effective_prefer,
        multipath = decision.effective_multipath,
        "Network capabilities resolved"
    );
 }
--- a/src/network/stun.rs
+++ b/src/network/stun.rs
@@ -0,0 +1,208 @@
 #![allow(unreachable_code)]
 #![allow(dead_code)]
 use std::net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr};
 use tokio::net::{lookup_host, UdpSocket};
 use tokio::time::{timeout, Duration, sleep};
 use crate::error::{ProxyError, Result};
 #[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
 pub enum IpFamily {
    V4,
    V6,
 }
 #[derive(Debug, Clone, Copy)]
 pub struct StunProbeResult {
    pub local_addr: SocketAddr,
    pub reflected_addr: SocketAddr,
    pub family: IpFamily,
 }
 #[derive(Debug, Default, Clone)]
 pub struct DualStunResult {
    pub v4: Option<StunProbeResult>,
    pub v6: Option<StunProbeResult>,
 }
 pub async fn stun_probe_dual(stun_addr: &str) -> Result<DualStunResult> {
    let (v4, v6) = tokio::join!(
        stun_probe_family(stun_addr, IpFamily::V4),
        stun_probe_family(stun_addr, IpFamily::V6),
    );
    Ok(DualStunResult {
        v4: v4?,
        v6: v6?,
    })
 }
 pub async fn stun_probe_family(stun_addr: &str, family: IpFamily) -> Result<Option<StunProbeResult>> {
    use rand::RngCore;
    let bind_addr = match family {
        IpFamily::V4 => "0.0.0.0:0",
        IpFamily::V6 => "[::]:0",
    };
    let socket = UdpSocket::bind(bind_addr)
        .await
        .map_err(|e| ProxyError::Proxy(format!("STUN bind failed: {e}")))?;
    let target_addr = resolve_stun_addr(stun_addr, family).await?;
    if let Some(addr) = target_addr {
        match socket.connect(addr).await {
            Ok(()) => {}
            Err(e) if family == IpFamily::V6 && matches!(
                e.kind(),
                std::io::ErrorKind::NetworkUnreachable
                | std::io::ErrorKind::HostUnreachable
                | std::io::ErrorKind::Unsupported
                | std::io::ErrorKind::NetworkDown
            ) => return Ok(None),
            Err(e) => return Err(ProxyError::Proxy(format!("STUN connect failed: {e}"))),
        }
    } else {
        return Ok(None);
    }
    let mut req = [0u8; 20];
    req[0..2].copy_from_slice(&0x0001u16.to_be_bytes()); // Binding Request
    req[2..4].copy_from_slice(&0u16.to_be_bytes()); // length
    req[4..8].copy_from_slice(&0x2112A442u32.to_be_bytes()); // magic cookie
    rand::rng().fill_bytes(&mut req[8..20]); // transaction ID
    let mut buf = [0u8; 256];
    let mut attempt = 0;
    let mut backoff = Duration::from_secs(1);
    loop {
        socket
            .send(&req)
            .await
            .map_err(|e| ProxyError::Proxy(format!("STUN send failed: {e}")))?;
        let recv_res = timeout(Duration::from_secs(3), socket.recv(&mut buf)).await;
        let n = match recv_res {
            Ok(Ok(n)) => n,
            Ok(Err(e)) => return Err(ProxyError::Proxy(format!("STUN recv failed: {e}"))),
            Err(_) => {
                attempt += 1;
                if attempt >= 3 {
                    return Ok(None);
                }
                sleep(backoff).await;
                backoff *= 2;
                continue;
            }
        };
        if n < 20 {
            return Ok(None);
        }
        let magic = 0x2112A442u32.to_be_bytes();
        let txid = &req[8..20];
    let mut idx = 20;
    while idx + 4 <= n {
        let atype = u16::from_be_bytes(buf[idx..idx + 2].try_into().unwrap());
        let alen = u16::from_be_bytes(buf[idx + 2..idx + 4].try_into().unwrap()) as usize;
        idx += 4;
        if idx + alen > n {
            break;
        }
        match atype {
            0x0020 /* XOR-MAPPED-ADDRESS */ | 0x0001 /* MAPPED-ADDRESS */ => {
                if alen < 8 {
                    break;
                }
                let family_byte = buf[idx + 1];
                let port_bytes = [buf[idx + 2], buf[idx + 3]];
                let len_check = match family_byte {
                    0x01 => 4,
                    0x02 => 16,
                    _ => 0,
                };
                if len_check == 0 || alen < 4 + len_check {
                    break;
                }
                let raw_ip = &buf[idx + 4..idx + 4 + len_check];
                let mut port = u16::from_be_bytes(port_bytes);
                let reflected_ip = if atype == 0x0020 {
                    port ^= ((magic[0] as u16) << 8) | magic[1] as u16;
                    match family_byte {
                        0x01 => {
                            let ip = [
                                raw_ip[0] ^ magic[0],
                                raw_ip[1] ^ magic[1],
                                raw_ip[2] ^ magic[2],
                                raw_ip[3] ^ magic[3],
                            ];
                            IpAddr::V4(Ipv4Addr::new(ip[0], ip[1], ip[2], ip[3]))
                        }
                        0x02 => {
                            let mut ip = [0u8; 16];
                            let xor_key = [magic.as_slice(), txid].concat();
                            for (i, b) in raw_ip.iter().enumerate().take(16) {
                                ip[i] = *b ^ xor_key[i];
                            }
                            IpAddr::V6(Ipv6Addr::from(ip))
                        }
                        _ => {
                            idx += (alen + 3) & !3;
                            continue;
                        }
                    }
                } else {
                    match family_byte {
                        0x01 => IpAddr::V4(Ipv4Addr::new(raw_ip[0], raw_ip[1], raw_ip[2], raw_ip[3])),
                        0x02 => IpAddr::V6(Ipv6Addr::from(<[u8; 16]>::try_from(raw_ip).unwrap())),
                        _ => {
                            idx += (alen + 3) & !3;
                            continue;
                        }
                    }
                };
                let reflected_addr = SocketAddr::new(reflected_ip, port);
                let local_addr = socket
                    .local_addr()
                    .map_err(|e| ProxyError::Proxy(format!("STUN local_addr failed: {e}")))?;
                return Ok(Some(StunProbeResult {
                    local_addr,
                    reflected_addr,
                    family,
                }));
            }
            _ => {}
        }
        idx += (alen + 3) & !3;
    }
    }
    Ok(None)
 }
 async fn resolve_stun_addr(stun_addr: &str, family: IpFamily) -> Result<Option<SocketAddr>> {
    if let Ok(addr) = stun_addr.parse::<SocketAddr>() {
        return Ok(match (addr.is_ipv4(), family) {
            (true, IpFamily::V4) | (false, IpFamily::V6) => Some(addr),
            _ => None,
        });
    }
    let mut addrs = lookup_host(stun_addr)
        .await
        .map_err(|e| ProxyError::Proxy(format!("STUN resolve failed: {e}")))?;
    let target = addrs
        .find(|a| matches!((a.is_ipv4(), family), (true, IpFamily::V4) | (false, IpFamily::V6)));
    Ok(target)
 }
--- a/src/protocol/constants.rs
+++ b/src/protocol/constants.rs
@@ -1,6 +1,10 @@
 //! Protocol constants and datacenter addresses
-use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};
+#![allow(dead_code)]
 use std::net::{IpAddr, Ipv4Addr};
 use crate::crypto::SecureRandom;
 use std::sync::LazyLock;
 // ============= Telegram Datacenters =============
@@ -151,7 +155,32 @@ pub const TLS_RECORD_ALERT: u8 = 0x15;
 /// Maximum TLS record size
 pub const MAX_TLS_RECORD_SIZE: usize = 16384;
 /// Maximum TLS chunk size (with overhead)
-pub const MAX_TLS_CHUNK_SIZE: usize = 16384 + 24;
+/// RFC 8446 §5.2 allows up to 16384 + 256 bytes of ciphertext
 pub const MAX_TLS_CHUNK_SIZE: usize = 16384 + 256;
 /// Secure Intermediate payload is expected to be 4-byte aligned.
 pub fn is_valid_secure_payload_len(data_len: usize) -> bool {
    data_len.is_multiple_of(4)
 }
 /// Compute Secure Intermediate payload length from wire length.
 /// Secure mode strips up to 3 random tail bytes by truncating to 4-byte boundary.
 pub fn secure_payload_len_from_wire_len(wire_len: usize) -> Option<usize> {
    if wire_len < 4 {
        return None;
    }
    Some(wire_len - (wire_len % 4))
 }
 /// Generate padding length for Secure Intermediate protocol.
 /// Data must be 4-byte aligned; padding is 1..=3 so total is never divisible by 4.
 pub fn secure_padding_len(data_len: usize, rng: &SecureRandom) -> usize {
    debug_assert!(
        is_valid_secure_payload_len(data_len),
        "Secure payload must be 4-byte aligned, got {data_len}"
    );
    rng.range(3) + 1
 }
 // ============= Timeouts =============
@@ -202,7 +231,6 @@ pub static RESERVED_NONCE_CONTINUES: &[[u8; 4]] = &[
 // ============= RPC Constants (for Middle Proxy) =============
 /// RPC Proxy Request
 /// RPC Flags (from Erlang mtp_rpc.erl)
 pub const RPC_FLAG_NOT_ENCRYPTED: u32 = 0x2;
 pub const RPC_FLAG_HAS_AD_TAG: u32    = 0x8;
@@ -284,6 +312,10 @@ pub mod rpc_flags {
        pub const FLAG_ABRIDGED: u32      = 0x40000000;
        pub const FLAG_QUICKACK: u32      = 0x80000000;
    }
    pub mod rpc_crypto_flags {
        pub const USE_CRC32C: u32 = 0x800;
    }
    pub const ME_CONNECT_TIMEOUT_SECS: u64 = 5;
    pub const ME_HANDSHAKE_TIMEOUT_SECS: u64 = 10;
@@ -319,4 +351,43 @@ mod tests {
        assert_eq!(TG_DATACENTERS_V4.len(), 5);
        assert_eq!(TG_DATACENTERS_V6.len(), 5);
    }
-}
+
    #[test]
    fn secure_padding_never_produces_aligned_total() {
        let rng = SecureRandom::new();
        for data_len in (0..1000).step_by(4) {
            for _ in 0..100 {
                let padding = secure_padding_len(data_len, &rng);
                assert!(
                    padding <= 3,
                    "padding out of range: data_len={data_len}, padding={padding}"
                );
                assert_ne!(
                    (data_len + padding) % 4,
                    0,
                    "invariant violated: data_len={data_len}, padding={padding}, total={}",
                    data_len + padding
                );
            }
        }
    }
    #[test]
    fn secure_wire_len_roundtrip_for_aligned_payload() {
        for payload_len in (4..4096).step_by(4) {
            for padding in 0..=3usize {
                let wire_len = payload_len + padding;
                let recovered = secure_payload_len_from_wire_len(wire_len);
                assert_eq!(recovered, Some(payload_len));
            }
        }
    }
    #[test]
    fn secure_wire_len_rejects_too_short_frames() {
        assert_eq!(secure_payload_len_from_wire_len(0), None);
        assert_eq!(secure_payload_len_from_wire_len(1), None);
        assert_eq!(secure_payload_len_from_wire_len(2), None);
        assert_eq!(secure_payload_len_from_wire_len(3), None);
    }
 }
--- a/src/protocol/frame.rs
+++ b/src/protocol/frame.rs
@@ -1,5 +1,7 @@
 //! MTProto frame types and metadata
 #![allow(dead_code)]
 use std::collections::HashMap;
 /// Extra metadata associated with a frame
@@ -83,7 +85,7 @@ impl FrameMode {
 pub fn validate_message_length(len: usize) -> bool {
    use super::constants::{MIN_MSG_LEN, MAX_MSG_LEN, PADDING_FILLER};
-    len >= MIN_MSG_LEN && len <= MAX_MSG_LEN && len % PADDING_FILLER.len() == 0
+    (MIN_MSG_LEN..=MAX_MSG_LEN).contains(&len) && len.is_multiple_of(PADDING_FILLER.len())
 }
 #[cfg(test)]
--- a/src/protocol/mod.rs
+++ b/src/protocol/mod.rs
@@ -5,7 +5,11 @@ pub mod frame;
 pub mod obfuscation;
 pub mod tls;
 #[allow(unused_imports)]
 pub use constants::*;
 #[allow(unused_imports)]
 pub use frame::*;
 #[allow(unused_imports)]
 pub use obfuscation::*;
 #[allow(unused_imports)]
 pub use tls::*;
--- a/src/protocol/obfuscation.rs
+++ b/src/protocol/obfuscation.rs
@@ -1,8 +1,9 @@
 //! MTProto Obfuscation
 #![allow(dead_code)]
 use zeroize::Zeroize;
 use crate::crypto::{sha256, AesCtr};
 use crate::error::Result;
 use super::constants::*;
 /// Obfuscation parameters from handshake
@@ -160,6 +161,12 @@ pub fn prepare_tg_nonce(
 }
 /// Encrypt the outgoing nonce for Telegram
 /// Legacy helper — **do not use**.
 /// WARNING: logic diverges from Python/C reference (SHA256 of 48 bytes, IV from head).
 /// Kept only to avoid breaking external callers; prefer `encrypt_tg_nonce_with_ciphers`.
 #[deprecated(
    note = "Incorrect MTProto obfuscation KDF; use proxy::handshake::encrypt_tg_nonce_with_ciphers"
 )]
 pub fn encrypt_nonce(nonce: &[u8; HANDSHAKE_LEN]) -> Vec<u8> {
    let key_iv = &nonce[SKIP_LEN..SKIP_LEN + KEY_LEN + IV_LEN];
    let enc_key = sha256(key_iv);
@@ -208,4 +215,4 @@ mod tests {
        assert!(is_valid_nonce(&nonce));
        assert_eq!(nonce.len(), HANDSHAKE_LEN);
    }
-}
+}
--- a/src/protocol/tls.rs
+++ b/src/protocol/tls.rs
@@ -4,10 +4,15 @@
 //! for domain fronting. The handshake looks like valid TLS 1.3 but
 //! actually carries MTProto authentication data.
 #![allow(dead_code)]
 use crate::crypto::{sha256_hmac, SecureRandom};
-use crate::error::{ProxyError, Result};
+#[cfg(test)]
 use crate::error::ProxyError;
 use super::constants::*;
 use std::time::{SystemTime, UNIX_EPOCH};
 use num_bigint::BigUint;
 use num_traits::One;
 // ============= Public Constants =============
@@ -30,6 +35,7 @@ pub const TIME_SKEW_MAX: i64 = 10 * 60;  // 10 minutes after
 mod extension_type {
    pub const KEY_SHARE: u16 = 0x0033;
    pub const SUPPORTED_VERSIONS: u16 = 0x002b;
    pub const ALPN: u16 = 0x0010;
 }
 /// TLS Cipher Suites
@@ -60,6 +66,7 @@ pub struct TlsValidation {
 // ============= TLS Extension Builder =============
 /// Builder for TLS extensions with correct length calculation
 #[derive(Clone)]
 struct TlsExtensionBuilder {
    extensions: Vec<u8>,
 }
@@ -106,6 +113,27 @@ impl TlsExtensionBuilder {
        self
    }
    /// Add ALPN extension with a single selected protocol.
    fn add_alpn(&mut self, proto: &[u8]) -> &mut Self {
        // Extension type: ALPN (0x0010)
        self.extensions.extend_from_slice(&extension_type::ALPN.to_be_bytes());
        // ALPN extension format:
        // extension_data length (2 bytes)
        //   protocols length (2 bytes)
        //     protocol name length (1 byte)
        //     protocol name bytes
        let proto_len = proto.len() as u8;
        let list_len: u16 = 1 + proto_len as u16;
        let ext_len: u16 = 2 + list_len;
        self.extensions.extend_from_slice(&ext_len.to_be_bytes());
        self.extensions.extend_from_slice(&list_len.to_be_bytes());
        self.extensions.push(proto_len);
        self.extensions.extend_from_slice(proto);
        self
    }
    /// Build final extensions with length prefix
    fn build(self) -> Vec<u8> {
@@ -142,6 +170,8 @@ struct ServerHelloBuilder {
    compression: u8,
    /// Extensions
    extensions: TlsExtensionBuilder,
    /// Selected ALPN protocol (if any)
    alpn: Option<Vec<u8>>,
 }
 impl ServerHelloBuilder {
@@ -152,6 +182,7 @@ impl ServerHelloBuilder {
            cipher_suite: cipher_suite::TLS_AES_128_GCM_SHA256,
            compression: 0x00,
            extensions: TlsExtensionBuilder::new(),
            alpn: None,
        }
    }
@@ -165,10 +196,19 @@ impl ServerHelloBuilder {
        self.extensions.add_supported_versions(0x0304);
        self
    }
    fn with_alpn(mut self, proto: Option<Vec<u8>>) -> Self {
        self.alpn = proto;
        self
    }
    /// Build ServerHello message (without record header)
    fn build_message(&self) -> Vec<u8> {
-        let extensions = self.extensions.extensions.clone();
+        let mut ext_builder = self.extensions.clone();
        if let Some(ref alpn) = self.alpn {
            ext_builder.add_alpn(alpn);
        }
        let extensions = ext_builder.extensions.clone();
        let extensions_len = extensions.len() as u16;
        // Calculate total length
@@ -295,7 +335,7 @@ pub fn validate_tls_handshake(
            // This is a quirk in some clients that use uptime instead of real time
            let is_boot_time = timestamp < 60 * 60 * 24 * 1000; // < ~2.7 years in seconds
-            if !is_boot_time && (time_diff < TIME_SKEW_MIN || time_diff > TIME_SKEW_MAX) {
+            if !is_boot_time && !(TIME_SKEW_MIN..=TIME_SKEW_MAX).contains(&time_diff) {
                continue;
            }
        }
@@ -311,13 +351,27 @@ pub fn validate_tls_handshake(
    None
 }
 fn curve25519_prime() -> BigUint {
    (BigUint::one() << 255) - BigUint::from(19u32)
 }
 /// Generate a fake X25519 public key for TLS
 ///
-/// This generates random bytes that look like a valid X25519 public key.
+/// Produces a quadratic residue mod p = 2^255 - 19 by computing n² mod p,
-/// Since we're not doing real TLS, the actual cryptographic properties don't matter.
+/// which matches Python/C behavior and avoids DPI fingerprinting.
 pub fn gen_fake_x25519_key(rng: &SecureRandom) -> [u8; 32] {
-    let bytes = rng.bytes(32);
+    let mut n_bytes = [0u8; 32];
-    bytes.try_into().unwrap()
+    n_bytes.copy_from_slice(&rng.bytes(32));
    let n = BigUint::from_bytes_le(&n_bytes);
    let p = curve25519_prime();
    let pk = (&n * &n) % &p;
    let mut out = pk.to_bytes_le();
    out.resize(32, 0);
    let mut result = [0u8; 32];
    result.copy_from_slice(&out[..32]);
    result
 }
 /// Build TLS ServerHello response
@@ -334,13 +388,19 @@ pub fn build_server_hello(
    session_id: &[u8],
    fake_cert_len: usize,
    rng: &SecureRandom,
    alpn: Option<Vec<u8>>,
    new_session_tickets: u8,
 ) -> Vec<u8> {
    const MIN_APP_DATA: usize = 64;
    const MAX_APP_DATA: usize = 16640; // RFC 8446 §5.2 upper bound
    let fake_cert_len = fake_cert_len.clamp(MIN_APP_DATA, MAX_APP_DATA);
    let x25519_key = gen_fake_x25519_key(rng);
    // Build ServerHello
    let server_hello = ServerHelloBuilder::new(session_id.to_vec())
        .with_x25519_key(&x25519_key)
        .with_tls13_version()
        .with_alpn(alpn)
        .build_record();
    // Build Change Cipher Spec record
@@ -357,15 +417,35 @@ pub fn build_server_hello(
    app_data_record.push(TLS_RECORD_APPLICATION);
    app_data_record.extend_from_slice(&TLS_VERSION);
    app_data_record.extend_from_slice(&(fake_cert_len as u16).to_be_bytes());
    // Fill ApplicationData with fully random bytes of desired length to avoid
    // deterministic DPI fingerprints (fixed inner content type markers).
    app_data_record.extend_from_slice(&fake_cert);
    // Build optional NewSessionTicket records (TLS 1.3 handshake messages are encrypted;
    // here we mimic with opaque ApplicationData records of plausible size).
    let mut tickets = Vec::new();
    if new_session_tickets > 0 {
        for _ in 0..new_session_tickets {
            let ticket_len: usize = rng.range(48) + 48; // 48-95 bytes
            let mut record = Vec::with_capacity(5 + ticket_len);
            record.push(TLS_RECORD_APPLICATION);
            record.extend_from_slice(&TLS_VERSION);
            record.extend_from_slice(&(ticket_len as u16).to_be_bytes());
            record.extend_from_slice(&rng.bytes(ticket_len));
            tickets.push(record);
        }
    }
    // Combine all records
    let mut response = Vec::with_capacity(
-        server_hello.len() + change_cipher_spec.len() + app_data_record.len()
+        server_hello.len() + change_cipher_spec.len() + app_data_record.len() + tickets.iter().map(|r| r.len()).sum::<usize>()
    );
    response.extend_from_slice(&server_hello);
    response.extend_from_slice(&change_cipher_spec);
    response.extend_from_slice(&app_data_record);
    for t in &tickets {
        response.extend_from_slice(t);
    }
    // Compute HMAC for the response
    let mut hmac_input = Vec::with_capacity(TLS_DIGEST_LEN + response.len());
@@ -381,6 +461,131 @@ pub fn build_server_hello(
    response
 }
 /// Extract SNI (server_name) from a TLS ClientHello.
 pub fn extract_sni_from_client_hello(handshake: &[u8]) -> Option<String> {
    if handshake.len() < 43 || handshake[0] != TLS_RECORD_HANDSHAKE {
        return None;
    }
    let mut pos = 5; // after record header
    if handshake.get(pos).copied()? != 0x01 {
        return None; // not ClientHello
    }
    // Handshake length bytes
    pos += 4; // type + len (3)
    // version (2) + random (32)
    pos += 2 + 32;
    if pos + 1 > handshake.len() {
        return None;
    }
    let session_id_len = *handshake.get(pos)? as usize;
    pos += 1 + session_id_len;
    if pos + 2 > handshake.len() {
        return None;
    }
    let cipher_suites_len = u16::from_be_bytes([handshake[pos], handshake[pos + 1]]) as usize;
    pos += 2 + cipher_suites_len;
    if pos + 1 > handshake.len() {
        return None;
    }
    let comp_len = *handshake.get(pos)? as usize;
    pos += 1 + comp_len;
    if pos + 2 > handshake.len() {
        return None;
    }
    let ext_len = u16::from_be_bytes([handshake[pos], handshake[pos + 1]]) as usize;
    pos += 2;
    let ext_end = pos + ext_len;
    if ext_end > handshake.len() {
        return None;
    }
    while pos + 4 <= ext_end {
        let etype = u16::from_be_bytes([handshake[pos], handshake[pos + 1]]);
        let elen = u16::from_be_bytes([handshake[pos + 2], handshake[pos + 3]]) as usize;
        pos += 4;
        if pos + elen > ext_end {
            break;
        }
        if etype == 0x0000 && elen >= 5 {
            // server_name extension
            let list_len = u16::from_be_bytes([handshake[pos], handshake[pos + 1]]) as usize;
            let mut sn_pos = pos + 2;
            let sn_end = std::cmp::min(sn_pos + list_len, pos + elen);
            while sn_pos + 3 <= sn_end {
                let name_type = handshake[sn_pos];
                let name_len = u16::from_be_bytes([handshake[sn_pos + 1], handshake[sn_pos + 2]]) as usize;
                sn_pos += 3;
                if sn_pos + name_len > sn_end {
                    break;
                }
                if name_type == 0 && name_len > 0
                    && let Ok(host) = std::str::from_utf8(&handshake[sn_pos..sn_pos + name_len])
                {
                    return Some(host.to_string());
                }
                sn_pos += name_len;
            }
        }
        pos += elen;
    }
    None
 }
 /// Extract ALPN protocol list from ClientHello, return in offered order.
 pub fn extract_alpn_from_client_hello(handshake: &[u8]) -> Vec<Vec<u8>> {
    let mut pos = 5; // after record header
    if handshake.get(pos) != Some(&0x01) {
        return Vec::new();
    }
    pos += 4; // type + len
    pos += 2 + 32; // version + random
    if pos >= handshake.len() { return Vec::new(); }
    let session_id_len = *handshake.get(pos).unwrap_or(&0) as usize;
    pos += 1 + session_id_len;
    if pos + 2 > handshake.len() { return Vec::new(); }
    let cipher_len = u16::from_be_bytes([handshake[pos], handshake[pos+1]]) as usize;
    pos += 2 + cipher_len;
    if pos >= handshake.len() { return Vec::new(); }
    let comp_len = *handshake.get(pos).unwrap_or(&0) as usize;
    pos += 1 + comp_len;
    if pos + 2 > handshake.len() { return Vec::new(); }
    let ext_len = u16::from_be_bytes([handshake[pos], handshake[pos+1]]) as usize;
    pos += 2;
    let ext_end = pos + ext_len;
    if ext_end > handshake.len() { return Vec::new(); }
    let mut out = Vec::new();
    while pos + 4 <= ext_end {
        let etype = u16::from_be_bytes([handshake[pos], handshake[pos+1]]);
        let elen = u16::from_be_bytes([handshake[pos+2], handshake[pos+3]]) as usize;
        pos += 4;
        if pos + elen > ext_end { break; }
        if etype == extension_type::ALPN && elen >= 3 {
            let list_len = u16::from_be_bytes([handshake[pos], handshake[pos+1]]) as usize;
            let mut lp = pos + 2;
            let list_end = (pos + 2).saturating_add(list_len).min(pos + elen);
            while lp < list_end {
                let plen = handshake[lp] as usize;
                lp += 1;
                if lp + plen > list_end { break; }
                out.push(handshake[lp..lp+plen].to_vec());
                lp += plen;
            }
            break;
        }
        pos += elen;
    }
    out
 }
 /// Check if bytes look like a TLS ClientHello
 pub fn is_tls_handshake(first_bytes: &[u8]) -> bool {
    if first_bytes.len() < 3 {
@@ -411,7 +616,7 @@ pub fn parse_tls_record_header(header: &[u8; 5]) -> Option<(u8, u16)> {
 ///
 /// This is useful for testing that our ServerHello is well-formed.
 #[cfg(test)]
-fn validate_server_hello_structure(data: &[u8]) -> Result<()> {
+fn validate_server_hello_structure(data: &[u8]) -> Result<(), ProxyError> {
    if data.len() < 5 {
        return Err(ProxyError::InvalidTlsRecord {
            record_type: 0,
@@ -498,6 +703,17 @@ mod tests {
        assert_eq!(key2.len(), 32);
        assert_ne!(key1, key2); // Should be random
    }
    #[test]
    fn test_fake_x25519_key_is_quadratic_residue() {
        let rng = SecureRandom::new();
        let key = gen_fake_x25519_key(&rng);
        let p = curve25519_prime();
        let k_num = BigUint::from_bytes_le(&key);
        let exponent = (&p - BigUint::one()) >> 1;
        let legendre = k_num.modpow(&exponent, &p);
        assert_eq!(legendre, BigUint::one());
    }
    #[test]
    fn test_tls_extension_builder() {
@@ -548,7 +764,7 @@ mod tests {
        let session_id = vec![0xAA; 32];
        let rng = SecureRandom::new();
-        let response = build_server_hello(secret, &client_digest, &session_id, 2048, &rng);
+        let response = build_server_hello(secret, &client_digest, &session_id, 2048, &rng, None, 0);
        // Should have at least 3 records
        assert!(response.len() > 100);
@@ -581,8 +797,8 @@ mod tests {
        let session_id = vec![0xAA; 32];
        let rng = SecureRandom::new();
-        let response1 = build_server_hello(secret, &client_digest, &session_id, 1024, &rng);
+        let response1 = build_server_hello(secret, &client_digest, &session_id, 1024, &rng, None, 0);
-        let response2 = build_server_hello(secret, &client_digest, &session_id, 1024, &rng);
+        let response2 = build_server_hello(secret, &client_digest, &session_id, 1024, &rng, None, 0);
        // Digest position should have non-zero data
        let digest1 = &response1[TLS_DIGEST_POS..TLS_DIGEST_POS + TLS_DIGEST_LEN];
@@ -641,4 +857,101 @@ mod tests {
        // Should return None (no match) but not panic
        assert!(result.is_none());
    }
-}
+
    fn build_client_hello_with_exts(exts: Vec<(u16, Vec<u8>)>, host: &str) -> Vec<u8> {
        let mut body = Vec::new();
        body.extend_from_slice(&TLS_VERSION); // legacy version
        body.extend_from_slice(&[0u8; 32]); // random
        body.push(0); // session id len
        body.extend_from_slice(&2u16.to_be_bytes()); // cipher suites len
        body.extend_from_slice(&[0x13, 0x01]); // TLS_AES_128_GCM_SHA256
        body.push(1); // compression len
        body.push(0); // null compression
        // Build SNI extension
        let host_bytes = host.as_bytes();
        let mut sni_ext = Vec::new();
        sni_ext.extend_from_slice(&(host_bytes.len() as u16 + 3).to_be_bytes());
        sni_ext.push(0);
        sni_ext.extend_from_slice(&(host_bytes.len() as u16).to_be_bytes());
        sni_ext.extend_from_slice(host_bytes);
        let mut ext_blob = Vec::new();
        for (typ, data) in exts {
            ext_blob.extend_from_slice(&typ.to_be_bytes());
            ext_blob.extend_from_slice(&(data.len() as u16).to_be_bytes());
            ext_blob.extend_from_slice(&data);
        }
        // SNI last
        ext_blob.extend_from_slice(&0x0000u16.to_be_bytes());
        ext_blob.extend_from_slice(&(sni_ext.len() as u16).to_be_bytes());
        ext_blob.extend_from_slice(&sni_ext);
        body.extend_from_slice(&(ext_blob.len() as u16).to_be_bytes());
        body.extend_from_slice(&ext_blob);
        let mut handshake = Vec::new();
        handshake.push(0x01); // ClientHello
        let len_bytes = (body.len() as u32).to_be_bytes();
        handshake.extend_from_slice(&len_bytes[1..4]);
        handshake.extend_from_slice(&body);
        let mut record = Vec::new();
        record.push(TLS_RECORD_HANDSHAKE);
        record.extend_from_slice(&[0x03, 0x01]);
        record.extend_from_slice(&(handshake.len() as u16).to_be_bytes());
        record.extend_from_slice(&handshake);
        record
    }
    #[test]
    fn test_extract_sni_with_grease_extension() {
        // GREASE type 0x0a0a with zero length before SNI
        let ch = build_client_hello_with_exts(vec![(0x0a0a, Vec::new())], "example.com");
        let sni = extract_sni_from_client_hello(&ch);
        assert_eq!(sni.as_deref(), Some("example.com"));
    }
    #[test]
    fn test_extract_sni_tolerates_empty_unknown_extension() {
        let ch = build_client_hello_with_exts(vec![(0x1234, Vec::new())], "test.local");
        let sni = extract_sni_from_client_hello(&ch);
        assert_eq!(sni.as_deref(), Some("test.local"));
    }
    #[test]
    fn test_extract_alpn_single() {
        let mut alpn_data = Vec::new();
        // list length = 3 (1 length byte + "h2")
        alpn_data.extend_from_slice(&3u16.to_be_bytes());
        alpn_data.push(2);
        alpn_data.extend_from_slice(b"h2");
        let ch = build_client_hello_with_exts(vec![(0x0010, alpn_data)], "alpn.test");
        let alpn = extract_alpn_from_client_hello(&ch);
        let alpn_str: Vec<String> = alpn
            .iter()
            .map(|p| std::str::from_utf8(p).unwrap().to_string())
            .collect();
        assert_eq!(alpn_str, vec!["h2"]);
    }
    #[test]
    fn test_extract_alpn_multiple() {
        let mut alpn_data = Vec::new();
        // list length = 11 (sum of per-proto lengths including length bytes)
        alpn_data.extend_from_slice(&11u16.to_be_bytes());
        alpn_data.push(2);
        alpn_data.extend_from_slice(b"h2");
        alpn_data.push(4);
        alpn_data.extend_from_slice(b"spdy");
        alpn_data.push(2);
        alpn_data.extend_from_slice(b"h3");
        let ch = build_client_hello_with_exts(vec![(0x0010, alpn_data)], "alpn.test");
        let alpn = extract_alpn_from_client_hello(&ch);
        let alpn_str: Vec<String> = alpn
            .iter()
            .map(|p| std::str::from_utf8(p).unwrap().to_string())
            .collect();
        assert_eq!(alpn_str, vec!["h2", "spdy", "h3"]);
    }
 }
--- a/src/proxy/client.rs
+++ b/src/proxy/client.rs
@@ -1,6 +1,8 @@
 //! Client Handler
 use std::future::Future;
 use std::net::SocketAddr;
 use std::pin::Pin;
 use std::sync::Arc;
 use std::time::Duration;
 use tokio::io::{AsyncRead, AsyncReadExt, AsyncWrite};
@@ -8,21 +10,212 @@ use tokio::net::TcpStream;
 use tokio::time::timeout;
 use tracing::{debug, warn};
 /// Post-handshake future (relay phase, runs outside handshake timeout)
 type PostHandshakeFuture = Pin<Box<dyn Future<Output = Result<()>> + Send>>;
 /// Result of the handshake phase
 enum HandshakeOutcome {
    /// Handshake succeeded, relay work to do (outside timeout)
    NeedsRelay(PostHandshakeFuture),
    /// Already fully handled (bad client masking, etc.)
    Handled,
 }
 use crate::config::ProxyConfig;
 use crate::crypto::SecureRandom;
 use crate::error::{HandshakeResult, ProxyError, Result};
 use crate::ip_tracker::UserIpTracker;
 use crate::protocol::constants::*;
 use crate::protocol::tls;
 use crate::stats::{ReplayChecker, Stats};
 use crate::stream::{BufferPool, CryptoReader, CryptoWriter};
 use crate::transport::middle_proxy::MePool;
-use crate::transport::{UpstreamManager, configure_client_socket};
+use crate::transport::{UpstreamManager, configure_client_socket, parse_proxy_protocol};
 use crate::transport::socket::normalize_ip;
 use crate::tls_front::TlsFrontCache;
 use crate::proxy::direct_relay::handle_via_direct;
 use crate::proxy::handshake::{HandshakeSuccess, handle_mtproto_handshake, handle_tls_handshake};
 use crate::proxy::masking::handle_bad_client;
 use crate::proxy::middle_relay::handle_via_middle_proxy;
 pub async fn handle_client_stream<S>(
    mut stream: S,
    peer: SocketAddr,
    config: Arc<ProxyConfig>,
    stats: Arc<Stats>,
    upstream_manager: Arc<UpstreamManager>,
    replay_checker: Arc<ReplayChecker>,
    buffer_pool: Arc<BufferPool>,
    rng: Arc<SecureRandom>,
    me_pool: Option<Arc<MePool>>,
    tls_cache: Option<Arc<TlsFrontCache>>,
    ip_tracker: Arc<UserIpTracker>,
    proxy_protocol_enabled: bool,
 ) -> Result<()>
 where
    S: AsyncRead + AsyncWrite + Unpin + Send + 'static,
 {
    stats.increment_connects_all();
    let mut real_peer = normalize_ip(peer);
    if proxy_protocol_enabled {
        match parse_proxy_protocol(&mut stream, peer).await {
            Ok(info) => {
                debug!(
                    peer = %peer,
                    client = %info.src_addr,
                    version = info.version,
                    "PROXY protocol header parsed"
                );
                real_peer = normalize_ip(info.src_addr);
            }
            Err(e) => {
                stats.increment_connects_bad();
                warn!(peer = %peer, error = %e, "Invalid PROXY protocol header");
                return Err(e);
            }
        }
    }
    debug!(peer = %real_peer, "New connection (generic stream)");
    let handshake_timeout = Duration::from_secs(config.timeouts.client_handshake);
    let stats_for_timeout = stats.clone();
    // For non-TCP streams, use a synthetic local address
    let local_addr: SocketAddr = format!("0.0.0.0:{}", config.server.port)
        .parse()
        .unwrap_or_else(|_| "0.0.0.0:443".parse().unwrap());
    // Phase 1: handshake (with timeout)
    let outcome = match timeout(handshake_timeout, async {
        let mut first_bytes = [0u8; 5];
        stream.read_exact(&mut first_bytes).await?;
        let is_tls = tls::is_tls_handshake(&first_bytes[..3]);
        debug!(peer = %real_peer, is_tls = is_tls, "Handshake type detected");
        if is_tls {
            let tls_len = u16::from_be_bytes([first_bytes[3], first_bytes[4]]) as usize;
            if tls_len < 512 {
                debug!(peer = %real_peer, tls_len = tls_len, "TLS handshake too short");
                stats.increment_connects_bad();
                let (reader, writer) = tokio::io::split(stream);
                handle_bad_client(reader, writer, &first_bytes, &config).await;
                return Ok(HandshakeOutcome::Handled);
            }
            let mut handshake = vec![0u8; 5 + tls_len];
            handshake[..5].copy_from_slice(&first_bytes);
            stream.read_exact(&mut handshake[5..]).await?;
            let (read_half, write_half) = tokio::io::split(stream);
            let (mut tls_reader, tls_writer, _tls_user) = match handle_tls_handshake(
                &handshake, read_half, write_half, real_peer,
                &config, &replay_checker, &rng, tls_cache.clone(),
            ).await {
                HandshakeResult::Success(result) => result,
                HandshakeResult::BadClient { reader, writer } => {
                    stats.increment_connects_bad();
                    handle_bad_client(reader, writer, &handshake, &config).await;
                    return Ok(HandshakeOutcome::Handled);
                }
                HandshakeResult::Error(e) => return Err(e),
            };
            debug!(peer = %peer, "Reading MTProto handshake through TLS");
            let mtproto_data = tls_reader.read_exact(HANDSHAKE_LEN).await?;
            let mtproto_handshake: [u8; HANDSHAKE_LEN] = mtproto_data[..].try_into()
                .map_err(|_| ProxyError::InvalidHandshake("Short MTProto handshake".into()))?;
            let (crypto_reader, crypto_writer, success) = match handle_mtproto_handshake(
                &mtproto_handshake, tls_reader, tls_writer, real_peer,
                &config, &replay_checker, true,
            ).await {
                HandshakeResult::Success(result) => result,
                HandshakeResult::BadClient { reader: _, writer: _ } => {
                    stats.increment_connects_bad();
                    debug!(peer = %peer, "Valid TLS but invalid MTProto handshake");
                    return Ok(HandshakeOutcome::Handled);
                }
                HandshakeResult::Error(e) => return Err(e),
            };
            Ok(HandshakeOutcome::NeedsRelay(Box::pin(
                RunningClientHandler::handle_authenticated_static(
                    crypto_reader, crypto_writer, success,
                    upstream_manager, stats, config, buffer_pool, rng, me_pool,
                    local_addr, real_peer, ip_tracker.clone(),
                ),
            )))
        } else {
            if !config.general.modes.classic && !config.general.modes.secure {
                debug!(peer = %real_peer, "Non-TLS modes disabled");
                stats.increment_connects_bad();
                let (reader, writer) = tokio::io::split(stream);
                handle_bad_client(reader, writer, &first_bytes, &config).await;
                return Ok(HandshakeOutcome::Handled);
            }
            let mut handshake = [0u8; HANDSHAKE_LEN];
            handshake[..5].copy_from_slice(&first_bytes);
            stream.read_exact(&mut handshake[5..]).await?;
            let (read_half, write_half) = tokio::io::split(stream);
            let (crypto_reader, crypto_writer, success) = match handle_mtproto_handshake(
                &handshake, read_half, write_half, real_peer,
                &config, &replay_checker, false,
            ).await {
                HandshakeResult::Success(result) => result,
                HandshakeResult::BadClient { reader, writer } => {
                    stats.increment_connects_bad();
                    handle_bad_client(reader, writer, &handshake, &config).await;
                    return Ok(HandshakeOutcome::Handled);
                }
                HandshakeResult::Error(e) => return Err(e),
            };
            Ok(HandshakeOutcome::NeedsRelay(Box::pin(
                RunningClientHandler::handle_authenticated_static(
                    crypto_reader,
                    crypto_writer,
                    success,
                    upstream_manager,
                    stats,
                    config,
                    buffer_pool,
                    rng,
                    me_pool,
                    local_addr,
                    real_peer,
                    ip_tracker.clone(),
                )
            )))
        }
    }).await {
        Ok(Ok(outcome)) => outcome,
        Ok(Err(e)) => {
            debug!(peer = %peer, error = %e, "Handshake failed");
            return Err(e);
        }
        Err(_) => {
            stats_for_timeout.increment_handshake_timeouts();
            debug!(peer = %peer, "Handshake timeout");
            return Err(ProxyError::TgHandshakeTimeout);
        }
    };
    // Phase 2: relay (WITHOUT handshake timeout — relay has its own activity timeouts)
    match outcome {
        HandshakeOutcome::NeedsRelay(fut) => fut.await,
        HandshakeOutcome::Handled => Ok(()),
    }
 }
 pub struct ClientHandler;
 pub struct RunningClientHandler {
@@ -35,6 +228,9 @@ pub struct RunningClientHandler {
    buffer_pool: Arc<BufferPool>,
    rng: Arc<SecureRandom>,
    me_pool: Option<Arc<MePool>>,
    tls_cache: Option<Arc<TlsFrontCache>>,
    ip_tracker: Arc<UserIpTracker>,
    proxy_protocol_enabled: bool,
 }
 impl ClientHandler {
@@ -48,6 +244,9 @@ impl ClientHandler {
        buffer_pool: Arc<BufferPool>,
        rng: Arc<SecureRandom>,
        me_pool: Option<Arc<MePool>>,
        tls_cache: Option<Arc<TlsFrontCache>>,
        ip_tracker: Arc<UserIpTracker>,
        proxy_protocol_enabled: bool,
    ) -> RunningClientHandler {
        RunningClientHandler {
            stream,
@@ -59,6 +258,9 @@ impl ClientHandler {
            buffer_pool,
            rng,
            me_pool,
            tls_cache,
            ip_tracker,
            proxy_protocol_enabled,
        }
    }
 }
@@ -67,7 +269,9 @@ impl RunningClientHandler {
    pub async fn run(mut self) -> Result<()> {
        self.stats.increment_connects_all();
        self.peer = normalize_ip(self.peer);
        let peer = self.peer;
        let _ip_tracker = self.ip_tracker.clone();
        debug!(peer = %peer, "New connection");
        if let Err(e) = configure_client_socket(
@@ -81,31 +285,53 @@ impl RunningClientHandler {
        let handshake_timeout = Duration::from_secs(self.config.timeouts.client_handshake);
        let stats = self.stats.clone();
-        let result = timeout(handshake_timeout, self.do_handshake()).await;
+        // Phase 1: handshake (with timeout)
-
+        let outcome = match timeout(handshake_timeout, self.do_handshake()).await {
-        match result {
+            Ok(Ok(outcome)) => outcome,
            Ok(Ok(())) => {
                debug!(peer = %peer, "Connection handled successfully");
                Ok(())
            }
            Ok(Err(e)) => {
                debug!(peer = %peer, error = %e, "Handshake failed");
-                Err(e)
+                return Err(e);
            }
            Err(_) => {
                stats.increment_handshake_timeouts();
                debug!(peer = %peer, "Handshake timeout");
-                Err(ProxyError::TgHandshakeTimeout)
+                return Err(ProxyError::TgHandshakeTimeout);
            }
        };
        // Phase 2: relay (WITHOUT handshake timeout — relay has its own activity timeouts)
        match outcome {
            HandshakeOutcome::NeedsRelay(fut) => fut.await,
            HandshakeOutcome::Handled => Ok(()),
        }
    }
-    async fn do_handshake(mut self) -> Result<()> {
+    async fn do_handshake(mut self) -> Result<HandshakeOutcome> {
        if self.proxy_protocol_enabled {
            match parse_proxy_protocol(&mut self.stream, self.peer).await {
                Ok(info) => {
                    debug!(
                        peer = %self.peer,
                        client = %info.src_addr,
                        version = info.version,
                        "PROXY protocol header parsed"
                    );
                    self.peer = normalize_ip(info.src_addr);
                }
                Err(e) => {
                    self.stats.increment_connects_bad();
                    warn!(peer = %self.peer, error = %e, "Invalid PROXY protocol header");
                    return Err(e);
                }
            }
        }
        let mut first_bytes = [0u8; 5];
        self.stream.read_exact(&mut first_bytes).await?;
        let is_tls = tls::is_tls_handshake(&first_bytes[..3]);
        let peer = self.peer;
        let _ip_tracker = self.ip_tracker.clone();
        debug!(peer = %peer, is_tls = is_tls, "Handshake type detected");
@@ -116,8 +342,9 @@ impl RunningClientHandler {
        }
    }
-    async fn handle_tls_client(mut self, first_bytes: [u8; 5]) -> Result<()> {
+    async fn handle_tls_client(mut self, first_bytes: [u8; 5]) -> Result<HandshakeOutcome> {
        let peer = self.peer;
        let _ip_tracker = self.ip_tracker.clone();
        let tls_len = u16::from_be_bytes([first_bytes[3], first_bytes[4]]) as usize;
@@ -128,7 +355,7 @@ impl RunningClientHandler {
            self.stats.increment_connects_bad();
            let (reader, writer) = self.stream.into_split();
            handle_bad_client(reader, writer, &first_bytes, &self.config).await;
-            return Ok(());
+            return Ok(HandshakeOutcome::Handled);
        }
        let mut handshake = vec![0u8; 5 + tls_len];
@@ -151,6 +378,7 @@ impl RunningClientHandler {
            &config,
            &replay_checker,
            &self.rng,
            self.tls_cache.clone(),
        )
        .await
        {
@@ -158,7 +386,7 @@ impl RunningClientHandler {
            HandshakeResult::BadClient { reader, writer } => {
                stats.increment_connects_bad();
                handle_bad_client(reader, writer, &handshake, &config).await;
-                return Ok(());
+                return Ok(HandshakeOutcome::Handled);
            }
            HandshakeResult::Error(e) => return Err(e),
        };
@@ -187,35 +415,39 @@ impl RunningClientHandler {
            } => {
                stats.increment_connects_bad();
                debug!(peer = %peer, "Valid TLS but invalid MTProto handshake");
-                return Ok(());
+                return Ok(HandshakeOutcome::Handled);
            }
            HandshakeResult::Error(e) => return Err(e),
        };
-        Self::handle_authenticated_static(
+        Ok(HandshakeOutcome::NeedsRelay(Box::pin(
-            crypto_reader,
+            Self::handle_authenticated_static(
-            crypto_writer,
+                crypto_reader,
-            success,
+                crypto_writer,
-            self.upstream_manager,
+                success,
-            self.stats,
+                self.upstream_manager,
-            self.config,
+                self.stats,
-            buffer_pool,
+                self.config,
-            self.rng,
+                buffer_pool,
-            self.me_pool,
+                self.rng,
-            local_addr,
+                self.me_pool,
-        )
+                local_addr,
-        .await
+                peer,
                self.ip_tracker,
            ),
        )))
    }
-    async fn handle_direct_client(mut self, first_bytes: [u8; 5]) -> Result<()> {
+    async fn handle_direct_client(mut self, first_bytes: [u8; 5]) -> Result<HandshakeOutcome> {
        let peer = self.peer;
        let _ip_tracker = self.ip_tracker.clone();
        if !self.config.general.modes.classic && !self.config.general.modes.secure {
            debug!(peer = %peer, "Non-TLS modes disabled");
            self.stats.increment_connects_bad();
            let (reader, writer) = self.stream.into_split();
            handle_bad_client(reader, writer, &first_bytes, &self.config).await;
-            return Ok(());
+            return Ok(HandshakeOutcome::Handled);
        }
        let mut handshake = [0u8; HANDSHAKE_LEN];
@@ -245,24 +477,27 @@ impl RunningClientHandler {
            HandshakeResult::BadClient { reader, writer } => {
                stats.increment_connects_bad();
                handle_bad_client(reader, writer, &handshake, &config).await;
-                return Ok(());
+                return Ok(HandshakeOutcome::Handled);
            }
            HandshakeResult::Error(e) => return Err(e),
        };
-        Self::handle_authenticated_static(
+        Ok(HandshakeOutcome::NeedsRelay(Box::pin(
-            crypto_reader,
+            Self::handle_authenticated_static(
-            crypto_writer,
+                crypto_reader,
-            success,
+                crypto_writer,
-            self.upstream_manager,
+                success,
-            self.stats,
+                self.upstream_manager,
-            self.config,
+                self.stats,
-            buffer_pool,
+                self.config,
-            self.rng,
+                buffer_pool,
-            self.me_pool,
+                self.rng,
-            local_addr,
+                self.me_pool,
-        )
+                local_addr,
-        .await
+                peer,
                self.ip_tracker,
            ),
        )))
    }
    /// Main dispatch after successful handshake.
