Merge pull request #505 from telemt/flow-me

Teardown Monitoring in API and Metrics
Merge branch 'main' into flow-me
2026-04-17 02:24:10 +03:00 · 2026-03-20 12:59:39 +03:00 · 2026-03-20 12:59:32 +03:00 · 2026-03-20 12:59:09 +03:00 · 2026-03-20 12:58:55 +03:00 · 2026-03-20 12:57:27 +03:00
56 changed files with 7727 additions and 485 deletions
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -0,0 +1,208 @@
 # Code of Conduct
 ## 1. Purpose
 Telemt exists to solve technical problems.
 Telemt is open to contributors who want to learn, improve and build meaningful systems together.
 It is a place for building, testing, reasoning, documenting, and improving systems.
 Discussions that advance this work are in scope. Discussions that divert it are not.
 Technology has consequences. Responsibility is inherent.
 > **Zweck bestimmt die Form.**
 > Purpose defines form.
 ---
 ## 2. Principles
 * **Technical over emotional**
  Arguments are grounded in data, logs, reproducible cases, or clear reasoning.
 * **Clarity over noise**
  Communication is structured, concise, and relevant.
 * **Openness with standards**
  Participation is open. The work remains disciplined.
 * **Independence of judgment**
  Claims are evaluated on technical merit, not affiliation or posture.
 * **Responsibility over capability**
  Capability does not justify careless use.
 * **Cooperation over friction**
  Progress depends on coordination, mutual support, and honest review.
 * **Good intent, rigorous method**
  Assume good intent, but require rigor.
 > **Aussagen gelten nach ihrer Begründung.**
 > Claims are weighed by evidence.
 ---
 ## 3. Expected Behavior
 Participants are expected to:
 * Communicate directly and respectfully
 * Support claims with evidence
 * Stay within technical scope
 * Accept critique and provide it constructively
 * Reduce noise, duplication, and ambiguity
 * Help others reach correct and reproducible outcomes
 * Act in a way that improves the system as a whole
 Precision is learned.
 New contributors are welcome. They are expected to grow into these standards. Existing contributors are expected to make that growth possible.
 > **Wer behauptet, belegt.**
 > Whoever claims, proves.
 ---
 ## 4. Unacceptable Behavior
 The following is not allowed:
 * Personal attacks, insults, harassment, or intimidation
 * Repeatedly derailing discussion away from Telemt’s purpose
 * Spam, flooding, or repeated low-quality input
 * Misinformation presented as fact
 * Attempts to degrade, destabilize, or exhaust Telemt or its participants
 * Use of Telemt or its spaces to enable harm
 Telemt is not a venue for disputes that displace technical work.
 Such discussions may be closed, removed, or redirected.
 > **Störung ist kein Beitrag.**
 > Disruption is not contribution.
 ---
 ## 5. Security and Misuse
 Telemt is intended for responsible use.
 * Do not use it to plan, coordinate, or execute harm
 * Do not publish vulnerabilities without responsible disclosure
 * Report security issues privately where possible
 Security is both technical and behavioral.
 > **Verantwortung endet nicht am Code.**
 > Responsibility does not end at the code.
 ---
 ## 6. Openness
 Telemt is open to contributors of different backgrounds, experience levels, and working styles.
 Standards are public, legible, and applied to the work itself.
 Questions are welcome. Careful disagreement is welcome. Honest correction is welcome.
 Gatekeeping by obscurity, status signaling, or hostility is not.
 ---
 ## 7. Scope
 This Code of Conduct applies to all official spaces:
 * Source repositories (issues, pull requests, discussions)
 * Documentation
 * Communication channels associated with Telemt
 ---
 ## 8. Maintainer Stewardship
 Maintainers are responsible for final decisions in matters of conduct, scope, and direction.
 This responsibility is stewardship: preserving continuity, protecting signal, maintaining standards, and keeping Telemt workable for others.
 Judgment should be exercised with restraint, consistency, and institutional responsibility.
 Not every decision requires extended debate.
 Not every intervention requires public explanation.
 All decisions are expected to serve the durability, clarity, and integrity of Telemt.
 > **Ordnung ist Voraussetzung der Funktion.**
 > Order is the precondition of function.
 ---
 ## 9. Enforcement
 Maintainers may act to preserve the integrity of Telemt, including by:
 * Removing content
 * Locking discussions
 * Rejecting contributions
 * Restricting or banning participants
 Actions are taken to maintain function, continuity, and signal quality.
 Where possible, correction is preferred to exclusion.
 Where necessary, exclusion is preferred to decay.
 ---
 ## 10. Final
 Telemt is built on discipline, structure, and shared intent.
 Signal over noise.
 Facts over opinion.
 Systems over rhetoric.
 Work is collective.
 Outcomes are shared.
 Responsibility is distributed.
 Precision is learned.
 Rigor is expected.
 Help is part of the work.
 > **Ordnung ist Voraussetzung der Freiheit.**
 If you contribute — contribute with care.
 If you speak — speak with substance.
 If you engage — engage constructively.
 ---
 ## 11. After All
 Systems outlive intentions.
 What is built will be used.
 What is released will propagate.
 What is maintained will define the future state.
 There is no neutral infrastructure, only infrastructure shaped well or poorly.
 > **Jedes System trägt Verantwortung.**
 > Every system carries responsibility.
 Stability requires discipline.
 Freedom requires structure.
 Trust requires honesty.
 In the end, the system reflects its contributors.
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -45,15 +45,24 @@ checksum = "4b46cbb362ab8752921c97e041f5e366ee6297bd428a31275b9fcf1e380f7299"
 [[package]]
 name = "anstyle"
-version = "1.0.13"
+version = "1.0.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5192cca8006f1fd4f7237516f40fa183bb07f8fbdfedaa0036de5ea9b0b45e78"
+checksum = "940b3a0ca603d1eade50a4846a2afffd5ef57a9feac2c0e2ec2e14f9ead76000"
 [[package]]
 name = "anyhow"
-version = "1.0.101"
+version = "1.0.102"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5f0e0fee31ef5ed1ba1316088939cea399010ed7731dba877ed44aeb407a75ea"
+checksum = "7f202df86484c868dbad7eaa557ef785d5c66295e41b460ef922eca0723b842c"
 [[package]]
 name = "arc-swap"
 version = "1.8.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f9f3647c145568cec02c42054e07bdf9a5a698e15b466fb2341bfc393cd24aa5"
 dependencies = [
 "rustversion",
 ]
 [[package]]
 name = "asn1-rs"
@@ -135,9 +144,9 @@ checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a"
 [[package]]
 name = "bitflags"
-version = "2.10.0"
+version = "2.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "812e12b5285cc515a9c72a5c1d3b6d46a19dac5acfef5265968c166106e31dd3"
+checksum = "843867be96c8daad0d758b57df9392b6d8d271134fce549de6ce169ff98a92af"
 [[package]]
 name = "block-buffer"
@@ -159,9 +168,9 @@ dependencies = [
 [[package]]
 name = "bumpalo"
-version = "3.19.1"
+version = "3.20.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5dd9dc738b7a8311c7ade152424974d8115f2cdad61e8dab8dac9f2362298510"
+checksum = "5d20789868f4b01b2f2caec9f5c4e0213b41e3e5702a50157d699ae31ced2fcb"
 [[package]]
 name = "bytes"
@@ -186,9 +195,9 @@ dependencies = [
 [[package]]
 name = "cc"
-version = "1.2.55"
+version = "1.2.57"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "47b26a0954ae34af09b50f0de26458fa95369a0d478d8236d3f93082b219bd29"
+checksum = "7a0dd1ca384932ff3641c8718a02769f1698e7563dc6974ffd03346116310423"
 dependencies = [
 "find-msvc-tools",
 "shlex",
@@ -214,9 +223,9 @@ checksum = "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724"
 [[package]]
 name = "chrono"
-version = "0.4.43"
+version = "0.4.44"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fac4744fb15ae8337dc853fee7fb3f4e48c0fbaa23d0afe49c447b4fab126118"
+checksum = "c673075a2e0e5f4a1dde27ce9dee1ea4558c7ffe648f576438a20ca1d2acc4b0"
 dependencies = [
 "iana-time-zone",
 "js-sys",
@@ -265,18 +274,18 @@ dependencies = [
 [[package]]
 name = "clap"
-version = "4.5.58"
+version = "4.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "63be97961acde393029492ce0be7a1af7e323e6bae9511ebfac33751be5e6806"
+checksum = "b193af5b67834b676abd72466a96c1024e6a6ad978a1f484bd90b85c94041351"
 dependencies = [
 "clap_builder",
 ]
 [[package]]
 name = "clap_builder"
-version = "4.5.58"
+version = "4.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7f13174bda5dfd69d7e947827e5af4b0f2f94a4a3ee92912fba07a66150f21e2"
+checksum = "714a53001bf66416adb0e2ef5ac857140e7dc3a0c48fb28b2f10762fc4b5069f"
 dependencies = [
 "anstyle",
 "clap_lex",
@@ -284,9 +293,9 @@ dependencies = [
 [[package]]
 name = "clap_lex"
-version = "1.0.0"
+version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3a822ea5bc7590f9d40f1ba12c0dc3c2760f3482c6984db1573ad11031420831"
+checksum = "c8d4a3bb8b1e0c1050499d1815f5ab16d04f0959b233085fb31653fbfc9d98f9"
 [[package]]
 name = "core-foundation-sys"
@@ -486,7 +495,7 @@ checksum = "97369cbbc041bc366949bc74d34658d6cda5621039731c6310521892a3a20ae0"
 dependencies = [
 "proc-macro2",
 "quote",
- "syn 2.0.114",
+ "syn 2.0.117",
 ]
 [[package]]
@@ -572,9 +581,9 @@ dependencies = [
 [[package]]
 name = "futures"
-version = "0.3.31"
+version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "65bc07b1a8bc7c85c5f2e110c476c7389b4554ba72af57d8445ea63a576b0876"
+checksum = "8b147ee9d1f6d097cef9ce628cd2ee62288d963e16fb287bd9286455b241382d"
 dependencies = [
 "futures-channel",
 "futures-core",
@@ -587,9 +596,9 @@ dependencies = [
 [[package]]
 name = "futures-channel"
-version = "0.3.31"
+version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2dff15bf788c671c1934e366d07e30c1814a8ef514e1af724a602e8a2fbe1b10"
+checksum = "07bbe89c50d7a535e539b8c17bc0b49bdb77747034daa8087407d655f3f7cc1d"
 dependencies = [
 "futures-core",
 "futures-sink",
@@ -597,15 +606,15 @@ dependencies = [
 [[package]]
 name = "futures-core"
-version = "0.3.31"
+version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "05f29059c0c2090612e8d742178b0580d2dc940c837851ad723096f87af6663e"
+checksum = "7e3450815272ef58cec6d564423f6e755e25379b217b0bc688e295ba24df6b1d"
 [[package]]
 name = "futures-executor"
-version = "0.3.31"
+version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1e28d1d997f585e54aebc3f97d39e72338912123a67330d723fdbb564d646c9f"
+checksum = "baf29c38818342a3b26b5b923639e7b1f4a61fc5e76102d4b1981c6dc7a7579d"
 dependencies = [
 "futures-core",
 "futures-task",
@@ -614,38 +623,38 @@ dependencies = [
 [[package]]
 name = "futures-io"
-version = "0.3.31"
+version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9e5c1b78ca4aae1ac06c48a526a655760685149f0d465d21f37abfe57ce075c6"
+checksum = "cecba35d7ad927e23624b22ad55235f2239cfa44fd10428eecbeba6d6a717718"
 [[package]]
 name = "futures-macro"
-version = "0.3.31"
+version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "162ee34ebcb7c64a8abebc059ce0fee27c2262618d7b60ed8faf72fef13c3650"
+checksum = "e835b70203e41293343137df5c0664546da5745f82ec9b84d40be8336958447b"
 dependencies = [
 "proc-macro2",
 "quote",
- "syn 2.0.114",
+ "syn 2.0.117",
 ]
 [[package]]
 name = "futures-sink"
-version = "0.3.31"
+version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e575fab7d1e0dcb8d0c7bcf9a63ee213816ab51902e6d244a95819acacf1d4f7"
+checksum = "c39754e157331b013978ec91992bde1ac089843443c49cbc7f46150b0fad0893"
 [[package]]
 name = "futures-task"
-version = "0.3.31"
+version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f90f7dce0722e95104fcb095585910c0977252f286e354b5e3bd38902cd99988"
+checksum = "037711b3d59c33004d3856fbdc83b99d4ff37a24768fa1be9ce3538a1cde4393"
 [[package]]
 name = "futures-util"
-version = "0.3.31"
+version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9fa08315bb612088cc391249efdc3bc77536f16c91f6cf495e6fbe85b20a4a81"
+checksum = "389ca41296e6190b48053de0321d02a77f32f8a5d2461dd38762c0593805c6d6"
 dependencies = [
 "futures-channel",
 "futures-core",
@@ -655,7 +664,6 @@ dependencies = [
 "futures-task",
 "memchr",
 "pin-project-lite",
 "pin-utils",
 "slab",
 ]
@@ -691,20 +699,20 @@ dependencies = [
 "cfg-if",
 "js-sys",
 "libc",
- "r-efi",
+ "r-efi 5.3.0",
 "wasip2",
 "wasm-bindgen",
 ]
 [[package]]
 name = "getrandom"
-version = "0.4.1"
+version = "0.4.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "139ef39800118c7683f2fd3c98c1b23c09ae076556b435f8e9064ae108aaeeec"
+checksum = "0de51e6874e94e7bf76d726fc5d13ba782deca734ff60d5bb2fb2607c7406555"
 dependencies = [
 "cfg-if",
 "libc",
- "r-efi",
+ "r-efi 6.0.0",
 "wasip2",
 "wasip3",
 ]
@@ -894,7 +902,7 @@ dependencies = [
 "libc",
 "percent-encoding",
 "pin-project-lite",
- "socket2 0.6.2",
+ "socket2 0.6.3",
 "tokio",
 "tower-service",
 "tracing",
@@ -1076,9 +1084,9 @@ dependencies = [
 [[package]]
 name = "ipnet"
-version = "2.11.0"
+version = "2.12.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "469fb0b9cefa57e3ef31275ee7cacb78f2fdca44e4765491884a2b119d4eb130"
+checksum = "d98f6fed1fde3f8c21bc40a1abb88dd75e67924f9cffc3ef95607bad8017f8e2"
 [[package]]
 name = "ipnetwork"
@@ -1127,9 +1135,9 @@ checksum = "92ecc6618181def0457392ccd0ee51198e065e016d1d527a7ac1b6dc7c1f09d2"
 [[package]]
 name = "js-sys"
-version = "0.3.85"
+version = "0.3.91"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8c942ebf8e95485ca0d52d97da7c5a2c387d0e7f0ba4c35e93bfcaee045955b3"
+checksum = "b49715b7073f385ba4bc528e5747d02e66cb39c6146efb66b781f131f0fb399c"
 dependencies = [
 "once_cell",
 "wasm-bindgen",
@@ -1169,26 +1177,27 @@ checksum = "09edd9e8b54e49e587e4f6295a7d29c3ea94d469cb40ab8ca70b288248a81db2"
 [[package]]
 name = "libc"
-version = "0.2.181"
+version = "0.2.183"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "459427e2af2b9c839b132acb702a1c654d95e10f8c326bfc2ad11310e458b1c5"
+checksum = "b5b646652bf6661599e1da8901b3b9522896f01e736bad5f723fe7a3a27f899d"
 [[package]]
 name = "libredox"
-version = "0.1.12"
+version = "0.1.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3d0b95e02c851351f877147b7deea7b1afb1df71b63aa5f8270716e0c5720616"
+checksum = "1744e39d1d6a9948f4f388969627434e31128196de472883b39f148769bfe30a"
 dependencies = [
- "bitflags 2.10.0",
+ "bitflags 2.11.0",
 "libc",
- "redox_syscall 0.7.1",
+ "plain",
 "redox_syscall 0.7.3",
 ]
 [[package]]
 name = "linux-raw-sys"
-version = "0.11.0"
+version = "0.12.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "df1d3c3b53da64cf5760482273a98e575c651a67eec7f77df96b5b642de8f039"
+checksum = "32a66949e030da00e8c7d4434b251670a91556f4144941d37452769c25d58a53"
 [[package]]
 name = "litemap"
@@ -1295,7 +1304,7 @@ version = "0.28.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ab2156c4fce2f8df6c499cc1c763e4394b7482525bf2a9701c9d79d215f519e4"
 dependencies = [
- "bitflags 2.10.0",
+ "bitflags 2.11.0",
 "cfg-if",
 "cfg_aliases 0.1.1",
 "libc",
@@ -1318,7 +1327,7 @@ version = "6.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6205bd8bb1e454ad2e27422015fb5e4f2bcc7e08fa8f27058670d208324a4d2d"
 dependencies = [
- "bitflags 2.10.0",
+ "bitflags 2.11.0",
 "crossbeam-channel",
 "filetime",
 "fsevent-sys",
@@ -1385,9 +1394,9 @@ dependencies = [
 [[package]]
 name = "once_cell"
-version = "1.21.3"
+version = "1.21.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "42f5e15c9953c5e4ccceeb2e7382a716482c34515315f7b03532b8b4e8393d2d"
+checksum = "9f7c3e4beb33f85d45ae3e3a1792185706c8e16d043238c593331cc7cd313b50"
 [[package]]
 name = "oorandom"
@@ -1426,9 +1435,9 @@ checksum = "9b4f627cb1b25917193a259e49bdad08f671f8d9708acfd5fe0a8c1455d87220"
 [[package]]
 name = "pin-project-lite"
-version = "0.2.16"
+version = "0.2.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3b3cff922bd51709b605d9ead9aa71031d81447142d828eb4a6eba76fe619f9b"
+checksum = "a89322df9ebe1c1578d689c92318e070967d1042b512afbe49518723f4e6d5cd"
 [[package]]
 name = "pin-utils"
@@ -1436,6 +1445,12 @@ version = "0.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"
 [[package]]
 name = "plain"
 version = "0.2.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b4596b6d070b27117e987119b4dac604f3c58cfb0b191112e24771b2faeac1a6"
 [[package]]
 name = "plotters"
 version = "0.3.7"
@@ -1495,7 +1510,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "479ca8adacdd7ce8f1fb39ce9ecccbfe93a3f1344b3d0d97f20bc0196208f62b"
 dependencies = [
 "proc-macro2",
- "syn 2.0.114",
+ "syn 2.0.117",
 ]
 [[package]]
@@ -1515,7 +1530,7 @@ checksum = "37566cb3fdacef14c0737f9546df7cfeadbfbc9fef10991038bf5015d0c80532"
 dependencies = [
 "bit-set",
 "bit-vec",
- "bitflags 2.10.0",
+ "bitflags 2.11.0",
 "num-traits",
 "rand",
 "rand_chacha",
@@ -1545,7 +1560,7 @@ dependencies = [
 "quinn-udp",
 "rustc-hash",
 "rustls",
- "socket2 0.6.2",
+ "socket2 0.6.3",
 "thiserror 2.0.18",
 "tokio",
 "tracing",
@@ -1554,9 +1569,9 @@ dependencies = [
 [[package]]
 name = "quinn-proto"
-version = "0.11.13"
+version = "0.11.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f1906b49b0c3bc04b5fe5d86a77925ae6524a19b816ae38ce1e426255f1d8a31"
+checksum = "434b42fec591c96ef50e21e886936e66d3cc3f737104fdb9b737c40ffb94c098"
 dependencies = [
 "bytes",
 "getrandom 0.3.4",
@@ -1582,16 +1597,16 @@ dependencies = [
 "cfg_aliases 0.2.1",
 "libc",
 "once_cell",
- "socket2 0.6.2",
+ "socket2 0.6.3",
 "tracing",
 "windows-sys 0.60.2",
 ]
 [[package]]
 name = "quote"
-version = "1.0.44"
+version = "1.0.45"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "21b2ebcf727b7760c461f091f9f0f539b77b8e87f2fd88131e7f1b433b3cece4"
+checksum = "41f2619966050689382d2b44f664f4bc593e129785a36d6ee376ddf37259b924"
 dependencies = [
 "proc-macro2",
 ]
@@ -1602,6 +1617,12 @@ version = "5.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "69cdb34c158ceb288df11e18b4bd39de994f6657d83847bdffdbd7f346754b0f"
 [[package]]
 name = "r-efi"
 version = "6.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f8dcc9c7d52a811697d2151c701e0d08956f92b0e24136cf4cf27b57a6a0d9bf"
 [[package]]
 name = "rand"
 version = "0.9.2"
@@ -1666,16 +1687,16 @@ version = "0.5.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ed2bf2547551a7053d6fdfafda3f938979645c44812fbfcda098faae3f1a362d"
 dependencies = [
- "bitflags 2.10.0",
+ "bitflags 2.11.0",
 ]
 [[package]]
 name = "redox_syscall"
-version = "0.7.1"
+version = "0.7.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "35985aa610addc02e24fc232012c86fd11f14111180f902b67e2d5331f8ebf2b"
+checksum = "6ce70a74e890531977d37e532c34d45e9055d2409ed08ddba14529471ed0be16"
 dependencies = [
- "bitflags 2.10.0",
+ "bitflags 2.11.0",
 ]
 [[package]]
@@ -1703,9 +1724,9 @@ dependencies = [
 [[package]]
 name = "regex-syntax"
-version = "0.8.9"
+version = "0.8.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a96887878f22d7bad8a3b6dc5b7440e0ada9a245242924394987b21cf2210a4c"
+checksum = "dc897dd8d9e8bd1ed8cdad82b5966c3e0ecae09fb1907d58efaa013543185d0a"
 [[package]]
 name = "reqwest"
@@ -1785,11 +1806,11 @@ dependencies = [
 [[package]]
 name = "rustix"
-version = "1.1.3"
+version = "1.1.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "146c9e247ccc180c1f61615433868c99f3de3ae256a30a43b49f67c2d9171f34"
+checksum = "b6fe4565b9518b83ef4f91bb47ce29620ca828bd32cb7e408f0062e9930ba190"
 dependencies = [
- "bitflags 2.10.0",
+ "bitflags 2.11.0",
 "errno",
 "libc",
 "linux-raw-sys",
@@ -1798,9 +1819,9 @@ dependencies = [
 [[package]]
 name = "rustls"
-version = "0.23.36"
+version = "0.23.37"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c665f33d38cea657d9614f766881e4d510e0eda4239891eea56b4cadcf01801b"
+checksum = "758025cb5fccfd3bc2fd74708fd4682be41d99e5dff73c377c0646c6012c73a4"
 dependencies = [
 "once_cell",
 "ring",
@@ -1903,7 +1924,7 @@ checksum = "d540f220d3187173da220f885ab66608367b6574e925011a9353e4badda91d79"
 dependencies = [
 "proc-macro2",
 "quote",
- "syn 2.0.114",
+ "syn 2.0.117",
 ]
 [[package]]
@@ -2011,12 +2032,12 @@ dependencies = [
 [[package]]
 name = "socket2"
-version = "0.6.2"
+version = "0.6.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "86f4aa3ad99f2088c990dfa82d367e19cb29268ed67c574d10d0a4bfe71f07e0"
+checksum = "3a766e1110788c36f4fa1c2b71b387a7815aa65f88ce0229841826633d93723e"
 dependencies = [
 "libc",
- "windows-sys 0.60.2",
+ "windows-sys 0.61.2",
 ]
 [[package]]
@@ -2044,9 +2065,9 @@ dependencies = [
 [[package]]
 name = "syn"
-version = "2.0.114"
+version = "2.0.117"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d4d107df263a3013ef9b1879b0df87d706ff80f65a86ea879bd9c31f9b307c2a"
+checksum = "e665b8803e7b1d2a727f4023456bbbbe74da67099c585258af0ad9c5013b9b99"
 dependencies = [
 "proc-macro2",
 "quote",
@@ -2082,15 +2103,16 @@ checksum = "728a70f3dbaf5bab7f0c4b1ac8d7ae5ea60a4b5549c8a5914361c99147a709d2"
 dependencies = [
 "proc-macro2",
 "quote",
- "syn 2.0.114",
+ "syn 2.0.117",
 ]
 [[package]]
 name = "telemt"
-version = "3.3.15"
+version = "3.3.25"
 dependencies = [
 "aes",
 "anyhow",
 "arc-swap",
 "base64",
 "bytes",
 "cbc",
@@ -2143,12 +2165,12 @@ dependencies = [
 [[package]]
 name = "tempfile"
-version = "3.25.0"
+version = "3.27.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0136791f7c95b1f6dd99f9cc786b91bb81c3800b639b3478e561ddb7be95e5f1"
+checksum = "32497e9a4c7b38532efcdebeef879707aa9f794296a4f0244f6f69e9bc8574bd"
 dependencies = [
 "fastrand",
- "getrandom 0.4.1",
+ "getrandom 0.4.2",
 "once_cell",
 "rustix",
 "windows-sys 0.61.2",
@@ -2180,7 +2202,7 @@ checksum = "4fee6c4efc90059e10f81e6d42c60a18f76588c3d74cb83a0b242a2b6c7504c1"
 dependencies = [
 "proc-macro2",
 "quote",
- "syn 2.0.114",
+ "syn 2.0.117",
 ]
 [[package]]
@@ -2191,7 +2213,7 @@ checksum = "ebc4ee7f67670e9b64d05fa4253e753e016c6c95ff35b89b7941d6b856dec1d5"
 dependencies = [
 "proc-macro2",
 "quote",
- "syn 2.0.114",
+ "syn 2.0.117",
 ]
 [[package]]
@@ -2256,9 +2278,9 @@ dependencies = [
 [[package]]
 name = "tinyvec"
-version = "1.10.0"
+version = "1.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bfa5fdc3bce6191a1dbc8c02d5c8bffcf557bafa17c124c5264a458f1b0613fa"
+checksum = "3e61e67053d25a4e82c844e8424039d9745781b3fc4f32b8d55ed50f5f667ef3"
 dependencies = [
 "tinyvec_macros",
 ]
@@ -2271,9 +2293,9 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
 [[package]]
 name = "tokio"
-version = "1.49.0"
+version = "1.50.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "72a2903cd7736441aac9df9d7688bd0ce48edccaadf181c3b90be801e81d3d86"
+checksum = "27ad5e34374e03cfffefc301becb44e9dc3c17584f414349ebe29ed26661822d"
 dependencies = [
 "bytes",
 "libc",
@@ -2281,7 +2303,7 @@ dependencies = [
 "parking_lot",
 "pin-project-lite",
 "signal-hook-registry",
- "socket2 0.6.2",
+ "socket2 0.6.3",
 "tokio-macros",
 "tracing",
 "windows-sys 0.61.2",
@@ -2289,13 +2311,13 @@ dependencies = [
 [[package]]
 name = "tokio-macros"
-version = "2.6.0"
+version = "2.6.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "af407857209536a95c8e56f8231ef2c2e2aff839b22e07a1ffcbc617e9db9fa5"
