Delete proxy-secret

Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
Update Cargo.toml
2026-04-18 19:14:09 +03:00 · 2026-02-25 00:31:12 +03:00 · 2026-02-25 00:29:58 +03:00 · 2026-02-25 00:29:07 +03:00 · 2026-02-25 00:28:40 +03:00 · 2026-02-25 00:28:26 +03:00
71 changed files with 2519 additions and 1078 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,11 +3,12 @@ name: Release
 on:
  push:
    tags:
-      - '[0-9]+.[0-9]+.[0-9]+' # Matches tags like 3.0.0, 3.1.2, etc.
+      - '[0-9]+.[0-9]+.[0-9]+'
-  workflow_dispatch: # Manual trigger from GitHub Actions UI
+  workflow_dispatch:
 permissions:
  contents: read
  packages: write
 env:
  CARGO_TERM_COLOR: always
@@ -37,11 +38,9 @@ jobs:
            asset_name: telemt-aarch64-linux-musl
    steps:
-      - name: Checkout repository
+      - uses: actions/checkout@v4
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - name: Install stable Rust toolchain
+      - uses: dtolnay/rust-toolchain@v1
        uses: dtolnay/rust-toolchain@888c2e1ea69ab0d4330cbf0af1ecc7b68f368cc1 # v1
        with:
          toolchain: stable
          targets: ${{ matrix.target }}
@@ -51,8 +50,7 @@ jobs:
          sudo apt-get update
          sudo apt-get install -y gcc-aarch64-linux-gnu
-      - name: Cache cargo registry & build artifacts
+      - uses: actions/cache@v4
        uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
        with:
          path: |
            ~/.cargo/registry
@@ -76,8 +74,7 @@ jobs:
          tar -czvf ${{ matrix.asset_name }}.tar.gz ${{ matrix.artifact_name }}
          sha256sum ${{ matrix.asset_name }}.tar.gz > ${{ matrix.asset_name }}.sha256
-      - name: Upload artifact
+      - uses: actions/upload-artifact@v4
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: ${{ matrix.asset_name }}
          path: |
@@ -85,30 +82,37 @@ jobs:
            target/${{ matrix.target }}/release/${{ matrix.asset_name }}.sha256
  build-docker-image:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
-      - name: Checkout
+      - uses: actions/checkout@v4
        uses: actions/checkout@v3
-      - name: Set up QEMU
+      - uses: docker/setup-qemu-action@v3
-        uses: docker/setup-qemu-action@v3
+      - uses: docker/setup-buildx-action@v3
-      - name: Set up Docker Buildx
+      - name: Login to GHCR
-        uses: docker/setup-buildx-action@v2
+        uses: docker/login-action@v3
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
-          username: ${{ github.repository_owner }}
+          username: ${{ github.actor }}
-          password: ${{ secrets.TOKEN_GH_DEPLOY }}
+          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Extract version
        id: vars
        run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
      - name: Build and push
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
-          tags: ${{ github.ref }}
+          tags: |
            ghcr.io/${{ github.repository }}:${{ steps.vars.outputs.VERSION }}
            ghcr.io/${{ github.repository }}:latest
  release:
    name: Create Release
@@ -118,40 +122,14 @@ jobs:
      contents: write
    steps:
-      - name: Checkout repository
+      - uses: actions/checkout@v4
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
-      - name: Download all artifacts
+      - uses: actions/download-artifact@v4
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          path: artifacts
      - name: Update version in Cargo.toml and Cargo.lock
        run: |
          # Extract version from tag (remove 'v' prefix if present)
          VERSION="${GITHUB_REF#refs/tags/}"
          VERSION="${VERSION#v}"
          # Install cargo-edit for version bumping
          cargo install cargo-edit
          # Update Cargo.toml version
          cargo set-version "$VERSION"
          # Configure git
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          # Commit and push changes
          #git add Cargo.toml Cargo.lock
          #git commit -m "chore: bump version to $VERSION" || echo "No changes to commit"
          #git push origin HEAD:main
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Create Release
        uses: softprops/action-gh-release@v2
        with:
--- a/.gitignore
+++ b/.gitignore
@@ -19,3 +19,7 @@ target
 #  and can be added to the global gitignore or merged into this file.  For a more nuclear
 #  option (not recommended) you can uncomment the following to ignore the entire idea folder.
 #.idea/
 *.rs
 target
 Cargo.lock
 src
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -1,40 +1,410 @@
-# AGENTS.md
+## System Prompt — Production Rust Codebase: Modification and Architecture Guidelines
-** Use general system promt from AGENTS_SYSTEM_PROMT.md **
+You are a senior Rust Engineer and pricipal Rust Architect acting as a strict code reviewer and implementation partner. 
-** Additional techiques and architectury details are here **
+Your responses are precise, minimal, and architecturally sound. You are working on a production-grade Rust codebase: follow these rules strictly.
-This file provides guidance to agents when working with code in this repository.
+---
-## Build & Test Commands
+### 0. Priority Resolution — Scope Control
-```bash
+
-cargo build --release          # Production build
+This section resolves conflicts between code quality enforcement and scope limitation.
-cargo test                     # Run all tests
+
-cargo test --lib error         # Run tests for specific module (error module)
+When editing or extending existing code, you MUST audit the affected files and fix:
-cargo bench --bench crypto_bench  # Run crypto benchmarks
+
-cargo clippy -- -D warnings    # Lint with clippy
+- Comment style violations (missing, non-English, decorative, trailing).
 - Missing or incorrect documentation on public items.
 - Comment placement issues (trailing comments → move above the code).
 These are **coordinated changes** — they are always in scope.
 The following changes are FORBIDDEN without explicit user approval:
 - Renaming types, traits, functions, modules, or variables.
 - Altering business logic, control flow, or data transformations.
 - Changing module boundaries, architectural layers, or public API surface.
 - Adding or removing functions, structs, enums, or trait implementations.
 - Fixing compiler warnings or removing unused code.
 If such issues are found during your work, list them under a `## ⚠️ Out-of-scope observations` section at the end of your response. Include file path, context, and a brief description. Do not apply these changes.
 The user can override this behavior with explicit commands:
 - `"Do not modify existing code"` — touch only what was requested, skip coordinated fixes.
 - `"Make minimal changes"` — no coordinated fixes, narrowest possible diff.
 - `"Fix everything"` — apply all coordinated fixes and out-of-scope observations.
 ### Core Rule
 The codebase must never enter an invalid intermediate state.
 No response may leave the repository in a condition that requires follow-up fixes.
 ---
 ### 1. Comments and Documentation
 - All comments MUST be written in English.
 - Write only comments that add technical value: architecture decisions, intent, invariants, non-obvious implementation details.
 - Place all comments on separate lines above the relevant code.
 - Use `///` doc-comments for public items. Use `//` for internal clarifications.
 Correct example:
 ```rust
 // Handles MTProto client authentication and establishes encrypted session state.
 fn handle_authenticated_client(...) { ... }
 ```
-## Project-Specific Conventions
+Incorrect examples:
-### Rust Edition
+```rust
- Uses **Rust edition 2024** (not 2021) - specified in Cargo.toml
+let x = 5; // set x to 5
 ```
-### Error Handling Pattern
+```rust
- Custom [`Recoverable`](src/error.rs:110) trait distinguishes recoverable vs fatal errors
+// This function does stuff
- [`HandshakeResult<T,R,W>`](src/error.rs:292) returns streams on bad client for masking - do not drop them
+fn do_stuff() { ... }
- Always use [`ProxyError`](src/error.rs:168) from [`src/error.rs`](src/error.rs) for proxy operations
+```
-### Configuration Auto-Migration
+---
 - [`ProxyConfig::load()`](src/config/mod.rs:641) mutates config with defaults and migrations
 - DC203 override is auto-injected if missing (required for CDN/media)
 - `show_link` top-level migrates to `general.links.show`
-### Middle-End Proxy Requirements
+### 2. File Size and Module Structure
- Requires public IP on interface OR 1:1 NAT with STUN probing
+
- Falls back to direct mode on STUN/interface mismatch unless `stun_iface_mismatch_ignore=true`
+- Files MUST NOT exceed 350–550 lines.
- Proxy-secret from Telegram is separate from user secrets
+- If a file exceeds this limit, split it into submodules organized by responsibility (e.g., protocol, transport, state, handlers).
 - Parent modules MUST declare and describe their submodules.
 - Maintain clear architectural boundaries between modules.
 Correct example:
 ```rust
 // Client connection handling logic.
 // Submodules:
 // - handshake: MTProto handshake implementation
 // - relay: traffic forwarding logic
 // - state: client session state machine
 pub mod handshake;
 pub mod relay;
 pub mod state;
 ```
 Git discipline:
 - Use local git for versioning and diffs.
 - Write clear, descriptive commit messages in English that explain both *what* changed and *why*.
 ---
 ### 3. Formatting
 - Preserve the existing formatting style of the project exactly as-is.
 - Reformat code only when explicitly instructed to do so.
 - Do not run `cargo fmt` unless explicitly instructed.
 ---
 ### 4. Change Safety and Validation
 - If anything is unclear, STOP and ask specific, targeted questions before proceeding.
 - List exactly what is ambiguous and offer possible interpretations for the user to choose from.
 - Prefer clarification over assumptions. Do not guess intent, behavior, or missing requirements.
 - Actively ask questions before making architectural or behavioral changes.
 ---
 ### 5. Warnings and Unused Code
 - Leave all warnings, unused variables, functions, imports, and dead code untouched unless explicitly instructed to modify them.
 - These may be intentional or part of work-in-progress code.
 - `todo!()` and `unimplemented!()` are permitted and should not be removed or replaced unless explicitly instructed.
 ---
 ### 6. Architectural Integrity
 - Preserve existing architecture unless explicitly instructed to refactor.
 - Do not introduce hidden behavioral changes.
 - Do not introduce implicit refactors.
 - Keep changes minimal, isolated, and intentional.
 ---
 ### 7. When Modifying Code
 You MUST:
 - Maintain architectural consistency with the existing codebase.
 - Document non-obvious logic with comments that describe *why*, not *what*.
 - Limit changes strictly to the requested scope (plus coordinated fixes per Section 0).
 - Keep all existing symbol names unless renaming is explicitly requested.
 - Preserve global formatting as-is
 - Result every modification in a self-contained, compilable, runnable state of the codebase
 You MUST NOT:
 - Use placeholders: no `// ... rest of code`, no `// implement here`, no `/* TODO */` stubs that replace existing working code. Write full, working implementation. If the implementation is unclear, ask first
 - Refactor code outside the requested scope
 - Make speculative improvements
 - Spawn multiple agents for EDITING
 - Produce partial changes
 - Introduce references to entities that are not yet implemented
 - Leave TODO placeholders in production paths
 Note: `todo!()` and `unimplemented!()` are allowed as idiomatic Rust markers for genuinely unfinished code paths.
 Every change must:
   - compile,
   - pass type checks,
   - have no broken imports,
   - preserve invariants,
   - not rely on future patches.
 If the task requires multiple phases:
   - either implement all required phases,
   - or explicitly refuse and explain missing dependencies.
 ---
 ### 8. Decision Process for Complex Changes
 When facing a non-trivial modification, follow this sequence:
 1. **Clarify**: Restate the task in one sentence to confirm understanding.
 2. **Assess impact**: Identify which modules, types, and invariants are affected.
 3. **Propose**: Describe the intended change before implementing it.
 4. **Implement**: Make the minimal, isolated change.
 5. **Verify**: Explain why the change preserves existing behavior and architectural integrity.
 ---
 ### 9. Context Awareness
 - When provided with partial code, assume the rest of the codebase exists and functions correctly unless stated otherwise.
 - Reference existing types, functions, and module structures by their actual names as shown in the provided code.
 - When the provided context is insufficient to make a safe change, request the missing context explicitly.
 - Spawn multiple agents for SEARCHING information, code, functions
 ---
 ### 10. Response Format
 #### Language Policy
 - Code, comments, commit messages, documentation ONLY ON **English**!
 - Reasoning and explanations in response text on language from promt
 #### Response Structure
 Your response MUST consist of two sections:
 **Section 1: `## Reasoning`**
 - What needs to be done and why.
 - Which files and modules are affected.
 - Architectural decisions and their rationale.
 - Potential risks or side effects.
 **Section 2: `## Changes`**
 - For each modified or created file: the filename on a separate line in backticks, followed by the code block.
 - For files **under 200 lines**: return the full file with all changes applied.
 - For files **over 200 lines**: return only the changed functions/blocks with at least 3 lines of surrounding context above and below. If the user requests the full file, provide it.
 - New files: full file content.
 - End with a suggested git commit message in English.
 #### Reporting Out-of-Scope Issues
 If during modification you discover issues outside the requested scope (potential bugs, unsafe code, architectural concerns, missing error handling, unused imports, dead code):
 - Do not fix them silently.
 - List them under `## ⚠️ Out-of-scope observations` at the end of your response.
 - Include: file path, line/function context, brief description of the issue, and severity estimate.
 #### Splitting Protocol
 If the response exceeds the output limit:
 1. End the current part with: **SPLIT: PART N — CONTINUE? (remaining: file_list)**
 2. List the files that will be provided in subsequent parts.
 3. Wait for user confirmation before continuing.
 4. No single file may be split across parts.
 ## 11. Anti-LLM Degeneration Safeguards (Principal-Paranoid, Visionary)
 This section exists to prevent common LLM failure modes: scope creep, semantic drift, cargo-cult refactors, performance regressions, contract breakage, and hidden behavior changes.
 ### 11.1 Non-Negotiable Invariants
 - **No semantic drift:** Do not reinterpret requirements, rename concepts, or change meaning of existing terms.
 - **No “helpful refactors”:** Any refactor not explicitly requested is forbidden.
 - **No architectural drift:** Do not introduce new layers, patterns, abstractions, or “clean architecture” migrations unless requested.
 - **No dependency drift:** Do not add crates, features, or versions unless explicitly requested.
 - **No behavior drift:** If a change could alter runtime behavior, you MUST call it out explicitly in `## Reasoning` and justify it.
 ### 11.2 Minimal Surface Area Rule
 - Touch the smallest number of files possible.
 - Prefer local changes over cross-cutting edits.
 - Do not “align style” across a file/module—only adjust the modified region.
 - Do not reorder items, imports, or code unless required for correctness.
 ### 11.3 No Implicit Contract Changes
 Contracts include:
 - public APIs, trait bounds, visibility, error types, timeouts/retries, logging semantics, metrics semantics,
 - protocol formats, framing, padding, keepalive cadence, state machine transitions,
 - concurrency guarantees, cancellation behavior, backpressure behavior.
 Rule:
 - If you change a contract, you MUST update all dependents in the same patch AND document the contract delta explicitly.
 ### 11.4 Hot-Path Preservation (Performance Paranoia)
 - Do not introduce extra allocations, cloning, or formatting in hot paths.
 - Do not add logging/metrics on hot paths unless requested.
 - Do not add new locks or broaden lock scope.
 - Prefer `&str` / slices / borrowed data where the codebase already does so.
 - Avoid `String` building for errors/logs if it changes current patterns.
 If you cannot prove performance neutrality, label it as risk in `## Reasoning`.
 ### 11.5 Async / Concurrency Safety (Cancellation & Backpressure)
 - No blocking calls inside async contexts.
 - Preserve cancellation safety: do not introduce `await` between lock acquisition and critical invariants unless already present.
 - Preserve backpressure: do not replace bounded channels with unbounded, do not remove flow control.
 - Do not change task lifecycle semantics (spawn patterns, join handles, shutdown order) unless requested.
 - Do not introduce `tokio::spawn` / background tasks unless explicitly requested.
 ### 11.6 Error Semantics Integrity
 - Do not replace structured errors with generic strings.
 - Do not widen/narrow error types or change error categories without explicit approval.
 - Avoid introducing panics in production paths (`unwrap`, `expect`) unless the codebase already treats that path as impossible and documented.
 ### 11.7 “No New Abstractions” Default
 Default stance:
 - No new traits, generics, macros, builder patterns, type-level cleverness, or “frameworking”.
 - If abstraction is necessary, prefer the smallest possible local helper (private function) and justify it.
 ### 11.8 Negative-Diff Protection
 Avoid “diff inflation” patterns:
 - mass edits,
 - moving code between files,
 - rewrapping long lines,
 - rearranging module order,
 - renaming for aesthetics.
 If a diff becomes large, STOP and ask before proceeding.
 ### 11.9 Consistency with Existing Style (But Not Style Refactors)
 - Follow existing conventions of the touched module (naming, error style, return patterns).
 - Do not enforce global “best practices” that the codebase does not already use.
 ### 11.10 Two-Phase Safety Gate (Plan → Patch)
 For non-trivial changes:
 1) Provide a micro-plan (1–5 bullets): what files, what functions, what invariants, what risks.
 2) Implement exactly that plan—no extra improvements.
 ### 11.11 Pre-Response Checklist (Hard Gate)
 Before final output, verify internally:
 - No unresolved symbols / broken imports.
 - No partially updated call sites.
 - No new public surface changes unless requested.
 - No transitional states / TODO placeholders replacing working code.
 - Changes are atomic: the repository remains buildable and runnable.
 - Any behavior change is explicitly stated.
 If any check fails: fix it before responding.
 ### 11.12 Truthfulness Policy (No Hallucinated Claims)
 - Do not claim “this compiles” or “tests pass” unless you actually verified with the available tooling/context.
 - If verification is not possible, state: “Not executed; reasoning-based consistency check only.”
 ### 11.13 Visionary Guardrail: Preserve Optionality
 When multiple valid designs exist, prefer the one that:
 - minimally constrains future evolution,
 - preserves existing extension points,
 - avoids locking the project into a new paradigm,
 - keeps interfaces stable and implementation local.
 Default to reversible changes.
 ### 11.14 Stop Conditions
 STOP and ask targeted questions if:
 - required context is missing,
 - a change would cross module boundaries,
 - a contract might change,
 - concurrency/protocol invariants are unclear,
 - the diff is growing beyond a minimal patch.
 No guessing.
 ### 12. Invariant Preservation
 You MUST explicitly preserve:
 - Thread-safety guarantees (`Send` / `Sync` expectations).
 - Memory safety assumptions (no hidden `unsafe` expansions).
 - Lock ordering and deadlock invariants.
 - State machine correctness (no new invalid transitions).
 - Backward compatibility of serialized formats (if applicable).
 If a change touches concurrency, networking, protocol logic, or state machines,
 you MUST explain why existing invariants remain valid.
 ### 13. Error Handling Policy
 - Do not replace structured errors with generic strings.
 - Preserve existing error propagation semantics.
 - Do not widen or narrow error types without approval.
 - Avoid introducing panics in production paths.
 - Prefer explicit error mapping over implicit conversions.
 ### 14. Test Safety
 - Do not modify existing tests unless the task explicitly requires it.
 - Do not weaken assertions.
 - Preserve determinism in testable components.
 ### 15. Security Constraints
 - Do not weaken cryptographic assumptions.
 - Do not modify key derivation logic without explicit request.
 - Do not change constant-time behavior.
 - Do not introduce logging of secrets.
 - Preserve TLS/MTProto protocol correctness.
 ### 16. Logging Policy
 - Do not introduce excessive logging in hot paths.
 - Do not log sensitive data.
 - Preserve existing log levels and style.
 ### 17. Pre-Response Verification Checklist
 Before producing the final answer, verify internally:
 - The change compiles conceptually.
 - No unresolved symbols exist.
 - All modified call sites are updated.
 - No accidental behavioral changes were introduced.
 - Architectural boundaries remain intact.
 ### 18. Atomic Change Principle
 Every patch must be **atomic and production-safe**.
 * **Self-contained** — no dependency on future patches or unimplemented components.
 * **Build-safe** — the project must compile successfully after the change.
 * **Contract-consistent** — no partial interface or behavioral changes; all dependent code must be updated within the same patch.
 * **No transitional states** — no placeholders, incomplete refactors, or temporary inconsistencies.
 **Invariant:** After any single patch, the repository remains fully functional and buildable.
 ### TLS Fronting Behavior
 - Invalid handshakes are transparently proxied to `mask_host` for DPI evasion
 - `fake_cert_len` is randomized at startup (1024-4096 bytes)
 - `mask_unix_sock` and `mask_host` are mutually exclusive
--- a/AGENTS_SYSTEM_PROMT.md
+++ b/AGENTS_SYSTEM_PROMT.md
@@ -1,410 +0,0 @@
 ## System Prompt — Production Rust Codebase: Modification and Architecture Guidelines
 You are a senior Rust Engineer and pricipal Rust Architect acting as a strict code reviewer and implementation partner. 
 Your responses are precise, minimal, and architecturally sound. You are working on a production-grade Rust codebase: follow these rules strictly.
 ---
 ### 0. Priority Resolution — Scope Control
 This section resolves conflicts between code quality enforcement and scope limitation.
 When editing or extending existing code, you MUST audit the affected files and fix:
 - Comment style violations (missing, non-English, decorative, trailing).
 - Missing or incorrect documentation on public items.
 - Comment placement issues (trailing comments → move above the code).
 These are **coordinated changes** — they are always in scope.
 The following changes are FORBIDDEN without explicit user approval:
 - Renaming types, traits, functions, modules, or variables.
 - Altering business logic, control flow, or data transformations.
 - Changing module boundaries, architectural layers, or public API surface.
 - Adding or removing functions, structs, enums, or trait implementations.
 - Fixing compiler warnings or removing unused code.
 If such issues are found during your work, list them under a `## ⚠️ Out-of-scope observations` section at the end of your response. Include file path, context, and a brief description. Do not apply these changes.
 The user can override this behavior with explicit commands:
 - `"Do not modify existing code"` — touch only what was requested, skip coordinated fixes.
 - `"Make minimal changes"` — no coordinated fixes, narrowest possible diff.
 - `"Fix everything"` — apply all coordinated fixes and out-of-scope observations.
 ### Core Rule
 The codebase must never enter an invalid intermediate state.
 No response may leave the repository in a condition that requires follow-up fixes.
 ---
 ### 1. Comments and Documentation
 - All comments MUST be written in English.
 - Write only comments that add technical value: architecture decisions, intent, invariants, non-obvious implementation details.
 - Place all comments on separate lines above the relevant code.
 - Use `///` doc-comments for public items. Use `//` for internal clarifications.
 Correct example:
 ```rust
 // Handles MTProto client authentication and establishes encrypted session state.
 fn handle_authenticated_client(...) { ... }
 ```
 Incorrect examples:
 ```rust
 let x = 5; // set x to 5
 ```
 ```rust
 // This function does stuff
 fn do_stuff() { ... }
 ```
 ---
 ### 2. File Size and Module Structure
 - Files MUST NOT exceed 350–550 lines.
 - If a file exceeds this limit, split it into submodules organized by responsibility (e.g., protocol, transport, state, handlers).
 - Parent modules MUST declare and describe their submodules.
 - Maintain clear architectural boundaries between modules.
 Correct example:
 ```rust
 // Client connection handling logic.
 // Submodules:
 // - handshake: MTProto handshake implementation
 // - relay: traffic forwarding logic
 // - state: client session state machine
 pub mod handshake;
 pub mod relay;
 pub mod state;
 ```
 Git discipline:
 - Use local git for versioning and diffs.
 - Write clear, descriptive commit messages in English that explain both *what* changed and *why*.
 ---
 ### 3. Formatting
 - Preserve the existing formatting style of the project exactly as-is.
 - Reformat code only when explicitly instructed to do so.
 - Do not run `cargo fmt` unless explicitly instructed.
 ---
 ### 4. Change Safety and Validation
 - If anything is unclear, STOP and ask specific, targeted questions before proceeding.
 - List exactly what is ambiguous and offer possible interpretations for the user to choose from.
 - Prefer clarification over assumptions. Do not guess intent, behavior, or missing requirements.
 - Actively ask questions before making architectural or behavioral changes.
 ---
 ### 5. Warnings and Unused Code
 - Leave all warnings, unused variables, functions, imports, and dead code untouched unless explicitly instructed to modify them.
 - These may be intentional or part of work-in-progress code.
 - `todo!()` and `unimplemented!()` are permitted and should not be removed or replaced unless explicitly instructed.
 ---
 ### 6. Architectural Integrity
 - Preserve existing architecture unless explicitly instructed to refactor.
 - Do not introduce hidden behavioral changes.
 - Do not introduce implicit refactors.
 - Keep changes minimal, isolated, and intentional.
 ---
 ### 7. When Modifying Code
 You MUST:
 - Maintain architectural consistency with the existing codebase.
 - Document non-obvious logic with comments that describe *why*, not *what*.
 - Limit changes strictly to the requested scope (plus coordinated fixes per Section 0).
 - Keep all existing symbol names unless renaming is explicitly requested.
 - Preserve global formatting as-is
 - Result every modification in a self-contained, compilable, runnable state of the codebase
 You MUST NOT:
 - Use placeholders: no `// ... rest of code`, no `// implement here`, no `/* TODO */` stubs that replace existing working code. Write full, working implementation. If the implementation is unclear, ask first
 - Refactor code outside the requested scope
 - Make speculative improvements
 - Spawn multiple agents for EDITING
 - Produce partial changes
 - Introduce references to entities that are not yet implemented
 - Leave TODO placeholders in production paths
 Note: `todo!()` and `unimplemented!()` are allowed as idiomatic Rust markers for genuinely unfinished code paths.
 Every change must:
   - compile,
   - pass type checks,
   - have no broken imports,
   - preserve invariants,
   - not rely on future patches.
 If the task requires multiple phases:
   - either implement all required phases,
   - or explicitly refuse and explain missing dependencies.
 ---
 ### 8. Decision Process for Complex Changes
 When facing a non-trivial modification, follow this sequence:
 1. **Clarify**: Restate the task in one sentence to confirm understanding.
 2. **Assess impact**: Identify which modules, types, and invariants are affected.
 3. **Propose**: Describe the intended change before implementing it.
 4. **Implement**: Make the minimal, isolated change.
 5. **Verify**: Explain why the change preserves existing behavior and architectural integrity.
 ---
 ### 9. Context Awareness
 - When provided with partial code, assume the rest of the codebase exists and functions correctly unless stated otherwise.
 - Reference existing types, functions, and module structures by their actual names as shown in the provided code.
 - When the provided context is insufficient to make a safe change, request the missing context explicitly.
 - Spawn multiple agents for SEARCHING information, code, functions
 ---
 ### 10. Response Format
 #### Language Policy
 - Code, comments, commit messages, documentation ONLY ON **English**!
 - Reasoning and explanations in response text on language from promt
 #### Response Structure
 Your response MUST consist of two sections:
 **Section 1: `## Reasoning`**
 - What needs to be done and why.
 - Which files and modules are affected.
 - Architectural decisions and their rationale.
 - Potential risks or side effects.
 **Section 2: `## Changes`**
 - For each modified or created file: the filename on a separate line in backticks, followed by the code block.
 - For files **under 200 lines**: return the full file with all changes applied.
 - For files **over 200 lines**: return only the changed functions/blocks with at least 3 lines of surrounding context above and below. If the user requests the full file, provide it.
 - New files: full file content.
 - End with a suggested git commit message in English.
 #### Reporting Out-of-Scope Issues
 If during modification you discover issues outside the requested scope (potential bugs, unsafe code, architectural concerns, missing error handling, unused imports, dead code):
 - Do not fix them silently.
 - List them under `## ⚠️ Out-of-scope observations` at the end of your response.
 - Include: file path, line/function context, brief description of the issue, and severity estimate.
 #### Splitting Protocol
 If the response exceeds the output limit:
 1. End the current part with: **SPLIT: PART N — CONTINUE? (remaining: file_list)**
 2. List the files that will be provided in subsequent parts.
 3. Wait for user confirmation before continuing.
 4. No single file may be split across parts.
 ## 11. Anti-LLM Degeneration Safeguards (Principal-Paranoid, Visionary)
 This section exists to prevent common LLM failure modes: scope creep, semantic drift, cargo-cult refactors, performance regressions, contract breakage, and hidden behavior changes.
 ### 11.1 Non-Negotiable Invariants
 - **No semantic drift:** Do not reinterpret requirements, rename concepts, or change meaning of existing terms.
 - **No “helpful refactors”:** Any refactor not explicitly requested is forbidden.
 - **No architectural drift:** Do not introduce new layers, patterns, abstractions, or “clean architecture” migrations unless requested.
 - **No dependency drift:** Do not add crates, features, or versions unless explicitly requested.
 - **No behavior drift:** If a change could alter runtime behavior, you MUST call it out explicitly in `## Reasoning` and justify it.