@@ -280,6 +515,8 @@ impl RunningClientHandler {
        rng: Arc<SecureRandom>,
        me_pool: Option<Arc<MePool>>,
        local_addr: SocketAddr,
        peer_addr: SocketAddr,
        ip_tracker: Arc<UserIpTracker>,
    ) -> Result<()>
    where
        R: AsyncRead + Unpin + Send + 'static,
@@ -287,11 +524,36 @@ impl RunningClientHandler {
    {
        let user = &success.user;
-        if let Err(e) = Self::check_user_limits_static(user, &config, &stats) {
+        if let Err(e) = Self::check_user_limits_static(user, &config, &stats, peer_addr, &ip_tracker).await {
            warn!(user = %user, error = %e, "User limit exceeded");
            return Err(e);
        }
        // IP Cleanup Guard: автоматически удаляет IP при выходе из scope
        struct IpCleanupGuard {
            tracker: Arc<UserIpTracker>,
            user: String,
            ip: std::net::IpAddr,
        }
        impl Drop for IpCleanupGuard {
            fn drop(&mut self) {
                let tracker = self.tracker.clone();
                let user = self.user.clone();
                let ip = self.ip;
                tokio::spawn(async move {
                    tracker.remove_ip(&user, ip).await;
                    debug!(user = %user, ip = %ip, "IP cleaned up on disconnect");
                });
            }
        }
        let _cleanup = IpCleanupGuard {
            tracker: ip_tracker,
            user: user.clone(),
            ip: peer_addr.ip(),
        };
        // Decide: middle proxy or direct
        if config.general.use_middle_proxy {
            if let Some(ref pool) = me_pool {
@@ -304,6 +566,7 @@ impl RunningClientHandler {
                    config,
                    buffer_pool,
                    local_addr,
                    rng,
                )
                .await;
            }
@@ -324,29 +587,48 @@ impl RunningClientHandler {
        .await
    }
-    fn check_user_limits_static(user: &str, config: &ProxyConfig, stats: &Stats) -> Result<()> {
+    async fn check_user_limits_static(
-        if let Some(expiration) = config.access.user_expirations.get(user) {
+        user: &str, 
-            if chrono::Utc::now() > *expiration {
+        config: &ProxyConfig, 
-                return Err(ProxyError::UserExpired {
+        stats: &Stats,
-                    user: user.to_string(),
+        peer_addr: SocketAddr,
-                });
+        ip_tracker: &UserIpTracker,
-            }
+    ) -> Result<()> {
        if let Some(expiration) = config.access.user_expirations.get(user)
            && chrono::Utc::now() > *expiration
        {
            return Err(ProxyError::UserExpired {
                user: user.to_string(),
            });
        }
-        if let Some(limit) = config.access.user_max_tcp_conns.get(user) {
+        // IP limit check
-            if stats.get_user_curr_connects(user) >= *limit as u64 {
+        if let Err(reason) = ip_tracker.check_and_add(user, peer_addr.ip()).await {
-                return Err(ProxyError::ConnectionLimitExceeded {
+            warn!(
-                    user: user.to_string(),
+                user = %user,
-                });
+                ip = %peer_addr.ip(),
-            }
+                reason = %reason,
                "IP limit exceeded"
            );
            return Err(ProxyError::ConnectionLimitExceeded {
                user: user.to_string(),
            });
        }
-        if let Some(quota) = config.access.user_data_quota.get(user) {
+        if let Some(limit) = config.access.user_max_tcp_conns.get(user)
-            if stats.get_user_total_octets(user) >= *quota {
+            && stats.get_user_curr_connects(user) >= *limit as u64
-                return Err(ProxyError::DataQuotaExceeded {
+        {
-                    user: user.to_string(),
+            return Err(ProxyError::ConnectionLimitExceeded {
-                });
+                user: user.to_string(),
-            }
+            });
        }
        if let Some(quota) = config.access.user_data_quota.get(user)
            && stats.get_user_total_octets(user) >= *quota
        {
            return Err(ProxyError::DataQuotaExceeded {
                user: user.to_string(),
            });
        }
        Ok(())
--- a/src/proxy/direct_relay.rs
+++ b/src/proxy/direct_relay.rs
@@ -1,3 +1,5 @@
 use std::fs::OpenOptions;
 use std::io::Write;
 use std::net::SocketAddr;
 use std::sync::Arc;
@@ -43,7 +45,7 @@ where
    );
    let tg_stream = upstream_manager
-        .connect(dc_addr, Some(success.dc_idx))
+        .connect(dc_addr, Some(success.dc_idx), user.strip_prefix("scope_").filter(|s| !s.is_empty()))
        .await?;
    debug!(peer = %success.peer, dc_addr = %dc_addr, "Connected, performing TG handshake");
@@ -78,7 +80,8 @@ where
 }
 fn get_dc_addr_static(dc_idx: i16, config: &ProxyConfig) -> Result<SocketAddr> {
-    let datacenters = if config.general.prefer_ipv6 {
+    let prefer_v6 = config.network.prefer == 6 && config.network.ipv6.unwrap_or(true);
    let datacenters = if prefer_v6 {
        &*TG_DATACENTERS_V6
    } else {
        &*TG_DATACENTERS_V4
@@ -87,17 +90,24 @@ fn get_dc_addr_static(dc_idx: i16, config: &ProxyConfig) -> Result<SocketAddr> {
    let num_dcs = datacenters.len();
    let dc_key = dc_idx.to_string();
-    if let Some(addr_str) = config.dc_overrides.get(&dc_key) {
+    if let Some(addrs) = config.dc_overrides.get(&dc_key) {
-        match addr_str.parse::<SocketAddr>() {
+        let mut parsed = Vec::new();
-            Ok(addr) => {
+        for addr_str in addrs {
-                debug!(dc_idx = dc_idx, addr = %addr, "Using DC override from config");
+            match addr_str.parse::<SocketAddr>() {
-                return Ok(addr);
+                Ok(addr) => parsed.push(addr),
-            }
+                Err(_) => warn!(dc_idx = dc_idx, addr_str = %addr_str, "Invalid DC override address in config, ignoring"),
            Err(_) => {
                warn!(dc_idx = dc_idx, addr_str = %addr_str,
                        "Invalid DC override address in config, ignoring");
            }
        }
        if let Some(addr) = parsed
            .iter()
            .find(|a| a.is_ipv6() == prefer_v6)
            .or_else(|| parsed.first())
            .copied()
        {
            debug!(dc_idx = dc_idx, addr = %addr, count = parsed.len(), "Using DC override from config");
            return Ok(addr);
        }
    }
    let abs_dc = dc_idx.unsigned_abs() as usize;
@@ -105,6 +115,16 @@ fn get_dc_addr_static(dc_idx: i16, config: &ProxyConfig) -> Result<SocketAddr> {
        return Ok(SocketAddr::new(datacenters[abs_dc - 1], TG_DATACENTER_PORT));
    }
    // Unknown DC requested by client without override: log and fall back.
    if !config.dc_overrides.contains_key(&dc_key) {
        warn!(dc_idx = dc_idx, "Requested non-standard DC with no override; falling back to default cluster");
        if let Some(path) = &config.general.unknown_dc_log_path
            && let Ok(mut file) = OpenOptions::new().create(true).append(true).open(path)
        {
            let _ = writeln!(file, "dc_idx={dc_idx}");
        }
    }
    let default_dc = config.default_dc.unwrap_or(2) as usize;
    let fallback_idx = if default_dc >= 1 && default_dc <= num_dcs {
        default_dc - 1
@@ -139,6 +159,8 @@ async fn do_tg_handshake_static(
        success.dc_idx,
        &success.dec_key,
        success.dec_iv,
        &success.enc_key,
        success.enc_iv,
        rng,
        config.general.fast_mode,
    );
@@ -156,8 +178,9 @@ async fn do_tg_handshake_static(
    let (read_half, write_half) = stream.into_split();
    let max_pending = config.general.crypto_pending_buffer;
    Ok((
        CryptoReader::new(read_half, tg_decryptor),
-        CryptoWriter::new(write_half, tg_encryptor),
+        CryptoWriter::new(write_half, tg_encryptor, max_pending),
    ))
 }
--- a/src/proxy/handshake.rs
+++ b/src/proxy/handshake.rs
@@ -1,17 +1,23 @@
 //! MTProto Handshake
 #![allow(dead_code)]
 use std::net::SocketAddr;
 use std::sync::Arc;
 use std::time::Duration;
 use tokio::io::{AsyncRead, AsyncWrite, AsyncWriteExt};
 use tracing::{debug, warn, trace, info};
 use zeroize::Zeroize;
 use crate::crypto::{sha256, AesCtr, SecureRandom};
 use rand::Rng;
 use crate::protocol::constants::*;
 use crate::protocol::tls;
 use crate::stream::{FakeTlsReader, FakeTlsWriter, CryptoReader, CryptoWriter};
 use crate::error::{ProxyError, HandshakeResult};
 use crate::stats::ReplayChecker;
 use crate::config::ProxyConfig;
 use crate::tls_front::{TlsFrontCache, emulator};
 /// Result of successful handshake
 ///
@@ -55,6 +61,7 @@ pub async fn handle_tls_handshake<R, W>(
    config: &ProxyConfig,
    replay_checker: &ReplayChecker,
    rng: &SecureRandom,
    tls_cache: Option<Arc<TlsFrontCache>>,
 ) -> HandshakeResult<(FakeTlsReader<R>, FakeTlsWriter<W>, String), R, W>
 where
    R: AsyncRead + Unpin,
@@ -70,7 +77,7 @@ where
    let digest = &handshake[tls::TLS_DIGEST_POS..tls::TLS_DIGEST_POS + tls::TLS_DIGEST_LEN];
    let digest_half = &digest[..tls::TLS_DIGEST_HALF_LEN];
-    if replay_checker.check_tls_digest(digest_half) {
+    if replay_checker.check_and_add_tls_digest(digest_half) {
        warn!(peer = %peer, "TLS replay attack detected (duplicate digest)");
        return HandshakeResult::BadClient { reader, writer };
    }
@@ -102,13 +109,85 @@ where
        None => return HandshakeResult::BadClient { reader, writer },
    };
-    let response = tls::build_server_hello(
+    let cached = if config.censorship.tls_emulation {
-        secret,
+        if let Some(cache) = tls_cache.as_ref() {
-        &validation.digest,
+            let selected_domain = if let Some(sni) = tls::extract_sni_from_client_hello(handshake) {
-        &validation.session_id,
+                if cache.contains_domain(&sni).await {
-        config.censorship.fake_cert_len,
+                    sni
-        rng,
+                } else {
-    );
+                    config.censorship.tls_domain.clone()
                }
            } else {
                config.censorship.tls_domain.clone()
            };
            let cached_entry = cache.get(&selected_domain).await;
            let use_full_cert_payload = cache
                .take_full_cert_budget_for_ip(
                    peer.ip(),
                    Duration::from_secs(config.censorship.tls_full_cert_ttl_secs),
                )
                .await;
            Some((cached_entry, use_full_cert_payload))
        } else {
            None
        }
    } else {
        None
    };
    let alpn_list = if config.censorship.alpn_enforce {
        tls::extract_alpn_from_client_hello(handshake)
    } else {
        Vec::new()
    };
    let selected_alpn = if config.censorship.alpn_enforce {
        if alpn_list.iter().any(|p| p == b"h2") {
            Some(b"h2".to_vec())
        } else if alpn_list.iter().any(|p| p == b"http/1.1") {
            Some(b"http/1.1".to_vec())
        } else {
            None
        }
    } else {
        None
    };
    let response = if let Some((cached_entry, use_full_cert_payload)) = cached {
        emulator::build_emulated_server_hello(
            secret,
            &validation.digest,
            &validation.session_id,
            &cached_entry,
            use_full_cert_payload,
            rng,
            selected_alpn.clone(),
            config.censorship.tls_new_session_tickets,
        )
    } else {
        tls::build_server_hello(
            secret,
            &validation.digest,
            &validation.session_id,
            config.censorship.fake_cert_len,
            rng,
            selected_alpn.clone(),
            config.censorship.tls_new_session_tickets,
        )
    };
    // Optional anti-fingerprint delay before sending ServerHello.
    if config.censorship.server_hello_delay_max_ms > 0 {
        let min = config.censorship.server_hello_delay_min_ms;
        let max = config.censorship.server_hello_delay_max_ms.max(min);
        let delay_ms = if max == min {
            max
        } else {
            rand::rng().random_range(min..=max)
        };
        if delay_ms > 0 {
            tokio::time::sleep(std::time::Duration::from_millis(delay_ms)).await;
        }
    }
    debug!(peer = %peer, response_len = response.len(), "Sending TLS ServerHello");
@@ -122,8 +201,6 @@ where
        return HandshakeResult::Error(ProxyError::Io(e));
    }
    replay_checker.add_tls_digest(digest_half);
    info!(
        peer = %peer,
        user = %validation.user,
@@ -155,7 +232,7 @@ where
    let dec_prekey_iv = &handshake[SKIP_LEN..SKIP_LEN + PREKEY_LEN + IV_LEN];
-    if replay_checker.check_handshake(dec_prekey_iv) {
+    if replay_checker.check_and_add_handshake(dec_prekey_iv) {
        warn!(peer = %peer, "MTProto replay attack detected");
        return HandshakeResult::BadClient { reader, writer };
    }
@@ -192,7 +269,11 @@ where
        let mode_ok = match proto_tag {
            ProtoTag::Secure => {
-                if is_tls { config.general.modes.tls } else { config.general.modes.secure }
+                if is_tls {
                    config.general.modes.tls || config.general.modes.secure
                } else {
                    config.general.modes.secure || config.general.modes.tls
                }
            }
            ProtoTag::Intermediate | ProtoTag::Abridged => config.general.modes.classic,
        };
@@ -216,8 +297,6 @@ where
        let enc_iv = u128::from_be_bytes(enc_iv_bytes.try_into().unwrap());
        replay_checker.add_handshake(dec_prekey_iv);
        let encryptor = AesCtr::new(&enc_key, enc_iv);
        let success = HandshakeSuccess {
@@ -241,9 +320,10 @@ where
            "MTProto handshake successful"
        );
        let max_pending = config.general.crypto_pending_buffer;
        return HandshakeResult::Success((
            CryptoReader::new(reader, decryptor),
-            CryptoWriter::new(writer, encryptor),
+            CryptoWriter::new(writer, encryptor, max_pending),
            success,
        ));
    }
@@ -256,8 +336,10 @@ where
 pub fn generate_tg_nonce(
    proto_tag: ProtoTag, 
    dc_idx: i16,
-    client_dec_key: &[u8; 32],
+    _client_dec_key: &[u8; 32],
-    client_dec_iv: u128,
+    _client_dec_iv: u128,
    client_enc_key: &[u8; 32],
    client_enc_iv: u128,
    rng: &SecureRandom,
    fast_mode: bool,
 ) -> ([u8; HANDSHAKE_LEN], [u8; 32], u128, [u8; 32], u128) {
@@ -278,9 +360,11 @@ pub fn generate_tg_nonce(
        nonce[DC_IDX_POS..DC_IDX_POS + 2].copy_from_slice(&dc_idx.to_le_bytes());
        if fast_mode {
-            nonce[SKIP_LEN..SKIP_LEN + KEY_LEN].copy_from_slice(client_dec_key);
+            let mut key_iv = Vec::with_capacity(KEY_LEN + IV_LEN);
-            nonce[SKIP_LEN + KEY_LEN..SKIP_LEN + KEY_LEN + IV_LEN]
+            key_iv.extend_from_slice(client_enc_key);
-                .copy_from_slice(&client_dec_iv.to_be_bytes());
+            key_iv.extend_from_slice(&client_enc_iv.to_be_bytes());
            key_iv.reverse(); // Python/C behavior: reversed enc_key+enc_iv in nonce
            nonce[SKIP_LEN..SKIP_LEN + KEY_LEN + IV_LEN].copy_from_slice(&key_iv);
        }
        let enc_key_iv = &nonce[SKIP_LEN..SKIP_LEN + KEY_LEN + IV_LEN];
@@ -332,10 +416,21 @@ mod tests {
    fn test_generate_tg_nonce() {
        let client_dec_key = [0x42u8; 32];
        let client_dec_iv = 12345u128;
        let client_enc_key = [0x24u8; 32];
        let client_enc_iv = 54321u128;
        let rng = SecureRandom::new();
        let (nonce, _tg_enc_key, _tg_enc_iv, _tg_dec_key, _tg_dec_iv) = 
-            generate_tg_nonce(ProtoTag::Secure, 2, &client_dec_key, client_dec_iv, &rng, false);
+            generate_tg_nonce(
                ProtoTag::Secure,
                2,
                &client_dec_key,
                client_dec_iv,
                &client_enc_key,
                client_enc_iv,
                &rng,
                false,
            );
        assert_eq!(nonce.len(), HANDSHAKE_LEN);
@@ -347,10 +442,21 @@ mod tests {
    fn test_encrypt_tg_nonce() {
        let client_dec_key = [0x42u8; 32];
        let client_dec_iv = 12345u128;
        let client_enc_key = [0x24u8; 32];
        let client_enc_iv = 54321u128;
        let rng = SecureRandom::new();
        let (nonce, _, _, _, _) = 
-            generate_tg_nonce(ProtoTag::Secure, 2, &client_dec_key, client_dec_iv, &rng, false);
+            generate_tg_nonce(
                ProtoTag::Secure,
                2,
                &client_dec_key,
                client_dec_iv,
                &client_enc_key,
                client_enc_iv,
                &rng,
                false,
            );
        let encrypted = encrypt_tg_nonce(&nonce);
@@ -379,4 +485,4 @@ mod tests {
        drop(success);
        // Drop impl zeroizes key material without panic
    }
-}
+}
--- a/src/proxy/masking.rs
+++ b/src/proxy/masking.rs
@@ -1,7 +1,7 @@
 //! Masking - forward unrecognized traffic to mask host
 use std::time::Duration;
 use std::str;
 use std::time::Duration;
 use tokio::net::TcpStream;
 #[cfg(unix)]
 use tokio::net::UnixStream;
@@ -11,20 +11,20 @@ use tracing::debug;
 use crate::config::ProxyConfig;
 const MASK_TIMEOUT: Duration = Duration::from_secs(5);
-    /// Maximum duration for the entire masking relay.
+/// Maximum duration for the entire masking relay.
-    /// Limits resource consumption from slow-loris attacks and port scanners.
+/// Limits resource consumption from slow-loris attacks and port scanners.
-    const MASK_RELAY_TIMEOUT: Duration = Duration::from_secs(60);
+const MASK_RELAY_TIMEOUT: Duration = Duration::from_secs(60);
 const MASK_BUFFER_SIZE: usize = 8192;
 /// Detect client type based on initial data
 fn detect_client_type(data: &[u8]) -> &'static str {
    // Check for HTTP request
-    if data.len() > 4 {
+    if data.len() > 4
-        if data.starts_with(b"GET ") || data.starts_with(b"POST") ||
+        && (data.starts_with(b"GET ") || data.starts_with(b"POST") ||
           data.starts_with(b"HEAD") || data.starts_with(b"PUT ") ||
-           data.starts_with(b"DELETE") || data.starts_with(b"OPTIONS") {
+           data.starts_with(b"DELETE") || data.starts_with(b"OPTIONS"))
-            return "HTTP";
+    {
-        }
+        return "HTTP";
    }
    // Check for TLS ClientHello (0x16 = handshake, 0x03 0x01-0x03 = TLS version)
@@ -78,7 +78,9 @@ where
        match connect_result {
            Ok(Ok(stream)) => {
                let (mask_read, mask_write) = stream.into_split();
-                relay_to_mask(reader, writer, mask_read, mask_write, initial_data).await;
+                if timeout(MASK_RELAY_TIMEOUT, relay_to_mask(reader, writer, mask_read, mask_write, initial_data)).await.is_err() {
                    debug!("Mask relay timed out (unix socket)");
                }
            }
            Ok(Err(e)) => {
                debug!(error = %e, "Failed to connect to mask unix socket");
@@ -110,7 +112,9 @@ where
    match connect_result {
        Ok(Ok(stream)) => {
            let (mask_read, mask_write) = stream.into_split();
-            relay_to_mask(reader, writer, mask_read, mask_write, initial_data).await;
+            if timeout(MASK_RELAY_TIMEOUT, relay_to_mask(reader, writer, mask_read, mask_write, initial_data)).await.is_err() {
                debug!("Mask relay timed out");
            }
        }
        Ok(Err(e)) => {
            debug!(error = %e, "Failed to connect to mask host");
--- a/src/proxy/middle_relay.rs
+++ b/src/proxy/middle_relay.rs
@@ -1,26 +1,181 @@
-use std::net::SocketAddr;
+use std::collections::HashMap;
-use std::sync::Arc;
+use std::collections::hash_map::DefaultHasher;
 use std::hash::{Hash, Hasher};
 use std::net::{IpAddr, SocketAddr};
 use std::sync::atomic::{AtomicU64, Ordering};
 use std::sync::{Arc, Mutex, OnceLock};
 use std::time::{Duration, Instant};
 use tokio::io::{AsyncRead, AsyncReadExt, AsyncWrite, AsyncWriteExt};
-use tracing::{debug, info, trace};
+use tokio::sync::{mpsc, oneshot};
 use tracing::{debug, info, trace, warn};
 use crate::config::ProxyConfig;
 use crate::crypto::SecureRandom;
 use crate::error::{ProxyError, Result};
-use crate::protocol::constants::*;
+use crate::protocol::constants::{*, secure_padding_len};
 use crate::proxy::handshake::HandshakeSuccess;
 use crate::stats::Stats;
 use crate::stream::{BufferPool, CryptoReader, CryptoWriter};
 use crate::transport::middle_proxy::{MePool, MeResponse, proto_flags_for_tag};
 enum C2MeCommand {
    Data { payload: Vec<u8>, flags: u32 },
    Close,
 }
 const DESYNC_DEDUP_WINDOW: Duration = Duration::from_secs(60);
 const DESYNC_ERROR_CLASS: &str = "frame_too_large_crypto_desync";
 static DESYNC_DEDUP: OnceLock<Mutex<HashMap<u64, Instant>>> = OnceLock::new();
 struct RelayForensicsState {
    trace_id: u64,
    conn_id: u64,
    user: String,
    peer: SocketAddr,
    peer_hash: u64,
    started_at: Instant,
    bytes_c2me: u64,
    bytes_me2c: Arc<AtomicU64>,
    desync_all_full: bool,
 }
 fn hash_value<T: Hash>(value: &T) -> u64 {
    let mut hasher = DefaultHasher::new();
    value.hash(&mut hasher);
    hasher.finish()
 }
 fn hash_ip(ip: IpAddr) -> u64 {
    hash_value(&ip)
 }
 fn should_emit_full_desync(key: u64, all_full: bool, now: Instant) -> bool {
    if all_full {
        return true;
    }
    let dedup = DESYNC_DEDUP.get_or_init(|| Mutex::new(HashMap::new()));
    let mut guard = dedup.lock().expect("desync dedup mutex poisoned");
    guard.retain(|_, seen_at| now.duration_since(*seen_at) < DESYNC_DEDUP_WINDOW);
    match guard.get_mut(&key) {
        Some(seen_at) => {
            if now.duration_since(*seen_at) >= DESYNC_DEDUP_WINDOW {
                *seen_at = now;
                true
            } else {
                false
            }
        }
        None => {
            guard.insert(key, now);
            true
        }
    }
 }
 fn report_desync_frame_too_large(
    state: &RelayForensicsState,
    proto_tag: ProtoTag,
    frame_counter: u64,
    max_frame: usize,
    len: usize,
    raw_len_bytes: Option<[u8; 4]>,
    stats: &Stats,
 ) -> ProxyError {
    let len_buf = raw_len_bytes.unwrap_or((len as u32).to_le_bytes());
    let looks_like_tls = raw_len_bytes
        .map(|b| b[0] == 0x16 && b[1] == 0x03)
        .unwrap_or(false);
    let looks_like_http = raw_len_bytes
        .map(|b| matches!(b[0], b'G' | b'P' | b'H' | b'C' | b'D'))
        .unwrap_or(false);
    let now = Instant::now();
    let dedup_key = hash_value(&(
        state.user.as_str(),
        state.peer_hash,
        proto_tag,
        DESYNC_ERROR_CLASS,
    ));
    let emit_full = should_emit_full_desync(dedup_key, state.desync_all_full, now);
    let duration_ms = state.started_at.elapsed().as_millis() as u64;
    let bytes_me2c = state.bytes_me2c.load(Ordering::Relaxed);
    stats.increment_desync_total();
    stats.observe_desync_frames_ok(frame_counter);
    if emit_full {
        stats.increment_desync_full_logged();
        warn!(
            trace_id = format_args!("0x{:016x}", state.trace_id),
            conn_id = state.conn_id,
            user = %state.user,
            peer_hash = format_args!("0x{:016x}", state.peer_hash),
            proto = ?proto_tag,
            mode = "middle_proxy",
            is_tls = true,
            duration_ms,
            bytes_c2me = state.bytes_c2me,
            bytes_me2c,
            raw_len = len,
            raw_len_hex = format_args!("0x{:08x}", len),
            raw_bytes = format_args!(
                "{:02x} {:02x} {:02x} {:02x}",
                len_buf[0], len_buf[1], len_buf[2], len_buf[3]
            ),
            max_frame,
            tls_like = looks_like_tls,
            http_like = looks_like_http,
            frames_ok = frame_counter,
            dedup_window_secs = DESYNC_DEDUP_WINDOW.as_secs(),
            desync_all_full = state.desync_all_full,
            full_reason = if state.desync_all_full { "desync_all_full" } else { "first_in_dedup_window" },
            error_class = DESYNC_ERROR_CLASS,
            "Frame too large — crypto desync forensics"
        );
        debug!(
            trace_id = format_args!("0x{:016x}", state.trace_id),
            conn_id = state.conn_id,
            user = %state.user,
            peer = %state.peer,
            "Frame too large forensic peer detail"
        );
    } else {
        stats.increment_desync_suppressed();
        debug!(
            trace_id = format_args!("0x{:016x}", state.trace_id),
            conn_id = state.conn_id,
            user = %state.user,
            peer_hash = format_args!("0x{:016x}", state.peer_hash),
            proto = ?proto_tag,
            duration_ms,
            bytes_c2me = state.bytes_c2me,
            bytes_me2c,
            raw_len = len,
            frames_ok = frame_counter,
            dedup_window_secs = DESYNC_DEDUP_WINDOW.as_secs(),
            error_class = DESYNC_ERROR_CLASS,
            "Frame too large — crypto desync forensic suppressed"
        );
    }
    ProxyError::Proxy(format!(
        "Frame too large: {len} (max {max_frame}), frames_ok={frame_counter}, conn_id={}, trace_id=0x{:016x}",
        state.conn_id,
        state.trace_id
    ))
 }
 pub(crate) async fn handle_via_middle_proxy<R, W>(
    mut crypto_reader: CryptoReader<R>,
-    mut crypto_writer: CryptoWriter<W>,
+    crypto_writer: CryptoWriter<W>,
    success: HandshakeSuccess,
    me_pool: Arc<MePool>,
    stats: Arc<Stats>,
-    _config: Arc<ProxyConfig>,
+    config: Arc<ProxyConfig>,
    _buffer_pool: Arc<BufferPool>,
    local_addr: SocketAddr,
    rng: Arc<SecureRandom>,
 ) -> Result<()>
 where
    R: AsyncRead + Unpin + Send + 'static,
@@ -29,6 +184,7 @@ where
    let user = success.user.clone();
    let peer = success.peer;
    let proto_tag = success.proto_tag;
    let pool_generation = me_pool.current_generation();
    info!(
        user = %user,
@@ -36,73 +192,233 @@ where
        dc = success.dc_idx,
        proto = ?proto_tag,
        mode = "middle_proxy",
        pool_generation,
        "Routing via Middle-End"
    );
-    let (conn_id, mut me_rx) = me_pool.registry().register().await;
+    let (conn_id, me_rx) = me_pool.registry().register().await;
    let trace_id = conn_id;
    let bytes_me2c = Arc::new(AtomicU64::new(0));
    let mut forensics = RelayForensicsState {
        trace_id,
        conn_id,
        user: user.clone(),
        peer,
        peer_hash: hash_ip(peer.ip()),
        started_at: Instant::now(),
        bytes_c2me: 0,
        bytes_me2c: bytes_me2c.clone(),
        desync_all_full: config.general.desync_all_full,
    };
    stats.increment_user_connects(&user);
    stats.increment_user_curr_connects(&user);
    let proto_flags = proto_flags_for_tag(proto_tag, me_pool.has_proxy_tag());
    debug!(
        trace_id = format_args!("0x{:016x}", trace_id),
        user = %user,
        conn_id,
        peer_hash = format_args!("0x{:016x}", forensics.peer_hash),
        desync_all_full = forensics.desync_all_full,
        proto_flags = format_args!("0x{:08x}", proto_flags),
        pool_generation,
        "ME relay started"
    );
    let translated_local_addr = me_pool.translate_our_addr(local_addr);
-    let result: Result<()> = loop {
+    let frame_limit = config.general.max_client_frame;
-        tokio::select! {
+
-            client_frame = read_client_payload(&mut crypto_reader, proto_tag) => {
+    let (c2me_tx, mut c2me_rx) = mpsc::channel::<C2MeCommand>(1024);
-                match client_frame {
+    let me_pool_c2me = me_pool.clone();
-                    Ok(Some(payload)) => {
+    let c2me_sender = tokio::spawn(async move {
-                        trace!(conn_id, bytes = payload.len(), "C->ME frame");
+        while let Some(cmd) = c2me_rx.recv().await {
-                        stats.add_user_octets_from(&user, payload.len() as u64);
+            match cmd {
-                        me_pool.send_proxy_req(
+                C2MeCommand::Data { payload, flags } => {
-                            conn_id,
+                    me_pool_c2me.send_proxy_req(
-                            success.dc_idx,
+                        conn_id,
-                            peer,
+                        success.dc_idx,
-                            translated_local_addr,
+                        peer,
-                            &payload,
+                        translated_local_addr,
-                            proto_flags,
+                        &payload,
-                        ).await?;
+                        flags,
-                    }
+                    ).await?;
                    Ok(None) => {
                        debug!(conn_id, "Client EOF");
                        let _ = me_pool.send_close(conn_id).await;
                        break Ok(());
                    }
                    Err(e) => break Err(e),
                }
-            }
+                C2MeCommand::Close => {
-            me_msg = me_rx.recv() => {
+                    let _ = me_pool_c2me.send_close(conn_id).await;
-                match me_msg {
+                    return Ok(());
                    Some(MeResponse::Data { flags, data }) => {
                        trace!(conn_id, bytes = data.len(), flags, "ME->C data");
                        stats.add_user_octets_to(&user, data.len() as u64);
                        write_client_payload(&mut crypto_writer, proto_tag, flags, &data).await?;
                    }
                    Some(MeResponse::Ack(confirm)) => {
                        trace!(conn_id, confirm, "ME->C quickack");
                        write_client_ack(&mut crypto_writer, proto_tag, confirm).await?;
                    }
                    Some(MeResponse::Close) => {
                        debug!(conn_id, "ME sent close");
                        break Ok(());
                    }
                    None => {
                        debug!(conn_id, "ME channel closed");
                        break Err(ProxyError::Proxy("ME connection lost".into()));
                    }
                }
            }
        }
        Ok(())
    });
    let (stop_tx, mut stop_rx) = oneshot::channel::<()>();
    let mut me_rx_task = me_rx;
    let stats_clone = stats.clone();
    let rng_clone = rng.clone();
    let user_clone = user.clone();
    let bytes_me2c_clone = bytes_me2c.clone();
    let me_writer = tokio::spawn(async move {
        let mut writer = crypto_writer;
        let mut frame_buf = Vec::with_capacity(16 * 1024);
        loop {
            tokio::select! {
                msg = me_rx_task.recv() => {
                    match msg {
                        Some(MeResponse::Data { flags, data }) => {
                            trace!(conn_id, bytes = data.len(), flags, "ME->C data");
                            bytes_me2c_clone.fetch_add(data.len() as u64, Ordering::Relaxed);
                            stats_clone.add_user_octets_to(&user_clone, data.len() as u64);
                            write_client_payload(
                                &mut writer,
                                proto_tag,
                                flags,
                                &data,
                                rng_clone.as_ref(),
                                &mut frame_buf,
                            )
                            .await?;
                            // Drain all immediately queued ME responses and flush once.
                            while let Ok(next) = me_rx_task.try_recv() {
                                match next {
                                    MeResponse::Data { flags, data } => {
                                        trace!(conn_id, bytes = data.len(), flags, "ME->C data (batched)");
                                        bytes_me2c_clone.fetch_add(data.len() as u64, Ordering::Relaxed);
                                        stats_clone.add_user_octets_to(&user_clone, data.len() as u64);
                                        write_client_payload(
                                            &mut writer,
                                            proto_tag,
                                            flags,
                                            &data,
                                            rng_clone.as_ref(),
                                            &mut frame_buf,
                                        ).await?;
                                    }
                                    MeResponse::Ack(confirm) => {
                                        trace!(conn_id, confirm, "ME->C quickack (batched)");
                                        write_client_ack(&mut writer, proto_tag, confirm).await?;
                                    }
                                    MeResponse::Close => {
                                        debug!(conn_id, "ME sent close (batched)");
                                        let _ = writer.flush().await;
                                        return Ok(());
                                    }
                                }
                            }
                            writer.flush().await.map_err(ProxyError::Io)?;
                        }
                        Some(MeResponse::Ack(confirm)) => {
                            trace!(conn_id, confirm, "ME->C quickack");
                            write_client_ack(&mut writer, proto_tag, confirm).await?;
                        }
                        Some(MeResponse::Close) => {
                            debug!(conn_id, "ME sent close");
                            let _ = writer.flush().await;
                            return Ok(());
                        }
                        None => {
                            debug!(conn_id, "ME channel closed");
                            return Err(ProxyError::Proxy("ME connection lost".into()));
                        }
                    }
                }
                _ = &mut stop_rx => {
                    debug!(conn_id, "ME writer stop signal");
                    return Ok(());
                }
            }
        }
    });
    let mut main_result: Result<()> = Ok(());
    let mut client_closed = false;
    let mut frame_counter: u64 = 0;
    loop {
        match read_client_payload(
            &mut crypto_reader,
            proto_tag,
            frame_limit,
            &forensics,
            &mut frame_counter,
            &stats,
        ).await {
            Ok(Some((payload, quickack))) => {
                trace!(conn_id, bytes = payload.len(), "C->ME frame");
                forensics.bytes_c2me = forensics
                    .bytes_c2me
                    .saturating_add(payload.len() as u64);
                stats.add_user_octets_from(&user, payload.len() as u64);
                let mut flags = proto_flags;
                if quickack {
                    flags |= RPC_FLAG_QUICKACK;
                }
                if payload.len() >= 8 && payload[..8].iter().all(|b| *b == 0) {
                    flags |= RPC_FLAG_NOT_ENCRYPTED;
                }
                // Keep client read loop lightweight: route heavy ME send path via a dedicated task.
                if c2me_tx
                    .send(C2MeCommand::Data { payload, flags })
                    .await
                    .is_err()
                {
                    main_result = Err(ProxyError::Proxy("ME sender channel closed".into()));
                    break;
                }
            }
            Ok(None) => {
                debug!(conn_id, "Client EOF");
                client_closed = true;
                let _ = c2me_tx.send(C2MeCommand::Close).await;
                break;
            }
            Err(e) => {
                main_result = Err(e);
                break;
            }
        }
    }
    drop(c2me_tx);
    let c2me_result = c2me_sender
        .await
        .unwrap_or_else(|e| Err(ProxyError::Proxy(format!("ME sender join error: {e}"))));
    let _ = stop_tx.send(());
    let mut writer_result = me_writer
        .await
        .unwrap_or_else(|e| Err(ProxyError::Proxy(format!("ME writer join error: {e}"))));
    // When client closes, but ME channel stopped as unregistered - it isnt error
    if client_closed
        && matches!(
            writer_result,
            Err(ProxyError::Proxy(ref msg)) if msg == "ME connection lost"
        )
    {
        writer_result = Ok(());
    }
    let result = match (main_result, c2me_result, writer_result) {
        (Ok(()), Ok(()), Ok(())) => Ok(()),
        (Err(e), _, _) => Err(e),
        (_, Err(e), _) => Err(e),
        (_, _, Err(e)) => Err(e),
    };
-    debug!(user = %user, conn_id, "ME relay cleanup");
+    debug!(
        user = %user,
        conn_id,
        trace_id = format_args!("0x{:016x}", trace_id),
        duration_ms = forensics.started_at.elapsed().as_millis() as u64,
        bytes_c2me = forensics.bytes_c2me,
        bytes_me2c = forensics.bytes_me2c.load(Ordering::Relaxed),
        frames_ok = frame_counter,
        "ME relay cleanup"
    );
    me_pool.registry().unregister(conn_id).await;
    stats.decrement_user_curr_connects(&user);
    result
@@ -111,55 +427,111 @@ where
 async fn read_client_payload<R>(
    client_reader: &mut CryptoReader<R>,
    proto_tag: ProtoTag,
-) -> Result<Option<Vec<u8>>>
+    max_frame: usize,
    forensics: &RelayForensicsState,
    frame_counter: &mut u64,
    stats: &Stats,
 ) -> Result<Option<(Vec<u8>, bool)>>
 where
    R: AsyncRead + Unpin + Send + 'static,
 {
-    let len = match proto_tag {
+    loop {
-        ProtoTag::Abridged => {
+        let (len, quickack, raw_len_bytes) = match proto_tag {
-            let mut first = [0u8; 1];
+            ProtoTag::Abridged => {
-            match client_reader.read_exact(&mut first).await {
+                let mut first = [0u8; 1];
-                Ok(_) => {}
+                match client_reader.read_exact(&mut first).await {
-                Err(e) if e.kind() == std::io::ErrorKind::UnexpectedEof => return Ok(None),
+                    Ok(_) => {}
-                Err(e) => return Err(ProxyError::Io(e)),
+                    Err(e) if e.kind() == std::io::ErrorKind::UnexpectedEof => return Ok(None),
                    Err(e) => return Err(ProxyError::Io(e)),
                }
                let quickack = (first[0] & 0x80) != 0;
                let len_words = if (first[0] & 0x7f) == 0x7f {
                    let mut ext = [0u8; 3];
                    client_reader
                        .read_exact(&mut ext)
                        .await
                        .map_err(ProxyError::Io)?;
                    u32::from_le_bytes([ext[0], ext[1], ext[2], 0]) as usize
                } else {
                    (first[0] & 0x7f) as usize
                };
                let len = len_words
                    .checked_mul(4)
                    .ok_or_else(|| ProxyError::Proxy("Abridged frame length overflow".into()))?;
                (len, quickack, None)
            }
-
+            ProtoTag::Intermediate | ProtoTag::Secure => {
-            let len_words = if (first[0] & 0x7f) == 0x7f {
+                let mut len_buf = [0u8; 4];
-                let mut ext = [0u8; 3];
+                match client_reader.read_exact(&mut len_buf).await {
-                client_reader
+                    Ok(_) => {}
-                    .read_exact(&mut ext)
+                    Err(e) if e.kind() == std::io::ErrorKind::UnexpectedEof => return Ok(None),
-                    .await
+                    Err(e) => return Err(ProxyError::Io(e)),
-                    .map_err(ProxyError::Io)?;
+                }
-                u32::from_le_bytes([ext[0], ext[1], ext[2], 0]) as usize
+                let quickack = (len_buf[3] & 0x80) != 0;
-            } else {
+                (
-                (first[0] & 0x7f) as usize
+                    (u32::from_le_bytes(len_buf) & 0x7fff_ffff) as usize,
-            };
+                    quickack,
-
+                    Some(len_buf),
-            len_words
+                )
                .checked_mul(4)
                .ok_or_else(|| ProxyError::Proxy("Abridged frame length overflow".into()))?
        }
        ProtoTag::Intermediate | ProtoTag::Secure => {
            let mut len_buf = [0u8; 4];
            match client_reader.read_exact(&mut len_buf).await {
                Ok(_) => {}
                Err(e) if e.kind() == std::io::ErrorKind::UnexpectedEof => return Ok(None),
                Err(e) => return Err(ProxyError::Io(e)),
            }
-            (u32::from_le_bytes(len_buf) & 0x7fff_ffff) as usize
+        };
        }
    };
-    if len > 16 * 1024 * 1024 {
+        if len == 0 {
-        return Err(ProxyError::Proxy(format!("Frame too large: {len}")));
+            continue;
        }
        if len < 4 && proto_tag != ProtoTag::Abridged {
            warn!(
                trace_id = format_args!("0x{:016x}", forensics.trace_id),
                conn_id = forensics.conn_id,
                user = %forensics.user,
                len,
                proto = ?proto_tag,
                "Frame too small — corrupt or probe"
            );
            return Err(ProxyError::Proxy(format!("Frame too small: {len}")));
        }
        if len > max_frame {
            return Err(report_desync_frame_too_large(
                forensics,
                proto_tag,
                *frame_counter,
                max_frame,
                len,
                raw_len_bytes,
                stats,
            ));
        }
        let secure_payload_len = if proto_tag == ProtoTag::Secure {
            match secure_payload_len_from_wire_len(len) {
                Some(payload_len) => payload_len,
                None => {
                    stats.increment_secure_padding_invalid();
                    return Err(ProxyError::Proxy(format!(
                        "Invalid secure frame length: {len}"
                    )));
                }
            }
        } else {
            len
        };
        let mut payload = vec![0u8; len];
        client_reader
            .read_exact(&mut payload)
            .await
            .map_err(ProxyError::Io)?;
        // Secure Intermediate: strip validated trailing padding bytes.
        if proto_tag == ProtoTag::Secure {
            payload.truncate(secure_payload_len);
        }
        *frame_counter += 1;
        return Ok(Some((payload, quickack)));
    }
    let mut payload = vec![0u8; len];
    client_reader
        .read_exact(&mut payload)
        .await
        .map_err(ProxyError::Io)?;
    Ok(Some(payload))
 }
 async fn write_client_payload<W>(
@@ -167,6 +539,8 @@ async fn write_client_payload<W>(
    proto_tag: ProtoTag,
    flags: u32,
    data: &[u8],
    rng: &SecureRandom,
    frame_buf: &mut Vec<u8>,
 ) -> Result<()>
 where
    W: AsyncWrite + Unpin + Send + 'static,
@@ -175,7 +549,7 @@ where
    match proto_tag {
        ProtoTag::Abridged => {
-            if data.len() % 4 != 0 {
+            if !data.len().is_multiple_of(4) {
                return Err(ProxyError::Proxy(format!(
                    "Abridged payload must be 4-byte aligned, got {}",
                    data.len()
@@ -188,8 +562,12 @@ where
                if quickack {
                    first |= 0x80;
                }
                frame_buf.clear();
                frame_buf.reserve(1 + data.len());
                frame_buf.push(first);
                frame_buf.extend_from_slice(data);
                client_writer
-                    .write_all(&[first])
+                    .write_all(frame_buf)
                    .await
                    .map_err(ProxyError::Io)?;
            } else if len_words < (1 << 24) {
@@ -198,8 +576,12 @@ where
                    first |= 0x80;
                }
                let lw = (len_words as u32).to_le_bytes();
                frame_buf.clear();
                frame_buf.reserve(4 + data.len());
                frame_buf.extend_from_slice(&[first, lw[0], lw[1], lw[2]]);
                frame_buf.extend_from_slice(data);
                client_writer
-                    .write_all(&[first, lw[0], lw[1], lw[2]])
+                    .write_all(frame_buf)
                    .await
                    .map_err(ProxyError::Io)?;
            } else {
@@ -208,29 +590,41 @@ where
                    data.len()
                )));
            }
            client_writer
                .write_all(data)
                .await
                .map_err(ProxyError::Io)?;
        }
        ProtoTag::Intermediate | ProtoTag::Secure => {
-            let mut len = data.len() as u32;
+            let padding_len = if proto_tag == ProtoTag::Secure {
                if !is_valid_secure_payload_len(data.len()) {
                    return Err(ProxyError::Proxy(format!(
                        "Secure payload must be 4-byte aligned, got {}",
                        data.len()
                    )));
                }
                secure_padding_len(data.len(), rng)
            } else {
                0
            };
            let mut len_val = (data.len() + padding_len) as u32;
            if quickack {
-                len |= 0x8000_0000;
+                len_val |= 0x8000_0000;
            }
            let total = 4 + data.len() + padding_len;
            frame_buf.clear();
            frame_buf.reserve(total);
            frame_buf.extend_from_slice(&len_val.to_le_bytes());
            frame_buf.extend_from_slice(data);
            if padding_len > 0 {
                let start = frame_buf.len();
                frame_buf.resize(start + padding_len, 0);
                rng.fill(&mut frame_buf[start..]);
            }
            client_writer
-                .write_all(&len.to_le_bytes())
+                .write_all(frame_buf)
                .await
                .map_err(ProxyError::Io)?;
            client_writer
                .write_all(data)
                .await
                .map_err(ProxyError::Io)?;
        }
    }
-    client_writer.flush().await.map_err(ProxyError::Io)
+    Ok(())
 }
 async fn write_client_ack<W>(
@@ -250,5 +644,6 @@ where
        .write_all(&bytes)
        .await
        .map_err(ProxyError::Io)?;
    // ACK should remain low-latency.
    client_writer.flush().await.map_err(ProxyError::Io)
 }
--- a/src/proxy/mod.rs
+++ b/src/proxy/mod.rs
@@ -8,6 +8,9 @@ pub mod middle_relay;
 pub mod relay;
 pub use client::ClientHandler;
 #[allow(unused_imports)]
 pub use handshake::*;
 #[allow(unused_imports)]
 pub use masking::*;
 #[allow(unused_imports)]
 pub use relay::*;
--- a/src/stats/mod.rs
+++ b/src/stats/mod.rs
@@ -1,7 +1,8 @@
 //! Statistics and replay protection
 #![allow(dead_code)]
 use std::sync::atomic::{AtomicU64, Ordering};
 use std::sync::Arc;
 use std::time::{Instant, Duration};
 use dashmap::DashMap;
 use parking_lot::Mutex;
@@ -19,6 +20,29 @@ pub struct Stats {
    connects_all: AtomicU64,
    connects_bad: AtomicU64,
    handshake_timeouts: AtomicU64,
    me_keepalive_sent: AtomicU64,
    me_keepalive_failed: AtomicU64,
    me_keepalive_pong: AtomicU64,
    me_keepalive_timeout: AtomicU64,
    me_reconnect_attempts: AtomicU64,
    me_reconnect_success: AtomicU64,
    me_crc_mismatch: AtomicU64,
    me_seq_mismatch: AtomicU64,
    me_route_drop_no_conn: AtomicU64,
    me_route_drop_channel_closed: AtomicU64,
    me_route_drop_queue_full: AtomicU64,
    secure_padding_invalid: AtomicU64,
    desync_total: AtomicU64,
    desync_full_logged: AtomicU64,
    desync_suppressed: AtomicU64,
    desync_frames_bucket_0: AtomicU64,
    desync_frames_bucket_1_2: AtomicU64,
    desync_frames_bucket_3_10: AtomicU64,
    desync_frames_bucket_gt_10: AtomicU64,
    pool_swap_total: AtomicU64,
    pool_drain_active: AtomicU64,
    pool_force_close_total: AtomicU64,
    pool_stale_pick_total: AtomicU64,
    user_stats: DashMap<String, UserStats>,
    start_time: parking_lot::RwLock<Option<Instant>>,
 }
@@ -43,8 +67,134 @@ impl Stats {
    pub fn increment_connects_all(&self) { self.connects_all.fetch_add(1, Ordering::Relaxed); }
    pub fn increment_connects_bad(&self) { self.connects_bad.fetch_add(1, Ordering::Relaxed); }
    pub fn increment_handshake_timeouts(&self) { self.handshake_timeouts.fetch_add(1, Ordering::Relaxed); }
    pub fn increment_me_keepalive_sent(&self) { self.me_keepalive_sent.fetch_add(1, Ordering::Relaxed); }
    pub fn increment_me_keepalive_failed(&self) { self.me_keepalive_failed.fetch_add(1, Ordering::Relaxed); }
    pub fn increment_me_keepalive_pong(&self) { self.me_keepalive_pong.fetch_add(1, Ordering::Relaxed); }
    pub fn increment_me_keepalive_timeout(&self) { self.me_keepalive_timeout.fetch_add(1, Ordering::Relaxed); }
    pub fn increment_me_keepalive_timeout_by(&self, value: u64) {
        self.me_keepalive_timeout.fetch_add(value, Ordering::Relaxed);
    }
    pub fn increment_me_reconnect_attempt(&self) { self.me_reconnect_attempts.fetch_add(1, Ordering::Relaxed); }
    pub fn increment_me_reconnect_success(&self) { self.me_reconnect_success.fetch_add(1, Ordering::Relaxed); }
    pub fn increment_me_crc_mismatch(&self) { self.me_crc_mismatch.fetch_add(1, Ordering::Relaxed); }
    pub fn increment_me_seq_mismatch(&self) { self.me_seq_mismatch.fetch_add(1, Ordering::Relaxed); }
    pub fn increment_me_route_drop_no_conn(&self) { self.me_route_drop_no_conn.fetch_add(1, Ordering::Relaxed); }
    pub fn increment_me_route_drop_channel_closed(&self) {
        self.me_route_drop_channel_closed.fetch_add(1, Ordering::Relaxed);
    }
    pub fn increment_me_route_drop_queue_full(&self) {
        self.me_route_drop_queue_full.fetch_add(1, Ordering::Relaxed);
    }
    pub fn increment_secure_padding_invalid(&self) {
        self.secure_padding_invalid.fetch_add(1, Ordering::Relaxed);
    }
    pub fn increment_desync_total(&self) {
        self.desync_total.fetch_add(1, Ordering::Relaxed);
    }
    pub fn increment_desync_full_logged(&self) {
        self.desync_full_logged.fetch_add(1, Ordering::Relaxed);
    }
    pub fn increment_desync_suppressed(&self) {
        self.desync_suppressed.fetch_add(1, Ordering::Relaxed);
    }
    pub fn observe_desync_frames_ok(&self, frames_ok: u64) {
        match frames_ok {
            0 => {
                self.desync_frames_bucket_0.fetch_add(1, Ordering::Relaxed);
            }
            1..=2 => {
                self.desync_frames_bucket_1_2.fetch_add(1, Ordering::Relaxed);
            }
            3..=10 => {
                self.desync_frames_bucket_3_10.fetch_add(1, Ordering::Relaxed);
            }
            _ => {
                self.desync_frames_bucket_gt_10.fetch_add(1, Ordering::Relaxed);
            }
        }
    }
    pub fn increment_pool_swap_total(&self) {
        self.pool_swap_total.fetch_add(1, Ordering::Relaxed);
    }
    pub fn increment_pool_drain_active(&self) {
        self.pool_drain_active.fetch_add(1, Ordering::Relaxed);
    }
    pub fn decrement_pool_drain_active(&self) {
        let mut current = self.pool_drain_active.load(Ordering::Relaxed);
        loop {
            if current == 0 {
                break;
            }
            match self.pool_drain_active.compare_exchange_weak(
                current,
                current - 1,
                Ordering::Relaxed,
                Ordering::Relaxed,
            ) {
                Ok(_) => break,
                Err(actual) => current = actual,
            }
        }
    }
    pub fn increment_pool_force_close_total(&self) {
        self.pool_force_close_total.fetch_add(1, Ordering::Relaxed);
    }
    pub fn increment_pool_stale_pick_total(&self) {
        self.pool_stale_pick_total.fetch_add(1, Ordering::Relaxed);
    }
    pub fn get_connects_all(&self) -> u64 { self.connects_all.load(Ordering::Relaxed) }
    pub fn get_connects_bad(&self) -> u64 { self.connects_bad.load(Ordering::Relaxed) }
    pub fn get_me_keepalive_sent(&self) -> u64 { self.me_keepalive_sent.load(Ordering::Relaxed) }
    pub fn get_me_keepalive_failed(&self) -> u64 { self.me_keepalive_failed.load(Ordering::Relaxed) }
    pub fn get_me_keepalive_pong(&self) -> u64 { self.me_keepalive_pong.load(Ordering::Relaxed) }
    pub fn get_me_keepalive_timeout(&self) -> u64 { self.me_keepalive_timeout.load(Ordering::Relaxed) }
    pub fn get_me_reconnect_attempts(&self) -> u64 { self.me_reconnect_attempts.load(Ordering::Relaxed) }
    pub fn get_me_reconnect_success(&self) -> u64 { self.me_reconnect_success.load(Ordering::Relaxed) }
    pub fn get_me_crc_mismatch(&self) -> u64 { self.me_crc_mismatch.load(Ordering::Relaxed) }
    pub fn get_me_seq_mismatch(&self) -> u64 { self.me_seq_mismatch.load(Ordering::Relaxed) }
    pub fn get_me_route_drop_no_conn(&self) -> u64 { self.me_route_drop_no_conn.load(Ordering::Relaxed) }
    pub fn get_me_route_drop_channel_closed(&self) -> u64 {
        self.me_route_drop_channel_closed.load(Ordering::Relaxed)
    }
    pub fn get_me_route_drop_queue_full(&self) -> u64 {
        self.me_route_drop_queue_full.load(Ordering::Relaxed)
    }
    pub fn get_secure_padding_invalid(&self) -> u64 {
        self.secure_padding_invalid.load(Ordering::Relaxed)
    }
    pub fn get_desync_total(&self) -> u64 {
        self.desync_total.load(Ordering::Relaxed)
    }
    pub fn get_desync_full_logged(&self) -> u64 {
        self.desync_full_logged.load(Ordering::Relaxed)
    }
    pub fn get_desync_suppressed(&self) -> u64 {
        self.desync_suppressed.load(Ordering::Relaxed)
    }
    pub fn get_desync_frames_bucket_0(&self) -> u64 {
        self.desync_frames_bucket_0.load(Ordering::Relaxed)
    }
    pub fn get_desync_frames_bucket_1_2(&self) -> u64 {
        self.desync_frames_bucket_1_2.load(Ordering::Relaxed)
    }
    pub fn get_desync_frames_bucket_3_10(&self) -> u64 {
        self.desync_frames_bucket_3_10.load(Ordering::Relaxed)
    }
    pub fn get_desync_frames_bucket_gt_10(&self) -> u64 {
        self.desync_frames_bucket_gt_10.load(Ordering::Relaxed)
    }
    pub fn get_pool_swap_total(&self) -> u64 {
        self.pool_swap_total.load(Ordering::Relaxed)
    }
    pub fn get_pool_drain_active(&self) -> u64 {
        self.pool_drain_active.load(Ordering::Relaxed)
    }
    pub fn get_pool_force_close_total(&self) -> u64 {
        self.pool_force_close_total.load(Ordering::Relaxed)
    }
    pub fn get_pool_stale_pick_total(&self) -> u64 {
        self.pool_stale_pick_total.load(Ordering::Relaxed)
    }
    pub fn increment_user_connects(&self, user: &str) {
        self.user_stats.entry(user.to_string()).or_default()
@@ -58,7 +208,22 @@ impl Stats {
    pub fn decrement_user_curr_connects(&self, user: &str) {
        if let Some(stats) = self.user_stats.get(user) {
-            stats.curr_connects.fetch_sub(1, Ordering::Relaxed);
+            let counter = &stats.curr_connects;
            let mut current = counter.load(Ordering::Relaxed);
            loop {
                if current == 0 {
                    break;
                }
                match counter.compare_exchange_weak(
                    current,
                    current - 1,
                    Ordering::Relaxed,
                    Ordering::Relaxed,
                ) {
                    Ok(_) => break,
                    Err(actual) => current = actual,
                }
            }
        }
    }
@@ -97,6 +262,12 @@ impl Stats {
            .unwrap_or(0)
    }
    pub fn get_handshake_timeouts(&self) -> u64 { self.handshake_timeouts.load(Ordering::Relaxed) }
    pub fn iter_user_stats(&self) -> dashmap::iter::Iter<'_, String, UserStats> {
        self.user_stats.iter()
    }
    pub fn uptime_secs(&self) -> f64 {
        self.start_time.read()
            .map(|t| t.elapsed().as_secs_f64())
@@ -155,10 +326,10 @@ impl ReplayShard {
            // Use key.as_ref() to get &[u8] — avoids Borrow<Q> ambiguity
            // between Borrow<[u8]> and Borrow<Box<[u8]>>
-            if let Some(entry) = self.cache.peek(key.as_ref()) {
+            if let Some(entry) = self.cache.peek(key.as_ref())
-                if entry.seq == queue_seq {
+                && entry.seq == queue_seq
-                    self.cache.pop(key.as_ref());
+            {
-                }
+                self.cache.pop(key.as_ref());
            }
        }
    }
@@ -212,28 +383,41 @@ impl ReplayChecker {
        (hasher.finish() as usize) & self.shard_mask
    }
-    fn check(&self, data: &[u8]) -> bool {
+    fn check_and_add_internal(&self, data: &[u8]) -> bool {
        self.checks.fetch_add(1, Ordering::Relaxed);
        let idx = self.get_shard_idx(data);
        let mut shard = self.shards[idx].lock();
-        let found = shard.check(data, Instant::now(), self.window);
+        let now = Instant::now();
        let found = shard.check(data, now, self.window);
        if found {
            self.hits.fetch_add(1, Ordering::Relaxed);
        } else {
            shard.add(data, now, self.window);
            self.additions.fetch_add(1, Ordering::Relaxed);
        }
        found
    }
-    fn add(&self, data: &[u8]) {
+    fn add_only(&self, data: &[u8]) {
        self.additions.fetch_add(1, Ordering::Relaxed);
        let idx = self.get_shard_idx(data);
        let mut shard = self.shards[idx].lock();
        shard.add(data, Instant::now(), self.window);
    }
-    pub fn check_handshake(&self, data: &[u8]) -> bool { self.check(data) }
+    pub fn check_and_add_handshake(&self, data: &[u8]) -> bool {
-    pub fn add_handshake(&self, data: &[u8]) { self.add(data) }
+        self.check_and_add_internal(data)
-    pub fn check_tls_digest(&self, data: &[u8]) -> bool { self.check(data) }
+    }
-    pub fn add_tls_digest(&self, data: &[u8]) { self.add(data) }
+
    pub fn check_and_add_tls_digest(&self, data: &[u8]) -> bool {
        self.check_and_add_internal(data)
    }
    // Compatibility helpers (non-atomic split operations) — prefer check_and_add_*.
    pub fn check_handshake(&self, data: &[u8]) -> bool { self.check_and_add_handshake(data) }
    pub fn add_handshake(&self, data: &[u8]) { self.add_only(data) }
    pub fn check_tls_digest(&self, data: &[u8]) -> bool { self.check_and_add_tls_digest(data) }
    pub fn add_tls_digest(&self, data: &[u8]) { self.add_only(data) }
    pub fn stats(&self) -> ReplayStats {
        let mut total_entries = 0;
@@ -313,6 +497,7 @@ impl ReplayStats {
 #[cfg(test)]
 mod tests {
    use super::*;
    use std::sync::Arc;
    #[test]
    fn test_stats_shared_counters() {
@@ -326,10 +511,9 @@ mod tests {
    #[test]
    fn test_replay_checker_basic() {
        let checker = ReplayChecker::new(100, Duration::from_secs(60));
-        assert!(!checker.check_handshake(b"test1"));
+        assert!(!checker.check_handshake(b"test1")); // first time, inserts
-        checker.add_handshake(b"test1");
+        assert!(checker.check_handshake(b"test1"));  // duplicate
-        assert!(checker.check_handshake(b"test1"));
+        assert!(!checker.check_handshake(b"test2")); // new key inserts
        assert!(!checker.check_handshake(b"test2"));
    }
    #[test]
@@ -343,7 +527,7 @@ mod tests {
    #[test]
    fn test_replay_checker_expiration() {
        let checker = ReplayChecker::new(100, Duration::from_millis(50));
-        checker.add_handshake(b"expire");
+        assert!(!checker.check_handshake(b"expire"));
        assert!(checker.check_handshake(b"expire"));
        std::thread::sleep(Duration::from_millis(100));
        assert!(!checker.check_handshake(b"expire"));
@@ -352,25 +536,25 @@ mod tests {
    #[test]
    fn test_replay_checker_stats() {
        let checker = ReplayChecker::new(100, Duration::from_secs(60));
-        checker.add_handshake(b"k1");
+        assert!(!checker.check_handshake(b"k1"));
-        checker.add_handshake(b"k2");
+        assert!(!checker.check_handshake(b"k2"));
-        checker.check_handshake(b"k1");
+        assert!(checker.check_handshake(b"k1"));
-        checker.check_handshake(b"k3");
+        assert!(!checker.check_handshake(b"k3"));
        let stats = checker.stats();
-        assert_eq!(stats.total_additions, 2);
+        assert_eq!(stats.total_additions, 3);
-        assert_eq!(stats.total_checks, 2);
+        assert_eq!(stats.total_checks, 4);
        assert_eq!(stats.total_hits, 1);
    }
    #[test]
    fn test_replay_checker_many_keys() {
-        let checker = ReplayChecker::new(1000, Duration::from_secs(60));
+        let checker = ReplayChecker::new(10_000, Duration::from_secs(60));
        for i in 0..500u32 {
-            checker.add(&i.to_le_bytes());
+            checker.add_only(&i.to_le_bytes());
        }
        for i in 0..500u32 {
-            assert!(checker.check(&i.to_le_bytes()));
+            assert!(checker.check_handshake(&i.to_le_bytes()));
        }
        assert_eq!(checker.stats().total_entries, 500);
    }
-}
+}
--- a/src/stream/buffer_pool.rs
+++ b/src/stream/buffer_pool.rs
@@ -3,6 +3,8 @@
 //! This module provides a thread-safe pool of BytesMut buffers
 //! that can be reused across connections to reduce allocation pressure.
