Merge pull request #370 from telemt/bump

Update Cargo.toml
2026-04-14 17:14:09 +03:00 · 2026-03-08 03:09:45 +03:00 · 2026-03-08 03:09:33 +03:00 · 2026-03-08 03:07:38 +03:00 · 2026-03-08 03:06:45 +03:00 · 2026-03-08 03:05:47 +03:00
82 changed files with 23052 additions and 1785 deletions
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,3 +1,8 @@
+# Issues - Rules
+## What it is not
+- NOT Question and Answer
+- NOT Helpdesk
+
 # Pull Requests - Rules
 ## General
 - ONLY signed and verified commits
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2087,7 +2087,7 @@ dependencies = [

 [[package]]
 name = "telemt"
-version = "3.0.13"
+version = "3.1.3"
 dependencies = [
 "aes",
 "anyhow",
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "telemt"
-version = "3.1.2"
+version = "3.3.11"
 edition = "2024"

 [dependencies]
--- a/README.md
+++ b/README.md
@@ -1,6 +1,13 @@
 # Telemt - MTProxy on Rust + Tokio

-**Telemt** is a fast, secure, and feature-rich server written in Rust: it fully implements the official Telegram proxy algo and adds many production-ready improvements such as connection pooling, replay protection, detailed statistics, masking from "prying" eyes
+***Löst Probleme, bevor andere überhaupt wissen, dass sie existieren*** / ***It solves problems before others even realize they exist***
+
+**Telemt** is a fast, secure, and feature-rich server written in Rust: it fully implements the official Telegram proxy algo and adds many production-ready improvements such as:
+- [ME Pool + Reader/Writer + Registry + Refill + Adaptive Floor + Trio-State + Generation Lifecycle](https://github.com/telemt/telemt/blob/main/docs/model/MODEL.en.md)
+- [Full-covered API w/ management](https://github.com/telemt/telemt/blob/main/docs/API.md)
+- Anti-Replay on Sliding Window
+- Prometheus-format Metrics
+- TLS-Fronting and TCP-Splicing for masking from "prying" eyes

 [**Telemt Chat in Telegram**](https://t.me/telemtrs)

@@ -12,18 +19,24 @@

 ### 🇷🇺 RU

-#### Релиз 3.0.15 — 25 февраля
+#### Релиз 3.3.5 LTS - 6 марта

-25 февраля мы выпустили версию **3.0.15**
+6 марта мы выпустили Telemt **3.3.5**

-Мы предполагаем, что она станет завершающей версией поколения 3.0 и уже сейчас мы рассматриваем её как **LTS-кандидата** для версии **3.1.0**!
+Это [3.3.5 - первая LTS-версия telemt](https://github.com/telemt/telemt/releases/tag/3.3.5)!

-После нескольких дней детального анализа особенностей работы Middle-End мы спроектировали и реализовали продуманный режим **ротации ME Writer**. Данный режим позволяет поддерживать стабильно высокую производительность в long-run сценариях без возникновения ошибок, связанных с некорректной конфигурацией прокси
+В ней используется:
+- новый алгоритм ME NoWait для непревзойдённо быстрого восстановления пула
+- Adaptive Floor, поддерживающий количество ME Writer на оптимальном уровне
+- модель усовершенствованного доступа к KDF Fingerprint на RwLock
+- строгая привязка Middle-End к DC-ID с предсказуемым алгоритмом деградации и самовосстановления

-Будем рады вашему фидбеку и предложениям по улучшению — особенно в части **статистики** и **UX**
+Telemt Control API V1 в 3.3.5 включает:
+- несколько режимов работы в зависимости от доступных ресурсов
+- снапшот-модель для живых метрик без вмешательства в hot-path
+- минималистичный набор запросов для управления пользователями

-Релиз:  
-[3.0.15](https://github.com/telemt/telemt/releases/tag/3.0.15)
+Будем рады вашему фидбеку и предложениям по улучшению — особенно в части **API**, **статистики**, **UX**

 ---

@@ -40,18 +53,24 @@

 ### 🇬🇧 EN

-#### Release 3.0.15 — February 25
+#### Release 3.3.5 LTS - March 6

-On February 25, we released version **3.0.15**
+On March 6, we released Telemt **3.3.3**

-We expect this to become the final release of the 3.0 generation and at this point, we already see it as a strong **LTS candidate** for the upcoming **3.1.0** release!
+This is [3.3.5 - the first LTS release of telemt](https://github.com/telemt/telemt/releases/tag/3.3.5)

-After several days of deep analysis of Middle-End behavior, we designed and implemented a well-engineered **ME Writer rotation mode**. This mode enables sustained high throughput in long-run scenarios while preventing proxy misconfiguration errors
+It introduces:
+- the new ME NoWait algorithm for exceptionally fast pool recovery
+- Adaptive Floor, which maintains the number of ME Writers at an optimal level
+- an improved KDF Fingerprint access model based on RwLock
+- strict binding of Middle-End instances to DC-ID with a predictable degradation and self-recovery algorithm

-We are looking forward to your feedback and improvement proposals — especially regarding **statistics** and **UX**
+Telemt Control API V1 in version 3.3.5 includes:
+- multiple operating modes depending on available resources
+- a snapshot-based model for live metrics without interfering with the hot path
+- a minimalistic request set for user management

-Release:  
-[3.0.15](https://github.com/telemt/telemt/releases/tag/3.0.15)
+We are looking forward to your feedback and improvement proposals — especially regarding **API**, **statistics**, **UX**

 ---

@@ -74,31 +93,6 @@ We welcome ideas, architectural feedback, and pull requests.

 ⚓ Our ***Middle-End Pool*** is fastest by design in standard scenarios, compared to other implementations of connecting to the Middle-End Proxy: non dramatically, but usual

-# GOTO
- [Features](#features)
- [Quick Start Guide](#quick-start-guide)
- [How to use?](#how-to-use)
-  - [Systemd Method](#telemt-via-systemd)
- [Configuration](#configuration)
-  - [Minimal Configuration](#minimal-configuration-for-first-start)
-  - [Advanced](#advanced)
-    - [Adtag](#adtag)
-    - [Listening and Announce IPs](#listening-and-announce-ips)
-    - [Upstream Manager](#upstream-manager)
-      - [IP](#bind-on-ip)
-      - [SOCKS](#socks45-as-upstream)
- [FAQ](#faq)
-  - [Recognizability for DPI + crawler](#recognizability-for-dpi-and-crawler)
-  - [Telegram Calls](#telegram-calls-via-mtproxy)
-  - [DPI](#how-does-dpi-see-mtproxy-tls)
-  - [Whitelist on Network Level](#whitelist-on-ip)
-  - [Too many open files](#too-many-open-files)
- [Build](#build)
- [Docker](#docker)
- [Why Rust?](#why-rust)
-
-## Features
-
 - Full support for all official MTProto proxy modes:
  - Classic
  - Secure - with `dd` prefix
@@ -109,154 +103,40 @@ We welcome ideas, architectural feedback, and pull requests.
 - Graceful shutdown on Ctrl+C
 - Extensive logging via `trace` and `debug` with `RUST_LOG` method

+# GOTO
+- [Telemt - MTProxy on Rust + Tokio](#telemt---mtproxy-on-rust--tokio)
+  - [NEWS and EMERGENCY](#news-and-emergency)
+    - [✈️ Telemt 3 is released!](#️-telemt-3-is-released)
+    - [🇷🇺 RU](#-ru)
+      - [Релиз 3.3.5 LTS - 6 марта](#релиз-335-lts---6-марта)
+    - [🇬🇧 EN](#-en)
+      - [Release 3.3.5 LTS - March 6](#release-335-lts---march-6)
+- [Features](#features)
+- [GOTO](#goto)
+  - [Quick Start Guide](#quick-start-guide)
+  - [FAQ](#faq)
+    - [Recognizability for DPI and crawler](#recognizability-for-dpi-and-crawler)
+      - [Client WITH secret-key accesses the MTProxy resource:](#client-with-secret-key-accesses-the-mtproxy-resource)
+      - [Client WITHOUT secret-key gets transparent access to the specified resource:](#client-without-secret-key-gets-transparent-access-to-the-specified-resource)
+    - [Telegram Calls via MTProxy](#telegram-calls-via-mtproxy)
+    - [How does DPI see MTProxy TLS?](#how-does-dpi-see-mtproxy-tls)
+    - [Whitelist on IP](#whitelist-on-ip)
+    - [Too many open files](#too-many-open-files)
+  - [Build](#build)
+  - [Why Rust?](#why-rust)
+  - [Issues](#issues)
+  - [Roadmap](#roadmap)
+
+
 ## Quick Start Guide
-**This software is designed for Debian-based OS: in addition to Debian, these are Ubuntu, Mint, Kali, MX and many other Linux**
-1. Download release
-```bash
-wget -qO- "https://github.com/telemt/telemt/releases/latest/download/telemt-$(uname -m)-linux-$(ldd --version 2>&1 | grep -iq musl && echo musl || echo gnu).tar.gz" | tar -xz
-```
-2. Move to Bin Folder
-```bash
-mv telemt /bin
-```
-4. Make Executable
-```bash
-chmod +x /bin/telemt
-```
-5. Go to [How to use?](#how-to-use) section for for further steps
-
-## How to use?
-### Telemt via Systemd
-**This instruction "assume" that you:**
- logged in as root or executed `su -` / `sudo su`
- you already have an assembled and executable `telemt` in /bin folder as a result of the [Quick Start Guide](#quick-start-guide) or [Build](#build)
-
-**0. Check port and generate secrets**
-
-The port you have selected for use should be MISSING from the list, when:
-```bash
-netstat -lnp
-```
-
-Generate 16 bytes/32 characters HEX with OpenSSL or another way:
-```bash
-openssl rand -hex 16
-```
-OR
-```bash
-xxd -l 16 -p /dev/urandom
-```
-OR
-```bash
-python3 -c 'import os; print(os.urandom(16).hex())'
-```
-
-**1. Place your config to /etc/telemt.toml**
-
-Open nano
-```bash
-nano /etc/telemt.toml
-```
-paste your config from [Configuration](#configuration) section
-
-then Ctrl+X -> Y -> Enter to save
-
-**2. Create service on /etc/systemd/system/telemt.service**
-
-Open nano
-```bash
-nano /etc/systemd/system/telemt.service
-```
-paste this Systemd Module
-```bash
-[Unit]
-Description=Telemt
-After=network.target
-
-[Service]
-Type=simple
-WorkingDirectory=/bin
-ExecStart=/bin/telemt /etc/telemt.toml
-Restart=on-failure
-LimitNOFILE=65536
-
-[Install]
-WantedBy=multi-user.target
-```
-then Ctrl+X -> Y -> Enter to save
-
-**3.**  In Shell type `systemctl start telemt` - it must start with zero exit-code
-
-**4.** In Shell type `systemctl status telemt` - there you can reach info about current MTProxy status
-
-**5.** In Shell type `systemctl enable telemt` - then telemt will start with system startup, after the network is up
-
-## Configuration
-### Minimal Configuration for First Start
-```toml
-# === General Settings ===
-[general]
-# ad_tag = "00000000000000000000000000000000"
-
-[general.modes]
-classic = false
-secure = false
-tls = true
-
-# === Anti-Censorship & Masking ===
-[censorship]
-tls_domain = "petrovich.ru"
-
-[access.users]
-# format: "username" = "32_hex_chars_secret"
-hello = "00000000000000000000000000000000"
-
-```
-### Advanced
-#### Adtag
-To use channel advertising and usage statistics from Telegram, get Adtag from [@mtproxybot](https://t.me/mtproxybot), add this parameter to section `[General]`
-```toml
-ad_tag = "00000000000000000000000000000000" # Replace zeros to your adtag from @mtproxybot
-```
-#### Listening and Announce IPs
-To specify listening address and/or address in links, add to section `[[server.listeners]]` of config.toml:
-```toml
-[[server.listeners]]
-ip = "0.0.0.0"          # 0.0.0.0 = all IPs; your IP = specific listening
-announce_ip = "1.2.3.4" # IP in links; comment with # if not used
-```
-#### Upstream Manager
-To specify upstream, add to section `[[upstreams]]` of config.toml:
-##### Bind on IP
-```toml
-[[upstreams]]
-type = "direct"
-weight = 1
-enabled = true
-interface = "192.168.1.100" # Change to your outgoing IP
-```
-##### SOCKS4/5 as Upstream
- Without Auth:
-```toml
-[[upstreams]]
-type = "socks5"            # Specify SOCKS4 or SOCKS5
-address = "1.2.3.4:1234"   # SOCKS-server Address
-weight = 1                 # Set Weight for Scenarios
-enabled = true
-```
-
- With Auth:
-```toml
-[[upstreams]]
-type = "socks5"            # Specify SOCKS4 or SOCKS5
-address = "1.2.3.4:1234"   # SOCKS-server Address
-username = "user"          # Username for Auth on SOCKS-server
-password = "pass"          # Password for Auth on SOCKS-server
-weight = 1                 # Set Weight for Scenarios
-enabled = true
-```
+- [Quick Start Guide RU](docs/QUICK_START_GUIDE.ru.md)
+- [Quick Start Guide EN](docs/QUICK_START_GUIDE.en.md)