 ### 11.2 Minimal Surface Area Rule
 - Touch the smallest number of files possible.
 - Prefer local changes over cross-cutting edits.
 - Do not “align style” across a file/module—only adjust the modified region.
 - Do not reorder items, imports, or code unless required for correctness.
 ### 11.3 No Implicit Contract Changes
 Contracts include:
 - public APIs, trait bounds, visibility, error types, timeouts/retries, logging semantics, metrics semantics,
 - protocol formats, framing, padding, keepalive cadence, state machine transitions,
 - concurrency guarantees, cancellation behavior, backpressure behavior.
 Rule:
 - If you change a contract, you MUST update all dependents in the same patch AND document the contract delta explicitly.
 ### 11.4 Hot-Path Preservation (Performance Paranoia)
 - Do not introduce extra allocations, cloning, or formatting in hot paths.
 - Do not add logging/metrics on hot paths unless requested.
 - Do not add new locks or broaden lock scope.
 - Prefer `&str` / slices / borrowed data where the codebase already does so.
 - Avoid `String` building for errors/logs if it changes current patterns.
 If you cannot prove performance neutrality, label it as risk in `## Reasoning`.
 ### 11.5 Async / Concurrency Safety (Cancellation & Backpressure)
 - No blocking calls inside async contexts.
 - Preserve cancellation safety: do not introduce `await` between lock acquisition and critical invariants unless already present.
 - Preserve backpressure: do not replace bounded channels with unbounded, do not remove flow control.
 - Do not change task lifecycle semantics (spawn patterns, join handles, shutdown order) unless requested.
 - Do not introduce `tokio::spawn` / background tasks unless explicitly requested.
 ### 11.6 Error Semantics Integrity
 - Do not replace structured errors with generic strings.
 - Do not widen/narrow error types or change error categories without explicit approval.
 - Avoid introducing panics in production paths (`unwrap`, `expect`) unless the codebase already treats that path as impossible and documented.
 ### 11.7 “No New Abstractions” Default
 Default stance:
 - No new traits, generics, macros, builder patterns, type-level cleverness, or “frameworking”.
 - If abstraction is necessary, prefer the smallest possible local helper (private function) and justify it.
 ### 11.8 Negative-Diff Protection
 Avoid “diff inflation” patterns:
 - mass edits,
 - moving code between files,
 - rewrapping long lines,
 - rearranging module order,
 - renaming for aesthetics.
 If a diff becomes large, STOP and ask before proceeding.
 ### 11.9 Consistency with Existing Style (But Not Style Refactors)
 - Follow existing conventions of the touched module (naming, error style, return patterns).
 - Do not enforce global “best practices” that the codebase does not already use.
 ### 11.10 Two-Phase Safety Gate (Plan → Patch)
 For non-trivial changes:
 1) Provide a micro-plan (1–5 bullets): what files, what functions, what invariants, what risks.
 2) Implement exactly that plan—no extra improvements.
 ### 11.11 Pre-Response Checklist (Hard Gate)
 Before final output, verify internally:
 - No unresolved symbols / broken imports.
 - No partially updated call sites.
 - No new public surface changes unless requested.
 - No transitional states / TODO placeholders replacing working code.
 - Changes are atomic: the repository remains buildable and runnable.
 - Any behavior change is explicitly stated.
 If any check fails: fix it before responding.
 ### 11.12 Truthfulness Policy (No Hallucinated Claims)
 - Do not claim “this compiles” or “tests pass” unless you actually verified with the available tooling/context.
 - If verification is not possible, state: “Not executed; reasoning-based consistency check only.”
 ### 11.13 Visionary Guardrail: Preserve Optionality
 When multiple valid designs exist, prefer the one that:
 - minimally constrains future evolution,
 - preserves existing extension points,
 - avoids locking the project into a new paradigm,
 - keeps interfaces stable and implementation local.
 Default to reversible changes.
 ### 11.14 Stop Conditions
 STOP and ask targeted questions if:
 - required context is missing,
 - a change would cross module boundaries,
 - a contract might change,
 - concurrency/protocol invariants are unclear,
 - the diff is growing beyond a minimal patch.
 No guessing.
 ### 12. Invariant Preservation
 You MUST explicitly preserve:
 - Thread-safety guarantees (`Send` / `Sync` expectations).
 - Memory safety assumptions (no hidden `unsafe` expansions).
 - Lock ordering and deadlock invariants.
 - State machine correctness (no new invalid transitions).
 - Backward compatibility of serialized formats (if applicable).
 If a change touches concurrency, networking, protocol logic, or state machines,
 you MUST explain why existing invariants remain valid.
 ### 13. Error Handling Policy
 - Do not replace structured errors with generic strings.
 - Preserve existing error propagation semantics.
 - Do not widen or narrow error types without approval.
 - Avoid introducing panics in production paths.
 - Prefer explicit error mapping over implicit conversions.
 ### 14. Test Safety
 - Do not modify existing tests unless the task explicitly requires it.
 - Do not weaken assertions.
 - Preserve determinism in testable components.
 ### 15. Security Constraints
 - Do not weaken cryptographic assumptions.
 - Do not modify key derivation logic without explicit request.
 - Do not change constant-time behavior.
 - Do not introduce logging of secrets.
 - Preserve TLS/MTProto protocol correctness.
 ### 16. Logging Policy
 - Do not introduce excessive logging in hot paths.
 - Do not log sensitive data.
 - Preserve existing log levels and style.
 ### 17. Pre-Response Verification Checklist
 Before producing the final answer, verify internally:
 - The change compiles conceptually.
 - No unresolved symbols exist.
 - All modified call sites are updated.
 - No accidental behavioral changes were introduced.
 - Architectural boundaries remain intact.
 ### 18. Atomic Change Principle
 Every patch must be **atomic and production-safe**.
 * **Self-contained** — no dependency on future patches or unimplemented components.
 * **Build-safe** — the project must compile successfully after the change.
 * **Contract-consistent** — no partial interface or behavioral changes; all dependent code must be updated within the same patch.
 * **No transitional states** — no placeholders, incomplete refactors, or temporary inconsistencies.
 **Invariant:** After any single patch, the repository remains fully functional and buildable.
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2087,7 +2087,7 @@ dependencies = [
 [[package]]
 name = "telemt"
-version = "3.0.10"
+version = "3.0.13"
 dependencies = [
 "aes",
 "anyhow",
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "telemt"
-version = "3.0.12"
+version = "3.0.15"
 edition = "2024"
 [dependencies]
--- a/4
+++ b/4
@@ -1,7 +1,7 @@
 # ==========================
 # Stage 1: Build
 # ==========================
-FROM rust:1.85-slim-bookworm AS builder
+FROM rust:1.88-slim-bookworm AS builder
 RUN apt-get update && apt-get install -y --no-install-recommends \
    pkg-config \
@@ -40,4 +40,4 @@ EXPOSE 443
 EXPOSE 9090
 ENTRYPOINT ["/app/telemt"]
-CMD ["config.toml"]
+CMD ["config.toml"]
--- a/README.md
+++ b/README.md
@@ -31,7 +31,7 @@
 - Улучшение обработки ошибок в edge-case транспортных сценариях  
 Релиз:  
-[3.0.9](https://github.com/telemt/telemt/releases/tag/3.0.9)
+[3.0.12](https://github.com/telemt/telemt/releases/tag/3.0.12)
 ---
@@ -69,7 +69,7 @@ Additionally, we implemented a set of robustness enhancements designed to:
 - Improve error handling in edge-case transport scenarios
 Release:  
-[3.0.9](https://github.com/telemt/telemt/releases/tag/3.0.9)
+[3.0.12](https://github.com/telemt/telemt/releases/tag/3.0.12)
 ---
--- a/config.toml
+++ b/config.toml
@@ -23,7 +23,7 @@ middle_proxy_nat_stun = "stun.l.google.com:19302"
 # Optional fallback STUN servers list.
 middle_proxy_nat_stun_servers = ["stun1.l.google.com:19302", "stun2.l.google.com:19302"]
 # Desired number of concurrent ME writers in pool.
-middle_proxy_pool_size = 16
+middle_proxy_pool_size = 8
 # Pre-initialized warm-standby ME connections kept idle.
 middle_proxy_warm_standby = 8
 # Ignore STUN/interface mismatch and keep ME enabled even if IP differs.
@@ -38,10 +38,25 @@ me_warmup_stagger_enabled = true
 me_warmup_step_delay_ms = 500             # Base delay between extra connects
 me_warmup_step_jitter_ms = 300            # Jitter for warmup delay
 # Reconnect policy knobs.
-me_reconnect_max_concurrent_per_dc = 1    # Parallel reconnects per DC - EXPERIMENTAL! UNSTABLE!
+me_reconnect_max_concurrent_per_dc = 4    # Parallel reconnects per DC - EXPERIMENTAL! UNSTABLE!
 me_reconnect_backoff_base_ms = 500        # Backoff start
 me_reconnect_backoff_cap_ms = 30000       # Backoff cap
 me_reconnect_fast_retry_count = 11        # Quick retries before backoff
 update_every = 7200                       # Resolve the active updater interval for ME infrastructure refresh tasks.
 crypto_pending_buffer = 262144            # Max pending ciphertext buffer per client writer (bytes). Controls FakeTLS backpressure vs throughput.
 max_client_frame = 16777216               # Maximum allowed client MTProto frame size (bytes).
 desync_all_full = false                   # Emit full crypto-desync forensic logs for every event. When false, full forensic details are emitted once per key window.
 auto_degradation_enabled = true           # Enable auto-degradation from ME to Direct-DC.
 degradation_min_unavailable_dc_groups = 2 # Minimum unavailable ME DC groups before degrading.
 hardswap = true                           # Enable C-like hard-swap for ME pool generations. When true, Telemt prewarms a new generation and switches once full coverage is reached.
 me_pool_drain_ttl_secs = 90               # Drain-TTL in seconds for stale ME writers after endpoint map changes. During TTL, stale writers may be used only as fallback for new bindings.
 me_pool_min_fresh_ratio = 0.8             # Minimum desired-DC coverage ratio required before draining stale writers. Range: 0.0..=1.0.
 me_reinit_drain_timeout_secs = 120        # Drain timeout in seconds for stale ME writers after endpoint map changes. Set to 0 to keep stale writers draining indefinitely (no force-close).
 me_config_stable_snapshots = 2            # Number of identical getProxyConfig snapshots required before applying ME map updates.
 me_config_apply_cooldown_secs = 300       # Cooldown in seconds between applied ME map updates.
 proxy_secret_rotate_runtime = true        # Enable runtime proxy-secret rotation from getProxySecret.
 proxy_secret_stable_snapshots = 2         # Number of identical getProxySecret snapshots required before runtime secret rotation.
 proxy_secret_len_max = 256                # Maximum allowed proxy-secret length in bytes for startup and runtime refresh.
 [general.modes]
 classic = false
--- a/src/cli.rs
+++ b/src/cli.rs
@@ -196,7 +196,10 @@ use_middle_proxy = false
 log_level = "normal"
 desync_all_full = false
 update_every = 43200
-me_reinit_drain_timeout_secs = 300
+hardswap = false
 me_pool_drain_ttl_secs = 90
 me_pool_min_fresh_ratio = 0.8
 me_reinit_drain_timeout_secs = 120
 [network]
 ipv4 = true
--- a/src/config/defaults.rs
+++ b/src/config/defaults.rs
@@ -1,4 +1,3 @@
 use std::net::IpAddr;
 use std::collections::HashMap;
 use ipnetwork::IpNetwork;
 use serde::Deserialize;
@@ -83,7 +82,7 @@ pub(crate) fn default_unknown_dc_log_path() -> Option<String> {
 }
 pub(crate) fn default_pool_size() -> usize {
-    2
+    8
 }
 pub(crate) fn default_keepalive_interval() -> u64 {
@@ -144,10 +143,18 @@ pub(crate) fn default_alpn_enforce() -> bool {
 pub(crate) fn default_stun_servers() -> Vec<String> {
    vec![
        "stun.l.google.com:5349".to_string(),
        "stun1.l.google.com:3478".to_string(),
        "stun.gmx.net:3478".to_string(),
        "stun.l.google.com:19302".to_string(),
        "stun.1und1.de:3478".to_string(),
        "stun1.l.google.com:19302".to_string(),
        "stun2.l.google.com:19302".to_string(),
        "stun3.l.google.com:19302".to_string(),
        "stun4.l.google.com:19302".to_string(),
        "stun.services.mozilla.com:3478".to_string(),
        "stun.stunprotocol.org:3478".to_string(),
        "stun.nextcloud.com:3478".to_string(),
        "stun.voip.eutelia.it:3478".to_string(),
    ]
 }
@@ -164,19 +171,71 @@ pub(crate) fn default_cache_public_ip_path() -> String {
 }
 pub(crate) fn default_proxy_secret_reload_secs() -> u64 {
-    12 * 60 * 60
+    60 * 60
 }
 pub(crate) fn default_proxy_config_reload_secs() -> u64 {
-    12 * 60 * 60
+    60 * 60
 }
 pub(crate) fn default_update_every_secs() -> u64 {
-    2 * 60 * 60
+    30 * 60
 }
 pub(crate) fn default_me_reinit_every_secs() -> u64 {
    15 * 60
 }
 pub(crate) fn default_me_hardswap_warmup_delay_min_ms() -> u64 {
    1000
 }
 pub(crate) fn default_me_hardswap_warmup_delay_max_ms() -> u64 {
    2000
 }
 pub(crate) fn default_me_hardswap_warmup_extra_passes() -> u8 {
    3
 }
 pub(crate) fn default_me_hardswap_warmup_pass_backoff_base_ms() -> u64 {
    500
 }
 pub(crate) fn default_me_config_stable_snapshots() -> u8 {
    2
 }
 pub(crate) fn default_me_config_apply_cooldown_secs() -> u64 {
    300
 }
 pub(crate) fn default_proxy_secret_stable_snapshots() -> u8 {
    2
 }
 pub(crate) fn default_proxy_secret_rotate_runtime() -> bool {
    true
 }
 pub(crate) fn default_proxy_secret_len_max() -> usize {
    256
 }
 pub(crate) fn default_me_reinit_drain_timeout_secs() -> u64 {
-    300
+    120
 }
 pub(crate) fn default_me_pool_drain_ttl_secs() -> u64 {
    90
 }
 pub(crate) fn default_me_pool_min_fresh_ratio() -> f32 {
    0.8
 }
 pub(crate) fn default_hardswap() -> bool {
    true
 }
 pub(crate) fn default_ntp_check() -> bool {
--- a/src/config/hot_reload.rs
+++ b/src/config/hot_reload.rs
@@ -12,6 +12,9 @@
 //! | `general` | `me_keepalive_*`              | Passed on next connection         |
 //! | `general` | `desync_all_full`             | Applied immediately               |
 //! | `general` | `update_every`                | Applied to ME updater immediately |
 //! | `general` | `hardswap`                    | Applied on next ME map update     |
 //! | `general` | `me_pool_drain_ttl_secs`      | Applied on next ME map update     |
 //! | `general` | `me_pool_min_fresh_ratio`     | Applied on next ME map update     |
 //! | `general` | `me_reinit_drain_timeout_secs`| Applied on next ME map update     |
 //! | `access`  | All user/quota fields         | Effective immediately             |
 //!
@@ -39,6 +42,9 @@ pub struct HotFields {
    pub middle_proxy_pool_size:  usize,
    pub desync_all_full:         bool,
    pub update_every_secs:       u64,
    pub hardswap:                bool,
    pub me_pool_drain_ttl_secs:  u64,
    pub me_pool_min_fresh_ratio: f32,
    pub me_reinit_drain_timeout_secs: u64,
    pub me_keepalive_enabled:    bool,
    pub me_keepalive_interval_secs: u64,
@@ -55,6 +61,9 @@ impl HotFields {
            middle_proxy_pool_size:  cfg.general.middle_proxy_pool_size,
            desync_all_full:         cfg.general.desync_all_full,
            update_every_secs:       cfg.general.effective_update_every_secs(),
            hardswap:                cfg.general.hardswap,
            me_pool_drain_ttl_secs:  cfg.general.me_pool_drain_ttl_secs,
            me_pool_min_fresh_ratio: cfg.general.me_pool_min_fresh_ratio,
            me_reinit_drain_timeout_secs: cfg.general.me_reinit_drain_timeout_secs,
            me_keepalive_enabled:    cfg.general.me_keepalive_enabled,
            me_keepalive_interval_secs: cfg.general.me_keepalive_interval_secs,
@@ -198,6 +207,27 @@ fn log_changes(
        );
    }
    if old_hot.hardswap != new_hot.hardswap {
        info!(
            "config reload: hardswap: {} → {}",
            old_hot.hardswap, new_hot.hardswap,
        );
    }
    if old_hot.me_pool_drain_ttl_secs != new_hot.me_pool_drain_ttl_secs {
        info!(
            "config reload: me_pool_drain_ttl_secs: {}s → {}s",
            old_hot.me_pool_drain_ttl_secs, new_hot.me_pool_drain_ttl_secs,
        );
    }
    if (old_hot.me_pool_min_fresh_ratio - new_hot.me_pool_min_fresh_ratio).abs() > f32::EPSILON {
        info!(
            "config reload: me_pool_min_fresh_ratio: {:.3} → {:.3}",
            old_hot.me_pool_min_fresh_ratio, new_hot.me_pool_min_fresh_ratio,
        );
    }
    if old_hot.me_reinit_drain_timeout_secs != new_hot.me_reinit_drain_timeout_secs {
        info!(
            "config reload: me_reinit_drain_timeout_secs: {}s → {}s",
--- a/src/config/load.rs
+++ b/src/config/load.rs
@@ -1,3 +1,5 @@
 #![allow(deprecated)]
 use std::collections::HashMap;
 use std::net::IpAddr;
 use std::path::Path;
@@ -145,6 +147,74 @@ impl ProxyConfig {
            }
        }
        if config.general.me_reinit_every_secs == 0 {
            return Err(ProxyError::Config(
                "general.me_reinit_every_secs must be > 0".to_string(),
            ));
        }
        if config.general.me_hardswap_warmup_delay_max_ms == 0 {
            return Err(ProxyError::Config(
                "general.me_hardswap_warmup_delay_max_ms must be > 0".to_string(),
            ));
        }
        if config.general.me_hardswap_warmup_delay_min_ms
            > config.general.me_hardswap_warmup_delay_max_ms
        {
            return Err(ProxyError::Config(
                "general.me_hardswap_warmup_delay_min_ms must be <= general.me_hardswap_warmup_delay_max_ms".to_string(),
            ));
        }
        if config.general.me_hardswap_warmup_extra_passes > 10 {
            return Err(ProxyError::Config(
                "general.me_hardswap_warmup_extra_passes must be within [0, 10]".to_string(),
            ));
        }
        if config.general.me_hardswap_warmup_pass_backoff_base_ms == 0 {
            return Err(ProxyError::Config(
                "general.me_hardswap_warmup_pass_backoff_base_ms must be > 0".to_string(),
            ));
        }
        if config.general.me_config_stable_snapshots == 0 {
            return Err(ProxyError::Config(
                "general.me_config_stable_snapshots must be > 0".to_string(),
            ));
        }
        if config.general.proxy_secret_stable_snapshots == 0 {
            return Err(ProxyError::Config(
                "general.proxy_secret_stable_snapshots must be > 0".to_string(),
            ));
        }
        if !(32..=4096).contains(&config.general.proxy_secret_len_max) {
            return Err(ProxyError::Config(
                "general.proxy_secret_len_max must be within [32, 4096]".to_string(),
            ));
        }
        if !(0.0..=1.0).contains(&config.general.me_pool_min_fresh_ratio) {
            return Err(ProxyError::Config(
                "general.me_pool_min_fresh_ratio must be within [0.0, 1.0]".to_string(),
            ));
        }
        if config.general.effective_me_pool_force_close_secs() > 0
            && config.general.effective_me_pool_force_close_secs()
                < config.general.me_pool_drain_ttl_secs
        {
            warn!(
                me_pool_drain_ttl_secs = config.general.me_pool_drain_ttl_secs,
                me_reinit_drain_timeout_secs = config.general.effective_me_pool_force_close_secs(),
                "force-close timeout is lower than drain TTL; bumping force-close timeout to TTL"
            );
            config.general.me_reinit_drain_timeout_secs = config.general.me_pool_drain_ttl_secs;
        }
        // Validate secrets.
        for (user, secret) in &config.access.users {
            if !secret.chars().all(|c| c.is_ascii_hexdigit()) || secret.len() != 32 {
@@ -258,23 +328,25 @@ impl ProxyConfig {
                    reuse_allow: false,
                });
            }
-            if let Some(ipv6_str) = &config.server.listen_addr_ipv6 {
+            if let Some(ipv6_str) = &config.server.listen_addr_ipv6
-                if let Ok(ipv6) = ipv6_str.parse::<IpAddr>() {
+                && let Ok(ipv6) = ipv6_str.parse::<IpAddr>()
-                    config.server.listeners.push(ListenerConfig {
+            {
-                        ip: ipv6,
+                config.server.listeners.push(ListenerConfig {
-                        announce: None,
+                    ip: ipv6,
-                        announce_ip: None,
+                    announce: None,
-                        proxy_protocol: None,
+                    announce_ip: None,
-                        reuse_allow: false,
+                    proxy_protocol: None,
-                    });
+                    reuse_allow: false,
-                }
+                });
            }
        }
        // Migration: announce_ip → announce for each listener.
        for listener in &mut config.server.listeners {
-            if listener.announce.is_none() && listener.announce_ip.is_some() {
+            if listener.announce.is_none()
-                listener.announce = Some(listener.announce_ip.unwrap().to_string());
+                && let Some(ip) = listener.announce_ip.take()
            {
                listener.announce = Some(ip.to_string());
            }
        }
@@ -439,4 +511,260 @@ mod tests {
        assert!(err.contains("general.update_every must be > 0"));
        let _ = std::fs::remove_file(path);
    }
    #[test]
    fn me_reinit_every_default_is_set() {
        let toml = r#"
            [censorship]
            tls_domain = "example.com"
            [access.users]
            user = "00000000000000000000000000000000"
        "#;
        let dir = std::env::temp_dir();
        let path = dir.join("telemt_me_reinit_every_default_test.toml");
        std::fs::write(&path, toml).unwrap();
        let cfg = ProxyConfig::load(&path).unwrap();
        assert_eq!(
            cfg.general.me_reinit_every_secs,
            default_me_reinit_every_secs()
        );
        let _ = std::fs::remove_file(path);
    }
    #[test]
    fn me_reinit_every_zero_is_rejected() {
        let toml = r#"
            [general]
            me_reinit_every_secs = 0
            [censorship]
            tls_domain = "example.com"
            [access.users]
            user = "00000000000000000000000000000000"
        "#;
        let dir = std::env::temp_dir();
        let path = dir.join("telemt_me_reinit_every_zero_test.toml");
        std::fs::write(&path, toml).unwrap();
        let err = ProxyConfig::load(&path).unwrap_err().to_string();
        assert!(err.contains("general.me_reinit_every_secs must be > 0"));
        let _ = std::fs::remove_file(path);
    }
    #[test]
    fn me_hardswap_warmup_defaults_are_set() {
        let toml = r#"
            [censorship]
            tls_domain = "example.com"
            [access.users]
            user = "00000000000000000000000000000000"
        "#;
        let dir = std::env::temp_dir();
        let path = dir.join("telemt_me_hardswap_warmup_defaults_test.toml");
        std::fs::write(&path, toml).unwrap();
        let cfg = ProxyConfig::load(&path).unwrap();
        assert_eq!(
            cfg.general.me_hardswap_warmup_delay_min_ms,
            default_me_hardswap_warmup_delay_min_ms()
        );
        assert_eq!(
            cfg.general.me_hardswap_warmup_delay_max_ms,
            default_me_hardswap_warmup_delay_max_ms()
        );
        assert_eq!(
            cfg.general.me_hardswap_warmup_extra_passes,
            default_me_hardswap_warmup_extra_passes()
        );
        assert_eq!(
            cfg.general.me_hardswap_warmup_pass_backoff_base_ms,
            default_me_hardswap_warmup_pass_backoff_base_ms()
        );
        let _ = std::fs::remove_file(path);
    }
    #[test]
    fn me_hardswap_warmup_delay_range_is_validated() {
        let toml = r#"
            [general]
            me_hardswap_warmup_delay_min_ms = 2001
            me_hardswap_warmup_delay_max_ms = 2000
            [censorship]
            tls_domain = "example.com"
            [access.users]
            user = "00000000000000000000000000000000"
        "#;
        let dir = std::env::temp_dir();
        let path = dir.join("telemt_me_hardswap_warmup_delay_range_test.toml");
        std::fs::write(&path, toml).unwrap();
        let err = ProxyConfig::load(&path).unwrap_err().to_string();
        assert!(err.contains(
            "general.me_hardswap_warmup_delay_min_ms must be <= general.me_hardswap_warmup_delay_max_ms"
        ));
        let _ = std::fs::remove_file(path);
    }
    #[test]
    fn me_hardswap_warmup_delay_max_zero_is_rejected() {
        let toml = r#"
            [general]
            me_hardswap_warmup_delay_max_ms = 0
            [censorship]
            tls_domain = "example.com"
            [access.users]
            user = "00000000000000000000000000000000"
        "#;
        let dir = std::env::temp_dir();
        let path = dir.join("telemt_me_hardswap_warmup_delay_max_zero_test.toml");
        std::fs::write(&path, toml).unwrap();
        let err = ProxyConfig::load(&path).unwrap_err().to_string();
        assert!(err.contains("general.me_hardswap_warmup_delay_max_ms must be > 0"));
        let _ = std::fs::remove_file(path);
    }
    #[test]
    fn me_hardswap_warmup_extra_passes_out_of_range_is_rejected() {
        let toml = r#"
            [general]
            me_hardswap_warmup_extra_passes = 11
            [censorship]
            tls_domain = "example.com"
            [access.users]
            user = "00000000000000000000000000000000"
        "#;
        let dir = std::env::temp_dir();
        let path = dir.join("telemt_me_hardswap_warmup_extra_passes_test.toml");
        std::fs::write(&path, toml).unwrap();
        let err = ProxyConfig::load(&path).unwrap_err().to_string();
        assert!(err.contains("general.me_hardswap_warmup_extra_passes must be within [0, 10]"));
        let _ = std::fs::remove_file(path);
    }
    #[test]
    fn me_hardswap_warmup_pass_backoff_zero_is_rejected() {
        let toml = r#"
            [general]
            me_hardswap_warmup_pass_backoff_base_ms = 0
            [censorship]
            tls_domain = "example.com"
            [access.users]
            user = "00000000000000000000000000000000"
        "#;
        let dir = std::env::temp_dir();
        let path = dir.join("telemt_me_hardswap_warmup_backoff_zero_test.toml");
        std::fs::write(&path, toml).unwrap();
        let err = ProxyConfig::load(&path).unwrap_err().to_string();
        assert!(err.contains("general.me_hardswap_warmup_pass_backoff_base_ms must be > 0"));
        let _ = std::fs::remove_file(path);
    }
    #[test]
    fn me_config_stable_snapshots_zero_is_rejected() {
        let toml = r#"
            [general]
            me_config_stable_snapshots = 0
            [censorship]
            tls_domain = "example.com"
            [access.users]
            user = "00000000000000000000000000000000"
        "#;
        let dir = std::env::temp_dir();
        let path = dir.join("telemt_me_config_stable_snapshots_zero_test.toml");
        std::fs::write(&path, toml).unwrap();
        let err = ProxyConfig::load(&path).unwrap_err().to_string();
        assert!(err.contains("general.me_config_stable_snapshots must be > 0"));
        let _ = std::fs::remove_file(path);
    }
    #[test]
    fn proxy_secret_stable_snapshots_zero_is_rejected() {
        let toml = r#"
            [general]
            proxy_secret_stable_snapshots = 0
            [censorship]
            tls_domain = "example.com"
            [access.users]
            user = "00000000000000000000000000000000"
        "#;
        let dir = std::env::temp_dir();
        let path = dir.join("telemt_proxy_secret_stable_snapshots_zero_test.toml");
        std::fs::write(&path, toml).unwrap();
        let err = ProxyConfig::load(&path).unwrap_err().to_string();
        assert!(err.contains("general.proxy_secret_stable_snapshots must be > 0"));
        let _ = std::fs::remove_file(path);
    }
    #[test]
    fn proxy_secret_len_max_out_of_range_is_rejected() {
        let toml = r#"
            [general]
            proxy_secret_len_max = 16
            [censorship]
            tls_domain = "example.com"
            [access.users]
            user = "00000000000000000000000000000000"
        "#;
        let dir = std::env::temp_dir();
        let path = dir.join("telemt_proxy_secret_len_max_out_of_range_test.toml");
        std::fs::write(&path, toml).unwrap();
        let err = ProxyConfig::load(&path).unwrap_err().to_string();
        assert!(err.contains("general.proxy_secret_len_max must be within [32, 4096]"));
        let _ = std::fs::remove_file(path);
    }
    #[test]
    fn me_pool_min_fresh_ratio_out_of_range_is_rejected() {
        let toml = r#"
            [general]
            me_pool_min_fresh_ratio = 1.5
            [censorship]
            tls_domain = "example.com"
            [access.users]
            user = "00000000000000000000000000000000"
        "#;
        let dir = std::env::temp_dir();
        let path = dir.join("telemt_me_pool_min_ratio_invalid_test.toml");
        std::fs::write(&path, toml).unwrap();
        let err = ProxyConfig::load(&path).unwrap_err().to_string();
        assert!(err.contains("general.me_pool_min_fresh_ratio must be within [0.0, 1.0]"));
        let _ = std::fs::remove_file(path);
    }
    #[test]
    fn force_close_bumped_when_below_drain_ttl() {
        let toml = r#"
            [general]
            me_pool_drain_ttl_secs = 90
            me_reinit_drain_timeout_secs = 30
            [censorship]
            tls_domain = "example.com"
            [access.users]
            user = "00000000000000000000000000000000"
        "#;
        let dir = std::env::temp_dir();
        let path = dir.join("telemt_force_close_bump_test.toml");
        std::fs::write(&path, toml).unwrap();
        let cfg = ProxyConfig::load(&path).unwrap();
        assert_eq!(cfg.general.me_reinit_drain_timeout_secs, 90);
        let _ = std::fs::remove_file(path);
    }
 }
--- a/src/config/types.rs
+++ b/src/config/types.rs
@@ -206,6 +206,11 @@ pub struct GeneralConfig {
    #[serde(default = "default_desync_all_full")]
    pub desync_all_full: bool,
    /// Enable C-like hard-swap for ME pool generations.