 #![allow(dead_code)]
 use bytes::BytesMut;
 use crossbeam_queue::ArrayQueue;
 use std::ops::{Deref, DerefMut};
@@ -381,9 +383,14 @@ mod tests {
        // Add a buffer to pool
        pool.preallocate(1);
-        // Now try_get should succeed
+        // Now try_get should succeed once while the buffer is held
-        assert!(pool.try_get().is_some());
+        let buf = pool.try_get();
        assert!(buf.is_some());
        // While buffer is held, pool is empty
        assert!(pool.try_get().is_none());
        // Drop buffer -> returns to pool, should be obtainable again
        drop(buf);
        assert!(pool.try_get().is_some());
    }
    #[test]
@@ -448,4 +455,4 @@ mod tests {
        // All buffers should be returned
        assert!(stats.pooled > 0);
    }
-}
+}
--- a/src/stream/crypto_stream.rs
+++ b/src/stream/crypto_stream.rs
@@ -18,6 +18,8 @@
 //!   is either written to upstream or stored in our pending buffer
 //! - when upstream is pending -> ciphertext is buffered/bounded and backpressure is applied
 //!
 #![allow(dead_code)]
 //! =======================
 //! Writer state machine
 //! =======================
@@ -34,7 +36,7 @@
 //! └────────────────────────────────────────┘
 //!
 //! Backpressure
-//! - pending ciphertext buffer is bounded (MAX_PENDING_WRITE)
+//! - pending ciphertext buffer is bounded (configurable per connection)
 //! - pending is full and upstream is pending 
 //!   -> poll_write returns Poll::Pending
 //!   -> do not accept any plaintext
@@ -45,7 +47,7 @@
 //! - when upstream is Pending but pending still has room: accept `to_accept` bytes and
 //!   encrypt+append ciphertext directly into pending (in-place encryption of appended range)
-//! Encrypted stream wrappers using AES-CTR
+//!   Encrypted stream wrappers using AES-CTR
 //!
 //! This module provides stateful async stream wrappers that handle
 //! encryption/decryption with proper partial read/write handling.
@@ -55,17 +57,16 @@ use std::io::{self, ErrorKind, Result};
 use std::pin::Pin;
 use std::task::{Context, Poll};
 use tokio::io::{AsyncRead, AsyncWrite, ReadBuf};
-use tracing::{debug, trace, warn};
+use tracing::{debug, trace};
 use crate::crypto::AesCtr;
 use super::state::{StreamState, YieldBuffer};
 // ============= Constants =============
-/// Maximum size for pending ciphertext buffer (bounded backpressure).
+/// Default size for pending ciphertext buffer (bounded backpressure).
-/// Reduced to 64KB to prevent bufferbloat on mobile networks.
+/// Actual limit is supplied at runtime from configuration.
-/// 512KB was causing high latency on 3G/LTE connections.
+const DEFAULT_MAX_PENDING_WRITE: usize = 64 * 1024;
 const MAX_PENDING_WRITE: usize = 64 * 1024;
 /// Default read buffer capacity (reader mostly decrypts in-place into caller buffer).
 const DEFAULT_READ_CAPACITY: usize = 16 * 1024;
@@ -152,9 +153,9 @@ impl<R> CryptoReader<R> {
    fn take_poison_error(&mut self) -> io::Error {
        match &mut self.state {
            CryptoReaderState::Poisoned { error } => error.take().unwrap_or_else(|| {
-                io::Error::new(ErrorKind::Other, "stream previously poisoned")
+                io::Error::other("stream previously poisoned")
            }),
-            _ => io::Error::new(ErrorKind::Other, "stream not poisoned"),
+            _ => io::Error::other("stream not poisoned"),
        }
    }
 }
@@ -167,6 +168,7 @@ impl<R: AsyncRead + Unpin> AsyncRead for CryptoReader<R> {
    ) -> Poll<Result<()>> {
        let this = self.get_mut();
        #[allow(clippy::never_loop)]
        loop {
            match &mut this.state {
                CryptoReaderState::Poisoned { .. } => {
@@ -427,15 +429,22 @@ pub struct CryptoWriter<W> {
    encryptor: AesCtr,
    state: CryptoWriterState,
    scratch: BytesMut,
    max_pending_write: usize,
 }
 impl<W> CryptoWriter<W> {
-    pub fn new(upstream: W, encryptor: AesCtr) -> Self {
+    pub fn new(upstream: W, encryptor: AesCtr, max_pending_write: usize) -> Self {
        let max_pending = if max_pending_write == 0 {
            DEFAULT_MAX_PENDING_WRITE
        } else {
            max_pending_write
        };
        Self {
            upstream,
            encryptor,
            state: CryptoWriterState::Idle,
            scratch: BytesMut::with_capacity(16 * 1024),
            max_pending_write: max_pending.max(4 * 1024),
        }
    }
@@ -477,17 +486,17 @@ impl<W> CryptoWriter<W> {
    fn take_poison_error(&mut self) -> io::Error {
        match &mut self.state {
            CryptoWriterState::Poisoned { error } => error.take().unwrap_or_else(|| {
-                io::Error::new(ErrorKind::Other, "stream previously poisoned")
+                io::Error::other("stream previously poisoned")
            }),
-            _ => io::Error::new(ErrorKind::Other, "stream not poisoned"),
+            _ => io::Error::other("stream not poisoned"),
        }
    }
    /// Ensure we are in Flushing state and return mutable pending buffer.
-    fn ensure_pending<'a>(state: &'a mut CryptoWriterState) -> &'a mut PendingCiphertext {
+    fn ensure_pending(state: &mut CryptoWriterState, max_pending: usize) -> &mut PendingCiphertext {
        if matches!(state, CryptoWriterState::Idle) {
            *state = CryptoWriterState::Flushing {
-                pending: PendingCiphertext::new(MAX_PENDING_WRITE),
+                pending: PendingCiphertext::new(max_pending),
            };
        }
@@ -498,14 +507,14 @@ impl<W> CryptoWriter<W> {
    }
    /// Select how many plaintext bytes can be accepted in buffering path
-    fn select_to_accept_for_buffering(state: &CryptoWriterState, buf_len: usize) -> usize {
+    fn select_to_accept_for_buffering(state: &CryptoWriterState, buf_len: usize, max_pending: usize) -> usize {
        if buf_len == 0 {
            return 0;
        }
        match state {
            CryptoWriterState::Flushing { pending } => buf_len.min(pending.remaining_capacity()),
-            CryptoWriterState::Idle => buf_len.min(MAX_PENDING_WRITE),
+            CryptoWriterState::Idle => buf_len.min(max_pending),
            CryptoWriterState::Poisoned { .. } => 0,
        }
    }
@@ -603,7 +612,7 @@ impl<W: AsyncWrite + Unpin> AsyncWrite for CryptoWriter<W> {
                Poll::Pending => {
                    // Upstream blocked. Apply ideal backpressure
                    let to_accept =
-                        Self::select_to_accept_for_buffering(&this.state, buf.len());
+                        Self::select_to_accept_for_buffering(&this.state, buf.len(), this.max_pending_write);
                    if to_accept == 0 {
                        trace!(
@@ -618,7 +627,7 @@ impl<W: AsyncWrite + Unpin> AsyncWrite for CryptoWriter<W> {
                    // Disjoint borrows
                    let encryptor = &mut this.encryptor;
-                    let pending = Self::ensure_pending(&mut this.state);
+                    let pending = Self::ensure_pending(&mut this.state, this.max_pending_write);
                    if let Err(e) = pending.push_encrypted(encryptor, plaintext) {
                        if e.kind() == ErrorKind::WouldBlock {
@@ -635,7 +644,7 @@ impl<W: AsyncWrite + Unpin> AsyncWrite for CryptoWriter<W> {
        // 2) Fast path: pending empty -> write-through
        debug_assert!(matches!(this.state, CryptoWriterState::Idle));
-        let to_accept = buf.len().min(MAX_PENDING_WRITE);
+        let to_accept = buf.len().min(this.max_pending_write);
        let plaintext = &buf[..to_accept];
        Self::encrypt_into_scratch(&mut this.encryptor, &mut this.scratch, plaintext);
@@ -645,7 +654,7 @@ impl<W: AsyncWrite + Unpin> AsyncWrite for CryptoWriter<W> {
                // Upstream blocked: buffer FULL ciphertext for accepted bytes.
                let ciphertext = std::mem::take(&mut this.scratch);
-                let pending = Self::ensure_pending(&mut this.state);
+                let pending = Self::ensure_pending(&mut this.state, this.max_pending_write);
                pending.replace_with(ciphertext);
                Poll::Ready(Ok(to_accept))
@@ -672,7 +681,7 @@ impl<W: AsyncWrite + Unpin> AsyncWrite for CryptoWriter<W> {
                let remainder = this.scratch.split_off(n);
                this.scratch.clear();
-                let pending = Self::ensure_pending(&mut this.state);
+                let pending = Self::ensure_pending(&mut this.state, this.max_pending_write);
                pending.replace_with(remainder);
                Poll::Ready(Ok(to_accept))
@@ -767,4 +776,4 @@ impl<S: AsyncWrite + Unpin> AsyncWrite for PassthroughStream<S> {
    fn poll_shutdown(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Result<()>> {
        Pin::new(&mut self.inner).poll_shutdown(cx)
    }
-}
+}
--- a/src/stream/frame.rs
+++ b/src/stream/frame.rs
@@ -3,6 +3,8 @@
 //! This module defines the common types and traits used by all
 //! frame encoding/decoding implementations.
 #![allow(dead_code)]
 use bytes::{Bytes, BytesMut};
 use std::io::Result;
 use std::sync::Arc;
--- a/src/stream/frame_codec.rs
+++ b/src/stream/frame_codec.rs
@@ -3,12 +3,16 @@
 //! This module provides Encoder/Decoder implementations compatible
 //! with tokio-util's Framed wrapper for easy async frame I/O.
 #![allow(dead_code)]
 use bytes::{Bytes, BytesMut, BufMut};
 use std::io::{self, Error, ErrorKind};
 use std::sync::Arc;
 use tokio_util::codec::{Decoder, Encoder};
-use crate::protocol::constants::ProtoTag;
+use crate::protocol::constants::{
    ProtoTag, is_valid_secure_payload_len, secure_padding_len, secure_payload_len_from_wire_len,
 };
 use crate::crypto::SecureRandom;
 use super::frame::{Frame, FrameMeta, FrameCodec as FrameCodecTrait};
@@ -135,7 +139,7 @@ fn encode_abridged(frame: &Frame, dst: &mut BytesMut) -> io::Result<()> {
    let data = &frame.data;
    // Validate alignment
-    if data.len() % 4 != 0 {
+    if !data.len().is_multiple_of(4) {
        return Err(Error::new(
            ErrorKind::InvalidInput,
            format!("abridged frame must be 4-byte aligned, got {} bytes", data.len())
@@ -274,13 +278,13 @@ fn decode_secure(src: &mut BytesMut, max_size: usize) -> io::Result<Option<Frame
        return Ok(None);
    }
-    // Calculate padding (indicated by length not divisible by 4)
+    let data_len = secure_payload_len_from_wire_len(len).ok_or_else(|| {
-    let padding_len = len % 4;
+        Error::new(
-    let data_len = if padding_len != 0 {
+            ErrorKind::InvalidData,
-        len - padding_len
+            format!("invalid secure frame length: {len}"),
-    } else {
+        )
-        len
+    })?;
-    };
+    let padding_len = len - data_len;
    meta.padding_len = padding_len as u8;
@@ -303,14 +307,15 @@ fn encode_secure(frame: &Frame, dst: &mut BytesMut, rng: &SecureRandom) -> io::R
        return Ok(());
    }
-    // Generate padding to make length not divisible by 4
+    if !is_valid_secure_payload_len(data.len()) {
-    let padding_len = if data.len() % 4 == 0 {
+        return Err(Error::new(
-        // Add 1-3 bytes to make it non-aligned
+            ErrorKind::InvalidData,
-        (rng.range(3) + 1) as usize
+            format!("secure payload must be 4-byte aligned, got {}", data.len()),
-    } else {
+        ));
-        // Already non-aligned, can add 0-3
+    }
-        rng.range(4) as usize
+
-    };
+    // Generate padding that keeps total length non-divisible by 4.
    let padding_len = secure_padding_len(data.len(), rng);
    let total_len = data.len() + padding_len;
    dst.reserve(4 + total_len);
@@ -625,4 +630,4 @@ mod tests {
        let result = codec.decode(&mut buf);
        assert!(result.is_err());
    }
-}
+}
--- a/src/stream/frame_stream.rs
+++ b/src/stream/frame_stream.rs
@@ -1,6 +1,8 @@
 //! MTProto frame stream wrappers
-use bytes::{Bytes, BytesMut};
+#![allow(dead_code)]
 use bytes::Bytes;
 use std::io::{Error, ErrorKind, Result};
 use tokio::io::{AsyncRead, AsyncWrite, AsyncReadExt, AsyncWriteExt};
 use crate::protocol::constants::*;
@@ -76,7 +78,7 @@ impl<W> AbridgedFrameWriter<W> {
 impl<W: AsyncWrite + Unpin> AbridgedFrameWriter<W> {
    /// Write a frame
    pub async fn write_frame(&mut self, data: &[u8], meta: &FrameMeta) -> Result<()> {
-        if data.len() % 4 != 0 {
+        if !data.len().is_multiple_of(4) {
            return Err(Error::new(
                ErrorKind::InvalidInput,
                format!("Abridged frame must be aligned to 4 bytes, got {}", data.len()),
@@ -232,11 +234,13 @@ impl<R: AsyncRead + Unpin> SecureIntermediateFrameReader<R> {
        let mut data = vec![0u8; len];
        self.upstream.read_exact(&mut data).await?;
-        // Strip padding (not aligned to 4)
+        let payload_len = secure_payload_len_from_wire_len(len).ok_or_else(|| {
-        if len % 4 != 0 {
+            Error::new(
-            let actual_len = len - (len % 4);
+                ErrorKind::InvalidData,
-            data.truncate(actual_len);
+                format!("Invalid secure frame length: {len}"),
-        }
+            )
        })?;
        data.truncate(payload_len);
        Ok((Bytes::from(data), meta))
    }
@@ -267,8 +271,15 @@ impl<W: AsyncWrite + Unpin> SecureIntermediateFrameWriter<W> {
            return Ok(());
        }
-        // Add random padding (0-3 bytes)
+        if !is_valid_secure_payload_len(data.len()) {
-        let padding_len = self.rng.range(4);
+            return Err(Error::new(
                ErrorKind::InvalidData,
                format!("Secure payload must be 4-byte aligned, got {}", data.len()),
            ));
        }
        // Add padding so total length is never divisible by 4 (MTProto Secure)
        let padding_len = secure_padding_len(data.len(), &self.rng);
        let padding = self.rng.bytes(padding_len);
        let total_len = data.len() + padding_len;
@@ -320,7 +331,7 @@ impl<R: AsyncRead + Unpin> MtprotoFrameReader<R> {
            }
            // Validate length
-            if len < MIN_MSG_LEN || len > MAX_MSG_LEN || len % PADDING_FILLER.len() != 0 {
+            if !(MIN_MSG_LEN..=MAX_MSG_LEN).contains(&len) || !len.is_multiple_of(PADDING_FILLER.len()) {
                return Err(Error::new(
                    ErrorKind::InvalidData,
                    format!("Invalid message length: {}", len),
@@ -550,9 +561,7 @@ mod tests {
        writer.flush().await.unwrap();
        let (received, _meta) = reader.read_frame().await.unwrap();
-        // Received should have padding stripped to align to 4
+        assert_eq!(received.len(), data.len());
        let expected_len = (data.len() / 4) * 4;
        assert_eq!(received.len(), expected_len);
    }
    #[tokio::test]
@@ -585,4 +594,4 @@ mod tests {
        let (received, _) = reader.read_frame().await.unwrap();
        assert_eq!(&received[..], &data[..]);
    }
-}
+}
--- a/src/stream/mod.rs
+++ b/src/stream/mod.rs
@@ -12,32 +12,38 @@ pub mod frame_codec;
 pub mod frame_stream;
 // Re-export state machine types
 #[allow(unused_imports)]
 pub use state::{
    StreamState, Transition, PollResult,
    ReadBuffer, WriteBuffer, HeaderBuffer, YieldBuffer,
 };
 // Re-export buffer pool
 #[allow(unused_imports)]
 pub use buffer_pool::{BufferPool, PooledBuffer, PoolStats};
 // Re-export stream implementations
 #[allow(unused_imports)]
 pub use crypto_stream::{CryptoReader, CryptoWriter, PassthroughStream};
 pub use tls_stream::{FakeTlsReader, FakeTlsWriter};
 // Re-export frame types
 #[allow(unused_imports)]
 pub use frame::{Frame, FrameMeta, FrameCodec as FrameCodecTrait, create_codec};
-// Re-export tokio-util compatible codecs  
+// Re-export tokio-util compatible codecs
 #[allow(unused_imports)]
 pub use frame_codec::{
    FrameCodec,
    AbridgedCodec, IntermediateCodec, SecureCodec,
 };
 // Legacy re-exports for compatibility
 #[allow(unused_imports)]
 pub use frame_stream::{
    AbridgedFrameReader, AbridgedFrameWriter,
    IntermediateFrameReader, IntermediateFrameWriter,
    SecureIntermediateFrameReader, SecureIntermediateFrameWriter,
    MtprotoFrameReader, MtprotoFrameWriter,
    FrameReaderKind, FrameWriterKind,
-};
+};
--- a/src/stream/state.rs
+++ b/src/stream/state.rs
@@ -3,6 +3,8 @@
 //! This module provides core types and traits for implementing
 //! stateful async streams with proper partial read/write handling.
 #![allow(dead_code)]
 use bytes::{Bytes, BytesMut};
 use std::io;
--- a/src/stream/tls_stream.rs
+++ b/src/stream/tls_stream.rs
@@ -18,6 +18,8 @@
 //! - Explicit state machines for all async operations
 //! - Never lose data on partial reads
 //! - Atomic TLS record formation for writes
 #![allow(dead_code)]
 //! - Proper handling of all TLS record types
 //!
 //! Important nuance (Telegram FakeTLS):
@@ -25,14 +27,15 @@
 //! - However, the on-the-wire record length can exceed 16384 because TLS 1.3
 //!   uses AEAD and can include tag/overhead/padding.
 //! - Telegram FakeTLS clients (notably iOS) may send Application Data records
-//!   with length up to 16384 + 24 bytes. We accept that as MAX_TLS_CHUNK_SIZE.
+//!   with length up to 16384 + 256 bytes (RFC 8446 §5.2). We accept that as
 //!   MAX_TLS_CHUNK_SIZE.
 //!
 //! If you reject those (e.g. validate length <= 16384), you will see errors like:
 //!   "TLS record too large: 16408 bytes"
 //! and uploads from iOS will break (media/file sending), while small traffic
 //! may still work.
-use bytes::{Bytes, BytesMut, BufMut};
+use bytes::{Bytes, BytesMut};
 use std::io::{self, Error, ErrorKind, Result};
 use std::pin::Pin;
 use std::task::{Context, Poll};
@@ -51,9 +54,9 @@ use super::state::{StreamState, HeaderBuffer, YieldBuffer, WriteBuffer};
 /// TLS record header size (type + version + length)
 const TLS_HEADER_SIZE: usize = 5;
-/// Maximum TLS fragment size per spec (plaintext fragment).
+/// Maximum TLS fragment size we emit for Application Data.
-/// We use this for *outgoing* chunking, because we build plain ApplicationData records.
+/// Real TLS 1.3 allows up to 16384 + 256 bytes of ciphertext (incl. tag).
-const MAX_TLS_PAYLOAD: usize = 16384;
+const MAX_TLS_PAYLOAD: usize = 16384 + 256;
 /// Maximum pending write buffer for one record remainder.
 /// Note: we never queue unlimited amount of data here; state holds at most one record.
@@ -90,7 +93,7 @@ impl TlsRecordHeader {
    /// - We accept TLS 1.0 header version for ClientHello-like records (0x03 0x01),
    ///   and TLS 1.2/1.3 style version bytes for the rest (we use TLS_VERSION = 0x03 0x03).
    /// - For Application Data, Telegram FakeTLS may send payload length up to
-    ///   MAX_TLS_CHUNK_SIZE (16384 + 24).
+    ///   MAX_TLS_CHUNK_SIZE (16384 + 256).
    /// - For other record types we keep stricter bounds to avoid memory abuse.
    fn validate(&self) -> Result<()> {
        // Version: accept TLS 1.0 header (ClientHello quirk) and TLS_VERSION (0x0303).
@@ -104,7 +107,7 @@ impl TlsRecordHeader {
        let len = self.length as usize;
        // Length checks depend on record type.
-        // Telegram FakeTLS: ApplicationData length may be 16384 + 24.
+        // Telegram FakeTLS: ApplicationData length may be 16384 + 256.
        match self.record_type {
            TLS_RECORD_APPLICATION => {
                if len > MAX_TLS_CHUNK_SIZE {
@@ -132,7 +135,7 @@ impl TlsRecordHeader {
    }
    /// Build header bytes
-    fn to_bytes(&self) -> [u8; 5] {
+    fn to_bytes(self) -> [u8; 5] {
        [
            self.record_type,
            self.version[0],
@@ -257,9 +260,9 @@ impl<R> FakeTlsReader<R> {
    fn take_poison_error(&mut self) -> io::Error {
        match &mut self.state {
            TlsReaderState::Poisoned { error } => error.take().unwrap_or_else(|| {
-                io::Error::new(ErrorKind::Other, "stream previously poisoned")
+                io::Error::other("stream previously poisoned")
            }),
-            _ => io::Error::new(ErrorKind::Other, "stream not poisoned"),
+            _ => io::Error::other("stream not poisoned"),
        }
    }
 }
@@ -294,7 +297,7 @@ impl<R: AsyncRead + Unpin> AsyncRead for FakeTlsReader<R> {
                TlsReaderState::Poisoned { error } => {
                    this.state = TlsReaderState::Poisoned { error: None };
                    let err = error.unwrap_or_else(|| {
-                        io::Error::new(ErrorKind::Other, "stream previously poisoned")
+                        io::Error::other("stream previously poisoned")
                    });
                    return Poll::Ready(Err(err));
                }
@@ -613,9 +616,9 @@ impl<W> FakeTlsWriter<W> {
    fn take_poison_error(&mut self) -> io::Error {
        match &mut self.state {
            TlsWriterState::Poisoned { error } => error.take().unwrap_or_else(|| {
-                io::Error::new(ErrorKind::Other, "stream previously poisoned")
+                io::Error::other("stream previously poisoned")
            }),
-            _ => io::Error::new(ErrorKind::Other, "stream not poisoned"),
+            _ => io::Error::other("stream not poisoned"),
        }
    }
@@ -679,7 +682,7 @@ impl<W: AsyncWrite + Unpin> AsyncWrite for FakeTlsWriter<W> {
            TlsWriterState::Poisoned { error } => {
                this.state = TlsWriterState::Poisoned { error: None };
                let err = error.unwrap_or_else(|| {
-                    Error::new(ErrorKind::Other, "stream previously poisoned")
+                    Error::other("stream previously poisoned")
                });
                return Poll::Ready(Err(err));
            }
@@ -754,9 +757,6 @@ impl<W: AsyncWrite + Unpin> AsyncWrite for FakeTlsWriter<W> {
                    payload_size: chunk_size,
                };
                // Wake to retry flushing soon.
                cx.waker().wake_by_ref();
                Poll::Ready(Ok(chunk_size))
            }
        }
@@ -771,7 +771,7 @@ impl<W: AsyncWrite + Unpin> AsyncWrite for FakeTlsWriter<W> {
            TlsWriterState::Poisoned { error } => {
                this.state = TlsWriterState::Poisoned { error: None };
                let err = error.unwrap_or_else(|| {
-                    Error::new(ErrorKind::Other, "stream previously poisoned")
+                    Error::other("stream previously poisoned")
                });
                return Poll::Ready(Err(err));
            }
@@ -918,10 +918,8 @@ mod tests {
        let reader = ChunkedReader::new(&record, 100);
        let mut tls_reader = FakeTlsReader::new(reader);
-        let mut buf = vec![0u8; payload.len()];
+        let buf = tls_reader.read_exact(payload.len()).await.unwrap();
-        tls_reader.read_exact(&mut buf).await.unwrap();
+        assert_eq!(&buf[..], payload);
        assert_eq!(&buf, payload);
    }
    #[tokio::test]
@@ -935,13 +933,11 @@ mod tests {
        let reader = ChunkedReader::new(&data, 100);
        let mut tls_reader = FakeTlsReader::new(reader);
-        let mut buf1 = vec![0u8; payload1.len()];
+        let buf1 = tls_reader.read_exact(payload1.len()).await.unwrap();
-        tls_reader.read_exact(&mut buf1).await.unwrap();
+        assert_eq!(&buf1[..], payload1);
        assert_eq!(&buf1, payload1);
-        let mut buf2 = vec![0u8; payload2.len()];
+        let buf2 = tls_reader.read_exact(payload2.len()).await.unwrap();
-        tls_reader.read_exact(&mut buf2).await.unwrap();
+        assert_eq!(&buf2[..], payload2);
        assert_eq!(&buf2, payload2);
    }
    #[tokio::test]
@@ -953,10 +949,9 @@ mod tests {
        let reader = ChunkedReader::new(&record, 1); // 1 byte at a time!
        let mut tls_reader = FakeTlsReader::new(reader);
-        let mut buf = vec![0u8; payload.len()];
+        let buf = tls_reader.read_exact(payload.len()).await.unwrap();
        tls_reader.read_exact(&mut buf).await.unwrap();
-        assert_eq!(&buf, payload);
+        assert_eq!(&buf[..], payload);
    }
    #[tokio::test]
@@ -967,10 +962,9 @@ mod tests {
        let reader = ChunkedReader::new(&record, 7); // Awkward chunk size
        let mut tls_reader = FakeTlsReader::new(reader);
-        let mut buf = vec![0u8; payload.len()];
+        let buf = tls_reader.read_exact(payload.len()).await.unwrap();
        tls_reader.read_exact(&mut buf).await.unwrap();
-        assert_eq!(&buf, payload);
+        assert_eq!(&buf[..], payload);
    }
    #[tokio::test]
@@ -983,10 +977,9 @@ mod tests {
        let reader = ChunkedReader::new(&data, 100);
        let mut tls_reader = FakeTlsReader::new(reader);
-        let mut buf = vec![0u8; payload.len()];
+        let buf = tls_reader.read_exact(payload.len()).await.unwrap();
        tls_reader.read_exact(&mut buf).await.unwrap();
-        assert_eq!(&buf, payload);
+        assert_eq!(&buf[..], payload);
    }
    #[tokio::test]
@@ -1000,10 +993,9 @@ mod tests {
        let reader = ChunkedReader::new(&data, 3); // Small chunks
        let mut tls_reader = FakeTlsReader::new(reader);
-        let mut buf = vec![0u8; payload.len()];
+        let buf = tls_reader.read_exact(payload.len()).await.unwrap();
        tls_reader.read_exact(&mut buf).await.unwrap();
-        assert_eq!(&buf, payload);
+        assert_eq!(&buf[..], payload);
    }
    #[tokio::test]
@@ -1244,4 +1236,4 @@ mod tests {
        let bytes = header.to_bytes();
        assert_eq!(bytes, [0x17, 0x03, 0x03, 0x12, 0x34]);
    }
-}
+}
--- a/src/stream/traits.rs
+++ b/src/stream/traits.rs
@@ -1,5 +1,7 @@
 //! Stream traits and common types
 #![allow(dead_code)]
 use bytes::Bytes;
 use std::io::Result;
 use std::pin::Pin;
--- a/src/tls_front/cache.rs
+++ b/src/tls_front/cache.rs
@@ -0,0 +1,255 @@
 use std::collections::HashMap;
 use std::net::IpAddr;
 use std::path::{Path, PathBuf};
 use std::sync::Arc;
 use std::time::{Duration, Instant, SystemTime};
 use tokio::sync::RwLock;
 use tokio::time::sleep;
 use tracing::{debug, warn, info};
 use crate::tls_front::types::{CachedTlsData, ParsedServerHello, TlsFetchResult};
 /// Lightweight in-memory + optional on-disk cache for TLS fronting data.
 #[derive(Debug)]
 pub struct TlsFrontCache {
    memory: RwLock<HashMap<String, Arc<CachedTlsData>>>,
    default: Arc<CachedTlsData>,
    full_cert_sent: RwLock<HashMap<IpAddr, Instant>>,
    disk_path: PathBuf,
 }
 #[allow(dead_code)]
 impl TlsFrontCache {
    pub fn new(domains: &[String], default_len: usize, disk_path: impl AsRef<Path>) -> Self {
        let default_template = ParsedServerHello {
            version: [0x03, 0x03],
            random: [0u8; 32],
            session_id: Vec::new(),
            cipher_suite: [0x13, 0x01],
            compression: 0,
            extensions: Vec::new(),
        };
        let default = Arc::new(CachedTlsData {
            server_hello_template: default_template,
            cert_info: None,
            cert_payload: None,
            app_data_records_sizes: vec![default_len],
            total_app_data_len: default_len,
            fetched_at: SystemTime::now(),
            domain: "default".to_string(),
        });
        let mut map = HashMap::new();
        for d in domains {
            map.insert(d.clone(), default.clone());
        }
        Self {
            memory: RwLock::new(map),
            default,
            full_cert_sent: RwLock::new(HashMap::new()),
            disk_path: disk_path.as_ref().to_path_buf(),
        }
    }
    pub async fn get(&self, sni: &str) -> Arc<CachedTlsData> {
        let guard = self.memory.read().await;
        guard.get(sni).cloned().unwrap_or_else(|| self.default.clone())
    }
    pub async fn contains_domain(&self, domain: &str) -> bool {
        self.memory.read().await.contains_key(domain)
    }
    /// Returns true when full cert payload should be sent for client_ip
    /// according to TTL policy.
    pub async fn take_full_cert_budget_for_ip(
        &self,
        client_ip: IpAddr,
        ttl: Duration,
    ) -> bool {
        if ttl.is_zero() {
            self.full_cert_sent
                .write()
                .await
                .insert(client_ip, Instant::now());
            return true;
        }
        let now = Instant::now();
        let mut guard = self.full_cert_sent.write().await;
        guard.retain(|_, seen_at| now.duration_since(*seen_at) < ttl);
        match guard.get_mut(&client_ip) {
            Some(seen_at) => {
                if now.duration_since(*seen_at) >= ttl {
                    *seen_at = now;
                    true
                } else {
                    false
                }
            }
            None => {
                guard.insert(client_ip, now);
                true
            }
        }
    }
    pub async fn set(&self, domain: &str, data: CachedTlsData) {
        let mut guard = self.memory.write().await;
        guard.insert(domain.to_string(), Arc::new(data));
    }
    pub async fn load_from_disk(&self) {
        let path = self.disk_path.clone();
        if tokio::fs::create_dir_all(&path).await.is_err() {
            return;
        }
        let mut loaded = 0usize;
        if let Ok(mut dir) = tokio::fs::read_dir(&path).await {
            while let Ok(Some(entry)) = dir.next_entry().await {
                if let Ok(name) = entry.file_name().into_string() {
                    if !name.ends_with(".json") {
                        continue;
                    }
                    if let Ok(data) = tokio::fs::read(entry.path()).await
                        && let Ok(mut cached) = serde_json::from_slice::<CachedTlsData>(&data)
                    {
                        if cached.domain.is_empty()
                            || cached.domain.len() > 255
                            || !cached.domain.chars().all(|c| c.is_ascii_alphanumeric() || c == '.' || c == '-')
                        {
                            warn!(file = %name, "Skipping TLS cache entry with invalid domain");
                            continue;
                        }
                        // fetched_at is skipped during deserialization; approximate with file mtime if available.
                        if let Ok(meta) = entry.metadata().await
                            && let Ok(modified) = meta.modified()
                        {
                            cached.fetched_at = modified;
                        }
                        // Drop entries older than 72h
                        if let Ok(age) = cached.fetched_at.elapsed()
                            && age > Duration::from_secs(72 * 3600)
                        {
                            warn!(domain = %cached.domain, "Skipping stale TLS cache entry (>72h)");
                            continue;
                        }
                        let domain = cached.domain.clone();
                        self.set(&domain, cached).await;
                        loaded += 1;
                    }
                }
            }
        }
        if loaded > 0 {
            info!(count = loaded, "Loaded TLS cache entries from disk");
        }
    }
    async fn persist(&self, domain: &str, data: &CachedTlsData) {
        if tokio::fs::create_dir_all(&self.disk_path).await.is_err() {
            return;
        }
        let fname = format!("{}.json", domain.replace(['/', '\\'], "_"));
        let path = self.disk_path.join(fname);
        if let Ok(json) = serde_json::to_vec_pretty(data) {
            // best-effort write
            let _ = tokio::fs::write(path, json).await;
        }
    }
    /// Spawn background updater that periodically refreshes cached domains using provided fetcher.
    pub fn spawn_updater<F>(
        self: Arc<Self>,
        domains: Vec<String>,
        interval: Duration,
        fetcher: F,
    ) where
        F: Fn(String) -> tokio::task::JoinHandle<()> + Send + Sync + 'static,
    {
        tokio::spawn(async move {
            loop {
                for domain in &domains {
                    let _ = fetcher(domain.clone()).await;
                }
                sleep(interval).await;
            }
        });
    }
    /// Replace cached entry from a fetch result.
    pub async fn update_from_fetch(&self, domain: &str, fetched: TlsFetchResult) {
        let data = CachedTlsData {
            server_hello_template: fetched.server_hello_parsed,
            cert_info: fetched.cert_info,
            cert_payload: fetched.cert_payload,
            app_data_records_sizes: fetched.app_data_records_sizes.clone(),
            total_app_data_len: fetched.total_app_data_len,
            fetched_at: SystemTime::now(),
            domain: domain.to_string(),
        };
        self.set(domain, data.clone()).await;
        self.persist(domain, &data).await;
        debug!(domain = %domain, len = fetched.total_app_data_len, "TLS cache updated");
    }
    pub fn default_entry(&self) -> Arc<CachedTlsData> {
        self.default.clone()
    }
    pub fn disk_path(&self) -> &Path {
        &self.disk_path
    }
 }
 #[cfg(test)]
 mod tests {
    use super::*;
    #[tokio::test]
    async fn test_take_full_cert_budget_for_ip_uses_ttl() {
        let cache = TlsFrontCache::new(
            &["example.com".to_string()],
            1024,
            "tlsfront-test-cache",
        );
        let ip: IpAddr = "127.0.0.1".parse().expect("ip");
        let ttl = Duration::from_millis(80);
        assert!(cache
            .take_full_cert_budget_for_ip(ip, ttl)
            .await);
        assert!(!cache
            .take_full_cert_budget_for_ip(ip, ttl)
            .await);
        tokio::time::sleep(Duration::from_millis(90)).await;
        assert!(cache
            .take_full_cert_budget_for_ip(ip, ttl)
            .await);
    }
    #[tokio::test]
    async fn test_take_full_cert_budget_for_ip_zero_ttl_always_allows_full_payload() {
        let cache = TlsFrontCache::new(
            &["example.com".to_string()],
            1024,
            "tlsfront-test-cache",
        );
        let ip: IpAddr = "127.0.0.1".parse().expect("ip");
        let ttl = Duration::ZERO;
        assert!(cache
            .take_full_cert_budget_for_ip(ip, ttl)
            .await);
        assert!(cache
            .take_full_cert_budget_for_ip(ip, ttl)
            .await);
    }
 }
--- a/src/tls_front/emulator.rs
+++ b/src/tls_front/emulator.rs
@@ -0,0 +1,388 @@
 use crate::crypto::{sha256_hmac, SecureRandom};
 use crate::protocol::constants::{
    TLS_RECORD_APPLICATION, TLS_RECORD_CHANGE_CIPHER, TLS_RECORD_HANDSHAKE, TLS_VERSION,
 };
 use crate::protocol::tls::{TLS_DIGEST_LEN, TLS_DIGEST_POS, gen_fake_x25519_key};
 use crate::tls_front::types::{CachedTlsData, ParsedCertificateInfo};
 const MIN_APP_DATA: usize = 64;
 const MAX_APP_DATA: usize = 16640; // RFC 8446 §5.2 allows up to 2^14 + 256
 fn jitter_and_clamp_sizes(sizes: &[usize], rng: &SecureRandom) -> Vec<usize> {
    sizes
        .iter()
        .map(|&size| {
            let base = size.clamp(MIN_APP_DATA, MAX_APP_DATA);
            let jitter_range = ((base as f64) * 0.03).round() as i64;
            if jitter_range == 0 {
                return base;
            }
            let mut rand_bytes = [0u8; 2];
            rand_bytes.copy_from_slice(&rng.bytes(2));
            let span = 2 * jitter_range + 1;
            let delta = (u16::from_le_bytes(rand_bytes) as i64 % span) - jitter_range;
            let adjusted = (base as i64 + delta).clamp(MIN_APP_DATA as i64, MAX_APP_DATA as i64);
            adjusted as usize
        })
        .collect()
 }
 fn app_data_body_capacity(sizes: &[usize]) -> usize {
    sizes.iter().map(|&size| size.saturating_sub(17)).sum()
 }
 fn ensure_payload_capacity(mut sizes: Vec<usize>, payload_len: usize) -> Vec<usize> {
    if payload_len == 0 {
        return sizes;
    }
    let mut body_total = app_data_body_capacity(&sizes);
    if body_total >= payload_len {
        return sizes;
    }
    if let Some(last) = sizes.last_mut() {
        let free = MAX_APP_DATA.saturating_sub(*last);
        let grow = free.min(payload_len - body_total);
        *last += grow;
        body_total += grow;
    }
    while body_total < payload_len {
        let remaining = payload_len - body_total;
        let chunk = (remaining + 17).clamp(MIN_APP_DATA, MAX_APP_DATA);
        sizes.push(chunk);
        body_total += chunk.saturating_sub(17);
    }
    sizes
 }
 fn build_compact_cert_info_payload(cert_info: &ParsedCertificateInfo) -> Option<Vec<u8>> {
    let mut fields = Vec::new();
    if let Some(subject) = cert_info.subject_cn.as_deref() {
        fields.push(format!("CN={subject}"));
    }
    if let Some(issuer) = cert_info.issuer_cn.as_deref() {
        fields.push(format!("ISSUER={issuer}"));
    }
    if let Some(not_before) = cert_info.not_before_unix {
        fields.push(format!("NB={not_before}"));
    }
    if let Some(not_after) = cert_info.not_after_unix {
        fields.push(format!("NA={not_after}"));
    }
    if !cert_info.san_names.is_empty() {
        let san = cert_info
            .san_names
            .iter()
            .take(8)
            .map(String::as_str)
            .collect::<Vec<_>>()
            .join(",");
        fields.push(format!("SAN={san}"));
    }
    if fields.is_empty() {
        return None;
    }
    let mut payload = fields.join(";").into_bytes();
    if payload.len() > 512 {
        payload.truncate(512);
    }
    Some(payload)
 }
 /// Build a ServerHello + CCS + ApplicationData sequence using cached TLS metadata.
 pub fn build_emulated_server_hello(
    secret: &[u8],
    client_digest: &[u8; TLS_DIGEST_LEN],
    session_id: &[u8],
    cached: &CachedTlsData,
    use_full_cert_payload: bool,
    rng: &SecureRandom,
    alpn: Option<Vec<u8>>,
    new_session_tickets: u8,
 ) -> Vec<u8> {
    // --- ServerHello ---
    let mut extensions = Vec::new();
    // KeyShare (x25519)
    let key = gen_fake_x25519_key(rng);
    extensions.extend_from_slice(&0x0033u16.to_be_bytes()); // key_share
    extensions.extend_from_slice(&(2 + 2 + 32u16).to_be_bytes()); // len
    extensions.extend_from_slice(&0x001du16.to_be_bytes()); // X25519
    extensions.extend_from_slice(&(32u16).to_be_bytes());
    extensions.extend_from_slice(&key);
    // supported_versions (TLS1.3)
    extensions.extend_from_slice(&0x002bu16.to_be_bytes());
    extensions.extend_from_slice(&(2u16).to_be_bytes());
    extensions.extend_from_slice(&0x0304u16.to_be_bytes());
    if let Some(alpn_proto) = &alpn {
        extensions.extend_from_slice(&0x0010u16.to_be_bytes());
        let list_len: u16 = 1 + alpn_proto.len() as u16;
        let ext_len: u16 = 2 + list_len;
        extensions.extend_from_slice(&ext_len.to_be_bytes());
        extensions.extend_from_slice(&list_len.to_be_bytes());
        extensions.push(alpn_proto.len() as u8);
        extensions.extend_from_slice(alpn_proto);
    }
    let extensions_len = extensions.len() as u16;
    let body_len = 2 + // version
        32 + // random
        1 + session_id.len() + // session id
        2 + // cipher
        1 + // compression
        2 + extensions.len(); // extensions
    let mut message = Vec::with_capacity(4 + body_len);
    message.push(0x02); // ServerHello
    let len_bytes = (body_len as u32).to_be_bytes();
    message.extend_from_slice(&len_bytes[1..4]);
    message.extend_from_slice(&cached.server_hello_template.version); // 0x0303
    message.extend_from_slice(&[0u8; 32]); // random placeholder
    message.push(session_id.len() as u8);
    message.extend_from_slice(session_id);
    let cipher = if cached.server_hello_template.cipher_suite == [0, 0] {
        [0x13, 0x01]
    } else {
        cached.server_hello_template.cipher_suite
    };
    message.extend_from_slice(&cipher);
    message.push(cached.server_hello_template.compression);
    message.extend_from_slice(&extensions_len.to_be_bytes());
    message.extend_from_slice(&extensions);
    let mut server_hello = Vec::with_capacity(5 + message.len());
    server_hello.push(TLS_RECORD_HANDSHAKE);
    server_hello.extend_from_slice(&TLS_VERSION);
    server_hello.extend_from_slice(&(message.len() as u16).to_be_bytes());
    server_hello.extend_from_slice(&message);
    // --- ChangeCipherSpec ---
    let change_cipher_spec = [
        TLS_RECORD_CHANGE_CIPHER,
        TLS_VERSION[0],
        TLS_VERSION[1],
        0x00,
        0x01,
        0x01,
    ];
    // --- ApplicationData (fake encrypted records) ---
    // Use the same number and sizes of ApplicationData records as the cached server.
    let mut sizes = cached.app_data_records_sizes.clone();
    if sizes.is_empty() {
        sizes.push(cached.total_app_data_len.max(1024));
    }
    let mut sizes = jitter_and_clamp_sizes(&sizes, rng);
    let compact_payload = cached
        .cert_info
        .as_ref()
        .and_then(build_compact_cert_info_payload);
    let selected_payload: Option<&[u8]> = if use_full_cert_payload {
        cached
            .cert_payload
            .as_ref()
            .map(|payload| payload.certificate_message.as_slice())
            .filter(|payload| !payload.is_empty())
            .or(compact_payload.as_deref())
    } else {
        compact_payload.as_deref()
    };
    if let Some(payload) = selected_payload {
        sizes = ensure_payload_capacity(sizes, payload.len());
    }
    let mut app_data = Vec::new();
    let mut payload_offset = 0usize;
    for size in sizes {
        let mut rec = Vec::with_capacity(5 + size);
        rec.push(TLS_RECORD_APPLICATION);
        rec.extend_from_slice(&TLS_VERSION);
        rec.extend_from_slice(&(size as u16).to_be_bytes());
        if let Some(payload) = selected_payload {
            if size > 17 {
                let body_len = size - 17;
                let remaining = payload.len().saturating_sub(payload_offset);
                let copy_len = remaining.min(body_len);
                if copy_len > 0 {
                    rec.extend_from_slice(&payload[payload_offset..payload_offset + copy_len]);
                    payload_offset += copy_len;
                }
                if body_len > copy_len {
                    rec.extend_from_slice(&rng.bytes(body_len - copy_len));
                }
                rec.push(0x16); // inner content type marker (handshake)
                rec.extend_from_slice(&rng.bytes(16)); // AEAD-like tag
            } else {
                rec.extend_from_slice(&rng.bytes(size));
            }
        } else if size > 17 {
            let body_len = size - 17;
            rec.extend_from_slice(&rng.bytes(body_len));
            rec.push(0x16); // inner content type marker (handshake)
            rec.extend_from_slice(&rng.bytes(16)); // AEAD-like tag
        } else {
            rec.extend_from_slice(&rng.bytes(size));
        }
        app_data.extend_from_slice(&rec);
    }
    // --- Combine ---
    // Optional NewSessionTicket mimic records (opaque ApplicationData for fingerprint).
    let mut tickets = Vec::new();
    if new_session_tickets > 0 {
        for _ in 0..new_session_tickets {
            let ticket_len: usize = rng.range(48) + 48;
            let mut rec = Vec::with_capacity(5 + ticket_len);
            rec.push(TLS_RECORD_APPLICATION);
            rec.extend_from_slice(&TLS_VERSION);
            rec.extend_from_slice(&(ticket_len as u16).to_be_bytes());
            rec.extend_from_slice(&rng.bytes(ticket_len));
            tickets.extend_from_slice(&rec);
        }
    }
    let mut response = Vec::with_capacity(server_hello.len() + change_cipher_spec.len() + app_data.len() + tickets.len());
    response.extend_from_slice(&server_hello);
    response.extend_from_slice(&change_cipher_spec);
    response.extend_from_slice(&app_data);
    response.extend_from_slice(&tickets);
    // --- HMAC ---
    let mut hmac_input = Vec::with_capacity(TLS_DIGEST_LEN + response.len());
    hmac_input.extend_from_slice(client_digest);
    hmac_input.extend_from_slice(&response);
    let digest = sha256_hmac(secret, &hmac_input);
    response[TLS_DIGEST_POS..TLS_DIGEST_POS + TLS_DIGEST_LEN].copy_from_slice(&digest);
    response
 }
 #[cfg(test)]
 mod tests {
    use std::time::SystemTime;
    use crate::tls_front::types::{CachedTlsData, ParsedServerHello, TlsCertPayload};
    use super::build_emulated_server_hello;
    use crate::crypto::SecureRandom;
    use crate::protocol::constants::{
        TLS_RECORD_APPLICATION, TLS_RECORD_CHANGE_CIPHER, TLS_RECORD_HANDSHAKE,
    };
    fn first_app_data_payload(response: &[u8]) -> &[u8] {
        let hello_len = u16::from_be_bytes([response[3], response[4]]) as usize;
        let ccs_start = 5 + hello_len;
        let ccs_len = u16::from_be_bytes([response[ccs_start + 3], response[ccs_start + 4]]) as usize;
        let app_start = ccs_start + 5 + ccs_len;
        let app_len = u16::from_be_bytes([response[app_start + 3], response[app_start + 4]]) as usize;
        &response[app_start + 5..app_start + 5 + app_len]
    }
    fn make_cached(cert_payload: Option<TlsCertPayload>) -> CachedTlsData {
        CachedTlsData {
            server_hello_template: ParsedServerHello {
                version: [0x03, 0x03],
                random: [0u8; 32],
                session_id: Vec::new(),
                cipher_suite: [0x13, 0x01],
                compression: 0,
                extensions: Vec::new(),
            },
            cert_info: None,
            cert_payload,
            app_data_records_sizes: vec![64],
            total_app_data_len: 64,
            fetched_at: SystemTime::now(),
            domain: "example.com".to_string(),
        }
    }
    #[test]
    fn test_build_emulated_server_hello_uses_cached_cert_payload() {
        let cert_msg = vec![0x0b, 0x00, 0x00, 0x05, 0x00, 0xaa, 0xbb, 0xcc, 0xdd];
        let cached = make_cached(Some(TlsCertPayload {
            cert_chain_der: vec![vec![0x30, 0x01, 0x00]],
            certificate_message: cert_msg.clone(),
        }));
        let rng = SecureRandom::new();
        let response = build_emulated_server_hello(
            b"secret",
            &[0x11; 32],
            &[0x22; 16],
            &cached,
            true,
            &rng,
            None,
            0,
        );
        assert_eq!(response[0], TLS_RECORD_HANDSHAKE);
        let hello_len = u16::from_be_bytes([response[3], response[4]]) as usize;
        let ccs_start = 5 + hello_len;
        assert_eq!(response[ccs_start], TLS_RECORD_CHANGE_CIPHER);
        let app_start = ccs_start + 6;
        assert_eq!(response[app_start], TLS_RECORD_APPLICATION);
        let payload = first_app_data_payload(&response);
        assert!(payload.starts_with(&cert_msg));
    }
    #[test]
    fn test_build_emulated_server_hello_random_fallback_when_no_cert_payload() {
        let cached = make_cached(None);
        let rng = SecureRandom::new();
        let response = build_emulated_server_hello(
            b"secret",
            &[0x22; 32],
            &[0x33; 16],
            &cached,
            true,
            &rng,
            None,
            0,
        );
        let payload = first_app_data_payload(&response);
        assert!(payload.len() >= 64);
        assert_eq!(payload[payload.len() - 17], 0x16);
    }
    #[test]
    fn test_build_emulated_server_hello_uses_compact_payload_after_first() {
        let cert_msg = vec![0x0b, 0x00, 0x00, 0x05, 0x00, 0xaa, 0xbb, 0xcc, 0xdd];
        let mut cached = make_cached(Some(TlsCertPayload {
            cert_chain_der: vec![vec![0x30, 0x01, 0x00]],
            certificate_message: cert_msg,
        }));
        cached.cert_info = Some(crate::tls_front::types::ParsedCertificateInfo {
            not_after_unix: Some(1_900_000_000),
            not_before_unix: Some(1_700_000_000),
            issuer_cn: Some("Issuer".to_string()),
            subject_cn: Some("example.com".to_string()),
            san_names: vec!["example.com".to_string(), "www.example.com".to_string()],
        });
        let rng = SecureRandom::new();
        let response = build_emulated_server_hello(
            b"secret",
            &[0x44; 32],
            &[0x55; 16],
            &cached,
            false,
            &rng,
            None,
            0,
        );
        let payload = first_app_data_payload(&response);
        assert!(payload.starts_with(b"CN=example.com"));
    }
 }
--- a/src/tls_front/fetcher.rs
+++ b/src/tls_front/fetcher.rs
@@ -0,0 +1,591 @@
 use std::sync::Arc;
 use std::time::Duration;
 use anyhow::{Result, anyhow};
 use tokio::io::{AsyncReadExt, AsyncWriteExt};
 use tokio::net::TcpStream;
 use tokio::time::timeout;
 use tokio_rustls::client::TlsStream;
 use tokio_rustls::TlsConnector;
 use tracing::{debug, warn};
 use rustls::client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier};
 use rustls::client::ClientConfig;
 use rustls::pki_types::{CertificateDer, ServerName, UnixTime};
 use rustls::{DigitallySignedStruct, Error as RustlsError};
 use x509_parser::prelude::FromDer;
 use x509_parser::certificate::X509Certificate;
 use crate::crypto::SecureRandom;
 use crate::protocol::constants::{TLS_RECORD_APPLICATION, TLS_RECORD_HANDSHAKE};
 use crate::tls_front::types::{
    ParsedCertificateInfo,
    ParsedServerHello,
    TlsCertPayload,
    TlsExtension,
    TlsFetchResult,
 };
 /// No-op verifier: accept any certificate (we only need lengths and metadata).