+checksum = "5c55a2eff8b69ce66c84f85e1da1c233edc36ceb85a2058d11b0d6a3c7e7569c"
 dependencies = [
 "proc-macro2",
 "quote",
- "syn 2.0.114",
+ "syn 2.0.117",
 ]
 [[package]]
@@ -2409,7 +2431,7 @@ version = "0.6.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d4e6559d53cc268e5031cd8429d05415bc4cb4aefc4aa5d6cc35fbf5b924a1f8"
 dependencies = [
- "bitflags 2.10.0",
+ "bitflags 2.11.0",
 "bytes",
 "futures-util",
 "http",
@@ -2452,7 +2474,7 @@ checksum = "7490cfa5ec963746568740651ac6781f701c9c5ea257c58e057f3ba8cf69e8da"
 dependencies = [
 "proc-macro2",
 "quote",
- "syn 2.0.114",
+ "syn 2.0.117",
 ]
 [[package]]
@@ -2478,9 +2500,9 @@ dependencies = [
 [[package]]
 name = "tracing-subscriber"
-version = "0.3.22"
+version = "0.3.23"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2f30143827ddab0d256fd843b7a66d164e9f271cfa0dde49142c5ca0ca291f1e"
+checksum = "cb7f578e5945fb242538965c2d0b04418d38ec25c79d160cd279bf0731c8d319"
 dependencies = [
 "matchers",
 "nu-ansi-term",
@@ -2514,9 +2536,9 @@ checksum = "eaea85b334db583fe3274d12b4cd1880032beab409c0d774be044d4480ab9a94"
 [[package]]
 name = "unicode-ident"
-version = "1.0.23"
+version = "1.0.24"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "537dd038a89878be9b64dd4bd1b260315c1bb94f4d784956b81e27a088d9a09e"
+checksum = "e6e4313cd5fcd3dad5cafa179702e2b244f760991f45397d14d4ebf38247da75"
 [[package]]
 name = "unicode-xid"
@@ -2614,9 +2636,9 @@ dependencies = [
 [[package]]
 name = "wasm-bindgen"
-version = "0.2.108"
+version = "0.2.114"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "64024a30ec1e37399cf85a7ffefebdb72205ca1c972291c51512360d90bd8566"
+checksum = "6532f9a5c1ece3798cb1c2cfdba640b9b3ba884f5db45973a6f442510a87d38e"
 dependencies = [
 "cfg-if",
 "once_cell",
@@ -2627,9 +2649,9 @@ dependencies = [
 [[package]]
 name = "wasm-bindgen-futures"
-version = "0.4.58"
+version = "0.4.64"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "70a6e77fd0ae8029c9ea0063f87c46fde723e7d887703d74ad2616d792e51e6f"
+checksum = "e9c5522b3a28661442748e09d40924dfb9ca614b21c00d3fd135720e48b67db8"
 dependencies = [
 "cfg-if",
 "futures-util",
@@ -2641,9 +2663,9 @@ dependencies = [
 [[package]]
 name = "wasm-bindgen-macro"
-version = "0.2.108"
+version = "0.2.114"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "008b239d9c740232e71bd39e8ef6429d27097518b6b30bdf9086833bd5b6d608"
+checksum = "18a2d50fcf105fb33bb15f00e7a77b772945a2ee45dcf454961fd843e74c18e6"
 dependencies = [
 "quote",
 "wasm-bindgen-macro-support",
@@ -2651,22 +2673,22 @@ dependencies = [
 [[package]]
 name = "wasm-bindgen-macro-support"
-version = "0.2.108"
+version = "0.2.114"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5256bae2d58f54820e6490f9839c49780dff84c65aeab9e772f15d5f0e913a55"
+checksum = "03ce4caeaac547cdf713d280eda22a730824dd11e6b8c3ca9e42247b25c631e3"
 dependencies = [
 "bumpalo",
 "proc-macro2",
 "quote",
- "syn 2.0.114",
+ "syn 2.0.117",
 "wasm-bindgen-shared",
 ]
 [[package]]
 name = "wasm-bindgen-shared"
-version = "0.2.108"
+version = "0.2.114"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1f01b580c9ac74c8d8f0c0e4afb04eeef2acf145458e52c03845ee9cd23e3d12"
+checksum = "75a326b8c223ee17883a4251907455a2431acc2791c98c26279376490c378c16"
 dependencies = [
 "unicode-ident",
 ]
@@ -2699,7 +2721,7 @@ version = "0.244.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "47b807c72e1bac69382b3a6fb3dbe8ea4c0ed87ff5629b8685ae6b9a611028fe"
 dependencies = [
- "bitflags 2.10.0",
+ "bitflags 2.11.0",
 "hashbrown 0.15.5",
 "indexmap",
 "semver",
@@ -2707,9 +2729,9 @@ dependencies = [
 [[package]]
 name = "web-sys"
-version = "0.3.85"
+version = "0.3.91"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "312e32e551d92129218ea9a2452120f4aabc03529ef03e4d0d82fb2780608598"
+checksum = "854ba17bb104abfb26ba36da9729addc7ce7f06f5c0f90f3c391f8461cca21f9"
 dependencies = [
 "js-sys",
 "wasm-bindgen",
@@ -2773,7 +2795,7 @@ checksum = "053e2e040ab57b9dc951b72c264860db7eb3b0200ba345b4e4c3b14f67855ddf"
 dependencies = [
 "proc-macro2",
 "quote",
- "syn 2.0.114",
+ "syn 2.0.117",
 ]
 [[package]]
@@ -2784,7 +2806,7 @@ checksum = "3f316c4a2570ba26bbec722032c4099d8c8bc095efccdc15688708623367e358"
 dependencies = [
 "proc-macro2",
 "quote",
- "syn 2.0.114",
+ "syn 2.0.117",
 ]
 [[package]]
@@ -3035,9 +3057,9 @@ checksum = "d6bbff5f0aada427a1e5a6da5f1f98158182f26556f345ac9e04d36d0ebed650"
 [[package]]
 name = "winnow"
-version = "0.7.14"
+version = "0.7.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5a5364e9d77fcdeeaa6062ced926ee3381faa2ee02d3eb83a5c27a8825540829"
+checksum = "df79d97927682d2fd8adb29682d1140b343be4ac0f08fd68b7765d9c059d3945"
 dependencies = [
 "memchr",
 ]
@@ -3072,7 +3094,7 @@ dependencies = [
 "heck",
 "indexmap",
 "prettyplease",
- "syn 2.0.114",
+ "syn 2.0.117",
 "wasm-metadata",
 "wit-bindgen-core",
 "wit-component",
@@ -3088,7 +3110,7 @@ dependencies = [
 "prettyplease",
 "proc-macro2",
 "quote",
- "syn 2.0.114",
+ "syn 2.0.117",
 "wit-bindgen-core",
 "wit-bindgen-rust",
 ]
@@ -3100,7 +3122,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9d66ea20e9553b30172b5e831994e35fbde2d165325bec84fc43dbf6f4eb9cb2"
 dependencies = [
 "anyhow",
- "bitflags 2.10.0",
+ "bitflags 2.11.0",
 "indexmap",
 "log",
 "serde",
@@ -3172,28 +3194,28 @@ checksum = "b659052874eb698efe5b9e8cf382204678a0086ebf46982b79d6ca3182927e5d"
 dependencies = [
 "proc-macro2",
 "quote",
- "syn 2.0.114",
+ "syn 2.0.117",
 "synstructure 0.13.2",
 ]
 [[package]]
 name = "zerocopy"
-version = "0.8.39"
+version = "0.8.47"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "db6d35d663eadb6c932438e763b262fe1a70987f9ae936e60158176d710cae4a"
+checksum = "efbb2a062be311f2ba113ce66f697a4dc589f85e78a4aea276200804cea0ed87"
 dependencies = [
 "zerocopy-derive",
 ]
 [[package]]
 name = "zerocopy-derive"
-version = "0.8.39"
+version = "0.8.47"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4122cd3169e94605190e77839c9a40d40ed048d305bfdc146e7df40ab0f3e517"
+checksum = "0e8bc7269b54418e7aeeef514aa68f8690b8c0489a06b0136e5f57c4c5ccab89"
 dependencies = [
 "proc-macro2",
 "quote",
- "syn 2.0.114",
+ "syn 2.0.117",
 ]
 [[package]]
@@ -3213,7 +3235,7 @@ checksum = "d71e5d6e06ab090c67b5e44993ec16b72dcbaabc526db883a360057678b48502"
 dependencies = [
 "proc-macro2",
 "quote",
- "syn 2.0.114",
+ "syn 2.0.117",
 "synstructure 0.13.2",
 ]
@@ -3234,7 +3256,7 @@ checksum = "85a5b4158499876c763cb03bc4e49185d3cccbabb15b33c627f7884f43db852e"
 dependencies = [
 "proc-macro2",
 "quote",
- "syn 2.0.114",
+ "syn 2.0.117",
 ]
 [[package]]
@@ -3267,11 +3289,11 @@ checksum = "eadce39539ca5cb3985590102671f2567e659fca9666581ad3411d59207951f3"
 dependencies = [
 "proc-macro2",
 "quote",
- "syn 2.0.114",
+ "syn 2.0.117",
 ]
 [[package]]
 name = "zmij"
-version = "1.0.20"
+version = "1.0.21"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4de98dfa5d5b7fef4ee834d0073d560c9ca7b6c46a71d058c48db7960f8cfaf7"
+checksum = "b8848ee67ecc8aedbaf3e4122217aff892639231befc6a1b58d29fff4c2cabaa"
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "telemt"
-version = "3.3.19"
+version = "3.3.27"
 edition = "2024"
 [dependencies]
@@ -40,6 +40,7 @@ tracing = "0.1"
 tracing-subscriber = { version = "0.3", features = ["env-filter"] }
 parking_lot = "0.12"
 dashmap = "5.5"
 arc-swap = "1.7"
 lru = "0.16"
 rand = "0.9"
 chrono = { version = "0.4", features = ["serde"] }
--- a/1
+++ b/1
@@ -38,6 +38,7 @@ USER telemt
 EXPOSE 443
 EXPOSE 9090
 EXPOSE 9091
 ENTRYPOINT ["/app/telemt"]
 CMD ["config.toml"]
--- a/README.md
+++ b/README.md
@@ -19,9 +19,9 @@
 ### 🇷🇺 RU
-#### Релиз 3.3.15 Semistable
+#### О релизах
-[3.3.15](https://github.com/telemt/telemt/releases/tag/3.3.15) по итогам работы в продакшн признан одним из самых стабильных и рекомендуется к использованию, когда cutting-edge фичи некритичны!
+[3.3.27](https://github.com/telemt/telemt/releases/tag/3.3.27) даёт баланс стабильности и передового функционала, а так же последние исправления по безопасности и багам
 Будем рады вашему фидбеку и предложениям по улучшению — особенно в части **API**, **статистики**, **UX**
@@ -40,9 +40,9 @@
 ### 🇬🇧 EN
-#### Release 3.3.15 Semistable
+#### About releases
-[3.3.15](https://github.com/telemt/telemt/releases/tag/3.3.15) is, based on the results of his work in production, recognized as one of the most stable and recommended for use when cutting-edge features are not so necessary!
+[3.3.27](https://github.com/telemt/telemt/releases/tag/3.3.27) provides a balance of stability and advanced functionality, as well as the latest security and bug fixes
 We are looking forward to your feedback and improvement proposals — especially regarding **API**, **statistics**, **UX**
--- a/config.toml
+++ b/config.toml
@@ -32,6 +32,7 @@ show = "*"
 port = 443
 # proxy_protocol = false           # Enable if behind HAProxy/nginx with PROXY protocol
 # metrics_port = 9090
 # metrics_listen = "0.0.0.0:9090"  # Listen address for metrics (overrides metrics_port)
 # metrics_whitelist = ["127.0.0.1", "::1", "0.0.0.0/0"]
 [server.api]
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -7,6 +7,7 @@ services:
    ports:
      - "443:443"
      - "127.0.0.1:9090:9090"
      - "127.0.0.1:9091:9091"
    # Allow caching 'proxy-secret' in read-only container
    working_dir: /run/telemt
    volumes:
--- a/docs/CONFIG_PARAMS.en.md
+++ b/docs/CONFIG_PARAMS.en.md
@@ -0,0 +1,294 @@
 # Telemt Config Parameters Reference
 This document lists all configuration keys accepted by `config.toml`.
 > [!WARNING]
 > 
 > The configuration parameters detailed in this document are intended for advanced users and fine-tuning purposes. Modifying these settings without a clear understanding of their function may lead to application instability or other unexpected behavior. Please proceed with caution and at your own risk.
 ## Top-level keys
 | Parameter | Type | Default | Constraints / validation | Description |
 |---|---|---|---|---|
 | include | `String` (special directive) | `null` | — | Includes another TOML file with `include = "relative/or/absolute/path.toml"`; includes are processed recursively before parsing. |
 | show_link | `"*" \| String[]` | `[]` (`ShowLink::None`) | — | Legacy top-level link visibility selector (`"*"` for all users or explicit usernames list). |
 | dc_overrides | `Map<String, String[]>` | `{}` | — | Overrides DC endpoints for non-standard DCs; key is DC id string, value is `ip:port` list. |
 | default_dc | `u8 \| null` | `null` (effective fallback: `2` in ME routing) | — | Default DC index used for unmapped non-standard DCs. |
 ## [general]
 | Parameter | Type | Default | Constraints / validation | Description |
 |---|---|---|---|---|
 | data_path | `String \| null` | `null` | — | Optional runtime data directory path. |
 | prefer_ipv6 | `bool` | `false` | — | Prefer IPv6 where applicable in runtime logic. |
 | fast_mode | `bool` | `true` | — | Enables fast-path optimizations for traffic processing. |
 | use_middle_proxy | `bool` | `true` | none | Enables ME transport mode; if `false`, runtime falls back to direct DC routing. |
 | proxy_secret_path | `String \| null` | `"proxy-secret"` | Path may be `null`. | Path to Telegram infrastructure proxy-secret file used by ME handshake logic. |
 | proxy_config_v4_cache_path | `String \| null` | `"cache/proxy-config-v4.txt"` | — | Optional cache path for raw `getProxyConfig` (IPv4) snapshot. |
 | proxy_config_v6_cache_path | `String \| null` | `"cache/proxy-config-v6.txt"` | — | Optional cache path for raw `getProxyConfigV6` (IPv6) snapshot. |
 | ad_tag | `String \| null` | `null` | — | Global fallback ad tag (32 hex characters). |
 | middle_proxy_nat_ip | `IpAddr \| null` | `null` | Must be a valid IP when set. | Manual public NAT IP override used as ME address material when set. |
 | middle_proxy_nat_probe | `bool` | `true` | Auto-forced to `true` when `use_middle_proxy = true`. | Enables ME NAT probing; runtime may force it on when ME mode is active. |
 | middle_proxy_nat_stun | `String \| null` | `null` | Deprecated. Use `network.stun_servers`. | Deprecated legacy single STUN server for NAT probing. |
 | middle_proxy_nat_stun_servers | `String[]` | `[]` | Deprecated. Use `network.stun_servers`. | Deprecated legacy STUN list for NAT probing fallback. |
 | stun_nat_probe_concurrency | `usize` | `8` | Must be `> 0`. | Maximum number of parallel STUN probes during NAT/public endpoint discovery. |
 | middle_proxy_pool_size | `usize` | `8` | none | Target size of active ME writer pool. |
 | middle_proxy_warm_standby | `usize` | `16` | none | Reserved compatibility field in current runtime revision. |
 | me_init_retry_attempts | `u32` | `0` | `0..=1_000_000`. | Startup retries for ME pool initialization (`0` means unlimited). |
 | me2dc_fallback | `bool` | `true` | — | Allows fallback from ME mode to direct DC when ME startup fails. |
 | me_keepalive_enabled | `bool` | `true` | none | Enables periodic ME keepalive/ping traffic. |
 | me_keepalive_interval_secs | `u64` | `8` | none | Base ME keepalive interval in seconds. |
 | me_keepalive_jitter_secs | `u64` | `2` | none | Keepalive jitter in seconds to reduce synchronized bursts. |
 | me_keepalive_payload_random | `bool` | `true` | none | Randomizes keepalive payload bytes instead of fixed zero payload. |
 | rpc_proxy_req_every | `u64` | `0` | `0` or `10..=300`. | Interval for service `RPC_PROXY_REQ` activity signals (`0` disables). |
 | me_writer_cmd_channel_capacity | `usize` | `4096` | Must be `> 0`. | Capacity of per-writer command channel. |
 | me_route_channel_capacity | `usize` | `768` | Must be `> 0`. | Capacity of per-connection ME response route channel. |
 | me_c2me_channel_capacity | `usize` | `1024` | Must be `> 0`. | Capacity of per-client command queue (client reader -> ME sender). |
 | me_reader_route_data_wait_ms | `u64` | `2` | `0..=20`. | Bounded wait for routing ME DATA to per-connection queue (`0` = no wait). |
 | me_d2c_flush_batch_max_frames | `usize` | `32` | `1..=512`. | Max ME->client frames coalesced before flush. |
 | me_d2c_flush_batch_max_bytes | `usize` | `131072` | `4096..=2_097_152`. | Max ME->client payload bytes coalesced before flush. |
 | me_d2c_flush_batch_max_delay_us | `u64` | `500` | `0..=5000`. | Max microsecond wait for coalescing more ME->client frames (`0` disables timed coalescing). |
 | me_d2c_ack_flush_immediate | `bool` | `true` | — | Flushes client writer immediately after quick-ack write. |
 | direct_relay_copy_buf_c2s_bytes | `usize` | `65536` | `4096..=1_048_576`. | Copy buffer size for client->DC direction in direct relay. |
 | direct_relay_copy_buf_s2c_bytes | `usize` | `262144` | `8192..=2_097_152`. | Copy buffer size for DC->client direction in direct relay. |
 | crypto_pending_buffer | `usize` | `262144` | — | Max pending ciphertext buffer per client writer (bytes). |
 | max_client_frame | `usize` | `16777216` | — | Maximum allowed client MTProto frame size (bytes). |
 | desync_all_full | `bool` | `false` | — | Emits full crypto-desync forensic logs for every event. |
 | beobachten | `bool` | `true` | — | Enables per-IP forensic observation buckets. |
 | beobachten_minutes | `u64` | `10` | Must be `> 0`. | Retention window (minutes) for per-IP observation buckets. |
 | beobachten_flush_secs | `u64` | `15` | Must be `> 0`. | Snapshot flush interval (seconds) for observation output file. |
 | beobachten_file | `String` | `"cache/beobachten.txt"` | — | Observation snapshot output file path. |
 | hardswap | `bool` | `true` | none | Enables generation-based ME hardswap strategy. |
 | me_warmup_stagger_enabled | `bool` | `true` | none | Staggers extra ME warmup dials to avoid connection spikes. |
 | me_warmup_step_delay_ms | `u64` | `500` | none | Base delay in milliseconds between warmup dial steps. |
 | me_warmup_step_jitter_ms | `u64` | `300` | none | Additional random delay in milliseconds for warmup steps. |
 | me_reconnect_max_concurrent_per_dc | `u32` | `8` | none | Limits concurrent reconnect workers per DC during health recovery. |
 | me_reconnect_backoff_base_ms | `u64` | `500` | none | Initial reconnect backoff in milliseconds. |
 | me_reconnect_backoff_cap_ms | `u64` | `30000` | none | Maximum reconnect backoff cap in milliseconds. |
 | me_reconnect_fast_retry_count | `u32` | `16` | none | Immediate retry budget before long backoff behavior applies. |
 | me_single_endpoint_shadow_writers | `u8` | `2` | `0..=32`. | Additional reserve writers for one-endpoint DC groups. |
 | me_single_endpoint_outage_mode_enabled | `bool` | `true` | — | Enables aggressive outage recovery for one-endpoint DC groups. |
 | me_single_endpoint_outage_disable_quarantine | `bool` | `true` | — | Ignores endpoint quarantine in one-endpoint outage mode. |
 | me_single_endpoint_outage_backoff_min_ms | `u64` | `250` | Must be `> 0`; also `<= me_single_endpoint_outage_backoff_max_ms`. | Minimum reconnect backoff in outage mode (ms). |
 | me_single_endpoint_outage_backoff_max_ms | `u64` | `3000` | Must be `> 0`; also `>= me_single_endpoint_outage_backoff_min_ms`. | Maximum reconnect backoff in outage mode (ms). |
 | me_single_endpoint_shadow_rotate_every_secs | `u64` | `900` | — | Periodic shadow writer rotation interval (`0` disables). |
 | me_floor_mode | `"static" \| "adaptive"` | `"adaptive"` | — | Writer floor policy mode. |
 | me_adaptive_floor_idle_secs | `u64` | `90` | — | Idle time before adaptive floor may reduce one-endpoint target. |
 | me_adaptive_floor_min_writers_single_endpoint | `u8` | `1` | `1..=32`. | Minimum adaptive writer target for one-endpoint DC groups. |
 | me_adaptive_floor_min_writers_multi_endpoint | `u8` | `1` | `1..=32`. | Minimum adaptive writer target for multi-endpoint DC groups. |
 | me_adaptive_floor_recover_grace_secs | `u64` | `180` | — | Grace period to hold static floor after activity. |
 | me_adaptive_floor_writers_per_core_total | `u16` | `48` | Must be `> 0`. | Global writer budget per logical CPU core in adaptive mode. |
 | me_adaptive_floor_cpu_cores_override | `u16` | `0` | — | Manual CPU core count override (`0` uses auto-detection). |
 | me_adaptive_floor_max_extra_writers_single_per_core | `u16` | `1` | — | Per-core max extra writers above base floor for one-endpoint DCs. |
 | me_adaptive_floor_max_extra_writers_multi_per_core | `u16` | `2` | — | Per-core max extra writers above base floor for multi-endpoint DCs. |
 | me_adaptive_floor_max_active_writers_per_core | `u16` | `64` | Must be `> 0`. | Hard cap for active ME writers per logical CPU core. |
 | me_adaptive_floor_max_warm_writers_per_core | `u16` | `64` | Must be `> 0`. | Hard cap for warm ME writers per logical CPU core. |
 | me_adaptive_floor_max_active_writers_global | `u32` | `256` | Must be `> 0`. | Hard global cap for active ME writers. |
 | me_adaptive_floor_max_warm_writers_global | `u32` | `256` | Must be `> 0`. | Hard global cap for warm ME writers. |
 | upstream_connect_retry_attempts | `u32` | `2` | Must be `> 0`. | Connect attempts for selected upstream before error/fallback. |
 | upstream_connect_retry_backoff_ms | `u64` | `100` | — | Delay between upstream connect attempts (ms). |
 | upstream_connect_budget_ms | `u64` | `3000` | Must be `> 0`. | Total wall-clock budget for one upstream connect request (ms). |
 | upstream_unhealthy_fail_threshold | `u32` | `5` | Must be `> 0`. | Consecutive failed requests before upstream is marked unhealthy. |
 | upstream_connect_failfast_hard_errors | `bool` | `false` | — | Skips additional retries for hard non-transient connect errors. |
 | stun_iface_mismatch_ignore | `bool` | `false` | none | Reserved compatibility flag in current runtime revision. |
 | unknown_dc_log_path | `String \| null` | `"unknown-dc.txt"` | — | File path for unknown-DC request logging (`null` disables file path). |
 | unknown_dc_file_log_enabled | `bool` | `false` | — | Enables unknown-DC file logging. |
 | log_level | `"debug" \| "verbose" \| "normal" \| "silent"` | `"normal"` | — | Runtime logging verbosity. |
 | disable_colors | `bool` | `false` | — | Disables ANSI colors in logs. |
 | me_socks_kdf_policy | `"strict" \| "compat"` | `"strict"` | — | SOCKS-bound KDF fallback policy for ME handshake. |
 | me_route_backpressure_base_timeout_ms | `u64` | `25` | Must be `> 0`. | Base backpressure timeout for route-channel send (ms). |
 | me_route_backpressure_high_timeout_ms | `u64` | `120` | Must be `>= me_route_backpressure_base_timeout_ms`. | High backpressure timeout when queue occupancy exceeds watermark (ms). |
 | me_route_backpressure_high_watermark_pct | `u8` | `80` | `1..=100`. | Queue occupancy threshold (%) for high timeout mode. |
 | me_health_interval_ms_unhealthy | `u64` | `1000` | Must be `> 0`. | Health monitor interval while writer coverage is degraded (ms). |
 | me_health_interval_ms_healthy | `u64` | `3000` | Must be `> 0`. | Health monitor interval while writer coverage is healthy (ms). |
 | me_admission_poll_ms | `u64` | `1000` | Must be `> 0`. | Poll interval for conditional-admission checks (ms). |
 | me_warn_rate_limit_ms | `u64` | `5000` | Must be `> 0`. | Cooldown for repetitive ME warning logs (ms). |
 | me_route_no_writer_mode | `"async_recovery_failfast" \| "inline_recovery_legacy" \| "hybrid_async_persistent"` | `"hybrid_async_persistent"` | — | Route behavior when no writer is immediately available. |
 | me_route_no_writer_wait_ms | `u64` | `250` | `10..=5000`. | Max wait in async-recovery failfast mode (ms). |
 | me_route_inline_recovery_attempts | `u32` | `3` | Must be `> 0`. | Inline recovery attempts in legacy mode. |
 | me_route_inline_recovery_wait_ms | `u64` | `3000` | `10..=30000`. | Max inline recovery wait in legacy mode (ms). |
 | fast_mode_min_tls_record | `usize` | `0` | — | Minimum TLS record size when fast-mode coalescing is enabled (`0` disables). |
 | update_every | `u64 \| null` | `300` | If set: must be `> 0`; if `null`: legacy fallback path is used. | Unified refresh interval for ME config and proxy-secret updater tasks. |
 | me_reinit_every_secs | `u64` | `900` | Must be `> 0`. | Periodic interval for zero-downtime ME reinit cycle. |
 | me_hardswap_warmup_delay_min_ms | `u64` | `1000` | Must be `<= me_hardswap_warmup_delay_max_ms`. | Lower bound for hardswap warmup dial spacing. |
 | me_hardswap_warmup_delay_max_ms | `u64` | `2000` | Must be `> 0`. | Upper bound for hardswap warmup dial spacing. |
 | me_hardswap_warmup_extra_passes | `u8` | `3` | Must be within `[0, 10]`. | Additional warmup passes after the base pass in one hardswap cycle. |
 | me_hardswap_warmup_pass_backoff_base_ms | `u64` | `500` | Must be `> 0`. | Base backoff between extra hardswap warmup passes. |
 | me_config_stable_snapshots | `u8` | `2` | Must be `> 0`. | Number of identical ME config snapshots required before apply. |
 | me_config_apply_cooldown_secs | `u64` | `300` | none | Cooldown between applied ME endpoint-map updates. |