    /// When true, Telemt prewarms a new generation and switches once full coverage is reached.
    #[serde(default = "default_hardswap")]
    pub hardswap: bool,
    /// Enable staggered warmup of extra ME writers.
    #[serde(default = "default_true")]
    pub me_warmup_stagger_enabled: bool,
@@ -262,6 +267,56 @@ pub struct GeneralConfig {
    #[serde(default)]
    pub update_every: Option<u64>,
    /// Periodic ME pool reinitialization interval in seconds.
    #[serde(default = "default_me_reinit_every_secs")]
    pub me_reinit_every_secs: u64,
    /// Minimum delay in ms between hardswap warmup connect attempts.
    #[serde(default = "default_me_hardswap_warmup_delay_min_ms")]
    pub me_hardswap_warmup_delay_min_ms: u64,
    /// Maximum delay in ms between hardswap warmup connect attempts.
    #[serde(default = "default_me_hardswap_warmup_delay_max_ms")]
    pub me_hardswap_warmup_delay_max_ms: u64,
    /// Additional warmup passes in the same hardswap cycle after the base pass.
    #[serde(default = "default_me_hardswap_warmup_extra_passes")]
    pub me_hardswap_warmup_extra_passes: u8,
    /// Base backoff in ms between hardswap warmup passes when floor is still incomplete.
    #[serde(default = "default_me_hardswap_warmup_pass_backoff_base_ms")]
    pub me_hardswap_warmup_pass_backoff_base_ms: u64,
    /// Number of identical getProxyConfig snapshots required before applying ME map updates.
    #[serde(default = "default_me_config_stable_snapshots")]
    pub me_config_stable_snapshots: u8,
    /// Cooldown in seconds between applied ME map updates.
    #[serde(default = "default_me_config_apply_cooldown_secs")]
    pub me_config_apply_cooldown_secs: u64,
    /// Number of identical getProxySecret snapshots required before runtime secret rotation.
    #[serde(default = "default_proxy_secret_stable_snapshots")]
    pub proxy_secret_stable_snapshots: u8,
    /// Enable runtime proxy-secret rotation from getProxySecret.
    #[serde(default = "default_proxy_secret_rotate_runtime")]
    pub proxy_secret_rotate_runtime: bool,
    /// Maximum allowed proxy-secret length in bytes for startup and runtime refresh.
    #[serde(default = "default_proxy_secret_len_max")]
    pub proxy_secret_len_max: usize,
    /// Drain-TTL in seconds for stale ME writers after endpoint map changes.
    /// During TTL, stale writers may be used only as fallback for new bindings.
    #[serde(default = "default_me_pool_drain_ttl_secs")]
    pub me_pool_drain_ttl_secs: u64,
    /// Minimum desired-DC coverage ratio required before draining stale writers.
    /// Range: 0.0..=1.0.
    #[serde(default = "default_me_pool_min_fresh_ratio")]
    pub me_pool_min_fresh_ratio: f32,
    /// Drain timeout in seconds for stale ME writers after endpoint map changes.
    /// Set to 0 to keep stale writers draining indefinitely (no force-close).
    #[serde(default = "default_me_reinit_drain_timeout_secs")]
@@ -308,7 +363,7 @@ impl Default for GeneralConfig {
            middle_proxy_nat_stun: None,
            middle_proxy_nat_stun_servers: Vec::new(),
            middle_proxy_pool_size: default_pool_size(),
-            middle_proxy_warm_standby: 8,
+            middle_proxy_warm_standby: 16,
            me_keepalive_enabled: true,
            me_keepalive_interval_secs: default_keepalive_interval(),
            me_keepalive_jitter_secs: default_keepalive_jitter(),
@@ -316,7 +371,7 @@ impl Default for GeneralConfig {
            me_warmup_stagger_enabled: true,
            me_warmup_step_delay_ms: default_warmup_step_delay_ms(),
            me_warmup_step_jitter_ms: default_warmup_step_jitter_ms(),
-            me_reconnect_max_concurrent_per_dc: 4,
+            me_reconnect_max_concurrent_per_dc: 8,
            me_reconnect_backoff_base_ms: default_reconnect_backoff_base_ms(),
            me_reconnect_backoff_cap_ms: default_reconnect_backoff_cap_ms(),
            me_reconnect_fast_retry_count: 8,
@@ -328,8 +383,21 @@ impl Default for GeneralConfig {
            crypto_pending_buffer: default_crypto_pending_buffer(),
            max_client_frame: default_max_client_frame(),
            desync_all_full: default_desync_all_full(),
            hardswap: default_hardswap(),
            fast_mode_min_tls_record: default_fast_mode_min_tls_record(),
            update_every: Some(default_update_every_secs()),
            me_reinit_every_secs: default_me_reinit_every_secs(),
            me_hardswap_warmup_delay_min_ms: default_me_hardswap_warmup_delay_min_ms(),
            me_hardswap_warmup_delay_max_ms: default_me_hardswap_warmup_delay_max_ms(),
            me_hardswap_warmup_extra_passes: default_me_hardswap_warmup_extra_passes(),
            me_hardswap_warmup_pass_backoff_base_ms: default_me_hardswap_warmup_pass_backoff_base_ms(),
            me_config_stable_snapshots: default_me_config_stable_snapshots(),
            me_config_apply_cooldown_secs: default_me_config_apply_cooldown_secs(),
            proxy_secret_stable_snapshots: default_proxy_secret_stable_snapshots(),
            proxy_secret_rotate_runtime: default_proxy_secret_rotate_runtime(),
            proxy_secret_len_max: default_proxy_secret_len_max(),
            me_pool_drain_ttl_secs: default_me_pool_drain_ttl_secs(),
            me_pool_min_fresh_ratio: default_me_pool_min_fresh_ratio(),
            me_reinit_drain_timeout_secs: default_me_reinit_drain_timeout_secs(),
            proxy_secret_auto_reload_secs: default_proxy_secret_reload_secs(),
            proxy_config_auto_reload_secs: default_proxy_config_reload_secs(),
@@ -348,6 +416,17 @@ impl GeneralConfig {
        self.update_every
            .unwrap_or_else(|| self.proxy_secret_auto_reload_secs.min(self.proxy_config_auto_reload_secs))
    }
    /// Resolve periodic zero-downtime reinit interval for ME writers.
    pub fn effective_me_reinit_every_secs(&self) -> u64 {
        self.me_reinit_every_secs
    }
    /// Resolve force-close timeout for stale writers.
    /// `me_reinit_drain_timeout_secs` remains backward-compatible alias.
    pub fn effective_me_pool_force_close_secs(&self) -> u64 {
        self.me_reinit_drain_timeout_secs
    }
 }
 /// `[general.links]` — proxy link generation settings.
@@ -653,9 +732,10 @@ pub struct ListenerConfig {
 /// - `show_link = "*"`          — show links for all users
 /// - `show_link = ["a", "b"]`   — show links for specific users
 /// - omitted                    — show no links (default)
-#[derive(Debug, Clone)]
+#[derive(Debug, Clone, Default)]
 pub enum ShowLink {
    /// Don't show any links (default when omitted).
    #[default]
    None,
    /// Show links for all configured users.
    All,
@@ -663,12 +743,6 @@ pub enum ShowLink {
    Specific(Vec<String>),
 }
 impl Default for ShowLink {
    fn default() -> Self {
        ShowLink::None
    }
 }
 impl ShowLink {
    /// Returns true if no links should be shown.
    pub fn is_empty(&self) -> bool {
--- a/src/crypto/aes.rs
+++ b/src/crypto/aes.rs
@@ -11,6 +11,8 @@
 //!   `HandshakeSuccess`, `ObfuscationParams`) are responsible for
 //!   zeroizing their own copies.
 #![allow(dead_code)]
 use aes::Aes256;
 use ctr::{Ctr128BE, cipher::{KeyIvInit, StreamCipher}};
 use zeroize::Zeroize;
@@ -21,13 +23,13 @@ type Aes256Ctr = Ctr128BE<Aes256>;
 // ============= AES-256-CTR =============
 /// AES-256-CTR encryptor/decryptor
-/// 
+///
 /// CTR mode is symmetric — encryption and decryption are the same operation.
 ///
 /// **Zeroize note:** The inner `Aes256Ctr` cipher state (expanded key schedule
-/// + counter) is opaque and cannot be zeroized. If you need to protect key
+///     + counter) is opaque and cannot be zeroized. If you need to protect key
-/// material, zeroize the `[u8; 32]` key and `u128` IV at the call site
+///     material, zeroize the `[u8; 32]` key and `u128` IV at the call site
-/// before dropping them.
+///     before dropping them.
 pub struct AesCtr {
    cipher: Aes256Ctr,
 }
@@ -147,7 +149,7 @@ impl AesCbc {
    ///
    /// CBC Encryption: C[i] = AES_Encrypt(P[i] XOR C[i-1]), where C[-1] = IV
    pub fn encrypt(&self, data: &[u8]) -> Result<Vec<u8>> {
-        if data.len() % Self::BLOCK_SIZE != 0 {
+        if !data.len().is_multiple_of(Self::BLOCK_SIZE) {
            return Err(ProxyError::Crypto(
                format!("CBC data must be aligned to 16 bytes, got {}", data.len())
            ));
@@ -178,7 +180,7 @@ impl AesCbc {
    ///
    /// CBC Decryption: P[i] = AES_Decrypt(C[i]) XOR C[i-1], where C[-1] = IV
    pub fn decrypt(&self, data: &[u8]) -> Result<Vec<u8>> {
-        if data.len() % Self::BLOCK_SIZE != 0 {
+        if !data.len().is_multiple_of(Self::BLOCK_SIZE) {
            return Err(ProxyError::Crypto(
                format!("CBC data must be aligned to 16 bytes, got {}", data.len())
            ));
@@ -207,7 +209,7 @@ impl AesCbc {
    /// Encrypt data in-place
    pub fn encrypt_in_place(&self, data: &mut [u8]) -> Result<()> {
-        if data.len() % Self::BLOCK_SIZE != 0 {
+        if !data.len().is_multiple_of(Self::BLOCK_SIZE) {
            return Err(ProxyError::Crypto(
                format!("CBC data must be aligned to 16 bytes, got {}", data.len())
            ));
@@ -240,7 +242,7 @@ impl AesCbc {
    /// Decrypt data in-place
    pub fn decrypt_in_place(&self, data: &mut [u8]) -> Result<()> {
-        if data.len() % Self::BLOCK_SIZE != 0 {
+        if !data.len().is_multiple_of(Self::BLOCK_SIZE) {
            return Err(ProxyError::Crypto(
                format!("CBC data must be aligned to 16 bytes, got {}", data.len())
            ));
--- a/src/crypto/hash.rs
+++ b/src/crypto/hash.rs
@@ -64,6 +64,7 @@ pub fn crc32c(data: &[u8]) -> u32 {
 ///
 /// Returned buffer layout (IPv4):
 /// nonce_srv | nonce_clt | clt_ts | srv_ip | clt_port | purpose | clt_ip | srv_port | secret | nonce_srv | [clt_v6 | srv_v6] | nonce_clt
 #[allow(clippy::too_many_arguments)]
 pub fn build_middleproxy_prekey(
    nonce_srv: &[u8; 16],
    nonce_clt: &[u8; 16],
@@ -108,6 +109,7 @@ pub fn build_middleproxy_prekey(
 /// Uses MD5 + SHA-1 as mandated by the Telegram Middle Proxy protocol.
 /// These algorithms are NOT replaceable here — changing them would break
 /// interoperability with Telegram's middle proxy infrastructure.
 #[allow(clippy::too_many_arguments)]
 pub fn derive_middleproxy_keys(
    nonce_srv: &[u8; 16],
    nonce_clt: &[u8; 16],
--- a/src/crypto/mod.rs
+++ b/src/crypto/mod.rs
@@ -6,7 +6,6 @@ pub mod random;
 pub use aes::{AesCtr, AesCbc};
 pub use hash::{
-    build_middleproxy_prekey, crc32, crc32c, derive_middleproxy_keys, md5, sha1, sha256,
+    build_middleproxy_prekey, crc32, crc32c, derive_middleproxy_keys, sha256, sha256_hmac,
    sha256_hmac,
 };
 pub use random::SecureRandom;
--- a/src/crypto/random.rs
+++ b/src/crypto/random.rs
@@ -1,5 +1,8 @@
 //! Pseudorandom
 #![allow(deprecated)]
 #![allow(dead_code)]
 use rand::{Rng, RngCore, SeedableRng};
 use rand::rngs::StdRng;
 use parking_lot::Mutex;
@@ -92,7 +95,7 @@ impl SecureRandom {
            return 0;
        }
-        let bytes_needed = (k + 7) / 8;
+        let bytes_needed = k.div_ceil(8);
        let bytes = self.bytes(bytes_needed.min(8));
        let mut result = 0u64;
--- a/src/error.rs
+++ b/src/error.rs
@@ -1,5 +1,7 @@
 //! Error Types
 #![allow(dead_code)]
 use std::fmt;
 use std::net::SocketAddr;
 use thiserror::Error;
@@ -89,7 +91,7 @@ impl From<StreamError> for std::io::Error {
                std::io::Error::new(std::io::ErrorKind::UnexpectedEof, err)
            }
            StreamError::Poisoned { .. } => {
-                std::io::Error::new(std::io::ErrorKind::Other, err)
+                std::io::Error::other(err)
            }
            StreamError::BufferOverflow { .. } => {
                std::io::Error::new(std::io::ErrorKind::OutOfMemory, err)
@@ -98,7 +100,7 @@ impl From<StreamError> for std::io::Error {
                std::io::Error::new(std::io::ErrorKind::InvalidData, err)
            }
            StreamError::PartialRead { .. } | StreamError::PartialWrite { .. } => {
-                std::io::Error::new(std::io::ErrorKind::Other, err)
+                std::io::Error::other(err)
            }
        }
    }
@@ -133,12 +135,7 @@ impl Recoverable for StreamError {
    }
    fn can_continue(&self) -> bool {
-        match self {
+        !matches!(self, Self::Poisoned { .. } | Self::UnexpectedEof | Self::BufferOverflow { .. })
            Self::Poisoned { .. } => false,
            Self::UnexpectedEof => false,
            Self::BufferOverflow { .. } => false,
            _ => true,
        }
    }
 }
--- a/src/ip_tracker.rs
+++ b/src/ip_tracker.rs
@@ -1,5 +1,7 @@
 // src/ip_tracker.rs
-// Модуль для отслеживания и ограничения уникальных IP-адресов пользователей
+// IP address tracking and limiting for users
 #![allow(dead_code)]
 use std::collections::{HashMap, HashSet};
 use std::net::IpAddr;
--- a/src/main.rs
+++ b/src/main.rs
@@ -1,5 +1,7 @@
 //! telemt — Telegram MTProto Proxy
 #![allow(unused_assignments)]
 use std::net::SocketAddr;
 use std::sync::Arc;
 use std::time::Duration;
@@ -296,25 +298,30 @@ async fn main() -> std::result::Result<(), Box<dyn std::error::Error>> {
        // proxy-secret is from: https://core.telegram.org/getProxySecret
        // =============================================================
        let proxy_secret_path = config.general.proxy_secret_path.as_deref();
-match crate::transport::middle_proxy::fetch_proxy_secret(proxy_secret_path).await {
+        match crate::transport::middle_proxy::fetch_proxy_secret(
-    Ok(proxy_secret) => {
+            proxy_secret_path,
-        info!(
+            config.general.proxy_secret_len_max,
-            secret_len = proxy_secret.len() as usize,  // ← ЯВНЫЙ ТИП usize
+        )
-            key_sig = format_args!(
+        .await
-                "0x{:08x}",
+        {
-                if proxy_secret.len() >= 4 {
+            Ok(proxy_secret) => {
-                    u32::from_le_bytes([
+                info!(
-                        proxy_secret[0],
+                    secret_len = proxy_secret.len(),
-                        proxy_secret[1],
+                    key_sig = format_args!(
-                        proxy_secret[2],
+                        "0x{:08x}",
-                        proxy_secret[3],
+                        if proxy_secret.len() >= 4 {
-                    ])
+                            u32::from_le_bytes([
-                } else {
+                                proxy_secret[0],
-                    0
+                                proxy_secret[1],
-                }
+                                proxy_secret[2],
-            ),
+                                proxy_secret[3],
-            "Proxy-secret loaded"
+                            ])
-        );
+                        } else {
                            0
                        }
                    ),
                    "Proxy-secret loaded"
                );
                // Load ME config (v4/v6) + default DC
                let mut cfg_v4 = fetch_proxy_config(
@@ -362,6 +369,14 @@ match crate::transport::middle_proxy::fetch_proxy_secret(proxy_secret_path).awai
                    config.general.me_reconnect_backoff_base_ms,
                    config.general.me_reconnect_backoff_cap_ms,
                    config.general.me_reconnect_fast_retry_count,
                    config.general.hardswap,
                    config.general.me_pool_drain_ttl_secs,
                    config.general.effective_me_pool_force_close_secs(),
                    config.general.me_pool_min_fresh_ratio,
                    config.general.me_hardswap_warmup_delay_min_ms,
                    config.general.me_hardswap_warmup_delay_max_ms,
                    config.general.me_hardswap_warmup_extra_passes,
                    config.general.me_hardswap_warmup_pass_backoff_base_ms,
                );
                let pool_size = config.general.middle_proxy_pool_size.max(1);
@@ -380,18 +395,6 @@ match crate::transport::middle_proxy::fetch_proxy_secret(proxy_secret_path).awai
                            .await;
                        });
                        // Periodic ME connection rotation
                        let pool_clone_rot = pool.clone();
                        let rng_clone_rot = rng.clone();
                        tokio::spawn(async move {
                            crate::transport::middle_proxy::me_rotation_task(
                                pool_clone_rot,
                                rng_clone_rot,
                                std::time::Duration::from_secs(1800),
                            )
                            .await;
                        });
                        Some(pool)
                    }
                    Err(e) => {
@@ -413,6 +416,7 @@ match crate::transport::middle_proxy::fetch_proxy_secret(proxy_secret_path).awai
    if me_pool.is_some() {
        info!("Transport: Middle-End Proxy - all DC-over-RPC");
    } else {
        let _ = use_middle_proxy;
        use_middle_proxy = false;
        // Make runtime config reflect direct-only mode for handlers.
        config.general.use_middle_proxy = false;
@@ -590,14 +594,12 @@ match crate::transport::middle_proxy::fetch_proxy_secret(proxy_secret_path).awai
 			} else {
 				info!("  IPv4 in use / IPv6 is fallback");
 			}
-		} else {
+		} else if v6_works && !v4_works {
-			if v6_works && !v4_works {
+			info!("  IPv6 only / IPv4 unavailable)");
-				info!("  IPv6 only / IPv4 unavailable)");
+		} else if v4_works && !v6_works {
-			} else if v4_works && !v6_works {
+			info!("  IPv4 only / IPv6 unavailable)");
-				info!("  IPv4 only / IPv6 unavailable)");
+		} else if !v6_works && !v4_works {
-			} else if !v6_works && !v4_works {
+			info!("  No DC connectivity");
 				info!("  No DC connectivity");
 			}
 		}
 		info!("  via {}", upstream_result.upstream_name);
@@ -702,6 +704,18 @@ match crate::transport::middle_proxy::fetch_proxy_secret(proxy_secret_path).awai
            )
            .await;
        });
        let pool_clone_rot = pool.clone();
        let rng_clone_rot = rng.clone();
        let config_rx_clone_rot = config_rx.clone();
        tokio::spawn(async move {
            crate::transport::middle_proxy::me_rotation_task(
                pool_clone_rot,
                rng_clone_rot,
                config_rx_clone_rot,
            )
            .await;
        });
    }
    let mut listeners = Vec::new();
--- a/src/metrics.rs
+++ b/src/metrics.rs
@@ -2,7 +2,7 @@ use std::convert::Infallible;
 use std::net::SocketAddr;
 use std::sync::Arc;
-use http_body_util::{Full, BodyExt};
+use http_body_util::Full;
 use hyper::body::Bytes;
 use hyper::server::conn::http1;
 use hyper::service::service_fn;
@@ -175,6 +175,30 @@ fn render_metrics(stats: &Stats) -> String {
        stats.get_desync_frames_bucket_gt_10()
    );
    let _ = writeln!(out, "# HELP telemt_pool_swap_total Successful ME pool swaps");
    let _ = writeln!(out, "# TYPE telemt_pool_swap_total counter");
    let _ = writeln!(out, "telemt_pool_swap_total {}", stats.get_pool_swap_total());
    let _ = writeln!(out, "# HELP telemt_pool_drain_active Active draining ME writers");
    let _ = writeln!(out, "# TYPE telemt_pool_drain_active gauge");
    let _ = writeln!(out, "telemt_pool_drain_active {}", stats.get_pool_drain_active());
    let _ = writeln!(out, "# HELP telemt_pool_force_close_total Forced close events for draining writers");
    let _ = writeln!(out, "# TYPE telemt_pool_force_close_total counter");
    let _ = writeln!(
        out,
        "telemt_pool_force_close_total {}",
        stats.get_pool_force_close_total()
    );
    let _ = writeln!(out, "# HELP telemt_pool_stale_pick_total Stale writer fallback picks for new binds");
    let _ = writeln!(out, "# TYPE telemt_pool_stale_pick_total counter");
    let _ = writeln!(
        out,
        "telemt_pool_stale_pick_total {}",
        stats.get_pool_stale_pick_total()
    );
    let _ = writeln!(out, "# HELP telemt_user_connections_total Per-user total connections");
    let _ = writeln!(out, "# TYPE telemt_user_connections_total counter");
    let _ = writeln!(out, "# HELP telemt_user_connections_current Per-user active connections");
@@ -205,6 +229,7 @@ fn render_metrics(stats: &Stats) -> String {
 #[cfg(test)]
 mod tests {
    use super::*;
    use http_body_util::BodyExt;
    #[test]
    fn test_render_metrics_format() {
--- a/src/network/probe.rs
+++ b/src/network/probe.rs
@@ -1,3 +1,5 @@
 #![allow(dead_code)]
 use std::net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr, UdpSocket};
 use tracing::{info, warn};
@@ -93,23 +95,21 @@ pub async fn run_probe(config: &NetworkConfig, stun_addr: Option<String>, nat_pr
 }
 pub fn decide_network_capabilities(config: &NetworkConfig, probe: &NetworkProbe) -> NetworkDecision {
-    let mut decision = NetworkDecision::default();
+    let ipv4_dc = config.ipv4 && probe.detected_ipv4.is_some();
    let ipv6_dc = config.ipv6.unwrap_or(probe.detected_ipv6.is_some()) && probe.detected_ipv6.is_some();
-    decision.ipv4_dc = config.ipv4 && probe.detected_ipv4.is_some();
+    let ipv4_me = config.ipv4
    decision.ipv6_dc = config.ipv6.unwrap_or(probe.detected_ipv6.is_some()) && probe.detected_ipv6.is_some();
    decision.ipv4_me = config.ipv4
        && probe.detected_ipv4.is_some()
        && (!probe.ipv4_is_bogon || probe.reflected_ipv4.is_some());
    let ipv6_enabled = config.ipv6.unwrap_or(probe.detected_ipv6.is_some());
-    decision.ipv6_me = ipv6_enabled
+    let ipv6_me = ipv6_enabled
        && probe.detected_ipv6.is_some()
        && (!probe.ipv6_is_bogon || probe.reflected_ipv6.is_some());
-    decision.effective_prefer = match config.prefer {
+    let effective_prefer = match config.prefer {
-        6 if decision.ipv6_me || decision.ipv6_dc => 6,
+        6 if ipv6_me || ipv6_dc => 6,
-        4 if decision.ipv4_me || decision.ipv4_dc => 4,
+        4 if ipv4_me || ipv4_dc => 4,
        6 => {
            warn!("prefer=6 requested but IPv6 unavailable; falling back to IPv4");
            4
@@ -117,10 +117,17 @@ pub fn decide_network_capabilities(config: &NetworkConfig, probe: &NetworkProbe)
        _ => 4,
    };
-    let me_families = decision.ipv4_me as u8 + decision.ipv6_me as u8;
+    let me_families = ipv4_me as u8 + ipv6_me as u8;
-    decision.effective_multipath = config.multipath && me_families >= 2;
+    let effective_multipath = config.multipath && me_families >= 2;
-    decision
+    NetworkDecision {
        ipv4_dc,
        ipv6_dc,
        ipv4_me,
        ipv6_me,
        effective_prefer,
        effective_multipath,
    }
 }
 fn detect_local_ip_v4() -> Option<Ipv4Addr> {
--- a/src/network/stun.rs
+++ b/src/network/stun.rs
@@ -1,3 +1,6 @@
 #![allow(unreachable_code)]
 #![allow(dead_code)]
 use std::net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr};
 use tokio::net::{lookup_host, UdpSocket};
@@ -195,16 +198,11 @@ async fn resolve_stun_addr(stun_addr: &str, family: IpFamily) -> Result<Option<S
        });
    }
-    let addrs = lookup_host(stun_addr)
+    let mut addrs = lookup_host(stun_addr)
        .await
        .map_err(|e| ProxyError::Proxy(format!("STUN resolve failed: {e}")))?;
    let target = addrs
-        .filter(|a| match (a.is_ipv4(), family) {
+        .find(|a| matches!((a.is_ipv4(), family), (true, IpFamily::V4) | (false, IpFamily::V6)));
            (true, IpFamily::V4) => true,
            (false, IpFamily::V6) => true,
            _ => false,
        })
        .next();
    Ok(target)
 }
--- a/src/protocol/constants.rs
+++ b/src/protocol/constants.rs
@@ -1,6 +1,8 @@
 //! Protocol constants and datacenter addresses
-use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};
+#![allow(dead_code)]
 use std::net::{IpAddr, Ipv4Addr};
 use crate::crypto::SecureRandom;
 use std::sync::LazyLock;
@@ -158,7 +160,7 @@ pub const MAX_TLS_CHUNK_SIZE: usize = 16384 + 256;
 /// Secure Intermediate payload is expected to be 4-byte aligned.
 pub fn is_valid_secure_payload_len(data_len: usize) -> bool {
-    data_len % 4 == 0
+    data_len.is_multiple_of(4)
 }
 /// Compute Secure Intermediate payload length from wire length.