 #[derive(Debug)]
 struct NoVerify;
 impl ServerCertVerifier for NoVerify {
    fn verify_server_cert(
        &self,
        _end_entity: &CertificateDer<'_>,
        _intermediates: &[CertificateDer<'_>],
        _server_name: &ServerName<'_>,
        _ocsp: &[u8],
        _now: UnixTime,
    ) -> Result<ServerCertVerified, RustlsError> {
        Ok(ServerCertVerified::assertion())
    }
    fn verify_tls12_signature(
        &self,
        _message: &[u8],
        _cert: &CertificateDer<'_>,
        _dss: &DigitallySignedStruct,
    ) -> Result<HandshakeSignatureValid, RustlsError> {
        Ok(HandshakeSignatureValid::assertion())
    }
    fn verify_tls13_signature(
        &self,
        _message: &[u8],
        _cert: &CertificateDer<'_>,
        _dss: &DigitallySignedStruct,
    ) -> Result<HandshakeSignatureValid, RustlsError> {
        Ok(HandshakeSignatureValid::assertion())
    }
    fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> {
        use rustls::SignatureScheme::*;
        vec![
            RSA_PKCS1_SHA256,
            RSA_PSS_SHA256,
            ECDSA_NISTP256_SHA256,
            ECDSA_NISTP384_SHA384,
        ]
    }
 }
 fn build_client_config() -> Arc<ClientConfig> {
    let root = rustls::RootCertStore::empty();
    let provider = rustls::crypto::ring::default_provider();
    let mut config = ClientConfig::builder_with_provider(Arc::new(provider))
        .with_protocol_versions(&[&rustls::version::TLS13, &rustls::version::TLS12])
        .expect("protocol versions")
        .with_root_certificates(root)
        .with_no_client_auth();
    config
        .dangerous()
        .set_certificate_verifier(Arc::new(NoVerify));
    Arc::new(config)
 }
 fn build_client_hello(sni: &str, rng: &SecureRandom) -> Vec<u8> {
    // === ClientHello body ===
    let mut body = Vec::new();
    // Legacy version (TLS 1.0) as in real ClientHello headers
    body.extend_from_slice(&[0x03, 0x03]);
    // Random
    body.extend_from_slice(&rng.bytes(32));
    // Session ID: empty
    body.push(0);
    // Cipher suites (common minimal set, TLS1.3 + a few 1.2 fallbacks)
    let cipher_suites: [u8; 10] = [
        0x13, 0x01, // TLS_AES_128_GCM_SHA256
        0x13, 0x02, // TLS_AES_256_GCM_SHA384
        0x13, 0x03, // TLS_CHACHA20_POLY1305_SHA256
        0x00, 0x2f, // TLS_RSA_WITH_AES_128_CBC_SHA (legacy)
        0x00, 0xff, // RENEGOTIATION_INFO_SCSV
    ];
    body.extend_from_slice(&(cipher_suites.len() as u16).to_be_bytes());
    body.extend_from_slice(&cipher_suites);
    // Compression methods: null only
    body.push(1);
    body.push(0);
    // === Extensions ===
    let mut exts = Vec::new();
    // server_name (SNI)
    let sni_bytes = sni.as_bytes();
    let mut sni_ext = Vec::with_capacity(5 + sni_bytes.len());
    sni_ext.extend_from_slice(&(sni_bytes.len() as u16 + 3).to_be_bytes());
    sni_ext.push(0); // host_name
    sni_ext.extend_from_slice(&(sni_bytes.len() as u16).to_be_bytes());
    sni_ext.extend_from_slice(sni_bytes);
    exts.extend_from_slice(&0x0000u16.to_be_bytes());
    exts.extend_from_slice(&(sni_ext.len() as u16).to_be_bytes());
    exts.extend_from_slice(&sni_ext);
    // supported_groups
    let groups: [u16; 2] = [0x001d, 0x0017]; // x25519, secp256r1
    exts.extend_from_slice(&0x000au16.to_be_bytes());
    exts.extend_from_slice(&((2 + groups.len() * 2) as u16).to_be_bytes());
    exts.extend_from_slice(&(groups.len() as u16 * 2).to_be_bytes());
    for g in groups { exts.extend_from_slice(&g.to_be_bytes()); }
    // signature_algorithms
    let sig_algs: [u16; 4] = [0x0804, 0x0805, 0x0403, 0x0503]; // rsa_pss_rsae_sha256/384, ecdsa_secp256r1_sha256, rsa_pkcs1_sha256
    exts.extend_from_slice(&0x000du16.to_be_bytes());
    exts.extend_from_slice(&((2 + sig_algs.len() * 2) as u16).to_be_bytes());
    exts.extend_from_slice(&(sig_algs.len() as u16 * 2).to_be_bytes());
    for a in sig_algs { exts.extend_from_slice(&a.to_be_bytes()); }
    // supported_versions (TLS1.3 + TLS1.2)
    let versions: [u16; 2] = [0x0304, 0x0303];
    exts.extend_from_slice(&0x002bu16.to_be_bytes());
    exts.extend_from_slice(&((1 + versions.len() * 2) as u16).to_be_bytes());
    exts.push((versions.len() * 2) as u8);
    for v in versions { exts.extend_from_slice(&v.to_be_bytes()); }
    // key_share (x25519)
    let key = gen_key_share(rng);
    let mut keyshare = Vec::with_capacity(4 + key.len());
    keyshare.extend_from_slice(&0x001du16.to_be_bytes()); // group
    keyshare.extend_from_slice(&(key.len() as u16).to_be_bytes());
    keyshare.extend_from_slice(&key);
    exts.extend_from_slice(&0x0033u16.to_be_bytes());
    exts.extend_from_slice(&((2 + keyshare.len()) as u16).to_be_bytes());
    exts.extend_from_slice(&(keyshare.len() as u16).to_be_bytes());
    exts.extend_from_slice(&keyshare);
    // ALPN (http/1.1)
    let alpn_proto = b"http/1.1";
    exts.extend_from_slice(&0x0010u16.to_be_bytes());
    exts.extend_from_slice(&((2 + 1 + alpn_proto.len()) as u16).to_be_bytes());
    exts.extend_from_slice(&((1 + alpn_proto.len()) as u16).to_be_bytes());
    exts.push(alpn_proto.len() as u8);
    exts.extend_from_slice(alpn_proto);
    // padding to reduce recognizability and keep length ~500 bytes
    const TARGET_EXT_LEN: usize = 180;
    if exts.len() < TARGET_EXT_LEN {
        let remaining = TARGET_EXT_LEN - exts.len();
        if remaining > 4 {
            let pad_len = remaining - 4; // minus type+len
            exts.extend_from_slice(&0x0015u16.to_be_bytes()); // padding extension
            exts.extend_from_slice(&(pad_len as u16).to_be_bytes());
            exts.resize(exts.len() + pad_len, 0);
        }
    }
    // Extensions length prefix
    body.extend_from_slice(&(exts.len() as u16).to_be_bytes());
    body.extend_from_slice(&exts);
    // === Handshake wrapper ===
    let mut handshake = Vec::new();
    handshake.push(0x01); // ClientHello
    let len_bytes = (body.len() as u32).to_be_bytes();
    handshake.extend_from_slice(&len_bytes[1..4]);
    handshake.extend_from_slice(&body);
    // === Record ===
    let mut record = Vec::new();
    record.push(TLS_RECORD_HANDSHAKE);
    record.extend_from_slice(&[0x03, 0x01]); // legacy record version
    record.extend_from_slice(&(handshake.len() as u16).to_be_bytes());
    record.extend_from_slice(&handshake);
    record
 }
 fn gen_key_share(rng: &SecureRandom) -> [u8; 32] {
    let mut key = [0u8; 32];
    key.copy_from_slice(&rng.bytes(32));
    key
 }
 async fn read_tls_record(stream: &mut TcpStream) -> Result<(u8, Vec<u8>)> {
    let mut header = [0u8; 5];
    stream.read_exact(&mut header).await?;
    let len = u16::from_be_bytes([header[3], header[4]]) as usize;
    let mut body = vec![0u8; len];
    stream.read_exact(&mut body).await?;
    Ok((header[0], body))
 }
 fn parse_server_hello(body: &[u8]) -> Option<ParsedServerHello> {
    if body.len() < 4 || body[0] != 0x02 {
        return None;
    }
    let msg_len = u32::from_be_bytes([0, body[1], body[2], body[3]]) as usize;
    if msg_len + 4 > body.len() {
        return None;
    }
    let mut pos = 4;
    let version = [*body.get(pos)?, *body.get(pos + 1)?];
    pos += 2;
    let mut random = [0u8; 32];
    random.copy_from_slice(body.get(pos..pos + 32)?);
    pos += 32;
    let session_len = *body.get(pos)? as usize;
    pos += 1;
    let session_id = body.get(pos..pos + session_len)?.to_vec();
    pos += session_len;
    let cipher_suite = [*body.get(pos)?, *body.get(pos + 1)?];
    pos += 2;
    let compression = *body.get(pos)?;
    pos += 1;
    let ext_len = u16::from_be_bytes([*body.get(pos)?, *body.get(pos + 1)?]) as usize;
    pos += 2;
    let ext_end = pos.checked_add(ext_len)?;
    if ext_end > body.len() {
        return None;
    }
    let mut extensions = Vec::new();
    while pos + 4 <= ext_end {
        let etype = u16::from_be_bytes([body[pos], body[pos + 1]]);
        let elen = u16::from_be_bytes([body[pos + 2], body[pos + 3]]) as usize;
        pos += 4;
        let data = body.get(pos..pos + elen)?.to_vec();
        pos += elen;
        extensions.push(TlsExtension { ext_type: etype, data });
    }
    Some(ParsedServerHello {
        version,
        random,
        session_id,
        cipher_suite,
        compression,
        extensions,
    })
 }
 fn parse_cert_info(certs: &[CertificateDer<'static>]) -> Option<ParsedCertificateInfo> {
    let first = certs.first()?;
    let (_rem, cert) = X509Certificate::from_der(first.as_ref()).ok()?;
    let not_before = Some(cert.validity().not_before.to_datetime().unix_timestamp());
    let not_after = Some(cert.validity().not_after.to_datetime().unix_timestamp());
    let issuer_cn = cert
        .issuer()
        .iter_common_name()
        .next()
        .and_then(|cn| cn.as_str().ok())
        .map(|s| s.to_string());
    let subject_cn = cert
        .subject()
        .iter_common_name()
        .next()
        .and_then(|cn| cn.as_str().ok())
        .map(|s| s.to_string());
    let san_names = cert
        .subject_alternative_name()
        .ok()
        .flatten()
        .map(|san| {
            san.value
                .general_names
                .iter()
                .filter_map(|gn| match gn {
                    x509_parser::extensions::GeneralName::DNSName(n) => Some(n.to_string()),
                    _ => None,
                })
                .collect::<Vec<_>>()
        })
        .unwrap_or_default();
    Some(ParsedCertificateInfo {
        not_after_unix: not_after,
        not_before_unix: not_before,
        issuer_cn,
        subject_cn,
        san_names,
    })
 }
 fn u24_bytes(value: usize) -> Option<[u8; 3]> {
    if value > 0x00ff_ffff {
        return None;
    }
    Some([
        ((value >> 16) & 0xff) as u8,
        ((value >> 8) & 0xff) as u8,
        (value & 0xff) as u8,
    ])
 }
 fn encode_tls13_certificate_message(cert_chain_der: &[Vec<u8>]) -> Option<Vec<u8>> {
    if cert_chain_der.is_empty() {
        return None;
    }
    let mut certificate_list = Vec::new();
    for cert in cert_chain_der {
        if cert.is_empty() {
            return None;
        }
        certificate_list.extend_from_slice(&u24_bytes(cert.len())?);
        certificate_list.extend_from_slice(cert);
        certificate_list.extend_from_slice(&0u16.to_be_bytes()); // cert_entry extensions
    }
    // Certificate = context_len(1) + certificate_list_len(3) + entries
    let body_len = 1usize
        .checked_add(3)?
        .checked_add(certificate_list.len())?;
    let mut message = Vec::with_capacity(4 + body_len);
    message.push(0x0b); // HandshakeType::certificate
    message.extend_from_slice(&u24_bytes(body_len)?);
    message.push(0x00); // certificate_request_context length
    message.extend_from_slice(&u24_bytes(certificate_list.len())?);
    message.extend_from_slice(&certificate_list);
    Some(message)
 }
 async fn fetch_via_raw_tls(
    host: &str,
    port: u16,
    sni: &str,
    connect_timeout: Duration,
 ) -> Result<TlsFetchResult> {
    let addr = format!("{host}:{port}");
    let mut stream = timeout(connect_timeout, TcpStream::connect(addr)).await??;
    let rng = SecureRandom::new();
    let client_hello = build_client_hello(sni, &rng);
    timeout(connect_timeout, async {
        stream.write_all(&client_hello).await?;
        stream.flush().await?;
        Ok::<(), std::io::Error>(())
    })
    .await??;
    let mut records = Vec::new();
    // Read up to 4 records: ServerHello, CCS, and up to two ApplicationData.
    for _ in 0..4 {
        match timeout(connect_timeout, read_tls_record(&mut stream)).await {
            Ok(Ok(rec)) => records.push(rec),
            Ok(Err(e)) => return Err(e),
            Err(_) => break,
        }
        if records.len() >= 3 && records.iter().any(|(t, _)| *t == TLS_RECORD_APPLICATION) {
            break;
        }
    }
    let mut app_sizes = Vec::new();
    let mut server_hello = None;
    for (t, body) in &records {
        if *t == TLS_RECORD_HANDSHAKE && server_hello.is_none() {
            server_hello = parse_server_hello(body);
        } else if *t == TLS_RECORD_APPLICATION {
            app_sizes.push(body.len());
        }
    }
    let parsed = server_hello.ok_or_else(|| anyhow!("ServerHello not received"))?;
    let total_app_data_len = app_sizes.iter().sum::<usize>().max(1024);
    Ok(TlsFetchResult {
        server_hello_parsed: parsed,
        app_data_records_sizes: if app_sizes.is_empty() {
            vec![total_app_data_len]
        } else {
            app_sizes
        },
        total_app_data_len,
        cert_info: None,
        cert_payload: None,
    })
 }
 async fn fetch_via_rustls(
    host: &str,
    port: u16,
    sni: &str,
    connect_timeout: Duration,
    upstream: Option<std::sync::Arc<crate::transport::UpstreamManager>>,
 ) -> Result<TlsFetchResult> {
    // rustls handshake path for certificate and basic negotiated metadata.
    let stream = if let Some(manager) = upstream {
        // Resolve host to SocketAddr
        if let Ok(mut addrs) = tokio::net::lookup_host((host, port)).await {
            if let Some(addr) = addrs.find(|a| a.is_ipv4()) {
                match manager.connect(addr, None, None).await {
                    Ok(s) => s,
                    Err(e) => {
                        warn!(sni = %sni, error = %e, "Upstream connect failed, using direct connect");
                        timeout(connect_timeout, TcpStream::connect((host, port))).await??
                    }
                }
            } else {
                timeout(connect_timeout, TcpStream::connect((host, port))).await??
            }
        } else {
            timeout(connect_timeout, TcpStream::connect((host, port))).await??
        }
    } else {
        timeout(connect_timeout, TcpStream::connect((host, port))).await??
    };
    let config = build_client_config();
    let connector = TlsConnector::from(config);
    let server_name = ServerName::try_from(sni.to_owned())
        .or_else(|_| ServerName::try_from(host.to_owned()))
        .map_err(|_| RustlsError::General("invalid SNI".into()))?;
    let tls_stream: TlsStream<TcpStream> = connector.connect(server_name, stream).await?;
    // Extract negotiated parameters and certificates
    let (_io, session) = tls_stream.get_ref();
    let cipher_suite = session
        .negotiated_cipher_suite()
        .map(|s| u16::from(s.suite()).to_be_bytes())
        .unwrap_or([0x13, 0x01]);
    let certs: Vec<CertificateDer<'static>> = session
        .peer_certificates()
        .map(|slice| slice.to_vec())
        .unwrap_or_default();
    let cert_chain_der: Vec<Vec<u8>> = certs.iter().map(|c| c.as_ref().to_vec()).collect();
    let cert_payload = encode_tls13_certificate_message(&cert_chain_der).map(|certificate_message| {
        TlsCertPayload {
            cert_chain_der: cert_chain_der.clone(),
            certificate_message,
        }
    });
    let total_cert_len = cert_payload
        .as_ref()
        .map(|payload| payload.certificate_message.len())
        .unwrap_or_else(|| cert_chain_der.iter().map(Vec::len).sum::<usize>())
        .max(1024);
    let cert_info = parse_cert_info(&certs);
    // Heuristic: split across two records if large to mimic real servers a bit.
    let app_data_records_sizes = if total_cert_len > 3000 {
        vec![total_cert_len / 2, total_cert_len - total_cert_len / 2]
    } else {
        vec![total_cert_len]
    };
    let parsed = ParsedServerHello {
        version: [0x03, 0x03],
        random: [0u8; 32],
        session_id: Vec::new(),
        cipher_suite,
        compression: 0,
        extensions: Vec::new(),
    };
    debug!(
        sni = %sni,
        len = total_cert_len,
        cipher = format!("0x{:04x}", u16::from_be_bytes(cipher_suite)),
        has_cert_payload = cert_payload.is_some(),
        "Fetched TLS metadata via rustls"
    );
    Ok(TlsFetchResult {
        server_hello_parsed: parsed,
        app_data_records_sizes: app_data_records_sizes.clone(),
        total_app_data_len: app_data_records_sizes.iter().sum(),
        cert_info,
        cert_payload,
    })
 }
 /// Fetch real TLS metadata for the given SNI.
 ///
 /// Strategy:
 /// 1) Probe raw TLS for realistic ServerHello and ApplicationData record sizes.
 /// 2) Fetch certificate chain via rustls to build cert payload.
 /// 3) Merge both when possible; otherwise auto-fallback to whichever succeeded.
 pub async fn fetch_real_tls(
    host: &str,
    port: u16,
    sni: &str,
    connect_timeout: Duration,
    upstream: Option<std::sync::Arc<crate::transport::UpstreamManager>>,
 ) -> Result<TlsFetchResult> {
    let raw_result = match fetch_via_raw_tls(host, port, sni, connect_timeout).await {
        Ok(res) => Some(res),
        Err(e) => {
            warn!(sni = %sni, error = %e, "Raw TLS fetch failed");
            None
        }
    };
    match fetch_via_rustls(host, port, sni, connect_timeout, upstream).await {
        Ok(rustls_result) => {
            if let Some(mut raw) = raw_result {
                raw.cert_info = rustls_result.cert_info;
                raw.cert_payload = rustls_result.cert_payload;
                debug!(sni = %sni, "Fetched TLS metadata via raw probe + rustls cert chain");
                Ok(raw)
            } else {
                Ok(rustls_result)
            }
        }
        Err(e) => {
            if let Some(raw) = raw_result {
                warn!(sni = %sni, error = %e, "Rustls cert fetch failed, using raw TLS metadata only");
                Ok(raw)
            } else {
                Err(e)
            }
        }
    }
 }
 #[cfg(test)]
 mod tests {
    use super::encode_tls13_certificate_message;
    fn read_u24(bytes: &[u8]) -> usize {
        ((bytes[0] as usize) << 16) | ((bytes[1] as usize) << 8) | (bytes[2] as usize)
    }
    #[test]
    fn test_encode_tls13_certificate_message_single_cert() {
        let cert = vec![0x30, 0x03, 0x02, 0x01, 0x01];
        let message = encode_tls13_certificate_message(&[cert.clone()]).expect("message");
        assert_eq!(message[0], 0x0b);
        assert_eq!(read_u24(&message[1..4]), message.len() - 4);
        assert_eq!(message[4], 0x00);
        let cert_list_len = read_u24(&message[5..8]);
        assert_eq!(cert_list_len, cert.len() + 5);
        let cert_len = read_u24(&message[8..11]);
        assert_eq!(cert_len, cert.len());
        assert_eq!(&message[11..11 + cert.len()], cert.as_slice());
        assert_eq!(&message[11 + cert.len()..13 + cert.len()], &[0x00, 0x00]);
    }
    #[test]
    fn test_encode_tls13_certificate_message_empty_chain() {
        assert!(encode_tls13_certificate_message(&[]).is_none());
    }
 }
--- a/src/tls_front/mod.rs
+++ b/src/tls_front/mod.rs
@@ -0,0 +1,8 @@
 pub mod types;
 pub mod cache;
 pub mod fetcher;
 pub mod emulator;
 pub use cache::TlsFrontCache;
 #[allow(unused_imports)]
 pub use types::{CachedTlsData, TlsFetchResult};
--- a/src/tls_front/types.rs
+++ b/src/tls_front/types.rs
@@ -0,0 +1,68 @@
 use std::time::SystemTime;
 use serde::{Serialize, Deserialize};
 /// Parsed representation of an unencrypted TLS ServerHello.
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct ParsedServerHello {
    pub version: [u8; 2],
    pub random: [u8; 32],
    pub session_id: Vec<u8>,
    pub cipher_suite: [u8; 2],
    pub compression: u8,
    pub extensions: Vec<TlsExtension>,
 }
 /// Generic TLS extension container.
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct TlsExtension {
    pub ext_type: u16,
    pub data: Vec<u8>,
 }
 /// Basic certificate metadata (optional, informative).
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct ParsedCertificateInfo {
    pub not_after_unix: Option<i64>,
    pub not_before_unix: Option<i64>,
    pub issuer_cn: Option<String>,
    pub subject_cn: Option<String>,
    pub san_names: Vec<String>,
 }
 /// TLS certificate payload captured from profiled upstream.
 ///
 /// `certificate_message` stores an encoded TLS 1.3 Certificate handshake
 /// message body that can be replayed as opaque ApplicationData bytes in FakeTLS.
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct TlsCertPayload {
    pub cert_chain_der: Vec<Vec<u8>>,
    pub certificate_message: Vec<u8>,
 }
 /// Cached data per SNI used by the emulator.
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct CachedTlsData {
    pub server_hello_template: ParsedServerHello,
    pub cert_info: Option<ParsedCertificateInfo>,
    #[serde(default)]
    pub cert_payload: Option<TlsCertPayload>,
    pub app_data_records_sizes: Vec<usize>,
    pub total_app_data_len: usize,
    #[serde(default = "now_system_time", skip_serializing, skip_deserializing)]
    pub fetched_at: SystemTime,
    pub domain: String,
 }
 fn now_system_time() -> SystemTime {
    SystemTime::now()
 }
 /// Result of attempting to fetch real TLS artifacts.
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct TlsFetchResult {
    pub server_hello_parsed: ParsedServerHello,
    pub app_data_records_sizes: Vec<usize>,
    pub total_app_data_len: usize,
    pub cert_info: Option<ParsedCertificateInfo>,
    pub cert_payload: Option<TlsCertPayload>,
 }
--- a/src/transport/middle_proxy.rs
+++ b/src/transport/middle_proxy.rs
@@ -1,925 +0,0 @@
 //! Middle Proxy RPC Transport
 //!
 //! Implements Telegram Middle-End RPC protocol for routing to ALL DCs (including CDN).
 //!
 //! ## Phase 3 fixes:
 //! - ROOT CAUSE: Use Telegram proxy-secret (binary file) not user secret
 //! - Streaming handshake response (no fixed-size read deadlock)
 //! - Health monitoring + reconnection
 //! - Hex diagnostics for debugging
 use std::collections::HashMap;
 use std::net::{IpAddr, Ipv4Addr, SocketAddr};
 use std::sync::Arc;
 use std::sync::atomic::{AtomicU64, Ordering};
 use std::time::Duration;
 use bytes::{Bytes, BytesMut};
 use tokio::io::{AsyncReadExt, AsyncWriteExt};
 use tokio::net::TcpStream;
 use tokio::sync::{mpsc, Mutex, RwLock};
 use tokio::time::{timeout, Instant};
 use tracing::{debug, info, trace, warn, error};
 use crate::crypto::{crc32, derive_middleproxy_keys, AesCbc, SecureRandom};
 use crate::error::{ProxyError, Result};
 use crate::protocol::constants::*;
 // ========== Proxy Secret Fetching ==========
 /// Fetch the Telegram proxy-secret binary file.
 ///
 /// This is NOT the user secret (-S flag, 16 bytes hex for clients).
 /// This is the infrastructure secret (--aes-pwd in C MTProxy),
 /// a binary file of 32-512 bytes used for ME RPC key derivation.
 ///
 /// Strategy: try local cache, then download from Telegram.
 pub async fn fetch_proxy_secret(cache_path: Option<&str>) -> Result<Vec<u8>> {
    let cache = cache_path.unwrap_or("proxy-secret");
    // 1. Try local cache (< 24h old)
    if let Ok(metadata) = tokio::fs::metadata(cache).await {
        if let Ok(modified) = metadata.modified() {
            let age = std::time::SystemTime::now()
                .duration_since(modified)
                .unwrap_or(Duration::from_secs(u64::MAX));
            if age < Duration::from_secs(86400) {
                if let Ok(data) = tokio::fs::read(cache).await {
                    if data.len() >= 32 {
                        info!(
                            path = cache,
                            len = data.len(),
                            age_hours = age.as_secs() / 3600,
                            "Loaded proxy-secret from cache"
                        );
                        return Ok(data);
                    }
                    warn!(path = cache, len = data.len(), "Cached proxy-secret too short");
                }
            }
        }
    }
    // 2. Download from Telegram
    info!("Downloading proxy-secret from core.telegram.org...");
    let data = download_proxy_secret().await?;
    // 3. Cache locally (best-effort)
    if let Err(e) = tokio::fs::write(cache, &data).await {
        warn!(error = %e, "Failed to cache proxy-secret (non-fatal)");
    } else {
        debug!(path = cache, len = data.len(), "Cached proxy-secret");
    }
    Ok(data)
 }
 async fn download_proxy_secret() -> Result<Vec<u8>> {
    let url = "https://core.telegram.org/getProxySecret";
    let resp = reqwest::get(url)
        .await
        .map_err(|e| ProxyError::Proxy(format!("Failed to download proxy-secret: {}", e)))?;
    if !resp.status().is_success() {
        return Err(ProxyError::Proxy(format!(
            "proxy-secret download HTTP {}", resp.status()
        )));
    }
    let data = resp.bytes().await
        .map_err(|e| ProxyError::Proxy(format!("Read proxy-secret body: {}", e)))?
        .to_vec();
    if data.len() < 32 {
        return Err(ProxyError::Proxy(format!(
            "proxy-secret too short: {} bytes (need >= 32)", data.len()
        )));
    }
    info!(len = data.len(), "Downloaded proxy-secret OK");
    Ok(data)
 }
 // ========== RPC Frame helpers ==========
 /// Build an RPC frame: [len(4) | seq_no(4) | payload | crc32(4)]
 fn build_rpc_frame(seq_no: i32, payload: &[u8]) -> Vec<u8> {
    let total_len = (4 + 4 + payload.len() + 4) as u32;
    let mut f = Vec::with_capacity(total_len as usize);
    f.extend_from_slice(&total_len.to_le_bytes());
    f.extend_from_slice(&seq_no.to_le_bytes());
    f.extend_from_slice(payload);
    let c = crc32(&f);
    f.extend_from_slice(&c.to_le_bytes());
    f
 }
 /// Read one plaintext RPC frame. Returns (seq_no, payload).
 async fn read_rpc_frame_plaintext(
    rd: &mut (impl AsyncReadExt + Unpin),
 ) -> Result<(i32, Vec<u8>)> {
    let mut len_buf = [0u8; 4];
    rd.read_exact(&mut len_buf).await.map_err(ProxyError::Io)?;
    let total_len = u32::from_le_bytes(len_buf) as usize;
    if total_len < 12 || total_len > (1 << 24) {
        return Err(ProxyError::InvalidHandshake(
            format!("Bad RPC frame length: {}", total_len),
        ));
    }
    let mut rest = vec![0u8; total_len - 4];
    rd.read_exact(&mut rest).await.map_err(ProxyError::Io)?;
    let mut full = Vec::with_capacity(total_len);
    full.extend_from_slice(&len_buf);
    full.extend_from_slice(&rest);
    let crc_offset = total_len - 4;
    let expected_crc = u32::from_le_bytes([
        full[crc_offset], full[crc_offset + 1],
        full[crc_offset + 2], full[crc_offset + 3],
    ]);
    let actual_crc = crc32(&full[..crc_offset]);
    if expected_crc != actual_crc {
        return Err(ProxyError::InvalidHandshake(
            format!("CRC mismatch: 0x{:08x} vs 0x{:08x}", expected_crc, actual_crc),
        ));
    }
    let seq_no = i32::from_le_bytes([full[4], full[5], full[6], full[7]]);
    let payload = full[8..crc_offset].to_vec();
    Ok((seq_no, payload))
 }
 // ========== RPC Nonce (32 bytes payload) ==========
 fn build_nonce_payload(key_selector: u32, crypto_ts: u32, nonce: &[u8; 16]) -> [u8; 32] {
    let mut p = [0u8; 32];
    p[0..4].copy_from_slice(&RPC_NONCE_U32.to_le_bytes());
    p[4..8].copy_from_slice(&key_selector.to_le_bytes());
    p[8..12].copy_from_slice(&RPC_CRYPTO_AES_U32.to_le_bytes());
    p[12..16].copy_from_slice(&crypto_ts.to_le_bytes());
    p[16..32].copy_from_slice(nonce);
    p
 }
 fn parse_nonce_payload(d: &[u8]) -> Result<(u32, u32, [u8; 16])> {
    if d.len() < 32 {
        return Err(ProxyError::InvalidHandshake(
            format!("Nonce payload too short: {} bytes", d.len()),
        ));
    }
    let t = u32::from_le_bytes([d[0], d[1], d[2], d[3]]);
    if t != RPC_NONCE_U32 {
        return Err(ProxyError::InvalidHandshake(
            format!("Expected RPC_NONCE 0x{:08x}, got 0x{:08x}", RPC_NONCE_U32, t),
        ));
    }
    let schema = u32::from_le_bytes([d[8], d[9], d[10], d[11]]);
    let ts = u32::from_le_bytes([d[12], d[13], d[14], d[15]]);
    let mut nonce = [0u8; 16];
    nonce.copy_from_slice(&d[16..32]);
    Ok((schema, ts, nonce))
 }
 // ========== RPC Handshake (32 bytes payload) ==========
 fn build_handshake_payload(our_ip: u32, our_port: u16, peer_ip: u32, peer_port: u16) -> [u8; 32] {
    let mut p = [0u8; 32];
    p[0..4].copy_from_slice(&RPC_HANDSHAKE_U32.to_le_bytes());
    // flags = 0 at offset 4..8
    // sender_pid: {ip(4), port(2), pid(2), utime(4)} at offset 8..20
    p[8..12].copy_from_slice(&our_ip.to_le_bytes());
    p[12..14].copy_from_slice(&our_port.to_le_bytes());
    let pid = (std::process::id() & 0xFFFF) as u16;
    p[14..16].copy_from_slice(&pid.to_le_bytes());
    let utime = std::time::SystemTime::now()
        .duration_since(std::time::UNIX_EPOCH)
        .unwrap_or_default()
        .as_secs() as u32;
    p[16..20].copy_from_slice(&utime.to_le_bytes());
    // peer_pid: {ip(4), port(2), pid(2), utime(4)} at offset 20..32
    p[20..24].copy_from_slice(&peer_ip.to_le_bytes());
    p[24..26].copy_from_slice(&peer_port.to_le_bytes());
    p
 }
 // ========== CBC helpers ==========
 fn cbc_encrypt_padded(key: &[u8; 32], iv: &[u8; 16], plaintext: &[u8]) -> Result<(Vec<u8>, [u8; 16])> {
    let pad = (16 - (plaintext.len() % 16)) % 16;
    let mut buf = plaintext.to_vec();
    let pad_pattern: [u8; 4] = [0x04, 0x00, 0x00, 0x00];
    for i in 0..pad {
        buf.push(pad_pattern[i % 4]);
    }
    let cipher = AesCbc::new(*key, *iv);
    cipher.encrypt_in_place(&mut buf)
        .map_err(|e| ProxyError::Crypto(format!("CBC encrypt: {}", e)))?;
    let mut new_iv = [0u8; 16];
    if buf.len() >= 16 {
        new_iv.copy_from_slice(&buf[buf.len() - 16..]);
    }
    Ok((buf, new_iv))
 }
 fn cbc_decrypt_inplace(key: &[u8; 32], iv: &[u8; 16], data: &mut [u8]) -> Result<[u8; 16]> {
    let mut new_iv = [0u8; 16];
    if data.len() >= 16 {
        new_iv.copy_from_slice(&data[data.len() - 16..]);
    }
    AesCbc::new(*key, *iv)
        .decrypt_in_place(data)
        .map_err(|e| ProxyError::Crypto(format!("CBC decrypt: {}", e)))?;
    Ok(new_iv)
 }
 // ========== IPv4 helpers ==========
 fn ipv4_to_mapped_v6(ip: Ipv4Addr) -> [u8; 16] {
    let mut buf = [0u8; 16];
    buf[10] = 0xFF;
    buf[11] = 0xFF;
    let o = ip.octets();
    buf[12] = o[0]; buf[13] = o[1]; buf[14] = o[2]; buf[15] = o[3];
    buf
 }
 fn addr_to_ip_u32(addr: &SocketAddr) -> u32 {
    match addr.ip() {
        IpAddr::V4(v4) => u32::from_be_bytes(v4.octets()),
        IpAddr::V6(v6) => {
            if let Some(v4) = v6.to_ipv4_mapped() {
                u32::from_be_bytes(v4.octets())
            } else { 0 }
        }
    }
 }
 // ========== ME Response ==========
 #[derive(Debug)]
 pub enum MeResponse {
    Data(Bytes),
    Ack(u32),
    Close,
 }
 // ========== Connection Registry ==========
 pub struct ConnRegistry {
    map: RwLock<HashMap<u64, mpsc::Sender<MeResponse>>>,
    next_id: AtomicU64,
 }
 impl ConnRegistry {
    pub fn new() -> Self {
        Self {
            map: RwLock::new(HashMap::new()),
            next_id: AtomicU64::new(1),
        }
    }
    pub async fn register(&self) -> (u64, mpsc::Receiver<MeResponse>) {
        let id = self.next_id.fetch_add(1, Ordering::Relaxed);
        let (tx, rx) = mpsc::channel(256);
        self.map.write().await.insert(id, tx);
        (id, rx)
    }
    pub async fn unregister(&self, id: u64) {
        self.map.write().await.remove(&id);
    }
    pub async fn route(&self, id: u64, resp: MeResponse) -> bool {
        let m = self.map.read().await;
        if let Some(tx) = m.get(&id) {
            tx.send(resp).await.is_ok()
        } else { false }
    }
 }
 // ========== RPC Writer (streaming CBC) ==========
 struct RpcWriter {
    writer: tokio::io::WriteHalf<TcpStream>,
    key: [u8; 32],
    iv: [u8; 16],
    seq_no: i32,
 }
 impl RpcWriter {
    async fn send(&mut self, payload: &[u8]) -> Result<()> {
        let frame = build_rpc_frame(self.seq_no, payload);
        self.seq_no += 1;
        let pad = (16 - (frame.len() % 16)) % 16;
        let mut buf = frame;
        let pad_pattern: [u8; 4] = [0x04, 0x00, 0x00, 0x00];
        for i in 0..pad {
            buf.push(pad_pattern[i % 4]);
        }
        let cipher = AesCbc::new(self.key, self.iv);
        cipher.encrypt_in_place(&mut buf)
            .map_err(|e| ProxyError::Crypto(format!("{}", e)))?;
        if buf.len() >= 16 {
            self.iv.copy_from_slice(&buf[buf.len() - 16..]);
        }
        self.writer.write_all(&buf).await.map_err(ProxyError::Io)
    }
 }
 // ========== RPC_PROXY_REQ ==========
 fn build_proxy_req_payload(
    conn_id: u64,
    client_addr: SocketAddr,
    our_addr: SocketAddr,
    data: &[u8],
    proxy_tag: Option<&[u8]>,
    proto_flags: u32,
 ) -> Vec<u8> {
    // flags are pre-calculated by proto_flags_for_tag
    // We just need to ensure FLAG_HAS_AD_TAG is set if we have a tag (it is set by default in our new function, but let's be safe)
    let mut flags = proto_flags;
    // The C code logic:
    // flags = (transport_flags) | 0x1000 | 0x20000 | 0x8 (if tag)
    // Our proto_flags_for_tag returns: 0x8 | 0x1000 | 0x20000 | transport_flags
    // So we are good.
    let b_cap = 128 + data.len();
    let mut b = Vec::with_capacity(b_cap);
    b.extend_from_slice(&RPC_PROXY_REQ_U32.to_le_bytes());
    b.extend_from_slice(&flags.to_le_bytes());
    b.extend_from_slice(&conn_id.to_le_bytes());
    // Client IP (16 bytes IPv4-mapped-v6) + port (4 bytes)
    match client_addr.ip() {
        IpAddr::V4(v4) => b.extend_from_slice(&ipv4_to_mapped_v6(v4)),
        IpAddr::V6(v6) => b.extend_from_slice(&v6.octets()),
    }
    b.extend_from_slice(&(client_addr.port() as u32).to_le_bytes());
    // Our IP (16 bytes) + port (4 bytes)
    match our_addr.ip() {
        IpAddr::V4(v4) => b.extend_from_slice(&ipv4_to_mapped_v6(v4)),
        IpAddr::V6(v6) => b.extend_from_slice(&v6.octets()),
    }
    b.extend_from_slice(&(our_addr.port() as u32).to_le_bytes());
    // Extra section (proxy_tag)
    if flags & 12 != 0 {
        let extra_start = b.len();
        b.extend_from_slice(&0u32.to_le_bytes()); // placeholder
        if let Some(tag) = proxy_tag {
            b.extend_from_slice(&TL_PROXY_TAG_U32.to_le_bytes());
            // TL string encoding
            if tag.len() < 254 {
                b.push(tag.len() as u8);
                b.extend_from_slice(tag);
                let pad = (4 - ((1 + tag.len()) % 4)) % 4;
                b.extend(std::iter::repeat(0u8).take(pad));
            } else {
                b.push(0xfe);
                let len_bytes = (tag.len() as u32).to_le_bytes();
                b.extend_from_slice(&len_bytes[..3]);
                b.extend_from_slice(tag);
                let pad = (4 - (tag.len() % 4)) % 4;
                b.extend(std::iter::repeat(0u8).take(pad));
            }
        }
        let extra_bytes = (b.len() - extra_start - 4) as u32;
        let eb = extra_bytes.to_le_bytes();
        b[extra_start..extra_start + 4].copy_from_slice(&eb);
    }
    b.extend_from_slice(data);
    b
 }
 // ========== ME Pool ==========
 pub struct MePool {
    registry: Arc<ConnRegistry>,
    writers: Arc<RwLock<Vec<Arc<Mutex<RpcWriter>>>>>,
    rr: AtomicU64,
    proxy_tag: Option<Vec<u8>>,
    /// Telegram proxy-secret (binary, 32-512 bytes)
    proxy_secret: Vec<u8>,
    pool_size: usize,
 }
 impl MePool {
    pub fn new(proxy_tag: Option<Vec<u8>>, proxy_secret: Vec<u8>) -> Arc<Self> {
        Arc::new(Self {
            registry: Arc::new(ConnRegistry::new()),
            writers: Arc::new(RwLock::new(Vec::new())),
            rr: AtomicU64::new(0),
            proxy_tag,
            proxy_secret,
            pool_size: 2,
        })
    }
    pub fn registry(&self) -> &Arc<ConnRegistry> {
        &self.registry
    }
    fn writers_arc(&self) -> Arc<RwLock<Vec<Arc<Mutex<RpcWriter>>>>> {
        self.writers.clone()
    }
    /// key_selector = first 4 bytes of proxy-secret as LE u32
    /// C: main_secret.key_signature via union { char secret[]; int key_signature; }
    fn key_selector(&self) -> u32 {
        if self.proxy_secret.len() >= 4 {
            u32::from_le_bytes([
                self.proxy_secret[0], self.proxy_secret[1],
                self.proxy_secret[2], self.proxy_secret[3],
            ])
        } else { 0 }
    }
    pub async fn init(
        self: &Arc<Self>,
        pool_size: usize,
        rng: &SecureRandom,
    ) -> Result<()> {
        let addrs = &*TG_MIDDLE_PROXIES_FLAT_V4;
        let ks = self.key_selector();
        info!(
            me_servers = addrs.len(),
            pool_size,
            key_selector = format_args!("0x{:08x}", ks),
            secret_len = self.proxy_secret.len(),
            "Initializing ME pool"
        );
        for &(ip, port) in addrs.iter() {
            for i in 0..pool_size {
                let addr = SocketAddr::new(ip, port);
                match self.connect_one(addr, rng).await {
                    Ok(()) => info!(%addr, idx = i, "ME connected"),
                    Err(e) => warn!(%addr, idx = i, error = %e, "ME connect failed"),
                }
            }
            if self.writers.read().await.len() >= pool_size {
                break;
            }
        }
        if self.writers.read().await.is_empty() {
            return Err(ProxyError::Proxy("No ME connections".into()));
        }
        Ok(())
    }
    async fn connect_one(
        self: &Arc<Self>,
        addr: SocketAddr,
        rng: &SecureRandom,
    ) -> Result<()> {
        let secret = &self.proxy_secret;
        if secret.len() < 32 {
            return Err(ProxyError::Proxy("proxy-secret too short for ME auth".into()));
        }
        // ===== TCP connect =====
        let stream = timeout(
            Duration::from_secs(ME_CONNECT_TIMEOUT_SECS),
            TcpStream::connect(addr),
        )
        .await
        .map_err(|_| ProxyError::ConnectionTimeout { addr: addr.to_string() })?
        .map_err(ProxyError::Io)?;
        stream.set_nodelay(true).ok();
        let local_addr = stream.local_addr().map_err(ProxyError::Io)?;
        let peer_addr = stream.peer_addr().map_err(ProxyError::Io)?;
        let (mut rd, mut wr) = tokio::io::split(stream);
        // ===== 1. Send RPC nonce (plaintext, seq=-2) =====
        let my_nonce: [u8; 16] = rng.bytes(16).try_into().unwrap();
        let crypto_ts = std::time::SystemTime::now()
            .duration_since(std::time::UNIX_EPOCH)
            .unwrap_or_default()
            .as_secs() as u32;
        let ks = self.key_selector();
        let nonce_payload = build_nonce_payload(ks, crypto_ts, &my_nonce);
        let nonce_frame = build_rpc_frame(-2, &nonce_payload);
        debug!(
            %addr,
            frame_len = nonce_frame.len(),
            key_sel = format_args!("0x{:08x}", ks),
            crypto_ts,
            "Sending nonce"
        );
        wr.write_all(&nonce_frame).await.map_err(ProxyError::Io)?;
        wr.flush().await.map_err(ProxyError::Io)?;
        // ===== 2. Read server nonce (plaintext, seq=-2) =====
        let (srv_seq, srv_nonce_payload) = timeout(
            Duration::from_secs(ME_HANDSHAKE_TIMEOUT_SECS),
            read_rpc_frame_plaintext(&mut rd),
        )
        .await
        .map_err(|_| ProxyError::TgHandshakeTimeout)??;
        if srv_seq != -2 {
            return Err(ProxyError::InvalidHandshake(
                format!("Expected seq=-2, got {}", srv_seq),
            ));
        }
        let (schema, _srv_ts, srv_nonce) = parse_nonce_payload(&srv_nonce_payload)?;
        if schema != RPC_CRYPTO_AES_U32 {
            return Err(ProxyError::InvalidHandshake(
                format!("Unsupported crypto schema: 0x{:x}", schema),
            ));
        }
        debug!(%addr, "Nonce exchange OK, deriving keys");
        // ===== 3. Derive AES-256-CBC keys =====
        // C buffer layout:
        //   [0..16]  nonce_server (srv_nonce)
        //   [16..32] nonce_client (my_nonce)
        //   [32..36] client_timestamp
        //   [36..40] server_ip
        //   [40..42] client_port
        //   [42..48] "CLIENT" or "SERVER"
        //   [48..52] client_ip
        //   [52..54] server_port
        //   [54..54+N] secret (proxy-secret binary)
        //   [54+N..70+N] nonce_server
        //   nonce_client(16)
        let ts_bytes = crypto_ts.to_le_bytes();
        let server_ip = addr_to_ip_u32(&peer_addr);
        let client_ip = addr_to_ip_u32(&local_addr);
        let server_ip_bytes = server_ip.to_le_bytes();
        let client_ip_bytes = client_ip.to_le_bytes();
        let server_port_bytes = peer_addr.port().to_le_bytes();
        let client_port_bytes = local_addr.port().to_le_bytes();
        let (wk, wi) = derive_middleproxy_keys(
            &srv_nonce, &my_nonce, &ts_bytes,
            Some(&server_ip_bytes), &client_port_bytes,
            b"CLIENT",
            Some(&client_ip_bytes), &server_port_bytes,
            secret, None, None,
        );
        let (rk, ri) = derive_middleproxy_keys(
            &srv_nonce, &my_nonce, &ts_bytes,
            Some(&server_ip_bytes), &client_port_bytes,
            b"SERVER",
            Some(&client_ip_bytes), &server_port_bytes,
            secret, None, None,
        );
        debug!(
            %addr,
            write_key = %hex::encode(&wk[..8]),
            read_key = %hex::encode(&rk[..8]),
            "Keys derived"
        );
        // ===== 4. Send encrypted handshake (seq=-1) =====
        let hs_payload = build_handshake_payload(
            client_ip, local_addr.port(),
            server_ip, peer_addr.port(),
        );
        let hs_frame = build_rpc_frame(-1, &hs_payload);
        let (encrypted_hs, write_iv) = cbc_encrypt_padded(&wk, &wi, &hs_frame)?;
        wr.write_all(&encrypted_hs).await.map_err(ProxyError::Io)?;
        wr.flush().await.map_err(ProxyError::Io)?;
        debug!(%addr, enc_len = encrypted_hs.len(), "Sent encrypted handshake");
        // ===== 5. Read encrypted handshake response (STREAMING) =====
        // Server sends encrypted handshake. C crypto layer may send partial
        // blocks (only complete 16-byte blocks get encrypted at a time).
        // We read incrementally and decrypt block-by-block.
        let deadline = Instant::now() + Duration::from_secs(ME_HANDSHAKE_TIMEOUT_SECS);
        let mut enc_buf = BytesMut::with_capacity(256);
        let mut dec_buf = BytesMut::with_capacity(256);
        let mut read_iv = ri;
        let mut handshake_ok = false;
        while Instant::now() < deadline && !handshake_ok {
            let remaining = deadline - Instant::now();
            let mut tmp = [0u8; 256];
            let n = match timeout(remaining, rd.read(&mut tmp)).await {
                Ok(Ok(0)) => return Err(ProxyError::Io(std::io::Error::new(
                    std::io::ErrorKind::UnexpectedEof, "ME closed during handshake",
                ))),
                Ok(Ok(n)) => n,
                Ok(Err(e)) => return Err(ProxyError::Io(e)),
                Err(_) => return Err(ProxyError::TgHandshakeTimeout),
            };
            enc_buf.extend_from_slice(&tmp[..n]);
            // Decrypt complete 16-byte blocks
            let blocks = enc_buf.len() / 16 * 16;
            if blocks > 0 {
                let mut chunk = vec![0u8; blocks];
                chunk.copy_from_slice(&enc_buf[..blocks]);
                let new_iv = cbc_decrypt_inplace(&rk, &read_iv, &mut chunk)?;
                read_iv = new_iv;
                dec_buf.extend_from_slice(&chunk);
                let _ = enc_buf.split_to(blocks);
            }
            // Try to parse RPC frame from decrypted data
            while dec_buf.len() >= 4 {
                let fl = u32::from_le_bytes([
                    dec_buf[0], dec_buf[1], dec_buf[2], dec_buf[3],
                ]) as usize;
                // Skip noop padding
                if fl == 4 {
                    let _ = dec_buf.split_to(4);
                    continue;
                }
                if fl < 12 || fl > (1 << 24) {
                    return Err(ProxyError::InvalidHandshake(
                        format!("Bad HS response frame len: {}", fl),
                    ));
                }
                if dec_buf.len() < fl {
                    break; // need more data
                }
                let frame = dec_buf.split_to(fl);
                // CRC32 check
                let pe = fl - 4;
                let ec = u32::from_le_bytes([
                    frame[pe], frame[pe + 1], frame[pe + 2], frame[pe + 3],
                ]);
                let ac = crc32(&frame[..pe]);
                if ec != ac {
                    return Err(ProxyError::InvalidHandshake(
                        format!("HS CRC mismatch: 0x{:08x} vs 0x{:08x}", ec, ac),
                    ));
                }
                // Check type
                let hs_type = u32::from_le_bytes([
                    frame[8], frame[9], frame[10], frame[11],
                ]);
                if hs_type == RPC_HANDSHAKE_ERROR_U32 {
                    let err_code = if frame.len() >= 16 {
                        i32::from_le_bytes([frame[12], frame[13], frame[14], frame[15]])
                    } else { -1 };
                    return Err(ProxyError::InvalidHandshake(
                        format!("ME rejected handshake (error={})", err_code),
                    ));
                }
                if hs_type != RPC_HANDSHAKE_U32 {
                    return Err(ProxyError::InvalidHandshake(
                        format!("Expected HANDSHAKE 0x{:08x}, got 0x{:08x}", RPC_HANDSHAKE_U32, hs_type),
                    ));
                }
                handshake_ok = true;
                break;
            }
        }
        if !handshake_ok {
            return Err(ProxyError::TgHandshakeTimeout);
        }
        info!(%addr, "RPC handshake OK");
        // ===== 6. Setup writer + reader =====
        let rpc_w = Arc::new(Mutex::new(RpcWriter {
            writer: wr,
            key: wk,
            iv: write_iv,
            seq_no: 0,
        }));
        self.writers.write().await.push(rpc_w.clone());
        let reg = self.registry.clone();
        let w_pong = rpc_w.clone();
        let w_pool = self.writers_arc();
        tokio::spawn(async move {
            if let Err(e) = reader_loop(rd, rk, read_iv, reg, enc_buf, dec_buf, w_pong.clone()).await {
                warn!(error = %e, "ME reader ended");
            }
            // Remove dead writer from pool
            let mut ws = w_pool.write().await;
            ws.retain(|w| !Arc::ptr_eq(w, &w_pong));
            info!(remaining = ws.len(), "Dead ME writer removed from pool");
        });
        Ok(())
    }
    pub async fn send_proxy_req(
        &self,
        conn_id: u64,
        client_addr: SocketAddr,
        our_addr: SocketAddr,
        data: &[u8],
        proto_flags: u32,
    ) -> Result<()> {
        let payload = build_proxy_req_payload(
            conn_id, client_addr, our_addr, data,
            self.proxy_tag.as_deref(), proto_flags,
        );
        loop {
            let ws = self.writers.read().await;
            if ws.is_empty() {
                return Err(ProxyError::Proxy("All ME connections dead".into()));
            }
            let idx = self.rr.fetch_add(1, Ordering::Relaxed) as usize % ws.len();
            let w = ws[idx].clone();
            drop(ws);
            match w.lock().await.send(&payload).await {
                Ok(()) => return Ok(()),
                Err(e) => {
                    warn!(error = %e, "ME write failed, removing dead conn");
                    let mut ws = self.writers.write().await;
                    ws.retain(|o| !Arc::ptr_eq(o, &w));
                    if ws.is_empty() {
                        return Err(ProxyError::Proxy("All ME connections dead".into()));
                    }
                }
            }
        }
    }
    pub async fn send_close(&self, conn_id: u64) -> Result<()> {
        let ws = self.writers.read().await;
        if !ws.is_empty() {
            let w = ws[0].clone();
            drop(ws);
            let mut p = Vec::with_capacity(12);
            p.extend_from_slice(&RPC_CLOSE_EXT_U32.to_le_bytes());
            p.extend_from_slice(&conn_id.to_le_bytes());
            if let Err(e) = w.lock().await.send(&p).await {
                debug!(error = %e, "ME close write failed");
                let mut ws = self.writers.write().await;
                ws.retain(|o| !Arc::ptr_eq(o, &w));
            }
        }
        self.registry.unregister(conn_id).await;
        Ok(())
    }
    pub fn connection_count(&self) -> usize {
        self.writers.try_read().map(|w| w.len()).unwrap_or(0)
    }
 }
 // ========== Reader Loop ==========
 async fn reader_loop(
    mut rd: tokio::io::ReadHalf<TcpStream>,
    dk: [u8; 32],
    mut div: [u8; 16],
    reg: Arc<ConnRegistry>,
    mut enc_leftover: BytesMut,
    mut dec: BytesMut,
    writer: Arc<Mutex<RpcWriter>>,
 ) -> Result<()> {
    let mut raw = enc_leftover;
    loop {
        let mut tmp = [0u8; 16384];
        let n = rd.read(&mut tmp).await.map_err(ProxyError::Io)?;
        if n == 0 { return Ok(()); }
        raw.extend_from_slice(&tmp[..n]);
        // Decrypt complete 16-byte blocks
        let blocks = raw.len() / 16 * 16;
        if blocks > 0 {
            let mut new_iv = [0u8; 16];
            new_iv.copy_from_slice(&raw[blocks - 16..blocks]);
            let mut chunk = vec![0u8; blocks];
            chunk.copy_from_slice(&raw[..blocks]);
            AesCbc::new(dk, div)
                .decrypt_in_place(&mut chunk)
                .map_err(|e| ProxyError::Crypto(format!("{}", e)))?;
            div = new_iv;
            dec.extend_from_slice(&chunk);
            let _ = raw.split_to(blocks);
        }
        // Parse RPC frames
        while dec.len() >= 12 {
            let fl = u32::from_le_bytes([dec[0], dec[1], dec[2], dec[3]]) as usize;
            if fl == 4 { let _ = dec.split_to(4); continue; }
            if fl < 12 || fl > (1 << 24) {
                warn!(frame_len = fl, "Invalid RPC frame len");
                dec.clear();
                break;
            }
            if dec.len() < fl { break; }
            let frame = dec.split_to(fl);
            let pe = fl - 4;
            let ec = u32::from_le_bytes([frame[pe], frame[pe+1], frame[pe+2], frame[pe+3]]);
            if crc32(&frame[..pe]) != ec {
                warn!("CRC mismatch in data frame");
                continue;
            }
            let payload = &frame[8..pe];
            if payload.len() < 4 { continue; }
            let pt = u32::from_le_bytes([payload[0], payload[1], payload[2], payload[3]]);
            let body = &payload[4..];
            if pt == RPC_PROXY_ANS_U32 && body.len() >= 12 {
                let flags = u32::from_le_bytes(body[0..4].try_into().unwrap());
                let cid = u64::from_le_bytes(body[4..12].try_into().unwrap());
                let data = Bytes::copy_from_slice(&body[12..]);
                trace!(cid, len = data.len(), flags, "ANS");
                reg.route(cid, MeResponse::Data(data)).await;
            } else if pt == RPC_SIMPLE_ACK_U32 && body.len() >= 12 {
                let cid = u64::from_le_bytes(body[0..8].try_into().unwrap());
                let cfm = u32::from_le_bytes(body[8..12].try_into().unwrap());
                trace!(cid, cfm, "ACK");
                reg.route(cid, MeResponse::Ack(cfm)).await;
            } else if pt == RPC_CLOSE_EXT_U32 && body.len() >= 8 {
                let cid = u64::from_le_bytes(body[0..8].try_into().unwrap());
                debug!(cid, "CLOSE_EXT from ME");
                reg.route(cid, MeResponse::Close).await;
                reg.unregister(cid).await;
            } else if pt == RPC_CLOSE_CONN_U32 && body.len() >= 8 {
                let cid = u64::from_le_bytes(body[0..8].try_into().unwrap());
                debug!(cid, "CLOSE_CONN from ME");
                reg.route(cid, MeResponse::Close).await;
                reg.unregister(cid).await;
            } else if pt == RPC_PING_U32 && body.len() >= 8 {
                let ping_id = i64::from_le_bytes(body[0..8].try_into().unwrap());
                trace!(ping_id, "RPC_PING -> PONG");
                let mut pong = Vec::with_capacity(12);
                pong.extend_from_slice(&RPC_PONG_U32.to_le_bytes());
                pong.extend_from_slice(&ping_id.to_le_bytes());
                if let Err(e) = writer.lock().await.send(&pong).await {
                    warn!(error = %e, "PONG send failed");
                    break;
                }
            } else {
                debug!(rpc_type = format_args!("0x{:08x}", pt), len = body.len(), "Unknown RPC");
            }
        }
    }
 }
 // ========== Proto flags ==========
 /// Map ProtoTag to C-compatible RPC_PROXY_REQ transport flags.