 | me_snapshot_require_http_2xx | `bool` | `true` | — | Requires 2xx HTTP responses for applying config snapshots. |
 | me_snapshot_reject_empty_map | `bool` | `true` | — | Rejects empty config snapshots. |
 | me_snapshot_min_proxy_for_lines | `u32` | `1` | Must be `> 0`. | Minimum parsed `proxy_for` rows required to accept snapshot. |
 | proxy_secret_stable_snapshots | `u8` | `2` | Must be `> 0`. | Number of identical proxy-secret snapshots required before rotation. |
 | proxy_secret_rotate_runtime | `bool` | `true` | none | Enables runtime proxy-secret rotation from updater snapshots. |
 | me_secret_atomic_snapshot | `bool` | `true` | — | Keeps selector and secret bytes from the same snapshot atomically. |
 | proxy_secret_len_max | `usize` | `256` | Must be within `[32, 4096]`. | Upper length limit for accepted proxy-secret bytes. |
 | me_pool_drain_ttl_secs | `u64` | `90` | none | Time window where stale writers remain fallback-eligible after map change. |
 | me_pool_drain_threshold | `u64` | `128` | — | Max draining stale writers before batch force-close (`0` disables threshold cleanup). |
 | me_pool_drain_soft_evict_enabled | `bool` | `true` | — | Enables gradual soft-eviction of stale writers during drain/reinit instead of immediate hard close. |
 | me_pool_drain_soft_evict_grace_secs | `u64` | `30` | `0..=3600`. | Grace period before stale writers become soft-evict candidates. |
 | me_pool_drain_soft_evict_per_writer | `u8` | `1` | `1..=16`. | Maximum stale routes soft-evicted per writer in one eviction pass. |
 | me_pool_drain_soft_evict_budget_per_core | `u16` | `8` | `1..=64`. | Per-core budget limiting aggregate soft-eviction work per pass. |
 | me_pool_drain_soft_evict_cooldown_ms | `u64` | `5000` | Must be `> 0`. | Cooldown between consecutive soft-eviction passes (ms). |
 | me_bind_stale_mode | `"never" \| "ttl" \| "always"` | `"ttl"` | — | Policy for new binds on stale draining writers. |
 | me_bind_stale_ttl_secs | `u64` | `90` | — | TTL for stale bind allowance when stale mode is `ttl`. |
 | me_pool_min_fresh_ratio | `f32` | `0.8` | Must be within `[0.0, 1.0]`. | Minimum fresh desired-DC coverage ratio before stale writers are drained. |
 | me_reinit_drain_timeout_secs | `u64` | `120` | `0` disables force-close; if `> 0` and `< me_pool_drain_ttl_secs`, runtime bumps it to TTL. | Force-close timeout for draining stale writers (`0` keeps indefinite draining). |
 | proxy_secret_auto_reload_secs | `u64` | `3600` | Deprecated. Use `general.update_every`. | Deprecated legacy secret reload interval (fallback when `update_every` is not set). |
 | proxy_config_auto_reload_secs | `u64` | `3600` | Deprecated. Use `general.update_every`. | Deprecated legacy config reload interval (fallback when `update_every` is not set). |
 | me_reinit_singleflight | `bool` | `true` | — | Serializes ME reinit cycles across trigger sources. |
 | me_reinit_trigger_channel | `usize` | `64` | Must be `> 0`. | Trigger queue capacity for reinit scheduler. |
 | me_reinit_coalesce_window_ms | `u64` | `200` | — | Trigger coalescing window before starting reinit (ms). |
 | me_deterministic_writer_sort | `bool` | `true` | — | Enables deterministic candidate sort for writer binding path. |
 | me_writer_pick_mode | `"sorted_rr" \| "p2c"` | `"p2c"` | — | Writer selection mode for route bind path. |
 | me_writer_pick_sample_size | `u8` | `3` | `2..=4`. | Number of candidates sampled by picker in `p2c` mode. |
 | ntp_check | `bool` | `true` | — | Enables NTP drift check at startup. |
 | ntp_servers | `String[]` | `["pool.ntp.org"]` | — | NTP servers used for drift check. |
 | auto_degradation_enabled | `bool` | `true` | none | Reserved compatibility flag in current runtime revision. |
 | degradation_min_unavailable_dc_groups | `u8` | `2` | none | Reserved compatibility threshold in current runtime revision. |
 ## [general.modes]
 | Parameter | Type | Default | Constraints / validation | Description |
 |---|---|---|---|---|
 | classic | `bool` | `false` | — | Enables classic MTProxy mode. |
 | secure | `bool` | `false` | — | Enables secure mode. |
 | tls | `bool` | `true` | — | Enables TLS mode. |
 ## [general.links]
 | Parameter | Type | Default | Constraints / validation | Description |
 |---|---|---|---|---|
 | show | `"*" \| String[]` | `"*"` | — | Selects users whose tg:// links are shown at startup. |
 | public_host | `String \| null` | `null` | — | Public hostname/IP override for generated tg:// links. |
 | public_port | `u16 \| null` | `null` | — | Public port override for generated tg:// links. |
 ## [general.telemetry]
 | Parameter | Type | Default | Constraints / validation | Description |
 |---|---|---|---|---|
 | core_enabled | `bool` | `true` | — | Enables core hot-path telemetry counters. |
 | user_enabled | `bool` | `true` | — | Enables per-user telemetry counters. |
 | me_level | `"silent" \| "normal" \| "debug"` | `"normal"` | — | Middle-End telemetry verbosity level. |
 ## [network]
 | Parameter | Type | Default | Constraints / validation | Description |
 |---|---|---|---|---|
 | ipv4 | `bool` | `true` | — | Enables IPv4 networking. |
 | ipv6 | `bool` | `false` | — | Enables/disables IPv6 when set |
 | prefer | `u8` | `4` | Must be `4` or `6`. | Preferred IP family for selection (`4` or `6`). |
 | multipath | `bool` | `false` | — | Enables multipath behavior where supported. |
 | stun_use | `bool` | `true` | none | Global STUN switch; when `false`, STUN probing path is disabled. |
 | stun_servers | `String[]` | Built-in STUN list (13 hosts) | Deduplicated; empty values are removed. | Primary STUN server list for NAT/public endpoint discovery. |
 | stun_tcp_fallback | `bool` | `true` | none | Enables TCP fallback for STUN when UDP path is blocked. |
 | http_ip_detect_urls | `String[]` | `["https://ifconfig.me/ip", "https://api.ipify.org"]` | none | HTTP fallback endpoints for public IP detection when STUN is unavailable. |
 | cache_public_ip_path | `String` | `"cache/public_ip.txt"` | — | File path for caching detected public IP. |
 | dns_overrides | `String[]` | `[]` | Must match `host:port:ip`; IPv6 must be bracketed. | Runtime DNS overrides in `host:port:ip` format. |
 ## [server]
 | Parameter | Type | Default | Constraints / validation | Description |
 |---|---|---|---|---|
 | port | `u16` | `443` | — | Main proxy listen port. |
 | listen_addr_ipv4 | `String \| null` | `"0.0.0.0"` | — | IPv4 bind address for TCP listener. |
 | listen_addr_ipv6 | `String \| null` | `"::"` | — | IPv6 bind address for TCP listener. |
 | listen_unix_sock | `String \| null` | `null` | — | Unix socket path for listener. |
 | listen_unix_sock_perm | `String \| null` | `null` | — | Unix socket permissions in octal string (e.g., `"0666"`). |
 | listen_tcp | `bool \| null` | `null` (auto) | — | Explicit TCP listener enable/disable override. |
 | proxy_protocol | `bool` | `false` | — | Enables HAProxy PROXY protocol parsing on incoming client connections. |
 | proxy_protocol_header_timeout_ms | `u64` | `500` | Must be `> 0`. | Timeout for PROXY protocol header read/parse (ms). |
 | metrics_port | `u16 \| null` | `null` | — | Metrics endpoint port (enables metrics listener). |
 | metrics_listen | `String \| null` | `null` | — | Full metrics bind address (`IP:PORT`), overrides `metrics_port`. |
 | metrics_whitelist | `IpNetwork[]` | `["127.0.0.1/32", "::1/128"]` | — | CIDR whitelist for metrics endpoint access. |
 | max_connections | `u32` | `10000` | — | Max concurrent client connections (`0` = unlimited). |
 ## [server.api]
 | Parameter | Type | Default | Constraints / validation | Description |
 |---|---|---|---|---|
 | enabled | `bool` | `true` | — | Enables control-plane REST API. |
 | listen | `String` | `"0.0.0.0:9091"` | Must be valid `IP:PORT`. | API bind address in `IP:PORT` format. |
 | whitelist | `IpNetwork[]` | `["127.0.0.0/8"]` | — | CIDR whitelist allowed to access API. |
 | auth_header | `String` | `""` | — | Exact expected `Authorization` header value (empty = disabled). |
 | request_body_limit_bytes | `usize` | `65536` | Must be `> 0`. | Maximum accepted HTTP request body size. |
 | minimal_runtime_enabled | `bool` | `true` | — | Enables minimal runtime snapshots endpoint logic. |
 | minimal_runtime_cache_ttl_ms | `u64` | `1000` | `0..=60000`. | Cache TTL for minimal runtime snapshots (ms; `0` disables cache). |
 | runtime_edge_enabled | `bool` | `false` | — | Enables runtime edge endpoints. |
 | runtime_edge_cache_ttl_ms | `u64` | `1000` | `0..=60000`. | Cache TTL for runtime edge aggregation payloads (ms). |
 | runtime_edge_top_n | `usize` | `10` | `1..=1000`. | Top-N size for edge connection leaderboard. |
 | runtime_edge_events_capacity | `usize` | `256` | `16..=4096`. | Ring-buffer capacity for runtime edge events. |
 | read_only | `bool` | `false` | — | Rejects mutating API endpoints when enabled. |
 ## [[server.listeners]]
 | Parameter | Type | Default | Constraints / validation | Description |
 |---|---|---|---|---|
 | ip | `IpAddr` | — | — | Listener bind IP. |
 | announce | `String \| null` | — | — | Public IP/domain announced in proxy links (priority over `announce_ip`). |
 | announce_ip | `IpAddr \| null` | — | — | Deprecated legacy announce IP (migrated to `announce` if needed). |
 | proxy_protocol | `bool \| null` | `null` | — | Per-listener override for PROXY protocol enable flag. |
 | reuse_allow | `bool` | `false` | — | Enables `SO_REUSEPORT` for multi-instance bind sharing. |
 ## [timeouts]
 | Parameter | Type | Default | Constraints / validation | Description |
 |---|---|---|---|---|
 | client_handshake | `u64` | `30` | — | Client handshake timeout. |
 | tg_connect | `u64` | `10` | — | Upstream Telegram connect timeout. |
 | client_keepalive | `u64` | `15` | — | Client keepalive timeout. |
 | client_ack | `u64` | `90` | — | Client ACK timeout. |
 | me_one_retry | `u8` | `12` | none | Fast reconnect attempts budget for single-endpoint DC scenarios. |
 | me_one_timeout_ms | `u64` | `1200` | none | Timeout in milliseconds for each quick single-endpoint reconnect attempt. |
 ## [censorship]
 | Parameter | Type | Default | Constraints / validation | Description |
 |---|---|---|---|---|
 | tls_domain | `String` | `"petrovich.ru"` | — | Primary TLS domain used in fake TLS handshake profile. |
 | tls_domains | `String[]` | `[]` | — | Additional TLS domains for generating multiple links. |
 | mask | `bool` | `true` | — | Enables masking/fronting relay mode. |
 | mask_host | `String \| null` | `null` | — | Upstream mask host for TLS fronting relay. |
 | mask_port | `u16` | `443` | — | Upstream mask port for TLS fronting relay. |
 | mask_unix_sock | `String \| null` | `null` | — | Unix socket path for mask backend instead of TCP host/port. |
 | fake_cert_len | `usize` | `2048` | — | Length of synthetic certificate payload when emulation data is unavailable. |
 | tls_emulation | `bool` | `true` | — | Enables certificate/TLS behavior emulation from cached real fronts. |
 | tls_front_dir | `String` | `"tlsfront"` | — | Directory path for TLS front cache storage. |
 | server_hello_delay_min_ms | `u64` | `0` | — | Minimum server_hello delay for anti-fingerprint behavior (ms). |
 | server_hello_delay_max_ms | `u64` | `0` | — | Maximum server_hello delay for anti-fingerprint behavior (ms). |
 | tls_new_session_tickets | `u8` | `0` | — | Number of `NewSessionTicket` messages to emit after handshake. |
 | tls_full_cert_ttl_secs | `u64` | `90` | — | TTL for sending full cert payload per (domain, client IP) tuple. |
 | alpn_enforce | `bool` | `true` | — | Enforces ALPN echo behavior based on client preference. |
 | mask_proxy_protocol | `u8` | `0` | — | PROXY protocol mode for mask backend (`0` disabled, `1` v1, `2` v2). |
 ## [access]
 | Parameter | Type | Default | Constraints / validation | TOML shape example | Description |
 |---|---|---|---|---|---|
 | users | `Map<String, String>` | `{"default": "000…000"}` | Secret must be 32 hex characters. | `[access.users]`<br>`user = "32-hex secret"`<br>`user2 = "32-hex secret"` | User credentials map used for client authentication. |
 | user_ad_tags | `Map<String, String>` | `{}` | Every value must be exactly 32 hex characters. | `[access.user_ad_tags]`<br>`user = "32-hex ad_tag"` | Per-user ad tags used as override over `general.ad_tag`. |
 | user_max_tcp_conns | `Map<String, usize>` | `{}` | — | `[access.user_max_tcp_conns]`<br>`user = 500` | Per-user maximum concurrent TCP connections. |
 | user_expirations | `Map<String, DateTime<Utc>>` | `{}` | Timestamp must be valid RFC3339/ISO-8601 datetime. | `[access.user_expirations]`<br>`user = "2026-12-31T23:59:59Z"` | Per-user account expiration timestamps. |
 | user_data_quota | `Map<String, u64>` | `{}` | — | `[access.user_data_quota]`<br>`user = 1073741824` | Per-user traffic quota in bytes. |
 | user_max_unique_ips | `Map<String, usize>` | `{}` | — | `[access.user_max_unique_ips]`<br>`user = 16` | Per-user unique source IP limits. |
 | user_max_unique_ips_global_each | `usize` | `0` | — | `user_max_unique_ips_global_each = 0` | Global fallback used when `[access.user_max_unique_ips]` has no per-user override. |
 | user_max_unique_ips_mode | `"active_window" \| "time_window" \| "combined"` | `"active_window"` | — | `user_max_unique_ips_mode = "active_window"` | Unique source IP limit accounting mode. |
 | user_max_unique_ips_window_secs | `u64` | `30` | Must be `> 0`. | `user_max_unique_ips_window_secs = 30` | Window size (seconds) used by unique-IP accounting modes that use time windows. |
 | replay_check_len | `usize` | `65536` | — | `replay_check_len = 65536` | Replay-protection storage length. |
 | replay_window_secs | `u64` | `1800` | — | `replay_window_secs = 1800` | Replay-protection window in seconds. |
 | ignore_time_skew | `bool` | `false` | — | `ignore_time_skew = false` | Disables client/server timestamp skew checks in replay validation when enabled. |
 ## [[upstreams]]
 | Parameter | Type | Default | Constraints / validation | Description |
 |---|---|---|---|---|
 | type | `"direct" \| "socks4" \| "socks5"` | — | Required field. | Upstream transport type selector. |
 | weight | `u16` | `1` | none | Base weight used by weighted-random upstream selection. |
 | enabled | `bool` | `true` | none | Disabled entries are excluded from upstream selection at runtime. |
 | scopes | `String` | `""` | none | Comma-separated scope tags used for request-level upstream filtering. |
 | interface | `String \| null` | `null` | Optional; type-specific runtime rules apply. | Optional outbound interface/local bind hint (supported with type-specific rules). |
 | bind_addresses | `String[] \| null` | `null` | Applies to `type = "direct"`. | Optional explicit local source bind addresses for `type = "direct"`. |
 | address | `String` | — | Required for `type = "socks4"` and `type = "socks5"`. | SOCKS server endpoint (`host:port` or `ip:port`) for SOCKS upstream types. |
 | user_id | `String \| null` | `null` | Only for `type = "socks4"`. | SOCKS4 CONNECT user ID (`type = "socks4"` only). |
 | username | `String \| null` | `null` | Only for `type = "socks5"`. | SOCKS5 username (`type = "socks5"` only). |
 | password | `String \| null` | `null` | Only for `type = "socks5"`. | SOCKS5 password (`type = "socks5"` only). |
--- a/docs/FAQ.en.md
+++ b/docs/FAQ.en.md
@@ -83,6 +83,13 @@ To specify a domain in the links, add to the `[general.links]` section of the co
 public_host = "proxy.example.com"
 ```
 ### Server connection limit
 Limits the total number of open connections to the server:
 ```toml
 [server]
 max_connections = 10000    # 0 - unlimited, 10000 - default
 ```
 ### Upstream Manager
 To specify an upstream, add to the `[[upstreams]]` section of the config.toml file:
 #### Binding to IP
--- a/docs/FAQ.ru.md
+++ b/docs/FAQ.ru.md
@@ -83,6 +83,13 @@ metrics_whitelist = ["127.0.0.1/32", "::1/128", "0.0.0.0/0"]
 public_host = "proxy.example.com"
 ```
 ### Общий лимит подключений к серверу
 Ограничивает общее число открытых подключений к серверу:
 ```toml
 [server]
 max_connections = 10000    # 0 - unlimited, 10000 - default
 ```
 ### Upstream Manager
 Чтобы указать апстрим, добавьте в секцию `[[upstreams]]` файла config.toml:
 #### Привязка к IP
@@ -113,3 +120,4 @@ password = "pass"          # Password for Auth on SOCKS-server
 weight = 1                 # Set Weight for Scenarios
 enabled = true
 ```
--- a/docs/QUICK_START_GUIDE.en.md
+++ b/docs/QUICK_START_GUIDE.en.md
@@ -181,6 +181,8 @@ docker compose down
 docker build -t telemt:local .
 docker run --name telemt --restart unless-stopped \
  -p 443:443 \
  -p 9090:9090 \
  -p 9091:9091 \
  -e RUST_LOG=info \
  -v "$PWD/config.toml:/app/config.toml:ro" \
  --read-only \
--- a/docs/QUICK_START_GUIDE.ru.md
+++ b/docs/QUICK_START_GUIDE.ru.md
@@ -183,6 +183,8 @@ docker compose down
 docker build -t telemt:local .
 docker run --name telemt --restart unless-stopped \
  -p 443:443 \
  -p 9090:9090 \
  -p 9091:9091 \
  -e RUST_LOG=info \
  -v "$PWD/config.toml:/app/config.toml:ro" \
  --read-only \
--- a/docs/fronting-splitting/TLS-F-TCP-S.ru.md
+++ b/docs/fronting-splitting/TLS-F-TCP-S.ru.md
@@ -38,8 +38,9 @@ umweltschutz.de -> A-запись 198.18.88.88
 В конфигурации Telemt:
-```
+```toml
-tls_domain = umweltschutz.de
+[censorship]
 tls_domain = "umweltschutz.de"
 ```
 Этот домен используется клиентом как SNI в ClientHello
@@ -56,8 +57,9 @@ tls_domain = umweltschutz.de
 В конфигурации Telemt:
-```
+```toml
-mask_host = 127.0.0.1
+[censorship]
 mask_host = "127.0.0.1"
 mask_port = 8443
 ```
@@ -151,16 +153,18 @@ mask_host:mask_port
 Например:
-```
+```toml
-tls_domain = github.com
+[censorship]
-mask_host = github.com
+tls_domain = "github.com"
 mask_host = "github.com"
 mask_port = 443
 ```
 или
-```
+```toml
-mask_host = 140.82.121.4
+[censorship]
 mask_host = "140.82.121.4"
 ```
 В этом случае:
--- a/install.sh
+++ b/install.sh
@@ -3,113 +3,554 @@ set -eu
 REPO="${REPO:-telemt/telemt}"
 BIN_NAME="${BIN_NAME:-telemt}"
-VERSION="${1:-${VERSION:-latest}}"
+INSTALL_DIR="${INSTALL_DIR:-/bin}"
-INSTALL_DIR="${INSTALL_DIR:-/usr/local/bin}"
+CONFIG_DIR="${CONFIG_DIR:-/etc/telemt}"
 CONFIG_FILE="${CONFIG_FILE:-${CONFIG_DIR}/telemt.toml}"
 WORK_DIR="${WORK_DIR:-/opt/telemt}"
 TLS_DOMAIN="${TLS_DOMAIN:-petrovich.ru}"
 SERVICE_NAME="telemt"
 TEMP_DIR=""
 SUDO=""
 CONFIG_PARENT_DIR=""
 SERVICE_START_FAILED=0
 ACTION="install"
 TARGET_VERSION="${VERSION:-latest}"
 while [ $# -gt 0 ]; do
    case "$1" in
        -h|--help) ACTION="help"; shift ;;
        uninstall|--uninstall)
            if [ "$ACTION" != "purge" ]; then ACTION="uninstall"; fi
            shift ;;
        purge|--purge) ACTION="purge"; shift ;;
        install|--install) ACTION="install"; shift ;;
        -*) printf '[ERROR] Unknown option: %s\n' "$1" >&2; exit 1 ;;
        *)
            if [ "$ACTION" = "install" ]; then TARGET_VERSION="$1"
            else printf '[WARNING] Ignoring extra argument: %s\n' "$1" >&2; fi
            shift ;;
    esac
 done
 say() {
-    printf '%s\n' "$*"
+    if [ "$#" -eq 0 ] || [ -z "${1:-}" ]; then
        printf '\n'
    else
        printf '[INFO] %s\n' "$*"
    fi
 }
 die() { printf '[ERROR] %s\n' "$*" >&2; exit 1; }
 write_root() { $SUDO sh -c 'cat > "$1"' _ "$1"; }
 cleanup() {
    if [ -n "${TEMP_DIR:-}" ] && [ -d "$TEMP_DIR" ]; then
        rm -rf -- "$TEMP_DIR"
    fi
 }
 trap cleanup EXIT INT TERM
 show_help() {
    say "Usage: $0 [ <version> | install | uninstall | purge | --help ]"
    say "  <version>    Install specific version (e.g. 3.3.15, default: latest)"
    say "  install      Install the latest version"
    say "  uninstall    Remove the binary and service (keeps config and user)"
    say "  purge        Remove everything including configuration, data, and user"
    exit 0
 }
-die() {
+check_os_entity() {
-    printf 'Error: %s\n' "$*" >&2
+    if command -v getent >/dev/null 2>&1; then getent "$1" "$2" >/dev/null 2>&1
-    exit 1
+    else grep -q "^${2}:" "/etc/$1" 2>/dev/null; fi
 }
-need_cmd() {
+normalize_path() {
-    command -v "$1" >/dev/null 2>&1 || die "required command not found: $1"
+    printf '%s\n' "$1" | tr -s '/' | sed 's|/$||; s|^$|/|'
 }
-detect_os() {
+get_realpath() {
-    os="$(uname -s)"
+    path_in="$1"
-    case "$os" in
+    case "$path_in" in /*) ;; *) path_in="$(pwd)/$path_in" ;; esac
-        Linux) printf 'linux\n' ;;
+
-        OpenBSD) printf 'openbsd\n' ;;
+    if command -v realpath >/dev/null 2>&1; then 
-        *) printf '%s\n' "$os" ;;
+        if realpath_out="$(realpath -m "$path_in" 2>/dev/null)"; then
            printf '%s\n' "$realpath_out"
            return
        fi
    fi
    if command -v readlink >/dev/null 2>&1; then
        resolved_path="$(readlink -f "$path_in" 2>/dev/null || true)"
        if [ -n "$resolved_path" ]; then
            printf '%s\n' "$resolved_path"
            return
        fi
    fi
    d="${path_in%/*}"; b="${path_in##*/}"
    if [ -z "$d" ]; then d="/"; fi
    if [ "$d" = "$path_in" ]; then d="/"; b="$path_in"; fi
    if [ -d "$d" ]; then
        abs_d="$(cd "$d" >/dev/null 2>&1 && pwd || true)"
        if [ -n "$abs_d" ]; then
            if [ "$b" = "." ] || [ -z "$b" ]; then printf '%s\n' "$abs_d"
            elif [ "$abs_d" = "/" ]; then printf '/%s\n' "$b"
            else printf '%s/%s\n' "$abs_d" "$b"; fi
        else
            normalize_path "$path_in"
        fi
    else
        normalize_path "$path_in"
    fi
 }
 get_svc_mgr() {
    if command -v systemctl >/dev/null 2>&1 && [ -d /run/systemd/system ]; then echo "systemd"
    elif command -v rc-service >/dev/null 2>&1; then echo "openrc"
    else echo "none"; fi
 }
 verify_common() {
    [ -n "$BIN_NAME" ] || die "BIN_NAME cannot be empty."
    [ -n "$INSTALL_DIR" ] || die "INSTALL_DIR cannot be empty."
    [ -n "$CONFIG_DIR" ] || die "CONFIG_DIR cannot be empty."
    [ -n "$CONFIG_FILE" ] || die "CONFIG_FILE cannot be empty."
    case "${INSTALL_DIR}${CONFIG_DIR}${WORK_DIR}${CONFIG_FILE}" in
        *[!a-zA-Z0-9_./-]*) die "Invalid characters in paths. Only alphanumeric, _, ., -, and / allowed." ;;
    esac
    case "$TARGET_VERSION" in *[!a-zA-Z0-9_.-]*) die "Invalid characters in version." ;; esac
    case "$BIN_NAME" in *[!a-zA-Z0-9_-]*) die "Invalid characters in BIN_NAME." ;; esac
    INSTALL_DIR="$(get_realpath "$INSTALL_DIR")"
    CONFIG_DIR="$(get_realpath "$CONFIG_DIR")"
    WORK_DIR="$(get_realpath "$WORK_DIR")"
    CONFIG_FILE="$(get_realpath "$CONFIG_FILE")"
    CONFIG_PARENT_DIR="${CONFIG_FILE%/*}"
    if [ -z "$CONFIG_PARENT_DIR" ]; then CONFIG_PARENT_DIR="/"; fi
    if [ "$CONFIG_PARENT_DIR" = "$CONFIG_FILE" ]; then CONFIG_PARENT_DIR="."; fi
    if [ "$(id -u)" -eq 0 ]; then
        SUDO=""
    else
        command -v sudo >/dev/null 2>&1 || die "This script requires root or sudo. Neither found."