 ## FAQ
+
+- [FAQ RU](docs/FAQ.ru.md)
+- [FAQ EN](docs/FAQ.en.md)
+
 ### Recognizability for DPI and crawler
 Since version 1.1.0.0, we have debugged masking perfectly: for all clients without "presenting" a key, 
 we transparently direct traffic to the target host!
@@ -401,41 +281,6 @@ chmod +x /bin/telemt
 telemt config.toml
 ```

-## Docker
-**Quick start (Docker Compose)**
-
-1. Edit `config.toml` in repo root (at least: port, users secrets, tls_domain)
-2. Start container:
-```bash
-docker compose up -d --build
-```
-3. Check logs:
-```bash
-docker compose logs -f telemt
-```
-4. Stop:
-```bash
-docker compose down
-```
-
-**Notes**
- `docker-compose.yml` maps `./config.toml` to `/app/config.toml` (read-only)
- By default it publishes `443:443` and runs with dropped capabilities (only `NET_BIND_SERVICE` is added)
- If you really need host networking (usually only for some IPv6 setups) uncomment `network_mode: host`
-
-**Run without Compose**
-```bash
-docker build -t telemt:local .
-docker run --name telemt --restart unless-stopped \
-  -p 443:443 \
-  -e RUST_LOG=info \
-  -v "$PWD/config.toml:/app/config.toml:ro" \
-  --read-only \
-  --cap-drop ALL --cap-add NET_BIND_SERVICE \
-  --ulimit nofile=65536:65536 \
-  telemt:local
-```
-
 ## Why Rust?
 - Long-running reliability and idempotent behavior
 - Rust's deterministic resource management - RAII 
--- a/config.full.toml
+++ b/config.full.toml
@@ -1,176 +1,669 @@
-# Telemt full config with default values.
-# Examples are kept in comments after '#'.
+# ==============================================================================
+#
+#   TELEMT — Advanced Rust-based Telegram MTProto Proxy
+#   Full Configuration Reference
+#
+#   This file is both a working config and a complete documentation.
+#   Every parameter is explained. Read it top to bottom before deploying.
+#
+#   Quick Start:
+#     1. Set [server].port to your desired port (443 recommended)
+#     2. Generate a secret: openssl rand -hex 16
+#     3. Put it in [access.users] under a name you choose
+#     4. Set [censorship].tls_domain to a popular unblocked HTTPS site
+#     5. Set your public IP in [general].middle_proxy_nat_ip
+#        and [general.links].public_host
+#     6. Set announce IP in [[server.listeners]]
+#     7. Run Telemt. It prints a tg:// link. Send it to your users.
+#
+#   Modes of Operation:
+#     Direct Mode  (use_middle_proxy = false)
+#       Connects straight to Telegram DCs via TCP. Simple, fast, low overhead.
+#       No ad_tag support. No CDN DC support (203, etc).
+#
+#     Middle-Proxy Mode  (use_middle_proxy = true)
+#       Connects to Telegram Middle-End servers via RPC protocol.
+#       Required for ad_tag monetization and CDN support.
+#       Requires proxy_secret_path and a valid public IP.
+#
+# ==============================================================================

-# Top-level legacy field.
-show_link = [] # example: "*" or ["alice", "bob"]
-# default_dc = 2 # example: default DC for unmapped non-standard DCs
+
+# ==============================================================================
+# LEGACY TOP-LEVEL FIELDS
+# ==============================================================================
+
+# Deprecated. Use [general.links].show instead.
+# Accepts "*" for all users, or an array like ["alice", "bob"].
+show_link = ["0"]
+
+# Fallback Datacenter index (1-5) when a client requests an unknown DC ID.
+# DC 2 is Amsterdam (Europe), closest for most CIS users.
+# default_dc = 2
+
+
+# ==============================================================================
+# GENERAL SETTINGS
+# ==============================================================================

 [general]
+
+# ------------------------------------------------------------------------------
+# Core Protocol
+# ------------------------------------------------------------------------------
+
+# Coalesce the MTProto handshake and first data payload into a single TCP packet.
+# Significantly reduces connection latency. No reason to disable.
 fast_mode = true
-use_middle_proxy = false
-# ad_tag = "00000000000000000000000000000000" # example
-# proxy_secret_path = "proxy-secret" # example custom path
-# middle_proxy_nat_ip = "203.0.113.10" # example public NAT IP override
+
+# How the proxy connects to Telegram servers.
+# false = Direct TCP to Telegram DCs (simple, low overhead)
+# true  = Middle-End RPC protocol (required for ad_tag and CDN DCs)
+use_middle_proxy = true
+
+# 32-char hex Ad-Tag from @MTProxybot for sponsored channel injection.
+# Only works when use_middle_proxy = true.
+# Obtain yours: message @MTProxybot on Telegram, register your proxy.
+# ad_tag = "00000000000000000000000000000000"
+
+# ------------------------------------------------------------------------------
+# Middle-End Authentication
+# ------------------------------------------------------------------------------
+
+# Path to the Telegram infrastructure AES key file.
+# Auto-downloaded from https://core.telegram.org/getProxySecret on first run.
+# This key authenticates your proxy with Middle-End servers.
+proxy_secret_path = "proxy-secret"
+
+# ------------------------------------------------------------------------------
+# Public IP Configuration (Critical for Middle-Proxy Mode)
+# ------------------------------------------------------------------------------
+
+# Your server's PUBLIC IPv4 address.
+# Middle-End servers need this for the cryptographic Key Derivation Function.
+# If your server has a direct public IP, set it here.
+# If behind NAT (AWS, Docker, etc.), this MUST be your external IP.
+# If omitted, Telemt uses STUN to auto-detect (see middle_proxy_nat_probe).
+# middle_proxy_nat_ip = "203.0.113.10"
+
+# Auto-detect public IP via STUN servers defined in [network].
+# Set to false if you hardcoded middle_proxy_nat_ip above.
+# Set to true if you want automatic detection.
 middle_proxy_nat_probe = true
-# middle_proxy_nat_stun = "stun.l.google.com:19302" # example
-# middle_proxy_nat_stun_servers = [] # example: ["stun1.l.google.com:19302", "stun2.l.google.com:19302"]
+
+# ------------------------------------------------------------------------------
+# Middle-End Connection Pool
+# ------------------------------------------------------------------------------
+
+# Number of persistent multiplexed RPC connections to ME servers.
+# All client traffic is routed through these "fat pipes".
+# 8 handles thousands of concurrent users comfortably.
 middle_proxy_pool_size = 8
+
+# Legacy field. Connections kept initialized but idle as warm standby.
 middle_proxy_warm_standby = 16
+
+# ------------------------------------------------------------------------------
+# Middle-End Keepalive
+# Telegram ME servers aggressively kill idle TCP connections.
+# These settings send periodic RPC_PING frames to keep pipes alive.
+# ------------------------------------------------------------------------------
+
 me_keepalive_enabled = true
+
+# Base interval between pings in seconds.
 me_keepalive_interval_secs = 25
+
+# Random jitter added to interval to prevent all connections pinging simultaneously.
 me_keepalive_jitter_secs = 5
+
+# Randomize ping payload bytes to prevent DPI from fingerprinting ping patterns.
 me_keepalive_payload_random = true
+
+# ------------------------------------------------------------------------------
+# Client-Side Limits
+# ------------------------------------------------------------------------------
+
+# Max buffered ciphertext per client (bytes) when upstream is slow.
+# Acts as backpressure to prevent memory exhaustion. 256KB is safe.
 crypto_pending_buffer = 262144
+
+# Maximum single MTProto frame size from client. 16MB is protocol standard.
 max_client_frame = 16777216
-desync_all_full = false
+
+# ------------------------------------------------------------------------------
+# Crypto Desynchronization Logging
+# Desync errors usually mean DPI/GFW is tampering with connections.
+# ------------------------------------------------------------------------------
+
+# true  = full forensics (trace ID, IP hash, hex dumps) for EVERY desync event
+# false = deduplicated logging, one entry per time window (prevents log spam)
+# Set true if you are actively debugging DPI interference.
+desync_all_full = true
+
+# ------------------------------------------------------------------------------
+# Beobachten — Built-in Honeypot / Active Probe Tracker
+# Tracks IPs that fail handshakes or behave like TLS scanners.
+# Output file can be fed into fail2ban or iptables for auto-blocking.
+# ------------------------------------------------------------------------------
+
 beobachten = true
-beobachten_minutes = 10
+
+# How long (minutes) to remember a suspicious IP before expiring it.
+beobachten_minutes = 30
+
+# How often (seconds) to flush tracker state to disk.
 beobachten_flush_secs = 15
+
+# File path for the tracker output.
 beobachten_file = "cache/beobachten.txt"
+
+# ------------------------------------------------------------------------------
+# Hardswap — Zero-Downtime ME Pool Rotation
+# When Telegram updates ME server IPs, Hardswap creates a completely new pool,
+# waits until it is fully ready, migrates traffic, then kills the old pool.
+# Users experience zero interruption.
+# ------------------------------------------------------------------------------
+
 hardswap = true
+
+# ------------------------------------------------------------------------------
+# ME Pool Warmup Staggering
+# When creating a new pool, connections are opened one by one with delays
+# to avoid a burst of SYN packets that could trigger ISP flood protection.
+# ------------------------------------------------------------------------------
+
 me_warmup_stagger_enabled = true
+
+# Delay between each connection creation (milliseconds).
 me_warmup_step_delay_ms = 500
+
+# Random jitter added to the delay (milliseconds).
 me_warmup_step_jitter_ms = 300
+
+# ------------------------------------------------------------------------------
+# ME Reconnect Backoff
+# If an ME server drops the connection, Telemt retries with this strategy.
+# ------------------------------------------------------------------------------
+
+# Max simultaneous reconnect attempts per DC.
 me_reconnect_max_concurrent_per_dc = 8
+
+# Exponential backoff base (milliseconds).
 me_reconnect_backoff_base_ms = 500
+
+# Backoff ceiling (milliseconds). Will never wait longer than this.
 me_reconnect_backoff_cap_ms = 30000
+
+# Number of instant retries before switching to exponential backoff.
 me_reconnect_fast_retry_count = 12
+
+# ------------------------------------------------------------------------------
+# NAT Mismatch Behavior
+# If STUN-detected IP differs from local interface IP (you are behind NAT).
+# false = abort ME mode (safe default)
+# true  = force ME mode anyway (use if you know your NAT setup is correct)
+# ------------------------------------------------------------------------------
+
 stun_iface_mismatch_ignore = false
-unknown_dc_log_path = "unknown-dc.txt" # to disable: set to null
-log_level = "normal" # debug | verbose | normal | silent
+
+# ------------------------------------------------------------------------------
+# Logging
+# ------------------------------------------------------------------------------
+
+# File to log unknown DC requests (DC IDs outside standard 1-5).
+unknown_dc_log_path = "unknown-dc.txt"
+
+# Verbosity: "debug" | "verbose" | "normal" | "silent"
+log_level = "normal"
+
+# Disable ANSI color codes in log output (useful for file logging).
 disable_colors = false
-fast_mode_min_tls_record = 0
+
+# ------------------------------------------------------------------------------
+# FakeTLS Record Sizing
+# Buffer small MTProto packets into larger TLS records to mimic real HTTPS.
+# Real HTTPS servers send records close to MTU size (~1400 bytes).
+# A stream of tiny TLS records is a strong DPI signal.
+# Set to 0 to disable. Set to 1400 for realistic HTTPS emulation.
+# ------------------------------------------------------------------------------
+
+fast_mode_min_tls_record = 1400
+
+# ------------------------------------------------------------------------------
+# Periodic Updates
+# ------------------------------------------------------------------------------
+
+# How often (seconds) to re-fetch ME server lists and proxy secrets
+# from core.telegram.org. Keeps your proxy in sync with Telegram infrastructure.
 update_every = 300
-me_reinit_every_secs = 900
+
+# How often (seconds) to force a Hardswap even if the ME map is unchanged.
+# Shorter intervals mean shorter-lived TCP flows, harder for DPI to profile.
+me_reinit_every_secs = 600
+
+# ------------------------------------------------------------------------------
+# Hardswap Warmup Tuning
+# Fine-grained control over how the new pool is warmed up before traffic switch.
+# ------------------------------------------------------------------------------
+
 me_hardswap_warmup_delay_min_ms = 1000
 me_hardswap_warmup_delay_max_ms = 2000
 me_hardswap_warmup_extra_passes = 3
 me_hardswap_warmup_pass_backoff_base_ms = 500
+
+# ------------------------------------------------------------------------------
+# Config Update Debouncing
+# Telegram sometimes pushes transient/broken configs. Debouncing requires
+# N consecutive identical fetches before applying a change.
+# ------------------------------------------------------------------------------
+
+# ME server list must be identical for this many fetches before applying.
 me_config_stable_snapshots = 2
+
+# Minimum seconds between config applications.
 me_config_apply_cooldown_secs = 300
+
+# Proxy secret must be identical for this many fetches before applying.
 proxy_secret_stable_snapshots = 2
+
+# ------------------------------------------------------------------------------
+# Proxy Secret Rotation
+# ------------------------------------------------------------------------------
+
+# Apply newly downloaded secrets at runtime without restart.
 proxy_secret_rotate_runtime = true
+
+# Maximum acceptable secret length (bytes). Rejects abnormally large secrets.
 proxy_secret_len_max = 256
+
+# ------------------------------------------------------------------------------
+# Hardswap Drain Settings
+# Controls graceful shutdown of old ME connections during pool rotation.
+# ------------------------------------------------------------------------------
+
+# Seconds to keep old connections alive for in-flight data before force-closing.
 me_pool_drain_ttl_secs = 90
+
+# Minimum ratio of healthy connections in new pool before draining old pool.
+# 0.8 = at least 80% of new pool must be ready.
 me_pool_min_fresh_ratio = 0.8
+
+# Maximum seconds to wait for drain to complete before force-killing.
 me_reinit_drain_timeout_secs = 120
-# Legacy compatibility fields used when update_every is omitted.
-proxy_secret_auto_reload_secs = 3600
-proxy_config_auto_reload_secs = 3600
+
+# ------------------------------------------------------------------------------
+# NTP Clock Check
+# MTProto uses timestamps. Clock drift > 30 seconds breaks handshakes.
+# Telemt checks on startup and warns if out of sync.
+# ------------------------------------------------------------------------------
+
 ntp_check = true
-ntp_servers = ["pool.ntp.org"] # example: ["pool.ntp.org", "time.cloudflare.com"]
+ntp_servers = ["pool.ntp.org"]
+
+# ------------------------------------------------------------------------------
+# Auto-Degradation
+# If ME servers become completely unreachable (ISP blocking),
+# automatically fall back to Direct Mode so users stay connected.
+# ------------------------------------------------------------------------------
+
 auto_degradation_enabled = true
+
+# Number of DC groups that must be unreachable before triggering fallback.
 degradation_min_unavailable_dc_groups = 2

+
+# ==============================================================================
+# ALLOWED CLIENT PROTOCOLS
+# Only enable what you need. In censored regions, TLS-only is safest.
+# ==============================================================================
+
 [general.modes]
+
+# Classic MTProto. Unobfuscated length prefixes. Trivially detected by DPI.
+# No reason to enable unless you have ancient clients.
 classic = false
+
+# Obfuscated MTProto with randomized padding. Better than classic, but
+# still detectable by statistical analysis of packet sizes.
 secure = false
+
+# FakeTLS (ee-secrets). Wraps MTProto in TLS 1.3 framing.
+# To DPI, it looks like a normal HTTPS connection.
+# This should be the ONLY enabled mode in censored environments.
 tls = true

+
+# ==============================================================================
+# STARTUP LINK GENERATION
+# Controls what tg:// invite links are printed to console on startup.
+# ==============================================================================
+
 [general.links]
-show ="*" # example: "*" or ["alice", "bob"]
-# public_host = "proxy.example.com" # example explicit host/IP for tg:// links
-# public_port = 443 # example explicit port for tg:// links
+
+# Which users to generate links for.
+# "*" = all users, or an array like ["alice", "bob"].
+show = "*"
+
+# IP or domain to embed in the tg:// link.
+# If omitted, Telemt uses STUN to auto-detect.
+# Set this to your server's public IP or domain for reliable links.
+# public_host = "proxy.example.com"
+
+# Port to embed in the tg:// link.
+# If omitted, uses [server].port.
+# public_port = 443
+
+
+# ==============================================================================
+# NETWORK & IP RESOLUTION
+# ==============================================================================

 [network]
+
+# Enable IPv4 for outbound connections to Telegram.
 ipv4 = true
-ipv6 = false # set true to enable IPv6
-prefer = 4 # 4 or 6
+
+# Enable IPv6 for outbound connections to Telegram.
+ipv6 = false
+
+# Prefer IPv4 (4) or IPv6 (6) when both are available.
+prefer = 4
+
+# Experimental: use both IPv4 and IPv6 ME servers simultaneously.
+# May improve reliability but doubles connection count.
 multipath = false
+
+# STUN servers for external IP discovery.
+# Used for Middle-Proxy KDF (if nat_probe=true) and link generation.
 stun_servers = [
-  "stun.l.google.com:5349",
-  "stun1.l.google.com:3478",
-  "stun.gmx.net:3478",
-  "stun.l.google.com:19302",
-  "stun.1und1.de:3478",
-  "stun1.l.google.com:19302",
-  "stun2.l.google.com:19302",
-  "stun3.l.google.com:19302",
-  "stun4.l.google.com:19302",
-  "stun.services.mozilla.com:3478",
-  "stun.stunprotocol.org:3478",
-  "stun.nextcloud.com:3478",
-  "stun.voip.eutelia.it:3478",
+    "stun.l.google.com:5349",
+    "stun1.l.google.com:3478",
+    "stun.gmx.net:3478",
+    "stun.l.google.com:19302"
 ]
+
+# If UDP STUN is blocked, attempt TCP-based STUN as fallback.
 stun_tcp_fallback = true
-http_ip_detect_urls = ["https://ifconfig.me/ip", "https://api.ipify.org"]
+
+# If all STUN fails, use HTTP APIs to discover public IP.
+http_ip_detect_urls = [
+    "https://ifconfig.me/ip",
+    "https://api.ipify.org"
+]
+
+# Cache discovered public IP to this file to survive restarts.
 cache_public_ip_path = "cache/public_ip.txt"

+
+# ==============================================================================
+# SERVER BINDING & METRICS
+# ==============================================================================
+
 [server]
+
+# TCP port to listen on.
+# 443 is recommended (looks like normal HTTPS traffic).
 port = 443
+
+# IPv4 bind address. "0.0.0.0" = all interfaces.
 listen_addr_ipv4 = "0.0.0.0"
+
+# IPv6 bind address. "::" = all interfaces.
 listen_addr_ipv6 = "::"
-# listen_unix_sock = "/var/run/telemt.sock" # example
-# listen_unix_sock_perm = "0660" # example unix socket mode
-# listen_tcp = true # example explicit override (auto-detected when omitted)
+
+# Unix socket listener (for reverse proxy setups with Nginx/HAProxy).
+# listen_unix_sock = "/var/run/telemt.sock"
+# listen_unix_sock_perm = "0660"
+
+# Enable PROXY protocol header parsing.
+# Set true ONLY if Telemt is behind HAProxy/Nginx that injects PROXY headers.
+# If enabled without a proxy in front, clients will fail to connect.
 proxy_protocol = false
-# metrics_port = 9090 # example
-metrics_whitelist = ["127.0.0.1/32", "::1/128"]
-# Example explicit listeners (default: omitted, auto-generated from listen_addr_*):
+
+# Prometheus metrics HTTP endpoint port.
+# Uncomment to enable. Access at http://your-server:9090/metrics
+# metrics_port = 9090
+
+# IP ranges allowed to access the metrics endpoint.
+metrics_whitelist = [
+    "127.0.0.1/32",
+    "::1/128"
+]
+
+# ------------------------------------------------------------------------------
+# Listener Overrides
+# Define explicit listeners with specific bind IPs and announce IPs.
+# The announce IP is what gets embedded in tg:// links and sent to ME servers.
+# You MUST set announce to your server's public IP for ME mode to work.
+# ------------------------------------------------------------------------------
+
 # [[server.listeners]]
 # ip = "0.0.0.0"
-# announce = "proxy-v4.example.com"
-# # announce_ip = "203.0.113.10" # deprecated alias
-# proxy_protocol = false
-# reuse_allow = false
-#
-# [[server.listeners]]
-# ip = "::"
-# announce = "proxy-v6.example.com"
-# proxy_protocol = false
+# announce = "203.0.113.10"
 # reuse_allow = false

+
+# ==============================================================================
+# TIMEOUTS (seconds unless noted)
+# ==============================================================================
+
 [timeouts]
+
+# Maximum time for client to complete FakeTLS + MTProto handshake.
 client_handshake = 15
+
+# Maximum time to establish TCP connection to upstream Telegram DC.
 tg_connect = 10
+
+# TCP keepalive interval for client connections.
 client_keepalive = 60
+
+# Maximum client inactivity before dropping the connection.
 client_ack = 300
+
+# Instant retry count for a single ME endpoint before giving up on it.
 me_one_retry = 3
+
+# Timeout (milliseconds) for a single ME endpoint connection attempt.
 me_one_timeout_ms = 1500

+
+# ==============================================================================
+# ANTI-CENSORSHIP / FAKETLS / MASKING
+# This is where Telemt becomes invisible to Deep Packet Inspection.
+# ==============================================================================
+
 [censorship]
-tls_domain = "petrovich.ru"
-# tls_domains = ["example.com", "cdn.example.net"] # Additional domains for EE links
+
+# ------------------------------------------------------------------------------
+# TLS Domain Fronting
+# The SNI (Server Name Indication) your proxy presents to connecting clients.
+# Must be a popular, unblocked HTTPS website in your target country.
+# DPI sees traffic to this domain. Choose carefully.
+# Good choices: major CDNs, banks, government sites, search engines.
+# Bad choices: obscure sites, already-blocked domains.
+# ------------------------------------------------------------------------------
+
+tls_domain = "www.google.com"
+
+# ------------------------------------------------------------------------------
+# Active Probe Masking
+# When someone connects but fails the MTProto handshake (wrong secret),
+# they might be an ISP active prober testing if this is a proxy.
+#
+# mask = false: drop the connection (prober knows something is here)
+# mask = true:  transparently proxy them to mask_host (prober sees a real website)
+#
+# With mask enabled, your server is indistinguishable from a real web server
+# to anyone who doesn't have the correct secret.
+# ------------------------------------------------------------------------------
+
 mask = true
-# mask_host = "www.google.com" # example, defaults to tls_domain when both mask_host/mask_unix_sock are unset
-# mask_unix_sock = "/var/run/nginx.sock" # example, mutually exclusive with mask_host
+
+# The real web server to forward failed handshakes to.
+# If omitted, defaults to tls_domain.
+# mask_host = "www.google.com"
+
+# Port on the mask host to connect to.
 mask_port = 443
-# mask_proxy_protocol = 0 # Send PROXY protocol header to mask_host: 0 = off, 1 = v1 (text), 2 = v2 (binary)
-fake_cert_len = 2048 # if tls_emulation=false and default value is used, loader may randomize this value at runtime
+
+# Inject PROXY protocol header when forwarding to mask host.
+# 0 = disabled, 1 = v1, 2 = v2. Leave disabled unless mask_host expects it.
+# mask_proxy_protocol = 0
+
+# ------------------------------------------------------------------------------
+# TLS Certificate Emulation
+# ------------------------------------------------------------------------------
+
+# Size (bytes) of the locally generated fake TLS certificate.
+# Only used when tls_emulation is disabled.
+fake_cert_len = 2048
+
+# KILLER FEATURE: Real-Time TLS Emulation.
+# Telemt connects to tls_domain, fetches its actual TLS 1.3 certificate chain,
+# and exactly replicates the byte sizes of ServerHello and Certificate records.
+# Defeats DPI that uses TLS record length heuristics to detect proxies.
+# Strongly recommended in censored environments.
 tls_emulation = true
+
+# Directory to cache fetched TLS certificates.
 tls_front_dir = "tlsfront"
-server_hello_delay_min_ms = 0
-server_hello_delay_max_ms = 0
-tls_new_session_tickets = 0
-tls_full_cert_ttl_secs = 90
+
+# ------------------------------------------------------------------------------
+# ServerHello Timing
+# Real web servers take 30-150ms to respond to ClientHello due to network
+# latency and crypto processing. A proxy responding in <1ms is suspicious.
+# These settings add realistic delay to mimic genuine server behavior.
+# ------------------------------------------------------------------------------
+
+# Minimum delay before sending ServerHello (milliseconds).
+server_hello_delay_min_ms = 50
+
+# Maximum delay before sending ServerHello (milliseconds).
+server_hello_delay_max_ms = 150
+
+# ------------------------------------------------------------------------------
+# TLS Session Tickets
+# Real TLS 1.3 servers send 1-2 NewSessionTicket messages after handshake.
+# A server that sends zero tickets is anomalous and may trigger DPI flags.
+# Set this to match your tls_domain's behavior (usually 2).
+# ------------------------------------------------------------------------------
+
+# tls_new_session_tickets = 0
+
+# ------------------------------------------------------------------------------
+# Full Certificate Frequency
+# When tls_emulation is enabled, this controls how often (per client IP)
+# to send the complete emulated certificate chain.
+#
+# > 0: Subsequent connections within TTL seconds get a smaller cached version.
+#       Saves bandwidth but creates a detectable size difference between
+#       first and repeat connections.
+#
+# = 0: Every connection gets the full certificate. More bandwidth but
+#       perfectly consistent behavior, no anomalies for DPI to detect.
+# ------------------------------------------------------------------------------
+
+tls_full_cert_ttl_secs = 0
+
+# ------------------------------------------------------------------------------
+# ALPN Enforcement
+# Ensure ServerHello responds with the exact ALPN protocol the client requested.
+# Mismatched ALPN (e.g., client asks h2, server says http/1.1) is a DPI red flag.
+# ------------------------------------------------------------------------------
+
 alpn_enforce = true

+
+# ==============================================================================
+# ACCESS CONTROL & USERS
+# ==============================================================================
+
 [access]
+
+# ------------------------------------------------------------------------------
+# Replay Attack Protection
+# DPI can record a legitimate user's handshake and replay it later to probe
+# whether the server is a proxy. Telemt remembers recent handshake nonces
+# and rejects duplicates.
+# ------------------------------------------------------------------------------
+
+# Number of nonce slots in the replay detection buffer.
 replay_check_len = 65536
+
+# How long (seconds) to remember nonces before expiring them.
 replay_window_secs = 1800
+
+# Allow clients with incorrect system clocks to connect.
+# false = reject clients with significant time skew (more secure)
+# true  = accept anyone regardless of clock (more permissive)
 ignore_time_skew = false

+# ------------------------------------------------------------------------------
+# User Secrets
+# Each user needs a unique 32-character hex string as their secret.
+# Generate with: openssl rand -hex 16
+#
+# This secret is embedded in the tg:// link. Anyone with it can connect.
+# Format: username = "hex_secret"
+# ------------------------------------------------------------------------------
+
 [access.users]
-# format: "username" = "32_hex_chars_secret"
-hello = "00000000000000000000000000000000"
-# alice = "11111111111111111111111111111111" # example
+# alice = "0123456789abcdef0123456789abcdef"
+# bob = "fedcba9876543210fedcba9876543210"
+
+# ------------------------------------------------------------------------------
+# Per-User Connection Limits
+# Limits concurrent TCP connections per user to prevent secret sharing.
+# Uncomment and set for each user as needed.
+# ------------------------------------------------------------------------------

 [access.user_max_tcp_conns]
-# alice = 100 # example
+# alice = 100
+# bob = 50
+
+# ------------------------------------------------------------------------------
+# Per-User Expiration Dates
+# Automatically revoke access after the specified date (ISO 8601 format).
+# ------------------------------------------------------------------------------

 [access.user_expirations]
-# alice = "2078-01-01T00:00:00Z" # example
+# alice = "2025-12-31T23:59:59Z"
+# bob = "2026-06-15T00:00:00Z"
+
+# ------------------------------------------------------------------------------
+# Per-User Data Quotas
+# Maximum total bytes transferred per user. Connection refused after limit.
+# ------------------------------------------------------------------------------

 [access.user_data_quota]
-# hello = 10737418240 # example bytes
-# alice = 10737418240 # example bytes
+# alice = 107374182400
+# bob = 53687091200
+
+# ------------------------------------------------------------------------------
+# Per-User Unique IP Limits
+# Maximum number of different IP addresses that can use this secret
+# at the same time. Highly effective against secret leaking/sharing.
+# Set to 1 for single-device, 2-3 for phone+desktop, etc.
+# ------------------------------------------------------------------------------

 [access.user_max_unique_ips]
-# hello = 10 # example
-# alice = 100 # example
+# alice = 3
+# bob = 2
+
+
+# ==============================================================================
+# UPSTREAM ROUTING
+# Controls how Telemt connects to Telegram servers (or ME servers).
+# If omitted entirely, uses the OS default route.
+# ==============================================================================
+
+# ------------------------------------------------------------------------------
+# Direct upstream: use the server's own network interface.
+# You can optionally bind to a specific interface or local IP.
+# ------------------------------------------------------------------------------

-# Default behavior if [[upstreams]] is omitted: loader injects one direct upstream.
-# Example explicit upstreams:
 # [[upstreams]]
 # type = "direct"
 # interface = "eth0"
@@ -178,28 +671,27 @@ hello = "00000000000000000000000000000000"
 # weight = 1
 # enabled = true
 # scopes = "*"
-#
-# [[upstreams]]
-# type = "socks4"
-# address = "198.51.100.20:1080"
-# interface = "eth0"
-# user_id = "telemt"
-# weight = 1
-# enabled = true
-# scopes = "*"
-#
+
+# ------------------------------------------------------------------------------
+# SOCKS5 upstream: route Telegram traffic through a SOCKS5 proxy.
+# Useful if your server's IP is blocked from reaching Telegram DCs.
+# ------------------------------------------------------------------------------
+
 # [[upstreams]]
 # type = "socks5"
 # address = "198.51.100.30:1080"
-# interface = "eth0"
 # username = "proxy-user"
 # password = "proxy-pass"
 # weight = 1
 # enabled = true
-# scopes = "*"

-# === DC Address Overrides ===
+
+# ==============================================================================
+# DATACENTER OVERRIDES
+# Force specific DC IDs to route to specific IP:Port combinations.
+# DC 203 (CDN) is auto-injected by Telemt if not specified here.
+# ==============================================================================
+
 # [dc_overrides]
-# "201" = "149.154.175.50:443" # example
-# "202" = ["149.154.167.51:443", "149.154.175.100:443"] # example
-# "203" = "91.105.192.100:443" # loader auto-adds this one when omitted
+# "201" = "149.154.175.50:443"
+# "202" = ["149.154.167.51:443", "149.154.175.100:443"]
--- a/config.toml
+++ b/config.toml
@@ -4,8 +4,10 @@

 # === General Settings ===
 [general]
-use_middle_proxy = false
+use_middle_proxy = true
+# Global ad_tag fallback when user has no per-user tag in [access.user_ad_tags]
 # ad_tag = "00000000000000000000000000000000"
+# Per-user ad_tag in [access.user_ad_tags] (32 hex from @MTProxybot)

 # === Log Level ===
 # Log level: debug | verbose | normal | silent
@@ -32,6 +34,13 @@ port = 443
 # metrics_port = 9090
 # metrics_whitelist = ["127.0.0.1", "::1", "0.0.0.0/0"]

+[server.api]
+enabled = true
+listen = "0.0.0.0:9091"
+whitelist = ["127.0.0.0/8"]
+minimal_runtime_enabled = false
+minimal_runtime_cache_ttl_ms = 1000
+
 # Listen on multiple interfaces/IPs - IPv4
 [[server.listeners]]
 ip = "0.0.0.0"
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,11 +1,12 @@
 services:
  telemt:
+    image: ghcr.io/telemt/telemt:latest
    build: .
    container_name: telemt
    restart: unless-stopped
    ports:
      - "443:443"
-      - "9090:9090"
+      - "127.0.0.1:9090:9090"
    # Allow caching 'proxy-secret' in read-only container
    working_dir: /run/telemt
    volumes:
--- a/docs/API.md
+++ b/docs/API.md
@@ -0,0 +1,673 @@
+# Telemt Control API
+
+## Purpose
+Control-plane HTTP API for runtime visibility and user/config management.
+Data-plane MTProto traffic is out of scope.
+
+## Runtime Configuration
+API runtime is configured in `[server.api]`.
+
+| Field | Type | Default | Description |
+| --- | --- | --- | --- |
+| `enabled` | `bool` | `false` | Enables REST API listener. |
+| `listen` | `string` (`IP:PORT`) | `127.0.0.1:9091` | API bind address. |
+| `whitelist` | `CIDR[]` | `127.0.0.1/32, ::1/128` | Source IP allowlist. Empty list means allow all. |
+| `auth_header` | `string` | `""` | Exact value for `Authorization` header. Empty disables header auth. |
+| `request_body_limit_bytes` | `usize` | `65536` | Maximum request body size. Must be `> 0`. |
+| `minimal_runtime_enabled` | `bool` | `false` | Enables runtime snapshot endpoints requiring ME pool read-lock aggregation. |
+| `minimal_runtime_cache_ttl_ms` | `u64` | `1000` | Cache TTL for minimal snapshots. `0` disables cache; valid range is `[0, 60000]`. |
+| `runtime_edge_enabled` | `bool` | `false` | Enables runtime edge endpoints with cached aggregation payloads. |
+| `runtime_edge_cache_ttl_ms` | `u64` | `1000` | Cache TTL for runtime edge summary payloads. `0` disables cache. |
+| `runtime_edge_top_n` | `usize` | `10` | Top-N rows for runtime edge leaderboard payloads. |
+| `runtime_edge_events_capacity` | `usize` | `256` | Ring-buffer size for `/v1/runtime/events/recent`. |
+| `read_only` | `bool` | `false` | Disables mutating endpoints. |
+
+`server.admin_api` is accepted as an alias for backward compatibility.
+
+Runtime validation for API config:
+- `server.api.listen` must be a valid `IP:PORT`.
+- `server.api.request_body_limit_bytes` must be `> 0`.
+- `server.api.minimal_runtime_cache_ttl_ms` must be within `[0, 60000]`.
+- `server.api.runtime_edge_cache_ttl_ms` must be within `[0, 60000]`.
+- `server.api.runtime_edge_top_n` must be within `[1, 1000]`.
+- `server.api.runtime_edge_events_capacity` must be within `[16, 4096]`.
+
+## Protocol Contract
+
+| Item | Value |
+| --- | --- |
+| Transport | HTTP/1.1 |
+| Content type | `application/json; charset=utf-8` |
+| Prefix | `/v1` |
+| Optimistic concurrency | `If-Match: <revision>` on mutating requests (optional) |
+| Revision format | SHA-256 hex of current `config.toml` content |
+
+### Success Envelope
+```json
+{
+  "ok": true,
+  "data": {},
+  "revision": "sha256-hex"
+}
+```
+
+### Error Envelope
+```json
+{
+  "ok": false,
+  "error": {
+    "code": "machine_code",
+    "message": "human-readable"
+  },
+  "request_id": 1
+}
+```
+
+## Request Processing Order
+
+Requests are processed in this order:
+1. `api_enabled` gate (`503 api_disabled` if disabled).
+2. Source IP whitelist gate (`403 forbidden`).
+3. `Authorization` header gate when configured (`401 unauthorized`).
+4. Route and method matching (`404 not_found` or `405 method_not_allowed`).
+5. `read_only` gate for mutating routes (`403 read_only`).
+6. Request body read/limit/JSON decode (`413 payload_too_large`, `400 bad_request`).
+7. Business validation and config write path.
+
+Notes:
+- Whitelist is evaluated against the direct TCP peer IP (`SocketAddr::ip`), without `X-Forwarded-For` support.
+- `Authorization` check is exact string equality against configured `auth_header`.
+
+## Endpoint Matrix
+
+| Method | Path | Body | Success | `data` contract |
+| --- | --- | --- | --- | --- |
+| `GET` | `/v1/health` | none | `200` | `HealthData` |
+| `GET` | `/v1/system/info` | none | `200` | `SystemInfoData` |
+| `GET` | `/v1/runtime/gates` | none | `200` | `RuntimeGatesData` |
+| `GET` | `/v1/limits/effective` | none | `200` | `EffectiveLimitsData` |
+| `GET` | `/v1/security/posture` | none | `200` | `SecurityPostureData` |
+| `GET` | `/v1/security/whitelist` | none | `200` | `SecurityWhitelistData` |
+| `GET` | `/v1/stats/summary` | none | `200` | `SummaryData` |
+| `GET` | `/v1/stats/zero/all` | none | `200` | `ZeroAllData` |
+| `GET` | `/v1/stats/upstreams` | none | `200` | `UpstreamsData` |
+| `GET` | `/v1/stats/minimal/all` | none | `200` | `MinimalAllData` |
+| `GET` | `/v1/stats/me-writers` | none | `200` | `MeWritersData` |
+| `GET` | `/v1/stats/dcs` | none | `200` | `DcStatusData` |
+| `GET` | `/v1/runtime/me_pool_state` | none | `200` | `RuntimeMePoolStateData` |
+| `GET` | `/v1/runtime/me_quality` | none | `200` | `RuntimeMeQualityData` |
+| `GET` | `/v1/runtime/upstream_quality` | none | `200` | `RuntimeUpstreamQualityData` |
+| `GET` | `/v1/runtime/nat_stun` | none | `200` | `RuntimeNatStunData` |
+| `GET` | `/v1/runtime/connections/summary` | none | `200` | `RuntimeEdgeConnectionsSummaryData` |
+| `GET` | `/v1/runtime/events/recent` | none | `200` | `RuntimeEdgeEventsData` |
+| `GET` | `/v1/stats/users` | none | `200` | `UserInfo[]` |
+| `GET` | `/v1/users` | none | `200` | `UserInfo[]` |
+| `POST` | `/v1/users` | `CreateUserRequest` | `201` | `CreateUserResponse` |
+| `GET` | `/v1/users/{username}` | none | `200` | `UserInfo` |
+| `PATCH` | `/v1/users/{username}` | `PatchUserRequest` | `200` | `UserInfo` |
+| `DELETE` | `/v1/users/{username}` | none | `200` | `string` (deleted username) |
+| `POST` | `/v1/users/{username}/rotate-secret` | `RotateSecretRequest` or empty body | `404` | `ErrorResponse` (`not_found`, current runtime behavior) |
+
+## Common Error Codes
+
+| HTTP | `error.code` | Trigger |
+| --- | --- | --- |
+| `400` | `bad_request` | Invalid JSON, validation failures, malformed request body. |
+| `401` | `unauthorized` | Missing/invalid `Authorization` when `auth_header` is configured. |
+| `403` | `forbidden` | Source IP is not allowed by whitelist. |
+| `403` | `read_only` | Mutating endpoint called while `read_only=true`. |
+| `404` | `not_found` | Unknown route, unknown user, or unsupported sub-route (including current `rotate-secret` route). |
+| `405` | `method_not_allowed` | Unsupported method for `/v1/users/{username}` route shape. |
+| `409` | `revision_conflict` | `If-Match` revision mismatch. |
+| `409` | `user_exists` | User already exists on create. |
+| `409` | `last_user_forbidden` | Attempt to delete last configured user. |
+| `413` | `payload_too_large` | Body exceeds `request_body_limit_bytes`. |
+| `500` | `internal_error` | Internal error (I/O, serialization, config load/save). |
+| `503` | `api_disabled` | API disabled in config. |
+
+## Routing and Method Edge Cases
+
+| Case | Behavior |
+| --- | --- |
+| Path matching | Exact match on `req.uri().path()`. Query string does not affect route matching. |
+| Trailing slash | Not normalized. Example: `/v1/users/` is `404`. |
+| Username route with extra slash | `/v1/users/{username}/...` is not treated as user route and returns `404`. |
+| `PUT /v1/users/{username}` | `405 method_not_allowed`. |
+| `POST /v1/users/{username}` | `404 not_found`. |
+| `POST /v1/users/{username}/rotate-secret` | `404 not_found` in current release due route matcher limitation. |
+
+## Body and JSON Semantics
+
+- Request body is read only for mutating routes that define a body contract.
+- Body size limit is enforced during streaming read (`413 payload_too_large`).
+- Invalid transport body frame returns `400 bad_request` (`Invalid request body`).
+- Invalid JSON returns `400 bad_request` (`Invalid JSON body`).
+- `Content-Type` is not required for JSON parsing.
+- Unknown JSON fields are ignored by deserialization.
+- `PATCH` updates only provided fields and does not support explicit clearing of optional fields.
+- `If-Match` supports both quoted and unquoted values; surrounding whitespace is trimmed.
+
+## Request Contracts
+
+### `CreateUserRequest`
+| Field | Type | Required | Description |
+| --- | --- | --- | --- |
+| `username` | `string` | yes | `[A-Za-z0-9_.-]`, length `1..64`. |
+| `secret` | `string` | no | Exactly 32 hex chars. If missing, generated automatically. |
+| `user_ad_tag` | `string` | no | Exactly 32 hex chars. |
+| `max_tcp_conns` | `usize` | no | Per-user concurrent TCP limit. |
+| `expiration_rfc3339` | `string` | no | RFC3339 expiration timestamp. |
+| `data_quota_bytes` | `u64` | no | Per-user traffic quota. |
+| `max_unique_ips` | `usize` | no | Per-user unique source IP limit. |
+
+### `PatchUserRequest`
+| Field | Type | Required | Description |
+| --- | --- | --- | --- |
+| `secret` | `string` | no | Exactly 32 hex chars. |
+| `user_ad_tag` | `string` | no | Exactly 32 hex chars. |
+| `max_tcp_conns` | `usize` | no | Per-user concurrent TCP limit. |
+| `expiration_rfc3339` | `string` | no | RFC3339 expiration timestamp. |
+| `data_quota_bytes` | `u64` | no | Per-user traffic quota. |
+| `max_unique_ips` | `usize` | no | Per-user unique source IP limit. |
+
+### `RotateSecretRequest`
+| Field | Type | Required | Description |
+| --- | --- | --- | --- |
+| `secret` | `string` | no | Exactly 32 hex chars. If missing, generated automatically. |
+
+Note: the request contract is defined, but the corresponding route currently returns `404` (see routing edge cases).
+
+## Response Data Contracts
+
+### `HealthData`
+| Field | Type | Description |
+| --- | --- | --- |
+| `status` | `string` | Always `"ok"`. |
+| `read_only` | `bool` | Mirrors current API `read_only` mode. |
+
+### `SummaryData`
+| Field | Type | Description |
+| --- | --- | --- |
+| `uptime_seconds` | `f64` | Process uptime in seconds. |
+| `connections_total` | `u64` | Total accepted client connections. |
+| `connections_bad_total` | `u64` | Failed/invalid client connections. |
+| `handshake_timeouts_total` | `u64` | Handshake timeout count. |
+| `configured_users` | `usize` | Number of configured users in config. |
+
+### `SystemInfoData`
+| Field | Type | Description |
+| --- | --- | --- |
+| `version` | `string` | Binary version (`CARGO_PKG_VERSION`). |
+| `target_arch` | `string` | Target architecture (`std::env::consts::ARCH`). |
+| `target_os` | `string` | Target OS (`std::env::consts::OS`). |
+| `build_profile` | `string` | Build profile (`PROFILE` env when available). |
+| `git_commit` | `string?` | Optional commit hash from build env metadata. |
+| `build_time_utc` | `string?` | Optional build timestamp from build env metadata. |
+| `rustc_version` | `string?` | Optional compiler version from build env metadata. |
+| `process_started_at_epoch_secs` | `u64` | Process start time as Unix epoch seconds. |
+| `uptime_seconds` | `f64` | Process uptime in seconds. |
+| `config_path` | `string` | Active config file path used by runtime. |
+| `config_hash` | `string` | SHA-256 hash of current config content (same value as envelope `revision`). |
+| `config_reload_count` | `u64` | Number of successfully observed config updates since process start. |
+| `last_config_reload_epoch_secs` | `u64?` | Unix epoch seconds of the latest observed config reload; null/absent before first reload. |
+
+### `RuntimeGatesData`
+| Field | Type | Description |
+| --- | --- | --- |
+| `accepting_new_connections` | `bool` | Current admission-gate state for new listener accepts. |
+| `conditional_cast_enabled` | `bool` | Whether conditional ME admission logic is enabled (`general.use_middle_proxy`). |
+| `me_runtime_ready` | `bool` | Current ME runtime readiness status used for conditional gate decisions. |
+| `me2dc_fallback_enabled` | `bool` | Whether ME -> direct fallback is enabled. |
+| `use_middle_proxy` | `bool` | Current transport mode preference. |
+
+### `EffectiveLimitsData`
+| Field | Type | Description |
+| --- | --- | --- |
+| `update_every_secs` | `u64` | Effective unified updater interval. |
+| `me_reinit_every_secs` | `u64` | Effective ME periodic reinit interval. |
+| `me_pool_force_close_secs` | `u64` | Effective stale-writer force-close timeout. |
+| `timeouts` | `EffectiveTimeoutLimits` | Effective timeout policy snapshot. |
+| `upstream` | `EffectiveUpstreamLimits` | Effective upstream connect/retry limits. |
+| `middle_proxy` | `EffectiveMiddleProxyLimits` | Effective ME pool/floor/reconnect limits. |
+| `user_ip_policy` | `EffectiveUserIpPolicyLimits` | Effective unique-IP policy mode/window. |
+
+#### `EffectiveTimeoutLimits`
+| Field | Type | Description |
+| --- | --- | --- |
+| `client_handshake_secs` | `u64` | Client handshake timeout. |
+| `tg_connect_secs` | `u64` | Upstream Telegram connect timeout. |
+| `client_keepalive_secs` | `u64` | Client keepalive interval. |
+| `client_ack_secs` | `u64` | ACK timeout. |
+| `me_one_retry` | `u8` | Fast retry count for single-endpoint ME DC. |
+| `me_one_timeout_ms` | `u64` | Fast retry timeout per attempt for single-endpoint ME DC. |
+
+#### `EffectiveUpstreamLimits`
+| Field | Type | Description |
+| --- | --- | --- |
+| `connect_retry_attempts` | `u32` | Upstream connect retry attempts. |
+| `connect_retry_backoff_ms` | `u64` | Upstream retry backoff delay. |
+| `connect_budget_ms` | `u64` | Total connect wall-clock budget across retries. |
+| `unhealthy_fail_threshold` | `u32` | Consecutive fail threshold for unhealthy marking. |
+| `connect_failfast_hard_errors` | `bool` | Whether hard errors skip additional retries. |
+
+#### `EffectiveMiddleProxyLimits`
+| Field | Type | Description |
+| --- | --- | --- |
+| `floor_mode` | `string` | Effective floor mode (`static` or `adaptive`). |
+| `adaptive_floor_idle_secs` | `u64` | Adaptive floor idle threshold. |
+| `adaptive_floor_min_writers_single_endpoint` | `u8` | Adaptive floor minimum for single-endpoint DCs. |
+| `adaptive_floor_recover_grace_secs` | `u64` | Adaptive floor recovery grace period. |
+| `reconnect_max_concurrent_per_dc` | `u32` | Max concurrent reconnects per DC. |
+| `reconnect_backoff_base_ms` | `u64` | Reconnect base backoff. |
+| `reconnect_backoff_cap_ms` | `u64` | Reconnect backoff cap. |
+| `reconnect_fast_retry_count` | `u32` | Number of fast retries before standard backoff strategy. |
+| `me2dc_fallback` | `bool` | Effective ME -> direct fallback flag. |
+
+#### `EffectiveUserIpPolicyLimits`
+| Field | Type | Description |
+| --- | --- | --- |
+| `mode` | `string` | Unique-IP policy mode (`active_window`, `time_window`, `combined`). |
+| `window_secs` | `u64` | Time window length used by unique-IP policy. |
+
+### `SecurityPostureData`
+| Field | Type | Description |
+| --- | --- | --- |
+| `api_read_only` | `bool` | Current API read-only state. |
+| `api_whitelist_enabled` | `bool` | Whether whitelist filtering is active. |
+| `api_whitelist_entries` | `usize` | Number of configured whitelist CIDRs. |
+| `api_auth_header_enabled` | `bool` | Whether `Authorization` header validation is active. |
+| `proxy_protocol_enabled` | `bool` | Global PROXY protocol accept setting. |
+| `log_level` | `string` | Effective log level (`debug`, `verbose`, `normal`, `silent`). |
+| `telemetry_core_enabled` | `bool` | Core telemetry toggle. |
+| `telemetry_user_enabled` | `bool` | Per-user telemetry toggle. |
+| `telemetry_me_level` | `string` | ME telemetry level (`silent`, `normal`, `debug`). |
+
+### `SecurityWhitelistData`
+| Field | Type | Description |
+| --- | --- | --- |
+| `generated_at_epoch_secs` | `u64` | Snapshot generation timestamp. |
+| `enabled` | `bool` | `true` when whitelist has at least one CIDR entry. |
+| `entries_total` | `usize` | Number of whitelist CIDR entries. |
+| `entries` | `string[]` | Whitelist CIDR entries as strings. |
+
+### Runtime Min Endpoints
+- `/v1/runtime/me_pool_state`: generations, hardswap state, writer contour/health counts, refill inflight snapshot.
+- `/v1/runtime/me_quality`: ME error/drift/reconnect counters and per-DC RTT coverage snapshot.
+- `/v1/runtime/upstream_quality`: upstream runtime policy, connect counters, health summary and per-upstream DC latency/IP preference.
+- `/v1/runtime/nat_stun`: NAT/STUN runtime flags, server lists, reflection cache state and backoff remaining.
+
+### Runtime Edge Endpoints
+- `/v1/runtime/connections/summary`: cached connection totals (`total/me/direct`), active users and top-N users by connections/traffic.
+- `/v1/runtime/events/recent?limit=N`: bounded control-plane ring-buffer events (`limit` clamped to `[1, 1000]`).
+- If `server.api.runtime_edge_enabled=false`, runtime edge endpoints return `enabled=false` with `reason=feature_disabled`.
+
+### `ZeroAllData`
+| Field | Type | Description |
+| --- | --- | --- |
+| `generated_at_epoch_secs` | `u64` | Snapshot time (Unix epoch seconds). |
+| `core` | `ZeroCoreData` | Core counters and telemetry policy snapshot. |
+| `upstream` | `ZeroUpstreamData` | Upstream connect counters/histogram buckets. |
+| `middle_proxy` | `ZeroMiddleProxyData` | ME protocol/health counters. |
+| `pool` | `ZeroPoolData` | ME pool lifecycle counters. |
+| `desync` | `ZeroDesyncData` | Frame desync counters. |
+
+#### `ZeroCoreData`
+| Field | Type | Description |
+| --- | --- | --- |
+| `uptime_seconds` | `f64` | Process uptime. |
+| `connections_total` | `u64` | Total accepted connections. |
+| `connections_bad_total` | `u64` | Failed/invalid connections. |
+| `handshake_timeouts_total` | `u64` | Handshake timeouts. |
+| `configured_users` | `usize` | Configured user count. |
+| `telemetry_core_enabled` | `bool` | Core telemetry toggle. |
+| `telemetry_user_enabled` | `bool` | User telemetry toggle. |
+| `telemetry_me_level` | `string` | ME telemetry level (`off|normal|verbose`). |
+
+#### `ZeroUpstreamData`
+| Field | Type | Description |
+| --- | --- | --- |
+| `connect_attempt_total` | `u64` | Total upstream connect attempts. |
+| `connect_success_total` | `u64` | Successful upstream connects. |
+| `connect_fail_total` | `u64` | Failed upstream connects. |
+| `connect_failfast_hard_error_total` | `u64` | Fail-fast hard errors. |
+| `connect_attempts_bucket_1` | `u64` | Connect attempts resolved in 1 try. |
+| `connect_attempts_bucket_2` | `u64` | Connect attempts resolved in 2 tries. |
+| `connect_attempts_bucket_3_4` | `u64` | Connect attempts resolved in 3-4 tries. |
+| `connect_attempts_bucket_gt_4` | `u64` | Connect attempts requiring more than 4 tries. |
+| `connect_duration_success_bucket_le_100ms` | `u64` | Successful connects <=100 ms. |
+| `connect_duration_success_bucket_101_500ms` | `u64` | Successful connects 101-500 ms. |
+| `connect_duration_success_bucket_501_1000ms` | `u64` | Successful connects 501-1000 ms. |
+| `connect_duration_success_bucket_gt_1000ms` | `u64` | Successful connects >1000 ms. |
+| `connect_duration_fail_bucket_le_100ms` | `u64` | Failed connects <=100 ms. |
+| `connect_duration_fail_bucket_101_500ms` | `u64` | Failed connects 101-500 ms. |
+| `connect_duration_fail_bucket_501_1000ms` | `u64` | Failed connects 501-1000 ms. |
+| `connect_duration_fail_bucket_gt_1000ms` | `u64` | Failed connects >1000 ms. |
+
+### `UpstreamsData`
+| Field | Type | Description |
+| --- | --- | --- |
+| `enabled` | `bool` | Runtime upstream snapshot availability according to API config. |
+| `reason` | `string?` | `feature_disabled` or `source_unavailable` when runtime snapshot is unavailable. |
+| `generated_at_epoch_secs` | `u64` | Snapshot generation time. |
+| `zero` | `ZeroUpstreamData` | Always available zero-cost upstream counters block. |
+| `summary` | `UpstreamSummaryData?` | Runtime upstream aggregate view, null when unavailable. |
+| `upstreams` | `UpstreamStatus[]?` | Per-upstream runtime status rows, null when unavailable. |
+
+#### `UpstreamSummaryData`
+| Field | Type | Description |
+| --- | --- | --- |
+| `configured_total` | `usize` | Total configured upstream entries. |
+| `healthy_total` | `usize` | Upstreams currently marked healthy. |
+| `unhealthy_total` | `usize` | Upstreams currently marked unhealthy. |
+| `direct_total` | `usize` | Number of direct upstream entries. |
+| `socks4_total` | `usize` | Number of SOCKS4 upstream entries. |
+| `socks5_total` | `usize` | Number of SOCKS5 upstream entries. |
+
+#### `UpstreamStatus`
+| Field | Type | Description |
+| --- | --- | --- |
+| `upstream_id` | `usize` | Runtime upstream index. |
+| `route_kind` | `string` | Upstream route kind: `direct`, `socks4`, `socks5`. |
+| `address` | `string` | Upstream address (`direct` for direct route kind). Authentication fields are intentionally omitted. |
+| `weight` | `u16` | Selection weight. |
+| `scopes` | `string` | Configured scope selector string. |
+| `healthy` | `bool` | Current health flag. |
+| `fails` | `u32` | Consecutive fail counter. |
+| `last_check_age_secs` | `u64` | Seconds since the last health-check update. |
+| `effective_latency_ms` | `f64?` | Effective upstream latency used by selector. |
+| `dc` | `UpstreamDcStatus[]` | Per-DC latency/IP preference snapshot. |
+
+#### `UpstreamDcStatus`
+| Field | Type | Description |
+| --- | --- | --- |
+| `dc` | `i16` | Telegram DC id. |
+| `latency_ema_ms` | `f64?` | Per-DC latency EMA value. |
+| `ip_preference` | `string` | Per-DC IP family preference: `unknown`, `prefer_v4`, `prefer_v6`, `both_work`, `unavailable`. |
+
+#### `ZeroMiddleProxyData`
+| Field | Type | Description |
+| --- | --- | --- |
+| `keepalive_sent_total` | `u64` | ME keepalive packets sent. |
+| `keepalive_failed_total` | `u64` | ME keepalive send failures. |
+| `keepalive_pong_total` | `u64` | Keepalive pong responses received. |
+| `keepalive_timeout_total` | `u64` | Keepalive timeout events. |
+| `rpc_proxy_req_signal_sent_total` | `u64` | RPC proxy activity signals sent. |
+| `rpc_proxy_req_signal_failed_total` | `u64` | RPC proxy activity signal failures. |
+| `rpc_proxy_req_signal_skipped_no_meta_total` | `u64` | Signals skipped due to missing metadata. |
+| `rpc_proxy_req_signal_response_total` | `u64` | RPC proxy signal responses received. |
+| `rpc_proxy_req_signal_close_sent_total` | `u64` | RPC proxy close signals sent. |
+| `reconnect_attempt_total` | `u64` | ME reconnect attempts. |
+| `reconnect_success_total` | `u64` | Successful reconnects. |
+| `handshake_reject_total` | `u64` | ME handshake rejects. |
+| `handshake_error_codes` | `ZeroCodeCount[]` | Handshake rejects grouped by code. |
+| `reader_eof_total` | `u64` | ME reader EOF events. |
+| `idle_close_by_peer_total` | `u64` | Idle closes initiated by peer. |
+| `route_drop_no_conn_total` | `u64` | Route drops due to missing bound connection. |
+| `route_drop_channel_closed_total` | `u64` | Route drops due to closed channel. |
+| `route_drop_queue_full_total` | `u64` | Route drops due to full queue (total). |
+| `route_drop_queue_full_base_total` | `u64` | Route drops in base queue mode. |
+| `route_drop_queue_full_high_total` | `u64` | Route drops in high queue mode. |
+| `socks_kdf_strict_reject_total` | `u64` | SOCKS KDF strict rejects. |
+| `socks_kdf_compat_fallback_total` | `u64` | SOCKS KDF compat fallbacks. |
+| `endpoint_quarantine_total` | `u64` | Endpoint quarantine activations. |
+| `kdf_drift_total` | `u64` | KDF drift detections. |
+| `kdf_port_only_drift_total` | `u64` | KDF port-only drift detections. |
+| `hardswap_pending_reuse_total` | `u64` | Pending hardswap reused events. |
+| `hardswap_pending_ttl_expired_total` | `u64` | Pending hardswap TTL expiry events. |
+| `single_endpoint_outage_enter_total` | `u64` | Entered single-endpoint outage mode. |
+| `single_endpoint_outage_exit_total` | `u64` | Exited single-endpoint outage mode. |
+| `single_endpoint_outage_reconnect_attempt_total` | `u64` | Reconnect attempts in outage mode. |
+| `single_endpoint_outage_reconnect_success_total` | `u64` | Reconnect successes in outage mode. |
+| `single_endpoint_quarantine_bypass_total` | `u64` | Quarantine bypasses in outage mode. |
+| `single_endpoint_shadow_rotate_total` | `u64` | Shadow writer rotations. |
+| `single_endpoint_shadow_rotate_skipped_quarantine_total` | `u64` | Shadow rotations skipped because of quarantine. |
+| `floor_mode_switch_total` | `u64` | Total floor mode switches. |
+| `floor_mode_switch_static_to_adaptive_total` | `u64` | Static -> adaptive switches. |
+| `floor_mode_switch_adaptive_to_static_total` | `u64` | Adaptive -> static switches. |
+
+#### `ZeroCodeCount`
+| Field | Type | Description |
+| --- | --- | --- |
+| `code` | `i32` | Handshake error code. |
+| `total` | `u64` | Events with this code. |
+
+#### `ZeroPoolData`
+| Field | Type | Description |
+| --- | --- | --- |
+| `pool_swap_total` | `u64` | Pool swap count. |
+| `pool_drain_active` | `u64` | Current active draining pools. |
+| `pool_force_close_total` | `u64` | Forced pool closes by timeout. |
+| `pool_stale_pick_total` | `u64` | Stale writer picks for binding. |
+| `writer_removed_total` | `u64` | Writer removals total. |
+| `writer_removed_unexpected_total` | `u64` | Unexpected writer removals. |
+| `refill_triggered_total` | `u64` | Refill triggers. |
+| `refill_skipped_inflight_total` | `u64` | Refill skipped because refill already in-flight. |
+| `refill_failed_total` | `u64` | Refill failures. |
+| `writer_restored_same_endpoint_total` | `u64` | Restores on same endpoint. |
+| `writer_restored_fallback_total` | `u64` | Restores on fallback endpoint. |
+
+#### `ZeroDesyncData`
+| Field | Type | Description |
+| --- | --- | --- |
+| `secure_padding_invalid_total` | `u64` | Invalid secure padding events. |
+| `desync_total` | `u64` | Desync events total. |
+| `desync_full_logged_total` | `u64` | Fully logged desync events. |
+| `desync_suppressed_total` | `u64` | Suppressed desync logs. |
+| `desync_frames_bucket_0` | `u64` | Desync frames bucket 0. |
+| `desync_frames_bucket_1_2` | `u64` | Desync frames bucket 1-2. |
+| `desync_frames_bucket_3_10` | `u64` | Desync frames bucket 3-10. |
+| `desync_frames_bucket_gt_10` | `u64` | Desync frames bucket >10. |
+
+### `MinimalAllData`
+| Field | Type | Description |
+| --- | --- | --- |
+| `enabled` | `bool` | Whether minimal runtime snapshots are enabled by config. |
+| `reason` | `string?` | `feature_disabled` or `source_unavailable` when applicable. |
+| `generated_at_epoch_secs` | `u64` | Snapshot generation time. |
+| `data` | `MinimalAllPayload?` | Null when disabled; fallback payload when source unavailable. |
+
+#### `MinimalAllPayload`
+| Field | Type | Description |
+| --- | --- | --- |
+| `me_writers` | `MeWritersData` | ME writer status block. |
+| `dcs` | `DcStatusData` | DC aggregate status block. |
+| `me_runtime` | `MinimalMeRuntimeData?` | Runtime ME control snapshot. |
+| `network_path` | `MinimalDcPathData[]` | Active IP path selection per DC. |
+
+#### `MinimalMeRuntimeData`
+| Field | Type | Description |
+| --- | --- | --- |
+| `active_generation` | `u64` | Active pool generation. |
+| `warm_generation` | `u64` | Warm pool generation. |
+| `pending_hardswap_generation` | `u64` | Pending hardswap generation. |
+| `pending_hardswap_age_secs` | `u64?` | Pending hardswap age in seconds. |
+| `hardswap_enabled` | `bool` | Hardswap mode toggle. |
+| `floor_mode` | `string` | Writer floor mode. |
+| `adaptive_floor_idle_secs` | `u64` | Idle threshold for adaptive floor. |
+| `adaptive_floor_min_writers_single_endpoint` | `u8` | Minimum writers for single-endpoint DC in adaptive mode. |
+| `adaptive_floor_recover_grace_secs` | `u64` | Grace period for floor recovery. |
+| `me_keepalive_enabled` | `bool` | ME keepalive toggle. |
+| `me_keepalive_interval_secs` | `u64` | Keepalive period. |
+| `me_keepalive_jitter_secs` | `u64` | Keepalive jitter. |
+| `me_keepalive_payload_random` | `bool` | Randomized keepalive payload toggle. |
+| `rpc_proxy_req_every_secs` | `u64` | Period for RPC proxy request signal. |
+| `me_reconnect_max_concurrent_per_dc` | `u32` | Reconnect concurrency per DC. |
+| `me_reconnect_backoff_base_ms` | `u64` | Base reconnect backoff. |
+| `me_reconnect_backoff_cap_ms` | `u64` | Max reconnect backoff. |
+| `me_reconnect_fast_retry_count` | `u32` | Fast retry attempts before normal backoff. |
+| `me_pool_drain_ttl_secs` | `u64` | Pool drain TTL. |
+| `me_pool_force_close_secs` | `u64` | Hard close timeout for draining writers. |
+| `me_pool_min_fresh_ratio` | `f32` | Minimum fresh ratio before swap. |
+| `me_bind_stale_mode` | `string` | Stale writer bind policy. |
+| `me_bind_stale_ttl_secs` | `u64` | Stale writer TTL. |
+| `me_single_endpoint_shadow_writers` | `u8` | Shadow writers for single-endpoint DCs. |
+| `me_single_endpoint_outage_mode_enabled` | `bool` | Outage mode toggle for single-endpoint DCs. |
+| `me_single_endpoint_outage_disable_quarantine` | `bool` | Quarantine behavior in outage mode. |
+| `me_single_endpoint_outage_backoff_min_ms` | `u64` | Outage mode min reconnect backoff. |
+| `me_single_endpoint_outage_backoff_max_ms` | `u64` | Outage mode max reconnect backoff. |
+| `me_single_endpoint_shadow_rotate_every_secs` | `u64` | Shadow rotation interval. |
+| `me_deterministic_writer_sort` | `bool` | Deterministic writer ordering toggle. |
+| `me_socks_kdf_policy` | `string` | Current SOCKS KDF policy mode. |
+| `quarantined_endpoints_total` | `usize` | Total quarantined endpoints. |
+| `quarantined_endpoints` | `MinimalQuarantineData[]` | Quarantine details. |
+
+#### `MinimalQuarantineData`
+| Field | Type | Description |
+| --- | --- | --- |
+| `endpoint` | `string` | Endpoint (`ip:port`). |
+| `remaining_ms` | `u64` | Remaining quarantine duration. |
+
+#### `MinimalDcPathData`
+| Field | Type | Description |
+| --- | --- | --- |
+| `dc` | `i16` | Telegram DC identifier. |
+| `ip_preference` | `string?` | Runtime IP family preference. |
+| `selected_addr_v4` | `string?` | Selected IPv4 endpoint for this DC. |
+| `selected_addr_v6` | `string?` | Selected IPv6 endpoint for this DC. |
+
+### `MeWritersData`
+| Field | Type | Description |
+| --- | --- | --- |
+| `middle_proxy_enabled` | `bool` | `false` when minimal runtime is disabled or source unavailable. |
+| `reason` | `string?` | `feature_disabled` or `source_unavailable` when not fully available. |
+| `generated_at_epoch_secs` | `u64` | Snapshot generation time. |
+| `summary` | `MeWritersSummary` | Coverage/availability summary. |
+| `writers` | `MeWriterStatus[]` | Per-writer statuses. |
+
+#### `MeWritersSummary`
+| Field | Type | Description |
+| --- | --- | --- |
+| `configured_dc_groups` | `usize` | Number of configured DC groups. |
+| `configured_endpoints` | `usize` | Total configured ME endpoints. |
+| `available_endpoints` | `usize` | Endpoints currently available. |
+| `available_pct` | `f64` | `available_endpoints / configured_endpoints * 100`. |
+| `required_writers` | `usize` | Required writers based on current floor policy. |
+| `alive_writers` | `usize` | Writers currently alive. |
+| `coverage_pct` | `f64` | `alive_writers / required_writers * 100`. |
+
+#### `MeWriterStatus`
+| Field | Type | Description |
+| --- | --- | --- |
+| `writer_id` | `u64` | Runtime writer identifier. |
+| `dc` | `i16?` | DC id if mapped. |
+| `endpoint` | `string` | Endpoint (`ip:port`). |
+| `generation` | `u64` | Pool generation owning this writer. |
+| `state` | `string` | Writer state (`warm`, `active`, `draining`). |
+| `draining` | `bool` | Draining flag. |
+| `degraded` | `bool` | Degraded flag. |
+| `bound_clients` | `usize` | Number of currently bound clients. |
+| `idle_for_secs` | `u64?` | Idle age in seconds if idle. |
+| `rtt_ema_ms` | `f64?` | RTT exponential moving average. |
+
+### `DcStatusData`
+| Field | Type | Description |
+| --- | --- | --- |
+| `middle_proxy_enabled` | `bool` | `false` when minimal runtime is disabled or source unavailable. |
+| `reason` | `string?` | `feature_disabled` or `source_unavailable` when not fully available. |
+| `generated_at_epoch_secs` | `u64` | Snapshot generation time. |
+| `dcs` | `DcStatus[]` | Per-DC status rows. |
+
+#### `DcStatus`
+| Field | Type | Description |
+| --- | --- | --- |
+| `dc` | `i16` | Telegram DC id. |
+| `endpoints` | `string[]` | Endpoints in this DC (`ip:port`). |
+| `available_endpoints` | `usize` | Endpoints currently available in this DC. |
+| `available_pct` | `f64` | `available_endpoints / endpoints_total * 100`. |
+| `required_writers` | `usize` | Required writer count for this DC. |
+| `alive_writers` | `usize` | Alive writers in this DC. |
+| `coverage_pct` | `f64` | `alive_writers / required_writers * 100`. |
+| `rtt_ms` | `f64?` | Aggregated RTT for DC. |
+| `load` | `usize` | Active client sessions bound to this DC. |
+
+### `UserInfo`
+| Field | Type | Description |
+| --- | --- | --- |
+| `username` | `string` | Username. |
+| `user_ad_tag` | `string?` | Optional ad tag (32 hex chars). |
+| `max_tcp_conns` | `usize?` | Optional max concurrent TCP limit. |
+| `expiration_rfc3339` | `string?` | Optional expiration timestamp. |
+| `data_quota_bytes` | `u64?` | Optional data quota. |
+| `max_unique_ips` | `usize?` | Optional unique IP limit. |
+| `current_connections` | `u64` | Current live connections. |
+| `active_unique_ips` | `usize` | Current active unique source IPs. |
+| `total_octets` | `u64` | Total traffic octets for this user. |
+| `links` | `UserLinks` | Active connection links derived from current config. |
+
+#### `UserLinks`
+| Field | Type | Description |
+| --- | --- | --- |
+| `classic` | `string[]` | Active `tg://proxy` links for classic mode. |
+| `secure` | `string[]` | Active `tg://proxy` links for secure/DD mode. |
+| `tls` | `string[]` | Active `tg://proxy` links for EE-TLS mode (for each host+TLS domain). |
+
+Link generation uses active config and enabled modes:
+- `[general.links].public_host/public_port` have priority.
+- If `public_host` is not set, startup-detected public IPs are used (`IPv4`, `IPv6`, or both when available).
+- Fallback host sources: listener `announce`, `announce_ip`, explicit listener `ip`.
+- Legacy fallback: `listen_addr_ipv4` and `listen_addr_ipv6` when routable.
+- Startup-detected IPs are fixed for process lifetime and refreshed on restart.
+- User rows are sorted by `username` in ascending lexical order.
+
+### `CreateUserResponse`
+| Field | Type | Description |
+| --- | --- | --- |
+| `user` | `UserInfo` | Created or updated user view. |
+| `secret` | `string` | Effective user secret. |
+
+## Mutation Semantics
+
+| Endpoint | Notes |
+| --- | --- |
+| `POST /v1/users` | Creates user and validates resulting config before atomic save. |
+| `PATCH /v1/users/{username}` | Partial update of provided fields only. Missing fields remain unchanged. |
+| `POST /v1/users/{username}/rotate-secret` | Currently returns `404` in runtime route matcher; request schema is reserved for intended behavior. |
+| `DELETE /v1/users/{username}` | Deletes user and related optional settings. Last user deletion is blocked. |
+
+All mutating endpoints:
+- Respect `read_only` mode.
+- Accept optional `If-Match` for optimistic concurrency.
+- Return new `revision` after successful write.
+- Use process-local mutation lock + atomic write (`tmp + rename`) for config persistence.
+
+## Runtime State Matrix
+
+| Endpoint | `minimal_runtime_enabled=false` | `minimal_runtime_enabled=true` + source unavailable | `minimal_runtime_enabled=true` + source available |
+| --- | --- | --- | --- |
+| `/v1/stats/minimal/all` | `enabled=false`, `reason=feature_disabled`, `data=null` | `enabled=true`, `reason=source_unavailable`, fallback `data` with disabled ME blocks | `enabled=true`, `reason` omitted, full payload |
+| `/v1/stats/me-writers` | `middle_proxy_enabled=false`, `reason=feature_disabled` | `middle_proxy_enabled=false`, `reason=source_unavailable` | `middle_proxy_enabled=true`, runtime snapshot |
+| `/v1/stats/dcs` | `middle_proxy_enabled=false`, `reason=feature_disabled` | `middle_proxy_enabled=false`, `reason=source_unavailable` | `middle_proxy_enabled=true`, runtime snapshot |
+| `/v1/stats/upstreams` | `enabled=false`, `reason=feature_disabled`, `summary/upstreams` omitted, `zero` still present | `enabled=true`, `reason=source_unavailable`, `summary/upstreams` omitted, `zero` present | `enabled=true`, `reason` omitted, `summary/upstreams` present, `zero` present |
+
+`source_unavailable` conditions:
+- ME endpoints: ME pool is absent (for example direct-only mode or failed ME initialization).
+- Upstreams endpoint: non-blocking upstream snapshot lock is unavailable at request time.
+
+## Serialization Rules
+
+- Success responses always include `revision`.
+- Error responses never include `revision`; they include `request_id`.
+- Optional fields with `skip_serializing_if` are omitted when absent.
+- Nullable payload fields may still be `null` where contract uses `?` (for example `UserInfo` option fields).
+- For `/v1/stats/upstreams`, authentication details of SOCKS upstreams are intentionally omitted.
+
+## Operational Notes
+
+| Topic | Details |
+| --- | --- |
+| API startup | API listener is spawned only when `[server.api].enabled=true`. |
+| `listen` port `0` | API spawn is skipped when parsed listen port is `0` (treated as disabled bind target). |
+| Bind failure | Failed API bind logs warning and API task exits (no auto-retry loop). |
+| ME runtime status endpoints | `/v1/stats/me-writers`, `/v1/stats/dcs`, `/v1/stats/minimal/all` require `[server.api].minimal_runtime_enabled=true`; otherwise they return disabled payload with `reason=feature_disabled`. |
+| Upstream runtime endpoint | `/v1/stats/upstreams` always returns `zero`, but runtime fields (`summary`, `upstreams`) require `[server.api].minimal_runtime_enabled=true`. |
+| Restart requirements | `server.api` changes are restart-required for predictable behavior. |
+| Hot-reload nuance | A pure `server.api`-only config change may not propagate through watcher broadcast; a mixed change (with hot fields) may propagate API flags while still warning that restart is required. |
+| Runtime apply path | Successful writes are picked up by existing config watcher/hot-reload path. |
+| Exposure | Built-in TLS/mTLS is not provided. Use loopback bind + reverse proxy if needed. |
+| Pagination | User list currently has no pagination/filtering. |
+| Serialization side effect | Config comments/manual formatting are not preserved on write. |
+
+## Known Limitations (Current Release)
+
+- `POST /v1/users/{username}/rotate-secret` is currently unreachable in route matcher and returns `404`.
+- API runtime controls under `server.api` are documented as restart-required; hot-reload behavior for these fields is not strictly uniform in all change combinations.
--- a/docs/FAQ.en.md
+++ b/docs/FAQ.en.md
@@ -0,0 +1,112 @@
+## How to set up "proxy sponsor" channel and statistics via @MTProxybot bot
+
+1. Go to @MTProxybot bot.
+2. Enter the command `/newproxy`
+3. Send the server IP and port. For example: 1.2.3.4:443
+4. Open the config `nano /etc/telemt.toml`.
+5. Copy and send the user secret from the [access.users] section to the bot.
+6. Copy the tag received from the bot. For example 1234567890abcdef1234567890abcdef.
+> [!WARNING]
+> The link provided by the bot will not work. Do not copy or use it!
+7. Uncomment the ad_tag parameter and enter the tag received from the bot.
+8. Uncomment/add the parameter `use_middle_proxy = true`.
+
+Config example:
+```toml
+[general]
+ad_tag = "1234567890abcdef1234567890abcdef"
+use_middle_proxy = true
+```
+9. Save the config. Ctrl+S -> Ctrl+X.
+10. Restart telemt `systemctl restart telemt`.
+11. In the bot, send the command /myproxies and select the added server.
+12. Click the "Set promotion" button.
+13. Send a **public link** to the channel. Private channels cannot be added!
+14. Wait approximately 1 hour for the information to update on Telegram servers.
+> [!WARNING]
+> You will not see the "proxy sponsor" if you are already subscribed to the channel.
+
+**You can also set up different channels for different users.**
+```toml
+[access.user_ad_tags]
+hello = "ad_tag"
+hello2 = "ad_tag2"
+```
+
+## How many people can use 1 link
+
+By default, 1 link can be used by any number of people.  
+You can limit the number of IPs using the proxy.
+```toml
+[access.user_max_unique_ips]
+hello = 1
+```
+This parameter limits how many unique IPs can use 1 link simultaneously. If one user disconnects, a second user can connect. Also, multiple users can sit behind the same IP.
+
+## How to create multiple different links
+
+1. Generate the required number of secrets `openssl rand -hex 16`
+2. Open the config `nano /etc/telemt.toml`
+3. Add new users.
+```toml
+[access.users]
+user1 = "00000000000000000000000000000001"
+user2 = "00000000000000000000000000000002"
+user3 = "00000000000000000000000000000003"
+```
+4. Save the config. Ctrl+S -> Ctrl+X. You don't need to restart telemt.
+5. Get the links via `journalctl -u telemt -n -g "links" --no-pager -o cat | tac`
+
+## How to view metrics
+
+1. Open the config `nano /etc/telemt.toml`
+2. Add the following parameters
+```toml
+[server]
+metrics_port = 9090
+metrics_whitelist = ["127.0.0.1/32", "::1/128", "0.0.0.0/0"]
+```
+3. Save the config. Ctrl+S -> Ctrl+X.
+4. Metrics are available at SERVER_IP:9090/metrics.
+> [!WARNING]
+> "0.0.0.0/0" in metrics_whitelist opens access from any IP. Replace with your own IP. For example "1.2.3.4"
+
+## Additional parameters
+
+### Domain in link instead of IP
+To specify a domain in the links, add to the `[general.links]` section of the config file.
+```toml
+[general.links]
+public_host = "proxy.example.com"
+```
+
+### Upstream Manager
+To specify an upstream, add to the `[[upstreams]]` section of the config.toml file:
+#### Binding to IP
+```toml
+[[upstreams]]
+type = "direct"
+weight = 1
+enabled = true
+interface = "192.168.1.100" # Change to your outgoing IP
+```
+#### SOCKS4/5 as Upstream
+- Without authentication:
+```toml
+[[upstreams]]
+type = "socks5"            # Specify SOCKS4 or SOCKS5
+address = "1.2.3.4:1234"   # SOCKS-server Address
+weight = 1                 # Set Weight for Scenarios
+enabled = true
+```
+
+- With authentication:
+```toml
+[[upstreams]]
+type = "socks5"            # Specify SOCKS4 or SOCKS5
+address = "1.2.3.4:1234"   # SOCKS-server Address
+username = "user"          # Username for Auth on SOCKS-server
+password = "pass"          # Password for Auth on SOCKS-server
+weight = 1                 # Set Weight for Scenarios
+enabled = true
+```
--- a/docs/FAQ.ru.md
+++ b/docs/FAQ.ru.md
@@ -0,0 +1,112 @@
+## Как настроить канал "спонсор прокси" и статистику через бота @MTProxybot
+
+1. Зайти в бота @MTProxybot.
+2. Ввести команду `/newproxy`
+3. Отправить IP и порт сервера. Например: 1.2.3.4:443
+4. Открыть конфиг `nano /etc/telemt.toml`.
+5. Скопировать и отправить боту секрет пользователя из раздела [access.users].
+6. Скопировать полученный tag у бота. Например 1234567890abcdef1234567890abcdef.
+> [!WARNING]
+> Ссылка, которую выдает бот, не будет работать. Не копируйте и не используйте её!
+7. Раскомментировать параметр ad_tag и вписать tag, полученный у бота.
+8. Раскомментировать/добавить параметр use_middle_proxy = true.
+
+Пример конфига:
+```toml
+[general]
+ad_tag = "1234567890abcdef1234567890abcdef"
+use_middle_proxy = true
+```
+9.  Сохранить конфиг. Ctrl+S -> Ctrl+X.
+10. Перезапустить telemt `systemctl restart telemt`.
+11. В боте отправить команду /myproxies и выбрать добавленный сервер.
+12. Нажать кнопку "Set promotion".
+13. Отправить **публичную ссылку** на канал. Приватный канал добавить нельзя!
+14. Подождать примерно 1 час, пока информация обновится на серверах Telegram.
+> [!WARNING]
+> У вас не будет отображаться "спонсор прокси" если вы уже подписаны на канал.
+
+**Также вы можете настроить разные каналы для разных пользователей.**
+```toml
+[access.user_ad_tags]
+hello = "ad_tag"
+hello2 = "ad_tag2"
+```
+
+## Сколько человек может пользоваться 1 ссылкой
+
+По умолчанию 1 ссылкой может пользоваться сколько угодно человек.  
+Вы можете ограничить число IP, использующих прокси.
+```toml
+[access.user_max_unique_ips]
+hello = 1
+```
+Этот параметр ограничивает, сколько уникальных IP может использовать 1 ссылку одновременно. Если один пользователь отключится, второй сможет подключиться. Также с одного IP может сидеть несколько пользователей.
+
+## Как сделать несколько разных ссылок
+
+1. Сгенерируйте нужное число секретов `openssl rand -hex 16`
+2. Открыть конфиг `nano /etc/telemt.toml`
+3. Добавить новых пользователей.
+```toml
+[access.users]
+user1 = "00000000000000000000000000000001"
+user2 = "00000000000000000000000000000002"
+user3 = "00000000000000000000000000000003"
+```
+4. Сохранить конфиг. Ctrl+S -> Ctrl+X. Перезапускать telemt не нужно.
+5. Получить ссылки через `journalctl -u telemt -n -g "links" --no-pager -o cat | tac`
+
+## Как посмотреть метрики
+
+1. Открыть конфиг `nano /etc/telemt.toml`
+2. Добавить следующие параметры
+```toml
+[server]
+metrics_port = 9090
+metrics_whitelist = ["127.0.0.1/32", "::1/128", "0.0.0.0/0"]
+```
+3. Сохранить конфиг. Ctrl+S -> Ctrl+X.
+4. Метрики доступны по адресу SERVER_IP:9090/metrics. 
+> [!WARNING]
+> "0.0.0.0/0" в metrics_whitelist открывает доступ с любого IP. Замените на свой ip. Например "1.2.3.4"
+
+## Дополнительные параметры
+
+### Домен в ссылке вместо IP
+Чтобы указать домен в ссылках, добавьте в секцию `[general.links]` файла config.
+```toml
+[general.links]
+public_host = "proxy.example.com"
+```
+
+### Upstream Manager
+Чтобы указать апстрим, добавьте в секцию `[[upstreams]]` файла config.toml:
+#### Привязка к IP
+```toml
+[[upstreams]]
+type = "direct"
+weight = 1
+enabled = true
+interface = "192.168.1.100" # Change to your outgoing IP
+```
+#### SOCKS4/5 как Upstream
+- Без авторизации:
+```toml
+[[upstreams]]
+type = "socks5"            # Specify SOCKS4 or SOCKS5
+address = "1.2.3.4:1234"   # SOCKS-server Address
+weight = 1                 # Set Weight for Scenarios
+enabled = true
+```
+
+- С авторизацией:
+```toml
+[[upstreams]]
+type = "socks5"            # Specify SOCKS4 or SOCKS5
+address = "1.2.3.4:1234"   # SOCKS-server Address
+username = "user"          # Username for Auth on SOCKS-server
+password = "pass"          # Password for Auth on SOCKS-server
+weight = 1                 # Set Weight for Scenarios
+enabled = true
+```
--- a/docs/MIDDLE-END-KDF.de.md
+++ b/docs/MIDDLE-END-KDF.de.md
@@ -0,0 +1,40 @@
+# Middle-End Proxy
+
+## KDF-Adressierung — Implementierungs-FAQ
+
+### Benötigt die C-Referenzimplementierung sowohl externe IP-Adresse als auch Port für die KDF?
+
+Ja.
+
+In der C-Referenzimplementierung werden **sowohl IP-Adresse als auch Port in die KDF einbezogen** — auf beiden Seiten der Verbindung.
+
+In `aes_create_keys()` enthält der KDF-Input:
+
+- `server_ip + client_port`
+- `client_ip + server_port`
+- sowie Secret / Nonces
+
+Für IPv6:
+
+- IPv4-Felder werden auf 0 gesetzt
+- IPv6-Adressen werden ergänzt
+
+Die **Ports bleiben weiterhin Bestandteil der KDF**.
+
+> Wenn sich externe IP oder Port (z. B. durch NAT, SOCKS oder Proxy) von den erwarteten Werten unterscheiden, entstehen unterschiedliche Schlüssel — der Handshake schlägt fehl.
+
+---
+
+### Kann der Port aus der KDF ausgeschlossen werden (z. B. durch Port = 0)?
+
+**Nein!**
+
+Die C-Referenzimplementierung enthält **keine Möglichkeit, den Port zu ignorieren**:
+- `client_port` und `server_port` sind fester Bestandteil der KDF
+- Es werden immer reale Socket-Ports übergeben:
+  - `c->our_port`
+  - `c->remote_port`
+
+Falls ein Port den Wert `0` hat, wird er dennoch als `0` in die KDF übernommen.
+
+Eine „Port-Ignore“-Logik existiert nicht.
--- a/docs/MIDDLE-END-KDF.en.md
+++ b/docs/MIDDLE-END-KDF.en.md
@@ -0,0 +1,41 @@
+# Middle-End Proxy
+
+## KDF Addressing — Implementation FAQ
+
+### Does the C-implementation require both external IP address and port for the KDF?
+
+**Yes!**
+
+In the C reference implementation, **both IP address and port are included in the KDF input** from both sides of the connection.
+
+Inside `aes_create_keys()`, the KDF input explicitly contains:
+
+- `server_ip + client_port`
+- `client_ip + server_port`
+- followed by shared secret / nonces
+
+For IPv6:
+
+- IPv4 fields are zeroed
+- IPv6 addresses are inserted
+
+However, **client_port and server_port remain part of the KDF regardless of IP version**.
+
+> If externally observed IP or port (e.g. due to NAT, SOCKS, or proxy traversal) differs from what the peer expects, the derived keys will not match and the handshake will fail.
+
+---
+
+### Can port be excluded from KDF (e.g. by using port = 0)?
+
+**No!**
+
+The C-implementation provides **no mechanism to ignore the port**:
+
+- `client_port` and `server_port` are explicitly included in the KDF input
+- Real socket ports are always passed:
+  - `c->our_port`
+  - `c->remote_port`
+
+If a port is `0`, it is still incorporated into the KDF as `0`.
+
+There is **no conditional logic to exclude ports**
--- a/docs/MIDDLE-END-KDF.ru.md
+++ b/docs/MIDDLE-END-KDF.ru.md
@@ -0,0 +1,41 @@
+# Middle-End Proxy
+
+## KDF Addressing — FAQ по реализации
+
+### Требует ли C-референсная реализация KDF внешний IP и порт?
+
+**Да**
+
+В C-референсе **в KDF участвуют и IP-адрес, и порт** — с обеих сторон соединения.
+
+В `aes_create_keys()` в строку KDF входят:
+
+- `server_ip + client_port`
+- `client_ip + server_port`
+- далее secret / nonces
+
+Для IPv6:
+
+- IPv4-поля заполняются нулями
+- добавляются IPv6-адреса
+
+Однако **порты client_port и server_port всё равно участвуют в KDF**.
+
+> Если внешний IP или порт (например, из-за NAT, SOCKS или прокси) не совпадает с ожидаемым другой стороной — ключи расходятся и handshake ломается.
+
+---
+
+### Можно ли исключить порт из KDF (например, установив порт = 0)?
+
+**Нет.**
+
+В C-референсе **нет механики отключения порта**.
+
+- `client_port` и `server_port` явно включены в KDF
+- Передаются реальные порты сокета:
+  - `c->our_port`
+  - `c->remote_port`
+
+Если порт равен `0`, он всё равно попадёт в KDF как `0`.
+
+Отдельной логики «игнорировать порт» не предусмотрено.
--- a/docs/QUICK_START_GUIDE.en.md
+++ b/docs/QUICK_START_GUIDE.en.md
@@ -0,0 +1,165 @@
+# Telemt via Systemd
+
+## Installation
+
+This software is designed for Debian-based OS: in addition to Debian, these are Ubuntu, Mint, Kali, MX and many other Linux
+
+**1. Download**
+```bash
+wget -qO- "https://github.com/telemt/telemt/releases/latest/download/telemt-$(uname -m)-linux-$(ldd --version 2>&1 | grep -iq musl && echo musl || echo gnu).tar.gz" | tar -xz
+```
+**2. Move to the Bin folder**
+```bash
+mv telemt /bin
+```
+**3. Make the file executable**
+```bash
+chmod +x /bin/telemt
+```
+
+## How to use?
+
+**This guide "assumes" that you:**
+- logged in as root or executed `su -` / `sudo su`
+- Already have the "telemt" executable file in the /bin folder. Read the **[Installation](#Installation)** section.
+
+---
+
+**0. Check port and generate secrets**
+
+The port you have selected for use should be MISSING from the list, when:
+```bash
+netstat -lnp
+```
+
+Generate 16 bytes/32 characters HEX with OpenSSL or another way:
+```bash
+openssl rand -hex 16
+```
+OR
+```bash
+xxd -l 16 -p /dev/urandom
+```
+OR
+```bash
+python3 -c 'import os; print(os.urandom(16).hex())'
+```
+Save the obtained result somewhere. You will need it later!
+
+---
+
+**1. Place your config to /etc/telemt.toml**
+
+Open nano
+```bash
+nano /etc/telemt.toml
+```
+paste your config
+
+```toml
+# === General Settings ===
+[general]
+# ad_tag = "00000000000000000000000000000000"
+use_middle_proxy = false
+
+[general.modes]
+classic = false
+secure = false
+tls = true
+
+[server.api]
+enabled = true
+# listen = "127.0.0.1:9091"
+# whitelist = ["127.0.0.1/32"]
+# read_only = true
+
+# === Anti-Censorship & Masking ===
+[censorship]
+tls_domain = "petrovich.ru"
+
+[access.users]
+# format: "username" = "32_hex_chars_secret"
+hello = "00000000000000000000000000000000"
+```
+
+then Ctrl+S -> Ctrl+X to save
+
+> [!WARNING]
+> Replace the value of the hello parameter with the value you obtained in step 0. 
+> Replace the value of the tls_domain parameter with another website.
+
+---
+
+**2. Create service on /etc/systemd/system/telemt.service**
+
+Open nano
+```bash
+nano /etc/systemd/system/telemt.service
+```
+
+paste this Systemd Module
+```bash
+[Unit]
+Description=Telemt
+After=network.target
+
+[Service]
+Type=simple
+WorkingDirectory=/bin
+ExecStart=/bin/telemt /etc/telemt.toml
+Restart=on-failure
+LimitNOFILE=65536
+
+[Install]
+WantedBy=multi-user.target
+```
+then Ctrl+S -> Ctrl+X to save
+
+
+**3.** To start it, enter the command `systemctl start telemt`
+
+**4.** To get status information, enter `systemctl status telemt`
+
+**5.** For automatic startup at system boot, enter `systemctl enable telemt`
+
+**6.** To get the link(s), enter
+```bash
+curl -s http://127.0.0.1:9091/v1/users | jq
+```
+
+> Any number of people can use one link.
+
+---
+
+# Telemt via Docker Compose
+
+**1. Edit `config.toml` in repo root (at least: port, users secrets, tls_domain)**  
+**2. Start container:**
+```bash
+docker compose up -d --build
+```
+**3. Check logs:**
+```bash
+docker compose logs -f telemt
+```
+**4. Stop:**
+```bash
+docker compose down
+```
+> [!NOTE]
+> - `docker-compose.yml` maps `./config.toml` to `/app/config.toml` (read-only)
+> - By default it publishes `443:443` and runs with dropped capabilities (only `NET_BIND_SERVICE` is added)
+> - If you really need host networking (usually only for some IPv6 setups) uncomment `network_mode: host`
+
+**Run without Compose**
+```bash
+docker build -t telemt:local .
+docker run --name telemt --restart unless-stopped \
+  -p 443:443 \
+  -e RUST_LOG=info \
+  -v "$PWD/config.toml:/app/config.toml:ro" \
+  --read-only \
+  --cap-drop ALL --cap-add NET_BIND_SERVICE \
+  --ulimit nofile=65536:65536 \
+  telemt:local
+```
--- a/docs/QUICK_START_GUIDE.ru.md
+++ b/docs/QUICK_START_GUIDE.ru.md
@@ -0,0 +1,167 @@
+# Telemt через Systemd
+
+## Установка
+
+Это программное обеспечение разработано для ОС на базе Debian: помимо Debian, это Ubuntu, Mint, Kali, MX и многие другие Linux
+
+**1. Скачать**
+```bash
+wget -qO- "https://github.com/telemt/telemt/releases/latest/download/telemt-$(uname -m)-linux-$(ldd --version 2>&1 | grep -iq musl && echo musl || echo gnu).tar.gz" | tar -xz
+```
+**2. Переместить в папку Bin**
+```bash
+mv telemt /bin
+```
+**3. Сделать файл исполняемым**
+```bash
+chmod +x /bin/telemt
+```
+
+## Как правильно использовать?
+
+**Эта инструкция "предполагает", что вы:**
+- Авторизовались как пользователь root или выполнил `su -` / `sudo su`
+- У вас уже есть исполняемый файл "telemt" в папке /bin. Читайте раздел **[Установка](#установка)**
+
+---
+
+**0. Проверьте порт и сгенерируйте секреты**
+
+Порт, который вы выбрали для использования, должен отсутствовать в списке:
+```bash
+netstat -lnp
+```
+
+Сгенерируйте 16 bytes/32 символа в шестнадцатеричном формате с помощью OpenSSL или другим способом:
+```bash
+openssl rand -hex 16
+```
+ИЛИ
+```bash
+xxd -l 16 -p /dev/urandom
+```
+ИЛИ
+```bash
+python3 -c 'import os; print(os.urandom(16).hex())'
+```
+Полученный результат сохраняем где-нибудь. Он понадобиться вам дальше!
+
+---
+
+**1. Поместите свою конфигурацию в файл /etc/telemt.toml**
+
+Открываем nano
+```bash
+nano /etc/telemt.toml
+```
+Вставьте свою конфигурацию
+
+```toml
+# === General Settings ===
+[general]
+# ad_tag = "00000000000000000000000000000000"
+use_middle_proxy = false
+
+[general.modes]
+classic = false
+secure = false
+tls = true
+
+[server.api]
+enabled = true
+# listen = "127.0.0.1:9091"
+# whitelist = ["127.0.0.1/32"]
+# read_only = true
+
+# === Anti-Censorship & Masking ===
+[censorship]
+tls_domain = "petrovich.ru"
+
+[access.users]
+# format: "username" = "32_hex_chars_secret"
+hello = "00000000000000000000000000000000"
+```
+
+Затем нажмите Ctrl+S -> Ctrl+X, чтобы сохранить
+
+> [!WARNING]
+> Замените значение параметра hello на значение, которое вы получили в пункте 0.  
+> Так же замените значение параметра tls_domain на другой сайт.
+
+---
+
+**2. Создайте службу в /etc/systemd/system/telemt.service**
+
+Открываем nano
+```bash
+nano /etc/systemd/system/telemt.service
+```
+
+Вставьте этот модуль Systemd
+```bash
+[Unit]
+Description=Telemt
+After=network.target
+
+[Service]
+Type=simple
+WorkingDirectory=/bin
+ExecStart=/bin/telemt /etc/telemt.toml
+Restart=on-failure
+LimitNOFILE=65536
+
+[Install]
+WantedBy=multi-user.target
+```
+Затем нажмите Ctrl+S -> Ctrl+X, чтобы сохранить
+
+
+**3.** Для запуска введите команду `systemctl start telemt`
+
+**4.** Для получения информации о статусе введите `systemctl status telemt`
+
+**5.** Для автоматического запуска при запуске системы в введите `systemctl enable telemt`
+
+**6.** Для получения ссылки/ссылок введите 
+```bash
+curl -s http://127.0.0.1:9091/v1/users | jq
+```
+> Одной ссылкой может пользоваться сколько угодно человек.
+
+> [!WARNING]
+> Рабочую ссылку может выдать только команда из 6 пункта. Не пытайтесь делать ее самостоятельно или копировать откуда-либо если вы не уверены в том, что делаете!
+
+---
+
+# Telemt через Docker Compose
+
+**1. Отредактируйте `config.toml` в корневом каталоге репозитория (как минимум: порт, пользовательские секреты, tls_domain)**  
+**2. Запустите контейнер:**
+```bash
+docker compose up -d --build
+```
+**3. Проверьте логи:**
+```bash
+docker compose logs -f telemt
+```
+**4. Остановите контейнер:**
+```bash
+docker compose down
+```
+> [!NOTE]
+> - В `docker-compose.yml` файл `./config.toml` монтируется в `/app/config.toml` (доступно только для чтения)  
+> - По умолчанию публикуются порты 443:443, а контейнер запускается со сброшенными привилегиями (добавлена только `NET_BIND_SERVICE`)  
+> - Если вам действительно нужна сеть хоста (обычно это требуется только для некоторых конфигураций IPv6), раскомментируйте `network_mode: host`
+
+**Запуск в Docker Compose**
+```bash
+docker build -t telemt:local .
+docker run --name telemt --restart unless-stopped \
+  -p 443:443 \
+  -e RUST_LOG=info \
+  -v "$PWD/config.toml:/app/config.toml:ro" \
+  --read-only \
+  --cap-drop ALL --cap-add NET_BIND_SERVICE \
+  --ulimit nofile=65536:65536 \
+  telemt:local
+```
--- a/docs/TUNING.de.md
+++ b/docs/TUNING.de.md
@@ -0,0 +1,219 @@
+# Telemt Tuning-Leitfaden: Middle-End und Upstreams
+
+Dieses Dokument beschreibt das aktuelle Laufzeitverhalten für Middle-End (ME) und Upstream-Routing basierend auf:
+- `src/config/types.rs`
+- `src/config/defaults.rs`
+- `src/config/load.rs`
+- `src/transport/upstream.rs`
+
+Die unten angegebenen `Default`-Werte sind Code-Defaults (bei fehlendem Schlüssel), nicht zwingend die Werte aus `config.full.toml`.
+
+## Middle-End-Parameter
+
+### 1) ME-Grundmodus, NAT und STUN
+
+| Parameter | Typ | Default | Einschränkungen / Validierung | Laufzeiteffekt | Beispiel |
+|---|---|---:|---|---|---|
+| `general.use_middle_proxy` | `bool` | `true` | keine | Aktiviert den ME-Transportmodus. Bei `false` wird Direct-Modus verwendet. | `use_middle_proxy = true` |
+| `general.proxy_secret_path` | `Option<String>` | `"proxy-secret"` | Pfad kann `null` sein | Pfad zur Telegram-Infrastrukturdatei `proxy-secret`. | `proxy_secret_path = "proxy-secret"` |
+| `general.middle_proxy_nat_ip` | `Option<IpAddr>` | `null` | gültige IP bei gesetztem Wert | Manueller Override der öffentlichen NAT-IP für ME-Adressmaterial. | `middle_proxy_nat_ip = "203.0.113.10"` |
+| `general.middle_proxy_nat_probe` | `bool` | `true` | wird auf `true` erzwungen, wenn `use_middle_proxy=true` | Aktiviert NAT-Probing für ME. | `middle_proxy_nat_probe = true` |
+| `general.stun_nat_probe_concurrency` | `usize` | `8` | muss `> 0` sein | Maximale parallele STUN-Probes während NAT-Erkennung. | `stun_nat_probe_concurrency = 16` |
+| `network.stun_use` | `bool` | `true` | keine | Globaler STUN-Schalter. Bei `false` wird STUN deaktiviert. | `stun_use = true` |
+| `network.stun_servers` | `Vec<String>` | integrierter öffentlicher Pool | Duplikate/leer werden entfernt | Primäre STUN-Serverliste für NAT/Public-Endpoint-Erkennung. | `stun_servers = ["stun1.l.google.com:19302"]` |
+| `network.stun_tcp_fallback` | `bool` | `true` | keine | Aktiviert TCP-Fallback, wenn UDP-STUN blockiert ist. | `stun_tcp_fallback = true` |
+| `network.http_ip_detect_urls` | `Vec<String>` | `ifconfig.me` + `api.ipify.org` | keine | HTTP-Fallback zur öffentlichen IPv4-Erkennung, falls STUN ausfällt. | `http_ip_detect_urls = ["https://api.ipify.org"]` |
+| `general.stun_iface_mismatch_ignore` | `bool` | `false` | keine | Reserviertes Feld in der aktuellen Revision (derzeit kein aktiver Runtime-Verbrauch). | `stun_iface_mismatch_ignore = false` |
+| `timeouts.me_one_retry` | `u8` | `12` | keine | Anzahl schneller Reconnect-Versuche bei Single-Endpoint-DC-Fällen. | `me_one_retry = 6` |
+| `timeouts.me_one_timeout_ms` | `u64` | `1200` | keine | Timeout pro schnellem Einzelversuch (ms). | `me_one_timeout_ms = 1500` |
+
+### 2) Poolgröße, Keepalive und Reconnect-Policy
+
+| Parameter | Typ | Default | Einschränkungen / Validierung | Laufzeiteffekt | Beispiel |
+|---|---|---:|---|---|---|
+| `general.middle_proxy_pool_size` | `usize` | `8` | keine | Zielgröße des aktiven ME-Writer-Pools. | `middle_proxy_pool_size = 12` |
+| `general.middle_proxy_warm_standby` | `usize` | `16` | keine | Reserviertes Kompatibilitätsfeld in der aktuellen Revision (kein aktiver Runtime-Consumer). | `middle_proxy_warm_standby = 16` |
+| `general.me_keepalive_enabled` | `bool` | `true` | keine | Aktiviert periodischen ME-Keepalive/Ping-Traffic. | `me_keepalive_enabled = true` |
+| `general.me_keepalive_interval_secs` | `u64` | `25` | keine | Basisintervall für Keepalive (Sekunden). | `me_keepalive_interval_secs = 20` |
+| `general.me_keepalive_jitter_secs` | `u64` | `5` | keine | Keepalive-Jitter zur Vermeidung synchroner Peaks. | `me_keepalive_jitter_secs = 3` |
+| `general.me_keepalive_payload_random` | `bool` | `true` | keine | Randomisiert Keepalive-Payload-Bytes. | `me_keepalive_payload_random = true` |
+| `general.me_warmup_stagger_enabled` | `bool` | `true` | keine | Aktiviert gestaffeltes Warmup zusätzlicher ME-Verbindungen. | `me_warmup_stagger_enabled = true` |
+| `general.me_warmup_step_delay_ms` | `u64` | `500` | keine | Basisverzögerung zwischen Warmup-Schritten (ms). | `me_warmup_step_delay_ms = 300` |
+| `general.me_warmup_step_jitter_ms` | `u64` | `300` | keine | Zusätzlicher zufälliger Warmup-Jitter (ms). | `me_warmup_step_jitter_ms = 200` |
+| `general.me_reconnect_max_concurrent_per_dc` | `u32` | `8` | keine | Begrenzung paralleler Reconnect-Worker pro DC. | `me_reconnect_max_concurrent_per_dc = 12` |
+| `general.me_reconnect_backoff_base_ms` | `u64` | `500` | keine | Initiales Reconnect-Backoff (ms). | `me_reconnect_backoff_base_ms = 250` |
+| `general.me_reconnect_backoff_cap_ms` | `u64` | `30000` | keine | Maximales Reconnect-Backoff (ms). | `me_reconnect_backoff_cap_ms = 10000` |
+| `general.me_reconnect_fast_retry_count` | `u32` | `16` | keine | Budget für Sofort-Retries vor längerem Backoff. | `me_reconnect_fast_retry_count = 8` |
+
+### 3) Reinit/Hardswap, Secret-Rotation und Degradation
+
+| Parameter | Typ | Default | Einschränkungen / Validierung | Laufzeiteffekt | Beispiel |
+|---|---|---:|---|---|---|
+| `general.hardswap` | `bool` | `true` | keine | Aktiviert generation-basierte Hardswap-Strategie für den ME-Pool. | `hardswap = true` |
+| `general.me_reinit_every_secs` | `u64` | `900` | muss `> 0` sein | Intervall für periodische ME-Reinitialisierung. | `me_reinit_every_secs = 600` |
+| `general.me_hardswap_warmup_delay_min_ms` | `u64` | `1000` | muss `<= me_hardswap_warmup_delay_max_ms` sein | Untere Grenze für Warmup-Dial-Abstände. | `me_hardswap_warmup_delay_min_ms = 500` |
+| `general.me_hardswap_warmup_delay_max_ms` | `u64` | `2000` | muss `> 0` sein | Obere Grenze für Warmup-Dial-Abstände. | `me_hardswap_warmup_delay_max_ms = 1200` |
+| `general.me_hardswap_warmup_extra_passes` | `u8` | `3` | Bereich `[0,10]` | Zusätzliche Warmup-Pässe nach dem Basispass. | `me_hardswap_warmup_extra_passes = 2` |
+| `general.me_hardswap_warmup_pass_backoff_base_ms` | `u64` | `500` | muss `> 0` sein | Basis-Backoff zwischen zusätzlichen Warmup-Pässen. | `me_hardswap_warmup_pass_backoff_base_ms = 400` |
+| `general.me_config_stable_snapshots` | `u8` | `2` | muss `> 0` sein | Anzahl identischer ME-Config-Snapshots vor Apply. | `me_config_stable_snapshots = 3` |
+| `general.me_config_apply_cooldown_secs` | `u64` | `300` | keine | Cooldown zwischen angewendeten ME-Map-Updates. | `me_config_apply_cooldown_secs = 120` |
+| `general.proxy_secret_stable_snapshots` | `u8` | `2` | muss `> 0` sein | Anzahl identischer Secret-Snapshots vor Rotation. | `proxy_secret_stable_snapshots = 3` |
+| `general.proxy_secret_rotate_runtime` | `bool` | `true` | keine | Aktiviert Runtime-Rotation des Proxy-Secrets. | `proxy_secret_rotate_runtime = true` |
+| `general.proxy_secret_len_max` | `usize` | `256` | Bereich `[32,4096]` | Obergrenze für akzeptierte Secret-Länge. | `proxy_secret_len_max = 512` |
+| `general.update_every` | `Option<u64>` | `300` | wenn gesetzt: `> 0`; bei `null`: Legacy-Min-Fallback | Einheitliches Refresh-Intervall für ME-Config + Secret-Updater. | `update_every = 300` |
+| `general.me_pool_drain_ttl_secs` | `u64` | `90` | keine | Zeitraum, in dem stale Writer noch als Fallback zulässig sind. | `me_pool_drain_ttl_secs = 120` |
+| `general.me_pool_min_fresh_ratio` | `f32` | `0.8` | Bereich `[0.0,1.0]` | Coverage-Schwelle vor Drain der alten Generation. | `me_pool_min_fresh_ratio = 0.9` |
+| `general.me_reinit_drain_timeout_secs` | `u64` | `120` | `0` = kein Force-Close; wenn `>0 && < TTL`, dann auf TTL angehoben | Force-Close-Timeout für draining stale Writer. | `me_reinit_drain_timeout_secs = 0` |
+| `general.auto_degradation_enabled` | `bool` | `true` | keine | Reserviertes Kompatibilitätsfeld in aktueller Revision (kein aktiver Runtime-Consumer). | `auto_degradation_enabled = true` |
+| `general.degradation_min_unavailable_dc_groups` | `u8` | `2` | keine | Reservierter Kompatibilitäts-Schwellenwert in aktueller Revision (kein aktiver Runtime-Consumer). | `degradation_min_unavailable_dc_groups = 2` |
+
+## Deprecated / Legacy Parameter
+
+| Parameter | Status | Ersatz | Aktuelles Verhalten | Migrationshinweis |
+|---|---|---|---|---|
+| `general.middle_proxy_nat_stun` | Deprecated | `network.stun_servers` | Wird nur dann in `network.stun_servers` gemerged, wenn `network.stun_servers` nicht explizit gesetzt ist. | Wert nach `network.stun_servers` verschieben, Legacy-Key entfernen. |
+| `general.middle_proxy_nat_stun_servers` | Deprecated | `network.stun_servers` | Wird nur dann in `network.stun_servers` gemerged, wenn `network.stun_servers` nicht explizit gesetzt ist. | Werte nach `network.stun_servers` verschieben, Legacy-Key entfernen. |
+| `general.proxy_secret_auto_reload_secs` | Deprecated | `general.update_every` | Nur aktiv, wenn `update_every = null` (Legacy-Fallback). | `general.update_every` explizit setzen, Legacy-Key entfernen. |
+| `general.proxy_config_auto_reload_secs` | Deprecated | `general.update_every` | Nur aktiv, wenn `update_every = null` (Legacy-Fallback). | `general.update_every` explizit setzen, Legacy-Key entfernen. |
+
+## Wie Upstreams konfiguriert werden
+
+### Upstream-Schema
+
+| Feld | Gilt für | Typ | Pflicht | Default | Bedeutung |
+|---|---|---|---|---|---|
+| `[[upstreams]].type` | alle Upstreams | `"direct" \| "socks4" \| "socks5"` | ja | n/a | Upstream-Transporttyp. |
+| `[[upstreams]].weight` | alle Upstreams | `u16` | nein | `1` | Basisgewicht für weighted-random Auswahl. |
+| `[[upstreams]].enabled` | alle Upstreams | `bool` | nein | `true` | Deaktivierte Einträge werden beim Start ignoriert. |
+| `[[upstreams]].scopes` | alle Upstreams | `String` | nein | `""` | Komma-separierte Scope-Tags für Request-Routing. |
+| `interface` | `direct` | `Option<String>` | nein | `null` | Interface-Name (z. B. `eth0`) oder lokale Literal-IP. |
+| `bind_addresses` | `direct` | `Option<Vec<IpAddr>>` | nein | `null` | Explizite Source-IP-Kandidaten (strikter Vorrang vor `interface`). |
+| `address` | `socks4` | `String` | ja | n/a | SOCKS4-Server (`ip:port` oder `host:port`). |
+| `interface` | `socks4` | `Option<String>` | nein | `null` | Wird nur genutzt, wenn `address` als `ip:port` angegeben ist. |
+| `user_id` | `socks4` | `Option<String>` | nein | `null` | SOCKS4 User-ID für CONNECT. |
+| `address` | `socks5` | `String` | ja | n/a | SOCKS5-Server (`ip:port` oder `host:port`). |
+| `interface` | `socks5` | `Option<String>` | nein | `null` | Wird nur genutzt, wenn `address` als `ip:port` angegeben ist. |
+| `username` | `socks5` | `Option<String>` | nein | `null` | SOCKS5 Benutzername. |
+| `password` | `socks5` | `Option<String>` | nein | `null` | SOCKS5 Passwort. |
+
+### Runtime-Regeln (wichtig)
+
+1. Wenn `[[upstreams]]` fehlt, injiziert der Loader einen Default-`direct`-Upstream.
+2. Scope-Filterung basiert auf exaktem Token-Match:
+- mit Request-Scope -> nur Einträge, deren `scopes` genau dieses Token enthält;
+- ohne Request-Scope -> nur Einträge mit leerem `scopes`.
+3. Unter healthy Upstreams erfolgt die Auswahl per weighted random: `weight * latency_factor`.
+4. Gibt es im gefilterten Set keinen healthy Upstream, wird zufällig aus dem gefilterten Set gewählt.
+5. `direct`-Bind-Auflösung:
+- zuerst `bind_addresses` (nur gleiche IP-Familie wie Target);
+- bei `interface` (Name) + `bind_addresses` wird jede Candidate-IP gegen Interface-Adressen validiert;
+- ungültige Kandidaten werden mit `WARN` verworfen;
+- bleiben keine gültigen Kandidaten übrig, erfolgt unbound direct connect (`bind_ip=None`);
+- wenn `bind_addresses` nicht passt, wird `interface` verwendet (Literal-IP oder Interface-Primäradresse).
+6. Für `socks4/socks5` mit Hostname-`address` ist Interface-Binding nicht unterstützt und wird mit Warnung ignoriert.
+7. Runtime DNS Overrides werden für Hostname-Auflösung bei Upstream-Verbindungen genutzt.
+8. Im ME-Modus wird der gewählte Upstream auch für den ME-TCP-Dial-Pfad verwendet.
+9. Im ME-Modus ist bei `direct` mit bind/interface die STUN-Reflection bind-aware für KDF-Adressmaterial.
+10. Im ME-Modus werden bei SOCKS-Upstream `BND.ADDR/BND.PORT` für KDF verwendet, wenn gültig/öffentlich und gleiche IP-Familie.
+
+## Upstream-Konfigurationsbeispiele
+
+### Beispiel 1: Minimaler direct Upstream
+
+```toml
+[[upstreams]]
+type = "direct"
+weight = 1
+enabled = true
+```
+
+### Beispiel 2: direct mit Interface + expliziten bind IPs
+
+```toml
+[[upstreams]]
+type = "direct"
+interface = "eth0"
+bind_addresses = ["192.168.1.100", "192.168.1.101"]
+weight = 3
+enabled = true
+```
+
+### Beispiel 3: SOCKS5 Upstream mit Authentifizierung
+
+```toml
+[[upstreams]]
+type = "socks5"
+address = "198.51.100.30:1080"
+username = "proxy-user"
+password = "proxy-pass"
+weight = 2
+enabled = true
+```
+
+### Beispiel 4: Gemischte Upstreams mit Scopes
+
+```toml
+[[upstreams]]
+type = "direct"
+weight = 5
+enabled = true
+scopes = ""
+
+[[upstreams]]
+type = "socks5"
+address = "203.0.113.40:1080"
+username = "edge"
+password = "edgepass"
+weight = 3
+enabled = true
+scopes = "premium,me"
+```
+
+### Beispiel 5: ME-orientiertes Tuning-Profil
+
+```toml
+[general]
+use_middle_proxy = true
+proxy_secret_path = "proxy-secret"
+middle_proxy_nat_probe = true
+stun_nat_probe_concurrency = 16
+middle_proxy_pool_size = 12
+me_keepalive_enabled = true
+me_keepalive_interval_secs = 20
+me_keepalive_jitter_secs = 4
+me_reconnect_max_concurrent_per_dc = 12
+me_reconnect_backoff_base_ms = 300
+me_reconnect_backoff_cap_ms = 10000
+me_reconnect_fast_retry_count = 10
+hardswap = true
+me_reinit_every_secs = 600
+me_hardswap_warmup_delay_min_ms = 500
+me_hardswap_warmup_delay_max_ms = 1200
+me_hardswap_warmup_extra_passes = 2
+me_hardswap_warmup_pass_backoff_base_ms = 400
+me_config_stable_snapshots = 3
+me_config_apply_cooldown_secs = 120
+proxy_secret_stable_snapshots = 3
+proxy_secret_rotate_runtime = true
+proxy_secret_len_max = 512
+update_every = 300
+me_pool_drain_ttl_secs = 120
+me_pool_min_fresh_ratio = 0.9
+me_reinit_drain_timeout_secs = 180
+
+[timeouts]
+me_one_retry = 8
+me_one_timeout_ms = 1200
+
+[network]
+stun_use = true
+stun_tcp_fallback = true
+stun_servers = [
+  "stun1.l.google.com:19302",
+  "stun2.l.google.com:19302"
+]
+http_ip_detect_urls = [
+  "https://api.ipify.org",
+  "https://ifconfig.me/ip"
+]
+```
--- a/docs/TUNING.en.md
+++ b/docs/TUNING.en.md
@@ -0,0 +1,219 @@
+# Telemt Tuning Guide: Middle-End and Upstreams
+
+This document describes the current runtime behavior for Middle-End (ME) and upstream routing based on:
+- `src/config/types.rs`
+- `src/config/defaults.rs`
+- `src/config/load.rs`
+- `src/transport/upstream.rs`
+
+Defaults below are code defaults (used when a key is omitted), not necessarily values from `config.full.toml` examples.
+
+## Middle-End Parameters
+
+### 1) Core ME mode, NAT, and STUN
+
+| Parameter | Type | Default | Constraints / validation | Runtime effect | Example |
+|---|---|---:|---|---|---|
+| `general.use_middle_proxy` | `bool` | `true` | none | Enables ME transport mode. If `false`, Direct mode is used. | `use_middle_proxy = true` |
+| `general.proxy_secret_path` | `Option<String>` | `"proxy-secret"` | path may be `null` | Path to Telegram infrastructure proxy-secret file. | `proxy_secret_path = "proxy-secret"` |
+| `general.middle_proxy_nat_ip` | `Option<IpAddr>` | `null` | valid IP when set | Manual public NAT IP override for ME address material. | `middle_proxy_nat_ip = "203.0.113.10"` |
+| `general.middle_proxy_nat_probe` | `bool` | `true` | auto-forced to `true` when `use_middle_proxy=true` | Enables ME NAT probing. | `middle_proxy_nat_probe = true` |
+| `general.stun_nat_probe_concurrency` | `usize` | `8` | must be `> 0` | Max parallel STUN probes during NAT discovery. | `stun_nat_probe_concurrency = 16` |
+| `network.stun_use` | `bool` | `true` | none | Global STUN switch. If `false`, STUN probing is disabled. | `stun_use = true` |
+| `network.stun_servers` | `Vec<String>` | built-in public pool | deduplicated + empty values removed | Primary STUN server list for NAT/public endpoint discovery. | `stun_servers = ["stun1.l.google.com:19302"]` |
+| `network.stun_tcp_fallback` | `bool` | `true` | none | Enables TCP fallback path when UDP STUN is blocked. | `stun_tcp_fallback = true` |
+| `network.http_ip_detect_urls` | `Vec<String>` | `ifconfig.me` + `api.ipify.org` | none | HTTP fallback for public IPv4 detection if STUN is unavailable. | `http_ip_detect_urls = ["https://api.ipify.org"]` |
+| `general.stun_iface_mismatch_ignore` | `bool` | `false` | none | Reserved flag in current revision (not consumed by runtime path). | `stun_iface_mismatch_ignore = false` |
+| `timeouts.me_one_retry` | `u8` | `12` | none | Fast reconnect attempts for single-endpoint DC cases. | `me_one_retry = 6` |
+| `timeouts.me_one_timeout_ms` | `u64` | `1200` | none | Timeout per quick single-endpoint attempt (ms). | `me_one_timeout_ms = 1500` |
+
+### 2) Pool size, keepalive, and reconnect policy
+
+| Parameter | Type | Default | Constraints / validation | Runtime effect | Example |
+|---|---|---:|---|---|---|
+| `general.middle_proxy_pool_size` | `usize` | `8` | none | Target active ME writer pool size. | `middle_proxy_pool_size = 12` |
+| `general.middle_proxy_warm_standby` | `usize` | `16` | none | Reserved compatibility field in current revision (no active runtime consumer). | `middle_proxy_warm_standby = 16` |