@@ -177,7 +179,7 @@ pub fn secure_padding_len(data_len: usize, rng: &SecureRandom) -> usize {
        is_valid_secure_payload_len(data_len),
        "Secure payload must be 4-byte aligned, got {data_len}"
    );
-    (rng.range(3) + 1) as usize
+    rng.range(3) + 1
 }
 // ============= Timeouts =============
@@ -229,7 +231,6 @@ pub static RESERVED_NONCE_CONTINUES: &[[u8; 4]] = &[
 // ============= RPC Constants (for Middle Proxy) =============
 /// RPC Proxy Request
 /// RPC Flags (from Erlang mtp_rpc.erl)
 pub const RPC_FLAG_NOT_ENCRYPTED: u32 = 0x2;
 pub const RPC_FLAG_HAS_AD_TAG: u32    = 0x8;
--- a/src/protocol/frame.rs
+++ b/src/protocol/frame.rs
@@ -1,5 +1,7 @@
 //! MTProto frame types and metadata
 #![allow(dead_code)]
 use std::collections::HashMap;
 /// Extra metadata associated with a frame
@@ -83,7 +85,7 @@ impl FrameMode {
 pub fn validate_message_length(len: usize) -> bool {
    use super::constants::{MIN_MSG_LEN, MAX_MSG_LEN, PADDING_FILLER};
-    len >= MIN_MSG_LEN && len <= MAX_MSG_LEN && len % PADDING_FILLER.len() == 0
+    (MIN_MSG_LEN..=MAX_MSG_LEN).contains(&len) && len.is_multiple_of(PADDING_FILLER.len())
 }
 #[cfg(test)]
--- a/src/protocol/mod.rs
+++ b/src/protocol/mod.rs
@@ -5,7 +5,11 @@ pub mod frame;
 pub mod obfuscation;
 pub mod tls;
 #[allow(unused_imports)]
 pub use constants::*;
 #[allow(unused_imports)]
 pub use frame::*;
 #[allow(unused_imports)]
 pub use obfuscation::*;
 #[allow(unused_imports)]
 pub use tls::*;
--- a/src/protocol/obfuscation.rs
+++ b/src/protocol/obfuscation.rs
@@ -1,8 +1,9 @@
 //! MTProto Obfuscation
 #![allow(dead_code)]
 use zeroize::Zeroize;
 use crate::crypto::{sha256, AesCtr};
 use crate::error::Result;
 use super::constants::*;
 /// Obfuscation parameters from handshake
--- a/src/protocol/tls.rs
+++ b/src/protocol/tls.rs
@@ -4,8 +4,11 @@
 //! for domain fronting. The handshake looks like valid TLS 1.3 but
 //! actually carries MTProto authentication data.
 #![allow(dead_code)]
 use crate::crypto::{sha256_hmac, SecureRandom};
-use crate::error::{ProxyError, Result};
+#[cfg(test)]
 use crate::error::ProxyError;
 use super::constants::*;
 use std::time::{SystemTime, UNIX_EPOCH};
 use num_bigint::BigUint;
@@ -332,7 +335,7 @@ pub fn validate_tls_handshake(
            // This is a quirk in some clients that use uptime instead of real time
            let is_boot_time = timestamp < 60 * 60 * 24 * 1000; // < ~2.7 years in seconds
-            if !is_boot_time && (time_diff < TIME_SKEW_MIN || time_diff > TIME_SKEW_MAX) {
+            if !is_boot_time && !(TIME_SKEW_MIN..=TIME_SKEW_MAX).contains(&time_diff) {
                continue;
            }
        }
@@ -390,7 +393,7 @@ pub fn build_server_hello(
 ) -> Vec<u8> {
    const MIN_APP_DATA: usize = 64;
    const MAX_APP_DATA: usize = 16640; // RFC 8446 §5.2 upper bound
-    let fake_cert_len = fake_cert_len.max(MIN_APP_DATA).min(MAX_APP_DATA);
+    let fake_cert_len = fake_cert_len.clamp(MIN_APP_DATA, MAX_APP_DATA);
    let x25519_key = gen_fake_x25519_key(rng);
    // Build ServerHello
@@ -522,10 +525,10 @@ pub fn extract_sni_from_client_hello(handshake: &[u8]) -> Option<String> {
                if sn_pos + name_len > sn_end {
                    break;
                }
-                if name_type == 0 && name_len > 0 {
+                if name_type == 0 && name_len > 0
-                    if let Ok(host) = std::str::from_utf8(&handshake[sn_pos..sn_pos + name_len]) {
+                    && let Ok(host) = std::str::from_utf8(&handshake[sn_pos..sn_pos + name_len])
-                        return Some(host.to_string());
+                {
-                    }
+                    return Some(host.to_string());
                }
                sn_pos += name_len;
            }
@@ -568,7 +571,7 @@ pub fn extract_alpn_from_client_hello(handshake: &[u8]) -> Vec<Vec<u8>> {
            let list_len = u16::from_be_bytes([handshake[pos], handshake[pos+1]]) as usize;
            let mut lp = pos + 2;
            let list_end = (pos + 2).saturating_add(list_len).min(pos + elen);
-            while lp + 1 <= list_end {
+            while lp < list_end {
                let plen = handshake[lp] as usize;
                lp += 1;
                if lp + plen > list_end { break; }
@@ -613,7 +616,7 @@ pub fn parse_tls_record_header(header: &[u8; 5]) -> Option<(u8, u16)> {
 ///
 /// This is useful for testing that our ServerHello is well-formed.
 #[cfg(test)]
-fn validate_server_hello_structure(data: &[u8]) -> Result<()> {
+fn validate_server_hello_structure(data: &[u8]) -> Result<(), ProxyError> {
    if data.len() < 5 {
        return Err(ProxyError::InvalidTlsRecord {
            record_type: 0,
--- a/src/proxy/client.rs
+++ b/src/proxy/client.rs
@@ -271,7 +271,7 @@ impl RunningClientHandler {
        self.peer = normalize_ip(self.peer);
        let peer = self.peer;
-        let ip_tracker = self.ip_tracker.clone();
+        let _ip_tracker = self.ip_tracker.clone();
        debug!(peer = %peer, "New connection");
        if let Err(e) = configure_client_socket(
@@ -331,7 +331,7 @@ impl RunningClientHandler {
        let is_tls = tls::is_tls_handshake(&first_bytes[..3]);
        let peer = self.peer;
-        let ip_tracker = self.ip_tracker.clone();
+        let _ip_tracker = self.ip_tracker.clone();
        debug!(peer = %peer, is_tls = is_tls, "Handshake type detected");
@@ -344,7 +344,7 @@ impl RunningClientHandler {
    async fn handle_tls_client(mut self, first_bytes: [u8; 5]) -> Result<HandshakeOutcome> {
        let peer = self.peer;
-        let ip_tracker = self.ip_tracker.clone();
+        let _ip_tracker = self.ip_tracker.clone();
        let tls_len = u16::from_be_bytes([first_bytes[3], first_bytes[4]]) as usize;
@@ -440,7 +440,7 @@ impl RunningClientHandler {
    async fn handle_direct_client(mut self, first_bytes: [u8; 5]) -> Result<HandshakeOutcome> {
        let peer = self.peer;
-        let ip_tracker = self.ip_tracker.clone();
+        let _ip_tracker = self.ip_tracker.clone();
        if !self.config.general.modes.classic && !self.config.general.modes.secure {
            debug!(peer = %peer, "Non-TLS modes disabled");
@@ -594,18 +594,18 @@ impl RunningClientHandler {
        peer_addr: SocketAddr,
        ip_tracker: &UserIpTracker,
    ) -> Result<()> {
-        if let Some(expiration) = config.access.user_expirations.get(user) {
+        if let Some(expiration) = config.access.user_expirations.get(user)
-            if chrono::Utc::now() > *expiration {
+            && chrono::Utc::now() > *expiration
-                return Err(ProxyError::UserExpired {
+        {
-                    user: user.to_string(),
+            return Err(ProxyError::UserExpired {
-                });
+                user: user.to_string(),
-            }
+            });
        }
        // IP limit check
        if let Err(reason) = ip_tracker.check_and_add(user, peer_addr.ip()).await {
            warn!(
-                user = %user, 
+                user = %user,
                ip = %peer_addr.ip(),
                reason = %reason,
                "IP limit exceeded"
@@ -615,20 +615,20 @@ impl RunningClientHandler {
            });
        }
-        if let Some(limit) = config.access.user_max_tcp_conns.get(user) {
+        if let Some(limit) = config.access.user_max_tcp_conns.get(user)
-            if stats.get_user_curr_connects(user) >= *limit as u64 {
+            && stats.get_user_curr_connects(user) >= *limit as u64
-                return Err(ProxyError::ConnectionLimitExceeded {
+        {
-                    user: user.to_string(),
+            return Err(ProxyError::ConnectionLimitExceeded {
-                });
+                user: user.to_string(),
-            }
+            });
        }
-        if let Some(quota) = config.access.user_data_quota.get(user) {
+        if let Some(quota) = config.access.user_data_quota.get(user)
-            if stats.get_user_total_octets(user) >= *quota {
+            && stats.get_user_total_octets(user) >= *quota
-                return Err(ProxyError::DataQuotaExceeded {
+        {
-                    user: user.to_string(),
+            return Err(ProxyError::DataQuotaExceeded {
-                });
+                user: user.to_string(),
-            }
+            });
        }
        Ok(())
--- a/src/proxy/direct_relay.rs
+++ b/src/proxy/direct_relay.rs
@@ -118,10 +118,10 @@ fn get_dc_addr_static(dc_idx: i16, config: &ProxyConfig) -> Result<SocketAddr> {
    // Unknown DC requested by client without override: log and fall back.
    if !config.dc_overrides.contains_key(&dc_key) {
        warn!(dc_idx = dc_idx, "Requested non-standard DC with no override; falling back to default cluster");
-        if let Some(path) = &config.general.unknown_dc_log_path {
+        if let Some(path) = &config.general.unknown_dc_log_path
-            if let Ok(mut file) = OpenOptions::new().create(true).append(true).open(path) {
+            && let Ok(mut file) = OpenOptions::new().create(true).append(true).open(path)
-                let _ = writeln!(file, "dc_idx={dc_idx}");
+        {
-            }
+            let _ = writeln!(file, "dc_idx={dc_idx}");
        }
    }
--- a/src/proxy/handshake.rs
+++ b/src/proxy/handshake.rs
@@ -1,5 +1,7 @@
 //! MTProto Handshake
 #![allow(dead_code)]
 use std::net::SocketAddr;
 use std::sync::Arc;
 use std::time::Duration;
--- a/src/proxy/masking.rs
+++ b/src/proxy/masking.rs
@@ -19,12 +19,12 @@ const MASK_BUFFER_SIZE: usize = 8192;
 /// Detect client type based on initial data
 fn detect_client_type(data: &[u8]) -> &'static str {
    // Check for HTTP request
-    if data.len() > 4 {
+    if data.len() > 4
-        if data.starts_with(b"GET ") || data.starts_with(b"POST") ||
+        && (data.starts_with(b"GET ") || data.starts_with(b"POST") ||
           data.starts_with(b"HEAD") || data.starts_with(b"PUT ") ||
-           data.starts_with(b"DELETE") || data.starts_with(b"OPTIONS") {
+           data.starts_with(b"DELETE") || data.starts_with(b"OPTIONS"))
-            return "HTTP";
+    {
-        }
+        return "HTTP";
    }
    // Check for TLS ClientHello (0x16 = handshake, 0x03 0x01-0x03 = TLS version)
--- a/src/proxy/middle_relay.rs
+++ b/src/proxy/middle_relay.rs
@@ -184,6 +184,7 @@ where
    let user = success.user.clone();
    let peer = success.peer;
    let proto_tag = success.proto_tag;
    let pool_generation = me_pool.current_generation();
    info!(
        user = %user,
@@ -191,6 +192,7 @@ where
        dc = success.dc_idx,
        proto = ?proto_tag,
        mode = "middle_proxy",
        pool_generation,
        "Routing via Middle-End"
    );
@@ -220,6 +222,7 @@ where
        peer_hash = format_args!("0x{:016x}", forensics.peer_hash),
        desync_all_full = forensics.desync_all_full,
        proto_flags = format_args!("0x{:08x}", proto_flags),
        pool_generation,
        "ME relay started"
    );
@@ -390,13 +393,13 @@ where
        .unwrap_or_else(|e| Err(ProxyError::Proxy(format!("ME writer join error: {e}"))));
    // When client closes, but ME channel stopped as unregistered - it isnt error
-    if client_closed {
+    if client_closed
-        if matches!(
+        && matches!(
            writer_result,
            Err(ProxyError::Proxy(ref msg)) if msg == "ME connection lost"
-        ) {
+        )
-            writer_result = Ok(());
+    {
-        }
+        writer_result = Ok(());
    }
    let result = match (main_result, c2me_result, writer_result) {
@@ -546,7 +549,7 @@ where
    match proto_tag {
        ProtoTag::Abridged => {
-            if data.len() % 4 != 0 {
+            if !data.len().is_multiple_of(4) {
                return Err(ProxyError::Proxy(format!(
                    "Abridged payload must be 4-byte aligned, got {}",
                    data.len()
@@ -564,7 +567,7 @@ where
                frame_buf.push(first);
                frame_buf.extend_from_slice(data);
                client_writer
-                    .write_all(&frame_buf)
+                    .write_all(frame_buf)
                    .await
                    .map_err(ProxyError::Io)?;
            } else if len_words < (1 << 24) {
@@ -578,7 +581,7 @@ where
                frame_buf.extend_from_slice(&[first, lw[0], lw[1], lw[2]]);
                frame_buf.extend_from_slice(data);
                client_writer
-                    .write_all(&frame_buf)
+                    .write_all(frame_buf)
                    .await
                    .map_err(ProxyError::Io)?;
            } else {
@@ -615,7 +618,7 @@ where
                rng.fill(&mut frame_buf[start..]);
            }
            client_writer
-                .write_all(&frame_buf)
+                .write_all(frame_buf)
                .await
                .map_err(ProxyError::Io)?;
        }
--- a/src/proxy/mod.rs
+++ b/src/proxy/mod.rs
@@ -8,6 +8,9 @@ pub mod middle_relay;
 pub mod relay;
 pub use client::ClientHandler;
 #[allow(unused_imports)]
 pub use handshake::*;
 #[allow(unused_imports)]
 pub use masking::*;
 #[allow(unused_imports)]
 pub use relay::*;
--- a/src/stats/mod.rs
+++ b/src/stats/mod.rs
@@ -1,7 +1,8 @@
 //! Statistics and replay protection
 #![allow(dead_code)]
 use std::sync::atomic::{AtomicU64, Ordering};
 use std::sync::Arc;
 use std::time::{Instant, Duration};
 use dashmap::DashMap;
 use parking_lot::Mutex;
@@ -38,6 +39,10 @@ pub struct Stats {
    desync_frames_bucket_1_2: AtomicU64,
    desync_frames_bucket_3_10: AtomicU64,
    desync_frames_bucket_gt_10: AtomicU64,
    pool_swap_total: AtomicU64,
    pool_drain_active: AtomicU64,
    pool_force_close_total: AtomicU64,
    pool_stale_pick_total: AtomicU64,
    user_stats: DashMap<String, UserStats>,
    start_time: parking_lot::RwLock<Option<Instant>>,
 }
@@ -108,6 +113,35 @@ impl Stats {
            }
        }
    }
    pub fn increment_pool_swap_total(&self) {
        self.pool_swap_total.fetch_add(1, Ordering::Relaxed);
    }
    pub fn increment_pool_drain_active(&self) {
        self.pool_drain_active.fetch_add(1, Ordering::Relaxed);
    }
    pub fn decrement_pool_drain_active(&self) {
        let mut current = self.pool_drain_active.load(Ordering::Relaxed);
        loop {
            if current == 0 {
                break;
            }
            match self.pool_drain_active.compare_exchange_weak(
                current,
                current - 1,
                Ordering::Relaxed,
                Ordering::Relaxed,
            ) {
                Ok(_) => break,
                Err(actual) => current = actual,
            }
        }
    }
    pub fn increment_pool_force_close_total(&self) {
        self.pool_force_close_total.fetch_add(1, Ordering::Relaxed);
    }
    pub fn increment_pool_stale_pick_total(&self) {
        self.pool_stale_pick_total.fetch_add(1, Ordering::Relaxed);
    }
    pub fn get_connects_all(&self) -> u64 { self.connects_all.load(Ordering::Relaxed) }
    pub fn get_connects_bad(&self) -> u64 { self.connects_bad.load(Ordering::Relaxed) }
    pub fn get_me_keepalive_sent(&self) -> u64 { self.me_keepalive_sent.load(Ordering::Relaxed) }
@@ -149,6 +183,18 @@ impl Stats {
    pub fn get_desync_frames_bucket_gt_10(&self) -> u64 {
        self.desync_frames_bucket_gt_10.load(Ordering::Relaxed)
    }
    pub fn get_pool_swap_total(&self) -> u64 {
        self.pool_swap_total.load(Ordering::Relaxed)
    }
    pub fn get_pool_drain_active(&self) -> u64 {
        self.pool_drain_active.load(Ordering::Relaxed)
    }
    pub fn get_pool_force_close_total(&self) -> u64 {
        self.pool_force_close_total.load(Ordering::Relaxed)
    }
    pub fn get_pool_stale_pick_total(&self) -> u64 {
        self.pool_stale_pick_total.load(Ordering::Relaxed)
    }
    pub fn increment_user_connects(&self, user: &str) {
        self.user_stats.entry(user.to_string()).or_default()
@@ -280,10 +326,10 @@ impl ReplayShard {
            // Use key.as_ref() to get &[u8] — avoids Borrow<Q> ambiguity
            // between Borrow<[u8]> and Borrow<Box<[u8]>>
-            if let Some(entry) = self.cache.peek(key.as_ref()) {
+            if let Some(entry) = self.cache.peek(key.as_ref())
-                if entry.seq == queue_seq {
+                && entry.seq == queue_seq
-                    self.cache.pop(key.as_ref());
+            {
-                }
+                self.cache.pop(key.as_ref());
            }
        }
    }
@@ -451,6 +497,7 @@ impl ReplayStats {
 #[cfg(test)]
 mod tests {
    use super::*;
    use std::sync::Arc;
    #[test]
    fn test_stats_shared_counters() {
--- a/src/stream/buffer_pool.rs
+++ b/src/stream/buffer_pool.rs
@@ -3,6 +3,8 @@
 //! This module provides a thread-safe pool of BytesMut buffers
 //! that can be reused across connections to reduce allocation pressure.
 #![allow(dead_code)]
 use bytes::BytesMut;
 use crossbeam_queue::ArrayQueue;
 use std::ops::{Deref, DerefMut};
--- a/src/stream/crypto_stream.rs
+++ b/src/stream/crypto_stream.rs
@@ -18,6 +18,8 @@
 //!   is either written to upstream or stored in our pending buffer
 //! - when upstream is pending -> ciphertext is buffered/bounded and backpressure is applied
 //!
 #![allow(dead_code)]
 //! =======================
 //! Writer state machine
 //! =======================
@@ -45,7 +47,7 @@
 //! - when upstream is Pending but pending still has room: accept `to_accept` bytes and
 //!   encrypt+append ciphertext directly into pending (in-place encryption of appended range)
-//! Encrypted stream wrappers using AES-CTR
+//!   Encrypted stream wrappers using AES-CTR
 //!
 //! This module provides stateful async stream wrappers that handle
 //! encryption/decryption with proper partial read/write handling.
@@ -55,7 +57,7 @@ use std::io::{self, ErrorKind, Result};
 use std::pin::Pin;
 use std::task::{Context, Poll};
 use tokio::io::{AsyncRead, AsyncWrite, ReadBuf};
-use tracing::{debug, trace, warn};
+use tracing::{debug, trace};
 use crate::crypto::AesCtr;
 use super::state::{StreamState, YieldBuffer};
@@ -151,9 +153,9 @@ impl<R> CryptoReader<R> {
    fn take_poison_error(&mut self) -> io::Error {
        match &mut self.state {
            CryptoReaderState::Poisoned { error } => error.take().unwrap_or_else(|| {
-                io::Error::new(ErrorKind::Other, "stream previously poisoned")
+                io::Error::other("stream previously poisoned")
            }),
-            _ => io::Error::new(ErrorKind::Other, "stream not poisoned"),
+            _ => io::Error::other("stream not poisoned"),
        }
    }
 }
@@ -166,6 +168,7 @@ impl<R: AsyncRead + Unpin> AsyncRead for CryptoReader<R> {
    ) -> Poll<Result<()>> {
        let this = self.get_mut();
        #[allow(clippy::never_loop)]
        loop {
            match &mut this.state {
                CryptoReaderState::Poisoned { .. } => {
@@ -483,14 +486,14 @@ impl<W> CryptoWriter<W> {
    fn take_poison_error(&mut self) -> io::Error {
        match &mut self.state {
            CryptoWriterState::Poisoned { error } => error.take().unwrap_or_else(|| {
-                io::Error::new(ErrorKind::Other, "stream previously poisoned")
+                io::Error::other("stream previously poisoned")
            }),
-            _ => io::Error::new(ErrorKind::Other, "stream not poisoned"),
+            _ => io::Error::other("stream not poisoned"),
        }
    }
    /// Ensure we are in Flushing state and return mutable pending buffer.
-    fn ensure_pending<'a>(state: &'a mut CryptoWriterState, max_pending: usize) -> &'a mut PendingCiphertext {
+    fn ensure_pending(state: &mut CryptoWriterState, max_pending: usize) -> &mut PendingCiphertext {
        if matches!(state, CryptoWriterState::Idle) {
            *state = CryptoWriterState::Flushing {
                pending: PendingCiphertext::new(max_pending),
--- a/src/stream/frame.rs
+++ b/src/stream/frame.rs
@@ -3,6 +3,8 @@
 //! This module defines the common types and traits used by all
 //! frame encoding/decoding implementations.
 #![allow(dead_code)]
 use bytes::{Bytes, BytesMut};
 use std::io::Result;
 use std::sync::Arc;
--- a/src/stream/frame_codec.rs
+++ b/src/stream/frame_codec.rs
@@ -3,6 +3,8 @@
 //! This module provides Encoder/Decoder implementations compatible
 //! with tokio-util's Framed wrapper for easy async frame I/O.
 #![allow(dead_code)]
 use bytes::{Bytes, BytesMut, BufMut};
 use std::io::{self, Error, ErrorKind};
 use std::sync::Arc;
@@ -137,7 +139,7 @@ fn encode_abridged(frame: &Frame, dst: &mut BytesMut) -> io::Result<()> {
    let data = &frame.data;
    // Validate alignment
-    if data.len() % 4 != 0 {
+    if !data.len().is_multiple_of(4) {
        return Err(Error::new(
            ErrorKind::InvalidInput,
            format!("abridged frame must be 4-byte aligned, got {} bytes", data.len())
--- a/src/stream/frame_stream.rs
+++ b/src/stream/frame_stream.rs
@@ -1,6 +1,8 @@
 //! MTProto frame stream wrappers
-use bytes::{Bytes, BytesMut};
+#![allow(dead_code)]
 use bytes::Bytes;
 use std::io::{Error, ErrorKind, Result};
 use tokio::io::{AsyncRead, AsyncWrite, AsyncReadExt, AsyncWriteExt};
 use crate::protocol::constants::*;
@@ -76,7 +78,7 @@ impl<W> AbridgedFrameWriter<W> {
 impl<W: AsyncWrite + Unpin> AbridgedFrameWriter<W> {
    /// Write a frame
    pub async fn write_frame(&mut self, data: &[u8], meta: &FrameMeta) -> Result<()> {
-        if data.len() % 4 != 0 {
+        if !data.len().is_multiple_of(4) {
            return Err(Error::new(
                ErrorKind::InvalidInput,
                format!("Abridged frame must be aligned to 4 bytes, got {}", data.len()),
@@ -329,7 +331,7 @@ impl<R: AsyncRead + Unpin> MtprotoFrameReader<R> {
            }
            // Validate length
-            if len < MIN_MSG_LEN || len > MAX_MSG_LEN || len % PADDING_FILLER.len() != 0 {
+            if !(MIN_MSG_LEN..=MAX_MSG_LEN).contains(&len) || !len.is_multiple_of(PADDING_FILLER.len()) {
                return Err(Error::new(
                    ErrorKind::InvalidData,
                    format!("Invalid message length: {}", len),
--- a/src/stream/mod.rs
+++ b/src/stream/mod.rs
@@ -12,28 +12,34 @@ pub mod frame_codec;
 pub mod frame_stream;
 // Re-export state machine types
 #[allow(unused_imports)]
 pub use state::{
    StreamState, Transition, PollResult,
    ReadBuffer, WriteBuffer, HeaderBuffer, YieldBuffer,
 };
 // Re-export buffer pool
 #[allow(unused_imports)]
 pub use buffer_pool::{BufferPool, PooledBuffer, PoolStats};
 // Re-export stream implementations
 #[allow(unused_imports)]
 pub use crypto_stream::{CryptoReader, CryptoWriter, PassthroughStream};
 pub use tls_stream::{FakeTlsReader, FakeTlsWriter};
 // Re-export frame types
 #[allow(unused_imports)]
 pub use frame::{Frame, FrameMeta, FrameCodec as FrameCodecTrait, create_codec};
-// Re-export tokio-util compatible codecs  
+// Re-export tokio-util compatible codecs
 #[allow(unused_imports)]
 pub use frame_codec::{
    FrameCodec,
    AbridgedCodec, IntermediateCodec, SecureCodec,
 };
 // Legacy re-exports for compatibility
 #[allow(unused_imports)]
 pub use frame_stream::{
    AbridgedFrameReader, AbridgedFrameWriter,
    IntermediateFrameReader, IntermediateFrameWriter,
--- a/src/stream/state.rs
+++ b/src/stream/state.rs
@@ -3,6 +3,8 @@
 //! This module provides core types and traits for implementing
 //! stateful async streams with proper partial read/write handling.
 #![allow(dead_code)]
 use bytes::{Bytes, BytesMut};
 use std::io;
--- a/src/stream/tls_stream.rs
+++ b/src/stream/tls_stream.rs
@@ -18,6 +18,8 @@
 //! - Explicit state machines for all async operations
 //! - Never lose data on partial reads
 //! - Atomic TLS record formation for writes
 #![allow(dead_code)]
 //! - Proper handling of all TLS record types
 //!