 /// C: RPC_F_COMPACT(0x40000000)=abridged, RPC_F_MEDIUM(0x20000000)=intermediate/secure
 /// The 0x1000(magic) and 0x8(proxy_tag) are added inside build_proxy_req_payload.
 pub fn proto_flags_for_tag(tag: crate::protocol::constants::ProtoTag) -> u32 {
    use crate::protocol::constants::*;
    let mut flags = RPC_FLAG_HAS_AD_TAG | RPC_FLAG_MAGIC | RPC_FLAG_EXTMODE2;
    match tag {
        ProtoTag::Abridged     => flags | RPC_FLAG_ABRIDGED,
        ProtoTag::Intermediate => flags | RPC_FLAG_INTERMEDIATE,
        ProtoTag::Secure       => flags | RPC_FLAG_PAD | RPC_FLAG_INTERMEDIATE,
    }
 }
 // ========== Health Monitor (Phase 4) ==========
 pub async fn me_health_monitor(
    pool: Arc<MePool>,
    rng: Arc<SecureRandom>,
    min_connections: usize,
 ) {
    loop {
        tokio::time::sleep(Duration::from_secs(30)).await;
        let current = pool.writers.read().await.len();
        if current < min_connections {
            warn!(current, min = min_connections, "ME pool below minimum, reconnecting...");
            let addrs = TG_MIDDLE_PROXIES_FLAT_V4.clone();
            for &(ip, port) in addrs.iter() {
                let needed = min_connections.saturating_sub(pool.writers.read().await.len());
                if needed == 0 { break; }
                for _ in 0..needed {
                    let addr = SocketAddr::new(ip, port);
                    match pool.connect_one(addr, &rng).await {
                        Ok(()) => info!(%addr, "ME reconnected"),
                        Err(e) => debug!(%addr, error = %e, "ME reconnect failed"),
                    }
                }
            }
        }
    }
 }
--- a/src/transport/middle_proxy/codec.rs
+++ b/src/transport/middle_proxy/codec.rs
@@ -1,16 +1,53 @@
 use tokio::io::{AsyncReadExt, AsyncWriteExt};
-use crate::crypto::{AesCbc, crc32};
+use crate::crypto::{AesCbc, crc32, crc32c};
 use crate::error::{ProxyError, Result};
 use crate::protocol::constants::*;
-pub(crate) fn build_rpc_frame(seq_no: i32, payload: &[u8]) -> Vec<u8> {
+/// Commands sent to dedicated writer tasks to avoid mutex contention on TCP writes.
 pub(crate) enum WriterCommand {
    Data(Vec<u8>),
    DataAndFlush(Vec<u8>),
    Close,
 }
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
 pub(crate) enum RpcChecksumMode {
    Crc32,
    Crc32c,
 }
 impl RpcChecksumMode {
    pub(crate) fn from_handshake_flags(flags: u32) -> Self {
        if (flags & rpc_crypto_flags::USE_CRC32C) != 0 {
            Self::Crc32c
        } else {
            Self::Crc32
        }
    }
    pub(crate) fn advertised_flags(self) -> u32 {
        match self {
            Self::Crc32 => 0,
            Self::Crc32c => rpc_crypto_flags::USE_CRC32C,
        }
    }
 }
 pub(crate) fn rpc_crc(mode: RpcChecksumMode, data: &[u8]) -> u32 {
    match mode {
        RpcChecksumMode::Crc32 => crc32(data),
        RpcChecksumMode::Crc32c => crc32c(data),
    }
 }
 pub(crate) fn build_rpc_frame(seq_no: i32, payload: &[u8], crc_mode: RpcChecksumMode) -> Vec<u8> {
    let total_len = (4 + 4 + payload.len() + 4) as u32;
    let mut frame = Vec::with_capacity(total_len as usize);
    frame.extend_from_slice(&total_len.to_le_bytes());
    frame.extend_from_slice(&seq_no.to_le_bytes());
    frame.extend_from_slice(payload);
-    let c = crc32(&frame);
+    let c = rpc_crc(crc_mode, &frame);
    frame.extend_from_slice(&c.to_le_bytes());
    frame
 }
@@ -37,7 +74,7 @@ pub(crate) async fn read_rpc_frame_plaintext(
    let crc_offset = total_len - 4;
    let expected_crc = u32::from_le_bytes(full[crc_offset..crc_offset + 4].try_into().unwrap());
-    let actual_crc = crc32(&full[..crc_offset]);
+    let actual_crc = rpc_crc(RpcChecksumMode::Crc32, &full[..crc_offset]);
    if expected_crc != actual_crc {
        return Err(ProxyError::InvalidHandshake(format!(
            "CRC mismatch: 0x{expected_crc:08x} vs 0x{actual_crc:08x}"
@@ -87,26 +124,53 @@ pub(crate) fn build_handshake_payload(
    our_port: u16,
    peer_ip: [u8; 4],
    peer_port: u16,
    flags: u32,
 ) -> [u8; 32] {
    let mut p = [0u8; 32];
    p[0..4].copy_from_slice(&RPC_HANDSHAKE_U32.to_le_bytes());
    p[4..8].copy_from_slice(&flags.to_le_bytes());
-    // Keep C memory layout compatibility for PID IPv4 bytes.
+    // process_id sender_pid
    p[8..12].copy_from_slice(&our_ip);
    p[12..14].copy_from_slice(&our_port.to_le_bytes());
-    let pid = (std::process::id() & 0xffff) as u16;
+    p[14..16].copy_from_slice(&process_pid16().to_le_bytes());
-    p[14..16].copy_from_slice(&pid.to_le_bytes());
+    p[16..20].copy_from_slice(&process_utime().to_le_bytes());
    let utime = std::time::SystemTime::now()
        .duration_since(std::time::UNIX_EPOCH)
        .unwrap_or_default()
        .as_secs() as u32;
    p[16..20].copy_from_slice(&utime.to_le_bytes());
    // process_id peer_pid
    p[20..24].copy_from_slice(&peer_ip);
    p[24..26].copy_from_slice(&peer_port.to_le_bytes());
    p[26..28].copy_from_slice(&0u16.to_le_bytes());
    p[28..32].copy_from_slice(&0u32.to_le_bytes());
    p
 }
 pub(crate) fn parse_handshake_flags(payload: &[u8]) -> Result<u32> {
    if payload.len() != 32 {
        return Err(ProxyError::InvalidHandshake(format!(
            "Bad handshake payload len: {}",
            payload.len()
        )));
    }
    let hs_type = u32::from_le_bytes(payload[0..4].try_into().unwrap());
    if hs_type != RPC_HANDSHAKE_U32 {
        return Err(ProxyError::InvalidHandshake(format!(
            "Expected HANDSHAKE 0x{RPC_HANDSHAKE_U32:08x}, got 0x{hs_type:08x}"
        )));
    }
    Ok(u32::from_le_bytes(payload[4..8].try_into().unwrap()))
 }
 fn process_pid16() -> u16 {
    (std::process::id() & 0xffff) as u16
 }
 fn process_utime() -> u32 {
    std::time::SystemTime::now()
        .duration_since(std::time::UNIX_EPOCH)
        .unwrap_or_default()
        .as_secs() as u32
 }
 pub(crate) fn cbc_encrypt_padded(
    key: &[u8; 32],
    iv: &[u8; 16],
@@ -152,12 +216,13 @@ pub(crate) struct RpcWriter {
    pub(crate) key: [u8; 32],
    pub(crate) iv: [u8; 16],
    pub(crate) seq_no: i32,
    pub(crate) crc_mode: RpcChecksumMode,
 }
 impl RpcWriter {
    pub(crate) async fn send(&mut self, payload: &[u8]) -> Result<()> {
-        let frame = build_rpc_frame(self.seq_no, payload);
+        let frame = build_rpc_frame(self.seq_no, payload, self.crc_mode);
-        self.seq_no += 1;
+        self.seq_no = self.seq_no.wrapping_add(1);
        let pad = (16 - (frame.len() % 16)) % 16;
        let mut buf = frame;
@@ -176,4 +241,9 @@ impl RpcWriter {
        }
        self.writer.write_all(&buf).await.map_err(ProxyError::Io)
    }
    pub(crate) async fn send_and_flush(&mut self, payload: &[u8]) -> Result<()> {
        self.send(payload).await?;
        self.writer.flush().await.map_err(ProxyError::Io)
    }
 }
--- a/src/transport/middle_proxy/config_updater.rs
+++ b/src/transport/middle_proxy/config_updater.rs
@@ -0,0 +1,479 @@
 use std::collections::HashMap;
 use std::hash::{DefaultHasher, Hash, Hasher};
 use std::net::IpAddr;
 use std::sync::Arc;
 use std::time::Duration;
 use httpdate;
 use tokio::sync::watch;
 use tracing::{debug, info, warn};
 use crate::config::ProxyConfig;
 use crate::error::Result;
 use super::MePool;
 use super::secret::download_proxy_secret_with_max_len;
 use crate::crypto::SecureRandom;
 use std::time::SystemTime;
 async fn retry_fetch(url: &str) -> Option<ProxyConfigData> {
    let delays = [1u64, 5, 15];
    for (i, d) in delays.iter().enumerate() {
        match fetch_proxy_config(url).await {
            Ok(cfg) => return Some(cfg),
            Err(e) => {
                if i == delays.len() - 1 {
                    warn!(error = %e, url, "fetch_proxy_config failed");
                } else {
                    debug!(error = %e, url, "fetch_proxy_config retrying");
                    tokio::time::sleep(Duration::from_secs(*d)).await;
                }
            }
        }
    }
    None
 }
 #[derive(Debug, Clone, Default)]
 pub struct ProxyConfigData {
    pub map: HashMap<i32, Vec<(IpAddr, u16)>>,
    pub default_dc: Option<i32>,
 }
 #[derive(Debug, Default)]
 struct StableSnapshot {
    candidate_hash: Option<u64>,
    candidate_hits: u8,
    applied_hash: Option<u64>,
 }
 impl StableSnapshot {
    fn observe(&mut self, hash: u64) -> u8 {
        if self.candidate_hash == Some(hash) {
            self.candidate_hits = self.candidate_hits.saturating_add(1);
        } else {
            self.candidate_hash = Some(hash);
            self.candidate_hits = 1;
        }
        self.candidate_hits
    }
    fn is_applied(&self, hash: u64) -> bool {
        self.applied_hash == Some(hash)
    }
    fn mark_applied(&mut self, hash: u64) {
        self.applied_hash = Some(hash);
    }
 }
 #[derive(Debug, Default)]
 struct UpdaterState {
    config_v4: StableSnapshot,
    config_v6: StableSnapshot,
    secret: StableSnapshot,
    last_map_apply_at: Option<tokio::time::Instant>,
 }
 fn hash_proxy_config(cfg: &ProxyConfigData) -> u64 {
    let mut hasher = DefaultHasher::new();
    cfg.default_dc.hash(&mut hasher);
    let mut by_dc: Vec<(i32, Vec<(IpAddr, u16)>)> =
        cfg.map.iter().map(|(dc, addrs)| (*dc, addrs.clone())).collect();
    by_dc.sort_by_key(|(dc, _)| *dc);
    for (dc, mut addrs) in by_dc {
        dc.hash(&mut hasher);
        addrs.sort_unstable();
        for (ip, port) in addrs {
            ip.hash(&mut hasher);
            port.hash(&mut hasher);
        }
    }
    hasher.finish()
 }
 fn hash_secret(secret: &[u8]) -> u64 {
    let mut hasher = DefaultHasher::new();
    secret.hash(&mut hasher);
    hasher.finish()
 }
 fn map_apply_cooldown_ready(
    last_applied: Option<tokio::time::Instant>,
    cooldown: Duration,
 ) -> bool {
    if cooldown.is_zero() {
        return true;
    }
    match last_applied {
        Some(ts) => ts.elapsed() >= cooldown,
        None => true,
    }
 }
 fn map_apply_cooldown_remaining_secs(
    last_applied: tokio::time::Instant,
    cooldown: Duration,
 ) -> u64 {
    if cooldown.is_zero() {
        return 0;
    }
    cooldown
        .checked_sub(last_applied.elapsed())
        .map(|d| d.as_secs())
        .unwrap_or(0)
 }
 fn parse_host_port(s: &str) -> Option<(IpAddr, u16)> {
    if let Some(bracket_end) = s.rfind(']')
        && s.starts_with('[')
        && bracket_end + 1 < s.len()
        && s.as_bytes().get(bracket_end + 1) == Some(&b':')
    {
        let host = &s[1..bracket_end];
        let port_str = &s[bracket_end + 2..];
        let ip = host.parse::<IpAddr>().ok()?;
        let port = port_str.parse::<u16>().ok()?;
        return Some((ip, port));
    }
    let idx = s.rfind(':')?;
    let host = &s[..idx];
    let port_str = &s[idx + 1..];
    let ip = host.parse::<IpAddr>().ok()?;
    let port = port_str.parse::<u16>().ok()?;
    Some((ip, port))
 }
 fn parse_proxy_line(line: &str) -> Option<(i32, IpAddr, u16)> {
    // Accepts lines like:
    // proxy_for 4 91.108.4.195:8888;
    // proxy_for 2 [2001:67c:04e8:f002::d]:80;
    // proxy_for 2 2001:67c:04e8:f002::d:80;
    let trimmed = line.trim();
    if !trimmed.starts_with("proxy_for") {
        return None;
    }
    // Capture everything between dc and trailing ';'
    let without_prefix = trimmed.trim_start_matches("proxy_for").trim();
    let mut parts = without_prefix.split_whitespace();
    let dc_str = parts.next()?;
    let rest = parts.next()?;
    let host_port = rest.trim_end_matches(';');
    let dc = dc_str.parse::<i32>().ok()?;
    let (ip, port) = parse_host_port(host_port)?;
    Some((dc, ip, port))
 }
 pub async fn fetch_proxy_config(url: &str) -> Result<ProxyConfigData> {
    let resp = reqwest::get(url)
        .await
        .map_err(|e| crate::error::ProxyError::Proxy(format!("fetch_proxy_config GET failed: {e}")))?
        ;
    if let Some(date) = resp.headers().get(reqwest::header::DATE)
        && let Ok(date_str) = date.to_str()
        && let Ok(server_time) = httpdate::parse_http_date(date_str)
        && let Ok(skew) = SystemTime::now().duration_since(server_time).or_else(|e| {
            server_time.duration_since(SystemTime::now()).map_err(|_| e)
        })
    {
        let skew_secs = skew.as_secs();
        if skew_secs > 60 {
            warn!(skew_secs, "Time skew >60s detected from fetch_proxy_config Date header");
        } else if skew_secs > 30 {
            warn!(skew_secs, "Time skew >30s detected from fetch_proxy_config Date header");
        }
    }
    let text = resp
        .text()
        .await
        .map_err(|e| crate::error::ProxyError::Proxy(format!("fetch_proxy_config read failed: {e}")))?;
    let mut map: HashMap<i32, Vec<(IpAddr, u16)>> = HashMap::new();
    for line in text.lines() {
        if let Some((dc, ip, port)) = parse_proxy_line(line) {
            map.entry(dc).or_default().push((ip, port));
        }
    }
    let default_dc = text
        .lines()
        .find_map(|l| {
            let t = l.trim();
            if let Some(rest) = t.strip_prefix("default") {
                return rest
                    .trim()
                    .trim_end_matches(';')
                    .parse::<i32>()
                    .ok();
            }
            None
        });
    Ok(ProxyConfigData { map, default_dc })
 }
 async fn run_update_cycle(
    pool: &Arc<MePool>,
    rng: &Arc<SecureRandom>,
    cfg: &ProxyConfig,
    state: &mut UpdaterState,
 ) {
    pool.update_runtime_reinit_policy(
        cfg.general.hardswap,
        cfg.general.me_pool_drain_ttl_secs,
        cfg.general.effective_me_pool_force_close_secs(),
        cfg.general.me_pool_min_fresh_ratio,
        cfg.general.me_hardswap_warmup_delay_min_ms,
        cfg.general.me_hardswap_warmup_delay_max_ms,
        cfg.general.me_hardswap_warmup_extra_passes,
        cfg.general.me_hardswap_warmup_pass_backoff_base_ms,
    );
    let required_cfg_snapshots = cfg.general.me_config_stable_snapshots.max(1);
    let required_secret_snapshots = cfg.general.proxy_secret_stable_snapshots.max(1);
    let apply_cooldown = Duration::from_secs(cfg.general.me_config_apply_cooldown_secs);
    let mut maps_changed = false;
    let mut ready_v4: Option<(ProxyConfigData, u64)> = None;
    let cfg_v4 = retry_fetch("https://core.telegram.org/getProxyConfig").await;
    if let Some(cfg_v4) = cfg_v4 {
        let cfg_v4_hash = hash_proxy_config(&cfg_v4);
        let stable_hits = state.config_v4.observe(cfg_v4_hash);
        if stable_hits < required_cfg_snapshots {
            debug!(
                stable_hits,
                required_cfg_snapshots,
                snapshot = format_args!("0x{cfg_v4_hash:016x}"),
                "ME config v4 candidate observed"
            );
        } else if state.config_v4.is_applied(cfg_v4_hash) {
            debug!(
                snapshot = format_args!("0x{cfg_v4_hash:016x}"),
                "ME config v4 stable snapshot already applied"
            );
        } else {
            ready_v4 = Some((cfg_v4, cfg_v4_hash));
        }
    }
    let mut ready_v6: Option<(ProxyConfigData, u64)> = None;
    let cfg_v6 = retry_fetch("https://core.telegram.org/getProxyConfigV6").await;
    if let Some(cfg_v6) = cfg_v6 {
        let cfg_v6_hash = hash_proxy_config(&cfg_v6);
        let stable_hits = state.config_v6.observe(cfg_v6_hash);
        if stable_hits < required_cfg_snapshots {
            debug!(
                stable_hits,
                required_cfg_snapshots,
                snapshot = format_args!("0x{cfg_v6_hash:016x}"),
                "ME config v6 candidate observed"
            );
        } else if state.config_v6.is_applied(cfg_v6_hash) {
            debug!(
                snapshot = format_args!("0x{cfg_v6_hash:016x}"),
                "ME config v6 stable snapshot already applied"
            );
        } else {
            ready_v6 = Some((cfg_v6, cfg_v6_hash));
        }
    }
    if ready_v4.is_some() || ready_v6.is_some() {
        if map_apply_cooldown_ready(state.last_map_apply_at, apply_cooldown) {
            let update_v4 = ready_v4
                .as_ref()
                .map(|(snapshot, _)| snapshot.map.clone())
                .unwrap_or_default();
            let update_v6 = ready_v6
                .as_ref()
                .map(|(snapshot, _)| snapshot.map.clone());
            let changed = pool.update_proxy_maps(update_v4, update_v6).await;
            if let Some((snapshot, hash)) = ready_v4 {
                if let Some(dc) = snapshot.default_dc {
                    pool.default_dc
                        .store(dc, std::sync::atomic::Ordering::Relaxed);
                }
                state.config_v4.mark_applied(hash);
            }
            if let Some((_snapshot, hash)) = ready_v6 {
                state.config_v6.mark_applied(hash);
            }
            state.last_map_apply_at = Some(tokio::time::Instant::now());
            if changed {
                maps_changed = true;
                info!("ME config update applied after stable-gate");
            } else {
                debug!("ME config stable-gate applied with no map delta");
            }
        } else if let Some(last) = state.last_map_apply_at {
            let wait_secs = map_apply_cooldown_remaining_secs(last, apply_cooldown);
            debug!(
                wait_secs,
                "ME config stable snapshot deferred by cooldown"
            );
        }
    }
    if maps_changed {
        pool.zero_downtime_reinit_after_map_change(rng.as_ref())
            .await;
    }
    pool.reset_stun_state();
    if cfg.general.proxy_secret_rotate_runtime {
        match download_proxy_secret_with_max_len(cfg.general.proxy_secret_len_max).await {
            Ok(secret) => {
                let secret_hash = hash_secret(&secret);
                let stable_hits = state.secret.observe(secret_hash);
                if stable_hits < required_secret_snapshots {
                    debug!(
                        stable_hits,
                        required_secret_snapshots,
                        snapshot = format_args!("0x{secret_hash:016x}"),
                        "proxy-secret candidate observed"
                    );
                } else if state.secret.is_applied(secret_hash) {
                    debug!(
                        snapshot = format_args!("0x{secret_hash:016x}"),
                        "proxy-secret stable snapshot already applied"
                    );
                } else {
                    let rotated = pool.update_secret(secret).await;
                    state.secret.mark_applied(secret_hash);
                    if rotated {
                        info!("proxy-secret rotated after stable-gate");
                    } else {
                        debug!("proxy-secret stable snapshot confirmed as unchanged");
                    }
                }
            }
            Err(e) => warn!(error = %e, "proxy-secret update failed"),
        }
    } else {
        debug!("proxy-secret runtime rotation disabled by config");
    }
 }
 pub async fn me_config_updater(
    pool: Arc<MePool>,
    rng: Arc<SecureRandom>,
    mut config_rx: watch::Receiver<Arc<ProxyConfig>>,
 ) {
    let mut state = UpdaterState::default();
    let mut update_every_secs = config_rx
        .borrow()
        .general
        .effective_update_every_secs()
        .max(1);
    let mut update_every = Duration::from_secs(update_every_secs);
    let mut next_tick = tokio::time::Instant::now() + update_every;
    info!(update_every_secs, "ME config updater started");
    loop {
        let sleep = tokio::time::sleep_until(next_tick);
        tokio::pin!(sleep);
        tokio::select! {
            _ = &mut sleep => {
                let cfg = config_rx.borrow().clone();
                run_update_cycle(&pool, &rng, cfg.as_ref(), &mut state).await;
                let refreshed_secs = cfg.general.effective_update_every_secs().max(1);
                if refreshed_secs != update_every_secs {
                    info!(
                        old_update_every_secs = update_every_secs,
                        new_update_every_secs = refreshed_secs,
                        "ME config updater interval changed"
                    );
                    update_every_secs = refreshed_secs;
                    update_every = Duration::from_secs(update_every_secs);
                }
                next_tick = tokio::time::Instant::now() + update_every;
            }
            changed = config_rx.changed() => {
                if changed.is_err() {
                    warn!("ME config updater stopped: config channel closed");
                    break;
                }
                let cfg = config_rx.borrow().clone();
                pool.update_runtime_reinit_policy(
                    cfg.general.hardswap,
                    cfg.general.me_pool_drain_ttl_secs,
                    cfg.general.effective_me_pool_force_close_secs(),
                    cfg.general.me_pool_min_fresh_ratio,
                    cfg.general.me_hardswap_warmup_delay_min_ms,
                    cfg.general.me_hardswap_warmup_delay_max_ms,
                    cfg.general.me_hardswap_warmup_extra_passes,
                    cfg.general.me_hardswap_warmup_pass_backoff_base_ms,
                );
                let new_secs = cfg.general.effective_update_every_secs().max(1);
                if new_secs == update_every_secs {
                    continue;
                }
                if new_secs < update_every_secs {
                    info!(
                        old_update_every_secs = update_every_secs,
                        new_update_every_secs = new_secs,
                        "ME config updater interval decreased, running immediate refresh"
                    );
                    update_every_secs = new_secs;
                    update_every = Duration::from_secs(update_every_secs);
                    run_update_cycle(&pool, &rng, cfg.as_ref(), &mut state).await;
                    next_tick = tokio::time::Instant::now() + update_every;
                } else {
                    info!(
                        old_update_every_secs = update_every_secs,
                        new_update_every_secs = new_secs,
                        "ME config updater interval increased"
                    );
                    update_every_secs = new_secs;
                    update_every = Duration::from_secs(update_every_secs);
                    next_tick = tokio::time::Instant::now() + update_every;
                }
            }
        }
    }
 }
 #[cfg(test)]
 mod tests {
    use super::*;
    #[test]
    fn parse_ipv6_bracketed() {
        let line = "proxy_for 2 [2001:67c:04e8:f002::d]:80;";
        let res = parse_proxy_line(line).unwrap();
        assert_eq!(res.0, 2);
        assert_eq!(res.1, "2001:67c:04e8:f002::d".parse::<IpAddr>().unwrap());
        assert_eq!(res.2, 80);
    }
    #[test]
    fn parse_ipv6_plain() {
        let line = "proxy_for 2 2001:67c:04e8:f002::d:80;";
        let res = parse_proxy_line(line).unwrap();
        assert_eq!(res.0, 2);
        assert_eq!(res.1, "2001:67c:04e8:f002::d".parse::<IpAddr>().unwrap());
        assert_eq!(res.2, 80);
    }
    #[test]
    fn parse_ipv4() {
        let line = "proxy_for 4 91.108.4.195:8888;";
        let res = parse_proxy_line(line).unwrap();
        assert_eq!(res.0, 4);
        assert_eq!(res.1, "91.108.4.195".parse::<IpAddr>().unwrap());
        assert_eq!(res.2, 8888);
    }
 }
--- a/src/transport/middle_proxy/handshake.rs
+++ b/src/transport/middle_proxy/handshake.rs
@@ -0,0 +1,466 @@
 use std::net::{IpAddr, SocketAddr};
 use std::time::{Duration, Instant};
 use socket2::{SockRef, TcpKeepalive};
 #[cfg(target_os = "linux")]
 use libc;
 #[cfg(target_os = "linux")]
 use std::os::fd::{AsRawFd, RawFd};
 #[cfg(target_os = "linux")]
 use std::os::raw::c_int;
 use bytes::BytesMut;
 use tokio::io::{AsyncReadExt, AsyncWriteExt, ReadHalf, WriteHalf};
 use tokio::net::{TcpStream, TcpSocket};
 use tokio::time::timeout;
 use tracing::{debug, info, warn};
 use crate::crypto::{SecureRandom, build_middleproxy_prekey, derive_middleproxy_keys, sha256};
 use crate::error::{ProxyError, Result};
 use crate::network::IpFamily;
 use crate::protocol::constants::{
    ME_CONNECT_TIMEOUT_SECS, ME_HANDSHAKE_TIMEOUT_SECS, RPC_CRYPTO_AES_U32,
    RPC_HANDSHAKE_ERROR_U32, rpc_crypto_flags,
 };
 use super::codec::{
    RpcChecksumMode, build_handshake_payload, build_nonce_payload, build_rpc_frame,
    cbc_decrypt_inplace, cbc_encrypt_padded, parse_handshake_flags, parse_nonce_payload,
    read_rpc_frame_plaintext, rpc_crc,
 };
 use super::wire::{extract_ip_material, IpMaterial};
 use super::MePool;
 /// Result of a successful ME handshake with timings.
 pub(crate) struct HandshakeOutput {
    pub rd: ReadHalf<TcpStream>,
    pub wr: WriteHalf<TcpStream>,
    pub read_key: [u8; 32],
    pub read_iv: [u8; 16],
    pub write_key: [u8; 32],
    pub write_iv: [u8; 16],
    pub crc_mode: RpcChecksumMode,
    pub handshake_ms: f64,
 }
 impl MePool {
    /// TCP connect with timeout + return RTT in milliseconds.
    pub(crate) async fn connect_tcp(&self, addr: SocketAddr) -> Result<(TcpStream, f64)> {
        let start = Instant::now();
        let connect_fut = async {
            if addr.is_ipv6()
                && let Some(v6) = self.detected_ipv6
            {
                match TcpSocket::new_v6() {
                    Ok(sock) => {
                        if let Err(e) = sock.bind(SocketAddr::new(IpAddr::V6(v6), 0)) {
                            debug!(error = %e, bind_ip = %v6, "ME IPv6 bind failed, falling back to default bind");
                        } else {
                            match sock.connect(addr).await {
                                Ok(stream) => return Ok(stream),
                                Err(e) => debug!(error = %e, target = %addr, "ME IPv6 bound connect failed, retrying default connect"),
                            }
                        }
                    }
                    Err(e) => debug!(error = %e, "ME IPv6 socket creation failed, falling back to default connect"),
                }
            }
            TcpStream::connect(addr).await
        };
        let stream = timeout(Duration::from_secs(ME_CONNECT_TIMEOUT_SECS), connect_fut)
            .await
            .map_err(|_| ProxyError::ConnectionTimeout { addr: addr.to_string() })??;
        let connect_ms = start.elapsed().as_secs_f64() * 1000.0;
        stream.set_nodelay(true).ok();
        if let Err(e) = Self::configure_keepalive(&stream) {
            warn!(error = %e, "ME keepalive setup failed");
        }
        #[cfg(target_os = "linux")]
        if let Err(e) = Self::configure_user_timeout(stream.as_raw_fd()) {
            warn!(error = %e, "ME TCP_USER_TIMEOUT setup failed");
        }
        Ok((stream, connect_ms))
    }
    fn configure_keepalive(stream: &TcpStream) -> std::io::Result<()> {
        let sock = SockRef::from(stream);
        let ka = TcpKeepalive::new()
            .with_time(Duration::from_secs(30))
            .with_interval(Duration::from_secs(10))
            .with_retries(3);
        sock.set_tcp_keepalive(&ka)?;
        sock.set_keepalive(true)?;
        Ok(())
    }
    #[cfg(target_os = "linux")]
    fn configure_user_timeout(fd: RawFd) -> std::io::Result<()> {
        let timeout_ms: c_int = 30_000;
        let rc = unsafe {
            libc::setsockopt(
                fd,
                libc::IPPROTO_TCP,
                libc::TCP_USER_TIMEOUT,
                &timeout_ms as *const _ as *const libc::c_void,
                std::mem::size_of_val(&timeout_ms) as libc::socklen_t,
            )
        };
        if rc != 0 {
            return Err(std::io::Error::last_os_error());
        }
        Ok(())
    }
    /// Perform full ME RPC handshake on an established TCP stream.
    /// Returns cipher keys/ivs and split halves; does not register writer.
    pub(crate) async fn handshake_only(
        &self,
        stream: TcpStream,
        addr: SocketAddr,
        rng: &SecureRandom,
    ) -> Result<HandshakeOutput> {
        let hs_start = Instant::now();
        let local_addr = stream.local_addr().map_err(ProxyError::Io)?;
        let peer_addr = stream.peer_addr().map_err(ProxyError::Io)?;
        let _ = self.maybe_detect_nat_ip(local_addr.ip()).await;
        let family = if local_addr.ip().is_ipv4() {
            IpFamily::V4
        } else {
            IpFamily::V6
        };
        let reflected = if self.nat_probe {
            self.maybe_reflect_public_addr(family).await
        } else {
            None
        };
        let local_addr_nat = self.translate_our_addr_with_reflection(local_addr, reflected);
        let peer_addr_nat = SocketAddr::new(self.translate_ip_for_nat(peer_addr.ip()), peer_addr.port());
        let (mut rd, mut wr) = tokio::io::split(stream);
        let my_nonce: [u8; 16] = rng.bytes(16).try_into().unwrap();
        let crypto_ts = std::time::SystemTime::now()
            .duration_since(std::time::UNIX_EPOCH)
            .unwrap_or_default()
            .as_secs() as u32;
        let ks = self.key_selector().await;
        let nonce_payload = build_nonce_payload(ks, crypto_ts, &my_nonce);
        let nonce_frame = build_rpc_frame(-2, &nonce_payload, RpcChecksumMode::Crc32);
        let dump = hex_dump(&nonce_frame[..nonce_frame.len().min(44)]);
        debug!(
            key_selector = format_args!("0x{ks:08x}"),
            crypto_ts,
            frame_len = nonce_frame.len(),
            nonce_frame_hex = %dump,
            "Sending ME nonce frame"
        );
        wr.write_all(&nonce_frame).await.map_err(ProxyError::Io)?;
        wr.flush().await.map_err(ProxyError::Io)?;
        let (srv_seq, srv_nonce_payload) = timeout(
            Duration::from_secs(ME_HANDSHAKE_TIMEOUT_SECS),
            read_rpc_frame_plaintext(&mut rd),
        )
        .await
        .map_err(|_| ProxyError::TgHandshakeTimeout)??;
        if srv_seq != -2 {
            return Err(ProxyError::InvalidHandshake(format!("Expected seq=-2, got {srv_seq}")));
        }
        let (srv_key_select, schema, srv_ts, srv_nonce) = parse_nonce_payload(&srv_nonce_payload)?;
        if schema != RPC_CRYPTO_AES_U32 {
            warn!(schema = format_args!("0x{schema:08x}"), "Unsupported ME crypto schema");
            return Err(ProxyError::InvalidHandshake(format!(
                "Unsupported crypto schema: 0x{schema:x}"
            )));
        }
        if srv_key_select != ks {
            return Err(ProxyError::InvalidHandshake(format!(
                "Server key_select 0x{srv_key_select:08x} != client 0x{ks:08x}"
            )));
        }
        let skew = crypto_ts.abs_diff(srv_ts);
        if skew > 30 {
            return Err(ProxyError::InvalidHandshake(format!(
                "nonce crypto_ts skew too large: client={crypto_ts}, server={srv_ts}, skew={skew}s"
            )));
        }
        info!(
            %local_addr,
            %local_addr_nat,
            reflected_ip = reflected.map(|r| r.ip()).as_ref().map(ToString::to_string),
            %peer_addr,
            %peer_addr_nat,
            key_selector = format_args!("0x{ks:08x}"),
            crypto_schema = format_args!("0x{schema:08x}"),
            skew_secs = skew,
            "ME key derivation parameters"
        );
        let ts_bytes = crypto_ts.to_le_bytes();
        let server_port_bytes = peer_addr_nat.port().to_le_bytes();
        let client_port_bytes = local_addr_nat.port().to_le_bytes();
        let server_ip = extract_ip_material(peer_addr_nat);
        let client_ip = extract_ip_material(local_addr_nat);
        let (srv_ip_opt, clt_ip_opt, clt_v6_opt, srv_v6_opt, hs_our_ip, hs_peer_ip) = match (server_ip, client_ip) {
            (IpMaterial::V4(mut srv), IpMaterial::V4(mut clt)) => {
                srv.reverse();
                clt.reverse();
                (Some(srv), Some(clt), None, None, clt, srv)
            }
            (IpMaterial::V6(srv), IpMaterial::V6(clt)) => {
                let zero = [0u8; 4];
                (None, None, Some(clt), Some(srv), zero, zero)
            }
            _ => {
                return Err(ProxyError::InvalidHandshake(
                    "mixed IPv4/IPv6 endpoints are not supported for ME key derivation".to_string(),
                ));
            }
        };
        let diag_level: u8 = std::env::var("ME_DIAG").ok().and_then(|v| v.parse().ok()).unwrap_or(0);
        let secret: Vec<u8> = self.proxy_secret.read().await.clone();
        let prekey_client = build_middleproxy_prekey(
            &srv_nonce,
            &my_nonce,
            &ts_bytes,
            srv_ip_opt.as_ref().map(|x| &x[..]),
            &client_port_bytes,
            b"CLIENT",
            clt_ip_opt.as_ref().map(|x| &x[..]),
            &server_port_bytes,
            &secret,
            clt_v6_opt.as_ref(),
            srv_v6_opt.as_ref(),
        );
        let prekey_server = build_middleproxy_prekey(
            &srv_nonce,
            &my_nonce,
            &ts_bytes,
            srv_ip_opt.as_ref().map(|x| &x[..]),
            &client_port_bytes,
            b"SERVER",
            clt_ip_opt.as_ref().map(|x| &x[..]),
            &server_port_bytes,
            &secret,
            clt_v6_opt.as_ref(),
            srv_v6_opt.as_ref(),
        );
        let (wk, wi) = derive_middleproxy_keys(
            &srv_nonce,
            &my_nonce,
            &ts_bytes,
            srv_ip_opt.as_ref().map(|x| &x[..]),
            &client_port_bytes,
            b"CLIENT",
            clt_ip_opt.as_ref().map(|x| &x[..]),
            &server_port_bytes,
            &secret,
            clt_v6_opt.as_ref(),
            srv_v6_opt.as_ref(),
        );
        let (rk, ri) = derive_middleproxy_keys(
            &srv_nonce,
            &my_nonce,
            &ts_bytes,
            srv_ip_opt.as_ref().map(|x| &x[..]),
            &client_port_bytes,
            b"SERVER",
            clt_ip_opt.as_ref().map(|x| &x[..]),
            &server_port_bytes,
            &secret,
            clt_v6_opt.as_ref(),
            srv_v6_opt.as_ref(),
        );
        let requested_crc_mode = RpcChecksumMode::Crc32c;
        let hs_payload = build_handshake_payload(
            hs_our_ip,
            local_addr.port(),
            hs_peer_ip,
            peer_addr.port(),
            requested_crc_mode.advertised_flags(),
        );
        let hs_frame = build_rpc_frame(-1, &hs_payload, RpcChecksumMode::Crc32);
        if diag_level >= 1 {
            info!(
                write_key = %hex_dump(&wk),
                write_iv = %hex_dump(&wi),
                read_key = %hex_dump(&rk),
                read_iv = %hex_dump(&ri),
                srv_ip = %srv_ip_opt.map(|ip| hex_dump(&ip)).unwrap_or_default(),
                clt_ip = %clt_ip_opt.map(|ip| hex_dump(&ip)).unwrap_or_default(),
                srv_port = %hex_dump(&server_port_bytes),
                clt_port = %hex_dump(&client_port_bytes),
                crypto_ts = %hex_dump(&ts_bytes),
                nonce_srv = %hex_dump(&srv_nonce),
                nonce_clt = %hex_dump(&my_nonce),
                prekey_sha256_client = %hex_dump(&sha256(&prekey_client)),
                prekey_sha256_server = %hex_dump(&sha256(&prekey_server)),
                hs_plain = %hex_dump(&hs_frame),
                proxy_secret_sha256 = %hex_dump(&sha256(&secret)),
                "ME diag: derived keys and handshake plaintext"
            );
        }
        if diag_level >= 2 {
            info!(
                prekey_client = %hex_dump(&prekey_client),
                prekey_server = %hex_dump(&prekey_server),
                "ME diag: full prekey buffers"
            );
        }
        let (encrypted_hs, write_iv) = cbc_encrypt_padded(&wk, &wi, &hs_frame)?;
        if diag_level >= 1 {
            info!(
                hs_cipher = %hex_dump(&encrypted_hs),
                "ME diag: handshake ciphertext"
            );
        }
        wr.write_all(&encrypted_hs).await.map_err(ProxyError::Io)?;
        wr.flush().await.map_err(ProxyError::Io)?;
        let deadline = Instant::now() + Duration::from_secs(ME_HANDSHAKE_TIMEOUT_SECS);
        let mut enc_buf = BytesMut::with_capacity(256);
        let mut dec_buf = BytesMut::with_capacity(256);
        let mut read_iv = ri;
        let mut negotiated_crc_mode = RpcChecksumMode::Crc32;
        let mut handshake_ok = false;
        while Instant::now() < deadline && !handshake_ok {
            let remaining = deadline - Instant::now();
            let mut tmp = [0u8; 256];
            let n = match timeout(remaining, rd.read(&mut tmp)).await {
                Ok(Ok(0)) => {
                    return Err(ProxyError::Io(std::io::Error::new(
                        std::io::ErrorKind::UnexpectedEof,
                        "ME closed during handshake",
                    )));
                }
                Ok(Ok(n)) => n,
                Ok(Err(e)) => return Err(ProxyError::Io(e)),
                Err(_) => return Err(ProxyError::TgHandshakeTimeout),
            };
            enc_buf.extend_from_slice(&tmp[..n]);
            let blocks = enc_buf.len() / 16 * 16;
            if blocks > 0 {
                let mut chunk = vec![0u8; blocks];
                chunk.copy_from_slice(&enc_buf[..blocks]);
                read_iv = cbc_decrypt_inplace(&rk, &read_iv, &mut chunk)?;
                dec_buf.extend_from_slice(&chunk);
                let _ = enc_buf.split_to(blocks);
            }
            while dec_buf.len() >= 4 {
                let fl = u32::from_le_bytes(dec_buf[0..4].try_into().unwrap()) as usize;
                if fl == 4 {
                    let _ = dec_buf.split_to(4);
                    continue;
                }
                if !(12..=(1 << 24)).contains(&fl) {
                    return Err(ProxyError::InvalidHandshake(format!(
                        "Bad HS response frame len: {fl}"
                    )));
                }
                if dec_buf.len() < fl {
                    break;
                }
                let frame = dec_buf.split_to(fl);
                let pe = fl - 4;
                let ec = u32::from_le_bytes(frame[pe..pe + 4].try_into().unwrap());
                let ac = rpc_crc(RpcChecksumMode::Crc32, &frame[..pe]);
                if ec != ac {
                    return Err(ProxyError::InvalidHandshake(format!(
                        "HS CRC mismatch: 0x{ec:08x} vs 0x{ac:08x}"
                    )));
                }
                let hs_payload = &frame[8..pe];
                if hs_payload.len() < 4 {
                    return Err(ProxyError::InvalidHandshake(
                        "Handshake payload too short".to_string(),
                    ));
                }
                let hs_type = u32::from_le_bytes(hs_payload[0..4].try_into().unwrap());
                if hs_type == RPC_HANDSHAKE_ERROR_U32 {
                    let err_code = if hs_payload.len() >= 8 {
                        i32::from_le_bytes(hs_payload[4..8].try_into().unwrap())
                    } else {
                        -1
                    };
                    return Err(ProxyError::InvalidHandshake(format!(
                        "ME rejected handshake (error={err_code})"
                    )));
                }
                let hs_flags = parse_handshake_flags(hs_payload)?;
                if hs_flags & 0xff != 0 {
                    return Err(ProxyError::InvalidHandshake(format!(
                        "Unsupported handshake flags: 0x{hs_flags:08x}"
                    )));
                }
                negotiated_crc_mode = if (hs_flags & requested_crc_mode.advertised_flags()) != 0 {
                    RpcChecksumMode::from_handshake_flags(hs_flags)
                } else if (hs_flags & rpc_crypto_flags::USE_CRC32C) != 0 {
                    return Err(ProxyError::InvalidHandshake(format!(
                        "Peer negotiated unsupported CRC flags: 0x{hs_flags:08x}"
                    )));
                } else {
                    RpcChecksumMode::Crc32
                };
                handshake_ok = true;
                break;
            }
        }
        if !handshake_ok {
            return Err(ProxyError::TgHandshakeTimeout);
        }
        let handshake_ms = hs_start.elapsed().as_secs_f64() * 1000.0;
        info!(%addr, "RPC handshake OK");
        Ok(HandshakeOutput {
            rd,
            wr,
            read_key: rk,
            read_iv,
            write_key: wk,
            write_iv,
            crc_mode: negotiated_crc_mode,
            handshake_ms,
        })
    }
 }
 fn hex_dump(data: &[u8]) -> String {
    const MAX: usize = 64;
    let mut out = String::with_capacity(data.len() * 2 + 3);
    for (i, b) in data.iter().take(MAX).enumerate() {
        if i > 0 {
            out.push(' ');
        }
        out.push_str(&format!("{b:02x}"));
    }
    if data.len() > MAX {
        out.push_str(" …");
    }
    out
 }
--- a/src/transport/middle_proxy/health.rs
+++ b/src/transport/middle_proxy/health.rs
@@ -1,38 +1,178 @@
 use std::collections::HashMap;
 use std::net::SocketAddr;
 use std::sync::Arc;
-use std::time::Duration;
+use std::time::{Duration, Instant};
 use tracing::{debug, info, warn};
 use rand::Rng;
 use crate::crypto::SecureRandom;
-use crate::protocol::constants::TG_MIDDLE_PROXIES_FLAT_V4;
+use crate::network::IpFamily;
 use super::MePool;
-pub async fn me_health_monitor(pool: Arc<MePool>, rng: Arc<SecureRandom>, min_connections: usize) {
+const HEALTH_INTERVAL_SECS: u64 = 1;
 const JITTER_FRAC_NUM: u64 = 2; // jitter up to 50% of backoff
 #[allow(dead_code)]
 const MAX_CONCURRENT_PER_DC_DEFAULT: usize = 1;
 pub async fn me_health_monitor(pool: Arc<MePool>, rng: Arc<SecureRandom>, _min_connections: usize) {
    let mut backoff: HashMap<(i32, IpFamily), u64> = HashMap::new();
    let mut next_attempt: HashMap<(i32, IpFamily), Instant> = HashMap::new();
    let mut inflight: HashMap<(i32, IpFamily), usize> = HashMap::new();
    loop {
-        tokio::time::sleep(Duration::from_secs(30)).await;
+        tokio::time::sleep(Duration::from_secs(HEALTH_INTERVAL_SECS)).await;
-        let current = pool.connection_count();
+        check_family(
-        if current < min_connections {
+            IpFamily::V4,
-            warn!(
+            &pool,
-                current,
+            &rng,
-                min = min_connections,
+            &mut backoff,
-                "ME pool below minimum, reconnecting..."