+| `general.me_keepalive_enabled` | `bool` | `true` | none | Enables periodic ME keepalive/ping traffic. | `me_keepalive_enabled = true` |
+| `general.me_keepalive_interval_secs` | `u64` | `25` | none | Base keepalive interval (seconds). | `me_keepalive_interval_secs = 20` |
+| `general.me_keepalive_jitter_secs` | `u64` | `5` | none | Keepalive jitter to avoid synchronization bursts. | `me_keepalive_jitter_secs = 3` |
+| `general.me_keepalive_payload_random` | `bool` | `true` | none | Randomizes keepalive payload bytes. | `me_keepalive_payload_random = true` |
+| `general.me_warmup_stagger_enabled` | `bool` | `true` | none | Staggers extra ME warmup dials to avoid spikes. | `me_warmup_stagger_enabled = true` |
+| `general.me_warmup_step_delay_ms` | `u64` | `500` | none | Base delay between warmup dial steps (ms). | `me_warmup_step_delay_ms = 300` |
+| `general.me_warmup_step_jitter_ms` | `u64` | `300` | none | Additional random delay for warmup steps (ms). | `me_warmup_step_jitter_ms = 200` |
+| `general.me_reconnect_max_concurrent_per_dc` | `u32` | `8` | none | Limits concurrent reconnect workers per DC in health recovery. | `me_reconnect_max_concurrent_per_dc = 12` |
+| `general.me_reconnect_backoff_base_ms` | `u64` | `500` | none | Initial reconnect backoff (ms). | `me_reconnect_backoff_base_ms = 250` |
+| `general.me_reconnect_backoff_cap_ms` | `u64` | `30000` | none | Maximum reconnect backoff (ms). | `me_reconnect_backoff_cap_ms = 10000` |
+| `general.me_reconnect_fast_retry_count` | `u32` | `16` | none | Immediate retry budget before long backoff behavior. | `me_reconnect_fast_retry_count = 8` |
+
+### 3) Reinit/hardswap, secret rotation, and degradation
+
+| Parameter | Type | Default | Constraints / validation | Runtime effect | Example |
+|---|---|---:|---|---|---|
+| `general.hardswap` | `bool` | `true` | none | Enables generation-based ME hardswap strategy. | `hardswap = true` |
+| `general.me_reinit_every_secs` | `u64` | `900` | must be `> 0` | Periodic ME reinit interval. | `me_reinit_every_secs = 600` |
+| `general.me_hardswap_warmup_delay_min_ms` | `u64` | `1000` | must be `<= me_hardswap_warmup_delay_max_ms` | Lower bound for hardswap warmup dial spacing. | `me_hardswap_warmup_delay_min_ms = 500` |
+| `general.me_hardswap_warmup_delay_max_ms` | `u64` | `2000` | must be `> 0` | Upper bound for hardswap warmup dial spacing. | `me_hardswap_warmup_delay_max_ms = 1200` |
+| `general.me_hardswap_warmup_extra_passes` | `u8` | `3` | must be within `[0,10]` | Additional warmup passes after base pass. | `me_hardswap_warmup_extra_passes = 2` |
+| `general.me_hardswap_warmup_pass_backoff_base_ms` | `u64` | `500` | must be `> 0` | Base backoff between extra warmup passes. | `me_hardswap_warmup_pass_backoff_base_ms = 400` |
+| `general.me_config_stable_snapshots` | `u8` | `2` | must be `> 0` | Number of identical ME config snapshots required before apply. | `me_config_stable_snapshots = 3` |
+| `general.me_config_apply_cooldown_secs` | `u64` | `300` | none | Cooldown between applied ME map updates. | `me_config_apply_cooldown_secs = 120` |
+| `general.proxy_secret_stable_snapshots` | `u8` | `2` | must be `> 0` | Number of identical proxy-secret snapshots required before rotation. | `proxy_secret_stable_snapshots = 3` |
+| `general.proxy_secret_rotate_runtime` | `bool` | `true` | none | Enables runtime proxy-secret rotation. | `proxy_secret_rotate_runtime = true` |
+| `general.proxy_secret_len_max` | `usize` | `256` | must be within `[32,4096]` | Upper limit for accepted proxy-secret length. | `proxy_secret_len_max = 512` |
+| `general.update_every` | `Option<u64>` | `300` | if set: must be `> 0`; if `null`: legacy min fallback | Unified refresh interval for ME config + secret updater. | `update_every = 300` |
+| `general.me_pool_drain_ttl_secs` | `u64` | `90` | none | Time window where stale writers remain fallback-eligible. | `me_pool_drain_ttl_secs = 120` |
+| `general.me_pool_min_fresh_ratio` | `f32` | `0.8` | must be within `[0.0,1.0]` | Coverage threshold before stale generation can be drained. | `me_pool_min_fresh_ratio = 0.9` |
+| `general.me_reinit_drain_timeout_secs` | `u64` | `120` | `0` means no force-close; if `>0 && < TTL` it is bumped to TTL | Force-close timeout for draining stale writers. | `me_reinit_drain_timeout_secs = 0` |
+| `general.auto_degradation_enabled` | `bool` | `true` | none | Reserved compatibility flag in current revision (no active runtime consumer). | `auto_degradation_enabled = true` |
+| `general.degradation_min_unavailable_dc_groups` | `u8` | `2` | none | Reserved compatibility threshold in current revision (no active runtime consumer). | `degradation_min_unavailable_dc_groups = 2` |
+
+## Deprecated / Legacy Parameters
+
+| Parameter | Status | Replacement | Current behavior | Migration recommendation |
+|---|---|---|---|---|
+| `general.middle_proxy_nat_stun` | Deprecated | `network.stun_servers` | Merged into `network.stun_servers` only when `network.stun_servers` is not explicitly set. | Move value into `network.stun_servers` and remove legacy key. |
+| `general.middle_proxy_nat_stun_servers` | Deprecated | `network.stun_servers` | Merged into `network.stun_servers` only when `network.stun_servers` is not explicitly set. | Move values into `network.stun_servers` and remove legacy key. |
+| `general.proxy_secret_auto_reload_secs` | Deprecated | `general.update_every` | Used only when `update_every = null` (legacy fallback path). | Set `general.update_every` explicitly and remove legacy key. |
+| `general.proxy_config_auto_reload_secs` | Deprecated | `general.update_every` | Used only when `update_every = null` (legacy fallback path). | Set `general.update_every` explicitly and remove legacy key. |
+
+## How Upstreams Are Configured
+
+### Upstream schema
+
+| Field | Applies to | Type | Required | Default | Meaning |
+|---|---|---|---|---|---|
+| `[[upstreams]].type` | all upstreams | `"direct" \| "socks4" \| "socks5"` | yes | n/a | Upstream transport type. |
+| `[[upstreams]].weight` | all upstreams | `u16` | no | `1` | Base weight for weighted-random selection. |
+| `[[upstreams]].enabled` | all upstreams | `bool` | no | `true` | Disabled entries are ignored at startup. |
+| `[[upstreams]].scopes` | all upstreams | `String` | no | `""` | Comma-separated scope tags for request-level routing. |
+| `interface` | `direct` | `Option<String>` | no | `null` | Interface name (e.g. `eth0`) or literal local IP for bind selection. |
+| `bind_addresses` | `direct` | `Option<Vec<IpAddr>>` | no | `null` | Explicit local source IP candidates (strict priority over `interface`). |
+| `address` | `socks4` | `String` | yes | n/a | SOCKS4 server endpoint (`ip:port` or `host:port`). |
+| `interface` | `socks4` | `Option<String>` | no | `null` | Used only for SOCKS server `ip:port` dial path. |
+| `user_id` | `socks4` | `Option<String>` | no | `null` | SOCKS4 user ID for CONNECT request. |
+| `address` | `socks5` | `String` | yes | n/a | SOCKS5 server endpoint (`ip:port` or `host:port`). |
+| `interface` | `socks5` | `Option<String>` | no | `null` | Used only for SOCKS server `ip:port` dial path. |
+| `username` | `socks5` | `Option<String>` | no | `null` | SOCKS5 username auth. |
+| `password` | `socks5` | `Option<String>` | no | `null` | SOCKS5 password auth. |
+
+### Runtime rules (important)
+
+1. If `[[upstreams]]` is omitted, loader injects one default `direct` upstream.
+2. Scope filtering is exact-token based:
+- when request scope is set -> only entries whose `scopes` contains that exact token;
+- when request scope is not set -> only entries with empty `scopes`.
+3. Healthy upstreams are selected by weighted random using: `weight * latency_factor`.
+4. If no healthy upstream exists in filtered set, random selection is used among filtered entries.
+5. `direct` bind resolution order:
+- `bind_addresses` candidates (same IP family as target) first;
+- if `interface` is an interface name and `bind_addresses` is set, each candidate IP is validated against addresses currently assigned to that interface;
+- invalid candidates are dropped with `WARN`;
+- if no valid candidate remains, connection falls back to unbound direct connect (`bind_ip=None`);
+- if no `bind_addresses` candidate, `interface` is used (literal IP or resolved interface primary IP).
+6. For `socks4/socks5` with `address` as hostname, interface binding is not supported and is ignored with warning.
+7. Runtime DNS overrides are used for upstream hostname resolution.
+8. In ME mode, the selected upstream is also used for ME TCP dial path.
+9. In ME mode for `direct` upstream with bind/interface, STUN reflection logic is bind-aware for KDF source material.
+10. In ME mode for SOCKS upstream, SOCKS `BND.ADDR/BND.PORT` is used for KDF when it is valid/public for the same family.
+
+## Upstream Configuration Examples
+
+### Example 1: Minimal direct upstream
+
+```toml
+[[upstreams]]
+type = "direct"
+weight = 1
+enabled = true
+```
+
+### Example 2: Direct with interface + explicit bind addresses
+
+```toml
+[[upstreams]]
+type = "direct"
+interface = "eth0"
+bind_addresses = ["192.168.1.100", "192.168.1.101"]
+weight = 3
+enabled = true
+```
+
+### Example 3: SOCKS5 upstream with authentication
+
+```toml
+[[upstreams]]
+type = "socks5"
+address = "198.51.100.30:1080"
+username = "proxy-user"
+password = "proxy-pass"
+weight = 2
+enabled = true
+```
+
+### Example 4: Mixed upstreams with scopes
+
+```toml
+[[upstreams]]
+type = "direct"
+weight = 5
+enabled = true
+scopes = ""
+
+[[upstreams]]
+type = "socks5"
+address = "203.0.113.40:1080"
+username = "edge"
+password = "edgepass"
+weight = 3
+enabled = true
+scopes = "premium,me"
+```
+
+### Example 5: ME-focused tuning profile
+
+```toml
+[general]
+use_middle_proxy = true
+proxy_secret_path = "proxy-secret"
+middle_proxy_nat_probe = true
+stun_nat_probe_concurrency = 16
+middle_proxy_pool_size = 12
+me_keepalive_enabled = true
+me_keepalive_interval_secs = 20
+me_keepalive_jitter_secs = 4
+me_reconnect_max_concurrent_per_dc = 12
+me_reconnect_backoff_base_ms = 300
+me_reconnect_backoff_cap_ms = 10000
+me_reconnect_fast_retry_count = 10
+hardswap = true
+me_reinit_every_secs = 600
+me_hardswap_warmup_delay_min_ms = 500
+me_hardswap_warmup_delay_max_ms = 1200
+me_hardswap_warmup_extra_passes = 2
+me_hardswap_warmup_pass_backoff_base_ms = 400
+me_config_stable_snapshots = 3
+me_config_apply_cooldown_secs = 120
+proxy_secret_stable_snapshots = 3
+proxy_secret_rotate_runtime = true
+proxy_secret_len_max = 512
+update_every = 300
+me_pool_drain_ttl_secs = 120
+me_pool_min_fresh_ratio = 0.9
+me_reinit_drain_timeout_secs = 180
+
+[timeouts]
+me_one_retry = 8
+me_one_timeout_ms = 1200
+
+[network]
+stun_use = true
+stun_tcp_fallback = true
+stun_servers = [
+  "stun1.l.google.com:19302",
+  "stun2.l.google.com:19302"
+]
+http_ip_detect_urls = [
+  "https://api.ipify.org",
+  "https://ifconfig.me/ip"
+]
+```
--- a/docs/TUNING.ru.md
+++ b/docs/TUNING.ru.md
@@ -0,0 +1,219 @@
+# Руководство по тюнингу Telemt: Middle-End и Upstreams
+
+Документ описывает актуальное поведение Middle-End (ME) и маршрутизации через upstream на основе:
+- `src/config/types.rs`
+- `src/config/defaults.rs`
+- `src/config/load.rs`
+- `src/transport/upstream.rs`
+
+Значения `Default` ниже — это значения из кода при отсутствии ключа в конфиге, а не обязательно значения из примеров `config.full.toml`.
+
+## Параметры Middle-End
+
+### 1) Базовый режим ME, NAT и STUN
+
+| Параметр | Тип | Default | Ограничения / валидация | Влияние на runtime | Пример |
+|---|---|---:|---|---|---|
+| `general.use_middle_proxy` | `bool` | `true` | нет | Включает транспорт ME. При `false` используется Direct-режим. | `use_middle_proxy = true` |
+| `general.proxy_secret_path` | `Option<String>` | `"proxy-secret"` | путь может быть `null` | Путь к инфраструктурному proxy-secret Telegram. | `proxy_secret_path = "proxy-secret"` |
+| `general.middle_proxy_nat_ip` | `Option<IpAddr>` | `null` | валидный IP при задании | Ручной override публичного NAT IP для адресного материала ME. | `middle_proxy_nat_ip = "203.0.113.10"` |
+| `general.middle_proxy_nat_probe` | `bool` | `true` | авто-принудительно `true`, если `use_middle_proxy=true` | Включает NAT probing для ME. | `middle_proxy_nat_probe = true` |
+| `general.stun_nat_probe_concurrency` | `usize` | `8` | должно быть `> 0` | Максимум параллельных STUN-проб при NAT-детекте. | `stun_nat_probe_concurrency = 16` |
+| `network.stun_use` | `bool` | `true` | нет | Глобальный переключатель STUN. При `false` STUN отключен. | `stun_use = true` |
+| `network.stun_servers` | `Vec<String>` | встроенный публичный пул | удаляются дубликаты и пустые значения | Основной список STUN-серверов для NAT/public endpoint discovery. | `stun_servers = ["stun1.l.google.com:19302"]` |
+| `network.stun_tcp_fallback` | `bool` | `true` | нет | Включает TCP fallback, если UDP STUN недоступен. | `stun_tcp_fallback = true` |
+| `network.http_ip_detect_urls` | `Vec<String>` | `ifconfig.me` + `api.ipify.org` | нет | HTTP fallback для определения публичного IPv4 при недоступности STUN. | `http_ip_detect_urls = ["https://api.ipify.org"]` |
+| `general.stun_iface_mismatch_ignore` | `bool` | `false` | нет | Зарезервированный флаг в текущей ревизии (runtime его не использует). | `stun_iface_mismatch_ignore = false` |
+| `timeouts.me_one_retry` | `u8` | `12` | нет | Количество быстрых reconnect-попыток для DC с одним endpoint. | `me_one_retry = 6` |
+| `timeouts.me_one_timeout_ms` | `u64` | `1200` | нет | Таймаут одной быстрой попытки (мс). | `me_one_timeout_ms = 1500` |
+
+### 2) Размер пула, keepalive и reconnect-политика
+
+| Параметр | Тип | Default | Ограничения / валидация | Влияние на runtime | Пример |
+|---|---|---:|---|---|---|
+| `general.middle_proxy_pool_size` | `usize` | `8` | нет | Целевой размер активного пула ME-writer соединений. | `middle_proxy_pool_size = 12` |
+| `general.middle_proxy_warm_standby` | `usize` | `16` | нет | Зарезервированное поле совместимости в текущей ревизии (активного runtime-consumer нет). | `middle_proxy_warm_standby = 16` |
+| `general.me_keepalive_enabled` | `bool` | `true` | нет | Включает периодические keepalive/ping кадры ME. | `me_keepalive_enabled = true` |
+| `general.me_keepalive_interval_secs` | `u64` | `25` | нет | Базовый интервал keepalive (сек). | `me_keepalive_interval_secs = 20` |
+| `general.me_keepalive_jitter_secs` | `u64` | `5` | нет | Джиттер keepalive для предотвращения синхронных всплесков. | `me_keepalive_jitter_secs = 3` |
+| `general.me_keepalive_payload_random` | `bool` | `true` | нет | Рандомизирует payload keepalive-кадров. | `me_keepalive_payload_random = true` |
+| `general.me_warmup_stagger_enabled` | `bool` | `true` | нет | Включает staggered warmup дополнительных ME-коннектов. | `me_warmup_stagger_enabled = true` |
+| `general.me_warmup_step_delay_ms` | `u64` | `500` | нет | Базовая задержка между шагами warmup (мс). | `me_warmup_step_delay_ms = 300` |
+| `general.me_warmup_step_jitter_ms` | `u64` | `300` | нет | Дополнительный случайный warmup-джиттер (мс). | `me_warmup_step_jitter_ms = 200` |
+| `general.me_reconnect_max_concurrent_per_dc` | `u32` | `8` | нет | Ограничивает параллельные reconnect worker'ы на один DC. | `me_reconnect_max_concurrent_per_dc = 12` |
+| `general.me_reconnect_backoff_base_ms` | `u64` | `500` | нет | Начальный backoff reconnect (мс). | `me_reconnect_backoff_base_ms = 250` |
+| `general.me_reconnect_backoff_cap_ms` | `u64` | `30000` | нет | Верхняя граница backoff reconnect (мс). | `me_reconnect_backoff_cap_ms = 10000` |
+| `general.me_reconnect_fast_retry_count` | `u32` | `16` | нет | Бюджет быстрых retry до длинного backoff. | `me_reconnect_fast_retry_count = 8` |
+
+### 3) Reinit/hardswap, ротация секрета и деградация
+
+| Параметр | Тип | Default | Ограничения / валидация | Влияние на runtime | Пример |
+|---|---|---:|---|---|---|
+| `general.hardswap` | `bool` | `true` | нет | Включает generation-based стратегию hardswap для ME-пула. | `hardswap = true` |
+| `general.me_reinit_every_secs` | `u64` | `900` | должно быть `> 0` | Интервал периодического reinit ME-пула. | `me_reinit_every_secs = 600` |
+| `general.me_hardswap_warmup_delay_min_ms` | `u64` | `1000` | должно быть `<= me_hardswap_warmup_delay_max_ms` | Нижняя граница пауз между warmup dial попытками. | `me_hardswap_warmup_delay_min_ms = 500` |
+| `general.me_hardswap_warmup_delay_max_ms` | `u64` | `2000` | должно быть `> 0` | Верхняя граница пауз между warmup dial попытками. | `me_hardswap_warmup_delay_max_ms = 1200` |
+| `general.me_hardswap_warmup_extra_passes` | `u8` | `3` | диапазон `[0,10]` | Дополнительные warmup-проходы после базового. | `me_hardswap_warmup_extra_passes = 2` |
+| `general.me_hardswap_warmup_pass_backoff_base_ms` | `u64` | `500` | должно быть `> 0` | Базовый backoff между extra-pass в warmup. | `me_hardswap_warmup_pass_backoff_base_ms = 400` |
+| `general.me_config_stable_snapshots` | `u8` | `2` | должно быть `> 0` | Количество одинаковых snapshot перед применением ME map update. | `me_config_stable_snapshots = 3` |
+| `general.me_config_apply_cooldown_secs` | `u64` | `300` | нет | Cooldown между применёнными обновлениями ME map. | `me_config_apply_cooldown_secs = 120` |
+| `general.proxy_secret_stable_snapshots` | `u8` | `2` | должно быть `> 0` | Количество одинаковых snapshot перед runtime-rotation proxy-secret. | `proxy_secret_stable_snapshots = 3` |
+| `general.proxy_secret_rotate_runtime` | `bool` | `true` | нет | Включает runtime-ротацию proxy-secret. | `proxy_secret_rotate_runtime = true` |
+| `general.proxy_secret_len_max` | `usize` | `256` | диапазон `[32,4096]` | Верхний лимит длины принимаемого proxy-secret. | `proxy_secret_len_max = 512` |
+| `general.update_every` | `Option<u64>` | `300` | если задано: `> 0`; если `null`: fallback на legacy минимум | Единый интервал refresh для ME config + secret updater. | `update_every = 300` |
+| `general.me_pool_drain_ttl_secs` | `u64` | `90` | нет | Время, когда stale writer ещё может использоваться как fallback. | `me_pool_drain_ttl_secs = 120` |
+| `general.me_pool_min_fresh_ratio` | `f32` | `0.8` | диапазон `[0.0,1.0]` | Порог покрытия fresh-поколения перед drain старого поколения. | `me_pool_min_fresh_ratio = 0.9` |
+| `general.me_reinit_drain_timeout_secs` | `u64` | `120` | `0` = без force-close; если `>0 && < TTL`, поднимается до TTL | Таймаут force-close для draining stale writer. | `me_reinit_drain_timeout_secs = 0` |
+| `general.auto_degradation_enabled` | `bool` | `true` | нет | Зарезервированный флаг совместимости в текущей ревизии (активного runtime-consumer нет). | `auto_degradation_enabled = true` |
+| `general.degradation_min_unavailable_dc_groups` | `u8` | `2` | нет | Зарезервированный порог совместимости в текущей ревизии (активного runtime-consumer нет). | `degradation_min_unavailable_dc_groups = 2` |
+
+## Устаревшие / legacy параметры
+
+| Параметр | Статус | Замена | Текущее поведение | Рекомендация миграции |
+|---|---|---|---|---|
+| `general.middle_proxy_nat_stun` | Deprecated | `network.stun_servers` | Добавляется в `network.stun_servers`, только если `network.stun_servers` не задан явно. | Перенести значение в `network.stun_servers`, legacy-ключ удалить. |
+| `general.middle_proxy_nat_stun_servers` | Deprecated | `network.stun_servers` | Добавляется в `network.stun_servers`, только если `network.stun_servers` не задан явно. | Перенести значения в `network.stun_servers`, legacy-ключ удалить. |
+| `general.proxy_secret_auto_reload_secs` | Deprecated | `general.update_every` | Используется только если `update_every = null` (legacy fallback). | Явно задать `general.update_every`, legacy-ключ удалить. |
+| `general.proxy_config_auto_reload_secs` | Deprecated | `general.update_every` | Используется только если `update_every = null` (legacy fallback). | Явно задать `general.update_every`, legacy-ключ удалить. |
+
+## Как конфигурируются Upstreams
+
+### Схема upstream
+
+| Поле | Применимость | Тип | Обязательно | Default | Назначение |
+|---|---|---|---|---|---|
+| `[[upstreams]].type` | все upstream | `"direct" \| "socks4" \| "socks5"` | да | n/a | Тип upstream транспорта. |
+| `[[upstreams]].weight` | все upstream | `u16` | нет | `1` | Базовый вес в weighted-random выборе. |
+| `[[upstreams]].enabled` | все upstream | `bool` | нет | `true` | Выключенные записи игнорируются на старте. |
+| `[[upstreams]].scopes` | все upstream | `String` | нет | `""` | Список scope-токенов через запятую для маршрутизации. |
+| `interface` | `direct` | `Option<String>` | нет | `null` | Имя интерфейса (например `eth0`) или literal локальный IP. |
+| `bind_addresses` | `direct` | `Option<Vec<IpAddr>>` | нет | `null` | Явные кандидаты source IP (имеют приоритет над `interface`). |
+| `address` | `socks4` | `String` | да | n/a | Адрес SOCKS4 сервера (`ip:port` или `host:port`). |
+| `interface` | `socks4` | `Option<String>` | нет | `null` | Используется только если `address` задан как `ip:port`. |
+| `user_id` | `socks4` | `Option<String>` | нет | `null` | SOCKS4 user ID в CONNECT-запросе. |
+| `address` | `socks5` | `String` | да | n/a | Адрес SOCKS5 сервера (`ip:port` или `host:port`). |
+| `interface` | `socks5` | `Option<String>` | нет | `null` | Используется только если `address` задан как `ip:port`. |
+| `username` | `socks5` | `Option<String>` | нет | `null` | Логин SOCKS5 auth. |
+| `password` | `socks5` | `Option<String>` | нет | `null` | Пароль SOCKS5 auth. |
+
+### Runtime-правила
+
+1. Если `[[upstreams]]` отсутствует, loader добавляет один upstream `direct` по умолчанию.
+2. Scope-фильтрация — по точному совпадению токена:
+- если scope запроса задан -> используются только записи, где `scopes` содержит такой же токен;
+- если scope запроса не задан -> используются только записи с пустым `scopes`.
+3. Среди healthy upstream используется weighted-random выбор: `weight * latency_factor`.
+4. Если в отфильтрованном наборе нет healthy upstream, выбирается случайный из отфильтрованных.
+5. Порядок выбора bind для `direct`:
+- сначала `bind_addresses` (только IP нужного семейства);
+- если одновременно заданы `interface` (имя) и `bind_addresses`, каждый IP проверяется на принадлежность интерфейсу;
+- несовпадающие IP отбрасываются с `WARN`;
+- если валидных IP не осталось, используется unbound direct connect (`bind_ip=None`);
+- если `bind_addresses` не подходит, применяется `interface` (literal IP или адрес интерфейса).
+6. Для `socks4/socks5` с `address` в виде hostname интерфейсный bind не поддерживается и игнорируется с предупреждением.
+7. Runtime DNS overrides применяются к резолвингу hostname в upstream-подключениях.
+8. В ME-режиме выбранный upstream также используется для ME TCP dial path.
+9. В ME-режиме для `direct` upstream с bind/interface STUN-рефлексия выполняется bind-aware для KDF материала.
+10. В ME-режиме для SOCKS upstream используются `BND.ADDR/BND.PORT` для KDF, если адрес валиден/публичен и соответствует IP family.
+
+## Примеры конфигурации Upstreams
+
+### Пример 1: минимальный direct upstream
+
+```toml
+[[upstreams]]
+type = "direct"
+weight = 1
+enabled = true
+```
+
+### Пример 2: direct с interface + явными bind IP
+
+```toml
+[[upstreams]]
+type = "direct"
+interface = "eth0"
+bind_addresses = ["192.168.1.100", "192.168.1.101"]
+weight = 3
+enabled = true
+```
+
+### Пример 3: SOCKS5 upstream с аутентификацией
+
+```toml
+[[upstreams]]
+type = "socks5"
+address = "198.51.100.30:1080"
+username = "proxy-user"
+password = "proxy-pass"
+weight = 2
+enabled = true
+```
+
+### Пример 4: смешанные upstream с scopes
+
+```toml
+[[upstreams]]
+type = "direct"
+weight = 5
+enabled = true
+scopes = ""
+
+[[upstreams]]
+type = "socks5"
+address = "203.0.113.40:1080"
+username = "edge"
+password = "edgepass"
+weight = 3
+enabled = true
+scopes = "premium,me"
+```
+
+### Пример 5: профиль тюнинга под ME
+
+```toml
+[general]
+use_middle_proxy = true
+proxy_secret_path = "proxy-secret"
+middle_proxy_nat_probe = true
+stun_nat_probe_concurrency = 16
+middle_proxy_pool_size = 12
+me_keepalive_enabled = true
+me_keepalive_interval_secs = 20
+me_keepalive_jitter_secs = 4
+me_reconnect_max_concurrent_per_dc = 12
+me_reconnect_backoff_base_ms = 300
+me_reconnect_backoff_cap_ms = 10000
+me_reconnect_fast_retry_count = 10
+hardswap = true
+me_reinit_every_secs = 600
+me_hardswap_warmup_delay_min_ms = 500
+me_hardswap_warmup_delay_max_ms = 1200
+me_hardswap_warmup_extra_passes = 2
+me_hardswap_warmup_pass_backoff_base_ms = 400
+me_config_stable_snapshots = 3
+me_config_apply_cooldown_secs = 120
+proxy_secret_stable_snapshots = 3
+proxy_secret_rotate_runtime = true
+proxy_secret_len_max = 512
+update_every = 300
+me_pool_drain_ttl_secs = 120
+me_pool_min_fresh_ratio = 0.9
+me_reinit_drain_timeout_secs = 180
+
+[timeouts]
+me_one_retry = 8
+me_one_timeout_ms = 1200
+
+[network]
+stun_use = true
+stun_tcp_fallback = true
+stun_servers = [
+  "stun1.l.google.com:19302",
+  "stun2.l.google.com:19302"
+]
+http_ip_detect_urls = [
+  "https://api.ipify.org",
+  "https://ifconfig.me/ip"
+]
+```
--- a/docs/XRAY-SINGBOX-ROUTING.ru.md
+++ b/docs/XRAY-SINGBOX-ROUTING.ru.md
@@ -0,0 +1,321 @@
+# SNI-маршрутизация в xray-core / sing-box + TLS-fronting
+
+## Термины (в контексте этого кейса)
+
+- **TLS-fronting домен** — домен, который фигурирует в TLS ClientHello как **SNI** (например, `petrovich.ru`): он используется как "маска" на L7 и как ключ маршрутизации в прокси-роутере.
+- **xray-core / sing-box** — локальный или удалённый L7/TLS-роутер (прокси), который:
+  1) принимает входящее TCP/TLS-соединение,
+  2) читает TLS ClientHello,
+  3) извлекает SNI,
+  4) по SNI выбирает outbound/апстрим,
+  5) устанавливает новое TCP-соединение к целевому хосту уже **от себя**.
+- **SNI (Server Name Indication)** — поле в TLS ClientHello, где клиент Telegram сообщает доменное имя для "маскировки"
+- **DNS-resolve на стороне L7-роутера** — если выходной адрес задан доменом (или роутер решил "всё равно идти по SNI"), то DNS резолвится **на стороне xray/sing-box**, а не на стороне Telegram-клиента
+
+---
+
+## Ключевая идея: куда на самом деле идёт соединение решает не то, что вы указали клиенту, а то как L7-роутер трактует SNI
+
+Механика:
+
+1) Telegram-клиенту вы можете указать **IP/домен telemt**,как "сервер".
+2) Между клиентом и telemt стоит xray-core/sing-box, который принимает TCP, читает TLS ClientHello и видит **SNI=petrovich.ru**
+3) Дальше роутер говорит: "Вижу SNI - направить на апстрим/маршрут N"
+4) И устанавливает исходящее соединение не "по тому IP, который пользователь подразумевал", а **по домену из SNI** (или по сопоставлению SNI→outbound), используя для определния его IP собственный DNS-кеш или резолвер
+5) `petrovich.ru` по A-записи указывает **не на IP telemt**, а значит при L7-маршрутизации трафик уйдёт на "оригинальный" сайт за этим доменом, а не в telemt: Telegram-клиент, естественно, не сможет получить ожидаемое поведение, потому что ответить с handshake на той стороне некому
+
+---
+
+## Схема №1 "Как это НЕ работает"
+
+```text
+Telegram Client
+   |
+   |  (указан IP/домен telemt)
+   v
+telemt instance
+````
+
+Ожидание: "я указал telemt -> значит трафик попадёт в telemt" - **нет!**
+
+---
+
+## Схема №2. "Как это реально работает с TLS/L7-роутером и SNI"
+
+```text
+Telegram Client
+   |
+   | 1) TCP/TLS connection: 
+   |    - ClientHello: 
+   |      - SNI=petrovich.ru
+   v
+xray-core / sing-box / любой L7 router
+   |
+   | 2) читает ClientHello -> вытаскивает SNI
+   | 3) выбирает маршрут по SNI
+   | 4) делает DNS для petrovich.ru 
+   | 5) подключается к полученному IP по TLS с этим SNI
+   v
+"Оригинальный" сайт, A-запись которого не на telemt
+   |
+   X  не telemt -> Telegram-клиент не коннектится как ожидалось
+```
+
+---
+
+## Почему указанный в клиенте IP/домен telemt "не спасает"
+
+Потому что в таком режиме xray/sing-box выступает как **точка терминации TCP/TLS**, можно сказать - TLS-инспектор на уровне ClientHello, это означает:
+
+* TCP-сессия от Telegram-клиента заканчивается на xray/sing-box
+* Дальше создаётся **новая** TCP-сессия "от имени" xray/sing-box к апстриму
+* Выбор апстрима делается правилами роутинга, а в TLS-сценариях самый удобный и распространённый ключ — **SNI**
+
+То есть, "куда идти дальше" определяется логикой L7-роутера:
+
+* либо правилами вида `if SNI == petrovich.ru -> outbound X`,
+* либо более "автоматическим" поведением: `подключаться к тому хосту, который указан в SNI`,
+* плюс кэш DNS и собственные резолверы роутера
+
+---
+
+## Что именно извлекается из TLS ClientHello и почему этого достаточно
+
+TLS ClientHello отправляется **в начале** TLS-сессии и, в классическом TLS без ECH, содержит SNI в открытом виде.
+
+Упрощённо:
+
+```text
+ClientHello:
+  - supported_versions
+  - cipher_suites
+  - extensions:
+      - server_name: petrovich.ru   <-- SNI
+      - alpn: h2/http1.1/...
+      - ...
+```
+
+Роутеру не нужно расшифровывать трафик и завершать TLS "как сервер" — часто достаточно просто прочитать первые пакеты и распарсить ClientHello, чтобы получить SNI и принять решение
+
+---
+
+## Типовой алгоритм SNI-роутинга
+
+1. Принять входящий TCP.
+2. Подождать первые байты.
+3. Определить протокол:
+
+   * если видим TLS ClientHello → парсим SNI/ALPN
+4. Применить route rules:
+
+   * match по `server_name` / `domain` / `tls.sni`
+5. Выбрать outbound:
+
+   * direct / proxy / specific upstream / detour
+6. Установить исходящее соединение:
+
+   * либо на фиксированный IP:порт,
+   * либо на домен через DNS-resolve на стороне роутера
+7. Начать проксирование данных между входом и выходом
+
+---
+
+## Почему "A-запись фронтинг-домена не на telemt" ломает кейс
+
+### Ситуация
+
+* В ClientHello: `SNI = petrovich.ru`
+* DNS: `petrovich.ru -> 203.0.113.77`  - "оригинальный" сайт
+* telemt живёт на: `198.51.100.10`
+
+### Что делает роутер
+
+* Видит SNI `petrovich.ru`
+* Либо:
+
+  * (а) напрямую коннектится к `petrovich.ru:443`, резолвя A-запись в `203.0.113.77`,
+  * либо:
+  * (б) выбирает outbound, который указывает на `petrovich.ru` как destination,
+  * либо:
+  * (в) делает sniffing/override destination по SNI
+
+В итоге исходящий коннект идёт на `203.0.113.77:443`, а не на telemt!
+Другой сервер, другой протокол, другая логика, где telemt не участвует
+
+---
+
+## "Где именно происходит подмена destination на SNI"
+
+Это зависит от конфигурации, но типовые варианты:
+
+### Вариант A: outbound задан доменом (и он совпадает с SNI)
+
+Правило по SNI выбирает outbound, у которого destination задан доменом фронтинга, 
+тогда DNS резолвится на стороне роутера и вы уходите на "оригинальный" хост
+
+### Вариант B: destination override / sniffing
+
+Роутер "снифает" SNI и **перезаписывает** destination на домен из SNI (даже если вход изначально был на IP telemt),
+это особенно коварно: пользователь видит "я подключаюсь к IP telemt", но роутер после sniffing решает иначе
+
+### Вариант C: split DNS / кеш / независимый резолвер
+
+Даже если клиент "где-то" резолвит иначе, это не важно: конечный DNS для исходящего коннекта — на стороне xray/sing-box,
+который может иметь:
+
+* свой DoH/DoT,
+* свой кеш,
+* свои правила fake-ip / system resolver,
+* и, как следствие, своя "карта" **домен/SNI -> IP**
+
+---
+
+## Признаки того, что трафик "утёк на оригинал", а не попал в telemt
+
+* На стороне telemt отсутствуют входящие соединения/логи
+* На стороне роутера видно, что destination — домен фронтинга, а IP соответствует публичному сайту
+* TLS-метрики/сертификат на выходе соответствует "оригинальному" сайту в записах трафика
+* Telegram-клиент получает неожиданный тип ответов/ошибку handshaking/timeout в debug-режиме
+
+---
+
+## Best-practice решение для этого кейса: свой домен фронтинга + заглушка на telemt + Let's Encrypt
+
+### Цель
+
+Сделать так, чтобы:
+
+* SNI (фронтинг-домен) **резолвился в IP telemt**,
+* на IP telemt реально был TLS-сервис с валидным сертификатом под этот домен,
+* даже если кто-то "попробует открыть домен как сайт", он увидит нормальную заглушку, а не "пустоту"
+
+### Что это даёт
+
+* xray/sing-box, маршрутизируя по SNI, будет неизбежно приходить на telemt, потому что DNS(SNI-домен) → IP telemt
+* Внешний вид будет правдоподобным: обычный домен с обычным сертификатом
+* Устойчивость: меньше сюрпризов от DNS-кеша/перерезолва/"умных" правил роутера
+
+---
+
+## Рекомендуемая схема (целевое состояние)
+
+```text
+Telegram Client
+   |
+   | TLS ClientHello: SNI = hello.example.com
+   v
+xray-core / sing-box
+   |
+   | Route by SNI -> outbound -> connect to hello.example.com:443
+   | DNS(hello.example.com) = IP telemt
+   v
+telemt instance (IP telemt)
+   |
+   | TLS cert for hello.example.com (Let's Encrypt)
+   | + сайт-заглушка / health endpoint
+   v
+OK
+```
+
+---
+
+## Практический чеклист (минимальный)
+
+1. Купить/иметь домен: `hello.example.com`
+2. В DNS:
+
+   * `A hello.example.com -> <IP telemt>`
+   * (опционально) AAAA, если используете IPv6 и он стабилен
+3. На telemt-хосте:
+
+   * поднять TLS endpoint на 443 с валидным сертификатом LE под `hello.example.com`
+   * отдать "заглушку" (например, статический сайт), чтобы домен выглядел как обычный веб-сервис
+4. В xray/sing-box правилах:
+
+   * маршрутизировать нужный трафик по SNI = `hello.example.com` в "правильный" outbound (к telemt)
+   * избегать конфигураций, где destination override уводит на чужой домен
+5. Важно:
+
+   * если вы используете кеш DNS на роутере — сбросить/обновить его после смены A-записи
+
+---
+
+## Пояснение про сайт-заглушку
+
+Для эмуляции TLS, telemt имеет подсистему TLS-F в `src/tls_front`:
+- её модуль - fetcher, собирает TLS-профили, чтоб максимально поведенчески корректно повторять TLS конкретно указанного сайта
+
+Когда вы указываете сайт, который не отвечает по TLS:
+- fetcher не может собрать TLS-профиль и происходит fallback на `fake_cert_len` - примитивный алгоритм,
+- он забивает служебную информацию TLS рандомными байтами,
+- простые системы DPI не распознают это
+- однако, продвинутые системы, такие как nEdge или Fraud Control в сетях мобильной связи легко заблокируют или замедлят такой трафик
+
+Создав сайт-заглушку с Let's Encrypt сертификатом, вы даёте TLS-F возможность получить данные сертификата и корректно его "повторять" в дальнейшем
+
+---
+
+## Вариант конфиг-подхода: "SNI строго привязываем к telemt - фиксированный IP"
+
+Чтобы полностью исключить зависимость от DNS если вам это нужно, можно сделать outbound, который ходит на **фиксированный IP telemt**, но при этом выставляет SNI/Host как `hello.example.com`.
+
+Идея:
+
+* destination: `IP:443`
+* SNI: `hello.example.com`
+* сертификат на telemt именно под `hello.example.com`
+
+Так вы получаете:
+
+* TLS выглядит корректно, ведь SNI совпадает с сертификатом,
+* а routing никогда не уйдёт на "оригинал", потому что A-запись указывает на telemt и контроллируется вами!
+
+Но в вашем описании проблема как раз в том, что роутер "сам решает по SNI и резолвит домен", поэтому самый универсальный вариант — сделать так, чтобы DNS всегда приводил в telemt
+
+---
+
+## Пример логики правил на псевдоконфиге L7-роутера
+
+```text
+if inbound is TLS and sni == "hello.example.com":
+    route -> outbound "telemt"
+else:
+    route -> outbound "default"
+```
+
+Outbound `telemt`:
+
+* destination: `hello.example.com:443`
+* TLS enabled
+* SNI: `hello.example.com`
+
+---
+
+## Отдельно: что может неожиданно сломать даже "правильный" DNS
+
+* **Кеширование DNS** на xray/sing-box или на системном резолвере, особенно при смене A-записи
+* **Split-horizon DNS**: разные ответы внутри/снаружи, попытки подмены/терминирования в других точках
+* **IPv6**: если есть AAAA и он указывает не туда, роутер может предпочесть IPv6: помните, что поддержка v6 нестабильна и не рекомендуется в prod
+* **DoH/DoT** на роутере: он может резолвить не тем резолвером, которым вы проверяли
+
+Минимальная гигиена:
+
+* контролировать A/AAAA,
+* держать TTL разумным,
+* проверять, каким резолвером пользуется именно роутер,
+* при необходимости отключить/ограничить destination override
+
+---
+
+## Итог
+
+В режиме TLS-fronting с xray-core/sing-box как L7/TLS-роутером **SNI становится приоритетным "source-of-truth" для маршрутизации**
+
+Если фронтинг-домен по DNS указывает не на IP telemt, роутер честно уводит трафик на "оригинальный" сайт, потому что он строит исходящее соединение "по SNI"
+
+Надёжное решение для этого кейса:
+
+* использовать **свой домен** для фронтинга,
+* направить его **A/AAAA** на IP telemt,
+* поднять на telemt **TLS-сервис с Let’s Encrypt сертификатом** под этот домен,
+* (желательно) держать **сайт-заглушку**, чтобы 443 выглядел как обычный HTTPS
--- a/docs/model/MODEL.en.md
+++ b/docs/model/MODEL.en.md
@@ -0,0 +1,285 @@
+# Telemt Runtime Model
+
+## Scope
+This document defines runtime concepts used by the Middle-End (ME) transport pipeline and the orchestration logic around it.
+
+It focuses on:
+- `ME Pool / Reader / Writer / Refill / Registry`
+- `Adaptive Floor`
+- `Trio-State`
+- `Generation Lifecycle`
+
+## Core Entities
+
+### ME Pool
+`ME Pool` is the runtime orchestrator for all Middle-End writers.
+
+Responsibilities:
+- Holds writer inventory by DC/family/endpoint.
+- Maintains routing primitives and writer selection policy.
+- Tracks generation state (`active`, `warm`, `draining` context).
+- Applies runtime policies (floor mode, refill, reconnect, reinit, fallback behavior).
+- Exposes readiness gates used by admission logic (for conditional accept/cast behavior).
+
+Non-goals:
+- It does not own client protocol decoding.
+- It does not own per-client business policy (quotas/limits).
+
+### ME Writer
+`ME Writer` is a long-lived ME RPC tunnel bound to one concrete ME endpoint (`ip:port`), with:
+- Outbound command channel (send path).
+- Associated reader loop (inbound path).
+- Health/degraded flags.
+- Contour/state and generation metadata.
+
+A writer is the actual data plane carrier for client sessions once bound.
+
+### ME Reader
+`ME Reader` is the inbound parser/dispatcher for one writer:
+- Reads/decrypts ME RPC frames.
+- Validates sequence/checksum.
+- Routes payloads to client-connection channels via `Registry`.
+- Emits close/ack/data events and updates telemetry.
+
+Design intent:
+- Reader must stay non-blocking as much as possible.
+- Backpressure on a single client route must not stall the whole writer stream.
+
+### Refill
+`Refill` is the recovery mechanism that restores writer coverage when capacity drops:
+- Per-endpoint restore (same endpoint first).
+- Per-DC restore to satisfy required floor.
+- Optional outage-mode/shadow behavior for fragile single-endpoint DCs.
+
+Refill works asynchronously and should not block hot routing paths.
+
+### Registry
+`Registry` is the routing index between ME and client sessions:
+- `conn_id -> client response channel`
+- `conn_id <-> writer_id` binding map
+- writer activity snapshots and idle tracking
+
+Main invariants:
+- A `conn_id` routes to at most one active response channel.
+- Writer loss triggers safe unbind/cleanup and close propagation.
+- Registry state is the source of truth for active ME-bound session mapping.
+
+## Adaptive Floor
+
+### What it is
+`Adaptive Floor` is a runtime policy that changes target writer count per DC based on observed activity, instead of always holding static peak floor.
+
+### Why it exists
+Goals:
+- Reduce idle writer churn under low traffic.
+- Keep enough warm capacity to avoid client-visible stalls on burst recovery.
+- Limit needless reconnect storms on unstable endpoints.
+
+### Behavioral model
+- Under activity: floor converges toward configured static requirement.
+- Under prolonged idle: floor can shrink to a safe minimum.
+- Recovery/grace windows prevent aggressive oscillation.
+
+### Safety constraints
+- Never violate minimal survivability floor for a DC group.
+- Refill must still restore quickly on demand.
+- Floor adaptation must not force-drop already bound healthy sessions.
+
+## Trio-State
+
+`Trio-State` is writer contouring:
+- `Warm`
+- `Active`
+- `Draining`
+
+### State semantics
+- `Warm`: connected and validated, not primary for new binds.
+- `Active`: preferred for new binds and normal traffic.
+- `Draining`: no new regular binds; existing sessions continue until graceful retirement rules apply.
+
+### Transition intent
+- `Warm -> Active`: when coverage/readiness conditions are satisfied.
+- `Active -> Draining`: on generation swap, endpoint replacement, or controlled retirement.
+- `Draining -> removed`: after drain TTL/force-close policy (or when naturally empty).
+
+This separation reduces SPOF and keeps cutovers predictable.
+
+## Generation Lifecycle
+
+Generation isolates pool epochs during reinit/reconfiguration.
+
+### Lifecycle phases
+1. `Bootstrap`: initial writers are established.
+2. `Warmup`: next generation writers are created and validated.
+3. `Activation`: generation promoted to active when coverage gate passes.
+4. `Drain`: previous generation becomes draining, existing sessions are allowed to finish.
+5. `Retire`: old generation writers are removed after graceful rules.
+
+### Operational guarantees
+- No partial generation activation without minimum coverage.
+- Existing healthy client sessions should not be dropped just because a new generation appears.
+- Draining generation exists to absorb in-flight traffic during swap.
+
+### Readiness and admission
+Pool readiness is not equivalent to “all endpoints fully saturated”.
+Typical gating strategy:
+- Open admission when per-DC minimal alive coverage exists.
+- Continue background saturation for multi-endpoint DCs.
+
+This keeps startup latency low while preserving eventual full capacity.
+
+## Interactions Between Concepts
+
+- `Generation` defines pool epochs.
+- `Trio-State` defines per-writer role inside/around those epochs.
+- `Adaptive Floor` defines how much capacity should be maintained right now.
+- `Refill` is the actuator that closes the gap between desired and current capacity.
+- `Registry` keeps per-session routing correctness while all of the above changes over time.
+
+## Architectural Approach
+
+### Layered Design
+The runtime is intentionally split into two planes:
+- `Control Plane`: decides desired topology and policy (`floor`, `generation swap`, `refill`, `fallback`).
+- `Data Plane`: executes packet/session transport (`reader`, `writer`, routing, acks, close propagation).
+
+Architectural rule:
+- Control Plane may change writer inventory and policy.
+- Data Plane must remain stable and low-latency while those changes happen.
+
+### Ownership Model
+Ownership is centered around explicit state domains:
+- `MePool` owns writer lifecycle and policy state.
+- `Registry` owns per-connection routing bindings.
+- `Writer task` owns outbound ME socket send progression.
+- `Reader task` owns inbound ME socket parsing and event dispatch.
+
+This prevents accidental cross-layer mutation and keeps invariants local.
+
+### Control Plane Responsibilities
+Control Plane is event-driven and policy-driven:
+- Startup initialization and readiness gates.
+- Runtime reinit (periodic or config-triggered).
+- Coverage checks per DC/family/endpoint group.
+- Floor enforcement (static/adaptive).
+- Refill scheduling and retry orchestration.
+- Generation transition (`warm -> active`, previous `active -> draining`).
+
+Control Plane must prioritize determinism over short-term aggressiveness.
+
+### Data Plane Responsibilities
+Data Plane is throughput-first and allocation-sensitive:
+- Session bind to writer.
+- Per-frame parsing/validation and dispatch.
+- Ack and close signal propagation.
+- Route drop behavior under missing connection or closed channel.
+- Minimal critical logging in hot path.
+
+Data Plane should avoid waiting on operations that are not strictly required for frame correctness.
+
+## Concurrency and Synchronization
+
+### Concurrency Principles
+- Per-writer isolation: each writer has independent send/read task loops.
+- Per-connection isolation: client channel state is scoped by `conn_id`.
+- Asynchronous recovery: refill/reconnect runs outside the packet hot path.
+
+### Synchronization Strategy
+- Shared maps use fine-grained, short-lived locking.
+- Read-mostly paths avoid broad write-lock windows.
+- Backpressure decisions are localized at route/channel boundary.
+
+Design target:
+- A slow consumer should degrade only itself (or its route), not global writer progress.
+
+### Cancellation and Shutdown
+Writer and reader loops are cancellation-aware:
+- explicit cancel token / close command support;
+- safe unbind and cleanup via registry;
+- deterministic order: stop admission -> drain/close -> release resources.
+
+## Consistency Model
+
+### Session Consistency
+For one `conn_id`:
+- exactly one active route target at a time;
+- close and unbind must be idempotent;
+- writer loss must not leave dangling bindings.
+
+### Generation Consistency
+Generational consistency guarantees:
+- New generation is not promoted before minimum coverage gate.
+- Previous generation remains available in `draining` state during handover.
+- Forced retirement is policy-bound (`drain ttl`, optional force-close), not immediate.
+
+### Policy Consistency
+Policy changes (`adaptive/static floor`, fallback mode, retries) should apply without violating established active-session routing invariants.
+
+## Backpressure and Flow Control
+
+### Route-Level Backpressure
+Route channels are bounded by design.
+When pressure increases:
+- short burst absorption is allowed;
+- prolonged congestion triggers controlled drop semantics;
+- drop accounting is explicit via metrics/counters.
+
+### Reader Non-Blocking Priority
+Inbound ME reader path should never be serialized behind one congested client route.
+Practical implication:
+- prefer non-blocking route attempt in the parser loop;
+- move heavy recovery to async side paths.
+
+## Failure Domain Strategy
+
+### Endpoint-Level Failure
+Failure of one endpoint should trigger endpoint-scoped recovery first:
+- same endpoint reconnect;
+- endpoint replacement within same DC group if applicable.
+
+### DC-Level Degradation
+If a DC group cannot satisfy floor:
+- keep service via remaining coverage if policy allows;
+- continue asynchronous refill saturation in background.
+
+### Whole-Pool Readiness Loss
+If no sufficient ME coverage exists:
+- admission gate can hold new accepts (conditional policy);
+- existing sessions should continue when their path remains healthy.
+
+## Performance Architecture Notes
+
+### Hotpath Discipline
+Allowed in hotpath:
+- fixed-size parsing and cheap validation;
+- bounded channel operations;
+- precomputed or low-allocation access patterns.
+
+Avoid in hotpath:
+- repeated expensive decoding;
+- broad locks with awaits inside critical sections;
+- verbose high-frequency logging.
+
+### Throughput Stability Over Peak Spikes
+Architecture prefers stable throughput and predictable latency over short peak gains that increase churn or long-tail reconnect times.
+
+## Evolution and Extension Rules
+
+To evolve this model safely:
+- Add new policy knobs in Control Plane first.
+- Keep Data Plane contracts stable (`conn_id`, route semantics, close semantics).
+- Validate generation and registry invariants before enabling by default.
+- Introduce new retry/recovery strategies behind explicit config.
+
+## Failure and Recovery Notes
+
+- Single-endpoint DC failure is a normal degraded mode case; policy should prioritize fast reconnect and optional shadow/probing strategies.
+- Idle close by peer should be treated as expected when upstream enforces idle timeout.
+- Reconnect backoff must protect against synchronized churn while still allowing fast first retries.
+- Fallback (`ME -> direct DC`) is a policy switch, not a transport bug by itself.
+
+## Terminology Summary
+- `Coverage`: enough live writers to satisfy per-DC acceptance policy.
+- `Floor`: target minimum writer count policy.
+- `Churn`: frequent writer reconnect/remove cycles.
+- `Hotpath`: per-packet/per-connection data path where extra waits/allocations are expensive.
--- a/docs/model/MODEL.ru.md
+++ b/docs/model/MODEL.ru.md
@@ -0,0 +1,285 @@
+# Runtime-модель Telemt
+
+## Область описания
+Документ фиксирует ключевые runtime-понятия пайплайна Middle-End (ME) и оркестрации вокруг него.
+
+Фокус:
+- `ME Pool / Reader / Writer / Refill / Registry`
+- `Adaptive Floor`
+- `Trio-State`
+- `Generation Lifecycle`
+
+## Базовые сущности
+
+### ME Pool
+`ME Pool` — центральный оркестратор всех Middle-End writer-ов.
+
+Зона ответственности:
+- хранит инвентарь writer-ов по DC/family/endpoint;
+- управляет выбором writer-а и маршрутизацией;
+- ведёт состояние поколений (`active`, `warm`, `draining` контекст);
+- применяет runtime-политики (floor, refill, reconnect, reinit, fallback);
+- отдаёт сигналы готовности для admission-логики (conditional accept/cast).
+
+Что не делает:
+- не декодирует клиентский протокол;
+- не реализует бизнес-политику пользователя (квоты/лимиты).
+
+### ME Writer
+`ME Writer` — долгоживущий ME RPC-канал к конкретному endpoint (`ip:port`), у которого есть:
+- канал команд на отправку;
+- связанный reader loop для входящего потока;
+- флаги состояния/деградации;
+- метаданные contour/state и generation.
+
+Writer — это фактический data-plane носитель клиентских сессий после бинда.
+
+### ME Reader
+`ME Reader` — входной parser/dispatcher одного writer-а:
+- читает и расшифровывает ME RPC-фреймы;
+- проверяет sequence/checksum;
+- маршрутизирует payload в client-каналы через `Registry`;
+- обрабатывает close/ack/data и обновляет телеметрию.
+
+Инженерный принцип:
+- Reader должен оставаться неблокирующим.
+- Backpressure одной клиентской сессии не должен останавливать весь поток writer-а.
+
+### Refill
+`Refill` — механизм восстановления покрытия writer-ов при просадке:
+- восстановление на том же endpoint в первую очередь;
+- восстановление по DC до требуемого floor;
+- опциональные outage/shadow-режимы для хрупких single-endpoint DC.
+
+Refill работает асинхронно и не должен блокировать hotpath.
+
+### Registry
+`Registry` — маршрутизационный индекс между ME и клиентскими сессиями:
+- `conn_id -> канал ответа клиенту`;
+- map биндов `conn_id <-> writer_id`;
+- снимки активности writer-ов и idle-трекинг.
+
+Ключевые инварианты:
+- один `conn_id` маршрутизируется максимум в один активный канал ответа;
+- потеря writer-а приводит к безопасному unbind/cleanup и отправке close;
+- именно `Registry` является источником истины по активным ME-биндам.
+
+## Adaptive Floor
+
+### Что это
+`Adaptive Floor` — runtime-политика, которая динамически меняет целевое число writer-ов на DC в зависимости от активности, а не держит всегда фиксированный статический floor.
+
+### Зачем
+Цели:
+- уменьшить churn на idle-трафике;
+- сохранить достаточную прогретую ёмкость для быстрых всплесков;
+- снизить лишние reconnect-штормы на нестабильных endpoint.
+
+### Модель поведения
+- при активности floor стремится к статическому требованию;
+- при длительном idle floor может снижаться до безопасного минимума;
+- grace/recovery окна не дают системе "флапать" слишком резко.
+
+### Ограничения безопасности
+- нельзя нарушать минимальный floor выживаемости DC-группы;
+- refill обязан быстро нарастить покрытие по запросу;
+- адаптация не должна принудительно ронять уже привязанные healthy-сессии.
+
+## Trio-State
+
+`Trio-State` — контурная роль writer-а:
+- `Warm`
+- `Active`
+- `Draining`
+
+### Семантика состояний
+- `Warm`: writer подключён и валиден, но не основной для новых биндов.
+- `Active`: приоритетный для новых биндов и обычного трафика.
+- `Draining`: новые обычные бинды не назначаются; текущие сессии живут до правил graceful-вывода.
+
+### Логика переходов
+- `Warm -> Active`: когда достигнуты условия покрытия/готовности.
+- `Active -> Draining`: при swap поколения, замене endpoint или контролируемом выводе.
+- `Draining -> removed`: после drain TTL/force-close политики (или естественного опустошения).
+
+Такое разделение снижает SPOF-риски и делает cutover предсказуемым.
+
+## Generation Lifecycle
+
+Generation изолирует эпохи пула при reinit/reconfiguration.
+
+### Фазы жизненного цикла
+1. `Bootstrap`: поднимается начальный набор writer-ов.
+2. `Warmup`: создаётся и валидируется новое поколение.
+3. `Activation`: новое поколение становится active после прохождения coverage-gate.
+4. `Drain`: предыдущее поколение переводится в draining, текущим сессиям дают завершиться.
+5. `Retire`: старое поколение удаляется по graceful-правилам.
+
+### Операционные гарантии
+- нельзя активировать поколение частично без минимального покрытия;
+- healthy-клиенты не должны теряться только из-за появления нового поколения;
+- draining-поколение служит буфером для in-flight трафика во время swap.
+
+### Готовность и приём клиентов
+Готовность пула не равна "все endpoint полностью насыщены".
+Типичная стратегия:
+- открыть admission при минимально достаточном alive-покрытии по DC;
+- параллельно продолжать saturation для multi-endpoint DC.
+
+Это уменьшает startup latency и сохраняет выход на полную ёмкость.
+
+## Как понятия связаны между собой
+
+- `Generation` задаёт эпохи пула.
+- `Trio-State` задаёт роль каждого writer-а внутри/между эпохами.
+- `Adaptive Floor` задаёт, сколько ёмкости нужно сейчас.
+- `Refill` — исполнитель, который закрывает разницу между desired и current capacity.
+- `Registry` гарантирует корректную маршрутизацию сессий, пока всё выше меняется.
+
+## Архитектурный подход
+
+### Слоистая модель
+Runtime специально разделён на две плоскости:
+- `Control Plane`: принимает решения о целевой топологии и политиках (`floor`, `generation swap`, `refill`, `fallback`).
+- `Data Plane`: исполняет транспорт сессий и пакетов (`reader`, `writer`, маршрутизация, ack, close).
+
+Ключевое правило:
+- Control Plane может менять состав writer-ов и policy.
+- Data Plane должен оставаться стабильным и низколатентным в момент этих изменений.
+
+### Модель владения состоянием
+Владение разделено по доменам:
+- `MePool` владеет жизненным циклом writer-ов и policy-state.
+- `Registry` владеет routing-биндами клиентских сессий.
+- `Writer task` владеет исходящей прогрессией ME-сокета.
+- `Reader task` владеет входящим парсингом и dispatch-событиями.
+
+Это ограничивает побочные мутации и локализует инварианты.
+
+### Обязанности Control Plane
+Control Plane работает событийно и policy-ориентированно:
+- стартовая инициализация и readiness-gate;
+- runtime reinit (периодический и/или по изменению конфигурации);
+- проверки покрытия по DC/family/endpoint group;
+- применение floor-политики (static/adaptive);
+- планирование refill и orchestration retry;
+- переходы поколений (`warm -> active`, прежний `active -> draining`).
+
+Для него важнее детерминизм, чем агрессивная краткосрочная реакция.
+
+### Обязанности Data Plane
+Data Plane ориентирован на пропускную способность и предсказуемую задержку:
+- bind клиентской сессии к writer-у;
+- per-frame parsing/validation/dispatch;
+- распространение ack/close;
+- корректная реакция на missing conn/closed channel;
+- минимальный лог-шум в hotpath.
+
+Data Plane не должен ждать операций, не критичных для корректности текущего фрейма.
+
+## Конкурентность и синхронизация
+
+### Принципы конкурентности
+- Изоляция по writer-у: у каждого writer-а независимые send/read loop.
+- Изоляция по сессии: состояние канала локально для `conn_id`.
+- Асинхронное восстановление: refill/reconnect выполняются вне пакетного hotpath.
+
+### Стратегия синхронизации
+- Для shared map используются короткие и узкие lock-секции.
+- Read-heavy пути избегают длительных write-lock окон.
+- Решения по backpressure локализованы на границе route/channel.
+
+Цель:
+- медленный consumer должен деградировать локально, не останавливая глобальный прогресс writer-а.
+
+### Cancellation и shutdown
+Reader/Writer loop должны быть cancellation-aware:
+- явные cancel token / close command;
+- безопасный unbind/cleanup через registry;
+- детерминированный порядок: stop admission -> drain/close -> release resources.
+
+## Модель согласованности
+
+### Согласованность сессии
+Для одного `conn_id`:
+- одновременно ровно один активный route-target;
+- close/unbind операции идемпотентны;
+- потеря writer-а не оставляет dangling-бинды.
+
+### Согласованность поколения
+Гарантии generation:
+- новое поколение не активируется до прохождения минимального coverage-gate;
+- предыдущее поколение остаётся в `draining` на время handover;
+- принудительный вывод writer-ов ограничен policy (`drain ttl`, optional force-close), а не мгновенный.
+
+### Согласованность политик
+Изменение policy (`adaptive/static floor`, fallback mode, retries) не должно ломать инварианты маршрутизации уже активных сессий.
+
+## Backpressure и управление потоком
+
+### Route-level backpressure
+Route-каналы намеренно bounded.
+При росте нагрузки:
+- кратковременный burst поглощается;
+- длительная перегрузка переходит в контролируемую drop-семантику;
+- все drop-сценарии должны быть прозрачно видны в метриках.
+
+### Приоритет неблокирующего Reader
+Входящий ME-reader path не должен сериализоваться из-за одной перегруженной клиентской сессии.
+Практически это означает:
+- использовать неблокирующую попытку route в parser loop;
+- выносить тяжёлое восстановление в асинхронные side-path.
+
+## Стратегия доменов отказа
+
+### Отказ отдельного endpoint
+Сначала применяется endpoint-local recovery:
+- reconnect в тот же endpoint;
+- затем замена endpoint внутри той же DC-группы (если доступно).
+
+### Деградация уровня DC
+Если DC-группа не набирает floor:
+- сервис сохраняется на остаточном покрытии (если policy разрешает);
+- saturation refill продолжается асинхронно в фоне.
+
+### Потеря готовности всего пула
+Если достаточного ME-покрытия нет:
+- admission gate может временно закрыть приём новых подключений (conditional policy);
+- уже активные сессии продолжают работать, пока их маршрут остаётся healthy.
+
+## Архитектурные заметки по производительности
+
+### Дисциплина hotpath
+Допустимо в hotpath:
+- фиксированный и дешёвый parsing/validation;
+- bounded channel operations;
+- precomputed/low-allocation доступ к данным.
+
+Нежелательно в hotpath:
+- повторные дорогие decode;
+- широкие lock-секции с `await` внутри;
+- высокочастотный подробный logging.
+
+### Стабильность важнее пиков
+Архитектура приоритетно выбирает стабильную пропускную способность и предсказуемую latency, а не краткосрочные пики ценой churn и long-tail reconnect.
+
+## Правила эволюции модели
+
+Чтобы расширять модель безопасно:
+- новые policy knobs сначала внедрять в Control Plane;
+- контракты Data Plane (`conn_id`, route/close семантика) держать стабильными;
+- перед дефолтным включением проверять generation/registry инварианты;
+- новые recovery/retry стратегии вводить через явный config-флаг.
+
+## Нюансы отказов и восстановления
+
+- падение single-endpoint DC — штатный деградированный сценарий; приоритет: быстрый reconnect и, при необходимости, shadow/probing;
+- idle-close со стороны peer должен считаться нормальным событием при upstream idle-timeout;
+- backoff reconnect-логики должен ограничивать синхронный churn, но сохранять быстрые первые попытки;
+- fallback (`ME -> direct DC`) — это переключаемая policy-ветка, а не автоматический признак бага транспорта.
+
+## Краткий словарь
+- `Coverage`: достаточное число живых writer-ов для политики приёма по DC.
+- `Floor`: целевая минимальная ёмкость writer-ов.
+- `Churn`: частые циклы reconnect/remove writer-ов.
+- `Hotpath`: пер-пакетный/пер-коннектный путь, где любые лишние ожидания и аллокации особенно дороги.
--- a/install.sh
+++ b/install.sh
@@ -0,0 +1,93 @@
+#!/bin/sh
+set -eu
+
+REPO="${REPO:-telemt/telemt}"
+BIN_NAME="${BIN_NAME:-telemt}"
+VERSION="${1:-${VERSION:-latest}}"
+INSTALL_DIR="${INSTALL_DIR:-/usr/local/bin}"
+
+say() {
+    printf '%s\n' "$*"
+}
+
+die() {
+    printf 'Error: %s\n' "$*" >&2
+    exit 1
+}
+
+need_cmd() {
+    command -v "$1" >/dev/null 2>&1 || die "required command not found: $1"
+}
+
+detect_arch() {
+    arch="$(uname -m)"
+    case "$arch" in
+        x86_64|amd64) printf 'x86_64\n' ;;
+        aarch64|arm64) printf 'aarch64\n' ;;
+        *) die "unsupported architecture: $arch" ;;
+    esac
+}
+
+detect_libc() {
+    case "$(ldd --version 2>&1 || true)" in
+        *musl*) printf 'musl\n' ;;
+        *) printf 'gnu\n' ;;
+    esac
+}
+
+fetch_to_stdout() {
+    url="$1"
+    if command -v curl >/dev/null 2>&1; then
+        curl -fsSL "$url"
+    elif command -v wget >/dev/null 2>&1; then
+        wget -qO- "$url"
+    else
+        die "neither curl nor wget is installed"
+    fi
+}
+
+install_binary() {
+    src="$1"
+    dst="$2"
+
+    if [ -w "$INSTALL_DIR" ] || { [ ! -e "$INSTALL_DIR" ] && [ -w "$(dirname "$INSTALL_DIR")" ]; }; then
+        mkdir -p "$INSTALL_DIR"
+        install -m 0755 "$src" "$dst"
+    elif command -v sudo >/dev/null 2>&1; then
+        sudo mkdir -p "$INSTALL_DIR"
+        sudo install -m 0755 "$src" "$dst"
+    else
+        die "cannot write to $INSTALL_DIR and sudo is not available"
+    fi
+}
+
+need_cmd uname
+need_cmd tar
+need_cmd mktemp
+need_cmd grep
+need_cmd install
+
+ARCH="$(detect_arch)"
+LIBC="$(detect_libc)"
+
+case "$VERSION" in
+    latest)
+        URL="https://github.com/$REPO/releases/latest/download/${BIN_NAME}-${ARCH}-linux-${LIBC}.tar.gz"
+        ;;
+    *)
+        URL="https://github.com/$REPO/releases/download/${VERSION}/${BIN_NAME}-${ARCH}-linux-${LIBC}.tar.gz"
+        ;;
+esac
+
+TMPDIR="$(mktemp -d)"
+trap 'rm -rf "$TMPDIR"' EXIT INT TERM
+
+say "Installing $BIN_NAME ($VERSION) for $ARCH-linux-$LIBC..."
+fetch_to_stdout "$URL" | tar -xzf - -C "$TMPDIR"
+
+[ -f "$TMPDIR/$BIN_NAME" ] || die "archive did not contain $BIN_NAME"
+
+install_binary "$TMPDIR/$BIN_NAME" "$INSTALL_DIR/$BIN_NAME"
+
+say "Installed: $INSTALL_DIR/$BIN_NAME"
+"$INSTALL_DIR/$BIN_NAME" --version 2>/dev/null || true
--- a/src/api/config_store.rs
+++ b/src/api/config_store.rs
@@ -0,0 +1,107 @@
+use std::io::Write;
+use std::path::{Path, PathBuf};
+
+use hyper::header::IF_MATCH;
+use sha2::{Digest, Sha256};
+
+use crate::config::ProxyConfig;
+
+use super::model::ApiFailure;
+
+pub(super) fn parse_if_match(headers: &hyper::HeaderMap) -> Option<String> {
+    headers
+        .get(IF_MATCH)
+        .and_then(|value| value.to_str().ok())
+        .map(str::trim)
+        .filter(|value| !value.is_empty())
+        .map(|value| value.trim_matches('"').to_string())
+}
+
+pub(super) async fn ensure_expected_revision(
+    config_path: &Path,
+    expected_revision: Option<&str>,
+) -> Result<(), ApiFailure> {
+    let Some(expected) = expected_revision else {
+        return Ok(());
+    };
+    let current = current_revision(config_path).await?;
+    if current != expected {
+        return Err(ApiFailure::new(
+            hyper::StatusCode::CONFLICT,
+            "revision_conflict",
+            "Config revision mismatch",
+        ));
+    }
+    Ok(())
+}
+
+pub(super) async fn current_revision(config_path: &Path) -> Result<String, ApiFailure> {
+    let content = tokio::fs::read_to_string(config_path)
+        .await
+        .map_err(|e| ApiFailure::internal(format!("failed to read config: {}", e)))?;
+    Ok(compute_revision(&content))
+}
+
+pub(super) fn compute_revision(content: &str) -> String {
+    let mut hasher = Sha256::new();
+    hasher.update(content.as_bytes());
+    hex::encode(hasher.finalize())
+}
+
+pub(super) async fn load_config_from_disk(config_path: &Path) -> Result<ProxyConfig, ApiFailure> {
+    let config_path = config_path.to_path_buf();
+    tokio::task::spawn_blocking(move || ProxyConfig::load(config_path))
+        .await
+        .map_err(|e| ApiFailure::internal(format!("failed to join config loader: {}", e)))?
+        .map_err(|e| ApiFailure::internal(format!("failed to load config: {}", e)))
+}
+
+pub(super) async fn save_config_to_disk(
+    config_path: &Path,
+    cfg: &ProxyConfig,
+) -> Result<String, ApiFailure> {
+    let serialized = toml::to_string_pretty(cfg)
+        .map_err(|e| ApiFailure::internal(format!("failed to serialize config: {}", e)))?;
+    write_atomic(config_path.to_path_buf(), serialized.clone()).await?;
+    Ok(compute_revision(&serialized))
+}
+
+async fn write_atomic(path: PathBuf, contents: String) -> Result<(), ApiFailure> {
+    tokio::task::spawn_blocking(move || write_atomic_sync(&path, &contents))
+        .await
+        .map_err(|e| ApiFailure::internal(format!("failed to join writer: {}", e)))?
+        .map_err(|e| ApiFailure::internal(format!("failed to write config: {}", e)))
+}
+
+fn write_atomic_sync(path: &Path, contents: &str) -> std::io::Result<()> {
+    let parent = path.parent().unwrap_or_else(|| Path::new("."));
+    std::fs::create_dir_all(parent)?;
+
+    let tmp_name = format!(
+        ".{}.tmp-{}",
+        path.file_name()
+            .and_then(|s| s.to_str())
+            .unwrap_or("config.toml"),
+        rand::random::<u64>()
+    );
+    let tmp_path = parent.join(tmp_name);
+
+    let write_result = (|| {
+        let mut file = std::fs::OpenOptions::new()
+            .create_new(true)
+            .write(true)
+            .open(&tmp_path)?;
+        file.write_all(contents.as_bytes())?;
+        file.sync_all()?;
+        std::fs::rename(&tmp_path, path)?;
+        if let Ok(dir) = std::fs::File::open(parent) {
+            let _ = dir.sync_all();
+        }
+        Ok(())
+    })();
+
+    if write_result.is_err() {
+        let _ = std::fs::remove_file(&tmp_path);
+    }
+    write_result
+}
--- a/src/api/events.rs
+++ b/src/api/events.rs
@@ -0,0 +1,90 @@
+use std::collections::VecDeque;
+use std::sync::Mutex;
+use std::time::{SystemTime, UNIX_EPOCH};
+
+use serde::Serialize;
+
+#[derive(Clone, Serialize)]
+pub(super) struct ApiEventRecord {
+    pub(super) seq: u64,
+    pub(super) ts_epoch_secs: u64,
+    pub(super) event_type: String,
+    pub(super) context: String,
+}
+
+#[derive(Clone, Serialize)]
+pub(super) struct ApiEventSnapshot {
+    pub(super) capacity: usize,
+    pub(super) dropped_total: u64,
+    pub(super) events: Vec<ApiEventRecord>,
+}
+
+struct ApiEventsInner {
+    capacity: usize,
+    dropped_total: u64,
+    next_seq: u64,
+    events: VecDeque<ApiEventRecord>,
+}
+
+/// Bounded ring-buffer for control-plane API/runtime events.
+pub(crate) struct ApiEventStore {
+    inner: Mutex<ApiEventsInner>,
+}
+
+impl ApiEventStore {
+    pub(super) fn new(capacity: usize) -> Self {
+        let bounded = capacity.max(16);
+        Self {
+            inner: Mutex::new(ApiEventsInner {
+                capacity: bounded,
+                dropped_total: 0,
+                next_seq: 1,
+                events: VecDeque::with_capacity(bounded),
+            }),
+        }
+    }
+
+    pub(super) fn record(&self, event_type: &str, context: impl Into<String>) {
+        let now_epoch_secs = SystemTime::now()
+            .duration_since(UNIX_EPOCH)
+            .unwrap_or_default()
+            .as_secs();
+        let mut context = context.into();
+        if context.len() > 256 {
+            context.truncate(256);
+        }
+
+        let mut guard = self.inner.lock().expect("api event store mutex poisoned");
+        if guard.events.len() == guard.capacity {
+            guard.events.pop_front();
+            guard.dropped_total = guard.dropped_total.saturating_add(1);
+        }
+        let seq = guard.next_seq;
+        guard.next_seq = guard.next_seq.saturating_add(1);
+        guard.events.push_back(ApiEventRecord {
+            seq,
+            ts_epoch_secs: now_epoch_secs,
+            event_type: event_type.to_string(),
+            context,
+        });
+    }
+
+    pub(super) fn snapshot(&self, limit: usize) -> ApiEventSnapshot {
+        let guard = self.inner.lock().expect("api event store mutex poisoned");
+        let bounded_limit = limit.clamp(1, guard.capacity.max(1));
+        let mut items: Vec<ApiEventRecord> = guard
+            .events
+            .iter()
+            .rev()
+            .take(bounded_limit)
+            .cloned()
+            .collect();
+        items.reverse();
+
+        ApiEventSnapshot {
+            capacity: guard.capacity,
+            dropped_total: guard.dropped_total,
+            events: items,
+        }
+    }
+}
--- a/src/api/http_utils.rs
+++ b/src/api/http_utils.rs
@@ -0,0 +1,91 @@
+use http_body_util::{BodyExt, Full};
+use hyper::StatusCode;
+use hyper::body::{Bytes, Incoming};
+use serde::Serialize;
+use serde::de::DeserializeOwned;
+
+use super::model::{ApiFailure, ErrorBody, ErrorResponse, SuccessResponse};
+
+pub(super) fn success_response<T: Serialize>(
+    status: StatusCode,
+    data: T,
+    revision: String,
+) -> hyper::Response<Full<Bytes>> {
+    let payload = SuccessResponse {
+        ok: true,
+        data,
+        revision,
+    };
+    let body = serde_json::to_vec(&payload).unwrap_or_else(|_| b"{\"ok\":false}".to_vec());
+    hyper::Response::builder()
+        .status(status)
+        .header("content-type", "application/json; charset=utf-8")
+        .body(Full::new(Bytes::from(body)))
+        .unwrap()
+}
+
+pub(super) fn error_response(
+    request_id: u64,
+    failure: ApiFailure,
+) -> hyper::Response<Full<Bytes>> {
+    let payload = ErrorResponse {
+        ok: false,
+        error: ErrorBody {
+            code: failure.code,
+            message: failure.message,
+        },
+        request_id,
+    };
+    let body = serde_json::to_vec(&payload).unwrap_or_else(|_| {
+        format!(
+            "{{\"ok\":false,\"error\":{{\"code\":\"internal_error\",\"message\":\"serialization failed\"}},\"request_id\":{}}}",
+            request_id
+        )
+        .into_bytes()
+    });
+    hyper::Response::builder()
+        .status(failure.status)
+        .header("content-type", "application/json; charset=utf-8")
+        .body(Full::new(Bytes::from(body)))
+        .unwrap()
+}
+
+pub(super) async fn read_json<T: DeserializeOwned>(
+    body: Incoming,
+    limit: usize,
+) -> Result<T, ApiFailure> {
+    let bytes = read_body_with_limit(body, limit).await?;
+    serde_json::from_slice(&bytes).map_err(|_| ApiFailure::bad_request("Invalid JSON body"))
+}
+
+pub(super) async fn read_optional_json<T: DeserializeOwned>(
+    body: Incoming,
+    limit: usize,
+) -> Result<Option<T>, ApiFailure> {
+    let bytes = read_body_with_limit(body, limit).await?;
+    if bytes.is_empty() {
+        return Ok(None);
+    }
+    serde_json::from_slice(&bytes)
+        .map(Some)
+        .map_err(|_| ApiFailure::bad_request("Invalid JSON body"))
+}
+
+async fn read_body_with_limit(body: Incoming, limit: usize) -> Result<Vec<u8>, ApiFailure> {
+    let mut collected = Vec::new();
+    let mut body = body;
+    while let Some(frame_result) = body.frame().await {
+        let frame = frame_result.map_err(|_| ApiFailure::bad_request("Invalid request body"))?;
+        if let Some(chunk) = frame.data_ref() {
+            if collected.len().saturating_add(chunk.len()) > limit {
+                return Err(ApiFailure::new(
+                    StatusCode::PAYLOAD_TOO_LARGE,
+                    "payload_too_large",
+                    format!("Body exceeds {} bytes", limit),
+                ));
+            }
+            collected.extend_from_slice(chunk);
+        }
+    }
+    Ok(collected)
+}
--- a/src/api/mod.rs
+++ b/src/api/mod.rs
@@ -0,0 +1,540 @@
+use std::convert::Infallible;
+use std::net::{IpAddr, SocketAddr};
+use std::path::PathBuf;
+use std::sync::Arc;
+use std::sync::atomic::{AtomicBool, AtomicU64, Ordering};
+
+use http_body_util::Full;
+use hyper::body::{Bytes, Incoming};
+use hyper::header::AUTHORIZATION;
+use hyper::server::conn::http1;
+use hyper::service::service_fn;
+use hyper::{Method, Request, Response, StatusCode};
+use tokio::net::TcpListener;
+use tokio::sync::{Mutex, RwLock, watch};
+use tracing::{debug, info, warn};
+
+use crate::config::ProxyConfig;
+use crate::ip_tracker::UserIpTracker;
+use crate::startup::StartupTracker;
+use crate::stats::Stats;
+use crate::transport::middle_proxy::MePool;
+use crate::transport::UpstreamManager;
+
+mod config_store;
+mod events;
+mod http_utils;
+mod model;
+mod runtime_edge;
+mod runtime_init;
+mod runtime_min;
+mod runtime_stats;
+mod runtime_watch;
+mod runtime_zero;
+mod users;
+
+use config_store::{current_revision, parse_if_match};
+use http_utils::{error_response, read_json, read_optional_json, success_response};
+use events::ApiEventStore;
+use model::{
+    ApiFailure, CreateUserRequest, HealthData, PatchUserRequest, RotateSecretRequest, SummaryData,
+};
+use runtime_edge::{
+    EdgeConnectionsCacheEntry, build_runtime_connections_summary_data,
+    build_runtime_events_recent_data,
+};
+use runtime_init::build_runtime_initialization_data;
+use runtime_min::{
+    build_runtime_me_pool_state_data, build_runtime_me_quality_data, build_runtime_nat_stun_data,
+    build_runtime_upstream_quality_data, build_security_whitelist_data,
+};
+use runtime_stats::{
+    MinimalCacheEntry, build_dcs_data, build_me_writers_data, build_minimal_all_data,
+    build_upstreams_data, build_zero_all_data,
+};
+use runtime_zero::{
+    build_limits_effective_data, build_runtime_gates_data, build_security_posture_data,
+    build_system_info_data,
+};
+use runtime_watch::spawn_runtime_watchers;
+use users::{create_user, delete_user, patch_user, rotate_secret, users_from_config};
+
+pub(super) struct ApiRuntimeState {
+    pub(super) process_started_at_epoch_secs: u64,
+    pub(super) config_reload_count: AtomicU64,
+    pub(super) last_config_reload_epoch_secs: AtomicU64,
+    pub(super) admission_open: AtomicBool,
+}
+
+#[derive(Clone)]
+pub(super) struct ApiShared {
+    pub(super) stats: Arc<Stats>,
+    pub(super) ip_tracker: Arc<UserIpTracker>,
+    pub(super) me_pool: Arc<RwLock<Option<Arc<MePool>>>>,
+    pub(super) upstream_manager: Arc<UpstreamManager>,
+    pub(super) config_path: PathBuf,
+    pub(super) startup_detected_ip_v4: Option<IpAddr>,
+    pub(super) startup_detected_ip_v6: Option<IpAddr>,
+    pub(super) mutation_lock: Arc<Mutex<()>>,
+    pub(super) minimal_cache: Arc<Mutex<Option<MinimalCacheEntry>>>,
+    pub(super) runtime_edge_connections_cache: Arc<Mutex<Option<EdgeConnectionsCacheEntry>>>,
+    pub(super) runtime_edge_recompute_lock: Arc<Mutex<()>>,
+    pub(super) runtime_events: Arc<ApiEventStore>,
+    pub(super) request_id: Arc<AtomicU64>,
+    pub(super) runtime_state: Arc<ApiRuntimeState>,
+    pub(super) startup_tracker: Arc<StartupTracker>,
+}
+
+impl ApiShared {
+    fn next_request_id(&self) -> u64 {
+        self.request_id.fetch_add(1, Ordering::Relaxed)
+    }
+}
+
+pub async fn serve(
+    listen: SocketAddr,
+    stats: Arc<Stats>,
+    ip_tracker: Arc<UserIpTracker>,
+    me_pool: Arc<RwLock<Option<Arc<MePool>>>>,
+    upstream_manager: Arc<UpstreamManager>,
+    config_rx: watch::Receiver<Arc<ProxyConfig>>,
+    admission_rx: watch::Receiver<bool>,
+    config_path: PathBuf,
+    startup_detected_ip_v4: Option<IpAddr>,
+    startup_detected_ip_v6: Option<IpAddr>,
+    process_started_at_epoch_secs: u64,
+    startup_tracker: Arc<StartupTracker>,
+) {
+    let listener = match TcpListener::bind(listen).await {
+        Ok(listener) => listener,
+        Err(error) => {
+            warn!(
+                error = %error,
+                listen = %listen,
+                "Failed to bind API listener"
+            );
+            return;
+        }
+    };
+
+    info!("API endpoint: http://{}/v1/*", listen);
+
+    let runtime_state = Arc::new(ApiRuntimeState {
+        process_started_at_epoch_secs,
+        config_reload_count: AtomicU64::new(0),
+        last_config_reload_epoch_secs: AtomicU64::new(0),
+        admission_open: AtomicBool::new(*admission_rx.borrow()),
+    });
+
+    let shared = Arc::new(ApiShared {
+        stats,
+        ip_tracker,
+        me_pool,
+        upstream_manager,
+        config_path,
+        startup_detected_ip_v4,
+        startup_detected_ip_v6,
+        mutation_lock: Arc::new(Mutex::new(())),
+        minimal_cache: Arc::new(Mutex::new(None)),
+        runtime_edge_connections_cache: Arc::new(Mutex::new(None)),
+        runtime_edge_recompute_lock: Arc::new(Mutex::new(())),
+        runtime_events: Arc::new(ApiEventStore::new(
+            config_rx.borrow().server.api.runtime_edge_events_capacity,
+        )),
+        request_id: Arc::new(AtomicU64::new(1)),
+        runtime_state: runtime_state.clone(),
+        startup_tracker,
+    });
+
+    spawn_runtime_watchers(
+        config_rx.clone(),
+        admission_rx.clone(),
+        runtime_state.clone(),
+        shared.runtime_events.clone(),
+    );
+
+    loop {
+        let (stream, peer) = match listener.accept().await {
+            Ok(v) => v,
+            Err(error) => {
+                warn!(error = %error, "API accept error");
+                continue;
+            }
+        };
+
+        let shared_conn = shared.clone();
+        let config_rx_conn = config_rx.clone();
+        tokio::spawn(async move {
+            let svc = service_fn(move |req: Request<Incoming>| {
+                let shared_req = shared_conn.clone();
+                let config_rx_req = config_rx_conn.clone();
+                async move { handle(req, peer, shared_req, config_rx_req).await }
+            });
+            if let Err(error) = http1::Builder::new()
+                .serve_connection(hyper_util::rt::TokioIo::new(stream), svc)
+                .await
+            {
+                debug!(error = %error, "API connection error");
+            }
+        });
+    }
+}
+
+async fn handle(
+    req: Request<Incoming>,
+    peer: SocketAddr,
+    shared: Arc<ApiShared>,
+    config_rx: watch::Receiver<Arc<ProxyConfig>>,
+) -> Result<Response<Full<Bytes>>, Infallible> {
+    let request_id = shared.next_request_id();
+    let cfg = config_rx.borrow().clone();
+    let api_cfg = &cfg.server.api;
+
+    if !api_cfg.enabled {
+        return Ok(error_response(
+            request_id,
+            ApiFailure::new(
+                StatusCode::SERVICE_UNAVAILABLE,
+                "api_disabled",
+                "API is disabled",
+            ),
+        ));
+    }
+
+    if !api_cfg.whitelist.is_empty()
+        && !api_cfg
+            .whitelist
+            .iter()
+            .any(|net| net.contains(peer.ip()))
+    {
+        return Ok(error_response(
+            request_id,
+            ApiFailure::new(StatusCode::FORBIDDEN, "forbidden", "Source IP is not allowed"),
+        ));
+    }
+
+    if !api_cfg.auth_header.is_empty() {
+        let auth_ok = req
+            .headers()
+            .get(AUTHORIZATION)
+            .and_then(|v| v.to_str().ok())
+            .map(|v| v == api_cfg.auth_header)
+            .unwrap_or(false);
+        if !auth_ok {
+            return Ok(error_response(
+                request_id,
+                ApiFailure::new(
+                    StatusCode::UNAUTHORIZED,
+                    "unauthorized",
+                    "Missing or invalid Authorization header",
+                ),
+            ));
+        }
+    }
+
+    let method = req.method().clone();
+    let path = req.uri().path().to_string();
+    let query = req.uri().query().map(str::to_string);
+    let body_limit = api_cfg.request_body_limit_bytes;
+
+    let result: Result<Response<Full<Bytes>>, ApiFailure> = async {
+        match (method.as_str(), path.as_str()) {
+            ("GET", "/v1/health") => {
+                let revision = current_revision(&shared.config_path).await?;
+                let data = HealthData {
+                    status: "ok",
+                    read_only: api_cfg.read_only,
+                };
+                Ok(success_response(StatusCode::OK, data, revision))
+            }
+            ("GET", "/v1/system/info") => {
+                let revision = current_revision(&shared.config_path).await?;
+                let data = build_system_info_data(shared.as_ref(), cfg.as_ref(), &revision);
+                Ok(success_response(StatusCode::OK, data, revision))
+            }
+            ("GET", "/v1/runtime/gates") => {
+                let revision = current_revision(&shared.config_path).await?;
+                let data = build_runtime_gates_data(shared.as_ref(), cfg.as_ref()).await;
+                Ok(success_response(StatusCode::OK, data, revision))
+            }
+            ("GET", "/v1/runtime/initialization") => {
+                let revision = current_revision(&shared.config_path).await?;
+                let data = build_runtime_initialization_data(shared.as_ref()).await;
+                Ok(success_response(StatusCode::OK, data, revision))
+            }
+            ("GET", "/v1/limits/effective") => {
+                let revision = current_revision(&shared.config_path).await?;
+                let data = build_limits_effective_data(cfg.as_ref());
+                Ok(success_response(StatusCode::OK, data, revision))
+            }
+            ("GET", "/v1/security/posture") => {
+                let revision = current_revision(&shared.config_path).await?;
+                let data = build_security_posture_data(cfg.as_ref());
+                Ok(success_response(StatusCode::OK, data, revision))
+            }
+            ("GET", "/v1/security/whitelist") => {
+                let revision = current_revision(&shared.config_path).await?;
+                let data = build_security_whitelist_data(cfg.as_ref());
+                Ok(success_response(StatusCode::OK, data, revision))
+            }
+            ("GET", "/v1/stats/summary") => {
+                let revision = current_revision(&shared.config_path).await?;
+                let data = SummaryData {
+                    uptime_seconds: shared.stats.uptime_secs(),
+                    connections_total: shared.stats.get_connects_all(),
+                    connections_bad_total: shared.stats.get_connects_bad(),
+                    handshake_timeouts_total: shared.stats.get_handshake_timeouts(),
+                    configured_users: cfg.access.users.len(),
+                };
+                Ok(success_response(StatusCode::OK, data, revision))
+            }
+            ("GET", "/v1/stats/zero/all") => {
+                let revision = current_revision(&shared.config_path).await?;
+                let data = build_zero_all_data(&shared.stats, cfg.access.users.len());
+                Ok(success_response(StatusCode::OK, data, revision))
+            }
+            ("GET", "/v1/stats/upstreams") => {
+                let revision = current_revision(&shared.config_path).await?;
+                let data = build_upstreams_data(shared.as_ref(), api_cfg);
+                Ok(success_response(StatusCode::OK, data, revision))
+            }
+            ("GET", "/v1/stats/minimal/all") => {
+                let revision = current_revision(&shared.config_path).await?;
+                let data = build_minimal_all_data(shared.as_ref(), api_cfg).await;
+                Ok(success_response(StatusCode::OK, data, revision))
+            }
+            ("GET", "/v1/stats/me-writers") => {
+                let revision = current_revision(&shared.config_path).await?;
+                let data = build_me_writers_data(shared.as_ref(), api_cfg).await;
+                Ok(success_response(StatusCode::OK, data, revision))
+            }
+            ("GET", "/v1/stats/dcs") => {
+                let revision = current_revision(&shared.config_path).await?;
+                let data = build_dcs_data(shared.as_ref(), api_cfg).await;
+                Ok(success_response(StatusCode::OK, data, revision))
+            }
+            ("GET", "/v1/runtime/me_pool_state") => {
+                let revision = current_revision(&shared.config_path).await?;
+                let data = build_runtime_me_pool_state_data(shared.as_ref()).await;
+                Ok(success_response(StatusCode::OK, data, revision))
+            }
+            ("GET", "/v1/runtime/me_quality") => {
+                let revision = current_revision(&shared.config_path).await?;
+                let data = build_runtime_me_quality_data(shared.as_ref()).await;
+                Ok(success_response(StatusCode::OK, data, revision))
+            }
+            ("GET", "/v1/runtime/upstream_quality") => {
+                let revision = current_revision(&shared.config_path).await?;
+                let data = build_runtime_upstream_quality_data(shared.as_ref()).await;
+                Ok(success_response(StatusCode::OK, data, revision))
+            }
+            ("GET", "/v1/runtime/nat_stun") => {
+                let revision = current_revision(&shared.config_path).await?;
+                let data = build_runtime_nat_stun_data(shared.as_ref()).await;
+                Ok(success_response(StatusCode::OK, data, revision))
+            }
+            ("GET", "/v1/runtime/connections/summary") => {
+                let revision = current_revision(&shared.config_path).await?;
+                let data = build_runtime_connections_summary_data(shared.as_ref(), cfg.as_ref()).await;
+                Ok(success_response(StatusCode::OK, data, revision))
+            }
+            ("GET", "/v1/runtime/events/recent") => {
+                let revision = current_revision(&shared.config_path).await?;
+                let data = build_runtime_events_recent_data(
+                    shared.as_ref(),
+                    cfg.as_ref(),
+                    query.as_deref(),
+                );
+                Ok(success_response(StatusCode::OK, data, revision))
+            }
+            ("GET", "/v1/stats/users") | ("GET", "/v1/users") => {
+                let revision = current_revision(&shared.config_path).await?;
+                let users = users_from_config(
+                    &cfg,
+                    &shared.stats,
+                    &shared.ip_tracker,
+                    shared.startup_detected_ip_v4,
+                    shared.startup_detected_ip_v6,
+                )
+                .await;
+                Ok(success_response(StatusCode::OK, users, revision))
+            }
+            ("POST", "/v1/users") => {
+                if api_cfg.read_only {
+                    return Ok(error_response(
+                        request_id,
+                        ApiFailure::new(
+                            StatusCode::FORBIDDEN,
+                            "read_only",
+                            "API runs in read-only mode",
+                        ),
+                    ));
+                }
+                let expected_revision = parse_if_match(req.headers());
+                let body = read_json::<CreateUserRequest>(req.into_body(), body_limit).await?;
+                let result = create_user(body, expected_revision, &shared).await;
+                let (data, revision) = match result {
+                    Ok(ok) => ok,
+                    Err(error) => {
+                        shared.runtime_events.record("api.user.create.failed", error.code);
+                        return Err(error);
+                    }
+                };
+                shared
+                    .runtime_events
+                    .record("api.user.create.ok", format!("username={}", data.user.username));
+                Ok(success_response(StatusCode::CREATED, data, revision))
+            }
+            _ => {
+                if let Some(user) = path.strip_prefix("/v1/users/")
+                    && !user.is_empty()
+                    && !user.contains('/')
+                {
+                    if method == Method::GET {
+                        let revision = current_revision(&shared.config_path).await?;
+                        let users = users_from_config(
+                            &cfg,
+                            &shared.stats,
+                            &shared.ip_tracker,
+                            shared.startup_detected_ip_v4,
+                            shared.startup_detected_ip_v6,
+                        )
+                        .await;
+                        if let Some(user_info) = users.into_iter().find(|entry| entry.username == user)
+                        {
+                            return Ok(success_response(StatusCode::OK, user_info, revision));
+                        }
+                        return Ok(error_response(
+                            request_id,
+                            ApiFailure::new(StatusCode::NOT_FOUND, "not_found", "User not found"),
+                        ));
+                    }
+                    if method == Method::PATCH {
+                        if api_cfg.read_only {
+                            return Ok(error_response(
+                                request_id,
+                                ApiFailure::new(
+                                    StatusCode::FORBIDDEN,
+                                    "read_only",
+                                    "API runs in read-only mode",
+                                ),
+                            ));
+                        }
+                        let expected_revision = parse_if_match(req.headers());
+                        let body = read_json::<PatchUserRequest>(req.into_body(), body_limit).await?;
+                        let result = patch_user(user, body, expected_revision, &shared).await;
+                        let (data, revision) = match result {
+                            Ok(ok) => ok,
+                            Err(error) => {
+                                shared.runtime_events.record(
+                                    "api.user.patch.failed",
+                                    format!("username={} code={}", user, error.code),
+                                );
+                                return Err(error);
+                            }
+                        };
+                        shared
+                            .runtime_events
+                            .record("api.user.patch.ok", format!("username={}", data.username));
+                        return Ok(success_response(StatusCode::OK, data, revision));
+                    }
+                    if method == Method::DELETE {
+                        if api_cfg.read_only {
+                            return Ok(error_response(
+                                request_id,
+                                ApiFailure::new(
+                                    StatusCode::FORBIDDEN,
+                                    "read_only",
+                                    "API runs in read-only mode",
+                                ),
+                            ));
+                        }
+                        let expected_revision = parse_if_match(req.headers());
+                        let result = delete_user(user, expected_revision, &shared).await;
+                        let (deleted_user, revision) = match result {
+                            Ok(ok) => ok,
+                            Err(error) => {
+                                shared.runtime_events.record(
+                                    "api.user.delete.failed",
+                                    format!("username={} code={}", user, error.code),
+                                );
+                                return Err(error);
+                            }
+                        };
+                        shared.runtime_events.record(
+                            "api.user.delete.ok",
+                            format!("username={}", deleted_user),
+                        );
+                        return Ok(success_response(StatusCode::OK, deleted_user, revision));
+                    }
+                    if method == Method::POST
+                        && let Some(base_user) = user.strip_suffix("/rotate-secret")
+                        && !base_user.is_empty()
+                        && !base_user.contains('/')
+                    {
+                        if api_cfg.read_only {
+                            return Ok(error_response(
+                                request_id,
+                                ApiFailure::new(
+                                    StatusCode::FORBIDDEN,
+                                    "read_only",
+                                    "API runs in read-only mode",
+                                ),
+                            ));
+                        }
+                        let expected_revision = parse_if_match(req.headers());
+                        let body =
+                            read_optional_json::<RotateSecretRequest>(req.into_body(), body_limit)
+                                .await?;
+                        let result = rotate_secret(
+                            base_user,
+                            body.unwrap_or_default(),
+                            expected_revision,
+                            &shared,
+                        )
+                        .await;
+                        let (data, revision) = match result {
+                            Ok(ok) => ok,
+                            Err(error) => {
+                                shared.runtime_events.record(
+                                    "api.user.rotate_secret.failed",
+                                    format!("username={} code={}", base_user, error.code),
+                                );
+                                return Err(error);
+                            }
+                        };
+                        shared.runtime_events.record(
+                            "api.user.rotate_secret.ok",
+                            format!("username={}", base_user),
+                        );
+                        return Ok(success_response(StatusCode::OK, data, revision));
+                    }
+                    if method == Method::POST {
+                        return Ok(error_response(
+                            request_id,
+                            ApiFailure::new(StatusCode::NOT_FOUND, "not_found", "Route not found"),
+                        ));
+                    }
+                    return Ok(error_response(
+                        request_id,
+                        ApiFailure::new(
+                            StatusCode::METHOD_NOT_ALLOWED,
+                            "method_not_allowed",
+                            "Unsupported HTTP method for this route",
+                        ),
+                    ));
+                }
+                Ok(error_response(
+                    request_id,
+                    ApiFailure::new(StatusCode::NOT_FOUND, "not_found", "Route not found"),
+                ))
+            }
+        }
+    }
+    .await;
+
+    match result {
+        Ok(resp) => Ok(resp),
+        Err(error) => Ok(error_response(request_id, error)),
+    }
+}
--- a/src/api/model.rs
+++ b/src/api/model.rs
@@ -0,0 +1,477 @@
+use std::net::IpAddr;
+
+use chrono::{DateTime, Utc};
+use hyper::StatusCode;
+use rand::Rng;
+use serde::{Deserialize, Serialize};
+
+const MAX_USERNAME_LEN: usize = 64;
+
+#[derive(Debug)]
+pub(super) struct ApiFailure {
+    pub(super) status: StatusCode,
+    pub(super) code: &'static str,
+    pub(super) message: String,
+}
+
+impl ApiFailure {
+    pub(super) fn new(status: StatusCode, code: &'static str, message: impl Into<String>) -> Self {
+        Self {
+            status,
+            code,
+            message: message.into(),
+        }
+    }
+
+    pub(super) fn internal(message: impl Into<String>) -> Self {
+        Self::new(StatusCode::INTERNAL_SERVER_ERROR, "internal_error", message)
+    }
+
+    pub(super) fn bad_request(message: impl Into<String>) -> Self {
+        Self::new(StatusCode::BAD_REQUEST, "bad_request", message)
+    }
+}
+
+#[derive(Serialize)]
+pub(super) struct ErrorBody {
+    pub(super) code: &'static str,
+    pub(super) message: String,
+}
+
+#[derive(Serialize)]
+pub(super) struct ErrorResponse {
+    pub(super) ok: bool,
+    pub(super) error: ErrorBody,
+    pub(super) request_id: u64,
+}
+
+#[derive(Serialize)]
+pub(super) struct SuccessResponse<T> {
+    pub(super) ok: bool,
+    pub(super) data: T,
+    pub(super) revision: String,
+}
+
+#[derive(Serialize)]
+pub(super) struct HealthData {
+    pub(super) status: &'static str,
+    pub(super) read_only: bool,
+}
+
+#[derive(Serialize)]
+pub(super) struct SummaryData {
+    pub(super) uptime_seconds: f64,
+    pub(super) connections_total: u64,
+    pub(super) connections_bad_total: u64,
+    pub(super) handshake_timeouts_total: u64,
+    pub(super) configured_users: usize,
+}
+
+#[derive(Serialize, Clone)]
+pub(super) struct ZeroCodeCount {
+    pub(super) code: i32,
+    pub(super) total: u64,
+}
+
+#[derive(Serialize, Clone)]
+pub(super) struct ZeroCoreData {
+    pub(super) uptime_seconds: f64,
+    pub(super) connections_total: u64,
+    pub(super) connections_bad_total: u64,
+    pub(super) handshake_timeouts_total: u64,
+    pub(super) configured_users: usize,
+    pub(super) telemetry_core_enabled: bool,
+    pub(super) telemetry_user_enabled: bool,
+    pub(super) telemetry_me_level: String,
+}
+
+#[derive(Serialize, Clone)]
+pub(super) struct ZeroUpstreamData {
+    pub(super) connect_attempt_total: u64,
+    pub(super) connect_success_total: u64,
+    pub(super) connect_fail_total: u64,
+    pub(super) connect_failfast_hard_error_total: u64,
+    pub(super) connect_attempts_bucket_1: u64,
+    pub(super) connect_attempts_bucket_2: u64,
+    pub(super) connect_attempts_bucket_3_4: u64,
+    pub(super) connect_attempts_bucket_gt_4: u64,
+    pub(super) connect_duration_success_bucket_le_100ms: u64,
+    pub(super) connect_duration_success_bucket_101_500ms: u64,
+    pub(super) connect_duration_success_bucket_501_1000ms: u64,
+    pub(super) connect_duration_success_bucket_gt_1000ms: u64,
+    pub(super) connect_duration_fail_bucket_le_100ms: u64,
+    pub(super) connect_duration_fail_bucket_101_500ms: u64,
+    pub(super) connect_duration_fail_bucket_501_1000ms: u64,
+    pub(super) connect_duration_fail_bucket_gt_1000ms: u64,
+}
+
+#[derive(Serialize, Clone)]
+pub(super) struct UpstreamDcStatus {
+    pub(super) dc: i16,
+    pub(super) latency_ema_ms: Option<f64>,
+    pub(super) ip_preference: &'static str,
+}
+
+#[derive(Serialize, Clone)]
+pub(super) struct UpstreamStatus {
+    pub(super) upstream_id: usize,
+    pub(super) route_kind: &'static str,
+    pub(super) address: String,
+    pub(super) weight: u16,
+    pub(super) scopes: String,
+    pub(super) healthy: bool,
+    pub(super) fails: u32,
+    pub(super) last_check_age_secs: u64,
+    pub(super) effective_latency_ms: Option<f64>,
+    pub(super) dc: Vec<UpstreamDcStatus>,
+}
+
+#[derive(Serialize, Clone)]
+pub(super) struct UpstreamSummaryData {
+    pub(super) configured_total: usize,
+    pub(super) healthy_total: usize,
+    pub(super) unhealthy_total: usize,
+    pub(super) direct_total: usize,
+    pub(super) socks4_total: usize,
+    pub(super) socks5_total: usize,
+}
+
+#[derive(Serialize, Clone)]
+pub(super) struct UpstreamsData {
+    pub(super) enabled: bool,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub(super) reason: Option<&'static str>,
+    pub(super) generated_at_epoch_secs: u64,
+    pub(super) zero: ZeroUpstreamData,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub(super) summary: Option<UpstreamSummaryData>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub(super) upstreams: Option<Vec<UpstreamStatus>>,
+}
+
+#[derive(Serialize, Clone)]
+pub(super) struct ZeroMiddleProxyData {
+    pub(super) keepalive_sent_total: u64,
+    pub(super) keepalive_failed_total: u64,
+    pub(super) keepalive_pong_total: u64,
+    pub(super) keepalive_timeout_total: u64,
+    pub(super) rpc_proxy_req_signal_sent_total: u64,
+    pub(super) rpc_proxy_req_signal_failed_total: u64,
+    pub(super) rpc_proxy_req_signal_skipped_no_meta_total: u64,
+    pub(super) rpc_proxy_req_signal_response_total: u64,
+    pub(super) rpc_proxy_req_signal_close_sent_total: u64,
+    pub(super) reconnect_attempt_total: u64,
+    pub(super) reconnect_success_total: u64,
+    pub(super) handshake_reject_total: u64,
+    pub(super) handshake_error_codes: Vec<ZeroCodeCount>,
+    pub(super) reader_eof_total: u64,
+    pub(super) idle_close_by_peer_total: u64,
+    pub(super) route_drop_no_conn_total: u64,
+    pub(super) route_drop_channel_closed_total: u64,
+    pub(super) route_drop_queue_full_total: u64,
+    pub(super) route_drop_queue_full_base_total: u64,
+    pub(super) route_drop_queue_full_high_total: u64,
+    pub(super) socks_kdf_strict_reject_total: u64,
+    pub(super) socks_kdf_compat_fallback_total: u64,
+    pub(super) endpoint_quarantine_total: u64,
+    pub(super) kdf_drift_total: u64,
+    pub(super) kdf_port_only_drift_total: u64,
+    pub(super) hardswap_pending_reuse_total: u64,
+    pub(super) hardswap_pending_ttl_expired_total: u64,
+    pub(super) single_endpoint_outage_enter_total: u64,
+    pub(super) single_endpoint_outage_exit_total: u64,
+    pub(super) single_endpoint_outage_reconnect_attempt_total: u64,
+    pub(super) single_endpoint_outage_reconnect_success_total: u64,
+    pub(super) single_endpoint_quarantine_bypass_total: u64,
+    pub(super) single_endpoint_shadow_rotate_total: u64,
+    pub(super) single_endpoint_shadow_rotate_skipped_quarantine_total: u64,
+    pub(super) floor_mode_switch_total: u64,
+    pub(super) floor_mode_switch_static_to_adaptive_total: u64,
+    pub(super) floor_mode_switch_adaptive_to_static_total: u64,
+}
+
+#[derive(Serialize, Clone)]
+pub(super) struct ZeroPoolData {
+    pub(super) pool_swap_total: u64,
+    pub(super) pool_drain_active: u64,
+    pub(super) pool_force_close_total: u64,
+    pub(super) pool_stale_pick_total: u64,
+    pub(super) writer_removed_total: u64,
+    pub(super) writer_removed_unexpected_total: u64,
+    pub(super) refill_triggered_total: u64,
+    pub(super) refill_skipped_inflight_total: u64,
+    pub(super) refill_failed_total: u64,
+    pub(super) writer_restored_same_endpoint_total: u64,
+    pub(super) writer_restored_fallback_total: u64,
+}
+
+#[derive(Serialize, Clone)]
+pub(super) struct ZeroDesyncData {
+    pub(super) secure_padding_invalid_total: u64,
+    pub(super) desync_total: u64,
+    pub(super) desync_full_logged_total: u64,
+    pub(super) desync_suppressed_total: u64,
+    pub(super) desync_frames_bucket_0: u64,
+    pub(super) desync_frames_bucket_1_2: u64,
+    pub(super) desync_frames_bucket_3_10: u64,
+    pub(super) desync_frames_bucket_gt_10: u64,
+}
+
+#[derive(Serialize, Clone)]
+pub(super) struct ZeroAllData {
+    pub(super) generated_at_epoch_secs: u64,
+    pub(super) core: ZeroCoreData,
+    pub(super) upstream: ZeroUpstreamData,
+    pub(super) middle_proxy: ZeroMiddleProxyData,
+    pub(super) pool: ZeroPoolData,
+    pub(super) desync: ZeroDesyncData,
+}
+
+#[derive(Serialize, Clone)]
+pub(super) struct MeWritersSummary {
+    pub(super) configured_dc_groups: usize,
+    pub(super) configured_endpoints: usize,
+    pub(super) available_endpoints: usize,
+    pub(super) available_pct: f64,
+    pub(super) required_writers: usize,
+    pub(super) alive_writers: usize,
+    pub(super) coverage_pct: f64,
+}
+
+#[derive(Serialize, Clone)]
+pub(super) struct MeWriterStatus {
+    pub(super) writer_id: u64,
+    pub(super) dc: Option<i16>,
+    pub(super) endpoint: String,
+    pub(super) generation: u64,
+    pub(super) state: &'static str,
+    pub(super) draining: bool,
+    pub(super) degraded: bool,
+    pub(super) bound_clients: usize,
+    pub(super) idle_for_secs: Option<u64>,
+    pub(super) rtt_ema_ms: Option<f64>,
+}
+
+#[derive(Serialize, Clone)]
+pub(super) struct MeWritersData {
+    pub(super) middle_proxy_enabled: bool,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub(super) reason: Option<&'static str>,
+    pub(super) generated_at_epoch_secs: u64,
+    pub(super) summary: MeWritersSummary,
+    pub(super) writers: Vec<MeWriterStatus>,
+}
+
+#[derive(Serialize, Clone)]
+pub(super) struct DcStatus {
+    pub(super) dc: i16,
+    pub(super) endpoints: Vec<String>,
+    pub(super) endpoint_writers: Vec<DcEndpointWriters>,
+    pub(super) available_endpoints: usize,
+    pub(super) available_pct: f64,
+    pub(super) required_writers: usize,
+    pub(super) floor_min: usize,
+    pub(super) floor_target: usize,
+    pub(super) floor_max: usize,
+    pub(super) floor_capped: bool,
+    pub(super) alive_writers: usize,
+    pub(super) coverage_pct: f64,
+    pub(super) rtt_ms: Option<f64>,
+    pub(super) load: usize,
+}
+
+#[derive(Serialize, Clone)]
+pub(super) struct DcEndpointWriters {
+    pub(super) endpoint: String,
+    pub(super) active_writers: usize,
+}
+
+#[derive(Serialize, Clone)]
+pub(super) struct DcStatusData {
+    pub(super) middle_proxy_enabled: bool,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub(super) reason: Option<&'static str>,
+    pub(super) generated_at_epoch_secs: u64,
+    pub(super) dcs: Vec<DcStatus>,
+}
+
+#[derive(Serialize, Clone)]
+pub(super) struct MinimalQuarantineData {
+    pub(super) endpoint: String,
+    pub(super) remaining_ms: u64,
+}
+
+#[derive(Serialize, Clone)]
+pub(super) struct MinimalDcPathData {
+    pub(super) dc: i16,
+    pub(super) ip_preference: Option<&'static str>,
+    pub(super) selected_addr_v4: Option<String>,
+    pub(super) selected_addr_v6: Option<String>,
+}
+
+#[derive(Serialize, Clone)]
+pub(super) struct MinimalMeRuntimeData {
+    pub(super) active_generation: u64,
+    pub(super) warm_generation: u64,
+    pub(super) pending_hardswap_generation: u64,
+    pub(super) pending_hardswap_age_secs: Option<u64>,
+    pub(super) hardswap_enabled: bool,
+    pub(super) floor_mode: &'static str,
+    pub(super) adaptive_floor_idle_secs: u64,
+    pub(super) adaptive_floor_min_writers_single_endpoint: u8,
+    pub(super) adaptive_floor_min_writers_multi_endpoint: u8,
+    pub(super) adaptive_floor_recover_grace_secs: u64,
+    pub(super) adaptive_floor_writers_per_core_total: u16,
+    pub(super) adaptive_floor_cpu_cores_override: u16,
+    pub(super) adaptive_floor_max_extra_writers_single_per_core: u16,
+    pub(super) adaptive_floor_max_extra_writers_multi_per_core: u16,
+    pub(super) adaptive_floor_max_active_writers_per_core: u16,
+    pub(super) adaptive_floor_max_warm_writers_per_core: u16,
+    pub(super) adaptive_floor_max_active_writers_global: u32,
+    pub(super) adaptive_floor_max_warm_writers_global: u32,
+    pub(super) adaptive_floor_cpu_cores_detected: u32,
+    pub(super) adaptive_floor_cpu_cores_effective: u32,
+    pub(super) adaptive_floor_global_cap_raw: u64,
+    pub(super) adaptive_floor_global_cap_effective: u64,
+    pub(super) adaptive_floor_target_writers_total: u64,
+    pub(super) adaptive_floor_active_cap_configured: u64,
+    pub(super) adaptive_floor_active_cap_effective: u64,
+    pub(super) adaptive_floor_warm_cap_configured: u64,
+    pub(super) adaptive_floor_warm_cap_effective: u64,
+    pub(super) adaptive_floor_active_writers_current: u64,
+    pub(super) adaptive_floor_warm_writers_current: u64,
+    pub(super) me_keepalive_enabled: bool,
+    pub(super) me_keepalive_interval_secs: u64,
+    pub(super) me_keepalive_jitter_secs: u64,
+    pub(super) me_keepalive_payload_random: bool,
+    pub(super) rpc_proxy_req_every_secs: u64,
+    pub(super) me_reconnect_max_concurrent_per_dc: u32,
+    pub(super) me_reconnect_backoff_base_ms: u64,
+    pub(super) me_reconnect_backoff_cap_ms: u64,
+    pub(super) me_reconnect_fast_retry_count: u32,
+    pub(super) me_pool_drain_ttl_secs: u64,
+    pub(super) me_pool_force_close_secs: u64,
+    pub(super) me_pool_min_fresh_ratio: f32,
+    pub(super) me_bind_stale_mode: &'static str,
+    pub(super) me_bind_stale_ttl_secs: u64,
+    pub(super) me_single_endpoint_shadow_writers: u8,
+    pub(super) me_single_endpoint_outage_mode_enabled: bool,
+    pub(super) me_single_endpoint_outage_disable_quarantine: bool,
+    pub(super) me_single_endpoint_outage_backoff_min_ms: u64,
+    pub(super) me_single_endpoint_outage_backoff_max_ms: u64,
+    pub(super) me_single_endpoint_shadow_rotate_every_secs: u64,
+    pub(super) me_deterministic_writer_sort: bool,
+    pub(super) me_writer_pick_mode: &'static str,
+    pub(super) me_writer_pick_sample_size: u8,
+    pub(super) me_socks_kdf_policy: &'static str,
+    pub(super) quarantined_endpoints_total: usize,
+    pub(super) quarantined_endpoints: Vec<MinimalQuarantineData>,
+}
+
+#[derive(Serialize, Clone)]
+pub(super) struct MinimalAllPayload {
+    pub(super) me_writers: MeWritersData,
+    pub(super) dcs: DcStatusData,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub(super) me_runtime: Option<MinimalMeRuntimeData>,
+    pub(super) network_path: Vec<MinimalDcPathData>,
+}
+
+#[derive(Serialize, Clone)]
+pub(super) struct MinimalAllData {
+    pub(super) enabled: bool,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub(super) reason: Option<&'static str>,
+    pub(super) generated_at_epoch_secs: u64,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub(super) data: Option<MinimalAllPayload>,
+}
+
+#[derive(Serialize)]
+pub(super) struct UserLinks {
+    pub(super) classic: Vec<String>,
+    pub(super) secure: Vec<String>,