        SUDO="sudo"
        if ! sudo -n true 2>/dev/null; then
            if ! [ -t 0 ]; then
                die "sudo requires a password, but no TTY detected. Aborting to prevent hang."
            fi
        fi
    fi
    if [ -n "$SUDO" ]; then
        if $SUDO sh -c '[ -d "$1" ]' _ "$CONFIG_FILE"; then
            die "Safety check failed: CONFIG_FILE '$CONFIG_FILE' is a directory."
        fi
    elif [ -d "$CONFIG_FILE" ]; then
        die "Safety check failed: CONFIG_FILE '$CONFIG_FILE' is a directory."
    fi
    for path in "$CONFIG_DIR" "$CONFIG_PARENT_DIR" "$WORK_DIR"; do
        check_path="$(get_realpath "$path")"
        case "$check_path" in
            /|/bin|/sbin|/usr|/usr/bin|/usr/sbin|/usr/local|/usr/local/bin|/usr/local/sbin|/usr/local/etc|/usr/local/share|/etc|/var|/var/lib|/var/log|/var/run|/home|/root|/tmp|/lib|/lib64|/opt|/run|/boot|/dev|/sys|/proc)
                die "Safety check failed: '$path' (resolved to '$check_path') is a critical system directory." ;;
        esac
    done
    check_install_dir="$(get_realpath "$INSTALL_DIR")"
    case "$check_install_dir" in
        /|/etc|/var|/home|/root|/tmp|/usr|/usr/local|/opt|/boot|/dev|/sys|/proc|/run)
            die "Safety check failed: INSTALL_DIR '$INSTALL_DIR' is a critical system directory." ;;
    esac
    for cmd in id uname grep find rm chown chmod mv mktemp mkdir tr dd sed ps head sleep cat tar gzip rmdir; do
        command -v "$cmd" >/dev/null 2>&1 || die "Required command not found: $cmd"
    done
 }
 verify_install_deps() {
    command -v curl >/dev/null 2>&1 || command -v wget >/dev/null 2>&1 || die "Neither curl nor wget is installed."
    command -v cp >/dev/null 2>&1 || command -v install >/dev/null 2>&1 || die "Need cp or install"
    if ! command -v setcap >/dev/null 2>&1; then
        if command -v apk >/dev/null 2>&1; then
            $SUDO apk add --no-cache libcap-utils >/dev/null 2>&1 || $SUDO apk add --no-cache libcap >/dev/null 2>&1 || true
        elif command -v apt-get >/dev/null 2>&1; then
            $SUDO apt-get update -q >/dev/null 2>&1 || true
            $SUDO apt-get install -y -q libcap2-bin >/dev/null 2>&1 || true
        elif command -v dnf >/dev/null 2>&1; then $SUDO dnf install -y -q libcap >/dev/null 2>&1 || true
        elif command -v yum >/dev/null 2>&1; then $SUDO yum install -y -q libcap >/dev/null 2>&1 || true
        fi
    fi
 }
 detect_arch() {
-    arch="$(uname -m)"
+    sys_arch="$(uname -m)"
-    case "$arch" in
+    case "$sys_arch" in
-        x86_64|amd64) printf 'x86_64\n' ;;
+        x86_64|amd64) echo "x86_64" ;;
-        aarch64|arm64) printf 'aarch64\n' ;;
+        aarch64|arm64) echo "aarch64" ;;
-        *) die "unsupported architecture: $arch" ;;
+        *) die "Unsupported architecture: $sys_arch" ;;
    esac
 }
 detect_libc() {
-    case "$(ldd --version 2>&1 || true)" in
+    for f in /lib/ld-musl-*.so.* /lib64/ld-musl-*.so.*; do
-        *musl*) printf 'musl\n' ;;
+        if [ -e "$f" ]; then echo "musl"; return 0; fi
-        *) printf 'gnu\n' ;;
+    done
-    esac
+    if grep -qE '^ID="?alpine"?' /etc/os-release 2>/dev/null; then echo "musl"; return 0; fi
    if command -v ldd >/dev/null 2>&1 && (ldd --version 2>&1 || true) | grep -qi musl; then echo "musl"; return 0; fi
    echo "gnu"
 }
-fetch_to_stdout() {
+fetch_file() {
-    url="$1"
+    if command -v curl >/dev/null 2>&1; then curl -fsSL "$1" -o "$2"
-    if command -v curl >/dev/null 2>&1; then
+    else wget -q -O "$2" "$1"; fi
-        curl -fsSL "$url"
+}
-    elif command -v wget >/dev/null 2>&1; then
+
-        wget -qO- "$url"
+ensure_user_group() {
-    else
+    nologin_bin="$(command -v nologin 2>/dev/null || command -v false 2>/dev/null || echo /bin/false)"
-        die "neither curl nor wget is installed"
+
    if ! check_os_entity group telemt; then
        if command -v groupadd >/dev/null 2>&1; then $SUDO groupadd -r telemt
        elif command -v addgroup >/dev/null 2>&1; then $SUDO addgroup -S telemt
        else die "Cannot create group"; fi
    fi
    if ! check_os_entity passwd telemt; then
        if command -v useradd >/dev/null 2>&1; then
            $SUDO useradd -r -g telemt -d "$WORK_DIR" -s "$nologin_bin" -c "Telemt Proxy" telemt
        elif command -v adduser >/dev/null 2>&1; then
            if adduser --help 2>&1 | grep -q -- '-S'; then
                $SUDO adduser -S -D -H -h "$WORK_DIR" -s "$nologin_bin" -G telemt telemt
            else
                $SUDO adduser --system --home "$WORK_DIR" --shell "$nologin_bin" --no-create-home --ingroup telemt --disabled-password telemt
            fi
        else die "Cannot create user"; fi
    fi
 }
 setup_dirs() {
    $SUDO mkdir -p "$WORK_DIR" "$CONFIG_DIR" "$CONFIG_PARENT_DIR" || die "Failed to create directories"
    $SUDO chown telemt:telemt "$WORK_DIR" && $SUDO chmod 750 "$WORK_DIR"
    $SUDO chown root:telemt "$CONFIG_DIR" && $SUDO chmod 750 "$CONFIG_DIR"
    if [ "$CONFIG_PARENT_DIR" != "$CONFIG_DIR" ] && [ "$CONFIG_PARENT_DIR" != "." ] && [ "$CONFIG_PARENT_DIR" != "/" ]; then
        $SUDO chown root:telemt "$CONFIG_PARENT_DIR" && $SUDO chmod 750 "$CONFIG_PARENT_DIR"
    fi
 }
 stop_service() {
    svc="$(get_svc_mgr)"
    if [ "$svc" = "systemd" ] && systemctl is-active --quiet "$SERVICE_NAME" 2>/dev/null; then
        $SUDO systemctl stop "$SERVICE_NAME" 2>/dev/null || true
    elif [ "$svc" = "openrc" ] && rc-service "$SERVICE_NAME" status >/dev/null 2>&1; then
        $SUDO rc-service "$SERVICE_NAME" stop 2>/dev/null || true
    fi
 }
 install_binary() {
-    src="$1"
+    bin_src="$1"; bin_dst="$2"
-    dst="$2"
+    if [ -e "$INSTALL_DIR" ] && [ ! -d "$INSTALL_DIR" ]; then
        die "'$INSTALL_DIR' is not a directory."
    fi
-    if [ -w "$INSTALL_DIR" ] || { [ ! -e "$INSTALL_DIR" ] && [ -w "$(dirname "$INSTALL_DIR")" ]; }; then
+    $SUDO mkdir -p "$INSTALL_DIR" || die "Failed to create install directory"
-        mkdir -p "$INSTALL_DIR"
+    if command -v install >/dev/null 2>&1; then
-        install -m 0755 "$src" "$dst"
+        $SUDO install -m 0755 "$bin_src" "$bin_dst" || die "Failed to install binary"
    elif command -v sudo >/dev/null 2>&1; then
        sudo mkdir -p "$INSTALL_DIR"
        sudo install -m 0755 "$src" "$dst"
    else
-        die "cannot write to $INSTALL_DIR and sudo is not available"
+        $SUDO rm -f "$bin_dst" 2>/dev/null || true
        $SUDO cp "$bin_src" "$bin_dst" && $SUDO chmod 0755 "$bin_dst" || die "Failed to copy binary"
    fi
    $SUDO sh -c '[ -x "$1" ]' _ "$bin_dst" || die "Binary not executable: $bin_dst"
    if command -v setcap >/dev/null 2>&1; then
        $SUDO setcap cap_net_bind_service=+ep "$bin_dst" 2>/dev/null || true
    fi
 }
-need_cmd uname
+generate_secret() {
-need_cmd tar
+    secret="$(command -v openssl >/dev/null 2>&1 && openssl rand -hex 16 2>/dev/null || true)"
-need_cmd mktemp
+    if [ -z "$secret" ] || [ "${#secret}" -ne 32 ]; then
-need_cmd grep
+        if command -v od >/dev/null 2>&1; then secret="$(dd if=/dev/urandom bs=16 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')"
-need_cmd install
+        elif command -v hexdump >/dev/null 2>&1; then secret="$(dd if=/dev/urandom bs=16 count=1 2>/dev/null | hexdump -e '1/1 "%02x"')"
        elif command -v xxd >/dev/null 2>&1; then secret="$(dd if=/dev/urandom bs=16 count=1 2>/dev/null | xxd -p | tr -d '\n')"
        fi
    fi
    if [ "${#secret}" -eq 32 ]; then echo "$secret"; else return 1; fi
 }
-ARCH="$(detect_arch)"
+generate_config_content() {
-OS="$(detect_os)"
+    escaped_tls_domain="$(printf '%s\n' "$TLS_DOMAIN" | tr -d '[:cntrl:]' | sed 's/\\/\\\\/g; s/"/\\"/g')"
-if [ "$OS" != "linux" ]; then
+    cat <<EOF
-    case "$OS" in
+[general]
-        openbsd)
+use_middle_proxy = false
            die "install.sh installs only Linux release artifacts. On OpenBSD, build from source (see docs/OPENBSD.en.md)."
            ;;
        *)
            die "unsupported operating system for install.sh: $OS"
            ;;
    esac
 fi
-LIBC="$(detect_libc)"
+[general.modes]
 classic = false
 secure = false
 tls = true
-case "$VERSION" in
+[server]
-    latest)
+port = 443
-        URL="https://github.com/$REPO/releases/latest/download/${BIN_NAME}-${ARCH}-linux-${LIBC}.tar.gz"
+
-        ;;
+[server.api]
-    *)
+enabled = true
-        URL="https://github.com/$REPO/releases/download/${VERSION}/${BIN_NAME}-${ARCH}-linux-${LIBC}.tar.gz"
+listen = "127.0.0.1:9091"
 whitelist = ["127.0.0.1/32"]
 [censorship]
 tls_domain = "${escaped_tls_domain}"
 [access.users]
 hello = "$1"
 EOF
 }
 install_config() {
    if [ -n "$SUDO" ]; then
        if $SUDO sh -c '[ -f "$1" ]' _ "$CONFIG_FILE"; then
            say "  -> Config already exists at $CONFIG_FILE. Skipping creation."
            return 0
        fi
    elif [ -f "$CONFIG_FILE" ]; then
        say "  -> Config already exists at $CONFIG_FILE. Skipping creation."
        return 0
    fi
    toml_secret="$(generate_secret)" || die "Failed to generate secret."
    generate_config_content "$toml_secret" | write_root "$CONFIG_FILE" || die "Failed to install config"
    $SUDO chown root:telemt "$CONFIG_FILE" && $SUDO chmod 640 "$CONFIG_FILE"
    say "  -> Config created successfully."
    say "  -> Generated secret for default user 'hello': $toml_secret"
 }
 generate_systemd_content() {
    cat <<EOF
 [Unit]
 Description=Telemt
 After=network-online.target
 Wants=network-online.target
 [Service]
 Type=simple
 User=telemt
 Group=telemt
 WorkingDirectory=$WORK_DIR
 ExecStart="${INSTALL_DIR}/${BIN_NAME}" "${CONFIG_FILE}"
 Restart=on-failure
 LimitNOFILE=65536
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 [Install]
 WantedBy=multi-user.target
 EOF
 }
 generate_openrc_content() {
    cat <<EOF
 #!/sbin/openrc-run
 name="$SERVICE_NAME"
 description="Telemt Proxy Service"
 command="${INSTALL_DIR}/${BIN_NAME}"
 command_args="${CONFIG_FILE}"
 command_background=true
 command_user="telemt:telemt"
 pidfile="/run/\${RC_SVCNAME}.pid"
 directory="${WORK_DIR}"
 rc_ulimit="-n 65536"
 depend() { need net; use logger; }
 EOF
 }
 install_service() {
    svc="$(get_svc_mgr)"
    if [ "$svc" = "systemd" ]; then
        generate_systemd_content | write_root "/etc/systemd/system/${SERVICE_NAME}.service"
        $SUDO chown root:root "/etc/systemd/system/${SERVICE_NAME}.service" && $SUDO chmod 644 "/etc/systemd/system/${SERVICE_NAME}.service"
        $SUDO systemctl daemon-reload || true
        $SUDO systemctl enable "$SERVICE_NAME" || true
        if ! $SUDO systemctl start "$SERVICE_NAME"; then
            say "[WARNING] Failed to start service"
            SERVICE_START_FAILED=1
        fi
    elif [ "$svc" = "openrc" ]; then
        generate_openrc_content | write_root "/etc/init.d/${SERVICE_NAME}"
        $SUDO chown root:root "/etc/init.d/${SERVICE_NAME}" && $SUDO chmod 0755 "/etc/init.d/${SERVICE_NAME}"
        $SUDO rc-update add "$SERVICE_NAME" default 2>/dev/null || true
        if ! $SUDO rc-service "$SERVICE_NAME" start 2>/dev/null; then
            say "[WARNING] Failed to start service"
            SERVICE_START_FAILED=1
        fi
    else
        cmd="\"${INSTALL_DIR}/${BIN_NAME}\" \"${CONFIG_FILE}\""
        if [ -n "$SUDO" ]; then 
            say "  -> Service manager not found. Start manually: sudo -u telemt $cmd"
        else 
            say "  -> Service manager not found. Start manually: su -s /bin/sh telemt -c '$cmd'"
        fi
    fi
 }
 kill_user_procs() {
    if command -v pkill >/dev/null 2>&1; then
        $SUDO pkill -u telemt "$BIN_NAME" 2>/dev/null || true
        sleep 1
        $SUDO pkill -9 -u telemt "$BIN_NAME" 2>/dev/null || true
    else
        if command -v pgrep >/dev/null 2>&1; then
            pids="$(pgrep -u telemt 2>/dev/null || true)"
        else
            pids="$(ps -u telemt -o pid= 2>/dev/null || true)"
        fi
        if [ -n "$pids" ]; then
            for pid in $pids; do
                case "$pid" in ''|*[!0-9]*) continue ;; *) $SUDO kill "$pid" 2>/dev/null || true ;; esac
            done
            sleep 1
            for pid in $pids; do
                case "$pid" in ''|*[!0-9]*) continue ;; *) $SUDO kill -9 "$pid" 2>/dev/null || true ;; esac
            done
        fi
    fi
 }
 uninstall() {
    say "Starting uninstallation of $BIN_NAME..."
    say ">>> Stage 1: Stopping services"
    stop_service
    say ">>> Stage 2: Removing service configuration"
    svc="$(get_svc_mgr)"
    if [ "$svc" = "systemd" ]; then
        $SUDO systemctl disable "$SERVICE_NAME" 2>/dev/null || true
        $SUDO rm -f "/etc/systemd/system/${SERVICE_NAME}.service"
        $SUDO systemctl daemon-reload 2>/dev/null || true
    elif [ "$svc" = "openrc" ]; then
        $SUDO rc-update del "$SERVICE_NAME" 2>/dev/null || true
        $SUDO rm -f "/etc/init.d/${SERVICE_NAME}"
    fi
    say ">>> Stage 3: Terminating user processes"
    kill_user_procs
    say ">>> Stage 4: Removing binary"
    $SUDO rm -f "${INSTALL_DIR}/${BIN_NAME}"
    if [ "$ACTION" = "purge" ]; then
        say ">>> Stage 5: Purging configuration, data, and user"
        $SUDO rm -rf "$CONFIG_DIR" "$WORK_DIR"
        $SUDO rm -f "$CONFIG_FILE"
        if [ "$CONFIG_PARENT_DIR" != "$CONFIG_DIR" ] && [ "$CONFIG_PARENT_DIR" != "." ] && [ "$CONFIG_PARENT_DIR" != "/" ]; then
            $SUDO rmdir "$CONFIG_PARENT_DIR" 2>/dev/null || true
        fi
        $SUDO userdel telemt 2>/dev/null || $SUDO deluser telemt 2>/dev/null || true
        $SUDO groupdel telemt 2>/dev/null || $SUDO delgroup telemt 2>/dev/null || true
    else
        say "Note: Configuration and user kept. Run with 'purge' to remove completely."
    fi
    printf '\n====================================================================\n'
    printf '                    UNINSTALLATION COMPLETE\n'
    printf '====================================================================\n\n'
    exit 0
 }
 case "$ACTION" in
    help) show_help ;;
    uninstall|purge) verify_common; uninstall ;;
    install)
        say "Starting installation of $BIN_NAME (Version: $TARGET_VERSION)"
        say ">>> Stage 1: Verifying environment and dependencies"
        verify_common; verify_install_deps
        if [ "$TARGET_VERSION" != "latest" ]; then 
            TARGET_VERSION="${TARGET_VERSION#v}"
        fi
        ARCH="$(detect_arch)"; LIBC="$(detect_libc)"
        FILE_NAME="${BIN_NAME}-${ARCH}-linux-${LIBC}.tar.gz"
        if [ "$TARGET_VERSION" = "latest" ]; then
            DL_URL="https://github.com/${REPO}/releases/latest/download/${FILE_NAME}"
        else 
            DL_URL="https://github.com/${REPO}/releases/download/${TARGET_VERSION}/${FILE_NAME}"
        fi
        say ">>> Stage 2: Downloading archive"
        TEMP_DIR="$(mktemp -d)" || die "Temp directory creation failed"
        if [ -z "$TEMP_DIR" ] || [ ! -d "$TEMP_DIR" ]; then
            die "Temp directory is invalid or was not created"
        fi
        fetch_file "$DL_URL" "${TEMP_DIR}/${FILE_NAME}" || die "Download failed"
        say ">>> Stage 3: Extracting archive"
        if ! gzip -dc "${TEMP_DIR}/${FILE_NAME}" | tar -xf - -C "$TEMP_DIR" 2>/dev/null; then
            die "Extraction failed (downloaded archive might be invalid or 404)."
        fi
        EXTRACTED_BIN="$(find "$TEMP_DIR" -type f -name "$BIN_NAME" -print 2>/dev/null | head -n 1 || true)"
        [ -n "$EXTRACTED_BIN" ] || die "Binary '$BIN_NAME' not found in archive"
        say ">>> Stage 4: Setting up environment (User, Group, Directories)"
        ensure_user_group; setup_dirs; stop_service
        say ">>> Stage 5: Installing binary"
        install_binary "$EXTRACTED_BIN" "${INSTALL_DIR}/${BIN_NAME}"
        say ">>> Stage 6: Generating configuration"
        install_config
        say ">>> Stage 7: Installing and starting service"
        install_service
        if [ "${SERVICE_START_FAILED:-0}" -eq 1 ]; then
            printf '\n====================================================================\n'
            printf '               INSTALLATION COMPLETED WITH WARNINGS\n'
            printf '====================================================================\n\n'
            printf 'The service was installed but failed to start automatically.\n'
            printf 'Please check the logs to determine the issue.\n\n'
        else
            printf '\n====================================================================\n'
            printf '                      INSTALLATION SUCCESS\n'
            printf '====================================================================\n\n'
        fi
        svc="$(get_svc_mgr)"
        if [ "$svc" = "systemd" ]; then
            printf 'To check the status of your proxy service, run:\n'
            printf '  systemctl status %s\n\n' "$SERVICE_NAME"
        elif [ "$svc" = "openrc" ]; then
            printf 'To check the status of your proxy service, run:\n'
            printf '  rc-service %s status\n\n' "$SERVICE_NAME"
        fi
        printf 'To get your user connection links (for Telegram), run:\n'
        if command -v jq >/dev/null 2>&1; then
            printf '  curl -s http://127.0.0.1:9091/v1/users | jq -r '\''.data[] | "User: \\(.username)\\n\\(.links.tls[0] // empty)\\n"'\''\n'
        else
            printf '  curl -s http://127.0.0.1:9091/v1/users\n'
            printf '  (Tip: Install '\''jq'\'' for a much cleaner output)\n'
        fi
        printf '\n====================================================================\n'
        ;;
 esac
 TMPDIR="$(mktemp -d)"
 trap 'rm -rf "$TMPDIR"' EXIT INT TERM
 say "Installing $BIN_NAME ($VERSION) for $ARCH-linux-$LIBC..."
 fetch_to_stdout "$URL" | tar -xzf - -C "$TMPDIR"
 [ -f "$TMPDIR/$BIN_NAME" ] || die "archive did not contain $BIN_NAME"
 install_binary "$TMPDIR/$BIN_NAME" "$INSTALL_DIR/$BIN_NAME"
 say "Installed: $INSTALL_DIR/$BIN_NAME"
 "$INSTALL_DIR/$BIN_NAME" --version 2>/dev/null || true
--- a/src/api/model.rs
+++ b/src/api/model.rs
@@ -195,6 +195,8 @@ pub(super) struct ZeroPoolData {
    pub(super) pool_swap_total: u64,
    pub(super) pool_drain_active: u64,
    pub(super) pool_force_close_total: u64,
    pub(super) pool_drain_soft_evict_total: u64,
    pub(super) pool_drain_soft_evict_writer_total: u64,
    pub(super) pool_stale_pick_total: u64,
    pub(super) writer_removed_total: u64,
    pub(super) writer_removed_unexpected_total: u64,
@@ -203,6 +205,16 @@ pub(super) struct ZeroPoolData {
    pub(super) refill_failed_total: u64,
    pub(super) writer_restored_same_endpoint_total: u64,
    pub(super) writer_restored_fallback_total: u64,
    pub(super) teardown_attempt_total_normal: u64,
    pub(super) teardown_attempt_total_hard_detach: u64,
    pub(super) teardown_success_total_normal: u64,
    pub(super) teardown_success_total_hard_detach: u64,
    pub(super) teardown_timeout_total: u64,
    pub(super) teardown_escalation_total: u64,
    pub(super) teardown_noop_total: u64,
    pub(super) teardown_cleanup_side_effect_failures_total: u64,
    pub(super) teardown_duration_count_total: u64,
    pub(super) teardown_duration_sum_seconds_total: f64,
 }
 #[derive(Serialize, Clone)]
@@ -235,6 +247,7 @@ pub(super) struct MeWritersSummary {
    pub(super) available_pct: f64,
    pub(super) required_writers: usize,
    pub(super) alive_writers: usize,
    pub(super) coverage_ratio: f64,
    pub(super) coverage_pct: f64,
    pub(super) fresh_alive_writers: usize,
    pub(super) fresh_coverage_pct: f64,
@@ -283,6 +296,7 @@ pub(super) struct DcStatus {
    pub(super) floor_max: usize,
    pub(super) floor_capped: bool,
    pub(super) alive_writers: usize,
    pub(super) coverage_ratio: f64,
    pub(super) coverage_pct: f64,
    pub(super) fresh_alive_writers: usize,
    pub(super) fresh_coverage_pct: f64,
@@ -360,6 +374,12 @@ pub(super) struct MinimalMeRuntimeData {
    pub(super) me_reconnect_backoff_cap_ms: u64,
    pub(super) me_reconnect_fast_retry_count: u32,
    pub(super) me_pool_drain_ttl_secs: u64,
    pub(super) me_instadrain: bool,
    pub(super) me_pool_drain_soft_evict_enabled: bool,
    pub(super) me_pool_drain_soft_evict_grace_secs: u64,
    pub(super) me_pool_drain_soft_evict_per_writer: u8,
    pub(super) me_pool_drain_soft_evict_budget_per_core: u16,
    pub(super) me_pool_drain_soft_evict_cooldown_ms: u64,
    pub(super) me_pool_force_close_secs: u64,
    pub(super) me_pool_min_fresh_ratio: f32,
    pub(super) me_bind_stale_mode: &'static str,
--- a/src/api/runtime_min.rs
+++ b/src/api/runtime_min.rs
@@ -4,6 +4,9 @@ use std::time::{SystemTime, UNIX_EPOCH};
 use serde::Serialize;
 use crate::config::ProxyConfig;
 use crate::stats::{
    MeWriterCleanupSideEffectStep, MeWriterTeardownMode, MeWriterTeardownReason, Stats,
 };
 use super::ApiShared;
@@ -98,6 +101,50 @@ pub(super) struct RuntimeMeQualityCountersData {
    pub(super) reconnect_success_total: u64,
 }
 #[derive(Serialize)]
 pub(super) struct RuntimeMeQualityTeardownAttemptData {
    pub(super) reason: &'static str,
    pub(super) mode: &'static str,
    pub(super) total: u64,
 }
 #[derive(Serialize)]
 pub(super) struct RuntimeMeQualityTeardownSuccessData {
    pub(super) mode: &'static str,
    pub(super) total: u64,
 }
 #[derive(Serialize)]
 pub(super) struct RuntimeMeQualityTeardownSideEffectData {
    pub(super) step: &'static str,
    pub(super) total: u64,
 }
 #[derive(Serialize)]
 pub(super) struct RuntimeMeQualityTeardownDurationBucketData {
    pub(super) le_seconds: &'static str,
    pub(super) total: u64,
 }
 #[derive(Serialize)]
 pub(super) struct RuntimeMeQualityTeardownDurationData {
    pub(super) mode: &'static str,
    pub(super) count: u64,
    pub(super) sum_seconds: f64,
    pub(super) buckets: Vec<RuntimeMeQualityTeardownDurationBucketData>,
 }
 #[derive(Serialize)]
 pub(super) struct RuntimeMeQualityTeardownData {
    pub(super) attempts: Vec<RuntimeMeQualityTeardownAttemptData>,
    pub(super) success: Vec<RuntimeMeQualityTeardownSuccessData>,
    pub(super) timeout_total: u64,
    pub(super) escalation_total: u64,
    pub(super) noop_total: u64,
    pub(super) cleanup_side_effect_failures: Vec<RuntimeMeQualityTeardownSideEffectData>,
    pub(super) duration: Vec<RuntimeMeQualityTeardownDurationData>,
 }
 #[derive(Serialize)]
 pub(super) struct RuntimeMeQualityRouteDropData {
    pub(super) no_conn_total: u64,
@@ -113,12 +160,14 @@ pub(super) struct RuntimeMeQualityDcRttData {
    pub(super) rtt_ema_ms: Option<f64>,
    pub(super) alive_writers: usize,
    pub(super) required_writers: usize,
    pub(super) coverage_ratio: f64,
    pub(super) coverage_pct: f64,
 }
 #[derive(Serialize)]
 pub(super) struct RuntimeMeQualityPayload {
    pub(super) counters: RuntimeMeQualityCountersData,
    pub(super) teardown: RuntimeMeQualityTeardownData,
    pub(super) route_drops: RuntimeMeQualityRouteDropData,
    pub(super) dc_rtt: Vec<RuntimeMeQualityDcRttData>,
 }