+            &mut next_attempt,
-            );
+            &mut inflight,
-            let addrs = TG_MIDDLE_PROXIES_FLAT_V4.clone();
+        )
-            for &(ip, port) in addrs.iter() {
+        .await;
-                let needed = min_connections.saturating_sub(pool.connection_count());
+        check_family(
-                if needed == 0 {
+            IpFamily::V6,
-                    break;
+            &pool,
            &rng,
            &mut backoff,
            &mut next_attempt,
            &mut inflight,
        )
        .await;
    }
 }
 async fn check_family(
    family: IpFamily,
    pool: &Arc<MePool>,
    rng: &Arc<SecureRandom>,
    backoff: &mut HashMap<(i32, IpFamily), u64>,
    next_attempt: &mut HashMap<(i32, IpFamily), Instant>,
    inflight: &mut HashMap<(i32, IpFamily), usize>,
 ) {
    let enabled = match family {
        IpFamily::V4 => pool.decision.ipv4_me,
        IpFamily::V6 => pool.decision.ipv6_me,
    };
    if !enabled {
        return;
    }
    let map = match family {
        IpFamily::V4 => pool.proxy_map_v4.read().await.clone(),
        IpFamily::V6 => pool.proxy_map_v6.read().await.clone(),
    };
    let mut dc_endpoints = HashMap::<i32, Vec<SocketAddr>>::new();
    for (dc, addrs) in map {
        let entry = dc_endpoints.entry(dc.abs()).or_default();
        for (ip, port) in addrs {
            entry.push(SocketAddr::new(ip, port));
        }
    }
    for endpoints in dc_endpoints.values_mut() {
        endpoints.sort_unstable();
        endpoints.dedup();
    }
    let mut live_addr_counts = HashMap::<SocketAddr, usize>::new();
    for writer in pool
        .writers
        .read()
        .await
        .iter()
        .filter(|w| !w.draining.load(std::sync::atomic::Ordering::Relaxed))
    {
        *live_addr_counts.entry(writer.addr).or_insert(0) += 1;
    }
    for (dc, endpoints) in dc_endpoints {
        if endpoints.is_empty() {
            continue;
        }
        let required = MePool::required_writers_for_dc(endpoints.len());
        let alive = endpoints
            .iter()
            .map(|addr| *live_addr_counts.get(addr).unwrap_or(&0))
            .sum::<usize>();
        if alive >= required {
            continue;
        }
        let missing = required - alive;
        let key = (dc, family);
        let now = Instant::now();
        if let Some(ts) = next_attempt.get(&key)
            && now < *ts
        {
            continue;
        }
        let max_concurrent = pool.me_reconnect_max_concurrent_per_dc.max(1) as usize;
        if *inflight.get(&key).unwrap_or(&0) >= max_concurrent {
            return;
        }
        *inflight.entry(key).or_insert(0) += 1;
        let mut restored = 0usize;
        for _ in 0..missing {
            let res = tokio::time::timeout(
                pool.me_one_timeout,
                pool.connect_endpoints_round_robin(&endpoints, rng.as_ref()),
            )
            .await;
            match res {
                Ok(true) => {
                    restored += 1;
                    pool.stats.increment_me_reconnect_success();
                }
-                for _ in 0..needed {
+                Ok(false) => {
-                    let addr = SocketAddr::new(ip, port);
+                    pool.stats.increment_me_reconnect_attempt();
-                    match pool.connect_one(addr, &rng).await {
+                    debug!(dc = %dc, ?family, "ME round-robin reconnect failed")
-                        Ok(()) => info!(%addr, "ME reconnected"),
+                }
-                        Err(e) => debug!(%addr, error = %e, "ME reconnect failed"),
+                Err(_) => {
-                    }
+                    pool.stats.increment_me_reconnect_attempt();
                    debug!(dc = %dc, ?family, "ME reconnect timed out");
                }
            }
        }
        let now_alive = alive + restored;
        if now_alive >= required {
            info!(
                dc = %dc,
                ?family,
                alive = now_alive,
                required,
                endpoint_count = endpoints.len(),
                "ME writer floor restored for DC"
            );
            backoff.insert(key, pool.me_reconnect_backoff_base.as_millis() as u64);
            let jitter = pool.me_reconnect_backoff_base.as_millis() as u64 / JITTER_FRAC_NUM;
            let wait = pool.me_reconnect_backoff_base
                + Duration::from_millis(rand::rng().random_range(0..=jitter.max(1)));
            next_attempt.insert(key, now + wait);
        } else {
            let curr = *backoff.get(&key).unwrap_or(&(pool.me_reconnect_backoff_base.as_millis() as u64));
            let next_ms = (curr.saturating_mul(2)).min(pool.me_reconnect_backoff_cap.as_millis() as u64);
            backoff.insert(key, next_ms);
            let jitter = next_ms / JITTER_FRAC_NUM;
            let wait = Duration::from_millis(next_ms)
                + Duration::from_millis(rand::rng().random_range(0..=jitter.max(1)));
            next_attempt.insert(key, now + wait);
            warn!(
                dc = %dc,
                ?family,
                alive = now_alive,
                required,
                endpoint_count = endpoints.len(),
                backoff_ms = next_ms,
                "DC writer floor is below required level, scheduled reconnect"
            );
        }
        if let Some(v) = inflight.get_mut(&key) {
            *v = v.saturating_sub(1);
        }
    }
 }
--- a/src/transport/middle_proxy/mod.rs
+++ b/src/transport/middle_proxy/mod.rs
@@ -1,21 +1,31 @@
 //! Middle Proxy RPC transport.
 mod codec;
 mod handshake;
 mod health;
 mod pool;
 mod pool_nat;
 mod ping;
 mod reader;
 mod registry;
 mod send;
 mod secret;
 mod rotation;
 mod config_updater;
 mod wire;
 use bytes::Bytes;
 pub use health::me_health_monitor;
 #[allow(unused_imports)]
 pub use ping::{run_me_ping, format_sample_line, MePingReport, MePingSample, MePingFamily};
 pub use pool::MePool;
 #[allow(unused_imports)]
 pub use pool_nat::{stun_probe, detect_public_ip};
 pub use registry::ConnRegistry;
 pub use secret::fetch_proxy_secret;
 pub use config_updater::{fetch_proxy_config, me_config_updater};
 pub use rotation::me_rotation_task;
 pub use wire::proto_flags_for_tag;
 #[derive(Debug)]
--- a/src/transport/middle_proxy/ping.rs
+++ b/src/transport/middle_proxy/ping.rs
@@ -0,0 +1,174 @@
 use std::collections::HashMap;
 use std::net::{IpAddr, SocketAddr};
 use std::sync::Arc;
 use crate::crypto::SecureRandom;
 use crate::error::ProxyError;
 use super::MePool;
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
 pub enum MePingFamily {
    V4,
    V6,
 }
 #[derive(Debug, Clone)]
 pub struct MePingSample {
    pub dc: i32,
    pub addr: SocketAddr,
    pub connect_ms: Option<f64>,
    pub handshake_ms: Option<f64>,
    pub error: Option<String>,
    pub family: MePingFamily,
 }
 #[derive(Debug, Clone)]
 #[allow(dead_code)]
 pub struct MePingReport {
    pub dc: i32,
    pub family: MePingFamily,
    pub samples: Vec<MePingSample>,
 }
 pub fn format_sample_line(sample: &MePingSample) -> String {
    let sign = if sample.dc >= 0 { "+" } else { "-" };
    let addr = format!("{}:{}", sample.addr.ip(), sample.addr.port());
    match (sample.connect_ms, sample.handshake_ms.as_ref(), sample.error.as_ref()) {
        (Some(conn), Some(hs), None) => format!(
            "     {sign} {addr}\tPing: {:.0} ms / RPC: {:.0} ms / OK",
            conn, hs
        ),
        (Some(conn), None, Some(err)) => format!(
            "     {sign} {addr}\tPing: {:.0} ms / RPC: FAIL ({err})",
            conn
        ),
        (None, _, Some(err)) => format!("     {sign} {addr}\tPing: FAIL ({err})"),
        (Some(conn), None, None) => format!("     {sign} {addr}\tPing: {:.0} ms / RPC: FAIL", conn),
        _ => format!("     {sign} {addr}\tPing: FAIL"),
    }
 }
 #[cfg(test)]
 mod tests {
    use super::*;
    use std::net::{IpAddr, Ipv4Addr, SocketAddr};
    fn sample(base: MePingSample) -> MePingSample {
        base
    }
    #[test]
    fn ok_line_contains_both_timings() {
        let s = sample(MePingSample {
            dc: 4,
            addr: SocketAddr::new(IpAddr::V4(Ipv4Addr::new(1, 2, 3, 4)), 8888),
            connect_ms: Some(12.3),
            handshake_ms: Some(34.7),
            error: None,
            family: MePingFamily::V4,
        });
        let line = format_sample_line(&s);
        assert!(line.contains("Ping: 12 ms"));
        assert!(line.contains("RPC: 35 ms"));
        assert!(line.contains("OK"));
    }
    #[test]
    fn error_line_mentions_reason() {
        let s = sample(MePingSample {
            dc: -5,
            addr: SocketAddr::new(IpAddr::V4(Ipv4Addr::new(5, 6, 7, 8)), 80),
            connect_ms: Some(10.0),
            handshake_ms: None,
            error: Some("handshake timeout".to_string()),
            family: MePingFamily::V4,
        });
        let line = format_sample_line(&s);
        assert!(line.contains("- 5.6.7.8:80"));
        assert!(line.contains("handshake timeout"));
    }
 }
 pub async fn run_me_ping(pool: &Arc<MePool>, rng: &SecureRandom) -> Vec<MePingReport> {
    let mut reports = Vec::new();
    let v4_map = if pool.decision.ipv4_me {
        pool.proxy_map_v4.read().await.clone()
    } else {
        HashMap::new()
    };
    let v6_map = if pool.decision.ipv6_me {
        pool.proxy_map_v6.read().await.clone()
    } else {
        HashMap::new()
    };
    let mut grouped: Vec<(MePingFamily, i32, Vec<(IpAddr, u16)>)> = Vec::new();
    for (dc, addrs) in v4_map {
        grouped.push((MePingFamily::V4, dc, addrs));
    }
    for (dc, addrs) in v6_map {
        grouped.push((MePingFamily::V6, dc, addrs));
    }
    for (family, dc, addrs) in grouped {
        let mut samples = Vec::new();
        for (ip, port) in addrs {
            let addr = SocketAddr::new(ip, port);
            let mut connect_ms = None;
            let mut handshake_ms = None;
            let mut error = None;
            match pool.connect_tcp(addr).await {
                Ok((stream, conn_rtt)) => {
                    connect_ms = Some(conn_rtt);
                    match pool.handshake_only(stream, addr, rng).await {
                        Ok(hs) => {
                            handshake_ms = Some(hs.handshake_ms);
                            // drop halves to close
                            drop(hs.rd);
                            drop(hs.wr);
                        }
                        Err(e) => {
                            error = Some(short_err(&e));
                        }
                    }
                }
                Err(e) => {
                    error = Some(short_err(&e));
                }
            }
            samples.push(MePingSample {
                dc,
                addr,
                connect_ms,
                handshake_ms,
                error,
                family,
            });
        }
        reports.push(MePingReport {
            dc,
            family,
            samples,
        });
    }
    reports
 }
 fn short_err(err: &ProxyError) -> String {
    match err {
        ProxyError::ConnectionTimeout { .. } => "connect timeout".to_string(),
        ProxyError::TgHandshakeTimeout => "handshake timeout".to_string(),
        ProxyError::InvalidHandshake(e) => format!("bad handshake: {e}"),
        ProxyError::Crypto(e) => format!("crypto: {e}"),
        ProxyError::Proxy(e) => format!("proxy: {e}"),
        ProxyError::Io(e) => format!("io: {e}"),
        _ => format!("{err}"),
    }
 }
--- a/src/transport/middle_proxy/pool.rs
+++ b/src/transport/middle_proxy/pool.rs
--- a/src/transport/middle_proxy/pool_nat.rs
+++ b/src/transport/middle_proxy/pool_nat.rs
@@ -1,16 +1,31 @@
 use std::net::{IpAddr, Ipv4Addr};
 use std::time::Duration;
 use tracing::{info, warn};
 use crate::error::{ProxyError, Result};
 use crate::network::probe::is_bogon;
 use crate::network::stun::{stun_probe_dual, IpFamily, StunProbeResult};
 use super::MePool;
 use std::time::Instant;
 #[allow(dead_code)]
 pub async fn stun_probe(stun_addr: Option<String>) -> Result<crate::network::stun::DualStunResult> {
    let stun_addr = stun_addr.unwrap_or_else(|| "stun.l.google.com:19302".to_string());
    stun_probe_dual(&stun_addr).await
 }
 #[allow(dead_code)]
 pub async fn detect_public_ip() -> Option<IpAddr> {
    fetch_public_ipv4_with_retry().await.ok().flatten().map(IpAddr::V4)
 }
 impl MePool {
    pub(super) fn translate_ip_for_nat(&self, ip: IpAddr) -> IpAddr {
        let nat_ip = self
            .nat_ip_cfg
-            .or_else(|| self.nat_ip_detected.get().copied());
+            .or_else(|| self.nat_ip_detected.try_read().ok().and_then(|g| *g));
        let Some(nat_ip) = nat_ip else {
            return ip;
@@ -18,7 +33,7 @@ impl MePool {
        match (ip, nat_ip) {
            (IpAddr::V4(src), IpAddr::V4(dst))
-                if is_privateish(IpAddr::V4(src))
+                if is_bogon(IpAddr::V4(src))
                    || src.is_loopback()
                    || src.is_unspecified() =>
            {
@@ -38,7 +53,7 @@ impl MePool {
    ) -> std::net::SocketAddr {
        let ip = if let Some(r) = reflected {
            // Use reflected IP (not port) only when local address is non-public.
-            if is_privateish(addr.ip()) || addr.ip().is_loopback() || addr.ip().is_unspecified() {
+            if is_bogon(addr.ip()) || addr.ip().is_loopback() || addr.ip().is_unspecified() {
                r.ip()
            } else {
                self.translate_ip_for_nat(addr.ip())
@@ -56,17 +71,20 @@ impl MePool {
            return self.nat_ip_cfg;
        }
-        if !(is_privateish(local_ip) || local_ip.is_loopback() || local_ip.is_unspecified()) {
+        if !(is_bogon(local_ip) || local_ip.is_loopback() || local_ip.is_unspecified()) {
            return None;
        }
-        if let Some(ip) = self.nat_ip_detected.get().copied() {
+        if let Some(ip) = *self.nat_ip_detected.read().await {
            return Some(ip);
        }
-        match fetch_public_ipv4().await {
+        match fetch_public_ipv4_with_retry().await {
            Ok(Some(ip)) => {
-                let _ = self.nat_ip_detected.set(IpAddr::V4(ip));
+                {
                    let mut guard = self.nat_ip_detected.write().await;
                    *guard = Some(IpAddr::V4(ip));
                }
                info!(public_ip = %ip, "Auto-detected public IP for NAT translation");
                Some(IpAddr::V4(ip))
            }
@@ -78,28 +96,93 @@ impl MePool {
        }
    }
-    pub(super) async fn maybe_reflect_public_addr(&self) -> Option<std::net::SocketAddr> {
+    pub(super) async fn maybe_reflect_public_addr(
-        let stun_addr = self
+        &self,
-            .nat_stun
+        family: IpFamily,
-            .clone()
+    ) -> Option<std::net::SocketAddr> {
-            .unwrap_or_else(|| "stun.l.google.com:19302".to_string());
+        const STUN_CACHE_TTL: Duration = Duration::from_secs(600);
-        match fetch_stun_binding(&stun_addr).await {
+        // Backoff window
-            Ok(sa) => {
+        if let Some(until) = *self.stun_backoff_until.read().await
-                if let Some(sa) = sa {
+            && Instant::now() < until
-                    info!(%sa, "NAT probe: reflected address");
+        {
-                }
+            if let Ok(cache) = self.nat_reflection_cache.try_lock() {
-                sa
+                let slot = match family {
                    IpFamily::V4 => cache.v4,
                    IpFamily::V6 => cache.v6,
                };
                return slot.map(|(_, addr)| addr);
            }
-            Err(e) => {
+            return None;
-                warn!(error = %e, "NAT probe failed");
+        }
-                None
+
        if let Ok(mut cache) = self.nat_reflection_cache.try_lock() {
            let slot = match family {
                IpFamily::V4 => &mut cache.v4,
                IpFamily::V6 => &mut cache.v6,
            };
            if let Some((ts, addr)) = slot
                && ts.elapsed() < STUN_CACHE_TTL
            {
                return Some(*addr);
            }
        }
        let attempt = self.nat_probe_attempts.fetch_add(1, std::sync::atomic::Ordering::Relaxed);
        let servers = if !self.nat_stun_servers.is_empty() {
            self.nat_stun_servers.clone()
        } else if let Some(s) = &self.nat_stun {
            vec![s.clone()]
        } else {
            vec!["stun.l.google.com:19302".to_string()]
        };
        for stun_addr in servers {
            match stun_probe_dual(&stun_addr).await {
                Ok(res) => {
                    let picked: Option<StunProbeResult> = match family {
                        IpFamily::V4 => res.v4,
                        IpFamily::V6 => res.v6,
                    };
                    if let Some(result) = picked {
                        info!(local = %result.local_addr, reflected = %result.reflected_addr, family = ?family, stun = %stun_addr, "NAT probe: reflected address");
                        self.nat_probe_attempts.store(0, std::sync::atomic::Ordering::Relaxed);
                        if let Ok(mut cache) = self.nat_reflection_cache.try_lock() {
                            let slot = match family {
                                IpFamily::V4 => &mut cache.v4,
                                IpFamily::V6 => &mut cache.v6,
                            };
                            *slot = Some((Instant::now(), result.reflected_addr));
                        }
                        return Some(result.reflected_addr);
                    }
                }
                Err(e) => {
                    warn!(error = %e, stun = %stun_addr, attempt = attempt + 1, "NAT probe failed, trying next server");
                }
            }
        }
        let backoff = Duration::from_secs(60 * 2u64.pow((attempt as u32).min(6)));
        *self.stun_backoff_until.write().await = Some(Instant::now() + backoff);
        None
    }
 }
-async fn fetch_public_ipv4() -> Result<Option<Ipv4Addr>> {
+async fn fetch_public_ipv4_with_retry() -> Result<Option<Ipv4Addr>> {
-    let res = reqwest::get("https://checkip.amazonaws.com").await.map_err(|e| {
+    let providers = [
        "https://checkip.amazonaws.com",
        "http://v4.ident.me",
        "http://ipv4.icanhazip.com",
    ];
    for url in providers {
        if let Ok(Some(ip)) = fetch_public_ipv4_once(url).await {
            return Ok(Some(ip));
        }
    }
    Ok(None)
 }
 async fn fetch_public_ipv4_once(url: &str) -> Result<Option<Ipv4Addr>> {
    let res = reqwest::get(url).await.map_err(|e| {
        ProxyError::Proxy(format!("public IP detection request failed: {e}"))
    })?;
@@ -110,91 +193,3 @@ async fn fetch_public_ipv4() -> Result<Option<Ipv4Addr>> {
    let ip = text.trim().parse().ok();
    Ok(ip)
 }
 async fn fetch_stun_binding(stun_addr: &str) -> Result<Option<std::net::SocketAddr>> {
    use rand::RngCore;
    use tokio::net::UdpSocket;
    let socket = UdpSocket::bind("0.0.0.0:0")
        .await
        .map_err(|e| ProxyError::Proxy(format!("STUN bind failed: {e}")))?;
    socket
        .connect(stun_addr)
        .await
        .map_err(|e| ProxyError::Proxy(format!("STUN connect failed: {e}")))?;
    // Build minimal Binding Request.
    let mut req = vec![0u8; 20];
    req[0..2].copy_from_slice(&0x0001u16.to_be_bytes()); // Binding Request
    req[2..4].copy_from_slice(&0u16.to_be_bytes()); // length
    req[4..8].copy_from_slice(&0x2112A442u32.to_be_bytes()); // magic cookie
    rand::thread_rng().fill_bytes(&mut req[8..20]);
    socket
        .send(&req)
        .await
        .map_err(|e| ProxyError::Proxy(format!("STUN send failed: {e}")))?;
    let mut buf = [0u8; 128];
    let n = socket
        .recv(&mut buf)
        .await
        .map_err(|e| ProxyError::Proxy(format!("STUN recv failed: {e}")))?;
    if n < 20 {
        return Ok(None);
    }
    // Parse attributes.
    let mut idx = 20;
    while idx + 4 <= n {
        let atype = u16::from_be_bytes(buf[idx..idx + 2].try_into().unwrap());
        let alen = u16::from_be_bytes(buf[idx + 2..idx + 4].try_into().unwrap()) as usize;
        idx += 4;
        if idx + alen > n {
            break;
        }
        match atype {
            0x0020 /* XOR-MAPPED-ADDRESS */ | 0x0001 /* MAPPED-ADDRESS */ => {
                if alen < 8 {
                    break;
                }
                let family = buf[idx + 1];
                if family != 0x01 {
                    // only IPv4 supported here
                    break;
                }
                let port_bytes = [buf[idx + 2], buf[idx + 3]];
                let ip_bytes = [buf[idx + 4], buf[idx + 5], buf[idx + 6], buf[idx + 7]];
                let (port, ip) = if atype == 0x0020 {
                    let magic = 0x2112A442u32.to_be_bytes();
                    let port = u16::from_be_bytes(port_bytes) ^ ((magic[0] as u16) << 8 | magic[1] as u16);
                    let ip = [
                        ip_bytes[0] ^ magic[0],
                        ip_bytes[1] ^ magic[1],
                        ip_bytes[2] ^ magic[2],
                        ip_bytes[3] ^ magic[3],
                    ];
                    (port, ip)
                } else {
                    (u16::from_be_bytes(port_bytes), ip_bytes)
                };
                return Ok(Some(std::net::SocketAddr::new(
                    IpAddr::V4(Ipv4Addr::new(ip[0], ip[1], ip[2], ip[3])),
                    port,
                )));
            }
            _ => {}
        }
        idx += (alen + 3) & !3; // 4-byte alignment
    }
    Ok(None)
 }
 fn is_privateish(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => v4.is_private() || v4.is_link_local(),
        IpAddr::V6(v6) => v6.is_unique_local(),
    }
 }
--- a/src/transport/middle_proxy/reader.rs
+++ b/src/transport/middle_proxy/reader.rs
@@ -1,32 +1,49 @@
 use std::collections::HashMap;
 use std::sync::Arc;
 use std::sync::atomic::{AtomicBool, Ordering};
 use std::time::Instant;
 use bytes::{Bytes, BytesMut};
 use tokio::io::AsyncReadExt;
 use tokio::net::TcpStream;
-use tokio::sync::Mutex;
+use tokio::sync::{Mutex, mpsc};
 use tokio_util::sync::CancellationToken;
 use tracing::{debug, trace, warn};
-use crate::crypto::{AesCbc, crc32};
+use crate::crypto::AesCbc;
 use crate::error::{ProxyError, Result};
 use crate::protocol::constants::*;
 use crate::stats::Stats;
-use super::codec::RpcWriter;
+use super::codec::{RpcChecksumMode, WriterCommand, rpc_crc};
 use super::registry::RouteResult;
 use super::{ConnRegistry, MeResponse};
 pub(crate) async fn reader_loop(
    mut rd: tokio::io::ReadHalf<TcpStream>,
    dk: [u8; 32],
    mut div: [u8; 16],
    crc_mode: RpcChecksumMode,
    reg: Arc<ConnRegistry>,
    enc_leftover: BytesMut,
    mut dec: BytesMut,
-    writer: Arc<Mutex<RpcWriter>>,
+    tx: mpsc::Sender<WriterCommand>,
    ping_tracker: Arc<Mutex<HashMap<i64, (Instant, u64)>>>,
    rtt_stats: Arc<Mutex<HashMap<u64, (f64, f64)>>>,
    stats: Arc<Stats>,
    _writer_id: u64,
    degraded: Arc<AtomicBool>,
    cancel: CancellationToken,
 ) -> Result<()> {
    let mut raw = enc_leftover;
    let mut expected_seq: i32 = 0;
    loop {
        let mut tmp = [0u8; 16_384];
-        let n = rd.read(&mut tmp).await.map_err(ProxyError::Io)?;
+        let n = tokio::select! {
            res = rd.read(&mut tmp) => res.map_err(ProxyError::Io)?,
            _ = cancel.cancelled() => return Ok(()),
        };
        if n == 0 {
            return Ok(());
        }
@@ -65,11 +82,29 @@ pub(crate) async fn reader_loop(
            let frame = dec.split_to(fl);
            let pe = fl - 4;
            let ec = u32::from_le_bytes(frame[pe..pe + 4].try_into().unwrap());
-            if crc32(&frame[..pe]) != ec {
+            let actual_crc = rpc_crc(crc_mode, &frame[..pe]);
-                warn!("CRC mismatch in data frame");
+            if actual_crc != ec {
-                continue;
+                stats.increment_me_crc_mismatch();
                warn!(
                    frame_len = fl,
                    expected_crc = format_args!("0x{ec:08x}"),
                    actual_crc = format_args!("0x{actual_crc:08x}"),
                    "CRC mismatch — CBC crypto desync, aborting ME connection"
                );
                return Err(ProxyError::Proxy("CRC mismatch (crypto desync)".into()));
            }
            let seq_no = i32::from_le_bytes(frame[4..8].try_into().unwrap());
            if seq_no != expected_seq {
                stats.increment_me_seq_mismatch();
                warn!(seq_no, expected = expected_seq, "ME RPC seq mismatch");
                return Err(ProxyError::SeqNoMismatch {
                    expected: expected_seq,
                    got: seq_no,
                });
            }
            expected_seq = expected_seq.wrapping_add(1);
            let payload = &frame[8..pe];
            if payload.len() < 4 {
                continue;
@@ -85,9 +120,15 @@ pub(crate) async fn reader_loop(
                trace!(cid, flags, len = data.len(), "RPC_PROXY_ANS");
                let routed = reg.route(cid, MeResponse::Data { flags, data }).await;
-                if !routed {
+                if !matches!(routed, RouteResult::Routed) {
                    match routed {
                        RouteResult::NoConn => stats.increment_me_route_drop_no_conn(),
                        RouteResult::ChannelClosed => stats.increment_me_route_drop_channel_closed(),
                        RouteResult::QueueFull => stats.increment_me_route_drop_queue_full(),
                        RouteResult::Routed => {}
                    }
                    reg.unregister(cid).await;
-                    send_close_conn(&writer, cid).await;
+                    send_close_conn(&tx, cid).await;
                }
            } else if pt == RPC_SIMPLE_ACK_U32 && body.len() >= 12 {
                let cid = u64::from_le_bytes(body[0..8].try_into().unwrap());
@@ -95,9 +136,15 @@ pub(crate) async fn reader_loop(
                trace!(cid, cfm, "RPC_SIMPLE_ACK");
                let routed = reg.route(cid, MeResponse::Ack(cfm)).await;
-                if !routed {
+                if !matches!(routed, RouteResult::Routed) {
                    match routed {
                        RouteResult::NoConn => stats.increment_me_route_drop_no_conn(),
                        RouteResult::ChannelClosed => stats.increment_me_route_drop_channel_closed(),
                        RouteResult::QueueFull => stats.increment_me_route_drop_queue_full(),
                        RouteResult::Routed => {}
                    }
                    reg.unregister(cid).await;
-                    send_close_conn(&writer, cid).await;
+                    send_close_conn(&tx, cid).await;
                }
            } else if pt == RPC_CLOSE_EXT_U32 && body.len() >= 8 {
                let cid = u64::from_le_bytes(body[0..8].try_into().unwrap());
@@ -115,10 +162,31 @@ pub(crate) async fn reader_loop(
                let mut pong = Vec::with_capacity(12);
                pong.extend_from_slice(&RPC_PONG_U32.to_le_bytes());
                pong.extend_from_slice(&ping_id.to_le_bytes());
-                if let Err(e) = writer.lock().await.send(&pong).await {
+                if tx.send(WriterCommand::DataAndFlush(pong)).await.is_err() {
-                    warn!(error = %e, "PONG send failed");
+                    warn!("PONG send failed");
                    break;
                }
            } else if pt == RPC_PONG_U32 && body.len() >= 8 {
                let ping_id = i64::from_le_bytes(body[0..8].try_into().unwrap());
                stats.increment_me_keepalive_pong();
                if let Some((sent, wid)) = {
                    let mut guard = ping_tracker.lock().await;
                    guard.remove(&ping_id)
                } {
                    let rtt = sent.elapsed().as_secs_f64() * 1000.0;
                    let mut stats = rtt_stats.lock().await;
                    let entry = stats.entry(wid).or_insert((rtt, rtt));
                    entry.1 = entry.1 * 0.8 + rtt * 0.2;
                    if rtt < entry.0 {
                        entry.0 = rtt;
                    } else {
                        // allow slow baseline drift upward to avoid stale minimum
                        entry.0 = entry.0 * 0.99 + rtt * 0.01;
                    }
                    let degraded_now = entry.1 > entry.0 * 2.0;
                    degraded.store(degraded_now, Ordering::Relaxed);
                    trace!(writer_id = wid, rtt_ms = rtt, ema_ms = entry.1, base_ms = entry.0, degraded = degraded_now, "ME RTT sample");
                }
            } else {
                debug!(
                    rpc_type = format_args!("0x{pt:08x}"),
@@ -130,12 +198,10 @@ pub(crate) async fn reader_loop(
    }
 }
-async fn send_close_conn(writer: &Arc<Mutex<RpcWriter>>, conn_id: u64) {
+async fn send_close_conn(tx: &mpsc::Sender<WriterCommand>, conn_id: u64) {
    let mut p = Vec::with_capacity(12);
    p.extend_from_slice(&RPC_CLOSE_CONN_U32.to_le_bytes());
    p.extend_from_slice(&conn_id.to_le_bytes());
-    if let Err(e) = writer.lock().await.send(&p).await {
+    let _ = tx.send(WriterCommand::DataAndFlush(p)).await;
        debug!(conn_id, error = %e, "Failed to send RPC_CLOSE_CONN");
    }
 }
--- a/src/transport/middle_proxy/registry.rs
+++ b/src/transport/middle_proxy/registry.rs
@@ -1,42 +1,186 @@
-use std::collections::HashMap;
+use std::collections::{HashMap, HashSet};
 use std::net::SocketAddr;
 use std::sync::atomic::{AtomicU64, Ordering};
 use std::time::Duration;
-use tokio::sync::{RwLock, mpsc};
+use tokio::sync::{mpsc, RwLock};
 use tokio::sync::mpsc::error::TrySendError;
 use super::codec::WriterCommand;
 use super::MeResponse;
 const ROUTE_CHANNEL_CAPACITY: usize = 4096;
 const ROUTE_BACKPRESSURE_TIMEOUT: Duration = Duration::from_millis(25);
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
 pub enum RouteResult {
    Routed,
    NoConn,
    ChannelClosed,
    QueueFull,
 }
 #[derive(Clone)]
 #[allow(dead_code)]
 pub struct ConnMeta {
    pub target_dc: i16,
    pub client_addr: SocketAddr,
    pub our_addr: SocketAddr,
    pub proto_flags: u32,
 }
 #[derive(Clone)]
 #[allow(dead_code)]
 pub struct BoundConn {
    pub conn_id: u64,
    pub meta: ConnMeta,
 }
 #[derive(Clone)]
 pub struct ConnWriter {
    pub writer_id: u64,
    pub tx: mpsc::Sender<WriterCommand>,
 }
 struct RegistryInner {
    map: HashMap<u64, mpsc::Sender<MeResponse>>,
    writers: HashMap<u64, mpsc::Sender<WriterCommand>>,
    writer_for_conn: HashMap<u64, u64>,
    conns_for_writer: HashMap<u64, HashSet<u64>>,
    meta: HashMap<u64, ConnMeta>,
 }
 impl RegistryInner {
    fn new() -> Self {
        Self {
            map: HashMap::new(),
            writers: HashMap::new(),
            writer_for_conn: HashMap::new(),
            conns_for_writer: HashMap::new(),
            meta: HashMap::new(),
        }
    }
 }
 pub struct ConnRegistry {
-    map: RwLock<HashMap<u64, mpsc::Sender<MeResponse>>>,
+    inner: RwLock<RegistryInner>,
    next_id: AtomicU64,
 }
 impl ConnRegistry {
    pub fn new() -> Self {
        // Avoid fully predictable conn_id sequence from 1.
        let start = rand::random::<u64>() | 1;
        Self {
-            map: RwLock::new(HashMap::new()),
+            inner: RwLock::new(RegistryInner::new()),
            next_id: AtomicU64::new(start),
        }
    }
    pub async fn register(&self) -> (u64, mpsc::Receiver<MeResponse>) {
        let id = self.next_id.fetch_add(1, Ordering::Relaxed);
-        let (tx, rx) = mpsc::channel(256);
+        let (tx, rx) = mpsc::channel(ROUTE_CHANNEL_CAPACITY);
-        self.map.write().await.insert(id, tx);
+        self.inner.write().await.map.insert(id, tx);
        (id, rx)
    }
-    pub async fn unregister(&self, id: u64) {
+    /// Unregister connection, returning associated writer_id if any.
-        self.map.write().await.remove(&id);
+    pub async fn unregister(&self, id: u64) -> Option<u64> {
        let mut inner = self.inner.write().await;
        inner.map.remove(&id);
        inner.meta.remove(&id);
        if let Some(writer_id) = inner.writer_for_conn.remove(&id) {
            if let Some(set) = inner.conns_for_writer.get_mut(&writer_id) {
                set.remove(&id);
            }
            return Some(writer_id);
        }
        None
    }
-    pub async fn route(&self, id: u64, resp: MeResponse) -> bool {
+    pub async fn route(&self, id: u64, resp: MeResponse) -> RouteResult {
-        let m = self.map.read().await;
+        let tx = {
-        if let Some(tx) = m.get(&id) {
+            let inner = self.inner.read().await;
-            tx.send(resp).await.is_ok()
+            inner.map.get(&id).cloned()
-        } else {
+        };
-            false
+
        let Some(tx) = tx else {
            return RouteResult::NoConn;
        };
        match tx.try_send(resp) {
            Ok(()) => RouteResult::Routed,
            Err(TrySendError::Closed(_)) => RouteResult::ChannelClosed,
            Err(TrySendError::Full(resp)) => {
                // Absorb short bursts without dropping/closing the session immediately.
                match tokio::time::timeout(ROUTE_BACKPRESSURE_TIMEOUT, tx.send(resp)).await {
                    Ok(Ok(())) => RouteResult::Routed,
                    Ok(Err(_)) => RouteResult::ChannelClosed,
                    Err(_) => RouteResult::QueueFull,
                }
            }
        }
    }
    pub async fn bind_writer(
        &self,
        conn_id: u64,
        writer_id: u64,
        tx: mpsc::Sender<WriterCommand>,
        meta: ConnMeta,
    ) {
        let mut inner = self.inner.write().await;
        inner.meta.entry(conn_id).or_insert(meta);
        inner.writer_for_conn.insert(conn_id, writer_id);
        inner.writers.entry(writer_id).or_insert_with(|| tx.clone());
        inner
            .conns_for_writer
            .entry(writer_id)
            .or_insert_with(HashSet::new)
            .insert(conn_id);
    }
    pub async fn get_writer(&self, conn_id: u64) -> Option<ConnWriter> {
        let inner = self.inner.read().await;
        let writer_id = inner.writer_for_conn.get(&conn_id).cloned()?;
        let writer = inner.writers.get(&writer_id).cloned()?;
        Some(ConnWriter { writer_id, tx: writer })
    }
    pub async fn writer_lost(&self, writer_id: u64) -> Vec<BoundConn> {
        let mut inner = self.inner.write().await;
        inner.writers.remove(&writer_id);
        let conns = inner
            .conns_for_writer
            .remove(&writer_id)
            .unwrap_or_default()
            .into_iter()
            .collect::<Vec<_>>();
        let mut out = Vec::new();
        for conn_id in conns {
            inner.writer_for_conn.remove(&conn_id);
            if let Some(m) = inner.meta.get(&conn_id) {
                out.push(BoundConn {
                    conn_id,
                    meta: m.clone(),
                });
            }
        }
        out
    }
    #[allow(dead_code)]
    pub async fn get_meta(&self, conn_id: u64) -> Option<ConnMeta> {
        let inner = self.inner.read().await;
        inner.meta.get(&conn_id).cloned()
    }
    pub async fn is_writer_empty(&self, writer_id: u64) -> bool {
        let inner = self.inner.read().await;
        inner
            .conns_for_writer
            .get(&writer_id)
            .map(|s| s.is_empty())
            .unwrap_or(true)
    }
 }
--- a/src/transport/middle_proxy/rotation.rs
+++ b/src/transport/middle_proxy/rotation.rs
@@ -0,0 +1,88 @@
 use std::sync::Arc;
 use std::time::Duration;
 use tokio::sync::watch;
 use tracing::{info, warn};
 use crate::config::ProxyConfig;
 use crate::crypto::SecureRandom;
 use super::MePool;
 /// Periodically reinitialize ME generations and swap them after full warmup.
 pub async fn me_rotation_task(
    pool: Arc<MePool>,
    rng: Arc<SecureRandom>,
    mut config_rx: watch::Receiver<Arc<ProxyConfig>>,
 ) {
    let mut interval_secs = config_rx
        .borrow()
        .general
        .effective_me_reinit_every_secs()
        .max(1);
    let mut interval = Duration::from_secs(interval_secs);
    let mut next_tick = tokio::time::Instant::now() + interval;
    info!(interval_secs, "ME periodic reinit task started");
    loop {
        let sleep = tokio::time::sleep_until(next_tick);
        tokio::pin!(sleep);
        tokio::select! {
            _ = &mut sleep => {
                pool.zero_downtime_reinit_periodic(rng.as_ref()).await;
                let refreshed_secs = config_rx
                    .borrow()
                    .general
                    .effective_me_reinit_every_secs()
                    .max(1);
                if refreshed_secs != interval_secs {
                    info!(
                        old_me_reinit_every_secs = interval_secs,
                        new_me_reinit_every_secs = refreshed_secs,
                        "ME periodic reinit interval changed"
                    );
                    interval_secs = refreshed_secs;
                    interval = Duration::from_secs(interval_secs);
                }
                next_tick = tokio::time::Instant::now() + interval;
            }
            changed = config_rx.changed() => {
                if changed.is_err() {
                    warn!("ME periodic reinit task stopped: config channel closed");
                    break;
                }
                let new_secs = config_rx
                    .borrow()
                    .general
                    .effective_me_reinit_every_secs()
                    .max(1);
                if new_secs == interval_secs {
                    continue;
                }
                if new_secs < interval_secs {
                    info!(
                        old_me_reinit_every_secs = interval_secs,
                        new_me_reinit_every_secs = new_secs,
                        "ME periodic reinit interval decreased, running immediate reinit"
                    );
                    interval_secs = new_secs;
                    interval = Duration::from_secs(interval_secs);
                    pool.zero_downtime_reinit_periodic(rng.as_ref()).await;
                    next_tick = tokio::time::Instant::now() + interval;
                } else {
                    info!(
                        old_me_reinit_every_secs = interval_secs,
                        new_me_reinit_every_secs = new_secs,
                        "ME periodic reinit interval increased"
                    );
                    interval_secs = new_secs;
                    interval = Duration::from_secs(interval_secs);
                    next_tick = tokio::time::Instant::now() + interval;
                }
            }
        }
    }
 }
--- a/src/transport/middle_proxy/secret.rs
+++ b/src/transport/middle_proxy/secret.rs
@@ -1,15 +1,45 @@
 use std::time::Duration;
 use tracing::{debug, info, warn};
 use std::time::SystemTime;
 use httpdate;
 use crate::error::{ProxyError, Result};
 pub const PROXY_SECRET_MIN_LEN: usize = 32;
 pub(super) fn validate_proxy_secret_len(data_len: usize, max_len: usize) -> Result<()> {
    if max_len < PROXY_SECRET_MIN_LEN {
        return Err(ProxyError::Proxy(format!(
            "proxy-secret max length is invalid: {} bytes (must be >= {})",
            max_len,
            PROXY_SECRET_MIN_LEN
        )));
    }
    if data_len < PROXY_SECRET_MIN_LEN {
        return Err(ProxyError::Proxy(format!(
            "proxy-secret too short: {} bytes (need >= {})",
            data_len,
            PROXY_SECRET_MIN_LEN
        )));
    }
    if data_len > max_len {
        return Err(ProxyError::Proxy(format!(
            "proxy-secret too long: {} bytes (limit = {})",
            data_len,
            max_len
        )));
    }
    Ok(())
 }
 /// Fetch Telegram proxy-secret binary.
-pub async fn fetch_proxy_secret(cache_path: Option<&str>) -> Result<Vec<u8>> {
+pub async fn fetch_proxy_secret(cache_path: Option<&str>, max_len: usize) -> Result<Vec<u8>> {
    let cache = cache_path.unwrap_or("proxy-secret");
    // 1) Try fresh download first.
-    match download_proxy_secret().await {
+    match download_proxy_secret_with_max_len(max_len).await {
        Ok(data) => {
            if let Err(e) = tokio::fs::write(cache, &data).await {
                warn!(error = %e, "Failed to cache proxy-secret (non-fatal)");
@@ -24,9 +54,9 @@ pub async fn fetch_proxy_secret(cache_path: Option<&str>) -> Result<Vec<u8>> {
        }
    }
-    // 2) Fallback to cache/file regardless of age; require len>=32.
+    // 2) Fallback to cache/file regardless of age; require len in bounds.
    match tokio::fs::read(cache).await {
-        Ok(data) if data.len() >= 32 => {
+        Ok(data) if validate_proxy_secret_len(data.len(), max_len).is_ok() => {
            let age_hours = tokio::fs::metadata(cache)
                .await
                .ok()
@@ -41,17 +71,14 @@ pub async fn fetch_proxy_secret(cache_path: Option<&str>) -> Result<Vec<u8>> {
            );
            Ok(data)
        }
-        Ok(data) => Err(ProxyError::Proxy(format!(
+        Ok(data) => validate_proxy_secret_len(data.len(), max_len).map(|_| data),
            "Cached proxy-secret too short: {} bytes (need >= 32)",
            data.len()
        ))),
        Err(e) => Err(ProxyError::Proxy(format!(
            "Failed to read proxy-secret cache after download failure: {e}"
        ))),
    }
 }
-async fn download_proxy_secret() -> Result<Vec<u8>> {
+pub async fn download_proxy_secret_with_max_len(max_len: usize) -> Result<Vec<u8>> {
    let resp = reqwest::get("https://core.telegram.org/getProxySecret")
        .await
        .map_err(|e| ProxyError::Proxy(format!("Failed to download proxy-secret: {e}")))?;
@@ -63,18 +90,28 @@ async fn download_proxy_secret() -> Result<Vec<u8>> {
        )));
    }
    if let Some(date) = resp.headers().get(reqwest::header::DATE)
        && let Ok(date_str) = date.to_str()
        && let Ok(server_time) = httpdate::parse_http_date(date_str)
        && let Ok(skew) = SystemTime::now().duration_since(server_time).or_else(|e| {
            server_time.duration_since(SystemTime::now()).map_err(|_| e)
        })
    {
        let skew_secs = skew.as_secs();
        if skew_secs > 60 {
            warn!(skew_secs, "Time skew >60s detected from proxy-secret Date header");
        } else if skew_secs > 30 {
            warn!(skew_secs, "Time skew >30s detected from proxy-secret Date header");
        }
    }
    let data = resp
        .bytes()
        .await
        .map_err(|e| ProxyError::Proxy(format!("Read proxy-secret body: {e}")))?
        .to_vec();
-    if data.len() < 32 {
+    validate_proxy_secret_len(data.len(), max_len)?;
        return Err(ProxyError::Proxy(format!(
            "proxy-secret too short: {} bytes (need >= 32)",
            data.len()
        )));
    }
    info!(len = data.len(), "Downloaded proxy-secret OK");
    Ok(data)
--- a/src/transport/middle_proxy/send.rs
+++ b/src/transport/middle_proxy/send.rs
@@ -1,20 +1,23 @@
 use std::net::SocketAddr;
 use std::sync::Arc;
 use std::sync::atomic::Ordering;
 use std::time::Duration;
 use tokio::sync::Mutex;
 use tracing::{debug, warn};
 use crate::error::{ProxyError, Result};
-use crate::protocol::constants::{RPC_CLOSE_EXT_U32, TG_MIDDLE_PROXIES_V4};
+use crate::network::IpFamily;
 use crate::protocol::constants::RPC_CLOSE_EXT_U32;
 use super::MePool;
-use super::codec::RpcWriter;
+use super::codec::WriterCommand;
 use super::wire::build_proxy_req_payload;
 use rand::seq::SliceRandom;
 use super::registry::ConnMeta;
 impl MePool {
    pub async fn send_proxy_req(
-        &self,
+        self: &Arc<Self>,
        conn_id: u64,
        target_dc: i16,
        client_addr: SocketAddr,
@@ -30,73 +33,174 @@ impl MePool {
            self.proxy_tag.as_deref(),
            proto_flags,
        );
        let meta = ConnMeta {
            target_dc,
            client_addr,
            our_addr,
            proto_flags,
        };
        let mut emergency_attempts = 0;
        loop {
-            let ws = self.writers.read().await;
+            if let Some(current) = self.registry.get_writer(conn_id).await {
-            if ws.is_empty() {
+                let send_res = {
-                return Err(ProxyError::Proxy("All ME connections dead".into()));
+                    current
-            }
+                        .tx
-            let writers: Vec<(SocketAddr, Arc<Mutex<RpcWriter>>)> = ws.iter().cloned().collect();
+                        .send(WriterCommand::Data(payload.clone()))
-            drop(ws);
+                        .await
-
+                };
-            let candidate_indices = candidate_indices_for_dc(&writers, target_dc);
+                match send_res {
-            if candidate_indices.is_empty() {
+                    Ok(()) => return Ok(()),
-                return Err(ProxyError::Proxy("No ME writers available for target DC".into()));
+                    Err(_) => {
-            }
+                        warn!(writer_id = current.writer_id, "ME writer channel closed");
-            let start = self.rr.fetch_add(1, Ordering::Relaxed) as usize % candidate_indices.len();
+                        self.remove_writer_and_close_clients(current.writer_id).await;
-
+                        continue;
            // Prefer immediately available writer to avoid waiting on stalled connection.
            for offset in 0..candidate_indices.len() {
                let cidx = (start + offset) % candidate_indices.len();
                let idx = candidate_indices[cidx];
                let w = writers[idx].1.clone();
                if let Ok(mut guard) = w.try_lock() {
                    let send_res = guard.send(&payload).await;
                    drop(guard);
                    match send_res {
                        Ok(()) => return Ok(()),
                        Err(e) => {
                            warn!(error = %e, "ME write failed, removing dead conn");
                            let mut ws = self.writers.write().await;
                            ws.retain(|(_, o)| !Arc::ptr_eq(o, &w));
                            if ws.is_empty() {
                                return Err(ProxyError::Proxy("All ME connections dead".into()));
                            }
                            continue;
                        }
                    }
                }
            }
-            // All writers are currently busy, wait for the selected one.
+            let mut writers_snapshot = {
-            let w = writers[candidate_indices[start]].1.clone();
+                let ws = self.writers.read().await;
-            match w.lock().await.send(&payload).await {
+                if ws.is_empty() {
-                Ok(()) => return Ok(()),
+                    // Create waiter before recovery attempts so notify_one permits are not missed.
-                Err(e) => {
+                    let waiter = self.writer_available.notified();
-                    warn!(error = %e, "ME write failed, removing dead conn");
+                    drop(ws);
-                    let mut ws = self.writers.write().await;
+                    for family in self.family_order() {
-                    ws.retain(|(_, o)| !Arc::ptr_eq(o, &w));
+                        let map = match family {
-                    if ws.is_empty() {
+                            IpFamily::V4 => self.proxy_map_v4.read().await.clone(),
-                        return Err(ProxyError::Proxy("All ME connections dead".into()));
+                            IpFamily::V6 => self.proxy_map_v6.read().await.clone(),
                        };
                        for (_dc, addrs) in map.iter() {
                            for (ip, port) in addrs {
                                let addr = SocketAddr::new(*ip, *port);
                                if self.connect_one(addr, self.rng.as_ref()).await.is_ok() {
                                    self.writer_available.notify_one();
                                    break;
                                }
                            }
                        }
                    }
                    if !self.writers.read().await.is_empty() {
                        continue;
                    }
                    if tokio::time::timeout(Duration::from_secs(3), waiter).await.is_err() {
                        if !self.writers.read().await.is_empty() {
                            continue;
                        }
                        return Err(ProxyError::Proxy("All ME connections dead (waited 3s)".into()));
                    }
                    continue;
                }
                ws.clone()
            };
            let mut candidate_indices = self.candidate_indices_for_dc(&writers_snapshot, target_dc).await;
            if candidate_indices.is_empty() {
                // Emergency connect-on-demand
                if emergency_attempts >= 3 {
                    return Err(ProxyError::Proxy("No ME writers available for target DC".into()));
                }
                emergency_attempts += 1;
                for family in self.family_order() {
                    let map_guard = match family {
                        IpFamily::V4 => self.proxy_map_v4.read().await,
                        IpFamily::V6 => self.proxy_map_v6.read().await,
                    };
                    if let Some(addrs) = map_guard.get(&(target_dc as i32)) {
                        let mut shuffled = addrs.clone();
                        shuffled.shuffle(&mut rand::rng());
                        drop(map_guard);
                        for (ip, port) in shuffled {
                            let addr = SocketAddr::new(ip, port);
                            if self.connect_one(addr, self.rng.as_ref()).await.is_ok() {
                                break;
                            }
                        }
                        tokio::time::sleep(Duration::from_millis(100 * emergency_attempts)).await;
                        let ws2 = self.writers.read().await;
                        writers_snapshot = ws2.clone();
                        drop(ws2);
                        candidate_indices = self.candidate_indices_for_dc(&writers_snapshot, target_dc).await;
                        if !candidate_indices.is_empty() {
                            break;
                        }
                    }
                }
                if candidate_indices.is_empty() {
                    return Err(ProxyError::Proxy("No ME writers available for target DC".into()));
                }
            }
            candidate_indices.sort_by_key(|idx| {
                let w = &writers_snapshot[*idx];
                let degraded = w.degraded.load(Ordering::Relaxed);
                let stale = (w.generation < self.current_generation()) as usize;
                (stale, degraded as usize)
            });
            let start = self.rr.fetch_add(1, Ordering::Relaxed) as usize % candidate_indices.len();
            for offset in 0..candidate_indices.len() {
                let idx = candidate_indices[(start + offset) % candidate_indices.len()];
                let w = &writers_snapshot[idx];
                if !self.writer_accepts_new_binding(w) {
                    continue;
                }
                if w.tx.send(WriterCommand::Data(payload.clone())).await.is_ok() {
                    self.registry
                        .bind_writer(conn_id, w.id, w.tx.clone(), meta.clone())
                        .await;
                    if w.generation < self.current_generation() {
                        self.stats.increment_pool_stale_pick_total();
                        debug!(
                            conn_id,
                            writer_id = w.id,
                            writer_generation = w.generation,
                            current_generation = self.current_generation(),
                            "Selected stale ME writer for fallback bind"
                        );
                    }
                    return Ok(());
                } else {
                    warn!(writer_id = w.id, "ME writer channel closed");
                    self.remove_writer_and_close_clients(w.id).await;
                    continue;
                }
            }
            let w = writers_snapshot[candidate_indices[start]].clone();
            if !self.writer_accepts_new_binding(&w) {
                continue;
            }
            match w.tx.send(WriterCommand::Data(payload.clone())).await {
                Ok(()) => {
                    self.registry
                        .bind_writer(conn_id, w.id, w.tx.clone(), meta.clone())
                        .await;
                    if w.generation < self.current_generation() {
                        self.stats.increment_pool_stale_pick_total();
                    }
                    return Ok(());
                }
                Err(_) => {
                    warn!(writer_id = w.id, "ME writer channel closed (blocking)");
                    self.remove_writer_and_close_clients(w.id).await;
                }
            }
        }
    }
-    pub async fn send_close(&self, conn_id: u64) -> Result<()> {
+    pub async fn send_close(self: &Arc<Self>, conn_id: u64) -> Result<()> {
-        let ws = self.writers.read().await;
+        if let Some(w) = self.registry.get_writer(conn_id).await {
        if !ws.is_empty() {
            let w = ws[0].1.clone();
            drop(ws);
            let mut p = Vec::with_capacity(12);
            p.extend_from_slice(&RPC_CLOSE_EXT_U32.to_le_bytes());
            p.extend_from_slice(&conn_id.to_le_bytes());
-            if let Err(e) = w.lock().await.send(&p).await {
+            if w.tx.send(WriterCommand::DataAndFlush(p)).await.is_err() {
-                debug!(error = %e, "ME close write failed");
+                debug!("ME close write failed");
-                let mut ws = self.writers.write().await;
+                self.remove_writer_and_close_clients(w.writer_id).await;
                ws.retain(|(_, o)| !Arc::ptr_eq(o, &w));
            }
        } else {
            debug!(conn_id, "ME close skipped (writer missing)");
        }
        self.registry.unregister(conn_id).await;
@@ -104,43 +208,75 @@ impl MePool {
    }
    pub fn connection_count(&self) -> usize {
-        self.writers.try_read().map(|w| w.len()).unwrap_or(0)
+        self.conn_count.load(Ordering::Relaxed)
    }
-}
+    
    pub(super) async fn candidate_indices_for_dc(
        &self,
        writers: &[super::pool::MeWriter],
        target_dc: i16,
    ) -> Vec<usize> {
        let key = target_dc as i32;
        let mut preferred = Vec::<SocketAddr>::new();
-fn candidate_indices_for_dc(
+        for family in self.family_order() {
-    writers: &[(SocketAddr, Arc<Mutex<RpcWriter>>)],
+            let map_guard = match family {
-    target_dc: i16,
+                IpFamily::V4 => self.proxy_map_v4.read().await,
-) -> Vec<usize> {
+                IpFamily::V6 => self.proxy_map_v6.read().await,
-    let mut preferred = Vec::<SocketAddr>::new();
+            };
-    let key = target_dc as i32;
+
-    if let Some(v) = TG_MIDDLE_PROXIES_V4.get(&key) {
+            if let Some(v) = map_guard.get(&key) {
-        preferred.extend(v.iter().map(|(ip, port)| SocketAddr::new(*ip, *port)));
+                preferred.extend(v.iter().map(|(ip, port)| SocketAddr::new(*ip, *port)));
-    }
+            }
-    if preferred.is_empty() {
+            if preferred.is_empty() {
-        let abs = key.abs();
+                let abs = key.abs();
-        if let Some(v) = TG_MIDDLE_PROXIES_V4.get(&abs) {
+                if let Some(v) = map_guard.get(&abs) {
-            preferred.extend(v.iter().map(|(ip, port)| SocketAddr::new(*ip, *port)));
+                    preferred.extend(v.iter().map(|(ip, port)| SocketAddr::new(*ip, *port)));
                }
            }
            if preferred.is_empty() {
                let abs = key.abs();
                if let Some(v) = map_guard.get(&-abs) {
                    preferred.extend(v.iter().map(|(ip, port)| SocketAddr::new(*ip, *port)));
                }
            }
            if preferred.is_empty() {
                let def = self.default_dc.load(Ordering::Relaxed);
                if def != 0
                    && let Some(v) = map_guard.get(&def)
                {
                    preferred.extend(v.iter().map(|(ip, port)| SocketAddr::new(*ip, *port)));
                }
            }
            drop(map_guard);
            if !preferred.is_empty() && !self.decision.effective_multipath {
                break;
            }
        }
-    }
+
-    if preferred.is_empty() {
+        if preferred.is_empty() {
-        let abs = key.abs();
+            return (0..writers.len())
-        if let Some(v) = TG_MIDDLE_PROXIES_V4.get(&-abs) {
+                .filter(|i| self.writer_accepts_new_binding(&writers[*i]))
-            preferred.extend(v.iter().map(|(ip, port)| SocketAddr::new(*ip, *port)));
+                .collect();
        }
-    }
+
-    if preferred.is_empty() {
+        let mut out = Vec::new();
-        return (0..writers.len()).collect();
+        for (idx, w) in writers.iter().enumerate() {
            if !self.writer_accepts_new_binding(w) {
                continue;
            }
            if preferred.contains(&w.addr) {
                out.push(idx);
            }
        }
        if out.is_empty() {
            return (0..writers.len())
                .filter(|i| self.writer_accepts_new_binding(&writers[*i]))
                .collect();
        }
        out
    }
    let mut out = Vec::new();
    for (idx, (addr, _)) in writers.iter().enumerate() {
        if preferred.iter().any(|p| p == addr) {
            out.push(idx);
        }
    }
    if out.is_empty() {
        return (0..writers.len()).collect();
    }
    out
 }
--- a/src/transport/middle_proxy/wire.rs
+++ b/src/transport/middle_proxy/wire.rs
@@ -28,9 +28,7 @@ fn ipv4_to_mapped_v6_c_compat(ip: Ipv4Addr) -> [u8; 16] {
    buf[8..12].copy_from_slice(&(-0x10000i32).to_le_bytes());
    // Matches tl_store_int(htonl(remote_ip_host_order)).