 //! Important nuance (Telegram FakeTLS):
@@ -133,7 +135,7 @@ impl TlsRecordHeader {
    }
    /// Build header bytes
-    fn to_bytes(&self) -> [u8; 5] {
+    fn to_bytes(self) -> [u8; 5] {
        [
            self.record_type,
            self.version[0],
@@ -258,9 +260,9 @@ impl<R> FakeTlsReader<R> {
    fn take_poison_error(&mut self) -> io::Error {
        match &mut self.state {
            TlsReaderState::Poisoned { error } => error.take().unwrap_or_else(|| {
-                io::Error::new(ErrorKind::Other, "stream previously poisoned")
+                io::Error::other("stream previously poisoned")
            }),
-            _ => io::Error::new(ErrorKind::Other, "stream not poisoned"),
+            _ => io::Error::other("stream not poisoned"),
        }
    }
 }
@@ -295,7 +297,7 @@ impl<R: AsyncRead + Unpin> AsyncRead for FakeTlsReader<R> {
                TlsReaderState::Poisoned { error } => {
                    this.state = TlsReaderState::Poisoned { error: None };
                    let err = error.unwrap_or_else(|| {
-                        io::Error::new(ErrorKind::Other, "stream previously poisoned")
+                        io::Error::other("stream previously poisoned")
                    });
                    return Poll::Ready(Err(err));
                }
@@ -614,9 +616,9 @@ impl<W> FakeTlsWriter<W> {
    fn take_poison_error(&mut self) -> io::Error {
        match &mut self.state {
            TlsWriterState::Poisoned { error } => error.take().unwrap_or_else(|| {
-                io::Error::new(ErrorKind::Other, "stream previously poisoned")
+                io::Error::other("stream previously poisoned")
            }),
-            _ => io::Error::new(ErrorKind::Other, "stream not poisoned"),
+            _ => io::Error::other("stream not poisoned"),
        }
    }
@@ -680,7 +682,7 @@ impl<W: AsyncWrite + Unpin> AsyncWrite for FakeTlsWriter<W> {
            TlsWriterState::Poisoned { error } => {
                this.state = TlsWriterState::Poisoned { error: None };
                let err = error.unwrap_or_else(|| {
-                    Error::new(ErrorKind::Other, "stream previously poisoned")
+                    Error::other("stream previously poisoned")
                });
                return Poll::Ready(Err(err));
            }
@@ -769,7 +771,7 @@ impl<W: AsyncWrite + Unpin> AsyncWrite for FakeTlsWriter<W> {
            TlsWriterState::Poisoned { error } => {
                this.state = TlsWriterState::Poisoned { error: None };
                let err = error.unwrap_or_else(|| {
-                    Error::new(ErrorKind::Other, "stream previously poisoned")
+                    Error::other("stream previously poisoned")
                });
                return Poll::Ready(Err(err));
            }
--- a/src/stream/traits.rs
+++ b/src/stream/traits.rs
@@ -1,5 +1,7 @@
 //! Stream traits and common types
 #![allow(dead_code)]
 use bytes::Bytes;
 use std::io::Result;
 use std::pin::Pin;
--- a/src/tls_front/cache.rs
+++ b/src/tls_front/cache.rs
@@ -19,6 +19,7 @@ pub struct TlsFrontCache {
    disk_path: PathBuf,
 }
 #[allow(dead_code)]
 impl TlsFrontCache {
    pub fn new(domains: &[String], default_len: usize, disk_path: impl AsRef<Path>) -> Self {
        let default_template = ParsedServerHello {
@@ -114,32 +115,32 @@ impl TlsFrontCache {
                    if !name.ends_with(".json") {
                        continue;
                    }
-                    if let Ok(data) = tokio::fs::read(entry.path()).await {
+                    if let Ok(data) = tokio::fs::read(entry.path()).await
-                        if let Ok(mut cached) = serde_json::from_slice::<CachedTlsData>(&data) {
+                        && let Ok(mut cached) = serde_json::from_slice::<CachedTlsData>(&data)
-                            if cached.domain.is_empty()
+                    {
-                                || cached.domain.len() > 255
+                        if cached.domain.is_empty()
-                                || !cached.domain.chars().all(|c| c.is_ascii_alphanumeric() || c == '.' || c == '-')
+                            || cached.domain.len() > 255
-                            {
+                            || !cached.domain.chars().all(|c| c.is_ascii_alphanumeric() || c == '.' || c == '-')
-                                warn!(file = %name, "Skipping TLS cache entry with invalid domain");
+                        {
-                                continue;
+                            warn!(file = %name, "Skipping TLS cache entry with invalid domain");
-                            }
+                            continue;
                            // fetched_at is skipped during deserialization; approximate with file mtime if available.
                            if let Ok(meta) = entry.metadata().await {
                                if let Ok(modified) = meta.modified() {
                                    cached.fetched_at = modified;
                                }
                            }
                            // Drop entries older than 72h
                            if let Ok(age) = cached.fetched_at.elapsed() {
                                if age > Duration::from_secs(72 * 3600) {
                                    warn!(domain = %cached.domain, "Skipping stale TLS cache entry (>72h)");
                                    continue;
                                }
                            }
                            let domain = cached.domain.clone();
                            self.set(&domain, cached).await;
                            loaded += 1;
                        }
                        // fetched_at is skipped during deserialization; approximate with file mtime if available.
                        if let Ok(meta) = entry.metadata().await
                            && let Ok(modified) = meta.modified()
                        {
                            cached.fetched_at = modified;
                        }
                        // Drop entries older than 72h
                        if let Ok(age) = cached.fetched_at.elapsed()
                            && age > Duration::from_secs(72 * 3600)
                        {
                            warn!(domain = %cached.domain, "Skipping stale TLS cache entry (>72h)");
                            continue;
                        }
                        let domain = cached.domain.clone();
                        self.set(&domain, cached).await;
                        loaded += 1;
                    }
                }
            }
@@ -173,7 +174,7 @@ impl TlsFrontCache {
        tokio::spawn(async move {
            loop {
                for domain in &domains {
-                    fetcher(domain.clone()).await;
+                    let _ = fetcher(domain.clone()).await;
                }
                sleep(interval).await;
            }
--- a/src/tls_front/emulator.rs
+++ b/src/tls_front/emulator.rs
@@ -12,7 +12,7 @@ fn jitter_and_clamp_sizes(sizes: &[usize], rng: &SecureRandom) -> Vec<usize> {
    sizes
        .iter()
        .map(|&size| {
-            let base = size.max(MIN_APP_DATA).min(MAX_APP_DATA);
+            let base = size.clamp(MIN_APP_DATA, MAX_APP_DATA);
            let jitter_range = ((base as f64) * 0.03).round() as i64;
            if jitter_range == 0 {
                return base;
@@ -50,7 +50,7 @@ fn ensure_payload_capacity(mut sizes: Vec<usize>, payload_len: usize) -> Vec<usi
    while body_total < payload_len {
        let remaining = payload_len - body_total;
-        let chunk = (remaining + 17).min(MAX_APP_DATA).max(MIN_APP_DATA);
+        let chunk = (remaining + 17).clamp(MIN_APP_DATA, MAX_APP_DATA);
        sizes.push(chunk);
        body_total += chunk.saturating_sub(17);
    }
@@ -189,7 +189,7 @@ pub fn build_emulated_server_hello(
            .as_ref()
            .map(|payload| payload.certificate_message.as_slice())
            .filter(|payload| !payload.is_empty())
-            .or_else(|| compact_payload.as_deref())
+            .or(compact_payload.as_deref())
    } else {
        compact_payload.as_deref()
    };
@@ -223,15 +223,13 @@ pub fn build_emulated_server_hello(
            } else {
                rec.extend_from_slice(&rng.bytes(size));
            }
        } else if size > 17 {
            let body_len = size - 17;
            rec.extend_from_slice(&rng.bytes(body_len));
            rec.push(0x16); // inner content type marker (handshake)
            rec.extend_from_slice(&rng.bytes(16)); // AEAD-like tag
        } else {
-            if size > 17 {
+            rec.extend_from_slice(&rng.bytes(size));
                let body_len = size - 17;
                rec.extend_from_slice(&rng.bytes(body_len));
                rec.push(0x16); // inner content type marker (handshake)
                rec.extend_from_slice(&rng.bytes(16)); // AEAD-like tag
            } else {
                rec.extend_from_slice(&rng.bytes(size));
            }
        }
        app_data.extend_from_slice(&rec);
    }
--- a/src/tls_front/fetcher.rs
+++ b/src/tls_front/fetcher.rs
@@ -384,7 +384,7 @@ async fn fetch_via_raw_tls(
    for _ in 0..4 {
        match timeout(connect_timeout, read_tls_record(&mut stream)).await {
            Ok(Ok(rec)) => records.push(rec),
-            Ok(Err(e)) => return Err(e.into()),
+            Ok(Err(e)) => return Err(e),
            Err(_) => break,
        }
        if records.len() >= 3 && records.iter().any(|(t, _)| *t == TLS_RECORD_APPLICATION) {
--- a/src/tls_front/mod.rs
+++ b/src/tls_front/mod.rs
@@ -4,4 +4,5 @@ pub mod fetcher;
 pub mod emulator;
 pub use cache::TlsFrontCache;
 #[allow(unused_imports)]
 pub use types::{CachedTlsData, TlsFetchResult};
--- a/src/transport/middle_proxy/codec.rs
+++ b/src/transport/middle_proxy/codec.rs
@@ -165,11 +165,10 @@ fn process_pid16() -> u16 {
 }
 fn process_utime() -> u32 {
-    let utime = std::time::SystemTime::now()
+    std::time::SystemTime::now()
        .duration_since(std::time::UNIX_EPOCH)
        .unwrap_or_default()
-        .as_secs() as u32;
+        .as_secs() as u32
    utime
 }
 pub(crate) fn cbc_encrypt_padded(
--- a/src/transport/middle_proxy/config_updater.rs
+++ b/src/transport/middle_proxy/config_updater.rs
@@ -1,4 +1,5 @@
 use std::collections::HashMap;
 use std::hash::{DefaultHasher, Hash, Hasher};
 use std::net::IpAddr;
 use std::sync::Arc;
 use std::time::Duration;
@@ -11,7 +12,7 @@ use crate::config::ProxyConfig;
 use crate::error::Result;
 use super::MePool;
-use super::secret::download_proxy_secret;
+use super::secret::download_proxy_secret_with_max_len;
 use crate::crypto::SecureRandom;
 use std::time::SystemTime;
@@ -39,15 +40,103 @@ pub struct ProxyConfigData {
    pub default_dc: Option<i32>,
 }
-fn parse_host_port(s: &str) -> Option<(IpAddr, u16)> {
+#[derive(Debug, Default)]
-    if let Some(bracket_end) = s.rfind(']') {
+struct StableSnapshot {
-        if s.starts_with('[') && bracket_end + 1 < s.len() && s.as_bytes().get(bracket_end + 1) == Some(&b':') {
+    candidate_hash: Option<u64>,
-            let host = &s[1..bracket_end];
+    candidate_hits: u8,
-            let port_str = &s[bracket_end + 2..];
+    applied_hash: Option<u64>,
-            let ip = host.parse::<IpAddr>().ok()?;
+}
-            let port = port_str.parse::<u16>().ok()?;
+
-            return Some((ip, port));
+impl StableSnapshot {
    fn observe(&mut self, hash: u64) -> u8 {
        if self.candidate_hash == Some(hash) {
            self.candidate_hits = self.candidate_hits.saturating_add(1);
        } else {
            self.candidate_hash = Some(hash);
            self.candidate_hits = 1;
        }
        self.candidate_hits
    }
    fn is_applied(&self, hash: u64) -> bool {
        self.applied_hash == Some(hash)
    }
    fn mark_applied(&mut self, hash: u64) {
        self.applied_hash = Some(hash);
    }
 }
 #[derive(Debug, Default)]
 struct UpdaterState {
    config_v4: StableSnapshot,
    config_v6: StableSnapshot,
    secret: StableSnapshot,
    last_map_apply_at: Option<tokio::time::Instant>,
 }
 fn hash_proxy_config(cfg: &ProxyConfigData) -> u64 {
    let mut hasher = DefaultHasher::new();
    cfg.default_dc.hash(&mut hasher);
    let mut by_dc: Vec<(i32, Vec<(IpAddr, u16)>)> =
        cfg.map.iter().map(|(dc, addrs)| (*dc, addrs.clone())).collect();
    by_dc.sort_by_key(|(dc, _)| *dc);
    for (dc, mut addrs) in by_dc {
        dc.hash(&mut hasher);
        addrs.sort_unstable();
        for (ip, port) in addrs {
            ip.hash(&mut hasher);
            port.hash(&mut hasher);
        }
    }
    hasher.finish()
 }
 fn hash_secret(secret: &[u8]) -> u64 {
    let mut hasher = DefaultHasher::new();
    secret.hash(&mut hasher);
    hasher.finish()
 }
 fn map_apply_cooldown_ready(
    last_applied: Option<tokio::time::Instant>,
    cooldown: Duration,
 ) -> bool {
    if cooldown.is_zero() {
        return true;
    }
    match last_applied {
        Some(ts) => ts.elapsed() >= cooldown,
        None => true,
    }
 }
 fn map_apply_cooldown_remaining_secs(
    last_applied: tokio::time::Instant,
    cooldown: Duration,
 ) -> u64 {
    if cooldown.is_zero() {
        return 0;
    }
    cooldown
        .checked_sub(last_applied.elapsed())
        .map(|d| d.as_secs())
        .unwrap_or(0)
 }
 fn parse_host_port(s: &str) -> Option<(IpAddr, u16)> {
    if let Some(bracket_end) = s.rfind(']')
        && s.starts_with('[')
        && bracket_end + 1 < s.len()
        && s.as_bytes().get(bracket_end + 1) == Some(&b':')
    {
        let host = &s[1..bracket_end];
        let port_str = &s[bracket_end + 2..];
        let ip = host.parse::<IpAddr>().ok()?;
        let port = port_str.parse::<u16>().ok()?;
        return Some((ip, port));
    }
    let idx = s.rfind(':')?;
@@ -84,20 +173,18 @@ pub async fn fetch_proxy_config(url: &str) -> Result<ProxyConfigData> {
        .map_err(|e| crate::error::ProxyError::Proxy(format!("fetch_proxy_config GET failed: {e}")))?
        ;
-    if let Some(date) = resp.headers().get(reqwest::header::DATE) {
+    if let Some(date) = resp.headers().get(reqwest::header::DATE)
-        if let Ok(date_str) = date.to_str() {
+        && let Ok(date_str) = date.to_str()
-            if let Ok(server_time) = httpdate::parse_http_date(date_str) {
+        && let Ok(server_time) = httpdate::parse_http_date(date_str)
-                if let Ok(skew) = SystemTime::now().duration_since(server_time).or_else(|e| {
+        && let Ok(skew) = SystemTime::now().duration_since(server_time).or_else(|e| {
-                    server_time.duration_since(SystemTime::now()).map_err(|_| e)
+            server_time.duration_since(SystemTime::now()).map_err(|_| e)
-                }) {
+        })
-                    let skew_secs = skew.as_secs();
+    {
-                    if skew_secs > 60 {
+        let skew_secs = skew.as_secs();
-                        warn!(skew_secs, "Time skew >60s detected from fetch_proxy_config Date header");
+        if skew_secs > 60 {
-                    } else if skew_secs > 30 {
+            warn!(skew_secs, "Time skew >60s detected from fetch_proxy_config Date header");
-                        warn!(skew_secs, "Time skew >30s detected from fetch_proxy_config Date header");
+        } else if skew_secs > 30 {
-                    }
+            warn!(skew_secs, "Time skew >30s detected from fetch_proxy_config Date header");
                }
            }
        }
    }
@@ -130,57 +217,151 @@ pub async fn fetch_proxy_config(url: &str) -> Result<ProxyConfigData> {
    Ok(ProxyConfigData { map, default_dc })
 }
-async fn run_update_cycle(pool: &Arc<MePool>, rng: &Arc<SecureRandom>, cfg: &ProxyConfig) {
+async fn run_update_cycle(
    pool: &Arc<MePool>,
    rng: &Arc<SecureRandom>,
    cfg: &ProxyConfig,
    state: &mut UpdaterState,
 ) {
    pool.update_runtime_reinit_policy(
        cfg.general.hardswap,
        cfg.general.me_pool_drain_ttl_secs,
        cfg.general.effective_me_pool_force_close_secs(),
        cfg.general.me_pool_min_fresh_ratio,
        cfg.general.me_hardswap_warmup_delay_min_ms,
        cfg.general.me_hardswap_warmup_delay_max_ms,
        cfg.general.me_hardswap_warmup_extra_passes,
        cfg.general.me_hardswap_warmup_pass_backoff_base_ms,
    );
    let required_cfg_snapshots = cfg.general.me_config_stable_snapshots.max(1);
    let required_secret_snapshots = cfg.general.proxy_secret_stable_snapshots.max(1);
    let apply_cooldown = Duration::from_secs(cfg.general.me_config_apply_cooldown_secs);
    let mut maps_changed = false;
-    // Update proxy config v4
+    let mut ready_v4: Option<(ProxyConfigData, u64)> = None;
    let cfg_v4 = retry_fetch("https://core.telegram.org/getProxyConfig").await;
    if let Some(cfg_v4) = cfg_v4 {
-        let changed = pool.update_proxy_maps(cfg_v4.map.clone(), None).await;
+        let cfg_v4_hash = hash_proxy_config(&cfg_v4);
-        if let Some(dc) = cfg_v4.default_dc {
+        let stable_hits = state.config_v4.observe(cfg_v4_hash);
-            pool.default_dc
+        if stable_hits < required_cfg_snapshots {
-                .store(dc, std::sync::atomic::Ordering::Relaxed);
+            debug!(
-        }
+                stable_hits,
-        if changed {
+                required_cfg_snapshots,
-            maps_changed = true;
+                snapshot = format_args!("0x{cfg_v4_hash:016x}"),
-            info!("ME config updated (v4)");
+                "ME config v4 candidate observed"
            );
        } else if state.config_v4.is_applied(cfg_v4_hash) {
            debug!(
                snapshot = format_args!("0x{cfg_v4_hash:016x}"),
                "ME config v4 stable snapshot already applied"
            );
        } else {
-            debug!("ME config v4 unchanged");
+            ready_v4 = Some((cfg_v4, cfg_v4_hash));
        }
    }
-    // Update proxy config v6 (optional)
+    let mut ready_v6: Option<(ProxyConfigData, u64)> = None;
    let cfg_v6 = retry_fetch("https://core.telegram.org/getProxyConfigV6").await;
    if let Some(cfg_v6) = cfg_v6 {
-        let changed = pool.update_proxy_maps(HashMap::new(), Some(cfg_v6.map)).await;
+        let cfg_v6_hash = hash_proxy_config(&cfg_v6);
-        if changed {
+        let stable_hits = state.config_v6.observe(cfg_v6_hash);
-            maps_changed = true;
+        if stable_hits < required_cfg_snapshots {
-            info!("ME config updated (v6)");
+            debug!(
                stable_hits,
                required_cfg_snapshots,
                snapshot = format_args!("0x{cfg_v6_hash:016x}"),
                "ME config v6 candidate observed"
            );
        } else if state.config_v6.is_applied(cfg_v6_hash) {
            debug!(
                snapshot = format_args!("0x{cfg_v6_hash:016x}"),
                "ME config v6 stable snapshot already applied"
            );
        } else {
-            debug!("ME config v6 unchanged");
+            ready_v6 = Some((cfg_v6, cfg_v6_hash));
        }
    }
    if ready_v4.is_some() || ready_v6.is_some() {
        if map_apply_cooldown_ready(state.last_map_apply_at, apply_cooldown) {
            let update_v4 = ready_v4
                .as_ref()
                .map(|(snapshot, _)| snapshot.map.clone())
                .unwrap_or_default();
            let update_v6 = ready_v6
                .as_ref()
                .map(|(snapshot, _)| snapshot.map.clone());
            let changed = pool.update_proxy_maps(update_v4, update_v6).await;
            if let Some((snapshot, hash)) = ready_v4 {
                if let Some(dc) = snapshot.default_dc {
                    pool.default_dc
                        .store(dc, std::sync::atomic::Ordering::Relaxed);
                }
                state.config_v4.mark_applied(hash);
            }
            if let Some((_snapshot, hash)) = ready_v6 {
                state.config_v6.mark_applied(hash);
            }
            state.last_map_apply_at = Some(tokio::time::Instant::now());
            if changed {
                maps_changed = true;
                info!("ME config update applied after stable-gate");
            } else {
                debug!("ME config stable-gate applied with no map delta");
            }
        } else if let Some(last) = state.last_map_apply_at {
            let wait_secs = map_apply_cooldown_remaining_secs(last, apply_cooldown);
            debug!(
                wait_secs,
                "ME config stable snapshot deferred by cooldown"
            );
        }
    }
    if maps_changed {
-        let drain_timeout = if cfg.general.me_reinit_drain_timeout_secs == 0 {
+        pool.zero_downtime_reinit_after_map_change(rng.as_ref())
            None
        } else {
            Some(Duration::from_secs(cfg.general.me_reinit_drain_timeout_secs))
        };
        pool.zero_downtime_reinit_after_map_change(rng.as_ref(), drain_timeout)
            .await;
    }
    pool.reset_stun_state();
-    // Update proxy-secret
+    if cfg.general.proxy_secret_rotate_runtime {
-    match download_proxy_secret().await {
+        match download_proxy_secret_with_max_len(cfg.general.proxy_secret_len_max).await {
-        Ok(secret) => {
+            Ok(secret) => {
-            if pool.update_secret(secret).await {
+                let secret_hash = hash_secret(&secret);
-                info!("proxy-secret updated and pool reconnect scheduled");
+                let stable_hits = state.secret.observe(secret_hash);
                if stable_hits < required_secret_snapshots {
                    debug!(
                        stable_hits,
                        required_secret_snapshots,
                        snapshot = format_args!("0x{secret_hash:016x}"),
                        "proxy-secret candidate observed"
                    );
                } else if state.secret.is_applied(secret_hash) {
                    debug!(
                        snapshot = format_args!("0x{secret_hash:016x}"),
                        "proxy-secret stable snapshot already applied"
                    );
                } else {
                    let rotated = pool.update_secret(secret).await;
                    state.secret.mark_applied(secret_hash);
                    if rotated {
                        info!("proxy-secret rotated after stable-gate");
                    } else {
                        debug!("proxy-secret stable snapshot confirmed as unchanged");
                    }
                }
            }
            Err(e) => warn!(error = %e, "proxy-secret update failed"),
        }
-        Err(e) => warn!(error = %e, "proxy-secret update failed"),
+    } else {
        debug!("proxy-secret runtime rotation disabled by config");
    }
 }
@@ -189,6 +370,7 @@ pub async fn me_config_updater(
    rng: Arc<SecureRandom>,
    mut config_rx: watch::Receiver<Arc<ProxyConfig>>,
 ) {
    let mut state = UpdaterState::default();
    let mut update_every_secs = config_rx
        .borrow()
        .general
@@ -205,7 +387,7 @@ pub async fn me_config_updater(
        tokio::select! {
            _ = &mut sleep => {
                let cfg = config_rx.borrow().clone();
-                run_update_cycle(&pool, &rng, cfg.as_ref()).await;
+                run_update_cycle(&pool, &rng, cfg.as_ref(), &mut state).await;
                let refreshed_secs = cfg.general.effective_update_every_secs().max(1);
                if refreshed_secs != update_every_secs {
                    info!(
@@ -224,6 +406,16 @@ pub async fn me_config_updater(
                    break;
                }
                let cfg = config_rx.borrow().clone();
                pool.update_runtime_reinit_policy(
                    cfg.general.hardswap,
                    cfg.general.me_pool_drain_ttl_secs,
                    cfg.general.effective_me_pool_force_close_secs(),
                    cfg.general.me_pool_min_fresh_ratio,
                    cfg.general.me_hardswap_warmup_delay_min_ms,
                    cfg.general.me_hardswap_warmup_delay_max_ms,
                    cfg.general.me_hardswap_warmup_extra_passes,
                    cfg.general.me_hardswap_warmup_pass_backoff_base_ms,
                );
                let new_secs = cfg.general.effective_update_every_secs().max(1);
                if new_secs == update_every_secs {
                    continue;
@@ -237,7 +429,7 @@ pub async fn me_config_updater(
                    );
                    update_every_secs = new_secs;
                    update_every = Duration::from_secs(update_every_secs);
-                    run_update_cycle(&pool, &rng, cfg.as_ref()).await;
+                    run_update_cycle(&pool, &rng, cfg.as_ref(), &mut state).await;
                    next_tick = tokio::time::Instant::now() + update_every;
                } else {
                    info!(
--- a/src/transport/middle_proxy/handshake.rs
+++ b/src/transport/middle_proxy/handshake.rs
@@ -47,21 +47,21 @@ impl MePool {
    pub(crate) async fn connect_tcp(&self, addr: SocketAddr) -> Result<(TcpStream, f64)> {
        let start = Instant::now();
        let connect_fut = async {
-            if addr.is_ipv6() {
+            if addr.is_ipv6()
-                if let Some(v6) = self.detected_ipv6 {
+                && let Some(v6) = self.detected_ipv6
-                    match TcpSocket::new_v6() {
+            {
-                        Ok(sock) => {
+                match TcpSocket::new_v6() {
-                            if let Err(e) = sock.bind(SocketAddr::new(IpAddr::V6(v6), 0)) {
+                    Ok(sock) => {
-                                debug!(error = %e, bind_ip = %v6, "ME IPv6 bind failed, falling back to default bind");