+    pub(super) tls: Vec<String>,
+}
+
+#[derive(Serialize)]
+pub(super) struct UserInfo {
+    pub(super) username: String,
+    pub(super) user_ad_tag: Option<String>,
+    pub(super) max_tcp_conns: Option<usize>,
+    pub(super) expiration_rfc3339: Option<String>,
+    pub(super) data_quota_bytes: Option<u64>,
+    pub(super) max_unique_ips: Option<usize>,
+    pub(super) current_connections: u64,
+    pub(super) active_unique_ips: usize,
+    pub(super) active_unique_ips_list: Vec<IpAddr>,
+    pub(super) recent_unique_ips: usize,
+    pub(super) recent_unique_ips_list: Vec<IpAddr>,
+    pub(super) total_octets: u64,
+    pub(super) links: UserLinks,
+}
+
+#[derive(Serialize)]
+pub(super) struct CreateUserResponse {
+    pub(super) user: UserInfo,
+    pub(super) secret: String,
+}
+
+#[derive(Deserialize)]
+pub(super) struct CreateUserRequest {
+    pub(super) username: String,
+    pub(super) secret: Option<String>,
+    pub(super) user_ad_tag: Option<String>,
+    pub(super) max_tcp_conns: Option<usize>,
+    pub(super) expiration_rfc3339: Option<String>,
+    pub(super) data_quota_bytes: Option<u64>,
+    pub(super) max_unique_ips: Option<usize>,
+}
+
+#[derive(Deserialize)]
+pub(super) struct PatchUserRequest {
+    pub(super) secret: Option<String>,
+    pub(super) user_ad_tag: Option<String>,
+    pub(super) max_tcp_conns: Option<usize>,
+    pub(super) expiration_rfc3339: Option<String>,
+    pub(super) data_quota_bytes: Option<u64>,
+    pub(super) max_unique_ips: Option<usize>,
+}
+
+#[derive(Default, Deserialize)]
+pub(super) struct RotateSecretRequest {
+    pub(super) secret: Option<String>,
+}
+
+pub(super) fn parse_optional_expiration(
+    value: Option<&str>,
+) -> Result<Option<DateTime<Utc>>, ApiFailure> {
+    let Some(raw) = value else {
+        return Ok(None);
+    };
+    let parsed = DateTime::parse_from_rfc3339(raw)
+        .map_err(|_| ApiFailure::bad_request("expiration_rfc3339 must be valid RFC3339"))?;
+    Ok(Some(parsed.with_timezone(&Utc)))
+}
+
+pub(super) fn is_valid_user_secret(secret: &str) -> bool {
+    secret.len() == 32 && secret.chars().all(|c| c.is_ascii_hexdigit())
+}
+
+pub(super) fn is_valid_ad_tag(tag: &str) -> bool {
+    tag.len() == 32 && tag.chars().all(|c| c.is_ascii_hexdigit())
+}
+
+pub(super) fn is_valid_username(user: &str) -> bool {
+    !user.is_empty()
+        && user.len() <= MAX_USERNAME_LEN
+        && user
+            .chars()
+            .all(|ch| ch.is_ascii_alphanumeric() || matches!(ch, '_' | '-' | '.'))
+}
+
+pub(super) fn random_user_secret() -> String {
+    let mut bytes = [0u8; 16];
+    rand::rng().fill(&mut bytes);
+    hex::encode(bytes)
+}
--- a/src/api/runtime_edge.rs
+++ b/src/api/runtime_edge.rs
@@ -0,0 +1,294 @@
+use std::cmp::Reverse;
+use std::time::{Duration, Instant, SystemTime, UNIX_EPOCH};
+
+use serde::Serialize;
+
+use crate::config::ProxyConfig;
+
+use super::ApiShared;
+use super::events::ApiEventRecord;
+
+const FEATURE_DISABLED_REASON: &str = "feature_disabled";
+const SOURCE_UNAVAILABLE_REASON: &str = "source_unavailable";
+const EVENTS_DEFAULT_LIMIT: usize = 50;
+const EVENTS_MAX_LIMIT: usize = 1000;
+
+#[derive(Clone, Serialize)]
+pub(super) struct RuntimeEdgeConnectionUserData {
+    pub(super) username: String,
+    pub(super) current_connections: u64,
+    pub(super) total_octets: u64,
+}
+
+#[derive(Clone, Serialize)]
+pub(super) struct RuntimeEdgeConnectionTotalsData {
+    pub(super) current_connections: u64,
+    pub(super) current_connections_me: u64,
+    pub(super) current_connections_direct: u64,
+    pub(super) active_users: usize,
+}
+
+#[derive(Clone, Serialize)]
+pub(super) struct RuntimeEdgeConnectionTopData {
+    pub(super) limit: usize,
+    pub(super) by_connections: Vec<RuntimeEdgeConnectionUserData>,
+    pub(super) by_throughput: Vec<RuntimeEdgeConnectionUserData>,
+}
+
+#[derive(Clone, Serialize)]
+pub(super) struct RuntimeEdgeConnectionCacheData {
+    pub(super) ttl_ms: u64,
+    pub(super) served_from_cache: bool,
+    pub(super) stale_cache_used: bool,
+}
+
+#[derive(Clone, Serialize)]
+pub(super) struct RuntimeEdgeConnectionTelemetryData {
+    pub(super) user_enabled: bool,
+    pub(super) throughput_is_cumulative: bool,
+}
+
+#[derive(Clone, Serialize)]
+pub(super) struct RuntimeEdgeConnectionsSummaryPayload {
+    pub(super) cache: RuntimeEdgeConnectionCacheData,
+    pub(super) totals: RuntimeEdgeConnectionTotalsData,
+    pub(super) top: RuntimeEdgeConnectionTopData,
+    pub(super) telemetry: RuntimeEdgeConnectionTelemetryData,
+}
+
+#[derive(Serialize)]
+pub(super) struct RuntimeEdgeConnectionsSummaryData {
+    pub(super) enabled: bool,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub(super) reason: Option<&'static str>,
+    pub(super) generated_at_epoch_secs: u64,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub(super) data: Option<RuntimeEdgeConnectionsSummaryPayload>,
+}
+
+#[derive(Clone)]
+pub(crate) struct EdgeConnectionsCacheEntry {
+    pub(super) expires_at: Instant,
+    pub(super) payload: RuntimeEdgeConnectionsSummaryPayload,
+    pub(super) generated_at_epoch_secs: u64,
+}
+
+#[derive(Serialize)]
+pub(super) struct RuntimeEdgeEventsPayload {
+    pub(super) capacity: usize,
+    pub(super) dropped_total: u64,
+    pub(super) events: Vec<ApiEventRecord>,
+}
+
+#[derive(Serialize)]
+pub(super) struct RuntimeEdgeEventsData {
+    pub(super) enabled: bool,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub(super) reason: Option<&'static str>,
+    pub(super) generated_at_epoch_secs: u64,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub(super) data: Option<RuntimeEdgeEventsPayload>,
+}
+
+pub(super) async fn build_runtime_connections_summary_data(
+    shared: &ApiShared,
+    cfg: &ProxyConfig,
+) -> RuntimeEdgeConnectionsSummaryData {
+    let now_epoch_secs = now_epoch_secs();
+    let api_cfg = &cfg.server.api;
+    if !api_cfg.runtime_edge_enabled {
+        return RuntimeEdgeConnectionsSummaryData {
+            enabled: false,
+            reason: Some(FEATURE_DISABLED_REASON),
+            generated_at_epoch_secs: now_epoch_secs,
+            data: None,
+        };
+    }
+
+    let (generated_at_epoch_secs, payload) = match get_connections_payload_cached(
+        shared,
+        api_cfg.runtime_edge_cache_ttl_ms,
+        api_cfg.runtime_edge_top_n,
+    )
+    .await
+    {
+        Some(v) => v,
+        None => {
+            return RuntimeEdgeConnectionsSummaryData {
+                enabled: true,
+                reason: Some(SOURCE_UNAVAILABLE_REASON),
+                generated_at_epoch_secs: now_epoch_secs,
+                data: None,
+            };
+        }
+    };
+
+    RuntimeEdgeConnectionsSummaryData {
+        enabled: true,
+        reason: None,
+        generated_at_epoch_secs,
+        data: Some(payload),
+    }
+}
+
+pub(super) fn build_runtime_events_recent_data(
+    shared: &ApiShared,
+    cfg: &ProxyConfig,
+    query: Option<&str>,
+) -> RuntimeEdgeEventsData {
+    let now_epoch_secs = now_epoch_secs();
+    let api_cfg = &cfg.server.api;
+    if !api_cfg.runtime_edge_enabled {
+        return RuntimeEdgeEventsData {
+            enabled: false,
+            reason: Some(FEATURE_DISABLED_REASON),
+            generated_at_epoch_secs: now_epoch_secs,
+            data: None,
+        };
+    }
+
+    let limit = parse_recent_events_limit(query, EVENTS_DEFAULT_LIMIT, EVENTS_MAX_LIMIT);
+    let snapshot = shared.runtime_events.snapshot(limit);
+
+    RuntimeEdgeEventsData {
+        enabled: true,
+        reason: None,
+        generated_at_epoch_secs: now_epoch_secs,
+        data: Some(RuntimeEdgeEventsPayload {
+            capacity: snapshot.capacity,
+            dropped_total: snapshot.dropped_total,
+            events: snapshot.events,
+        }),
+    }
+}
+
+async fn get_connections_payload_cached(
+    shared: &ApiShared,
+    cache_ttl_ms: u64,
+    top_n: usize,
+) -> Option<(u64, RuntimeEdgeConnectionsSummaryPayload)> {
+    if cache_ttl_ms > 0 {
+        let now = Instant::now();
+        let cached = shared.runtime_edge_connections_cache.lock().await.clone();
+        if let Some(entry) = cached
+            && now < entry.expires_at
+        {
+            let mut payload = entry.payload;
+            payload.cache.served_from_cache = true;
+            payload.cache.stale_cache_used = false;
+            return Some((entry.generated_at_epoch_secs, payload));
+        }
+    }
+
+    let Ok(_guard) = shared.runtime_edge_recompute_lock.try_lock() else {
+        let cached = shared.runtime_edge_connections_cache.lock().await.clone();
+        if let Some(entry) = cached {
+            let mut payload = entry.payload;
+            payload.cache.served_from_cache = true;
+            payload.cache.stale_cache_used = true;
+            return Some((entry.generated_at_epoch_secs, payload));
+        }
+        return None;
+    };
+
+    let generated_at_epoch_secs = now_epoch_secs();
+    let payload = recompute_connections_payload(shared, cache_ttl_ms, top_n).await;
+
+    if cache_ttl_ms > 0 {
+        let entry = EdgeConnectionsCacheEntry {
+            expires_at: Instant::now() + Duration::from_millis(cache_ttl_ms),
+            payload: payload.clone(),
+            generated_at_epoch_secs,
+        };
+        *shared.runtime_edge_connections_cache.lock().await = Some(entry);
+    }
+
+    Some((generated_at_epoch_secs, payload))
+}
+
+async fn recompute_connections_payload(
+    shared: &ApiShared,
+    cache_ttl_ms: u64,
+    top_n: usize,
+) -> RuntimeEdgeConnectionsSummaryPayload {
+    let mut rows = Vec::<RuntimeEdgeConnectionUserData>::new();
+    let mut active_users = 0usize;
+    for entry in shared.stats.iter_user_stats() {
+        let user_stats = entry.value();
+        let current_connections = user_stats
+            .curr_connects
+            .load(std::sync::atomic::Ordering::Relaxed);
+        let total_octets = user_stats
+            .octets_from_client
+            .load(std::sync::atomic::Ordering::Relaxed)
+            .saturating_add(
+                user_stats
+                    .octets_to_client
+                    .load(std::sync::atomic::Ordering::Relaxed),
+            );
+        if current_connections > 0 {
+            active_users = active_users.saturating_add(1);
+        }
+        rows.push(RuntimeEdgeConnectionUserData {
+            username: entry.key().clone(),
+            current_connections,
+            total_octets,
+        });
+    }
+
+    let limit = top_n.max(1);
+    let mut by_connections = rows.clone();
+    by_connections.sort_by_key(|row| (Reverse(row.current_connections), row.username.clone()));
+    by_connections.truncate(limit);
+
+    let mut by_throughput = rows;
+    by_throughput.sort_by_key(|row| (Reverse(row.total_octets), row.username.clone()));
+    by_throughput.truncate(limit);
+
+    let telemetry = shared.stats.telemetry_policy();
+    RuntimeEdgeConnectionsSummaryPayload {
+        cache: RuntimeEdgeConnectionCacheData {
+            ttl_ms: cache_ttl_ms,
+            served_from_cache: false,
+            stale_cache_used: false,
+        },
+        totals: RuntimeEdgeConnectionTotalsData {
+            current_connections: shared.stats.get_current_connections_total(),
+            current_connections_me: shared.stats.get_current_connections_me(),
+            current_connections_direct: shared.stats.get_current_connections_direct(),
+            active_users,
+        },
+        top: RuntimeEdgeConnectionTopData {
+            limit,
+            by_connections,
+            by_throughput,
+        },
+        telemetry: RuntimeEdgeConnectionTelemetryData {
+            user_enabled: telemetry.user_enabled,
+            throughput_is_cumulative: true,
+        },
+    }
+}
+
+fn parse_recent_events_limit(query: Option<&str>, default_limit: usize, max_limit: usize) -> usize {
+    let Some(query) = query else {
+        return default_limit;
+    };
+    for pair in query.split('&') {
+        let mut split = pair.splitn(2, '=');
+        if split.next() == Some("limit")
+            && let Some(raw) = split.next()
+            && let Ok(parsed) = raw.parse::<usize>()
+        {
+            return parsed.clamp(1, max_limit);
+        }
+    }
+    default_limit
+}
+
+fn now_epoch_secs() -> u64 {
+    SystemTime::now()
+        .duration_since(UNIX_EPOCH)
+        .unwrap_or_default()
+        .as_secs()
+}
--- a/src/api/runtime_init.rs
+++ b/src/api/runtime_init.rs
@@ -0,0 +1,186 @@
+use serde::Serialize;
+
+use crate::startup::{
+    COMPONENT_ME_CONNECTIVITY_PING, COMPONENT_ME_POOL_CONSTRUCT, COMPONENT_ME_POOL_INIT_STAGE1,
+    COMPONENT_ME_PROXY_CONFIG_V4, COMPONENT_ME_PROXY_CONFIG_V6, COMPONENT_ME_SECRET_FETCH,
+    StartupComponentStatus, StartupMeStatus, compute_progress_pct,
+};
+
+use super::ApiShared;
+
+#[derive(Serialize)]
+pub(super) struct RuntimeInitializationComponentData {
+    pub(super) id: &'static str,
+    pub(super) title: &'static str,
+    pub(super) status: &'static str,
+    pub(super) started_at_epoch_ms: Option<u64>,
+    pub(super) finished_at_epoch_ms: Option<u64>,
+    pub(super) duration_ms: Option<u64>,
+    pub(super) attempts: u32,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub(super) details: Option<String>,
+}
+
+#[derive(Serialize)]
+pub(super) struct RuntimeInitializationMeData {
+    pub(super) status: &'static str,
+    pub(super) current_stage: String,
+    pub(super) progress_pct: f64,
+    pub(super) init_attempt: u32,
+    pub(super) retry_limit: String,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub(super) last_error: Option<String>,
+}
+
+#[derive(Serialize)]
+pub(super) struct RuntimeInitializationData {
+    pub(super) status: &'static str,
+    pub(super) degraded: bool,
+    pub(super) current_stage: String,
+    pub(super) progress_pct: f64,
+    pub(super) started_at_epoch_secs: u64,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub(super) ready_at_epoch_secs: Option<u64>,
+    pub(super) total_elapsed_ms: u64,
+    pub(super) transport_mode: String,
+    pub(super) me: RuntimeInitializationMeData,
+    pub(super) components: Vec<RuntimeInitializationComponentData>,
+}
+
+#[derive(Clone)]
+pub(super) struct RuntimeStartupSummaryData {
+    pub(super) status: &'static str,
+    pub(super) stage: String,
+    pub(super) progress_pct: f64,
+}
+
+pub(super) async fn build_runtime_startup_summary(shared: &ApiShared) -> RuntimeStartupSummaryData {
+    let snapshot = shared.startup_tracker.snapshot().await;
+    let me_pool_progress = current_me_pool_stage_progress(shared).await;
+    let progress_pct = compute_progress_pct(&snapshot, me_pool_progress);
+    RuntimeStartupSummaryData {
+        status: snapshot.status.as_str(),
+        stage: snapshot.current_stage,
+        progress_pct,
+    }
+}
+
+pub(super) async fn build_runtime_initialization_data(
+    shared: &ApiShared,
+) -> RuntimeInitializationData {
+    let snapshot = shared.startup_tracker.snapshot().await;
+    let me_pool_progress = current_me_pool_stage_progress(shared).await;
+    let progress_pct = compute_progress_pct(&snapshot, me_pool_progress);
+    let me_progress_pct = compute_me_progress_pct(&snapshot, me_pool_progress);
+
+    RuntimeInitializationData {
+        status: snapshot.status.as_str(),
+        degraded: snapshot.degraded,
+        current_stage: snapshot.current_stage,
+        progress_pct,
+        started_at_epoch_secs: snapshot.started_at_epoch_secs,
+        ready_at_epoch_secs: snapshot.ready_at_epoch_secs,
+        total_elapsed_ms: snapshot.total_elapsed_ms,
+        transport_mode: snapshot.transport_mode,
+        me: RuntimeInitializationMeData {
+            status: snapshot.me.status.as_str(),
+            current_stage: snapshot.me.current_stage,
+            progress_pct: me_progress_pct,
+            init_attempt: snapshot.me.init_attempt,
+            retry_limit: snapshot.me.retry_limit,
+            last_error: snapshot.me.last_error,
+        },
+        components: snapshot
+            .components
+            .into_iter()
+            .map(|component| RuntimeInitializationComponentData {
+                id: component.id,
+                title: component.title,
+                status: component.status.as_str(),
+                started_at_epoch_ms: component.started_at_epoch_ms,
+                finished_at_epoch_ms: component.finished_at_epoch_ms,
+                duration_ms: component.duration_ms,
+                attempts: component.attempts,
+                details: component.details,
+            })
+            .collect(),
+    }
+}
+
+fn compute_me_progress_pct(
+    snapshot: &crate::startup::StartupSnapshot,
+    me_pool_progress: Option<f64>,
+) -> f64 {
+    match snapshot.me.status {
+        StartupMeStatus::Pending => 0.0,
+        StartupMeStatus::Ready | StartupMeStatus::Failed | StartupMeStatus::Skipped => 100.0,
+        StartupMeStatus::Initializing => {
+            let mut total_weight = 0.0f64;
+            let mut completed_weight = 0.0f64;
+            for component in &snapshot.components {
+                if !is_me_component(component.id) {
+                    continue;
+                }
+                total_weight += component.weight;
+                let unit_progress = match component.status {
+                    StartupComponentStatus::Pending => 0.0,
+                    StartupComponentStatus::Running => {
+                        if component.id == COMPONENT_ME_POOL_INIT_STAGE1 {
+                            me_pool_progress.unwrap_or(0.0).clamp(0.0, 1.0)
+                        } else {
+                            0.0
+                        }
+                    }
+                    StartupComponentStatus::Ready
+                    | StartupComponentStatus::Failed
+                    | StartupComponentStatus::Skipped => 1.0,
+                };
+                completed_weight += component.weight * unit_progress;
+            }
+            if total_weight <= f64::EPSILON {
+                0.0
+            } else {
+                ((completed_weight / total_weight) * 100.0).clamp(0.0, 100.0)
+            }
+        }
+    }
+}
+
+fn is_me_component(component_id: &str) -> bool {
+    matches!(
+        component_id,
+        COMPONENT_ME_SECRET_FETCH
+            | COMPONENT_ME_PROXY_CONFIG_V4
+            | COMPONENT_ME_PROXY_CONFIG_V6
+            | COMPONENT_ME_POOL_CONSTRUCT
+            | COMPONENT_ME_POOL_INIT_STAGE1
+            | COMPONENT_ME_CONNECTIVITY_PING
+    )
+}
+
+async fn current_me_pool_stage_progress(shared: &ApiShared) -> Option<f64> {
+    let snapshot = shared.startup_tracker.snapshot().await;
+    if snapshot.me.status != StartupMeStatus::Initializing {
+        return None;
+    }
+
+    let pool = shared.me_pool.read().await.clone()?;
+    let status = pool.api_status_snapshot().await;
+    let configured_dc_groups = status.configured_dc_groups;
+    let covered_dc_groups = status
+        .dcs
+        .iter()
+        .filter(|dc| dc.alive_writers > 0)
+        .count();
+
+    let dc_coverage = ratio_01(covered_dc_groups, configured_dc_groups);
+    let writer_coverage = ratio_01(status.alive_writers, status.required_writers);
+    Some((0.7 * dc_coverage + 0.3 * writer_coverage).clamp(0.0, 1.0))
+}
+
+fn ratio_01(part: usize, total: usize) -> f64 {
+    if total == 0 {
+        return 0.0;
+    }
+    ((part as f64) / (total as f64)).clamp(0.0, 1.0)
+}
--- a/src/api/runtime_min.rs
+++ b/src/api/runtime_min.rs
@@ -0,0 +1,534 @@
+use std::collections::BTreeSet;
+use std::time::{SystemTime, UNIX_EPOCH};
+
+use serde::Serialize;
+
+use crate::config::ProxyConfig;
+
+use super::ApiShared;
+
+const SOURCE_UNAVAILABLE_REASON: &str = "source_unavailable";
+
+#[derive(Serialize)]
+pub(super) struct SecurityWhitelistData {
+    pub(super) generated_at_epoch_secs: u64,
+    pub(super) enabled: bool,
+    pub(super) entries_total: usize,
+    pub(super) entries: Vec<String>,
+}
+
+#[derive(Serialize)]
+pub(super) struct RuntimeMePoolStateGenerationData {
+    pub(super) active_generation: u64,
+    pub(super) warm_generation: u64,
+    pub(super) pending_hardswap_generation: u64,
+    pub(super) pending_hardswap_age_secs: Option<u64>,
+    pub(super) draining_generations: Vec<u64>,
+}
+
+#[derive(Serialize)]
+pub(super) struct RuntimeMePoolStateHardswapData {
+    pub(super) enabled: bool,
+    pub(super) pending: bool,
+}
+
+#[derive(Serialize)]
+pub(super) struct RuntimeMePoolStateWriterContourData {
+    pub(super) warm: usize,
+    pub(super) active: usize,
+    pub(super) draining: usize,
+}
+
+#[derive(Serialize)]
+pub(super) struct RuntimeMePoolStateWriterHealthData {
+    pub(super) healthy: usize,
+    pub(super) degraded: usize,
+    pub(super) draining: usize,
+}
+
+#[derive(Serialize)]
+pub(super) struct RuntimeMePoolStateWriterData {
+    pub(super) total: usize,
+    pub(super) alive_non_draining: usize,
+    pub(super) draining: usize,
+    pub(super) degraded: usize,
+    pub(super) contour: RuntimeMePoolStateWriterContourData,
+    pub(super) health: RuntimeMePoolStateWriterHealthData,
+}
+
+#[derive(Serialize)]
+pub(super) struct RuntimeMePoolStateRefillDcData {
+    pub(super) dc: i16,
+    pub(super) family: &'static str,
+    pub(super) inflight: usize,
+}
+
+#[derive(Serialize)]
+pub(super) struct RuntimeMePoolStateRefillData {
+    pub(super) inflight_endpoints_total: usize,
+    pub(super) inflight_dc_total: usize,
+    pub(super) by_dc: Vec<RuntimeMePoolStateRefillDcData>,
+}
+
+#[derive(Serialize)]
+pub(super) struct RuntimeMePoolStatePayload {
+    pub(super) generations: RuntimeMePoolStateGenerationData,
+    pub(super) hardswap: RuntimeMePoolStateHardswapData,
+    pub(super) writers: RuntimeMePoolStateWriterData,
+    pub(super) refill: RuntimeMePoolStateRefillData,
+}
+
+#[derive(Serialize)]
+pub(super) struct RuntimeMePoolStateData {
+    pub(super) enabled: bool,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub(super) reason: Option<&'static str>,
+    pub(super) generated_at_epoch_secs: u64,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub(super) data: Option<RuntimeMePoolStatePayload>,
+}
+
+#[derive(Serialize)]
+pub(super) struct RuntimeMeQualityCountersData {
+    pub(super) idle_close_by_peer_total: u64,
+    pub(super) reader_eof_total: u64,
+    pub(super) kdf_drift_total: u64,
+    pub(super) kdf_port_only_drift_total: u64,
+    pub(super) reconnect_attempt_total: u64,
+    pub(super) reconnect_success_total: u64,
+}
+
+#[derive(Serialize)]
+pub(super) struct RuntimeMeQualityRouteDropData {
+    pub(super) no_conn_total: u64,
+    pub(super) channel_closed_total: u64,
+    pub(super) queue_full_total: u64,
+    pub(super) queue_full_base_total: u64,
+    pub(super) queue_full_high_total: u64,
+}
+
+#[derive(Serialize)]
+pub(super) struct RuntimeMeQualityDcRttData {
+    pub(super) dc: i16,
+    pub(super) rtt_ema_ms: Option<f64>,
+    pub(super) alive_writers: usize,
+    pub(super) required_writers: usize,
+    pub(super) coverage_pct: f64,
+}
+
+#[derive(Serialize)]
+pub(super) struct RuntimeMeQualityPayload {
+    pub(super) counters: RuntimeMeQualityCountersData,
+    pub(super) route_drops: RuntimeMeQualityRouteDropData,
+    pub(super) dc_rtt: Vec<RuntimeMeQualityDcRttData>,
+}
+
+#[derive(Serialize)]
+pub(super) struct RuntimeMeQualityData {
+    pub(super) enabled: bool,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub(super) reason: Option<&'static str>,
+    pub(super) generated_at_epoch_secs: u64,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub(super) data: Option<RuntimeMeQualityPayload>,
+}
+
+#[derive(Serialize)]
+pub(super) struct RuntimeUpstreamQualityPolicyData {
+    pub(super) connect_retry_attempts: u32,
+    pub(super) connect_retry_backoff_ms: u64,
+    pub(super) connect_budget_ms: u64,
+    pub(super) unhealthy_fail_threshold: u32,
+    pub(super) connect_failfast_hard_errors: bool,
+}
+
+#[derive(Serialize)]
+pub(super) struct RuntimeUpstreamQualityCountersData {
+    pub(super) connect_attempt_total: u64,
+    pub(super) connect_success_total: u64,
+    pub(super) connect_fail_total: u64,
+    pub(super) connect_failfast_hard_error_total: u64,
+}
+
+#[derive(Serialize)]
+pub(super) struct RuntimeUpstreamQualitySummaryData {
+    pub(super) configured_total: usize,
+    pub(super) healthy_total: usize,
+    pub(super) unhealthy_total: usize,
+    pub(super) direct_total: usize,
+    pub(super) socks4_total: usize,
+    pub(super) socks5_total: usize,
+}
+
+#[derive(Serialize)]
+pub(super) struct RuntimeUpstreamQualityDcData {
+    pub(super) dc: i16,
+    pub(super) latency_ema_ms: Option<f64>,
+    pub(super) ip_preference: &'static str,
+}
+
+#[derive(Serialize)]
+pub(super) struct RuntimeUpstreamQualityUpstreamData {
+    pub(super) upstream_id: usize,
+    pub(super) route_kind: &'static str,
+    pub(super) address: String,
+    pub(super) weight: u16,
+    pub(super) scopes: String,
+    pub(super) healthy: bool,
+    pub(super) fails: u32,
+    pub(super) last_check_age_secs: u64,
+    pub(super) effective_latency_ms: Option<f64>,
+    pub(super) dc: Vec<RuntimeUpstreamQualityDcData>,
+}
+
+#[derive(Serialize)]
+pub(super) struct RuntimeUpstreamQualityData {
+    pub(super) enabled: bool,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub(super) reason: Option<&'static str>,
+    pub(super) generated_at_epoch_secs: u64,
+    pub(super) policy: RuntimeUpstreamQualityPolicyData,
+    pub(super) counters: RuntimeUpstreamQualityCountersData,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub(super) summary: Option<RuntimeUpstreamQualitySummaryData>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub(super) upstreams: Option<Vec<RuntimeUpstreamQualityUpstreamData>>,
+}
+
+#[derive(Serialize)]
+pub(super) struct RuntimeNatStunReflectionData {
+    pub(super) addr: String,
+    pub(super) age_secs: u64,
+}
+
+#[derive(Serialize)]
+pub(super) struct RuntimeNatStunFlagsData {
+    pub(super) nat_probe_enabled: bool,
+    pub(super) nat_probe_disabled_runtime: bool,
+    pub(super) nat_probe_attempts: u8,
+}
+
+#[derive(Serialize)]
+pub(super) struct RuntimeNatStunServersData {
+    pub(super) configured: Vec<String>,
+    pub(super) live: Vec<String>,
+    pub(super) live_total: usize,
+}
+
+#[derive(Serialize)]
+pub(super) struct RuntimeNatStunReflectionBlockData {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub(super) v4: Option<RuntimeNatStunReflectionData>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub(super) v6: Option<RuntimeNatStunReflectionData>,
+}
+
+#[derive(Serialize)]
+pub(super) struct RuntimeNatStunPayload {
+    pub(super) flags: RuntimeNatStunFlagsData,
+    pub(super) servers: RuntimeNatStunServersData,
+    pub(super) reflection: RuntimeNatStunReflectionBlockData,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub(super) stun_backoff_remaining_ms: Option<u64>,
+}
+
+#[derive(Serialize)]
+pub(super) struct RuntimeNatStunData {
+    pub(super) enabled: bool,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub(super) reason: Option<&'static str>,
+    pub(super) generated_at_epoch_secs: u64,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub(super) data: Option<RuntimeNatStunPayload>,
+}
+
+pub(super) fn build_security_whitelist_data(cfg: &ProxyConfig) -> SecurityWhitelistData {
+    let entries = cfg
+        .server
+        .api
+        .whitelist
+        .iter()
+        .map(ToString::to_string)
+        .collect::<Vec<_>>();
+    SecurityWhitelistData {
+        generated_at_epoch_secs: now_epoch_secs(),
+        enabled: !entries.is_empty(),
+        entries_total: entries.len(),
+        entries,
+    }
+}
+
+pub(super) async fn build_runtime_me_pool_state_data(shared: &ApiShared) -> RuntimeMePoolStateData {
+    let now_epoch_secs = now_epoch_secs();
+    let Some(pool) = shared.me_pool.read().await.clone() else {
+        return RuntimeMePoolStateData {
+            enabled: false,
+            reason: Some(SOURCE_UNAVAILABLE_REASON),
+            generated_at_epoch_secs: now_epoch_secs,
+            data: None,
+        };
+    };
+
+    let status = pool.api_status_snapshot().await;
+    let runtime = pool.api_runtime_snapshot().await;
+    let refill = pool.api_refill_snapshot().await;
+
+    let mut draining_generations = BTreeSet::<u64>::new();
+    let mut contour_warm = 0usize;
+    let mut contour_active = 0usize;
+    let mut contour_draining = 0usize;
+    let mut draining = 0usize;
+    let mut degraded = 0usize;
+    let mut healthy = 0usize;
+
+    for writer in &status.writers {
+        if writer.draining {
+            draining_generations.insert(writer.generation);
+            draining += 1;
+        }
+        if writer.degraded && !writer.draining {
+            degraded += 1;
+        }
+        if !writer.degraded && !writer.draining {
+            healthy += 1;
+        }
+        match writer.state {
+            "warm" => contour_warm += 1,
+            "active" => contour_active += 1,
+            _ => contour_draining += 1,
+        }
+    }
+
+    RuntimeMePoolStateData {
+        enabled: true,
+        reason: None,
+        generated_at_epoch_secs: status.generated_at_epoch_secs,
+        data: Some(RuntimeMePoolStatePayload {
+            generations: RuntimeMePoolStateGenerationData {
+                active_generation: runtime.active_generation,
+                warm_generation: runtime.warm_generation,
+                pending_hardswap_generation: runtime.pending_hardswap_generation,
+                pending_hardswap_age_secs: runtime.pending_hardswap_age_secs,
+                draining_generations: draining_generations.into_iter().collect(),
+            },
+            hardswap: RuntimeMePoolStateHardswapData {
+                enabled: runtime.hardswap_enabled,
+                pending: runtime.pending_hardswap_generation != 0,
+            },
+            writers: RuntimeMePoolStateWriterData {
+                total: status.writers.len(),
+                alive_non_draining: status.writers.len().saturating_sub(draining),
+                draining,
+                degraded,
+                contour: RuntimeMePoolStateWriterContourData {
+                    warm: contour_warm,
+                    active: contour_active,
+                    draining: contour_draining,
+                },
+                health: RuntimeMePoolStateWriterHealthData {
+                    healthy,
+                    degraded,
+                    draining,
+                },
+            },
+            refill: RuntimeMePoolStateRefillData {
+                inflight_endpoints_total: refill.inflight_endpoints_total,
+                inflight_dc_total: refill.inflight_dc_total,
+                by_dc: refill
+                    .by_dc
+                    .into_iter()
+                    .map(|entry| RuntimeMePoolStateRefillDcData {
+                        dc: entry.dc,
+                        family: entry.family,
+                        inflight: entry.inflight,
+                    })
+                    .collect(),
+            },
+        }),
+    }
+}
+
+pub(super) async fn build_runtime_me_quality_data(shared: &ApiShared) -> RuntimeMeQualityData {
+    let now_epoch_secs = now_epoch_secs();
+    let Some(pool) = shared.me_pool.read().await.clone() else {
+        return RuntimeMeQualityData {
+            enabled: false,
+            reason: Some(SOURCE_UNAVAILABLE_REASON),
+            generated_at_epoch_secs: now_epoch_secs,
+            data: None,
+        };
+    };
+
+    let status = pool.api_status_snapshot().await;
+    RuntimeMeQualityData {
+        enabled: true,
+        reason: None,
+        generated_at_epoch_secs: status.generated_at_epoch_secs,
+        data: Some(RuntimeMeQualityPayload {
+            counters: RuntimeMeQualityCountersData {
+                idle_close_by_peer_total: shared.stats.get_me_idle_close_by_peer_total(),
+                reader_eof_total: shared.stats.get_me_reader_eof_total(),
+                kdf_drift_total: shared.stats.get_me_kdf_drift_total(),
+                kdf_port_only_drift_total: shared.stats.get_me_kdf_port_only_drift_total(),
+                reconnect_attempt_total: shared.stats.get_me_reconnect_attempts(),
+                reconnect_success_total: shared.stats.get_me_reconnect_success(),
+            },
+            route_drops: RuntimeMeQualityRouteDropData {
+                no_conn_total: shared.stats.get_me_route_drop_no_conn(),
+                channel_closed_total: shared.stats.get_me_route_drop_channel_closed(),
+                queue_full_total: shared.stats.get_me_route_drop_queue_full(),
+                queue_full_base_total: shared.stats.get_me_route_drop_queue_full_base(),
+                queue_full_high_total: shared.stats.get_me_route_drop_queue_full_high(),
+            },
+            dc_rtt: status
+                .dcs
+                .into_iter()
+                .map(|dc| RuntimeMeQualityDcRttData {
+                    dc: dc.dc,
+                    rtt_ema_ms: dc.rtt_ms,
+                    alive_writers: dc.alive_writers,
+                    required_writers: dc.required_writers,
+                    coverage_pct: dc.coverage_pct,
+                })
+                .collect(),
+        }),
+    }
+}
+
+pub(super) async fn build_runtime_upstream_quality_data(
+    shared: &ApiShared,
+) -> RuntimeUpstreamQualityData {
+    let generated_at_epoch_secs = now_epoch_secs();
+    let policy = shared.upstream_manager.api_policy_snapshot();
+    let counters = RuntimeUpstreamQualityCountersData {
+        connect_attempt_total: shared.stats.get_upstream_connect_attempt_total(),
+        connect_success_total: shared.stats.get_upstream_connect_success_total(),
+        connect_fail_total: shared.stats.get_upstream_connect_fail_total(),
+        connect_failfast_hard_error_total: shared.stats.get_upstream_connect_failfast_hard_error_total(),
+    };
+
+    let Some(snapshot) = shared.upstream_manager.try_api_snapshot() else {
+        return RuntimeUpstreamQualityData {
+            enabled: false,
+            reason: Some(SOURCE_UNAVAILABLE_REASON),
+            generated_at_epoch_secs,
+            policy: RuntimeUpstreamQualityPolicyData {
+                connect_retry_attempts: policy.connect_retry_attempts,
+                connect_retry_backoff_ms: policy.connect_retry_backoff_ms,
+                connect_budget_ms: policy.connect_budget_ms,
+                unhealthy_fail_threshold: policy.unhealthy_fail_threshold,
+                connect_failfast_hard_errors: policy.connect_failfast_hard_errors,
+            },
+            counters,
+            summary: None,
+            upstreams: None,
+        };
+    };
+
+    RuntimeUpstreamQualityData {
+        enabled: true,
+        reason: None,
+        generated_at_epoch_secs,
+        policy: RuntimeUpstreamQualityPolicyData {
+            connect_retry_attempts: policy.connect_retry_attempts,
+            connect_retry_backoff_ms: policy.connect_retry_backoff_ms,
+            connect_budget_ms: policy.connect_budget_ms,
+            unhealthy_fail_threshold: policy.unhealthy_fail_threshold,
+            connect_failfast_hard_errors: policy.connect_failfast_hard_errors,
+        },
+        counters,
+        summary: Some(RuntimeUpstreamQualitySummaryData {
+            configured_total: snapshot.summary.configured_total,
+            healthy_total: snapshot.summary.healthy_total,
+            unhealthy_total: snapshot.summary.unhealthy_total,
+            direct_total: snapshot.summary.direct_total,
+            socks4_total: snapshot.summary.socks4_total,
+            socks5_total: snapshot.summary.socks5_total,
+        }),
+        upstreams: Some(
+            snapshot
+                .upstreams
+                .into_iter()
+                .map(|upstream| RuntimeUpstreamQualityUpstreamData {
+                    upstream_id: upstream.upstream_id,
+                    route_kind: match upstream.route_kind {
+                        crate::transport::UpstreamRouteKind::Direct => "direct",
+                        crate::transport::UpstreamRouteKind::Socks4 => "socks4",
+                        crate::transport::UpstreamRouteKind::Socks5 => "socks5",
+                    },
+                    address: upstream.address,
+                    weight: upstream.weight,
+                    scopes: upstream.scopes,
+                    healthy: upstream.healthy,
+                    fails: upstream.fails,
+                    last_check_age_secs: upstream.last_check_age_secs,
+                    effective_latency_ms: upstream.effective_latency_ms,
+                    dc: upstream
+                        .dc
+                        .into_iter()
+                        .map(|dc| RuntimeUpstreamQualityDcData {
+                            dc: dc.dc,
+                            latency_ema_ms: dc.latency_ema_ms,
+                            ip_preference: match dc.ip_preference {
+                                crate::transport::upstream::IpPreference::Unknown => "unknown",
+                                crate::transport::upstream::IpPreference::PreferV6 => "prefer_v6",
+                                crate::transport::upstream::IpPreference::PreferV4 => "prefer_v4",
+                                crate::transport::upstream::IpPreference::BothWork => "both_work",
+                                crate::transport::upstream::IpPreference::Unavailable => "unavailable",
+                            },
+                        })
+                        .collect(),
+                })
+                .collect(),
+        ),
+    }
+}
+
+pub(super) async fn build_runtime_nat_stun_data(shared: &ApiShared) -> RuntimeNatStunData {
+    let now_epoch_secs = now_epoch_secs();
+    let Some(pool) = shared.me_pool.read().await.clone() else {
+        return RuntimeNatStunData {
+            enabled: false,
+            reason: Some(SOURCE_UNAVAILABLE_REASON),
+            generated_at_epoch_secs: now_epoch_secs,
+            data: None,
+        };
+    };
+
+    let snapshot = pool.api_nat_stun_snapshot().await;
+    RuntimeNatStunData {
+        enabled: true,
+        reason: None,
+        generated_at_epoch_secs: now_epoch_secs,
+        data: Some(RuntimeNatStunPayload {
+            flags: RuntimeNatStunFlagsData {
+                nat_probe_enabled: snapshot.nat_probe_enabled,
+                nat_probe_disabled_runtime: snapshot.nat_probe_disabled_runtime,
+                nat_probe_attempts: snapshot.nat_probe_attempts,
+            },
+            servers: RuntimeNatStunServersData {
+                configured: snapshot.configured_servers,
+                live: snapshot.live_servers.clone(),
+                live_total: snapshot.live_servers.len(),
+            },
+            reflection: RuntimeNatStunReflectionBlockData {
+                v4: snapshot.reflection_v4.map(|entry| RuntimeNatStunReflectionData {
+                    addr: entry.addr.to_string(),
+                    age_secs: entry.age_secs,
+                }),
+                v6: snapshot.reflection_v6.map(|entry| RuntimeNatStunReflectionData {
+                    addr: entry.addr.to_string(),
+                    age_secs: entry.age_secs,
+                }),
+            },
+            stun_backoff_remaining_ms: snapshot.stun_backoff_remaining_ms,
+        }),
+    }
+}
+
+fn now_epoch_secs() -> u64 {
+    SystemTime::now()
+        .duration_since(UNIX_EPOCH)
+        .unwrap_or_default()
+        .as_secs()
+}
--- a/src/api/runtime_stats.rs
+++ b/src/api/runtime_stats.rs
@@ -0,0 +1,526 @@
+use std::time::{Duration, Instant, SystemTime, UNIX_EPOCH};
+
+use crate::config::ApiConfig;
+use crate::stats::Stats;
+use crate::transport::upstream::IpPreference;
+use crate::transport::UpstreamRouteKind;
+
+use super::ApiShared;
+use super::model::{
+    DcEndpointWriters, DcStatus, DcStatusData, MeWriterStatus, MeWritersData, MeWritersSummary,
+    MinimalAllData, MinimalAllPayload, MinimalDcPathData, MinimalMeRuntimeData,
+    MinimalQuarantineData, UpstreamDcStatus, UpstreamStatus, UpstreamSummaryData, UpstreamsData,
+    ZeroAllData, ZeroCodeCount, ZeroCoreData, ZeroDesyncData, ZeroMiddleProxyData, ZeroPoolData,
+    ZeroUpstreamData,
+};
+
+const FEATURE_DISABLED_REASON: &str = "feature_disabled";
+const SOURCE_UNAVAILABLE_REASON: &str = "source_unavailable";
+
+#[derive(Clone)]
+pub(crate) struct MinimalCacheEntry {
+    pub(super) expires_at: Instant,
+    pub(super) payload: MinimalAllPayload,
+    pub(super) generated_at_epoch_secs: u64,
+}
+
+pub(super) fn build_zero_all_data(stats: &Stats, configured_users: usize) -> ZeroAllData {
+    let telemetry = stats.telemetry_policy();
+    let handshake_error_codes = stats
+        .get_me_handshake_error_code_counts()
+        .into_iter()
+        .map(|(code, total)| ZeroCodeCount { code, total })
+        .collect();
+
+    ZeroAllData {
+        generated_at_epoch_secs: now_epoch_secs(),
+        core: ZeroCoreData {
+            uptime_seconds: stats.uptime_secs(),
+            connections_total: stats.get_connects_all(),
+            connections_bad_total: stats.get_connects_bad(),
+            handshake_timeouts_total: stats.get_handshake_timeouts(),
+            configured_users,
+            telemetry_core_enabled: telemetry.core_enabled,
+            telemetry_user_enabled: telemetry.user_enabled,
+            telemetry_me_level: telemetry.me_level.to_string(),
+        },
+        upstream: build_zero_upstream_data(stats),
+        middle_proxy: ZeroMiddleProxyData {
+            keepalive_sent_total: stats.get_me_keepalive_sent(),
+            keepalive_failed_total: stats.get_me_keepalive_failed(),
+            keepalive_pong_total: stats.get_me_keepalive_pong(),
+            keepalive_timeout_total: stats.get_me_keepalive_timeout(),
+            rpc_proxy_req_signal_sent_total: stats.get_me_rpc_proxy_req_signal_sent_total(),
+            rpc_proxy_req_signal_failed_total: stats.get_me_rpc_proxy_req_signal_failed_total(),
+            rpc_proxy_req_signal_skipped_no_meta_total: stats
+                .get_me_rpc_proxy_req_signal_skipped_no_meta_total(),
+            rpc_proxy_req_signal_response_total: stats.get_me_rpc_proxy_req_signal_response_total(),
+            rpc_proxy_req_signal_close_sent_total: stats
+                .get_me_rpc_proxy_req_signal_close_sent_total(),
+            reconnect_attempt_total: stats.get_me_reconnect_attempts(),
+            reconnect_success_total: stats.get_me_reconnect_success(),
+            handshake_reject_total: stats.get_me_handshake_reject_total(),
+            handshake_error_codes,
+            reader_eof_total: stats.get_me_reader_eof_total(),
+            idle_close_by_peer_total: stats.get_me_idle_close_by_peer_total(),
+            route_drop_no_conn_total: stats.get_me_route_drop_no_conn(),
+            route_drop_channel_closed_total: stats.get_me_route_drop_channel_closed(),
+            route_drop_queue_full_total: stats.get_me_route_drop_queue_full(),
+            route_drop_queue_full_base_total: stats.get_me_route_drop_queue_full_base(),
+            route_drop_queue_full_high_total: stats.get_me_route_drop_queue_full_high(),
+            socks_kdf_strict_reject_total: stats.get_me_socks_kdf_strict_reject(),
+            socks_kdf_compat_fallback_total: stats.get_me_socks_kdf_compat_fallback(),
+            endpoint_quarantine_total: stats.get_me_endpoint_quarantine_total(),
+            kdf_drift_total: stats.get_me_kdf_drift_total(),
+            kdf_port_only_drift_total: stats.get_me_kdf_port_only_drift_total(),
+            hardswap_pending_reuse_total: stats.get_me_hardswap_pending_reuse_total(),
+            hardswap_pending_ttl_expired_total: stats.get_me_hardswap_pending_ttl_expired_total(),
+            single_endpoint_outage_enter_total: stats.get_me_single_endpoint_outage_enter_total(),
+            single_endpoint_outage_exit_total: stats.get_me_single_endpoint_outage_exit_total(),
+            single_endpoint_outage_reconnect_attempt_total: stats
+                .get_me_single_endpoint_outage_reconnect_attempt_total(),
+            single_endpoint_outage_reconnect_success_total: stats
+                .get_me_single_endpoint_outage_reconnect_success_total(),
+            single_endpoint_quarantine_bypass_total: stats
+                .get_me_single_endpoint_quarantine_bypass_total(),
+            single_endpoint_shadow_rotate_total: stats.get_me_single_endpoint_shadow_rotate_total(),
+            single_endpoint_shadow_rotate_skipped_quarantine_total: stats
+                .get_me_single_endpoint_shadow_rotate_skipped_quarantine_total(),
+            floor_mode_switch_total: stats.get_me_floor_mode_switch_total(),
+            floor_mode_switch_static_to_adaptive_total: stats
+                .get_me_floor_mode_switch_static_to_adaptive_total(),
+            floor_mode_switch_adaptive_to_static_total: stats
+                .get_me_floor_mode_switch_adaptive_to_static_total(),
+        },
+        pool: ZeroPoolData {
+            pool_swap_total: stats.get_pool_swap_total(),
+            pool_drain_active: stats.get_pool_drain_active(),
+            pool_force_close_total: stats.get_pool_force_close_total(),
+            pool_stale_pick_total: stats.get_pool_stale_pick_total(),
+            writer_removed_total: stats.get_me_writer_removed_total(),
+            writer_removed_unexpected_total: stats.get_me_writer_removed_unexpected_total(),
+            refill_triggered_total: stats.get_me_refill_triggered_total(),
+            refill_skipped_inflight_total: stats.get_me_refill_skipped_inflight_total(),
+            refill_failed_total: stats.get_me_refill_failed_total(),
+            writer_restored_same_endpoint_total: stats.get_me_writer_restored_same_endpoint_total(),
+            writer_restored_fallback_total: stats.get_me_writer_restored_fallback_total(),
+        },
+        desync: ZeroDesyncData {
+            secure_padding_invalid_total: stats.get_secure_padding_invalid(),
+            desync_total: stats.get_desync_total(),
+            desync_full_logged_total: stats.get_desync_full_logged(),
+            desync_suppressed_total: stats.get_desync_suppressed(),
+            desync_frames_bucket_0: stats.get_desync_frames_bucket_0(),
+            desync_frames_bucket_1_2: stats.get_desync_frames_bucket_1_2(),
+            desync_frames_bucket_3_10: stats.get_desync_frames_bucket_3_10(),
+            desync_frames_bucket_gt_10: stats.get_desync_frames_bucket_gt_10(),
+        },
+    }
+}
+
+fn build_zero_upstream_data(stats: &Stats) -> ZeroUpstreamData {
+    ZeroUpstreamData {
+        connect_attempt_total: stats.get_upstream_connect_attempt_total(),
+        connect_success_total: stats.get_upstream_connect_success_total(),
+        connect_fail_total: stats.get_upstream_connect_fail_total(),
+        connect_failfast_hard_error_total: stats.get_upstream_connect_failfast_hard_error_total(),
+        connect_attempts_bucket_1: stats.get_upstream_connect_attempts_bucket_1(),
+        connect_attempts_bucket_2: stats.get_upstream_connect_attempts_bucket_2(),
+        connect_attempts_bucket_3_4: stats.get_upstream_connect_attempts_bucket_3_4(),
+        connect_attempts_bucket_gt_4: stats.get_upstream_connect_attempts_bucket_gt_4(),
+        connect_duration_success_bucket_le_100ms: stats
+            .get_upstream_connect_duration_success_bucket_le_100ms(),
+        connect_duration_success_bucket_101_500ms: stats
+            .get_upstream_connect_duration_success_bucket_101_500ms(),
+        connect_duration_success_bucket_501_1000ms: stats
+            .get_upstream_connect_duration_success_bucket_501_1000ms(),
+        connect_duration_success_bucket_gt_1000ms: stats
+            .get_upstream_connect_duration_success_bucket_gt_1000ms(),
+        connect_duration_fail_bucket_le_100ms: stats.get_upstream_connect_duration_fail_bucket_le_100ms(),
+        connect_duration_fail_bucket_101_500ms: stats
+            .get_upstream_connect_duration_fail_bucket_101_500ms(),
+        connect_duration_fail_bucket_501_1000ms: stats
+            .get_upstream_connect_duration_fail_bucket_501_1000ms(),
+        connect_duration_fail_bucket_gt_1000ms: stats
+            .get_upstream_connect_duration_fail_bucket_gt_1000ms(),
+    }
+}
+
+pub(super) fn build_upstreams_data(shared: &ApiShared, api_cfg: &ApiConfig) -> UpstreamsData {
+    let generated_at_epoch_secs = now_epoch_secs();
+    let zero = build_zero_upstream_data(&shared.stats);
+    if !api_cfg.minimal_runtime_enabled {
+        return UpstreamsData {
+            enabled: false,
+            reason: Some(FEATURE_DISABLED_REASON),
+            generated_at_epoch_secs,
+            zero,
+            summary: None,
+            upstreams: None,
+        };
+    }
+
+    let Some(snapshot) = shared.upstream_manager.try_api_snapshot() else {
+        return UpstreamsData {
+            enabled: true,
+            reason: Some(SOURCE_UNAVAILABLE_REASON),
+            generated_at_epoch_secs,
+            zero,
+            summary: None,
+            upstreams: None,
+        };
+    };
+
+    let summary = UpstreamSummaryData {
+        configured_total: snapshot.summary.configured_total,
+        healthy_total: snapshot.summary.healthy_total,
+        unhealthy_total: snapshot.summary.unhealthy_total,
+        direct_total: snapshot.summary.direct_total,
+        socks4_total: snapshot.summary.socks4_total,
+        socks5_total: snapshot.summary.socks5_total,
+    };
+    let upstreams = snapshot
+        .upstreams
+        .into_iter()
+        .map(|upstream| UpstreamStatus {
+            upstream_id: upstream.upstream_id,
+            route_kind: map_route_kind(upstream.route_kind),
+            address: upstream.address,
+            weight: upstream.weight,
+            scopes: upstream.scopes,
+            healthy: upstream.healthy,
+            fails: upstream.fails,
+            last_check_age_secs: upstream.last_check_age_secs,
+            effective_latency_ms: upstream.effective_latency_ms,
+            dc: upstream
+                .dc
+                .into_iter()
+                .map(|dc| UpstreamDcStatus {
+                    dc: dc.dc,
+                    latency_ema_ms: dc.latency_ema_ms,
+                    ip_preference: map_ip_preference(dc.ip_preference),
+                })
+                .collect(),
+        })
+        .collect();
+
+    UpstreamsData {
+        enabled: true,
+        reason: None,
+        generated_at_epoch_secs,
+        zero,
+        summary: Some(summary),
+        upstreams: Some(upstreams),
+    }
+}
+
+pub(super) async fn build_minimal_all_data(
+    shared: &ApiShared,
+    api_cfg: &ApiConfig,
+) -> MinimalAllData {
+    let now = now_epoch_secs();
+    if !api_cfg.minimal_runtime_enabled {
+        return MinimalAllData {
+            enabled: false,
+            reason: Some(FEATURE_DISABLED_REASON),
+            generated_at_epoch_secs: now,
+            data: None,
+        };
+    }
+
+    let Some((generated_at_epoch_secs, payload)) =
+        get_minimal_payload_cached(shared, api_cfg.minimal_runtime_cache_ttl_ms).await
+    else {
+        return MinimalAllData {
+            enabled: true,
+            reason: Some(SOURCE_UNAVAILABLE_REASON),
+            generated_at_epoch_secs: now,
+            data: Some(MinimalAllPayload {
+                me_writers: disabled_me_writers(now, SOURCE_UNAVAILABLE_REASON),
+                dcs: disabled_dcs(now, SOURCE_UNAVAILABLE_REASON),
+                me_runtime: None,
+                network_path: Vec::new(),
+            }),
+        };
+    };
+
+    MinimalAllData {
+        enabled: true,
+        reason: None,
+        generated_at_epoch_secs,
+        data: Some(payload),
+    }
+}
+
+pub(super) async fn build_me_writers_data(
+    shared: &ApiShared,
+    api_cfg: &ApiConfig,
+) -> MeWritersData {
+    let now = now_epoch_secs();
+    if !api_cfg.minimal_runtime_enabled {
+        return disabled_me_writers(now, FEATURE_DISABLED_REASON);
+    }
+
+    let Some((_, payload)) =
+        get_minimal_payload_cached(shared, api_cfg.minimal_runtime_cache_ttl_ms).await
+    else {
+        return disabled_me_writers(now, SOURCE_UNAVAILABLE_REASON);
+    };
+    payload.me_writers
+}
+
+pub(super) async fn build_dcs_data(shared: &ApiShared, api_cfg: &ApiConfig) -> DcStatusData {
+    let now = now_epoch_secs();
+    if !api_cfg.minimal_runtime_enabled {
+        return disabled_dcs(now, FEATURE_DISABLED_REASON);
+    }
+
+    let Some((_, payload)) =
+        get_minimal_payload_cached(shared, api_cfg.minimal_runtime_cache_ttl_ms).await
+    else {
+        return disabled_dcs(now, SOURCE_UNAVAILABLE_REASON);
+    };
+    payload.dcs
+}
+
+async fn get_minimal_payload_cached(
+    shared: &ApiShared,
+    cache_ttl_ms: u64,
+) -> Option<(u64, MinimalAllPayload)> {
+    if cache_ttl_ms > 0 {
+        let now = Instant::now();
+        let cached = shared.minimal_cache.lock().await.clone();
+        if let Some(entry) = cached
+            && now < entry.expires_at
+        {
+            return Some((entry.generated_at_epoch_secs, entry.payload));
+        }
+    }
+
+    let pool = shared.me_pool.read().await.clone()?;
+    let status = pool.api_status_snapshot().await;
+    let runtime = pool.api_runtime_snapshot().await;
+    let generated_at_epoch_secs = status.generated_at_epoch_secs;
+
+    let me_writers = MeWritersData {
+        middle_proxy_enabled: true,
+        reason: None,
+        generated_at_epoch_secs,
+        summary: MeWritersSummary {
+            configured_dc_groups: status.configured_dc_groups,
+            configured_endpoints: status.configured_endpoints,
+            available_endpoints: status.available_endpoints,
+            available_pct: status.available_pct,
+            required_writers: status.required_writers,
+            alive_writers: status.alive_writers,
+            coverage_pct: status.coverage_pct,
+        },
+        writers: status
+            .writers
+            .into_iter()
+            .map(|entry| MeWriterStatus {
+                writer_id: entry.writer_id,
+                dc: entry.dc,
+                endpoint: entry.endpoint.to_string(),
+                generation: entry.generation,
+                state: entry.state,
+                draining: entry.draining,
+                degraded: entry.degraded,
+                bound_clients: entry.bound_clients,
+                idle_for_secs: entry.idle_for_secs,
+                rtt_ema_ms: entry.rtt_ema_ms,
+            })
+            .collect(),
+    };
+    let dcs = DcStatusData {
+        middle_proxy_enabled: true,
+        reason: None,
+        generated_at_epoch_secs,
+        dcs: status
+            .dcs
+            .into_iter()
+            .map(|entry| DcStatus {
+                dc: entry.dc,
+                endpoints: entry
+                    .endpoints
+                    .into_iter()
+                    .map(|value| value.to_string())
+                    .collect(),
+                endpoint_writers: entry
+                    .endpoint_writers
+                    .into_iter()
+                    .map(|coverage| DcEndpointWriters {
+                        endpoint: coverage.endpoint.to_string(),
+                        active_writers: coverage.active_writers,
+                    })
+                    .collect(),
+                available_endpoints: entry.available_endpoints,
+                available_pct: entry.available_pct,
+                required_writers: entry.required_writers,
+                floor_min: entry.floor_min,
+                floor_target: entry.floor_target,
+                floor_max: entry.floor_max,
+                floor_capped: entry.floor_capped,
+                alive_writers: entry.alive_writers,
+                coverage_pct: entry.coverage_pct,
+                rtt_ms: entry.rtt_ms,
+                load: entry.load,
+            })
+            .collect(),
+    };
+    let me_runtime = MinimalMeRuntimeData {
+        active_generation: runtime.active_generation,
+        warm_generation: runtime.warm_generation,
+        pending_hardswap_generation: runtime.pending_hardswap_generation,
+        pending_hardswap_age_secs: runtime.pending_hardswap_age_secs,
+        hardswap_enabled: runtime.hardswap_enabled,
+        floor_mode: runtime.floor_mode,
+        adaptive_floor_idle_secs: runtime.adaptive_floor_idle_secs,
+        adaptive_floor_min_writers_single_endpoint: runtime
+            .adaptive_floor_min_writers_single_endpoint,
+        adaptive_floor_min_writers_multi_endpoint: runtime
+            .adaptive_floor_min_writers_multi_endpoint,
+        adaptive_floor_recover_grace_secs: runtime.adaptive_floor_recover_grace_secs,
+        adaptive_floor_writers_per_core_total: runtime
+            .adaptive_floor_writers_per_core_total,
+        adaptive_floor_cpu_cores_override: runtime.adaptive_floor_cpu_cores_override,
+        adaptive_floor_max_extra_writers_single_per_core: runtime
+            .adaptive_floor_max_extra_writers_single_per_core,
+        adaptive_floor_max_extra_writers_multi_per_core: runtime
+            .adaptive_floor_max_extra_writers_multi_per_core,
+        adaptive_floor_max_active_writers_per_core: runtime
+            .adaptive_floor_max_active_writers_per_core,
+        adaptive_floor_max_warm_writers_per_core: runtime
+            .adaptive_floor_max_warm_writers_per_core,
+        adaptive_floor_max_active_writers_global: runtime
+            .adaptive_floor_max_active_writers_global,
+        adaptive_floor_max_warm_writers_global: runtime
+            .adaptive_floor_max_warm_writers_global,
+        adaptive_floor_cpu_cores_detected: runtime.adaptive_floor_cpu_cores_detected,
+        adaptive_floor_cpu_cores_effective: runtime.adaptive_floor_cpu_cores_effective,
+        adaptive_floor_global_cap_raw: runtime.adaptive_floor_global_cap_raw,
+        adaptive_floor_global_cap_effective: runtime.adaptive_floor_global_cap_effective,
+        adaptive_floor_target_writers_total: runtime.adaptive_floor_target_writers_total,
+        adaptive_floor_active_cap_configured: runtime.adaptive_floor_active_cap_configured,
+        adaptive_floor_active_cap_effective: runtime.adaptive_floor_active_cap_effective,
+        adaptive_floor_warm_cap_configured: runtime.adaptive_floor_warm_cap_configured,
+        adaptive_floor_warm_cap_effective: runtime.adaptive_floor_warm_cap_effective,
+        adaptive_floor_active_writers_current: runtime.adaptive_floor_active_writers_current,
+        adaptive_floor_warm_writers_current: runtime.adaptive_floor_warm_writers_current,
+        me_keepalive_enabled: runtime.me_keepalive_enabled,
+        me_keepalive_interval_secs: runtime.me_keepalive_interval_secs,
+        me_keepalive_jitter_secs: runtime.me_keepalive_jitter_secs,
+        me_keepalive_payload_random: runtime.me_keepalive_payload_random,
+        rpc_proxy_req_every_secs: runtime.rpc_proxy_req_every_secs,
+        me_reconnect_max_concurrent_per_dc: runtime.me_reconnect_max_concurrent_per_dc,
+        me_reconnect_backoff_base_ms: runtime.me_reconnect_backoff_base_ms,
+        me_reconnect_backoff_cap_ms: runtime.me_reconnect_backoff_cap_ms,
+        me_reconnect_fast_retry_count: runtime.me_reconnect_fast_retry_count,
+        me_pool_drain_ttl_secs: runtime.me_pool_drain_ttl_secs,
+        me_pool_force_close_secs: runtime.me_pool_force_close_secs,
+        me_pool_min_fresh_ratio: runtime.me_pool_min_fresh_ratio,
+        me_bind_stale_mode: runtime.me_bind_stale_mode,
+        me_bind_stale_ttl_secs: runtime.me_bind_stale_ttl_secs,
+        me_single_endpoint_shadow_writers: runtime.me_single_endpoint_shadow_writers,
+        me_single_endpoint_outage_mode_enabled: runtime.me_single_endpoint_outage_mode_enabled,
+        me_single_endpoint_outage_disable_quarantine: runtime
+            .me_single_endpoint_outage_disable_quarantine,
+        me_single_endpoint_outage_backoff_min_ms: runtime.me_single_endpoint_outage_backoff_min_ms,
+        me_single_endpoint_outage_backoff_max_ms: runtime.me_single_endpoint_outage_backoff_max_ms,
+        me_single_endpoint_shadow_rotate_every_secs: runtime
+            .me_single_endpoint_shadow_rotate_every_secs,
+        me_deterministic_writer_sort: runtime.me_deterministic_writer_sort,
+        me_writer_pick_mode: runtime.me_writer_pick_mode,
+        me_writer_pick_sample_size: runtime.me_writer_pick_sample_size,
+        me_socks_kdf_policy: runtime.me_socks_kdf_policy,
+        quarantined_endpoints_total: runtime.quarantined_endpoints.len(),
+        quarantined_endpoints: runtime
+            .quarantined_endpoints
+            .into_iter()
+            .map(|entry| MinimalQuarantineData {
+                endpoint: entry.endpoint.to_string(),
+                remaining_ms: entry.remaining_ms,
+            })
+            .collect(),
+    };
+    let network_path = runtime
+        .network_path
+        .into_iter()
+        .map(|entry| MinimalDcPathData {
+            dc: entry.dc,
+            ip_preference: entry.ip_preference,
+            selected_addr_v4: entry.selected_addr_v4.map(|value| value.to_string()),
+            selected_addr_v6: entry.selected_addr_v6.map(|value| value.to_string()),
+        })
+        .collect();
+
+    let payload = MinimalAllPayload {
+        me_writers,
+        dcs,
+        me_runtime: Some(me_runtime),
+        network_path,
+    };
+
+    if cache_ttl_ms > 0 {
+        let entry = MinimalCacheEntry {
+            expires_at: Instant::now() + Duration::from_millis(cache_ttl_ms),
+            payload: payload.clone(),
+            generated_at_epoch_secs,
+        };
+        *shared.minimal_cache.lock().await = Some(entry);
+    }
+
+    Some((generated_at_epoch_secs, payload))
+}
+
+fn disabled_me_writers(now_epoch_secs: u64, reason: &'static str) -> MeWritersData {
+    MeWritersData {
+        middle_proxy_enabled: false,
+        reason: Some(reason),
+        generated_at_epoch_secs: now_epoch_secs,
+        summary: MeWritersSummary {
+            configured_dc_groups: 0,
+            configured_endpoints: 0,
+            available_endpoints: 0,
+            available_pct: 0.0,
+            required_writers: 0,
+            alive_writers: 0,
+            coverage_pct: 0.0,
+        },
+        writers: Vec::new(),
+    }
+}
+
+fn disabled_dcs(now_epoch_secs: u64, reason: &'static str) -> DcStatusData {
+    DcStatusData {
+        middle_proxy_enabled: false,
+        reason: Some(reason),
+        generated_at_epoch_secs: now_epoch_secs,
+        dcs: Vec::new(),
+    }
+}
+
+fn map_route_kind(value: UpstreamRouteKind) -> &'static str {
+    match value {
+        UpstreamRouteKind::Direct => "direct",
+        UpstreamRouteKind::Socks4 => "socks4",
+        UpstreamRouteKind::Socks5 => "socks5",
+    }
+}
+
+fn map_ip_preference(value: IpPreference) -> &'static str {
+    match value {
+        IpPreference::Unknown => "unknown",
+        IpPreference::PreferV6 => "prefer_v6",
+        IpPreference::PreferV4 => "prefer_v4",
+        IpPreference::BothWork => "both_work",
+        IpPreference::Unavailable => "unavailable",
+    }
+}
+
+fn now_epoch_secs() -> u64 {
+    SystemTime::now()
+        .duration_since(UNIX_EPOCH)
+        .unwrap_or_default()
+        .as_secs()
+}
--- a/src/api/runtime_watch.rs
+++ b/src/api/runtime_watch.rs
@@ -0,0 +1,66 @@
+use std::sync::Arc;
+use std::sync::atomic::Ordering;
+use std::time::{SystemTime, UNIX_EPOCH};
+
+use tokio::sync::watch;
+
+use crate::config::ProxyConfig;
+
+use super::ApiRuntimeState;
+use super::events::ApiEventStore;
+
+pub(super) fn spawn_runtime_watchers(
+    config_rx: watch::Receiver<Arc<ProxyConfig>>,
+    admission_rx: watch::Receiver<bool>,
+    runtime_state: Arc<ApiRuntimeState>,
+    runtime_events: Arc<ApiEventStore>,
+) {
+    let mut config_rx_reload = config_rx;
+    let runtime_state_reload = runtime_state.clone();
+    let runtime_events_reload = runtime_events.clone();
+    tokio::spawn(async move {
+        loop {
+            if config_rx_reload.changed().await.is_err() {
+                break;
+            }
+            runtime_state_reload
+                .config_reload_count
+                .fetch_add(1, Ordering::Relaxed);
+            runtime_state_reload
+                .last_config_reload_epoch_secs
+                .store(now_epoch_secs(), Ordering::Relaxed);
+            runtime_events_reload.record("config.reload.applied", "config receiver updated");
+        }
+    });
+
+    let mut admission_rx_watch = admission_rx;
+    tokio::spawn(async move {
+        runtime_state
+            .admission_open
+            .store(*admission_rx_watch.borrow(), Ordering::Relaxed);
+        runtime_events.record(
+            "admission.state",
+            format!("accepting_new_connections={}", *admission_rx_watch.borrow()),
+        );
+        loop {
+            if admission_rx_watch.changed().await.is_err() {
+                break;
+            }
+            let admission_open = *admission_rx_watch.borrow();
+            runtime_state
+                .admission_open
+                .store(admission_open, Ordering::Relaxed);
+            runtime_events.record(
+                "admission.state",
+                format!("accepting_new_connections={}", admission_open),
+            );
+        }
+    });
+}
+
+fn now_epoch_secs() -> u64 {
+    SystemTime::now()
+        .duration_since(UNIX_EPOCH)
+        .unwrap_or_default()
+        .as_secs()
+}
--- a/src/api/runtime_zero.rs
+++ b/src/api/runtime_zero.rs
@@ -0,0 +1,287 @@
+use std::sync::atomic::Ordering;
+
+use serde::Serialize;
+
+use crate::config::{MeFloorMode, MeWriterPickMode, ProxyConfig, UserMaxUniqueIpsMode};
+
+use super::ApiShared;
+use super::runtime_init::build_runtime_startup_summary;
+
+#[derive(Serialize)]
+pub(super) struct SystemInfoData {
+    pub(super) version: String,
+    pub(super) target_arch: String,
+    pub(super) target_os: String,
+    pub(super) build_profile: String,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub(super) git_commit: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub(super) build_time_utc: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub(super) rustc_version: Option<String>,
+    pub(super) process_started_at_epoch_secs: u64,
+    pub(super) uptime_seconds: f64,
+    pub(super) config_path: String,
+    pub(super) config_hash: String,
+    pub(super) config_reload_count: u64,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub(super) last_config_reload_epoch_secs: Option<u64>,
+}
+
+#[derive(Serialize)]
+pub(super) struct RuntimeGatesData {
+    pub(super) accepting_new_connections: bool,
+    pub(super) conditional_cast_enabled: bool,
+    pub(super) me_runtime_ready: bool,
+    pub(super) me2dc_fallback_enabled: bool,
+    pub(super) use_middle_proxy: bool,
+    pub(super) startup_status: &'static str,
+    pub(super) startup_stage: String,
+    pub(super) startup_progress_pct: f64,
+}
+
+#[derive(Serialize)]
+pub(super) struct EffectiveTimeoutLimits {
+    pub(super) client_handshake_secs: u64,
+    pub(super) tg_connect_secs: u64,
+    pub(super) client_keepalive_secs: u64,
+    pub(super) client_ack_secs: u64,
+    pub(super) me_one_retry: u8,
+    pub(super) me_one_timeout_ms: u64,
+}
+
+#[derive(Serialize)]
+pub(super) struct EffectiveUpstreamLimits {
+    pub(super) connect_retry_attempts: u32,
+    pub(super) connect_retry_backoff_ms: u64,
+    pub(super) connect_budget_ms: u64,
+    pub(super) unhealthy_fail_threshold: u32,
+    pub(super) connect_failfast_hard_errors: bool,
+}
+
+#[derive(Serialize)]
+pub(super) struct EffectiveMiddleProxyLimits {
+    pub(super) floor_mode: &'static str,
+    pub(super) adaptive_floor_idle_secs: u64,
+    pub(super) adaptive_floor_min_writers_single_endpoint: u8,
+    pub(super) adaptive_floor_min_writers_multi_endpoint: u8,
+    pub(super) adaptive_floor_recover_grace_secs: u64,
+    pub(super) adaptive_floor_writers_per_core_total: u16,
+    pub(super) adaptive_floor_cpu_cores_override: u16,
+    pub(super) adaptive_floor_max_extra_writers_single_per_core: u16,
+    pub(super) adaptive_floor_max_extra_writers_multi_per_core: u16,
+    pub(super) adaptive_floor_max_active_writers_per_core: u16,
+    pub(super) adaptive_floor_max_warm_writers_per_core: u16,
+    pub(super) adaptive_floor_max_active_writers_global: u32,
+    pub(super) adaptive_floor_max_warm_writers_global: u32,
+    pub(super) reconnect_max_concurrent_per_dc: u32,
+    pub(super) reconnect_backoff_base_ms: u64,
+    pub(super) reconnect_backoff_cap_ms: u64,
+    pub(super) reconnect_fast_retry_count: u32,
+    pub(super) writer_pick_mode: &'static str,
+    pub(super) writer_pick_sample_size: u8,
+    pub(super) me2dc_fallback: bool,
+}
+
+#[derive(Serialize)]
+pub(super) struct EffectiveUserIpPolicyLimits {
+    pub(super) mode: &'static str,
+    pub(super) window_secs: u64,
+}
+
+#[derive(Serialize)]
+pub(super) struct EffectiveLimitsData {
+    pub(super) update_every_secs: u64,
+    pub(super) me_reinit_every_secs: u64,
+    pub(super) me_pool_force_close_secs: u64,
+    pub(super) timeouts: EffectiveTimeoutLimits,
+    pub(super) upstream: EffectiveUpstreamLimits,
+    pub(super) middle_proxy: EffectiveMiddleProxyLimits,
+    pub(super) user_ip_policy: EffectiveUserIpPolicyLimits,
+}
+
+#[derive(Serialize)]
+pub(super) struct SecurityPostureData {
+    pub(super) api_read_only: bool,
+    pub(super) api_whitelist_enabled: bool,
+    pub(super) api_whitelist_entries: usize,
+    pub(super) api_auth_header_enabled: bool,
+    pub(super) proxy_protocol_enabled: bool,
+    pub(super) log_level: String,
+    pub(super) telemetry_core_enabled: bool,
+    pub(super) telemetry_user_enabled: bool,
+    pub(super) telemetry_me_level: String,
+}
+
+pub(super) fn build_system_info_data(
+    shared: &ApiShared,
+    _cfg: &ProxyConfig,
+    revision: &str,
+) -> SystemInfoData {
+    let last_reload_epoch_secs = shared
+        .runtime_state
+        .last_config_reload_epoch_secs
+        .load(Ordering::Relaxed);
+    let last_config_reload_epoch_secs = (last_reload_epoch_secs > 0).then_some(last_reload_epoch_secs);
+
+    let git_commit = option_env!("TELEMT_GIT_COMMIT")
+        .or(option_env!("VERGEN_GIT_SHA"))
+        .or(option_env!("GIT_COMMIT"))
+        .map(ToString::to_string);
+    let build_time_utc = option_env!("BUILD_TIME_UTC")
+        .or(option_env!("VERGEN_BUILD_TIMESTAMP"))
+        .map(ToString::to_string);
+    let rustc_version = option_env!("RUSTC_VERSION")
+        .or(option_env!("VERGEN_RUSTC_SEMVER"))
+        .map(ToString::to_string);
+
+    SystemInfoData {
+        version: env!("CARGO_PKG_VERSION").to_string(),
+        target_arch: std::env::consts::ARCH.to_string(),
+        target_os: std::env::consts::OS.to_string(),
+        build_profile: option_env!("PROFILE").unwrap_or("unknown").to_string(),
+        git_commit,
+        build_time_utc,
+        rustc_version,
+        process_started_at_epoch_secs: shared.runtime_state.process_started_at_epoch_secs,
+        uptime_seconds: shared.stats.uptime_secs(),
+        config_path: shared.config_path.display().to_string(),
+        config_hash: revision.to_string(),
+        config_reload_count: shared.runtime_state.config_reload_count.load(Ordering::Relaxed),
+        last_config_reload_epoch_secs,
+    }
+}
+
+pub(super) async fn build_runtime_gates_data(
+    shared: &ApiShared,
+    cfg: &ProxyConfig,
+) -> RuntimeGatesData {
+    let startup_summary = build_runtime_startup_summary(shared).await;
+    let me_runtime_ready = if !cfg.general.use_middle_proxy {
+        true
+    } else {
+        shared
+            .me_pool
+            .read()
+            .await
+            .as_ref()
+            .map(|pool| pool.is_runtime_ready())
+            .unwrap_or(false)
+    };
+
+    RuntimeGatesData {
+        accepting_new_connections: shared.runtime_state.admission_open.load(Ordering::Relaxed),
+        conditional_cast_enabled: cfg.general.use_middle_proxy,
+        me_runtime_ready,
+        me2dc_fallback_enabled: cfg.general.me2dc_fallback,
+        use_middle_proxy: cfg.general.use_middle_proxy,
+        startup_status: startup_summary.status,
+        startup_stage: startup_summary.stage,
+        startup_progress_pct: startup_summary.progress_pct,
+    }
+}
+
+pub(super) fn build_limits_effective_data(cfg: &ProxyConfig) -> EffectiveLimitsData {
+    EffectiveLimitsData {
+        update_every_secs: cfg.general.effective_update_every_secs(),
+        me_reinit_every_secs: cfg.general.effective_me_reinit_every_secs(),
+        me_pool_force_close_secs: cfg.general.effective_me_pool_force_close_secs(),
+        timeouts: EffectiveTimeoutLimits {
+            client_handshake_secs: cfg.timeouts.client_handshake,
+            tg_connect_secs: cfg.timeouts.tg_connect,
+            client_keepalive_secs: cfg.timeouts.client_keepalive,
+            client_ack_secs: cfg.timeouts.client_ack,
+            me_one_retry: cfg.timeouts.me_one_retry,
+            me_one_timeout_ms: cfg.timeouts.me_one_timeout_ms,
+        },
+        upstream: EffectiveUpstreamLimits {
+            connect_retry_attempts: cfg.general.upstream_connect_retry_attempts,
+            connect_retry_backoff_ms: cfg.general.upstream_connect_retry_backoff_ms,
+            connect_budget_ms: cfg.general.upstream_connect_budget_ms,
+            unhealthy_fail_threshold: cfg.general.upstream_unhealthy_fail_threshold,
+            connect_failfast_hard_errors: cfg.general.upstream_connect_failfast_hard_errors,
+        },
+        middle_proxy: EffectiveMiddleProxyLimits {
+            floor_mode: me_floor_mode_label(cfg.general.me_floor_mode),
+            adaptive_floor_idle_secs: cfg.general.me_adaptive_floor_idle_secs,
+            adaptive_floor_min_writers_single_endpoint: cfg
+                .general
+                .me_adaptive_floor_min_writers_single_endpoint,
+            adaptive_floor_min_writers_multi_endpoint: cfg
+                .general
+                .me_adaptive_floor_min_writers_multi_endpoint,
+            adaptive_floor_recover_grace_secs: cfg.general.me_adaptive_floor_recover_grace_secs,
+            adaptive_floor_writers_per_core_total: cfg
+                .general
+                .me_adaptive_floor_writers_per_core_total,
+            adaptive_floor_cpu_cores_override: cfg
+                .general
+                .me_adaptive_floor_cpu_cores_override,
+            adaptive_floor_max_extra_writers_single_per_core: cfg
+                .general
+                .me_adaptive_floor_max_extra_writers_single_per_core,
+            adaptive_floor_max_extra_writers_multi_per_core: cfg
+                .general
+                .me_adaptive_floor_max_extra_writers_multi_per_core,
+            adaptive_floor_max_active_writers_per_core: cfg
+                .general
+                .me_adaptive_floor_max_active_writers_per_core,
+            adaptive_floor_max_warm_writers_per_core: cfg
+                .general
+                .me_adaptive_floor_max_warm_writers_per_core,
+            adaptive_floor_max_active_writers_global: cfg
+                .general
+                .me_adaptive_floor_max_active_writers_global,
+            adaptive_floor_max_warm_writers_global: cfg
+                .general
+                .me_adaptive_floor_max_warm_writers_global,
+            reconnect_max_concurrent_per_dc: cfg.general.me_reconnect_max_concurrent_per_dc,
+            reconnect_backoff_base_ms: cfg.general.me_reconnect_backoff_base_ms,
+            reconnect_backoff_cap_ms: cfg.general.me_reconnect_backoff_cap_ms,
+            reconnect_fast_retry_count: cfg.general.me_reconnect_fast_retry_count,
+            writer_pick_mode: me_writer_pick_mode_label(cfg.general.me_writer_pick_mode),
+            writer_pick_sample_size: cfg.general.me_writer_pick_sample_size,
+            me2dc_fallback: cfg.general.me2dc_fallback,
+        },
+        user_ip_policy: EffectiveUserIpPolicyLimits {
+            mode: user_max_unique_ips_mode_label(cfg.access.user_max_unique_ips_mode),
+            window_secs: cfg.access.user_max_unique_ips_window_secs,
+        },
+    }
+}
+
+pub(super) fn build_security_posture_data(cfg: &ProxyConfig) -> SecurityPostureData {
+    SecurityPostureData {
+        api_read_only: cfg.server.api.read_only,
+        api_whitelist_enabled: !cfg.server.api.whitelist.is_empty(),
+        api_whitelist_entries: cfg.server.api.whitelist.len(),
+        api_auth_header_enabled: !cfg.server.api.auth_header.is_empty(),
+        proxy_protocol_enabled: cfg.server.proxy_protocol,
+        log_level: cfg.general.log_level.to_string(),
+        telemetry_core_enabled: cfg.general.telemetry.core_enabled,
+        telemetry_user_enabled: cfg.general.telemetry.user_enabled,
+        telemetry_me_level: cfg.general.telemetry.me_level.to_string(),
+    }
+}
+
+fn user_max_unique_ips_mode_label(mode: UserMaxUniqueIpsMode) -> &'static str {
+    match mode {
+        UserMaxUniqueIpsMode::ActiveWindow => "active_window",
+        UserMaxUniqueIpsMode::TimeWindow => "time_window",
+        UserMaxUniqueIpsMode::Combined => "combined",
+    }
+}
+
+fn me_floor_mode_label(mode: MeFloorMode) -> &'static str {
+    match mode {
+        MeFloorMode::Static => "static",
+        MeFloorMode::Adaptive => "adaptive",
+    }
+}
+
+fn me_writer_pick_mode_label(mode: MeWriterPickMode) -> &'static str {
+    match mode {
+        MeWriterPickMode::SortedRr => "sorted_rr",
+        MeWriterPickMode::P2c => "p2c",
+    }
+}
--- a/src/api/users.rs
+++ b/src/api/users.rs
@@ -0,0 +1,499 @@
+use std::net::IpAddr;
+
+use hyper::StatusCode;
+
+use crate::config::ProxyConfig;
+use crate::ip_tracker::UserIpTracker;
+use crate::stats::Stats;
+
+use super::ApiShared;
+use super::config_store::{
+    ensure_expected_revision, load_config_from_disk, save_config_to_disk,
+};
+use super::model::{
+    ApiFailure, CreateUserRequest, CreateUserResponse, PatchUserRequest, RotateSecretRequest,
+    UserInfo, UserLinks, is_valid_ad_tag, is_valid_user_secret, is_valid_username,
+    parse_optional_expiration, random_user_secret,
+};
+
+pub(super) async fn create_user(
+    body: CreateUserRequest,
+    expected_revision: Option<String>,
+    shared: &ApiShared,
+) -> Result<(CreateUserResponse, String), ApiFailure> {
+    if !is_valid_username(&body.username) {
+        return Err(ApiFailure::bad_request(
+            "username must match [A-Za-z0-9_.-] and be 1..64 chars",
+        ));
+    }
+
+    let secret = match body.secret {
+        Some(secret) => {
+            if !is_valid_user_secret(&secret) {
+                return Err(ApiFailure::bad_request(
+                    "secret must be exactly 32 hex characters",
+                ));
+            }
+            secret
+        }
+        None => random_user_secret(),
+    };
+
+    if let Some(ad_tag) = body.user_ad_tag.as_ref() && !is_valid_ad_tag(ad_tag) {
+        return Err(ApiFailure::bad_request(
+            "user_ad_tag must be exactly 32 hex characters",
+        ));
+    }
+
+    let expiration = parse_optional_expiration(body.expiration_rfc3339.as_deref())?;
+    let _guard = shared.mutation_lock.lock().await;
+    let mut cfg = load_config_from_disk(&shared.config_path).await?;
+    ensure_expected_revision(&shared.config_path, expected_revision.as_deref()).await?;
+
+    if cfg.access.users.contains_key(&body.username) {
+        return Err(ApiFailure::new(
+            StatusCode::CONFLICT,
+            "user_exists",
+            "User already exists",
+        ));
+    }
+
+    cfg.access.users.insert(body.username.clone(), secret.clone());
+    if let Some(ad_tag) = body.user_ad_tag {
+        cfg.access.user_ad_tags.insert(body.username.clone(), ad_tag);
+    }
+    if let Some(limit) = body.max_tcp_conns {
+        cfg.access.user_max_tcp_conns.insert(body.username.clone(), limit);
+    }
+    if let Some(expiration) = expiration {
+        cfg.access
+            .user_expirations
+            .insert(body.username.clone(), expiration);
+    }
+    if let Some(quota) = body.data_quota_bytes {
+        cfg.access.user_data_quota.insert(body.username.clone(), quota);
+    }
+
+    let updated_limit = body.max_unique_ips;
+    if let Some(limit) = updated_limit {
+        cfg.access
+            .user_max_unique_ips
+            .insert(body.username.clone(), limit);
+    }
+
+    cfg.validate()
+        .map_err(|e| ApiFailure::bad_request(format!("config validation failed: {}", e)))?;
+
+    let revision = save_config_to_disk(&shared.config_path, &cfg).await?;
+    drop(_guard);
+
+    if let Some(limit) = updated_limit {
+        shared.ip_tracker.set_user_limit(&body.username, limit).await;
+    }
+
+    let users = users_from_config(
+        &cfg,
+        &shared.stats,
+        &shared.ip_tracker,
+        shared.startup_detected_ip_v4,
+        shared.startup_detected_ip_v6,
+    )
+    .await;
+    let user = users
+        .into_iter()
+        .find(|entry| entry.username == body.username)
+        .unwrap_or(UserInfo {
+            username: body.username.clone(),
+            user_ad_tag: None,
+            max_tcp_conns: None,
+            expiration_rfc3339: None,
+            data_quota_bytes: None,
+            max_unique_ips: updated_limit,
+            current_connections: 0,
+            active_unique_ips: 0,
+            active_unique_ips_list: Vec::new(),
+            recent_unique_ips: 0,
+            recent_unique_ips_list: Vec::new(),
+            total_octets: 0,
+            links: build_user_links(
+                &cfg,
+                &secret,
+                shared.startup_detected_ip_v4,
+                shared.startup_detected_ip_v6,
+            ),
+        });
+
+    Ok((CreateUserResponse { user, secret }, revision))
+}
+
+pub(super) async fn patch_user(
+    user: &str,
+    body: PatchUserRequest,
+    expected_revision: Option<String>,
+    shared: &ApiShared,
+) -> Result<(UserInfo, String), ApiFailure> {
+    if let Some(secret) = body.secret.as_ref() && !is_valid_user_secret(secret) {
+        return Err(ApiFailure::bad_request(
+            "secret must be exactly 32 hex characters",
+        ));
+    }
+    if let Some(ad_tag) = body.user_ad_tag.as_ref() && !is_valid_ad_tag(ad_tag) {
+        return Err(ApiFailure::bad_request(
+            "user_ad_tag must be exactly 32 hex characters",
+        ));
+    }
+    let expiration = parse_optional_expiration(body.expiration_rfc3339.as_deref())?;
+    let _guard = shared.mutation_lock.lock().await;
+    let mut cfg = load_config_from_disk(&shared.config_path).await?;
+    ensure_expected_revision(&shared.config_path, expected_revision.as_deref()).await?;
+
+    if !cfg.access.users.contains_key(user) {
+        return Err(ApiFailure::new(
+            StatusCode::NOT_FOUND,
+            "not_found",
+            "User not found",
+        ));
+    }
+
+    if let Some(secret) = body.secret {
+        cfg.access.users.insert(user.to_string(), secret);
+    }
+    if let Some(ad_tag) = body.user_ad_tag {
+        cfg.access.user_ad_tags.insert(user.to_string(), ad_tag);
+    }
+    if let Some(limit) = body.max_tcp_conns {
+        cfg.access.user_max_tcp_conns.insert(user.to_string(), limit);
+    }
+    if let Some(expiration) = expiration {
+        cfg.access.user_expirations.insert(user.to_string(), expiration);
+    }
+    if let Some(quota) = body.data_quota_bytes {
+        cfg.access.user_data_quota.insert(user.to_string(), quota);
+    }
+
+    let mut updated_limit = None;
+    if let Some(limit) = body.max_unique_ips {
+        cfg.access.user_max_unique_ips.insert(user.to_string(), limit);
+        updated_limit = Some(limit);
+    }
+
+    cfg.validate()
+        .map_err(|e| ApiFailure::bad_request(format!("config validation failed: {}", e)))?;
+
+    let revision = save_config_to_disk(&shared.config_path, &cfg).await?;
+    drop(_guard);
+    if let Some(limit) = updated_limit {
+        shared.ip_tracker.set_user_limit(user, limit).await;
+    }
+    let users = users_from_config(
+        &cfg,
+        &shared.stats,
+        &shared.ip_tracker,
+        shared.startup_detected_ip_v4,
+        shared.startup_detected_ip_v6,
+    )
+    .await;
+    let user_info = users
+        .into_iter()
+        .find(|entry| entry.username == user)
+        .ok_or_else(|| ApiFailure::internal("failed to build updated user view"))?;
+
+    Ok((user_info, revision))
+}
+
+pub(super) async fn rotate_secret(
+    user: &str,
+    body: RotateSecretRequest,
+    expected_revision: Option<String>,
+    shared: &ApiShared,
+) -> Result<(CreateUserResponse, String), ApiFailure> {
+    let secret = body.secret.unwrap_or_else(random_user_secret);
+    if !is_valid_user_secret(&secret) {
+        return Err(ApiFailure::bad_request(
+            "secret must be exactly 32 hex characters",
+        ));
+    }
+
+    let _guard = shared.mutation_lock.lock().await;
+    let mut cfg = load_config_from_disk(&shared.config_path).await?;
+    ensure_expected_revision(&shared.config_path, expected_revision.as_deref()).await?;
+
+    if !cfg.access.users.contains_key(user) {
+        return Err(ApiFailure::new(
+            StatusCode::NOT_FOUND,
+            "not_found",
+            "User not found",
+        ));
+    }
+
+    cfg.access.users.insert(user.to_string(), secret.clone());
+    cfg.validate()
+        .map_err(|e| ApiFailure::bad_request(format!("config validation failed: {}", e)))?;
+    let revision = save_config_to_disk(&shared.config_path, &cfg).await?;
+    drop(_guard);
+
+    let users = users_from_config(
+        &cfg,
+        &shared.stats,
+        &shared.ip_tracker,
+        shared.startup_detected_ip_v4,
+        shared.startup_detected_ip_v6,
+    )
+    .await;
+    let user_info = users
+        .into_iter()
+        .find(|entry| entry.username == user)
+        .ok_or_else(|| ApiFailure::internal("failed to build updated user view"))?;
+
+    Ok((
+        CreateUserResponse {
+            user: user_info,
+            secret,
+        },
+        revision,
+    ))
+}
+
+pub(super) async fn delete_user(
+    user: &str,
+    expected_revision: Option<String>,
+    shared: &ApiShared,
+) -> Result<(String, String), ApiFailure> {
+    let _guard = shared.mutation_lock.lock().await;
+    let mut cfg = load_config_from_disk(&shared.config_path).await?;
+    ensure_expected_revision(&shared.config_path, expected_revision.as_deref()).await?;
+
+    if !cfg.access.users.contains_key(user) {
+        return Err(ApiFailure::new(
+            StatusCode::NOT_FOUND,
+            "not_found",
+            "User not found",
+        ));
+    }
+    if cfg.access.users.len() <= 1 {
+        return Err(ApiFailure::new(
+            StatusCode::CONFLICT,
+            "last_user_forbidden",
+            "Cannot delete the last configured user",
+        ));
+    }
+
+    cfg.access.users.remove(user);
+    cfg.access.user_ad_tags.remove(user);
+    cfg.access.user_max_tcp_conns.remove(user);
+    cfg.access.user_expirations.remove(user);
+    cfg.access.user_data_quota.remove(user);
+    cfg.access.user_max_unique_ips.remove(user);
+
+    cfg.validate()
+        .map_err(|e| ApiFailure::bad_request(format!("config validation failed: {}", e)))?;
+    let revision = save_config_to_disk(&shared.config_path, &cfg).await?;
+    drop(_guard);
+    shared.ip_tracker.remove_user_limit(user).await;
+    shared.ip_tracker.clear_user_ips(user).await;
+
+    Ok((user.to_string(), revision))
+}
+
+pub(super) async fn users_from_config(
+    cfg: &ProxyConfig,
+    stats: &Stats,
+    ip_tracker: &UserIpTracker,
+    startup_detected_ip_v4: Option<IpAddr>,
+    startup_detected_ip_v6: Option<IpAddr>,
+) -> Vec<UserInfo> {
+    let mut names = cfg.access.users.keys().cloned().collect::<Vec<_>>();
+    names.sort();
+    let active_ip_lists = ip_tracker.get_active_ips_for_users(&names).await;
+    let recent_ip_lists = ip_tracker.get_recent_ips_for_users(&names).await;
+
+    let mut users = Vec::with_capacity(names.len());
+    for username in names {
+        let active_ip_list = active_ip_lists
+            .get(&username)
+            .cloned()
+            .unwrap_or_else(Vec::new);
+        let recent_ip_list = recent_ip_lists
+            .get(&username)
+            .cloned()
+            .unwrap_or_else(Vec::new);
+        let links = cfg
+            .access
+            .users
+            .get(&username)
+            .map(|secret| {
+                build_user_links(
+                    cfg,
+                    secret,
+                    startup_detected_ip_v4,
+                    startup_detected_ip_v6,
+                )
+            })
+            .unwrap_or(UserLinks {
+                classic: Vec::new(),
+                secure: Vec::new(),
+                tls: Vec::new(),
+            });
+        users.push(UserInfo {
+            user_ad_tag: cfg.access.user_ad_tags.get(&username).cloned(),
+            max_tcp_conns: cfg.access.user_max_tcp_conns.get(&username).copied(),
+            expiration_rfc3339: cfg
+                .access
+                .user_expirations
+                .get(&username)
+                .map(chrono::DateTime::<chrono::Utc>::to_rfc3339),
+            data_quota_bytes: cfg.access.user_data_quota.get(&username).copied(),
+            max_unique_ips: cfg.access.user_max_unique_ips.get(&username).copied(),
+            current_connections: stats.get_user_curr_connects(&username),
+            active_unique_ips: active_ip_list.len(),
+            active_unique_ips_list: active_ip_list,
+            recent_unique_ips: recent_ip_list.len(),
+            recent_unique_ips_list: recent_ip_list,
+            total_octets: stats.get_user_total_octets(&username),
+            links,
+            username,
+        });
+    }
+    users
+}
+
+fn build_user_links(
+    cfg: &ProxyConfig,
+    secret: &str,
+    startup_detected_ip_v4: Option<IpAddr>,
+    startup_detected_ip_v6: Option<IpAddr>,
+) -> UserLinks {
+    let hosts = resolve_link_hosts(cfg, startup_detected_ip_v4, startup_detected_ip_v6);
+    let port = cfg.general.links.public_port.unwrap_or(cfg.server.port);
+    let tls_domains = resolve_tls_domains(cfg);
+
+    let mut classic = Vec::new();
+    let mut secure = Vec::new();
+    let mut tls = Vec::new();
+
+    for host in &hosts {
+        if cfg.general.modes.classic {
+            classic.push(format!(
+                "tg://proxy?server={}&port={}&secret={}",
+                host, port, secret
+            ));
+        }
+        if cfg.general.modes.secure {
+            secure.push(format!(
+                "tg://proxy?server={}&port={}&secret=dd{}",
+                host, port, secret
+            ));
+        }
+        if cfg.general.modes.tls {
+            for domain in &tls_domains {
+                let domain_hex = hex::encode(domain);
+                tls.push(format!(
+                    "tg://proxy?server={}&port={}&secret=ee{}{}",
+                    host, port, secret, domain_hex
+                ));
+            }
+        }
+    }
+
+    UserLinks {
+        classic,
+        secure,
+        tls,
+    }
+}
+
+fn resolve_link_hosts(
+    cfg: &ProxyConfig,
+    startup_detected_ip_v4: Option<IpAddr>,
+    startup_detected_ip_v6: Option<IpAddr>,
+) -> Vec<String> {
+    if let Some(host) = cfg
+        .general
+        .links
+        .public_host
+        .as_deref()
+        .map(str::trim)
+        .filter(|value| !value.is_empty())
+    {
+        return vec![host.to_string()];
+    }
+
+    let mut startup_hosts = Vec::new();
+    if let Some(ip) = startup_detected_ip_v4 {
+        push_unique_host(&mut startup_hosts, &ip.to_string());
+    }
+    if let Some(ip) = startup_detected_ip_v6 {
+        push_unique_host(&mut startup_hosts, &ip.to_string());
+    }
+    if !startup_hosts.is_empty() {
+        return startup_hosts;
+    }
+
+    let mut hosts = Vec::new();
+    for listener in &cfg.server.listeners {
+        if let Some(host) = listener
+            .announce
+            .as_deref()
+            .map(str::trim)
+            .filter(|value| !value.is_empty())
+        {
+            push_unique_host(&mut hosts, host);
+            continue;
+        }
+        if let Some(ip) = listener.announce_ip {
+            if !ip.is_unspecified() {
+                push_unique_host(&mut hosts, &ip.to_string());
+            }
+            continue;
+        }
+        if !listener.ip.is_unspecified() {
+            push_unique_host(&mut hosts, &listener.ip.to_string());
+        }
+    }
+
+    if hosts.is_empty() {
+        if let Some(host) = cfg.server.listen_addr_ipv4.as_deref() {
+            push_host_from_legacy_listen(&mut hosts, host);
+        }
+        if let Some(host) = cfg.server.listen_addr_ipv6.as_deref() {
+            push_host_from_legacy_listen(&mut hosts, host);
+        }
+    }
+
+    hosts
+}
+
+fn push_host_from_legacy_listen(hosts: &mut Vec<String>, raw: &str) {
+    let candidate = raw.trim();
+    if candidate.is_empty() {
+        return;
+    }
+
+    match candidate.parse::<IpAddr>() {
+        Ok(ip) if ip.is_unspecified() => {}
+        Ok(ip) => push_unique_host(hosts, &ip.to_string()),
+        Err(_) => push_unique_host(hosts, candidate),
+    }
+}
+
+fn push_unique_host(hosts: &mut Vec<String>, candidate: &str) {
+    if !hosts.iter().any(|existing| existing == candidate) {
+        hosts.push(candidate.to_string());
+    }
+}
+
+fn resolve_tls_domains(cfg: &ProxyConfig) -> Vec<&str> {
+    let mut domains = Vec::with_capacity(1 + cfg.censorship.tls_domains.len());
+    let primary = cfg.censorship.tls_domain.as_str();
+    if !primary.is_empty() {
+        domains.push(primary);
+    }
+    for domain in &cfg.censorship.tls_domains {
+        let value = domain.as_str();
+        if value.is_empty() || domains.contains(&value) {
+            continue;
+        }
+        domains.push(value);
+    }
+    domains
+}
--- a/src/config/defaults.rs
+++ b/src/config/defaults.rs
@@ -8,6 +8,31 @@ const DEFAULT_STUN_TCP_FALLBACK: bool = true;
 const DEFAULT_MIDDLE_PROXY_WARM_STANDBY: usize = 16;
 const DEFAULT_ME_RECONNECT_MAX_CONCURRENT_PER_DC: u32 = 8;
 const DEFAULT_ME_RECONNECT_FAST_RETRY_COUNT: u32 = 16;
+const DEFAULT_ME_SINGLE_ENDPOINT_SHADOW_WRITERS: u8 = 2;
+const DEFAULT_ME_ADAPTIVE_FLOOR_IDLE_SECS: u64 = 90;
+const DEFAULT_ME_ADAPTIVE_FLOOR_MIN_WRITERS_SINGLE_ENDPOINT: u8 = 1;
+const DEFAULT_ME_ADAPTIVE_FLOOR_MIN_WRITERS_MULTI_ENDPOINT: u8 = 1;
+const DEFAULT_ME_ADAPTIVE_FLOOR_RECOVER_GRACE_SECS: u64 = 180;
+const DEFAULT_ME_ADAPTIVE_FLOOR_WRITERS_PER_CORE_TOTAL: u16 = 48;
+const DEFAULT_ME_ADAPTIVE_FLOOR_CPU_CORES_OVERRIDE: u16 = 0;
+const DEFAULT_ME_ADAPTIVE_FLOOR_MAX_EXTRA_WRITERS_SINGLE_PER_CORE: u16 = 1;
+const DEFAULT_ME_ADAPTIVE_FLOOR_MAX_EXTRA_WRITERS_MULTI_PER_CORE: u16 = 2;
+const DEFAULT_ME_ADAPTIVE_FLOOR_MAX_ACTIVE_WRITERS_PER_CORE: u16 = 64;
+const DEFAULT_ME_ADAPTIVE_FLOOR_MAX_WARM_WRITERS_PER_CORE: u16 = 64;
+const DEFAULT_ME_ADAPTIVE_FLOOR_MAX_ACTIVE_WRITERS_GLOBAL: u32 = 256;
+const DEFAULT_ME_ADAPTIVE_FLOOR_MAX_WARM_WRITERS_GLOBAL: u32 = 256;
+const DEFAULT_ME_WRITER_CMD_CHANNEL_CAPACITY: usize = 1024;
+const DEFAULT_ME_ROUTE_CHANNEL_CAPACITY: usize = 512;
+const DEFAULT_ME_C2ME_CHANNEL_CAPACITY: usize = 256;
+const DEFAULT_ME_WRITER_PICK_SAMPLE_SIZE: u8 = 3;
+const DEFAULT_ME_HEALTH_INTERVAL_MS_UNHEALTHY: u64 = 1000;
+const DEFAULT_ME_HEALTH_INTERVAL_MS_HEALTHY: u64 = 3000;
+const DEFAULT_ME_ADMISSION_POLL_MS: u64 = 1000;
+const DEFAULT_ME_WARN_RATE_LIMIT_MS: u64 = 5000;
+const DEFAULT_USER_MAX_UNIQUE_IPS_WINDOW_SECS: u64 = 30;
+const DEFAULT_UPSTREAM_CONNECT_RETRY_ATTEMPTS: u32 = 2;
+const DEFAULT_UPSTREAM_UNHEALTHY_FAIL_THRESHOLD: u32 = 5;
+const DEFAULT_UPSTREAM_CONNECT_BUDGET_MS: u64 = 3000;
 const DEFAULT_LISTEN_ADDR_IPV6: &str = "::";
 const DEFAULT_ACCESS_USER: &str = "default";
 const DEFAULT_ACCESS_SECRET: &str = "00000000000000000000000000000000";
@@ -86,6 +111,35 @@ pub(crate) fn default_metrics_whitelist() -> Vec<IpNetwork> {
    ]
 }

+pub(crate) fn default_api_listen() -> String {
+    "127.0.0.1:9091".to_string()
+}
+
+pub(crate) fn default_api_whitelist() -> Vec<IpNetwork> {
+    default_metrics_whitelist()
+}
+
+pub(crate) fn default_api_request_body_limit_bytes() -> usize {
+    64 * 1024
+}
+
+pub(crate) fn default_api_minimal_runtime_enabled() -> bool {
+    false
+}
+
+pub(crate) fn default_api_minimal_runtime_cache_ttl_ms() -> u64 {
+    1000
+}
+
+pub(crate) fn default_api_runtime_edge_enabled() -> bool { false }
+pub(crate) fn default_api_runtime_edge_cache_ttl_ms() -> u64 { 1000 }
+pub(crate) fn default_api_runtime_edge_top_n() -> usize { 10 }
+pub(crate) fn default_api_runtime_edge_events_capacity() -> usize { 256 }
+
+pub(crate) fn default_proxy_protocol_header_timeout_ms() -> u64 {
+    500
+}
+
 pub(crate) fn default_prefer_4() -> u8 {
    4
 }
@@ -102,6 +156,10 @@ pub(crate) fn default_unknown_dc_log_path() -> Option<String> {
    Some("unknown-dc.txt".to_string())
 }

+pub(crate) fn default_unknown_dc_file_log_enabled() -> bool {
+    false
+}
+
 pub(crate) fn default_pool_size() -> usize {
    8
 }
@@ -110,6 +168,14 @@ pub(crate) fn default_proxy_secret_path() -> Option<String> {
    Some("proxy-secret".to_string())
 }

+pub(crate) fn default_proxy_config_v4_cache_path() -> Option<String> {
+    Some("cache/proxy-config-v4.txt".to_string())
+}
+
+pub(crate) fn default_proxy_config_v6_cache_path() -> Option<String> {
+    Some("cache/proxy-config-v6.txt".to_string())
+}
+
 pub(crate) fn default_middle_proxy_nat_stun() -> Option<String> {
    None
 }
@@ -126,12 +192,20 @@ pub(crate) fn default_middle_proxy_warm_standby() -> usize {
    DEFAULT_MIDDLE_PROXY_WARM_STANDBY
 }

+pub(crate) fn default_me_init_retry_attempts() -> u32 {
+    0
+}
+
+pub(crate) fn default_me2dc_fallback() -> bool {
+    true
+}
+
 pub(crate) fn default_keepalive_interval() -> u64 {
-    25
+    8
 }

 pub(crate) fn default_keepalive_jitter() -> u64 {
-    5
+    2
 }

 pub(crate) fn default_warmup_step_delay_ms() -> u64 {
@@ -158,6 +232,134 @@ pub(crate) fn default_me_reconnect_fast_retry_count() -> u32 {
    DEFAULT_ME_RECONNECT_FAST_RETRY_COUNT
 }

+pub(crate) fn default_me_single_endpoint_shadow_writers() -> u8 {
+    DEFAULT_ME_SINGLE_ENDPOINT_SHADOW_WRITERS
+}
+
+pub(crate) fn default_me_single_endpoint_outage_mode_enabled() -> bool {
+    true
+}
+
+pub(crate) fn default_me_single_endpoint_outage_disable_quarantine() -> bool {
+    true
+}
+
+pub(crate) fn default_me_single_endpoint_outage_backoff_min_ms() -> u64 {
+    250
+}
+
+pub(crate) fn default_me_single_endpoint_outage_backoff_max_ms() -> u64 {
+    3000
+}
+
+pub(crate) fn default_me_single_endpoint_shadow_rotate_every_secs() -> u64 {
+    900
+}
+
+pub(crate) fn default_me_adaptive_floor_idle_secs() -> u64 {
+    DEFAULT_ME_ADAPTIVE_FLOOR_IDLE_SECS
+}
+
+pub(crate) fn default_me_adaptive_floor_min_writers_single_endpoint() -> u8 {
+    DEFAULT_ME_ADAPTIVE_FLOOR_MIN_WRITERS_SINGLE_ENDPOINT
+}
+
+pub(crate) fn default_me_adaptive_floor_min_writers_multi_endpoint() -> u8 {
+    DEFAULT_ME_ADAPTIVE_FLOOR_MIN_WRITERS_MULTI_ENDPOINT
+}
+
+pub(crate) fn default_me_adaptive_floor_recover_grace_secs() -> u64 {
+    DEFAULT_ME_ADAPTIVE_FLOOR_RECOVER_GRACE_SECS
+}
+
+pub(crate) fn default_me_adaptive_floor_writers_per_core_total() -> u16 {
+    DEFAULT_ME_ADAPTIVE_FLOOR_WRITERS_PER_CORE_TOTAL
+}
+
+pub(crate) fn default_me_adaptive_floor_cpu_cores_override() -> u16 {
+    DEFAULT_ME_ADAPTIVE_FLOOR_CPU_CORES_OVERRIDE
+}
+
+pub(crate) fn default_me_adaptive_floor_max_extra_writers_single_per_core() -> u16 {
+    DEFAULT_ME_ADAPTIVE_FLOOR_MAX_EXTRA_WRITERS_SINGLE_PER_CORE
+}
+
+pub(crate) fn default_me_adaptive_floor_max_extra_writers_multi_per_core() -> u16 {
+    DEFAULT_ME_ADAPTIVE_FLOOR_MAX_EXTRA_WRITERS_MULTI_PER_CORE
+}
+
+pub(crate) fn default_me_adaptive_floor_max_active_writers_per_core() -> u16 {
+    DEFAULT_ME_ADAPTIVE_FLOOR_MAX_ACTIVE_WRITERS_PER_CORE
+}
+
+pub(crate) fn default_me_adaptive_floor_max_warm_writers_per_core() -> u16 {
+    DEFAULT_ME_ADAPTIVE_FLOOR_MAX_WARM_WRITERS_PER_CORE
+}
+
+pub(crate) fn default_me_adaptive_floor_max_active_writers_global() -> u32 {
+    DEFAULT_ME_ADAPTIVE_FLOOR_MAX_ACTIVE_WRITERS_GLOBAL
+}
+
+pub(crate) fn default_me_adaptive_floor_max_warm_writers_global() -> u32 {
+    DEFAULT_ME_ADAPTIVE_FLOOR_MAX_WARM_WRITERS_GLOBAL
+}
+
+pub(crate) fn default_me_writer_cmd_channel_capacity() -> usize {
+    DEFAULT_ME_WRITER_CMD_CHANNEL_CAPACITY
+}
+
+pub(crate) fn default_me_route_channel_capacity() -> usize {
+    DEFAULT_ME_ROUTE_CHANNEL_CAPACITY
+}
+
+pub(crate) fn default_me_c2me_channel_capacity() -> usize {
+    DEFAULT_ME_C2ME_CHANNEL_CAPACITY
+}
+
+pub(crate) fn default_me_writer_pick_sample_size() -> u8 {
+    DEFAULT_ME_WRITER_PICK_SAMPLE_SIZE
+}
+
+pub(crate) fn default_me_health_interval_ms_unhealthy() -> u64 {
+    DEFAULT_ME_HEALTH_INTERVAL_MS_UNHEALTHY
+}
+
+pub(crate) fn default_me_health_interval_ms_healthy() -> u64 {
+    DEFAULT_ME_HEALTH_INTERVAL_MS_HEALTHY
+}
+
+pub(crate) fn default_me_admission_poll_ms() -> u64 {
+    DEFAULT_ME_ADMISSION_POLL_MS
+}
+
+pub(crate) fn default_me_warn_rate_limit_ms() -> u64 {
+    DEFAULT_ME_WARN_RATE_LIMIT_MS
+}
+
+pub(crate) fn default_upstream_connect_retry_attempts() -> u32 {
+    DEFAULT_UPSTREAM_CONNECT_RETRY_ATTEMPTS
+}
+
+pub(crate) fn default_upstream_connect_retry_backoff_ms() -> u64 {
+    100
+}
+
+pub(crate) fn default_upstream_unhealthy_fail_threshold() -> u32 {
+    DEFAULT_UPSTREAM_UNHEALTHY_FAIL_THRESHOLD
+}
+
+pub(crate) fn default_upstream_connect_budget_ms() -> u64 {
+    DEFAULT_UPSTREAM_CONNECT_BUDGET_MS
+}
+
+pub(crate) fn default_upstream_connect_failfast_hard_errors() -> bool {
+    false
+}
+
+pub(crate) fn default_rpc_proxy_req_every() -> u64 {
+    0
+}
+
 pub(crate) fn default_crypto_pending_buffer() -> usize {
    256 * 1024
 }
@@ -170,6 +372,30 @@ pub(crate) fn default_desync_all_full() -> bool {
    false
 }

+pub(crate) fn default_me_route_backpressure_base_timeout_ms() -> u64 {
+    25
+}
+
+pub(crate) fn default_me_route_backpressure_high_timeout_ms() -> u64 {
+    120
+}
+
+pub(crate) fn default_me_route_backpressure_high_watermark_pct() -> u8 {
+    80
+}
+
+pub(crate) fn default_me_route_no_writer_wait_ms() -> u64 {
+    250
+}
+
+pub(crate) fn default_me_route_inline_recovery_attempts() -> u32 {
+    3
+}
+
+pub(crate) fn default_me_route_inline_recovery_wait_ms() -> u64 {
+    3000
+}
+
 pub(crate) fn default_beobachten_minutes() -> u64 {
    10
 }
@@ -251,6 +477,18 @@ pub(crate) fn default_me_reinit_every_secs() -> u64 {
    15 * 60
 }

+pub(crate) fn default_me_reinit_singleflight() -> bool {
+    true
+}
+
+pub(crate) fn default_me_reinit_trigger_channel() -> usize {
+    64
+}
+
+pub(crate) fn default_me_reinit_coalesce_window_ms() -> u64 {
+    200
+}
+
 pub(crate) fn default_me_hardswap_warmup_delay_min_ms() -> u64 {
    1000
 }
@@ -275,6 +513,18 @@ pub(crate) fn default_me_config_apply_cooldown_secs() -> u64 {
    300
 }

+pub(crate) fn default_me_snapshot_require_http_2xx() -> bool {
+    true
+}
+
+pub(crate) fn default_me_snapshot_reject_empty_map() -> bool {
+    true
+}
+
+pub(crate) fn default_me_snapshot_min_proxy_for_lines() -> u32 {
+    1
+}
+
 pub(crate) fn default_proxy_secret_stable_snapshots() -> u8 {
    2
 }
@@ -283,6 +533,10 @@ pub(crate) fn default_proxy_secret_rotate_runtime() -> bool {
    true
 }

+pub(crate) fn default_me_secret_atomic_snapshot() -> bool {
+    true
+}
+
 pub(crate) fn default_proxy_secret_len_max() -> usize {
    256
 }
@@ -295,10 +549,18 @@ pub(crate) fn default_me_pool_drain_ttl_secs() -> u64 {
    90
 }

+pub(crate) fn default_me_bind_stale_ttl_secs() -> u64 {
+    default_me_pool_drain_ttl_secs()
+}
+
 pub(crate) fn default_me_pool_min_fresh_ratio() -> f32 {
    0.8
 }

+pub(crate) fn default_me_deterministic_writer_sort() -> bool {
+    true
+}
+
 pub(crate) fn default_hardswap() -> bool {
    true
 }
@@ -334,6 +596,10 @@ pub(crate) fn default_access_users() -> HashMap<String, String> {
    )])
 }

+pub(crate) fn default_user_max_unique_ips_window_secs() -> u64 {
+    DEFAULT_USER_MAX_UNIQUE_IPS_WINDOW_SECS
+}
+
 // Custom deserializer helpers

 #[derive(Deserialize)]
--- a/src/config/hot_reload.rs
+++ b/src/config/hot_reload.rs
@@ -4,22 +4,22 @@
 //!
 //! # What can be reloaded without restart
 //!
-//! | Section   | Field                         | Effect                            |
-//! |-----------|-------------------------------|-----------------------------------|
-//! | `general` | `log_level`                   | Filter updated via `log_level_tx` |
-//! | `general` | `ad_tag`                      | Passed on next connection         |
-//! | `general` | `middle_proxy_pool_size`      | Passed on next connection         |
-//! | `general` | `me_keepalive_*`              | Passed on next connection         |
-//! | `general` | `desync_all_full`             | Applied immediately               |
-//! | `general` | `update_every`                | Applied to ME updater immediately |
-//! | `general` | `hardswap`                    | Applied on next ME map update     |
-//! | `general` | `me_pool_drain_ttl_secs`      | Applied on next ME map update     |
-//! | `general` | `me_pool_min_fresh_ratio`     | Applied on next ME map update     |
-//! | `general` | `me_reinit_drain_timeout_secs`| Applied on next ME map update     |
-//! | `access`  | All user/quota fields         | Effective immediately             |
+//! | Section   | Field                          | Effect                                         |
+//! |-----------|--------------------------------|------------------------------------------------|
+//! | `general` | `log_level`                    | Filter updated via `log_level_tx`              |
+//! | `access`  | `user_ad_tags`                 | Passed on next connection                      |
+//! | `general` | `ad_tag`                       | Passed on next connection (fallback per-user)  |
+//! | `general` | `desync_all_full`              | Applied immediately                            |
+//! | `general` | `update_every`                 | Applied to ME updater immediately              |
+//! | `general` | `me_reinit_*`                  | Applied to ME reinit scheduler immediately     |
+//! | `general` | `hardswap` / `me_*_reinit`     | Applied on next ME map update                  |
+//! | `general` | `telemetry` / `me_*_policy`    | Applied immediately                            |
+//! | `network` | `dns_overrides`                | Applied immediately                            |
+//! | `access`  | All user/quota fields          | Effective immediately                          |
 //!
 //! Fields that require re-binding sockets (`server.port`, `censorship.*`,
 //! `network.*`, `use_middle_proxy`) are **not** applied; a warning is emitted.
+//! Non-hot changes are never mixed into the runtime config snapshot.

 use std::net::IpAddr;
 use std::path::PathBuf;
@@ -29,7 +29,10 @@ use notify::{EventKind, RecursiveMode, Watcher, recommended_watcher};
 use tokio::sync::{mpsc, watch};
 use tracing::{error, info, warn};

-use crate::config::LogLevel;
+use crate::config::{
+    LogLevel, MeBindStaleMode, MeFloorMode, MeSocksKdfPolicy, MeTelemetryLevel,
+    MeWriterPickMode,
+};
 use super::load::ProxyConfig;

 // ── Hot fields ────────────────────────────────────────────────────────────────
@@ -39,18 +42,72 @@ use super::load::ProxyConfig;
 pub struct HotFields {
    pub log_level:               LogLevel,
    pub ad_tag:                  Option<String>,
-    pub middle_proxy_pool_size:  usize,
+    pub dns_overrides:           Vec<String>,
    pub desync_all_full:         bool,
    pub update_every_secs:       u64,
+    pub me_reinit_every_secs:    u64,
+    pub me_reinit_singleflight:  bool,
+    pub me_reinit_coalesce_window_ms: u64,
    pub hardswap:                bool,
    pub me_pool_drain_ttl_secs:  u64,
    pub me_pool_min_fresh_ratio: f32,
    pub me_reinit_drain_timeout_secs: u64,
-    pub me_keepalive_enabled:    bool,
-    pub me_keepalive_interval_secs: u64,
-    pub me_keepalive_jitter_secs:   u64,
-    pub me_keepalive_payload_random: bool,
-    pub access:                  crate::config::AccessConfig,
+    pub me_hardswap_warmup_delay_min_ms: u64,
+    pub me_hardswap_warmup_delay_max_ms: u64,
+    pub me_hardswap_warmup_extra_passes: u8,
+    pub me_hardswap_warmup_pass_backoff_base_ms: u64,
+    pub me_bind_stale_mode: MeBindStaleMode,
+    pub me_bind_stale_ttl_secs: u64,
+    pub me_secret_atomic_snapshot: bool,
+    pub me_deterministic_writer_sort: bool,
+    pub me_writer_pick_mode: MeWriterPickMode,
+    pub me_writer_pick_sample_size: u8,
+    pub me_single_endpoint_shadow_writers: u8,
+    pub me_single_endpoint_outage_mode_enabled: bool,
+    pub me_single_endpoint_outage_disable_quarantine: bool,
+    pub me_single_endpoint_outage_backoff_min_ms: u64,
+    pub me_single_endpoint_outage_backoff_max_ms: u64,