-    let host_order = u32::from_ne_bytes(ip.octets());
+    buf[12..16].copy_from_slice(&ip.octets());
    let network_order = host_order.to_be();
    buf[12..16].copy_from_slice(&network_order.to_le_bytes());
    buf
 }
@@ -60,7 +58,7 @@ pub(crate) fn build_proxy_req_payload(
    append_mapped_addr_and_port(&mut b, client_addr);
    append_mapped_addr_and_port(&mut b, our_addr);
-    if proto_flags & 12 != 0 {
+    if proto_flags & RPC_FLAG_HAS_AD_TAG != 0 {
        let extra_start = b.len();
        b.extend_from_slice(&0u32.to_le_bytes());
@@ -104,3 +102,17 @@ pub fn proto_flags_for_tag(tag: crate::protocol::constants::ProtoTag, has_proxy_
        ProtoTag::Secure => flags | RPC_FLAG_PAD | RPC_FLAG_INTERMEDIATE,
    }
 }
 #[cfg(test)]
 mod tests {
    use super::*;
    #[test]
    fn test_ipv4_mapped_encoding() {
        let ip = Ipv4Addr::new(149, 154, 175, 50);
        let buf = ipv4_to_mapped_v6_c_compat(ip);
        assert_eq!(&buf[0..10], &[0u8; 10]);
        assert_eq!(&buf[10..12], &[0xff, 0xff]);
        assert_eq!(&buf[12..16], &[149, 154, 175, 50]);
    }
 }
--- a/src/transport/mod.rs
+++ b/src/transport/mod.rs
@@ -6,9 +6,13 @@ pub mod socket;
 pub mod socks;
 pub mod upstream;
 #[allow(unused_imports)]
 pub use pool::ConnectionPool;
 #[allow(unused_imports)]
 pub use proxy_protocol::{ProxyProtocolInfo, parse_proxy_protocol};
 pub use socket::*;
 #[allow(unused_imports)]
 pub use socks::*;
 #[allow(unused_imports)]
 pub use upstream::{DcPingResult, StartupPingResult, UpstreamManager};
 pub mod middle_proxy;
--- a/src/transport/pool.rs
+++ b/src/transport/pool.rs
@@ -1,5 +1,7 @@
 //! Connection Pool
 #![allow(dead_code)]
 use std::collections::HashMap;
 use std::net::SocketAddr;
 use std::sync::Arc;
@@ -8,7 +10,7 @@ use tokio::net::TcpStream;
 use tokio::sync::Mutex;
 use tokio::time::timeout;
 use parking_lot::RwLock;
-use tracing::{debug, warn};
+use tracing::debug;
 use crate::error::{ProxyError, Result};
 use super::socket::configure_tcp_socket;
@@ -285,12 +287,17 @@ where
 #[cfg(test)]
 mod tests {
    use super::*;
    use std::io::ErrorKind;
    use tokio::net::TcpListener;
    #[tokio::test]
    async fn test_pool_basic() {
        // Start a test server
-        let listener = TcpListener::bind("127.0.0.1:0").await.unwrap();
+        let listener = match TcpListener::bind("127.0.0.1:0").await {
            Ok(l) => l,
            Err(e) if e.kind() == ErrorKind::PermissionDenied => return,
            Err(e) => panic!("bind failed: {e}"),
        };
        let addr = listener.local_addr().unwrap();
        // Accept connections in background
@@ -303,7 +310,11 @@ mod tests {
        let pool = ConnectionPool::new();
        // Get a connection
-        let conn1 = pool.get(addr).await.unwrap();
+        let conn1 = match pool.get(addr).await {
            Ok(c) => c,
            Err(ProxyError::Io(e)) if e.kind() == ErrorKind::PermissionDenied => return,
            Err(e) => panic!("connect failed: {e}"),
        };
        // Return it to pool
        pool.put(addr, conn1).await;
@@ -335,4 +346,4 @@ mod tests {
        assert_eq!(stats.endpoints, 0);
        assert_eq!(stats.total_connections, 0);
    }
-}
+}
--- a/src/transport/proxy_protocol.rs
+++ b/src/transport/proxy_protocol.rs
@@ -28,6 +28,7 @@ mod address_family {
 /// Information extracted from PROXY protocol header
 #[derive(Debug, Clone)]
 #[allow(dead_code)]
 pub struct ProxyProtocolInfo {
    /// Source (client) address
    pub src_addr: SocketAddr,
@@ -37,6 +38,7 @@ pub struct ProxyProtocolInfo {
    pub version: u8,
 }
 #[allow(dead_code)]
 impl ProxyProtocolInfo {
    /// Create info with just source address
    pub fn new(src_addr: SocketAddr) -> Self {
@@ -231,12 +233,14 @@ async fn parse_v2<R: AsyncRead + Unpin>(
 }
 /// Builder for PROXY protocol v1 header
 #[allow(dead_code)]
 pub struct ProxyProtocolV1Builder {
    family: &'static str,
    src_addr: Option<SocketAddr>,
    dst_addr: Option<SocketAddr>,
 }
 #[allow(dead_code)]
 impl ProxyProtocolV1Builder {
    pub fn new() -> Self {
        Self {
@@ -283,6 +287,60 @@ impl Default for ProxyProtocolV1Builder {
    }
 }
 /// Builder for PROXY protocol v2 header
 #[allow(dead_code)]
 pub struct ProxyProtocolV2Builder {
    src: Option<SocketAddr>,
    dst: Option<SocketAddr>,
 }
 #[allow(dead_code)]
 impl ProxyProtocolV2Builder {
    pub fn new() -> Self {
        Self { src: None, dst: None }
    }
    pub fn with_addrs(mut self, src: SocketAddr, dst: SocketAddr) -> Self {
        self.src = Some(src);
        self.dst = Some(dst);
        self
    }
    pub fn build(&self) -> Vec<u8> {
        let mut header = Vec::new();
        header.extend_from_slice(PROXY_V2_SIGNATURE);
        // version 2, PROXY command
        header.push(0x21);
        match (self.src, self.dst) {
            (Some(SocketAddr::V4(src)), Some(SocketAddr::V4(dst))) => {
                header.push(0x11); // INET + STREAM
                header.extend_from_slice(&(12u16).to_be_bytes());
                header.extend_from_slice(&src.ip().octets());
                header.extend_from_slice(&dst.ip().octets());
                header.extend_from_slice(&src.port().to_be_bytes());
                header.extend_from_slice(&dst.port().to_be_bytes());
            }
            (Some(SocketAddr::V6(src)), Some(SocketAddr::V6(dst))) => {
                header.push(0x21); // INET6 + STREAM
                header.extend_from_slice(&(36u16).to_be_bytes());
                header.extend_from_slice(&src.ip().octets());
                header.extend_from_slice(&dst.ip().octets());
                header.extend_from_slice(&src.port().to_be_bytes());
                header.extend_from_slice(&dst.port().to_be_bytes());
            }
            _ => {
                // LOCAL/UNSPEC: no address information
                header[12] = 0x20; // version 2, LOCAL command
                header.push(0x00);
                header.extend_from_slice(&0u16.to_be_bytes());
            }
        }
        header
    }
 }
 #[cfg(test)]
 mod tests {
    use super::*;
@@ -378,4 +436,4 @@ mod tests {
        let header = ProxyProtocolV1Builder::new().build();
        assert_eq!(header, b"PROXY UNKNOWN\r\n");
    }
-}
+}
--- a/src/transport/socket.rs
+++ b/src/transport/socket.rs
@@ -1,5 +1,7 @@
 //! TCP Socket Configuration
 use std::collections::HashSet;
 use std::fs;
 use std::io::Result;
 use std::net::{SocketAddr, IpAddr};
 use std::time::Duration;
@@ -8,6 +10,7 @@ use socket2::{Socket, TcpKeepalive, Domain, Type, Protocol};
 use tracing::debug;
 /// Configure TCP socket with recommended settings for proxy use
 #[allow(dead_code)]
 pub fn configure_tcp_socket(
    stream: &TcpStream,
    keepalive: bool,
@@ -80,6 +83,7 @@ pub fn configure_client_socket(
 }
 /// Set socket to send RST on close (for masking)
 #[allow(dead_code)]
 pub fn set_linger_zero(stream: &TcpStream) -> Result<()> {
    let socket = socket2::SockRef::from(stream);
    socket.set_linger(Some(Duration::ZERO))?;
@@ -87,6 +91,7 @@ pub fn set_linger_zero(stream: &TcpStream) -> Result<()> {
 }
 /// Create a new TCP socket for outgoing connections
 #[allow(dead_code)]
 pub fn create_outgoing_socket(addr: SocketAddr) -> Result<Socket> {
    create_outgoing_socket_bound(addr, None)
 }
@@ -118,16 +123,51 @@ pub fn create_outgoing_socket_bound(addr: SocketAddr, bind_addr: Option<IpAddr>)
 /// Get local address of a socket
 #[allow(dead_code)]
 pub fn get_local_addr(stream: &TcpStream) -> Option<SocketAddr> {
    stream.local_addr().ok()
 }
 /// Resolve primary IP address of a network interface by name.
 /// Returns the first address matching the requested family (IPv4/IPv6).
 #[cfg(unix)]
 pub fn resolve_interface_ip(name: &str, want_ipv6: bool) -> Option<IpAddr> {
    use nix::ifaddrs::getifaddrs;
    if let Ok(addrs) = getifaddrs() {
        for iface in addrs {
            if iface.interface_name == name
                && let Some(address) = iface.address
            {
                if let Some(v4) = address.as_sockaddr_in() {
                    if !want_ipv6 {
                        return Some(IpAddr::V4(v4.ip()));
                    }
                } else if let Some(v6) = address.as_sockaddr_in6()
                    && want_ipv6
                {
                    return Some(IpAddr::V6(v6.ip()));
                }
            }
        }
    }
    None
 }
 /// Stub for non-Unix platforms: interface name resolution unsupported.
 #[cfg(not(unix))]
 pub fn resolve_interface_ip(_name: &str, _want_ipv6: bool) -> Option<IpAddr> {
    None
 }
 /// Get peer address of a socket
 #[allow(dead_code)]
 pub fn get_peer_addr(stream: &TcpStream) -> Option<SocketAddr> {
    stream.peer_addr().ok()
 }
 /// Check if address is IPv6
 #[allow(dead_code)]
 pub fn is_ipv6(addr: &SocketAddr) -> bool {
    addr.is_ipv6()
 }
@@ -202,18 +242,159 @@ pub fn create_listener(addr: SocketAddr, options: &ListenOptions) -> Result<Sock
    Ok(socket)
 }
 /// Best-effort process list for listeners occupying the same local TCP port.
 #[derive(Debug, Clone)]
 pub struct ListenerProcessInfo {
    pub pid: u32,
    pub process: String,
 }
 /// Find processes currently listening on the local TCP port of `addr`.
 /// Returns an empty list when unsupported or when no owners can be resolved.
 pub fn find_listener_processes(addr: SocketAddr) -> Vec<ListenerProcessInfo> {
    #[cfg(target_os = "linux")]
    {
        find_listener_processes_linux(addr)
    }
    #[cfg(not(target_os = "linux"))]
    {
        let _ = addr;
        Vec::new()
    }
 }
 #[cfg(target_os = "linux")]
 fn find_listener_processes_linux(addr: SocketAddr) -> Vec<ListenerProcessInfo> {
    let inodes = listening_inodes_for_port(addr);
    if inodes.is_empty() {
        return Vec::new();
    }
    let mut out = Vec::new();
    let proc_entries = match fs::read_dir("/proc") {
        Ok(entries) => entries,
        Err(_) => return out,
    };
    for entry in proc_entries.flatten() {
        let pid = match entry.file_name().to_string_lossy().parse::<u32>() {
            Ok(pid) => pid,
            Err(_) => continue,
        };
        let fd_dir = entry.path().join("fd");
        let fd_entries = match fs::read_dir(fd_dir) {
            Ok(entries) => entries,
            Err(_) => continue,
        };
        let mut matched = false;
        for fd in fd_entries.flatten() {
            let link_target = match fs::read_link(fd.path()) {
                Ok(link) => link,
                Err(_) => continue,
            };
            let link_str = link_target.to_string_lossy();
            let Some(rest) = link_str.strip_prefix("socket:[") else {
                continue;
            };
            let Some(inode_str) = rest.strip_suffix(']') else {
                continue;
            };
            let Ok(inode) = inode_str.parse::<u64>() else {
                continue;
            };
            if inodes.contains(&inode) {
                matched = true;
                break;
            }
        }
        if matched {
            let process = fs::read_to_string(entry.path().join("comm"))
                .ok()
                .map(|s| s.trim().to_string())
                .filter(|s| !s.is_empty())
                .unwrap_or_else(|| "unknown".to_string());
            out.push(ListenerProcessInfo { pid, process });
        }
    }
    out.sort_by_key(|p| p.pid);
    out.dedup_by_key(|p| p.pid);
    out
 }
 #[cfg(target_os = "linux")]
 fn listening_inodes_for_port(addr: SocketAddr) -> HashSet<u64> {
    let path = match addr {
        SocketAddr::V4(_) => "/proc/net/tcp",
        SocketAddr::V6(_) => "/proc/net/tcp6",
    };
    let mut inodes = HashSet::new();
    let Ok(data) = fs::read_to_string(path) else {
        return inodes;
    };
    for line in data.lines().skip(1) {
        let cols: Vec<&str> = line.split_whitespace().collect();
        if cols.len() < 10 {
            continue;
        }
        // LISTEN state in /proc/net/tcp*
        if cols[3] != "0A" {
            continue;
        }
        let Some(port_hex) = cols[1].split(':').nth(1) else {
            continue;
        };
        let Ok(port) = u16::from_str_radix(port_hex, 16) else {
            continue;
        };
        if port != addr.port() {
            continue;
        }
        if let Ok(inode) = cols[9].parse::<u64>() {
            inodes.insert(inode);
        }
    }
    inodes
 }
 #[cfg(test)]
 mod tests {
    use super::*;
    use std::io::ErrorKind;
    use tokio::net::TcpListener;
    #[tokio::test]
    async fn test_configure_socket() {
-        let listener = TcpListener::bind("127.0.0.1:0").await.unwrap();
+        let listener = match TcpListener::bind("127.0.0.1:0").await {
            Ok(l) => l,
            Err(e) if e.kind() == ErrorKind::PermissionDenied => return,
            Err(e) => panic!("bind failed: {e}"),
        };
        let addr = listener.local_addr().unwrap();
-        let stream = TcpStream::connect(addr).await.unwrap();
+        let stream = match TcpStream::connect(addr).await {
-        configure_tcp_socket(&stream, true, Duration::from_secs(30)).unwrap();
+            Ok(s) => s,
            Err(e) if e.kind() == ErrorKind::PermissionDenied => return,
            Err(e) => panic!("connect failed: {e}"),
        };
        if let Err(e) = configure_tcp_socket(&stream, true, Duration::from_secs(30)) {
            if e.kind() == ErrorKind::PermissionDenied {
                return;
            }
            panic!("configure_tcp_socket failed: {e}");
        }
    }
    #[test]
@@ -234,4 +415,4 @@ mod tests {
        assert!(opts.reuse_port);
        assert_eq!(opts.backlog, 1024);
    }
-}
+}
--- a/src/transport/socks.rs
+++ b/src/transport/socks.rs
@@ -1,7 +1,7 @@
 //! SOCKS4/5 Client Implementation
 use std::net::{IpAddr, SocketAddr};
-use tokio::io::{AsyncRead, AsyncReadExt, AsyncWrite, AsyncWriteExt};
+use tokio::io::{AsyncReadExt, AsyncWriteExt};
 use tokio::net::TcpStream;
 use crate::error::{ProxyError, Result};
@@ -27,11 +27,11 @@ pub async fn connect_socks4(
    buf.extend_from_slice(user);
    buf.push(0); // NULL
-    stream.write_all(&buf).await.map_err(|e| ProxyError::Io(e))?;
+    stream.write_all(&buf).await.map_err(ProxyError::Io)?;
    // Response: VN (1) | CD (1) | DSTPORT (2) | DSTIP (4)
    let mut resp = [0u8; 8];
-    stream.read_exact(&mut resp).await.map_err(|e| ProxyError::Io(e))?;
+    stream.read_exact(&mut resp).await.map_err(ProxyError::Io)?;
    if resp[1] != 90 {
        return Err(ProxyError::Proxy(format!("SOCKS4 request rejected: code {}", resp[1])));
@@ -56,10 +56,10 @@ pub async fn connect_socks5(
    let mut buf = vec![5u8, methods.len() as u8];
    buf.extend_from_slice(&methods);
-    stream.write_all(&buf).await.map_err(|e| ProxyError::Io(e))?;
+    stream.write_all(&buf).await.map_err(ProxyError::Io)?;
    let mut resp = [0u8; 2];
-    stream.read_exact(&mut resp).await.map_err(|e| ProxyError::Io(e))?;
+    stream.read_exact(&mut resp).await.map_err(ProxyError::Io)?;
    if resp[0] != 5 {
        return Err(ProxyError::Proxy("Invalid SOCKS5 version".to_string()));
@@ -80,10 +80,10 @@ pub async fn connect_socks5(
                auth_buf.push(p_bytes.len() as u8);
                auth_buf.extend_from_slice(p_bytes);
-                stream.write_all(&auth_buf).await.map_err(|e| ProxyError::Io(e))?;
+                stream.write_all(&auth_buf).await.map_err(ProxyError::Io)?;
                let mut auth_resp = [0u8; 2];
-                stream.read_exact(&mut auth_resp).await.map_err(|e| ProxyError::Io(e))?;
+                stream.read_exact(&mut auth_resp).await.map_err(ProxyError::Io)?;
                if auth_resp[1] != 0 {
                    return Err(ProxyError::Proxy("SOCKS5 authentication failed".to_string()));
@@ -112,11 +112,11 @@ pub async fn connect_socks5(
    req.extend_from_slice(&target.port().to_be_bytes());
-    stream.write_all(&req).await.map_err(|e| ProxyError::Io(e))?;
+    stream.write_all(&req).await.map_err(ProxyError::Io)?;
    // Response
    let mut head = [0u8; 4];
-    stream.read_exact(&mut head).await.map_err(|e| ProxyError::Io(e))?;
+    stream.read_exact(&mut head).await.map_err(ProxyError::Io)?;
    if head[1] != 0 {
        return Err(ProxyError::Proxy(format!("SOCKS5 request failed: code {}", head[1])));
@@ -126,17 +126,17 @@ pub async fn connect_socks5(
    match head[3] {
        1 => { // IPv4
            let mut addr = [0u8; 4 + 2];
-            stream.read_exact(&mut addr).await.map_err(|e| ProxyError::Io(e))?;
+            stream.read_exact(&mut addr).await.map_err(ProxyError::Io)?;
        },
        3 => { // Domain
            let mut len = [0u8; 1];
-            stream.read_exact(&mut len).await.map_err(|e| ProxyError::Io(e))?;
+            stream.read_exact(&mut len).await.map_err(ProxyError::Io)?;
            let mut addr = vec![0u8; len[0] as usize + 2];
-            stream.read_exact(&mut addr).await.map_err(|e| ProxyError::Io(e))?;
+            stream.read_exact(&mut addr).await.map_err(ProxyError::Io)?;
        },
        4 => { // IPv6
            let mut addr = [0u8; 16 + 2];
-            stream.read_exact(&mut addr).await.map_err(|e| ProxyError::Io(e))?;
+            stream.read_exact(&mut addr).await.map_err(ProxyError::Io)?;
        },
        _ => return Err(ProxyError::Proxy("Invalid address type in SOCKS5 response".to_string())),
    }
--- a/src/transport/upstream.rs
+++ b/src/transport/upstream.rs
@@ -1,9 +1,13 @@
 //! Upstream Management with per-DC latency-weighted selection
-//! 
+//!
 //! IPv6/IPv4 connectivity checks with configurable preference.
 #![allow(deprecated)]
 use std::collections::HashMap;
 use std::net::{SocketAddr, IpAddr};
 use std::sync::Arc;
 use std::sync::atomic::{AtomicUsize, Ordering};
 use std::time::Duration;
 use tokio::net::TcpStream;
 use tokio::sync::RwLock;
@@ -14,7 +18,7 @@ use tracing::{debug, warn, info, trace};
 use crate::config::{UpstreamConfig, UpstreamType};
 use crate::error::{Result, ProxyError};
 use crate::protocol::constants::{TG_DATACENTERS_V4, TG_DATACENTERS_V6, TG_DATACENTER_PORT};
-use crate::transport::socket::create_outgoing_socket_bound;
+use crate::transport::socket::{create_outgoing_socket_bound, resolve_interface_ip};
 use crate::transport::socks::{connect_socks4, connect_socks5};
 /// Number of Telegram datacenters
@@ -22,6 +26,8 @@ const NUM_DCS: usize = 5;
 /// Timeout for individual DC ping attempt
 const DC_PING_TIMEOUT_SECS: u64 = 5;
 /// Timeout for direct TG DC TCP connect readiness.
 const DIRECT_CONNECT_TIMEOUT_SECS: u64 = 10;
 // ============= RTT Tracking =============
@@ -51,9 +57,10 @@ impl LatencyEma {
 // ============= Per-DC IP Preference Tracking =============
 /// Tracks which IP version works for each DC
-#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Default)]
 pub enum IpPreference {
    /// Not yet tested
    #[default]
    Unknown,
    /// IPv6 works
    PreferV6,
@@ -65,12 +72,6 @@ pub enum IpPreference {
    Unavailable,
 }
 impl Default for IpPreference {
    fn default() -> Self {
        Self::Unknown
    }
 }
 // ============= Upstream State =============
 #[derive(Debug)]
@@ -83,6 +84,8 @@ struct UpstreamState {
    dc_latency: [LatencyEma; NUM_DCS],
    /// Per-DC IP version preference (learned from connectivity tests)
    dc_ip_pref: [IpPreference; NUM_DCS],
    /// Round-robin counter for bind_addresses selection
    bind_rr: Arc<AtomicUsize>,
 }
 impl UpstreamState {
@@ -94,6 +97,7 @@ impl UpstreamState {
            last_check: std::time::Instant::now(),
            dc_latency: [LatencyEma::new(0.3); NUM_DCS],
            dc_ip_pref: [IpPreference::Unknown; NUM_DCS],
            bind_rr: Arc::new(AtomicUsize::new(0)),
        }
    }
@@ -103,7 +107,7 @@ impl UpstreamState {
        if abs_dc == 0 {
            return None;
        }
-        if abs_dc >= 1 && abs_dc <= NUM_DCS {
+        if (1..=NUM_DCS).contains(&abs_dc) {
            Some(abs_dc - 1)
        } else {
            // Unknown DC → default cluster (DC 2, index 1)
@@ -113,10 +117,10 @@ impl UpstreamState {
    /// Get latency for a specific DC, falling back to average across all known DCs
    fn effective_latency(&self, dc_idx: Option<i16>) -> Option<f64> {
-        if let Some(di) = dc_idx.and_then(Self::dc_array_idx) {
+        if let Some(di) = dc_idx.and_then(Self::dc_array_idx)
-            if let Some(ms) = self.dc_latency[di].get() {
+            && let Some(ms) = self.dc_latency[di].get()
-                return Some(ms);
+        {
-            }
+            return Some(ms);
        }
        let (sum, count) = self.dc_latency.iter()
@@ -165,21 +169,85 @@ impl UpstreamManager {
        }
    }
    fn resolve_bind_address(
        interface: &Option<String>,
        bind_addresses: &Option<Vec<String>>,
        target: SocketAddr,
        rr: Option<&AtomicUsize>,
    ) -> Option<IpAddr> {
        let want_ipv6 = target.is_ipv6();
        if let Some(addrs) = bind_addresses {
            let candidates: Vec<IpAddr> = addrs
                .iter()
                .filter_map(|s| s.parse::<IpAddr>().ok())
                .filter(|ip| ip.is_ipv6() == want_ipv6)
                .collect();
            if !candidates.is_empty() {
                if let Some(counter) = rr {
                    let idx = counter.fetch_add(1, Ordering::Relaxed) % candidates.len();
                    return Some(candidates[idx]);
                }
                return candidates.first().copied();
            }
        }
        if let Some(iface) = interface {
            if let Ok(ip) = iface.parse::<IpAddr>() {
                if ip.is_ipv6() == want_ipv6 {
                    return Some(ip);
                }
            } else {
                #[cfg(unix)]
                if let Some(ip) = resolve_interface_ip(iface, want_ipv6) {
                    return Some(ip);
                }
            }
        }
        None
    }
    /// Select upstream using latency-weighted random selection.
-    async fn select_upstream(&self, dc_idx: Option<i16>) -> Option<usize> {
+    async fn select_upstream(&self, dc_idx: Option<i16>, scope: Option<&str>) -> Option<usize> {
        let upstreams = self.upstreams.read().await;
        if upstreams.is_empty() {
            return None;
        }
-
+        // Scope filter:
-        let healthy: Vec<usize> = upstreams.iter()
+        //   If scope is set: only scoped and matched items
        //   If scope is not set: only unscoped items
        let filtered_upstreams : Vec<usize> = upstreams.iter()
            .enumerate()
-            .filter(|(_, u)| u.healthy)
+            .filter(|(_, u)| {
                scope.map_or(
                    u.config.scopes.is_empty(),
                    |req_scope| {
                        u.config.scopes
                            .split(',')
                            .map(str::trim)
                            .any(|s| s == req_scope)
                    }
                )
            })
            .map(|(i, _)| i)
            .collect();
        // Healthy filter
        let healthy: Vec<usize> = filtered_upstreams.iter()
            .filter(|&&i| upstreams[i].healthy)
            .copied()
            .collect();
        if filtered_upstreams.is_empty() {
            warn!(scope = scope, "No upstreams available! Using first (direct?)");
            return None;
        }
        if healthy.is_empty() {
-            return Some(rand::rng().gen_range(0..upstreams.len()));
+            warn!(scope = scope, "No healthy upstreams available! Using random.");
            return Some(filtered_upstreams[rand::rng().gen_range(0..filtered_upstreams.len())]);
        }
        if healthy.len() == 1 {
@@ -221,18 +289,28 @@ impl UpstreamManager {
    }
    /// Connect to target through a selected upstream.
-    pub async fn connect(&self, target: SocketAddr, dc_idx: Option<i16>) -> Result<TcpStream> {
+    pub async fn connect(&self, target: SocketAddr, dc_idx: Option<i16>, scope: Option<&str>) -> Result<TcpStream> {
-        let idx = self.select_upstream(dc_idx).await
+        let idx = self.select_upstream(dc_idx, scope).await
            .ok_or_else(|| ProxyError::Config("No upstreams available".to_string()))?;
-        let upstream = {
+        let mut upstream = {
            let guard = self.upstreams.read().await;
            guard[idx].config.clone()
        };
        // Set scope for configuration copy
        if let Some(s) = scope {
            upstream.selected_scope = s.to_string();
        }
        let start = Instant::now();
-        match self.connect_via_upstream(&upstream, target).await {
+        let bind_rr = {
            let guard = self.upstreams.read().await;
            guard.get(idx).map(|u| u.bind_rr.clone())
        };
        match self.connect_via_upstream(&upstream, target, bind_rr).await {
            Ok(stream) => {
                let rtt_ms = start.elapsed().as_secs_f64() * 1000.0;
                let mut guard = self.upstreams.write().await;
@@ -264,13 +342,27 @@ impl UpstreamManager {
        }
    }
-    async fn connect_via_upstream(&self, config: &UpstreamConfig, target: SocketAddr) -> Result<TcpStream> {
+    async fn connect_via_upstream(
        &self,
        config: &UpstreamConfig,
        target: SocketAddr,
        bind_rr: Option<Arc<AtomicUsize>>,
    ) -> Result<TcpStream> {
        match &config.upstream_type {
-            UpstreamType::Direct { interface } => {
+            UpstreamType::Direct { interface, bind_addresses } => {
-                let bind_ip = interface.as_ref()
+                let bind_ip = Self::resolve_bind_address(
-                    .and_then(|s| s.parse::<IpAddr>().ok());
+                    interface,
                    bind_addresses,
                    target,
                    bind_rr.as_deref(),
                );
                let socket = create_outgoing_socket_bound(target, bind_ip)?;
                if let Some(ip) = bind_ip {
                    debug!(bind = %ip, target = %target, "Bound outgoing socket");
                } else if interface.is_some() || bind_addresses.is_some() {
                    debug!(target = %target, "No matching bind address for target family");
                }
                socket.set_nonblocking(true)?;
                match socket.connect(&target.into()) {
@@ -282,7 +374,16 @@ impl UpstreamManager {
                let std_stream: std::net::TcpStream = socket.into();
                let stream = TcpStream::from_std(std_stream)?;
-                stream.writable().await?;
+                let connect_timeout = Duration::from_secs(DIRECT_CONNECT_TIMEOUT_SECS);
                match tokio::time::timeout(connect_timeout, stream.writable()).await {
                    Ok(Ok(())) => {}
                    Ok(Err(e)) => return Err(ProxyError::Io(e)),
                    Err(_) => {
                        return Err(ProxyError::ConnectionTimeout {
                            addr: target.to_string(),
                        });
                    }
                }
                if let Some(e) = stream.take_error()? {
                    return Err(ProxyError::Io(e));
                }
@@ -290,57 +391,150 @@ impl UpstreamManager {
                Ok(stream)
            },
            UpstreamType::Socks4 { address, interface, user_id } => {
-                let proxy_addr: SocketAddr = address.parse()
+                let connect_timeout = Duration::from_secs(DIRECT_CONNECT_TIMEOUT_SECS);
-                    .map_err(|_| ProxyError::Config("Invalid SOCKS4 address".to_string()))?;
+                // Try to parse as SocketAddr first (IP:port), otherwise treat as hostname:port
                let mut stream = if let Ok(proxy_addr) = address.parse::<SocketAddr>() {
                    // IP:port format - use socket with optional interface binding
                    let bind_ip = Self::resolve_bind_address(
                        interface,
                        &None,
                        proxy_addr,
                        bind_rr.as_deref(),
                    );
-                let bind_ip = interface.as_ref()
+                    let socket = create_outgoing_socket_bound(proxy_addr, bind_ip)?;
                    .and_then(|s| s.parse::<IpAddr>().ok());
-                let socket = create_outgoing_socket_bound(proxy_addr, bind_ip)?;
+                    socket.set_nonblocking(true)?;
                    match socket.connect(&proxy_addr.into()) {
                        Ok(()) => {},
                        Err(err) if err.raw_os_error() == Some(libc::EINPROGRESS) || err.kind() == std::io::ErrorKind::WouldBlock => {},
                        Err(err) => return Err(ProxyError::Io(err)),
                    }
-                socket.set_nonblocking(true)?;
+                    let std_stream: std::net::TcpStream = socket.into();
-                match socket.connect(&proxy_addr.into()) {
+                    let stream = TcpStream::from_std(std_stream)?;
-                    Ok(()) => {},
+
-                    Err(err) if err.raw_os_error() == Some(libc::EINPROGRESS) || err.kind() == std::io::ErrorKind::WouldBlock => {},
+                    match tokio::time::timeout(connect_timeout, stream.writable()).await {
-                    Err(err) => return Err(ProxyError::Io(err)),
+                        Ok(Ok(())) => {}
                        Ok(Err(e)) => return Err(ProxyError::Io(e)),
                        Err(_) => {
                            return Err(ProxyError::ConnectionTimeout {
                                addr: proxy_addr.to_string(),
                            });
                        }
                    }
                    if let Some(e) = stream.take_error()? {
                        return Err(ProxyError::Io(e));
                    }
                    stream
                } else {
                    // Hostname:port format - use tokio DNS resolution
                    // Note: interface binding is not supported for hostnames
                    if interface.is_some() {
                        warn!("SOCKS4 interface binding is not supported for hostname addresses, ignoring");
                    }
                    match tokio::time::timeout(connect_timeout, TcpStream::connect(address)).await {
                        Ok(Ok(stream)) => stream,
                        Ok(Err(e)) => return Err(ProxyError::Io(e)),
                        Err(_) => {
                            return Err(ProxyError::ConnectionTimeout {
                                addr: address.clone(),
                            });
                        }
                    }
                };
                // replace socks user_id with config.selected_scope, if set
                let scope: Option<&str> = Some(config.selected_scope.as_str())
                    .filter(|s| !s.is_empty());
                let _user_id: Option<&str> = scope.or(user_id.as_deref());
                match tokio::time::timeout(connect_timeout, connect_socks4(&mut stream, target, _user_id)).await {
                    Ok(Ok(())) => {}
                    Ok(Err(e)) => return Err(e),
                    Err(_) => {
                        return Err(ProxyError::ConnectionTimeout {
                            addr: target.to_string(),
                        });
                    }
                }
                let std_stream: std::net::TcpStream = socket.into();
                let mut stream = TcpStream::from_std(std_stream)?;
                stream.writable().await?;
                if let Some(e) = stream.take_error()? {
                    return Err(ProxyError::Io(e));
                }
                connect_socks4(&mut stream, target, user_id.as_deref()).await?;
                Ok(stream)
            },
            UpstreamType::Socks5 { address, interface, username, password } => {
-                let proxy_addr: SocketAddr = address.parse()
+                let connect_timeout = Duration::from_secs(DIRECT_CONNECT_TIMEOUT_SECS);
-                    .map_err(|_| ProxyError::Config("Invalid SOCKS5 address".to_string()))?;
+                // Try to parse as SocketAddr first (IP:port), otherwise treat as hostname:port
                let mut stream = if let Ok(proxy_addr) = address.parse::<SocketAddr>() {
                    // IP:port format - use socket with optional interface binding
                    let bind_ip = Self::resolve_bind_address(
                        interface,
                        &None,
                        proxy_addr,
                        bind_rr.as_deref(),
                    );
-                let bind_ip = interface.as_ref()
+                    let socket = create_outgoing_socket_bound(proxy_addr, bind_ip)?;
                    .and_then(|s| s.parse::<IpAddr>().ok());
-                let socket = create_outgoing_socket_bound(proxy_addr, bind_ip)?;
+                    socket.set_nonblocking(true)?;
                    match socket.connect(&proxy_addr.into()) {
                        Ok(()) => {},
                        Err(err) if err.raw_os_error() == Some(libc::EINPROGRESS) || err.kind() == std::io::ErrorKind::WouldBlock => {},
                        Err(err) => return Err(ProxyError::Io(err)),
                    }
-                socket.set_nonblocking(true)?;
+                    let std_stream: std::net::TcpStream = socket.into();
-                match socket.connect(&proxy_addr.into()) {
+                    let stream = TcpStream::from_std(std_stream)?;
-                    Ok(()) => {},
+
-                    Err(err) if err.raw_os_error() == Some(libc::EINPROGRESS) || err.kind() == std::io::ErrorKind::WouldBlock => {},
+                    match tokio::time::timeout(connect_timeout, stream.writable()).await {
-                    Err(err) => return Err(ProxyError::Io(err)),
+                        Ok(Ok(())) => {}
                        Ok(Err(e)) => return Err(ProxyError::Io(e)),
                        Err(_) => {
                            return Err(ProxyError::ConnectionTimeout {
                                addr: proxy_addr.to_string(),
                            });
                        }
                    }
                    if let Some(e) = stream.take_error()? {
                        return Err(ProxyError::Io(e));
                    }
                    stream
                } else {
                    // Hostname:port format - use tokio DNS resolution
                    // Note: interface binding is not supported for hostnames
                    if interface.is_some() {
                        warn!("SOCKS5 interface binding is not supported for hostname addresses, ignoring");
                    }
                    match tokio::time::timeout(connect_timeout, TcpStream::connect(address)).await {
                        Ok(Ok(stream)) => stream,
                        Ok(Err(e)) => return Err(ProxyError::Io(e)),
                        Err(_) => {
                            return Err(ProxyError::ConnectionTimeout {
                                addr: address.clone(),
                            });
                        }
                    }
                };
                debug!(config = ?config, "Socks5 connection");
                // replace socks user:pass with config.selected_scope, if set
                let scope: Option<&str> = Some(config.selected_scope.as_str())
                    .filter(|s| !s.is_empty());
                let _username: Option<&str> = scope.or(username.as_deref());
                let _password: Option<&str> = scope.or(password.as_deref());
                match tokio::time::timeout(
                    connect_timeout,
                    connect_socks5(&mut stream, target, _username, _password),
                )
                .await
                {
                    Ok(Ok(())) => {}
                    Ok(Err(e)) => return Err(e),
                    Err(_) => {
                        return Err(ProxyError::ConnectionTimeout {
                            addr: target.to_string(),
                        });
                    }
                }
                let std_stream: std::net::TcpStream = socket.into();
                let mut stream = TcpStream::from_std(std_stream)?;
                stream.writable().await?;
                if let Some(e) = stream.take_error()? {
                    return Err(ProxyError::Io(e));
                }
                connect_socks5(&mut stream, target, username.as_deref(), password.as_deref()).await?;
                Ok(stream)
            },
        }
@@ -350,104 +544,186 @@ impl UpstreamManager {
    /// Ping all Telegram DCs through all upstreams.
    /// Tests BOTH IPv6 and IPv4, returns separate results for each.
-    pub async fn ping_all_dcs(&self, prefer_ipv6: bool) -> Vec<StartupPingResult> {
+    pub async fn ping_all_dcs(
-        let upstreams: Vec<(usize, UpstreamConfig)> = {
+        &self,
        _prefer_ipv6: bool,
        dc_overrides: &HashMap<String, Vec<String>>,
        ipv4_enabled: bool,
        ipv6_enabled: bool,
    ) -> Vec<StartupPingResult> {
        let upstreams: Vec<(usize, UpstreamConfig, Arc<AtomicUsize>)> = {
            let guard = self.upstreams.read().await;
            guard.iter().enumerate()
-                .map(|(i, u)| (i, u.config.clone()))
+                .map(|(i, u)| (i, u.config.clone(), u.bind_rr.clone()))
                .collect()
        };
        let mut all_results = Vec::new();
-        for (upstream_idx, upstream_config) in &upstreams {
+        for (upstream_idx, upstream_config, bind_rr) in &upstreams {
            let upstream_name = match &upstream_config.upstream_type {
-                UpstreamType::Direct { interface } => {
+                UpstreamType::Direct { interface, .. } => {
                    format!("direct{}", interface.as_ref().map(|i| format!(" ({})", i)).unwrap_or_default())
                }
                UpstreamType::Socks4 { address, .. } => format!("socks4://{}", address),
                UpstreamType::Socks5 { address, .. } => format!("socks5://{}", address),
            };
-            let mut v6_results = Vec::new();
+            let mut v6_results = Vec::with_capacity(NUM_DCS);
-            let mut v4_results = Vec::new();
+            if ipv6_enabled {
                for dc_zero_idx in 0..NUM_DCS {
                    let dc_v6 = TG_DATACENTERS_V6[dc_zero_idx];
                    let addr_v6 = SocketAddr::new(dc_v6, TG_DATACENTER_PORT);
-            // === Ping IPv6 first ===
+                    let result = tokio::time::timeout(
-            for dc_zero_idx in 0..NUM_DCS {
+                        Duration::from_secs(DC_PING_TIMEOUT_SECS),
-                let dc_v6 = TG_DATACENTERS_V6[dc_zero_idx];
+                        self.ping_single_dc(upstream_config, Some(bind_rr.clone()), addr_v6)
-                let addr_v6 = SocketAddr::new(dc_v6, TG_DATACENTER_PORT);
+                    ).await;
-                let result = tokio::time::timeout(
+                    let ping_result = match result {
-                    Duration::from_secs(DC_PING_TIMEOUT_SECS),
+                        Ok(Ok(rtt_ms)) => {
-                    self.ping_single_dc(&upstream_config, addr_v6)
+                            let mut guard = self.upstreams.write().await;
-                ).await;
+                            if let Some(u) = guard.get_mut(*upstream_idx) {
-
+                                u.dc_latency[dc_zero_idx].update(rtt_ms);
-                let ping_result = match result {
+                            }
-                    Ok(Ok(rtt_ms)) => {
+                            DcPingResult {
-                        let mut guard = self.upstreams.write().await;
+                                dc_idx: dc_zero_idx + 1,
-                        if let Some(u) = guard.get_mut(*upstream_idx) {
+                                dc_addr: addr_v6,
-                            u.dc_latency[dc_zero_idx].update(rtt_ms);
+                                rtt_ms: Some(rtt_ms),
                                error: None,
                            }
                        }
-                        DcPingResult {
+                        Ok(Err(e)) => DcPingResult {
                            dc_idx: dc_zero_idx + 1,
                            dc_addr: addr_v6,
-                            rtt_ms: Some(rtt_ms),
+                            rtt_ms: None,
-                            error: None,
+                            error: Some(e.to_string()),
-                        }
+                        },
-                    }
+                        Err(_) => DcPingResult {
-                    Ok(Err(e)) => DcPingResult {
+                            dc_idx: dc_zero_idx + 1,
                            dc_addr: addr_v6,
                            rtt_ms: None,
                            error: Some("timeout".to_string()),
                        },
                    };
                    v6_results.push(ping_result);
                }
            } else {
                for dc_zero_idx in 0..NUM_DCS {
                    let dc_v6 = TG_DATACENTERS_V6[dc_zero_idx];
                    v6_results.push(DcPingResult {
                        dc_idx: dc_zero_idx + 1,
-                        dc_addr: addr_v6,
+                        dc_addr: SocketAddr::new(dc_v6, TG_DATACENTER_PORT),
                        rtt_ms: None,
-                        error: Some(e.to_string()),
+                        error: Some("ipv6 disabled".to_string()),
-                    },
+                    });
-                    Err(_) => DcPingResult {
+                }
                        dc_idx: dc_zero_idx + 1,
                        dc_addr: addr_v6,
                        rtt_ms: None,
                        error: Some("timeout".to_string()),
                    },
                };
                v6_results.push(ping_result);
            }
-            // === Then ping IPv4 ===
+            let mut v4_results = Vec::with_capacity(NUM_DCS);
-            for dc_zero_idx in 0..NUM_DCS {
+            if ipv4_enabled {
-                let dc_v4 = TG_DATACENTERS_V4[dc_zero_idx];
+                for dc_zero_idx in 0..NUM_DCS {
-                let addr_v4 = SocketAddr::new(dc_v4, TG_DATACENTER_PORT);
+                    let dc_v4 = TG_DATACENTERS_V4[dc_zero_idx];
                    let addr_v4 = SocketAddr::new(dc_v4, TG_DATACENTER_PORT);
-                let result = tokio::time::timeout(
+                    let result = tokio::time::timeout(
-                    Duration::from_secs(DC_PING_TIMEOUT_SECS),
+                        Duration::from_secs(DC_PING_TIMEOUT_SECS),
-                    self.ping_single_dc(&upstream_config, addr_v4)
+                        self.ping_single_dc(upstream_config, Some(bind_rr.clone()), addr_v4)
-                ).await;
+                    ).await;
-                let ping_result = match result {
+                    let ping_result = match result {
-                    Ok(Ok(rtt_ms)) => {
+                        Ok(Ok(rtt_ms)) => {
-                        let mut guard = self.upstreams.write().await;
+                            let mut guard = self.upstreams.write().await;
-                        if let Some(u) = guard.get_mut(*upstream_idx) {
+                            if let Some(u) = guard.get_mut(*upstream_idx) {
-                            u.dc_latency[dc_zero_idx].update(rtt_ms);
+                                u.dc_latency[dc_zero_idx].update(rtt_ms);
                            }
                            DcPingResult {
                                dc_idx: dc_zero_idx + 1,
                                dc_addr: addr_v4,
                                rtt_ms: Some(rtt_ms),
                                error: None,
                            }
                        }
-                        DcPingResult {
+                        Ok(Err(e)) => DcPingResult {
                            dc_idx: dc_zero_idx + 1,
                            dc_addr: addr_v4,
-                            rtt_ms: Some(rtt_ms),
+                            rtt_ms: None,
-                            error: None,
+                            error: Some(e.to_string()),
-                        }
+                        },
-                    }
+                        Err(_) => DcPingResult {
-                    Ok(Err(e)) => DcPingResult {
+                            dc_idx: dc_zero_idx + 1,
                            dc_addr: addr_v4,
                            rtt_ms: None,
                            error: Some("timeout".to_string()),
                        },
                    };
                    v4_results.push(ping_result);
                }
            } else {
                for dc_zero_idx in 0..NUM_DCS {
                    let dc_v4 = TG_DATACENTERS_V4[dc_zero_idx];
                    v4_results.push(DcPingResult {
                        dc_idx: dc_zero_idx + 1,
-                        dc_addr: addr_v4,
+                        dc_addr: SocketAddr::new(dc_v4, TG_DATACENTER_PORT),
                        rtt_ms: None,
-                        error: Some(e.to_string()),
+                        error: Some("ipv4 disabled".to_string()),
-                    },
+                    });
-                    Err(_) => DcPingResult {
+                }
-                        dc_idx: dc_zero_idx + 1,
+            }
-                        dc_addr: addr_v4,
+
-                        rtt_ms: None,
+            // === Ping DC overrides (v4/v6) ===
-                        error: Some("timeout".to_string()),
+            for (dc_key, addrs) in dc_overrides {
                let dc_num: i16 = match dc_key.parse::<i16>() {
                    Ok(v) if v > 0 => v,
                    Err(_) => {
                        warn!(dc = %dc_key, "Invalid dc_overrides key, skipping");
                        continue;
                    },
                    _ => continue,
                };
-                v4_results.push(ping_result);
+                let dc_idx = dc_num as usize;
                for addr_str in addrs {
                    match addr_str.parse::<SocketAddr>() {
                        Ok(addr) => {
                            let is_v6 = addr.is_ipv6();
                            if (is_v6 && !ipv6_enabled) || (!is_v6 && !ipv4_enabled) {
                                continue;
                            }
                            let result = tokio::time::timeout(
                                Duration::from_secs(DC_PING_TIMEOUT_SECS),
                                self.ping_single_dc(upstream_config, Some(bind_rr.clone()), addr)
                            ).await;
                            let ping_result = match result {
                                Ok(Ok(rtt_ms)) => DcPingResult {
                                    dc_idx,
                                    dc_addr: addr,
                                    rtt_ms: Some(rtt_ms),
                                    error: None,
                                },
                                Ok(Err(e)) => DcPingResult {
                                    dc_idx,
                                    dc_addr: addr,
                                    rtt_ms: None,
                                    error: Some(e.to_string()),
                                },
                                Err(_) => DcPingResult {
                                    dc_idx,
                                    dc_addr: addr,
                                    rtt_ms: None,
                                    error: Some("timeout".to_string()),
                                },
                            };
                            if is_v6 {
                                v6_results.push(ping_result);
                            } else {
                                v4_results.push(ping_result);
                            }
                        }
                        Err(_) => warn!(dc = %dc_idx, addr = %addr_str, "Invalid dc_overrides address, skipping"),
                    }
                }
            }
            // Check if both IP versions have at least one working DC
@@ -484,9 +760,14 @@ impl UpstreamManager {
        all_results
    }
-    async fn ping_single_dc(&self, config: &UpstreamConfig, target: SocketAddr) -> Result<f64> {
+    async fn ping_single_dc(
        &self,
        config: &UpstreamConfig,
        bind_rr: Option<Arc<AtomicUsize>>,
        target: SocketAddr,
    ) -> Result<f64> {
        let start = Instant::now();
-        let _stream = self.connect_via_upstream(config, target).await?;
+        let _stream = self.connect_via_upstream(config, target, bind_rr).await?;
        Ok(start.elapsed().as_secs_f64() * 1000.0)
    }
@@ -494,7 +775,7 @@ impl UpstreamManager {
    /// Background health check: rotates through DCs, 30s interval.
    /// Uses preferred IP version based on config.
-    pub async fn run_health_checks(&self, prefer_ipv6: bool) {
+    pub async fn run_health_checks(&self, prefer_ipv6: bool, ipv4_enabled: bool, ipv6_enabled: bool) {
        let mut dc_rotation = 0usize;
        loop {
@@ -503,30 +784,39 @@ impl UpstreamManager {
            let dc_zero_idx = dc_rotation % NUM_DCS;
            dc_rotation += 1;
-            let dc_addr = if prefer_ipv6 {
+            let primary_v6 = SocketAddr::new(TG_DATACENTERS_V6[dc_zero_idx], TG_DATACENTER_PORT);
-                SocketAddr::new(TG_DATACENTERS_V6[dc_zero_idx], TG_DATACENTER_PORT)
+            let primary_v4 = SocketAddr::new(TG_DATACENTERS_V4[dc_zero_idx], TG_DATACENTER_PORT);
            let dc_addr = if prefer_ipv6 && ipv6_enabled {
                primary_v6
            } else if ipv4_enabled {
                primary_v4
            } else if ipv6_enabled {
                primary_v6
            } else {
-                SocketAddr::new(TG_DATACENTERS_V4[dc_zero_idx], TG_DATACENTER_PORT)
+                continue;
            };
-            let fallback_addr = if prefer_ipv6 {
+            let fallback_addr = if dc_addr.is_ipv6() && ipv4_enabled {
-                SocketAddr::new(TG_DATACENTERS_V4[dc_zero_idx], TG_DATACENTER_PORT)
+                Some(primary_v4)
            } else if dc_addr.is_ipv4() && ipv6_enabled {
                Some(primary_v6)
            } else {
-                SocketAddr::new(TG_DATACENTERS_V6[dc_zero_idx], TG_DATACENTER_PORT)
+                None
            };
            let count = self.upstreams.read().await.len();
            for i in 0..count {
-                let config = {
+                let (config, bind_rr) = {
                    let guard = self.upstreams.read().await;
-                    guard[i].config.clone()
+                    let u = &guard[i];
                    (u.config.clone(), u.bind_rr.clone())
                };
                let start = Instant::now();
                let result = tokio::time::timeout(
                    Duration::from_secs(10),
-                    self.connect_via_upstream(&config, dc_addr)
+                    self.connect_via_upstream(&config, dc_addr, Some(bind_rr.clone()))
                ).await;
                match result {
@@ -551,48 +841,60 @@ impl UpstreamManager {
                        // Try fallback
                        debug!(dc = dc_zero_idx + 1, "Health check failed, trying fallback");
-                        let start2 = Instant::now();
+                        if let Some(fallback_addr) = fallback_addr {
-                        let result2 = tokio::time::timeout(
+                            let start2 = Instant::now();
-                            Duration::from_secs(10),
+                            let result2 = tokio::time::timeout(
-                            self.connect_via_upstream(&config, fallback_addr)
+                                Duration::from_secs(10),
-                        ).await;
+                                self.connect_via_upstream(&config, fallback_addr, Some(bind_rr.clone()))
                            ).await;
                            let mut guard = self.upstreams.write().await;
                            let u = &mut guard[i];
                            match result2 {
                                Ok(Ok(_stream)) => {
                                    let rtt_ms = start2.elapsed().as_secs_f64() * 1000.0;
                                    u.dc_latency[dc_zero_idx].update(rtt_ms);
                                    if !u.healthy {
                                        info!(
                                            rtt = format!("{:.0} ms", rtt_ms),
                                            dc = dc_zero_idx + 1,
                                            "Upstream recovered (fallback)"
                                        );
                                    }
                                    u.healthy = true;
                                    u.fails = 0;
                                }
                                Ok(Err(e)) => {
                                    u.fails += 1;
                                    debug!(dc = dc_zero_idx + 1, fails = u.fails,
                                        "Health check failed (both): {}", e);
                                    if u.fails > 3 {
                                        u.healthy = false;
                                        warn!("Upstream unhealthy (fails)");
                                    }
                                }
                                Err(_) => {
                                    u.fails += 1;
                                    debug!(dc = dc_zero_idx + 1, fails = u.fails,
                                        "Health check timeout (both)");
                                    if u.fails > 3 {
                                        u.healthy = false;
                                        warn!("Upstream unhealthy (timeout)");
                                    }
                                }
                            }
                            u.last_check = std::time::Instant::now();
                            continue;
                        }
                        let mut guard = self.upstreams.write().await;
                        let u = &mut guard[i];
-
+                        u.fails += 1;
-                        match result2 {
+                        if u.fails > 3 {
-                            Ok(Ok(_stream)) => {
+                            u.healthy = false;
-                                let rtt_ms = start2.elapsed().as_secs_f64() * 1000.0;
+                            warn!("Upstream unhealthy (no fallback family)");
                                u.dc_latency[dc_zero_idx].update(rtt_ms);
                                if !u.healthy {
                                    info!(
                                        rtt = format!("{:.0} ms", rtt_ms),
                                        dc = dc_zero_idx + 1,
                                        "Upstream recovered (fallback)"
                                    );
                                }
                                u.healthy = true;
                                u.fails = 0;
                            }
                            Ok(Err(e)) => {
                                u.fails += 1;
                                debug!(dc = dc_zero_idx + 1, fails = u.fails,
                                    "Health check failed (both): {}", e);
                                if u.fails > 3 {
                                    u.healthy = false;
                                    warn!("Upstream unhealthy (fails)");
                                }
                            }
                            Err(_) => {
                                u.fails += 1;
                                debug!(dc = dc_zero_idx + 1, fails = u.fails,
                                    "Health check timeout (both)");
                                if u.fails > 3 {
                                    u.healthy = false;
                                    warn!("Upstream unhealthy (timeout)");
                                }
                            }
                        }
                        u.last_check = std::time::Instant::now();
                    }
@@ -602,6 +904,7 @@ impl UpstreamManager {
    }
    /// Get the preferred IP for a DC (for use by other components)
    #[allow(dead_code)]
    pub async fn get_dc_ip_preference(&self, dc_idx: i16) -> Option<IpPreference> {
        let guard = self.upstreams.read().await;
        if guard.is_empty() {
@@ -613,6 +916,7 @@ impl UpstreamManager {
    }
    /// Get preferred DC address based on config preference
    #[allow(dead_code)]
    pub async fn get_dc_addr(&self, dc_idx: i16, prefer_ipv6: bool) -> Option<SocketAddr> {
        let arr_idx = UpstreamState::dc_array_idx(dc_idx)?;
@@ -624,4 +928,4 @@ impl UpstreamManager {
        Some(SocketAddr::new(ip, TG_DATACENTER_PORT))
    }
-}
+}
--- a/src/util/ip.rs
+++ b/src/util/ip.rs
@@ -1,22 +1,24 @@
 //! IP Addr Detect
-use std::net::{IpAddr, SocketAddr, UdpSocket};
+use std::net::{IpAddr, UdpSocket};
 use std::time::Duration;
 use tracing::{debug, warn};
 /// Detected IP addresses
 #[derive(Debug, Clone, Default)]
 #[allow(dead_code)]
 pub struct IpInfo {
    pub ipv4: Option<IpAddr>,
    pub ipv6: Option<IpAddr>,
 }
 #[allow(dead_code)]
 impl IpInfo {
    /// Check if any IP is detected
    pub fn has_any(&self) -> bool {
        self.ipv4.is_some() || self.ipv6.is_some()
    }
-    
+
    /// Get preferred IP (IPv6 if available and preferred)
    pub fn preferred(&self, prefer_ipv6: bool) -> Option<IpAddr> {
        if prefer_ipv6 {
@@ -28,12 +30,14 @@ impl IpInfo {
 }
 /// URLs for IP detection
 #[allow(dead_code)]
 const IPV4_URLS: &[&str] = &[
    "http://v4.ident.me/",
    "http://ipv4.icanhazip.com/",
    "http://api.ipify.org/",
 ];
 #[allow(dead_code)]
 const IPV6_URLS: &[&str] = &[
    "http://v6.ident.me/",
    "http://ipv6.icanhazip.com/",
@@ -42,12 +46,14 @@ const IPV6_URLS: &[&str] = &[
 /// Detect local IP address by connecting to a public DNS
 /// This does not actually send any packets
 #[allow(dead_code)]
 fn get_local_ip(target: &str) -> Option<IpAddr> {
    let socket = UdpSocket::bind("0.0.0.0:0").ok()?;
    socket.connect(target).ok()?;
    socket.local_addr().ok().map(|addr| addr.ip())
 }
 #[allow(dead_code)]
 fn get_local_ipv6(target: &str) -> Option<IpAddr> {
    let socket = UdpSocket::bind("[::]:0").ok()?;
    socket.connect(target).ok()?;
@@ -55,59 +61,62 @@ fn get_local_ipv6(target: &str) -> Option<IpAddr> {
 }
 /// Detect public IP addresses
 #[allow(dead_code)]
 pub async fn detect_ip() -> IpInfo {
    let mut info = IpInfo::default();
    // Try to get local interface IP first (default gateway interface)
    // We connect to Google DNS to find out which interface is used for routing
-    if let Some(ip) = get_local_ip("8.8.8.8:80") {
+    if let Some(ip) = get_local_ip("8.8.8.8:80")
-        if ip.is_ipv4() && !ip.is_loopback() {
+        && ip.is_ipv4()
-             info.ipv4 = Some(ip);
+        && !ip.is_loopback()
-             debug!(ip = %ip, "Detected local IPv4 address via routing");
+    {
-        }
+        info.ipv4 = Some(ip);
        debug!(ip = %ip, "Detected local IPv4 address via routing");
    }
-    if let Some(ip) = get_local_ipv6("[2001:4860:4860::8888]:80") {
+    if let Some(ip) = get_local_ipv6("[2001:4860:4860::8888]:80")
-        if ip.is_ipv6() && !ip.is_loopback() {
+        && ip.is_ipv6()
-            info.ipv6 = Some(ip);
+        && !ip.is_loopback()
-            debug!(ip = %ip, "Detected local IPv6 address via routing");
+    {
-        }
+        info.ipv6 = Some(ip);
        debug!(ip = %ip, "Detected local IPv6 address via routing");
    }
-    
+
-    // If local detection failed or returned private IP (and we want public), 
+    // If local detection failed or returned private IP (and we want public),
    // or just as a fallback/verification, we might want to check external services.