+                        if let Err(e) = sock.bind(SocketAddr::new(IpAddr::V6(v6), 0)) {
-                            } else {
+                            debug!(error = %e, bind_ip = %v6, "ME IPv6 bind failed, falling back to default bind");
-                                match sock.connect(addr).await {
+                        } else {
-                                    Ok(stream) => return Ok(stream),
+                            match sock.connect(addr).await {
-                                    Err(e) => debug!(error = %e, target = %addr, "ME IPv6 bound connect failed, retrying default connect"),
+                                Ok(stream) => return Ok(stream),
-                                }
+                                Err(e) => debug!(error = %e, target = %addr, "ME IPv6 bound connect failed, retrying default connect"),
                            }
                        }
                        Err(e) => debug!(error = %e, "ME IPv6 socket creation failed, falling back to default connect"),
                    }
                    Err(e) => debug!(error = %e, "ME IPv6 socket creation failed, falling back to default connect"),
                }
            }
            TcpStream::connect(addr).await
--- a/src/transport/middle_proxy/health.rs
+++ b/src/transport/middle_proxy/health.rs
@@ -1,10 +1,9 @@
-use std::collections::{HashMap, HashSet};
+use std::collections::HashMap;
 use std::net::SocketAddr;
 use std::sync::Arc;
 use std::time::{Duration, Instant};
 use tracing::{debug, info, warn};
 use rand::seq::SliceRandom;
 use rand::Rng;
 use crate::crypto::SecureRandom;
@@ -14,6 +13,7 @@ use super::MePool;
 const HEALTH_INTERVAL_SECS: u64 = 1;
 const JITTER_FRAC_NUM: u64 = 2; // jitter up to 50% of backoff
 #[allow(dead_code)]
 const MAX_CONCURRENT_PER_DC_DEFAULT: usize = 1;
 pub async fn me_health_monitor(pool: Arc<MePool>, rng: Arc<SecureRandom>, _min_connections: usize) {
@@ -63,37 +63,50 @@ async fn check_family(
        IpFamily::V4 => pool.proxy_map_v4.read().await.clone(),
        IpFamily::V6 => pool.proxy_map_v6.read().await.clone(),
    };
-    let writer_addrs: HashSet<SocketAddr> = pool
+
    let mut dc_endpoints = HashMap::<i32, Vec<SocketAddr>>::new();
    for (dc, addrs) in map {
        let entry = dc_endpoints.entry(dc.abs()).or_default();
        for (ip, port) in addrs {
            entry.push(SocketAddr::new(ip, port));
        }
    }
    for endpoints in dc_endpoints.values_mut() {
        endpoints.sort_unstable();
        endpoints.dedup();
    }
    let mut live_addr_counts = HashMap::<SocketAddr, usize>::new();
    for writer in pool
        .writers
        .read()
        .await
        .iter()
-        .map(|w| w.addr)
+        .filter(|w| !w.draining.load(std::sync::atomic::Ordering::Relaxed))
-        .collect();
+    {
        *live_addr_counts.entry(writer.addr).or_insert(0) += 1;
    }
-    let entries: Vec<(i32, Vec<SocketAddr>)> = map
+    for (dc, endpoints) in dc_endpoints {
-        .iter()
+        if endpoints.is_empty() {
        .map(|(dc, addrs)| {
            let list = addrs
                .iter()
                .map(|(ip, port)| SocketAddr::new(*ip, *port))
                .collect::<Vec<_>>();
            (*dc, list)
        })
        .collect();
    for (dc, dc_addrs) in entries {
        let has_coverage = dc_addrs.iter().any(|a| writer_addrs.contains(a));
        if has_coverage {
            continue;
        }
        let required = MePool::required_writers_for_dc(endpoints.len());
        let alive = endpoints
            .iter()
            .map(|addr| *live_addr_counts.get(addr).unwrap_or(&0))
            .sum::<usize>();
        if alive >= required {
            continue;
        }
        let missing = required - alive;
        let key = (dc, family);
        let now = Instant::now();
-        if let Some(ts) = next_attempt.get(&key) {
+        if let Some(ts) = next_attempt.get(&key)
-            if now < *ts {
+            && now < *ts
-                continue;
+        {
-            }
+            continue;
        }
        let max_concurrent = pool.me_reconnect_max_concurrent_per_dc.max(1) as usize;
@@ -102,32 +115,45 @@ async fn check_family(
        }
        *inflight.entry(key).or_insert(0) += 1;
-        let mut shuffled = dc_addrs.clone();
+        let mut restored = 0usize;
-        shuffled.shuffle(&mut rand::rng());
+        for _ in 0..missing {
-        let mut success = false;
+            let res = tokio::time::timeout(
-        for addr in shuffled {
+                pool.me_one_timeout,
-            let res = tokio::time::timeout(pool.me_one_timeout, pool.connect_one(addr, rng.as_ref())).await;
+                pool.connect_endpoints_round_robin(&endpoints, rng.as_ref()),
            )
            .await;
            match res {
-                Ok(Ok(())) => {
+                Ok(true) => {
-                    info!(%addr, dc = %dc, ?family, "ME reconnected for DC coverage");
+                    restored += 1;
                    pool.stats.increment_me_reconnect_success();
                    backoff.insert(key, pool.me_reconnect_backoff_base.as_millis() as u64);
                    let jitter = pool.me_reconnect_backoff_base.as_millis() as u64 / JITTER_FRAC_NUM;
                    let wait = pool.me_reconnect_backoff_base
                        + Duration::from_millis(rand::rng().random_range(0..=jitter.max(1)));
                    next_attempt.insert(key, now + wait);
                    success = true;
                    break;
                }
-                Ok(Err(e)) => {
+                Ok(false) => {
                    pool.stats.increment_me_reconnect_attempt();
-                    debug!(%addr, dc = %dc, error = %e, ?family, "ME reconnect failed")
+                    debug!(dc = %dc, ?family, "ME round-robin reconnect failed")
                }
                Err(_) => {
                    pool.stats.increment_me_reconnect_attempt();
                    debug!(dc = %dc, ?family, "ME reconnect timed out");
                }
                Err(_) => debug!(%addr, dc = %dc, ?family, "ME reconnect timed out"),
            }
        }
-        if !success {
+
-            pool.stats.increment_me_reconnect_attempt();
+        let now_alive = alive + restored;
        if now_alive >= required {
            info!(
                dc = %dc,
                ?family,
                alive = now_alive,
                required,
                endpoint_count = endpoints.len(),
                "ME writer floor restored for DC"
            );
            backoff.insert(key, pool.me_reconnect_backoff_base.as_millis() as u64);
            let jitter = pool.me_reconnect_backoff_base.as_millis() as u64 / JITTER_FRAC_NUM;
            let wait = pool.me_reconnect_backoff_base
                + Duration::from_millis(rand::rng().random_range(0..=jitter.max(1)));
            next_attempt.insert(key, now + wait);
        } else {
            let curr = *backoff.get(&key).unwrap_or(&(pool.me_reconnect_backoff_base.as_millis() as u64));
            let next_ms = (curr.saturating_mul(2)).min(pool.me_reconnect_backoff_cap.as_millis() as u64);
            backoff.insert(key, next_ms);
@@ -135,7 +161,15 @@ async fn check_family(
            let wait = Duration::from_millis(next_ms)
                + Duration::from_millis(rand::rng().random_range(0..=jitter.max(1)));
            next_attempt.insert(key, now + wait);
-            warn!(dc = %dc, backoff_ms = next_ms, ?family, "DC has no ME coverage, scheduled reconnect");
+            warn!(
                dc = %dc,
                ?family,
                alive = now_alive,
                required,
                endpoint_count = endpoints.len(),
                backoff_ms = next_ms,
                "DC writer floor is below required level, scheduled reconnect"
            );
        }
        if let Some(v) = inflight.get_mut(&key) {
            *v = v.saturating_sub(1);
--- a/src/transport/middle_proxy/mod.rs
+++ b/src/transport/middle_proxy/mod.rs
@@ -17,8 +17,10 @@ mod wire;
 use bytes::Bytes;
 pub use health::me_health_monitor;
 #[allow(unused_imports)]
 pub use ping::{run_me_ping, format_sample_line, MePingReport, MePingSample, MePingFamily};
 pub use pool::MePool;
 #[allow(unused_imports)]
 pub use pool_nat::{stun_probe, detect_public_ip};
 pub use registry::ConnRegistry;
 pub use secret::fetch_proxy_secret;
--- a/src/transport/middle_proxy/ping.rs
+++ b/src/transport/middle_proxy/ping.rs
@@ -24,6 +24,7 @@ pub struct MePingSample {
 }
 #[derive(Debug, Clone)]
 #[allow(dead_code)]
 pub struct MePingReport {
    pub dc: i32,
    pub family: MePingFamily,
--- a/src/transport/middle_proxy/pool.rs
+++ b/src/transport/middle_proxy/pool.rs
@@ -1,14 +1,14 @@
 use std::collections::{HashMap, HashSet};
 use std::net::{IpAddr, Ipv6Addr, SocketAddr};
 use std::sync::Arc;
-use std::sync::atomic::{AtomicBool, AtomicI32, AtomicU64, AtomicUsize, Ordering};
+use std::sync::atomic::{AtomicBool, AtomicI32, AtomicU32, AtomicU64, AtomicUsize, Ordering};
 use bytes::BytesMut;
 use rand::Rng;
 use rand::seq::SliceRandom;
 use tokio::sync::{Mutex, RwLock, mpsc, Notify};
 use tokio_util::sync::CancellationToken;
 use tracing::{debug, info, warn};
-use std::time::{Duration, Instant};
+use std::time::{Duration, Instant, SystemTime, UNIX_EPOCH};
 use crate::crypto::SecureRandom;
 use crate::error::{ProxyError, Result};
@@ -27,12 +27,16 @@ const ME_ACTIVE_PING_JITTER_SECS: i64 = 5;
 pub struct MeWriter {
    pub id: u64,
    pub addr: SocketAddr,
    pub generation: u64,
    pub tx: mpsc::Sender<WriterCommand>,
    pub cancel: CancellationToken,
    pub degraded: Arc<AtomicBool>,
    pub draining: Arc<AtomicBool>,
    pub draining_started_at_epoch_secs: Arc<AtomicU64>,
    pub allow_drain_fallback: Arc<AtomicBool>,
 }
 #[allow(dead_code)]
 pub struct MePool {
    pub(super) registry: Arc<ConnRegistry>,
    pub(super) writers: Arc<RwLock<Vec<MeWriter>>>,
@@ -71,8 +75,18 @@ pub struct MePool {
    pub(super) rtt_stats: Arc<Mutex<HashMap<u64, (f64, f64)>>>,
    pub(super) nat_reflection_cache: Arc<Mutex<NatReflectionCache>>,
    pub(super) writer_available: Arc<Notify>,
    pub(super) refill_inflight: Arc<Mutex<HashSet<SocketAddr>>>,
    pub(super) conn_count: AtomicUsize,
    pub(super) stats: Arc<crate::stats::Stats>,
    pub(super) generation: AtomicU64,
    pub(super) hardswap: AtomicBool,
    pub(super) me_pool_drain_ttl_secs: AtomicU64,
    pub(super) me_pool_force_close_secs: AtomicU64,
    pub(super) me_pool_min_fresh_ratio_permille: AtomicU32,
    pub(super) me_hardswap_warmup_delay_min_ms: AtomicU64,
    pub(super) me_hardswap_warmup_delay_max_ms: AtomicU64,
    pub(super) me_hardswap_warmup_extra_passes: AtomicU32,
    pub(super) me_hardswap_warmup_pass_backoff_base_ms: AtomicU64,
    pool_size: usize,
 }
@@ -83,6 +97,22 @@ pub struct NatReflectionCache {
 }
 impl MePool {
    fn ratio_to_permille(ratio: f32) -> u32 {
        let clamped = ratio.clamp(0.0, 1.0);
        (clamped * 1000.0).round() as u32
    }
    fn permille_to_ratio(permille: u32) -> f32 {
        (permille.min(1000) as f32) / 1000.0
    }
    fn now_epoch_secs() -> u64 {
        SystemTime::now()
            .duration_since(UNIX_EPOCH)
            .unwrap_or_default()
            .as_secs()
    }
    pub fn new(
        proxy_tag: Option<Vec<u8>>,
        proxy_secret: Vec<u8>,
@@ -110,6 +140,14 @@ impl MePool {
        me_reconnect_backoff_base_ms: u64,
        me_reconnect_backoff_cap_ms: u64,
        me_reconnect_fast_retry_count: u32,
        hardswap: bool,
        me_pool_drain_ttl_secs: u64,
        me_pool_force_close_secs: u64,
        me_pool_min_fresh_ratio: f32,
        me_hardswap_warmup_delay_min_ms: u64,
        me_hardswap_warmup_delay_max_ms: u64,
        me_hardswap_warmup_extra_passes: u8,
        me_hardswap_warmup_pass_backoff_base_ms: u64,
    ) -> Arc<Self> {
        Arc::new(Self {
            registry: Arc::new(ConnRegistry::new()),
@@ -151,7 +189,17 @@ impl MePool {
            rtt_stats: Arc::new(Mutex::new(HashMap::new())),
            nat_reflection_cache: Arc::new(Mutex::new(NatReflectionCache::default())),
            writer_available: Arc::new(Notify::new()),
            refill_inflight: Arc::new(Mutex::new(HashSet::new())),
            conn_count: AtomicUsize::new(0),
            generation: AtomicU64::new(1),
            hardswap: AtomicBool::new(hardswap),
            me_pool_drain_ttl_secs: AtomicU64::new(me_pool_drain_ttl_secs),
            me_pool_force_close_secs: AtomicU64::new(me_pool_force_close_secs),
            me_pool_min_fresh_ratio_permille: AtomicU32::new(Self::ratio_to_permille(me_pool_min_fresh_ratio)),
            me_hardswap_warmup_delay_min_ms: AtomicU64::new(me_hardswap_warmup_delay_min_ms),
            me_hardswap_warmup_delay_max_ms: AtomicU64::new(me_hardswap_warmup_delay_max_ms),
            me_hardswap_warmup_extra_passes: AtomicU32::new(me_hardswap_warmup_extra_passes as u32),
            me_hardswap_warmup_pass_backoff_base_ms: AtomicU64::new(me_hardswap_warmup_pass_backoff_base_ms),
        })
    }
@@ -159,6 +207,37 @@ impl MePool {
        self.proxy_tag.is_some()
    }
    pub fn current_generation(&self) -> u64 {
        self.generation.load(Ordering::Relaxed)
    }
    pub fn update_runtime_reinit_policy(
        &self,
        hardswap: bool,
        drain_ttl_secs: u64,
        force_close_secs: u64,
        min_fresh_ratio: f32,
        hardswap_warmup_delay_min_ms: u64,
        hardswap_warmup_delay_max_ms: u64,
        hardswap_warmup_extra_passes: u8,
        hardswap_warmup_pass_backoff_base_ms: u64,
    ) {
        self.hardswap.store(hardswap, Ordering::Relaxed);
        self.me_pool_drain_ttl_secs.store(drain_ttl_secs, Ordering::Relaxed);
        self.me_pool_force_close_secs
            .store(force_close_secs, Ordering::Relaxed);
        self.me_pool_min_fresh_ratio_permille
            .store(Self::ratio_to_permille(min_fresh_ratio), Ordering::Relaxed);
        self.me_hardswap_warmup_delay_min_ms
            .store(hardswap_warmup_delay_min_ms, Ordering::Relaxed);
        self.me_hardswap_warmup_delay_max_ms
            .store(hardswap_warmup_delay_max_ms, Ordering::Relaxed);
        self.me_hardswap_warmup_extra_passes
            .store(hardswap_warmup_extra_passes as u32, Ordering::Relaxed);
        self.me_hardswap_warmup_pass_backoff_base_ms
            .store(hardswap_warmup_pass_backoff_base_ms, Ordering::Relaxed);
    }
    pub fn reset_stun_state(&self) {
        self.nat_probe_attempts.store(0, Ordering::Relaxed);
        self.nat_probe_disabled.store(false, Ordering::Relaxed);
@@ -177,6 +256,42 @@ impl MePool {
        self.writers.clone()
    }
    fn force_close_timeout(&self) -> Option<Duration> {
        let secs = self.me_pool_force_close_secs.load(Ordering::Relaxed);
        if secs == 0 {
            None
        } else {
            Some(Duration::from_secs(secs))
        }
    }
    fn coverage_ratio(
        desired_by_dc: &HashMap<i32, HashSet<SocketAddr>>,
        active_writer_addrs: &HashSet<SocketAddr>,
    ) -> (f32, Vec<i32>) {
        if desired_by_dc.is_empty() {
            return (1.0, Vec::new());
        }
        let mut missing_dc = Vec::<i32>::new();
        let mut covered = 0usize;
        for (dc, endpoints) in desired_by_dc {
            if endpoints.is_empty() {
                continue;
            }
            if endpoints.iter().any(|addr| active_writer_addrs.contains(addr)) {
                covered += 1;
            } else {
                missing_dc.push(*dc);
            }
        }
        missing_dc.sort_unstable();
        let total = desired_by_dc.len().max(1);
        let ratio = (covered as f32) / (total as f32);
        (ratio, missing_dc)
    }
    pub async fn reconcile_connections(self: &Arc<Self>, rng: &SecureRandom) {
        let writers = self.writers.read().await;
        let current: HashSet<SocketAddr> = writers
@@ -235,43 +350,251 @@ impl MePool {
        out
    }
    pub(super) fn required_writers_for_dc(endpoint_count: usize) -> usize {
        endpoint_count.max(3)
    }
    fn hardswap_warmup_connect_delay_ms(&self) -> u64 {
        let min_ms = self
            .me_hardswap_warmup_delay_min_ms
            .load(Ordering::Relaxed);
        let max_ms = self
            .me_hardswap_warmup_delay_max_ms
            .load(Ordering::Relaxed);
        let (min_ms, max_ms) = if min_ms <= max_ms {
            (min_ms, max_ms)
        } else {
            (max_ms, min_ms)
        };
        if min_ms == max_ms {
            return min_ms;
        }
        rand::rng().random_range(min_ms..=max_ms)
    }
    fn hardswap_warmup_backoff_ms(&self, pass_idx: usize) -> u64 {
        let base_ms = self
            .me_hardswap_warmup_pass_backoff_base_ms
            .load(Ordering::Relaxed);
        let cap_ms = (self.me_reconnect_backoff_cap.as_millis() as u64).max(base_ms);
        let shift = (pass_idx as u32).min(20);
        let scaled = base_ms.saturating_mul(1u64 << shift);
        let core = scaled.min(cap_ms);
        let jitter = (core / 2).max(1);
        core.saturating_add(rand::rng().random_range(0..=jitter))
    }
    async fn fresh_writer_count_for_endpoints(
        &self,
        generation: u64,
        endpoints: &HashSet<SocketAddr>,
    ) -> usize {
        let ws = self.writers.read().await;
        ws.iter()
            .filter(|w| !w.draining.load(Ordering::Relaxed))
            .filter(|w| w.generation == generation)
            .filter(|w| endpoints.contains(&w.addr))
            .count()
    }
    pub(super) async fn connect_endpoints_round_robin(
        self: &Arc<Self>,
        endpoints: &[SocketAddr],
        rng: &SecureRandom,
    ) -> bool {
        if endpoints.is_empty() {
            return false;
        }
        let start = (self.rr.fetch_add(1, Ordering::Relaxed) as usize) % endpoints.len();
        for offset in 0..endpoints.len() {
            let idx = (start + offset) % endpoints.len();
            let addr = endpoints[idx];
            match self.connect_one(addr, rng).await {
                Ok(()) => return true,
                Err(e) => debug!(%addr, error = %e, "ME connect failed during round-robin warmup"),
            }
        }
        false
    }
    async fn warmup_generation_for_all_dcs(
        self: &Arc<Self>,
        rng: &SecureRandom,
        generation: u64,
        desired_by_dc: &HashMap<i32, HashSet<SocketAddr>>,
    ) {
        let extra_passes = self
            .me_hardswap_warmup_extra_passes
            .load(Ordering::Relaxed)
            .min(10) as usize;
        let total_passes = 1 + extra_passes;
        for (dc, endpoints) in desired_by_dc {
            if endpoints.is_empty() {
                continue;
            }
            let mut endpoint_list: Vec<SocketAddr> = endpoints.iter().copied().collect();
            endpoint_list.sort_unstable();
            let required = Self::required_writers_for_dc(endpoint_list.len());
            let mut completed = false;
            let mut last_fresh_count = self
                .fresh_writer_count_for_endpoints(generation, endpoints)
                .await;
            for pass_idx in 0..total_passes {
                if last_fresh_count >= required {
                    completed = true;
                    break;
                }
                let missing = required.saturating_sub(last_fresh_count);
                debug!(
                    dc = *dc,
                    pass = pass_idx + 1,
                    total_passes,
                    fresh_count = last_fresh_count,
                    required,
                    missing,
                    endpoint_count = endpoint_list.len(),
                    "ME hardswap warmup pass started"
                );
                for attempt_idx in 0..missing {
                    let delay_ms = self.hardswap_warmup_connect_delay_ms();
                    tokio::time::sleep(Duration::from_millis(delay_ms)).await;
                    let connected = self.connect_endpoints_round_robin(&endpoint_list, rng).await;
                    debug!(
                        dc = *dc,
                        pass = pass_idx + 1,
                        total_passes,
                        attempt = attempt_idx + 1,
                        delay_ms,
                        connected,
                        "ME hardswap warmup connect attempt finished"
                    );
                }
                last_fresh_count = self
                    .fresh_writer_count_for_endpoints(generation, endpoints)
                    .await;
                if last_fresh_count >= required {
                    completed = true;
                    info!(
                        dc = *dc,
                        pass = pass_idx + 1,
                        total_passes,
                        fresh_count = last_fresh_count,
                        required,
                        "ME hardswap warmup floor reached for DC"
                    );
                    break;
                }
                if pass_idx + 1 < total_passes {
                    let backoff_ms = self.hardswap_warmup_backoff_ms(pass_idx);
                    debug!(
                        dc = *dc,
                        pass = pass_idx + 1,
                        total_passes,
                        fresh_count = last_fresh_count,
                        required,
                        backoff_ms,
                        "ME hardswap warmup pass incomplete, delaying next pass"
                    );
                    tokio::time::sleep(Duration::from_millis(backoff_ms)).await;
                }
            }
            if !completed {
                warn!(
                    dc = *dc,
                    fresh_count = last_fresh_count,
                    required,
                    endpoint_count = endpoint_list.len(),
                    total_passes,
                    "ME warmup stopped: unable to reach required writer floor for DC"
                );
            }
        }
    }
    pub async fn zero_downtime_reinit_after_map_change(
        self: &Arc<Self>,
        rng: &SecureRandom,
        drain_timeout: Option<Duration>,
    ) {
        // Stage 1: prewarm writers for new endpoint maps before draining old ones.
        self.reconcile_connections(rng).await;
        let desired_by_dc = self.desired_dc_endpoints().await;
        if desired_by_dc.is_empty() {
-            warn!("ME endpoint map is empty after update; skipping stale writer drain");
+            warn!("ME endpoint map is empty; skipping stale writer drain");
            return;
        }
        let previous_generation = self.current_generation();
        let generation = self.generation.fetch_add(1, Ordering::Relaxed) + 1;
        let hardswap = self.hardswap.load(Ordering::Relaxed);
        if hardswap {
            self.warmup_generation_for_all_dcs(rng, generation, &desired_by_dc)
                .await;
        } else {
            self.reconcile_connections(rng).await;
        }
        let writers = self.writers.read().await;
        let active_writer_addrs: HashSet<SocketAddr> = writers
            .iter()
            .filter(|w| !w.draining.load(Ordering::Relaxed))
            .map(|w| w.addr)
            .collect();
-
+        let min_ratio = Self::permille_to_ratio(
-        let mut missing_dc = Vec::<i32>::new();
+            self.me_pool_min_fresh_ratio_permille
-        for (dc, endpoints) in &desired_by_dc {
+                .load(Ordering::Relaxed),
-            if endpoints.is_empty() {
+        );
-                continue;
+        let (coverage_ratio, missing_dc) = Self::coverage_ratio(&desired_by_dc, &active_writer_addrs);
-            }
+        if !hardswap && coverage_ratio < min_ratio {
-            if !endpoints.iter().any(|addr| active_writer_addrs.contains(addr)) {
+            warn!(
-                missing_dc.push(*dc);
+                previous_generation,
-            }
+                generation,
                coverage_ratio = format_args!("{coverage_ratio:.3}"),
                min_ratio = format_args!("{min_ratio:.3}"),
                missing_dc = ?missing_dc,
                "ME reinit coverage below threshold; keeping stale writers"
            );
            return;
        }
-        if !missing_dc.is_empty() {
+        if hardswap {
-            missing_dc.sort_unstable();
+            let mut fresh_missing_dc = Vec::<(i32, usize, usize)>::new();
            for (dc, endpoints) in &desired_by_dc {
                if endpoints.is_empty() {
                    continue;
                }
                let required = Self::required_writers_for_dc(endpoints.len());
                let fresh_count = writers
                    .iter()
                    .filter(|w| !w.draining.load(Ordering::Relaxed))
                    .filter(|w| w.generation == generation)
                    .filter(|w| endpoints.contains(&w.addr))
                    .count();
                if fresh_count < required {
                    fresh_missing_dc.push((*dc, fresh_count, required));
                }
            }
            if !fresh_missing_dc.is_empty() {
                warn!(
                    previous_generation,
                    generation,
                    missing_dc = ?fresh_missing_dc,
                    "ME hardswap pending: fresh generation coverage incomplete"
                );
                return;
            }
        } else if !missing_dc.is_empty() {
            warn!(
                missing_dc = ?missing_dc,
                // Keep stale writers alive when fresh coverage is incomplete.