+    pub me_single_endpoint_shadow_rotate_every_secs: u64,
+    pub me_config_stable_snapshots: u8,
+    pub me_config_apply_cooldown_secs: u64,
+    pub me_snapshot_require_http_2xx: bool,
+    pub me_snapshot_reject_empty_map: bool,
+    pub me_snapshot_min_proxy_for_lines: u32,
+    pub proxy_secret_stable_snapshots: u8,
+    pub proxy_secret_rotate_runtime: bool,
+    pub proxy_secret_len_max: usize,
+    pub telemetry_core_enabled: bool,
+    pub telemetry_user_enabled: bool,
+    pub telemetry_me_level: MeTelemetryLevel,
+    pub me_socks_kdf_policy: MeSocksKdfPolicy,
+    pub me_floor_mode: MeFloorMode,
+    pub me_adaptive_floor_idle_secs: u64,
+    pub me_adaptive_floor_min_writers_single_endpoint: u8,
+    pub me_adaptive_floor_min_writers_multi_endpoint: u8,
+    pub me_adaptive_floor_recover_grace_secs: u64,
+    pub me_adaptive_floor_writers_per_core_total: u16,
+    pub me_adaptive_floor_cpu_cores_override: u16,
+    pub me_adaptive_floor_max_extra_writers_single_per_core: u16,
+    pub me_adaptive_floor_max_extra_writers_multi_per_core: u16,
+    pub me_adaptive_floor_max_active_writers_per_core: u16,
+    pub me_adaptive_floor_max_warm_writers_per_core: u16,
+    pub me_adaptive_floor_max_active_writers_global: u32,
+    pub me_adaptive_floor_max_warm_writers_global: u32,
+    pub me_route_backpressure_base_timeout_ms: u64,
+    pub me_route_backpressure_high_timeout_ms: u64,
+    pub me_route_backpressure_high_watermark_pct: u8,
+    pub me_health_interval_ms_unhealthy: u64,
+    pub me_health_interval_ms_healthy: u64,
+    pub me_admission_poll_ms: u64,
+    pub me_warn_rate_limit_ms: u64,
+    pub users:                   std::collections::HashMap<String, String>,
+    pub user_ad_tags:            std::collections::HashMap<String, String>,
+    pub user_max_tcp_conns:      std::collections::HashMap<String, usize>,
+    pub user_expirations:        std::collections::HashMap<String, chrono::DateTime<chrono::Utc>>,
+    pub user_data_quota:         std::collections::HashMap<String, u64>,
+    pub user_max_unique_ips:     std::collections::HashMap<String, usize>,
+    pub user_max_unique_ips_mode: crate::config::UserMaxUniqueIpsMode,
+    pub user_max_unique_ips_window_secs: u64,
 }

 impl HotFields {
@@ -58,47 +115,406 @@ impl HotFields {
        Self {
            log_level:               cfg.general.log_level.clone(),
            ad_tag:                  cfg.general.ad_tag.clone(),
-            middle_proxy_pool_size:  cfg.general.middle_proxy_pool_size,
+            dns_overrides:           cfg.network.dns_overrides.clone(),
            desync_all_full:         cfg.general.desync_all_full,
            update_every_secs:       cfg.general.effective_update_every_secs(),
+            me_reinit_every_secs:    cfg.general.me_reinit_every_secs,
+            me_reinit_singleflight:  cfg.general.me_reinit_singleflight,
+            me_reinit_coalesce_window_ms: cfg.general.me_reinit_coalesce_window_ms,
            hardswap:                cfg.general.hardswap,
            me_pool_drain_ttl_secs:  cfg.general.me_pool_drain_ttl_secs,
            me_pool_min_fresh_ratio: cfg.general.me_pool_min_fresh_ratio,
            me_reinit_drain_timeout_secs: cfg.general.me_reinit_drain_timeout_secs,
-            me_keepalive_enabled:    cfg.general.me_keepalive_enabled,
-            me_keepalive_interval_secs: cfg.general.me_keepalive_interval_secs,
-            me_keepalive_jitter_secs:   cfg.general.me_keepalive_jitter_secs,
-            me_keepalive_payload_random: cfg.general.me_keepalive_payload_random,
-            access:                  cfg.access.clone(),
+            me_hardswap_warmup_delay_min_ms: cfg.general.me_hardswap_warmup_delay_min_ms,
+            me_hardswap_warmup_delay_max_ms: cfg.general.me_hardswap_warmup_delay_max_ms,
+            me_hardswap_warmup_extra_passes: cfg.general.me_hardswap_warmup_extra_passes,
+            me_hardswap_warmup_pass_backoff_base_ms: cfg
+                .general
+                .me_hardswap_warmup_pass_backoff_base_ms,
+            me_bind_stale_mode: cfg.general.me_bind_stale_mode,
+            me_bind_stale_ttl_secs: cfg.general.me_bind_stale_ttl_secs,
+            me_secret_atomic_snapshot: cfg.general.me_secret_atomic_snapshot,
+            me_deterministic_writer_sort: cfg.general.me_deterministic_writer_sort,
+            me_writer_pick_mode: cfg.general.me_writer_pick_mode,
+            me_writer_pick_sample_size: cfg.general.me_writer_pick_sample_size,
+            me_single_endpoint_shadow_writers: cfg.general.me_single_endpoint_shadow_writers,
+            me_single_endpoint_outage_mode_enabled: cfg
+                .general
+                .me_single_endpoint_outage_mode_enabled,
+            me_single_endpoint_outage_disable_quarantine: cfg
+                .general
+                .me_single_endpoint_outage_disable_quarantine,
+            me_single_endpoint_outage_backoff_min_ms: cfg
+                .general
+                .me_single_endpoint_outage_backoff_min_ms,
+            me_single_endpoint_outage_backoff_max_ms: cfg
+                .general
+                .me_single_endpoint_outage_backoff_max_ms,
+            me_single_endpoint_shadow_rotate_every_secs: cfg
+                .general
+                .me_single_endpoint_shadow_rotate_every_secs,
+            me_config_stable_snapshots: cfg.general.me_config_stable_snapshots,
+            me_config_apply_cooldown_secs: cfg.general.me_config_apply_cooldown_secs,
+            me_snapshot_require_http_2xx: cfg.general.me_snapshot_require_http_2xx,
+            me_snapshot_reject_empty_map: cfg.general.me_snapshot_reject_empty_map,
+            me_snapshot_min_proxy_for_lines: cfg.general.me_snapshot_min_proxy_for_lines,
+            proxy_secret_stable_snapshots: cfg.general.proxy_secret_stable_snapshots,
+            proxy_secret_rotate_runtime: cfg.general.proxy_secret_rotate_runtime,
+            proxy_secret_len_max: cfg.general.proxy_secret_len_max,
+            telemetry_core_enabled: cfg.general.telemetry.core_enabled,
+            telemetry_user_enabled: cfg.general.telemetry.user_enabled,
+            telemetry_me_level: cfg.general.telemetry.me_level,
+            me_socks_kdf_policy: cfg.general.me_socks_kdf_policy,
+            me_floor_mode: cfg.general.me_floor_mode,
+            me_adaptive_floor_idle_secs: cfg.general.me_adaptive_floor_idle_secs,
+            me_adaptive_floor_min_writers_single_endpoint: cfg
+                .general
+                .me_adaptive_floor_min_writers_single_endpoint,
+            me_adaptive_floor_min_writers_multi_endpoint: cfg
+                .general
+                .me_adaptive_floor_min_writers_multi_endpoint,
+            me_adaptive_floor_recover_grace_secs: cfg
+                .general
+                .me_adaptive_floor_recover_grace_secs,
+            me_adaptive_floor_writers_per_core_total: cfg
+                .general
+                .me_adaptive_floor_writers_per_core_total,
+            me_adaptive_floor_cpu_cores_override: cfg
+                .general
+                .me_adaptive_floor_cpu_cores_override,
+            me_adaptive_floor_max_extra_writers_single_per_core: cfg
+                .general
+                .me_adaptive_floor_max_extra_writers_single_per_core,
+            me_adaptive_floor_max_extra_writers_multi_per_core: cfg
+                .general
+                .me_adaptive_floor_max_extra_writers_multi_per_core,
+            me_adaptive_floor_max_active_writers_per_core: cfg
+                .general
+                .me_adaptive_floor_max_active_writers_per_core,
+            me_adaptive_floor_max_warm_writers_per_core: cfg
+                .general
+                .me_adaptive_floor_max_warm_writers_per_core,
+            me_adaptive_floor_max_active_writers_global: cfg
+                .general
+                .me_adaptive_floor_max_active_writers_global,
+            me_adaptive_floor_max_warm_writers_global: cfg
+                .general
+                .me_adaptive_floor_max_warm_writers_global,
+            me_route_backpressure_base_timeout_ms: cfg.general.me_route_backpressure_base_timeout_ms,
+            me_route_backpressure_high_timeout_ms: cfg.general.me_route_backpressure_high_timeout_ms,
+            me_route_backpressure_high_watermark_pct: cfg.general.me_route_backpressure_high_watermark_pct,
+            me_health_interval_ms_unhealthy: cfg.general.me_health_interval_ms_unhealthy,
+            me_health_interval_ms_healthy: cfg.general.me_health_interval_ms_healthy,
+            me_admission_poll_ms: cfg.general.me_admission_poll_ms,
+            me_warn_rate_limit_ms: cfg.general.me_warn_rate_limit_ms,
+            users:                   cfg.access.users.clone(),
+            user_ad_tags:            cfg.access.user_ad_tags.clone(),
+            user_max_tcp_conns:      cfg.access.user_max_tcp_conns.clone(),
+            user_expirations:        cfg.access.user_expirations.clone(),
+            user_data_quota:         cfg.access.user_data_quota.clone(),
+            user_max_unique_ips:     cfg.access.user_max_unique_ips.clone(),
+            user_max_unique_ips_mode: cfg.access.user_max_unique_ips_mode,
+            user_max_unique_ips_window_secs: cfg.access.user_max_unique_ips_window_secs,
        }
    }
 }

 // ── Helpers ───────────────────────────────────────────────────────────────────

+fn canonicalize_json(value: &mut serde_json::Value) {
+    match value {
+        serde_json::Value::Object(map) => {
+            let mut pairs: Vec<(String, serde_json::Value)> =
+                std::mem::take(map).into_iter().collect();
+            pairs.sort_by(|a, b| a.0.cmp(&b.0));
+            for (_, item) in pairs.iter_mut() {
+                canonicalize_json(item);
+            }
+            for (key, item) in pairs {
+                map.insert(key, item);
+            }
+        }
+        serde_json::Value::Array(items) => {
+            for item in items {
+                canonicalize_json(item);
+            }
+        }
+        _ => {}
+    }
+}
+
+fn config_equal(lhs: &ProxyConfig, rhs: &ProxyConfig) -> bool {
+    let mut left = match serde_json::to_value(lhs) {
+        Ok(value) => value,
+        Err(_) => return false,
+    };
+    let mut right = match serde_json::to_value(rhs) {
+        Ok(value) => value,
+        Err(_) => return false,
+    };
+    canonicalize_json(&mut left);
+    canonicalize_json(&mut right);
+    left == right
+}
+
+fn listeners_equal(
+    lhs: &[crate::config::ListenerConfig],
+    rhs: &[crate::config::ListenerConfig],
+) -> bool {
+    if lhs.len() != rhs.len() {
+        return false;
+    }
+    lhs.iter().zip(rhs.iter()).all(|(a, b)| {
+        a.ip == b.ip
+            && a.announce == b.announce
+            && a.announce_ip == b.announce_ip
+            && a.proxy_protocol == b.proxy_protocol
+            && a.reuse_allow == b.reuse_allow
+    })
+}
+
+fn overlay_hot_fields(old: &ProxyConfig, new: &ProxyConfig) -> ProxyConfig {
+    let mut cfg = old.clone();
+
+    cfg.general.log_level = new.general.log_level.clone();
+    cfg.general.ad_tag = new.general.ad_tag.clone();
+    cfg.network.dns_overrides = new.network.dns_overrides.clone();
+    cfg.general.desync_all_full = new.general.desync_all_full;
+    cfg.general.update_every = new.general.update_every;
+    cfg.general.proxy_secret_auto_reload_secs = new.general.proxy_secret_auto_reload_secs;
+    cfg.general.proxy_config_auto_reload_secs = new.general.proxy_config_auto_reload_secs;
+    cfg.general.me_reinit_every_secs = new.general.me_reinit_every_secs;
+    cfg.general.me_reinit_singleflight = new.general.me_reinit_singleflight;
+    cfg.general.me_reinit_coalesce_window_ms = new.general.me_reinit_coalesce_window_ms;
+    cfg.general.hardswap = new.general.hardswap;
+    cfg.general.me_pool_drain_ttl_secs = new.general.me_pool_drain_ttl_secs;
+    cfg.general.me_pool_min_fresh_ratio = new.general.me_pool_min_fresh_ratio;
+    cfg.general.me_reinit_drain_timeout_secs = new.general.me_reinit_drain_timeout_secs;
+    cfg.general.me_hardswap_warmup_delay_min_ms = new.general.me_hardswap_warmup_delay_min_ms;
+    cfg.general.me_hardswap_warmup_delay_max_ms = new.general.me_hardswap_warmup_delay_max_ms;
+    cfg.general.me_hardswap_warmup_extra_passes = new.general.me_hardswap_warmup_extra_passes;
+    cfg.general.me_hardswap_warmup_pass_backoff_base_ms =
+        new.general.me_hardswap_warmup_pass_backoff_base_ms;
+    cfg.general.me_bind_stale_mode = new.general.me_bind_stale_mode;
+    cfg.general.me_bind_stale_ttl_secs = new.general.me_bind_stale_ttl_secs;
+    cfg.general.me_secret_atomic_snapshot = new.general.me_secret_atomic_snapshot;
+    cfg.general.me_deterministic_writer_sort = new.general.me_deterministic_writer_sort;
+    cfg.general.me_writer_pick_mode = new.general.me_writer_pick_mode;
+    cfg.general.me_writer_pick_sample_size = new.general.me_writer_pick_sample_size;
+    cfg.general.me_single_endpoint_shadow_writers = new.general.me_single_endpoint_shadow_writers;
+    cfg.general.me_single_endpoint_outage_mode_enabled =
+        new.general.me_single_endpoint_outage_mode_enabled;
+    cfg.general.me_single_endpoint_outage_disable_quarantine =
+        new.general.me_single_endpoint_outage_disable_quarantine;
+    cfg.general.me_single_endpoint_outage_backoff_min_ms =
+        new.general.me_single_endpoint_outage_backoff_min_ms;
+    cfg.general.me_single_endpoint_outage_backoff_max_ms =
+        new.general.me_single_endpoint_outage_backoff_max_ms;
+    cfg.general.me_single_endpoint_shadow_rotate_every_secs =
+        new.general.me_single_endpoint_shadow_rotate_every_secs;
+    cfg.general.me_config_stable_snapshots = new.general.me_config_stable_snapshots;
+    cfg.general.me_config_apply_cooldown_secs = new.general.me_config_apply_cooldown_secs;
+    cfg.general.me_snapshot_require_http_2xx = new.general.me_snapshot_require_http_2xx;
+    cfg.general.me_snapshot_reject_empty_map = new.general.me_snapshot_reject_empty_map;
+    cfg.general.me_snapshot_min_proxy_for_lines = new.general.me_snapshot_min_proxy_for_lines;
+    cfg.general.proxy_secret_stable_snapshots = new.general.proxy_secret_stable_snapshots;
+    cfg.general.proxy_secret_rotate_runtime = new.general.proxy_secret_rotate_runtime;
+    cfg.general.proxy_secret_len_max = new.general.proxy_secret_len_max;
+    cfg.general.telemetry = new.general.telemetry.clone();
+    cfg.general.me_socks_kdf_policy = new.general.me_socks_kdf_policy;
+    cfg.general.me_floor_mode = new.general.me_floor_mode;
+    cfg.general.me_adaptive_floor_idle_secs = new.general.me_adaptive_floor_idle_secs;
+    cfg.general.me_adaptive_floor_min_writers_single_endpoint =
+        new.general.me_adaptive_floor_min_writers_single_endpoint;
+    cfg.general.me_adaptive_floor_min_writers_multi_endpoint =
+        new.general.me_adaptive_floor_min_writers_multi_endpoint;
+    cfg.general.me_adaptive_floor_recover_grace_secs =
+        new.general.me_adaptive_floor_recover_grace_secs;
+    cfg.general.me_adaptive_floor_writers_per_core_total =
+        new.general.me_adaptive_floor_writers_per_core_total;
+    cfg.general.me_adaptive_floor_cpu_cores_override =
+        new.general.me_adaptive_floor_cpu_cores_override;
+    cfg.general.me_adaptive_floor_max_extra_writers_single_per_core =
+        new.general.me_adaptive_floor_max_extra_writers_single_per_core;
+    cfg.general.me_adaptive_floor_max_extra_writers_multi_per_core =
+        new.general.me_adaptive_floor_max_extra_writers_multi_per_core;
+    cfg.general.me_adaptive_floor_max_active_writers_per_core =
+        new.general.me_adaptive_floor_max_active_writers_per_core;
+    cfg.general.me_adaptive_floor_max_warm_writers_per_core =
+        new.general.me_adaptive_floor_max_warm_writers_per_core;
+    cfg.general.me_adaptive_floor_max_active_writers_global =
+        new.general.me_adaptive_floor_max_active_writers_global;
+    cfg.general.me_adaptive_floor_max_warm_writers_global =
+        new.general.me_adaptive_floor_max_warm_writers_global;
+    cfg.general.me_route_backpressure_base_timeout_ms =
+        new.general.me_route_backpressure_base_timeout_ms;
+    cfg.general.me_route_backpressure_high_timeout_ms =
+        new.general.me_route_backpressure_high_timeout_ms;
+    cfg.general.me_route_backpressure_high_watermark_pct =
+        new.general.me_route_backpressure_high_watermark_pct;
+    cfg.general.me_health_interval_ms_unhealthy = new.general.me_health_interval_ms_unhealthy;
+    cfg.general.me_health_interval_ms_healthy = new.general.me_health_interval_ms_healthy;
+    cfg.general.me_admission_poll_ms = new.general.me_admission_poll_ms;
+    cfg.general.me_warn_rate_limit_ms = new.general.me_warn_rate_limit_ms;
+
+    cfg.access.users = new.access.users.clone();
+    cfg.access.user_ad_tags = new.access.user_ad_tags.clone();
+    cfg.access.user_max_tcp_conns = new.access.user_max_tcp_conns.clone();
+    cfg.access.user_expirations = new.access.user_expirations.clone();
+    cfg.access.user_data_quota = new.access.user_data_quota.clone();
+    cfg.access.user_max_unique_ips = new.access.user_max_unique_ips.clone();
+    cfg.access.user_max_unique_ips_mode = new.access.user_max_unique_ips_mode;
+    cfg.access.user_max_unique_ips_window_secs = new.access.user_max_unique_ips_window_secs;
+
+    cfg
+}
+
 /// Warn if any non-hot fields changed (require restart).
-fn warn_non_hot_changes(old: &ProxyConfig, new: &ProxyConfig) {
+fn warn_non_hot_changes(old: &ProxyConfig, new: &ProxyConfig, non_hot_changed: bool) {
+    let mut warned = false;
    if old.server.port != new.server.port {
+        warned = true;
        warn!(
            "config reload: server.port changed ({} → {}); restart required",
            old.server.port, new.server.port
        );
    }
+    if old.server.api.enabled != new.server.api.enabled
+        || old.server.api.listen != new.server.api.listen
+        || old.server.api.whitelist != new.server.api.whitelist
+        || old.server.api.auth_header != new.server.api.auth_header
+        || old.server.api.request_body_limit_bytes != new.server.api.request_body_limit_bytes
+        || old.server.api.minimal_runtime_enabled != new.server.api.minimal_runtime_enabled
+        || old.server.api.minimal_runtime_cache_ttl_ms
+            != new.server.api.minimal_runtime_cache_ttl_ms
+        || old.server.api.runtime_edge_enabled != new.server.api.runtime_edge_enabled
+        || old.server.api.runtime_edge_cache_ttl_ms
+            != new.server.api.runtime_edge_cache_ttl_ms
+        || old.server.api.runtime_edge_top_n != new.server.api.runtime_edge_top_n
+        || old.server.api.runtime_edge_events_capacity
+            != new.server.api.runtime_edge_events_capacity
+        || old.server.api.read_only != new.server.api.read_only
+    {
+        warned = true;
+        warn!("config reload: server.api changed; restart required");
+    }
+    if old.server.proxy_protocol != new.server.proxy_protocol
+        || !listeners_equal(&old.server.listeners, &new.server.listeners)
+        || old.server.listen_addr_ipv4 != new.server.listen_addr_ipv4
+        || old.server.listen_addr_ipv6 != new.server.listen_addr_ipv6
+        || old.server.listen_tcp != new.server.listen_tcp
+        || old.server.listen_unix_sock != new.server.listen_unix_sock
+        || old.server.listen_unix_sock_perm != new.server.listen_unix_sock_perm
+    {
+        warned = true;
+        warn!("config reload: server listener settings changed; restart required");
+    }
+    if old.censorship.tls_domain != new.censorship.tls_domain
+        || old.censorship.tls_domains != new.censorship.tls_domains
+        || old.censorship.mask != new.censorship.mask
+        || old.censorship.mask_host != new.censorship.mask_host
+        || old.censorship.mask_port != new.censorship.mask_port
+        || old.censorship.mask_unix_sock != new.censorship.mask_unix_sock
+        || old.censorship.fake_cert_len != new.censorship.fake_cert_len
+        || old.censorship.tls_emulation != new.censorship.tls_emulation
+        || old.censorship.tls_front_dir != new.censorship.tls_front_dir
+        || old.censorship.server_hello_delay_min_ms != new.censorship.server_hello_delay_min_ms
+        || old.censorship.server_hello_delay_max_ms != new.censorship.server_hello_delay_max_ms
+        || old.censorship.tls_new_session_tickets != new.censorship.tls_new_session_tickets
+        || old.censorship.tls_full_cert_ttl_secs != new.censorship.tls_full_cert_ttl_secs
+        || old.censorship.alpn_enforce != new.censorship.alpn_enforce
+        || old.censorship.mask_proxy_protocol != new.censorship.mask_proxy_protocol
+    {
+        warned = true;
+        warn!("config reload: censorship settings changed; restart required");
+    }
    if old.censorship.tls_domain != new.censorship.tls_domain {
+        warned = true;
        warn!(
            "config reload: censorship.tls_domain changed ('{}' → '{}'); restart required",
            old.censorship.tls_domain, new.censorship.tls_domain
        );
    }
    if old.network.ipv4 != new.network.ipv4 || old.network.ipv6 != new.network.ipv6 {
+        warned = true;
        warn!("config reload: network.ipv4/ipv6 changed; restart required");
    }
+    if old.network.prefer != new.network.prefer
+        || old.network.multipath != new.network.multipath
+        || old.network.stun_use != new.network.stun_use
+        || old.network.stun_servers != new.network.stun_servers
+        || old.network.stun_tcp_fallback != new.network.stun_tcp_fallback
+        || old.network.http_ip_detect_urls != new.network.http_ip_detect_urls
+        || old.network.cache_public_ip_path != new.network.cache_public_ip_path
+    {
+        warned = true;
+        warn!("config reload: non-hot network settings changed; restart required");
+    }
    if old.general.use_middle_proxy != new.general.use_middle_proxy {
+        warned = true;
        warn!("config reload: use_middle_proxy changed; restart required");
    }
    if old.general.stun_nat_probe_concurrency != new.general.stun_nat_probe_concurrency {
+        warned = true;
        warn!("config reload: general.stun_nat_probe_concurrency changed; restart required");
    }
+    if old.general.middle_proxy_pool_size != new.general.middle_proxy_pool_size {
+        warned = true;
+        warn!("config reload: general.middle_proxy_pool_size changed; restart required");
+    }
+    if old.general.me_route_no_writer_mode != new.general.me_route_no_writer_mode
+        || old.general.me_route_no_writer_wait_ms != new.general.me_route_no_writer_wait_ms
+        || old.general.me_route_inline_recovery_attempts
+            != new.general.me_route_inline_recovery_attempts
+        || old.general.me_route_inline_recovery_wait_ms
+            != new.general.me_route_inline_recovery_wait_ms
+    {
+        warned = true;
+        warn!("config reload: general.me_route_no_writer_* changed; restart required");
+    }
+    if old.general.unknown_dc_log_path != new.general.unknown_dc_log_path
+        || old.general.unknown_dc_file_log_enabled != new.general.unknown_dc_file_log_enabled
+    {
+        warned = true;
+        warn!("config reload: general.unknown_dc_* changed; restart required");
+    }
+    if old.general.me_init_retry_attempts != new.general.me_init_retry_attempts {
+        warned = true;
+        warn!("config reload: general.me_init_retry_attempts changed; restart required");
+    }
+    if old.general.me2dc_fallback != new.general.me2dc_fallback {
+        warned = true;
+        warn!("config reload: general.me2dc_fallback changed; restart required");
+    }
+    if old.general.proxy_config_v4_cache_path != new.general.proxy_config_v4_cache_path
+        || old.general.proxy_config_v6_cache_path != new.general.proxy_config_v6_cache_path
+    {
+        warned = true;
+        warn!("config reload: general.proxy_config_*_cache_path changed; restart required");
+    }
+    if old.general.me_keepalive_enabled != new.general.me_keepalive_enabled
+        || old.general.me_keepalive_interval_secs != new.general.me_keepalive_interval_secs
+        || old.general.me_keepalive_jitter_secs != new.general.me_keepalive_jitter_secs
+        || old.general.me_keepalive_payload_random != new.general.me_keepalive_payload_random
+    {
+        warned = true;
+        warn!("config reload: general.me_keepalive_* changed; restart required");
+    }
+    if old.general.upstream_connect_retry_attempts != new.general.upstream_connect_retry_attempts
+        || old.general.upstream_connect_retry_backoff_ms
+            != new.general.upstream_connect_retry_backoff_ms
+        || old.general.upstream_unhealthy_fail_threshold
+            != new.general.upstream_unhealthy_fail_threshold
+        || old.general.upstream_connect_failfast_hard_errors
+            != new.general.upstream_connect_failfast_hard_errors
+        || old.general.rpc_proxy_req_every != new.general.rpc_proxy_req_every
+    {
+        warned = true;
+        warn!("config reload: general.upstream_* changed; restart required");
+    }
+    if non_hot_changed && !warned {
+        warn!("config reload: one or more non-hot fields changed; restart required");
+    }
 }

 /// Resolve the public host for link generation — mirrors the logic in main.rs.
@@ -181,18 +597,21 @@ fn log_changes(
        log_tx.send(new_hot.log_level.clone()).ok();
    }

-    if old_hot.ad_tag != new_hot.ad_tag {
+    if old_hot.user_ad_tags != new_hot.user_ad_tags {
        info!(
-            "config reload: ad_tag: {} → {}",
-            old_hot.ad_tag.as_deref().unwrap_or("none"),
-            new_hot.ad_tag.as_deref().unwrap_or("none"),
+            "config reload: user_ad_tags updated ({} entries)",
+            new_hot.user_ad_tags.len(),
        );
    }

-    if old_hot.middle_proxy_pool_size != new_hot.middle_proxy_pool_size {
+    if old_hot.ad_tag != new_hot.ad_tag {
+        info!("config reload: general.ad_tag updated (applied on next connection)");
+    }
+
+    if old_hot.dns_overrides != new_hot.dns_overrides {
        info!(
-            "config reload: middle_proxy_pool_size: {} → {}",
-            old_hot.middle_proxy_pool_size, new_hot.middle_proxy_pool_size,
+            "config reload: network.dns_overrides updated ({} entries)",
+            new_hot.dns_overrides.len()
        );
    }

@@ -209,6 +628,17 @@ fn log_changes(
            old_hot.update_every_secs, new_hot.update_every_secs,
        );
    }
+    if old_hot.me_reinit_every_secs != new_hot.me_reinit_every_secs
+        || old_hot.me_reinit_singleflight != new_hot.me_reinit_singleflight
+        || old_hot.me_reinit_coalesce_window_ms != new_hot.me_reinit_coalesce_window_ms
+    {
+        info!(
+            "config reload: me_reinit: interval={}s singleflight={} coalesce={}ms",
+            new_hot.me_reinit_every_secs,
+            new_hot.me_reinit_singleflight,
+            new_hot.me_reinit_coalesce_window_ms
+        );
+    }

    if old_hot.hardswap != new_hot.hardswap {
        info!(
@@ -237,36 +667,193 @@ fn log_changes(
            old_hot.me_reinit_drain_timeout_secs, new_hot.me_reinit_drain_timeout_secs,
        );
    }
-
-    if old_hot.me_keepalive_enabled        != new_hot.me_keepalive_enabled
-    || old_hot.me_keepalive_interval_secs  != new_hot.me_keepalive_interval_secs
-    || old_hot.me_keepalive_jitter_secs    != new_hot.me_keepalive_jitter_secs
-    || old_hot.me_keepalive_payload_random != new_hot.me_keepalive_payload_random
+    if old_hot.me_hardswap_warmup_delay_min_ms != new_hot.me_hardswap_warmup_delay_min_ms
+        || old_hot.me_hardswap_warmup_delay_max_ms != new_hot.me_hardswap_warmup_delay_max_ms
+        || old_hot.me_hardswap_warmup_extra_passes != new_hot.me_hardswap_warmup_extra_passes
+        || old_hot.me_hardswap_warmup_pass_backoff_base_ms
+            != new_hot.me_hardswap_warmup_pass_backoff_base_ms
    {
        info!(
-            "config reload: me_keepalive: enabled={} interval={}s jitter={}s random_payload={}",
-            new_hot.me_keepalive_enabled,
-            new_hot.me_keepalive_interval_secs,
-            new_hot.me_keepalive_jitter_secs,
-            new_hot.me_keepalive_payload_random,
+            "config reload: me_hardswap_warmup: min={}ms max={}ms extra_passes={} pass_backoff={}ms",
+            new_hot.me_hardswap_warmup_delay_min_ms,
+            new_hot.me_hardswap_warmup_delay_max_ms,
+            new_hot.me_hardswap_warmup_extra_passes,
+            new_hot.me_hardswap_warmup_pass_backoff_base_ms
+        );
+    }
+    if old_hot.me_bind_stale_mode != new_hot.me_bind_stale_mode
+        || old_hot.me_bind_stale_ttl_secs != new_hot.me_bind_stale_ttl_secs
+    {
+        info!(
+            "config reload: me_bind_stale: mode={:?} ttl={}s",
+            new_hot.me_bind_stale_mode,
+            new_hot.me_bind_stale_ttl_secs
+        );
+    }
+    if old_hot.me_secret_atomic_snapshot != new_hot.me_secret_atomic_snapshot
+        || old_hot.me_deterministic_writer_sort != new_hot.me_deterministic_writer_sort
+        || old_hot.me_writer_pick_mode != new_hot.me_writer_pick_mode
+        || old_hot.me_writer_pick_sample_size != new_hot.me_writer_pick_sample_size
+    {
+        info!(
+            "config reload: me_runtime_flags: secret_atomic_snapshot={} deterministic_sort={} writer_pick_mode={:?} writer_pick_sample_size={}",
+            new_hot.me_secret_atomic_snapshot,
+            new_hot.me_deterministic_writer_sort,
+            new_hot.me_writer_pick_mode,
+            new_hot.me_writer_pick_sample_size,
+        );
+    }
+    if old_hot.me_single_endpoint_shadow_writers != new_hot.me_single_endpoint_shadow_writers
+        || old_hot.me_single_endpoint_outage_mode_enabled
+            != new_hot.me_single_endpoint_outage_mode_enabled
+        || old_hot.me_single_endpoint_outage_disable_quarantine
+            != new_hot.me_single_endpoint_outage_disable_quarantine
+        || old_hot.me_single_endpoint_outage_backoff_min_ms
+            != new_hot.me_single_endpoint_outage_backoff_min_ms
+        || old_hot.me_single_endpoint_outage_backoff_max_ms
+            != new_hot.me_single_endpoint_outage_backoff_max_ms
+        || old_hot.me_single_endpoint_shadow_rotate_every_secs
+            != new_hot.me_single_endpoint_shadow_rotate_every_secs
+    {
+        info!(
+            "config reload: me_single_endpoint: shadow={} outage_enabled={} disable_quarantine={} backoff=[{}..{}]ms rotate={}s",
+            new_hot.me_single_endpoint_shadow_writers,
+            new_hot.me_single_endpoint_outage_mode_enabled,
+            new_hot.me_single_endpoint_outage_disable_quarantine,
+            new_hot.me_single_endpoint_outage_backoff_min_ms,
+            new_hot.me_single_endpoint_outage_backoff_max_ms,
+            new_hot.me_single_endpoint_shadow_rotate_every_secs
+        );
+    }
+    if old_hot.me_config_stable_snapshots != new_hot.me_config_stable_snapshots
+        || old_hot.me_config_apply_cooldown_secs != new_hot.me_config_apply_cooldown_secs
+        || old_hot.me_snapshot_require_http_2xx != new_hot.me_snapshot_require_http_2xx
+        || old_hot.me_snapshot_reject_empty_map != new_hot.me_snapshot_reject_empty_map
+        || old_hot.me_snapshot_min_proxy_for_lines != new_hot.me_snapshot_min_proxy_for_lines
+    {
+        info!(
+            "config reload: me_snapshot_guard: stable={} cooldown={}s require_2xx={} reject_empty={} min_proxy_for={}",
+            new_hot.me_config_stable_snapshots,
+            new_hot.me_config_apply_cooldown_secs,
+            new_hot.me_snapshot_require_http_2xx,
+            new_hot.me_snapshot_reject_empty_map,
+            new_hot.me_snapshot_min_proxy_for_lines
+        );
+    }
+    if old_hot.proxy_secret_stable_snapshots != new_hot.proxy_secret_stable_snapshots
+        || old_hot.proxy_secret_rotate_runtime != new_hot.proxy_secret_rotate_runtime
+        || old_hot.proxy_secret_len_max != new_hot.proxy_secret_len_max
+    {
+        info!(
+            "config reload: proxy_secret_runtime: stable={} rotate={} len_max={}",
+            new_hot.proxy_secret_stable_snapshots,
+            new_hot.proxy_secret_rotate_runtime,
+            new_hot.proxy_secret_len_max
        );
    }

-    if old_hot.access.users != new_hot.access.users {
-        let mut added: Vec<&String> = new_hot.access.users.keys()
-            .filter(|u| !old_hot.access.users.contains_key(*u))
+    if old_hot.telemetry_core_enabled != new_hot.telemetry_core_enabled
+        || old_hot.telemetry_user_enabled != new_hot.telemetry_user_enabled
+        || old_hot.telemetry_me_level != new_hot.telemetry_me_level
+    {
+        info!(
+            "config reload: telemetry: core_enabled={} user_enabled={} me_level={}",
+            new_hot.telemetry_core_enabled,
+            new_hot.telemetry_user_enabled,
+            new_hot.telemetry_me_level,
+        );
+    }
+
+    if old_hot.me_socks_kdf_policy != new_hot.me_socks_kdf_policy {
+        info!(
+            "config reload: me_socks_kdf_policy: {:?} → {:?}",
+            old_hot.me_socks_kdf_policy,
+            new_hot.me_socks_kdf_policy,
+        );
+    }
+
+    if old_hot.me_floor_mode != new_hot.me_floor_mode
+        || old_hot.me_adaptive_floor_idle_secs != new_hot.me_adaptive_floor_idle_secs
+        || old_hot.me_adaptive_floor_min_writers_single_endpoint
+            != new_hot.me_adaptive_floor_min_writers_single_endpoint
+        || old_hot.me_adaptive_floor_min_writers_multi_endpoint
+            != new_hot.me_adaptive_floor_min_writers_multi_endpoint
+        || old_hot.me_adaptive_floor_recover_grace_secs
+            != new_hot.me_adaptive_floor_recover_grace_secs
+        || old_hot.me_adaptive_floor_writers_per_core_total
+            != new_hot.me_adaptive_floor_writers_per_core_total
+        || old_hot.me_adaptive_floor_cpu_cores_override
+            != new_hot.me_adaptive_floor_cpu_cores_override
+        || old_hot.me_adaptive_floor_max_extra_writers_single_per_core
+            != new_hot.me_adaptive_floor_max_extra_writers_single_per_core
+        || old_hot.me_adaptive_floor_max_extra_writers_multi_per_core
+            != new_hot.me_adaptive_floor_max_extra_writers_multi_per_core
+        || old_hot.me_adaptive_floor_max_active_writers_per_core
+            != new_hot.me_adaptive_floor_max_active_writers_per_core
+        || old_hot.me_adaptive_floor_max_warm_writers_per_core
+            != new_hot.me_adaptive_floor_max_warm_writers_per_core
+        || old_hot.me_adaptive_floor_max_active_writers_global
+            != new_hot.me_adaptive_floor_max_active_writers_global
+        || old_hot.me_adaptive_floor_max_warm_writers_global
+            != new_hot.me_adaptive_floor_max_warm_writers_global
+    {
+        info!(
+            "config reload: me_floor: mode={:?} idle={}s min_single={} min_multi={} recover_grace={}s per_core_total={} cores_override={} extra_single_per_core={} extra_multi_per_core={} max_active_per_core={} max_warm_per_core={} max_active_global={} max_warm_global={}",
+            new_hot.me_floor_mode,
+            new_hot.me_adaptive_floor_idle_secs,
+            new_hot.me_adaptive_floor_min_writers_single_endpoint,
+            new_hot.me_adaptive_floor_min_writers_multi_endpoint,
+            new_hot.me_adaptive_floor_recover_grace_secs,
+            new_hot.me_adaptive_floor_writers_per_core_total,
+            new_hot.me_adaptive_floor_cpu_cores_override,
+            new_hot.me_adaptive_floor_max_extra_writers_single_per_core,
+            new_hot.me_adaptive_floor_max_extra_writers_multi_per_core,
+            new_hot.me_adaptive_floor_max_active_writers_per_core,
+            new_hot.me_adaptive_floor_max_warm_writers_per_core,
+            new_hot.me_adaptive_floor_max_active_writers_global,
+            new_hot.me_adaptive_floor_max_warm_writers_global,
+        );
+    }
+
+    if old_hot.me_route_backpressure_base_timeout_ms
+        != new_hot.me_route_backpressure_base_timeout_ms
+        || old_hot.me_route_backpressure_high_timeout_ms
+            != new_hot.me_route_backpressure_high_timeout_ms
+        || old_hot.me_route_backpressure_high_watermark_pct
+            != new_hot.me_route_backpressure_high_watermark_pct
+        || old_hot.me_health_interval_ms_unhealthy
+            != new_hot.me_health_interval_ms_unhealthy
+        || old_hot.me_health_interval_ms_healthy != new_hot.me_health_interval_ms_healthy
+        || old_hot.me_admission_poll_ms != new_hot.me_admission_poll_ms
+        || old_hot.me_warn_rate_limit_ms != new_hot.me_warn_rate_limit_ms
+    {
+        info!(
+            "config reload: me_route_backpressure: base={}ms high={}ms watermark={}%; me_health_interval: unhealthy={}ms healthy={}ms; me_admission_poll={}ms; me_warn_rate_limit={}ms",
+            new_hot.me_route_backpressure_base_timeout_ms,
+            new_hot.me_route_backpressure_high_timeout_ms,
+            new_hot.me_route_backpressure_high_watermark_pct,
+            new_hot.me_health_interval_ms_unhealthy,
+            new_hot.me_health_interval_ms_healthy,
+            new_hot.me_admission_poll_ms,
+            new_hot.me_warn_rate_limit_ms,
+        );
+    }
+
+    if old_hot.users != new_hot.users {
+        let mut added: Vec<&String> = new_hot.users.keys()
+            .filter(|u| !old_hot.users.contains_key(*u))
            .collect();
        added.sort();

-        let mut removed: Vec<&String> = old_hot.access.users.keys()
-            .filter(|u| !new_hot.access.users.contains_key(*u))
+        let mut removed: Vec<&String> = old_hot.users.keys()
+            .filter(|u| !new_hot.users.contains_key(*u))
            .collect();
        removed.sort();

-        let mut changed: Vec<&String> = new_hot.access.users.keys()
+        let mut changed: Vec<&String> = new_hot.users.keys()
            .filter(|u| {
-                old_hot.access.users.get(*u)
-                    .map(|s| s != &new_hot.access.users[*u])
+                old_hot.users.get(*u)
+                    .map(|s| s != &new_hot.users[*u])
                    .unwrap_or(false)
            })
            .collect();
@@ -280,7 +867,7 @@ fn log_changes(
            let host = resolve_link_host(new_cfg, detected_ip_v4, detected_ip_v6);
            let port = new_cfg.general.links.public_port.unwrap_or(new_cfg.server.port);
            for user in &added {
-                if let Some(secret) = new_hot.access.users.get(*user) {
+                if let Some(secret) = new_hot.users.get(*user) {
                    print_user_links(user, secret, &host, port, new_cfg);
                }
            }
@@ -299,28 +886,38 @@ fn log_changes(
        }
    }

-    if old_hot.access.user_max_tcp_conns != new_hot.access.user_max_tcp_conns {
+    if old_hot.user_max_tcp_conns != new_hot.user_max_tcp_conns {
        info!(
            "config reload: user_max_tcp_conns updated ({} entries)",
-            new_hot.access.user_max_tcp_conns.len()
+            new_hot.user_max_tcp_conns.len()
        );
    }
-    if old_hot.access.user_expirations != new_hot.access.user_expirations {
+    if old_hot.user_expirations != new_hot.user_expirations {
        info!(
            "config reload: user_expirations updated ({} entries)",
-            new_hot.access.user_expirations.len()
+            new_hot.user_expirations.len()
        );
    }
-    if old_hot.access.user_data_quota != new_hot.access.user_data_quota {
+    if old_hot.user_data_quota != new_hot.user_data_quota {
        info!(
            "config reload: user_data_quota updated ({} entries)",
-            new_hot.access.user_data_quota.len()
+            new_hot.user_data_quota.len()
        );
    }
-    if old_hot.access.user_max_unique_ips != new_hot.access.user_max_unique_ips {
+    if old_hot.user_max_unique_ips != new_hot.user_max_unique_ips {
        info!(
            "config reload: user_max_unique_ips updated ({} entries)",
-            new_hot.access.user_max_unique_ips.len()
+            new_hot.user_max_unique_ips.len()
+        );
+    }
+    if old_hot.user_max_unique_ips_mode != new_hot.user_max_unique_ips_mode
+        || old_hot.user_max_unique_ips_window_secs
+            != new_hot.user_max_unique_ips_window_secs
+    {
+        info!(
+            "config reload: user_max_unique_ips policy mode={:?} window={}s",
+            new_hot.user_max_unique_ips_mode,
+            new_hot.user_max_unique_ips_window_secs
        );
    }
 }
@@ -347,16 +944,39 @@ fn reload_config(
    }

    let old_cfg = config_tx.borrow().clone();
+    let applied_cfg = overlay_hot_fields(&old_cfg, &new_cfg);
    let old_hot = HotFields::from_config(&old_cfg);
-    let new_hot = HotFields::from_config(&new_cfg);
+    let applied_hot = HotFields::from_config(&applied_cfg);
+    let non_hot_changed = !config_equal(&applied_cfg, &new_cfg);
+    let hot_changed = old_hot != applied_hot;

-    if old_hot == new_hot {
+    if non_hot_changed {
+        warn_non_hot_changes(&old_cfg, &new_cfg, non_hot_changed);
+    }
+
+    if !hot_changed {
        return;
    }

-    warn_non_hot_changes(&old_cfg, &new_cfg);
-    log_changes(&old_hot, &new_hot, &new_cfg, log_tx, detected_ip_v4, detected_ip_v6);
-    config_tx.send(Arc::new(new_cfg)).ok();
+    if old_hot.dns_overrides != applied_hot.dns_overrides
+        && let Err(e) = crate::network::dns_overrides::install_entries(&applied_hot.dns_overrides)
+    {
+        error!(
+            "config reload: invalid network.dns_overrides: {}; keeping old config",
+            e
+        );
+        return;
+    }
+
+    log_changes(
+        &old_hot,
+        &applied_hot,
+        &applied_cfg,
+        log_tx,
+        detected_ip_v4,
+        detected_ip_v6,
+    );
+    config_tx.send(Arc::new(applied_cfg)).ok();
 }

 // ── Public API ────────────────────────────────────────────────────────────────
@@ -482,3 +1102,80 @@ pub fn spawn_config_watcher(

    (config_rx, log_rx)
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    fn sample_config() -> ProxyConfig {
+        ProxyConfig::default()
+    }
+
+    #[test]
+    fn overlay_applies_hot_and_preserves_non_hot() {
+        let old = sample_config();
+        let mut new = old.clone();
+        new.general.hardswap = !old.general.hardswap;
+        new.server.port = old.server.port.saturating_add(1);
+
+        let applied = overlay_hot_fields(&old, &new);
+        assert_eq!(applied.general.hardswap, new.general.hardswap);
+        assert_eq!(applied.server.port, old.server.port);
+    }
+
+    #[test]
+    fn non_hot_only_change_does_not_change_hot_snapshot() {
+        let old = sample_config();
+        let mut new = old.clone();
+        new.server.port = old.server.port.saturating_add(1);
+
+        let applied = overlay_hot_fields(&old, &new);
+        assert_eq!(HotFields::from_config(&old), HotFields::from_config(&applied));
+        assert_eq!(applied.server.port, old.server.port);
+    }
+
+    #[test]
+    fn bind_stale_mode_is_hot() {
+        let old = sample_config();
+        let mut new = old.clone();
+        new.general.me_bind_stale_mode = match old.general.me_bind_stale_mode {
+            MeBindStaleMode::Never => MeBindStaleMode::Ttl,
+            MeBindStaleMode::Ttl => MeBindStaleMode::Always,
+            MeBindStaleMode::Always => MeBindStaleMode::Never,
+        };
+
+        let applied = overlay_hot_fields(&old, &new);
+        assert_eq!(
+            applied.general.me_bind_stale_mode,
+            new.general.me_bind_stale_mode
+        );
+        assert_ne!(HotFields::from_config(&old), HotFields::from_config(&applied));
+    }
+
+    #[test]
+    fn keepalive_is_not_hot() {
+        let old = sample_config();
+        let mut new = old.clone();
+        new.general.me_keepalive_interval_secs = old.general.me_keepalive_interval_secs + 5;
+
+        let applied = overlay_hot_fields(&old, &new);
+        assert_eq!(
+            applied.general.me_keepalive_interval_secs,
+            old.general.me_keepalive_interval_secs
+        );
+        assert_eq!(HotFields::from_config(&old), HotFields::from_config(&applied));
+    }
+
+    #[test]
+    fn mixed_hot_and_non_hot_change_applies_only_hot_subset() {
+        let old = sample_config();
+        let mut new = old.clone();
+        new.general.hardswap = !old.general.hardswap;
+        new.general.use_middle_proxy = !old.general.use_middle_proxy;
+
+        let applied = overlay_hot_fields(&old, &new);
+        assert_eq!(applied.general.hardswap, new.general.hardswap);
+        assert_eq!(applied.general.use_middle_proxy, old.general.use_middle_proxy);
+        assert!(!config_equal(&applied, &new));
+    }
+}
--- a/src/config/load.rs
+++ b/src/config/load.rs
--- a/src/config/types.rs
+++ b/src/config/types.rs
@@ -59,6 +59,219 @@ impl std::fmt::Display for LogLevel {
    }
 }

+/// Middle-End telemetry verbosity level.
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, Default)]
+#[serde(rename_all = "lowercase")]
+pub enum MeTelemetryLevel {
+    #[default]
+    Normal,
+    Silent,
+    Debug,
+}
+
+impl MeTelemetryLevel {
+    pub fn as_u8(self) -> u8 {
+        match self {
+            MeTelemetryLevel::Silent => 0,
+            MeTelemetryLevel::Normal => 1,
+            MeTelemetryLevel::Debug => 2,
+        }
+    }
+
+    pub fn from_u8(raw: u8) -> Self {
+        match raw {
+            0 => MeTelemetryLevel::Silent,
+            2 => MeTelemetryLevel::Debug,
+            _ => MeTelemetryLevel::Normal,
+        }
+    }
+
+    pub fn allows_normal(self) -> bool {
+        !matches!(self, MeTelemetryLevel::Silent)
+    }
+
+    pub fn allows_debug(self) -> bool {
+        matches!(self, MeTelemetryLevel::Debug)
+    }
+}
+
+impl std::fmt::Display for MeTelemetryLevel {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        match self {
+            MeTelemetryLevel::Silent => write!(f, "silent"),
+            MeTelemetryLevel::Normal => write!(f, "normal"),
+            MeTelemetryLevel::Debug => write!(f, "debug"),
+        }
+    }
+}
+
+/// Middle-End SOCKS KDF fallback policy.
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, Default)]
+#[serde(rename_all = "lowercase")]
+pub enum MeSocksKdfPolicy {
+    #[default]
+    Strict,
+    Compat,
+}
+
+impl MeSocksKdfPolicy {
+    pub fn as_u8(self) -> u8 {
+        match self {
+            MeSocksKdfPolicy::Strict => 0,
+            MeSocksKdfPolicy::Compat => 1,
+        }
+    }
+
+    pub fn from_u8(raw: u8) -> Self {
+        match raw {
+            1 => MeSocksKdfPolicy::Compat,
+            _ => MeSocksKdfPolicy::Strict,
+        }
+    }
+}
+
+/// Stale ME writer bind policy during drain window.
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, Default)]
+#[serde(rename_all = "lowercase")]
+pub enum MeBindStaleMode {
+    Never,
+    #[default]
+    Ttl,
+    Always,
+}
+
+impl MeBindStaleMode {
+    pub fn as_u8(self) -> u8 {
+        match self {
+            MeBindStaleMode::Never => 0,
+            MeBindStaleMode::Ttl => 1,
+            MeBindStaleMode::Always => 2,
+        }
+    }
+
+    pub fn from_u8(raw: u8) -> Self {
+        match raw {
+            0 => MeBindStaleMode::Never,
+            2 => MeBindStaleMode::Always,
+            _ => MeBindStaleMode::Ttl,
+        }
+    }
+}
+
+/// Middle-End writer floor policy mode.
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, Default)]
+#[serde(rename_all = "lowercase")]
+pub enum MeFloorMode {
+    Static,
+    #[default]
+    Adaptive,
+}
+
+impl MeFloorMode {
+    pub fn as_u8(self) -> u8 {
+        match self {
+            MeFloorMode::Static => 0,
+            MeFloorMode::Adaptive => 1,
+        }
+    }
+
+    pub fn from_u8(raw: u8) -> Self {
+        match raw {
+            1 => MeFloorMode::Adaptive,
+            _ => MeFloorMode::Static,
+        }
+    }
+}
+
+/// Middle-End route behavior when no writer is immediately available.
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, Default)]
+#[serde(rename_all = "snake_case")]
+pub enum MeRouteNoWriterMode {
+    AsyncRecoveryFailfast,
+    InlineRecoveryLegacy,
+    #[default]
+    HybridAsyncPersistent,
+}
+
+impl MeRouteNoWriterMode {
+    pub fn as_u8(self) -> u8 {
+        match self {
+            MeRouteNoWriterMode::AsyncRecoveryFailfast => 0,
+            MeRouteNoWriterMode::InlineRecoveryLegacy => 1,
+            MeRouteNoWriterMode::HybridAsyncPersistent => 2,
+        }
+    }
+
+    pub fn from_u8(raw: u8) -> Self {
+        match raw {
+            0 => MeRouteNoWriterMode::AsyncRecoveryFailfast,
+            1 => MeRouteNoWriterMode::InlineRecoveryLegacy,
+            2 => MeRouteNoWriterMode::HybridAsyncPersistent,
+            _ => MeRouteNoWriterMode::HybridAsyncPersistent,
+        }
+    }
+}
+
+/// Middle-End writer selection mode for new client bindings.
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, Default)]
+#[serde(rename_all = "snake_case")]
+pub enum MeWriterPickMode {
+    SortedRr,
+    #[default]
+    P2c,
+}
+
+impl MeWriterPickMode {
+    pub fn as_u8(self) -> u8 {
+        match self {
+            MeWriterPickMode::SortedRr => 0,
+            MeWriterPickMode::P2c => 1,
+        }
+    }
+
+    pub fn from_u8(raw: u8) -> Self {
+        match raw {
+            0 => MeWriterPickMode::SortedRr,
+            1 => MeWriterPickMode::P2c,
+            _ => MeWriterPickMode::P2c,
+        }
+    }
+}
+
+/// Per-user unique source IP limit mode.
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, Default)]
+#[serde(rename_all = "snake_case")]
+pub enum UserMaxUniqueIpsMode {
+    /// Count only currently active source IPs.
+    #[default]
+    ActiveWindow,
+    /// Count source IPs seen within the recent time window.
+    TimeWindow,
+    /// Enforce both active and recent-window limits at the same time.
+    Combined,
+}
+
+/// Telemetry controls for hot-path counters and ME diagnostics.
+#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
+pub struct TelemetryConfig {
+    #[serde(default = "default_true")]
+    pub core_enabled: bool,
+    #[serde(default = "default_true")]
+    pub user_enabled: bool,
+    #[serde(default)]
+    pub me_level: MeTelemetryLevel,
+}
+
+impl Default for TelemetryConfig {
+    fn default() -> Self {
+        Self {
+            core_enabled: default_true(),
+            user_enabled: default_true(),
+            me_level: MeTelemetryLevel::Normal,
+        }
+    }
+}
+
 // ============= Sub-Configs =============

 #[derive(Debug, Clone, Serialize, Deserialize)]
@@ -97,6 +310,11 @@ pub struct NetworkConfig {
    #[serde(default)]
    pub multipath: bool,

+    /// Global switch for STUN probing.
+    /// When false, STUN is fully disabled and only non-STUN detection remains.
+    #[serde(default = "default_true")]
+    pub stun_use: bool,
+
    /// STUN servers list for public IP discovery.
    #[serde(default = "default_stun_servers")]
    pub stun_servers: Vec<String>,
@@ -112,6 +330,11 @@ pub struct NetworkConfig {
    /// Cache file path for detected public IP.
    #[serde(default = "default_cache_public_ip_path")]
    pub cache_public_ip_path: String,
+
+    /// Runtime DNS overrides in `host:port:ip` format.
+    /// IPv6 IP values must be bracketed: `[2001:db8::1]`.
+    #[serde(default)]
+    pub dns_overrides: Vec<String>,
 }

 impl Default for NetworkConfig {
@@ -121,10 +344,12 @@ impl Default for NetworkConfig {
            ipv6: default_network_ipv6(),
            prefer: default_prefer_4(),
            multipath: false,
+            stun_use: default_true(),
            stun_servers: default_stun_servers(),
            stun_tcp_fallback: default_stun_tcp_fallback(),
            http_ip_detect_urls: default_http_ip_detect_urls(),
            cache_public_ip_path: default_cache_public_ip_path(),
+            dns_overrides: Vec::new(),
        }
    }
 }
@@ -143,14 +368,23 @@ pub struct GeneralConfig {
    #[serde(default = "default_true")]
    pub use_middle_proxy: bool,

-    #[serde(default)]
-    pub ad_tag: Option<String>,
-
    /// Path to proxy-secret binary file (auto-downloaded if absent).
    /// Infrastructure secret from https://core.telegram.org/getProxySecret.
    #[serde(default = "default_proxy_secret_path")]
    pub proxy_secret_path: Option<String>,

+    /// Optional path to cache raw getProxyConfig (IPv4) snapshot for startup fallback.
+    #[serde(default = "default_proxy_config_v4_cache_path")]
+    pub proxy_config_v4_cache_path: Option<String>,
+
+    /// Optional path to cache raw getProxyConfigV6 snapshot for startup fallback.
+    #[serde(default = "default_proxy_config_v6_cache_path")]
+    pub proxy_config_v6_cache_path: Option<String>,
+
+    /// Global ad_tag (32 hex chars from @MTProxybot). Fallback when user has no per-user tag in access.user_ad_tags.
+    #[serde(default)]
+    pub ad_tag: Option<String>,
+
    /// Public IP override for middle-proxy NAT environments.
    /// When set, this IP is used in ME key derivation and RPC_PROXY_REQ "our_addr".
    #[serde(default)]
@@ -182,6 +416,15 @@ pub struct GeneralConfig {
    #[serde(default = "default_middle_proxy_warm_standby")]
    pub middle_proxy_warm_standby: usize,

+    /// Startup retries for Middle-End pool initialization before ME→Direct fallback.
+    /// 0 means unlimited retries.
+    #[serde(default = "default_me_init_retry_attempts")]
+    pub me_init_retry_attempts: u32,
+
+    /// Allow fallback from Middle-End mode to direct DC when ME startup cannot be initialized.
+    #[serde(default = "default_me2dc_fallback")]
+    pub me2dc_fallback: bool,
+
    /// Enable ME keepalive padding frames.
    #[serde(default = "default_true")]
    pub me_keepalive_enabled: bool,
@@ -198,6 +441,23 @@ pub struct GeneralConfig {
    #[serde(default = "default_true")]
    pub me_keepalive_payload_random: bool,

+    /// Interval in seconds for service RPC_PROXY_REQ activity signals to ME.
+    /// 0 disables service activity signals.
+    #[serde(default = "default_rpc_proxy_req_every")]
+    pub rpc_proxy_req_every: u64,
+
+    /// Capacity of per-ME writer command channel.
+    #[serde(default = "default_me_writer_cmd_channel_capacity")]
+    pub me_writer_cmd_channel_capacity: usize,
+
+    /// Capacity of per-connection ME response route channel.
+    #[serde(default = "default_me_route_channel_capacity")]
+    pub me_route_channel_capacity: usize,
+
+    /// Capacity of per-client command queue from client reader to ME sender task.
+    #[serde(default = "default_me_c2me_channel_capacity")]
+    pub me_c2me_channel_capacity: usize,
+
    /// Max pending ciphertext buffer per client writer (bytes).
    /// Controls FakeTLS backpressure vs throughput.
    #[serde(default = "default_crypto_pending_buffer")]
@@ -261,6 +521,104 @@ pub struct GeneralConfig {
    #[serde(default = "default_me_reconnect_fast_retry_count")]
    pub me_reconnect_fast_retry_count: u32,

+    /// Number of additional reserve writers for DC groups with exactly one endpoint.
+    #[serde(default = "default_me_single_endpoint_shadow_writers")]
+    pub me_single_endpoint_shadow_writers: u8,
+
+    /// Enable aggressive outage recovery mode for single-endpoint DC groups.
+    #[serde(default = "default_me_single_endpoint_outage_mode_enabled")]
+    pub me_single_endpoint_outage_mode_enabled: bool,
+
+    /// Ignore endpoint quarantine while in single-endpoint outage mode.
+    #[serde(default = "default_me_single_endpoint_outage_disable_quarantine")]
+    pub me_single_endpoint_outage_disable_quarantine: bool,
+
+    /// Minimum reconnect backoff in ms for single-endpoint outage mode.
+    #[serde(default = "default_me_single_endpoint_outage_backoff_min_ms")]
+    pub me_single_endpoint_outage_backoff_min_ms: u64,
+
+    /// Maximum reconnect backoff in ms for single-endpoint outage mode.
+    #[serde(default = "default_me_single_endpoint_outage_backoff_max_ms")]
+    pub me_single_endpoint_outage_backoff_max_ms: u64,
+
+    /// Periodic shadow writer rotation interval in seconds for single-endpoint DC groups.
+    /// Set to 0 to disable periodic shadow rotation.
+    #[serde(default = "default_me_single_endpoint_shadow_rotate_every_secs")]
+    pub me_single_endpoint_shadow_rotate_every_secs: u64,
+
+    /// Floor policy mode for ME writer targets.
+    #[serde(default)]
+    pub me_floor_mode: MeFloorMode,
+
+    /// Idle time in seconds before adaptive floor can reduce single-endpoint writer target.
+    #[serde(default = "default_me_adaptive_floor_idle_secs")]
+    pub me_adaptive_floor_idle_secs: u64,
+
+    /// Minimum writer target for single-endpoint DC groups in adaptive floor mode.
+    #[serde(default = "default_me_adaptive_floor_min_writers_single_endpoint")]
+    pub me_adaptive_floor_min_writers_single_endpoint: u8,
+
+    /// Minimum writer target for multi-endpoint DC groups in adaptive floor mode.
+    #[serde(default = "default_me_adaptive_floor_min_writers_multi_endpoint")]
+    pub me_adaptive_floor_min_writers_multi_endpoint: u8,
+
+    /// Grace period in seconds to hold static floor after activity in adaptive mode.
+    #[serde(default = "default_me_adaptive_floor_recover_grace_secs")]
+    pub me_adaptive_floor_recover_grace_secs: u64,
+
+    /// Global ME writer budget per logical CPU core in adaptive mode.
+    #[serde(default = "default_me_adaptive_floor_writers_per_core_total")]
+    pub me_adaptive_floor_writers_per_core_total: u16,
+
+    /// Override logical CPU core count for adaptive floor calculations.
+    /// Set to 0 to use runtime auto-detection.
+    #[serde(default = "default_me_adaptive_floor_cpu_cores_override")]
+    pub me_adaptive_floor_cpu_cores_override: u16,
+
+    /// Per-core max extra writers above base required floor for single-endpoint DC groups.
+    #[serde(default = "default_me_adaptive_floor_max_extra_writers_single_per_core")]
+    pub me_adaptive_floor_max_extra_writers_single_per_core: u16,
+
+    /// Per-core max extra writers above base required floor for multi-endpoint DC groups.
+    #[serde(default = "default_me_adaptive_floor_max_extra_writers_multi_per_core")]
+    pub me_adaptive_floor_max_extra_writers_multi_per_core: u16,
+
+    /// Hard cap for active ME writers per logical CPU core.
+    #[serde(default = "default_me_adaptive_floor_max_active_writers_per_core")]
+    pub me_adaptive_floor_max_active_writers_per_core: u16,
+
+    /// Hard cap for warm ME writers per logical CPU core.
+    #[serde(default = "default_me_adaptive_floor_max_warm_writers_per_core")]
+    pub me_adaptive_floor_max_warm_writers_per_core: u16,
+
+    /// Hard global cap for active ME writers.
+    #[serde(default = "default_me_adaptive_floor_max_active_writers_global")]
+    pub me_adaptive_floor_max_active_writers_global: u32,
+
+    /// Hard global cap for warm ME writers.
+    #[serde(default = "default_me_adaptive_floor_max_warm_writers_global")]
+    pub me_adaptive_floor_max_warm_writers_global: u32,
+
+    /// Connect attempts for the selected upstream before returning error/fallback.
+    #[serde(default = "default_upstream_connect_retry_attempts")]
+    pub upstream_connect_retry_attempts: u32,
+
+    /// Delay in milliseconds between upstream connect attempts.
+    #[serde(default = "default_upstream_connect_retry_backoff_ms")]
+    pub upstream_connect_retry_backoff_ms: u64,
+
+    /// Total wall-clock budget in milliseconds for one upstream connect request across retries.
+    #[serde(default = "default_upstream_connect_budget_ms")]
+    pub upstream_connect_budget_ms: u64,
+
+    /// Consecutive failed requests before upstream is marked unhealthy.
+    #[serde(default = "default_upstream_unhealthy_fail_threshold")]
+    pub upstream_unhealthy_fail_threshold: u32,
+
+    /// Skip additional retries for hard non-transient upstream connect errors.
+    #[serde(default = "default_upstream_connect_failfast_hard_errors")]
+    pub upstream_connect_failfast_hard_errors: bool,
+
    /// Ignore STUN/interface IP mismatch (keep using Middle Proxy even if NAT detected).
    #[serde(default)]
    pub stun_iface_mismatch_ignore: bool,
@@ -269,6 +627,10 @@ pub struct GeneralConfig {
    #[serde(default = "default_unknown_dc_log_path")]
    pub unknown_dc_log_path: Option<String>,

+    /// Enable unknown-DC file logging.
+    #[serde(default = "default_unknown_dc_file_log_enabled")]
+    pub unknown_dc_file_log_enabled: bool,
+
    #[serde(default)]
    pub log_level: LogLevel,

@@ -276,6 +638,58 @@ pub struct GeneralConfig {
    #[serde(default)]
    pub disable_colors: bool,

+    /// Runtime telemetry controls for counters/metrics in hot paths.
+    #[serde(default)]
+    pub telemetry: TelemetryConfig,
+
+    /// SOCKS-bound KDF policy for Middle-End handshake.
+    #[serde(default)]
+    pub me_socks_kdf_policy: MeSocksKdfPolicy,
+
+    /// Base backpressure timeout in milliseconds for ME route channel send.
+    #[serde(default = "default_me_route_backpressure_base_timeout_ms")]
+    pub me_route_backpressure_base_timeout_ms: u64,
+
+    /// High backpressure timeout in milliseconds when queue occupancy is above watermark.
+    #[serde(default = "default_me_route_backpressure_high_timeout_ms")]
+    pub me_route_backpressure_high_timeout_ms: u64,
+
+    /// Queue occupancy percent threshold for high backpressure timeout.
+    #[serde(default = "default_me_route_backpressure_high_watermark_pct")]
+    pub me_route_backpressure_high_watermark_pct: u8,
+
+    /// Health monitor interval in milliseconds while writer coverage is degraded.
+    #[serde(default = "default_me_health_interval_ms_unhealthy")]
+    pub me_health_interval_ms_unhealthy: u64,
+
+    /// Health monitor interval in milliseconds while writer coverage is stable.
+    #[serde(default = "default_me_health_interval_ms_healthy")]
+    pub me_health_interval_ms_healthy: u64,
+
+    /// Poll interval in milliseconds for conditional-admission state checks.
+    #[serde(default = "default_me_admission_poll_ms")]
+    pub me_admission_poll_ms: u64,
+
+    /// Cooldown for repetitive ME warning logs in milliseconds.
+    #[serde(default = "default_me_warn_rate_limit_ms")]
+    pub me_warn_rate_limit_ms: u64,
+
+    /// ME route behavior when no writer is immediately available.
+    #[serde(default)]
+    pub me_route_no_writer_mode: MeRouteNoWriterMode,
+
+    /// Maximum wait time in milliseconds for async-recovery failfast mode.
+    #[serde(default = "default_me_route_no_writer_wait_ms")]
+    pub me_route_no_writer_wait_ms: u64,
+
+    /// Number of inline recovery attempts in legacy mode.
+    #[serde(default = "default_me_route_inline_recovery_attempts")]
+    pub me_route_inline_recovery_attempts: u32,
+
+    /// Maximum wait time in milliseconds for inline recovery in legacy mode.
+    #[serde(default = "default_me_route_inline_recovery_wait_ms")]
+    pub me_route_inline_recovery_wait_ms: u64,
+
    /// [general.links] — proxy link generation overrides.
    #[serde(default)]
    pub links: LinksConfig,
@@ -317,6 +731,18 @@ pub struct GeneralConfig {
    #[serde(default = "default_me_config_apply_cooldown_secs")]
    pub me_config_apply_cooldown_secs: u64,

+    /// Ensure getProxyConfig snapshots are applied only for 2xx HTTP responses.
+    #[serde(default = "default_me_snapshot_require_http_2xx")]
+    pub me_snapshot_require_http_2xx: bool,
+
+    /// Reject empty getProxyConfig snapshots instead of marking them applied.
+    #[serde(default = "default_me_snapshot_reject_empty_map")]
+    pub me_snapshot_reject_empty_map: bool,
+
+    /// Minimum parsed `proxy_for` rows required to accept a snapshot.
+    #[serde(default = "default_me_snapshot_min_proxy_for_lines")]
+    pub me_snapshot_min_proxy_for_lines: u32,
+
    /// Number of identical getProxySecret snapshots required before runtime secret rotation.
    #[serde(default = "default_proxy_secret_stable_snapshots")]
    pub proxy_secret_stable_snapshots: u8,
@@ -325,6 +751,10 @@ pub struct GeneralConfig {
    #[serde(default = "default_proxy_secret_rotate_runtime")]
    pub proxy_secret_rotate_runtime: bool,

+    /// Keep key-selector and secret bytes from one snapshot during ME handshake.
+    #[serde(default = "default_me_secret_atomic_snapshot")]
+    pub me_secret_atomic_snapshot: bool,
+
    /// Maximum allowed proxy-secret length in bytes for startup and runtime refresh.
    #[serde(default = "default_proxy_secret_len_max")]
    pub proxy_secret_len_max: usize,
@@ -334,6 +764,14 @@ pub struct GeneralConfig {
    #[serde(default = "default_me_pool_drain_ttl_secs")]
    pub me_pool_drain_ttl_secs: u64,

+    /// Policy for new binds on stale draining writers.
+    #[serde(default)]
+    pub me_bind_stale_mode: MeBindStaleMode,
+
+    /// TTL for stale bind allowance when `me_bind_stale_mode = \"ttl\"`.
+    #[serde(default = "default_me_bind_stale_ttl_secs")]
+    pub me_bind_stale_ttl_secs: u64,
+
    /// Minimum desired-DC coverage ratio required before draining stale writers.
    /// Range: 0.0..=1.0.
    #[serde(default = "default_me_pool_min_fresh_ratio")]
@@ -354,6 +792,30 @@ pub struct GeneralConfig {
    #[serde(default = "default_proxy_config_reload_secs")]
    pub proxy_config_auto_reload_secs: u64,

+    /// Serialize ME reinit cycles across all trigger sources.
+    #[serde(default = "default_me_reinit_singleflight")]
+    pub me_reinit_singleflight: bool,
+
+    /// Trigger queue capacity for reinit scheduler.
+    #[serde(default = "default_me_reinit_trigger_channel")]
+    pub me_reinit_trigger_channel: usize,
+
+    /// Trigger coalescing window before starting a reinit cycle.
+    #[serde(default = "default_me_reinit_coalesce_window_ms")]
+    pub me_reinit_coalesce_window_ms: u64,
+
+    /// Deterministic candidate sort for ME writer binding path.
+    #[serde(default = "default_me_deterministic_writer_sort")]
+    pub me_deterministic_writer_sort: bool,
+
+    /// Writer selection mode for ME route bind path.
+    #[serde(default)]
+    pub me_writer_pick_mode: MeWriterPickMode,
+
+    /// Number of candidates sampled by writer picker in `p2c` mode.
+    #[serde(default = "default_me_writer_pick_sample_size")]
+    pub me_writer_pick_sample_size: u8,
+
    /// Enable NTP drift check at startup.
    #[serde(default = "default_ntp_check")]
    pub ntp_check: bool,
@@ -380,6 +842,8 @@ impl Default for GeneralConfig {
            use_middle_proxy: default_true(),
            ad_tag: None,
            proxy_secret_path: default_proxy_secret_path(),
+            proxy_config_v4_cache_path: default_proxy_config_v4_cache_path(),
+            proxy_config_v6_cache_path: default_proxy_config_v6_cache_path(),
            middle_proxy_nat_ip: None,
            middle_proxy_nat_probe: default_true(),
            middle_proxy_nat_stun: default_middle_proxy_nat_stun(),
@@ -387,10 +851,16 @@ impl Default for GeneralConfig {
            stun_nat_probe_concurrency: default_stun_nat_probe_concurrency(),
            middle_proxy_pool_size: default_pool_size(),
            middle_proxy_warm_standby: default_middle_proxy_warm_standby(),
+            me_init_retry_attempts: default_me_init_retry_attempts(),
+            me2dc_fallback: default_me2dc_fallback(),
            me_keepalive_enabled: default_true(),
            me_keepalive_interval_secs: default_keepalive_interval(),
            me_keepalive_jitter_secs: default_keepalive_jitter(),
            me_keepalive_payload_random: default_true(),
+            rpc_proxy_req_every: default_rpc_proxy_req_every(),
+            me_writer_cmd_channel_capacity: default_me_writer_cmd_channel_capacity(),
+            me_route_channel_capacity: default_me_route_channel_capacity(),
+            me_c2me_channel_capacity: default_me_c2me_channel_capacity(),
            me_warmup_stagger_enabled: default_true(),
            me_warmup_step_delay_ms: default_warmup_step_delay_ms(),
            me_warmup_step_jitter_ms: default_warmup_step_jitter_ms(),
@@ -398,10 +868,48 @@ impl Default for GeneralConfig {
            me_reconnect_backoff_base_ms: default_reconnect_backoff_base_ms(),
            me_reconnect_backoff_cap_ms: default_reconnect_backoff_cap_ms(),
            me_reconnect_fast_retry_count: default_me_reconnect_fast_retry_count(),
+            me_single_endpoint_shadow_writers: default_me_single_endpoint_shadow_writers(),
+            me_single_endpoint_outage_mode_enabled: default_me_single_endpoint_outage_mode_enabled(),
+            me_single_endpoint_outage_disable_quarantine: default_me_single_endpoint_outage_disable_quarantine(),
+            me_single_endpoint_outage_backoff_min_ms: default_me_single_endpoint_outage_backoff_min_ms(),
+            me_single_endpoint_outage_backoff_max_ms: default_me_single_endpoint_outage_backoff_max_ms(),
+            me_single_endpoint_shadow_rotate_every_secs: default_me_single_endpoint_shadow_rotate_every_secs(),
+            me_floor_mode: MeFloorMode::default(),
+            me_adaptive_floor_idle_secs: default_me_adaptive_floor_idle_secs(),
+            me_adaptive_floor_min_writers_single_endpoint: default_me_adaptive_floor_min_writers_single_endpoint(),
+            me_adaptive_floor_min_writers_multi_endpoint: default_me_adaptive_floor_min_writers_multi_endpoint(),
+            me_adaptive_floor_recover_grace_secs: default_me_adaptive_floor_recover_grace_secs(),
+            me_adaptive_floor_writers_per_core_total: default_me_adaptive_floor_writers_per_core_total(),
+            me_adaptive_floor_cpu_cores_override: default_me_adaptive_floor_cpu_cores_override(),
+            me_adaptive_floor_max_extra_writers_single_per_core: default_me_adaptive_floor_max_extra_writers_single_per_core(),
+            me_adaptive_floor_max_extra_writers_multi_per_core: default_me_adaptive_floor_max_extra_writers_multi_per_core(),
+            me_adaptive_floor_max_active_writers_per_core: default_me_adaptive_floor_max_active_writers_per_core(),
+            me_adaptive_floor_max_warm_writers_per_core: default_me_adaptive_floor_max_warm_writers_per_core(),
+            me_adaptive_floor_max_active_writers_global: default_me_adaptive_floor_max_active_writers_global(),
+            me_adaptive_floor_max_warm_writers_global: default_me_adaptive_floor_max_warm_writers_global(),
+            upstream_connect_retry_attempts: default_upstream_connect_retry_attempts(),
+            upstream_connect_retry_backoff_ms: default_upstream_connect_retry_backoff_ms(),
+            upstream_connect_budget_ms: default_upstream_connect_budget_ms(),
+            upstream_unhealthy_fail_threshold: default_upstream_unhealthy_fail_threshold(),
+            upstream_connect_failfast_hard_errors: default_upstream_connect_failfast_hard_errors(),
            stun_iface_mismatch_ignore: false,
            unknown_dc_log_path: default_unknown_dc_log_path(),
+            unknown_dc_file_log_enabled: default_unknown_dc_file_log_enabled(),
            log_level: LogLevel::Normal,
            disable_colors: false,
+            telemetry: TelemetryConfig::default(),
+            me_socks_kdf_policy: MeSocksKdfPolicy::Strict,
+            me_route_backpressure_base_timeout_ms: default_me_route_backpressure_base_timeout_ms(),
+            me_route_backpressure_high_timeout_ms: default_me_route_backpressure_high_timeout_ms(),
+            me_route_backpressure_high_watermark_pct: default_me_route_backpressure_high_watermark_pct(),
+            me_health_interval_ms_unhealthy: default_me_health_interval_ms_unhealthy(),
+            me_health_interval_ms_healthy: default_me_health_interval_ms_healthy(),
+            me_admission_poll_ms: default_me_admission_poll_ms(),
+            me_warn_rate_limit_ms: default_me_warn_rate_limit_ms(),
+            me_route_no_writer_mode: MeRouteNoWriterMode::default(),
+            me_route_no_writer_wait_ms: default_me_route_no_writer_wait_ms(),
+            me_route_inline_recovery_attempts: default_me_route_inline_recovery_attempts(),
+            me_route_inline_recovery_wait_ms: default_me_route_inline_recovery_wait_ms(),
            links: LinksConfig::default(),
            crypto_pending_buffer: default_crypto_pending_buffer(),
            max_client_frame: default_max_client_frame(),
@@ -420,14 +928,26 @@ impl Default for GeneralConfig {
            me_hardswap_warmup_pass_backoff_base_ms: default_me_hardswap_warmup_pass_backoff_base_ms(),
            me_config_stable_snapshots: default_me_config_stable_snapshots(),
            me_config_apply_cooldown_secs: default_me_config_apply_cooldown_secs(),
+            me_snapshot_require_http_2xx: default_me_snapshot_require_http_2xx(),
+            me_snapshot_reject_empty_map: default_me_snapshot_reject_empty_map(),
+            me_snapshot_min_proxy_for_lines: default_me_snapshot_min_proxy_for_lines(),
            proxy_secret_stable_snapshots: default_proxy_secret_stable_snapshots(),
            proxy_secret_rotate_runtime: default_proxy_secret_rotate_runtime(),
+            me_secret_atomic_snapshot: default_me_secret_atomic_snapshot(),
            proxy_secret_len_max: default_proxy_secret_len_max(),
            me_pool_drain_ttl_secs: default_me_pool_drain_ttl_secs(),
+            me_bind_stale_mode: MeBindStaleMode::default(),
+            me_bind_stale_ttl_secs: default_me_bind_stale_ttl_secs(),
            me_pool_min_fresh_ratio: default_me_pool_min_fresh_ratio(),
            me_reinit_drain_timeout_secs: default_me_reinit_drain_timeout_secs(),
            proxy_secret_auto_reload_secs: default_proxy_secret_reload_secs(),
            proxy_config_auto_reload_secs: default_proxy_config_reload_secs(),
+            me_reinit_singleflight: default_me_reinit_singleflight(),
+            me_reinit_trigger_channel: default_me_reinit_trigger_channel(),
+            me_reinit_coalesce_window_ms: default_me_reinit_coalesce_window_ms(),
+            me_deterministic_writer_sort: default_me_deterministic_writer_sort(),
+            me_writer_pick_mode: MeWriterPickMode::default(),
+            me_writer_pick_sample_size: default_me_writer_pick_sample_size(),
            ntp_check: default_ntp_check(),
            ntp_servers: default_ntp_servers(),
            auto_degradation_enabled: default_true(),
@@ -483,6 +1003,78 @@ impl Default for LinksConfig {
    }
 }

+/// API settings for control-plane endpoints.
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
+pub struct ApiConfig {
+    /// Enable or disable REST API.
+    #[serde(default)]
+    pub enabled: bool,
+
+    /// Listen address for API in `IP:PORT` format.
+    #[serde(default = "default_api_listen")]
+    pub listen: String,
+
+    /// CIDR whitelist allowed to access API.
+    #[serde(default = "default_api_whitelist")]
+    pub whitelist: Vec<IpNetwork>,
+
+    /// Optional static value for `Authorization` header validation.
+    /// Empty string disables header auth.
+    #[serde(default)]
+    pub auth_header: String,
+
+    /// Maximum accepted HTTP request body size in bytes.
+    #[serde(default = "default_api_request_body_limit_bytes")]
+    pub request_body_limit_bytes: usize,
+
+    /// Enable runtime snapshots that require read-lock aggregation on API request path.
+    #[serde(default = "default_api_minimal_runtime_enabled")]
+    pub minimal_runtime_enabled: bool,
+
+    /// Cache TTL for minimal runtime snapshots in milliseconds (0 disables caching).
+    #[serde(default = "default_api_minimal_runtime_cache_ttl_ms")]
+    pub minimal_runtime_cache_ttl_ms: u64,
+
+    /// Enables runtime edge endpoints with optional cached aggregation.
+    #[serde(default = "default_api_runtime_edge_enabled")]
+    pub runtime_edge_enabled: bool,
+
+    /// Cache TTL for runtime edge aggregation payloads in milliseconds.
+    #[serde(default = "default_api_runtime_edge_cache_ttl_ms")]
+    pub runtime_edge_cache_ttl_ms: u64,
+
+    /// Top-N limit for edge connection leaderboard payloads.
+    #[serde(default = "default_api_runtime_edge_top_n")]
+    pub runtime_edge_top_n: usize,
+
+    /// Ring-buffer capacity for runtime edge control-plane events.
+    #[serde(default = "default_api_runtime_edge_events_capacity")]
+    pub runtime_edge_events_capacity: usize,
+
+    /// Read-only mode: mutating endpoints are rejected.
+    #[serde(default)]
+    pub read_only: bool,
+}
+
+impl Default for ApiConfig {
+    fn default() -> Self {
+        Self {
+            enabled: false,
+            listen: default_api_listen(),
+            whitelist: default_api_whitelist(),
+            auth_header: String::new(),
+            request_body_limit_bytes: default_api_request_body_limit_bytes(),
+            minimal_runtime_enabled: default_api_minimal_runtime_enabled(),
+            minimal_runtime_cache_ttl_ms: default_api_minimal_runtime_cache_ttl_ms(),
+            runtime_edge_enabled: default_api_runtime_edge_enabled(),
+            runtime_edge_cache_ttl_ms: default_api_runtime_edge_cache_ttl_ms(),
+            runtime_edge_top_n: default_api_runtime_edge_top_n(),
+            runtime_edge_events_capacity: default_api_runtime_edge_events_capacity(),
+            read_only: false,
+        }
+    }
+}
+
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct ServerConfig {
    #[serde(default = "default_port")]
@@ -512,12 +1104,19 @@ pub struct ServerConfig {
    #[serde(default)]
    pub proxy_protocol: bool,

+    /// Timeout in milliseconds for reading and parsing PROXY protocol headers.
+    #[serde(default = "default_proxy_protocol_header_timeout_ms")]
+    pub proxy_protocol_header_timeout_ms: u64,
+
    #[serde(default)]
    pub metrics_port: Option<u16>,

    #[serde(default = "default_metrics_whitelist")]
    pub metrics_whitelist: Vec<IpNetwork>,

+    #[serde(default, alias = "admin_api")]
+    pub api: ApiConfig,
+
    #[serde(default)]
    pub listeners: Vec<ListenerConfig>,
 }
@@ -532,8 +1131,10 @@ impl Default for ServerConfig {
            listen_unix_sock_perm: None,
            listen_tcp: None,
            proxy_protocol: false,
+            proxy_protocol_header_timeout_ms: default_proxy_protocol_header_timeout_ms(),
            metrics_port: None,
            metrics_whitelist: default_metrics_whitelist(),
+            api: ApiConfig::default(),
            listeners: Vec::new(),
        }
    }
@@ -663,6 +1264,10 @@ pub struct AccessConfig {
    #[serde(default = "default_access_users")]
    pub users: HashMap<String, String>,

+    /// Per-user ad_tag (32 hex chars from @MTProxybot).
+    #[serde(default)]
+    pub user_ad_tags: HashMap<String, String>,
+
    #[serde(default)]
    pub user_max_tcp_conns: HashMap<String, usize>,

@@ -675,6 +1280,12 @@ pub struct AccessConfig {
    #[serde(default)]
    pub user_max_unique_ips: HashMap<String, usize>,

+    #[serde(default)]
+    pub user_max_unique_ips_mode: UserMaxUniqueIpsMode,
+
+    #[serde(default = "default_user_max_unique_ips_window_secs")]
+    pub user_max_unique_ips_window_secs: u64,
+
    #[serde(default = "default_replay_check_len")]
    pub replay_check_len: usize,

@@ -689,10 +1300,13 @@ impl Default for AccessConfig {
    fn default() -> Self {
        Self {
            users: default_access_users(),
+            user_ad_tags: HashMap::new(),
            user_max_tcp_conns: HashMap::new(),
            user_expirations: HashMap::new(),
            user_data_quota: HashMap::new(),
            user_max_unique_ips: HashMap::new(),
+            user_max_unique_ips_mode: UserMaxUniqueIpsMode::default(),
+            user_max_unique_ips_window_secs: default_user_max_unique_ips_window_secs(),
            replay_check_len: default_replay_check_len(),
            replay_window_secs: default_replay_window_secs(),
            ignore_time_skew: false,
--- a/src/crypto/random.rs
+++ b/src/crypto/random.rs
@@ -21,6 +21,7 @@ struct SecureRandomInner {
    rng: StdRng,
    cipher: AesCtr,
    buffer: Vec<u8>,
+    buffer_start: usize,
 }

 impl Drop for SecureRandomInner {
@@ -48,6 +49,7 @@ impl SecureRandom {
                rng,
                cipher,
                buffer: Vec::with_capacity(1024),
+                buffer_start: 0,
            }),
        }
    }
@@ -59,16 +61,29 @@ impl SecureRandom {

        let mut written = 0usize;
        while written < out.len() {
+            if inner.buffer_start >= inner.buffer.len() {
+                inner.buffer.clear();
+                inner.buffer_start = 0;
+            }
+
            if inner.buffer.is_empty() {
                let mut chunk = vec![0u8; CHUNK_SIZE];
                inner.rng.fill_bytes(&mut chunk);
                inner.cipher.apply(&mut chunk);
                inner.buffer.extend_from_slice(&chunk);
+                inner.buffer_start = 0;
            }

-            let take = (out.len() - written).min(inner.buffer.len());
-            out[written..written + take].copy_from_slice(&inner.buffer[..take]);
-            inner.buffer.drain(..take);
+            let available = inner.buffer.len().saturating_sub(inner.buffer_start);
+            let take = (out.len() - written).min(available);
+            let start = inner.buffer_start;
+            let end = start + take;
+            out[written..written + take].copy_from_slice(&inner.buffer[start..end]);
+            inner.buffer_start = end;
+            if inner.buffer_start >= inner.buffer.len() {
+                inner.buffer.clear();
+                inner.buffer_start = 0;
+            }
            written += take;
        }
    }
--- a/src/ip_tracker.rs
+++ b/src/ip_tracker.rs
@@ -1,252 +1,330 @@
-// src/ip_tracker.rs
-// IP address tracking and limiting for users
+// IP address tracking and per-user unique IP limiting.

 #![allow(dead_code)]

-use std::collections::{HashMap, HashSet};
+use std::collections::HashMap;
 use std::net::IpAddr;
 use std::sync::Arc;
+use std::sync::atomic::{AtomicU64, Ordering};
+use std::time::{Duration, Instant};
+
 use tokio::sync::RwLock;

-/// Трекер уникальных IP-адресов для каждого пользователя MTProxy
-/// 
-/// Предоставляет thread-safe механизм для:
-/// - Отслеживания активных IP-адресов каждого пользователя
-/// - Ограничения количества уникальных IP на пользователя
-/// - Автоматической очистки при отключении клиентов
+use crate::config::UserMaxUniqueIpsMode;
+
 #[derive(Debug, Clone)]
 pub struct UserIpTracker {
-    /// Маппинг: Имя пользователя -> Множество активных IP-адресов
-    active_ips: Arc<RwLock<HashMap<String, HashSet<IpAddr>>>>,
-    
-    /// Маппинг: Имя пользователя -> Максимально разрешенное количество уникальных IP
+    active_ips: Arc<RwLock<HashMap<String, HashMap<IpAddr, usize>>>>,
+    recent_ips: Arc<RwLock<HashMap<String, HashMap<IpAddr, Instant>>>>,
    max_ips: Arc<RwLock<HashMap<String, usize>>>,
+    limit_mode: Arc<RwLock<UserMaxUniqueIpsMode>>,
+    limit_window: Arc<RwLock<Duration>>,
+    last_compact_epoch_secs: Arc<AtomicU64>,
 }

 impl UserIpTracker {
-    /// Создать новый пустой трекер
    pub fn new() -> Self {
        Self {
            active_ips: Arc::new(RwLock::new(HashMap::new())),
+            recent_ips: Arc::new(RwLock::new(HashMap::new())),
            max_ips: Arc::new(RwLock::new(HashMap::new())),
+            limit_mode: Arc::new(RwLock::new(UserMaxUniqueIpsMode::ActiveWindow)),
+            limit_window: Arc::new(RwLock::new(Duration::from_secs(30))),
+            last_compact_epoch_secs: Arc::new(AtomicU64::new(0)),
        }
    }

-    /// Установить лимит уникальных IP для конкретного пользователя
-    /// 
-    /// # Arguments
-    /// * `username` - Имя пользователя
-    /// * `max_ips` - Максимальное количество одновременно активных IP-адресов
+    fn now_epoch_secs() -> u64 {
+        std::time::SystemTime::now()
+            .duration_since(std::time::UNIX_EPOCH)
+            .unwrap_or_default()
+            .as_secs()
+    }
+
+    async fn maybe_compact_empty_users(&self) {
+        const COMPACT_INTERVAL_SECS: u64 = 60;
+        let now_epoch_secs = Self::now_epoch_secs();
+        let last_compact_epoch_secs = self.last_compact_epoch_secs.load(Ordering::Relaxed);
+        if now_epoch_secs.saturating_sub(last_compact_epoch_secs) < COMPACT_INTERVAL_SECS {
+            return;
+        }
+        if self
+            .last_compact_epoch_secs
+            .compare_exchange(
+                last_compact_epoch_secs,
+                now_epoch_secs,
+                Ordering::AcqRel,
+                Ordering::Relaxed,
+            )
+            .is_err()
+        {
+            return;
+        }
+
+        let mut active_ips = self.active_ips.write().await;
+        let mut recent_ips = self.recent_ips.write().await;
+        let mut users = Vec::<String>::with_capacity(active_ips.len().saturating_add(recent_ips.len()));
+        users.extend(active_ips.keys().cloned());
+        for user in recent_ips.keys() {
+            if !active_ips.contains_key(user) {
+                users.push(user.clone());
+            }
+        }
+
+        for user in users {
+            let active_empty = active_ips.get(&user).map(|ips| ips.is_empty()).unwrap_or(true);
+            let recent_empty = recent_ips.get(&user).map(|ips| ips.is_empty()).unwrap_or(true);
+            if active_empty && recent_empty {
+                active_ips.remove(&user);
+                recent_ips.remove(&user);
+            }
+        }
+    }
+
+    pub async fn set_limit_policy(&self, mode: UserMaxUniqueIpsMode, window_secs: u64) {
+        {
+            let mut current_mode = self.limit_mode.write().await;
+            *current_mode = mode;
+        }
+        let mut current_window = self.limit_window.write().await;
+        *current_window = Duration::from_secs(window_secs.max(1));
+    }
+
    pub async fn set_user_limit(&self, username: &str, max_ips: usize) {
        let mut limits = self.max_ips.write().await;
        limits.insert(username.to_string(), max_ips);
    }

-    /// Загрузить лимиты из конфигурации
-    /// 
-    /// # Arguments
-    /// * `limits` - HashMap с лимитами из config.toml
-    pub async fn load_limits(&self, limits: &HashMap<String, usize>) {
-        let mut max_ips = self.max_ips.write().await;
-        for (user, limit) in limits {
-            max_ips.insert(user.clone(), *limit);
-        }
+    pub async fn remove_user_limit(&self, username: &str) {
+        let mut limits = self.max_ips.write().await;
+        limits.remove(username);
+    }
+
+    pub async fn load_limits(&self, limits: &HashMap<String, usize>) {
+        let mut max_ips = self.max_ips.write().await;
+        max_ips.clone_from(limits);
+    }
+
+    fn prune_recent(user_recent: &mut HashMap<IpAddr, Instant>, now: Instant, window: Duration) {
+        if user_recent.is_empty() {
+            return;
+        }
+        user_recent.retain(|_, seen_at| now.duration_since(*seen_at) <= window);
    }

-    /// Проверить, может ли пользователь подключиться с данного IP-адреса
-    /// и добавить IP в список активных, если проверка успешна
-    /// 
-    /// # Arguments
-    /// * `username` - Имя пользователя
-    /// * `ip` - IP-адрес клиента
-    /// 
-    /// # Returns
-    /// * `Ok(())` - Подключение разрешено, IP добавлен в активные
-    /// * `Err(String)` - Подключение отклонено с описанием причины
    pub async fn check_and_add(&self, username: &str, ip: IpAddr) -> Result<(), String> {
-        // Получаем лимит для пользователя
-        let max_ips = self.max_ips.read().await;
-        let limit = match max_ips.get(username) {
-            Some(limit) => *limit,
-            None => {
-                // Если лимит не задан - разрешаем безлимитный доступ
-                drop(max_ips);
-                let mut active_ips = self.active_ips.write().await;
-                let user_ips = active_ips
-                    .entry(username.to_string())
-                    .or_insert_with(HashSet::new);
-                user_ips.insert(ip);
-                return Ok(());
-            }
+        self.maybe_compact_empty_users().await;
+        let limit = {
+            let max_ips = self.max_ips.read().await;
+            max_ips.get(username).copied()
        };
-        drop(max_ips);
+        let mode = *self.limit_mode.read().await;
+        let window = *self.limit_window.read().await;
+        let now = Instant::now();

-        // Проверяем и обновляем активные IP
        let mut active_ips = self.active_ips.write().await;
-        let user_ips = active_ips
+        let user_active = active_ips
            .entry(username.to_string())
-            .or_insert_with(HashSet::new);
+            .or_insert_with(HashMap::new);

-        // Если IP уже есть в списке - это повторное подключение, разрешаем
-        if user_ips.contains(&ip) {
+        let mut recent_ips = self.recent_ips.write().await;
+        let user_recent = recent_ips
+            .entry(username.to_string())
+            .or_insert_with(HashMap::new);
+        Self::prune_recent(user_recent, now, window);
+
+        if let Some(count) = user_active.get_mut(&ip) {
+            *count = count.saturating_add(1);
+            user_recent.insert(ip, now);
            return Ok(());
        }

-        // Проверяем, не превышен ли лимит
-        if user_ips.len() >= limit {
-            return Err(format!(
-                "IP limit reached for user '{}': {}/{} unique IPs already connected",
-                username,
-                user_ips.len(),
-                limit
-            ));
+        if let Some(limit) = limit {
+            let active_limit_reached = user_active.len() >= limit;
+            let recent_limit_reached = user_recent.len() >= limit;
+            let deny = match mode {
+                UserMaxUniqueIpsMode::ActiveWindow => active_limit_reached,
+                UserMaxUniqueIpsMode::TimeWindow => recent_limit_reached,
+                UserMaxUniqueIpsMode::Combined => active_limit_reached || recent_limit_reached,
+            };
+
+            if deny {
+                return Err(format!(
+                    "IP limit reached for user '{}': active={}/{} recent={}/{} mode={:?}",
+                    username,
+                    user_active.len(),
+                    limit,
+                    user_recent.len(),
+                    limit,
+                    mode
+                ));
+            }
        }

-        // Лимит не превышен - добавляем новый IP
-        user_ips.insert(ip);
+        user_active.insert(ip, 1);
+        user_recent.insert(ip, now);
        Ok(())
    }

-    /// Удалить IP-адрес из списка активных при отключении клиента
-    /// 
-    /// # Arguments
-    /// * `username` - Имя пользователя
-    /// * `ip` - IP-адрес отключившегося клиента
    pub async fn remove_ip(&self, username: &str, ip: IpAddr) {
+        self.maybe_compact_empty_users().await;
        let mut active_ips = self.active_ips.write().await;
-        
        if let Some(user_ips) = active_ips.get_mut(username) {
-            user_ips.remove(&ip);
-            
-            // Если у пользователя не осталось активных IP - удаляем запись
-            // для экономии памяти
+            if let Some(count) = user_ips.get_mut(&ip) {
+                if *count > 1 {
+                    *count -= 1;
+                } else {
+                    user_ips.remove(&ip);
+                }
+            }
            if user_ips.is_empty() {
                active_ips.remove(username);
            }
        }
    }

-    /// Получить текущее количество активных IP-адресов для пользователя
-    /// 
-    /// # Arguments
-    /// * `username` - Имя пользователя
-    /// 
-    /// # Returns
-    /// Количество уникальных активных IP-адресов
-    pub async fn get_active_ip_count(&self, username: &str) -> usize {
-        let active_ips = self.active_ips.read().await;
-        active_ips
-            .get(username)
-            .map(|ips| ips.len())
-            .unwrap_or(0)
+    pub async fn get_recent_counts_for_users(&self, users: &[String]) -> HashMap<String, usize> {
+        let window = *self.limit_window.read().await;
+        let now = Instant::now();
+        let recent_ips = self.recent_ips.read().await;
+
+        let mut counts = HashMap::with_capacity(users.len());
+        for user in users {
+            let count = if let Some(user_recent) = recent_ips.get(user) {
+                user_recent
+                    .values()
+                    .filter(|seen_at| now.duration_since(**seen_at) <= window)
+                    .count()
+            } else {
+                0
+            };
+            counts.insert(user.clone(), count);
+        }
+        counts
+    }
+
+    pub async fn get_active_ips_for_users(&self, users: &[String]) -> HashMap<String, Vec<IpAddr>> {
+        let active_ips = self.active_ips.read().await;
+        let mut out = HashMap::with_capacity(users.len());
+        for user in users {
+            let mut ips = active_ips
+                .get(user)
+                .map(|per_ip| per_ip.keys().copied().collect::<Vec<_>>())
+                .unwrap_or_else(Vec::new);
+            ips.sort();
+            out.insert(user.clone(), ips);
+        }
+        out
+    }
+
+    pub async fn get_recent_ips_for_users(&self, users: &[String]) -> HashMap<String, Vec<IpAddr>> {
+        let window = *self.limit_window.read().await;
+        let now = Instant::now();
+        let recent_ips = self.recent_ips.read().await;
+
+        let mut out = HashMap::with_capacity(users.len());
+        for user in users {
+            let mut ips = if let Some(user_recent) = recent_ips.get(user) {
+                user_recent
+                    .iter()
+                    .filter(|(_, seen_at)| now.duration_since(**seen_at) <= window)
+                    .map(|(ip, _)| *ip)
+                    .collect::<Vec<_>>()
+            } else {
+                Vec::new()
+            };
+            ips.sort();
+            out.insert(user.clone(), ips);
+        }
+        out
+    }
+
+    pub async fn get_active_ip_count(&self, username: &str) -> usize {
+        let active_ips = self.active_ips.read().await;
+        active_ips.get(username).map(|ips| ips.len()).unwrap_or(0)
    }

-    /// Получить список всех активных IP-адресов для пользователя
-    /// 
-    /// # Arguments
-    /// * `username` - Имя пользователя
-    /// 
-    /// # Returns
-    /// Вектор с активными IP-адресами
    pub async fn get_active_ips(&self, username: &str) -> Vec<IpAddr> {
        let active_ips = self.active_ips.read().await;
        active_ips
            .get(username)
-            .map(|ips| ips.iter().copied().collect())
+            .map(|ips| ips.keys().copied().collect())
            .unwrap_or_else(Vec::new)
    }

-    /// Получить статистику по всем пользователям
-    /// 
-    /// # Returns
-    /// Вектор кортежей: (имя_пользователя, количество_активных_IP, лимит)
    pub async fn get_stats(&self) -> Vec<(String, usize, usize)> {
        let active_ips = self.active_ips.read().await;
        let max_ips = self.max_ips.read().await;

        let mut stats = Vec::new();
-        
-        // Собираем статистику по пользователям с активными подключениями
        for (username, user_ips) in active_ips.iter() {
            let limit = max_ips.get(username).copied().unwrap_or(0);
            stats.push((username.clone(), user_ips.len(), limit));
        }
-        
-        stats.sort_by(|a, b| a.0.cmp(&b.0)); // Сортируем по имени пользователя
+
+        stats.sort_by(|a, b| a.0.cmp(&b.0));
        stats
    }

-    /// Очистить все активные IP для пользователя (при необходимости)
-    /// 
-    /// # Arguments
-    /// * `username` - Имя пользователя
    pub async fn clear_user_ips(&self, username: &str) {
        let mut active_ips = self.active_ips.write().await;
        active_ips.remove(username);
+        drop(active_ips);
+
+        let mut recent_ips = self.recent_ips.write().await;
+        recent_ips.remove(username);
    }

-    /// Очистить всю статистику (использовать с осторожностью!)
    pub async fn clear_all(&self) {
        let mut active_ips = self.active_ips.write().await;
        active_ips.clear();
+        drop(active_ips);
+
+        let mut recent_ips = self.recent_ips.write().await;
+        recent_ips.clear();
    }

-    /// Проверить, подключен ли пользователь с данного IP
-    /// 
-    /// # Arguments
-    /// * `username` - Имя пользователя
-    /// * `ip` - IP-адрес для проверки
-    /// 
-    /// # Returns
-    /// `true` если IP активен, `false` если нет
    pub async fn is_ip_active(&self, username: &str, ip: IpAddr) -> bool {
        let active_ips = self.active_ips.read().await;
        active_ips
            .get(username)
-            .map(|ips| ips.contains(&ip))
+            .map(|ips| ips.contains_key(&ip))
            .unwrap_or(false)
    }

-    /// Получить лимит для пользователя
-    /// 
-    /// # Arguments
-    /// * `username` - Имя пользователя
-    /// 
-    /// # Returns
-    /// Лимит IP-адресов или None, если лимит не установлен
    pub async fn get_user_limit(&self, username: &str) -> Option<usize> {
        let max_ips = self.max_ips.read().await;
        max_ips.get(username).copied()
    }

-    /// Форматировать статистику в читаемый текст
-    /// 
-    /// # Returns
-    /// Строка со статистикой для логов или мониторинга
    pub async fn format_stats(&self) -> String {
        let stats = self.get_stats().await;
-        
+
        if stats.is_empty() {
            return String::from("No active users");
        }
-        
+
        let mut output = String::from("User IP Statistics:\n");
        output.push_str("==================\n");
-        
+
        for (username, active_count, limit) in stats {
            output.push_str(&format!(
                "User: {:<20} Active IPs: {}/{}\n",
                username,
                active_count,
-                if limit > 0 { limit.to_string() } else { "unlimited".to_string() }
+                if limit > 0 {
+                    limit.to_string()
+                } else {
+                    "unlimited".to_string()
+                }
            ));
-            
+
            let ips = self.get_active_ips(&username).await;
            for ip in ips {
-                output.push_str(&format!("  └─ {}\n", ip));
+                output.push_str(&format!("  - {}\n", ip));
            }
        }
-        
+
        output
    }
 }
@@ -257,10 +335,6 @@ impl Default for UserIpTracker {
    }
 }

-// ============================================================================
-// ТЕСТЫ
-// ============================================================================
-
 #[cfg(test)]
 mod tests {
    use super::*;
@@ -283,17 +357,33 @@ mod tests {
        let ip2 = test_ipv4(192, 168, 1, 2);
        let ip3 = test_ipv4(192, 168, 1, 3);

-        // Первые два IP должны быть приняты
        assert!(tracker.check_and_add("test_user", ip1).await.is_ok());
        assert!(tracker.check_and_add("test_user", ip2).await.is_ok());
-
-        // Третий IP должен быть отклонен
        assert!(tracker.check_and_add("test_user", ip3).await.is_err());

-        // Проверяем счетчик
        assert_eq!(tracker.get_active_ip_count("test_user").await, 2);
    }

+    #[tokio::test]
+    async fn test_active_window_rejects_new_ip_and_keeps_existing_session() {
+        let tracker = UserIpTracker::new();
+        tracker.set_user_limit("test_user", 1).await;
+        tracker
+            .set_limit_policy(UserMaxUniqueIpsMode::ActiveWindow, 30)
+            .await;
+
+        let ip1 = test_ipv4(10, 10, 10, 1);
+        let ip2 = test_ipv4(10, 10, 10, 2);
+
+        assert!(tracker.check_and_add("test_user", ip1).await.is_ok());
+        assert!(tracker.is_ip_active("test_user", ip1).await);
+        assert!(tracker.check_and_add("test_user", ip2).await.is_err());
+
+        // Existing session remains active; only new unique IP is denied.
+        assert!(tracker.is_ip_active("test_user", ip1).await);
+        assert_eq!(tracker.get_active_ip_count("test_user").await, 1);
+    }
+
    #[tokio::test]
    async fn test_reconnection_from_same_ip() {
        let tracker = UserIpTracker::new();
@@ -301,16 +391,29 @@ mod tests {

        let ip1 = test_ipv4(192, 168, 1, 1);

-        // Первое подключение
        assert!(tracker.check_and_add("test_user", ip1).await.is_ok());
-        
-        // Повторное подключение с того же IP должно пройти
        assert!(tracker.check_and_add("test_user", ip1).await.is_ok());
-        
-        // Счетчик не должен увеличиться
        assert_eq!(tracker.get_active_ip_count("test_user").await, 1);
    }

+    #[tokio::test]
+    async fn test_same_ip_disconnect_keeps_active_while_other_session_alive() {
+        let tracker = UserIpTracker::new();
+        tracker.set_user_limit("test_user", 2).await;
+
+        let ip1 = test_ipv4(192, 168, 1, 1);
+
+        assert!(tracker.check_and_add("test_user", ip1).await.is_ok());
+        assert!(tracker.check_and_add("test_user", ip1).await.is_ok());
+        assert_eq!(tracker.get_active_ip_count("test_user").await, 1);
+
+        tracker.remove_ip("test_user", ip1).await;
+        assert_eq!(tracker.get_active_ip_count("test_user").await, 1);
+
+        tracker.remove_ip("test_user", ip1).await;
+        assert_eq!(tracker.get_active_ip_count("test_user").await, 0);
+    }
+
    #[tokio::test]
    async fn test_ip_removal() {
        let tracker = UserIpTracker::new();
@@ -320,36 +423,28 @@ mod tests {
        let ip2 = test_ipv4(192, 168, 1, 2);
        let ip3 = test_ipv4(192, 168, 1, 3);

-        // Добавляем два IP
        assert!(tracker.check_and_add("test_user", ip1).await.is_ok());
        assert!(tracker.check_and_add("test_user", ip2).await.is_ok());
-        
-        // Третий не должен пройти
        assert!(tracker.check_and_add("test_user", ip3).await.is_err());

-        // Удаляем первый IP
        tracker.remove_ip("test_user", ip1).await;
-        
-        // Теперь третий должен пройти
+
        assert!(tracker.check_and_add("test_user", ip3).await.is_ok());
-        
        assert_eq!(tracker.get_active_ip_count("test_user").await, 2);
    }

    #[tokio::test]
    async fn test_no_limit() {
        let tracker = UserIpTracker::new();
-        // Не устанавливаем лимит для test_user

        let ip1 = test_ipv4(192, 168, 1, 1);
        let ip2 = test_ipv4(192, 168, 1, 2);
        let ip3 = test_ipv4(192, 168, 1, 3);

-        // Без лимита все IP должны проходить
        assert!(tracker.check_and_add("test_user", ip1).await.is_ok());
        assert!(tracker.check_and_add("test_user", ip2).await.is_ok());
        assert!(tracker.check_and_add("test_user", ip3).await.is_ok());
-        
+
        assert_eq!(tracker.get_active_ip_count("test_user").await, 3);
    }

@@ -362,11 +457,9 @@ mod tests {
        let ip1 = test_ipv4(192, 168, 1, 1);
        let ip2 = test_ipv4(192, 168, 1, 2);

-        // user1 может использовать 2 IP
        assert!(tracker.check_and_add("user1", ip1).await.is_ok());
        assert!(tracker.check_and_add("user1", ip2).await.is_ok());

-        // user2 может использовать только 1 IP
        assert!(tracker.check_and_add("user2", ip1).await.is_ok());
        assert!(tracker.check_and_add("user2", ip2).await.is_err());
    }
@@ -379,10 +472,9 @@ mod tests {
        let ipv4 = test_ipv4(192, 168, 1, 1);
        let ipv6 = test_ipv6();

-        // Должны работать оба типа адресов
        assert!(tracker.check_and_add("test_user", ipv4).await.is_ok());
        assert!(tracker.check_and_add("test_user", ipv6).await.is_ok());
-        
+
        assert_eq!(tracker.get_active_ip_count("test_user").await, 2);
    }

@@ -417,8 +509,7 @@ mod tests {

        let stats = tracker.get_stats().await;
        assert_eq!(stats.len(), 2);
-        
-        // Проверяем наличие обоих пользователей в статистике
+
        assert!(stats.iter().any(|(name, _, _)| name == "user1"));
        assert!(stats.iter().any(|(name, _, _)| name == "user2"));
    }
@@ -427,10 +518,10 @@ mod tests {
    async fn test_clear_user_ips() {
        let tracker = UserIpTracker::new();
        let ip1 = test_ipv4(192, 168, 1, 1);
-        
+
        tracker.check_and_add("test_user", ip1).await.unwrap();
        assert_eq!(tracker.get_active_ip_count("test_user").await, 1);
-        
+
        tracker.clear_user_ips("test_user").await;
        assert_eq!(tracker.get_active_ip_count("test_user").await, 0);
    }
@@ -440,9 +531,9 @@ mod tests {
        let tracker = UserIpTracker::new();
        let ip1 = test_ipv4(192, 168, 1, 1);
        let ip2 = test_ipv4(192, 168, 1, 2);
-        
+
        tracker.check_and_add("test_user", ip1).await.unwrap();
-        
+
        assert!(tracker.is_ip_active("test_user", ip1).await);
        assert!(!tracker.is_ip_active("test_user", ip2).await);
    }
@@ -450,15 +541,85 @@ mod tests {
    #[tokio::test]
    async fn test_load_limits_from_config() {
        let tracker = UserIpTracker::new();
-        
+
        let mut config_limits = HashMap::new();
        config_limits.insert("user1".to_string(), 5);
        config_limits.insert("user2".to_string(), 3);
-        
+
        tracker.load_limits(&config_limits).await;
-        
+
        assert_eq!(tracker.get_user_limit("user1").await, Some(5));
        assert_eq!(tracker.get_user_limit("user2").await, Some(3));
        assert_eq!(tracker.get_user_limit("user3").await, None);
    }
+
+    #[tokio::test]
+    async fn test_load_limits_replaces_previous_map() {
+        let tracker = UserIpTracker::new();
+
+        let mut first = HashMap::new();
+        first.insert("user1".to_string(), 2);
+        first.insert("user2".to_string(), 3);
+        tracker.load_limits(&first).await;
+
+        let mut second = HashMap::new();
+        second.insert("user2".to_string(), 5);
+        tracker.load_limits(&second).await;
+
+        assert_eq!(tracker.get_user_limit("user1").await, None);
+        assert_eq!(tracker.get_user_limit("user2").await, Some(5));
+    }
+
+    #[tokio::test]
+    async fn test_time_window_mode_blocks_recent_ip_churn() {
+        let tracker = UserIpTracker::new();
+        tracker.set_user_limit("test_user", 1).await;
+        tracker
+            .set_limit_policy(UserMaxUniqueIpsMode::TimeWindow, 30)
+            .await;
+
+        let ip1 = test_ipv4(10, 0, 0, 1);
+        let ip2 = test_ipv4(10, 0, 0, 2);
+
+        assert!(tracker.check_and_add("test_user", ip1).await.is_ok());
+        tracker.remove_ip("test_user", ip1).await;
+        assert!(tracker.check_and_add("test_user", ip2).await.is_err());
+    }
+
+    #[tokio::test]
+    async fn test_combined_mode_enforces_active_and_recent_limits() {
+        let tracker = UserIpTracker::new();
+        tracker.set_user_limit("test_user", 1).await;
+        tracker
+            .set_limit_policy(UserMaxUniqueIpsMode::Combined, 30)
+            .await;
+
+        let ip1 = test_ipv4(10, 0, 1, 1);
+        let ip2 = test_ipv4(10, 0, 1, 2);
+
+        assert!(tracker.check_and_add("test_user", ip1).await.is_ok());
+        assert!(tracker.check_and_add("test_user", ip2).await.is_err());
+
+        tracker.remove_ip("test_user", ip1).await;
+        assert!(tracker.check_and_add("test_user", ip2).await.is_err());
+    }
+
+    #[tokio::test]
+    async fn test_time_window_expires() {
+        let tracker = UserIpTracker::new();
+        tracker.set_user_limit("test_user", 1).await;
+        tracker
+            .set_limit_policy(UserMaxUniqueIpsMode::TimeWindow, 1)
+            .await;
+
+        let ip1 = test_ipv4(10, 1, 0, 1);
+        let ip2 = test_ipv4(10, 1, 0, 2);
+
+        assert!(tracker.check_and_add("test_user", ip1).await.is_ok());
+        tracker.remove_ip("test_user", ip1).await;
+        assert!(tracker.check_and_add("test_user", ip2).await.is_err());
+
+        tokio::time::sleep(Duration::from_millis(1100)).await;
+        assert!(tracker.check_and_add("test_user", ip2).await.is_ok());
+    }
 }
--- a/src/main.rs
+++ b/src/main.rs
--- a/src/metrics.rs
+++ b/src/metrics.rs
--- a/src/network/dns_overrides.rs
+++ b/src/network/dns_overrides.rs
@@ -0,0 +1,197 @@
+//! Runtime DNS overrides for `host:port` targets.
+
+use std::collections::HashMap;
+use std::net::{IpAddr, Ipv6Addr, SocketAddr};
+use std::sync::{OnceLock, RwLock};
+
+use crate::error::{ProxyError, Result};
+
+type OverrideMap = HashMap<(String, u16), IpAddr>;
+
+static DNS_OVERRIDES: OnceLock<RwLock<OverrideMap>> = OnceLock::new();
+
+fn overrides_store() -> &'static RwLock<OverrideMap> {
+    DNS_OVERRIDES.get_or_init(|| RwLock::new(HashMap::new()))
+}
+
+fn parse_ip_spec(ip_spec: &str) -> Result<IpAddr> {
+    if ip_spec.starts_with('[') && ip_spec.ends_with(']') {
+        let inner = &ip_spec[1..ip_spec.len() - 1];
+        let ipv6 = inner.parse::<Ipv6Addr>().map_err(|_| {
+            ProxyError::Config(format!(
+                "network.dns_overrides IPv6 override is invalid: '{ip_spec}'"
+            ))
+        })?;
+        return Ok(IpAddr::V6(ipv6));
+    }
+
+    let ip = ip_spec.parse::<IpAddr>().map_err(|_| {
+        ProxyError::Config(format!(
+            "network.dns_overrides IP is invalid: '{ip_spec}'"
+        ))
+    })?;
+    if matches!(ip, IpAddr::V6(_)) {
+        return Err(ProxyError::Config(format!(
+            "network.dns_overrides IPv6 must be bracketed: '{ip_spec}'"