@@ -373,6 +422,7 @@ pub(super) async fn build_runtime_me_quality_data(shared: &ApiShared) -> Runtime
                reconnect_attempt_total: shared.stats.get_me_reconnect_attempts(),
                reconnect_success_total: shared.stats.get_me_reconnect_success(),
            },
            teardown: build_runtime_me_teardown_data(shared),
            route_drops: RuntimeMeQualityRouteDropData {
                no_conn_total: shared.stats.get_me_route_drop_no_conn(),
                channel_closed_total: shared.stats.get_me_route_drop_channel_closed(),
@@ -388,6 +438,7 @@ pub(super) async fn build_runtime_me_quality_data(shared: &ApiShared) -> Runtime
                    rtt_ema_ms: dc.rtt_ms,
                    alive_writers: dc.alive_writers,
                    required_writers: dc.required_writers,
                    coverage_ratio: dc.coverage_ratio,
                    coverage_pct: dc.coverage_pct,
                })
                .collect(),
@@ -395,6 +446,81 @@ pub(super) async fn build_runtime_me_quality_data(shared: &ApiShared) -> Runtime
    }
 }
 fn build_runtime_me_teardown_data(shared: &ApiShared) -> RuntimeMeQualityTeardownData {
    let attempts = MeWriterTeardownReason::ALL
        .iter()
        .copied()
        .flat_map(|reason| {
            MeWriterTeardownMode::ALL
                .iter()
                .copied()
                .map(move |mode| RuntimeMeQualityTeardownAttemptData {
                    reason: reason.as_str(),
                    mode: mode.as_str(),
                    total: shared.stats.get_me_writer_teardown_attempt_total(reason, mode),
                })
        })
        .collect();
    let success = MeWriterTeardownMode::ALL
        .iter()
        .copied()
        .map(|mode| RuntimeMeQualityTeardownSuccessData {
            mode: mode.as_str(),
            total: shared.stats.get_me_writer_teardown_success_total(mode),
        })
        .collect();
    let cleanup_side_effect_failures = MeWriterCleanupSideEffectStep::ALL
        .iter()
        .copied()
        .map(|step| RuntimeMeQualityTeardownSideEffectData {
            step: step.as_str(),
            total: shared
                .stats
                .get_me_writer_cleanup_side_effect_failures_total(step),
        })
        .collect();
    let duration = MeWriterTeardownMode::ALL
        .iter()
        .copied()
        .map(|mode| {
            let count = shared.stats.get_me_writer_teardown_duration_count(mode);
            let mut buckets: Vec<RuntimeMeQualityTeardownDurationBucketData> = Stats::me_writer_teardown_duration_bucket_labels()
                .iter()
                .enumerate()
                .map(|(bucket_idx, label)| RuntimeMeQualityTeardownDurationBucketData {
                    le_seconds: label,
                    total: shared
                        .stats
                        .get_me_writer_teardown_duration_bucket_total(mode, bucket_idx),
                })
                .collect();
            buckets.push(RuntimeMeQualityTeardownDurationBucketData {
                le_seconds: "+Inf",
                total: count,
            });
            RuntimeMeQualityTeardownDurationData {
                mode: mode.as_str(),
                count,
                sum_seconds: shared.stats.get_me_writer_teardown_duration_sum_seconds(mode),
                buckets,
            }
        })
        .collect();
    RuntimeMeQualityTeardownData {
        attempts,
        success,
        timeout_total: shared.stats.get_me_writer_teardown_timeout_total(),
        escalation_total: shared.stats.get_me_writer_teardown_escalation_total(),
        noop_total: shared.stats.get_me_writer_teardown_noop_total(),
        cleanup_side_effect_failures,
        duration,
    }
 }
 pub(super) async fn build_runtime_upstream_quality_data(
    shared: &ApiShared,
 ) -> RuntimeUpstreamQualityData {
--- a/src/api/runtime_stats.rs
+++ b/src/api/runtime_stats.rs
@@ -1,7 +1,7 @@
 use std::time::{Duration, Instant, SystemTime, UNIX_EPOCH};
 use crate::config::ApiConfig;
-use crate::stats::Stats;
+use crate::stats::{MeWriterTeardownMode, Stats};
 use crate::transport::upstream::IpPreference;
 use crate::transport::UpstreamRouteKind;
@@ -96,6 +96,8 @@ pub(super) fn build_zero_all_data(stats: &Stats, configured_users: usize) -> Zer
            pool_swap_total: stats.get_pool_swap_total(),
            pool_drain_active: stats.get_pool_drain_active(),
            pool_force_close_total: stats.get_pool_force_close_total(),
            pool_drain_soft_evict_total: stats.get_pool_drain_soft_evict_total(),
            pool_drain_soft_evict_writer_total: stats.get_pool_drain_soft_evict_writer_total(),
            pool_stale_pick_total: stats.get_pool_stale_pick_total(),
            writer_removed_total: stats.get_me_writer_removed_total(),
            writer_removed_unexpected_total: stats.get_me_writer_removed_unexpected_total(),
@@ -104,6 +106,29 @@ pub(super) fn build_zero_all_data(stats: &Stats, configured_users: usize) -> Zer
            refill_failed_total: stats.get_me_refill_failed_total(),
            writer_restored_same_endpoint_total: stats.get_me_writer_restored_same_endpoint_total(),
            writer_restored_fallback_total: stats.get_me_writer_restored_fallback_total(),
            teardown_attempt_total_normal: stats
                .get_me_writer_teardown_attempt_total_by_mode(MeWriterTeardownMode::Normal),
            teardown_attempt_total_hard_detach: stats
                .get_me_writer_teardown_attempt_total_by_mode(MeWriterTeardownMode::HardDetach),
            teardown_success_total_normal: stats
                .get_me_writer_teardown_success_total(MeWriterTeardownMode::Normal),
            teardown_success_total_hard_detach: stats
                .get_me_writer_teardown_success_total(MeWriterTeardownMode::HardDetach),
            teardown_timeout_total: stats.get_me_writer_teardown_timeout_total(),
            teardown_escalation_total: stats.get_me_writer_teardown_escalation_total(),
            teardown_noop_total: stats.get_me_writer_teardown_noop_total(),
            teardown_cleanup_side_effect_failures_total: stats
                .get_me_writer_cleanup_side_effect_failures_total_all(),
            teardown_duration_count_total: stats
                .get_me_writer_teardown_duration_count(MeWriterTeardownMode::Normal)
                .saturating_add(
                    stats.get_me_writer_teardown_duration_count(MeWriterTeardownMode::HardDetach),
                ),
            teardown_duration_sum_seconds_total: stats
                .get_me_writer_teardown_duration_sum_seconds(MeWriterTeardownMode::Normal)
                + stats.get_me_writer_teardown_duration_sum_seconds(
                    MeWriterTeardownMode::HardDetach,
                ),
        },
        desync: ZeroDesyncData {
            secure_padding_invalid_total: stats.get_secure_padding_invalid(),
@@ -313,6 +338,7 @@ async fn get_minimal_payload_cached(
            available_pct: status.available_pct,
            required_writers: status.required_writers,
            alive_writers: status.alive_writers,
            coverage_ratio: status.coverage_ratio,
            coverage_pct: status.coverage_pct,
            fresh_alive_writers: status.fresh_alive_writers,
            fresh_coverage_pct: status.fresh_coverage_pct,
@@ -370,6 +396,7 @@ async fn get_minimal_payload_cached(
                floor_max: entry.floor_max,
                floor_capped: entry.floor_capped,
                alive_writers: entry.alive_writers,
                coverage_ratio: entry.coverage_ratio,
                coverage_pct: entry.coverage_pct,
                fresh_alive_writers: entry.fresh_alive_writers,
                fresh_coverage_pct: entry.fresh_coverage_pct,
@@ -427,6 +454,12 @@ async fn get_minimal_payload_cached(
        me_reconnect_backoff_cap_ms: runtime.me_reconnect_backoff_cap_ms,
        me_reconnect_fast_retry_count: runtime.me_reconnect_fast_retry_count,
        me_pool_drain_ttl_secs: runtime.me_pool_drain_ttl_secs,
        me_instadrain: runtime.me_instadrain,
        me_pool_drain_soft_evict_enabled: runtime.me_pool_drain_soft_evict_enabled,
        me_pool_drain_soft_evict_grace_secs: runtime.me_pool_drain_soft_evict_grace_secs,
        me_pool_drain_soft_evict_per_writer: runtime.me_pool_drain_soft_evict_per_writer,
        me_pool_drain_soft_evict_budget_per_core: runtime.me_pool_drain_soft_evict_budget_per_core,
        me_pool_drain_soft_evict_cooldown_ms: runtime.me_pool_drain_soft_evict_cooldown_ms,
        me_pool_force_close_secs: runtime.me_pool_force_close_secs,
        me_pool_min_fresh_ratio: runtime.me_pool_min_fresh_ratio,
        me_bind_stale_mode: runtime.me_bind_stale_mode,
@@ -495,6 +528,7 @@ fn disabled_me_writers(now_epoch_secs: u64, reason: &'static str) -> MeWritersDa
            available_pct: 0.0,
            required_writers: 0,
            alive_writers: 0,
            coverage_ratio: 0.0,
            coverage_pct: 0.0,
            fresh_alive_writers: 0,
            fresh_coverage_pct: 0.0,
--- a/src/cli.rs
+++ b/src/cli.rs
@@ -198,8 +198,15 @@ desync_all_full = false
 update_every = 43200
 hardswap = false
 me_pool_drain_ttl_secs = 90
 me_instadrain = false
 me_pool_drain_threshold = 32
 me_pool_drain_soft_evict_grace_secs = 10
 me_pool_drain_soft_evict_per_writer = 2
 me_pool_drain_soft_evict_budget_per_core = 16
 me_pool_drain_soft_evict_cooldown_ms = 1000
 me_bind_stale_mode = "never"
 me_pool_min_fresh_ratio = 0.8
-me_reinit_drain_timeout_secs = 120
+me_reinit_drain_timeout_secs = 90
 [network]
 ipv4 = true
--- a/src/config/defaults.rs
+++ b/src/config/defaults.rs
@@ -27,8 +27,8 @@ const DEFAULT_ME_C2ME_CHANNEL_CAPACITY: usize = 1024;
 const DEFAULT_ME_READER_ROUTE_DATA_WAIT_MS: u64 = 2;
 const DEFAULT_ME_D2C_FLUSH_BATCH_MAX_FRAMES: usize = 32;
 const DEFAULT_ME_D2C_FLUSH_BATCH_MAX_BYTES: usize = 128 * 1024;
-const DEFAULT_ME_D2C_FLUSH_BATCH_MAX_DELAY_US: u64 = 1500;
+const DEFAULT_ME_D2C_FLUSH_BATCH_MAX_DELAY_US: u64 = 500;
-const DEFAULT_ME_D2C_ACK_FLUSH_IMMEDIATE: bool = false;
+const DEFAULT_ME_D2C_ACK_FLUSH_IMMEDIATE: bool = true;
 const DEFAULT_DIRECT_RELAY_COPY_BUF_C2S_BYTES: usize = 64 * 1024;
 const DEFAULT_DIRECT_RELAY_COPY_BUF_S2C_BYTES: usize = 256 * 1024;
 const DEFAULT_ME_WRITER_PICK_SAMPLE_SIZE: u8 = 3;
@@ -36,7 +36,16 @@ const DEFAULT_ME_HEALTH_INTERVAL_MS_UNHEALTHY: u64 = 1000;
 const DEFAULT_ME_HEALTH_INTERVAL_MS_HEALTHY: u64 = 3000;
 const DEFAULT_ME_ADMISSION_POLL_MS: u64 = 1000;
 const DEFAULT_ME_WARN_RATE_LIMIT_MS: u64 = 5000;
 const DEFAULT_ME_ROUTE_HYBRID_MAX_WAIT_MS: u64 = 3000;
 const DEFAULT_ME_ROUTE_BLOCKING_SEND_TIMEOUT_MS: u64 = 250;
 const DEFAULT_ME_C2ME_SEND_TIMEOUT_MS: u64 = 4000;
 const DEFAULT_ME_POOL_DRAIN_SOFT_EVICT_ENABLED: bool = true;
 const DEFAULT_ME_POOL_DRAIN_SOFT_EVICT_GRACE_SECS: u64 = 10;
 const DEFAULT_ME_POOL_DRAIN_SOFT_EVICT_PER_WRITER: u8 = 2;
 const DEFAULT_ME_POOL_DRAIN_SOFT_EVICT_BUDGET_PER_CORE: u16 = 16;
 const DEFAULT_ME_POOL_DRAIN_SOFT_EVICT_COOLDOWN_MS: u64 = 1000;
 const DEFAULT_USER_MAX_UNIQUE_IPS_WINDOW_SECS: u64 = 30;
 const DEFAULT_ACCEPT_PERMIT_TIMEOUT_MS: u64 = 250;
 const DEFAULT_UPSTREAM_CONNECT_RETRY_ATTEMPTS: u32 = 2;
 const DEFAULT_UPSTREAM_UNHEALTHY_FAIL_THRESHOLD: u32 = 5;
 const DEFAULT_UPSTREAM_CONNECT_BUDGET_MS: u64 = 3000;
@@ -85,11 +94,11 @@ pub(crate) fn default_connect_timeout() -> u64 {
 }
 pub(crate) fn default_keepalive() -> u64 {
-    60
+    15
 }
 pub(crate) fn default_ack_timeout() -> u64 {
-    300
+    90
 }
 pub(crate) fn default_me_one_retry() -> u8 {
    12
@@ -151,6 +160,10 @@ pub(crate) fn default_server_max_connections() -> u32 {
    10_000
 }
 pub(crate) fn default_accept_permit_timeout_ms() -> u64 {
    DEFAULT_ACCEPT_PERMIT_TIMEOUT_MS
 }
 pub(crate) fn default_prefer_4() -> u8 {
    4
 }
@@ -375,6 +388,18 @@ pub(crate) fn default_me_warn_rate_limit_ms() -> u64 {
    DEFAULT_ME_WARN_RATE_LIMIT_MS
 }
 pub(crate) fn default_me_route_hybrid_max_wait_ms() -> u64 {
    DEFAULT_ME_ROUTE_HYBRID_MAX_WAIT_MS
 }
 pub(crate) fn default_me_route_blocking_send_timeout_ms() -> u64 {
    DEFAULT_ME_ROUTE_BLOCKING_SEND_TIMEOUT_MS
 }
 pub(crate) fn default_me_c2me_send_timeout_ms() -> u64 {
    DEFAULT_ME_C2ME_SEND_TIMEOUT_MS
 }
 pub(crate) fn default_upstream_connect_retry_attempts() -> u32 {
    DEFAULT_UPSTREAM_CONNECT_RETRY_ATTEMPTS
 }
@@ -581,15 +606,39 @@ pub(crate) fn default_proxy_secret_len_max() -> usize {
 }
 pub(crate) fn default_me_reinit_drain_timeout_secs() -> u64 {
-    120
+    90
 }
 pub(crate) fn default_me_pool_drain_ttl_secs() -> u64 {
    90
 }
 pub(crate) fn default_me_instadrain() -> bool {
    false
 }
 pub(crate) fn default_me_pool_drain_threshold() -> u64 {
-    128
+    32
 }
 pub(crate) fn default_me_pool_drain_soft_evict_enabled() -> bool {
    DEFAULT_ME_POOL_DRAIN_SOFT_EVICT_ENABLED
 }
 pub(crate) fn default_me_pool_drain_soft_evict_grace_secs() -> u64 {
    DEFAULT_ME_POOL_DRAIN_SOFT_EVICT_GRACE_SECS
 }
 pub(crate) fn default_me_pool_drain_soft_evict_per_writer() -> u8 {
    DEFAULT_ME_POOL_DRAIN_SOFT_EVICT_PER_WRITER
 }
 pub(crate) fn default_me_pool_drain_soft_evict_budget_per_core() -> u16 {
    DEFAULT_ME_POOL_DRAIN_SOFT_EVICT_BUDGET_PER_CORE
 }
 pub(crate) fn default_me_pool_drain_soft_evict_cooldown_ms() -> u64 {
    DEFAULT_ME_POOL_DRAIN_SOFT_EVICT_COOLDOWN_MS
 }
 pub(crate) fn default_me_bind_stale_ttl_secs() -> u64 {
--- a/src/config/hot_reload.rs
+++ b/src/config/hot_reload.rs
@@ -39,6 +39,7 @@ use super::load::{LoadedConfig, ProxyConfig};
 const HOT_RELOAD_STABLE_SNAPSHOTS: u8 = 2;
 const HOT_RELOAD_DEBOUNCE: Duration = Duration::from_millis(50);
 const HOT_RELOAD_STABLE_RECHECK: Duration = Duration::from_millis(75);
 // ── Hot fields ────────────────────────────────────────────────────────────────
@@ -55,7 +56,13 @@ pub struct HotFields {
    pub me_reinit_coalesce_window_ms: u64,
    pub hardswap:                bool,
    pub me_pool_drain_ttl_secs:  u64,
    pub me_instadrain: bool,
    pub me_pool_drain_threshold: u64,
    pub me_pool_drain_soft_evict_enabled: bool,
    pub me_pool_drain_soft_evict_grace_secs: u64,
    pub me_pool_drain_soft_evict_per_writer: u8,
    pub me_pool_drain_soft_evict_budget_per_core: u16,
    pub me_pool_drain_soft_evict_cooldown_ms: u64,
    pub me_pool_min_fresh_ratio: f32,
    pub me_reinit_drain_timeout_secs: u64,
    pub me_hardswap_warmup_delay_min_ms: u64,
@@ -137,7 +144,17 @@ impl HotFields {
            me_reinit_coalesce_window_ms: cfg.general.me_reinit_coalesce_window_ms,
            hardswap:                cfg.general.hardswap,
            me_pool_drain_ttl_secs:  cfg.general.me_pool_drain_ttl_secs,
            me_instadrain: cfg.general.me_instadrain,
            me_pool_drain_threshold: cfg.general.me_pool_drain_threshold,
            me_pool_drain_soft_evict_enabled: cfg.general.me_pool_drain_soft_evict_enabled,
            me_pool_drain_soft_evict_grace_secs: cfg.general.me_pool_drain_soft_evict_grace_secs,
            me_pool_drain_soft_evict_per_writer: cfg.general.me_pool_drain_soft_evict_per_writer,
            me_pool_drain_soft_evict_budget_per_core: cfg
                .general
                .me_pool_drain_soft_evict_budget_per_core,
            me_pool_drain_soft_evict_cooldown_ms: cfg
                .general
                .me_pool_drain_soft_evict_cooldown_ms,
            me_pool_min_fresh_ratio: cfg.general.me_pool_min_fresh_ratio,
            me_reinit_drain_timeout_secs: cfg.general.me_reinit_drain_timeout_secs,
            me_hardswap_warmup_delay_min_ms: cfg.general.me_hardswap_warmup_delay_min_ms,
@@ -365,6 +382,14 @@ impl ReloadState {
        self.applied_snapshot_hash = Some(hash);
        self.reset_candidate();
    }
    fn pending_candidate(&self) -> Option<(u64, u8)> {
        let hash = self.candidate_snapshot_hash?;
        if self.candidate_hits < HOT_RELOAD_STABLE_SNAPSHOTS {
            return Some((hash, self.candidate_hits));
        }
        None
    }
 }
 fn normalize_watch_path(path: &Path) -> PathBuf {
@@ -454,7 +479,17 @@ fn overlay_hot_fields(old: &ProxyConfig, new: &ProxyConfig) -> ProxyConfig {
    cfg.general.me_reinit_coalesce_window_ms = new.general.me_reinit_coalesce_window_ms;
    cfg.general.hardswap = new.general.hardswap;
    cfg.general.me_pool_drain_ttl_secs = new.general.me_pool_drain_ttl_secs;
    cfg.general.me_instadrain = new.general.me_instadrain;
    cfg.general.me_pool_drain_threshold = new.general.me_pool_drain_threshold;
    cfg.general.me_pool_drain_soft_evict_enabled = new.general.me_pool_drain_soft_evict_enabled;
    cfg.general.me_pool_drain_soft_evict_grace_secs =
        new.general.me_pool_drain_soft_evict_grace_secs;
    cfg.general.me_pool_drain_soft_evict_per_writer =
        new.general.me_pool_drain_soft_evict_per_writer;
    cfg.general.me_pool_drain_soft_evict_budget_per_core =
        new.general.me_pool_drain_soft_evict_budget_per_core;
    cfg.general.me_pool_drain_soft_evict_cooldown_ms =
        new.general.me_pool_drain_soft_evict_cooldown_ms;
    cfg.general.me_pool_min_fresh_ratio = new.general.me_pool_min_fresh_ratio;
    cfg.general.me_reinit_drain_timeout_secs = new.general.me_reinit_drain_timeout_secs;
    cfg.general.me_hardswap_warmup_delay_min_ms = new.general.me_hardswap_warmup_delay_min_ms;
@@ -580,6 +615,8 @@ fn warn_non_hot_changes(old: &ProxyConfig, new: &ProxyConfig, non_hot_changed: b
        || old.server.listen_tcp != new.server.listen_tcp
        || old.server.listen_unix_sock != new.server.listen_unix_sock
        || old.server.listen_unix_sock_perm != new.server.listen_unix_sock_perm
        || old.server.max_connections != new.server.max_connections
        || old.server.accept_permit_timeout_ms != new.server.accept_permit_timeout_ms
    {
        warned = true;
        warn!("config reload: server listener settings changed; restart required");
@@ -639,6 +676,9 @@ fn warn_non_hot_changes(old: &ProxyConfig, new: &ProxyConfig, non_hot_changed: b
    }
    if old.general.me_route_no_writer_mode != new.general.me_route_no_writer_mode
        || old.general.me_route_no_writer_wait_ms != new.general.me_route_no_writer_wait_ms
        || old.general.me_route_hybrid_max_wait_ms != new.general.me_route_hybrid_max_wait_ms
        || old.general.me_route_blocking_send_timeout_ms
            != new.general.me_route_blocking_send_timeout_ms
        || old.general.me_route_inline_recovery_attempts
            != new.general.me_route_inline_recovery_attempts
        || old.general.me_route_inline_recovery_wait_ms
@@ -647,6 +687,10 @@ fn warn_non_hot_changes(old: &ProxyConfig, new: &ProxyConfig, non_hot_changed: b
        warned = true;
        warn!("config reload: general.me_route_no_writer_* changed; restart required");
    }
    if old.general.me_c2me_send_timeout_ms != new.general.me_c2me_send_timeout_ms {
        warned = true;
        warn!("config reload: general.me_c2me_send_timeout_ms changed; restart required");
    }
    if old.general.unknown_dc_log_path != new.general.unknown_dc_log_path
        || old.general.unknown_dc_file_log_enabled != new.general.unknown_dc_file_log_enabled
    {
@@ -828,6 +872,12 @@ fn log_changes(
            old_hot.me_pool_drain_ttl_secs, new_hot.me_pool_drain_ttl_secs,
        );
    }
    if old_hot.me_instadrain != new_hot.me_instadrain {
        info!(
            "config reload: me_instadrain: {} → {}",
            old_hot.me_instadrain, new_hot.me_instadrain,
        );
    }
    if old_hot.me_pool_drain_threshold != new_hot.me_pool_drain_threshold {
        info!(
@@ -835,6 +885,25 @@ fn log_changes(
            old_hot.me_pool_drain_threshold, new_hot.me_pool_drain_threshold,
        );
    }
    if old_hot.me_pool_drain_soft_evict_enabled != new_hot.me_pool_drain_soft_evict_enabled
        || old_hot.me_pool_drain_soft_evict_grace_secs
            != new_hot.me_pool_drain_soft_evict_grace_secs
        || old_hot.me_pool_drain_soft_evict_per_writer
            != new_hot.me_pool_drain_soft_evict_per_writer
        || old_hot.me_pool_drain_soft_evict_budget_per_core
            != new_hot.me_pool_drain_soft_evict_budget_per_core
        || old_hot.me_pool_drain_soft_evict_cooldown_ms
            != new_hot.me_pool_drain_soft_evict_cooldown_ms
    {
        info!(
            "config reload: me_pool_drain_soft_evict: enabled={} grace={}s per_writer={} budget_per_core={} cooldown={}ms",
            new_hot.me_pool_drain_soft_evict_enabled,
            new_hot.me_pool_drain_soft_evict_grace_secs,
            new_hot.me_pool_drain_soft_evict_per_writer,
            new_hot.me_pool_drain_soft_evict_budget_per_core,
            new_hot.me_pool_drain_soft_evict_cooldown_ms
        );
    }
    if (old_hot.me_pool_min_fresh_ratio - new_hot.me_pool_min_fresh_ratio).abs() > f32::EPSILON {
        info!(
@@ -1211,6 +1280,73 @@ fn reload_config(
    Some(next_manifest)
 }
 async fn reload_with_internal_stable_rechecks(
    config_path: &PathBuf,
    config_tx: &watch::Sender<Arc<ProxyConfig>>,
    log_tx: &watch::Sender<LogLevel>,
    detected_ip_v4: Option<IpAddr>,
    detected_ip_v6: Option<IpAddr>,
    reload_state: &mut ReloadState,
 ) -> Option<WatchManifest> {
    let mut next_manifest = reload_config(
        config_path,
        config_tx,
        log_tx,
        detected_ip_v4,
        detected_ip_v6,
        reload_state,
    );
    let mut rechecks_left = HOT_RELOAD_STABLE_SNAPSHOTS.saturating_sub(1);
    while rechecks_left > 0 {
        let Some((snapshot_hash, candidate_hits)) = reload_state.pending_candidate() else {
            break;
        };
        info!(
            snapshot_hash,
            candidate_hits,
            required_hits = HOT_RELOAD_STABLE_SNAPSHOTS,
            rechecks_left,
            recheck_delay_ms = HOT_RELOAD_STABLE_RECHECK.as_millis(),
            "config reload: scheduling internal stable recheck"
        );
        tokio::time::sleep(HOT_RELOAD_STABLE_RECHECK).await;
        let recheck_manifest = reload_config(
            config_path,
            config_tx,
            log_tx,
            detected_ip_v4,
            detected_ip_v6,
            reload_state,
        );
        if recheck_manifest.is_some() {
            next_manifest = recheck_manifest;
        }
        if reload_state.is_applied(snapshot_hash) {
            info!(
                snapshot_hash,
                "config reload: applied after internal stable recheck"
            );
            break;
        }
        if reload_state.pending_candidate().is_none() {
            info!(
                snapshot_hash,
                "config reload: internal stable recheck aborted"
            );
            break;
        }
        rechecks_left = rechecks_left.saturating_sub(1);
    }
    next_manifest
 }
 // ── Public API ────────────────────────────────────────────────────────────────
 /// Spawn the hot-reload watcher task.