-    // However, the requirement is: "if IP for listening is not set... it should be IP from interface... 
+    // However, the requirement is: "if IP for listening is not set... it should be IP from interface...
    // if impossible - request external resources".
-    
+
    // So if we found a local IP, we might be good. But often servers are behind NAT.
    // If the local IP is private, we probably want the public IP for the tg:// link.
    // Let's check if the detected IPs are private.
-    
+
-    let need_external_v4 = info.ipv4.map_or(true, |ip| is_private_ip(ip));
+    let need_external_v4 = info.ipv4.is_none_or(is_private_ip);
-    let need_external_v6 = info.ipv6.map_or(true, |ip| is_private_ip(ip));
+    let need_external_v6 = info.ipv6.is_none_or(is_private_ip);
    if need_external_v4 {
        debug!("Local IPv4 is private or missing, checking external services...");
        for url in IPV4_URLS {
-            if let Some(ip) = fetch_ip(url).await {
+            if let Some(ip) = fetch_ip(url).await
-                if ip.is_ipv4() {
+                && ip.is_ipv4()
-                    info.ipv4 = Some(ip);
+            {
-                    debug!(ip = %ip, "Detected public IPv4 address");
+                info.ipv4 = Some(ip);
-                    break;
+                debug!(ip = %ip, "Detected public IPv4 address");
-                }
+                break;
            }
        }
    }
-    
+
    if need_external_v6 {
        debug!("Local IPv6 is private or missing, checking external services...");
        for url in IPV6_URLS {
-            if let Some(ip) = fetch_ip(url).await {
+            if let Some(ip) = fetch_ip(url).await
-                if ip.is_ipv6() {
+                && ip.is_ipv6()
-                    info.ipv6 = Some(ip);
+            {
-                    debug!(ip = %ip, "Detected public IPv6 address");
+                info.ipv6 = Some(ip);
-                    break;
+                debug!(ip = %ip, "Detected public IPv6 address");
-                }
+                break;
            }
        }
    }
@@ -119,6 +128,7 @@ pub async fn detect_ip() -> IpInfo {
    info
 }
 #[allow(dead_code)]
 fn is_private_ip(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(ipv4) => {
@@ -131,19 +141,21 @@ fn is_private_ip(ip: IpAddr) -> bool {
 }
 /// Fetch IP from URL
 #[allow(dead_code)]
 async fn fetch_ip(url: &str) -> Option<IpAddr> {
    let client = reqwest::Client::builder()
        .timeout(Duration::from_secs(5))
        .build()
        .ok()?;
-    
+
    let response = client.get(url).send().await.ok()?;
    let text = response.text().await.ok()?;
-    
+
    text.trim().parse().ok()
 }
 /// Synchronous IP detection (for startup)
 #[allow(dead_code)]
 pub fn detect_ip_sync() -> IpInfo {
    tokio::runtime::Handle::current().block_on(detect_ip())
 }
--- a/src/util/mod.rs
+++ b/src/util/mod.rs
@@ -3,5 +3,7 @@
 pub mod ip;
 pub mod time;
 #[allow(unused_imports)]
 pub use ip::*;
 #[allow(unused_imports)]
 pub use time::*;
--- a/src/util/time.rs
+++ b/src/util/time.rs
@@ -4,11 +4,14 @@ use std::time::Duration;
 use chrono::{DateTime, Utc};
 use tracing::{debug, warn, error};
 #[allow(dead_code)]
 const TIME_SYNC_URL: &str = "https://core.telegram.org/getProxySecret";
 #[allow(dead_code)]
 const MAX_TIME_SKEW_SECS: i64 = 30;
 /// Time sync result
 #[derive(Debug, Clone)]
 #[allow(dead_code)]
 pub struct TimeSyncResult {
    pub server_time: DateTime<Utc>,
    pub local_time: DateTime<Utc>,
@@ -17,6 +20,7 @@ pub struct TimeSyncResult {
 }
 /// Check time synchronization with Telegram servers
 #[allow(dead_code)]
 pub async fn check_time_sync() -> Option<TimeSyncResult> {
    let client = reqwest::Client::builder()
        .timeout(Duration::from_secs(10))
@@ -60,17 +64,18 @@ pub async fn check_time_sync() -> Option<TimeSyncResult> {
 }
 /// Background time sync task
 #[allow(dead_code)]
 pub async fn time_sync_task(check_interval: Duration) -> ! {
    loop {
-        if let Some(result) = check_time_sync().await {
+        if let Some(result) = check_time_sync().await
-            if result.is_skewed {
+            && result.is_skewed
-                error!(
+        {
-                    "System clock is off by {} seconds. Please sync your clock.",
+            error!(
-                    result.skew_secs
+                "System clock is off by {} seconds. Please sync your clock.",
-                );
+                result.skew_secs
-            }
+            );
        }
-        
+
        tokio::time::sleep(check_interval).await;
    }
 }
--- a/telemt.service
+++ b/telemt.service
@@ -7,6 +7,7 @@ Type=simple
 WorkingDirectory=/bin
 ExecStart=/bin/telemt /etc/telemt.toml
 Restart=on-failure
 LimitNOFILE=65536
 [Install]
 WantedBy=multi-user.target
--- a/tools/dc.py
+++ b/tools/dc.py
@@ -0,0 +1,204 @@
 """Telegram datacenter server checker."""
 from __future__ import annotations
 import asyncio
 from dataclasses import dataclass, field
 from itertools import groupby
 from operator import attrgetter
 from pathlib import Path
 from typing import TYPE_CHECKING
 from telethon import TelegramClient
 from telethon.tl.functions.help import GetConfigRequest
 if TYPE_CHECKING:
    from telethon.tl.types import DcOption
 API_ID: int = 123456
 API_HASH: str = ""
 SESSION_NAME: str = "session"
 OUTPUT_FILE: Path = Path("telegram_servers.txt")
 _CONSOLE_FLAG_MAP: dict[str, str] = {
    "IPv6": "IPv6",
    "MEDIA-ONLY": "🎬 MEDIA-ONLY",
    "CDN": "📦 CDN",
    "TCPO": "🔒 TCPO",
    "STATIC": "📌 STATIC",
 }
@dataclass(frozen=True, slots=True)
 class DCServer:
    """Typed representation of a Telegram DC server.
    Attributes:
        dc_id: Datacenter identifier.
        ip: Server IP address.
        port: Server port.
        flags: Active flag labels (plain, without emoji).
    """
    dc_id: int
    ip: str
    port: int
    flags: frozenset[str] = field(default_factory=frozenset)
    @classmethod
    def from_option(cls, dc: DcOption) -> DCServer:
        """Create from a Telethon DcOption.
        Args:
            dc: Raw DcOption object.
        Returns:
            Parsed DCServer instance.
        """
        checks: dict[str, bool] = {
            "IPv6": dc.ipv6,
            "MEDIA-ONLY": dc.media_only,
            "CDN": dc.cdn,
            "TCPO": dc.tcpo_only,
            "STATIC": dc.static,
        }
        return cls(
            dc_id=dc.id,
            ip=dc.ip_address,
            port=dc.port,
            flags=frozenset(k for k, v in checks.items() if v),
        )
    def flags_display(self, *, emoji: bool = False) -> str:
        """Formatted flags string.
        Args:
            emoji: Whether to include emoji prefixes.
        Returns:
            Bracketed flags or '[STANDARD]'.
        """
        if not self.flags:
            return "[STANDARD]"
        labels = sorted(
            _CONSOLE_FLAG_MAP[f] if emoji else f for f in self.flags
        )
        return f"[{', '.join(labels)}]"
 class TelegramDCChecker:
    """Fetches and displays Telegram DC configuration.
    Attributes:
        _client: Telethon client instance.
        _servers: Parsed server list.
    """
    def __init__(self) -> None:
        """Initialize the checker."""
        self._client = TelegramClient(SESSION_NAME, API_ID, API_HASH)
        self._servers: list[DCServer] = []
    async def run(self) -> None:
        """Connect, fetch config, display and save results."""
        print("🔄 Подключаемся к Telegram...")  # noqa: T201
        try:
            await self._client.start()
            print("✅ Подключение установлено!\n")  # noqa: T201
            print("📡 Запрашиваем конфигурацию серверов...")  # noqa: T201
            config = await self._client(GetConfigRequest())
            self._servers = [DCServer.from_option(dc) for dc in config.dc_options]
            self._print(config)
            self._save(config)
        finally:
            await self._client.disconnect()
            print("\n👋 Отключились от Telegram")  # noqa: T201
    def _grouped(self) -> dict[int, list[DCServer]]:
        """Group servers by DC ID.
        Returns:
            Ordered mapping of DC ID to servers.
        """
        ordered = sorted(self._servers, key=attrgetter("dc_id"))
        return {k: list(g) for k, g in groupby(ordered, key=attrgetter("dc_id"))}
    def _print(self, config: object) -> None:
        """Print results to stdout in original format.
        Args:
            config: Raw Telegram config.
        """
        sep = "=" * 80
        dash = "-" * 80
        total = len(self._servers)
        print(f"📊 Получено серверов: {total}\n")  # noqa: T201
        print(sep)  # noqa: T201
        for dc_id, servers in self._grouped().items():
            print(f"\n🌐 DATACENTER {dc_id} ({len(servers)} серверов)")  # noqa: T201
            print(dash)  # noqa: T201
            for s in servers:
                print(f"  {s.ip:45}:{s.port:5} {s.flags_display(emoji=True)}")  # noqa: T201
        ipv4 = total - self._flag_count("IPv6")
        print(f"\n{sep}")  # noqa: T201
        print("📈 СТАТИСТИКА:")  # noqa: T201
        print(sep)  # noqa: T201
        print(f"  Всего серверов:      {total}")  # noqa: T201
        print(f"  IPv4 серверы:        {ipv4}")  # noqa: T201
        print(f"  IPv6 серверы:        {self._flag_count('IPv6')}")  # noqa: T201
        print(f"  Media-only:          {self._flag_count('MEDIA-ONLY')}")  # noqa: T201
        print(f"  CDN серверы:         {self._flag_count('CDN')}")  # noqa: T201
        print(f"  TCPO-only:           {self._flag_count('TCPO')}")  # noqa: T201
        print(f"  Static:              {self._flag_count('STATIC')}")  # noqa: T201
        print(f"\n{sep}")  # noqa: T201
        print("ℹ️  ДОПОЛНИТЕЛЬНАЯ ИНФОРМАЦИЯ:")  # noqa: T201
        print(sep)  # noqa: T201
        print(f"  Дата конфигурации:   {config.date}")  # noqa: T201  # type: ignore[attr-defined]
        print(f"  Expires:             {config.expires}")  # noqa: T201  # type: ignore[attr-defined]
        print(f"  Test mode:           {config.test_mode}")  # noqa: T201  # type: ignore[attr-defined]
        print(f"  This DC:             {config.this_dc}")  # noqa: T201  # type: ignore[attr-defined]
    def _flag_count(self, flag: str) -> int:
        """Count servers with a given flag.
        Args:
            flag: Flag name.
        Returns:
            Count of matching servers.
        """
        return sum(1 for s in self._servers if flag in s.flags)
    def _save(self, config: object) -> None:
        """Save results to file in original format.
        Args:
            config: Raw Telegram config.
        """
        parts: list[str] = []
        parts.append("TELEGRAM DATACENTER SERVERS\n")
        parts.append("=" * 80 + "\n\n")
        for dc_id, servers in self._grouped().items():
            parts.append(f"\nDATACENTER {dc_id} ({len(servers)} servers)\n")
            parts.append("-" * 80 + "\n")
            for s in servers:
                parts.append(f"  {s.ip}:{s.port} {s.flags_display(emoji=False)}\n")
        parts.append(f"\n\nTotal servers: {len(self._servers)}\n")
        parts.append(f"Generated: {config.date}\n")  # type: ignore[attr-defined]
        OUTPUT_FILE.write_text("".join(parts), encoding="utf-8")
        print(f"\n💾 Сохраняем результаты в файл {OUTPUT_FILE}...")  # noqa: T201
        print(f"✅ Результаты сохранены в {OUTPUT_FILE}")  # noqa: T201
 if __name__ == "__main__":
    asyncio.run(TelegramDCChecker().run())
--- a/tools/grafana-dashboard.json
+++ b/tools/grafana-dashboard.json
@@ -0,0 +1,804 @@
 {
  "apiVersion": "dashboard.grafana.app/v1beta1",
  "kind": "Dashboard",
  "metadata": {
    "annotations": {
      "grafana.app/folder": "afd9kjusw2jnkb",
      "grafana.app/saved-from-ui": "Grafana v12.4.0-21693836646 (f059795f04)"
    },
    "labels": {},
    "name": "pi9trh5",
    "namespace": "default"
  },
  "spec": {
    "annotations": {
      "list": [
        {
          "builtIn": 1,
          "datasource": {
            "type": "prometheus",
            "uid": "${datasource}"
          },
          "enable": true,
          "hide": true,
          "iconColor": "rgba(0, 211, 255, 1)",
          "name": "Annotations & Alerts",
          "type": "dashboard"
        }
      ]
    },
    "editable": true,
    "fiscalYearStartMonth": 0,
    "graphTooltip": 0,
    "links": [],
    "panels": [
      {
        "collapsed": false,
        "gridPos": {
          "h": 1,
          "w": 24,
          "x": 0,
          "y": 0
        },
        "id": 5,
        "panels": [],
        "title": "Common",
        "type": "row"
      },
      {
        "datasource": {
          "type": "prometheus",
          "uid": "${datasource}"
        },
        "fieldConfig": {
          "defaults": {
            "color": {
              "mode": "thresholds"
            },
            "mappings": [],
            "thresholds": {
              "mode": "absolute",
              "steps": [
                {
                  "color": "red",
                  "value": 0
                },
                {
                  "color": "green",
                  "value": 300
                }
              ]
            },
            "unit": "s"
          },
          "overrides": []
        },
        "gridPos": {
          "h": 8,
          "w": 6,
          "x": 0,
          "y": 1
        },
        "id": 1,
        "options": {
          "colorMode": "value",
          "graphMode": "area",
          "justifyMode": "auto",
          "orientation": "auto",
          "percentChangeColorMode": "standard",
          "reduceOptions": {
            "calcs": [
              "lastNotNull"
            ],
            "fields": "",
            "values": false
          },
          "showPercentChange": false,
          "textMode": "auto",
          "wideLayout": true
        },
        "pluginVersion": "12.4.0-21693836646",
        "targets": [
          {
            "datasource": {
              "type": "prometheus",
              "uid": "${datasource}"
            },
            "editorMode": "code",
            "expr": "max(telemt_uptime_seconds) by (service)",
            "format": "time_series",
            "legendFormat": "__auto",
            "range": true,
            "refId": "A"
          }
        ],
        "title": "uptime",
        "type": "stat"
      },
      {
        "datasource": {
          "type": "prometheus",
          "uid": "${datasource}"
        },
        "fieldConfig": {
          "defaults": {
            "color": {
              "mode": "thresholds"
            },
            "mappings": [],
            "thresholds": {
              "mode": "absolute",
              "steps": [
                {
                  "color": "green",
                  "value": 0
                },
                {
                  "color": "red",
                  "value": 80
                }
              ]
            },
            "unit": "none"
          },
          "overrides": []
        },
        "gridPos": {
          "h": 8,
          "w": 6,
          "x": 6,
          "y": 1
        },
        "id": 2,
        "options": {
          "colorMode": "value",
          "graphMode": "area",
          "justifyMode": "auto",
          "orientation": "auto",
          "percentChangeColorMode": "standard",
          "reduceOptions": {
            "calcs": [
              "lastNotNull"
            ],
            "fields": "",
            "values": false
          },
          "showPercentChange": false,
          "textMode": "auto",
          "wideLayout": true
        },
        "pluginVersion": "12.4.0-21693836646",
        "targets": [
          {
            "datasource": {
              "type": "prometheus",
              "uid": "${datasource}"
            },
            "editorMode": "code",
            "expr": "max(telemt_connections_total) by (service)",
            "format": "time_series",
            "legendFormat": "__auto",
            "range": true,
            "refId": "A"
          }
        ],
        "title": "connections_total",
        "type": "stat"
      },
      {
        "datasource": {
          "type": "prometheus",
          "uid": "${datasource}"
        },
        "fieldConfig": {
          "defaults": {
            "color": {
              "mode": "thresholds"
            },
            "mappings": [],
            "thresholds": {
              "mode": "absolute",
              "steps": [
                {
                  "color": "green",
                  "value": 0
                },
                {
                  "color": "red",
                  "value": 80
                }
              ]
            },
            "unit": "none"
          },
          "overrides": []
        },
        "gridPos": {
          "h": 8,
          "w": 6,
          "x": 12,
          "y": 1
        },
        "id": 3,
        "options": {
          "colorMode": "value",
          "graphMode": "area",
          "justifyMode": "auto",
          "orientation": "auto",
          "percentChangeColorMode": "standard",
          "reduceOptions": {
            "calcs": [
              "lastNotNull"
            ],
            "fields": "",
            "values": false
          },
          "showPercentChange": false,
          "textMode": "auto",
          "wideLayout": true
        },
        "pluginVersion": "12.4.0-21693836646",
        "targets": [
          {
            "datasource": {
              "type": "prometheus",
              "uid": "${datasource}"
            },
            "editorMode": "code",
            "expr": "max(telemt_connections_bad_total) by (service)",
            "format": "time_series",
            "legendFormat": "__auto",
            "range": true,
            "refId": "A"
          }
        ],
        "title": "connections_bad",
        "type": "stat"
      },
      {
        "datasource": {
          "type": "prometheus",
          "uid": "${datasource}"
        },
        "fieldConfig": {
          "defaults": {
            "color": {
              "mode": "thresholds"
            },
            "mappings": [],
            "thresholds": {
              "mode": "absolute",
              "steps": [
                {
                  "color": "green",
                  "value": 0
                },
                {
                  "color": "red",
                  "value": 80
                }
              ]
            },
            "unit": "none"
          },
          "overrides": []
        },
        "gridPos": {
          "h": 8,
          "w": 6,
          "x": 18,
          "y": 1
        },
        "id": 4,
        "options": {
          "colorMode": "value",
          "graphMode": "area",
          "justifyMode": "auto",
          "orientation": "auto",
          "percentChangeColorMode": "standard",
          "reduceOptions": {
            "calcs": [
              "lastNotNull"
            ],
            "fields": "",
            "values": false
          },
          "showPercentChange": false,
          "textMode": "auto",
          "wideLayout": true
        },
        "pluginVersion": "12.4.0-21693836646",
        "targets": [
          {
            "datasource": {
              "type": "prometheus",
              "uid": "${datasource}"
            },
            "editorMode": "code",
            "expr": "max(telemt_handshake_timeouts_total) by (service)",
            "format": "time_series",
            "legendFormat": "__auto",
            "range": true,
            "refId": "A"
          }
        ],
        "title": "handshake_timeouts",
        "type": "stat"
      },
      {
        "collapsed": false,
        "gridPos": {
          "h": 1,
          "w": 24,
          "x": 0,
          "y": 9
        },
        "id": 6,
        "panels": [],
        "repeat": "user",
        "title": "$user",
        "type": "row"
      },
      {
        "datasource": {
          "type": "prometheus",
          "uid": "${datasource}"
        },
        "fieldConfig": {
          "defaults": {
            "color": {
              "mode": "palette-classic"
            },
            "custom": {
              "axisBorderShow": false,
              "axisCenteredZero": false,
              "axisColorMode": "text",
              "axisLabel": "",
              "axisPlacement": "auto",
              "barAlignment": 0,
              "barWidthFactor": 0.6,
              "drawStyle": "line",
              "fillOpacity": 0,
              "gradientMode": "none",
              "hideFrom": {
                "legend": false,
                "tooltip": false,
                "viz": false
              },
              "insertNulls": false,
              "lineInterpolation": "linear",
              "lineWidth": 1,
              "pointSize": 5,
              "scaleDistribution": {
                "type": "linear"
              },
              "showPoints": "auto",
              "showValues": false,
              "spanNulls": false,
              "stacking": {
                "group": "A",
                "mode": "none"
              },
              "thresholdsStyle": {
                "mode": "off"
              }
            },
            "mappings": [],
            "thresholds": {
              "mode": "absolute",
              "steps": [
                {
                  "color": "green",
                  "value": 0
                },
                {
                  "color": "red",
                  "value": 80
                }
              ]
            },
            "unit": "none"
          },
          "overrides": []
        },
        "gridPos": {
          "h": 8,
          "w": 12,
          "x": 0,
          "y": 10
        },
        "id": 7,
        "options": {
          "legend": {
            "calcs": [],
            "displayMode": "list",
            "placement": "bottom",
            "showLegend": false
          },
          "tooltip": {
            "hideZeros": false,
            "mode": "single",
            "sort": "none"
          }
        },
        "pluginVersion": "12.4.0-21693836646",
        "targets": [
          {
            "editorMode": "code",
            "expr": "sum(telemt_user_connections_total{user=\"$user\"}) by (user)",
            "format": "time_series",
            "legendFormat": "{{ user }}",
            "range": true,
            "refId": "A"
          }
        ],
        "title": "user_connections",
        "type": "timeseries"
      },
      {
        "datasource": {
          "type": "prometheus",
          "uid": "${datasource}"
        },
        "fieldConfig": {
          "defaults": {
            "color": {
              "mode": "palette-classic"
            },
            "custom": {
              "axisBorderShow": false,
              "axisCenteredZero": false,
              "axisColorMode": "text",
              "axisLabel": "",
              "axisPlacement": "auto",
              "barAlignment": 0,
              "barWidthFactor": 0.6,
              "drawStyle": "line",
              "fillOpacity": 0,
              "gradientMode": "none",
              "hideFrom": {
                "legend": false,
                "tooltip": false,
                "viz": false
              },
              "insertNulls": false,
              "lineInterpolation": "linear",
              "lineWidth": 1,
              "pointSize": 5,
              "scaleDistribution": {
                "type": "linear"
              },
              "showPoints": "auto",
              "showValues": false,
              "spanNulls": false,
              "stacking": {
                "group": "A",
                "mode": "none"
              },
              "thresholdsStyle": {
                "mode": "off"
              }
            },
            "mappings": [],
            "thresholds": {
              "mode": "absolute",
              "steps": [
                {
                  "color": "green",
                  "value": 0
                },
                {
                  "color": "red",
                  "value": 80
                }
              ]
            },
            "unit": "none"
          },
          "overrides": []
        },
        "gridPos": {
          "h": 8,
          "w": 12,
          "x": 12,
          "y": 10
        },
        "id": 8,
        "options": {
          "legend": {
            "calcs": [],
            "displayMode": "list",
            "placement": "bottom",
            "showLegend": false
          },
          "tooltip": {
            "hideZeros": false,
            "mode": "single",
            "sort": "none"
          }
        },
        "pluginVersion": "12.4.0-21693836646",
        "targets": [
          {
            "editorMode": "code",
            "expr": "sum(telemt_user_connections_current{user=\"$user\"}) by (user)",
            "format": "time_series",
            "legendFormat": "{{ user }}",
            "range": true,
            "refId": "A"
          }
        ],
        "title": "user_connections_current",
        "type": "timeseries"
      },
      {
        "datasource": {
          "type": "prometheus",
          "uid": "${datasource}"
        },
        "fieldConfig": {
          "defaults": {
            "color": {
              "mode": "palette-classic"
            },
            "custom": {
              "axisBorderShow": false,
              "axisCenteredZero": false,
              "axisColorMode": "text",
              "axisLabel": "",
              "axisPlacement": "auto",
              "barAlignment": 0,
              "barWidthFactor": 0.6,
              "drawStyle": "line",
              "fillOpacity": 0,
              "gradientMode": "none",
              "hideFrom": {
                "legend": false,
                "tooltip": false,
                "viz": false
              },
              "insertNulls": false,
              "lineInterpolation": "linear",
              "lineWidth": 1,
              "pointSize": 5,
              "scaleDistribution": {
                "type": "linear"
              },
              "showPoints": "auto",
              "showValues": false,
              "spanNulls": false,
              "stacking": {
                "group": "A",
                "mode": "none"
              },
              "thresholdsStyle": {
                "mode": "off"
              }
            },
            "mappings": [],
            "thresholds": {
              "mode": "absolute",
              "steps": [
                {
                  "color": "green",
                  "value": 0
                },
                {
                  "color": "red",
                  "value": 80
                }
              ]
            },
            "unit": "binBps"
          },
          "overrides": []
        },
        "gridPos": {
          "h": 8,
          "w": 12,
          "x": 0,
          "y": 18
        },
        "id": 9,
        "options": {
          "legend": {
            "calcs": [],
            "displayMode": "list",
            "placement": "bottom",
            "showLegend": false
          },
          "tooltip": {
            "hideZeros": false,
            "mode": "single",
            "sort": "none"
          }
        },
        "pluginVersion": "12.4.0-21693836646",
        "targets": [
          {
            "editorMode": "code",
            "expr": "- sum(rate(telemt_user_octets_from_client{user=\"$user\"}[$__rate_interval])) by (user)",
            "format": "time_series",
            "legendFormat": "{{ user }} TX",
            "range": true,
            "refId": "A"
          },
          {
            "datasource": {
              "type": "prometheus",
              "uid": "${datasource}"
            },
            "editorMode": "code",
            "expr": "sum(rate(telemt_user_octets_to_client{user=\"$user\"}[$__rate_interval])) by (user)",
            "format": "time_series",
            "legendFormat": "{{ user }} RX",
            "range": true,
            "refId": "B"
          }
        ],
        "title": "user_octets",
        "type": "timeseries"
      },
      {
        "datasource": {
          "type": "prometheus",
          "uid": "${datasource}"
        },
        "fieldConfig": {
          "defaults": {
            "color": {
              "mode": "palette-classic"
            },
            "custom": {
              "axisBorderShow": false,
              "axisCenteredZero": false,
              "axisColorMode": "text",
              "axisLabel": "",
              "axisPlacement": "auto",
              "barAlignment": 0,
              "barWidthFactor": 0.6,
              "drawStyle": "line",
              "fillOpacity": 0,
              "gradientMode": "none",
              "hideFrom": {
                "legend": false,
                "tooltip": false,
                "viz": false
              },
              "insertNulls": false,
              "lineInterpolation": "linear",
              "lineWidth": 1,
              "pointSize": 5,
              "scaleDistribution": {
                "type": "linear"
              },
              "showPoints": "auto",
              "showValues": false,
              "spanNulls": false,
              "stacking": {
                "group": "A",
                "mode": "none"
              },
              "thresholdsStyle": {
                "mode": "off"
              }
            },
            "mappings": [],
            "thresholds": {
              "mode": "absolute",
              "steps": [
                {
                  "color": "green",
                  "value": 0
                },
                {
                  "color": "red",
                  "value": 80
                }
              ]
            },
            "unit": "pps"
          },
          "overrides": []
        },
        "gridPos": {
          "h": 8,
          "w": 12,
          "x": 12,
          "y": 18
        },
        "id": 10,
        "options": {
          "legend": {
            "calcs": [],
            "displayMode": "list",
            "placement": "bottom",
            "showLegend": false
          },
          "tooltip": {
            "hideZeros": false,
            "mode": "single",
            "sort": "none"
          }
        },
        "pluginVersion": "12.4.0-21693836646",
        "targets": [
          {
            "editorMode": "code",
            "expr": "- sum(rate(telemt_user_msgs_from_client{user=\"$user\"}[$__rate_interval])) by (user)",
            "format": "time_series",
            "legendFormat": "{{ user }} TX",
            "range": true,
            "refId": "A"
          },
          {
            "datasource": {
              "type": "prometheus",
              "uid": "${datasource}"
            },
            "editorMode": "code",
            "expr": "sum(rate(telemt_user_msgs_to_client{user=\"$user\"}[$__rate_interval])) by (user)",
            "format": "time_series",
            "legendFormat": "{{ user }} RX",
            "range": true,
            "refId": "B"
          }
        ],
        "title": "user_msgs",
        "type": "timeseries"
      }
    ],
    "preload": false,
    "schemaVersion": 42,
    "tags": [],
    "templating": {
      "list": [
        {
          "current": {
            "text": "docker",
            "value": "docker"
          },
          "datasource": {
            "type": "prometheus",
            "uid": "${datasource}"
          },
          "definition": "label_values(telemt_user_connections_total,user)",
          "hide": 2,
          "multi": true,
          "name": "user",
          "options": [],
          "query": {
            "qryType": 1,
            "query": "label_values(telemt_user_connections_total,user)",
            "refId": "VariableQueryEditor-VariableQuery"
          },
          "refresh": 1,
          "regex": "",
          "regexApplyTo": "value",
          "sort": 1,
          "type": "query"
        },
        {
          "current": {
            "text": "VM long-term",
            "value": "P7D3016A027385E71"
          },
          "name": "datasource",
          "options": [],
          "query": "prometheus",
          "refresh": 1,
          "regex": "",
          "type": "datasource"
        }
      ]
    },
    "time": {
      "from": "now-6h",
      "to": "now"
    },
    "timepicker": {},
    "timezone": "browser",
    "title": "Telemt MtProto proxy",
    "weekStart": ""
  }
 }
--- a/tools/tlsearch.py
+++ b/tools/tlsearch.py
@@ -0,0 +1,396 @@
 #!/usr/bin/env python3
 """
 TLS Profile Inspector
 Usage:
  python3 tools/tlsearch.py
  python3 tools/tlsearch.py tlsfront
  python3 tools/tlsearch.py tlsfront/petrovich.ru.json
  python3 tools/tlsearch.py tlsfront --only-current
 """
 from __future__ import annotations
 import argparse
 import datetime as dt
 import json
 from dataclasses import dataclass
 from pathlib import Path
 from typing import Any, Iterable
 TLS_VERSIONS = {
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
 }
 EXT_NAMES = {
    0: "server_name",
    5: "status_request",
    10: "supported_groups",
    11: "ec_point_formats",
    13: "signature_algorithms",
    16: "alpn",
    18: "signed_certificate_timestamp",
    21: "padding",
    23: "extended_master_secret",
    35: "session_ticket",
    43: "supported_versions",
    45: "psk_key_exchange_modes",
    51: "key_share",
 }
 CIPHER_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0x1304: "TLS_AES_128_CCM_SHA256",
    0x1305: "TLS_AES_128_CCM_8_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0xCCA9: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
 }
 NAMED_GROUPS = {
    0x001D: "x25519",
    0x0017: "secp256r1",
    0x0018: "secp384r1",
    0x0019: "secp521r1",
    0x0100: "ffdhe2048",
    0x0101: "ffdhe3072",
    0x0102: "ffdhe4096",
 }
@dataclass
 class ProfileRecognition:
    schema: str
    mode: str
    has_cert_info: bool
    has_full_cert_payload: bool
    cert_message_len: int
    cert_chain_count: int
    cert_chain_total_len: int
    issues: list[str]
 def to_hex(data: Iterable[int]) -> str:
    return "".join(f"{b:02x}" for b in data)
 def read_u16be(data: list[int], off: int = 0) -> int:
    return (data[off] << 8) | data[off + 1]
 def normalize_u8_list(value: Any) -> list[int]:
    if not isinstance(value, list):
        return []
    out: list[int] = []
    for item in value:
        if isinstance(item, int) and 0 <= item <= 0xFF:
            out.append(item)
        else:
            return []
    return out
 def as_dict(value: Any) -> dict[str, Any]:
    return value if isinstance(value, dict) else {}
 def as_int(value: Any, default: int = 0) -> int:
    return value if isinstance(value, int) else default
 def decode_version_pair(v: list[int]) -> str:
    if len(v) != 2:
        return f"invalid({v})"
    ver = read_u16be(v)
    return f"0x{ver:04x} ({TLS_VERSIONS.get(ver, 'unknown')})"
 def decode_cipher_suite(v: list[int]) -> str:
    if len(v) != 2:
        return f"invalid({v})"
    cs = read_u16be(v)
    name = CIPHER_NAMES.get(cs, "unknown")
    return f"0x{cs:04x} ({name})"
 def decode_supported_versions(data: list[int]) -> str:
    if len(data) == 2:
        ver = read_u16be(data)
        return f"selected=0x{ver:04x} ({TLS_VERSIONS.get(ver, 'unknown')})"
    if not data:
        return "empty"
    if len(data) < 3:
        return f"raw={to_hex(data)}"
    vec_len = data[0]
    versions: list[str] = []
    for i in range(1, min(1 + vec_len, len(data)), 2):
        if i + 1 >= len(data):
            break
        ver = read_u16be(data, i)
        versions.append(f"0x{ver:04x}({TLS_VERSIONS.get(ver, 'unknown')})")
    return "offered=[" + ", ".join(versions) + "]"
 def decode_key_share(data: list[int]) -> str:
    if len(data) < 4:
        return f"raw={to_hex(data)}"
    group = read_u16be(data, 0)
    key_len = read_u16be(data, 2)
    key_hex = to_hex(data[4 : 4 + min(key_len, len(data) - 4)])
    gname = NAMED_GROUPS.get(group, "unknown_group")
    return f"group=0x{group:04x}({gname}), key_len={key_len}, key={key_hex}"
 def decode_alpn(data: list[int]) -> str:
    if len(data) < 3:
        return f"raw={to_hex(data)}"
    total = read_u16be(data, 0)
    pos = 2
    vals: list[str] = []
    limit = min(len(data), 2 + total)
    while pos < limit:
        ln = data[pos]
        pos += 1
        if pos + ln > limit:
            break
        raw = bytes(data[pos : pos + ln])
        pos += ln
        try:
            vals.append(raw.decode("ascii"))
        except UnicodeDecodeError:
            vals.append(raw.hex())
    return "protocols=[" + ", ".join(vals) + "]"
 def decode_extension(ext_type: int, data: list[int]) -> str:
    if ext_type == 43:
        return decode_supported_versions(data)
    if ext_type == 51:
        return decode_key_share(data)
    if ext_type == 16:
        return decode_alpn(data)
    return f"raw={to_hex(data)}"
 def ts_to_iso(ts: Any) -> str:
    if not isinstance(ts, int):
        return "-"
    return dt.datetime.fromtimestamp(ts, tz=dt.timezone.utc).isoformat()
 def recognize_profile(obj: dict[str, Any]) -> ProfileRecognition:
    issues: list[str] = []
    sh = as_dict(obj.get("server_hello_template"))
    if not sh:
        issues.append("missing server_hello_template")
    version = normalize_u8_list(sh.get("version"))
    if version and len(version) != 2:
        issues.append("server_hello_template.version must have 2 bytes")
    app_sizes = obj.get("app_data_records_sizes")
    if not isinstance(app_sizes, list) or not app_sizes:
        issues.append("missing app_data_records_sizes")
    elif any((not isinstance(v, int) or v <= 0) for v in app_sizes):
        issues.append("app_data_records_sizes contains invalid values")
    if not isinstance(obj.get("total_app_data_len"), int):
        issues.append("missing total_app_data_len")
    cert_info = as_dict(obj.get("cert_info"))
    has_cert_info = bool(
        cert_info.get("subject_cn")
        or cert_info.get("issuer_cn")
        or cert_info.get("san_names")
        or isinstance(cert_info.get("not_before_unix"), int)
        or isinstance(cert_info.get("not_after_unix"), int)
    )
    cert_payload = as_dict(obj.get("cert_payload"))
    cert_message_len = 0
    cert_chain_count = 0
    cert_chain_total_len = 0
    has_full_cert_payload = False
    if cert_payload:
        cert_msg = normalize_u8_list(cert_payload.get("certificate_message"))
        if not cert_msg:
            issues.append("cert_payload.certificate_message is missing or invalid")
        else:
            cert_message_len = len(cert_msg)
        chain_raw = cert_payload.get("cert_chain_der")
        if not isinstance(chain_raw, list):
            issues.append("cert_payload.cert_chain_der is missing or invalid")
        else:
            for entry in chain_raw:
                cert = normalize_u8_list(entry)
                if cert:
                    cert_chain_count += 1
                    cert_chain_total_len += len(cert)
                else:
                    issues.append("cert_payload.cert_chain_der has invalid certificate entry")
                    break
        has_full_cert_payload = cert_message_len > 0 and cert_chain_count > 0
    elif obj.get("cert_payload") is not None:
        issues.append("cert_payload is not an object")
    if has_full_cert_payload:
        schema = "current"
        mode = "full-cert-payload"
    elif has_cert_info:
        schema = "current-compact"
        mode = "compact-cert-info"
    else:
        schema = "legacy"
        mode = "random-fallback"
    if issues:
        schema = f"{schema}+issues"
    return ProfileRecognition(
        schema=schema,
        mode=mode,
        has_cert_info=has_cert_info,
        has_full_cert_payload=has_full_cert_payload,
        cert_message_len=cert_message_len,
        cert_chain_count=cert_chain_count,
        cert_chain_total_len=cert_chain_total_len,
        issues=issues,
    )
 def decode_profile(path: Path) -> tuple[str, ProfileRecognition]:
    obj: dict[str, Any] = json.loads(path.read_text(encoding="utf-8"))
    recognition = recognize_profile(obj)
    sh = as_dict(obj.get("server_hello_template"))
    version = normalize_u8_list(sh.get("version"))
    cipher = normalize_u8_list(sh.get("cipher_suite"))
    random_bytes = normalize_u8_list(sh.get("random"))
    session_id = normalize_u8_list(sh.get("session_id"))
    lines: list[str] = []
    lines.append(f"[{path.name}]")
    lines.append(f"  domain: {obj.get('domain', '-')}")
    lines.append(f"  profile.schema: {recognition.schema}")
    lines.append(f"  profile.mode: {recognition.mode}")
    lines.append(f"  profile.has_full_cert_payload: {recognition.has_full_cert_payload}")
    lines.append(f"  profile.has_cert_info: {recognition.has_cert_info}")
    if recognition.has_full_cert_payload:
        lines.append(f"  profile.cert_message_len: {recognition.cert_message_len}")
        lines.append(f"  profile.cert_chain_count: {recognition.cert_chain_count}")
        lines.append(f"  profile.cert_chain_total_len: {recognition.cert_chain_total_len}")
    if recognition.issues:
        lines.append("  profile.issues:")
        for issue in recognition.issues:
            lines.append(f"    - {issue}")
    lines.append(f"  tls.version: {decode_version_pair(version)}")
    lines.append(f"  tls.cipher: {decode_cipher_suite(cipher)}")
    lines.append(f"  tls.compression: {sh.get('compression', '-')}")
    lines.append(f"  tls.random: {to_hex(random_bytes)}")
    lines.append(f"  tls.session_id_len: {len(session_id)}")
    if session_id:
        lines.append(f"  tls.session_id: {to_hex(session_id)}")
    app_sizes = obj.get("app_data_records_sizes", [])
    if isinstance(app_sizes, list):
        lines.append("  app_data_records_sizes: " + ", ".join(str(v) for v in app_sizes))
    else:
        lines.append("  app_data_records_sizes: -")
    lines.append(f"  total_app_data_len: {obj.get('total_app_data_len', '-')}")
    cert = as_dict(obj.get("cert_info"))
    if cert:
        lines.append("  cert_info:")
        lines.append(f"    subject_cn: {cert.get('subject_cn') or '-'}")
        lines.append(f"    issuer_cn: {cert.get('issuer_cn') or '-'}")
        lines.append(f"    not_before: {ts_to_iso(cert.get('not_before_unix'))}")
        lines.append(f"    not_after:  {ts_to_iso(cert.get('not_after_unix'))}")
        sans = cert.get("san_names")
        if isinstance(sans, list) and sans:
            lines.append("    san_names: " + ", ".join(str(v) for v in sans))
        else:
            lines.append("    san_names: -")
    else:
        lines.append("  cert_info: -")
    exts = sh.get("extensions", [])
    if not isinstance(exts, list):
        exts = []
    lines.append(f"  extensions[{len(exts)}]:")
    for ext in exts:
        ext_obj = as_dict(ext)
        ext_type = as_int(ext_obj.get("ext_type"), -1)
        data = normalize_u8_list(ext_obj.get("data"))
        name = EXT_NAMES.get(ext_type, "unknown")
        decoded = decode_extension(ext_type, data)
        lines.append(f"    - type={ext_type} ({name}), len={len(data)}: {decoded}")
    lines.append("")
    return ("\n".join(lines), recognition)
 def collect_files(input_path: Path) -> list[Path]:
    if input_path.is_file():
        return [input_path]
    return sorted(p for p in input_path.glob("*.json") if p.is_file())
 def main() -> int:
    parser = argparse.ArgumentParser(
        description="Decode TLS profile JSON files and recognize current schema."
    )
    parser.add_argument(
        "path",
        nargs="?",
        default="tlsfront",
        help="Path to tlsfront directory or a single JSON file.",
    )
    parser.add_argument(
        "--only-current",
        action="store_true",
        help="Show only profiles recognized as current/full-cert-payload.",
    )
    args = parser.parse_args()
    base = Path(args.path)
    if not base.exists():
        print(f"Path not found: {base}")
        return 1
    files = collect_files(base)
    if not files:
        print(f"No JSON files found in: {base}")
        return 1
    printed = 0
    for path in files:
        try:
            rendered, recognition = decode_profile(path)
            if args.only_current and recognition.schema != "current":
                continue
            print(rendered, end="")
            printed += 1
        except Exception as e:  # noqa: BLE001
            print(f"[{path.name}] decode error: {e}\n")
    if args.only_current and printed == 0:
        print("No current profiles found.")
    return 0
 if __name__ == "__main__":
    raise SystemExit(main())
--- a/tools/zbx_telemt_template.yaml
+++ b/tools/zbx_telemt_template.yaml
@@ -0,0 +1,276 @@
 zabbix_export:
  version: '7.0'
  template_groups:
    - uuid: 43d0fe04c7094000829b0d28c6e3470c
      name: 'Custom Templates'
  templates:
    - uuid: f2a694213c3d49d88cc03bffb111429e
      template: Telemt
      name: Telemt
      description: |
        A simple template using Prometheus metrics.
        Set the {$TELEMT_URL} macro with the metrics URL
      groups:
        - name: 'Custom Templates'
      items:
        - uuid: fb95391c7f894e3eb6984b92885813a2
          name: 'Connections bad total'
          type: DEPENDENT
          key: telemt.conn_bad_total
          delay: '0'
          trends: '0'
          preprocessing:
            - type: PROMETHEUS_PATTERN
              parameters:
                - telemt_connections_bad_total
                - value
                - ''
          master_item:
            key: telemt.prom_metrics
          tags:
            - tag: Application
              value: 'Server connections'
        - uuid: f36c9632394a4af3853583857ca8dbf1
          name: 'Connections total'
          type: DEPENDENT
          key: telemt.conn_total
          delay: '0'
          trends: '0'
          preprocessing:
            - type: PROMETHEUS_PATTERN
              parameters:
                - telemt_connections_total
                - value
                - ''
          master_item:
            key: telemt.prom_metrics
          tags:
            - tag: Application
              value: 'Server connections'
        - uuid: 1618272cf68e44509425f5fab029db7b
          name: 'Handshake timeouts total'
          type: DEPENDENT
          key: telemt.handshake_timeouts_total
          delay: '0'
          trends: '0'
          preprocessing:
            - type: PROMETHEUS_PATTERN
              parameters:
                - telemt_handshake_timeouts_total
                - value
                - ''
          master_item:
            key: telemt.prom_metrics
          tags:
            - tag: Application
              value: 'Server connections'
        - uuid: fb95391c7f894e3eb6984b92885813d2
          name: 'ME keepalive send failures'
          type: DEPENDENT
          key: telemt.me_keepalive_failed_total
          delay: '0'
          trends: '0'
          preprocessing:
            - type: PROMETHEUS_PATTERN
              parameters:
                - telemt_me_keepalive_failed_total
                - value
                - ''
          master_item:
            key: telemt.prom_metrics
          tags:
            - tag: Application
              value: 'Middle-End connections'
        - uuid: fb95391c7f894e3eb6984b92885813c2
          name: 'ME keepalive frames sent'
          type: DEPENDENT
          key: telemt.me_keepalive_sent_total
          delay: '0'
          trends: '0'
          preprocessing:
            - type: PROMETHEUS_PATTERN
              parameters:
                - telemt_me_keepalive_sent_total
                - value
                - ''
          master_item:
            key: telemt.prom_metrics
          tags:
            - tag: Application
              value: 'Middle-End connections'
        - uuid: fb95391c7f894e3eb6984b92885811a2
          name: 'ME reconnect attempts'
          type: DEPENDENT
          key: telemt.me_reconnect_attempts_total
          delay: '0'
          trends: '0'
          preprocessing:
            - type: PROMETHEUS_PATTERN
              parameters:
                - telemt_me_reconnect_attempts_total
                - value
                - ''
          master_item:
            key: telemt.prom_metrics
          tags:
            - tag: Application
              value: 'Middle-End connections'
        - uuid: fb95391c7f894e3eb6984b92885812a2
          name: 'ME reconnect successes'
          type: DEPENDENT
          key: telemt.me_reconnect_success_total
          delay: '0'
          trends: '0'
          preprocessing:
            - type: PROMETHEUS_PATTERN
              parameters:
                - telemt_me_reconnect_success_total
                - value
                - ''
          master_item:
            key: telemt.prom_metrics
          tags:
            - tag: Application
              value: 'Middle-End connections'
        - uuid: 991b1858e3f94b3098ff0f84859efc41
          name: 'Prometheus metrics'
          type: HTTP_AGENT
          key: telemt.prom_metrics
          value_type: TEXT
          trends: '0'
          url: '{$TELEMT_URL}'
        - uuid: fb95391c7f894e3eb6984b92885813b2
          name: 'Telemt Uptime'
          type: DEPENDENT
          key: telemt.uptime
          delay: '0'
          trends: '0'
          units: s
          preprocessing:
            - type: PROMETHEUS_PATTERN
              parameters:
                - telemt_uptime_seconds
                - value
                - ''
          master_item:
            key: telemt.prom_metrics
          tags:
            - tag: Application
              value: 'Server connections'
      discovery_rules:
        - uuid: 22727585c14049fbb0863c15dd68634c
          name: 'Get users'
          type: DEPENDENT
          key: telemt.users
          delay: '0'
          item_prototypes:
            - uuid: 137e371a47714a21b5c0c89d535dd717
              name: 'Active connections by {#TELEMT_USER}'
              type: DEPENDENT
              key: 'telemt.active_conn_[{#TELEMT_USER}]'
              delay: '0'
              preprocessing:
                - type: PROMETHEUS_PATTERN
                  parameters:
                    - 'telemt_user_connections_current{user="{#TELEMT_USER}"}'
                    - value
                    - ''
              master_item:
                key: telemt.prom_metrics
              tags:
                - tag: Application
                  value: 'Users connections'
            - uuid: 3ccce91ab5d54b4d972280c7b7bda910
              name: 'Messages received from {#TELEMT_USER}'
              type: DEPENDENT
              key: 'telemt.msgs_from_[{#TELEMT_USER}]'
              delay: '0'
              preprocessing:
                - type: PROMETHEUS_PATTERN
                  parameters:
                    - 'telemt_user_msgs_from_client{user="{#TELEMT_USER}"}'
                    - value
                    - ''
              master_item:
                key: telemt.prom_metrics
              tags:
                - tag: Application
                  value: 'Users connections'
            - uuid: e539126215f2419bbfd0d8099aabe1cb
              name: 'Messages sent to {#TELEMT_USER}'
              type: DEPENDENT
              key: 'telemt.msgs_to_[{#TELEMT_USER}]'
              delay: '0'
              preprocessing:
                - type: PROMETHEUS_PATTERN
                  parameters:
                    - 'telemt_user_msgs_to_client{user="{#TELEMT_USER}"}'
                    - value
                    - ''
              master_item:
                key: telemt.prom_metrics
              tags:
                - tag: Application
                  value: 'Users connections'
            - uuid: 810a8f6346a44ae7bd79a357dbfe2b3c
              name: 'Bytes received from {#TELEMT_USER}'
              type: DEPENDENT
              key: 'telemt.octets_from_[{#TELEMT_USER}]'
              delay: '0'
              units: B
              preprocessing:
                - type: PROMETHEUS_PATTERN
                  parameters:
                    - 'telemt_user_octets_from_client{user="{#TELEMT_USER}"}'
                    - value
                    - ''
              master_item:
                key: telemt.prom_metrics
              tags:
                - tag: Application
                  value: 'Users connections'
            - uuid: d0cc3b4d618b4f0d97f8127b51f872c8
              name: 'Bytes sent to {#TELEMT_USER}'
              type: DEPENDENT
              key: 'telemt.octets_to_[{#TELEMT_USER}]'
              delay: '0'
              units: B
              preprocessing:
                - type: PROMETHEUS_PATTERN
                  parameters:
                    - 'telemt_user_octets_to_client{user="{#TELEMT_USER}"}'
                    - value
                    - ''
              master_item:
                key: telemt.prom_metrics
              tags:
                - tag: Application
                  value: 'Users connections'
            - uuid: e9735aef967b4af28ed59f6c76ad493d
              name: 'Total connections by {#TELEMT_USER}'
              type: DEPENDENT
              key: 'telemt.total_conn_[{#TELEMT_USER}]'
              delay: '0'
              preprocessing:
                - type: PROMETHEUS_PATTERN
                  parameters:
                    - 'telemt_user_connections_total{user="{#TELEMT_USER}"}'
                    - value
                    - ''
              master_item:
                key: telemt.prom_metrics
              tags:
                - tag: Application
                  value: 'Users connections'
          master_item:
            key: telemt.prom_metrics
          lld_macro_paths:
            - lld_macro: '{#TELEMT_USER}'
              path: '$.labels[''user'']'
          preprocessing:
            - type: PROMETHEUS_TO_JSON
              parameters:
                - ''
      tags:
        - tag: target
          value: Telemt