+        )));
+    }
+    Ok(ip)
+}
+
+fn parse_entry(entry: &str) -> Result<((String, u16), IpAddr)> {
+    let trimmed = entry.trim();
+    if trimmed.is_empty() {
+        return Err(ProxyError::Config(
+            "network.dns_overrides entry cannot be empty".to_string(),
+        ));
+    }
+
+    let first_sep = trimmed.find(':').ok_or_else(|| {
+        ProxyError::Config(format!(
+            "network.dns_overrides entry must use host:port:ip format: '{trimmed}'"
+        ))
+    })?;
+    let second_sep = trimmed[first_sep + 1..]
+        .find(':')
+        .map(|idx| first_sep + 1 + idx)
+        .ok_or_else(|| {
+            ProxyError::Config(format!(
+                "network.dns_overrides entry must use host:port:ip format: '{trimmed}'"
+            ))
+        })?;
+
+    let host = trimmed[..first_sep].trim();
+    let port_str = trimmed[first_sep + 1..second_sep].trim();
+    let ip_str = trimmed[second_sep + 1..].trim();
+
+    if host.is_empty() {
+        return Err(ProxyError::Config(format!(
+            "network.dns_overrides host cannot be empty: '{trimmed}'"
+        )));
+    }
+    if host.contains(':') {
+        return Err(ProxyError::Config(format!(
+            "network.dns_overrides host must be a domain name without ':' in this format: '{trimmed}'"
+        )));
+    }
+
+    let port = port_str.parse::<u16>().map_err(|_| {
+        ProxyError::Config(format!(
+            "network.dns_overrides port is invalid: '{trimmed}'"
+        ))
+    })?;
+    let ip = parse_ip_spec(ip_str)?;
+
+    Ok(((host.to_ascii_lowercase(), port), ip))
+}
+
+fn parse_entries(entries: &[String]) -> Result<OverrideMap> {
+    let mut parsed = HashMap::new();
+    for entry in entries {
+        let (key, ip) = parse_entry(entry)?;
+        parsed.insert(key, ip);
+    }
+    Ok(parsed)
+}
+
+/// Validate `network.dns_overrides` entries without updating runtime state.
+pub fn validate_entries(entries: &[String]) -> Result<()> {
+    let _ = parse_entries(entries)?;
+    Ok(())
+}
+
+/// Replace runtime DNS overrides with a new validated snapshot.
+pub fn install_entries(entries: &[String]) -> Result<()> {
+    let parsed = parse_entries(entries)?;
+    let mut guard = overrides_store()
+        .write()
+        .map_err(|_| ProxyError::Config("network.dns_overrides runtime lock is poisoned".to_string()))?;
+    *guard = parsed;
+    Ok(())
+}
+
+/// Resolve a hostname override for `(host, port)` if present.
+pub fn resolve(host: &str, port: u16) -> Option<IpAddr> {
+    let key = (host.to_ascii_lowercase(), port);
+    overrides_store()
+        .read()
+        .ok()
+        .and_then(|guard| guard.get(&key).copied())
+}
+
+/// Resolve a hostname override and construct a socket address when present.
+pub fn resolve_socket_addr(host: &str, port: u16) -> Option<SocketAddr> {
+    resolve(host, port).map(|ip| SocketAddr::new(ip, port))
+}
+
+/// Parse a runtime endpoint in `host:port` format.
+///
+/// Supports:
+/// - `example.com:443`
+/// - `[2001:db8::1]:443`
+pub fn split_host_port(endpoint: &str) -> Option<(String, u16)> {
+    if endpoint.starts_with('[') {
+        let bracket_end = endpoint.find(']')?;
+        if endpoint.as_bytes().get(bracket_end + 1) != Some(&b':') {
+            return None;
+        }
+        let host = endpoint[1..bracket_end].trim();
+        let port = endpoint[bracket_end + 2..].trim().parse::<u16>().ok()?;
+        if host.is_empty() {
+            return None;
+        }
+        return Some((host.to_ascii_lowercase(), port));
+    }
+
+    let split_idx = endpoint.rfind(':')?;
+    let host = endpoint[..split_idx].trim();
+    let port = endpoint[split_idx + 1..].trim().parse::<u16>().ok()?;
+    if host.is_empty() || host.contains(':') {
+        return None;
+    }
+
+    Some((host.to_ascii_lowercase(), port))
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn validate_accepts_ipv4_and_bracketed_ipv6() {
+        let entries = vec![
+            "example.com:443:127.0.0.1".to_string(),
+            "example.net:8443:[2001:db8::10]".to_string(),
+        ];
+        assert!(validate_entries(&entries).is_ok());
+    }
+
+    #[test]
+    fn validate_rejects_unbracketed_ipv6() {
+        let entries = vec!["example.net:443:2001:db8::10".to_string()];
+        let err = validate_entries(&entries).unwrap_err().to_string();
+        assert!(err.contains("must be bracketed"));
+    }
+
+    #[test]
+    fn install_and_resolve_are_case_insensitive_for_host() {
+        let entries = vec!["MyPetrovich.ru:8443:127.0.0.1".to_string()];
+        install_entries(&entries).unwrap();
+
+        let resolved = resolve("mypetrovich.ru", 8443);
+        assert_eq!(resolved, Some("127.0.0.1".parse().unwrap()));
+    }
+
+    #[test]
+    fn split_host_port_parses_supported_shapes() {
+        assert_eq!(
+            split_host_port("example.com:443"),
+            Some(("example.com".to_string(), 443))
+        );
+        assert_eq!(
+            split_host_port("[2001:db8::1]:443"),
+            Some(("2001:db8::1".to_string(), 443))
+        );
+        assert_eq!(split_host_port("2001:db8::1:443"), None);
+    }
+}
--- a/src/network/mod.rs
+++ b/src/network/mod.rs
@@ -1,3 +1,4 @@
+pub mod dns_overrides;
 pub mod probe;
 pub mod stun;

--- a/src/network/probe.rs
+++ b/src/network/probe.rs
@@ -68,7 +68,7 @@ pub async fn run_probe(
    probe.ipv4_is_bogon = probe.detected_ipv4.map(is_bogon_v4).unwrap_or(false);
    probe.ipv6_is_bogon = probe.detected_ipv6.map(is_bogon_v6).unwrap_or(false);

-    let stun_res = if nat_probe {
+    let stun_res = if nat_probe && config.stun_use {
        let servers = collect_stun_servers(config);
        if servers.is_empty() {
            warn!("STUN probe is enabled but network.stun_servers is empty");
@@ -80,6 +80,9 @@ pub async fn run_probe(
            )
            .await
        }
+    } else if nat_probe {
+        info!("STUN probe is disabled by network.stun_use=false");
+        DualStunResult::default()
    } else {
        DualStunResult::default()
    };
--- a/src/network/stun.rs
+++ b/src/network/stun.rs
@@ -7,6 +7,7 @@ use tokio::net::{lookup_host, UdpSocket};
 use tokio::time::{timeout, Duration, sleep};

 use crate::error::{ProxyError, Result};
+use crate::network::dns_overrides::{resolve, split_host_port};

 #[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
 pub enum IpFamily {
@@ -40,16 +41,31 @@ pub async fn stun_probe_dual(stun_addr: &str) -> Result<DualStunResult> {
 }

 pub async fn stun_probe_family(stun_addr: &str, family: IpFamily) -> Result<Option<StunProbeResult>> {
+    stun_probe_family_with_bind(stun_addr, family, None).await
+}
+
+pub async fn stun_probe_family_with_bind(
+    stun_addr: &str,
+    family: IpFamily,
+    bind_ip: Option<IpAddr>,
+) -> Result<Option<StunProbeResult>> {
    use rand::RngCore;

-    let bind_addr = match family {
-        IpFamily::V4 => "0.0.0.0:0",
-        IpFamily::V6 => "[::]:0",
+    let bind_addr = match (family, bind_ip) {
+        (IpFamily::V4, Some(IpAddr::V4(ip))) => SocketAddr::new(IpAddr::V4(ip), 0),
+        (IpFamily::V6, Some(IpAddr::V6(ip))) => SocketAddr::new(IpAddr::V6(ip), 0),
+        (IpFamily::V4, Some(IpAddr::V6(_))) | (IpFamily::V6, Some(IpAddr::V4(_))) => {
+            return Ok(None);
+        }
+        (IpFamily::V4, None) => SocketAddr::new(IpAddr::V4(Ipv4Addr::UNSPECIFIED), 0),
+        (IpFamily::V6, None) => SocketAddr::new(IpAddr::V6(Ipv6Addr::UNSPECIFIED), 0),
    };

-    let socket = UdpSocket::bind(bind_addr)
-        .await
-        .map_err(|e| ProxyError::Proxy(format!("STUN bind failed: {e}")))?;
+    let socket = match UdpSocket::bind(bind_addr).await {
+        Ok(socket) => socket,
+        Err(_) if bind_ip.is_some() => return Ok(None),
+        Err(e) => return Err(ProxyError::Proxy(format!("STUN bind failed: {e}"))),
+    };

    let target_addr = resolve_stun_addr(stun_addr, family).await?;
    if let Some(addr) = target_addr {
@@ -198,6 +214,16 @@ async fn resolve_stun_addr(stun_addr: &str, family: IpFamily) -> Result<Option<S
        });
    }

+    if let Some((host, port)) = split_host_port(stun_addr)
+        && let Some(ip) = resolve(&host, port)
+    {
+        let addr = SocketAddr::new(ip, port);
+        return Ok(match (addr.is_ipv4(), family) {
+            (true, IpFamily::V4) | (false, IpFamily::V6) => Some(addr),
+            _ => None,
+        });
+    }
+
    let mut addrs = lookup_host(stun_addr)
        .await
        .map_err(|e| ProxyError::Proxy(format!("STUN resolve failed: {e}")))?;
--- a/src/proxy/client.rs
+++ b/src/proxy/client.rs
@@ -91,9 +91,17 @@ where
    stats.increment_connects_all();
    let mut real_peer = normalize_ip(peer);

+    // For non-TCP streams, use a synthetic local address; may be overridden by PROXY protocol dst
+    let mut local_addr: SocketAddr = format!("0.0.0.0:{}", config.server.port)
+        .parse()
+        .unwrap_or_else(|_| "0.0.0.0:443".parse().unwrap());
+
    if proxy_protocol_enabled {
-        match parse_proxy_protocol(&mut stream, peer).await {
-            Ok(info) => {
+        let proxy_header_timeout = Duration::from_millis(
+            config.server.proxy_protocol_header_timeout_ms.max(1),
+        );
+        match timeout(proxy_header_timeout, parse_proxy_protocol(&mut stream, peer)).await {
+            Ok(Ok(info)) => {
                debug!(
                    peer = %peer,
                    client = %info.src_addr,
@@ -101,13 +109,22 @@ where
                    "PROXY protocol header parsed"
                );
                real_peer = normalize_ip(info.src_addr);
+                if let Some(dst) = info.dst_addr {
+                    local_addr = dst;
+                }
            }
-            Err(e) => {
+            Ok(Err(e)) => {
                stats.increment_connects_bad();
                warn!(peer = %peer, error = %e, "Invalid PROXY protocol header");
                record_beobachten_class(&beobachten, &config, peer.ip(), "other");
                return Err(e);
            }
+            Err(_) => {
+                stats.increment_connects_bad();
+                warn!(peer = %peer, timeout_ms = proxy_header_timeout.as_millis(), "PROXY protocol header timeout");
+                record_beobachten_class(&beobachten, &config, peer.ip(), "other");
+                return Err(ProxyError::InvalidProxyProtocol);
+            }
        }
    }

@@ -119,11 +136,6 @@ where
    let beobachten_for_timeout = beobachten.clone();
    let peer_for_timeout = real_peer.ip();

-    // For non-TCP streams, use a synthetic local address
-    let local_addr: SocketAddr = format!("0.0.0.0:{}", config.server.port)
-        .parse()
-        .unwrap_or_else(|_| "0.0.0.0:443".parse().unwrap());
-
    // Phase 1: handshake (with timeout)
    let outcome = match timeout(handshake_timeout, async {
        let mut first_bytes = [0u8; 5];
@@ -144,6 +156,7 @@ where
                    writer,
                    &first_bytes,
                    real_peer,
+                    local_addr,
                    &config,
                    &beobachten,
                )
@@ -157,7 +170,7 @@ where

            let (read_half, write_half) = tokio::io::split(stream);

-            let (mut tls_reader, tls_writer, _tls_user) = match handle_tls_handshake(
+            let (mut tls_reader, tls_writer, tls_user) = match handle_tls_handshake(
                &handshake, read_half, write_half, real_peer,
                &config, &replay_checker, &rng, tls_cache.clone(),
            ).await {
@@ -169,6 +182,7 @@ where
                        writer,
                        &handshake,
                        real_peer,
+                        local_addr,
                        &config,
                        &beobachten,
                    )
@@ -185,7 +199,7 @@ where

            let (crypto_reader, crypto_writer, success) = match handle_mtproto_handshake(
                &mtproto_handshake, tls_reader, tls_writer, real_peer,
-                &config, &replay_checker, true,
+                &config, &replay_checker, true, Some(tls_user.as_str()),
            ).await {
                HandshakeResult::Success(result) => result,
                HandshakeResult::BadClient { reader: _, writer: _ } => {
@@ -213,6 +227,7 @@ where
                    writer,
                    &first_bytes,
                    real_peer,
+                    local_addr,
                    &config,
                    &beobachten,
                )
@@ -228,7 +243,7 @@ where

            let (crypto_reader, crypto_writer, success) = match handle_mtproto_handshake(
                &handshake, read_half, write_half, real_peer,
-                &config, &replay_checker, false,
+                &config, &replay_checker, false, None,
            ).await {
                HandshakeResult::Success(result) => result,
                HandshakeResult::BadClient { reader, writer } => {
@@ -238,6 +253,7 @@ where
                        writer,
                        &handshake,
                        real_peer,
+                        local_addr,
                        &config,
                        &beobachten,
                    )
@@ -405,9 +421,19 @@ impl RunningClientHandler {
    }

    async fn do_handshake(mut self) -> Result<HandshakeOutcome> {
+        let mut local_addr = self.stream.local_addr().map_err(ProxyError::Io)?;
+
        if self.proxy_protocol_enabled {
-            match parse_proxy_protocol(&mut self.stream, self.peer).await {
-                Ok(info) => {
+            let proxy_header_timeout = Duration::from_millis(
+                self.config.server.proxy_protocol_header_timeout_ms.max(1),
+            );
+            match timeout(
+                proxy_header_timeout,
+                parse_proxy_protocol(&mut self.stream, self.peer),
+            )
+            .await
+            {
+                Ok(Ok(info)) => {
                    debug!(
                        peer = %self.peer,
                        client = %info.src_addr,
@@ -415,8 +441,11 @@ impl RunningClientHandler {
                        "PROXY protocol header parsed"
                    );
                    self.peer = normalize_ip(info.src_addr);
+                    if let Some(dst) = info.dst_addr {
+                        local_addr = dst;
+                    }
                }
-                Err(e) => {
+                Ok(Err(e)) => {
                    self.stats.increment_connects_bad();
                    warn!(peer = %self.peer, error = %e, "Invalid PROXY protocol header");
                    record_beobachten_class(
@@ -427,6 +456,21 @@ impl RunningClientHandler {
                    );
                    return Err(e);
                }
+                Err(_) => {
+                    self.stats.increment_connects_bad();
+                    warn!(
+                        peer = %self.peer,
+                        timeout_ms = proxy_header_timeout.as_millis(),
+                        "PROXY protocol header timeout"
+                    );
+                    record_beobachten_class(
+                        &self.beobachten,
+                        &self.config,
+                        self.peer.ip(),
+                        "other",
+                    );
+                    return Err(ProxyError::InvalidProxyProtocol);
+                }
            }
        }

@@ -440,13 +484,13 @@ impl RunningClientHandler {
        debug!(peer = %peer, is_tls = is_tls, "Handshake type detected");

        if is_tls {
-            self.handle_tls_client(first_bytes).await
+            self.handle_tls_client(first_bytes, local_addr).await
        } else {
-            self.handle_direct_client(first_bytes).await
+            self.handle_direct_client(first_bytes, local_addr).await
        }
    }

-    async fn handle_tls_client(mut self, first_bytes: [u8; 5]) -> Result<HandshakeOutcome> {
+    async fn handle_tls_client(mut self, first_bytes: [u8; 5], local_addr: SocketAddr) -> Result<HandshakeOutcome> {
        let peer = self.peer;
        let _ip_tracker = self.ip_tracker.clone();

@@ -463,6 +507,7 @@ impl RunningClientHandler {
                writer,
                &first_bytes,
                peer,
+                local_addr,
                &self.config,
                &self.beobachten,
            )
@@ -479,10 +524,9 @@ impl RunningClientHandler {
        let stats = self.stats.clone();
        let buffer_pool = self.buffer_pool.clone();

-        let local_addr = self.stream.local_addr().map_err(ProxyError::Io)?;
        let (read_half, write_half) = self.stream.into_split();

-        let (mut tls_reader, tls_writer, _tls_user) = match handle_tls_handshake(
+        let (mut tls_reader, tls_writer, tls_user) = match handle_tls_handshake(
            &handshake,
            read_half,
            write_half,
@@ -502,6 +546,7 @@ impl RunningClientHandler {
                    writer,
                    &handshake,
                    peer,
+                    local_addr,
                    &config,
                    &self.beobachten,
                )
@@ -525,6 +570,7 @@ impl RunningClientHandler {
            &config,
            &replay_checker,
            true,
+            Some(tls_user.as_str()),
        )
        .await
        {
@@ -558,7 +604,7 @@ impl RunningClientHandler {
        )))
    }

-    async fn handle_direct_client(mut self, first_bytes: [u8; 5]) -> Result<HandshakeOutcome> {
+    async fn handle_direct_client(mut self, first_bytes: [u8; 5], local_addr: SocketAddr) -> Result<HandshakeOutcome> {
        let peer = self.peer;
        let _ip_tracker = self.ip_tracker.clone();

@@ -571,6 +617,7 @@ impl RunningClientHandler {
                writer,
                &first_bytes,
                peer,
+                local_addr,
                &self.config,
                &self.beobachten,
            )
@@ -587,7 +634,6 @@ impl RunningClientHandler {
        let stats = self.stats.clone();
        let buffer_pool = self.buffer_pool.clone();

-        let local_addr = self.stream.local_addr().map_err(ProxyError::Io)?;
        let (read_half, write_half) = self.stream.into_split();

        let (crypto_reader, crypto_writer, success) = match handle_mtproto_handshake(
@@ -598,6 +644,7 @@ impl RunningClientHandler {
            &config,
            &replay_checker,
            false,
+            None,
        )
        .await
        {
@@ -609,6 +656,7 @@ impl RunningClientHandler {
                    writer,
                    &handshake,
                    peer,
+                    local_addr,
                    &config,
                    &self.beobachten,
                )
@@ -658,42 +706,16 @@ impl RunningClientHandler {
        R: AsyncRead + Unpin + Send + 'static,
        W: AsyncWrite + Unpin + Send + 'static,
    {
-        let user = &success.user;
+        let user = success.user.clone();

-        if let Err(e) = Self::check_user_limits_static(user, &config, &stats, peer_addr, &ip_tracker).await {
+        if let Err(e) = Self::check_user_limits_static(&user, &config, &stats, peer_addr, &ip_tracker).await {
            warn!(user = %user, error = %e, "User limit exceeded");
            return Err(e);
        }

-        // IP Cleanup Guard: автоматически удаляет IP при выходе из scope
-        struct IpCleanupGuard {
-            tracker: Arc<UserIpTracker>,
-            user: String,
-            ip: std::net::IpAddr,
-        }
-        
-        impl Drop for IpCleanupGuard {
-            fn drop(&mut self) {
-                let tracker = self.tracker.clone();
-                let user = self.user.clone();
-                let ip = self.ip;
-                tokio::spawn(async move {
-                    tracker.remove_ip(&user, ip).await;
-                    debug!(user = %user, ip = %ip, "IP cleaned up on disconnect");
-                });
-            }
-        }
-        
-        let _cleanup = IpCleanupGuard {
-            tracker: ip_tracker,
-            user: user.clone(),
-            ip: peer_addr.ip(),
-        };
-
-        // Decide: middle proxy or direct
-        if config.general.use_middle_proxy {
+        let relay_result = if config.general.use_middle_proxy {
            if let Some(ref pool) = me_pool {
-                return handle_via_middle_proxy(
+                handle_via_middle_proxy(
                    client_reader,
                    client_writer,
                    success,
@@ -704,23 +726,38 @@ impl RunningClientHandler {
                    local_addr,
                    rng,
                )
-                .await;
+                .await
+            } else {
+                warn!("use_middle_proxy=true but MePool not initialized, falling back to direct");
+                handle_via_direct(
+                    client_reader,
+                    client_writer,
+                    success,
+                    upstream_manager,
+                    stats,
+                    config,
+                    buffer_pool,
+                    rng,
+                )
+                .await
            }
-            warn!("use_middle_proxy=true but MePool not initialized, falling back to direct");
-        }
+        } else {
+            // Direct mode (original behavior)
+            handle_via_direct(
+                client_reader,
+                client_writer,
+                success,
+                upstream_manager,
+                stats,
+                config,
+                buffer_pool,
+                rng,
+            )
+            .await
+        };

-        // Direct mode (original behavior)
-        handle_via_direct(
-            client_reader,
-            client_writer,
-            success,
-            upstream_manager,
-            stats,
-            config,
-            buffer_pool,
-            rng,
-        )
-        .await
+        ip_tracker.remove_ip(&user, peer_addr.ip()).await;
+        relay_result
    }

    async fn check_user_limits_static(
@@ -738,22 +775,32 @@ impl RunningClientHandler {
            });
        }

+        let mut ip_reserved = false;
        // IP limit check
-        if let Err(reason) = ip_tracker.check_and_add(user, peer_addr.ip()).await {
-            warn!(
-                user = %user,
-                ip = %peer_addr.ip(),
-                reason = %reason,
-                "IP limit exceeded"
-            );
-            return Err(ProxyError::ConnectionLimitExceeded {
-                user: user.to_string(),
-            });
+        match ip_tracker.check_and_add(user, peer_addr.ip()).await {
+            Ok(()) => {
+                ip_reserved = true;
+            }
+            Err(reason) => {
+                warn!(
+                    user = %user,
+                    ip = %peer_addr.ip(),
+                    reason = %reason,
+                    "IP limit exceeded"
+                );
+                return Err(ProxyError::ConnectionLimitExceeded {
+                    user: user.to_string(),
+                });
+            }
        }

        if let Some(limit) = config.access.user_max_tcp_conns.get(user)
            && stats.get_user_curr_connects(user) >= *limit as u64
        {
+            if ip_reserved {
+                ip_tracker.remove_ip(user, peer_addr.ip()).await;
+                stats.increment_ip_reservation_rollback_tcp_limit_total();
+            }
            return Err(ProxyError::ConnectionLimitExceeded {
                user: user.to_string(),
            });
@@ -762,6 +809,10 @@ impl RunningClientHandler {
        if let Some(quota) = config.access.user_data_quota.get(user)
            && stats.get_user_total_octets(user) >= *quota
        {
+            if ip_reserved {
+                ip_tracker.remove_ip(user, peer_addr.ip()).await;
+                stats.increment_ip_reservation_rollback_quota_limit_total();
+            }
            return Err(ProxyError::DataQuotaExceeded {
                user: user.to_string(),
            });
--- a/src/proxy/direct_relay.rs
+++ b/src/proxy/direct_relay.rs
@@ -34,7 +34,7 @@ where
    let user = &success.user;
    let dc_addr = get_dc_addr_static(success.dc_idx, &config)?;

-    info!(
+    debug!(
        user = %user,
        peer = %success.peer,
        dc = success.dc_idx,
@@ -57,6 +57,7 @@ where

    stats.increment_user_connects(user);
    stats.increment_user_curr_connects(user);
+    stats.increment_current_connections_direct();

    let relay_result = relay_bidirectional(
        client_reader,
@@ -69,6 +70,7 @@ where
    )
    .await;

+    stats.decrement_current_connections_direct();
    stats.decrement_user_curr_connects(user);

    match &relay_result {
@@ -118,10 +120,16 @@ fn get_dc_addr_static(dc_idx: i16, config: &ProxyConfig) -> Result<SocketAddr> {
    // Unknown DC requested by client without override: log and fall back.
    if !config.dc_overrides.contains_key(&dc_key) {
        warn!(dc_idx = dc_idx, "Requested non-standard DC with no override; falling back to default cluster");
-        if let Some(path) = &config.general.unknown_dc_log_path
-            && let Ok(mut file) = OpenOptions::new().create(true).append(true).open(path)
+        if config.general.unknown_dc_file_log_enabled
+            && let Some(path) = &config.general.unknown_dc_log_path
+            && let Ok(handle) = tokio::runtime::Handle::try_current()
        {
-            let _ = writeln!(file, "dc_idx={dc_idx}");
+            let path = path.clone();
+            handle.spawn_blocking(move || {
+                if let Ok(mut file) = OpenOptions::new().create(true).append(true).open(path) {
+                    let _ = writeln!(file, "dc_idx={dc_idx}");
+                }
+            });
        }
    }

--- a/src/proxy/handshake.rs
+++ b/src/proxy/handshake.rs
@@ -6,7 +6,7 @@ use std::net::SocketAddr;
 use std::sync::Arc;
 use std::time::Duration;
 use tokio::io::{AsyncRead, AsyncWrite, AsyncWriteExt};
-use tracing::{debug, warn, trace, info};
+use tracing::{debug, warn, trace};
 use zeroize::Zeroize;

 use crate::crypto::{sha256, AesCtr, SecureRandom};
@@ -19,6 +19,31 @@ use crate::stats::ReplayChecker;
 use crate::config::ProxyConfig;
 use crate::tls_front::{TlsFrontCache, emulator};

+fn decode_user_secrets(
+    config: &ProxyConfig,
+    preferred_user: Option<&str>,
+) -> Vec<(String, Vec<u8>)> {
+    let mut secrets = Vec::with_capacity(config.access.users.len());
+
+    if let Some(preferred) = preferred_user
+        && let Some(secret_hex) = config.access.users.get(preferred)
+        && let Ok(bytes) = hex::decode(secret_hex)
+    {
+        secrets.push((preferred.to_string(), bytes));
+    }
+
+    for (name, secret_hex) in &config.access.users {
+        if preferred_user.is_some_and(|preferred| preferred == name.as_str()) {
+            continue;
+        }
+        if let Ok(bytes) = hex::decode(secret_hex) {
+            secrets.push((name.clone(), bytes));
+        }
+    }
+
+    secrets
+}
+
 /// Result of successful handshake
 ///
 /// Key material (`dec_key`, `dec_iv`, `enc_key`, `enc_iv`) is
@@ -82,11 +107,7 @@ where
        return HandshakeResult::BadClient { reader, writer };
    }

-    let secrets: Vec<(String, Vec<u8>)> = config.access.users.iter()
-        .filter_map(|(name, hex)| {
-            hex::decode(hex).ok().map(|bytes| (name.clone(), bytes))
-        })
-        .collect();
+    let secrets = decode_user_secrets(config, None);

    let validation = match tls::validate_tls_handshake(
        handshake,
@@ -201,7 +222,7 @@ where
        return HandshakeResult::Error(ProxyError::Io(e));
    }

-    info!(
+    debug!(
        peer = %peer,
        user = %validation.user,
        "TLS handshake successful"
@@ -223,6 +244,7 @@ pub async fn handle_mtproto_handshake<R, W>(
    config: &ProxyConfig,
    replay_checker: &ReplayChecker,
    is_tls: bool,
+    preferred_user: Option<&str>,
 ) -> HandshakeResult<(CryptoReader<R>, CryptoWriter<W>, HandshakeSuccess), R, W>
 where
    R: AsyncRead + Unpin + Send,
@@ -239,11 +261,9 @@ where

    let enc_prekey_iv: Vec<u8> = dec_prekey_iv.iter().rev().copied().collect();

-    for (user, secret_hex) in &config.access.users {
-        let secret = match hex::decode(secret_hex) {
-            Ok(s) => s,
-            Err(_) => continue,
-        };
+    let decoded_users = decode_user_secrets(config, preferred_user);
+
+    for (user, secret) in decoded_users {

        let dec_prekey = &dec_prekey_iv[..PREKEY_LEN];
        let dec_iv_bytes = &dec_prekey_iv[PREKEY_LEN..];
@@ -311,7 +331,7 @@ where
            is_tls,
        };

-        info!(
+        debug!(
            peer = %peer,
            user = %user,
            dc = dc_idx,
--- a/src/proxy/masking.rs
+++ b/src/proxy/masking.rs
@@ -10,6 +10,7 @@ use tokio::io::{AsyncRead, AsyncWrite, AsyncReadExt, AsyncWriteExt};
 use tokio::time::timeout;
 use tracing::debug;
 use crate::config::ProxyConfig;
+use crate::network::dns_overrides::resolve_socket_addr;
 use crate::stats::beobachten::BeobachtenStore;
 use crate::transport::proxy_protocol::{ProxyProtocolV1Builder, ProxyProtocolV2Builder};

@@ -54,6 +55,7 @@ pub async fn handle_bad_client<R, W>(
    writer: W,
    initial_data: &[u8],
    peer: SocketAddr,
+    local_addr: SocketAddr,
    config: &ProxyConfig,
    beobachten: &BeobachtenStore,
 )
@@ -86,7 +88,29 @@ where
        let connect_result = timeout(MASK_TIMEOUT, UnixStream::connect(sock_path)).await;
        match connect_result {
            Ok(Ok(stream)) => {
-                let (mask_read, mask_write) = stream.into_split();
+                let (mask_read, mut mask_write) = stream.into_split();
+                let proxy_header: Option<Vec<u8>> = match config.censorship.mask_proxy_protocol {
+                    0 => None,
+                    version => {
+                        let header = match version {
+                            2 => ProxyProtocolV2Builder::new().with_addrs(peer, local_addr).build(),
+                            _ => match (peer, local_addr) {
+                                (SocketAddr::V4(src), SocketAddr::V4(dst)) =>
+                                    ProxyProtocolV1Builder::new().tcp4(src.into(), dst.into()).build(),
+                                (SocketAddr::V6(src), SocketAddr::V6(dst)) =>
+                                    ProxyProtocolV1Builder::new().tcp6(src.into(), dst.into()).build(),
+                                _ =>
+                                    ProxyProtocolV1Builder::new().build(),
+                            },
+                        };
+                        Some(header)
+                    }
+                };
+                if let Some(header) = proxy_header {
+                    if mask_write.write_all(&header).await.is_err() {
+                        return;
+                    }
+                }
                if timeout(MASK_RELAY_TIMEOUT, relay_to_mask(reader, writer, mask_read, mask_write, initial_data)).await.is_err() {
                    debug!("Mask relay timed out (unix socket)");
                }
@@ -115,31 +139,26 @@ where
        "Forwarding bad client to mask host"
    );

-    // Connect to mask host
-    let mask_addr = format!("{}:{}", mask_host, mask_port);
+    // Apply runtime DNS override for mask target when configured.
+    let mask_addr = resolve_socket_addr(mask_host, mask_port)
+        .map(|addr| addr.to_string())
+        .unwrap_or_else(|| format!("{}:{}", mask_host, mask_port));
    let connect_result = timeout(MASK_TIMEOUT, TcpStream::connect(&mask_addr)).await;
    match connect_result {
        Ok(Ok(stream)) => {
            let proxy_header: Option<Vec<u8>> = match config.censorship.mask_proxy_protocol {
                0 => None,
                version => {
-                    let header = if let Ok(local_addr) = stream.local_addr() {
-                        match version {
-                            2 => ProxyProtocolV2Builder::new().with_addrs(peer, local_addr).build(),
-                            _ => match (peer, local_addr) {
-                                (SocketAddr::V4(src), SocketAddr::V4(dst)) =>
-                                    ProxyProtocolV1Builder::new().tcp4(src.into(), dst.into()).build(),
-                                (SocketAddr::V6(src), SocketAddr::V6(dst)) =>
-                                    ProxyProtocolV1Builder::new().tcp6(src.into(), dst.into()).build(),
-                                _ =>
-                                    ProxyProtocolV1Builder::new().build(),
-                            },
-                        }
-                    } else {
-                        match version {
-                            2 => ProxyProtocolV2Builder::new().build(),
-                            _ => ProxyProtocolV1Builder::new().build(),
-                        }
+                    let header = match version {
+                        2 => ProxyProtocolV2Builder::new().with_addrs(peer, local_addr).build(),
+                        _ => match (peer, local_addr) {
+                            (SocketAddr::V4(src), SocketAddr::V4(dst)) =>
+                                ProxyProtocolV1Builder::new().tcp4(src.into(), dst.into()).build(),
+                            (SocketAddr::V6(src), SocketAddr::V6(dst)) =>
+                                ProxyProtocolV1Builder::new().tcp6(src.into(), dst.into()).build(),
+                            _ =>
+                                ProxyProtocolV1Builder::new().build(),
+                        },
                    };
                    Some(header)
                }
--- a/src/proxy/middle_relay.rs
+++ b/src/proxy/middle_relay.rs
@@ -6,9 +6,10 @@ use std::sync::atomic::{AtomicU64, Ordering};
 use std::sync::{Arc, Mutex, OnceLock};
 use std::time::{Duration, Instant};

+use bytes::Bytes;
 use tokio::io::{AsyncRead, AsyncReadExt, AsyncWrite, AsyncWriteExt};
 use tokio::sync::{mpsc, oneshot};
-use tracing::{debug, info, trace, warn};
+use tracing::{debug, trace, warn};

 use crate::config::ProxyConfig;
 use crate::crypto::SecureRandom;
@@ -20,12 +21,15 @@ use crate::stream::{BufferPool, CryptoReader, CryptoWriter};
 use crate::transport::middle_proxy::{MePool, MeResponse, proto_flags_for_tag};

 enum C2MeCommand {
-    Data { payload: Vec<u8>, flags: u32 },
+    Data { payload: Bytes, flags: u32 },
    Close,
 }

 const DESYNC_DEDUP_WINDOW: Duration = Duration::from_secs(60);
 const DESYNC_ERROR_CLASS: &str = "frame_too_large_crypto_desync";
+const C2ME_CHANNEL_CAPACITY_FALLBACK: usize = 128;
+const C2ME_SOFT_PRESSURE_MIN_FREE_SLOTS: usize = 64;
+const C2ME_SENDER_FAIRNESS_BUDGET: usize = 32;
 static DESYNC_DEDUP: OnceLock<Mutex<HashMap<u64, Instant>>> = OnceLock::new();

 struct RelayForensicsState {
@@ -166,6 +170,27 @@ fn report_desync_frame_too_large(
    ))
 }

+fn should_yield_c2me_sender(sent_since_yield: usize, has_backlog: bool) -> bool {
+    has_backlog && sent_since_yield >= C2ME_SENDER_FAIRNESS_BUDGET
+}
+
+async fn enqueue_c2me_command(
+    tx: &mpsc::Sender<C2MeCommand>,
+    cmd: C2MeCommand,
+) -> std::result::Result<(), mpsc::error::SendError<C2MeCommand>> {
+    match tx.try_send(cmd) {
+        Ok(()) => Ok(()),
+        Err(mpsc::error::TrySendError::Closed(cmd)) => Err(mpsc::error::SendError(cmd)),
+        Err(mpsc::error::TrySendError::Full(cmd)) => {
+            // Cooperative yield reduces burst catch-up when the per-conn queue is near saturation.
+            if tx.capacity() <= C2ME_SOFT_PRESSURE_MIN_FREE_SLOTS {
+                tokio::task::yield_now().await;
+            }
+            tx.send(cmd).await
+        }
+    }
+}
+
 pub(crate) async fn handle_via_middle_proxy<R, W>(
    mut crypto_reader: CryptoReader<R>,
    crypto_writer: CryptoWriter<W>,
@@ -186,7 +211,7 @@ where
    let proto_tag = success.proto_tag;
    let pool_generation = me_pool.current_generation();

-    info!(
+    debug!(
        user = %user,
        peer = %peer,
        dc = success.dc_idx,
@@ -213,8 +238,24 @@ where

    stats.increment_user_connects(&user);
    stats.increment_user_curr_connects(&user);
+    stats.increment_current_connections_me();

-    let proto_flags = proto_flags_for_tag(proto_tag, me_pool.has_proxy_tag());
+    // Per-user ad_tag from access.user_ad_tags; fallback to general.ad_tag (hot-reloadable)
+    let user_tag: Option<Vec<u8>> = config
+        .access
+        .user_ad_tags
+        .get(&user)
+        .and_then(|s| hex::decode(s).ok())
+        .filter(|v| v.len() == 16);
+    let global_tag: Option<Vec<u8>> = config
+        .general
+        .ad_tag
+        .as_ref()
+        .and_then(|s| hex::decode(s).ok())
+        .filter(|v| v.len() == 16);
+    let effective_tag = user_tag.or(global_tag);
+
+    let proto_flags = proto_flags_for_tag(proto_tag, effective_tag.is_some());
    debug!(
        trace_id = format_args!("0x{:016x}", trace_id),
        user = %user,
@@ -230,9 +271,15 @@ where

    let frame_limit = config.general.max_client_frame;

-    let (c2me_tx, mut c2me_rx) = mpsc::channel::<C2MeCommand>(1024);
+    let c2me_channel_capacity = config
+        .general
+        .me_c2me_channel_capacity
+        .max(C2ME_CHANNEL_CAPACITY_FALLBACK);
+    let (c2me_tx, mut c2me_rx) = mpsc::channel::<C2MeCommand>(c2me_channel_capacity);
    let me_pool_c2me = me_pool.clone();
+    let effective_tag = effective_tag;
    let c2me_sender = tokio::spawn(async move {
+        let mut sent_since_yield = 0usize;
        while let Some(cmd) = c2me_rx.recv().await {
            match cmd {
                C2MeCommand::Data { payload, flags } => {
@@ -241,9 +288,15 @@ where
                        success.dc_idx,
                        peer,
                        translated_local_addr,
-                        &payload,
+                        payload.as_ref(),
                        flags,
+                        effective_tag.as_deref(),
                    ).await?;
+                    sent_since_yield = sent_since_yield.saturating_add(1);
+                    if should_yield_c2me_sender(sent_since_yield, !c2me_rx.is_empty()) {
+                        sent_since_yield = 0;
+                        tokio::task::yield_now().await;
+                    }
                }
                C2MeCommand::Close => {
                    let _ = me_pool_c2me.send_close(conn_id).await;
@@ -360,8 +413,7 @@ where
                    flags |= RPC_FLAG_NOT_ENCRYPTED;
                }
                // Keep client read loop lightweight: route heavy ME send path via a dedicated task.
-                if c2me_tx
-                    .send(C2MeCommand::Data { payload, flags })
+                if enqueue_c2me_command(&c2me_tx, C2MeCommand::Data { payload, flags })
                    .await
                    .is_err()
                {
@@ -372,7 +424,7 @@ where
            Ok(None) => {
                debug!(conn_id, "Client EOF");
                client_closed = true;
-                let _ = c2me_tx.send(C2MeCommand::Close).await;
+                let _ = enqueue_c2me_command(&c2me_tx, C2MeCommand::Close).await;
                break;
            }
            Err(e) => {
@@ -420,6 +472,7 @@ where
        "ME relay cleanup"
    );
    me_pool.registry().unregister(conn_id).await;
+    stats.decrement_current_connections_me();
    stats.decrement_user_curr_connects(&user);
    result
 }
@@ -431,7 +484,7 @@ async fn read_client_payload<R>(
    forensics: &RelayForensicsState,
    frame_counter: &mut u64,
    stats: &Stats,
-) -> Result<Option<(Vec<u8>, bool)>>
+) -> Result<Option<(Bytes, bool)>>
 where
    R: AsyncRead + Unpin + Send + 'static,
 {
@@ -530,7 +583,7 @@ where
            payload.truncate(secure_payload_len);
        }
        *frame_counter += 1;
-        return Ok(Some((payload, quickack)));
+        return Ok(Some((Bytes::from(payload), quickack)));
    }
 }

@@ -647,3 +700,84 @@ where
    // ACK should remain low-latency.
    client_writer.flush().await.map_err(ProxyError::Io)
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use tokio::time::{Duration as TokioDuration, timeout};
+
+    #[test]
+    fn should_yield_sender_only_on_budget_with_backlog() {
+        assert!(!should_yield_c2me_sender(0, true));
+        assert!(!should_yield_c2me_sender(C2ME_SENDER_FAIRNESS_BUDGET - 1, true));
+        assert!(!should_yield_c2me_sender(C2ME_SENDER_FAIRNESS_BUDGET, false));
+        assert!(should_yield_c2me_sender(C2ME_SENDER_FAIRNESS_BUDGET, true));
+    }
+
+    #[tokio::test]
+    async fn enqueue_c2me_command_uses_try_send_fast_path() {
+        let (tx, mut rx) = mpsc::channel::<C2MeCommand>(2);
+        enqueue_c2me_command(
+            &tx,
+            C2MeCommand::Data {
+                payload: Bytes::from_static(&[1, 2, 3]),
+                flags: 0,
+            },
+        )
+        .await
+        .unwrap();
+
+        let recv = timeout(TokioDuration::from_millis(50), rx.recv())
+            .await
+            .unwrap()
+            .unwrap();
+        match recv {
+            C2MeCommand::Data { payload, flags } => {
+                assert_eq!(payload.as_ref(), &[1, 2, 3]);
+                assert_eq!(flags, 0);
+            }
+            C2MeCommand::Close => panic!("unexpected close command"),
+        }
+    }
+
+    #[tokio::test]
+    async fn enqueue_c2me_command_falls_back_to_send_when_queue_is_full() {
+        let (tx, mut rx) = mpsc::channel::<C2MeCommand>(1);
+        tx.send(C2MeCommand::Data {
+            payload: Bytes::from_static(&[9]),
+            flags: 9,
+        })
+        .await
+        .unwrap();
+
+        let tx2 = tx.clone();
+        let producer = tokio::spawn(async move {
+            enqueue_c2me_command(
+                &tx2,
+                C2MeCommand::Data {
+                    payload: Bytes::from_static(&[7, 7]),
+                    flags: 7,
+                },
+            )
+            .await
+            .unwrap();
+        });
+
+        let _ = timeout(TokioDuration::from_millis(100), rx.recv())
+            .await
+            .unwrap();
+        producer.await.unwrap();
+
+        let recv = timeout(TokioDuration::from_millis(100), rx.recv())
+            .await
+            .unwrap()
+            .unwrap();
+        match recv {
+            C2MeCommand::Data { payload, flags } => {
+                assert_eq!(payload.as_ref(), &[7, 7]);
+                assert_eq!(flags, 7);
+            }
+            C2MeCommand::Close => panic!("unexpected close command"),
+        }
+    }
+}
--- a/src/startup.rs
+++ b/src/startup.rs
@@ -0,0 +1,373 @@
+use std::time::{Instant, SystemTime, UNIX_EPOCH};
+
+use tokio::sync::RwLock;
+
+pub const COMPONENT_CONFIG_LOAD: &str = "config_load";
+pub const COMPONENT_TRACING_INIT: &str = "tracing_init";
+pub const COMPONENT_API_BOOTSTRAP: &str = "api_bootstrap";
+pub const COMPONENT_TLS_FRONT_BOOTSTRAP: &str = "tls_front_bootstrap";
+pub const COMPONENT_NETWORK_PROBE: &str = "network_probe";
+pub const COMPONENT_ME_SECRET_FETCH: &str = "me_secret_fetch";
+pub const COMPONENT_ME_PROXY_CONFIG_V4: &str = "me_proxy_config_fetch_v4";
+pub const COMPONENT_ME_PROXY_CONFIG_V6: &str = "me_proxy_config_fetch_v6";
+pub const COMPONENT_ME_POOL_CONSTRUCT: &str = "me_pool_construct";
+pub const COMPONENT_ME_POOL_INIT_STAGE1: &str = "me_pool_init_stage1";
+pub const COMPONENT_ME_CONNECTIVITY_PING: &str = "me_connectivity_ping";
+pub const COMPONENT_DC_CONNECTIVITY_PING: &str = "dc_connectivity_ping";
+pub const COMPONENT_LISTENERS_BIND: &str = "listeners_bind";
+pub const COMPONENT_CONFIG_WATCHER_START: &str = "config_watcher_start";
+pub const COMPONENT_METRICS_START: &str = "metrics_start";
+pub const COMPONENT_RUNTIME_READY: &str = "runtime_ready";
+
+#[derive(Clone, Copy, Debug, PartialEq, Eq)]
+pub enum StartupStatus {
+    Initializing,
+    Ready,
+}
+
+impl StartupStatus {
+    pub fn as_str(self) -> &'static str {
+        match self {
+            Self::Initializing => "initializing",
+            Self::Ready => "ready",
+        }
+    }
+}
+
+#[derive(Clone, Copy, Debug, PartialEq, Eq)]
+pub enum StartupComponentStatus {
+    Pending,
+    Running,
+    Ready,
+    Failed,
+    Skipped,
+}
+
+impl StartupComponentStatus {
+    pub fn as_str(self) -> &'static str {
+        match self {
+            Self::Pending => "pending",
+            Self::Running => "running",
+            Self::Ready => "ready",
+            Self::Failed => "failed",
+            Self::Skipped => "skipped",
+        }
+    }
+}
+
+#[derive(Clone, Copy, Debug, PartialEq, Eq)]
+pub enum StartupMeStatus {
+    Pending,
+    Initializing,
+    Ready,
+    Failed,
+    Skipped,
+}
+
+impl StartupMeStatus {
+    pub fn as_str(self) -> &'static str {
+        match self {
+            Self::Pending => "pending",
+            Self::Initializing => "initializing",
+            Self::Ready => "ready",
+            Self::Failed => "failed",
+            Self::Skipped => "skipped",
+        }
+    }
+}
+
+#[derive(Clone, Debug)]
+pub struct StartupComponentSnapshot {
+    pub id: &'static str,
+    pub title: &'static str,
+    pub weight: f64,
+    pub status: StartupComponentStatus,
+    pub started_at_epoch_ms: Option<u64>,
+    pub finished_at_epoch_ms: Option<u64>,
+    pub duration_ms: Option<u64>,
+    pub attempts: u32,
+    pub details: Option<String>,
+}
+
+#[derive(Clone, Debug)]
+pub struct StartupMeSnapshot {
+    pub status: StartupMeStatus,
+    pub current_stage: String,
+    pub init_attempt: u32,
+    pub retry_limit: String,
+    pub last_error: Option<String>,
+}
+
+#[derive(Clone, Debug)]
+pub struct StartupSnapshot {
+    pub status: StartupStatus,
+    pub degraded: bool,
+    pub current_stage: String,
+    pub started_at_epoch_secs: u64,
+    pub ready_at_epoch_secs: Option<u64>,
+    pub total_elapsed_ms: u64,
+    pub transport_mode: String,
+    pub me: StartupMeSnapshot,
+    pub components: Vec<StartupComponentSnapshot>,
+}
+
+#[derive(Clone, Debug)]
+struct StartupComponent {
+    id: &'static str,
+    title: &'static str,
+    weight: f64,
+    status: StartupComponentStatus,
+    started_at_epoch_ms: Option<u64>,
+    finished_at_epoch_ms: Option<u64>,
+    duration_ms: Option<u64>,
+    attempts: u32,
+    details: Option<String>,
+}
+
+#[derive(Clone, Debug)]
+struct StartupState {
+    status: StartupStatus,
+    degraded: bool,
+    current_stage: String,
+    started_at_epoch_secs: u64,
+    ready_at_epoch_secs: Option<u64>,
+    transport_mode: String,
+    me: StartupMeSnapshot,
+    components: Vec<StartupComponent>,
+}
+
+pub struct StartupTracker {
+    started_at_instant: Instant,
+    state: RwLock<StartupState>,
+}
+
+impl StartupTracker {
+    pub fn new(started_at_epoch_secs: u64) -> Self {
+        Self {
+            started_at_instant: Instant::now(),
+            state: RwLock::new(StartupState {
+                status: StartupStatus::Initializing,
+                degraded: false,
+                current_stage: COMPONENT_CONFIG_LOAD.to_string(),
+                started_at_epoch_secs,
+                ready_at_epoch_secs: None,
+                transport_mode: "unknown".to_string(),
+                me: StartupMeSnapshot {
+                    status: StartupMeStatus::Pending,
+                    current_stage: "pending".to_string(),
+                    init_attempt: 0,
+                    retry_limit: "unlimited".to_string(),
+                    last_error: None,
+                },
+                components: component_blueprint(),
+            }),
+        }
+    }
+
+    pub async fn set_transport_mode(&self, mode: &'static str) {
+        self.state.write().await.transport_mode = mode.to_string();
+    }
+
+    pub async fn set_degraded(&self, degraded: bool) {
+        self.state.write().await.degraded = degraded;
+    }
+
+    pub async fn start_component(&self, id: &'static str, details: Option<String>) {
+        let mut guard = self.state.write().await;
+        guard.current_stage = id.to_string();
+        if let Some(component) = guard.components.iter_mut().find(|component| component.id == id) {
+            if component.started_at_epoch_ms.is_none() {
+                component.started_at_epoch_ms = Some(now_epoch_ms());
+            }
+            component.attempts = component.attempts.saturating_add(1);
+            component.status = StartupComponentStatus::Running;
+            component.details = normalize_details(details);
+        }
+    }
+
+    pub async fn complete_component(&self, id: &'static str, details: Option<String>) {
+        self.finish_component(id, StartupComponentStatus::Ready, details)
+            .await;
+    }
+
+    pub async fn fail_component(&self, id: &'static str, details: Option<String>) {
+        self.finish_component(id, StartupComponentStatus::Failed, details)
+            .await;
+    }
+
+    pub async fn skip_component(&self, id: &'static str, details: Option<String>) {
+        self.finish_component(id, StartupComponentStatus::Skipped, details)
+            .await;
+    }
+
+    async fn finish_component(
+        &self,
+        id: &'static str,
+        status: StartupComponentStatus,
+        details: Option<String>,
+    ) {
+        let mut guard = self.state.write().await;
+        let finished_at = now_epoch_ms();
+        if let Some(component) = guard.components.iter_mut().find(|component| component.id == id) {
+            if component.started_at_epoch_ms.is_none() {
+                component.started_at_epoch_ms = Some(finished_at);
+                component.attempts = component.attempts.saturating_add(1);
+            }
+            component.finished_at_epoch_ms = Some(finished_at);
+            component.duration_ms = component
+                .started_at_epoch_ms
+                .map(|started_at| finished_at.saturating_sub(started_at));
+            component.status = status;
+            component.details = normalize_details(details);
+        }
+    }
+
+    pub async fn set_me_status(&self, status: StartupMeStatus, stage: &'static str) {
+        let mut guard = self.state.write().await;
+        guard.me.status = status;
+        guard.me.current_stage = stage.to_string();
+    }
+
+    pub async fn set_me_retry_limit(&self, retry_limit: String) {
+        self.state.write().await.me.retry_limit = retry_limit;
+    }
+
+    pub async fn set_me_init_attempt(&self, attempt: u32) {
+        self.state.write().await.me.init_attempt = attempt;
+    }
+
+    pub async fn set_me_last_error(&self, error: Option<String>) {
+        self.state.write().await.me.last_error = normalize_details(error);
+    }
+
+    pub async fn mark_ready(&self) {
+        let mut guard = self.state.write().await;
+        if guard.status == StartupStatus::Ready {
+            return;
+        }
+        guard.status = StartupStatus::Ready;
+        guard.current_stage = "ready".to_string();
+        guard.ready_at_epoch_secs = Some(now_epoch_secs());
+    }
+
+    pub async fn snapshot(&self) -> StartupSnapshot {
+        let guard = self.state.read().await;
+        StartupSnapshot {
+            status: guard.status,
+            degraded: guard.degraded,
+            current_stage: guard.current_stage.clone(),
+            started_at_epoch_secs: guard.started_at_epoch_secs,
+            ready_at_epoch_secs: guard.ready_at_epoch_secs,
+            total_elapsed_ms: self.started_at_instant.elapsed().as_millis() as u64,
+            transport_mode: guard.transport_mode.clone(),
+            me: guard.me.clone(),
+            components: guard
+                .components
+                .iter()
+                .map(|component| StartupComponentSnapshot {
+                    id: component.id,
+                    title: component.title,
+                    weight: component.weight,
+                    status: component.status,
+                    started_at_epoch_ms: component.started_at_epoch_ms,
+                    finished_at_epoch_ms: component.finished_at_epoch_ms,
+                    duration_ms: component.duration_ms,
+                    attempts: component.attempts,
+                    details: component.details.clone(),
+                })
+                .collect(),
+        }
+    }
+}
+
+pub fn compute_progress_pct(snapshot: &StartupSnapshot, me_stage_progress: Option<f64>) -> f64 {
+    if snapshot.status == StartupStatus::Ready {
+        return 100.0;
+    }
+
+    let mut total_weight = 0.0f64;
+    let mut completed_weight = 0.0f64;
+
+    for component in &snapshot.components {
+        total_weight += component.weight;
+        let unit_progress = match component.status {
+            StartupComponentStatus::Pending => 0.0,
+            StartupComponentStatus::Running => {
+                if component.id == COMPONENT_ME_POOL_INIT_STAGE1 {
+                    me_stage_progress.unwrap_or(0.0).clamp(0.0, 1.0)
+                } else {
+                    0.0
+                }
+            }
+            StartupComponentStatus::Ready
+            | StartupComponentStatus::Failed
+            | StartupComponentStatus::Skipped => 1.0,
+        };
+        completed_weight += component.weight * unit_progress;
+    }
+
+    if total_weight <= f64::EPSILON {
+        0.0
+    } else {
+        ((completed_weight / total_weight) * 100.0).clamp(0.0, 100.0)
+    }
+}
+
+fn component_blueprint() -> Vec<StartupComponent> {
+    vec![
+        component(COMPONENT_CONFIG_LOAD, "Config load", 5.0),
+        component(COMPONENT_TRACING_INIT, "Tracing init", 3.0),
+        component(COMPONENT_API_BOOTSTRAP, "API bootstrap", 5.0),
+        component(COMPONENT_TLS_FRONT_BOOTSTRAP, "TLS front bootstrap", 5.0),
+        component(COMPONENT_NETWORK_PROBE, "Network probe", 10.0),
+        component(COMPONENT_ME_SECRET_FETCH, "ME secret fetch", 8.0),
+        component(COMPONENT_ME_PROXY_CONFIG_V4, "ME config v4 fetch", 4.0),
+        component(COMPONENT_ME_PROXY_CONFIG_V6, "ME config v6 fetch", 4.0),
+        component(COMPONENT_ME_POOL_CONSTRUCT, "ME pool construct", 6.0),
+        component(COMPONENT_ME_POOL_INIT_STAGE1, "ME pool init stage1", 24.0),
+        component(COMPONENT_ME_CONNECTIVITY_PING, "ME connectivity ping", 6.0),
+        component(COMPONENT_DC_CONNECTIVITY_PING, "DC connectivity ping", 8.0),
+        component(COMPONENT_LISTENERS_BIND, "Listener bind", 8.0),
+        component(COMPONENT_CONFIG_WATCHER_START, "Config watcher start", 2.0),
+        component(COMPONENT_METRICS_START, "Metrics start", 1.0),
+        component(COMPONENT_RUNTIME_READY, "Runtime ready", 1.0),
+    ]
+}
+
+fn component(id: &'static str, title: &'static str, weight: f64) -> StartupComponent {
+    StartupComponent {
+        id,
+        title,
+        weight,
+        status: StartupComponentStatus::Pending,
+        started_at_epoch_ms: None,
+        finished_at_epoch_ms: None,
+        duration_ms: None,
+        attempts: 0,
+        details: None,
+    }
+}
+
+fn normalize_details(details: Option<String>) -> Option<String> {
+    details.map(|detail| {
+        if detail.len() <= 256 {
+            detail
+        } else {
+            detail[..256].to_string()
+        }
+    })
+}
+
+fn now_epoch_secs() -> u64 {
+    SystemTime::now()
+        .duration_since(UNIX_EPOCH)
+        .unwrap_or_default()
+        .as_secs()
+}
+
+fn now_epoch_ms() -> u64 {
+    SystemTime::now()
+        .duration_since(UNIX_EPOCH)
+        .unwrap_or_default()
+        .as_millis() as u64
+}
--- a/src/stats/mod.rs
+++ b/src/stats/mod.rs
--- a/src/stats/telemetry.rs
+++ b/src/stats/telemetry.rs
@@ -0,0 +1,29 @@
+use crate::config::{MeTelemetryLevel, TelemetryConfig};
+
+/// Runtime telemetry policy used by hot-path counters.
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub struct TelemetryPolicy {
+    pub core_enabled: bool,
+    pub user_enabled: bool,
+    pub me_level: MeTelemetryLevel,
+}
+
+impl Default for TelemetryPolicy {
+    fn default() -> Self {
+        Self {
+            core_enabled: true,
+            user_enabled: true,
+            me_level: MeTelemetryLevel::Normal,
+        }
+    }
+}
+
+impl TelemetryPolicy {
+    pub fn from_config(cfg: &TelemetryConfig) -> Self {
+        Self {
+            core_enabled: cfg.core_enabled,
+            user_enabled: cfg.user_enabled,
+            me_level: cfg.me_level,
+        }
+    }
+}
--- a/src/stream/crypto_stream.rs
+++ b/src/stream/crypto_stream.rs
@@ -336,22 +336,35 @@ impl PendingCiphertext {
    }

    fn remaining_capacity(&self) -> usize {
-        self.max_len.saturating_sub(self.buf.len())
+        self.max_len.saturating_sub(self.pending_len())
+    }
+
+    fn compact_consumed_prefix(&mut self) {
+        if self.pos == 0 {
+            return;
+        }
+
+        if self.pos >= self.buf.len() {
+            self.buf.clear();
+            self.pos = 0;
+            return;
+        }
+
+        let _ = self.buf.split_to(self.pos);
+        self.pos = 0;
    }

    fn advance(&mut self, n: usize) {
        self.pos = (self.pos + n).min(self.buf.len());

        if self.pos == self.buf.len() {
-            self.buf.clear();
-            self.pos = 0;
+            self.compact_consumed_prefix();
            return;
        }

        // Compact when a large prefix was consumed.
        if self.pos >= 16 * 1024 {
-            let _ = self.buf.split_to(self.pos);
-            self.pos = 0;
+            self.compact_consumed_prefix();
        }
    }

@@ -379,6 +392,11 @@ impl PendingCiphertext {
            ));
        }

+        // Reclaim consumed prefix when physical storage is the only limiter.
+        if self.pos > 0 && self.buf.len() + plaintext.len() > self.max_len {
+            self.compact_consumed_prefix();
+        }
+
        let start = self.buf.len();
        self.buf.reserve(plaintext.len());
        self.buf.extend_from_slice(plaintext);
@@ -777,3 +795,70 @@ impl<S: AsyncWrite + Unpin> AsyncWrite for PassthroughStream<S> {
        Pin::new(&mut self.inner).poll_shutdown(cx)
    }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    fn test_ctr() -> AesCtr {
+        AesCtr::new(&[0x11; 32], 0x0102_0304_0506_0708_1112_1314_1516_1718)
+    }
+
+    #[test]
+    fn pending_capacity_reclaims_after_partial_advance_without_compaction_threshold() {
+        let mut pending = PendingCiphertext::new(1024);
+        let mut ctr = test_ctr();
+        let payload = vec![0x41; 900];
+        pending.push_encrypted(&mut ctr, &payload).unwrap();
+
+        // Keep position below compaction threshold to validate logical-capacity accounting.
+        pending.advance(800);
+        assert_eq!(pending.pending_len(), 100);
+        assert_eq!(pending.remaining_capacity(), 924);
+    }
+
+    #[test]
+    fn push_encrypted_respects_pending_limit() {
+        let mut pending = PendingCiphertext::new(64);
+        let mut ctr = test_ctr();
+
+        pending.push_encrypted(&mut ctr, &[0x10; 64]).unwrap();
+        let err = pending.push_encrypted(&mut ctr, &[0x20]).unwrap_err();
+        assert_eq!(err.kind(), ErrorKind::WouldBlock);
+    }
+
+    #[test]
+    fn push_encrypted_compacts_prefix_when_physical_buffer_would_overflow() {
+        let mut pending = PendingCiphertext::new(64);
+        let mut ctr = test_ctr();
+
+        pending.push_encrypted(&mut ctr, &[0x22; 60]).unwrap();
+        pending.advance(30);
+        pending.push_encrypted(&mut ctr, &[0x33; 30]).unwrap();
+
+        assert_eq!(pending.pending_len(), 60);
+        assert!(pending.buf.len() <= 64);
+    }
+
+    #[test]
+    fn pending_ciphertext_preserves_stream_order_across_drain_and_append() {
+        let mut pending = PendingCiphertext::new(128);
+        let mut ctr = test_ctr();
+
+        let first = vec![0xA1; 80];
+        let second = vec![0xB2; 40];
+
+        pending.push_encrypted(&mut ctr, &first).unwrap();
+        pending.advance(50);
+        pending.push_encrypted(&mut ctr, &second).unwrap();
+
+        let mut baseline_ctr = test_ctr();
+        let mut baseline_plain = Vec::with_capacity(first.len() + second.len());
+        baseline_plain.extend_from_slice(&first);
+        baseline_plain.extend_from_slice(&second);
+        baseline_ctr.apply(&mut baseline_plain);
+
+        let expected = &baseline_plain[50..];
+        assert_eq!(pending.pending_slice(), expected);
+    }
+}
--- a/src/tls_front/fetcher.rs
+++ b/src/tls_front/fetcher.rs
@@ -2,8 +2,10 @@ use std::sync::Arc;
 use std::time::Duration;

 use anyhow::{Result, anyhow};
-use tokio::io::{AsyncReadExt, AsyncWriteExt};
+use tokio::io::{AsyncRead, AsyncReadExt, AsyncWrite, AsyncWriteExt};
 use tokio::net::TcpStream;
+#[cfg(unix)]
+use tokio::net::UnixStream;
 use tokio::time::timeout;
 use tokio_rustls::client::TlsStream;
 use tokio_rustls::TlsConnector;
@@ -18,6 +20,7 @@ use x509_parser::prelude::FromDer;
 use x509_parser::certificate::X509Certificate;

 use crate::crypto::SecureRandom;
+use crate::network::dns_overrides::resolve_socket_addr;
 use crate::protocol::constants::{TLS_RECORD_APPLICATION, TLS_RECORD_HANDSHAKE};
 use crate::transport::proxy_protocol::{ProxyProtocolV1Builder, ProxyProtocolV2Builder};
 use crate::tls_front::types::{
@@ -211,7 +214,10 @@ fn gen_key_share(rng: &SecureRandom) -> [u8; 32] {
    key
 }

-async fn read_tls_record(stream: &mut TcpStream) -> Result<(u8, Vec<u8>)> {
+async fn read_tls_record<S>(stream: &mut S) -> Result<(u8, Vec<u8>)>
+where
+    S: AsyncRead + Unpin,
+{
    let mut header = [0u8; 5];
    stream.read_exact(&mut header).await?;
    let len = u16::from_be_bytes([header[3], header[4]]) as usize;
@@ -333,6 +339,55 @@ fn u24_bytes(value: usize) -> Option<[u8; 3]> {
    ])
 }

+async fn connect_with_dns_override(
+    host: &str,
+    port: u16,
+    connect_timeout: Duration,
+) -> Result<TcpStream> {
+    if let Some(addr) = resolve_socket_addr(host, port) {
+        return Ok(timeout(connect_timeout, TcpStream::connect(addr)).await??);
+    }
+    Ok(timeout(connect_timeout, TcpStream::connect((host, port))).await??)
+}
+
+async fn connect_tcp_with_upstream(
+    host: &str,
+    port: u16,
+    connect_timeout: Duration,
+    upstream: Option<std::sync::Arc<crate::transport::UpstreamManager>>,
+) -> Result<TcpStream> {
+    if let Some(manager) = upstream {
+        if let Some(addr) = resolve_socket_addr(host, port) {
+            match manager.connect(addr, None, None).await {
+                Ok(stream) => return Ok(stream),
+                Err(e) => {
+                    warn!(
+                        host = %host,
+                        port = port,
+                        error = %e,
+                        "Upstream connect failed, using direct connect"
+                    );
+                }
+            }
+        } else if let Ok(mut addrs) = tokio::net::lookup_host((host, port)).await {
+            if let Some(addr) = addrs.find(|a| a.is_ipv4()) {
+                match manager.connect(addr, None, None).await {
+                    Ok(stream) => return Ok(stream),
+                    Err(e) => {
+                        warn!(
+                            host = %host,
+                            port = port,
+                            error = %e,
+                            "Upstream connect failed, using direct connect"
+                        );
+                    }
+                }
+            }
+        }
+    }
+    connect_with_dns_override(host, port, connect_timeout).await
+}
+
 fn encode_tls13_certificate_message(cert_chain_der: &[Vec<u8>]) -> Option<Vec<u8>> {
    if cert_chain_der.is_empty() {
        return None;
@@ -362,16 +417,15 @@ fn encode_tls13_certificate_message(cert_chain_der: &[Vec<u8>]) -> Option<Vec<u8
    Some(message)
 }

-async fn fetch_via_raw_tls(
-    host: &str,
-    port: u16,
+async fn fetch_via_raw_tls_stream<S>(
+    mut stream: S,
    sni: &str,
    connect_timeout: Duration,
    proxy_protocol: u8,
-) -> Result<TlsFetchResult> {
-    let addr = format!("{host}:{port}");
-    let mut stream = timeout(connect_timeout, TcpStream::connect(addr)).await??;
-
+) -> Result<TlsFetchResult>
+where
+    S: AsyncRead + AsyncWrite + Unpin,
+{
    let rng = SecureRandom::new();
    let client_hello = build_client_hello(sni, &rng);
    timeout(connect_timeout, async {
@@ -427,36 +481,61 @@ async fn fetch_via_raw_tls(
    })
 }

-async fn fetch_via_rustls(
+async fn fetch_via_raw_tls(
    host: &str,
    port: u16,
    sni: &str,
    connect_timeout: Duration,
    upstream: Option<std::sync::Arc<crate::transport::UpstreamManager>>,
    proxy_protocol: u8,
+    unix_sock: Option<&str>,
 ) -> Result<TlsFetchResult> {
-    // rustls handshake path for certificate and basic negotiated metadata.
-    let mut stream = if let Some(manager) = upstream {
-        // Resolve host to SocketAddr
-        if let Ok(mut addrs) = tokio::net::lookup_host((host, port)).await {
-            if let Some(addr) = addrs.find(|a| a.is_ipv4()) {
-                match manager.connect(addr, None, None).await {
-                    Ok(s) => s,
-                    Err(e) => {
-                        warn!(sni = %sni, error = %e, "Upstream connect failed, using direct connect");
-                        timeout(connect_timeout, TcpStream::connect((host, port))).await??
-                    }
-                }
-            } else {
-                timeout(connect_timeout, TcpStream::connect((host, port))).await??
+    #[cfg(unix)]
+    if let Some(sock_path) = unix_sock {
+        match timeout(connect_timeout, UnixStream::connect(sock_path)).await {
+            Ok(Ok(stream)) => {
+                debug!(
+                    sni = %sni,
+                    sock = %sock_path,
+                    "Raw TLS fetch using mask unix socket"
+                );
+                return fetch_via_raw_tls_stream(stream, sni, connect_timeout, proxy_protocol).await;
+            }
+            Ok(Err(e)) => {
+                warn!(
+                    sni = %sni,
+                    sock = %sock_path,
+                    error = %e,
+                    "Raw TLS unix socket connect failed, falling back to TCP"
+                );
+            }
+            Err(_) => {
+                warn!(
+                    sni = %sni,
+                    sock = %sock_path,
+                    "Raw TLS unix socket connect timed out, falling back to TCP"
+                );
            }
-        } else {
-            timeout(connect_timeout, TcpStream::connect((host, port))).await??
        }
-    } else {
-        timeout(connect_timeout, TcpStream::connect((host, port))).await??
-    };
+    }

+    #[cfg(not(unix))]
+    let _ = unix_sock;
+
+    let stream = connect_tcp_with_upstream(host, port, connect_timeout, upstream).await?;
+    fetch_via_raw_tls_stream(stream, sni, connect_timeout, proxy_protocol).await
+}
+
+async fn fetch_via_rustls_stream<S>(
+    mut stream: S,
+    host: &str,
+    sni: &str,
+    proxy_protocol: u8,
+) -> Result<TlsFetchResult>
+where
+    S: AsyncRead + AsyncWrite + Unpin,
+{
+    // rustls handshake path for certificate and basic negotiated metadata.
    if proxy_protocol > 0 {
        let header = match proxy_protocol {
            2 => ProxyProtocolV2Builder::new().build(),
@@ -473,7 +552,7 @@ async fn fetch_via_rustls(
        .or_else(|_| ServerName::try_from(host.to_owned()))
        .map_err(|_| RustlsError::General("invalid SNI".into()))?;

-    let tls_stream: TlsStream<TcpStream> = connector.connect(server_name, stream).await?;
+    let tls_stream: TlsStream<S> = connector.connect(server_name, stream).await?;

    // Extract negotiated parameters and certificates
    let (_io, session) = tls_stream.get_ref();
@@ -534,6 +613,51 @@ async fn fetch_via_rustls(
    })
 }

+async fn fetch_via_rustls(
+    host: &str,
+    port: u16,
+    sni: &str,
+    connect_timeout: Duration,
+    upstream: Option<std::sync::Arc<crate::transport::UpstreamManager>>,
+    proxy_protocol: u8,
+    unix_sock: Option<&str>,
+) -> Result<TlsFetchResult> {
+    #[cfg(unix)]
+    if let Some(sock_path) = unix_sock {
+        match timeout(connect_timeout, UnixStream::connect(sock_path)).await {
+            Ok(Ok(stream)) => {
+                debug!(
+                    sni = %sni,
+                    sock = %sock_path,
+                    "Rustls fetch using mask unix socket"
+                );
+                return fetch_via_rustls_stream(stream, host, sni, proxy_protocol).await;
+            }
+            Ok(Err(e)) => {
+                warn!(
+                    sni = %sni,
+                    sock = %sock_path,
+                    error = %e,
+                    "Rustls unix socket connect failed, falling back to TCP"
+                );
+            }
+            Err(_) => {
+                warn!(
+                    sni = %sni,
+                    sock = %sock_path,
+                    "Rustls unix socket connect timed out, falling back to TCP"
+                );
+            }
+        }
+    }
+
+    #[cfg(not(unix))]
+    let _ = unix_sock;
+
+    let stream = connect_tcp_with_upstream(host, port, connect_timeout, upstream).await?;
+    fetch_via_rustls_stream(stream, host, sni, proxy_protocol).await
+}
+
 /// Fetch real TLS metadata for the given SNI.
 ///
 /// Strategy:
@@ -547,8 +671,19 @@ pub async fn fetch_real_tls(
    connect_timeout: Duration,
    upstream: Option<std::sync::Arc<crate::transport::UpstreamManager>>,
    proxy_protocol: u8,
+    unix_sock: Option<&str>,
 ) -> Result<TlsFetchResult> {
-    let raw_result = match fetch_via_raw_tls(host, port, sni, connect_timeout, proxy_protocol).await {
+    let raw_result = match fetch_via_raw_tls(
+        host,
+        port,
+        sni,
+        connect_timeout,
+        upstream.clone(),
+        proxy_protocol,
+        unix_sock,
+    )
+    .await
+    {
        Ok(res) => Some(res),
        Err(e) => {
            warn!(sni = %sni, error = %e, "Raw TLS fetch failed");
@@ -556,7 +691,17 @@ pub async fn fetch_real_tls(
        }
    };

-    match fetch_via_rustls(host, port, sni, connect_timeout, upstream, proxy_protocol).await {
+    match fetch_via_rustls(
+        host,
+        port,
+        sni,
+        connect_timeout,
+        upstream,
+        proxy_protocol,
+        unix_sock,
+    )
+    .await
+    {
        Ok(rustls_result) => {
            if let Some(mut raw) = raw_result {
                raw.cert_info = rustls_result.cert_info;
--- a/src/transport/middle_proxy/codec.rs
+++ b/src/transport/middle_proxy/codec.rs
@@ -1,4 +1,5 @@
 use tokio::io::{AsyncReadExt, AsyncWriteExt};
+use bytes::Bytes;

 use crate::crypto::{AesCbc, crc32, crc32c};
 use crate::error::{ProxyError, Result};
@@ -6,8 +7,8 @@ use crate::protocol::constants::*;

 /// Commands sent to dedicated writer tasks to avoid mutex contention on TCP writes.
 pub(crate) enum WriterCommand {
-    Data(Vec<u8>),
-    DataAndFlush(Vec<u8>),
+    Data(Bytes),
+    DataAndFlush(Bytes),
    Close,
 }

--- a/src/transport/middle_proxy/config_updater.rs
+++ b/src/transport/middle_proxy/config_updater.rs
@@ -1,19 +1,20 @@
 use std::collections::HashMap;
 use std::hash::{DefaultHasher, Hash, Hasher};
 use std::net::IpAddr;
+use std::path::Path;
 use std::sync::Arc;
 use std::time::Duration;

 use httpdate;
-use tokio::sync::watch;
+use tokio::sync::{mpsc, watch};
 use tracing::{debug, info, warn};

 use crate::config::ProxyConfig;
 use crate::error::Result;

 use super::MePool;
+use super::rotation::{MeReinitTrigger, enqueue_reinit_trigger};
 use super::secret::download_proxy_secret_with_max_len;
-use crate::crypto::SecureRandom;
 use std::time::SystemTime;

 async fn retry_fetch(url: &str) -> Option<ProxyConfigData> {
@@ -38,6 +39,89 @@ async fn retry_fetch(url: &str) -> Option<ProxyConfigData> {
 pub struct ProxyConfigData {
    pub map: HashMap<i32, Vec<(IpAddr, u16)>>,
    pub default_dc: Option<i32>,
+    pub http_status: u16,
+    pub proxy_for_lines: u32,
+}
+
+pub fn parse_proxy_config_text(text: &str, http_status: u16) -> ProxyConfigData {
+    let mut map: HashMap<i32, Vec<(IpAddr, u16)>> = HashMap::new();
+    let mut proxy_for_lines: u32 = 0;
+    for line in text.lines() {
+        if let Some((dc, ip, port)) = parse_proxy_line(line) {
+            map.entry(dc).or_default().push((ip, port));
+            proxy_for_lines = proxy_for_lines.saturating_add(1);
+        }
+    }
+
+    let default_dc = text.lines().find_map(|l| {
+        let t = l.trim();
+        if let Some(rest) = t.strip_prefix("default") {
+            return rest.trim().trim_end_matches(';').parse::<i32>().ok();
+        }
+        None
+    });
+
+    ProxyConfigData {
+        map,
+        default_dc,
+        http_status,
+        proxy_for_lines,
+    }
+}
+
+pub async fn load_proxy_config_cache(path: &str) -> Result<ProxyConfigData> {
+    let text = tokio::fs::read_to_string(path).await.map_err(|e| {
+        crate::error::ProxyError::Proxy(format!("read proxy-config cache '{path}' failed: {e}"))
+    })?;
+    Ok(parse_proxy_config_text(&text, 200))
+}
+
+pub async fn save_proxy_config_cache(path: &str, raw_text: &str) -> Result<()> {
+    if let Some(parent) = Path::new(path).parent()
+        && !parent.as_os_str().is_empty()
+    {
+        tokio::fs::create_dir_all(parent).await.map_err(|e| {
+            crate::error::ProxyError::Proxy(format!(
+                "create proxy-config cache dir '{}' failed: {e}",
+                parent.display()
+            ))
+        })?;
+    }
+
+    tokio::fs::write(path, raw_text).await.map_err(|e| {
+        crate::error::ProxyError::Proxy(format!("write proxy-config cache '{path}' failed: {e}"))
+    })?;
+    Ok(())
+}
+
+pub async fn fetch_proxy_config_with_raw(url: &str) -> Result<(ProxyConfigData, String)> {
+    let resp = reqwest::get(url)
+        .await
+        .map_err(|e| crate::error::ProxyError::Proxy(format!("fetch_proxy_config GET failed: {e}")))?
+        ;
+    let http_status = resp.status().as_u16();
+
+    if let Some(date) = resp.headers().get(reqwest::header::DATE)
+        && let Ok(date_str) = date.to_str()
+        && let Ok(server_time) = httpdate::parse_http_date(date_str)
+        && let Ok(skew) = SystemTime::now().duration_since(server_time).or_else(|e| {
+            server_time.duration_since(SystemTime::now()).map_err(|_| e)
+        })
+    {
+        let skew_secs = skew.as_secs();
+        if skew_secs > 60 {
+            warn!(skew_secs, "Time skew >60s detected from fetch_proxy_config Date header");
+        } else if skew_secs > 30 {
+            warn!(skew_secs, "Time skew >30s detected from fetch_proxy_config Date header");
+        }
+    }
+
+    let text = resp
+        .text()
+        .await
+        .map_err(|e| crate::error::ProxyError::Proxy(format!("fetch_proxy_config read failed: {e}")))?;
+    let parsed = parse_proxy_config_text(&text, http_status);
+    Ok((parsed, text))
 }

 #[derive(Debug, Default)]
@@ -168,60 +252,46 @@ fn parse_proxy_line(line: &str) -> Option<(i32, IpAddr, u16)> {
 }

 pub async fn fetch_proxy_config(url: &str) -> Result<ProxyConfigData> {
-    let resp = reqwest::get(url)
+    fetch_proxy_config_with_raw(url)
        .await
-        .map_err(|e| crate::error::ProxyError::Proxy(format!("fetch_proxy_config GET failed: {e}")))?
-        ;
+        .map(|(parsed, _raw)| parsed)
+}

-    if let Some(date) = resp.headers().get(reqwest::header::DATE)
-        && let Ok(date_str) = date.to_str()
-        && let Ok(server_time) = httpdate::parse_http_date(date_str)
-        && let Ok(skew) = SystemTime::now().duration_since(server_time).or_else(|e| {
-            server_time.duration_since(SystemTime::now()).map_err(|_| e)
-        })
+fn snapshot_passes_guards(
+    cfg: &ProxyConfig,
+    snapshot: &ProxyConfigData,
+    snapshot_name: &'static str,
+) -> bool {
+    if cfg.general.me_snapshot_require_http_2xx
+        && !(200..=299).contains(&snapshot.http_status)
    {
-        let skew_secs = skew.as_secs();
-        if skew_secs > 60 {
-            warn!(skew_secs, "Time skew >60s detected from fetch_proxy_config Date header");
-        } else if skew_secs > 30 {
-            warn!(skew_secs, "Time skew >30s detected from fetch_proxy_config Date header");
-        }
+        warn!(
+            snapshot = snapshot_name,
+            http_status = snapshot.http_status,
+            "ME snapshot rejected by non-2xx HTTP status"
+        );
+        return false;
    }

-    let text = resp
-        .text()
-        .await
-        .map_err(|e| crate::error::ProxyError::Proxy(format!("fetch_proxy_config read failed: {e}")))?;
-
-    let mut map: HashMap<i32, Vec<(IpAddr, u16)>> = HashMap::new();
-    for line in text.lines() {
-        if let Some((dc, ip, port)) = parse_proxy_line(line) {
-            map.entry(dc).or_default().push((ip, port));
-        }
+    let min_proxy_for = cfg.general.me_snapshot_min_proxy_for_lines;
+    if snapshot.proxy_for_lines < min_proxy_for {
+        warn!(
+            snapshot = snapshot_name,
+            parsed_proxy_for_lines = snapshot.proxy_for_lines,
+            min_proxy_for_lines = min_proxy_for,
+            "ME snapshot rejected by proxy_for line floor"
+        );
+        return false;
    }

-    let default_dc = text
-        .lines()
-        .find_map(|l| {
-            let t = l.trim();
-            if let Some(rest) = t.strip_prefix("default") {
-                return rest
-                    .trim()
-                    .trim_end_matches(';')
-                    .parse::<i32>()
-                    .ok();
-            }
-            None
-        });
-
-    Ok(ProxyConfigData { map, default_dc })
+    true
 }

 async fn run_update_cycle(
    pool: &Arc<MePool>,
-    rng: &Arc<SecureRandom>,
    cfg: &ProxyConfig,
    state: &mut UpdaterState,
+    reinit_tx: &mpsc::Sender<MeReinitTrigger>,
 ) {
    pool.update_runtime_reinit_policy(
        cfg.general.hardswap,
@@ -232,6 +302,34 @@ async fn run_update_cycle(
        cfg.general.me_hardswap_warmup_delay_max_ms,
        cfg.general.me_hardswap_warmup_extra_passes,
        cfg.general.me_hardswap_warmup_pass_backoff_base_ms,
+        cfg.general.me_bind_stale_mode,
+        cfg.general.me_bind_stale_ttl_secs,
+        cfg.general.me_secret_atomic_snapshot,
+        cfg.general.me_deterministic_writer_sort,
+        cfg.general.me_writer_pick_mode,
+        cfg.general.me_writer_pick_sample_size,
+        cfg.general.me_single_endpoint_shadow_writers,
+        cfg.general.me_single_endpoint_outage_mode_enabled,
+        cfg.general.me_single_endpoint_outage_disable_quarantine,
+        cfg.general.me_single_endpoint_outage_backoff_min_ms,
+        cfg.general.me_single_endpoint_outage_backoff_max_ms,
+        cfg.general.me_single_endpoint_shadow_rotate_every_secs,
+        cfg.general.me_floor_mode,
+        cfg.general.me_adaptive_floor_idle_secs,
+        cfg.general.me_adaptive_floor_min_writers_single_endpoint,
+        cfg.general.me_adaptive_floor_min_writers_multi_endpoint,
+        cfg.general.me_adaptive_floor_recover_grace_secs,
+        cfg.general.me_adaptive_floor_writers_per_core_total,
+        cfg.general.me_adaptive_floor_cpu_cores_override,
+        cfg.general.me_adaptive_floor_max_extra_writers_single_per_core,
+        cfg.general.me_adaptive_floor_max_extra_writers_multi_per_core,
+        cfg.general.me_adaptive_floor_max_active_writers_per_core,
+        cfg.general.me_adaptive_floor_max_warm_writers_per_core,
+        cfg.general.me_adaptive_floor_max_active_writers_global,
+        cfg.general.me_adaptive_floor_max_warm_writers_global,
+        cfg.general.me_health_interval_ms_unhealthy,
+        cfg.general.me_health_interval_ms_healthy,
+        cfg.general.me_warn_rate_limit_ms,
    );

    let required_cfg_snapshots = cfg.general.me_config_stable_snapshots.max(1);
@@ -242,44 +340,48 @@ async fn run_update_cycle(
    let mut ready_v4: Option<(ProxyConfigData, u64)> = None;
    let cfg_v4 = retry_fetch("https://core.telegram.org/getProxyConfig").await;
    if let Some(cfg_v4) = cfg_v4 {
-        let cfg_v4_hash = hash_proxy_config(&cfg_v4);
-        let stable_hits = state.config_v4.observe(cfg_v4_hash);
-        if stable_hits < required_cfg_snapshots {
-            debug!(
-                stable_hits,
-                required_cfg_snapshots,
-                snapshot = format_args!("0x{cfg_v4_hash:016x}"),
-                "ME config v4 candidate observed"
-            );
-        } else if state.config_v4.is_applied(cfg_v4_hash) {
-            debug!(
-                snapshot = format_args!("0x{cfg_v4_hash:016x}"),
-                "ME config v4 stable snapshot already applied"
-            );
-        } else {
-            ready_v4 = Some((cfg_v4, cfg_v4_hash));
+        if snapshot_passes_guards(cfg, &cfg_v4, "getProxyConfig") {
+            let cfg_v4_hash = hash_proxy_config(&cfg_v4);
+            let stable_hits = state.config_v4.observe(cfg_v4_hash);
+            if stable_hits < required_cfg_snapshots {
+                debug!(
+                    stable_hits,
+                    required_cfg_snapshots,
+                    snapshot = format_args!("0x{cfg_v4_hash:016x}"),
+                    "ME config v4 candidate observed"
+                );
+            } else if state.config_v4.is_applied(cfg_v4_hash) {
+                debug!(
+                    snapshot = format_args!("0x{cfg_v4_hash:016x}"),
+                    "ME config v4 stable snapshot already applied"
+                );
+            } else {
+                ready_v4 = Some((cfg_v4, cfg_v4_hash));
+            }
        }
    }

    let mut ready_v6: Option<(ProxyConfigData, u64)> = None;
    let cfg_v6 = retry_fetch("https://core.telegram.org/getProxyConfigV6").await;
    if let Some(cfg_v6) = cfg_v6 {
-        let cfg_v6_hash = hash_proxy_config(&cfg_v6);
-        let stable_hits = state.config_v6.observe(cfg_v6_hash);
-        if stable_hits < required_cfg_snapshots {
-            debug!(
-                stable_hits,
-                required_cfg_snapshots,
-                snapshot = format_args!("0x{cfg_v6_hash:016x}"),
-                "ME config v6 candidate observed"
-            );
-        } else if state.config_v6.is_applied(cfg_v6_hash) {
-            debug!(
-                snapshot = format_args!("0x{cfg_v6_hash:016x}"),
-                "ME config v6 stable snapshot already applied"
-            );
-        } else {
-            ready_v6 = Some((cfg_v6, cfg_v6_hash));
+        if snapshot_passes_guards(cfg, &cfg_v6, "getProxyConfigV6") {
+            let cfg_v6_hash = hash_proxy_config(&cfg_v6);
+            let stable_hits = state.config_v6.observe(cfg_v6_hash);
+            if stable_hits < required_cfg_snapshots {
+                debug!(
+                    stable_hits,
+                    required_cfg_snapshots,
+                    snapshot = format_args!("0x{cfg_v6_hash:016x}"),
+                    "ME config v6 candidate observed"
+                );
+            } else if state.config_v6.is_applied(cfg_v6_hash) {
+                debug!(
+                    snapshot = format_args!("0x{cfg_v6_hash:016x}"),
+                    "ME config v6 stable snapshot already applied"
+                );
+            } else {
+                ready_v6 = Some((cfg_v6, cfg_v6_hash));
+            }
        }
    }

@@ -292,28 +394,40 @@ async fn run_update_cycle(
            let update_v6 = ready_v6
                .as_ref()
                .map(|(snapshot, _)| snapshot.map.clone());
-
-            let changed = pool.update_proxy_maps(update_v4, update_v6).await;
-
-            if let Some((snapshot, hash)) = ready_v4 {
-                if let Some(dc) = snapshot.default_dc {
-                    pool.default_dc
-                        .store(dc, std::sync::atomic::Ordering::Relaxed);
-                }
-                state.config_v4.mark_applied(hash);
-            }
-
-            if let Some((_snapshot, hash)) = ready_v6 {
-                state.config_v6.mark_applied(hash);
-            }
-
-            state.last_map_apply_at = Some(tokio::time::Instant::now());
-
-            if changed {
-                maps_changed = true;
-                info!("ME config update applied after stable-gate");
+            let update_is_empty =
+                update_v4.is_empty() && update_v6.as_ref().is_none_or(|v| v.is_empty());
+            let apply_outcome = if update_is_empty && !cfg.general.me_snapshot_reject_empty_map {
+                super::pool_config::SnapshotApplyOutcome::AppliedNoDelta
            } else {
-                debug!("ME config stable-gate applied with no map delta");
+                pool.update_proxy_maps(update_v4, update_v6).await
+            };
+
+            if matches!(
+                apply_outcome,
+                super::pool_config::SnapshotApplyOutcome::RejectedEmpty
+            ) {
+                warn!("ME config stable snapshot rejected (empty endpoint map)");
+            } else {
+                if let Some((snapshot, hash)) = ready_v4 {
+                    if let Some(dc) = snapshot.default_dc {
+                        pool.default_dc
+                            .store(dc, std::sync::atomic::Ordering::Relaxed);
+                    }
+                    state.config_v4.mark_applied(hash);
+                }
+
+                if let Some((_snapshot, hash)) = ready_v6 {
+                    state.config_v6.mark_applied(hash);
+                }
+
+                state.last_map_apply_at = Some(tokio::time::Instant::now());
+
+                if apply_outcome.changed() {
+                    maps_changed = true;
+                    info!("ME config update applied after stable-gate");
+                } else {
+                    debug!("ME config stable-gate applied with no map delta");
+                }
            }
        } else if let Some(last) = state.last_map_apply_at {
            let wait_secs = map_apply_cooldown_remaining_secs(last, apply_cooldown);
@@ -325,8 +439,7 @@ async fn run_update_cycle(
    }

    if maps_changed {
-        pool.zero_downtime_reinit_after_map_change(rng.as_ref())
-            .await;
+        enqueue_reinit_trigger(reinit_tx, MeReinitTrigger::MapChanged);
    }

    pool.reset_stun_state();
@@ -367,8 +480,8 @@ async fn run_update_cycle(

 pub async fn me_config_updater(
    pool: Arc<MePool>,
-    rng: Arc<SecureRandom>,
    mut config_rx: watch::Receiver<Arc<ProxyConfig>>,
+    reinit_tx: mpsc::Sender<MeReinitTrigger>,
 ) {
    let mut state = UpdaterState::default();
    let mut update_every_secs = config_rx
@@ -387,7 +500,7 @@ pub async fn me_config_updater(
        tokio::select! {
            _ = &mut sleep => {
                let cfg = config_rx.borrow().clone();
-                run_update_cycle(&pool, &rng, cfg.as_ref(), &mut state).await;
+                run_update_cycle(&pool, cfg.as_ref(), &mut state, &reinit_tx).await;
                let refreshed_secs = cfg.general.effective_update_every_secs().max(1);
                if refreshed_secs != update_every_secs {
                    info!(
@@ -415,6 +528,34 @@ pub async fn me_config_updater(
                    cfg.general.me_hardswap_warmup_delay_max_ms,
                    cfg.general.me_hardswap_warmup_extra_passes,
                    cfg.general.me_hardswap_warmup_pass_backoff_base_ms,
+                    cfg.general.me_bind_stale_mode,
+                    cfg.general.me_bind_stale_ttl_secs,
+                    cfg.general.me_secret_atomic_snapshot,
+                    cfg.general.me_deterministic_writer_sort,
+                    cfg.general.me_writer_pick_mode,
+                    cfg.general.me_writer_pick_sample_size,
+                    cfg.general.me_single_endpoint_shadow_writers,
+                    cfg.general.me_single_endpoint_outage_mode_enabled,
+                    cfg.general.me_single_endpoint_outage_disable_quarantine,
+                    cfg.general.me_single_endpoint_outage_backoff_min_ms,
+                    cfg.general.me_single_endpoint_outage_backoff_max_ms,
+                    cfg.general.me_single_endpoint_shadow_rotate_every_secs,
+                    cfg.general.me_floor_mode,
+                    cfg.general.me_adaptive_floor_idle_secs,
+                    cfg.general.me_adaptive_floor_min_writers_single_endpoint,
+                    cfg.general.me_adaptive_floor_min_writers_multi_endpoint,
+                    cfg.general.me_adaptive_floor_recover_grace_secs,
+                    cfg.general.me_adaptive_floor_writers_per_core_total,
+                    cfg.general.me_adaptive_floor_cpu_cores_override,
+                    cfg.general.me_adaptive_floor_max_extra_writers_single_per_core,
+                    cfg.general.me_adaptive_floor_max_extra_writers_multi_per_core,
+                    cfg.general.me_adaptive_floor_max_active_writers_per_core,
+                    cfg.general.me_adaptive_floor_max_warm_writers_per_core,
+                    cfg.general.me_adaptive_floor_max_active_writers_global,
+                    cfg.general.me_adaptive_floor_max_warm_writers_global,
+                    cfg.general.me_health_interval_ms_unhealthy,
+                    cfg.general.me_health_interval_ms_healthy,
+                    cfg.general.me_warn_rate_limit_ms,
                );
                let new_secs = cfg.general.effective_update_every_secs().max(1);
                if new_secs == update_every_secs {
@@ -429,7 +570,7 @@ pub async fn me_config_updater(
                    );
                    update_every_secs = new_secs;
                    update_every = Duration::from_secs(update_every_secs);
-                    run_update_cycle(&pool, &rng, cfg.as_ref(), &mut state).await;
+                    run_update_cycle(&pool, cfg.as_ref(), &mut state, &reinit_tx).await;
                    next_tick = tokio::time::Instant::now() + update_every;
                } else {
                    info!(
--- a/src/transport/middle_proxy/handshake.rs
+++ b/src/transport/middle_proxy/handshake.rs
@@ -1,5 +1,8 @@
 use std::net::{IpAddr, SocketAddr};
+use std::sync::atomic::Ordering;
 use std::time::{Duration, Instant};
+use std::collections::hash_map::DefaultHasher;
+use std::hash::{Hash, Hasher};
 use socket2::{SockRef, TcpKeepalive};
 #[cfg(target_os = "linux")]
 use libc;
@@ -14,13 +17,16 @@ use tokio::net::{TcpStream, TcpSocket};
 use tokio::time::timeout;
 use tracing::{debug, info, warn};

+use crate::config::MeSocksKdfPolicy;
 use crate::crypto::{SecureRandom, build_middleproxy_prekey, derive_middleproxy_keys, sha256};
 use crate::error::{ProxyError, Result};
 use crate::network::IpFamily;
+use crate::network::probe::is_bogon;
 use crate::protocol::constants::{
    ME_CONNECT_TIMEOUT_SECS, ME_HANDSHAKE_TIMEOUT_SECS, RPC_CRYPTO_AES_U32,
    RPC_HANDSHAKE_ERROR_U32, rpc_crypto_flags,
 };
+use crate::transport::{UpstreamEgressInfo, UpstreamRouteKind};

 use super::codec::{
    RpcChecksumMode, build_handshake_payload, build_nonce_payload, build_rpc_frame,
@@ -30,6 +36,24 @@ use super::codec::{
 use super::wire::{extract_ip_material, IpMaterial};
 use super::MePool;

+const ME_KDF_DRIFT_STRICT: bool = false;
+
+#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
+enum KdfClientPortSource {
+    LocalSocket = 0,
+    SocksBound = 1,
+}
+
+impl KdfClientPortSource {
+    fn from_socks_bound_port(socks_bound_port: Option<u16>) -> Self {
+        if socks_bound_port.is_some() {
+            Self::SocksBound
+        } else {
+            Self::LocalSocket
+        }
+    }
+}
+
 /// Result of a successful ME handshake with timings.
 pub(crate) struct HandshakeOutput {
    pub rd: ReadHalf<TcpStream>,
@@ -43,33 +67,115 @@ pub(crate) struct HandshakeOutput {
 }

 impl MePool {
+    fn kdf_material_fingerprint(
+        local_ip_nat: IpAddr,
+        peer_addr_nat: SocketAddr,
+        reflected_ip: Option<IpAddr>,
+        socks_bound_ip: Option<IpAddr>,
+        client_port_source: KdfClientPortSource,
+    ) -> u64 {
+        let mut hasher = DefaultHasher::new();
+        local_ip_nat.hash(&mut hasher);
+        peer_addr_nat.hash(&mut hasher);
+        reflected_ip.hash(&mut hasher);
+        socks_bound_ip.hash(&mut hasher);
+        client_port_source.hash(&mut hasher);
+        hasher.finish()
+    }
+
+    async fn resolve_dc_idx_for_endpoint(&self, addr: SocketAddr) -> Option<i16> {
+        i16::try_from(self.resolve_dc_for_endpoint(addr).await).ok()
+    }
+
+    fn direct_bind_ip_for_stun(
+        family: IpFamily,
+        upstream_egress: Option<UpstreamEgressInfo>,
+    ) -> Option<IpAddr> {
+        let info = upstream_egress?;
+        if info.route_kind != UpstreamRouteKind::Direct {
+            return None;
+        }
+        match (family, info.direct_bind_ip) {
+            (IpFamily::V4, Some(IpAddr::V4(ip))) => Some(IpAddr::V4(ip)),
+            (IpFamily::V6, Some(IpAddr::V6(ip))) => Some(IpAddr::V6(ip)),
+            _ => None,
+        }
+    }
+
+    fn select_socks_bound_addr(
+        family: IpFamily,
+        upstream_egress: Option<UpstreamEgressInfo>,
+    ) -> Option<SocketAddr> {
+        let info = upstream_egress?;
+        if !matches!(
+            info.route_kind,
+            UpstreamRouteKind::Socks4 | UpstreamRouteKind::Socks5
+        ) {
+            return None;
+        }
+        let bound = info.socks_bound_addr?;
+        let family_matches = matches!(
+            (family, bound.ip()),
+            (IpFamily::V4, IpAddr::V4(_)) | (IpFamily::V6, IpAddr::V6(_))
+        );
+        if !family_matches || is_bogon(bound.ip()) || bound.ip().is_unspecified() {
+            return None;
+        }
+        Some(bound)
+    }
+
+    fn is_socks_route(upstream_egress: Option<UpstreamEgressInfo>) -> bool {
+        matches!(
+            upstream_egress.map(|info| info.route_kind),
+            Some(UpstreamRouteKind::Socks4 | UpstreamRouteKind::Socks5)
+        )
+    }
+
    /// TCP connect with timeout + return RTT in milliseconds.
-    pub(crate) async fn connect_tcp(&self, addr: SocketAddr) -> Result<(TcpStream, f64)> {
+    pub(crate) async fn connect_tcp(
+        &self,
+        addr: SocketAddr,
+        dc_idx_override: Option<i16>,
+    ) -> Result<(TcpStream, f64, Option<UpstreamEgressInfo>)> {
        let start = Instant::now();
-        let connect_fut = async {
-            if addr.is_ipv6()
-                && let Some(v6) = self.detected_ipv6
-            {
-                match TcpSocket::new_v6() {
-                    Ok(sock) => {
-                        if let Err(e) = sock.bind(SocketAddr::new(IpAddr::V6(v6), 0)) {
-                            debug!(error = %e, bind_ip = %v6, "ME IPv6 bind failed, falling back to default bind");
-                        } else {
-                            match sock.connect(addr).await {
-                                Ok(stream) => return Ok(stream),
-                                Err(e) => debug!(error = %e, target = %addr, "ME IPv6 bound connect failed, retrying default connect"),
+        let (stream, upstream_egress) = if let Some(upstream) = &self.upstream {
+            let dc_idx = if let Some(dc_idx) = dc_idx_override {
+                Some(dc_idx)
+            } else {
+                self.resolve_dc_idx_for_endpoint(addr).await
+            };
+            let (stream, egress) = upstream.connect_with_details(addr, dc_idx, None).await?;
+            (stream, Some(egress))
+        } else {
+            let connect_fut = async {
+                if addr.is_ipv6()
+                    && let Some(v6) = self.detected_ipv6
+                {
+                    match TcpSocket::new_v6() {
+                        Ok(sock) => {
+                            if let Err(e) = sock.bind(SocketAddr::new(IpAddr::V6(v6), 0)) {
+                                debug!(error = %e, bind_ip = %v6, "ME IPv6 bind failed, falling back to default bind");
+                            } else {
+                                match sock.connect(addr).await {
+                                    Ok(stream) => return Ok(stream),
+                                    Err(e) => debug!(error = %e, target = %addr, "ME IPv6 bound connect failed, retrying default connect"),
+                                }
                            }
                        }
+                        Err(e) => debug!(error = %e, "ME IPv6 socket creation failed, falling back to default connect"),
                    }
-                    Err(e) => debug!(error = %e, "ME IPv6 socket creation failed, falling back to default connect"),
                }
-            }
-            TcpStream::connect(addr).await
+                TcpStream::connect(addr).await
+            };
+
+            let stream = timeout(Duration::from_secs(ME_CONNECT_TIMEOUT_SECS), connect_fut)
+                .await
+                .map_err(|_| ProxyError::ConnectionTimeout {
+                    addr: addr.to_string(),
+                })??;
+            (stream, None)
        };

-        let stream = timeout(Duration::from_secs(ME_CONNECT_TIMEOUT_SECS), connect_fut)
-            .await
-            .map_err(|_| ProxyError::ConnectionTimeout { addr: addr.to_string() })??;
        let connect_ms = start.elapsed().as_secs_f64() * 1000.0;
        stream.set_nodelay(true).ok();
        if let Err(e) = Self::configure_keepalive(&stream) {
@@ -79,7 +185,7 @@ impl MePool {
        if let Err(e) = Self::configure_user_timeout(stream.as_raw_fd()) {
            warn!(error = %e, "ME TCP_USER_TIMEOUT setup failed");
        }
-        Ok((stream, connect_ms))
+        Ok((stream, connect_ms, upstream_egress))
    }

    fn configure_keepalive(stream: &TcpStream) -> std::io::Result<()> {
@@ -117,12 +223,14 @@ impl MePool {
        &self,
        stream: TcpStream,
        addr: SocketAddr,
+        upstream_egress: Option<UpstreamEgressInfo>,
        rng: &SecureRandom,
    ) -> Result<HandshakeOutput> {
        let hs_start = Instant::now();

        let local_addr = stream.local_addr().map_err(ProxyError::Io)?;
-        let peer_addr = stream.peer_addr().map_err(ProxyError::Io)?;
+        let transport_peer_addr = stream.peer_addr().map_err(ProxyError::Io)?;
+        let peer_addr = addr;

        let _ = self.maybe_detect_nat_ip(local_addr.ip()).await;
        let family = if local_addr.ip().is_ipv4() {
@@ -130,8 +238,32 @@ impl MePool {
        } else {
            IpFamily::V6
        };
-        let reflected = if self.nat_probe {
-            self.maybe_reflect_public_addr(family).await
+        let is_socks_route = Self::is_socks_route(upstream_egress);
+        let socks_bound_addr = Self::select_socks_bound_addr(family, upstream_egress);
+        let reflected = if let Some(bound) = socks_bound_addr {
+            Some(bound)
+        } else if is_socks_route {
+            match self.socks_kdf_policy() {
+                MeSocksKdfPolicy::Strict => {
+                    self.stats.increment_me_socks_kdf_strict_reject();
+                    return Err(ProxyError::InvalidHandshake(
+                        "SOCKS route returned no valid BND.ADDR for ME KDF (strict policy)"
+                            .to_string(),
+                    ));
+                }
+                MeSocksKdfPolicy::Compat => {
+                    self.stats.increment_me_socks_kdf_compat_fallback();
+                    if self.nat_probe {
+                        let bind_ip = Self::direct_bind_ip_for_stun(family, upstream_egress);
+                        self.maybe_reflect_public_addr(family, bind_ip).await
+                    } else {
+                        None
+                    }
+                }
+            }
+        } else if self.nat_probe {
+            let bind_ip = Self::direct_bind_ip_for_stun(family, upstream_egress);
+            self.maybe_reflect_public_addr(family, bind_ip).await
        } else {
            None
        };
@@ -146,7 +278,16 @@ impl MePool {
            .unwrap_or_default()
            .as_secs() as u32;

-        let ks = self.key_selector().await;
+        let secret_atomic_snapshot = self.secret_atomic_snapshot.load(Ordering::Relaxed);
+        let (ks, secret) = if secret_atomic_snapshot {
+            let snapshot = self.secret_snapshot().await;
+            (snapshot.key_selector, snapshot.secret)
+        } else {
+            // Backward-compatible mode: key selector and secret may come from different updates.
+            let key_selector = self.key_selector().await;
+            let secret = self.secret_snapshot().await.secret;
+            (key_selector, secret)
+        };
        let nonce_payload = build_nonce_payload(ks, crypto_ts, &my_nonce);
        let nonce_frame = build_rpc_frame(-2, &nonce_payload, RpcChecksumMode::Crc32);
        let dump = hex_dump(&nonce_frame[..nonce_frame.len().min(44)]);
@@ -197,7 +338,9 @@ impl MePool {
            %local_addr_nat,
            reflected_ip = reflected.map(|r| r.ip()).as_ref().map(ToString::to_string),
            %peer_addr,
+            %transport_peer_addr,
            %peer_addr_nat,
+            socks_bound_addr = socks_bound_addr.map(|v| v.to_string()),
            key_selector = format_args!("0x{ks:08x}"),
            crypto_schema = format_args!("0x{schema:08x}"),
            skew_secs = skew,
@@ -206,7 +349,56 @@ impl MePool {

        let ts_bytes = crypto_ts.to_le_bytes();
        let server_port_bytes = peer_addr_nat.port().to_le_bytes();
-        let client_port_bytes = local_addr_nat.port().to_le_bytes();
+        let socks_bound_port = socks_bound_addr
+            .map(|bound| bound.port())
+            .filter(|port| *port != 0);
+        let client_port_for_kdf = socks_bound_port.unwrap_or(local_addr_nat.port());
+        let client_port_source = KdfClientPortSource::from_socks_bound_port(socks_bound_port);
+        let kdf_fingerprint = Self::kdf_material_fingerprint(
+            local_addr_nat.ip(),
+            peer_addr_nat,
+            reflected.map(|value| value.ip()),
+            socks_bound_addr.map(|value| value.ip()),
+            client_port_source,
+        );
+        let previous_kdf_fingerprint = {
+            let kdf_fingerprint_guard = self.kdf_material_fingerprint.read().await;
+            kdf_fingerprint_guard.get(&peer_addr_nat).copied()
+        };
+        if let Some((prev_fingerprint, prev_client_port)) = previous_kdf_fingerprint
+        {
+            if prev_fingerprint != kdf_fingerprint {
+                self.stats.increment_me_kdf_drift_total();
+                warn!(
+                    %peer_addr_nat,
+                    %local_addr_nat,
+                    client_port_for_kdf,
+                    client_port_source = ?client_port_source,
+                    "ME KDF material drift detected for endpoint"
+                );
+                if ME_KDF_DRIFT_STRICT {
+                    return Err(ProxyError::InvalidHandshake(
+                        "ME KDF material drift detected (strict mode)".to_string(),
+                    ));
+                }
+            } else if prev_client_port != client_port_for_kdf {
+                self.stats.increment_me_kdf_port_only_drift_total();
+                debug!(
+                    %peer_addr_nat,
+                    previous_client_port_for_kdf = prev_client_port,
+                    client_port_for_kdf,
+                    client_port_source = ?client_port_source,
+                    "ME KDF client port changed with stable material"
+                );
+            }
+        }
+        // Keep fingerprint updates eventually consistent for diagnostics while avoiding
+        // serializing all concurrent handshakes on a single async mutex.
+        let mut kdf_fingerprint_guard = self.kdf_material_fingerprint.write().await;
+        kdf_fingerprint_guard.insert(peer_addr_nat, (kdf_fingerprint, client_port_for_kdf));
+        drop(kdf_fingerprint_guard);
+
+        let client_port_bytes = client_port_for_kdf.to_le_bytes();

        let server_ip = extract_ip_material(peer_addr_nat);
        let client_ip = extract_ip_material(local_addr_nat);
@@ -230,8 +422,6 @@ impl MePool {

        let diag_level: u8 = std::env::var("ME_DIAG").ok().and_then(|v| v.parse().ok()).unwrap_or(0);

-        let secret: Vec<u8> = self.proxy_secret.read().await.clone();
-
        let prekey_client = build_middleproxy_prekey(
            &srv_nonce,
            &my_nonce,
@@ -405,6 +595,8 @@ impl MePool {
                    } else {
                        -1
                    };
+                    self.stats.increment_me_handshake_reject_total();
+                    self.stats.increment_me_handshake_error_code(err_code);
                    return Err(ProxyError::InvalidHandshake(format!(
                        "ME rejected handshake (error={err_code})"
                    )));
--- a/src/transport/middle_proxy/health.rs
+++ b/src/transport/middle_proxy/health.rs
--- a/src/transport/middle_proxy/mod.rs
+++ b/src/transport/middle_proxy/mod.rs
@@ -10,6 +10,7 @@ mod pool_init;
 mod pool_nat;
 mod pool_refill;
 mod pool_reinit;
+mod pool_runtime_api;
 mod pool_writer;
 mod ping;
 mod reader;
@@ -18,19 +19,24 @@ mod rotation;
 mod send;
 mod secret;
 mod wire;
+mod pool_status;

 use bytes::Bytes;

 pub use health::me_health_monitor;
 #[allow(unused_imports)]
-pub use ping::{run_me_ping, format_sample_line, MePingReport, MePingSample, MePingFamily};
+pub use ping::{run_me_ping, format_sample_line, format_me_route, MePingReport, MePingSample, MePingFamily};
 pub use pool::MePool;
 #[allow(unused_imports)]
 pub use pool_nat::{stun_probe, detect_public_ip};
 pub use registry::ConnRegistry;
 pub use secret::fetch_proxy_secret;
-pub use config_updater::{fetch_proxy_config, me_config_updater};
-pub use rotation::me_rotation_task;
+#[allow(unused_imports)]
+pub use config_updater::{
+    ProxyConfigData, fetch_proxy_config, fetch_proxy_config_with_raw, load_proxy_config_cache,
+    me_config_updater, save_proxy_config_cache,
+};
+pub use rotation::{MeReinitTrigger, me_reinit_scheduler, me_rotation_task};
 pub use wire::proto_flags_for_tag;

 #[derive(Debug)]
--- a/src/transport/middle_proxy/ping.rs
+++ b/src/transport/middle_proxy/ping.rs
@@ -2,8 +2,12 @@ use std::collections::HashMap;
 use std::net::{IpAddr, SocketAddr};
 use std::sync::Arc;

+use tokio::net::UdpSocket;
+
+use crate::config::{UpstreamConfig, UpstreamType};
 use crate::crypto::SecureRandom;
 use crate::error::ProxyError;
+use crate::transport::{UpstreamEgressInfo, UpstreamRouteKind};

 use super::MePool;

@@ -17,6 +21,7 @@ pub enum MePingFamily {
 pub struct MePingSample {
    pub dc: i32,
    pub addr: SocketAddr,
+    pub route: Option<String>,
    pub connect_ms: Option<f64>,
    pub handshake_ms: Option<f64>,
    pub error: Option<String>,
@@ -50,6 +55,208 @@ pub fn format_sample_line(sample: &MePingSample) -> String {
    }
 }

+fn format_direct_with_config(
+    interface: &Option<String>,
+    bind_addresses: &Option<Vec<String>>,
+) -> Option<String> {
+    let mut direct_parts: Vec<String> = Vec::new();
+    if let Some(dev) = interface.as_deref().filter(|v| !v.is_empty()) {
+        direct_parts.push(format!("dev={dev}"));
+    }
+    if let Some(src) = bind_addresses.as_ref().filter(|v| !v.is_empty()) {
+        direct_parts.push(format!("src={}", src.join(",")));
+    }
+    if direct_parts.is_empty() {
+        None
+    } else {
+        Some(format!("direct {}", direct_parts.join(" ")))
+    }
+}
+
+fn pick_target_for_family(reports: &[MePingReport], family: MePingFamily) -> Option<SocketAddr> {
+    reports.iter().find_map(|report| {
+        if report.family != family {
+            return None;
+        }
+        report
+            .samples
+            .iter()
+            .find(|s| s.error.is_none() && s.handshake_ms.is_some())
+            .map(|s| s.addr)
+    })
+}
+
+fn route_from_egress(egress: Option<UpstreamEgressInfo>) -> Option<String> {
+    let info = egress?;
+    match info.route_kind {
+        UpstreamRouteKind::Direct => {
+            let src_ip = info
+                .direct_bind_ip
+                .or_else(|| info.local_addr.map(|addr| addr.ip()));
+            let ip = src_ip?;
+            let mut parts = Vec::new();
+            if let Some(dev) = detect_interface_for_ip(ip) {
+                parts.push(format!("dev={dev}"));
+            }
+            parts.push(format!("src={ip}"));
+            Some(format!("direct {}", parts.join(" ")))
+        }
+        UpstreamRouteKind::Socks4 => {
+            let route = info
+                .socks_proxy_addr
+                .map(|addr| format!("socks4://{addr}"))
+                .unwrap_or_else(|| "socks4://unknown".to_string());
+            Some(match info.socks_bound_addr {
+                Some(bound) => format!("{route} bnd={bound}"),
+                None => route,
+            })
+        }
+        UpstreamRouteKind::Socks5 => {
+            let route = info
+                .socks_proxy_addr
+                .map(|addr| format!("socks5://{addr}"))
+                .unwrap_or_else(|| "socks5://unknown".to_string());
+            Some(match info.socks_bound_addr {
+                Some(bound) => format!("{route} bnd={bound}"),
+                None => route,
+            })
+        }
+    }
+}
+
+#[cfg(unix)]
+fn detect_interface_for_ip(ip: IpAddr) -> Option<String> {