@@ -1334,14 +1470,16 @@ pub fn spawn_config_watcher(
            tokio::time::sleep(HOT_RELOAD_DEBOUNCE).await;
            while notify_rx.try_recv().is_ok() {}
-            if let Some(next_manifest) = reload_config(
+            if let Some(next_manifest) = reload_with_internal_stable_rechecks(
                &config_path,
                &config_tx,
                &log_tx,
                detected_ip_v4,
                detected_ip_v6,
                &mut reload_state,
-            ) {
+            )
            .await
            {
                apply_watch_manifest(
                    inotify_watcher.as_mut(),
                    poll_watcher.as_mut(),
@@ -1498,6 +1636,35 @@ mod tests {
        let _ = std::fs::remove_file(path);
    }
    #[tokio::test]
    async fn reload_cycle_applies_after_single_external_event() {
        let initial_tag = "10101010101010101010101010101010";
        let final_tag = "20202020202020202020202020202020";
        let path = temp_config_path("telemt_hot_reload_single_event");
        write_reload_config(&path, Some(initial_tag), None);
        let initial_cfg = Arc::new(ProxyConfig::load(&path).unwrap());
        let initial_hash = ProxyConfig::load_with_metadata(&path).unwrap().rendered_hash;
        let (config_tx, _config_rx) = watch::channel(initial_cfg.clone());
        let (log_tx, _log_rx) = watch::channel(initial_cfg.general.log_level.clone());
        let mut reload_state = ReloadState::new(Some(initial_hash));
        write_reload_config(&path, Some(final_tag), None);
        reload_with_internal_stable_rechecks(
            &path,
            &config_tx,
            &log_tx,
            None,
            None,
            &mut reload_state,
        )
        .await
        .unwrap();
        assert_eq!(config_tx.borrow().general.ad_tag.as_deref(), Some(final_tag));
        let _ = std::fs::remove_file(path);
    }
    #[test]
    fn reload_keeps_hot_apply_when_non_hot_fields_change() {
        let initial_tag = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
--- a/src/config/load.rs
+++ b/src/config/load.rs
@@ -346,6 +346,12 @@ impl ProxyConfig {
            ));
        }
        if config.general.me_c2me_send_timeout_ms > 60_000 {
            return Err(ProxyError::Config(
                "general.me_c2me_send_timeout_ms must be within [0, 60000]".to_string(),
            ));
        }
        if config.general.me_reader_route_data_wait_ms > 20 {
            return Err(ProxyError::Config(
                "general.me_reader_route_data_wait_ms must be within [0, 20]".to_string(),
@@ -406,6 +412,35 @@ impl ProxyConfig {
            ));
        }
        if config.general.me_pool_drain_soft_evict_grace_secs > 3600 {
            return Err(ProxyError::Config(
                "general.me_pool_drain_soft_evict_grace_secs must be within [0, 3600]".to_string(),
            ));
        }
        if config.general.me_pool_drain_soft_evict_per_writer == 0
            || config.general.me_pool_drain_soft_evict_per_writer > 16
        {
            return Err(ProxyError::Config(
                "general.me_pool_drain_soft_evict_per_writer must be within [1, 16]".to_string(),
            ));
        }
        if config.general.me_pool_drain_soft_evict_budget_per_core == 0
            || config.general.me_pool_drain_soft_evict_budget_per_core > 64
        {
            return Err(ProxyError::Config(
                "general.me_pool_drain_soft_evict_budget_per_core must be within [1, 64]"
                    .to_string(),
            ));
        }
        if config.general.me_pool_drain_soft_evict_cooldown_ms == 0 {
            return Err(ProxyError::Config(
                "general.me_pool_drain_soft_evict_cooldown_ms must be > 0".to_string(),
            ));
        }
        if config.access.user_max_unique_ips_window_secs == 0 {
            return Err(ProxyError::Config(
                "access.user_max_unique_ips_window_secs must be > 0".to_string(),
@@ -577,6 +612,11 @@ impl ProxyConfig {
                "general.me_route_backpressure_base_timeout_ms must be > 0".to_string(),
            ));
        }
        if config.general.me_route_backpressure_base_timeout_ms > 5000 {
            return Err(ProxyError::Config(
                "general.me_route_backpressure_base_timeout_ms must be within [1, 5000]".to_string(),
            ));
        }
        if config.general.me_route_backpressure_high_timeout_ms
            < config.general.me_route_backpressure_base_timeout_ms
@@ -585,6 +625,11 @@ impl ProxyConfig {
                "general.me_route_backpressure_high_timeout_ms must be >= general.me_route_backpressure_base_timeout_ms".to_string(),
            ));
        }
        if config.general.me_route_backpressure_high_timeout_ms > 5000 {
            return Err(ProxyError::Config(
                "general.me_route_backpressure_high_timeout_ms must be within [1, 5000]".to_string(),
            ));
        }
        if !(1..=100).contains(&config.general.me_route_backpressure_high_watermark_pct) {
            return Err(ProxyError::Config(
@@ -598,6 +643,18 @@ impl ProxyConfig {
            ));
        }
        if !(50..=60_000).contains(&config.general.me_route_hybrid_max_wait_ms) {
            return Err(ProxyError::Config(
                "general.me_route_hybrid_max_wait_ms must be within [50, 60000]".to_string(),
            ));
        }
        if config.general.me_route_blocking_send_timeout_ms > 5000 {
            return Err(ProxyError::Config(
                "general.me_route_blocking_send_timeout_ms must be within [0, 5000]".to_string(),
            ));
        }
        if !(2..=4).contains(&config.general.me_writer_pick_sample_size) {
            return Err(ProxyError::Config(
                "general.me_writer_pick_sample_size must be within [2, 4]".to_string(),
@@ -658,6 +715,12 @@ impl ProxyConfig {
            ));
        }
        if config.server.accept_permit_timeout_ms > 60_000 {
            return Err(ProxyError::Config(
                "server.accept_permit_timeout_ms must be within [0, 60000]".to_string(),
            ));
        }
        if config.general.effective_me_pool_force_close_secs() > 0
            && config.general.effective_me_pool_force_close_secs()
                < config.general.me_pool_drain_ttl_secs
@@ -1571,6 +1634,47 @@ mod tests {
        let _ = std::fs::remove_file(path_valid);
    }
    #[test]
    fn me_route_backpressure_base_timeout_ms_out_of_range_is_rejected() {
        let toml = r#"
            [general]
            me_route_backpressure_base_timeout_ms = 5001
            [censorship]
            tls_domain = "example.com"
            [access.users]
            user = "00000000000000000000000000000000"
        "#;
        let dir = std::env::temp_dir();
        let path = dir.join("telemt_me_route_backpressure_base_timeout_ms_out_of_range_test.toml");
        std::fs::write(&path, toml).unwrap();
        let err = ProxyConfig::load(&path).unwrap_err().to_string();
        assert!(err.contains("general.me_route_backpressure_base_timeout_ms must be within [1, 5000]"));
        let _ = std::fs::remove_file(path);
    }
    #[test]
    fn me_route_backpressure_high_timeout_ms_out_of_range_is_rejected() {
        let toml = r#"
            [general]
            me_route_backpressure_base_timeout_ms = 100
            me_route_backpressure_high_timeout_ms = 5001
            [censorship]
            tls_domain = "example.com"
            [access.users]
            user = "00000000000000000000000000000000"
        "#;
        let dir = std::env::temp_dir();
        let path = dir.join("telemt_me_route_backpressure_high_timeout_ms_out_of_range_test.toml");
        std::fs::write(&path, toml).unwrap();
        let err = ProxyConfig::load(&path).unwrap_err().to_string();
        assert!(err.contains("general.me_route_backpressure_high_timeout_ms must be within [1, 5000]"));
        let _ = std::fs::remove_file(path);
    }
    #[test]
    fn me_route_no_writer_wait_ms_out_of_range_is_rejected() {
        let toml = r#"
@@ -1933,6 +2037,45 @@ mod tests {
        let _ = std::fs::remove_file(path);
    }
    #[test]
    fn force_close_default_matches_drain_ttl() {
        let toml = r#"
            [censorship]
            tls_domain = "example.com"
            [access.users]
            user = "00000000000000000000000000000000"
        "#;
        let dir = std::env::temp_dir();
        let path = dir.join("telemt_force_close_default_test.toml");
        std::fs::write(&path, toml).unwrap();
        let cfg = ProxyConfig::load(&path).unwrap();
        assert_eq!(cfg.general.me_reinit_drain_timeout_secs, 90);
        assert_eq!(cfg.general.effective_me_pool_force_close_secs(), 90);
        let _ = std::fs::remove_file(path);
    }
    #[test]
    fn force_close_zero_uses_runtime_safety_fallback() {
        let toml = r#"
            [general]
            me_reinit_drain_timeout_secs = 0
            [censorship]
            tls_domain = "example.com"
            [access.users]
            user = "00000000000000000000000000000000"
        "#;
        let dir = std::env::temp_dir();
        let path = dir.join("telemt_force_close_zero_fallback_test.toml");
        std::fs::write(&path, toml).unwrap();
        let cfg = ProxyConfig::load(&path).unwrap();
        assert_eq!(cfg.general.me_reinit_drain_timeout_secs, 0);
        assert_eq!(cfg.general.effective_me_pool_force_close_secs(), 300);
        let _ = std::fs::remove_file(path);
    }
    #[test]
    fn force_close_bumped_when_below_drain_ttl() {
        let toml = r#"
--- a/src/config/types.rs
+++ b/src/config/types.rs
@@ -135,8 +135,8 @@ impl MeSocksKdfPolicy {
 #[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, Default)]
 #[serde(rename_all = "lowercase")]
 pub enum MeBindStaleMode {
    Never,
    #[default]
    Never,
    Ttl,
    Always,
 }
@@ -462,6 +462,11 @@ pub struct GeneralConfig {
    #[serde(default = "default_me_c2me_channel_capacity")]
    pub me_c2me_channel_capacity: usize,
    /// Maximum wait in milliseconds for enqueueing C2ME commands when the queue is full.
    /// `0` keeps legacy unbounded wait behavior.
    #[serde(default = "default_me_c2me_send_timeout_ms")]
    pub me_c2me_send_timeout_ms: u64,
    /// Bounded wait in milliseconds for routing ME DATA to per-connection queue.
    /// `0` keeps legacy no-wait behavior.
    #[serde(default = "default_me_reader_route_data_wait_ms")]
@@ -716,6 +721,15 @@ pub struct GeneralConfig {
    #[serde(default = "default_me_route_no_writer_wait_ms")]
    pub me_route_no_writer_wait_ms: u64,
    /// Maximum cumulative wait in milliseconds for hybrid no-writer mode before failfast.
    #[serde(default = "default_me_route_hybrid_max_wait_ms")]
    pub me_route_hybrid_max_wait_ms: u64,
    /// Maximum wait in milliseconds for blocking ME writer channel send fallback.
    /// `0` keeps legacy unbounded wait behavior.
    #[serde(default = "default_me_route_blocking_send_timeout_ms")]
    pub me_route_blocking_send_timeout_ms: u64,
    /// Number of inline recovery attempts in legacy mode.
    #[serde(default = "default_me_route_inline_recovery_attempts")]
    pub me_route_inline_recovery_attempts: u32,
@@ -798,11 +812,35 @@ pub struct GeneralConfig {
    #[serde(default = "default_me_pool_drain_ttl_secs")]
    pub me_pool_drain_ttl_secs: u64,
    /// Force-remove any draining writer on the next cleanup tick, regardless of age/deadline.
    #[serde(default = "default_me_instadrain")]
    pub me_instadrain: bool,
    /// Maximum allowed number of draining ME writers before oldest ones are force-closed in batches.
    /// Set to 0 to disable threshold-based draining cleanup and keep timeout-only behavior.
    #[serde(default = "default_me_pool_drain_threshold")]
    pub me_pool_drain_threshold: u64,
    /// Enable staged client eviction for draining ME writers that remain non-empty past TTL.
    #[serde(default = "default_me_pool_drain_soft_evict_enabled")]
    pub me_pool_drain_soft_evict_enabled: bool,
    /// Extra grace in seconds after drain TTL before soft-eviction stage starts.
    #[serde(default = "default_me_pool_drain_soft_evict_grace_secs")]
    pub me_pool_drain_soft_evict_grace_secs: u64,
    /// Maximum number of client sessions to evict from one draining writer per health tick.
    #[serde(default = "default_me_pool_drain_soft_evict_per_writer")]
    pub me_pool_drain_soft_evict_per_writer: u8,
    /// Soft-eviction budget per CPU core for one health tick.
    #[serde(default = "default_me_pool_drain_soft_evict_budget_per_core")]
    pub me_pool_drain_soft_evict_budget_per_core: u16,
    /// Cooldown for repetitive soft-eviction on the same writer in milliseconds.
    #[serde(default = "default_me_pool_drain_soft_evict_cooldown_ms")]
    pub me_pool_drain_soft_evict_cooldown_ms: u64,
    /// Policy for new binds on stale draining writers.
    #[serde(default)]
    pub me_bind_stale_mode: MeBindStaleMode,
@@ -817,7 +855,7 @@ pub struct GeneralConfig {
    pub me_pool_min_fresh_ratio: f32,
    /// Drain timeout in seconds for stale ME writers after endpoint map changes.
-    /// Set to 0 to keep stale writers draining indefinitely (no force-close).
+    /// Set to 0 to use the runtime safety fallback timeout.
    #[serde(default = "default_me_reinit_drain_timeout_secs")]
    pub me_reinit_drain_timeout_secs: u64,
@@ -901,6 +939,7 @@ impl Default for GeneralConfig {
            me_writer_cmd_channel_capacity: default_me_writer_cmd_channel_capacity(),
            me_route_channel_capacity: default_me_route_channel_capacity(),
            me_c2me_channel_capacity: default_me_c2me_channel_capacity(),
            me_c2me_send_timeout_ms: default_me_c2me_send_timeout_ms(),
            me_reader_route_data_wait_ms: default_me_reader_route_data_wait_ms(),
            me_d2c_flush_batch_max_frames: default_me_d2c_flush_batch_max_frames(),
            me_d2c_flush_batch_max_bytes: default_me_d2c_flush_batch_max_bytes(),
@@ -955,6 +994,8 @@ impl Default for GeneralConfig {
            me_warn_rate_limit_ms: default_me_warn_rate_limit_ms(),
            me_route_no_writer_mode: MeRouteNoWriterMode::default(),
            me_route_no_writer_wait_ms: default_me_route_no_writer_wait_ms(),
            me_route_hybrid_max_wait_ms: default_me_route_hybrid_max_wait_ms(),
            me_route_blocking_send_timeout_ms: default_me_route_blocking_send_timeout_ms(),
            me_route_inline_recovery_attempts: default_me_route_inline_recovery_attempts(),
            me_route_inline_recovery_wait_ms: default_me_route_inline_recovery_wait_ms(),
            links: LinksConfig::default(),
@@ -983,7 +1024,15 @@ impl Default for GeneralConfig {
            me_secret_atomic_snapshot: default_me_secret_atomic_snapshot(),
            proxy_secret_len_max: default_proxy_secret_len_max(),
            me_pool_drain_ttl_secs: default_me_pool_drain_ttl_secs(),
            me_instadrain: default_me_instadrain(),
            me_pool_drain_threshold: default_me_pool_drain_threshold(),
            me_pool_drain_soft_evict_enabled: default_me_pool_drain_soft_evict_enabled(),
            me_pool_drain_soft_evict_grace_secs: default_me_pool_drain_soft_evict_grace_secs(),
            me_pool_drain_soft_evict_per_writer: default_me_pool_drain_soft_evict_per_writer(),
            me_pool_drain_soft_evict_budget_per_core:
                default_me_pool_drain_soft_evict_budget_per_core(),
            me_pool_drain_soft_evict_cooldown_ms:
                default_me_pool_drain_soft_evict_cooldown_ms(),
            me_bind_stale_mode: MeBindStaleMode::default(),
            me_bind_stale_ttl_secs: default_me_bind_stale_ttl_secs(),
            me_pool_min_fresh_ratio: default_me_pool_min_fresh_ratio(),
@@ -1019,8 +1068,13 @@ impl GeneralConfig {
    /// Resolve force-close timeout for stale writers.
    /// `me_reinit_drain_timeout_secs` remains backward-compatible alias.
    /// A configured `0` uses the runtime safety fallback (300s).
    pub fn effective_me_pool_force_close_secs(&self) -> u64 {
-        self.me_reinit_drain_timeout_secs
+        if self.me_reinit_drain_timeout_secs == 0 {
            300
        } else {
            self.me_reinit_drain_timeout_secs
        }
    }
 }
@@ -1156,9 +1210,17 @@ pub struct ServerConfig {
    #[serde(default = "default_proxy_protocol_header_timeout_ms")]
    pub proxy_protocol_header_timeout_ms: u64,
    /// Port for the Prometheus-compatible metrics endpoint.
    /// Enables metrics when set; binds on all interfaces (dual-stack) by default.
    #[serde(default)]
    pub metrics_port: Option<u16>,
    /// Listen address for metrics in `IP:PORT` format (e.g. `"127.0.0.1:9090"`).
    /// When set, takes precedence over `metrics_port` and binds on the specified address only.
    #[serde(default)]
    pub metrics_listen: Option<String>,
    /// CIDR whitelist for the metrics endpoint.
    #[serde(default = "default_metrics_whitelist")]
    pub metrics_whitelist: Vec<IpNetwork>,
@@ -1172,6 +1234,11 @@ pub struct ServerConfig {
    /// 0 means unlimited.
    #[serde(default = "default_server_max_connections")]
    pub max_connections: u32,
    /// Maximum wait in milliseconds while acquiring a connection slot permit.
    /// `0` keeps legacy unbounded wait behavior.
    #[serde(default = "default_accept_permit_timeout_ms")]
    pub accept_permit_timeout_ms: u64,
 }
 impl Default for ServerConfig {
@@ -1186,10 +1253,12 @@ impl Default for ServerConfig {
            proxy_protocol: false,
            proxy_protocol_header_timeout_ms: default_proxy_protocol_header_timeout_ms(),
            metrics_port: None,
            metrics_listen: None,
            metrics_whitelist: default_metrics_whitelist(),
            api: ApiConfig::default(),
            listeners: Vec::new(),
            max_connections: default_server_max_connections(),
            accept_permit_timeout_ms: default_accept_permit_timeout_ms(),
        }
    }
 }
--- a/src/ip_tracker_regression_tests.rs
+++ b/src/ip_tracker_regression_tests.rs
@@ -0,0 +1,450 @@
 use std::collections::HashMap;
 use std::net::{IpAddr, Ipv4Addr};
 use std::sync::Arc;
 use std::time::Duration;
 use crate::config::UserMaxUniqueIpsMode;
 use crate::ip_tracker::UserIpTracker;
 fn ip_from_idx(idx: u32) -> IpAddr {
    let a = 10u8;
    let b = ((idx / 65_536) % 256) as u8;
    let c = ((idx / 256) % 256) as u8;
    let d = (idx % 256) as u8;
    IpAddr::V4(Ipv4Addr::new(a, b, c, d))
 }
 #[tokio::test]
 async fn active_window_enforces_large_unique_ip_burst() {
    let tracker = UserIpTracker::new();
    tracker.set_user_limit("burst_user", 64).await;
    tracker
        .set_limit_policy(UserMaxUniqueIpsMode::ActiveWindow, 30)
        .await;
    for idx in 0..64 {
        assert!(tracker.check_and_add("burst_user", ip_from_idx(idx)).await.is_ok());
    }
    assert!(tracker.check_and_add("burst_user", ip_from_idx(9_999)).await.is_err());
    assert_eq!(tracker.get_active_ip_count("burst_user").await, 64);
 }
 #[tokio::test]
 async fn global_limit_applies_across_many_users() {
    let tracker = UserIpTracker::new();
    tracker.load_limits(3, &HashMap::new()).await;
    for user_idx in 0..150u32 {
        let user = format!("u{}", user_idx);
        assert!(tracker.check_and_add(&user, ip_from_idx(user_idx * 10)).await.is_ok());
        assert!(tracker
            .check_and_add(&user, ip_from_idx(user_idx * 10 + 1))
            .await
            .is_ok());
        assert!(tracker
            .check_and_add(&user, ip_from_idx(user_idx * 10 + 2))
            .await
            .is_ok());
        assert!(tracker
            .check_and_add(&user, ip_from_idx(user_idx * 10 + 3))
            .await
            .is_err());
    }
    assert_eq!(tracker.get_stats().await.len(), 150);
 }
 #[tokio::test]
 async fn user_zero_override_falls_back_to_global_limit() {
    let tracker = UserIpTracker::new();
    let mut limits = HashMap::new();
    limits.insert("target".to_string(), 0);
    tracker.load_limits(2, &limits).await;
    assert!(tracker.check_and_add("target", ip_from_idx(1)).await.is_ok());
    assert!(tracker.check_and_add("target", ip_from_idx(2)).await.is_ok());
    assert!(tracker.check_and_add("target", ip_from_idx(3)).await.is_err());
    assert_eq!(tracker.get_user_limit("target").await, Some(2));
 }
 #[tokio::test]
 async fn remove_ip_is_idempotent_after_counter_reaches_zero() {
    let tracker = UserIpTracker::new();
    tracker.set_user_limit("u", 2).await;
    let ip = ip_from_idx(42);
    tracker.check_and_add("u", ip).await.unwrap();
    tracker.remove_ip("u", ip).await;
    tracker.remove_ip("u", ip).await;
    tracker.remove_ip("u", ip).await;
    assert_eq!(tracker.get_active_ip_count("u").await, 0);
    assert!(!tracker.is_ip_active("u", ip).await);
 }
 #[tokio::test]
 async fn clear_user_ips_resets_active_and_recent() {
    let tracker = UserIpTracker::new();
    tracker.set_user_limit("u", 10).await;
    for idx in 0..6 {
        tracker.check_and_add("u", ip_from_idx(idx)).await.unwrap();
    }
    tracker.clear_user_ips("u").await;
    assert_eq!(tracker.get_active_ip_count("u").await, 0);
    let counts = tracker
        .get_recent_counts_for_users(&["u".to_string()])
        .await;
    assert_eq!(counts.get("u").copied().unwrap_or(0), 0);
 }
 #[tokio::test]
 async fn clear_all_resets_multi_user_state() {
    let tracker = UserIpTracker::new();
    for user_idx in 0..80u32 {
        let user = format!("u{}", user_idx);
        for ip_idx in 0..3 {
            tracker
                .check_and_add(&user, ip_from_idx(user_idx * 100 + ip_idx))
                .await
                .unwrap();
        }
    }
    tracker.clear_all().await;
    assert!(tracker.get_stats().await.is_empty());
    let users = (0..80u32)
        .map(|idx| format!("u{}", idx))
        .collect::<Vec<_>>();
    let recent = tracker.get_recent_counts_for_users(&users).await;
    assert!(recent.values().all(|count| *count == 0));
 }
 #[tokio::test]
 async fn get_active_ips_for_users_are_sorted() {
    let tracker = UserIpTracker::new();
    tracker.set_user_limit("user", 10).await;
    tracker
        .check_and_add("user", IpAddr::V4(Ipv4Addr::new(10, 0, 0, 9)))
        .await
        .unwrap();
    tracker
        .check_and_add("user", IpAddr::V4(Ipv4Addr::new(10, 0, 0, 1)))
        .await
        .unwrap();
    tracker
        .check_and_add("user", IpAddr::V4(Ipv4Addr::new(10, 0, 0, 5)))
        .await
        .unwrap();
    let map = tracker
        .get_active_ips_for_users(&["user".to_string()])
        .await;
    let ips = map.get("user").cloned().unwrap_or_default();
    assert_eq!(
        ips,
        vec![
            IpAddr::V4(Ipv4Addr::new(10, 0, 0, 1)),
            IpAddr::V4(Ipv4Addr::new(10, 0, 0, 5)),
            IpAddr::V4(Ipv4Addr::new(10, 0, 0, 9)),
        ]
    );
 }
 #[tokio::test]
 async fn get_recent_ips_for_users_are_sorted() {
    let tracker = UserIpTracker::new();
    tracker.set_user_limit("user", 10).await;
    tracker
        .check_and_add("user", IpAddr::V4(Ipv4Addr::new(10, 1, 0, 9)))
        .await
        .unwrap();
    tracker
        .check_and_add("user", IpAddr::V4(Ipv4Addr::new(10, 1, 0, 1)))
        .await
        .unwrap();
    tracker
        .check_and_add("user", IpAddr::V4(Ipv4Addr::new(10, 1, 0, 5)))
        .await
        .unwrap();
    let map = tracker
        .get_recent_ips_for_users(&["user".to_string()])
        .await;
    let ips = map.get("user").cloned().unwrap_or_default();
    assert_eq!(
        ips,
        vec![
            IpAddr::V4(Ipv4Addr::new(10, 1, 0, 1)),
            IpAddr::V4(Ipv4Addr::new(10, 1, 0, 5)),
            IpAddr::V4(Ipv4Addr::new(10, 1, 0, 9)),
        ]
    );
 }
 #[tokio::test]
 async fn time_window_expires_for_large_rotation() {
    let tracker = UserIpTracker::new();
    tracker.set_user_limit("tw", 1).await;
    tracker
        .set_limit_policy(UserMaxUniqueIpsMode::TimeWindow, 1)
        .await;
    tracker.check_and_add("tw", ip_from_idx(1)).await.unwrap();
    tracker.remove_ip("tw", ip_from_idx(1)).await;
    assert!(tracker.check_and_add("tw", ip_from_idx(2)).await.is_err());
    tokio::time::sleep(Duration::from_millis(1_100)).await;
    assert!(tracker.check_and_add("tw", ip_from_idx(2)).await.is_ok());
 }
 #[tokio::test]
 async fn combined_mode_blocks_recent_after_disconnect() {
    let tracker = UserIpTracker::new();
    tracker.set_user_limit("cmb", 1).await;
    tracker
        .set_limit_policy(UserMaxUniqueIpsMode::Combined, 2)
        .await;
    tracker.check_and_add("cmb", ip_from_idx(11)).await.unwrap();
    tracker.remove_ip("cmb", ip_from_idx(11)).await;
    assert!(tracker.check_and_add("cmb", ip_from_idx(12)).await.is_err());
 }
 #[tokio::test]
 async fn load_limits_replaces_large_limit_map() {
    let tracker = UserIpTracker::new();
    let mut first = HashMap::new();
    let mut second = HashMap::new();
    for idx in 0..300usize {
        first.insert(format!("u{}", idx), 2usize);
    }
    for idx in 150..450usize {
        second.insert(format!("u{}", idx), 4usize);
    }
    tracker.load_limits(0, &first).await;
    tracker.load_limits(0, &second).await;
    assert_eq!(tracker.get_user_limit("u20").await, None);
    assert_eq!(tracker.get_user_limit("u200").await, Some(4));
    assert_eq!(tracker.get_user_limit("u420").await, Some(4));
 }
 #[tokio::test(flavor = "multi_thread", worker_threads = 4)]
 async fn concurrent_same_user_unique_ip_pressure_stays_bounded() {
    let tracker = Arc::new(UserIpTracker::new());
    tracker.set_user_limit("hot", 32).await;
    tracker
        .set_limit_policy(UserMaxUniqueIpsMode::ActiveWindow, 30)
        .await;
    let mut handles = Vec::new();
    for worker in 0..16u32 {
        let tracker_cloned = tracker.clone();
        handles.push(tokio::spawn(async move {
            let base = worker * 200;
            for step in 0..200u32 {
                let _ = tracker_cloned
                    .check_and_add("hot", ip_from_idx(base + step))
                    .await;
            }
        }));
    }
    for handle in handles {
        handle.await.unwrap();
    }
    assert!(tracker.get_active_ip_count("hot").await <= 32);
 }
 #[tokio::test(flavor = "multi_thread", worker_threads = 4)]
 async fn concurrent_many_users_isolate_limits() {
    let tracker = Arc::new(UserIpTracker::new());
    tracker.load_limits(4, &HashMap::new()).await;
    let mut handles = Vec::new();
    for user_idx in 0..120u32 {
        let tracker_cloned = tracker.clone();
        handles.push(tokio::spawn(async move {
            let user = format!("u{}", user_idx);
            for ip_idx in 0..10u32 {
                let _ = tracker_cloned
                    .check_and_add(&user, ip_from_idx(user_idx * 1_000 + ip_idx))
                    .await;
            }
        }));
    }
    for handle in handles {
        handle.await.unwrap();
    }
    let stats = tracker.get_stats().await;
    assert_eq!(stats.len(), 120);
    assert!(stats.iter().all(|(_, active, limit)| *active <= 4 && *limit == 4));
 }
 #[tokio::test]
 async fn same_ip_reconnect_high_frequency_keeps_single_unique() {
    let tracker = UserIpTracker::new();
    tracker.set_user_limit("same", 2).await;
    let ip = ip_from_idx(9);
    for _ in 0..2_000 {
        tracker.check_and_add("same", ip).await.unwrap();
    }
    assert_eq!(tracker.get_active_ip_count("same").await, 1);
    assert!(tracker.is_ip_active("same", ip).await);
 }
 #[tokio::test]
 async fn format_stats_contains_expected_limited_and_unlimited_markers() {
    let tracker = UserIpTracker::new();
    tracker.set_user_limit("limited", 2).await;
    tracker.check_and_add("limited", ip_from_idx(1)).await.unwrap();
    tracker.check_and_add("open", ip_from_idx(2)).await.unwrap();
    let text = tracker.format_stats().await;
    assert!(text.contains("limited"));
    assert!(text.contains("open"));
    assert!(text.contains("unlimited"));
 }
 #[tokio::test]
 async fn stats_report_global_default_for_users_without_override() {
    let tracker = UserIpTracker::new();
    tracker.load_limits(5, &HashMap::new()).await;
    tracker.check_and_add("a", ip_from_idx(1)).await.unwrap();
    tracker.check_and_add("b", ip_from_idx(2)).await.unwrap();
    let stats = tracker.get_stats().await;