-                "ME reinit coverage incomplete after map update; keeping stale writers"
+                "ME reinit coverage incomplete; keeping stale writers"
            );
            return;
        }
@@ -284,28 +607,169 @@ impl MePool {
        let stale_writer_ids: Vec<u64> = writers
            .iter()
            .filter(|w| !w.draining.load(Ordering::Relaxed))
-            .filter(|w| !desired_addrs.contains(&w.addr))
+            .filter(|w| {
                if hardswap {
                    w.generation < generation
                } else {
                    !desired_addrs.contains(&w.addr)
                }
            })
            .map(|w| w.id)
            .collect();
        drop(writers);
        if stale_writer_ids.is_empty() {
-            debug!("ME map update completed with no stale writers");
+            debug!("ME reinit cycle completed with no stale writers");
            return;
        }
        let drain_timeout = self.force_close_timeout();
        let drain_timeout_secs = drain_timeout.map(|d| d.as_secs()).unwrap_or(0);
        info!(
            stale_writers = stale_writer_ids.len(),
            previous_generation,
            generation,
            hardswap,
            coverage_ratio = format_args!("{coverage_ratio:.3}"),
            min_ratio = format_args!("{min_ratio:.3}"),
            drain_timeout_secs,
-            "ME map update covered; draining stale writers"
+            "ME reinit cycle covered; draining stale writers"
        );
        self.stats.increment_pool_swap_total();
        for writer_id in stale_writer_ids {
-            self.mark_writer_draining_with_timeout(writer_id, drain_timeout)
+            self.mark_writer_draining_with_timeout(writer_id, drain_timeout, !hardswap)
                .await;
        }
    }
    pub async fn zero_downtime_reinit_periodic(
        self: &Arc<Self>,
        rng: &SecureRandom,
    ) {
        self.zero_downtime_reinit_after_map_change(rng).await;
    }
    async fn endpoints_for_same_dc(&self, addr: SocketAddr) -> Vec<SocketAddr> {
        let mut target_dc = HashSet::<i32>::new();
        let mut endpoints = HashSet::<SocketAddr>::new();
        if self.decision.ipv4_me {
            let map = self.proxy_map_v4.read().await.clone();
            for (dc, addrs) in &map {
                if addrs
                    .iter()
                    .any(|(ip, port)| SocketAddr::new(*ip, *port) == addr)
                {
                    target_dc.insert(dc.abs());
                }
            }
            for dc in &target_dc {
                for key in [*dc, -*dc] {
                    if let Some(addrs) = map.get(&key) {
                        for (ip, port) in addrs {
                            endpoints.insert(SocketAddr::new(*ip, *port));
                        }
                    }
                }
            }
        }
        if self.decision.ipv6_me {
            let map = self.proxy_map_v6.read().await.clone();
            for (dc, addrs) in &map {
                if addrs
                    .iter()
                    .any(|(ip, port)| SocketAddr::new(*ip, *port) == addr)
                {
                    target_dc.insert(dc.abs());
                }
            }
            for dc in &target_dc {
                for key in [*dc, -*dc] {
                    if let Some(addrs) = map.get(&key) {
                        for (ip, port) in addrs {
                            endpoints.insert(SocketAddr::new(*ip, *port));
                        }
                    }
                }
            }
        }
        let mut sorted: Vec<SocketAddr> = endpoints.into_iter().collect();
        sorted.sort_unstable();
        sorted
    }
    async fn refill_writer_after_loss(self: &Arc<Self>, addr: SocketAddr) -> bool {
        let fast_retries = self.me_reconnect_fast_retry_count.max(1);
        for attempt in 0..fast_retries {
            self.stats.increment_me_reconnect_attempt();
            match self.connect_one(addr, self.rng.as_ref()).await {
                Ok(()) => {
                    self.stats.increment_me_reconnect_success();
                    info!(
                        %addr,
                        attempt = attempt + 1,
                        "ME writer restored on the same endpoint"
                    );
                    return true;
                }
                Err(e) => {
                    debug!(
                        %addr,
                        attempt = attempt + 1,
                        error = %e,
                        "ME immediate same-endpoint reconnect failed"
                    );
                }
            }
        }
        let dc_endpoints = self.endpoints_for_same_dc(addr).await;
        if dc_endpoints.is_empty() {
            return false;
        }
        for attempt in 0..fast_retries {
            self.stats.increment_me_reconnect_attempt();
            if self
                .connect_endpoints_round_robin(&dc_endpoints, self.rng.as_ref())
                .await
            {
                self.stats.increment_me_reconnect_success();
                info!(
                    %addr,
                    attempt = attempt + 1,
                    "ME writer restored via DC fallback endpoint"
                );
                return true;
            }
        }
        false
    }
    pub(crate) fn trigger_immediate_refill(self: &Arc<Self>, addr: SocketAddr) {
        let pool = Arc::clone(self);
        tokio::spawn(async move {
            {
                let mut guard = pool.refill_inflight.lock().await;
                if !guard.insert(addr) {
                    return;
                }
            }
            let restored = pool.refill_writer_after_loss(addr).await;
            if !restored {
                warn!(%addr, "ME immediate refill failed");
            }
            let mut guard = pool.refill_inflight.lock().await;
            guard.remove(&addr);
        });
    }
    pub async fn update_proxy_maps(
        &self,
        new_v4: HashMap<i32, Vec<(IpAddr, u16)>>,
@@ -331,10 +795,10 @@ impl MePool {
            let mut guard = self.proxy_map_v4.write().await;
            let keys: Vec<i32> = guard.keys().cloned().collect();
            for k in keys.iter().cloned().filter(|k| *k > 0) {
-                if !guard.contains_key(&-k) {
+                if !guard.contains_key(&-k)
-                    if let Some(addrs) = guard.get(&k).cloned() {
+                    && let Some(addrs) = guard.get(&k).cloned()
-                        guard.insert(-k, addrs);
+                {
-                    }
+                    guard.insert(-k, addrs);
                }
            }
        }
@@ -342,10 +806,10 @@ impl MePool {
            let mut guard = self.proxy_map_v6.write().await;
            let keys: Vec<i32> = guard.keys().cloned().collect();
            for k in keys.iter().cloned().filter(|k| *k > 0) {
-                if !guard.contains_key(&-k) {
+                if !guard.contains_key(&-k)
-                    if let Some(addrs) = guard.get(&k).cloned() {
+                    && let Some(addrs) = guard.get(&k).cloned()
-                        guard.insert(-k, addrs);
+                {
-                    }
+                    guard.insert(-k, addrs);
                }
            }
        }
@@ -507,9 +971,12 @@ impl MePool {
        let hs = self.handshake_only(stream, addr, rng).await?;
        let writer_id = self.next_writer_id.fetch_add(1, Ordering::Relaxed);
        let generation = self.current_generation();
        let cancel = CancellationToken::new();
        let degraded = Arc::new(AtomicBool::new(false));
        let draining = Arc::new(AtomicBool::new(false));
        let draining_started_at_epoch_secs = Arc::new(AtomicU64::new(0));
        let allow_drain_fallback = Arc::new(AtomicBool::new(false));
        let (tx, mut rx) = mpsc::channel::<WriterCommand>(4096);
        let mut rpc_writer = RpcWriter {
            writer: hs.wr,
@@ -540,10 +1007,13 @@ impl MePool {
        let writer = MeWriter {
            id: writer_id,
            addr,
            generation,
            tx: tx.clone(),
            cancel: cancel.clone(),
            degraded: degraded.clone(),
            draining: draining.clone(),
            draining_started_at_epoch_secs: draining_started_at_epoch_secs.clone(),
            allow_drain_fallback: allow_drain_fallback.clone(),
        };
        self.writers.write().await.push(writer.clone());
        self.conn_count.fetch_add(1, Ordering::Relaxed);
@@ -587,13 +1057,12 @@ impl MePool {
                cancel_reader_token.clone(),
            )
            .await;
-            if let Some(pool) = pool.upgrade() {
+            if let Some(pool) = pool.upgrade()
-                if cleanup_for_reader
+                && cleanup_for_reader
                    .compare_exchange(false, true, Ordering::AcqRel, Ordering::Relaxed)
                    .is_ok()
-                {
+            {
-                    pool.remove_writer_and_close_clients(writer_id).await;
+                pool.remove_writer_and_close_clients(writer_id).await;
                }
            }
            if let Err(e) = res {
                warn!(error = %e, "ME reader ended");
@@ -661,13 +1130,12 @@ impl MePool {
                    stats_ping.increment_me_keepalive_failed();
                    debug!("ME ping failed, removing dead writer");
                    cancel_ping.cancel();
-                    if let Some(pool) = pool_ping.upgrade() {
+                    if let Some(pool) = pool_ping.upgrade()
-                        if cleanup_for_ping
+                        && cleanup_for_ping
                            .compare_exchange(false, true, Ordering::AcqRel, Ordering::Relaxed)
                            .is_ok()
-                        {
+                    {
-                            pool.remove_writer_and_close_clients(writer_id).await;
+                        pool.remove_writer_and_close_clients(writer_id).await;
                        }
                    }
                    break;
                }
@@ -709,13 +1177,21 @@ impl MePool {
        }
    }
-    async fn remove_writer_only(&self, writer_id: u64) -> Vec<BoundConn> {
+    async fn remove_writer_only(self: &Arc<Self>, writer_id: u64) -> Vec<BoundConn> {
        let mut close_tx: Option<mpsc::Sender<WriterCommand>> = None;
        let mut removed_addr: Option<SocketAddr> = None;
        let mut trigger_refill = false;
        {
            let mut ws = self.writers.write().await;
            if let Some(pos) = ws.iter().position(|w| w.id == writer_id) {
                let w = ws.remove(pos);
                let was_draining = w.draining.load(Ordering::Relaxed);
                if was_draining {
                    self.stats.decrement_pool_drain_active();
                }
                w.cancel.cancel();
                removed_addr = Some(w.addr);
                trigger_refill = !was_draining;
                close_tx = Some(w.tx.clone());
                self.conn_count.fetch_sub(1, Ordering::Relaxed);
            }
@@ -723,6 +1199,11 @@ impl MePool {
        if let Some(tx) = close_tx {
            let _ = tx.send(WriterCommand::Close).await;
        }
        if trigger_refill
            && let Some(addr) = removed_addr
        {
            self.trigger_immediate_refill(addr);
        }
        self.rtt_stats.lock().await.remove(&writer_id);
        self.registry.writer_lost(writer_id).await
    }
@@ -731,11 +1212,20 @@ impl MePool {
        self: &Arc<Self>,
        writer_id: u64,
        timeout: Option<Duration>,
        allow_drain_fallback: bool,
    ) {
        let timeout = timeout.filter(|d| !d.is_zero());
        let found = {
            let mut ws = self.writers.write().await;
            if let Some(w) = ws.iter_mut().find(|w| w.id == writer_id) {
                let already_draining = w.draining.swap(true, Ordering::Relaxed);
                w.allow_drain_fallback
                    .store(allow_drain_fallback, Ordering::Relaxed);
                w.draining_started_at_epoch_secs
                    .store(Self::now_epoch_secs(), Ordering::Relaxed);
                if !already_draining {
                    self.stats.increment_pool_drain_active();
                }
                w.draining.store(true, Ordering::Relaxed);
                true
            } else {
@@ -748,39 +1238,63 @@ impl MePool {
        }
        let timeout_secs = timeout.map(|d| d.as_secs()).unwrap_or(0);
-        debug!(writer_id, timeout_secs, "ME writer marked draining");
+        debug!(
            writer_id,
            timeout_secs,
            allow_drain_fallback,
            "ME writer marked draining"
        );
        let pool = Arc::downgrade(self);
        tokio::spawn(async move {
            let deadline = timeout.map(|t| Instant::now() + t);
-            loop {
+            while let Some(p) = pool.upgrade() {
-                if let Some(p) = pool.upgrade() {
+                if let Some(deadline_at) = deadline
-                    if let Some(deadline_at) = deadline {
+                    && Instant::now() >= deadline_at
-                        if Instant::now() >= deadline_at {
+                {
-                            warn!(writer_id, "Drain timeout, force-closing");
+                    warn!(writer_id, "Drain timeout, force-closing");
-                            let _ = p.remove_writer_and_close_clients(writer_id).await;
+                    p.stats.increment_pool_force_close_total();
-                            break;
+                    let _ = p.remove_writer_and_close_clients(writer_id).await;
                        }
                    }
                    if p.registry.is_writer_empty(writer_id).await {
                        let _ = p.remove_writer_only(writer_id).await;
                        break;
                    }
                    tokio::time::sleep(Duration::from_secs(1)).await;
                } else {
                    break;
                }
                if p.registry.is_writer_empty(writer_id).await {
                    let _ = p.remove_writer_only(writer_id).await;
                    break;
                }
                tokio::time::sleep(Duration::from_secs(1)).await;
            }
        });
    }
    pub(crate) async fn mark_writer_draining(self: &Arc<Self>, writer_id: u64) {
-        self.mark_writer_draining_with_timeout(writer_id, Some(Duration::from_secs(300)))
+        self.mark_writer_draining_with_timeout(writer_id, Some(Duration::from_secs(300)), false)
            .await;
    }
    pub(super) fn writer_accepts_new_binding(&self, writer: &MeWriter) -> bool {
        if !writer.draining.load(Ordering::Relaxed) {
            return true;
        }
        if !writer.allow_drain_fallback.load(Ordering::Relaxed) {
            return false;
        }
        let ttl_secs = self.me_pool_drain_ttl_secs.load(Ordering::Relaxed);
        if ttl_secs == 0 {
            return true;
        }
        let started = writer.draining_started_at_epoch_secs.load(Ordering::Relaxed);
        if started == 0 {
            return false;
        }
        Self::now_epoch_secs().saturating_sub(started) <= ttl_secs
    }
 }
 #[allow(dead_code)]
 fn hex_dump(data: &[u8]) -> String {
    const MAX: usize = 64;
    let mut out = String::with_capacity(data.len() * 2 + 3);
--- a/src/transport/middle_proxy/pool_nat.rs
+++ b/src/transport/middle_proxy/pool_nat.rs
@@ -1,7 +1,7 @@
 use std::net::{IpAddr, Ipv4Addr};
 use std::time::Duration;
-use tracing::{info, warn, debug};
+use tracing::{info, warn};
 use crate::error::{ProxyError, Result};
 use crate::network::probe::is_bogon;
@@ -9,11 +9,14 @@ use crate::network::stun::{stun_probe_dual, IpFamily, StunProbeResult};
 use super::MePool;
 use std::time::Instant;
 #[allow(dead_code)]
 pub async fn stun_probe(stun_addr: Option<String>) -> Result<crate::network::stun::DualStunResult> {
    let stun_addr = stun_addr.unwrap_or_else(|| "stun.l.google.com:19302".to_string());
    stun_probe_dual(&stun_addr).await
 }
 #[allow(dead_code)]
 pub async fn detect_public_ip() -> Option<IpAddr> {
    fetch_public_ipv4_with_retry().await.ok().flatten().map(IpAddr::V4)
 }
@@ -22,7 +25,7 @@ impl MePool {
    pub(super) fn translate_ip_for_nat(&self, ip: IpAddr) -> IpAddr {
        let nat_ip = self
            .nat_ip_cfg
-            .or_else(|| self.nat_ip_detected.try_read().ok().and_then(|g| (*g).clone()));
+            .or_else(|| self.nat_ip_detected.try_read().ok().and_then(|g| *g));
        let Some(nat_ip) = nat_ip else {
            return ip;
@@ -72,7 +75,7 @@ impl MePool {
            return None;
        }
-        if let Some(ip) = self.nat_ip_detected.read().await.clone() {
+        if let Some(ip) = *self.nat_ip_detected.read().await {
            return Some(ip);
        }
@@ -99,17 +102,17 @@ impl MePool {
    ) -> Option<std::net::SocketAddr> {
        const STUN_CACHE_TTL: Duration = Duration::from_secs(600);
        // Backoff window
-        if let Some(until) = *self.stun_backoff_until.read().await {
+        if let Some(until) = *self.stun_backoff_until.read().await
-            if Instant::now() < until {
+            && Instant::now() < until
-                if let Ok(cache) = self.nat_reflection_cache.try_lock() {
+        {
-                    let slot = match family {
+            if let Ok(cache) = self.nat_reflection_cache.try_lock() {
-                        IpFamily::V4 => cache.v4,
+                let slot = match family {
-                        IpFamily::V6 => cache.v6,
+                    IpFamily::V4 => cache.v4,
-                    };
+                    IpFamily::V6 => cache.v6,
-                    return slot.map(|(_, addr)| addr);
+                };
-                }
+                return slot.map(|(_, addr)| addr);
                return None;
            }
            return None;
        }
        if let Ok(mut cache) = self.nat_reflection_cache.try_lock() {
@@ -117,10 +120,10 @@ impl MePool {
                IpFamily::V4 => &mut cache.v4,
                IpFamily::V6 => &mut cache.v6,
            };
-            if let Some((ts, addr)) = slot {
+            if let Some((ts, addr)) = slot
-                if ts.elapsed() < STUN_CACHE_TTL {
+                && ts.elapsed() < STUN_CACHE_TTL
-                    return Some(*addr);
+            {
-                }
+                return Some(*addr);
            }
        }
--- a/src/transport/middle_proxy/registry.rs
+++ b/src/transport/middle_proxy/registry.rs
@@ -21,6 +21,7 @@ pub enum RouteResult {
 }
 #[derive(Clone)]
 #[allow(dead_code)]
 pub struct ConnMeta {
    pub target_dc: i16,
    pub client_addr: SocketAddr,
@@ -29,6 +30,7 @@ pub struct ConnMeta {
 }
 #[derive(Clone)]
 #[allow(dead_code)]
 pub struct BoundConn {
    pub conn_id: u64,
    pub meta: ConnMeta,
@@ -167,6 +169,7 @@ impl ConnRegistry {
        out
    }
    #[allow(dead_code)]
    pub async fn get_meta(&self, conn_id: u64) -> Option<ConnMeta> {
        let inner = self.inner.read().await;
        inner.meta.get(&conn_id).cloned()
--- a/src/transport/middle_proxy/rotation.rs
+++ b/src/transport/middle_proxy/rotation.rs
@@ -1,50 +1,87 @@
 use std::sync::Arc;
 use std::sync::atomic::Ordering;
 use std::time::Duration;
 use tokio::sync::watch;
 use tracing::{info, warn};
 use crate::config::ProxyConfig;
 use crate::crypto::SecureRandom;
 use super::MePool;
-/// Periodically refresh ME connections to avoid long-lived degradation.
+/// Periodically reinitialize ME generations and swap them after full warmup.
-pub async fn me_rotation_task(pool: Arc<MePool>, rng: Arc<SecureRandom>, interval: Duration) {
+pub async fn me_rotation_task(
-    let interval = interval.max(Duration::from_secs(600));
+    pool: Arc<MePool>,
    rng: Arc<SecureRandom>,
    mut config_rx: watch::Receiver<Arc<ProxyConfig>>,
 ) {
    let mut interval_secs = config_rx
        .borrow()
        .general
        .effective_me_reinit_every_secs()
        .max(1);
    let mut interval = Duration::from_secs(interval_secs);
    let mut next_tick = tokio::time::Instant::now() + interval;
    info!(interval_secs, "ME periodic reinit task started");
    loop {
-        tokio::time::sleep(interval).await;
+        let sleep = tokio::time::sleep_until(next_tick);
        tokio::pin!(sleep);
-        let candidate = {
+        tokio::select! {
-            let ws = pool.writers.read().await;
+            _ = &mut sleep => {
-            if ws.is_empty() {
+                pool.zero_downtime_reinit_periodic(rng.as_ref()).await;
-                None
+                let refreshed_secs = config_rx
-            } else {
+                    .borrow()
-                let idx = (pool.rr.load(std::sync::atomic::Ordering::Relaxed) as usize) % ws.len();
+                    .general
-                ws.get(idx).cloned()
+                    .effective_me_reinit_every_secs()
-            }
+                    .max(1);
-        };
+                if refreshed_secs != interval_secs {
-
+                    info!(
-        let Some(w) = candidate else {
+                        old_me_reinit_every_secs = interval_secs,
-            continue;
+                        new_me_reinit_every_secs = refreshed_secs,
-        };
+                        "ME periodic reinit interval changed"
-
+                    );
-        info!(addr = %w.addr, writer_id = w.id, "Rotating ME connection");
+                    interval_secs = refreshed_secs;
-        match pool.connect_one(w.addr, rng.as_ref()).await {
+                    interval = Duration::from_secs(interval_secs);
            Ok(()) => {
                tokio::time::sleep(Duration::from_secs(2)).await;
                let ws = pool.writers.read().await;
                let new_alive = ws.iter().any(|nw|
                    nw.id != w.id && nw.addr == w.addr && !nw.degraded.load(Ordering::Relaxed) && !nw.draining.load(Ordering::Relaxed)
                );
                drop(ws);
                if new_alive {
                    pool.mark_writer_draining(w.id).await;
                } else {
                    warn!(addr = %w.addr, writer_id = w.id, "New writer died, keeping old");
                }
                next_tick = tokio::time::Instant::now() + interval;
            }
-            Err(e) => {
+            changed = config_rx.changed() => {
-                warn!(addr = %w.addr, writer_id = w.id, error = %e, "ME rotation connect failed");
+                if changed.is_err() {
                    warn!("ME periodic reinit task stopped: config channel closed");
                    break;
                }
                let new_secs = config_rx
                    .borrow()
                    .general
                    .effective_me_reinit_every_secs()
                    .max(1);
                if new_secs == interval_secs {
                    continue;
                }
                if new_secs < interval_secs {
                    info!(
                        old_me_reinit_every_secs = interval_secs,
                        new_me_reinit_every_secs = new_secs,
                        "ME periodic reinit interval decreased, running immediate reinit"
                    );
                    interval_secs = new_secs;
                    interval = Duration::from_secs(interval_secs);
                    pool.zero_downtime_reinit_periodic(rng.as_ref()).await;
                    next_tick = tokio::time::Instant::now() + interval;
                } else {
                    info!(
                        old_me_reinit_every_secs = interval_secs,
                        new_me_reinit_every_secs = new_secs,
                        "ME periodic reinit interval increased"
                    );
                    interval_secs = new_secs;
                    interval = Duration::from_secs(interval_secs);
                    next_tick = tokio::time::Instant::now() + interval;
                }
            }
        }
    }
--- a/src/transport/middle_proxy/secret.rs
+++ b/src/transport/middle_proxy/secret.rs
@@ -1,17 +1,45 @@
 use std::time::Duration;
 use tracing::{debug, info, warn};
 use std::time::SystemTime;
 use httpdate;
 use crate::error::{ProxyError, Result};
 pub const PROXY_SECRET_MIN_LEN: usize = 32;
 pub(super) fn validate_proxy_secret_len(data_len: usize, max_len: usize) -> Result<()> {
    if max_len < PROXY_SECRET_MIN_LEN {
        return Err(ProxyError::Proxy(format!(
            "proxy-secret max length is invalid: {} bytes (must be >= {})",
            max_len,
            PROXY_SECRET_MIN_LEN
        )));
    }
    if data_len < PROXY_SECRET_MIN_LEN {
        return Err(ProxyError::Proxy(format!(
            "proxy-secret too short: {} bytes (need >= {})",
            data_len,
            PROXY_SECRET_MIN_LEN
        )));
    }
    if data_len > max_len {
        return Err(ProxyError::Proxy(format!(
            "proxy-secret too long: {} bytes (limit = {})",
            data_len,
            max_len
        )));
    }
    Ok(())
 }
 /// Fetch Telegram proxy-secret binary.
-pub async fn fetch_proxy_secret(cache_path: Option<&str>) -> Result<Vec<u8>> {
+pub async fn fetch_proxy_secret(cache_path: Option<&str>, max_len: usize) -> Result<Vec<u8>> {
    let cache = cache_path.unwrap_or("proxy-secret");
    // 1) Try fresh download first.
-    match download_proxy_secret().await {
+    match download_proxy_secret_with_max_len(max_len).await {
        Ok(data) => {
            if let Err(e) = tokio::fs::write(cache, &data).await {
                warn!(error = %e, "Failed to cache proxy-secret (non-fatal)");
@@ -26,9 +54,9 @@ pub async fn fetch_proxy_secret(cache_path: Option<&str>) -> Result<Vec<u8>> {
        }
    }
-    // 2) Fallback to cache/file regardless of age; require len>=32.
+    // 2) Fallback to cache/file regardless of age; require len in bounds.
    match tokio::fs::read(cache).await {
-        Ok(data) if data.len() >= 32 => {
+        Ok(data) if validate_proxy_secret_len(data.len(), max_len).is_ok() => {
            let age_hours = tokio::fs::metadata(cache)
                .await
                .ok()
@@ -43,17 +71,14 @@ pub async fn fetch_proxy_secret(cache_path: Option<&str>) -> Result<Vec<u8>> {
            );
            Ok(data)
        }
-        Ok(data) => Err(ProxyError::Proxy(format!(
+        Ok(data) => validate_proxy_secret_len(data.len(), max_len).map(|_| data),
            "Cached proxy-secret too short: {} bytes (need >= 32)",
            data.len()
        ))),
        Err(e) => Err(ProxyError::Proxy(format!(
            "Failed to read proxy-secret cache after download failure: {e}"
        ))),
    }
 }
-pub async fn download_proxy_secret() -> Result<Vec<u8>> {
+pub async fn download_proxy_secret_with_max_len(max_len: usize) -> Result<Vec<u8>> {
    let resp = reqwest::get("https://core.telegram.org/getProxySecret")
        .await
        .map_err(|e| ProxyError::Proxy(format!("Failed to download proxy-secret: {e}")))?;
@@ -65,20 +90,18 @@ pub async fn download_proxy_secret() -> Result<Vec<u8>> {
        )));
    }
-    if let Some(date) = resp.headers().get(reqwest::header::DATE) {
+    if let Some(date) = resp.headers().get(reqwest::header::DATE)
-        if let Ok(date_str) = date.to_str() {
+        && let Ok(date_str) = date.to_str()
-            if let Ok(server_time) = httpdate::parse_http_date(date_str) {
+        && let Ok(server_time) = httpdate::parse_http_date(date_str)
-                if let Ok(skew) = SystemTime::now().duration_since(server_time).or_else(|e| {
+        && let Ok(skew) = SystemTime::now().duration_since(server_time).or_else(|e| {
-                    server_time.duration_since(SystemTime::now()).map_err(|_| e)
+            server_time.duration_since(SystemTime::now()).map_err(|_| e)
-                }) {
+        })
-                    let skew_secs = skew.as_secs();
+    {
-                    if skew_secs > 60 {
+        let skew_secs = skew.as_secs();
-                        warn!(skew_secs, "Time skew >60s detected from proxy-secret Date header");
+        if skew_secs > 60 {
-                    } else if skew_secs > 30 {
+            warn!(skew_secs, "Time skew >60s detected from proxy-secret Date header");
-                        warn!(skew_secs, "Time skew >30s detected from proxy-secret Date header");
+        } else if skew_secs > 30 {
-                    }
+            warn!(skew_secs, "Time skew >30s detected from proxy-secret Date header");
                }
            }
        }
    }
@@ -88,12 +111,7 @@ pub async fn download_proxy_secret() -> Result<Vec<u8>> {
        .map_err(|e| ProxyError::Proxy(format!("Read proxy-secret body: {e}")))?
        .to_vec();
-    if data.len() < 32 {
+    validate_proxy_secret_len(data.len(), max_len)?;
        return Err(ProxyError::Proxy(format!(
            "proxy-secret too short: {} bytes (need >= 32)",
            data.len()
        )));
    }
    info!(len = data.len(), "Downloaded proxy-secret OK");
    Ok(data)
--- a/src/transport/middle_proxy/send.rs
+++ b/src/transport/middle_proxy/send.rs
@@ -134,8 +134,8 @@ impl MePool {
            candidate_indices.sort_by_key(|idx| {
                let w = &writers_snapshot[*idx];
                let degraded = w.degraded.load(Ordering::Relaxed);
-                let draining = w.draining.load(Ordering::Relaxed);
+                let stale = (w.generation < self.current_generation()) as usize;
-                (draining as usize, degraded as usize)
+                (stale, degraded as usize)
            });
            let start = self.rr.fetch_add(1, Ordering::Relaxed) as usize % candidate_indices.len();
@@ -143,13 +143,23 @@ impl MePool {
            for offset in 0..candidate_indices.len() {
                let idx = candidate_indices[(start + offset) % candidate_indices.len()];
                let w = &writers_snapshot[idx];
-                if w.draining.load(Ordering::Relaxed) {
+                if !self.writer_accepts_new_binding(w) {
                    continue;
                }
                if w.tx.send(WriterCommand::Data(payload.clone())).await.is_ok() {
                    self.registry
                        .bind_writer(conn_id, w.id, w.tx.clone(), meta.clone())
                        .await;
                    if w.generation < self.current_generation() {
                        self.stats.increment_pool_stale_pick_total();
                        debug!(
                            conn_id,
                            writer_id = w.id,
                            writer_generation = w.generation,
                            current_generation = self.current_generation(),
                            "Selected stale ME writer for fallback bind"
                        );
                    }
                    return Ok(());
                } else {
                    warn!(writer_id = w.id, "ME writer channel closed");
@@ -159,7 +169,7 @@ impl MePool {
            }
            let w = writers_snapshot[candidate_indices[start]].clone();
-            if w.draining.load(Ordering::Relaxed) {
+            if !self.writer_accepts_new_binding(&w) {
                continue;
            }
            match w.tx.send(WriterCommand::Data(payload.clone())).await {
@@ -167,6 +177,9 @@ impl MePool {
                    self.registry
                        .bind_writer(conn_id, w.id, w.tx.clone(), meta.clone())
                        .await;
                    if w.generation < self.current_generation() {
                        self.stats.increment_pool_stale_pick_total();
                    }
                    return Ok(());
                }
                Err(_) => {
@@ -229,10 +242,10 @@ impl MePool {
            }
            if preferred.is_empty() {
                let def = self.default_dc.load(Ordering::Relaxed);
-                if def != 0 {
+                if def != 0
-                    if let Some(v) = map_guard.get(&def) {
+                    && let Some(v) = map_guard.get(&def)
-                        preferred.extend(v.iter().map(|(ip, port)| SocketAddr::new(*ip, *port)));
+                {
-                    }
+                    preferred.extend(v.iter().map(|(ip, port)| SocketAddr::new(*ip, *port)));
                }
            }
@@ -245,22 +258,22 @@ impl MePool {
        if preferred.is_empty() {
            return (0..writers.len())
-                .filter(|i| !writers[*i].draining.load(Ordering::Relaxed))
+                .filter(|i| self.writer_accepts_new_binding(&writers[*i]))
                .collect();
        }
        let mut out = Vec::new();
        for (idx, w) in writers.iter().enumerate() {
-            if w.draining.load(Ordering::Relaxed) {
+            if !self.writer_accepts_new_binding(w) {
                continue;
            }
-            if preferred.iter().any(|p| *p == w.addr) {
+            if preferred.contains(&w.addr) {
                out.push(idx);
            }
        }
        if out.is_empty() {
            return (0..writers.len())
-                .filter(|i| !writers[*i].draining.load(Ordering::Relaxed))
+                .filter(|i| self.writer_accepts_new_binding(&writers[*i]))
                .collect();
        }
        out
--- a/src/transport/mod.rs
+++ b/src/transport/mod.rs
@@ -6,9 +6,13 @@ pub mod socket;
 pub mod socks;
 pub mod upstream;
 #[allow(unused_imports)]
 pub use pool::ConnectionPool;
 #[allow(unused_imports)]
 pub use proxy_protocol::{ProxyProtocolInfo, parse_proxy_protocol};
 pub use socket::*;
 #[allow(unused_imports)]
 pub use socks::*;
 #[allow(unused_imports)]
 pub use upstream::{DcPingResult, StartupPingResult, UpstreamManager};
 pub mod middle_proxy;
--- a/src/transport/pool.rs
+++ b/src/transport/pool.rs
@@ -1,5 +1,7 @@
 //! Connection Pool
 #![allow(dead_code)]
 use std::collections::HashMap;
 use std::net::SocketAddr;
 use std::sync::Arc;
@@ -8,7 +10,7 @@ use tokio::net::TcpStream;
 use tokio::sync::Mutex;
 use tokio::time::timeout;
 use parking_lot::RwLock;
-use tracing::{debug, warn};
+use tracing::debug;
 use crate::error::{ProxyError, Result};
 use super::socket::configure_tcp_socket;
--- a/src/transport/proxy_protocol.rs
+++ b/src/transport/proxy_protocol.rs
@@ -28,6 +28,7 @@ mod address_family {
 /// Information extracted from PROXY protocol header
 #[derive(Debug, Clone)]
 #[allow(dead_code)]
 pub struct ProxyProtocolInfo {
    /// Source (client) address
    pub src_addr: SocketAddr,
@@ -37,6 +38,7 @@ pub struct ProxyProtocolInfo {
    pub version: u8,
 }
 #[allow(dead_code)]
 impl ProxyProtocolInfo {
    /// Create info with just source address
    pub fn new(src_addr: SocketAddr) -> Self {
@@ -231,12 +233,14 @@ async fn parse_v2<R: AsyncRead + Unpin>(
 }
 /// Builder for PROXY protocol v1 header
 #[allow(dead_code)]
 pub struct ProxyProtocolV1Builder {
    family: &'static str,
    src_addr: Option<SocketAddr>,
    dst_addr: Option<SocketAddr>,
 }
 #[allow(dead_code)]
 impl ProxyProtocolV1Builder {
    pub fn new() -> Self {
        Self {
@@ -284,11 +288,13 @@ impl Default for ProxyProtocolV1Builder {
 }
 /// Builder for PROXY protocol v2 header
 #[allow(dead_code)]
 pub struct ProxyProtocolV2Builder {
    src: Option<SocketAddr>,
    dst: Option<SocketAddr>,
 }
 #[allow(dead_code)]
 impl ProxyProtocolV2Builder {
    pub fn new() -> Self {
        Self { src: None, dst: None }
--- a/src/transport/socket.rs
+++ b/src/transport/socket.rs
@@ -10,6 +10,7 @@ use socket2::{Socket, TcpKeepalive, Domain, Type, Protocol};
 use tracing::debug;
 /// Configure TCP socket with recommended settings for proxy use
 #[allow(dead_code)]
 pub fn configure_tcp_socket(
    stream: &TcpStream,
    keepalive: bool,
@@ -82,6 +83,7 @@ pub fn configure_client_socket(
 }
 /// Set socket to send RST on close (for masking)
 #[allow(dead_code)]
 pub fn set_linger_zero(stream: &TcpStream) -> Result<()> {
    let socket = socket2::SockRef::from(stream);
    socket.set_linger(Some(Duration::ZERO))?;
@@ -89,6 +91,7 @@ pub fn set_linger_zero(stream: &TcpStream) -> Result<()> {
 }
 /// Create a new TCP socket for outgoing connections
 #[allow(dead_code)]
 pub fn create_outgoing_socket(addr: SocketAddr) -> Result<Socket> {
    create_outgoing_socket_bound(addr, None)
 }
@@ -120,6 +123,7 @@ pub fn create_outgoing_socket_bound(addr: SocketAddr, bind_addr: Option<IpAddr>)
 /// Get local address of a socket
 #[allow(dead_code)]
 pub fn get_local_addr(stream: &TcpStream) -> Option<SocketAddr> {
    stream.local_addr().ok()
 }
@@ -132,17 +136,17 @@ pub fn resolve_interface_ip(name: &str, want_ipv6: bool) -> Option<IpAddr> {
    if let Ok(addrs) = getifaddrs() {
        for iface in addrs {
-            if iface.interface_name == name {
+            if iface.interface_name == name
-                if let Some(address) = iface.address {
+                && let Some(address) = iface.address
-                    if let Some(v4) = address.as_sockaddr_in() {
+            {
-                        if !want_ipv6 {
+                if let Some(v4) = address.as_sockaddr_in() {
-                            return Some(IpAddr::V4(v4.ip()));
+                    if !want_ipv6 {
-                        }
+                        return Some(IpAddr::V4(v4.ip()));
                    } else if let Some(v6) = address.as_sockaddr_in6() {
                        if want_ipv6 {
                            return Some(IpAddr::V6(v6.ip().clone()));
                        }
                    }
                } else if let Some(v6) = address.as_sockaddr_in6()
                    && want_ipv6
                {
                    return Some(IpAddr::V6(v6.ip()));
                }
            }
        }
@@ -157,11 +161,13 @@ pub fn resolve_interface_ip(_name: &str, _want_ipv6: bool) -> Option<IpAddr> {
 }
 /// Get peer address of a socket
 #[allow(dead_code)]
 pub fn get_peer_addr(stream: &TcpStream) -> Option<SocketAddr> {
    stream.peer_addr().ok()
 }
 /// Check if address is IPv6
 #[allow(dead_code)]
 pub fn is_ipv6(addr: &SocketAddr) -> bool {
    addr.is_ipv6()
 }
--- a/src/transport/socks.rs
+++ b/src/transport/socks.rs
@@ -1,7 +1,7 @@
 //! SOCKS4/5 Client Implementation
 use std::net::{IpAddr, SocketAddr};
-use tokio::io::{AsyncRead, AsyncReadExt, AsyncWrite, AsyncWriteExt};
+use tokio::io::{AsyncReadExt, AsyncWriteExt};
 use tokio::net::TcpStream;
 use crate::error::{ProxyError, Result};
@@ -27,11 +27,11 @@ pub async fn connect_socks4(
    buf.extend_from_slice(user);
    buf.push(0); // NULL
-    stream.write_all(&buf).await.map_err(|e| ProxyError::Io(e))?;
+    stream.write_all(&buf).await.map_err(ProxyError::Io)?;
    // Response: VN (1) | CD (1) | DSTPORT (2) | DSTIP (4)
    let mut resp = [0u8; 8];
-    stream.read_exact(&mut resp).await.map_err(|e| ProxyError::Io(e))?;
+    stream.read_exact(&mut resp).await.map_err(ProxyError::Io)?;
    if resp[1] != 90 {
        return Err(ProxyError::Proxy(format!("SOCKS4 request rejected: code {}", resp[1])));
@@ -56,10 +56,10 @@ pub async fn connect_socks5(
    let mut buf = vec![5u8, methods.len() as u8];
    buf.extend_from_slice(&methods);
-    stream.write_all(&buf).await.map_err(|e| ProxyError::Io(e))?;
+    stream.write_all(&buf).await.map_err(ProxyError::Io)?;
    let mut resp = [0u8; 2];
-    stream.read_exact(&mut resp).await.map_err(|e| ProxyError::Io(e))?;
+    stream.read_exact(&mut resp).await.map_err(ProxyError::Io)?;
    if resp[0] != 5 {
        return Err(ProxyError::Proxy("Invalid SOCKS5 version".to_string()));
@@ -80,10 +80,10 @@ pub async fn connect_socks5(
                auth_buf.push(p_bytes.len() as u8);
                auth_buf.extend_from_slice(p_bytes);
-                stream.write_all(&auth_buf).await.map_err(|e| ProxyError::Io(e))?;
+                stream.write_all(&auth_buf).await.map_err(ProxyError::Io)?;
                let mut auth_resp = [0u8; 2];
-                stream.read_exact(&mut auth_resp).await.map_err(|e| ProxyError::Io(e))?;
+                stream.read_exact(&mut auth_resp).await.map_err(ProxyError::Io)?;
                if auth_resp[1] != 0 {
                    return Err(ProxyError::Proxy("SOCKS5 authentication failed".to_string()));
@@ -112,11 +112,11 @@ pub async fn connect_socks5(
    req.extend_from_slice(&target.port().to_be_bytes());
-    stream.write_all(&req).await.map_err(|e| ProxyError::Io(e))?;
+    stream.write_all(&req).await.map_err(ProxyError::Io)?;
    // Response
    let mut head = [0u8; 4];
-    stream.read_exact(&mut head).await.map_err(|e| ProxyError::Io(e))?;
+    stream.read_exact(&mut head).await.map_err(ProxyError::Io)?;
    if head[1] != 0 {
        return Err(ProxyError::Proxy(format!("SOCKS5 request failed: code {}", head[1])));
@@ -126,17 +126,17 @@ pub async fn connect_socks5(
    match head[3] {
        1 => { // IPv4
            let mut addr = [0u8; 4 + 2];
-            stream.read_exact(&mut addr).await.map_err(|e| ProxyError::Io(e))?;
+            stream.read_exact(&mut addr).await.map_err(ProxyError::Io)?;
        },
        3 => { // Domain
            let mut len = [0u8; 1];
-            stream.read_exact(&mut len).await.map_err(|e| ProxyError::Io(e))?;
+            stream.read_exact(&mut len).await.map_err(ProxyError::Io)?;
            let mut addr = vec![0u8; len[0] as usize + 2];
-            stream.read_exact(&mut addr).await.map_err(|e| ProxyError::Io(e))?;
+            stream.read_exact(&mut addr).await.map_err(ProxyError::Io)?;
        },
        4 => { // IPv6
            let mut addr = [0u8; 16 + 2];
-            stream.read_exact(&mut addr).await.map_err(|e| ProxyError::Io(e))?;
+            stream.read_exact(&mut addr).await.map_err(ProxyError::Io)?;
        },
        _ => return Err(ProxyError::Proxy("Invalid address type in SOCKS5 response".to_string())),
    }
--- a/src/transport/upstream.rs
+++ b/src/transport/upstream.rs
@@ -1,7 +1,9 @@
 //! Upstream Management with per-DC latency-weighted selection
-//! 