+    use nix::ifaddrs::getifaddrs;
+
+    if let Ok(addrs) = getifaddrs() {
+        for iface in addrs {
+            if let Some(address) = iface.address {
+                if let Some(v4) = address.as_sockaddr_in() {
+                    if IpAddr::V4(v4.ip()) == ip {
+                        return Some(iface.interface_name);
+                    }
+                } else if let Some(v6) = address.as_sockaddr_in6() {
+                    if IpAddr::V6(v6.ip()) == ip {
+                        return Some(iface.interface_name);
+                    }
+                }
+            }
+        }
+    }
+    None
+}
+
+#[cfg(not(unix))]
+fn detect_interface_for_ip(_ip: IpAddr) -> Option<String> {
+    None
+}
+
+async fn detect_direct_route_details(
+    reports: &[MePingReport],
+    prefer_ipv6: bool,
+    v4_ok: bool,
+    v6_ok: bool,
+) -> Option<String> {
+    let target_addr = if prefer_ipv6 && v6_ok {
+        pick_target_for_family(reports, MePingFamily::V6)
+            .or_else(|| pick_target_for_family(reports, MePingFamily::V4))
+    } else if v4_ok {
+        pick_target_for_family(reports, MePingFamily::V4)
+            .or_else(|| pick_target_for_family(reports, MePingFamily::V6))
+    } else {
+        pick_target_for_family(reports, MePingFamily::V6)
+            .or_else(|| pick_target_for_family(reports, MePingFamily::V4))
+    }?;
+
+    let local_ip = if target_addr.is_ipv4() {
+        let sock = UdpSocket::bind("0.0.0.0:0").await.ok()?;
+        sock.connect(target_addr).await.ok()?;
+        sock.local_addr().ok().map(|a| a.ip())
+    } else {
+        let sock = UdpSocket::bind("[::]:0").await.ok()?;
+        sock.connect(target_addr).await.ok()?;
+        sock.local_addr().ok().map(|a| a.ip())
+    };
+
+    let mut parts = Vec::new();
+    if let Some(ip) = local_ip {
+        if let Some(dev) = detect_interface_for_ip(ip) {
+            parts.push(format!("dev={dev}"));
+        }
+        parts.push(format!("src={ip}"));
+    }
+
+    if parts.is_empty() {
+        None
+    } else {
+        Some(format!("direct {}", parts.join(" ")))
+    }
+}
+
+pub async fn format_me_route(
+    upstreams: &[UpstreamConfig],
+    reports: &[MePingReport],
+    prefer_ipv6: bool,
+    v4_ok: bool,
+    v6_ok: bool,
+) -> String {
+    if let Some(route) = reports
+        .iter()
+        .flat_map(|report| report.samples.iter())
+        .find(|sample| sample.error.is_none() && sample.handshake_ms.is_some())
+        .and_then(|sample| sample.route.clone())
+    {
+        return route;
+    }
+
+    let enabled_upstreams: Vec<_> = upstreams.iter().filter(|u| u.enabled).collect();
+    if enabled_upstreams.is_empty() {
+        return detect_direct_route_details(reports, prefer_ipv6, v4_ok, v6_ok)
+            .await
+            .unwrap_or_else(|| "direct".to_string());
+    }
+
+    if enabled_upstreams.len() == 1 {
+        return match &enabled_upstreams[0].upstream_type {
+            UpstreamType::Direct {
+                interface,
+                bind_addresses,
+            } => {
+                if let Some(route) = format_direct_with_config(interface, bind_addresses) {
+                    route
+                } else {
+                    detect_direct_route_details(reports, prefer_ipv6, v4_ok, v6_ok)
+                        .await
+                        .unwrap_or_else(|| "direct".to_string())
+                }
+            }
+            UpstreamType::Socks4 { address, .. } => format!("socks4://{address}"),
+            UpstreamType::Socks5 { address, .. } => format!("socks5://{address}"),
+        };
+    }
+
+    let has_direct = enabled_upstreams
+        .iter()
+        .any(|u| matches!(u.upstream_type, UpstreamType::Direct { .. }));
+    let has_socks4 = enabled_upstreams
+        .iter()
+        .any(|u| matches!(u.upstream_type, UpstreamType::Socks4 { .. }));
+    let has_socks5 = enabled_upstreams
+        .iter()
+        .any(|u| matches!(u.upstream_type, UpstreamType::Socks5 { .. }));
+    let mut kinds = Vec::new();
+    if has_direct {
+        kinds.push("direct");
+    }
+    if has_socks4 {
+        kinds.push("socks4");
+    }
+    if has_socks5 {
+        kinds.push("socks5");
+    }
+    format!("mixed upstreams ({})", kinds.join(", "))
+}
+
 #[cfg(test)]
 mod tests {
    use super::*;
@@ -64,6 +271,7 @@ mod tests {
        let s = sample(MePingSample {
            dc: 4,
            addr: SocketAddr::new(IpAddr::V4(Ipv4Addr::new(1, 2, 3, 4)), 8888),
+            route: Some("direct src=1.2.3.4".to_string()),
            connect_ms: Some(12.3),
            handshake_ms: Some(34.7),
            error: None,
@@ -80,6 +288,7 @@ mod tests {
        let s = sample(MePingSample {
            dc: -5,
            addr: SocketAddr::new(IpAddr::V4(Ipv4Addr::new(5, 6, 7, 8)), 80),
+            route: Some("socks5".to_string()),
            connect_ms: Some(10.0),
            handshake_ms: None,
            error: Some("handshake timeout".to_string()),
@@ -120,11 +329,13 @@ pub async fn run_me_ping(pool: &Arc<MePool>, rng: &SecureRandom) -> Vec<MePingRe
            let mut connect_ms = None;
            let mut handshake_ms = None;
            let mut error = None;
+            let mut route = None;

-            match pool.connect_tcp(addr).await {
-                Ok((stream, conn_rtt)) => {
+            match pool.connect_tcp(addr, None).await {
+                Ok((stream, conn_rtt, upstream_egress)) => {
                    connect_ms = Some(conn_rtt);
-                    match pool.handshake_only(stream, addr, rng).await {
+                    route = route_from_egress(upstream_egress);
+                    match pool.handshake_only(stream, addr, upstream_egress, rng).await {
                        Ok(hs) => {
                            handshake_ms = Some(hs.handshake_ms);
                            // drop halves to close
@@ -144,6 +355,7 @@ pub async fn run_me_ping(pool: &Arc<MePool>, rng: &SecureRandom) -> Vec<MePingRe
            samples.push(MePingSample {
                dc,
                addr,
+                route,
                connect_ms,
                handshake_ms,
                error,
--- a/src/transport/middle_proxy/pool.rs
+++ b/src/transport/middle_proxy/pool.rs
--- a/src/transport/middle_proxy/pool_config.rs
+++ b/src/transport/middle_proxy/pool_config.rs
@@ -7,12 +7,29 @@ use tracing::warn;

 use super::pool::MePool;

+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub enum SnapshotApplyOutcome {
+    AppliedChanged,
+    AppliedNoDelta,
+    RejectedEmpty,
+}
+
+impl SnapshotApplyOutcome {
+    pub fn changed(self) -> bool {
+        matches!(self, SnapshotApplyOutcome::AppliedChanged)
+    }
+}
+
 impl MePool {
    pub async fn update_proxy_maps(
        &self,
        new_v4: HashMap<i32, Vec<(IpAddr, u16)>>,
        new_v6: Option<HashMap<i32, Vec<(IpAddr, u16)>>>,
-    ) -> bool {
+    ) -> SnapshotApplyOutcome {
+        if new_v4.is_empty() && new_v6.as_ref().is_none_or(|v| v.is_empty()) {
+            return SnapshotApplyOutcome::RejectedEmpty;
+        }
+
        let mut changed = false;
        {
            let mut guard = self.proxy_map_v4.write().await;
@@ -37,6 +54,7 @@ impl MePool {
                    && let Some(addrs) = guard.get(&k).cloned()
                {
                    guard.insert(-k, addrs);
+                    changed = true;
                }
            }
        }
@@ -48,10 +66,19 @@ impl MePool {
                    && let Some(addrs) = guard.get(&k).cloned()
                {
                    guard.insert(-k, addrs);
+                    changed = true;
                }
            }
        }
-        changed
+        if changed {
+            self.rebuild_endpoint_dc_map().await;
+            self.writer_available.notify_waiters();
+        }
+        if changed {
+            SnapshotApplyOutcome::AppliedChanged
+        } else {
+            SnapshotApplyOutcome::AppliedNoDelta
+        }
    }

    pub async fn update_secret(self: &Arc<Self>, new_secret: Vec<u8>) -> bool {
@@ -60,8 +87,19 @@ impl MePool {
            return false;
        }
        let mut guard = self.proxy_secret.write().await;
-        if *guard != new_secret {
-            *guard = new_secret;
+        if guard.secret != new_secret {
+            guard.secret = new_secret;
+            guard.key_selector = if guard.secret.len() >= 4 {
+                u32::from_le_bytes([
+                    guard.secret[0],
+                    guard.secret[1],
+                    guard.secret[2],
+                    guard.secret[3],
+                ])
+            } else {
+                0
+            };
+            guard.epoch = guard.epoch.saturating_add(1);
            drop(guard);
            self.reconnect_all().await;
            return true;
@@ -72,7 +110,10 @@ impl MePool {
    pub async fn reconnect_all(self: &Arc<Self>) {
        let ws = self.writers.read().await.clone();
        for w in ws {
-            if let Ok(()) = self.connect_one(w.addr, self.rng.as_ref()).await {
+            if let Ok(()) = self
+                .connect_one_for_dc(w.addr, w.writer_dc, self.rng.as_ref())
+                .await
+            {
                self.mark_writer_draining(w.id).await;
                tokio::time::sleep(Duration::from_secs(2)).await;
            }
--- a/src/transport/middle_proxy/pool_init.rs
+++ b/src/transport/middle_proxy/pool_init.rs
@@ -1,4 +1,4 @@
-use std::collections::{HashMap, HashSet};
+use std::collections::HashSet;
 use std::net::{IpAddr, SocketAddr};
 use std::sync::Arc;

@@ -14,50 +14,67 @@ use super::pool::MePool;
 impl MePool {
    pub async fn init(self: &Arc<Self>, pool_size: usize, rng: &Arc<SecureRandom>) -> Result<()> {
        let family_order = self.family_order();
+        let connect_concurrency = self.me_reconnect_max_concurrent_per_dc.max(1) as usize;
        let ks = self.key_selector().await;
        info!(
            me_servers = self.proxy_map_v4.read().await.len(),
            pool_size,
+            connect_concurrency,
            key_selector = format_args!("0x{ks:08x}"),
-            secret_len = self.proxy_secret.read().await.len(),
+            secret_len = self.proxy_secret.read().await.secret.len(),
            "Initializing ME pool"
        );

        for family in family_order {
            let map = self.proxy_map_for_family(family).await;
-            let mut grouped_dc_addrs: HashMap<i32, Vec<(IpAddr, u16)>> = HashMap::new();
-            for (dc, addrs) in map {
-                if addrs.is_empty() {
-                    continue;
-                }
-                grouped_dc_addrs.entry(dc.abs()).or_default().extend(addrs);
-            }
-            let mut dc_addrs: Vec<(i32, Vec<(IpAddr, u16)>)> = grouped_dc_addrs
+            let mut dc_addrs: Vec<(i32, Vec<(IpAddr, u16)>)> = map
                .into_iter()
                .map(|(dc, mut addrs)| {
                    addrs.sort_unstable();
                    addrs.dedup();
                    (dc, addrs)
                })
+                .filter(|(_, addrs)| !addrs.is_empty())
                .collect();
            dc_addrs.sort_unstable_by_key(|(dc, _)| *dc);
+            dc_addrs.sort_by_key(|(_, addrs)| (addrs.len() != 1, addrs.len()));

-            // Ensure at least one live writer per DC group; run missing DCs in parallel.
+            // Stage 1: build base coverage for conditional-cast.
+            // Single-endpoint DCs are prefilled first; multi-endpoint DCs require one live writer.
            let mut join = tokio::task::JoinSet::new();
            for (dc, addrs) in dc_addrs.iter().cloned() {
                if addrs.is_empty() {
                    continue;
                }
+                let target_writers = if addrs.len() == 1 {
+                    self.required_writers_for_dc_with_floor_mode(addrs.len(), false)
+                } else {
+                    1usize
+                };
                let endpoints: HashSet<SocketAddr> = addrs
                    .iter()
                    .map(|(ip, port)| SocketAddr::new(*ip, *port))
                    .collect();
-                if self.active_writer_count_for_endpoints(&endpoints).await > 0 {
+                if self
+                    .active_writer_count_for_dc_endpoints(dc, &endpoints)
+                    .await
+                    >= target_writers
+                {
                    continue;
                }
                let pool = Arc::clone(self);
                let rng_clone = Arc::clone(rng);
-                join.spawn(async move { pool.connect_primary_for_dc(dc, addrs, rng_clone).await });
+                join.spawn(async move {
+                    pool.connect_primary_for_dc(
+                        dc,
+                        addrs,
+                        target_writers,
+                        rng_clone,
+                        connect_concurrency,
+                        true,
+                    )
+                    .await
+                });
            }
            while join.join_next().await.is_some() {}

@@ -67,7 +84,7 @@ impl MePool {
                    .iter()
                    .map(|(ip, port)| SocketAddr::new(*ip, *port))
                    .collect();
-                if self.active_writer_count_for_endpoints(&endpoints).await == 0 {
+                if self.active_writer_count_for_dc_endpoints(*dc, &endpoints).await == 0 {
                    missing_dcs.push(*dc);
                }
            }
@@ -77,47 +94,36 @@ impl MePool {
                )));
            }

-            // Warm reserve writers asynchronously so startup does not block after first working pool is ready.
+            // Stage 2: continue saturating multi-endpoint DC groups in background.
            let pool = Arc::clone(self);
            let rng_clone = Arc::clone(rng);
            let dc_addrs_bg = dc_addrs.clone();
            tokio::spawn(async move {
-                if pool.me_warmup_stagger_enabled {
-                    for (dc, addrs) in &dc_addrs_bg {
-                        for (ip, port) in addrs {
-                            if pool.connection_count() >= pool_size {
-                                break;
-                            }
-                            let addr = SocketAddr::new(*ip, *port);
-                            let jitter = rand::rng()
-                                .random_range(0..=pool.me_warmup_step_jitter.as_millis() as u64);
-                            let delay_ms = pool.me_warmup_step_delay.as_millis() as u64 + jitter;
-                            tokio::time::sleep(std::time::Duration::from_millis(delay_ms)).await;
-                            if let Err(e) = pool.connect_one(addr, rng_clone.as_ref()).await {
-                                debug!(%addr, dc = %dc, error = %e, "Extra ME connect failed (staggered)");
-                            }
-                        }
-                    }
-                } else {
-                    for (dc, addrs) in &dc_addrs_bg {
-                        for (ip, port) in addrs {
-                            if pool.connection_count() >= pool_size {
-                                break;
-                            }
-                            let addr = SocketAddr::new(*ip, *port);
-                            if let Err(e) = pool.connect_one(addr, rng_clone.as_ref()).await {
-                                debug!(%addr, dc = %dc, error = %e, "Extra ME connect failed");
-                            }
-                        }
-                        if pool.connection_count() >= pool_size {
-                            break;
-                        }
+                let mut join_bg = tokio::task::JoinSet::new();
+                for (dc, addrs) in dc_addrs_bg {
+                    if addrs.len() <= 1 {
+                        continue;
                    }
+                    let target_writers = pool.required_writers_for_dc_with_floor_mode(addrs.len(), false);
+                    let pool_clone = Arc::clone(&pool);
+                    let rng_clone_local = Arc::clone(&rng_clone);
+                    join_bg.spawn(async move {
+                        pool_clone
+                            .connect_primary_for_dc(
+                                dc,
+                                addrs,
+                                target_writers,
+                                rng_clone_local,
+                                connect_concurrency,
+                                false,
+                            )
+                            .await
+                    });
                }
+                while join_bg.join_next().await.is_some() {}
                debug!(
-                    target_pool_size = pool_size,
                    current_pool_size = pool.connection_count(),
-                    "Background ME reserve warmup finished"
+                    "Background ME saturation warmup finished"
                );
            });

@@ -140,62 +146,111 @@ impl MePool {
        self: Arc<Self>,
        dc: i32,
        mut addrs: Vec<(IpAddr, u16)>,
+        target_writers: usize,
        rng: Arc<SecureRandom>,
+        connect_concurrency: usize,
+        allow_coverage_override: bool,
    ) -> bool {
        if addrs.is_empty() {
            return false;
        }
+        let target_writers = target_writers.max(1);
        addrs.shuffle(&mut rand::rng());
-        if addrs.len() > 1 {
-            let concurrency = 2usize;
+        let endpoints: Vec<SocketAddr> = addrs
+            .iter()
+            .map(|(ip, port)| SocketAddr::new(*ip, *port))
+            .collect();
+        let endpoint_set: HashSet<SocketAddr> = endpoints.iter().copied().collect();
+
+        loop {
+            let alive = self
+                .active_writer_count_for_dc_endpoints(dc, &endpoint_set)
+                .await;
+            if alive >= target_writers {
+                info!(
+                    dc = %dc,
+                    alive,
+                    target_writers,
+                    "ME connected"
+                );
+                return true;
+            }
+
+            let missing = target_writers.saturating_sub(alive).max(1);
+            let concurrency = connect_concurrency.max(1).min(missing);
            let mut join = tokio::task::JoinSet::new();
-            let mut next_idx = 0usize;
+            for _ in 0..concurrency {
+                let pool = Arc::clone(&self);
+                let rng_clone = Arc::clone(&rng);
+                let endpoints_clone = endpoints.clone();
+                let generation = self.current_generation();
+                join.spawn(async move {
+                    pool.connect_endpoints_round_robin_with_generation_contour(
+                        dc,
+                        &endpoints_clone,
+                        rng_clone.as_ref(),
+                        generation,
+                        super::pool::WriterContour::Active,
+                        allow_coverage_override,
+                    )
+                    .await
+                });
+            }

-            while next_idx < addrs.len() || !join.is_empty() {
-                while next_idx < addrs.len() && join.len() < concurrency {
-                    let (ip, port) = addrs[next_idx];
-                    next_idx += 1;
-                    let addr = SocketAddr::new(ip, port);
-                    let pool = Arc::clone(&self);
-                    let rng_clone = Arc::clone(&rng);
-                    join.spawn(async move {
-                        (addr, pool.connect_one(addr, rng_clone.as_ref()).await)
-                    });
-                }
-
-                let Some(res) = join.join_next().await else {
-                    break;
-                };
+            let mut progress = false;
+            while let Some(res) = join.join_next().await {
                match res {
-                    Ok((addr, Ok(()))) => {
-                        info!(%addr, dc = %dc, "ME connected");
-                        join.abort_all();
-                        while join.join_next().await.is_some() {}
-                        return true;
-                    }
-                    Ok((addr, Err(e))) => {
-                        warn!(%addr, dc = %dc, error = %e, "ME connect failed, trying next");
+                    Ok(true) => {
+                        progress = true;
                    }
+                    Ok(false) => {}
                    Err(e) => {
                        warn!(dc = %dc, error = %e, "ME connect task failed");
                    }
                }
            }
-            warn!(dc = %dc, "All ME servers for DC failed at init");
-            return false;
-        }

-        for (ip, port) in addrs {
-            let addr = SocketAddr::new(ip, port);
-            match self.connect_one(addr, rng.as_ref()).await {
-                Ok(()) => {
-                    info!(%addr, dc = %dc, "ME connected");
-                    return true;
+            let alive_after = self
+                .active_writer_count_for_dc_endpoints(dc, &endpoint_set)
+                .await;
+            if alive_after >= target_writers {
+                info!(
+                    dc = %dc,
+                    alive = alive_after,
+                    target_writers,
+                    "ME connected"
+                );
+                return true;
+            }
+            if !progress {
+                let active_writers_current = self.active_contour_writer_count_total().await;
+                let active_cap_configured = self.adaptive_floor_active_cap_configured_total();
+                if !allow_coverage_override && active_writers_current >= active_cap_configured {
+                    info!(
+                        dc = %dc,
+                        alive = alive_after,
+                        target_writers,
+                        active_writers_current,
+                        active_cap_configured,
+                        "ME init saturation stopped by active writer cap"
+                    );
+                } else {
+                    warn!(
+                        dc = %dc,
+                        alive = alive_after,
+                        target_writers,
+                        "All ME servers for DC failed at init"
+                    );
                }
-                Err(e) => warn!(%addr, dc = %dc, error = %e, "ME connect failed, trying next"),
+                return false;
+            }
+
+            if self.me_warmup_stagger_enabled {
+                let jitter = rand::rng()
+                    .random_range(0..=self.me_warmup_step_jitter.as_millis() as u64);
+                let delay_ms = self.me_warmup_step_delay.as_millis() as u64 + jitter;
+                tokio::time::sleep(std::time::Duration::from_millis(delay_ms)).await;
            }
        }
-        warn!(dc = %dc, "All ME servers for DC failed at init");
-        false
    }
 }
--- a/src/transport/middle_proxy/pool_nat.rs
+++ b/src/transport/middle_proxy/pool_nat.rs
@@ -8,7 +8,7 @@ use tracing::{debug, info, warn};

 use crate::error::{ProxyError, Result};
 use crate::network::probe::is_bogon;
-use crate::network::stun::{stun_probe_dual, IpFamily, StunProbeResult};
+use crate::network::stun::{stun_probe_dual, stun_probe_family_with_bind, IpFamily};

 use super::MePool;
 use std::time::Instant;
@@ -52,6 +52,7 @@ impl MePool {
        servers: &[String],
        family: IpFamily,
        attempt: u8,
+        bind_ip: Option<IpAddr>,
    ) -> (Vec<String>, Option<std::net::SocketAddr>) {
        let mut join_set = JoinSet::new();
        let mut next_idx = 0usize;
@@ -64,7 +65,11 @@ impl MePool {
                let stun_addr = servers[next_idx].clone();
                next_idx += 1;
                join_set.spawn(async move {
-                    let res = timeout(STUN_BATCH_TIMEOUT, stun_probe_dual(&stun_addr)).await;
+                    let res = timeout(
+                        STUN_BATCH_TIMEOUT,
+                        stun_probe_family_with_bind(&stun_addr, family, bind_ip),
+                    )
+                    .await;
                    (stun_addr, res)
                });
            }
@@ -74,12 +79,7 @@ impl MePool {
            };

            match task {
-                Ok((stun_addr, Ok(Ok(res)))) => {
-                    let picked: Option<StunProbeResult> = match family {
-                        IpFamily::V4 => res.v4,
-                        IpFamily::V6 => res.v6,
-                    };
-
+                Ok((stun_addr, Ok(Ok(picked)))) => {
                    if let Some(result) = picked {
                        live_servers.push(stun_addr.clone());
                        let entry = best_by_ip
@@ -207,10 +207,21 @@ impl MePool {
    pub(super) async fn maybe_reflect_public_addr(
        &self,
        family: IpFamily,
+        bind_ip: Option<IpAddr>,
    ) -> Option<std::net::SocketAddr> {
        const STUN_CACHE_TTL: Duration = Duration::from_secs(600);
+        let use_shared_cache = bind_ip.is_none();
+        if !use_shared_cache {
+            match (family, bind_ip) {
+                (IpFamily::V4, Some(IpAddr::V4(_)))
+                | (IpFamily::V6, Some(IpAddr::V6(_)))
+                | (_, None) => {}
+                _ => return None,
+            }
+        }
        // Backoff window
-        if let Some(until) = *self.stun_backoff_until.read().await
+        if use_shared_cache
+            && let Some(until) = *self.stun_backoff_until.read().await
            && Instant::now() < until
        {
            if let Ok(cache) = self.nat_reflection_cache.try_lock() {
@@ -223,7 +234,9 @@ impl MePool {
            return None;
        }

-        if let Ok(mut cache) = self.nat_reflection_cache.try_lock() {
+        if use_shared_cache
+            && let Ok(mut cache) = self.nat_reflection_cache.try_lock()
+        {
            let slot = match family {
                IpFamily::V4 => &mut cache.v4,
                IpFamily::V6 => &mut cache.v6,
@@ -235,7 +248,48 @@ impl MePool {
            }
        }

-        let attempt = self.nat_probe_attempts.fetch_add(1, std::sync::atomic::Ordering::Relaxed);
+        let _singleflight_guard = if use_shared_cache {
+            Some(match family {
+                IpFamily::V4 => self.nat_reflection_singleflight_v4.lock().await,
+                IpFamily::V6 => self.nat_reflection_singleflight_v6.lock().await,
+            })
+        } else {
+            None
+        };
+
+        if use_shared_cache
+            && let Some(until) = *self.stun_backoff_until.read().await
+            && Instant::now() < until
+        {
+            if let Ok(cache) = self.nat_reflection_cache.try_lock() {
+                let slot = match family {
+                    IpFamily::V4 => cache.v4,
+                    IpFamily::V6 => cache.v6,
+                };
+                return slot.map(|(_, addr)| addr);
+            }
+            return None;
+        }
+
+        if use_shared_cache
+            && let Ok(mut cache) = self.nat_reflection_cache.try_lock()
+        {
+            let slot = match family {
+                IpFamily::V4 => &mut cache.v4,
+                IpFamily::V6 => &mut cache.v6,
+            };
+            if let Some((ts, addr)) = slot
+                && ts.elapsed() < STUN_CACHE_TTL
+            {
+                return Some(*addr);
+            }
+        }
+
+        let attempt = if use_shared_cache {
+            self.nat_probe_attempts.fetch_add(1, std::sync::atomic::Ordering::Relaxed)
+        } else {
+            0
+        };
        let configured_servers = self.configured_stun_servers();
        let live_snapshot = self.nat_stun_live_servers.read().await.clone();
        let primary_servers = if live_snapshot.is_empty() {
@@ -245,12 +299,12 @@ impl MePool {
        };

        let (mut live_servers, mut selected_reflected) = self
-            .probe_stun_batch_for_family(&primary_servers, family, attempt)
+            .probe_stun_batch_for_family(&primary_servers, family, attempt, bind_ip)
            .await;

        if selected_reflected.is_none() && !configured_servers.is_empty() && primary_servers != configured_servers {
            let (rediscovered_live, rediscovered_reflected) = self
-                .probe_stun_batch_for_family(&configured_servers, family, attempt)
+                .probe_stun_batch_for_family(&configured_servers, family, attempt, bind_ip)
                .await;
            live_servers = rediscovered_live;
            selected_reflected = rediscovered_reflected;
@@ -264,14 +318,18 @@ impl MePool {
        }

        if let Some(reflected_addr) = selected_reflected {
-            self.nat_probe_attempts.store(0, std::sync::atomic::Ordering::Relaxed);
+            if use_shared_cache {
+                self.nat_probe_attempts.store(0, std::sync::atomic::Ordering::Relaxed);
+            }
            info!(
                family = ?family,
                live_servers = live_server_count,
                "STUN-Quorum reached, IP: {}",
                reflected_addr.ip()
            );
-            if let Ok(mut cache) = self.nat_reflection_cache.try_lock() {
+            if use_shared_cache
+                && let Ok(mut cache) = self.nat_reflection_cache.try_lock()
+            {
                let slot = match family {
                    IpFamily::V4 => &mut cache.v4,
                    IpFamily::V6 => &mut cache.v6,
@@ -281,8 +339,10 @@ impl MePool {
            return Some(reflected_addr);
        }

-        let backoff = Duration::from_secs(60 * 2u64.pow((attempt as u32).min(6)));
-        *self.stun_backoff_until.write().await = Some(Instant::now() + backoff);
+        if use_shared_cache {
+            let backoff = Duration::from_secs(60 * 2u64.pow((attempt as u32).min(6)));
+            *self.stun_backoff_until.write().await = Some(Instant::now() + backoff);
+        }
        None
    }
 }
--- a/src/transport/middle_proxy/pool_refill.rs
+++ b/src/transport/middle_proxy/pool_refill.rs
@@ -1,28 +1,162 @@
-use std::collections::HashSet;
+use std::collections::{HashMap, HashSet};
 use std::net::SocketAddr;
 use std::sync::Arc;
 use std::sync::atomic::Ordering;
+use std::time::{Duration, Instant};

 use tracing::{debug, info, warn};

 use crate::crypto::SecureRandom;
+use crate::network::IpFamily;

-use super::pool::MePool;
+use super::pool::{MePool, RefillDcKey, RefillEndpointKey, WriterContour};
+
+const ME_FLAP_UPTIME_THRESHOLD_SECS: u64 = 20;
+const ME_FLAP_QUARANTINE_SECS: u64 = 25;

 impl MePool {
+    pub(super) async fn maybe_quarantine_flapping_endpoint(
+        &self,
+        addr: SocketAddr,
+        uptime: Duration,
+    ) {
+        if uptime > Duration::from_secs(ME_FLAP_UPTIME_THRESHOLD_SECS) {
+            return;
+        }
+
+        let until = Instant::now() + Duration::from_secs(ME_FLAP_QUARANTINE_SECS);
+        let mut guard = self.endpoint_quarantine.lock().await;
+        guard.retain(|_, expiry| *expiry > Instant::now());
+        guard.insert(addr, until);
+        self.stats.increment_me_endpoint_quarantine_total();
+        warn!(
+            %addr,
+            uptime_ms = uptime.as_millis(),
+            quarantine_secs = ME_FLAP_QUARANTINE_SECS,
+            "ME endpoint temporarily quarantined due to rapid writer flap"
+        );
+    }
+
+    pub(super) async fn is_endpoint_quarantined(&self, addr: SocketAddr) -> bool {
+        let mut guard = self.endpoint_quarantine.lock().await;
+        let now = Instant::now();
+        guard.retain(|_, expiry| *expiry > now);
+        guard.contains_key(&addr)
+    }
+
+    async fn connectable_endpoints(&self, endpoints: &[SocketAddr]) -> Vec<SocketAddr> {
+        if endpoints.is_empty() {
+            return Vec::new();
+        }
+
+        let mut guard = self.endpoint_quarantine.lock().await;
+        let now = Instant::now();
+        guard.retain(|_, expiry| *expiry > now);
+
+        let mut ready = Vec::<SocketAddr>::with_capacity(endpoints.len());
+        let mut earliest_quarantine: Option<(SocketAddr, Instant)> = None;
+        for addr in endpoints {
+            if let Some(expiry) = guard.get(addr).copied() {
+                match earliest_quarantine {
+                    Some((_, current_expiry)) if current_expiry <= expiry => {}
+                    _ => earliest_quarantine = Some((*addr, expiry)),
+                }
+            } else {
+                ready.push(*addr);
+            }
+        }
+
+        if !ready.is_empty() {
+            return ready;
+        }
+
+        if let Some((addr, expiry)) = earliest_quarantine {
+            debug!(
+                %addr,
+                wait_ms = expiry.saturating_duration_since(now).as_millis(),
+                "All ME endpoints are quarantined for the DC group; retrying earliest one"
+            );
+            return vec![addr];
+        }
+
+        Vec::new()
+    }
+
+    pub(super) async fn has_refill_inflight_for_dc_key(&self, key: RefillDcKey) -> bool {
+        let guard = self.refill_inflight_dc.lock().await;
+        guard.contains(&key)
+    }
+
    pub(super) async fn connect_endpoints_round_robin(
        self: &Arc<Self>,
+        dc: i32,
        endpoints: &[SocketAddr],
        rng: &SecureRandom,
    ) -> bool {
-        if endpoints.is_empty() {
+        self.connect_endpoints_round_robin_with_generation_contour(
+            dc,
+            endpoints,
+            rng,
+            self.current_generation(),
+            WriterContour::Active,
+            false,
+        )
+        .await
+    }
+
+    pub(super) async fn connect_endpoints_round_robin_with_generation_contour(
+        self: &Arc<Self>,
+        dc: i32,
+        endpoints: &[SocketAddr],
+        rng: &SecureRandom,
+        generation: u64,
+        contour: WriterContour,
+        allow_coverage_override: bool,
+    ) -> bool {
+        let mut candidates = self.connectable_endpoints(endpoints).await;
+        if candidates.is_empty() {
            return false;
        }
-        let start = (self.rr.fetch_add(1, Ordering::Relaxed) as usize) % endpoints.len();
-        for offset in 0..endpoints.len() {
-            let idx = (start + offset) % endpoints.len();
-            let addr = endpoints[idx];
-            match self.connect_one(addr, rng).await {
+        if candidates.len() > 1 {
+            let mut active_by_endpoint = HashMap::<SocketAddr, usize>::new();
+            let ws = self.writers.read().await;
+            for writer in ws.iter() {
+                if writer.draining.load(Ordering::Relaxed) {
+                    continue;
+                }
+                if writer.writer_dc != dc {
+                    continue;
+                }
+                if !matches!(
+                    super::pool::WriterContour::from_u8(
+                        writer.contour.load(Ordering::Relaxed),
+                    ),
+                    super::pool::WriterContour::Active
+                ) {
+                    continue;
+                }
+                if candidates.contains(&writer.addr) {
+                    *active_by_endpoint.entry(writer.addr).or_insert(0) += 1;
+                }
+            }
+            drop(ws);
+            candidates.sort_by_key(|addr| (active_by_endpoint.get(addr).copied().unwrap_or(0), *addr));
+        }
+        let start = (self.rr.fetch_add(1, Ordering::Relaxed) as usize) % candidates.len();
+        for offset in 0..candidates.len() {
+            let idx = (start + offset) % candidates.len();
+            let addr = candidates[idx];
+            match self
+                .connect_one_with_generation_contour_for_dc_with_cap_policy(
+                    addr,
+                    rng,
+                    generation,
+                    contour,
+                    dc,
+                    allow_coverage_override,
+                )
+                .await
+            {
                Ok(()) => return true,
                Err(e) => debug!(%addr, error = %e, "ME connect failed during round-robin warmup"),
            }
@@ -30,48 +164,23 @@ impl MePool {
        false
    }

-    async fn endpoints_for_same_dc(&self, addr: SocketAddr) -> Vec<SocketAddr> {
-        let mut target_dc = HashSet::<i32>::new();
+    async fn endpoints_for_dc(&self, target_dc: i32) -> Vec<SocketAddr> {
        let mut endpoints = HashSet::<SocketAddr>::new();

        if self.decision.ipv4_me {
-            let map = self.proxy_map_v4.read().await.clone();
-            for (dc, addrs) in &map {
-                if addrs
-                    .iter()
-                    .any(|(ip, port)| SocketAddr::new(*ip, *port) == addr)
-                {
-                    target_dc.insert(dc.abs());
-                }
-            }
-            for dc in &target_dc {
-                for key in [*dc, -*dc] {
-                    if let Some(addrs) = map.get(&key) {
-                        for (ip, port) in addrs {
-                            endpoints.insert(SocketAddr::new(*ip, *port));
-                        }
-                    }
+            let map = self.proxy_map_v4.read().await;
+            if let Some(addrs) = map.get(&target_dc) {
+                for (ip, port) in addrs {
+                    endpoints.insert(SocketAddr::new(*ip, *port));
                }
            }
        }

        if self.decision.ipv6_me {
-            let map = self.proxy_map_v6.read().await.clone();
-            for (dc, addrs) in &map {
-                if addrs
-                    .iter()
-                    .any(|(ip, port)| SocketAddr::new(*ip, *port) == addr)
-                {
-                    target_dc.insert(dc.abs());
-                }
-            }
-            for dc in &target_dc {
-                for key in [*dc, -*dc] {
-                    if let Some(addrs) = map.get(&key) {
-                        for (ip, port) in addrs {
-                            endpoints.insert(SocketAddr::new(*ip, *port));
-                        }
-                    }
+            let map = self.proxy_map_v6.read().await;
+            if let Some(addrs) = map.get(&target_dc) {
+                for (ip, port) in addrs {
+                    endpoints.insert(SocketAddr::new(*ip, *port));
                }
            }
        }
@@ -81,34 +190,42 @@ impl MePool {
        sorted
    }

-    async fn refill_writer_after_loss(self: &Arc<Self>, addr: SocketAddr) -> bool {
+    async fn refill_writer_after_loss(self: &Arc<Self>, addr: SocketAddr, writer_dc: i32) -> bool {
        let fast_retries = self.me_reconnect_fast_retry_count.max(1);
+        let same_endpoint_quarantined = self.is_endpoint_quarantined(addr).await;

-        for attempt in 0..fast_retries {
-            self.stats.increment_me_reconnect_attempt();
-            match self.connect_one(addr, self.rng.as_ref()).await {
-                Ok(()) => {
-                    self.stats.increment_me_reconnect_success();
-                    self.stats.increment_me_writer_restored_same_endpoint_total();
-                    info!(
-                        %addr,
-                        attempt = attempt + 1,
-                        "ME writer restored on the same endpoint"
-                    );
-                    return true;
-                }
-                Err(e) => {
-                    debug!(
-                        %addr,
-                        attempt = attempt + 1,
-                        error = %e,
-                        "ME immediate same-endpoint reconnect failed"
-                    );
+        if !same_endpoint_quarantined {
+            for attempt in 0..fast_retries {
+                self.stats.increment_me_reconnect_attempt();
+                match self.connect_one_for_dc(addr, writer_dc, self.rng.as_ref()).await {
+                    Ok(()) => {
+                        self.stats.increment_me_reconnect_success();
+                        self.stats.increment_me_writer_restored_same_endpoint_total();
+                        info!(
+                            %addr,
+                            attempt = attempt + 1,
+                            "ME writer restored on the same endpoint"
+                        );
+                        return true;
+                    }
+                    Err(e) => {
+                        debug!(
+                            %addr,
+                            attempt = attempt + 1,
+                            error = %e,
+                            "ME immediate same-endpoint reconnect failed"
+                        );
+                    }
                }
            }
+        } else {
+            debug!(
+                %addr,
+                "Skipping immediate same-endpoint reconnect because endpoint is quarantined"
+            );
        }

-        let dc_endpoints = self.endpoints_for_same_dc(addr).await;
+        let dc_endpoints = self.endpoints_for_dc(writer_dc).await;
        if dc_endpoints.is_empty() {
            self.stats.increment_me_refill_failed_total();
            return false;
@@ -117,7 +234,7 @@ impl MePool {
        for attempt in 0..fast_retries {
            self.stats.increment_me_reconnect_attempt();
            if self
-                .connect_endpoints_round_robin(&dc_endpoints, self.rng.as_ref())
+                .connect_endpoints_round_robin(writer_dc, &dc_endpoints, self.rng.as_ref())
                .await
            {
                self.stats.increment_me_reconnect_success();
@@ -135,25 +252,63 @@ impl MePool {
        false
    }

-    pub(crate) fn trigger_immediate_refill(self: &Arc<Self>, addr: SocketAddr) {
+    pub(crate) fn trigger_immediate_refill_for_dc(self: &Arc<Self>, addr: SocketAddr, writer_dc: i32) {
+        let endpoint_key = RefillEndpointKey {
+            dc: writer_dc,
+            addr,
+        };
+        let pre_inserted = if let Ok(mut guard) = self.refill_inflight.try_lock() {
+            if !guard.insert(endpoint_key) {
+                self.stats.increment_me_refill_skipped_inflight_total();
+                return;
+            }
+            true
+        } else {
+            false
+        };
+
        let pool = Arc::clone(self);
        tokio::spawn(async move {
-            {
+            let dc_key = RefillDcKey {
+                dc: writer_dc,
+                family: if addr.is_ipv4() {
+                    IpFamily::V4
+                } else {
+                    IpFamily::V6
+                },
+            };
+
+            if !pre_inserted {
                let mut guard = pool.refill_inflight.lock().await;
-                if !guard.insert(addr) {
+                if !guard.insert(endpoint_key) {
                    pool.stats.increment_me_refill_skipped_inflight_total();
                    return;
                }
            }
-            pool.stats.increment_me_refill_triggered_total();

-            let restored = pool.refill_writer_after_loss(addr).await;
+            {
+                let mut dc_guard = pool.refill_inflight_dc.lock().await;
+                if dc_guard.contains(&dc_key) {
+                    pool.stats.increment_me_refill_skipped_inflight_total();
+                    drop(dc_guard);
+                    let mut guard = pool.refill_inflight.lock().await;
+                    guard.remove(&endpoint_key);
+                    return;
+                }
+                dc_guard.insert(dc_key);
+            }
+
+            pool.stats.increment_me_refill_triggered_total();
+            let restored = pool.refill_writer_after_loss(addr, writer_dc).await;
            if !restored {
-                warn!(%addr, "ME immediate refill failed");
+                warn!(%addr, dc = writer_dc, "ME immediate refill failed");
            }

            let mut guard = pool.refill_inflight.lock().await;
-            guard.remove(&addr);
+            guard.remove(&endpoint_key);
+            drop(guard);
+            let mut dc_guard = pool.refill_inflight_dc.lock().await;
+            dc_guard.remove(&dc_key);
        });
    }
 }
--- a/src/transport/middle_proxy/pool_reinit.rs
+++ b/src/transport/middle_proxy/pool_reinit.rs
@@ -1,4 +1,5 @@
 use std::collections::{HashMap, HashSet};
+use std::hash::{Hash, Hasher};
 use std::net::SocketAddr;
 use std::sync::Arc;
 use std::sync::atomic::Ordering;
@@ -7,15 +8,61 @@ use std::time::Duration;
 use rand::Rng;
 use rand::seq::SliceRandom;
 use tracing::{debug, info, warn};
+use std::collections::hash_map::DefaultHasher;

 use crate::crypto::SecureRandom;

-use super::pool::MePool;
+use super::pool::{MePool, WriterContour};
+
+const ME_HARDSWAP_PENDING_TTL_SECS: u64 = 1800;

 impl MePool {
+    fn desired_map_hash(desired_by_dc: &HashMap<i32, HashSet<SocketAddr>>) -> u64 {
+        let mut hasher = DefaultHasher::new();
+        let mut dcs: Vec<i32> = desired_by_dc.keys().copied().collect();
+        dcs.sort_unstable();
+        for dc in dcs {
+            dc.hash(&mut hasher);
+            let mut endpoints: Vec<SocketAddr> = desired_by_dc
+                .get(&dc)
+                .map(|set| set.iter().copied().collect())
+                .unwrap_or_default();
+            endpoints.sort_unstable();
+            for endpoint in endpoints {
+                endpoint.hash(&mut hasher);
+            }
+        }
+        hasher.finish()
+    }
+
+    fn clear_pending_hardswap_state(&self) {
+        self.pending_hardswap_generation.store(0, Ordering::Relaxed);
+        self.pending_hardswap_started_at_epoch_secs
+            .store(0, Ordering::Relaxed);
+        self.pending_hardswap_map_hash.store(0, Ordering::Relaxed);
+        self.warm_generation.store(0, Ordering::Relaxed);
+    }
+
+    async fn promote_warm_generation_to_active(&self, generation: u64) {
+        self.active_generation.store(generation, Ordering::Relaxed);
+        self.warm_generation.store(0, Ordering::Relaxed);
+
+        let ws = self.writers.read().await;
+        for writer in ws.iter() {
+            if writer.draining.load(Ordering::Relaxed) {
+                continue;
+            }
+            if writer.generation == generation {
+                writer
+                    .contour
+                    .store(WriterContour::Active.as_u8(), Ordering::Relaxed);
+            }
+        }
+    }
+
    fn coverage_ratio(
        desired_by_dc: &HashMap<i32, HashSet<SocketAddr>>,
-        active_writer_addrs: &HashSet<SocketAddr>,
+        active_writer_addrs: &HashSet<(i32, SocketAddr)>,
    ) -> (f32, Vec<i32>) {
        if desired_by_dc.is_empty() {
            return (1.0, Vec::new());
@@ -29,7 +76,7 @@ impl MePool {
            }
            if endpoints
                .iter()
-                .any(|addr| active_writer_addrs.contains(addr))
+                .any(|addr| active_writer_addrs.contains(&(*dc, *addr)))
            {
                covered += 1;
            } else {
@@ -44,32 +91,25 @@ impl MePool {
    }

    pub async fn reconcile_connections(self: &Arc<Self>, rng: &SecureRandom) {
-        let writers = self.writers.read().await;
-        let current: HashSet<SocketAddr> = writers
-            .iter()
-            .filter(|w| !w.draining.load(Ordering::Relaxed))
-            .map(|w| w.addr)
-            .collect();
-        drop(writers);
-
        for family in self.family_order() {
            let map = self.proxy_map_for_family(family).await;
-            for (_dc, addrs) in &map {
+            for (dc, addrs) in &map {
                let dc_addrs: Vec<SocketAddr> = addrs
                    .iter()
                    .map(|(ip, port)| SocketAddr::new(*ip, *port))
                    .collect();
-                if !dc_addrs.iter().any(|a| current.contains(a)) {
+                let dc_endpoints: HashSet<SocketAddr> = dc_addrs.iter().copied().collect();
+                if self.active_writer_count_for_dc_endpoints(*dc, &dc_endpoints).await == 0 {
                    let mut shuffled = dc_addrs.clone();
                    shuffled.shuffle(&mut rand::rng());
                    for addr in shuffled {
-                        if self.connect_one(addr, rng).await.is_ok() {
+                        if self.connect_one_for_dc(addr, *dc, rng).await.is_ok() {
                            break;
                        }
                    }
                }
            }
-            if !self.decision.effective_multipath && !current.is_empty() {
+            if !self.decision.effective_multipath && self.connection_count() > 0 {
                break;
            }
        }
@@ -81,7 +121,7 @@ impl MePool {
        if self.decision.ipv4_me {
            let map_v4 = self.proxy_map_v4.read().await.clone();
            for (dc, addrs) in map_v4 {
-                let entry = out.entry(dc.abs()).or_default();
+                let entry = out.entry(dc).or_default();
                for (ip, port) in addrs {
                    entry.insert(SocketAddr::new(ip, port));
                }
@@ -91,7 +131,7 @@ impl MePool {
        if self.decision.ipv6_me {
            let map_v6 = self.proxy_map_v6.read().await.clone();
            for (dc, addrs) in map_v6 {
-                let entry = out.entry(dc.abs()).or_default();
+                let entry = out.entry(dc).or_default();
                for (ip, port) in addrs {
                    entry.insert(SocketAddr::new(ip, port));
                }
@@ -101,10 +141,6 @@ impl MePool {
        out
    }

-    pub(super) fn required_writers_for_dc(endpoint_count: usize) -> usize {
-        endpoint_count.max(3)
-    }
-
    fn hardswap_warmup_connect_delay_ms(&self) -> u64 {
        let min_ms = self.me_hardswap_warmup_delay_min_ms.load(Ordering::Relaxed);
        let max_ms = self.me_hardswap_warmup_delay_max_ms.load(Ordering::Relaxed);
@@ -131,26 +167,30 @@ impl MePool {
        core.saturating_add(rand::rng().random_range(0..=jitter))
    }

-    async fn fresh_writer_count_for_endpoints(
+    async fn fresh_writer_count_for_dc_endpoints(
        &self,
        generation: u64,
+        dc: i32,
        endpoints: &HashSet<SocketAddr>,
    ) -> usize {
        let ws = self.writers.read().await;
        ws.iter()
            .filter(|w| !w.draining.load(Ordering::Relaxed))
            .filter(|w| w.generation == generation)
+            .filter(|w| w.writer_dc == dc)
            .filter(|w| endpoints.contains(&w.addr))
            .count()
    }

-    pub(super) async fn active_writer_count_for_endpoints(
+    pub(super) async fn active_writer_count_for_dc_endpoints(
        &self,
+        dc: i32,
        endpoints: &HashSet<SocketAddr>,
    ) -> usize {
        let ws = self.writers.read().await;
        ws.iter()
            .filter(|w| !w.draining.load(Ordering::Relaxed))
+            .filter(|w| w.writer_dc == dc)
            .filter(|w| endpoints.contains(&w.addr))
            .count()
    }
@@ -174,10 +214,10 @@ impl MePool {

            let mut endpoint_list: Vec<SocketAddr> = endpoints.iter().copied().collect();
            endpoint_list.sort_unstable();
-            let required = Self::required_writers_for_dc(endpoint_list.len());
+            let required = self.required_writers_for_dc(endpoint_list.len());
            let mut completed = false;
            let mut last_fresh_count = self
-                .fresh_writer_count_for_endpoints(generation, endpoints)
+                .fresh_writer_count_for_dc_endpoints(generation, *dc, endpoints)
                .await;

            for pass_idx in 0..total_passes {
@@ -202,7 +242,16 @@ impl MePool {
                    let delay_ms = self.hardswap_warmup_connect_delay_ms();
                    tokio::time::sleep(Duration::from_millis(delay_ms)).await;

-                    let connected = self.connect_endpoints_round_robin(&endpoint_list, rng).await;
+                    let connected = self
+                        .connect_endpoints_round_robin_with_generation_contour(
+                            *dc,
+                            &endpoint_list,
+                            rng,
+                            generation,
+                            WriterContour::Warm,
+                            false,
+                        )
+                        .await;
                    debug!(
                        dc = *dc,
                        pass = pass_idx + 1,
@@ -215,7 +264,7 @@ impl MePool {
                }

                last_fresh_count = self
-                    .fresh_writer_count_for_endpoints(generation, endpoints)
+                    .fresh_writer_count_for_dc_endpoints(generation, *dc, endpoints)
                    .await;
                if last_fresh_count >= required {
                    completed = true;
@@ -265,11 +314,61 @@ impl MePool {
            return;
        }

+        let desired_map_hash = Self::desired_map_hash(&desired_by_dc);
+        let now_epoch_secs = Self::now_epoch_secs();
        let previous_generation = self.current_generation();
-        let generation = self.generation.fetch_add(1, Ordering::Relaxed) + 1;
        let hardswap = self.hardswap.load(Ordering::Relaxed);
+        let generation = if hardswap {
+            let pending_generation = self.pending_hardswap_generation.load(Ordering::Relaxed);
+            let pending_started_at = self
+                .pending_hardswap_started_at_epoch_secs
+                .load(Ordering::Relaxed);
+            let pending_map_hash = self.pending_hardswap_map_hash.load(Ordering::Relaxed);
+            let pending_age_secs = now_epoch_secs.saturating_sub(pending_started_at);
+            let pending_ttl_expired = pending_started_at > 0 && pending_age_secs > ME_HARDSWAP_PENDING_TTL_SECS;
+            let pending_matches_map = pending_map_hash != 0 && pending_map_hash == desired_map_hash;
+
+            if pending_generation != 0
+                && pending_generation >= previous_generation
+                && pending_matches_map
+                && !pending_ttl_expired
+            {
+                self.stats.increment_me_hardswap_pending_reuse_total();
+                debug!(
+                    previous_generation,
+                    generation = pending_generation,
+                    pending_age_secs,
+                    "ME hardswap continues with pending generation"
+                );
+                pending_generation
+            } else {
+                if pending_generation != 0 && pending_ttl_expired {
+                    self.stats.increment_me_hardswap_pending_ttl_expired_total();
+                    warn!(
+                        previous_generation,
+                        generation = pending_generation,
+                        pending_age_secs,
+                        pending_ttl_secs = ME_HARDSWAP_PENDING_TTL_SECS,
+                        "ME hardswap pending generation expired by TTL; starting fresh generation"
+                    );
+                }
+                let next_generation = self.generation.fetch_add(1, Ordering::Relaxed) + 1;
+                self.pending_hardswap_generation
+                    .store(next_generation, Ordering::Relaxed);
+                self.pending_hardswap_started_at_epoch_secs
+                    .store(now_epoch_secs, Ordering::Relaxed);
+                self.pending_hardswap_map_hash
+                    .store(desired_map_hash, Ordering::Relaxed);
+                self.warm_generation.store(next_generation, Ordering::Relaxed);
+                next_generation
+            }
+        } else {
+            self.clear_pending_hardswap_state();
+            self.generation.fetch_add(1, Ordering::Relaxed) + 1
+        };

        if hardswap {
+            self.warm_generation.store(generation, Ordering::Relaxed);
            self.warmup_generation_for_all_dcs(rng, generation, &desired_by_dc)
                .await;
        } else {
@@ -277,10 +376,10 @@ impl MePool {
        }

        let writers = self.writers.read().await;
-        let active_writer_addrs: HashSet<SocketAddr> = writers
+        let active_writer_addrs: HashSet<(i32, SocketAddr)> = writers
            .iter()
            .filter(|w| !w.draining.load(Ordering::Relaxed))
-            .map(|w| w.addr)
+            .map(|w| (w.writer_dc, w.addr))
            .collect();
        let min_ratio = Self::permille_to_ratio(
            self.me_pool_min_fresh_ratio_permille
@@ -305,11 +404,12 @@ impl MePool {
                if endpoints.is_empty() {
                    continue;
                }
-                let required = Self::required_writers_for_dc(endpoints.len());
+                let required = self.required_writers_for_dc(endpoints.len());
                let fresh_count = writers
                    .iter()
                    .filter(|w| !w.draining.load(Ordering::Relaxed))
                    .filter(|w| w.generation == generation)
+                    .filter(|w| w.writer_dc == *dc)
                    .filter(|w| endpoints.contains(&w.addr))
                    .count();
                if fresh_count < required {
@@ -334,9 +434,13 @@ impl MePool {
            return;
        }

-        let desired_addrs: HashSet<SocketAddr> = desired_by_dc
-            .values()
-            .flat_map(|set| set.iter().copied())
+        if hardswap {
+            self.promote_warm_generation_to_active(generation).await;
+        }
+
+        let desired_addrs: HashSet<(i32, SocketAddr)> = desired_by_dc
+            .iter()
+            .flat_map(|(dc, set)| set.iter().copied().map(|addr| (*dc, addr)))
            .collect();

        let stale_writer_ids: Vec<u64> = writers
@@ -346,7 +450,7 @@ impl MePool {
                if hardswap {
                    w.generation < generation
                } else {
-                    !desired_addrs.contains(&w.addr)
+                    !desired_addrs.contains(&(w.writer_dc, w.addr))
                }
            })
            .map(|w| w.id)
@@ -354,6 +458,9 @@ impl MePool {
        drop(writers);

        if stale_writer_ids.is_empty() {
+            if hardswap {
+                self.clear_pending_hardswap_state();
+            }
            debug!("ME reinit cycle completed with no stale writers");
            return;
        }
@@ -375,6 +482,9 @@ impl MePool {
            self.mark_writer_draining_with_timeout(writer_id, drain_timeout, !hardswap)
                .await;
        }
+        if hardswap {
+            self.clear_pending_hardswap_state();
+        }
    }

    pub async fn zero_downtime_reinit_periodic(self: &Arc<Self>, rng: &SecureRandom) {
--- a/src/transport/middle_proxy/pool_runtime_api.rs
+++ b/src/transport/middle_proxy/pool_runtime_api.rs
@@ -0,0 +1,128 @@
+use std::collections::HashMap;
+use std::time::Instant;
+
+use super::pool::{MePool, RefillDcKey};
+use crate::network::IpFamily;
+
+#[derive(Clone, Debug)]
+pub(crate) struct MeApiRefillDcSnapshot {
+    pub dc: i16,
+    pub family: &'static str,
+    pub inflight: usize,
+}
+
+#[derive(Clone, Debug)]
+pub(crate) struct MeApiRefillSnapshot {
+    pub inflight_endpoints_total: usize,
+    pub inflight_dc_total: usize,
+    pub by_dc: Vec<MeApiRefillDcSnapshot>,
+}
+
+#[derive(Clone, Debug)]
+pub(crate) struct MeApiNatReflectionSnapshot {
+    pub addr: std::net::SocketAddr,
+    pub age_secs: u64,
+}
+
+#[derive(Clone, Debug)]
+pub(crate) struct MeApiNatStunSnapshot {
+    pub nat_probe_enabled: bool,
+    pub nat_probe_disabled_runtime: bool,
+    pub nat_probe_attempts: u8,
+    pub configured_servers: Vec<String>,
+    pub live_servers: Vec<String>,
+    pub reflection_v4: Option<MeApiNatReflectionSnapshot>,
+    pub reflection_v6: Option<MeApiNatReflectionSnapshot>,
+    pub stun_backoff_remaining_ms: Option<u64>,
+}
+
+impl MePool {
+    pub(crate) async fn api_refill_snapshot(&self) -> MeApiRefillSnapshot {
+        let inflight_endpoints_total = self.refill_inflight.lock().await.len();
+        let inflight_dc_keys = self
+            .refill_inflight_dc
+            .lock()
+            .await
+            .iter()
+            .copied()
+            .collect::<Vec<RefillDcKey>>();
+
+        let mut by_dc_map = HashMap::<(i16, &'static str), usize>::new();
+        for key in inflight_dc_keys {
+            let family = match key.family {
+                IpFamily::V4 => "v4",
+                IpFamily::V6 => "v6",
+            };
+            let dc = key.dc as i16;
+            *by_dc_map.entry((dc, family)).or_insert(0) += 1;
+        }
+
+        let mut by_dc = by_dc_map
+            .into_iter()
+            .map(|((dc, family), inflight)| MeApiRefillDcSnapshot {
+                dc,
+                family,
+                inflight,
+            })
+            .collect::<Vec<_>>();
+        by_dc.sort_by_key(|entry| (entry.dc, entry.family));
+
+        MeApiRefillSnapshot {
+            inflight_endpoints_total,
+            inflight_dc_total: by_dc.len(),
+            by_dc,
+        }
+    }
+
+    pub(crate) async fn api_nat_stun_snapshot(&self) -> MeApiNatStunSnapshot {
+        let now = Instant::now();
+        let mut configured_servers = if !self.nat_stun_servers.is_empty() {
+            self.nat_stun_servers.clone()
+        } else if let Some(stun) = &self.nat_stun {
+            if stun.trim().is_empty() {
+                Vec::new()
+            } else {
+                vec![stun.clone()]
+            }
+        } else {
+            Vec::new()
+        };
+        configured_servers.sort();
+        configured_servers.dedup();
+
+        let mut live_servers = self.nat_stun_live_servers.read().await.clone();
+        live_servers.sort();
+        live_servers.dedup();
+
+        let reflection = self.nat_reflection_cache.lock().await;
+        let reflection_v4 = reflection.v4.map(|(ts, addr)| MeApiNatReflectionSnapshot {
+            addr,
+            age_secs: now.saturating_duration_since(ts).as_secs(),
+        });
+        let reflection_v6 = reflection.v6.map(|(ts, addr)| MeApiNatReflectionSnapshot {
+            addr,
+            age_secs: now.saturating_duration_since(ts).as_secs(),
+        });
+        drop(reflection);
+
+        let backoff_until = *self.stun_backoff_until.read().await;
+        let stun_backoff_remaining_ms = backoff_until.and_then(|until| {
+            (until > now).then_some(until.duration_since(now).as_millis() as u64)
+        });
+
+        MeApiNatStunSnapshot {
+            nat_probe_enabled: self.nat_probe,
+            nat_probe_disabled_runtime: self
+                .nat_probe_disabled
+                .load(std::sync::atomic::Ordering::Relaxed),
+            nat_probe_attempts: self
+                .nat_probe_attempts
+                .load(std::sync::atomic::Ordering::Relaxed),
+            configured_servers,
+            live_servers,
+            reflection_v4,
+            reflection_v6,
+            stun_backoff_remaining_ms,
+        }
+    }
+}
--- a/src/transport/middle_proxy/pool_status.rs
+++ b/src/transport/middle_proxy/pool_status.rs
@@ -0,0 +1,636 @@
+use std::collections::{BTreeMap, BTreeSet, HashMap};
+use std::net::{IpAddr, SocketAddr};
+use std::sync::atomic::Ordering;
+use std::time::Instant;
+
+use super::pool::{MePool, WriterContour};
+use crate::config::{MeBindStaleMode, MeFloorMode, MeSocksKdfPolicy};
+use crate::transport::upstream::IpPreference;
+
+#[derive(Clone, Debug)]
+pub(crate) struct MeApiWriterStatusSnapshot {
+    pub writer_id: u64,
+    pub dc: Option<i16>,
+    pub endpoint: SocketAddr,
+    pub generation: u64,
+    pub state: &'static str,
+    pub draining: bool,
+    pub degraded: bool,
+    pub bound_clients: usize,
+    pub idle_for_secs: Option<u64>,
+    pub rtt_ema_ms: Option<f64>,
+}
+
+#[derive(Clone, Debug)]
+pub(crate) struct MeApiDcStatusSnapshot {
+    pub dc: i16,
+    pub endpoints: Vec<SocketAddr>,
+    pub endpoint_writers: Vec<MeApiDcEndpointWriterSnapshot>,
+    pub available_endpoints: usize,
+    pub available_pct: f64,
+    pub required_writers: usize,
+    pub floor_min: usize,
+    pub floor_target: usize,
+    pub floor_max: usize,
+    pub floor_capped: bool,
+    pub alive_writers: usize,
+    pub coverage_pct: f64,
+    pub rtt_ms: Option<f64>,
+    pub load: usize,
+}
+
+#[derive(Clone, Debug)]
+pub(crate) struct MeApiDcEndpointWriterSnapshot {
+    pub endpoint: SocketAddr,
+    pub active_writers: usize,
+}
+
+#[derive(Clone, Debug)]
+pub(crate) struct MeApiStatusSnapshot {
+    pub generated_at_epoch_secs: u64,
+    pub configured_dc_groups: usize,
+    pub configured_endpoints: usize,
+    pub available_endpoints: usize,
+    pub available_pct: f64,
+    pub required_writers: usize,
+    pub alive_writers: usize,
+    pub coverage_pct: f64,
+    pub writers: Vec<MeApiWriterStatusSnapshot>,
+    pub dcs: Vec<MeApiDcStatusSnapshot>,
+}
+
+#[derive(Clone, Debug)]
+pub(crate) struct MeApiQuarantinedEndpointSnapshot {
+    pub endpoint: SocketAddr,
+    pub remaining_ms: u64,
+}
+
+#[derive(Clone, Debug)]
+pub(crate) struct MeApiDcPathSnapshot {
+    pub dc: i16,
+    pub ip_preference: Option<&'static str>,
+    pub selected_addr_v4: Option<SocketAddr>,
+    pub selected_addr_v6: Option<SocketAddr>,
+}
+
+#[derive(Clone, Debug)]
+pub(crate) struct MeApiRuntimeSnapshot {
+    pub active_generation: u64,
+    pub warm_generation: u64,
+    pub pending_hardswap_generation: u64,
+    pub pending_hardswap_age_secs: Option<u64>,
+    pub hardswap_enabled: bool,
+    pub floor_mode: &'static str,
+    pub adaptive_floor_idle_secs: u64,
+    pub adaptive_floor_min_writers_single_endpoint: u8,
+    pub adaptive_floor_min_writers_multi_endpoint: u8,
+    pub adaptive_floor_recover_grace_secs: u64,
+    pub adaptive_floor_writers_per_core_total: u16,
+    pub adaptive_floor_cpu_cores_override: u16,
+    pub adaptive_floor_max_extra_writers_single_per_core: u16,
+    pub adaptive_floor_max_extra_writers_multi_per_core: u16,
+    pub adaptive_floor_max_active_writers_per_core: u16,
+    pub adaptive_floor_max_warm_writers_per_core: u16,
+    pub adaptive_floor_max_active_writers_global: u32,
+    pub adaptive_floor_max_warm_writers_global: u32,
+    pub adaptive_floor_cpu_cores_detected: u32,
+    pub adaptive_floor_cpu_cores_effective: u32,
+    pub adaptive_floor_global_cap_raw: u64,
+    pub adaptive_floor_global_cap_effective: u64,
+    pub adaptive_floor_target_writers_total: u64,
+    pub adaptive_floor_active_cap_configured: u64,
+    pub adaptive_floor_active_cap_effective: u64,
+    pub adaptive_floor_warm_cap_configured: u64,
+    pub adaptive_floor_warm_cap_effective: u64,
+    pub adaptive_floor_active_writers_current: u64,
+    pub adaptive_floor_warm_writers_current: u64,
+    pub me_keepalive_enabled: bool,
+    pub me_keepalive_interval_secs: u64,
+    pub me_keepalive_jitter_secs: u64,
+    pub me_keepalive_payload_random: bool,
+    pub rpc_proxy_req_every_secs: u64,
+    pub me_reconnect_max_concurrent_per_dc: u32,
+    pub me_reconnect_backoff_base_ms: u64,
+    pub me_reconnect_backoff_cap_ms: u64,
+    pub me_reconnect_fast_retry_count: u32,
+    pub me_pool_drain_ttl_secs: u64,
+    pub me_pool_force_close_secs: u64,
+    pub me_pool_min_fresh_ratio: f32,
+    pub me_bind_stale_mode: &'static str,
+    pub me_bind_stale_ttl_secs: u64,
+    pub me_single_endpoint_shadow_writers: u8,
+    pub me_single_endpoint_outage_mode_enabled: bool,
+    pub me_single_endpoint_outage_disable_quarantine: bool,
+    pub me_single_endpoint_outage_backoff_min_ms: u64,
+    pub me_single_endpoint_outage_backoff_max_ms: u64,
+    pub me_single_endpoint_shadow_rotate_every_secs: u64,
+    pub me_deterministic_writer_sort: bool,
+    pub me_writer_pick_mode: &'static str,
+    pub me_writer_pick_sample_size: u8,
+    pub me_socks_kdf_policy: &'static str,
+    pub quarantined_endpoints: Vec<MeApiQuarantinedEndpointSnapshot>,
+    pub network_path: Vec<MeApiDcPathSnapshot>,
+}
+
+impl MePool {
+    pub(crate) async fn admission_ready_conditional_cast(&self) -> bool {
+        let mut endpoints_by_dc = BTreeMap::<i16, BTreeSet<SocketAddr>>::new();
+        if self.decision.ipv4_me {
+            let map = self.proxy_map_v4.read().await.clone();
+            extend_signed_endpoints(&mut endpoints_by_dc, map);
+        }
+        if self.decision.ipv6_me {
+            let map = self.proxy_map_v6.read().await.clone();
+            extend_signed_endpoints(&mut endpoints_by_dc, map);
+        }
+
+        if endpoints_by_dc.is_empty() {
+            return false;
+        }
+
+        let writers = self.writers.read().await.clone();
+        let mut live_writers_by_dc = HashMap::<i16, usize>::new();
+        for writer in writers {
+            if writer.draining.load(Ordering::Relaxed) {
+                continue;
+            }
+            if let Ok(dc) = i16::try_from(writer.writer_dc) {
+                *live_writers_by_dc.entry(dc).or_insert(0) += 1;
+            }
+        }
+
+        for dc in endpoints_by_dc.keys() {
+            let alive = live_writers_by_dc.get(dc).copied().unwrap_or(0);
+            if alive == 0 {
+                return false;
+            }
+        }
+
+        true
+    }
+
+    #[allow(dead_code)]
+    pub(crate) async fn admission_ready_full_floor(&self) -> bool {
+        let mut endpoints_by_dc = BTreeMap::<i16, BTreeSet<SocketAddr>>::new();
+        if self.decision.ipv4_me {
+            let map = self.proxy_map_v4.read().await.clone();
+            extend_signed_endpoints(&mut endpoints_by_dc, map);
+        }
+        if self.decision.ipv6_me {
+            let map = self.proxy_map_v6.read().await.clone();
+            extend_signed_endpoints(&mut endpoints_by_dc, map);
+        }
+
+        if endpoints_by_dc.is_empty() {
+            return false;
+        }
+
+        let writers = self.writers.read().await.clone();
+        let mut live_writers_by_dc = HashMap::<i16, usize>::new();
+        for writer in writers {
+            if writer.draining.load(Ordering::Relaxed) {
+                continue;
+            }
+            if let Ok(dc) = i16::try_from(writer.writer_dc) {
+                *live_writers_by_dc.entry(dc).or_insert(0) += 1;
+            }
+        }
+
+        for (dc, endpoints) in endpoints_by_dc {
+            let endpoint_count = endpoints.len();
+            if endpoint_count == 0 {
+                return false;
+            }
+            let required = self.required_writers_for_dc_with_floor_mode(endpoint_count, false);
+            let alive = live_writers_by_dc.get(&dc).copied().unwrap_or(0);
+            if alive < required {
+                return false;
+            }
+        }
+
+        true
+    }
+
+    pub(crate) async fn api_status_snapshot(&self) -> MeApiStatusSnapshot {
+        let now_epoch_secs = Self::now_epoch_secs();
+
+        let mut endpoints_by_dc = BTreeMap::<i16, BTreeSet<SocketAddr>>::new();
+        if self.decision.ipv4_me {
+            let map = self.proxy_map_v4.read().await.clone();
+            extend_signed_endpoints(&mut endpoints_by_dc, map);
+        }
+        if self.decision.ipv6_me {
+            let map = self.proxy_map_v6.read().await.clone();
+            extend_signed_endpoints(&mut endpoints_by_dc, map);
+        }
+
+        let configured_dc_groups = endpoints_by_dc.len();
+        let configured_endpoints = endpoints_by_dc.values().map(BTreeSet::len).sum();
+
+        let required_writers = endpoints_by_dc
+            .values()
+            .map(|endpoints| self.required_writers_for_dc_with_floor_mode(endpoints.len(), false))
+            .sum();
+
+        let idle_since = self.registry.writer_idle_since_snapshot().await;
+        let activity = self.registry.writer_activity_snapshot().await;
+        let rtt = self.rtt_stats.lock().await.clone();
+        let writers = self.writers.read().await.clone();
+
+        let mut live_writers_by_dc_endpoint = HashMap::<(i16, SocketAddr), usize>::new();
+        let mut live_writers_by_dc = HashMap::<i16, usize>::new();
+        let mut dc_rtt_agg = HashMap::<i16, (f64, u64)>::new();
+        let mut writer_rows = Vec::<MeApiWriterStatusSnapshot>::with_capacity(writers.len());
+
+        for writer in writers {
+            let endpoint = writer.addr;
+            let dc = i16::try_from(writer.writer_dc).ok();
+            let draining = writer.draining.load(Ordering::Relaxed);
+            let degraded = writer.degraded.load(Ordering::Relaxed);
+            let bound_clients = activity
+                .bound_clients_by_writer
+                .get(&writer.id)
+                .copied()
+                .unwrap_or(0);
+            let idle_for_secs = idle_since
+                .get(&writer.id)
+                .map(|idle_ts| now_epoch_secs.saturating_sub(*idle_ts));
+            let rtt_ema_ms = rtt.get(&writer.id).map(|(_, ema)| *ema);
+            let state = match WriterContour::from_u8(writer.contour.load(Ordering::Relaxed)) {
+                WriterContour::Warm => "warm",
+                WriterContour::Active => "active",
+                WriterContour::Draining => "draining",
+            };
+
+            if !draining {
+                if let Some(dc_idx) = dc {
+                    *live_writers_by_dc_endpoint
+                        .entry((dc_idx, endpoint))
+                        .or_insert(0) += 1;
+                    *live_writers_by_dc.entry(dc_idx).or_insert(0) += 1;
+                    if let Some(ema_ms) = rtt_ema_ms {
+                        let entry = dc_rtt_agg.entry(dc_idx).or_insert((0.0, 0));
+                        entry.0 += ema_ms;
+                        entry.1 += 1;
+                    }
+                }
+            }
+
+            writer_rows.push(MeApiWriterStatusSnapshot {
+                writer_id: writer.id,
+                dc,
+                endpoint,
+                generation: writer.generation,
+                state,
+                draining,
+                degraded,
+                bound_clients,
+                idle_for_secs,
+                rtt_ema_ms,
+            });
+        }
+
+        writer_rows.sort_by_key(|row| (row.dc.unwrap_or(i16::MAX), row.endpoint, row.writer_id));
+
+        let mut dcs = Vec::<MeApiDcStatusSnapshot>::with_capacity(endpoints_by_dc.len());
+        let mut available_endpoints = 0usize;
+        let mut alive_writers = 0usize;
+        let floor_mode = self.floor_mode();
+        let adaptive_cpu_cores = (self
+            .me_adaptive_floor_cpu_cores_effective
+            .load(Ordering::Relaxed) as usize)
+            .max(1);
+        for (dc, endpoints) in endpoints_by_dc {
+            let endpoint_count = endpoints.len();
+            let dc_available_endpoints = endpoints
+                .iter()
+                .filter(|endpoint| live_writers_by_dc_endpoint.contains_key(&(dc, **endpoint)))
+                .count();
+            let base_required = self.required_writers_for_dc(endpoint_count);
+            let dc_required_writers =
+                self.required_writers_for_dc_with_floor_mode(endpoint_count, false);
+            let floor_min = if endpoint_count <= 1 {
+                (self
+                    .me_adaptive_floor_min_writers_single_endpoint
+                    .load(Ordering::Relaxed) as usize)
+                    .max(1)
+                    .min(base_required.max(1))
+            } else {
+                (self
+                    .me_adaptive_floor_min_writers_multi_endpoint
+                    .load(Ordering::Relaxed) as usize)
+                    .max(1)
+                    .min(base_required.max(1))
+            };
+            let extra_per_core = if endpoint_count <= 1 {
+                self.me_adaptive_floor_max_extra_writers_single_per_core
+                    .load(Ordering::Relaxed) as usize
+            } else {
+                self.me_adaptive_floor_max_extra_writers_multi_per_core
+                    .load(Ordering::Relaxed) as usize
+            };
+            let floor_max = base_required.saturating_add(adaptive_cpu_cores.saturating_mul(extra_per_core));
+            let floor_capped = matches!(floor_mode, MeFloorMode::Adaptive)
+                && dc_required_writers < base_required;
+            let dc_alive_writers = live_writers_by_dc.get(&dc).copied().unwrap_or(0);
+            let dc_load = activity
+                .active_sessions_by_target_dc
+                .get(&dc)
+                .copied()
+                .unwrap_or(0);
+            let dc_rtt_ms = dc_rtt_agg
+                .get(&dc)
+                .and_then(|(sum, count)| (*count > 0).then_some(*sum / (*count as f64)));
+
+            available_endpoints += dc_available_endpoints;
+            alive_writers += dc_alive_writers;
+
+            dcs.push(MeApiDcStatusSnapshot {
+                dc,
+                endpoint_writers: endpoints
+                    .iter()
+                    .map(|endpoint| MeApiDcEndpointWriterSnapshot {
+                        endpoint: *endpoint,
+                        active_writers: live_writers_by_dc_endpoint
+                            .get(&(dc, *endpoint))
+                            .copied()
+                            .unwrap_or(0),
+                    })
+                    .collect(),
+                endpoints: endpoints.into_iter().collect(),
+                available_endpoints: dc_available_endpoints,
+                available_pct: ratio_pct(dc_available_endpoints, endpoint_count),
+                required_writers: dc_required_writers,
+                floor_min,
+                floor_target: dc_required_writers,
+                floor_max,
+                floor_capped,
+                alive_writers: dc_alive_writers,
+                coverage_pct: ratio_pct(dc_alive_writers, dc_required_writers),
+                rtt_ms: dc_rtt_ms,
+                load: dc_load,
+            });
+        }
+
+        MeApiStatusSnapshot {
+            generated_at_epoch_secs: now_epoch_secs,
+            configured_dc_groups,
+            configured_endpoints,
+            available_endpoints,
+            available_pct: ratio_pct(available_endpoints, configured_endpoints),
+            required_writers,
+            alive_writers,
+            coverage_pct: ratio_pct(alive_writers, required_writers),
+            writers: writer_rows,
+            dcs,
+        }
+    }
+
+    pub(crate) async fn api_runtime_snapshot(&self) -> MeApiRuntimeSnapshot {
+        let now = Instant::now();
+        let now_epoch_secs = Self::now_epoch_secs();
+        let pending_started_at = self
+            .pending_hardswap_started_at_epoch_secs
+            .load(Ordering::Relaxed);
+        let pending_hardswap_age_secs = (pending_started_at > 0)
+            .then_some(now_epoch_secs.saturating_sub(pending_started_at));
+
+        let mut quarantined_endpoints = Vec::<MeApiQuarantinedEndpointSnapshot>::new();
+        {
+            let guard = self.endpoint_quarantine.lock().await;
+            for (endpoint, expires_at) in guard.iter() {
+                if *expires_at <= now {
+                    continue;
+                }
+                let remaining_ms = expires_at.duration_since(now).as_millis() as u64;
+                quarantined_endpoints.push(MeApiQuarantinedEndpointSnapshot {
+                    endpoint: *endpoint,
+                    remaining_ms,
+                });
+            }
+        }
+        quarantined_endpoints.sort_by_key(|entry| entry.endpoint);
+
+        let mut network_path = Vec::<MeApiDcPathSnapshot>::new();
+        if let Some(upstream) = &self.upstream {
+            for dc in 1..=5 {
+                let dc_idx = dc as i16;
+                let ip_preference = upstream
+                    .get_dc_ip_preference(dc_idx)
+                    .await
+                    .map(ip_preference_label);
+                let selected_addr_v4 = upstream.get_dc_addr(dc_idx, false).await;
+                let selected_addr_v6 = upstream.get_dc_addr(dc_idx, true).await;
+                network_path.push(MeApiDcPathSnapshot {
+                    dc: dc_idx,
+                    ip_preference,
+                    selected_addr_v4,
+                    selected_addr_v6,
+                });
+            }
+        }
+
+        MeApiRuntimeSnapshot {
+            active_generation: self.active_generation.load(Ordering::Relaxed),
+            warm_generation: self.warm_generation.load(Ordering::Relaxed),
+            pending_hardswap_generation: self.pending_hardswap_generation.load(Ordering::Relaxed),
+            pending_hardswap_age_secs,
+            hardswap_enabled: self.hardswap.load(Ordering::Relaxed),
+            floor_mode: floor_mode_label(self.floor_mode()),
+            adaptive_floor_idle_secs: self.me_adaptive_floor_idle_secs.load(Ordering::Relaxed),
+            adaptive_floor_min_writers_single_endpoint: self
+                .me_adaptive_floor_min_writers_single_endpoint
+                .load(Ordering::Relaxed),
+            adaptive_floor_min_writers_multi_endpoint: self
+                .me_adaptive_floor_min_writers_multi_endpoint
+                .load(Ordering::Relaxed),
+            adaptive_floor_recover_grace_secs: self
+                .me_adaptive_floor_recover_grace_secs
+                .load(Ordering::Relaxed),
+            adaptive_floor_writers_per_core_total: self
+                .me_adaptive_floor_writers_per_core_total
+                .load(Ordering::Relaxed) as u16,
+            adaptive_floor_cpu_cores_override: self
+                .me_adaptive_floor_cpu_cores_override
+                .load(Ordering::Relaxed) as u16,
+            adaptive_floor_max_extra_writers_single_per_core: self
+                .me_adaptive_floor_max_extra_writers_single_per_core
+                .load(Ordering::Relaxed) as u16,
+            adaptive_floor_max_extra_writers_multi_per_core: self
+                .me_adaptive_floor_max_extra_writers_multi_per_core
+                .load(Ordering::Relaxed) as u16,
+            adaptive_floor_max_active_writers_per_core: self
+                .me_adaptive_floor_max_active_writers_per_core
+                .load(Ordering::Relaxed) as u16,
+            adaptive_floor_max_warm_writers_per_core: self
+                .me_adaptive_floor_max_warm_writers_per_core
+                .load(Ordering::Relaxed) as u16,
+            adaptive_floor_max_active_writers_global: self
+                .me_adaptive_floor_max_active_writers_global
+                .load(Ordering::Relaxed),
+            adaptive_floor_max_warm_writers_global: self
+                .me_adaptive_floor_max_warm_writers_global
+                .load(Ordering::Relaxed),
+            adaptive_floor_cpu_cores_detected: self
+                .me_adaptive_floor_cpu_cores_detected
+                .load(Ordering::Relaxed),
+            adaptive_floor_cpu_cores_effective: self
+                .me_adaptive_floor_cpu_cores_effective
+                .load(Ordering::Relaxed),
+            adaptive_floor_global_cap_raw: self
+                .me_adaptive_floor_global_cap_raw
+                .load(Ordering::Relaxed),
+            adaptive_floor_global_cap_effective: self
+                .me_adaptive_floor_global_cap_effective
+                .load(Ordering::Relaxed),
+            adaptive_floor_target_writers_total: self
+                .me_adaptive_floor_target_writers_total
+                .load(Ordering::Relaxed),
+            adaptive_floor_active_cap_configured: self
+                .me_adaptive_floor_active_cap_configured
+                .load(Ordering::Relaxed),
+            adaptive_floor_active_cap_effective: self
+                .me_adaptive_floor_active_cap_effective
+                .load(Ordering::Relaxed),
+            adaptive_floor_warm_cap_configured: self
+                .me_adaptive_floor_warm_cap_configured
+                .load(Ordering::Relaxed),
+            adaptive_floor_warm_cap_effective: self
+                .me_adaptive_floor_warm_cap_effective
+                .load(Ordering::Relaxed),
+            adaptive_floor_active_writers_current: self
+                .me_adaptive_floor_active_writers_current
+                .load(Ordering::Relaxed),
+            adaptive_floor_warm_writers_current: self
+                .me_adaptive_floor_warm_writers_current
+                .load(Ordering::Relaxed),
+            me_keepalive_enabled: self.me_keepalive_enabled,
+            me_keepalive_interval_secs: self.me_keepalive_interval.as_secs(),
+            me_keepalive_jitter_secs: self.me_keepalive_jitter.as_secs(),
+            me_keepalive_payload_random: self.me_keepalive_payload_random,
+            rpc_proxy_req_every_secs: self.rpc_proxy_req_every_secs.load(Ordering::Relaxed),
+            me_reconnect_max_concurrent_per_dc: self.me_reconnect_max_concurrent_per_dc,
+            me_reconnect_backoff_base_ms: self.me_reconnect_backoff_base.as_millis() as u64,
+            me_reconnect_backoff_cap_ms: self.me_reconnect_backoff_cap.as_millis() as u64,
+            me_reconnect_fast_retry_count: self.me_reconnect_fast_retry_count,
+            me_pool_drain_ttl_secs: self.me_pool_drain_ttl_secs.load(Ordering::Relaxed),
+            me_pool_force_close_secs: self.me_pool_force_close_secs.load(Ordering::Relaxed),
+            me_pool_min_fresh_ratio: Self::permille_to_ratio(
+                self.me_pool_min_fresh_ratio_permille.load(Ordering::Relaxed),
+            ),
+            me_bind_stale_mode: bind_stale_mode_label(self.bind_stale_mode()),
+            me_bind_stale_ttl_secs: self.me_bind_stale_ttl_secs.load(Ordering::Relaxed),
+            me_single_endpoint_shadow_writers: self
+                .me_single_endpoint_shadow_writers
+                .load(Ordering::Relaxed),
+            me_single_endpoint_outage_mode_enabled: self
+                .me_single_endpoint_outage_mode_enabled
+                .load(Ordering::Relaxed),
+            me_single_endpoint_outage_disable_quarantine: self
+                .me_single_endpoint_outage_disable_quarantine
+                .load(Ordering::Relaxed),
+            me_single_endpoint_outage_backoff_min_ms: self
+                .me_single_endpoint_outage_backoff_min_ms
+                .load(Ordering::Relaxed),
+            me_single_endpoint_outage_backoff_max_ms: self
+                .me_single_endpoint_outage_backoff_max_ms
+                .load(Ordering::Relaxed),
+            me_single_endpoint_shadow_rotate_every_secs: self
+                .me_single_endpoint_shadow_rotate_every_secs
+                .load(Ordering::Relaxed),
+            me_deterministic_writer_sort: self
+                .me_deterministic_writer_sort
+                .load(Ordering::Relaxed),
+            me_writer_pick_mode: writer_pick_mode_label(self.writer_pick_mode()),
+            me_writer_pick_sample_size: self.writer_pick_sample_size() as u8,
+            me_socks_kdf_policy: socks_kdf_policy_label(self.socks_kdf_policy()),
+            quarantined_endpoints,
+            network_path,
+        }
+    }
+}
+
+fn ratio_pct(part: usize, total: usize) -> f64 {
+    if total == 0 {
+        return 0.0;
+    }
+    let pct = ((part as f64) / (total as f64)) * 100.0;
+    pct.clamp(0.0, 100.0)
+}
+
+fn extend_signed_endpoints(
+    endpoints_by_dc: &mut BTreeMap<i16, BTreeSet<SocketAddr>>,
+    map: HashMap<i32, Vec<(IpAddr, u16)>>,
+) {
+    for (dc, addrs) in map {
+        if dc == 0 {
+            continue;
+        }
+        let Ok(dc_idx) = i16::try_from(dc) else {
+            continue;
+        };
+        let entry = endpoints_by_dc.entry(dc_idx).or_default();
+        for (ip, port) in addrs {
+            entry.insert(SocketAddr::new(ip, port));
+        }
+    }
+}
+
+fn floor_mode_label(mode: MeFloorMode) -> &'static str {
+    match mode {
+        MeFloorMode::Static => "static",
+        MeFloorMode::Adaptive => "adaptive",
+    }
+}
+
+fn bind_stale_mode_label(mode: MeBindStaleMode) -> &'static str {
+    match mode {
+        MeBindStaleMode::Never => "never",
+        MeBindStaleMode::Ttl => "ttl",
+        MeBindStaleMode::Always => "always",
+    }
+}
+
+fn writer_pick_mode_label(mode: crate::config::MeWriterPickMode) -> &'static str {
+    match mode {
+        crate::config::MeWriterPickMode::SortedRr => "sorted_rr",
+        crate::config::MeWriterPickMode::P2c => "p2c",
+    }
+}
+
+fn socks_kdf_policy_label(policy: MeSocksKdfPolicy) -> &'static str {
+    match policy {
+        MeSocksKdfPolicy::Strict => "strict",
+        MeSocksKdfPolicy::Compat => "compat",
+    }
+}
+
+fn ip_preference_label(preference: IpPreference) -> &'static str {
+    match preference {
+        IpPreference::Unknown => "unknown",
+        IpPreference::PreferV6 => "prefer_v6",
+        IpPreference::PreferV4 => "prefer_v4",
+        IpPreference::BothWork => "both",
+        IpPreference::Unavailable => "unavailable",
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::ratio_pct;
+
+    #[test]
+    fn ratio_pct_is_zero_when_denominator_is_zero() {
+        assert_eq!(ratio_pct(1, 0), 0.0);
+    }
+
+    #[test]
+    fn ratio_pct_is_capped_at_100() {
+        assert_eq!(ratio_pct(7, 3), 100.0);
+    }
+
+    #[test]
+    fn ratio_pct_reports_expected_value() {
+        assert_eq!(ratio_pct(1, 4), 25.0);
+    }
+}
--- a/src/transport/middle_proxy/pool_writer.rs
+++ b/src/transport/middle_proxy/pool_writer.rs
@@ -1,26 +1,35 @@
 use std::net::SocketAddr;
 use std::sync::Arc;
-use std::sync::atomic::{AtomicBool, AtomicU64, Ordering};
+use std::sync::atomic::{AtomicBool, AtomicU8, AtomicU32, AtomicU64, Ordering};
 use std::time::{Duration, Instant};
+use std::io::ErrorKind;

+use bytes::Bytes;
 use bytes::BytesMut;
 use rand::Rng;
 use tokio::sync::mpsc;
 use tokio_util::sync::CancellationToken;
 use tracing::{debug, info, warn};

+use crate::config::MeBindStaleMode;
 use crate::crypto::SecureRandom;
 use crate::error::{ProxyError, Result};
-use crate::protocol::constants::RPC_PING_U32;
+use crate::protocol::constants::{RPC_CLOSE_EXT_U32, RPC_PING_U32};

 use super::codec::{RpcWriter, WriterCommand};
-use super::pool::{MePool, MeWriter};
+use super::pool::{MePool, MeWriter, WriterContour};
 use super::reader::reader_loop;
 use super::registry::BoundConn;
+use super::wire::build_proxy_req_payload;

 const ME_ACTIVE_PING_SECS: u64 = 25;
 const ME_ACTIVE_PING_JITTER_SECS: i64 = 5;
 const ME_IDLE_KEEPALIVE_MAX_SECS: u64 = 5;
+const ME_RPC_PROXY_REQ_RESPONSE_WAIT_MS: u64 = 700;
+
+fn is_me_peer_closed_error(error: &ProxyError) -> bool {
+    matches!(error, ProxyError::Io(ioe) if ioe.kind() == ErrorKind::UnexpectedEof)
+}

 impl MePool {
    pub(crate) async fn prune_closed_writers(self: &Arc<Self>) {
@@ -41,23 +50,90 @@ impl MePool {
        }
    }

-    pub(crate) async fn connect_one(self: &Arc<Self>, addr: SocketAddr, rng: &SecureRandom) -> Result<()> {
-        let secret_len = self.proxy_secret.read().await.len();
+    pub(crate) async fn connect_one_for_dc(
+        self: &Arc<Self>,
+        addr: SocketAddr,
+        writer_dc: i32,
+        rng: &SecureRandom,
+    ) -> Result<()> {
+        self.connect_one_with_generation_contour(
+            addr,
+            rng,
+            self.current_generation(),
+            WriterContour::Active,
+            writer_dc,
+        )
+        .await
+    }
+
+    pub(super) async fn connect_one_with_generation_contour(
+        self: &Arc<Self>,
+        addr: SocketAddr,
+        rng: &SecureRandom,
+        generation: u64,
+        contour: WriterContour,
+        writer_dc: i32,
+    ) -> Result<()> {
+        self.connect_one_with_generation_contour_for_dc(addr, rng, generation, contour, writer_dc)
+            .await
+    }
+
+    pub(super) async fn connect_one_with_generation_contour_for_dc(
+        self: &Arc<Self>,
+        addr: SocketAddr,
+        rng: &SecureRandom,
+        generation: u64,
+        contour: WriterContour,
+        writer_dc: i32,
+    ) -> Result<()> {
+        self.connect_one_with_generation_contour_for_dc_with_cap_policy(
+            addr,
+            rng,
+            generation,
+            contour,
+            writer_dc,
+            false,
+        )
+        .await
+    }
+
+    pub(super) async fn connect_one_with_generation_contour_for_dc_with_cap_policy(
+        self: &Arc<Self>,
+        addr: SocketAddr,
+        rng: &SecureRandom,
+        generation: u64,
+        contour: WriterContour,
+        writer_dc: i32,
+        allow_coverage_override: bool,
+    ) -> Result<()> {
+        if !self
+            .can_open_writer_for_contour(contour, allow_coverage_override)
+            .await
+        {
+            return Err(ProxyError::Proxy(format!(
+                "ME {contour:?} writer cap reached"
+            )));
+        }
+
+        let secret_len = self.proxy_secret.read().await.secret.len();
        if secret_len < 32 {
            return Err(ProxyError::Proxy("proxy-secret too short for ME auth".into()));
        }

-        let (stream, _connect_ms) = self.connect_tcp(addr).await?;
-        let hs = self.handshake_only(stream, addr, rng).await?;
+        let dc_idx = i16::try_from(writer_dc).ok();
+        let (stream, _connect_ms, upstream_egress) = self.connect_tcp(addr, dc_idx).await?;
+        let hs = self.handshake_only(stream, addr, upstream_egress, rng).await?;

        let writer_id = self.next_writer_id.fetch_add(1, Ordering::Relaxed);
-        let generation = self.current_generation();
+        let contour = Arc::new(AtomicU8::new(contour.as_u8()));
        let cancel = CancellationToken::new();
        let degraded = Arc::new(AtomicBool::new(false));
+        let rtt_ema_ms_x10 = Arc::new(AtomicU32::new(0));
        let draining = Arc::new(AtomicBool::new(false));
        let draining_started_at_epoch_secs = Arc::new(AtomicU64::new(0));
+        let drain_deadline_epoch_secs = Arc::new(AtomicU64::new(0));
        let allow_drain_fallback = Arc::new(AtomicBool::new(false));
-        let (tx, mut rx) = mpsc::channel::<WriterCommand>(4096);
+        let (tx, mut rx) = mpsc::channel::<WriterCommand>(self.writer_cmd_channel_capacity);
        let mut rpc_writer = RpcWriter {
            writer: hs.wr,
            key: hs.write_key,
@@ -87,15 +163,21 @@ impl MePool {
        let writer = MeWriter {
            id: writer_id,
            addr,
+            writer_dc,
            generation,
+            contour: contour.clone(),
+            created_at: Instant::now(),
            tx: tx.clone(),
            cancel: cancel.clone(),
            degraded: degraded.clone(),
+            rtt_ema_ms_x10: rtt_ema_ms_x10.clone(),
            draining: draining.clone(),
            draining_started_at_epoch_secs: draining_started_at_epoch_secs.clone(),
+            drain_deadline_epoch_secs: drain_deadline_epoch_secs.clone(),
            allow_drain_fallback: allow_drain_fallback.clone(),
        };
        self.writers.write().await.push(writer.clone());
+        self.registry.mark_writer_idle(writer_id).await;
        self.conn_count.fetch_add(1, Ordering::Relaxed);
        self.writer_available.notify_one();

@@ -105,6 +187,7 @@ impl MePool {
        let ping_tracker_reader = ping_tracker.clone();
        let rtt_stats = self.rtt_stats.clone();
        let stats_reader = self.stats.clone();
+        let stats_reader_close = self.stats.clone();
        let stats_ping = self.stats.clone();
        let pool = Arc::downgrade(self);
        let cancel_ping = cancel.clone();
@@ -116,6 +199,13 @@ impl MePool {
        let keepalive_enabled = self.me_keepalive_enabled;
        let keepalive_interval = self.me_keepalive_interval;
        let keepalive_jitter = self.me_keepalive_jitter;
+        let rpc_proxy_req_every_secs = self.rpc_proxy_req_every_secs.load(Ordering::Relaxed);
+        let tx_signal = tx.clone();
+        let stats_signal = self.stats.clone();
+        let cancel_signal = cancel.clone();
+        let cleanup_for_signal = cleanup_done.clone();
+        let pool_signal = Arc::downgrade(self);
+        let keepalive_jitter_signal = self.me_keepalive_jitter;
        let cancel_reader_token = cancel.clone();
        let cancel_ping_token = cancel_ping.clone();

@@ -134,9 +224,19 @@ impl MePool {
                stats_reader,
                writer_id,
                degraded.clone(),
+                rtt_ema_ms_x10.clone(),
                cancel_reader_token.clone(),
            )
            .await;
+            let idle_close_by_peer = if let Err(e) = res.as_ref() {
+                is_me_peer_closed_error(e) && reg.is_writer_empty(writer_id).await
+            } else {
+                false
+            };
+            if idle_close_by_peer {
+                stats_reader_close.increment_me_idle_close_by_peer_total();
+                info!(writer_id, "ME socket closed by peer on idle writer");
+            }
            if let Some(pool) = pool.upgrade()
                && cleanup_for_reader
                    .compare_exchange(false, true, Ordering::AcqRel, Ordering::Relaxed)
@@ -145,7 +245,9 @@ impl MePool {
                pool.remove_writer_and_close_clients(writer_id).await;
            }
            if let Err(e) = res {
-                warn!(error = %e, "ME reader ended");
+                if !idle_close_by_peer {
+                    warn!(error = %e, "ME reader ended");
+                }
            }
            let mut ws = writers_arc.write().await;
            ws.retain(|w| w.id != writer_id);
@@ -208,17 +310,47 @@ impl MePool {
                p.extend_from_slice(&sent_id.to_le_bytes());
                {
                    let mut tracker = ping_tracker_ping.lock().await;
-                    let before = tracker.len();
-                    tracker.retain(|_, (ts, _)| ts.elapsed() < Duration::from_secs(120));
-                    let expired = before.saturating_sub(tracker.len());
-                    if expired > 0 {
-                        stats_ping.increment_me_keepalive_timeout_by(expired as u64);
+                    let now_epoch_ms = std::time::SystemTime::now()
+                        .duration_since(std::time::UNIX_EPOCH)
+                        .unwrap_or_default()
+                        .as_millis() as u64;
+                    let mut run_cleanup = false;
+                    if let Some(pool) = pool_ping.upgrade() {
+                        let last_cleanup_ms = pool
+                            .ping_tracker_last_cleanup_epoch_ms
+                            .load(Ordering::Relaxed);
+                        if now_epoch_ms.saturating_sub(last_cleanup_ms) >= 30_000
+                            && pool
+                                .ping_tracker_last_cleanup_epoch_ms
+                                .compare_exchange(
+                                    last_cleanup_ms,
+                                    now_epoch_ms,
+                                    Ordering::AcqRel,
+                                    Ordering::Relaxed,
+                                )
+                                .is_ok()
+                        {
+                            run_cleanup = true;
+                        }
+                    }
+
+                    if run_cleanup {
+                        let before = tracker.len();
+                        tracker.retain(|_, (ts, _)| ts.elapsed() < Duration::from_secs(120));
+                        let expired = before.saturating_sub(tracker.len());
+                        if expired > 0 {
+                            stats_ping.increment_me_keepalive_timeout_by(expired as u64);
+                        }
                    }
                    tracker.insert(sent_id, (std::time::Instant::now(), writer_id));
                }
                ping_id = ping_id.wrapping_add(1);
                stats_ping.increment_me_keepalive_sent();
-                if tx_ping.send(WriterCommand::DataAndFlush(p)).await.is_err() {
+                if tx_ping
+                    .send(WriterCommand::DataAndFlush(Bytes::from(p)))
+                    .await
+                    .is_err()
+                {
                    stats_ping.increment_me_keepalive_failed();
                    debug!("ME ping failed, removing dead writer");
                    cancel_ping.cancel();
@@ -234,6 +366,120 @@ impl MePool {
            }
        });

+        tokio::spawn(async move {
+            if rpc_proxy_req_every_secs == 0 {
+                return;
+            }
+
+            let interval = Duration::from_secs(rpc_proxy_req_every_secs);
+            let startup_jitter_ms = {
+                let jitter_cap_ms = interval.as_millis() / 2;
+                let effective_jitter_ms = keepalive_jitter_signal
+                    .as_millis()
+                    .min(jitter_cap_ms)
+                    .max(1);
+                rand::rng().random_range(0..=effective_jitter_ms as u64)
+            };
+
+            tokio::select! {
+                _ = cancel_signal.cancelled() => return,
+                _ = tokio::time::sleep(Duration::from_millis(startup_jitter_ms)) => {}
+            }
+
+            loop {
+                let wait = {
+                    let jitter_cap_ms = interval.as_millis() / 2;
+                    let effective_jitter_ms = keepalive_jitter_signal
+                        .as_millis()
+                        .min(jitter_cap_ms)
+                        .max(1);
+                    interval + Duration::from_millis(rand::rng().random_range(0..=effective_jitter_ms as u64))
+                };
+
+                tokio::select! {
+                    _ = cancel_signal.cancelled() => break,
+                    _ = tokio::time::sleep(wait) => {}
+                }
+
+                let Some(pool) = pool_signal.upgrade() else {
+                    break;
+                };
+
+                let Some(meta) = pool.registry.get_last_writer_meta(writer_id).await else {
+                    stats_signal.increment_me_rpc_proxy_req_signal_skipped_no_meta_total();
+                    continue;
+                };
+
+                let (conn_id, mut service_rx) = pool.registry.register().await;
+                pool.registry
+                    .bind_writer(conn_id, writer_id, tx_signal.clone(), meta.clone())
+                    .await;
+
+                let payload = build_proxy_req_payload(
+                    conn_id,
+                    meta.client_addr,
+                    meta.our_addr,
+                    &[],
+                    pool.proxy_tag.as_deref(),
+                    meta.proto_flags,
+                );
+
+                if tx_signal
+                    .send(WriterCommand::DataAndFlush(payload))
+                    .await
+                    .is_err()
+                {
+                    stats_signal.increment_me_rpc_proxy_req_signal_failed_total();
+                    let _ = pool.registry.unregister(conn_id).await;
+                    cancel_signal.cancel();
+                    if cleanup_for_signal
+                        .compare_exchange(false, true, Ordering::AcqRel, Ordering::Relaxed)
+                        .is_ok()
+                    {
+                        pool.remove_writer_and_close_clients(writer_id).await;
+                    }
+                    break;
+                }
+
+                stats_signal.increment_me_rpc_proxy_req_signal_sent_total();
+
+                if matches!(
+                    tokio::time::timeout(
+                        Duration::from_millis(ME_RPC_PROXY_REQ_RESPONSE_WAIT_MS),
+                        service_rx.recv(),
+                    )
+                    .await,
+                    Ok(Some(_))
+                ) {
+                    stats_signal.increment_me_rpc_proxy_req_signal_response_total();
+                }
+
+                let mut close_payload = Vec::with_capacity(12);
+                close_payload.extend_from_slice(&RPC_CLOSE_EXT_U32.to_le_bytes());
+                close_payload.extend_from_slice(&conn_id.to_le_bytes());
+
+                if tx_signal
+                    .send(WriterCommand::DataAndFlush(Bytes::from(close_payload)))
+                    .await
+                    .is_err()
+                {
+                    stats_signal.increment_me_rpc_proxy_req_signal_failed_total();
+                    let _ = pool.registry.unregister(conn_id).await;
+                    cancel_signal.cancel();
+                    if cleanup_for_signal
+                        .compare_exchange(false, true, Ordering::AcqRel, Ordering::Relaxed)
+                        .is_ok()
+                    {
+                        pool.remove_writer_and_close_clients(writer_id).await;
+                    }
+                    break;
+                }
+
+                stats_signal.increment_me_rpc_proxy_req_signal_close_sent_total();
+                let _ = pool.registry.unregister(conn_id).await;
+            }
+        });
+
        Ok(())
    }

@@ -248,6 +494,8 @@ impl MePool {
    async fn remove_writer_only(self: &Arc<Self>, writer_id: u64) -> Vec<BoundConn> {
        let mut close_tx: Option<mpsc::Sender<WriterCommand>> = None;
        let mut removed_addr: Option<SocketAddr> = None;
+        let mut removed_dc: Option<i32> = None;
+        let mut removed_uptime: Option<Duration> = None;
        let mut trigger_refill = false;
        {
            let mut ws = self.writers.write().await;
@@ -260,6 +508,8 @@ impl MePool {
                self.stats.increment_me_writer_removed_total();
                w.cancel.cancel();
                removed_addr = Some(w.addr);
+                removed_dc = Some(w.writer_dc);
+                removed_uptime = Some(w.created_at.elapsed());
                trigger_refill = !was_draining;
                if trigger_refill {
                    self.stats.increment_me_writer_removed_unexpected_total();
@@ -273,8 +523,12 @@ impl MePool {
        }
        if trigger_refill
            && let Some(addr) = removed_addr
+            && let Some(writer_dc) = removed_dc
        {
-            self.trigger_immediate_refill(addr);
+            if let Some(uptime) = removed_uptime {
+                self.maybe_quarantine_flapping_endpoint(addr, uptime).await;
+            }
+            self.trigger_immediate_refill_for_dc(addr, writer_dc);
        }
        self.rtt_stats.lock().await.remove(&writer_id);
        self.registry.writer_lost(writer_id).await
@@ -293,11 +547,19 @@ impl MePool {
                let already_draining = w.draining.swap(true, Ordering::Relaxed);
                w.allow_drain_fallback
                    .store(allow_drain_fallback, Ordering::Relaxed);
+                let now_epoch_secs = Self::now_epoch_secs();
                w.draining_started_at_epoch_secs
-                    .store(Self::now_epoch_secs(), Ordering::Relaxed);
+                    .store(now_epoch_secs, Ordering::Relaxed);
+                let drain_deadline_epoch_secs = timeout
+                    .map(|duration| now_epoch_secs.saturating_add(duration.as_secs()))
+                    .unwrap_or(0);
+                w.drain_deadline_epoch_secs
+                    .store(drain_deadline_epoch_secs, Ordering::Relaxed);
                if !already_draining {
                    self.stats.increment_pool_drain_active();
                }
+                w.contour
+                    .store(WriterContour::Draining.as_u8(), Ordering::Relaxed);
                w.draining.store(true, Ordering::Relaxed);
                true
            } else {
@@ -316,26 +578,6 @@ impl MePool {
            allow_drain_fallback,
            "ME writer marked draining"
        );
-
-        let pool = Arc::downgrade(self);
-        tokio::spawn(async move {
-            let deadline = timeout.map(|t| Instant::now() + t);
-            while let Some(p) = pool.upgrade() {
-                if let Some(deadline_at) = deadline
-                    && Instant::now() >= deadline_at
-                {
-                    warn!(writer_id, "Drain timeout, force-closing");
-                    p.stats.increment_pool_force_close_total();
-                    let _ = p.remove_writer_and_close_clients(writer_id).await;
-                    break;
-                }
-                if p.registry.is_writer_empty(writer_id).await {
-                    let _ = p.remove_writer_only(writer_id).await;
-                    break;
-                }
-                tokio::time::sleep(Duration::from_secs(1)).await;
-            }
-        });
    }

    pub(crate) async fn mark_writer_draining(self: &Arc<Self>, writer_id: u64) {
@@ -351,16 +593,22 @@ impl MePool {
            return false;
        }

-        let ttl_secs = self.me_pool_drain_ttl_secs.load(Ordering::Relaxed);
-        if ttl_secs == 0 {
-            return true;
-        }
+        match self.bind_stale_mode() {
+            MeBindStaleMode::Never => false,
+            MeBindStaleMode::Always => true,
+            MeBindStaleMode::Ttl => {
+                let ttl_secs = self.me_bind_stale_ttl_secs.load(Ordering::Relaxed);
+                if ttl_secs == 0 {
+                    return true;
+                }

-        let started = writer.draining_started_at_epoch_secs.load(Ordering::Relaxed);
-        if started == 0 {
-            return false;
-        }
+                let started = writer.draining_started_at_epoch_secs.load(Ordering::Relaxed);
+                if started == 0 {
+                    return false;