    assert!(stats.iter().any(|(user, _, limit)| user == "a" && *limit == 5));
    assert!(stats.iter().any(|(user, _, limit)| user == "b" && *limit == 5));
 }
 #[tokio::test]
 async fn stress_cycle_add_remove_clear_preserves_empty_end_state() {
    let tracker = UserIpTracker::new();
    for cycle in 0..50u32 {
        let user = format!("cycle{}", cycle);
        tracker.set_user_limit(&user, 128).await;
        for ip_idx in 0..128u32 {
            tracker
                .check_and_add(&user, ip_from_idx(cycle * 10_000 + ip_idx))
                .await
                .unwrap();
        }
        for ip_idx in 0..128u32 {
            tracker
                .remove_ip(&user, ip_from_idx(cycle * 10_000 + ip_idx))
                .await;
        }
        tracker.clear_user_ips(&user).await;
    }
    assert!(tracker.get_stats().await.is_empty());
 }
 #[tokio::test]
 async fn remove_unknown_user_or_ip_does_not_corrupt_state() {
    let tracker = UserIpTracker::new();
    tracker.remove_ip("no_user", ip_from_idx(1)).await;
    tracker.check_and_add("x", ip_from_idx(2)).await.unwrap();
    tracker.remove_ip("x", ip_from_idx(3)).await;
    assert_eq!(tracker.get_active_ip_count("x").await, 1);
    assert!(tracker.is_ip_active("x", ip_from_idx(2)).await);
 }
 #[tokio::test]
 async fn active_and_recent_views_match_after_mixed_workload() {
    let tracker = UserIpTracker::new();
    tracker.set_user_limit("mix", 16).await;
    for ip_idx in 0..12u32 {
        tracker.check_and_add("mix", ip_from_idx(ip_idx)).await.unwrap();
    }
    for ip_idx in 0..6u32 {
        tracker.remove_ip("mix", ip_from_idx(ip_idx)).await;
    }
    let active = tracker
        .get_active_ips_for_users(&["mix".to_string()])
        .await
        .get("mix")
        .cloned()
        .unwrap_or_default();
    let recent_count = tracker
        .get_recent_counts_for_users(&["mix".to_string()])
        .await
        .get("mix")
        .copied()
        .unwrap_or(0);
    assert_eq!(active.len(), 6);
    assert!(recent_count >= active.len());
    assert!(recent_count <= 12);
 }
 #[tokio::test]
 async fn global_limit_switch_updates_enforcement_immediately() {
    let tracker = UserIpTracker::new();
    tracker.load_limits(2, &HashMap::new()).await;
    assert!(tracker.check_and_add("u", ip_from_idx(1)).await.is_ok());
    assert!(tracker.check_and_add("u", ip_from_idx(2)).await.is_ok());
    assert!(tracker.check_and_add("u", ip_from_idx(3)).await.is_err());
    tracker.clear_user_ips("u").await;
    tracker.load_limits(4, &HashMap::new()).await;
    assert!(tracker.check_and_add("u", ip_from_idx(1)).await.is_ok());
    assert!(tracker.check_and_add("u", ip_from_idx(2)).await.is_ok());
    assert!(tracker.check_and_add("u", ip_from_idx(3)).await.is_ok());
    assert!(tracker.check_and_add("u", ip_from_idx(4)).await.is_ok());
    assert!(tracker.check_and_add("u", ip_from_idx(5)).await.is_err());
 }
 #[tokio::test(flavor = "multi_thread", worker_threads = 4)]
 async fn concurrent_reconnect_and_disconnect_preserves_non_negative_counts() {
    let tracker = Arc::new(UserIpTracker::new());
    tracker.set_user_limit("cc", 8).await;
    let mut handles = Vec::new();
    for worker in 0..8u32 {
        let tracker_cloned = tracker.clone();
        handles.push(tokio::spawn(async move {
            let ip = ip_from_idx(50 + worker);
            for _ in 0..500u32 {
                let _ = tracker_cloned.check_and_add("cc", ip).await;
                tracker_cloned.remove_ip("cc", ip).await;
            }
        }));
    }
    for handle in handles {
        handle.await.unwrap();
    }
    assert!(tracker.get_active_ip_count("cc").await <= 8);
 }
--- a/src/maestro/helpers.rs
+++ b/src/maestro/helpers.rs
@@ -205,6 +205,7 @@ pub(crate) fn format_uptime(total_secs: u64) -> String {
    format!("{} / {} seconds", parts.join(", "), total_secs)
 }
 #[allow(dead_code)]
 pub(crate) async fn wait_until_admission_open(admission_rx: &mut watch::Receiver<bool>) -> bool {
    loop {
        if *admission_rx.borrow() {
--- a/src/maestro/listeners.rs
+++ b/src/maestro/listeners.rs
@@ -24,7 +24,7 @@ use crate::transport::{
    ListenOptions, UpstreamManager, create_listener, find_listener_processes,
 };
-use super::helpers::{is_expected_handshake_eof, print_proxy_links, wait_until_admission_open};
+use super::helpers::{is_expected_handshake_eof, print_proxy_links};
 pub(crate) struct BoundListeners {
    pub(crate) listeners: Vec<(TcpListener, bool)>,
@@ -195,7 +195,7 @@ pub(crate) async fn bind_listeners(
        has_unix_listener = true;
        let mut config_rx_unix: watch::Receiver<Arc<ProxyConfig>> = config_rx.clone();
-        let mut admission_rx_unix = admission_rx.clone();
+        let admission_rx_unix = admission_rx.clone();
        let stats = stats.clone();
        let upstream_manager = upstream_manager.clone();
        let replay_checker = replay_checker.clone();
@@ -212,17 +212,44 @@ pub(crate) async fn bind_listeners(
            let unix_conn_counter = Arc::new(std::sync::atomic::AtomicU64::new(1));
            loop {
                if !wait_until_admission_open(&mut admission_rx_unix).await {
                    warn!("Conditional-admission gate channel closed for unix listener");
                    break;
                }
                match unix_listener.accept().await {
                    Ok((stream, _)) => {
-                        let permit = match max_connections_unix.clone().acquire_owned().await {
+                        if !*admission_rx_unix.borrow() {
-                            Ok(permit) => permit,
+                            drop(stream);
-                            Err(_) => {
+                            continue;
-                                error!("Connection limiter is closed");
+                        }
-                                break;
+                        let accept_permit_timeout_ms = config_rx_unix
                            .borrow()
                            .server
                            .accept_permit_timeout_ms;
                        let permit = if accept_permit_timeout_ms == 0 {
                            match max_connections_unix.clone().acquire_owned().await {
                                Ok(permit) => permit,
                                Err(_) => {
                                    error!("Connection limiter is closed");
                                    break;
                                }
                            }
                        } else {
                            match tokio::time::timeout(
                                Duration::from_millis(accept_permit_timeout_ms),
                                max_connections_unix.clone().acquire_owned(),
                            )
                            .await
                            {
                                Ok(Ok(permit)) => permit,
                                Ok(Err(_)) => {
                                    error!("Connection limiter is closed");
                                    break;
                                }
                                Err(_) => {
                                    debug!(
                                        timeout_ms = accept_permit_timeout_ms,
                                        "Dropping accepted unix connection: permit wait timeout"
                                    );
                                    drop(stream);
                                    continue;
                                }
                            }
                        };
                        let conn_id =
@@ -312,7 +339,7 @@ pub(crate) fn spawn_tcp_accept_loops(
 ) {
    for (listener, listener_proxy_protocol) in listeners {
        let mut config_rx: watch::Receiver<Arc<ProxyConfig>> = config_rx.clone();
-        let mut admission_rx_tcp = admission_rx.clone();
+        let admission_rx_tcp = admission_rx.clone();
        let stats = stats.clone();
        let upstream_manager = upstream_manager.clone();
        let replay_checker = replay_checker.clone();
@@ -327,17 +354,46 @@ pub(crate) fn spawn_tcp_accept_loops(
        tokio::spawn(async move {
            loop {
                if !wait_until_admission_open(&mut admission_rx_tcp).await {
                    warn!("Conditional-admission gate channel closed for tcp listener");
                    break;
                }
                match listener.accept().await {
                    Ok((stream, peer_addr)) => {
-                        let permit = match max_connections_tcp.clone().acquire_owned().await {
+                        if !*admission_rx_tcp.borrow() {
-                            Ok(permit) => permit,
+                            debug!(peer = %peer_addr, "Admission gate closed, dropping connection");
-                            Err(_) => {
+                            drop(stream);
-                                error!("Connection limiter is closed");
+                            continue;
-                                break;
+                        }
                        let accept_permit_timeout_ms = config_rx
                            .borrow()
                            .server
                            .accept_permit_timeout_ms;
                        let permit = if accept_permit_timeout_ms == 0 {
                            match max_connections_tcp.clone().acquire_owned().await {
                                Ok(permit) => permit,
                                Err(_) => {
                                    error!("Connection limiter is closed");
                                    break;
                                }
                            }
                        } else {
                            match tokio::time::timeout(
                                Duration::from_millis(accept_permit_timeout_ms),
                                max_connections_tcp.clone().acquire_owned(),
                            )
                            .await
                            {
                                Ok(Ok(permit)) => permit,
                                Ok(Err(_)) => {
                                    error!("Connection limiter is closed");
                                    break;
                                }
                                Err(_) => {
                                    debug!(
                                        peer = %peer_addr,
                                        timeout_ms = accept_permit_timeout_ms,
                                        "Dropping accepted connection: permit wait timeout"
                                    );
                                    drop(stream);
                                    continue;
                                }
                            }
                        };
                        let config = config_rx.borrow_and_update().clone();
--- a/src/maestro/me_startup.rs
+++ b/src/maestro/me_startup.rs
@@ -237,7 +237,13 @@ pub(crate) async fn initialize_me_pool(
                    config.general.me_adaptive_floor_max_warm_writers_global,
                    config.general.hardswap,
                    config.general.me_pool_drain_ttl_secs,
                    config.general.me_instadrain,
                    config.general.me_pool_drain_threshold,
                    config.general.me_pool_drain_soft_evict_enabled,
                    config.general.me_pool_drain_soft_evict_grace_secs,
                    config.general.me_pool_drain_soft_evict_per_writer,
                    config.general.me_pool_drain_soft_evict_budget_per_core,
                    config.general.me_pool_drain_soft_evict_cooldown_ms,
                    config.general.effective_me_pool_force_close_secs(),
                    config.general.me_pool_min_fresh_ratio,
                    config.general.me_hardswap_warmup_delay_min_ms,
@@ -262,6 +268,8 @@ pub(crate) async fn initialize_me_pool(
                    config.general.me_warn_rate_limit_ms,
                    config.general.me_route_no_writer_mode,
                    config.general.me_route_no_writer_wait_ms,
                    config.general.me_route_hybrid_max_wait_ms,
                    config.general.me_route_blocking_send_timeout_ms,
                    config.general.me_route_inline_recovery_attempts,
                    config.general.me_route_inline_recovery_wait_ms,
                );
@@ -324,18 +332,76 @@ pub(crate) async fn initialize_me_pool(
                                            "Middle-End pool initialized successfully"
                                        );
-                                        let pool_health = pool_bg.clone();
+                                            // ── Supervised background tasks ──────────────────
-                                        let rng_health = rng_bg.clone();
+                                            // Each task runs inside a nested tokio::spawn so
-                                        let min_conns = pool_size;
+                                            // that a panic is caught via JoinHandle and the
-                                        tokio::spawn(async move {
+                                            // outer loop restarts the task automatically.
-                                            crate::transport::middle_proxy::me_health_monitor(
+                                            let pool_health = pool_bg.clone();
-                                                pool_health,
+                                            let rng_health = rng_bg.clone();
-                                                rng_health,
+                                            let min_conns = pool_size;
-                                                min_conns,
+                                            tokio::spawn(async move {
-                                            )
+                                                loop {
-                                            .await;
+                                                    let p = pool_health.clone();
-                                        });
+                                                    let r = rng_health.clone();
-                                        break;
+                                                    let res = tokio::spawn(async move {
                                                        crate::transport::middle_proxy::me_health_monitor(
                                                            p, r, min_conns,
                                                        )
                                                        .await;
                                                    })
                                                    .await;
                                                    match res {
                                                        Ok(()) => warn!("me_health_monitor exited unexpectedly, restarting"),
                                                        Err(e) => {
                                                            error!(error = %e, "me_health_monitor panicked, restarting in 1s");
                                                            tokio::time::sleep(Duration::from_secs(1)).await;
                                                        }
                                                    }
                                                }
                                            });
                                            let pool_drain_enforcer = pool_bg.clone();
                                            tokio::spawn(async move {
                                                loop {
                                                    let p = pool_drain_enforcer.clone();
                                                    let res = tokio::spawn(async move {
                                                        crate::transport::middle_proxy::me_drain_timeout_enforcer(p).await;
                                                    })
                                                    .await;
                                                    match res {
                                                        Ok(()) => warn!("me_drain_timeout_enforcer exited unexpectedly, restarting"),
                                                        Err(e) => {
                                                            error!(error = %e, "me_drain_timeout_enforcer panicked, restarting in 1s");
                                                            tokio::time::sleep(Duration::from_secs(1)).await;
                                                        }
                                                    }
                                                }
                                            });
                                            let pool_watchdog = pool_bg.clone();
                                            tokio::spawn(async move {
                                                loop {
                                                    let p = pool_watchdog.clone();
                                                    let res = tokio::spawn(async move {
                                                        crate::transport::middle_proxy::me_zombie_writer_watchdog(p).await;
                                                    })
                                                    .await;
                                                    match res {
                                                        Ok(()) => warn!("me_zombie_writer_watchdog exited unexpectedly, restarting"),
                                                        Err(e) => {
                                                            error!(error = %e, "me_zombie_writer_watchdog panicked, restarting in 1s");
                                                            tokio::time::sleep(Duration::from_secs(1)).await;
                                                        }
                                                    }
                                                }
                                            });
                                            // CRITICAL: keep the current-thread runtime
                                            // alive. Without this, block_on() returns,
                                            // the Runtime is dropped, and ALL spawned
                                            // background tasks (health monitor, drain
                                            // enforcer, zombie watchdog) are silently
                                            // cancelled — causing the draining-writer
                                            // leak that brought us here.
                                            std::future::pending::<()>().await;
                                            unreachable!();
                                    }
                                    Err(e) => {
                                        startup_tracker_bg.set_me_last_error(Some(e.to_string())).await;
@@ -393,16 +459,65 @@ pub(crate) async fn initialize_me_pool(
                                    "Middle-End pool initialized successfully"
                                );
-                                let pool_clone = pool.clone();
+                                    // ── Supervised background tasks ──────────────────
-                                let rng_clone = rng.clone();
+                                    let pool_clone = pool.clone();
-                                let min_conns = pool_size;
+                                    let rng_clone = rng.clone();
-                                tokio::spawn(async move {
+                                    let min_conns = pool_size;
-                                    crate::transport::middle_proxy::me_health_monitor(
+                                    tokio::spawn(async move {
-                                        pool_clone, rng_clone, min_conns,
+                                        loop {
-                                    )
+                                            let p = pool_clone.clone();
-                                    .await;
+                                            let r = rng_clone.clone();
-                                });
+                                            let res = tokio::spawn(async move {
-
+                                                crate::transport::middle_proxy::me_health_monitor(
                                                    p, r, min_conns,
                                                )
                                                .await;
                                            })
                                            .await;
                                            match res {
                                                Ok(()) => warn!("me_health_monitor exited unexpectedly, restarting"),
                                                Err(e) => {
                                                    error!(error = %e, "me_health_monitor panicked, restarting in 1s");
                                                    tokio::time::sleep(Duration::from_secs(1)).await;
                                                }
                                            }
                                        }
                                    });
                                    let pool_drain_enforcer = pool.clone();
                                    tokio::spawn(async move {
                                        loop {
                                            let p = pool_drain_enforcer.clone();
                                            let res = tokio::spawn(async move {
                                                crate::transport::middle_proxy::me_drain_timeout_enforcer(p).await;
                                            })
                                            .await;
                                            match res {
                                                Ok(()) => warn!("me_drain_timeout_enforcer exited unexpectedly, restarting"),
                                                Err(e) => {
                                                    error!(error = %e, "me_drain_timeout_enforcer panicked, restarting in 1s");
                                                    tokio::time::sleep(Duration::from_secs(1)).await;
                                                }
                                            }
                                        }
                                    });
                                    let pool_watchdog = pool.clone();
                                    tokio::spawn(async move {
                                        loop {
                                            let p = pool_watchdog.clone();
                                            let res = tokio::spawn(async move {
                                                crate::transport::middle_proxy::me_zombie_writer_watchdog(p).await;
                                            })
                                            .await;
                                            match res {
                                                Ok(()) => warn!("me_zombie_writer_watchdog exited unexpectedly, restarting"),
                                                Err(e) => {
                                                    error!(error = %e, "me_zombie_writer_watchdog panicked, restarting in 1s");
                                                    tokio::time::sleep(Duration::from_secs(1)).await;
                                                }
                                            }
                                        }
                                    });
                                break Some(pool);
                            }
                            Err(e) => {
--- a/src/maestro/mod.rs
+++ b/src/maestro/mod.rs
@@ -476,7 +476,7 @@ pub async fn run() -> std::result::Result<(), Box<dyn std::error::Error>> {
        Duration::from_secs(config.access.replay_window_secs),
    ));
-    let buffer_pool = Arc::new(BufferPool::with_config(16 * 1024, 4096));
+    let buffer_pool = Arc::new(BufferPool::with_config(64 * 1024, 4096));
    connectivity::run_startup_connectivity(
        &config,
--- a/src/maestro/runtime_tasks.rs
+++ b/src/maestro/runtime_tasks.rs
@@ -279,11 +279,32 @@ pub(crate) async fn spawn_metrics_if_configured(
    ip_tracker: Arc<UserIpTracker>,
    config_rx: watch::Receiver<Arc<ProxyConfig>>,
 ) {
-    if let Some(port) = config.server.metrics_port {
+    // metrics_listen takes precedence; fall back to metrics_port for backward compat.
    let metrics_target: Option<(u16, Option<String>)> =
        if let Some(ref listen) = config.server.metrics_listen {
            match listen.parse::<std::net::SocketAddr>() {
                Ok(addr) => Some((addr.port(), Some(listen.clone()))),
                Err(e) => {
                    startup_tracker
                        .skip_component(
                            COMPONENT_METRICS_START,
                            Some(format!("invalid metrics_listen \"{}\": {}", listen, e)),
                        )
                        .await;
                    None
                }
            }
        } else {
            config.server.metrics_port.map(|p| (p, None))
        };
    if let Some((port, listen)) = metrics_target {
        let fallback_label = format!("port {}", port);
        let label = listen.as_deref().unwrap_or(&fallback_label);
        startup_tracker
            .start_component(
                COMPONENT_METRICS_START,
-                Some(format!("spawn metrics endpoint on {}", port)),
+                Some(format!("spawn metrics endpoint on {}", label)),
            )
            .await;
        let stats = stats.clone();
@@ -294,6 +315,7 @@ pub(crate) async fn spawn_metrics_if_configured(
        tokio::spawn(async move {
            metrics::serve(
                port,
                listen,
                stats,
                beobachten,
                ip_tracker_metrics,
@@ -308,7 +330,7 @@ pub(crate) async fn spawn_metrics_if_configured(
                Some("metrics task spawned".to_string()),
            )
            .await;
-    } else {
+    } else if config.server.metrics_listen.is_none() {
        startup_tracker
            .skip_component(
                COMPONENT_METRICS_START,
--- a/src/main.rs
+++ b/src/main.rs
@@ -6,6 +6,8 @@ mod config;
 mod crypto;
 mod error;
 mod ip_tracker;
 #[cfg(test)]
 mod ip_tracker_regression_tests;
 mod maestro;
 mod metrics;
 mod network;
--- a/src/metrics.rs
+++ b/src/metrics.rs
@@ -16,11 +16,14 @@ use tracing::{info, warn, debug};
 use crate::config::ProxyConfig;
 use crate::ip_tracker::UserIpTracker;
 use crate::stats::beobachten::BeobachtenStore;
-use crate::stats::Stats;
+use crate::stats::{
    MeWriterCleanupSideEffectStep, MeWriterTeardownMode, MeWriterTeardownReason, Stats,
 };
 use crate::transport::{ListenOptions, create_listener};
 pub async fn serve(
    port: u16,
    listen: Option<String>,
    stats: Arc<Stats>,
    beobachten: Arc<BeobachtenStore>,
    ip_tracker: Arc<UserIpTracker>,
@@ -28,6 +31,33 @@ pub async fn serve(
    whitelist: Vec<IpNetwork>,
 ) {
    let whitelist = Arc::new(whitelist);
    // If `metrics_listen` is set, bind on that single address only.
    if let Some(ref listen_addr) = listen {
        let addr: SocketAddr = match listen_addr.parse() {
            Ok(a) => a,
            Err(e) => {
                warn!(error = %e, "Invalid metrics_listen address: {}", listen_addr);
                return;
            }
        };
        let is_ipv6 = addr.is_ipv6();
        match bind_metrics_listener(addr, is_ipv6) {
            Ok(listener) => {
                info!("Metrics endpoint: http://{}/metrics and /beobachten", addr);
                serve_listener(
                    listener, stats, beobachten, ip_tracker, config_rx, whitelist,
                )
                .await;
            }
            Err(e) => {
                warn!(error = %e, "Failed to bind metrics on {}", addr);
            }
        }
        return;
    }
    // Fallback: bind on 0.0.0.0 and [::] using metrics_port.