+//!
 //! IPv6/IPv4 connectivity checks with configurable preference.
 #![allow(deprecated)]
 use std::collections::HashMap;
 use std::net::{SocketAddr, IpAddr};
 use std::sync::Arc;
@@ -55,9 +57,10 @@ impl LatencyEma {
 // ============= Per-DC IP Preference Tracking =============
 /// Tracks which IP version works for each DC
-#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Default)]
 pub enum IpPreference {
    /// Not yet tested
    #[default]
    Unknown,
    /// IPv6 works
    PreferV6,
@@ -69,12 +72,6 @@ pub enum IpPreference {
    Unavailable,
 }
 impl Default for IpPreference {
    fn default() -> Self {
        Self::Unknown
    }
 }
 // ============= Upstream State =============
 #[derive(Debug)]
@@ -110,7 +107,7 @@ impl UpstreamState {
        if abs_dc == 0 {
            return None;
        }
-        if abs_dc >= 1 && abs_dc <= NUM_DCS {
+        if (1..=NUM_DCS).contains(&abs_dc) {
            Some(abs_dc - 1)
        } else {
            // Unknown DC → default cluster (DC 2, index 1)
@@ -120,10 +117,10 @@ impl UpstreamState {
    /// Get latency for a specific DC, falling back to average across all known DCs
    fn effective_latency(&self, dc_idx: Option<i16>) -> Option<f64> {
-        if let Some(di) = dc_idx.and_then(Self::dc_array_idx) {
+        if let Some(di) = dc_idx.and_then(Self::dc_array_idx)
-            if let Some(ms) = self.dc_latency[di].get() {
+            && let Some(ms) = self.dc_latency[di].get()
-                return Some(ms);
+        {
-            }
+            return Some(ms);
        }
        let (sum, count) = self.dc_latency.iter()
@@ -549,7 +546,7 @@ impl UpstreamManager {
    /// Tests BOTH IPv6 and IPv4, returns separate results for each.
    pub async fn ping_all_dcs(
        &self,
-        prefer_ipv6: bool,
+        _prefer_ipv6: bool,
        dc_overrides: &HashMap<String, Vec<String>>,
        ipv4_enabled: bool,
        ipv6_enabled: bool,
@@ -580,7 +577,7 @@ impl UpstreamManager {
                    let result = tokio::time::timeout(
                        Duration::from_secs(DC_PING_TIMEOUT_SECS),
-                        self.ping_single_dc(&upstream_config, Some(bind_rr.clone()), addr_v6)
+                        self.ping_single_dc(upstream_config, Some(bind_rr.clone()), addr_v6)
                    ).await;
                    let ping_result = match result {
@@ -631,7 +628,7 @@ impl UpstreamManager {
                    let result = tokio::time::timeout(
                        Duration::from_secs(DC_PING_TIMEOUT_SECS),
-                        self.ping_single_dc(&upstream_config, Some(bind_rr.clone()), addr_v4)
+                        self.ping_single_dc(upstream_config, Some(bind_rr.clone()), addr_v4)
                    ).await;
                    let ping_result = match result {
@@ -694,7 +691,7 @@ impl UpstreamManager {
                            }
                            let result = tokio::time::timeout(
                                Duration::from_secs(DC_PING_TIMEOUT_SECS),
-                                self.ping_single_dc(&upstream_config, Some(bind_rr.clone()), addr)
+                                self.ping_single_dc(upstream_config, Some(bind_rr.clone()), addr)
                            ).await;
                            let ping_result = match result {
@@ -907,6 +904,7 @@ impl UpstreamManager {
    }
    /// Get the preferred IP for a DC (for use by other components)
    #[allow(dead_code)]
    pub async fn get_dc_ip_preference(&self, dc_idx: i16) -> Option<IpPreference> {
        let guard = self.upstreams.read().await;
        if guard.is_empty() {
@@ -918,6 +916,7 @@ impl UpstreamManager {
    }
    /// Get preferred DC address based on config preference
    #[allow(dead_code)]
    pub async fn get_dc_addr(&self, dc_idx: i16, prefer_ipv6: bool) -> Option<SocketAddr> {
        let arr_idx = UpstreamState::dc_array_idx(dc_idx)?;
--- a/src/util/ip.rs
+++ b/src/util/ip.rs
@@ -1,22 +1,24 @@
 //! IP Addr Detect
-use std::net::{IpAddr, SocketAddr, UdpSocket};
+use std::net::{IpAddr, UdpSocket};
 use std::time::Duration;
 use tracing::{debug, warn};
 /// Detected IP addresses
 #[derive(Debug, Clone, Default)]
 #[allow(dead_code)]
 pub struct IpInfo {
    pub ipv4: Option<IpAddr>,
    pub ipv6: Option<IpAddr>,
 }
 #[allow(dead_code)]
 impl IpInfo {
    /// Check if any IP is detected
    pub fn has_any(&self) -> bool {
        self.ipv4.is_some() || self.ipv6.is_some()
    }
-    
+
    /// Get preferred IP (IPv6 if available and preferred)
    pub fn preferred(&self, prefer_ipv6: bool) -> Option<IpAddr> {
        if prefer_ipv6 {
@@ -28,12 +30,14 @@ impl IpInfo {
 }
 /// URLs for IP detection
 #[allow(dead_code)]
 const IPV4_URLS: &[&str] = &[
    "http://v4.ident.me/",
    "http://ipv4.icanhazip.com/",
    "http://api.ipify.org/",
 ];
 #[allow(dead_code)]
 const IPV6_URLS: &[&str] = &[
    "http://v6.ident.me/",
    "http://ipv6.icanhazip.com/",
@@ -42,12 +46,14 @@ const IPV6_URLS: &[&str] = &[
 /// Detect local IP address by connecting to a public DNS
 /// This does not actually send any packets
 #[allow(dead_code)]
 fn get_local_ip(target: &str) -> Option<IpAddr> {
    let socket = UdpSocket::bind("0.0.0.0:0").ok()?;
    socket.connect(target).ok()?;
    socket.local_addr().ok().map(|addr| addr.ip())
 }
 #[allow(dead_code)]
 fn get_local_ipv6(target: &str) -> Option<IpAddr> {
    let socket = UdpSocket::bind("[::]:0").ok()?;
    socket.connect(target).ok()?;
@@ -55,59 +61,62 @@ fn get_local_ipv6(target: &str) -> Option<IpAddr> {
 }
 /// Detect public IP addresses
 #[allow(dead_code)]
 pub async fn detect_ip() -> IpInfo {
    let mut info = IpInfo::default();
    // Try to get local interface IP first (default gateway interface)
    // We connect to Google DNS to find out which interface is used for routing
-    if let Some(ip) = get_local_ip("8.8.8.8:80") {
+    if let Some(ip) = get_local_ip("8.8.8.8:80")
-        if ip.is_ipv4() && !ip.is_loopback() {
+        && ip.is_ipv4()
-             info.ipv4 = Some(ip);
+        && !ip.is_loopback()
-             debug!(ip = %ip, "Detected local IPv4 address via routing");
+    {
-        }
+        info.ipv4 = Some(ip);
        debug!(ip = %ip, "Detected local IPv4 address via routing");
    }
-    if let Some(ip) = get_local_ipv6("[2001:4860:4860::8888]:80") {
+    if let Some(ip) = get_local_ipv6("[2001:4860:4860::8888]:80")
-        if ip.is_ipv6() && !ip.is_loopback() {
+        && ip.is_ipv6()
-            info.ipv6 = Some(ip);
+        && !ip.is_loopback()
-            debug!(ip = %ip, "Detected local IPv6 address via routing");
+    {
-        }
+        info.ipv6 = Some(ip);
        debug!(ip = %ip, "Detected local IPv6 address via routing");
    }
-    
+
-    // If local detection failed or returned private IP (and we want public), 
+    // If local detection failed or returned private IP (and we want public),
    // or just as a fallback/verification, we might want to check external services.
-    // However, the requirement is: "if IP for listening is not set... it should be IP from interface... 
+    // However, the requirement is: "if IP for listening is not set... it should be IP from interface...
    // if impossible - request external resources".
-    
+
    // So if we found a local IP, we might be good. But often servers are behind NAT.
    // If the local IP is private, we probably want the public IP for the tg:// link.
    // Let's check if the detected IPs are private.
-    
+
-    let need_external_v4 = info.ipv4.map_or(true, |ip| is_private_ip(ip));
+    let need_external_v4 = info.ipv4.is_none_or(is_private_ip);
-    let need_external_v6 = info.ipv6.map_or(true, |ip| is_private_ip(ip));
+    let need_external_v6 = info.ipv6.is_none_or(is_private_ip);
    if need_external_v4 {
        debug!("Local IPv4 is private or missing, checking external services...");
        for url in IPV4_URLS {
-            if let Some(ip) = fetch_ip(url).await {
+            if let Some(ip) = fetch_ip(url).await
-                if ip.is_ipv4() {
+                && ip.is_ipv4()
-                    info.ipv4 = Some(ip);
+            {
-                    debug!(ip = %ip, "Detected public IPv4 address");
+                info.ipv4 = Some(ip);
-                    break;
+                debug!(ip = %ip, "Detected public IPv4 address");
-                }
+                break;
            }
        }
    }
-    
+
    if need_external_v6 {
        debug!("Local IPv6 is private or missing, checking external services...");
        for url in IPV6_URLS {
-            if let Some(ip) = fetch_ip(url).await {
+            if let Some(ip) = fetch_ip(url).await
-                if ip.is_ipv6() {
+                && ip.is_ipv6()
-                    info.ipv6 = Some(ip);
+            {
-                    debug!(ip = %ip, "Detected public IPv6 address");
+                info.ipv6 = Some(ip);
-                    break;
+                debug!(ip = %ip, "Detected public IPv6 address");
-                }
+                break;
            }
        }
    }
@@ -119,6 +128,7 @@ pub async fn detect_ip() -> IpInfo {
    info
 }
 #[allow(dead_code)]
 fn is_private_ip(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(ipv4) => {
@@ -131,19 +141,21 @@ fn is_private_ip(ip: IpAddr) -> bool {
 }
 /// Fetch IP from URL
 #[allow(dead_code)]
 async fn fetch_ip(url: &str) -> Option<IpAddr> {
    let client = reqwest::Client::builder()
        .timeout(Duration::from_secs(5))
        .build()
        .ok()?;
-    
+
    let response = client.get(url).send().await.ok()?;
    let text = response.text().await.ok()?;
-    
+
    text.trim().parse().ok()
 }
 /// Synchronous IP detection (for startup)
 #[allow(dead_code)]
 pub fn detect_ip_sync() -> IpInfo {
    tokio::runtime::Handle::current().block_on(detect_ip())
 }
--- a/src/util/mod.rs
+++ b/src/util/mod.rs
@@ -3,5 +3,7 @@
 pub mod ip;
 pub mod time;
 #[allow(unused_imports)]
 pub use ip::*;
 #[allow(unused_imports)]
 pub use time::*;
--- a/src/util/time.rs
+++ b/src/util/time.rs
@@ -4,11 +4,14 @@ use std::time::Duration;
 use chrono::{DateTime, Utc};
 use tracing::{debug, warn, error};
 #[allow(dead_code)]
 const TIME_SYNC_URL: &str = "https://core.telegram.org/getProxySecret";
 #[allow(dead_code)]
 const MAX_TIME_SKEW_SECS: i64 = 30;
 /// Time sync result
 #[derive(Debug, Clone)]
 #[allow(dead_code)]
 pub struct TimeSyncResult {
    pub server_time: DateTime<Utc>,
    pub local_time: DateTime<Utc>,
@@ -17,6 +20,7 @@ pub struct TimeSyncResult {
 }
 /// Check time synchronization with Telegram servers
 #[allow(dead_code)]
 pub async fn check_time_sync() -> Option<TimeSyncResult> {
    let client = reqwest::Client::builder()
        .timeout(Duration::from_secs(10))
@@ -60,17 +64,18 @@ pub async fn check_time_sync() -> Option<TimeSyncResult> {
 }
 /// Background time sync task
 #[allow(dead_code)]
 pub async fn time_sync_task(check_interval: Duration) -> ! {
    loop {
-        if let Some(result) = check_time_sync().await {
+        if let Some(result) = check_time_sync().await
-            if result.is_skewed {
+            && result.is_skewed
-                error!(
+        {
-                    "System clock is off by {} seconds. Please sync your clock.",
+            error!(
-                    result.skew_secs
+                "System clock is off by {} seconds. Please sync your clock.",
-                );
+                result.skew_secs
-            }
+            );
        }
-        
+
        tokio::time::sleep(check_interval).await;
    }
 }
--- a/tools/zbx_telemt_template.yaml
+++ b/tools/zbx_telemt_template.yaml
@@ -172,7 +172,7 @@ zabbix_export:
              preprocessing:
                - type: PROMETHEUS_PATTERN
                  parameters:
-                    - 'telemt_user_connections_current{user=~"{#TELEMT_USER}"}'
+                    - 'telemt_user_connections_current{user="{#TELEMT_USER}"}'
                    - value
                    - ''
              master_item:
@@ -188,7 +188,7 @@ zabbix_export:
              preprocessing:
                - type: PROMETHEUS_PATTERN
                  parameters:
-                    - 'telemt_user_msgs_from_client{user=~"{#TELEMT_USER}"}'
+                    - 'telemt_user_msgs_from_client{user="{#TELEMT_USER}"}'
                    - value
                    - ''
              master_item:
@@ -204,7 +204,7 @@ zabbix_export:
              preprocessing:
                - type: PROMETHEUS_PATTERN
                  parameters:
-                    - 'telemt_user_msgs_to_client{user=~"{#TELEMT_USER}"}'
+                    - 'telemt_user_msgs_to_client{user="{#TELEMT_USER}"}'
                    - value
                    - ''
              master_item:
@@ -221,7 +221,7 @@ zabbix_export:
              preprocessing:
                - type: PROMETHEUS_PATTERN
                  parameters:
-                    - 'telemt_user_octets_from_client{user=~"{#TELEMT_USER}"}'
+                    - 'telemt_user_octets_from_client{user="{#TELEMT_USER}"}'
                    - value
                    - ''
              master_item:
@@ -238,7 +238,7 @@ zabbix_export:
              preprocessing:
                - type: PROMETHEUS_PATTERN
                  parameters:
-                    - 'telemt_user_octets_to_client{user=~"{#TELEMT_USER}"}'
+                    - 'telemt_user_octets_to_client{user="{#TELEMT_USER}"}'
                    - value
                    - ''
              master_item:
@@ -254,7 +254,7 @@ zabbix_export:
              preprocessing:
                - type: PROMETHEUS_PATTERN
                  parameters:
-                    - 'telemt_user_connections_total{user=~"{#TELEMT_USER}"}'
+                    - 'telemt_user_connections_total{user="{#TELEMT_USER}"}'
                    - value
                    - ''
              master_item:
Author	SHA1	Message	Date
Alexey	e9a4281015	Delete proxy-secret Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-02-25 00:31:12 +03:00
Alexey	866c2fbd96	Update Cargo.toml	2026-02-25 00:29:58 +03:00
Alexey	086c85d851	Merge pull request #236 from telemt/flow-mep Flow mep	2026-02-25 00:29:07 +03:00
Alexey	ce4e21c996	Merge pull request #235 from telemt/bump Update Cargo.toml	2026-02-25 00:28:40 +03:00
Alexey	25ab79406f	Update Cargo.toml	2026-02-25 00:28:26 +03:00
Alexey	7538967d3c	ME Hardswap being softer Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-02-24 23:36:33 +03:00
Alexey	4a95f6d195	ME Pool Health + Rotation Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-02-24 22:59:59 +03:00
Alexey	7d7ef84868	Merge pull request #232 from Dimasssss/main Update config.toml	2026-02-24 22:28:31 +03:00
Dimasssss	692d9476b9	Update config.toml	2026-02-24 22:11:15 +03:00
Dimasssss	b00b87032b	Update config.toml	2026-02-24 22:10:49 +03:00
Alexey	ee07325eba	Update Cargo.toml	2026-02-24 21:12:44 +03:00
Alexey	1b3a17aedc	Merge pull request #230 from badcdd/patch-1 Fix similar username in discovered items in zabbix template	2026-02-24 19:44:02 +03:00
Alexey	6fdb568381	Merge pull request #229 from Dimasssss/main Update config.toml	2026-02-24 19:43:44 +03:00
Alexey	bb97ff0df9	Merge pull request #228 from telemt/flow-mep ME Soft Reinit tuning	2026-02-24 19:43:13 +03:00
badcdd	b1cd7f9727	fix similar username in discovered items	2026-02-24 18:59:37 +03:00
Dimasssss	c13c1cf7e3	Update config.toml	2026-02-24 18:39:46 +03:00
Alexey	d2f08fb707	ME Soft Reinit tuning Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-02-24 18:19:39 +03:00
Alexey	2356ae5584	Merge pull request #223 from vladon/fix/clippy-warnings fix: resolve clippy warnings	2026-02-24 10:15:47 +03:00
Alexey	429fa63c95	Merge pull request #224 from Dimasssss/main Update config.toml	2026-02-24 10:14:30 +03:00
Dimasssss	50e15896b3	Update config.toml 2 раза добавил параметр me_reinit_drain_timeout_secs	2026-02-24 09:02:47 +03:00
Vladislav Yaroslavlev	09f56dede2	fix: resolve clippy warnings Reduce clippy warnings from54 to16 by fixing mechanical issues: - collapsible_if: collapse nested if-let chains with let-chains - clone_on_copy: remove unnecessary .clone() on Copy types - manual_clamp: replace .max().min() with .clamp() - unnecessary_cast: remove redundant type casts - collapsible_else_if: flatten else-if chains - contains_vs_iter_any: replace .iter().any() with .contains() - unnecessary_closure: replace .or_else(\|\| x) with .or(x) - useless_conversion: remove redundant .into() calls - is_none_or: replace .map_or(true, ...) with .is_none_or(...) - while_let_loop: convert loop with if-let-break to while-let Remaining16 warnings are design-level issues (too_many_arguments, await_holding_lock, type_complexity, new_ret_no_self) that require architectural changes to fix.	2026-02-24 05:57:53 +03:00
Alexey	d9ae7bb044	Merge pull request #222 from vladon/fix/unused-import-warning fix: add #[cfg(test)] to unused ProxyError import	2026-02-24 04:37:00 +03:00
Vladislav Yaroslavlev	d6214c6bbf	fix: add #[cfg(test)] to unused ProxyError import The ProxyError import in tls.rs is only used in test code (validate_server_hello_structure function), so guard it with #[cfg(test)] to eliminate the unused import warning.	2026-02-24 04:20:30 +03:00
Alexey	3d3ddd37d7	Merge pull request #221 from vladon/fix/test-compilation-errors fix: add missing imports in test code	2026-02-24 04:08:01 +03:00
Vladislav Yaroslavlev	1d71b7e90c	fix: add missing imports in test code - Add ProxyError import and fix Result type annotation in tls.rs - Add Arc import in stats/mod.rs test module - Add BodyExt import in metrics.rs test module These imports were missing causing compilation failures in cargo test --release with 10 errors.	2026-02-24 04:07:14 +03:00
Alexey	8ba7bc9052	Merge pull request #219 from Dimasssss/main Update config.toml	2026-02-24 03:54:54 +03:00
Alexey	3397d82924	Apply suggestion from @axkurcom	2026-02-24 03:54:17 +03:00
Alexey	78c45626e1	Merge pull request #220 from vladon/fix-compiler-warnings fix: eliminate all compiler warnings	2026-02-24 03:49:46 +03:00
Vladislav Yaroslavlev	68c3abee6c	fix: eliminate all compiler warnings - Remove unused imports across multiple modules - Add #![allow(dead_code)] for public API items preserved for future use - Add #![allow(deprecated)] for rand::Rng::gen_range usage - Add #![allow(unused_assignments)] in main.rs - Add #![allow(unreachable_code)] in network/stun.rs - Prefix unused variables with underscore (_ip_tracker, _prefer_ipv6) - Fix unused_must_use warning in tls_front/cache.rs This ensures clean compilation without warnings while preserving public API items that may be used in the future.	2026-02-24 03:40:59 +03:00
Dimasssss	267c8bf2f1	Update config.toml	2026-02-24 03:03:19 +03:00
Alexey	d38d7f2bee	Update release.yml	2026-02-24 02:31:12 +03:00
Alexey	8b47fc3575	Update defaults.rs	2026-02-24 02:12:44 +03:00
Alexey	122e4729c5	Update defaults.rs	2026-02-24 00:17:33 +03:00
Alexey	08138451d8	Update types.rs	2026-02-24 00:15:37 +03:00
Alexey	267619d276	Merge pull request #218 from telemt/mep-naughty Update types.rs	2026-02-24 00:08:29 +03:00
Alexey	f710a2192a	Update types.rs	2026-02-24 00:08:03 +03:00
Alexey	b40eed126d	Merge pull request #217 from telemt/flow-mep ME Pool Hardswap	2026-02-24 00:06:38 +03:00
Alexey	0e2d42624f	ME Pool Hardswap	2026-02-24 00:04:12 +03:00
Alexey	1f486e0df2	Update README.md	2026-02-23 21:30:22 +03:00
Alexey	a4af254107	Merge pull request #216 from Dimasssss/main Update config.toml	2026-02-23 21:23:56 +03:00
Dimasssss	3f0c53b010	Update config.toml	2026-02-23 21:10:53 +03:00
Dimasssss	890bd98b17	Update types.rs	2026-02-23 21:10:25 +03:00
Dimasssss	02cfe1305c	Update config.toml	2026-02-23 20:50:39 +03:00
Dimasssss	81843cc56c	Update types.rs По умолчанию использовало me_reconnect_max_concurrent_per_dc = 4	2026-02-23 20:46:56 +03:00
Alexey	f86ced8e62	Rename AGENTS_SYSTEM_PROMT.md to AGENTS.md	2026-02-23 19:43:34 +03:00
Alexey	e2e471a78c	Delete AGENTS.md	2026-02-23 19:43:03 +03:00
Alexey	9aed6c8631	Update Cargo.toml	2026-02-23 18:47:26 +03:00
Alexey	5a0e44e311	Merge pull request #215 from vladon/improve-cli-help Improve CLI help text with comprehensive options	2026-02-23 18:47:04 +03:00
Alexey	a917dcc162	Update Dockerfile	2026-02-23 18:34:23 +03:00
Vladislav Yaroslavlev	872b47067a	Improve CLI help text with comprehensive options - Add version number to help header - Restructure help into USAGE, ARGS, OPTIONS, INIT OPTIONS, EXAMPLES sections - Include all command-line options with descriptions - Add usage examples for common scenarios	2026-02-23 17:22:56 +03:00