+                }

-        Self::now_epoch_secs().saturating_sub(started) <= ttl_secs
+                Self::now_epoch_secs().saturating_sub(started) <= ttl_secs
+            }
+        }
    }
 }
--- a/src/transport/middle_proxy/reader.rs
+++ b/src/transport/middle_proxy/reader.rs
@@ -1,6 +1,7 @@
 use std::collections::HashMap;
+use std::io::ErrorKind;
 use std::sync::Arc;
-use std::sync::atomic::{AtomicBool, Ordering};
+use std::sync::atomic::{AtomicBool, AtomicU32, Ordering};
 use std::time::Instant;

 use bytes::{Bytes, BytesMut};
@@ -33,6 +34,7 @@ pub(crate) async fn reader_loop(
    stats: Arc<Stats>,
    _writer_id: u64,
    degraded: Arc<AtomicBool>,
+    writer_rtt_ema_ms_x10: Arc<AtomicU32>,
    cancel: CancellationToken,
 ) -> Result<()> {
    let mut raw = enc_leftover;
@@ -45,7 +47,11 @@ pub(crate) async fn reader_loop(
            _ = cancel.cancelled() => return Ok(()),
        };
        if n == 0 {
-            return Ok(());
+            stats.increment_me_reader_eof_total();
+            return Err(ProxyError::Io(std::io::Error::new(
+                ErrorKind::UnexpectedEof,
+                "ME socket closed by peer",
+            )));
        }
        raw.extend_from_slice(&tmp[..n]);

@@ -119,12 +125,19 @@ pub(crate) async fn reader_loop(
                let data = Bytes::copy_from_slice(&body[12..]);
                trace!(cid, flags, len = data.len(), "RPC_PROXY_ANS");

-                let routed = reg.route(cid, MeResponse::Data { flags, data }).await;
+                let routed = reg.route_nowait(cid, MeResponse::Data { flags, data }).await;
                if !matches!(routed, RouteResult::Routed) {
                    match routed {
                        RouteResult::NoConn => stats.increment_me_route_drop_no_conn(),
                        RouteResult::ChannelClosed => stats.increment_me_route_drop_channel_closed(),
-                        RouteResult::QueueFull => stats.increment_me_route_drop_queue_full(),
+                        RouteResult::QueueFullBase => {
+                            stats.increment_me_route_drop_queue_full();
+                            stats.increment_me_route_drop_queue_full_base();
+                        }
+                        RouteResult::QueueFullHigh => {
+                            stats.increment_me_route_drop_queue_full();
+                            stats.increment_me_route_drop_queue_full_high();
+                        }
                        RouteResult::Routed => {}
                    }
                    reg.unregister(cid).await;
@@ -135,12 +148,19 @@ pub(crate) async fn reader_loop(
                let cfm = u32::from_le_bytes(body[8..12].try_into().unwrap());
                trace!(cid, cfm, "RPC_SIMPLE_ACK");

-                let routed = reg.route(cid, MeResponse::Ack(cfm)).await;
+                let routed = reg.route_nowait(cid, MeResponse::Ack(cfm)).await;
                if !matches!(routed, RouteResult::Routed) {
                    match routed {
                        RouteResult::NoConn => stats.increment_me_route_drop_no_conn(),
                        RouteResult::ChannelClosed => stats.increment_me_route_drop_channel_closed(),
-                        RouteResult::QueueFull => stats.increment_me_route_drop_queue_full(),
+                        RouteResult::QueueFullBase => {
+                            stats.increment_me_route_drop_queue_full();
+                            stats.increment_me_route_drop_queue_full_base();
+                        }
+                        RouteResult::QueueFullHigh => {
+                            stats.increment_me_route_drop_queue_full();
+                            stats.increment_me_route_drop_queue_full_high();
+                        }
                        RouteResult::Routed => {}
                    }
                    reg.unregister(cid).await;
@@ -162,7 +182,11 @@ pub(crate) async fn reader_loop(
                let mut pong = Vec::with_capacity(12);
                pong.extend_from_slice(&RPC_PONG_U32.to_le_bytes());
                pong.extend_from_slice(&ping_id.to_le_bytes());
-                if tx.send(WriterCommand::DataAndFlush(pong)).await.is_err() {
+                if tx
+                    .send(WriterCommand::DataAndFlush(Bytes::from(pong)))
+                    .await
+                    .is_err()
+                {
                    warn!("PONG send failed");
                    break;
                }
@@ -185,6 +209,8 @@ pub(crate) async fn reader_loop(
                    }
                    let degraded_now = entry.1 > entry.0 * 2.0;
                    degraded.store(degraded_now, Ordering::Relaxed);
+                    writer_rtt_ema_ms_x10
+                        .store((entry.1 * 10.0).clamp(0.0, u32::MAX as f64) as u32, Ordering::Relaxed);
                    trace!(writer_id = wid, rtt_ms = rtt, ema_ms = entry.1, base_ms = entry.0, degraded = degraded_now, "ME RTT sample");
                }
            } else {
@@ -203,5 +229,5 @@ async fn send_close_conn(tx: &mpsc::Sender<WriterCommand>, conn_id: u64) {
    p.extend_from_slice(&RPC_CLOSE_CONN_U32.to_le_bytes());
    p.extend_from_slice(&conn_id.to_le_bytes());

-    let _ = tx.send(WriterCommand::DataAndFlush(p)).await;
+    let _ = tx.send(WriterCommand::DataAndFlush(Bytes::from(p))).await;
 }
--- a/src/transport/middle_proxy/registry.rs
+++ b/src/transport/middle_proxy/registry.rs
@@ -1,7 +1,7 @@
 use std::collections::{HashMap, HashSet};
 use std::net::SocketAddr;
-use std::sync::atomic::{AtomicU64, Ordering};
-use std::time::Duration;
+use std::sync::atomic::{AtomicU8, AtomicU64, Ordering};
+use std::time::{Duration, SystemTime, UNIX_EPOCH};

 use tokio::sync::{mpsc, RwLock};
 use tokio::sync::mpsc::error::TrySendError;
@@ -9,15 +9,17 @@ use tokio::sync::mpsc::error::TrySendError;
 use super::codec::WriterCommand;
 use super::MeResponse;

-const ROUTE_CHANNEL_CAPACITY: usize = 4096;
-const ROUTE_BACKPRESSURE_TIMEOUT: Duration = Duration::from_millis(25);
+const ROUTE_BACKPRESSURE_BASE_TIMEOUT_MS: u64 = 25;
+const ROUTE_BACKPRESSURE_HIGH_TIMEOUT_MS: u64 = 120;
+const ROUTE_BACKPRESSURE_HIGH_WATERMARK_PCT: u8 = 80;

 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
 pub enum RouteResult {
    Routed,
    NoConn,
    ChannelClosed,
-    QueueFull,
+    QueueFullBase,
+    QueueFullHigh,
 }

 #[derive(Clone)]
@@ -42,12 +44,20 @@ pub struct ConnWriter {
    pub tx: mpsc::Sender<WriterCommand>,
 }

+#[derive(Clone, Debug, Default)]
+pub(super) struct WriterActivitySnapshot {
+    pub bound_clients_by_writer: HashMap<u64, usize>,
+    pub active_sessions_by_target_dc: HashMap<i16, usize>,
+}
+
 struct RegistryInner {
    map: HashMap<u64, mpsc::Sender<MeResponse>>,
    writers: HashMap<u64, mpsc::Sender<WriterCommand>>,
    writer_for_conn: HashMap<u64, u64>,
    conns_for_writer: HashMap<u64, HashSet<u64>>,
    meta: HashMap<u64, ConnMeta>,
+    last_meta_for_writer: HashMap<u64, ConnMeta>,
+    writer_idle_since_epoch_secs: HashMap<u64, u64>,
 }

 impl RegistryInner {
@@ -58,6 +68,8 @@ impl RegistryInner {
            writer_for_conn: HashMap::new(),
            conns_for_writer: HashMap::new(),
            meta: HashMap::new(),
+            last_meta_for_writer: HashMap::new(),
+            writer_idle_since_epoch_secs: HashMap::new(),
        }
    }
 }
@@ -65,20 +77,63 @@ impl RegistryInner {
 pub struct ConnRegistry {
    inner: RwLock<RegistryInner>,
    next_id: AtomicU64,
+    route_channel_capacity: usize,
+    route_backpressure_base_timeout_ms: AtomicU64,
+    route_backpressure_high_timeout_ms: AtomicU64,
+    route_backpressure_high_watermark_pct: AtomicU8,
 }

 impl ConnRegistry {
-    pub fn new() -> Self {
+    fn now_epoch_secs() -> u64 {
+        SystemTime::now()
+            .duration_since(UNIX_EPOCH)
+            .unwrap_or_default()
+            .as_secs()
+    }
+
+    pub fn with_route_channel_capacity(route_channel_capacity: usize) -> Self {
        let start = rand::random::<u64>() | 1;
        Self {
            inner: RwLock::new(RegistryInner::new()),
            next_id: AtomicU64::new(start),
+            route_channel_capacity: route_channel_capacity.max(1),
+            route_backpressure_base_timeout_ms: AtomicU64::new(
+                ROUTE_BACKPRESSURE_BASE_TIMEOUT_MS,
+            ),
+            route_backpressure_high_timeout_ms: AtomicU64::new(
+                ROUTE_BACKPRESSURE_HIGH_TIMEOUT_MS,
+            ),
+            route_backpressure_high_watermark_pct: AtomicU8::new(
+                ROUTE_BACKPRESSURE_HIGH_WATERMARK_PCT,
+            ),
        }
    }

+    #[cfg(test)]
+    pub fn new() -> Self {
+        Self::with_route_channel_capacity(4096)
+    }
+
+    pub fn update_route_backpressure_policy(
+        &self,
+        base_timeout_ms: u64,
+        high_timeout_ms: u64,
+        high_watermark_pct: u8,
+    ) {
+        let base = base_timeout_ms.max(1);
+        let high = high_timeout_ms.max(base);
+        let watermark = high_watermark_pct.clamp(1, 100);
+        self.route_backpressure_base_timeout_ms
+            .store(base, Ordering::Relaxed);
+        self.route_backpressure_high_timeout_ms
+            .store(high, Ordering::Relaxed);
+        self.route_backpressure_high_watermark_pct
+            .store(watermark, Ordering::Relaxed);
+    }
+
    pub async fn register(&self) -> (u64, mpsc::Receiver<MeResponse>) {
        let id = self.next_id.fetch_add(1, Ordering::Relaxed);
-        let (tx, rx) = mpsc::channel(ROUTE_CHANNEL_CAPACITY);
+        let (tx, rx) = mpsc::channel(self.route_channel_capacity);
        self.inner.write().await.map.insert(id, tx);
        (id, rx)
    }
@@ -89,8 +144,16 @@ impl ConnRegistry {
        inner.map.remove(&id);
        inner.meta.remove(&id);
        if let Some(writer_id) = inner.writer_for_conn.remove(&id) {
-            if let Some(set) = inner.conns_for_writer.get_mut(&writer_id) {
+            let became_empty = if let Some(set) = inner.conns_for_writer.get_mut(&writer_id) {
                set.remove(&id);
+                set.is_empty()
+            } else {
+                false
+            };
+            if became_empty {
+                inner
+                    .writer_idle_since_epoch_secs
+                    .insert(writer_id, Self::now_epoch_secs());
            }
            return Some(writer_id);
        }
@@ -112,15 +175,62 @@ impl ConnRegistry {
            Err(TrySendError::Closed(_)) => RouteResult::ChannelClosed,
            Err(TrySendError::Full(resp)) => {
                // Absorb short bursts without dropping/closing the session immediately.
-                match tokio::time::timeout(ROUTE_BACKPRESSURE_TIMEOUT, tx.send(resp)).await {
+                let base_timeout_ms =
+                    self.route_backpressure_base_timeout_ms.load(Ordering::Relaxed).max(1);
+                let high_timeout_ms = self
+                    .route_backpressure_high_timeout_ms
+                    .load(Ordering::Relaxed)
+                    .max(base_timeout_ms);
+                let high_watermark_pct = self
+                    .route_backpressure_high_watermark_pct
+                    .load(Ordering::Relaxed)
+                    .clamp(1, 100);
+                let used = self.route_channel_capacity.saturating_sub(tx.capacity());
+                let used_pct = if self.route_channel_capacity == 0 {
+                    100
+                } else {
+                    (used.saturating_mul(100) / self.route_channel_capacity) as u8
+                };
+                let high_profile = used_pct >= high_watermark_pct;
+                let timeout_ms = if high_profile {
+                    high_timeout_ms
+                } else {
+                    base_timeout_ms
+                };
+                let timeout_dur = Duration::from_millis(timeout_ms);
+
+                match tokio::time::timeout(timeout_dur, tx.send(resp)).await {
                    Ok(Ok(())) => RouteResult::Routed,
                    Ok(Err(_)) => RouteResult::ChannelClosed,
-                    Err(_) => RouteResult::QueueFull,
+                    Err(_) => {
+                        if high_profile {
+                            RouteResult::QueueFullHigh
+                        } else {
+                            RouteResult::QueueFullBase
+                        }
+                    }
                }
            }
        }
    }

+    pub async fn route_nowait(&self, id: u64, resp: MeResponse) -> RouteResult {
+        let tx = {
+            let inner = self.inner.read().await;
+            inner.map.get(&id).cloned()
+        };
+
+        let Some(tx) = tx else {
+            return RouteResult::NoConn;
+        };
+
+        match tx.try_send(resp) {
+            Ok(()) => RouteResult::Routed,
+            Err(TrySendError::Closed(_)) => RouteResult::ChannelClosed,
+            Err(TrySendError::Full(_)) => RouteResult::QueueFullBase,
+        }
+    }
+
    pub async fn bind_writer(
        &self,
        conn_id: u64,
@@ -129,8 +239,10 @@ impl ConnRegistry {
        meta: ConnMeta,
    ) {
        let mut inner = self.inner.write().await;
-        inner.meta.entry(conn_id).or_insert(meta);
+        inner.meta.entry(conn_id).or_insert(meta.clone());
        inner.writer_for_conn.insert(conn_id, writer_id);
+        inner.last_meta_for_writer.insert(writer_id, meta);
+        inner.writer_idle_since_epoch_secs.remove(&writer_id);
        inner.writers.entry(writer_id).or_insert_with(|| tx.clone());
        inner
            .conns_for_writer
@@ -139,6 +251,62 @@ impl ConnRegistry {
            .insert(conn_id);
    }

+    pub async fn mark_writer_idle(&self, writer_id: u64) {
+        let mut inner = self.inner.write().await;
+        inner.conns_for_writer.entry(writer_id).or_insert_with(HashSet::new);
+        inner
+            .writer_idle_since_epoch_secs
+            .entry(writer_id)
+            .or_insert(Self::now_epoch_secs());
+    }
+
+    pub async fn get_last_writer_meta(&self, writer_id: u64) -> Option<ConnMeta> {
+        let inner = self.inner.read().await;
+        inner.last_meta_for_writer.get(&writer_id).cloned()
+    }
+
+    pub async fn writer_idle_since_snapshot(&self) -> HashMap<u64, u64> {
+        let inner = self.inner.read().await;
+        inner.writer_idle_since_epoch_secs.clone()
+    }
+
+    pub async fn writer_idle_since_for_writer_ids(
+        &self,
+        writer_ids: &[u64],
+    ) -> HashMap<u64, u64> {
+        let inner = self.inner.read().await;
+        let mut out = HashMap::<u64, u64>::with_capacity(writer_ids.len());
+        for writer_id in writer_ids {
+            if let Some(idle_since) = inner.writer_idle_since_epoch_secs.get(writer_id).copied() {
+                out.insert(*writer_id, idle_since);
+            }
+        }
+        out
+    }
+
+    pub(super) async fn writer_activity_snapshot(&self) -> WriterActivitySnapshot {
+        let inner = self.inner.read().await;
+        let mut bound_clients_by_writer = HashMap::<u64, usize>::new();
+        let mut active_sessions_by_target_dc = HashMap::<i16, usize>::new();
+
+        for (writer_id, conn_ids) in &inner.conns_for_writer {
+            bound_clients_by_writer.insert(*writer_id, conn_ids.len());
+        }
+        for conn_meta in inner.meta.values() {
+            if conn_meta.target_dc == 0 {
+                continue;
+            }
+            *active_sessions_by_target_dc
+                .entry(conn_meta.target_dc)
+                .or_insert(0) += 1;
+        }
+
+        WriterActivitySnapshot {
+            bound_clients_by_writer,
+            active_sessions_by_target_dc,
+        }
+    }
+
    pub async fn get_writer(&self, conn_id: u64) -> Option<ConnWriter> {
        let inner = self.inner.read().await;
        let writer_id = inner.writer_for_conn.get(&conn_id).cloned()?;
@@ -146,9 +314,16 @@ impl ConnRegistry {
        Some(ConnWriter { writer_id, tx: writer })
    }

+    pub async fn active_conn_ids(&self) -> Vec<u64> {
+        let inner = self.inner.read().await;
+        inner.writer_for_conn.keys().copied().collect()
+    }
+
    pub async fn writer_lost(&self, writer_id: u64) -> Vec<BoundConn> {
        let mut inner = self.inner.write().await;
        inner.writers.remove(&writer_id);
+        inner.last_meta_for_writer.remove(&writer_id);
+        inner.writer_idle_since_epoch_secs.remove(&writer_id);
        let conns = inner
            .conns_for_writer
            .remove(&writer_id)
@@ -184,3 +359,70 @@ impl ConnRegistry {
            .unwrap_or(true)
    }
 }
+
+#[cfg(test)]
+mod tests {
+    use std::net::{IpAddr, Ipv4Addr, SocketAddr};
+
+    use super::ConnMeta;
+    use super::ConnRegistry;
+
+    #[tokio::test]
+    async fn writer_activity_snapshot_tracks_writer_and_dc_load() {
+        let registry = ConnRegistry::new();
+
+        let (conn_a, _rx_a) = registry.register().await;
+        let (conn_b, _rx_b) = registry.register().await;
+        let (conn_c, _rx_c) = registry.register().await;
+        let (writer_tx_a, _writer_rx_a) = tokio::sync::mpsc::channel(8);
+        let (writer_tx_b, _writer_rx_b) = tokio::sync::mpsc::channel(8);
+
+        let addr = SocketAddr::new(IpAddr::V4(Ipv4Addr::LOCALHOST), 443);
+        registry
+            .bind_writer(
+                conn_a,
+                10,
+                writer_tx_a.clone(),
+                ConnMeta {
+                    target_dc: 2,
+                    client_addr: addr,
+                    our_addr: addr,
+                    proto_flags: 0,
+                },
+            )
+            .await;
+        registry
+            .bind_writer(
+                conn_b,
+                10,
+                writer_tx_a,
+                ConnMeta {
+                    target_dc: -2,
+                    client_addr: addr,
+                    our_addr: addr,
+                    proto_flags: 0,
+                },
+            )
+            .await;
+        registry
+            .bind_writer(
+                conn_c,
+                20,
+                writer_tx_b,
+                ConnMeta {
+                    target_dc: 4,
+                    client_addr: addr,
+                    our_addr: addr,
+                    proto_flags: 0,
+                },
+            )
+            .await;
+
+        let snapshot = registry.writer_activity_snapshot().await;
+        assert_eq!(snapshot.bound_clients_by_writer.get(&10), Some(&2));
+        assert_eq!(snapshot.bound_clients_by_writer.get(&20), Some(&1));
+        assert_eq!(snapshot.active_sessions_by_target_dc.get(&2), Some(&1));
+        assert_eq!(snapshot.active_sessions_by_target_dc.get(&-2), Some(&1));
+        assert_eq!(snapshot.active_sessions_by_target_dc.get(&4), Some(&1));
+    }
+}
--- a/src/transport/middle_proxy/rotation.rs
+++ b/src/transport/middle_proxy/rotation.rs
@@ -1,19 +1,111 @@
 use std::sync::Arc;
 use std::time::Duration;

-use tokio::sync::watch;
-use tracing::{info, warn};
+use tokio::sync::{mpsc, watch};
+use tracing::{debug, info, warn};

 use crate::config::ProxyConfig;
 use crate::crypto::SecureRandom;

 use super::MePool;

-/// Periodically reinitialize ME generations and swap them after full warmup.
-pub async fn me_rotation_task(
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub enum MeReinitTrigger {
+    Periodic,
+    MapChanged,
+}
+
+impl MeReinitTrigger {
+    fn as_str(self) -> &'static str {
+        match self {
+            MeReinitTrigger::Periodic => "periodic",
+            MeReinitTrigger::MapChanged => "map-change",
+        }
+    }
+}
+
+pub fn enqueue_reinit_trigger(
+    tx: &mpsc::Sender<MeReinitTrigger>,
+    trigger: MeReinitTrigger,
+) {
+    match tx.try_send(trigger) {
+        Ok(()) => {}
+        Err(tokio::sync::mpsc::error::TrySendError::Full(_)) => {
+            debug!(trigger = trigger.as_str(), "ME reinit trigger dropped (queue full)");
+        }
+        Err(tokio::sync::mpsc::error::TrySendError::Closed(_)) => {
+            warn!(trigger = trigger.as_str(), "ME reinit trigger dropped (scheduler closed)");
+        }
+    }
+}
+
+pub async fn me_reinit_scheduler(
    pool: Arc<MePool>,
    rng: Arc<SecureRandom>,
+    config_rx: watch::Receiver<Arc<ProxyConfig>>,
+    mut trigger_rx: mpsc::Receiver<MeReinitTrigger>,
+) {
+    info!("ME reinit scheduler started");
+    loop {
+        let Some(first_trigger) = trigger_rx.recv().await else {
+            warn!("ME reinit scheduler stopped: trigger channel closed");
+            break;
+        };
+
+        let mut map_change_seen = matches!(first_trigger, MeReinitTrigger::MapChanged);
+        let mut periodic_seen = matches!(first_trigger, MeReinitTrigger::Periodic);
+        let cfg = config_rx.borrow().clone();
+        let coalesce_window = Duration::from_millis(cfg.general.me_reinit_coalesce_window_ms);
+        if !coalesce_window.is_zero() {
+            let deadline = tokio::time::Instant::now() + coalesce_window;
+            loop {
+                let now = tokio::time::Instant::now();
+                if now >= deadline {
+                    break;
+                }
+                match tokio::time::timeout(deadline - now, trigger_rx.recv()).await {
+                    Ok(Some(next)) => {
+                        if next == MeReinitTrigger::MapChanged {
+                            map_change_seen = true;
+                        } else {
+                            periodic_seen = true;
+                        }
+                    }
+                    Ok(None) => break,
+                    Err(_) => break,
+                }
+            }
+        }
+
+        let reason = if map_change_seen && periodic_seen {
+            "map-change+periodic"
+        } else if map_change_seen {
+            "map-change"
+        } else {
+            "periodic"
+        };
+
+        if cfg.general.me_reinit_singleflight {
+            debug!(reason, "ME reinit scheduled (single-flight)");
+            pool.zero_downtime_reinit_periodic(rng.as_ref()).await;
+        } else {
+            debug!(reason, "ME reinit scheduled (concurrent mode)");
+            let pool_clone = pool.clone();
+            let rng_clone = rng.clone();
+            tokio::spawn(async move {
+                pool_clone
+                    .zero_downtime_reinit_periodic(rng_clone.as_ref())
+                    .await;
+            });
+        }
+
+    }
+}
+
+/// Periodically enqueue reinitialization triggers for ME generations.
+pub async fn me_rotation_task(
    mut config_rx: watch::Receiver<Arc<ProxyConfig>>,
+    reinit_tx: mpsc::Sender<MeReinitTrigger>,
 ) {
    let mut interval_secs = config_rx
        .borrow()
@@ -31,7 +123,7 @@ pub async fn me_rotation_task(

        tokio::select! {
            _ = &mut sleep => {
-                pool.zero_downtime_reinit_periodic(rng.as_ref()).await;
+                enqueue_reinit_trigger(&reinit_tx, MeReinitTrigger::Periodic);
                let refreshed_secs = config_rx
                    .borrow()
                    .general
@@ -70,7 +162,7 @@ pub async fn me_rotation_task(
                    );
                    interval_secs = new_secs;
                    interval = Duration::from_secs(interval_secs);
-                    pool.zero_downtime_reinit_periodic(rng.as_ref()).await;
+                    enqueue_reinit_trigger(&reinit_tx, MeReinitTrigger::Periodic);
                    next_tick = tokio::time::Instant::now() + interval;
                } else {
                    info!(
--- a/src/transport/middle_proxy/send.rs
+++ b/src/transport/middle_proxy/send.rs
@@ -1,21 +1,36 @@
+use std::cmp::Reverse;
+use std::collections::{HashMap, HashSet};
 use std::net::SocketAddr;
 use std::sync::Arc;
 use std::sync::atomic::Ordering;
-use std::time::Duration;
+use std::time::{Duration, Instant};

+use bytes::Bytes;
+use tokio::sync::mpsc::error::TrySendError;
 use tracing::{debug, warn};

+use crate::config::{MeRouteNoWriterMode, MeWriterPickMode};
 use crate::error::{ProxyError, Result};
 use crate::network::IpFamily;
-use crate::protocol::constants::RPC_CLOSE_EXT_U32;
+use crate::protocol::constants::{RPC_CLOSE_CONN_U32, RPC_CLOSE_EXT_U32};

 use super::MePool;
 use super::codec::WriterCommand;
+use super::pool::WriterContour;
 use super::wire::build_proxy_req_payload;
 use rand::seq::SliceRandom;
 use super::registry::ConnMeta;

+const IDLE_WRITER_PENALTY_MID_SECS: u64 = 45;
+const IDLE_WRITER_PENALTY_HIGH_SECS: u64 = 55;
+const HYBRID_GLOBAL_BURST_PERIOD_ROUNDS: u32 = 4;
+const PICK_PENALTY_WARM: u64 = 200;
+const PICK_PENALTY_DRAINING: u64 = 600;
+const PICK_PENALTY_STALE: u64 = 300;
+const PICK_PENALTY_DEGRADED: u64 = 250;
+
 impl MePool {
+    /// Send RPC_PROXY_REQ. `tag_override`: per-user ad_tag (from access.user_ad_tags); if None, uses pool default.
    pub async fn send_proxy_req(
        self: &Arc<Self>,
        conn_id: u64,
@@ -24,13 +39,15 @@ impl MePool {
        our_addr: SocketAddr,
        data: &[u8],
        proto_flags: u32,
+        tag_override: Option<&[u8]>,
    ) -> Result<()> {
+        let tag = tag_override.or(self.proxy_tag.as_deref());
        let payload = build_proxy_req_payload(
            conn_id,
            client_addr,
            our_addr,
            data,
-            self.proxy_tag.as_deref(),
+            tag,
            proto_flags,
        );
        let meta = ConnMeta {
@@ -39,19 +56,32 @@ impl MePool {
            our_addr,
            proto_flags,
        };
-        let mut emergency_attempts = 0;
+        let no_writer_mode =
+            MeRouteNoWriterMode::from_u8(self.me_route_no_writer_mode.load(Ordering::Relaxed));
+        let (routed_dc, unknown_target_dc) = self
+            .resolve_target_dc_for_routing(target_dc as i32)
+            .await;
+        let mut no_writer_deadline: Option<Instant> = None;
+        let mut emergency_attempts = 0u32;
+        let mut async_recovery_triggered = false;
+        let mut hybrid_recovery_round = 0u32;
+        let mut hybrid_last_recovery_at: Option<Instant> = None;
+        let hybrid_wait_step = self.me_route_no_writer_wait.max(Duration::from_millis(50));
+        let mut hybrid_wait_current = hybrid_wait_step;

        loop {
            if let Some(current) = self.registry.get_writer(conn_id).await {
-                let send_res = {
-                    current
-                        .tx
-                        .send(WriterCommand::Data(payload.clone()))
-                        .await
-                };
-                match send_res {
+                match current.tx.try_send(WriterCommand::Data(payload.clone())) {
                    Ok(()) => return Ok(()),
-                    Err(_) => {
+                    Err(TrySendError::Full(cmd)) => {
+                        if current.tx.send(cmd).await.is_ok() {
+                            return Ok(());
+                        }
+                        warn!(writer_id = current.writer_id, "ME writer channel closed");
+                        self.remove_writer_and_close_clients(current.writer_id).await;
+                        continue;
+                    }
+                    Err(TrySendError::Closed(_)) => {
                        warn!(writer_id = current.writer_id, "ME writer channel closed");
                        self.remove_writer_and_close_clients(current.writer_id).await;
                        continue;
@@ -62,118 +92,315 @@ impl MePool {
            let mut writers_snapshot = {
                let ws = self.writers.read().await;
                if ws.is_empty() {
-                    // Create waiter before recovery attempts so notify_one permits are not missed.
-                    let waiter = self.writer_available.notified();
                    drop(ws);
-                    for family in self.family_order() {
-                        let map = match family {
-                            IpFamily::V4 => self.proxy_map_v4.read().await.clone(),
-                            IpFamily::V6 => self.proxy_map_v6.read().await.clone(),
-                        };
-                        for (_dc, addrs) in map.iter() {
-                            for (ip, port) in addrs {
-                                let addr = SocketAddr::new(*ip, *port);
-                                if self.connect_one(addr, self.rng.as_ref()).await.is_ok() {
-                                    self.writer_available.notify_one();
-                                    break;
+                    match no_writer_mode {
+                        MeRouteNoWriterMode::AsyncRecoveryFailfast => {
+                            let deadline = *no_writer_deadline.get_or_insert_with(|| {
+                                Instant::now() + self.me_route_no_writer_wait
+                            });
+                            if !async_recovery_triggered && !unknown_target_dc {
+                                let triggered =
+                                    self.trigger_async_recovery_for_target_dc(routed_dc).await;
+                                if !triggered {
+                                    self.trigger_async_recovery_global().await;
+                                }
+                                async_recovery_triggered = true;
+                            }
+                            if self.wait_for_writer_until(deadline).await {
+                                continue;
+                            }
+                            self.stats.increment_me_no_writer_failfast_total();
+                            return Err(ProxyError::Proxy(
+                                "No ME writer available in failfast window".into(),
+                            ));
+                        }
+                        MeRouteNoWriterMode::InlineRecoveryLegacy => {
+                            self.stats.increment_me_inline_recovery_total();
+                            if !unknown_target_dc {
+                                for _ in 0..self.me_route_inline_recovery_attempts.max(1) {
+                                    for family in self.family_order() {
+                                        let map = match family {
+                                            IpFamily::V4 => self.proxy_map_v4.read().await.clone(),
+                                            IpFamily::V6 => self.proxy_map_v6.read().await.clone(),
+                                        };
+                                        for (dc, addrs) in &map {
+                                            for (ip, port) in addrs {
+                                                let addr = SocketAddr::new(*ip, *port);
+                                                let _ = self
+                                                    .connect_one_for_dc(addr, *dc, self.rng.as_ref())
+                                                    .await;
+                                            }
+                                        }
+                                    }
+                                    if !self.writers.read().await.is_empty() {
+                                        break;
+                                    }
                                }
                            }
-                        }
-                    }
-                    if !self.writers.read().await.is_empty() {
-                        continue;
-                    }
-                    if tokio::time::timeout(Duration::from_secs(3), waiter).await.is_err() {
-                        if !self.writers.read().await.is_empty() {
+
+                            if !self.writers.read().await.is_empty() {
+                                continue;
+                            }
+                            let deadline = *no_writer_deadline
+                                .get_or_insert_with(|| Instant::now() + self.me_route_inline_recovery_wait);
+                            if !self.wait_for_writer_until(deadline).await {
+                                if !self.writers.read().await.is_empty() {
+                                    continue;
+                                }
+                                self.stats.increment_me_no_writer_failfast_total();
+                                return Err(ProxyError::Proxy(
+                                    "All ME connections dead (legacy wait timeout)".into(),
+                                ));
+                            }
+                            continue;
+                        }
+                        MeRouteNoWriterMode::HybridAsyncPersistent => {
+                            if !unknown_target_dc {
+                                self.maybe_trigger_hybrid_recovery(
+                                    routed_dc,
+                                    &mut hybrid_recovery_round,
+                                    &mut hybrid_last_recovery_at,
+                                    hybrid_wait_current,
+                                )
+                                .await;
+                            }
+                            let deadline = Instant::now() + hybrid_wait_current;
+                            let _ = self.wait_for_writer_until(deadline).await;
+                            hybrid_wait_current =
+                                (hybrid_wait_current.saturating_mul(2))
+                                    .min(Duration::from_millis(400));
                            continue;
                        }
-                        return Err(ProxyError::Proxy("All ME connections dead (waited 3s)".into()));
                    }
-                    continue;
                }
                ws.clone()
            };

-            let mut candidate_indices = self.candidate_indices_for_dc(&writers_snapshot, target_dc).await;
+            let mut candidate_indices = self
+                .candidate_indices_for_dc(&writers_snapshot, routed_dc, false)
+                .await;
            if candidate_indices.is_empty() {
-                // Emergency connect-on-demand
-                if emergency_attempts >= 3 {
-                    return Err(ProxyError::Proxy("No ME writers available for target DC".into()));
-                }
-                emergency_attempts += 1;
-                for family in self.family_order() {
-                    let map_guard = match family {
-                        IpFamily::V4 => self.proxy_map_v4.read().await,
-                        IpFamily::V6 => self.proxy_map_v6.read().await,
-                    };
-                    if let Some(addrs) = map_guard.get(&(target_dc as i32)) {
-                        let mut shuffled = addrs.clone();
-                        shuffled.shuffle(&mut rand::rng());
-                        drop(map_guard);
-                        for (ip, port) in shuffled {
-                            let addr = SocketAddr::new(ip, port);
-                            if self.connect_one(addr, self.rng.as_ref()).await.is_ok() {
+                candidate_indices = self
+                    .candidate_indices_for_dc(&writers_snapshot, routed_dc, true)
+                    .await;
+            }
+            if candidate_indices.is_empty() {
+                let pick_mode = self.writer_pick_mode();
+                match no_writer_mode {
+                    MeRouteNoWriterMode::AsyncRecoveryFailfast => {
+                        let deadline = *no_writer_deadline.get_or_insert_with(|| {
+                            Instant::now() + self.me_route_no_writer_wait
+                        });
+                        if !async_recovery_triggered && !unknown_target_dc {
+                            let triggered = self.trigger_async_recovery_for_target_dc(routed_dc).await;
+                            if !triggered {
+                                self.trigger_async_recovery_global().await;
+                            }
+                            async_recovery_triggered = true;
+                        }
+                        if self.wait_for_candidate_until(routed_dc, deadline).await {
+                            continue;
+                        }
+                        self.stats.increment_me_writer_pick_no_candidate_total(pick_mode);
+                        self.stats.increment_me_no_writer_failfast_total();
+                        return Err(ProxyError::Proxy(
+                            "No ME writers available for target DC in failfast window".into(),
+                        ));
+                    }
+                    MeRouteNoWriterMode::InlineRecoveryLegacy => {
+                        self.stats.increment_me_inline_recovery_total();
+                        if unknown_target_dc {
+                            let deadline = *no_writer_deadline
+                                .get_or_insert_with(|| Instant::now() + self.me_route_inline_recovery_wait);
+                            if self.wait_for_candidate_until(routed_dc, deadline).await {
+                                continue;
+                            }
+                            self.stats.increment_me_writer_pick_no_candidate_total(pick_mode);
+                            self.stats.increment_me_no_writer_failfast_total();
+                            return Err(ProxyError::Proxy("No ME writers available for target DC".into()));
+                        }
+                        if emergency_attempts >= self.me_route_inline_recovery_attempts.max(1) {
+                            self.stats.increment_me_writer_pick_no_candidate_total(pick_mode);
+                            self.stats.increment_me_no_writer_failfast_total();
+                            return Err(ProxyError::Proxy("No ME writers available for target DC".into()));
+                        }
+                        emergency_attempts += 1;
+                        let mut endpoints = self.endpoint_candidates_for_target_dc(routed_dc).await;
+                        endpoints.shuffle(&mut rand::rng());
+                        for addr in endpoints {
+                            if self.connect_one_for_dc(addr, routed_dc, self.rng.as_ref()).await.is_ok() {
                                break;
                            }
                        }
-                        tokio::time::sleep(Duration::from_millis(100 * emergency_attempts)).await;
+                        tokio::time::sleep(Duration::from_millis(100 * emergency_attempts as u64)).await;
                        let ws2 = self.writers.read().await;
                        writers_snapshot = ws2.clone();
                        drop(ws2);
-                        candidate_indices = self.candidate_indices_for_dc(&writers_snapshot, target_dc).await;
-                        if !candidate_indices.is_empty() {
-                            break;
+                        candidate_indices = self
+                            .candidate_indices_for_dc(&writers_snapshot, routed_dc, false)
+                            .await;
+                        if candidate_indices.is_empty() {
+                            candidate_indices = self
+                                .candidate_indices_for_dc(&writers_snapshot, routed_dc, true)
+                                .await;
+                        }
+                        if candidate_indices.is_empty() {
+                            self.stats.increment_me_writer_pick_no_candidate_total(pick_mode);
+                            return Err(ProxyError::Proxy("No ME writers available for target DC".into()));
                        }
                    }
-                }
-                if candidate_indices.is_empty() {
-                    return Err(ProxyError::Proxy("No ME writers available for target DC".into()));
+                    MeRouteNoWriterMode::HybridAsyncPersistent => {
+                        if !unknown_target_dc {
+                            self.maybe_trigger_hybrid_recovery(
+                                routed_dc,
+                                &mut hybrid_recovery_round,
+                                &mut hybrid_last_recovery_at,
+                                hybrid_wait_current,
+                            )
+                            .await;
+                        }
+                        let deadline = Instant::now() + hybrid_wait_current;
+                        let _ = self.wait_for_candidate_until(routed_dc, deadline).await;
+                        hybrid_wait_current = (hybrid_wait_current.saturating_mul(2))
+                            .min(Duration::from_millis(400));
+                        continue;
+                    }
                }
            }
-
-            candidate_indices.sort_by_key(|idx| {
-                let w = &writers_snapshot[*idx];
-                let degraded = w.degraded.load(Ordering::Relaxed);
-                let stale = (w.generation < self.current_generation()) as usize;
-                (stale, degraded as usize)
-            });
-
+            hybrid_wait_current = hybrid_wait_step;
+            let pick_mode = self.writer_pick_mode();
+            let pick_sample_size = self.writer_pick_sample_size();
+            let writer_ids: Vec<u64> = candidate_indices
+                .iter()
+                .map(|idx| writers_snapshot[*idx].id)
+                .collect();
+            let writer_idle_since = self
+                .registry
+                .writer_idle_since_for_writer_ids(&writer_ids)
+                .await;
+            let now_epoch_secs = Self::now_epoch_secs();
            let start = self.rr.fetch_add(1, Ordering::Relaxed) as usize % candidate_indices.len();
+            let ordered_candidate_indices = if pick_mode == MeWriterPickMode::P2c {
+                self.p2c_ordered_candidate_indices(
+                    &candidate_indices,
+                    &writers_snapshot,
+                    &writer_idle_since,
+                    now_epoch_secs,
+                    start,
+                    pick_sample_size,
+                )
+            } else {
+                if self.me_deterministic_writer_sort.load(Ordering::Relaxed) {
+                    candidate_indices.sort_by(|lhs, rhs| {
+                        let left = &writers_snapshot[*lhs];
+                        let right = &writers_snapshot[*rhs];
+                        let left_key = (
+                            self.writer_contour_rank_for_selection(left),
+                            (left.generation < self.current_generation()) as usize,
+                            left.degraded.load(Ordering::Relaxed) as usize,
+                            self.writer_idle_rank_for_selection(
+                                left,
+                                &writer_idle_since,
+                                now_epoch_secs,
+                            ),
+                            Reverse(left.tx.capacity()),
+                            left.addr,
+                            left.id,
+                        );
+                        let right_key = (
+                            self.writer_contour_rank_for_selection(right),
+                            (right.generation < self.current_generation()) as usize,
+                            right.degraded.load(Ordering::Relaxed) as usize,
+                            self.writer_idle_rank_for_selection(
+                                right,
+                                &writer_idle_since,
+                                now_epoch_secs,
+                            ),
+                            Reverse(right.tx.capacity()),
+                            right.addr,
+                            right.id,
+                        );
+                        left_key.cmp(&right_key)
+                    });
+                } else {
+                    candidate_indices.sort_by_key(|idx| {
+                        let w = &writers_snapshot[*idx];
+                        let degraded = w.degraded.load(Ordering::Relaxed);
+                        let stale = (w.generation < self.current_generation()) as usize;
+                        (
+                            self.writer_contour_rank_for_selection(w),
+                            stale,
+                            degraded as usize,
+                            self.writer_idle_rank_for_selection(
+                                w,
+                                &writer_idle_since,
+                                now_epoch_secs,
+                            ),
+                            Reverse(w.tx.capacity()),
+                        )
+                    });
+                }

-            for offset in 0..candidate_indices.len() {
-                let idx = candidate_indices[(start + offset) % candidate_indices.len()];
+                let mut ordered = Vec::<usize>::with_capacity(candidate_indices.len());
+                for offset in 0..candidate_indices.len() {
+                    ordered.push(candidate_indices[(start + offset) % candidate_indices.len()]);
+                }
+                ordered
+            };
+            let mut fallback_blocking_idx: Option<usize> = None;
+
+            for idx in ordered_candidate_indices {
                let w = &writers_snapshot[idx];
                if !self.writer_accepts_new_binding(w) {
                    continue;
                }
-                if w.tx.send(WriterCommand::Data(payload.clone())).await.is_ok() {
-                    self.registry
-                        .bind_writer(conn_id, w.id, w.tx.clone(), meta.clone())
-                        .await;
-                    if w.generation < self.current_generation() {
-                        self.stats.increment_pool_stale_pick_total();
-                        debug!(
-                            conn_id,
-                            writer_id = w.id,
-                            writer_generation = w.generation,
-                            current_generation = self.current_generation(),
-                            "Selected stale ME writer for fallback bind"
-                        );
+                match w.tx.try_send(WriterCommand::Data(payload.clone())) {
+                    Ok(()) => {
+                        self.stats.increment_me_writer_pick_success_try_total(pick_mode);
+                        self.registry
+                            .bind_writer(conn_id, w.id, w.tx.clone(), meta.clone())
+                            .await;
+                        if w.generation < self.current_generation() {
+                            self.stats.increment_pool_stale_pick_total();
+                            debug!(
+                                conn_id,
+                                writer_id = w.id,
+                                writer_generation = w.generation,
+                                current_generation = self.current_generation(),
+                                "Selected stale ME writer for fallback bind"
+                            );
+                        }
+                        return Ok(());
+                    }
+                    Err(TrySendError::Full(_)) => {
+                        if fallback_blocking_idx.is_none() {
+                            fallback_blocking_idx = Some(idx);
+                        }
+                    }
+                    Err(TrySendError::Closed(_)) => {
+                        self.stats.increment_me_writer_pick_closed_total(pick_mode);
+                        warn!(writer_id = w.id, "ME writer channel closed");
+                        self.remove_writer_and_close_clients(w.id).await;
+                        continue;
                    }
-                    return Ok(());
-                } else {
-                    warn!(writer_id = w.id, "ME writer channel closed");
-                    self.remove_writer_and_close_clients(w.id).await;
-                    continue;
                }
            }

-            let w = writers_snapshot[candidate_indices[start]].clone();
+            let Some(blocking_idx) = fallback_blocking_idx else {
+                self.stats.increment_me_writer_pick_full_total(pick_mode);
+                continue;
+            };
+
+            let w = writers_snapshot[blocking_idx].clone();
            if !self.writer_accepts_new_binding(&w) {
+                self.stats.increment_me_writer_pick_full_total(pick_mode);
                continue;
            }
+            self.stats.increment_me_writer_pick_blocking_fallback_total();
            match w.tx.send(WriterCommand::Data(payload.clone())).await {
                Ok(()) => {
+                    self.stats
+                        .increment_me_writer_pick_success_fallback_total(pick_mode);
                    self.registry
                        .bind_writer(conn_id, w.id, w.tx.clone(), meta.clone())
                        .await;
@@ -183,6 +410,7 @@ impl MePool {
                    return Ok(());
                }
                Err(_) => {
+                    self.stats.increment_me_writer_pick_closed_total(pick_mode);
                    warn!(writer_id = w.id, "ME writer channel closed (blocking)");
                    self.remove_writer_and_close_clients(w.id).await;
                }
@@ -190,12 +418,136 @@ impl MePool {
        }
    }

+    async fn wait_for_writer_until(&self, deadline: Instant) -> bool {
+        let waiter = self.writer_available.notified();
+        if !self.writers.read().await.is_empty() {
+            return true;
+        }
+        let now = Instant::now();
+        if now >= deadline {
+            return !self.writers.read().await.is_empty();
+        }
+        let timeout = deadline.saturating_duration_since(now);
+        if tokio::time::timeout(timeout, waiter).await.is_ok() {
+            return true;
+        }
+        !self.writers.read().await.is_empty()
+    }
+
+    async fn wait_for_candidate_until(&self, routed_dc: i32, deadline: Instant) -> bool {
+        loop {
+            if self.has_candidate_for_target_dc(routed_dc).await {
+                return true;
+            }
+
+            let now = Instant::now();
+            if now >= deadline {
+                return self.has_candidate_for_target_dc(routed_dc).await;
+            }
+
+            let waiter = self.writer_available.notified();
+            if self.has_candidate_for_target_dc(routed_dc).await {
+                return true;
+            }
+            let remaining = deadline.saturating_duration_since(Instant::now());
+            if remaining.is_zero() {
+                return self.has_candidate_for_target_dc(routed_dc).await;
+            }
+            if tokio::time::timeout(remaining, waiter).await.is_err() {
+                return self.has_candidate_for_target_dc(routed_dc).await;
+            }
+        }
+    }
+
+    async fn has_candidate_for_target_dc(&self, routed_dc: i32) -> bool {
+        let writers_snapshot = {
+            let ws = self.writers.read().await;
+            if ws.is_empty() {
+                return false;
+            }
+            ws.clone()
+        };
+        let mut candidate_indices = self
+            .candidate_indices_for_dc(&writers_snapshot, routed_dc, false)
+            .await;
+        if candidate_indices.is_empty() {
+            candidate_indices = self
+                .candidate_indices_for_dc(&writers_snapshot, routed_dc, true)
+                .await;
+        }
+        !candidate_indices.is_empty()
+    }
+
+    async fn trigger_async_recovery_for_target_dc(self: &Arc<Self>, routed_dc: i32) -> bool {
+        let endpoints = self.endpoint_candidates_for_target_dc(routed_dc).await;
+        if endpoints.is_empty() {
+            return false;
+        }
+        self.stats.increment_me_async_recovery_trigger_total();
+        for addr in endpoints.into_iter().take(8) {
+            self.trigger_immediate_refill_for_dc(addr, routed_dc);
+        }
+        true
+    }
+
+    async fn trigger_async_recovery_global(self: &Arc<Self>) {
+        self.stats.increment_me_async_recovery_trigger_total();
+        let mut seen = HashSet::<(i32, SocketAddr)>::new();
+        for family in self.family_order() {
+            let map_guard = match family {
+                IpFamily::V4 => self.proxy_map_v4.read().await,
+                IpFamily::V6 => self.proxy_map_v6.read().await,
+            };
+            for (dc, addrs) in map_guard.iter() {
+                for (ip, port) in addrs {
+                    let addr = SocketAddr::new(*ip, *port);
+                    if seen.insert((*dc, addr)) {
+                        self.trigger_immediate_refill_for_dc(addr, *dc);
+                    }
+                    if seen.len() >= 8 {
+                        return;
+                    }
+                }
+            }
+        }
+    }
+
+    async fn endpoint_candidates_for_target_dc(&self, routed_dc: i32) -> Vec<SocketAddr> {
+        self.preferred_endpoints_for_dc(routed_dc).await
+    }
+
+    async fn maybe_trigger_hybrid_recovery(
+        self: &Arc<Self>,
+        routed_dc: i32,
+        hybrid_recovery_round: &mut u32,
+        hybrid_last_recovery_at: &mut Option<Instant>,
+        hybrid_wait_step: Duration,
+    ) {
+        if let Some(last) = *hybrid_last_recovery_at
+            && last.elapsed() < hybrid_wait_step
+        {
+            return;
+        }
+
+        let round = *hybrid_recovery_round;
+        let target_triggered = self.trigger_async_recovery_for_target_dc(routed_dc).await;
+        if !target_triggered || round % HYBRID_GLOBAL_BURST_PERIOD_ROUNDS == 0 {
+            self.trigger_async_recovery_global().await;
+        }
+        *hybrid_recovery_round = round.saturating_add(1);
+        *hybrid_last_recovery_at = Some(Instant::now());
+    }
+
    pub async fn send_close(self: &Arc<Self>, conn_id: u64) -> Result<()> {
        if let Some(w) = self.registry.get_writer(conn_id).await {
            let mut p = Vec::with_capacity(12);
            p.extend_from_slice(&RPC_CLOSE_EXT_U32.to_le_bytes());
            p.extend_from_slice(&conn_id.to_le_bytes());
-            if w.tx.send(WriterCommand::DataAndFlush(p)).await.is_err() {
+            if w.tx
+                .send(WriterCommand::DataAndFlush(Bytes::from(p)))
+                .await
+                .is_err()
+            {
                debug!("ME close write failed");
                self.remove_writer_and_close_clients(w.writer_id).await;
            }
@@ -207,6 +559,37 @@ impl MePool {
        Ok(())
    }

+    pub async fn send_close_conn(self: &Arc<Self>, conn_id: u64) -> Result<()> {
+        if let Some(w) = self.registry.get_writer(conn_id).await {
+            let mut p = Vec::with_capacity(12);
+            p.extend_from_slice(&RPC_CLOSE_CONN_U32.to_le_bytes());
+            p.extend_from_slice(&conn_id.to_le_bytes());
+            match w.tx.try_send(WriterCommand::DataAndFlush(Bytes::from(p))) {
+                Ok(()) => {}
+                Err(TrySendError::Full(cmd)) => {
+                    let _ = tokio::time::timeout(Duration::from_millis(50), w.tx.send(cmd)).await;
+                }
+                Err(TrySendError::Closed(_)) => {
+                    debug!(conn_id, "ME close_conn skipped: writer channel closed");
+                }
+            }
+        } else {
+            debug!(conn_id, "ME close_conn skipped (writer missing)");
+        }
+
+        self.registry.unregister(conn_id).await;
+        Ok(())
+    }
+
+    pub async fn shutdown_send_close_conn_all(self: &Arc<Self>) -> usize {
+        let conn_ids = self.registry.active_conn_ids().await;
+        let total = conn_ids.len();
+        for conn_id in conn_ids {
+            let _ = self.send_close_conn(conn_id).await;
+        }
+        total
+    }
+
    pub fn connection_count(&self) -> usize {
        self.conn_count.load(Ordering::Relaxed)
    }
@@ -214,69 +597,149 @@ impl MePool {
    pub(super) async fn candidate_indices_for_dc(
        &self,
        writers: &[super::pool::MeWriter],
-        target_dc: i16,
+        routed_dc: i32,
+        include_warm: bool,
    ) -> Vec<usize> {
-        let key = target_dc as i32;
-        let mut preferred = Vec::<SocketAddr>::new();
-
-        for family in self.family_order() {
-            let map_guard = match family {
-                IpFamily::V4 => self.proxy_map_v4.read().await,
-                IpFamily::V6 => self.proxy_map_v6.read().await,
-            };
-
-            if let Some(v) = map_guard.get(&key) {
-                preferred.extend(v.iter().map(|(ip, port)| SocketAddr::new(*ip, *port)));
-            }
-            if preferred.is_empty() {
-                let abs = key.abs();
-                if let Some(v) = map_guard.get(&abs) {
-                    preferred.extend(v.iter().map(|(ip, port)| SocketAddr::new(*ip, *port)));
-                }
-            }
-            if preferred.is_empty() {
-                let abs = key.abs();
-                if let Some(v) = map_guard.get(&-abs) {
-                    preferred.extend(v.iter().map(|(ip, port)| SocketAddr::new(*ip, *port)));
-                }
-            }
-            if preferred.is_empty() {
-                let def = self.default_dc.load(Ordering::Relaxed);
-                if def != 0
-                    && let Some(v) = map_guard.get(&def)
-                {
-                    preferred.extend(v.iter().map(|(ip, port)| SocketAddr::new(*ip, *port)));
-                }
-            }
-
-            drop(map_guard);
-
-            if !preferred.is_empty() && !self.decision.effective_multipath {
-                break;
-            }
-        }
-
+        let preferred = self.preferred_endpoints_for_dc(routed_dc).await;
        if preferred.is_empty() {
-            return (0..writers.len())
-                .filter(|i| self.writer_accepts_new_binding(&writers[*i]))
-                .collect();
+            return Vec::new();
        }

        let mut out = Vec::new();
        for (idx, w) in writers.iter().enumerate() {
-            if !self.writer_accepts_new_binding(w) {
+            if !self.writer_eligible_for_selection(w, include_warm) {
                continue;
            }
-            if preferred.contains(&w.addr) {
+            if w.writer_dc == routed_dc && preferred.iter().any(|endpoint| *endpoint == w.addr) {
                out.push(idx);
            }
        }
-        if out.is_empty() {
-            return (0..writers.len())
-                .filter(|i| self.writer_accepts_new_binding(&writers[*i]))
-                .collect();
-        }
        out
    }

+    fn writer_eligible_for_selection(
+        &self,
+        writer: &super::pool::MeWriter,
+        include_warm: bool,
+    ) -> bool {
+        if !self.writer_accepts_new_binding(writer) {
+            return false;
+        }
+
+        match WriterContour::from_u8(writer.contour.load(Ordering::Relaxed)) {
+            WriterContour::Active => true,
+            WriterContour::Warm => include_warm,
+            WriterContour::Draining => true,
+        }
+    }
+
+    fn writer_contour_rank_for_selection(&self, writer: &super::pool::MeWriter) -> usize {
+        match WriterContour::from_u8(writer.contour.load(Ordering::Relaxed)) {
+            WriterContour::Active => 0,
+            WriterContour::Warm => 1,
+            WriterContour::Draining => 2,
+        }
+    }
+
+    fn writer_idle_rank_for_selection(
+        &self,
+        writer: &super::pool::MeWriter,
+        idle_since_by_writer: &HashMap<u64, u64>,
+        now_epoch_secs: u64,
+    ) -> usize {
+        let Some(idle_since) = idle_since_by_writer.get(&writer.id).copied() else {
+            return 0;
+        };
+        let idle_age_secs = now_epoch_secs.saturating_sub(idle_since);
+        if idle_age_secs >= IDLE_WRITER_PENALTY_HIGH_SECS {
+            2
+        } else if idle_age_secs >= IDLE_WRITER_PENALTY_MID_SECS {
+            1
+        } else {
+            0
+        }
+    }
+
+    fn writer_pick_score(
+        &self,
+        writer: &super::pool::MeWriter,
+        idle_since_by_writer: &HashMap<u64, u64>,
+        now_epoch_secs: u64,
+    ) -> u64 {
+        let contour_penalty = match WriterContour::from_u8(writer.contour.load(Ordering::Relaxed)) {
+            WriterContour::Active => 0,
+            WriterContour::Warm => PICK_PENALTY_WARM,
+            WriterContour::Draining => PICK_PENALTY_DRAINING,
+        };
+        let stale_penalty = if writer.generation < self.current_generation() {
+            PICK_PENALTY_STALE
+        } else {
+            0
+        };
+        let degraded_penalty = if writer.degraded.load(Ordering::Relaxed) {
+            PICK_PENALTY_DEGRADED
+        } else {
+            0
+        };
+        let idle_penalty =
+            (self.writer_idle_rank_for_selection(writer, idle_since_by_writer, now_epoch_secs) as u64)
+                * 100;
+        let queue_cap = self.writer_cmd_channel_capacity.max(1) as u64;
+        let queue_remaining = writer.tx.capacity() as u64;
+        let queue_used = queue_cap.saturating_sub(queue_remaining.min(queue_cap));
+        let queue_util_pct = queue_used.saturating_mul(100) / queue_cap;
+        let queue_penalty = queue_util_pct.saturating_mul(4);
+        let rtt_penalty = ((writer.rtt_ema_ms_x10.load(Ordering::Relaxed) as u64).saturating_add(5) / 10)
+            .min(400);
+
+        contour_penalty
+            .saturating_add(stale_penalty)
+            .saturating_add(degraded_penalty)
+            .saturating_add(idle_penalty)
+            .saturating_add(queue_penalty)
+            .saturating_add(rtt_penalty)
+    }
+
+    fn p2c_ordered_candidate_indices(
+        &self,
+        candidate_indices: &[usize],
+        writers_snapshot: &[super::pool::MeWriter],
+        idle_since_by_writer: &HashMap<u64, u64>,
+        now_epoch_secs: u64,
+        start: usize,
+        sample_size: usize,
+    ) -> Vec<usize> {
+        let total = candidate_indices.len();
+        if total == 0 {
+            return Vec::new();
+        }
+
+        let mut sampled = Vec::<usize>::with_capacity(sample_size.min(total));
+        let mut seen = HashSet::<usize>::with_capacity(total);
+        for offset in 0..sample_size.min(total) {
+            let idx = candidate_indices[(start + offset) % total];
+            if seen.insert(idx) {
+                sampled.push(idx);
+            }
+        }
+
+        sampled.sort_by_key(|idx| {
+            let writer = &writers_snapshot[*idx];
+            (
+                self.writer_pick_score(writer, idle_since_by_writer, now_epoch_secs),
+                writer.addr,
+                writer.id,
+            )
+        });
+
+        let mut ordered = Vec::<usize>::with_capacity(total);
+        ordered.extend(sampled.iter().copied());
+        for offset in 0..total {
+            let idx = candidate_indices[(start + offset) % total];
+            if seen.insert(idx) {
+                ordered.push(idx);
+            }
+        }
+        ordered
+    }
 }
--- a/src/transport/middle_proxy/wire.rs
+++ b/src/transport/middle_proxy/wire.rs
@@ -1,4 +1,5 @@
 use std::net::{IpAddr, Ipv4Addr, SocketAddr};
+use bytes::Bytes;

 use crate::protocol::constants::*;

@@ -48,7 +49,7 @@ pub(crate) fn build_proxy_req_payload(
    data: &[u8],
    proxy_tag: Option<&[u8]>,
    proto_flags: u32,
-) -> Vec<u8> {
+) -> Bytes {
    let mut b = Vec::with_capacity(128 + data.len());

    b.extend_from_slice(&RPC_PROXY_REQ_U32.to_le_bytes());
@@ -85,7 +86,7 @@ pub(crate) fn build_proxy_req_payload(
    }

    b.extend_from_slice(data);
-    b
+    Bytes::from(b)
 }

 pub fn proto_flags_for_tag(tag: crate::protocol::constants::ProtoTag, has_proxy_tag: bool) -> u32 {
--- a/src/transport/mod.rs
+++ b/src/transport/mod.rs
@@ -14,5 +14,5 @@ pub use socket::*;
 #[allow(unused_imports)]
 pub use socks::*;
 #[allow(unused_imports)]
-pub use upstream::{DcPingResult, StartupPingResult, UpstreamManager};
+pub use upstream::{DcPingResult, StartupPingResult, UpstreamEgressInfo, UpstreamManager, UpstreamRouteKind};
 pub mod middle_proxy;
--- a/src/transport/socks.rs
+++ b/src/transport/socks.rs
@@ -5,11 +5,16 @@ use tokio::io::{AsyncReadExt, AsyncWriteExt};
 use tokio::net::TcpStream;
 use crate::error::{ProxyError, Result};

+#[derive(Debug, Clone, Copy)]
+pub struct SocksBoundAddr {
+    pub addr: SocketAddr,
+}
+
 pub async fn connect_socks4(
    stream: &mut TcpStream,
    target: SocketAddr,
    user_id: Option<&str>,
-) -> Result<()> {
+) -> Result<SocksBoundAddr> {
    let ip = match target.ip() {
        IpAddr::V4(ip) => ip,
        IpAddr::V6(_) => return Err(ProxyError::Proxy("SOCKS4 does not support IPv6".to_string())),
@@ -36,8 +41,13 @@ pub async fn connect_socks4(
    if resp[1] != 90 {
        return Err(ProxyError::Proxy(format!("SOCKS4 request rejected: code {}", resp[1])));
    }
-    
-    Ok(())
+
+    let bound_port = u16::from_be_bytes([resp[2], resp[3]]);
+    let bound_ip = IpAddr::from([resp[4], resp[5], resp[6], resp[7]]);
+
+    Ok(SocksBoundAddr {
+        addr: SocketAddr::new(bound_ip, bound_port),
+    })
 }

 pub async fn connect_socks5(
@@ -45,7 +55,7 @@ pub async fn connect_socks5(
    target: SocketAddr,
    username: Option<&str>,
    password: Option<&str>,
-) -> Result<()> {
+) -> Result<SocksBoundAddr> {
    // 1. Auth negotiation
    // VER (1) | NMETHODS (1) | METHODS (variable)
    let mut methods = vec![0u8]; // No auth
@@ -122,24 +132,36 @@ pub async fn connect_socks5(
        return Err(ProxyError::Proxy(format!("SOCKS5 request failed: code {}", head[1])));
    }
    
-    // Skip address part of response
-    match head[3] {
+    // Parse bound address from response.
+    let bound_addr = match head[3] {
        1 => { // IPv4
            let mut addr = [0u8; 4 + 2];
            stream.read_exact(&mut addr).await.map_err(ProxyError::Io)?;
+            let ip = IpAddr::from([addr[0], addr[1], addr[2], addr[3]]);
+            let port = u16::from_be_bytes([addr[4], addr[5]]);
+            SocketAddr::new(ip, port)
        },
        3 => { // Domain
            let mut len = [0u8; 1];
            stream.read_exact(&mut len).await.map_err(ProxyError::Io)?;
            let mut addr = vec![0u8; len[0] as usize + 2];
            stream.read_exact(&mut addr).await.map_err(ProxyError::Io)?;
+            // Domain-bound response is not useful for KDF IP material.
+            let port_pos = addr.len().saturating_sub(2);
+            let port = u16::from_be_bytes([addr[port_pos], addr[port_pos + 1]]);
+            SocketAddr::new(IpAddr::from([0, 0, 0, 0]), port)
        },
        4 => { // IPv6
            let mut addr = [0u8; 16 + 2];
            stream.read_exact(&mut addr).await.map_err(ProxyError::Io)?;
+            let ip = IpAddr::from(<[u8; 16]>::try_from(&addr[..16]).map_err(|_| {
+                ProxyError::Proxy("Invalid SOCKS5 IPv6 bound address".to_string())
+            })?);
+            let port = u16::from_be_bytes([addr[16], addr[17]]);
+            SocketAddr::new(ip, port)
        },
        _ => return Err(ProxyError::Proxy("Invalid address type in SOCKS5 response".to_string())),
-    }
-    
-    Ok(())
-}
+    };
+
+    Ok(SocksBoundAddr { addr: bound_addr })
+}
--- a/src/transport/upstream.rs
+++ b/src/transport/upstream.rs
--- a/telemt.service
+++ b/telemt.service
@@ -1,13 +1,16 @@
 [Unit]
 Description=Telemt
-After=network.target
+After=network-online.target
+Wants=network-online.target

 [Service]
 Type=simple
-WorkingDirectory=/bin
+WorkingDirectory=/etc/telemt
 ExecStart=/bin/telemt /etc/telemt.toml
 Restart=on-failure
-LimitNOFILE=65536
+LimitNOFILE=262144
+TasksMax=8192
+MemoryAccounting=yes

 [Install]
 WantedBy=multi-user.target
--- a/tools/aesdiag.py
+++ b/tools/aesdiag.py
@@ -0,0 +1,403 @@
+#!/usr/bin/env python3
+"""
+AES-CBC validation tool for telemt middle proxy logs with support for noop padding.
+
+Parses log lines containing:
+  - "ME diag: derived keys and handshake plaintext" (provides write_key, write_iv, hs_plain)
+  - "ME diag: handshake ciphertext" (provides hs_cipher)
+
+For each pair it:
+  - Decrypts the ciphertext using the provided key and IV.
+  - Compares the beginning of the decrypted data with hs_plain.
+  - Attempts to identify the actual padding scheme (PKCS#7, zero padding, noop padding).
+  - Re-encrypts with different paddings and reports mismatches block by block.
+  - Accumulates statistics for final summary.
+"""
+
+import sys
+import re
+from collections import defaultdict
+from Crypto.Cipher import AES
+
+# Constants
+NOOP_FRAME = bytes([0x04, 0x00, 0x00, 0x00])   # noop frame used for padding
+
+def hex_str_to_bytes(hex_str):
+    """Convert a hex string like 'aa bb cc' to bytes."""
+    return bytes.fromhex(hex_str.replace(' ', ''))
+
+def parse_params(line):
+    """Extract key=value pairs where value is a space-separated hex string."""
+    pattern = r'(\w+)=((?:[0-9a-f]{2} )*[0-9a-f]{2})'
+    return {key: val for key, val in re.findall(pattern, line)}
+
+def pkcs7_pad(data, block_size=16):
+    """Apply PKCS#7 padding to the given data."""
+    pad_len = block_size - (len(data) % block_size)
+    if pad_len == 0:
+        pad_len = block_size
+    return data + bytes([pad_len]) * pad_len
+
+def zero_pad(data, block_size=16):
+    """Pad with zeros to the next block boundary."""
+    pad_len = block_size - (len(data) % block_size)
+    if pad_len == block_size:
+        return data  # already full blocks, no zero padding needed
+    return data + bytes(pad_len)
+
+def noop_pad(data):
+    """
+    Pad with minimal number of noop frames (b'\\x04\\x00\\x00\\x00')
+    to reach a multiple of 16 bytes.
+    """
+    block_size = 16
+    frame_len = len(NOOP_FRAME)  # 4
+    remainder = len(data) % block_size
+    if remainder == 0:
+        return data  # no padding needed
+    # We need to add k frames such that (len(data) + k*frame_len) % block_size == 0
+    # => k*frame_len ≡ -remainder (mod block_size)
+    # Since frame_len=4 and block_size=16, we need k*4 ≡ (16-remainder) mod 16
+    # k must be an integer in {1,2,3} (because 4*4=16 ≡0 mod16, so k=4 gives remainder 0, but then total increase=16,
+    # but if remainder==0 we already handled; if remainder!=0, k=4 gives (len+16)%16 == remainder, not 0,
+    # so k=4 doesn't solve unless remainder=0. Actually 4*4=16 ≡0, so k=4 gives (len+16)%16 = remainder, so still not 0.
+    # The equation is k*4 ≡ (16-remainder) mod 16. Let r=16-remainder (1..15). Then k ≡ r*inv(4) mod 4? Since mod 16,
+    # 4 has no inverse modulo 16 because gcd(4,16)=4. So solutions exist only if r is multiple of 4.
+    # Therefore remainder must be 4,8,12 (so that r = 12,8,4). This matches the idea that noop padding is only added
+    # when the plaintext length mod 16 is 4,8,12. In our logs it's always 44 mod16=12, so r=4, so k=1 works.
+    # For safety, we compute k as (block_size - remainder) // frame_len, but this only works if that value is integer.
+    need = block_size - remainder
+    if need % frame_len != 0:
+        # This shouldn't happen by protocol, but if it does, fall back to adding full blocks of noop until multiple.
+        # We'll add ceil(need/frame_len) frames.
+        k = (need + frame_len - 1) // frame_len
+    else:
+        k = need // frame_len
+    return data + NOOP_FRAME * k
+
+def unpad_pkcs7(data):
+    """Remove PKCS#7 padding (assumes correct padding)."""
+    if not data:
+        return data
+    pad_len = data[-1]
+    if pad_len < 1 or pad_len > 16:
+        return data  # not valid PKCS#7, return as is
+    # Check that all padding bytes are equal to pad_len
+    if all(b == pad_len for b in data[-pad_len:]):
+        return data[:-pad_len]
+    return data
+
+def is_noop_padded(decrypted, plain_log):
+    """
+    Check if the extra bytes after plain_log in decrypted consist of one or more NOOP_FRAMEs.
+    Returns True if they do, False otherwise.
+    """
+    extra = decrypted[len(plain_log):]
+    if len(extra) == 0:
+        return False
+    # Split into chunks of 4
+    if len(extra) % 4 != 0:
+        return False
+    for i in range(0, len(extra), 4):
+        if extra[i:i+4] != NOOP_FRAME:
+            return False
+    return True
+
+def main():
+    derived_list = []   # entries from "derived keys and handshake plaintext"
+    cipher_list = []    # entries from "handshake ciphertext"
+
+    for line in sys.stdin:
+        if 'ME diag: derived keys and handshake plaintext' in line:
+            params = parse_params(line)
+            if all(k in params for k in ('write_key', 'write_iv', 'hs_plain')):
+                derived_list.append(params)
+        elif 'ME diag: handshake ciphertext' in line:
+            params = parse_params(line)
+            if 'hs_cipher' in params:
+                cipher_list.append(params)
+
+    # Warn about count mismatch but process as many pairs as possible
+    n_pairs = min(len(derived_list), len(cipher_list))
+    if len(derived_list) != len(cipher_list):
+        print(f"\n[WARN] Number of derived entries ({len(derived_list)}) "
+              f"differs from cipher entries ({len(cipher_list)}). "
+              f"Processing first {n_pairs} pairs.\n")
+
+    # Statistics accumulators
+    stats = {
+        'total': n_pairs,
+        'key_length_ok': 0,
+        'iv_length_ok': 0,
+        'cipher_aligned': 0,
+        'decryption_match_start': 0,      # first bytes equal hs_plain
+        'pkcs7_after_unpad_matches': 0,   # after removing PKCS7, equals hs_plain
+        'extra_bytes_all_zero': 0,         # extra bytes after hs_plain are zero
+        'extra_bytes_noop': 0,             # extra bytes are noop frames
+        'pkcs7_encrypt_ok': 0,             # re-encryption with PKCS7 matches ciphertext
+        'zero_encrypt_ok': 0,               # re-encryption with zero padding matches
+        'noop_encrypt_ok': 0,                # re-encryption with noop padding matches
+        'no_padding_encrypt_ok': 0,         # only if plaintext multiple of 16 and matches
+        'no_padding_applicable': 0,         # number of tests where plaintext len %16 ==0
+    }
+
+    detailed_results = []  # store per-test summary for final heuristic
+
+    for idx, (der, ciph) in enumerate(zip(derived_list[:n_pairs], cipher_list[:n_pairs]), 1):
+        print(f"\n{'='*60}")
+        print(f"Test #{idx}")
+        print(f"{'='*60}")
+
+        # Local stats for this test
+        test_stats = defaultdict(bool)
+
+        try:
+            key = hex_str_to_bytes(der['write_key'])
+            iv = hex_str_to_bytes(der['write_iv'])
+            plain_log = hex_str_to_bytes(der['hs_plain'])
+            ciphertext = hex_str_to_bytes(ciph['hs_cipher'])
+
+            # Basic sanity checks
+            print(f"[INFO] Key length       : {len(key)} bytes (expected 32)")
+            print(f"[INFO] IV length        : {len(iv)} bytes (expected 16)")
+            print(f"[INFO] hs_plain length  : {len(plain_log)} bytes")
+            print(f"[INFO] hs_cipher length : {len(ciphertext)} bytes")
+
+            if len(key) == 32:
+                stats['key_length_ok'] += 1
+                test_stats['key_ok'] = True
+            else:
+                print("[WARN] Key length is not 32 bytes – AES-256 requires 32-byte key.")
+
+            if len(iv) == 16:
+                stats['iv_length_ok'] += 1
+                test_stats['iv_ok'] = True
+            else:
+                print("[WARN] IV length is not 16 bytes – AES-CBC requires 16-byte IV.")
+
+            if len(ciphertext) % 16 == 0:
+                stats['cipher_aligned'] += 1
+                test_stats['cipher_aligned'] = True
+            else:
+                print("[ERROR] Ciphertext length is not a multiple of 16 – invalid AES-CBC block alignment.")
+                # Skip further processing for this test
+                detailed_results.append(test_stats)
+                continue
+
+            # --- Decryption test ---
+            cipher_dec = AES.new(key, AES.MODE_CBC, iv)
+            decrypted = cipher_dec.decrypt(ciphertext)
+            print(f"[INFO] Decrypted ({len(decrypted)} bytes): {decrypted.hex()}")
+
+            # Compare beginning with hs_plain
+            match_len = min(len(plain_log), len(decrypted))
+            if decrypted[:match_len] == plain_log[:match_len]:
+                print(f"[OK] First {match_len} bytes match hs_plain.")
+                stats['decryption_match_start'] += 1
+                test_stats['decrypt_start_ok'] = True
+            else:
+                print(f"[FAIL] First bytes do NOT match hs_plain.")
+                for i in range(match_len):
+                    if decrypted[i] != plain_log[i]:
+                        print(f"       First mismatch at byte {i}: hs_plain={plain_log[i]:02x}, decrypted={decrypted[i]:02x}")
+                        break
+                test_stats['decrypt_start_ok'] = False
+
+            # --- Try to identify actual padding ---
+            # Remove possible PKCS#7 padding from decrypted data
+            decrypted_unpadded = unpad_pkcs7(decrypted)
+            if decrypted_unpadded != decrypted:
+                print(f"[INFO] After removing PKCS#7 padding: {len(decrypted_unpadded)} bytes left.")
+                if decrypted_unpadded == plain_log:
+                    print("[OK] Decrypted data with PKCS#7 removed exactly matches hs_plain.")
+                    stats['pkcs7_after_unpad_matches'] += 1
+                    test_stats['pkcs7_unpad_matches'] = True
+                else:
+                    print("[INFO] Decrypted (PKCS#7 removed) does NOT match hs_plain.")
+                    test_stats['pkcs7_unpad_matches'] = False
+            else:
+                print("[INFO] No valid PKCS#7 padding detected in decrypted data.")
+                test_stats['pkcs7_unpad_matches'] = False
+
+            # Check if the extra bytes after hs_plain in decrypted are all zero (zero padding)
+            extra = decrypted[len(plain_log):]
+            if extra and all(b == 0 for b in extra):
+                print("[INFO] Extra bytes after hs_plain are all zeros – likely zero padding.")
+                stats['extra_bytes_all_zero'] += 1
+                test_stats['extra_zero'] = True
+            else:
+                test_stats['extra_zero'] = False
+
+            # Check for noop padding in extra bytes
+            if is_noop_padded(decrypted, plain_log):
+                print(f"[OK] Extra bytes after hs_plain consist of noop frames ({NOOP_FRAME.hex()}).")
+                stats['extra_bytes_noop'] += 1
+                test_stats['extra_noop'] = True
+            else:
+                test_stats['extra_noop'] = False
+                if extra:
+                    print(f"[INFO] Extra bytes after hs_plain (hex): {extra.hex()}")
+
+            # --- Re-encryption tests ---
+            # PKCS#7
+            padded_pkcs7 = pkcs7_pad(plain_log)
+            cipher_enc = AES.new(key, AES.MODE_CBC, iv)
+            computed_pkcs7 = cipher_enc.encrypt(padded_pkcs7)
+            if computed_pkcs7 == ciphertext:
+                print("[OK] PKCS#7 padding produces the expected ciphertext.")
+                stats['pkcs7_encrypt_ok'] += 1
+                test_stats['pkcs7_enc_ok'] = True
+            else:
+                print("[FAIL] PKCS#7 padding does NOT match the ciphertext.")
+                test_stats['pkcs7_enc_ok'] = False
+                # Show block where first difference occurs
+                block_size = 16
+                for blk in range(len(ciphertext)//block_size):
+                    start = blk*block_size
+                    exp = ciphertext[start:start+block_size]
+                    comp = computed_pkcs7[start:start+block_size]
+                    if exp != comp:
+                        print(f"       First difference in block {blk}:")
+                        print(f"         expected : {exp.hex()}")
+                        print(f"         computed : {comp.hex()}")
+                        break
+
+            # Zero padding
+            padded_zero = zero_pad(plain_log)
+            # Ensure multiple of 16
+            if len(padded_zero) % 16 != 0:
+                padded_zero += bytes(16 - (len(padded_zero)%16))
+            cipher_enc_zero = AES.new(key, AES.MODE_CBC, iv)
+            computed_zero = cipher_enc_zero.encrypt(padded_zero)
+            if computed_zero == ciphertext:
+                print("[OK] Zero padding produces the expected ciphertext.")
+                stats['zero_encrypt_ok'] += 1
+                test_stats['zero_enc_ok'] = True
+            else:
+                print("[INFO] Zero padding does NOT match (expected, unless log used PKCS#7).")
+                test_stats['zero_enc_ok'] = False
+
+            # Noop padding
+            padded_noop = noop_pad(plain_log)
+            # Ensure multiple of 16 (noop_pad already returns multiple of 16)
+            cipher_enc_noop = AES.new(key, AES.MODE_CBC, iv)
+            computed_noop = cipher_enc_noop.encrypt(padded_noop)
+            if computed_noop == ciphertext:
+                print("[OK] Noop padding produces the expected ciphertext.")
+                stats['noop_encrypt_ok'] += 1
+                test_stats['noop_enc_ok'] = True
+            else:
+                print("[FAIL] Noop padding does NOT match the ciphertext.")
+                test_stats['noop_enc_ok'] = False
+                # Show block difference if needed
+                for blk in range(len(ciphertext)//16):
+                    start = blk*16
+                    if computed_noop[start:start+16] != ciphertext[start:start+16]:
+                        print(f"       First difference in block {blk}:")
+                        print(f"         expected : {ciphertext[start:start+16].hex()}")
+                        print(f"         computed : {computed_noop[start:start+16].hex()}")
+                        break
+
+            # No padding (only possible if plaintext is already multiple of 16)
+            if len(plain_log) % 16 == 0:
+                stats['no_padding_applicable'] += 1
+                cipher_enc_nopad = AES.new(key, AES.MODE_CBC, iv)
+                computed_nopad = cipher_enc_nopad.encrypt(plain_log)
+                if computed_nopad == ciphertext:
+                    print("[OK] No padding (plaintext multiple of 16) matches.")
+                    stats['no_padding_encrypt_ok'] += 1
+                    test_stats['no_pad_enc_ok'] = True
+                else:
+                    print("[INFO] No padding does NOT match.")
+                    test_stats['no_pad_enc_ok'] = False
+            else:
+                print("[INFO] Skipping no‑padding test because plaintext length is not a multiple of 16.")
+
+        except Exception as e:
+            print(f"[EXCEPTION] {e}")
+            test_stats['exception'] = True
+
+        detailed_results.append(test_stats)
+
+    # --- Final statistics and heuristic summary ---
+    print("\n" + "="*60)
+    print("STATISTICS SUMMARY")
+    print("="*60)
+    print(f"Total tests processed          : {stats['total']}")
+    print(f"Key length OK (32)              : {stats['key_length_ok']}/{stats['total']}")
+    print(f"IV length OK (16)                : {stats['iv_length_ok']}/{stats['total']}")
+    print(f"Ciphertext 16-byte aligned       : {stats['cipher_aligned']}/{stats['total']}")
+    print(f"Decryption starts with hs_plain  : {stats['decryption_match_start']}/{stats['total']}")
+    print(f"After PKCS#7 removal matches     : {stats['pkcs7_after_unpad_matches']}/{stats['total']}")
+    print(f"Extra bytes after hs_plain are 0 : {stats['extra_bytes_all_zero']}/{stats['total']}")
+    print(f"Extra bytes are noop frames       : {stats['extra_bytes_noop']}/{stats['total']}")
+    print(f"PKCS#7 re-encryption OK           : {stats['pkcs7_encrypt_ok']}/{stats['total']}")
+    print(f"Zero padding re-encryption OK     : {stats['zero_encrypt_ok']}/{stats['total']}")
+    print(f"Noop padding re-encryption OK     : {stats['noop_encrypt_ok']}/{stats['total']}")
+    if stats['no_padding_applicable'] > 0:
+        print(f"No-padding applicable tests      : {stats['no_padding_applicable']}")
+        print(f"No-padding re-encryption OK       : {stats['no_padding_encrypt_ok']}/{stats['no_padding_applicable']}")
+
+    # Heuristic: determine most likely padding
+    print("\n" + "="*60)
+    print("HEURISTIC CONCLUSION")
+    print("="*60)
+
+    if stats['decryption_match_start'] == stats['total']:
+        print("✓ All tests: first bytes of decrypted data match hs_plain → keys and IV are correct.")
+    else:
+        print("✗ Some tests: first bytes mismatch → possible key/IV issues or corrupted ciphertext.")
+
+    # Guess padding based on re-encryption success and extra bytes
+    candidates = []
+    if stats['pkcs7_encrypt_ok'] == stats['total']:
+        candidates.append("PKCS#7")
+    if stats['zero_encrypt_ok'] == stats['total']:
+        candidates.append("zero padding")
+    if stats['noop_encrypt_ok'] == stats['total']:
+        candidates.append("noop padding")
+    if stats['no_padding_applicable'] == stats['total'] and stats['no_padding_encrypt_ok'] == stats['total']:
+        candidates.append("no padding")
+
+    if len(candidates) == 1:
+        print(f"✓ All tests consistent with padding scheme: {candidates[0]}.")
+    elif len(candidates) > 1:
+        print(f"⚠ Multiple padding schemes succeed in all tests: {', '.join(candidates)}. This is unusual.")
+    else:
+        # No scheme succeeded in all tests – look at ratios
+        print("Mixed padding results:")
+        total = stats['total']
+        pkcs7_ratio = stats['pkcs7_encrypt_ok'] / total if total else 0
+        zero_ratio = stats['zero_encrypt_ok'] / total if total else 0
+        noop_ratio = stats['noop_encrypt_ok'] / total if total else 0
+        print(f"  PKCS#7 success = {stats['pkcs7_encrypt_ok']}/{total} ({pkcs7_ratio*100:.1f}%)")
+        print(f"  Zero success   = {stats['zero_encrypt_ok']}/{total} ({zero_ratio*100:.1f}%)")
+        print(f"  Noop success   = {stats['noop_encrypt_ok']}/{total} ({noop_ratio*100:.1f}%)")
+
+        if noop_ratio > max(pkcs7_ratio, zero_ratio):
+            print("→ Noop padding is most frequent. Check if extra bytes are indeed noop frames.")
+        elif pkcs7_ratio > zero_ratio:
+            print("→ PKCS#7 is most frequent, but fails in some tests.")
+        elif zero_ratio > pkcs7_ratio:
+            print("→ Zero padding is most frequent, but fails in some tests.")
+        else:
+            print("→ No clear winner; possibly a different padding scheme or random data.")
+
+    # Additional heuristics based on extra bytes
+    if stats['extra_bytes_noop'] == stats['total']:
+        print("✓ All tests: extra bytes after hs_plain are noop frames → strongly indicates noop padding.")
+    if stats['extra_bytes_all_zero'] == stats['total']:
+        print("✓ All tests: extra bytes are zeros → suggests zero padding.")
+
+    # Final health check
+    if (stats['decryption_match_start'] == stats['total'] and
+        (stats['pkcs7_encrypt_ok'] == stats['total'] or
+         stats['zero_encrypt_ok'] == stats['total'] or
+         stats['noop_encrypt_ok'] == stats['total'] or
+         stats['no_padding_encrypt_ok'] == stats['no_padding_applicable'] == stats['total'])):
+        print("\n✅ OVERALL: All tests consistent. The encryption parameters and padding are correct.")
+    else:
+        print("\n⚠️ OVERALL: Inconsistencies detected. Review the detailed output for failing tests.")
+
+if __name__ == '__main__':
+    main()
--- a/tools/zbx_telemt_template.yaml
+++ b/tools/zbx_telemt_template.yaml
@@ -47,6 +47,54 @@ zabbix_export:
          tags:
            - tag: Application
              value: 'Server connections'
+        - uuid: 2af8ff0f27e4408db3f9798dc3141457
+          name: 'Full forensic desync logs emitted'
+          type: DEPENDENT
+          key: telemt.desync_full_logged_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_desync_full_logged_total
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
+        - uuid: f4439948a49f4b1d85c3eeee963259bc
+          name: 'Suppressed desync forensic events'
+          type: DEPENDENT
+          key: telemt.desync_suppressed_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_desync_suppressed_total
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
+        - uuid: 721627b8c10a414a82be1e08873604c1
+          name: 'Total crypto-desync detections'
+          type: DEPENDENT
+          key: telemt.desync_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_desync_total
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
        - uuid: 1618272cf68e44509425f5fab029db7b
          name: 'Handshake timeouts total'
          type: DEPENDENT
@@ -64,6 +112,152 @@ zabbix_export:
          tags:
            - tag: Application
              value: 'Server connections'
+        - uuid: 4e5c0d10a4494c959445b4cd7a2e696e
+          name: 'ME CRC mismatches'
+          type: DEPENDENT
+          key: telemt.me_crc_mismatch_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_me_crc_mismatch_total
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Middle-End connections'
+        - uuid: 21a4a48b6e98457d87c56c3ae7b56c55
+          name: 'ME endpoint quarantines due to rapid flaps'
+          type: DEPENDENT
+          key: telemt.me_endpoint_quarantine_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_me_endpoint_quarantine_total
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
+        - uuid: c8ffc30dc3d94a6d9085ac79413fbdd6
+          name: 'Runtime ME writer floor policy mode'
+          type: DEPENDENT
+          key: telemt.me_floor_mode
+          delay: '0'
+          value_type: TEXT
+          trends: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - 'telemt_me_floor_mode == 1'
+                - label
+                - mode
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
+        - uuid: 4814b52d5d184f63b64654e7635bdf6a
+          name: 'ME handshake rejects from upstream'
+          type: DEPENDENT
+          key: telemt.me_handshake_reject_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_me_handshake_reject_total
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
+        - uuid: 72d11caecefb4472b6c3e07f1ee90053
+          name: 'Hardswap cycles that reused an existing pending generation'
+          type: DEPENDENT
+          key: telemt.me_hardswap_pending_reuse_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_me_hardswap_pending_reuse_total
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
+        - uuid: 447030854e8840a393874f54e25861d5
+          name: 'Pending hardswap generations reset by TTL expiration'
+          type: DEPENDENT
+          key: telemt.me_hardswap_pending_ttl_expired_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_me_hardswap_pending_ttl_expired_total
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
+        - uuid: 47f55dd7d9394405b1c0eba6e6eb3e5c
+          name: 'ME idle writers closed by peer'
+          type: DEPENDENT
+          key: telemt.me_idle_close_by_peer_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_me_idle_close_by_peer_total
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
+        - uuid: 9e4598efbfe246fab9360270002b0cfa
+          name: 'ME KDF input drift detections'
+          type: DEPENDENT
+          key: telemt.me_kdf_drift_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_me_kdf_drift_total
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
+        - uuid: 565cc9780c5541bfb7acbb1f4973b5fc
+          name: 'ME KDF client-port changes with stable non-port material'
+          type: DEPENDENT
+          key: telemt.me_kdf_port_only_drift_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_me_kdf_port_only_drift_total
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
        - uuid: fb95391c7f894e3eb6984b92885813d2
          name: 'ME keepalive send failures'
          type: DEPENDENT
@@ -81,6 +275,22 @@ zabbix_export:
          tags:
            - tag: Application
              value: 'Middle-End connections'
+        - uuid: 7b5995401195430e9f9e02e5dd8c3313
+          name: 'ME keepalive pong replies'
+          type: DEPENDENT
+          key: telemt.me_keepalive_pong_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_me_keepalive_pong_total
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Middle-End connections'
        - uuid: fb95391c7f894e3eb6984b92885813c2
          name: 'ME keepalive frames sent'
          type: DEPENDENT
@@ -98,6 +308,38 @@ zabbix_export:
          tags:
            - tag: Application
              value: 'Middle-End connections'
+        - uuid: da5af5fd691d4f40bc6cad78b4758eac
+          name: 'ME keepalive ping timeouts'
+          type: DEPENDENT
+          key: telemt.me_keepalive_timeout_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_me_keepalive_timeout_total
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Middle-End connections'
+        - uuid: 50b45e494d584a7b86fca8b80c727411
+          name: 'ME reader EOF terminations'
+          type: DEPENDENT
+          key: telemt.me_reader_eof_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_me_reader_eof_total
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
        - uuid: fb95391c7f894e3eb6984b92885811a2
          name: 'ME reconnect attempts'
          type: DEPENDENT
@@ -132,6 +374,470 @@ zabbix_export:
          tags:
            - tag: Application
              value: 'Middle-End connections'
+        - uuid: 6288b537b7964aadb8a483abd716855a
+          name: 'Immediate ME refill failures'
+          type: DEPENDENT
+          key: telemt.me_refill_failed_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_me_refill_failed_total
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
+        - uuid: 8450bdb48f9b4505beb8fdfc665b37c5
+          name: 'Immediate ME refill skips due to inflight dedup'
+          type: DEPENDENT
+          key: telemt.me_refill_skipped_inflight_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_me_refill_skipped_inflight_total
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
+        - uuid: cb192264c03a40578140863970333515
+          name: 'Immediate ME refill runs started'
+          type: DEPENDENT
+          key: telemt.me_refill_triggered_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_me_refill_triggered_total
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
+        - uuid: 8f46b374332848fba0daba72e17eaad0
+          name: 'ME route drops: channel closed'
+          type: DEPENDENT
+          key: telemt.me_route_drop_channel_closed_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_me_route_drop_channel_closed_total
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Middle-End connections'
+        - uuid: de5fa7a316554d099bcf5e000b33bfed
+          name: 'ME route drops: no conn'
+          type: DEPENDENT
+          key: telemt.me_route_drop_no_conn_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_me_route_drop_no_conn_total
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Middle-End connections'
+        - uuid: d9e1630ce38946f7a8d179187793f12c
+          name: 'ME route drops: queue full by adaptive profile'
+          type: DEPENDENT
+          key: telemt.me_route_drop_queue_full_profile_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - 'telemt_me_route_drop_queue_full_profile_total == 1'
+                - label
+                - profile
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
+        - uuid: d5caefb8978e4f3eac4dcdecd4655c46
+          name: 'ME route drops: queue full'
+          type: DEPENDENT
+          key: telemt.me_route_drop_queue_full_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_me_route_drop_queue_full_total
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
+        - uuid: f682298c2dfc46dda45771a58faa9ffa
+          name: 'Service RPC_CLOSE_EXT sent after activity signals'
+          type: DEPENDENT
+          key: telemt.me_rpc_proxy_req_signal_close_sent_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_me_rpc_proxy_req_signal_close_sent_total
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
+        - uuid: 5db4bdc93959473eade9281c221e34b6
+          name: 'Service RPC_PROXY_REQ activity signal failures'
+          type: DEPENDENT
+          key: telemt.me_rpc_proxy_req_signal_failed_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_me_rpc_proxy_req_signal_failed_total
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
+        - uuid: 4e75611bc3854415b63a1863e9bf176f
+          name: 'Service RPC_PROXY_REQ responses observed'
+          type: DEPENDENT
+          key: telemt.me_rpc_proxy_req_signal_response_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_me_rpc_proxy_req_signal_response_total
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
+        - uuid: ecbffb29f2784839bea0ce2a38393438
+          name: 'Service RPC_PROXY_REQ activity signals sent'
+          type: DEPENDENT
+          key: telemt.me_rpc_proxy_req_signal_sent_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_me_rpc_proxy_req_signal_sent_total
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
+        - uuid: 078eff3deeec435597f0c531457bb906
+          name: 'Service RPC_PROXY_REQ skipped due to missing writer metadata'
+          type: DEPENDENT
+          key: telemt.me_rpc_proxy_req_signal_skipped_no_meta_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_me_rpc_proxy_req_signal_skipped_no_meta_total
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
+        - uuid: 7429ffbd94a340d7a600bc1690eb57e7
+          name: 'ME sequence mismatches'
+          type: DEPENDENT
+          key: telemt.me_seq_mismatch_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_me_seq_mismatch_total
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
+        - uuid: 0f1f77ae34df4a48b36ad263359b5ad3
+          name: 'Single-endpoint DC outage transitions to active state'
+          type: DEPENDENT
+          key: telemt.me_single_endpoint_outage_enter_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_me_single_endpoint_outage_enter_total
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
+        - uuid: 63d44ef672ff4df288914eb98f6fa72c
+          name: 'Single-endpoint DC outage recovery transitions'
+          type: DEPENDENT
+          key: telemt.me_single_endpoint_outage_exit_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_me_single_endpoint_outage_exit_total
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
+        - uuid: 1b72ff95f1ba4fb2924aa3a129b22f4d
+          name: 'Reconnect attempts performed during single-endpoint outages'
+          type: DEPENDENT
+          key: telemt.me_single_endpoint_outage_reconnect_attempt_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_me_single_endpoint_outage_reconnect_attempt_total
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
+        - uuid: 466bb352d55946a0bb78efc63e1ed71e
+          name: 'Successful reconnect attempts during single-endpoint outages'
+          type: DEPENDENT
+          key: telemt.me_single_endpoint_outage_reconnect_success_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_me_single_endpoint_outage_reconnect_success_total
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
+        - uuid: 295b4a519a4d46f7b1ddbdf5b5268751
+          name: 'Outage reconnect attempts that bypassed quarantine'
+          type: DEPENDENT
+          key: telemt.me_single_endpoint_quarantine_bypass_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_me_single_endpoint_quarantine_bypass_total
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
+        - uuid: bffa4861f83f4445bb0b2259e100e04c
+          name: 'Shadow rotations skipped because endpoint is quarantined'
+          type: DEPENDENT
+          key: telemt.me_single_endpoint_shadow_rotate_skipped_quarantine_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_me_single_endpoint_shadow_rotate_skipped_quarantine_total
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
+        - uuid: f80ce02b50824f8ea0ddabac9ff97757
+          name: 'Successful periodic shadow rotations for single-endpoint DC groups'
+          type: DEPENDENT
+          key: telemt.me_single_endpoint_shadow_rotate_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_me_single_endpoint_shadow_rotate_total
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
+        - uuid: bf2a0ff89c314f78904aa43351601111
+          name: 'Total ME writer removals'
+          type: DEPENDENT
+          key: telemt.me_writer_removed_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_me_writer_removed_total
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
+        - uuid: 0d12ea02187745eba55498dfb16daa5c
+          name: 'Unexpected writer removals not yet compensated by restore'
+          type: DEPENDENT
+          key: telemt.me_writer_removed_unexpected_minus_restored_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_me_writer_removed_unexpected_minus_restored_total
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
+        - uuid: 644278e7f87947e1a49483ba4487e32b
+          name: 'Unexpected ME writer removals that triggered refill'
+          type: DEPENDENT
+          key: telemt.me_writer_removed_unexpected_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_me_writer_removed_unexpected_total
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
+        - uuid: a6c24dfc85d643dab1c81fc1e63fe3cc
+          name: 'Refilled ME writer restored via fallback endpoint'
+          type: DEPENDENT
+          key: telemt.me_writer_restored_fallback_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_me_writer_restored_fallback_total
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
+        - uuid: d7d0a78ca6da4bb9b4a0991fd83149cf
+          name: 'Refilled ME writer restored on the same endpoint'
+          type: DEPENDENT
+          key: telemt.me_writer_restored_same_endpoint_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_me_writer_restored_same_endpoint_total
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
+        - uuid: beb906ab89564cf9adfbb7b1d4553c44
+          name: 'Active draining ME writers'
+          type: DEPENDENT
+          key: telemt.pool_drain_active
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_pool_drain_active
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
+        - uuid: 2f0926e00d7a4e5aa1783cb33b1192ea
+          name: 'Forced close events for draining writers'
+          type: DEPENDENT
+          key: telemt.pool_force_close_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_pool_force_close_total
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
+        - uuid: 70d0b4da6079435ebe978e99bda8f1d3
+          name: 'Stale writer fallback picks for new binds'
+          type: DEPENDENT
+          key: telemt.pool_stale_pick_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_pool_stale_pick_total
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
+        - uuid: 8a1d240b9b554905a8add9bf730bf1f4
+          name: 'Successful ME pool swaps'
+          type: DEPENDENT
+          key: telemt.pool_swap_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_pool_swap_total
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
        - uuid: 991b1858e3f94b3098ff0f84859efc41
          name: 'Prometheus metrics'
          type: HTTP_AGENT
@@ -139,11 +845,158 @@ zabbix_export:
          value_type: TEXT
          trends: '0'
          url: '{$TELEMT_URL}'
+        - uuid: cef2547bb9464d10b11b6c19beac089d
+          name: 'Invalid secure frame lengths'
+          type: DEPENDENT
+          key: telemt.secure_padding_invalid_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_secure_padding_invalid_total
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
+        - uuid: c164d7b59bdc4429a23b908558de8cf4
+          name: 'Runtime core telemetry switch'
+          type: DEPENDENT
+          key: telemt.telemetry_core_enabled
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_telemetry_core_enabled
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
+        - uuid: ff16438417d842178d26033d13520833
+          name: 'Runtime ME telemetry level flag'
+          type: DEPENDENT
+          key: telemt.telemetry_me_level
+          delay: '0'
+          value_type: TEXT
+          trends: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - 'telemt_telemetry_me_level == 1'
+                - label
+                - level
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
+        - uuid: 9fec0bb7c3c84ada96668b74d5849556
+          name: 'Runtime per-user telemetry switch'
+          type: DEPENDENT
+          key: telemt.telemetry_user_enabled
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_telemetry_user_enabled
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
+        - uuid: 378b765aa7bc4a4ea87d3bc876c50d12
+          name: 'User-labeled metric series suppression flag'
+          type: DEPENDENT
+          key: telemt.telemetry_user_series_suppressed
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_telemetry_user_series_suppressed
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
+        - uuid: 17972d992fa84fc1b53fdefed123ccd8
+          name: 'Upstream connect attempts across all requests'
+          type: DEPENDENT
+          key: telemt.upstream_connect_attempt_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_upstream_connect_attempt_total
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
+        - uuid: 38627dd1cb7145e180d111bdee1d2c23
+          name: 'Hard errors that triggered upstream connect failfast'
+          type: DEPENDENT
+          key: telemt.upstream_connect_failfast_hard_error_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_upstream_connect_failfast_hard_error_total
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
+        - uuid: 0ffd4c35b6734c83bd77c59f30bf3246
+          name: 'Failed upstream connect request cycles'
+          type: DEPENDENT
+          key: telemt.upstream_connect_fail_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_upstream_connect_fail_total
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
+        - uuid: 7da255f4f38c4095921bc876d16d3586
+          name: 'Successful upstream connect request cycles'
+          type: DEPENDENT
+          key: telemt.upstream_connect_success_total
+          delay: '0'
+          preprocessing:
+            - type: PROMETHEUS_PATTERN
+              parameters:
+                - telemt_upstream_connect_success_total
+                - value
+                - ''
+          master_item:
+            key: telemt.prom_metrics
+          tags:
+            - tag: Application
+              value: 'Telemt other'
        - uuid: fb95391c7f894e3eb6984b92885813b2
          name: 'Telemt Uptime'
          type: DEPENDENT
          key: telemt.uptime
          delay: '0'
+          value_type: FLOAT
          trends: '0'
          units: s
          preprocessing:
@@ -180,6 +1033,56 @@ zabbix_export:
              tags:
                - tag: Application
                  value: 'Users connections'
+            - uuid: f7ad02d1635542b584bba5941375ae41
+              name: 'Current number of unique active IPs by {#TELEMT_USER}'
+              type: DEPENDENT
+              key: 'telemt.ips_current_[{#TELEMT_USER}]'
+              delay: '0'
+              preprocessing:
+                - type: PROMETHEUS_PATTERN
+                  parameters:
+                    - 'telemt_user_unique_ips_current{user="{#TELEMT_USER}"}'
+                    - value
+                    - ''
+              master_item:
+                key: telemt.prom_metrics
+              tags:
+                - tag: Application
+                  value: 'Users IPs'
+            - uuid: 100b09bf1cff420495c5c105bdb0af6c
+              name: 'Configured unique IP limit to {#TELEMT_USER}'
+              type: DEPENDENT
+              key: 'telemt.ips_limit_[{#TELEMT_USER}]'
+              delay: '0'
+              description: '0 means unlimited'
+              preprocessing:
+                - type: PROMETHEUS_PATTERN
+                  parameters:
+                    - 'telemt_user_unique_ips_limit{user="{#TELEMT_USER}"}'
+                    - value
+                    - ''
+              master_item:
+                key: telemt.prom_metrics
+              tags:
+                - tag: Application
+                  value: 'Users IPs'
+            - uuid: ef3ac8f5c5d746bbaa4b0b698ba0d9f6
+              name: 'Unique IP usage ratio by {#TELEMT_USER}'
+              type: DEPENDENT
+              key: 'telemt.ips_utilization_[{#TELEMT_USER}]'
+              delay: '0'
+              value_type: FLOAT
+              preprocessing:
+                - type: PROMETHEUS_PATTERN
+                  parameters:
+                    - 'telemt_user_unique_ips_utilization{user="{#TELEMT_USER}"}'
+                    - value
+                    - ''
+              master_item:
+                key: telemt.prom_metrics
+              tags:
+                - tag: Application
+                  value: 'Users IPs'
            - uuid: 3ccce91ab5d54b4d972280c7b7bda910
              name: 'Messages received from {#TELEMT_USER}'
              type: DEPENDENT