    let mut listener_v4 = None;
    let mut listener_v6 = None;
@@ -264,6 +294,109 @@ async fn render_metrics(stats: &Stats, config: &ProxyConfig, ip_tracker: &UserIp
        "telemt_connections_bad_total {}",
        if core_enabled { stats.get_connects_bad() } else { 0 }
    );
    let _ = writeln!(out, "# HELP telemt_connections_current Current active connections");
    let _ = writeln!(out, "# TYPE telemt_connections_current gauge");
    let _ = writeln!(
        out,
        "telemt_connections_current {}",
        if core_enabled {
            stats.get_current_connections_total()
        } else {
            0
        }
    );
    let _ = writeln!(out, "# HELP telemt_connections_direct_current Current active direct connections");
    let _ = writeln!(out, "# TYPE telemt_connections_direct_current gauge");
    let _ = writeln!(
        out,
        "telemt_connections_direct_current {}",
        if core_enabled {
            stats.get_current_connections_direct()
        } else {
            0
        }
    );
    let _ = writeln!(out, "# HELP telemt_connections_me_current Current active middle-end connections");
    let _ = writeln!(out, "# TYPE telemt_connections_me_current gauge");
    let _ = writeln!(
        out,
        "telemt_connections_me_current {}",
        if core_enabled {
            stats.get_current_connections_me()
        } else {
            0
        }
    );
    let _ = writeln!(
        out,
        "# HELP telemt_relay_adaptive_promotions_total Adaptive relay tier promotions"
    );
    let _ = writeln!(out, "# TYPE telemt_relay_adaptive_promotions_total counter");
    let _ = writeln!(
        out,
        "telemt_relay_adaptive_promotions_total {}",
        if core_enabled {
            stats.get_relay_adaptive_promotions_total()
        } else {
            0
        }
    );
    let _ = writeln!(
        out,
        "# HELP telemt_relay_adaptive_demotions_total Adaptive relay tier demotions"
    );
    let _ = writeln!(out, "# TYPE telemt_relay_adaptive_demotions_total counter");
    let _ = writeln!(
        out,
        "telemt_relay_adaptive_demotions_total {}",
        if core_enabled {
            stats.get_relay_adaptive_demotions_total()
        } else {
            0
        }
    );
    let _ = writeln!(
        out,
        "# HELP telemt_relay_adaptive_hard_promotions_total Adaptive relay hard promotions triggered by write pressure"
    );
    let _ = writeln!(
        out,
        "# TYPE telemt_relay_adaptive_hard_promotions_total counter"
    );
    let _ = writeln!(
        out,
        "telemt_relay_adaptive_hard_promotions_total {}",
        if core_enabled {
            stats.get_relay_adaptive_hard_promotions_total()
        } else {
            0
        }
    );
    let _ = writeln!(out, "# HELP telemt_reconnect_evict_total Reconnect-driven session evictions");
    let _ = writeln!(out, "# TYPE telemt_reconnect_evict_total counter");
    let _ = writeln!(
        out,
        "telemt_reconnect_evict_total {}",
        if core_enabled {
            stats.get_reconnect_evict_total()
        } else {
            0
        }
    );
    let _ = writeln!(
        out,
        "# HELP telemt_reconnect_stale_close_total Sessions closed because they became stale after reconnect"
    );
    let _ = writeln!(out, "# TYPE telemt_reconnect_stale_close_total counter");
    let _ = writeln!(
        out,
        "telemt_reconnect_stale_close_total {}",
        if core_enabled {
            stats.get_reconnect_stale_close_total()
        } else {
            0
        }
    );
    let _ = writeln!(out, "# HELP telemt_handshake_timeouts_total Handshake timeouts");
    let _ = writeln!(out, "# TYPE telemt_handshake_timeouts_total counter");
@@ -1519,6 +1652,36 @@ async fn render_metrics(stats: &Stats, config: &ProxyConfig, ip_tracker: &UserIp
        }
    );
    let _ = writeln!(
        out,
        "# HELP telemt_pool_drain_soft_evict_total Soft-evicted client sessions on stuck draining writers"
    );
    let _ = writeln!(out, "# TYPE telemt_pool_drain_soft_evict_total counter");
    let _ = writeln!(
        out,
        "telemt_pool_drain_soft_evict_total {}",
        if me_allows_normal {
            stats.get_pool_drain_soft_evict_total()
        } else {
            0
        }
    );
    let _ = writeln!(
        out,
        "# HELP telemt_pool_drain_soft_evict_writer_total Draining writers with at least one soft eviction"
    );
    let _ = writeln!(out, "# TYPE telemt_pool_drain_soft_evict_writer_total counter");
    let _ = writeln!(
        out,
        "telemt_pool_drain_soft_evict_writer_total {}",
        if me_allows_normal {
            stats.get_pool_drain_soft_evict_writer_total()
        } else {
            0
        }
    );
    let _ = writeln!(out, "# HELP telemt_pool_stale_pick_total Stale writer fallback picks for new binds");
    let _ = writeln!(out, "# TYPE telemt_pool_stale_pick_total counter");
    let _ = writeln!(
@@ -1531,6 +1694,57 @@ async fn render_metrics(stats: &Stats, config: &ProxyConfig, ip_tracker: &UserIp
        }
    );
    let _ = writeln!(
        out,
        "# HELP telemt_me_writer_close_signal_drop_total Close-signal drops for already-removed ME writers"
    );
    let _ = writeln!(out, "# TYPE telemt_me_writer_close_signal_drop_total counter");
    let _ = writeln!(
        out,
        "telemt_me_writer_close_signal_drop_total {}",
        if me_allows_normal {
            stats.get_me_writer_close_signal_drop_total()
        } else {
            0
        }
    );
    let _ = writeln!(
        out,
        "# HELP telemt_me_writer_close_signal_channel_full_total Close-signal drops caused by full writer command channels"
    );
    let _ = writeln!(
        out,
        "# TYPE telemt_me_writer_close_signal_channel_full_total counter"
    );
    let _ = writeln!(
        out,
        "telemt_me_writer_close_signal_channel_full_total {}",
        if me_allows_normal {
            stats.get_me_writer_close_signal_channel_full_total()
        } else {
            0
        }
    );
    let _ = writeln!(
        out,
        "# HELP telemt_me_draining_writers_reap_progress_total Draining-writer removals processed by reap cleanup"
    );
    let _ = writeln!(
        out,
        "# TYPE telemt_me_draining_writers_reap_progress_total counter"
    );
    let _ = writeln!(
        out,
        "telemt_me_draining_writers_reap_progress_total {}",
        if me_allows_normal {
            stats.get_me_draining_writers_reap_progress_total()
        } else {
            0
        }
    );
    let _ = writeln!(out, "# HELP telemt_me_writer_removed_total Total ME writer removals");
    let _ = writeln!(out, "# TYPE telemt_me_writer_removed_total counter");
    let _ = writeln!(
@@ -1558,6 +1772,169 @@ async fn render_metrics(stats: &Stats, config: &ProxyConfig, ip_tracker: &UserIp
        }
    );
    let _ = writeln!(
        out,
        "# HELP telemt_me_writer_teardown_attempt_total ME writer teardown attempts by reason and mode"
    );
    let _ = writeln!(out, "# TYPE telemt_me_writer_teardown_attempt_total counter");
    for reason in MeWriterTeardownReason::ALL {
        for mode in MeWriterTeardownMode::ALL {
            let _ = writeln!(
                out,
                "telemt_me_writer_teardown_attempt_total{{reason=\"{}\",mode=\"{}\"}} {}",
                reason.as_str(),
                mode.as_str(),
                if me_allows_normal {
                    stats.get_me_writer_teardown_attempt_total(reason, mode)
                } else {
                    0
                }
            );
        }
    }
    let _ = writeln!(
        out,
        "# HELP telemt_me_writer_teardown_success_total ME writer teardown successes by mode"
    );
    let _ = writeln!(out, "# TYPE telemt_me_writer_teardown_success_total counter");
    for mode in MeWriterTeardownMode::ALL {
        let _ = writeln!(
            out,
            "telemt_me_writer_teardown_success_total{{mode=\"{}\"}} {}",
            mode.as_str(),
            if me_allows_normal {
                stats.get_me_writer_teardown_success_total(mode)
            } else {
                0
            }
        );
    }
    let _ = writeln!(
        out,
        "# HELP telemt_me_writer_teardown_timeout_total Teardown operations that timed out"
    );
    let _ = writeln!(out, "# TYPE telemt_me_writer_teardown_timeout_total counter");
    let _ = writeln!(
        out,
        "telemt_me_writer_teardown_timeout_total {}",
        if me_allows_normal {
            stats.get_me_writer_teardown_timeout_total()
        } else {
            0
        }
    );
    let _ = writeln!(
        out,
        "# HELP telemt_me_writer_teardown_escalation_total Watchdog teardown escalations to hard detach"
    );
    let _ = writeln!(
        out,
        "# TYPE telemt_me_writer_teardown_escalation_total counter"
    );
    let _ = writeln!(
        out,
        "telemt_me_writer_teardown_escalation_total {}",
        if me_allows_normal {
            stats.get_me_writer_teardown_escalation_total()
        } else {
            0
        }
    );
    let _ = writeln!(
        out,
        "# HELP telemt_me_writer_teardown_noop_total Teardown operations that became no-op"
    );
    let _ = writeln!(out, "# TYPE telemt_me_writer_teardown_noop_total counter");
    let _ = writeln!(
        out,
        "telemt_me_writer_teardown_noop_total {}",
        if me_allows_normal {
            stats.get_me_writer_teardown_noop_total()
        } else {
            0
        }
    );
    let _ = writeln!(
        out,
        "# HELP telemt_me_writer_teardown_duration_seconds ME writer teardown latency histogram by mode"
    );
    let _ = writeln!(
        out,
        "# TYPE telemt_me_writer_teardown_duration_seconds histogram"
    );
    let bucket_labels = Stats::me_writer_teardown_duration_bucket_labels();
    for mode in MeWriterTeardownMode::ALL {
        for (bucket_idx, label) in bucket_labels.iter().enumerate() {
            let _ = writeln!(
                out,
                "telemt_me_writer_teardown_duration_seconds_bucket{{mode=\"{}\",le=\"{}\"}} {}",
                mode.as_str(),
                label,
                if me_allows_normal {
                    stats.get_me_writer_teardown_duration_bucket_total(mode, bucket_idx)
                } else {
                    0
                }
            );
        }
        let _ = writeln!(
            out,
            "telemt_me_writer_teardown_duration_seconds_bucket{{mode=\"{}\",le=\"+Inf\"}} {}",
            mode.as_str(),
            if me_allows_normal {
                stats.get_me_writer_teardown_duration_count(mode)
            } else {
                0
            }
        );
        let _ = writeln!(
            out,
            "telemt_me_writer_teardown_duration_seconds_sum{{mode=\"{}\"}} {:.6}",
            mode.as_str(),
            if me_allows_normal {
                stats.get_me_writer_teardown_duration_sum_seconds(mode)
            } else {
                0.0
            }
        );
        let _ = writeln!(
            out,
            "telemt_me_writer_teardown_duration_seconds_count{{mode=\"{}\"}} {}",
            mode.as_str(),
            if me_allows_normal {
                stats.get_me_writer_teardown_duration_count(mode)
            } else {
                0
            }
        );
    }
    let _ = writeln!(
        out,
        "# HELP telemt_me_writer_cleanup_side_effect_failures_total Failed cleanup side effects by step"
    );
    let _ = writeln!(
        out,
        "# TYPE telemt_me_writer_cleanup_side_effect_failures_total counter"
    );
    for step in MeWriterCleanupSideEffectStep::ALL {
        let _ = writeln!(
            out,
            "telemt_me_writer_cleanup_side_effect_failures_total{{step=\"{}\"}} {}",
            step.as_str(),
            if me_allows_normal {
                stats.get_me_writer_cleanup_side_effect_failures_total(step)
            } else {
                0
            }
        );
    }
    let _ = writeln!(out, "# HELP telemt_me_refill_triggered_total Immediate ME refill runs started");
    let _ = writeln!(out, "# TYPE telemt_me_refill_triggered_total counter");
    let _ = writeln!(
@@ -1836,6 +2213,8 @@ mod tests {
        stats.increment_connects_all();
        stats.increment_connects_all();
        stats.increment_connects_bad();
        stats.increment_current_connections_direct();
        stats.increment_current_connections_me();
        stats.increment_handshake_timeouts();
        stats.increment_upstream_connect_attempt_total();
        stats.increment_upstream_connect_attempt_total();
@@ -1867,6 +2246,9 @@ mod tests {
        assert!(output.contains("telemt_connections_total 2"));
        assert!(output.contains("telemt_connections_bad_total 1"));
        assert!(output.contains("telemt_connections_current 2"));
        assert!(output.contains("telemt_connections_direct_current 1"));
        assert!(output.contains("telemt_connections_me_current 1"));
        assert!(output.contains("telemt_handshake_timeouts_total 1"));
        assert!(output.contains("telemt_upstream_connect_attempt_total 2"));
        assert!(output.contains("telemt_upstream_connect_success_total 1"));
@@ -1909,6 +2291,9 @@ mod tests {
        let output = render_metrics(&stats, &config, &tracker).await;
        assert!(output.contains("telemt_connections_total 0"));
        assert!(output.contains("telemt_connections_bad_total 0"));
        assert!(output.contains("telemt_connections_current 0"));
        assert!(output.contains("telemt_connections_direct_current 0"));
        assert!(output.contains("telemt_connections_me_current 0"));
        assert!(output.contains("telemt_handshake_timeouts_total 0"));
        assert!(output.contains("telemt_user_unique_ips_current{user="));
        assert!(output.contains("telemt_user_unique_ips_recent_window{user="));
@@ -1942,11 +2327,39 @@ mod tests {
        assert!(output.contains("# TYPE telemt_uptime_seconds gauge"));
        assert!(output.contains("# TYPE telemt_connections_total counter"));
        assert!(output.contains("# TYPE telemt_connections_bad_total counter"));
        assert!(output.contains("# TYPE telemt_connections_current gauge"));
        assert!(output.contains("# TYPE telemt_connections_direct_current gauge"));
        assert!(output.contains("# TYPE telemt_connections_me_current gauge"));
        assert!(output.contains("# TYPE telemt_relay_adaptive_promotions_total counter"));
        assert!(output.contains("# TYPE telemt_relay_adaptive_demotions_total counter"));
        assert!(output.contains("# TYPE telemt_relay_adaptive_hard_promotions_total counter"));
        assert!(output.contains("# TYPE telemt_reconnect_evict_total counter"));
        assert!(output.contains("# TYPE telemt_reconnect_stale_close_total counter"));
        assert!(output.contains("# TYPE telemt_handshake_timeouts_total counter"));
        assert!(output.contains("# TYPE telemt_upstream_connect_attempt_total counter"));
        assert!(output.contains("# TYPE telemt_me_rpc_proxy_req_signal_sent_total counter"));
        assert!(output.contains("# TYPE telemt_me_idle_close_by_peer_total counter"));
        assert!(output.contains("# TYPE telemt_me_writer_removed_total counter"));
        assert!(output.contains("# TYPE telemt_me_writer_teardown_attempt_total counter"));
        assert!(output.contains("# TYPE telemt_me_writer_teardown_success_total counter"));
        assert!(output.contains("# TYPE telemt_me_writer_teardown_timeout_total counter"));
        assert!(output.contains("# TYPE telemt_me_writer_teardown_escalation_total counter"));
        assert!(output.contains("# TYPE telemt_me_writer_teardown_noop_total counter"));
        assert!(output.contains(
            "# TYPE telemt_me_writer_teardown_duration_seconds histogram"
        ));
        assert!(output.contains(
            "# TYPE telemt_me_writer_cleanup_side_effect_failures_total counter"
        ));
        assert!(output.contains("# TYPE telemt_me_writer_close_signal_drop_total counter"));
        assert!(output.contains(
            "# TYPE telemt_me_writer_close_signal_channel_full_total counter"
        ));
        assert!(output.contains(
            "# TYPE telemt_me_draining_writers_reap_progress_total counter"
        ));
        assert!(output.contains("# TYPE telemt_pool_drain_soft_evict_total counter"));
        assert!(output.contains("# TYPE telemt_pool_drain_soft_evict_writer_total counter"));
        assert!(output.contains(
            "# TYPE telemt_me_writer_removed_unexpected_minus_restored_total gauge"
        ));
--- a/src/proxy/adaptive_buffers.rs
+++ b/src/proxy/adaptive_buffers.rs
@@ -0,0 +1,383 @@
 use dashmap::DashMap;
 use std::cmp::max;
 use std::sync::OnceLock;
 use std::time::{Duration, Instant};
 const EMA_ALPHA: f64 = 0.2;
 const PROFILE_TTL: Duration = Duration::from_secs(300);
 const THROUGHPUT_UP_BPS: f64 = 8_000_000.0;
 const THROUGHPUT_DOWN_BPS: f64 = 2_000_000.0;
 const RATIO_CONFIRM_THRESHOLD: f64 = 1.12;
 const TIER1_HOLD_TICKS: u32 = 8;
 const TIER2_HOLD_TICKS: u32 = 4;
 const QUIET_DEMOTE_TICKS: u32 = 480;
 const HARD_COOLDOWN_TICKS: u32 = 20;
 const HARD_PENDING_THRESHOLD: u32 = 3;
 const HARD_PARTIAL_RATIO_THRESHOLD: f64 = 0.25;
 const DIRECT_C2S_CAP_BYTES: usize = 128 * 1024;
 const DIRECT_S2C_CAP_BYTES: usize = 512 * 1024;
 const ME_FRAMES_CAP: usize = 96;
 const ME_BYTES_CAP: usize = 384 * 1024;
 const ME_DELAY_MIN_US: u64 = 150;
 #[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
 pub enum AdaptiveTier {
    Base = 0,
    Tier1 = 1,
    Tier2 = 2,
    Tier3 = 3,
 }
 impl AdaptiveTier {
    pub fn promote(self) -> Self {
        match self {
            Self::Base => Self::Tier1,
            Self::Tier1 => Self::Tier2,
            Self::Tier2 => Self::Tier3,
            Self::Tier3 => Self::Tier3,
        }
    }
    pub fn demote(self) -> Self {
        match self {
            Self::Base => Self::Base,
            Self::Tier1 => Self::Base,
            Self::Tier2 => Self::Tier1,
            Self::Tier3 => Self::Tier2,
        }
    }
    fn ratio(self) -> (usize, usize) {
        match self {
            Self::Base => (1, 1),
            Self::Tier1 => (5, 4),
            Self::Tier2 => (3, 2),
            Self::Tier3 => (2, 1),
        }
    }
    pub fn as_u8(self) -> u8 {
        self as u8
    }
 }
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
 pub enum TierTransitionReason {
    SoftConfirmed,
    HardPressure,
    QuietDemotion,
 }
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
 pub struct TierTransition {
    pub from: AdaptiveTier,
    pub to: AdaptiveTier,
    pub reason: TierTransitionReason,
 }
 #[derive(Debug, Clone, Copy, Default)]
 pub struct RelaySignalSample {
    pub c2s_bytes: u64,
    pub s2c_requested_bytes: u64,
    pub s2c_written_bytes: u64,
    pub s2c_write_ops: u64,
    pub s2c_partial_writes: u64,
    pub s2c_consecutive_pending_writes: u32,
 }
 #[derive(Debug, Clone, Copy)]
 pub struct SessionAdaptiveController {
    tier: AdaptiveTier,
    max_tier_seen: AdaptiveTier,
    throughput_ema_bps: f64,
    incoming_ema_bps: f64,
    outgoing_ema_bps: f64,
    tier1_hold_ticks: u32,
    tier2_hold_ticks: u32,
    quiet_ticks: u32,
    hard_cooldown_ticks: u32,
 }
 impl SessionAdaptiveController {
    pub fn new(initial_tier: AdaptiveTier) -> Self {
        Self {
            tier: initial_tier,
            max_tier_seen: initial_tier,
            throughput_ema_bps: 0.0,
            incoming_ema_bps: 0.0,
            outgoing_ema_bps: 0.0,
            tier1_hold_ticks: 0,
            tier2_hold_ticks: 0,
            quiet_ticks: 0,
            hard_cooldown_ticks: 0,
        }
    }
    pub fn max_tier_seen(&self) -> AdaptiveTier {
        self.max_tier_seen
    }
    pub fn observe(&mut self, sample: RelaySignalSample, tick_secs: f64) -> Option<TierTransition> {
        if tick_secs <= f64::EPSILON {
            return None;
        }
        if self.hard_cooldown_ticks > 0 {
            self.hard_cooldown_ticks -= 1;
        }
        let c2s_bps = (sample.c2s_bytes as f64 * 8.0) / tick_secs;
        let incoming_bps = (sample.s2c_requested_bytes as f64 * 8.0) / tick_secs;
        let outgoing_bps = (sample.s2c_written_bytes as f64 * 8.0) / tick_secs;
        let throughput = c2s_bps.max(outgoing_bps);
        self.throughput_ema_bps = ema(self.throughput_ema_bps, throughput);
        self.incoming_ema_bps = ema(self.incoming_ema_bps, incoming_bps);
        self.outgoing_ema_bps = ema(self.outgoing_ema_bps, outgoing_bps);
        let tier1_now = self.throughput_ema_bps >= THROUGHPUT_UP_BPS;
        if tier1_now {
            self.tier1_hold_ticks = self.tier1_hold_ticks.saturating_add(1);
        } else {
            self.tier1_hold_ticks = 0;
        }
        let ratio = if self.outgoing_ema_bps <= f64::EPSILON {
            0.0
        } else {
            self.incoming_ema_bps / self.outgoing_ema_bps
        };
        let tier2_now = ratio >= RATIO_CONFIRM_THRESHOLD;
        if tier2_now {
            self.tier2_hold_ticks = self.tier2_hold_ticks.saturating_add(1);
        } else {
            self.tier2_hold_ticks = 0;
        }
        let partial_ratio = if sample.s2c_write_ops == 0 {
            0.0
        } else {
            sample.s2c_partial_writes as f64 / sample.s2c_write_ops as f64
        };
        let hard_now = sample.s2c_consecutive_pending_writes >= HARD_PENDING_THRESHOLD
            || partial_ratio >= HARD_PARTIAL_RATIO_THRESHOLD;
        if hard_now && self.hard_cooldown_ticks == 0 {
            return self.promote(TierTransitionReason::HardPressure, HARD_COOLDOWN_TICKS);
        }
        if self.tier1_hold_ticks >= TIER1_HOLD_TICKS && self.tier2_hold_ticks >= TIER2_HOLD_TICKS {
            return self.promote(TierTransitionReason::SoftConfirmed, 0);
        }
        let demote_candidate = self.throughput_ema_bps < THROUGHPUT_DOWN_BPS && !tier2_now && !hard_now;
        if demote_candidate {
            self.quiet_ticks = self.quiet_ticks.saturating_add(1);
            if self.quiet_ticks >= QUIET_DEMOTE_TICKS {
                self.quiet_ticks = 0;
                return self.demote(TierTransitionReason::QuietDemotion);
            }
        } else {
            self.quiet_ticks = 0;
        }
        None
    }
    fn promote(
        &mut self,
        reason: TierTransitionReason,
        hard_cooldown_ticks: u32,
    ) -> Option<TierTransition> {
        let from = self.tier;
        let to = from.promote();
        if from == to {
            return None;
        }
        self.tier = to;
        self.max_tier_seen = max(self.max_tier_seen, to);
        self.hard_cooldown_ticks = hard_cooldown_ticks;
        self.tier1_hold_ticks = 0;
        self.tier2_hold_ticks = 0;
        self.quiet_ticks = 0;
        Some(TierTransition { from, to, reason })
    }
    fn demote(&mut self, reason: TierTransitionReason) -> Option<TierTransition> {
        let from = self.tier;
        let to = from.demote();
        if from == to {
            return None;
        }
        self.tier = to;
        self.tier1_hold_ticks = 0;
        self.tier2_hold_ticks = 0;
        Some(TierTransition { from, to, reason })
    }
 }
 #[derive(Debug, Clone, Copy)]
 struct UserAdaptiveProfile {
    tier: AdaptiveTier,
    seen_at: Instant,
 }
 fn profiles() -> &'static DashMap<String, UserAdaptiveProfile> {
    static USER_PROFILES: OnceLock<DashMap<String, UserAdaptiveProfile>> = OnceLock::new();
    USER_PROFILES.get_or_init(DashMap::new)
 }
 pub fn seed_tier_for_user(user: &str) -> AdaptiveTier {
    let now = Instant::now();
    if let Some(entry) = profiles().get(user) {
        let value = entry.value();
        if now.duration_since(value.seen_at) <= PROFILE_TTL {
            return value.tier;
        }
    }
    AdaptiveTier::Base
 }
 pub fn record_user_tier(user: &str, tier: AdaptiveTier) {
    let now = Instant::now();
    if let Some(mut entry) = profiles().get_mut(user) {
        let existing = *entry;
        let effective = if now.duration_since(existing.seen_at) > PROFILE_TTL {
            tier
        } else {
            max(existing.tier, tier)
        };
        *entry = UserAdaptiveProfile {
            tier: effective,
            seen_at: now,
        };
        return;
    }
    profiles().insert(
        user.to_string(),
        UserAdaptiveProfile { tier, seen_at: now },
    );
 }
 pub fn direct_copy_buffers_for_tier(
    tier: AdaptiveTier,
    base_c2s: usize,
    base_s2c: usize,
 ) -> (usize, usize) {
    let (num, den) = tier.ratio();
    (
        scale(base_c2s, num, den, DIRECT_C2S_CAP_BYTES),
        scale(base_s2c, num, den, DIRECT_S2C_CAP_BYTES),
    )
 }
 pub fn me_flush_policy_for_tier(
    tier: AdaptiveTier,
    base_frames: usize,
    base_bytes: usize,
    base_delay: Duration,
 ) -> (usize, usize, Duration) {
    let (num, den) = tier.ratio();
    let frames = scale(base_frames, num, den, ME_FRAMES_CAP).max(1);
    let bytes = scale(base_bytes, num, den, ME_BYTES_CAP).max(4096);
    let delay_us = base_delay.as_micros() as u64;
    let adjusted_delay_us = match tier {
        AdaptiveTier::Base => delay_us,
        AdaptiveTier::Tier1 => (delay_us.saturating_mul(7)).saturating_div(10),
        AdaptiveTier::Tier2 => delay_us.saturating_div(2),
        AdaptiveTier::Tier3 => (delay_us.saturating_mul(3)).saturating_div(10),
    }
    .max(ME_DELAY_MIN_US)
    .min(delay_us.max(ME_DELAY_MIN_US));
    (frames, bytes, Duration::from_micros(adjusted_delay_us))
 }
 fn ema(prev: f64, value: f64) -> f64 {
    if prev <= f64::EPSILON {
        value
    } else {
        (prev * (1.0 - EMA_ALPHA)) + (value * EMA_ALPHA)
    }
 }
 fn scale(base: usize, numerator: usize, denominator: usize, cap: usize) -> usize {
    let scaled = base
        .saturating_mul(numerator)
        .saturating_div(denominator.max(1));
    scaled.min(cap).max(1)
 }
 #[cfg(test)]
 mod tests {
    use super::*;
    fn sample(
        c2s_bytes: u64,
        s2c_requested_bytes: u64,
        s2c_written_bytes: u64,
        s2c_write_ops: u64,
        s2c_partial_writes: u64,
        s2c_consecutive_pending_writes: u32,
    ) -> RelaySignalSample {
        RelaySignalSample {
            c2s_bytes,
            s2c_requested_bytes,
            s2c_written_bytes,
            s2c_write_ops,
            s2c_partial_writes,
            s2c_consecutive_pending_writes,
        }
    }
    #[test]
    fn test_soft_promotion_requires_tier1_and_tier2() {
        let mut ctrl = SessionAdaptiveController::new(AdaptiveTier::Base);
        let tick_secs = 0.25;
        let mut promoted = None;
        for _ in 0..8 {
            promoted = ctrl.observe(
                sample(
                    300_000, // ~9.6 Mbps
                    320_000, // incoming > outgoing to confirm tier2
                    250_000,
                    10,
                    0,
                    0,
                ),
                tick_secs,
            );
        }
        let transition = promoted.expect("expected soft promotion");
        assert_eq!(transition.from, AdaptiveTier::Base);
        assert_eq!(transition.to, AdaptiveTier::Tier1);
        assert_eq!(transition.reason, TierTransitionReason::SoftConfirmed);
    }
    #[test]
    fn test_hard_promotion_on_pending_pressure() {
        let mut ctrl = SessionAdaptiveController::new(AdaptiveTier::Base);
        let transition = ctrl
            .observe(
                sample(10_000, 20_000, 10_000, 4, 1, 3),
                0.25,
            )
            .expect("expected hard promotion");
        assert_eq!(transition.reason, TierTransitionReason::HardPressure);
        assert_eq!(transition.to, AdaptiveTier::Tier1);
    }
    #[test]
    fn test_quiet_demotion_is_slow_and_stepwise() {
        let mut ctrl = SessionAdaptiveController::new(AdaptiveTier::Tier2);
        let mut demotion = None;
        for _ in 0..QUIET_DEMOTE_TICKS {
            demotion = ctrl.observe(sample(1, 1, 1, 1, 0, 0), 0.25);
        }
        let transition = demotion.expect("expected quiet demotion");
        assert_eq!(transition.from, AdaptiveTier::Tier2);
        assert_eq!(transition.to, AdaptiveTier::Tier1);
        assert_eq!(transition.reason, TierTransitionReason::QuietDemotion);
    }
 }
--- a/src/proxy/client.rs
+++ b/src/proxy/client.rs
@@ -40,6 +40,7 @@ use crate::proxy::handshake::{HandshakeSuccess, handle_mtproto_handshake, handle
 use crate::proxy::masking::handle_bad_client;
 use crate::proxy::middle_relay::handle_via_middle_proxy;
 use crate::proxy::route_mode::{RelayRouteMode, RouteRuntimeController};
 use crate::proxy::session_eviction::register_session;
 fn beobachten_ttl(config: &ProxyConfig) -> Duration {
    Duration::from_secs(config.general.beobachten_minutes.saturating_mul(60))
@@ -731,6 +732,17 @@ impl RunningClientHandler {
            return Err(e);
        }
        let registration = register_session(&user, success.dc_idx);
        if registration.replaced_existing {
            stats.increment_reconnect_evict_total();
            warn!(
                user = %user,
                dc = success.dc_idx,
                "Reconnect detected: replacing active session for user+dc"
            );
        }
        let session_lease = registration.lease;
        let route_snapshot = route_runtime.snapshot();
        let session_id = rng.u64();
        let relay_result = if config.general.use_middle_proxy
@@ -750,6 +762,7 @@ impl RunningClientHandler {
                    route_runtime.subscribe(),
                    route_snapshot,
                    session_id,
                    session_lease.clone(),
                )
                .await
            } else {
@@ -766,6 +779,7 @@ impl RunningClientHandler {
                    route_runtime.subscribe(),
                    route_snapshot,
                    session_id,
                    session_lease.clone(),
                )
                .await
            }
@@ -783,6 +797,7 @@ impl RunningClientHandler {
                route_runtime.subscribe(),
                route_snapshot,
                session_id,
                session_lease.clone(),
            )
            .await
        };
--- a/src/proxy/direct_relay.rs
+++ b/src/proxy/direct_relay.rs
@@ -18,6 +18,8 @@ use crate::proxy::route_mode::{
    RelayRouteMode, RouteCutoverState, ROUTE_SWITCH_ERROR_MSG, affected_cutover_state,
    cutover_stagger_delay,
 };
 use crate::proxy::adaptive_buffers;
 use crate::proxy::session_eviction::SessionLease;
 use crate::stats::Stats;
 use crate::stream::{BufferPool, CryptoReader, CryptoWriter};
 use crate::transport::UpstreamManager;
@@ -34,6 +36,7 @@ pub(crate) async fn handle_via_direct<R, W>(
    mut route_rx: watch::Receiver<RouteCutoverState>,
    route_snapshot: RouteCutoverState,
    session_id: u64,
    session_lease: SessionLease,
 ) -> Result<()>
 where
    R: AsyncRead + Unpin + Send + 'static,
@@ -67,16 +70,26 @@ where
    stats.increment_user_curr_connects(user);
    stats.increment_current_connections_direct();
    let seed_tier = adaptive_buffers::seed_tier_for_user(user);
    let (c2s_copy_buf, s2c_copy_buf) = adaptive_buffers::direct_copy_buffers_for_tier(
        seed_tier,
        config.general.direct_relay_copy_buf_c2s_bytes,
        config.general.direct_relay_copy_buf_s2c_bytes,
    );
    let relay_result = relay_bidirectional(
        client_reader,
        client_writer,
        tg_reader,
        tg_writer,
-        config.general.direct_relay_copy_buf_c2s_bytes,
+        c2s_copy_buf,
-        config.general.direct_relay_copy_buf_s2c_bytes,
+        s2c_copy_buf,
        user,
        success.dc_idx,
        Arc::clone(&stats),
        buffer_pool,
        session_lease,
        seed_tier,
    );
    tokio::pin!(relay_result);
    let relay_result = loop {
--- a/src/proxy/middle_relay.rs
+++ b/src/proxy/middle_relay.rs
@@ -20,6 +20,8 @@ use crate::proxy::route_mode::{
    RelayRouteMode, RouteCutoverState, ROUTE_SWITCH_ERROR_MSG, affected_cutover_state,
    cutover_stagger_delay,
 };
 use crate::proxy::adaptive_buffers::{self, AdaptiveTier};
 use crate::proxy::session_eviction::SessionLease;
 use crate::stats::Stats;
 use crate::stream::{BufferPool, CryptoReader, CryptoWriter};
 use crate::transport::middle_proxy::{MePool, MeResponse, proto_flags_for_tag};
@@ -59,8 +61,8 @@ struct MeD2cFlushPolicy {
 }
 impl MeD2cFlushPolicy {
-    fn from_config(config: &ProxyConfig) -> Self {
+    fn from_config(config: &ProxyConfig, tier: AdaptiveTier) -> Self {
-        Self {
+        let base = Self {
            max_frames: config
                .general
                .me_d2c_flush_batch_max_frames
@@ -71,6 +73,18 @@ impl MeD2cFlushPolicy {
                .max(ME_D2C_FLUSH_BATCH_MAX_BYTES_MIN),
            max_delay: Duration::from_micros(config.general.me_d2c_flush_batch_max_delay_us),
            ack_flush_immediate: config.general.me_d2c_ack_flush_immediate,
        };
        let (max_frames, max_bytes, max_delay) = adaptive_buffers::me_flush_policy_for_tier(
            tier,
            base.max_frames,
            base.max_bytes,
            base.max_delay,
        );
        Self {
            max_frames,
            max_bytes,
            max_delay,
            ack_flush_immediate: base.ack_flush_immediate,
        }
    }
 }
@@ -208,6 +222,7 @@ fn should_yield_c2me_sender(sent_since_yield: usize, has_backlog: bool) -> bool
 async fn enqueue_c2me_command(
    tx: &mpsc::Sender<C2MeCommand>,
    cmd: C2MeCommand,
    send_timeout: Duration,
 ) -> std::result::Result<(), mpsc::error::SendError<C2MeCommand>> {
    match tx.try_send(cmd) {
        Ok(()) => Ok(()),
@@ -217,7 +232,17 @@ async fn enqueue_c2me_command(
            if tx.capacity() <= C2ME_SOFT_PRESSURE_MIN_FREE_SLOTS {
                tokio::task::yield_now().await;
            }
-            tx.send(cmd).await
+            if send_timeout.is_zero() {
                return tx.send(cmd).await;
            }
            match tokio::time::timeout(send_timeout, tx.reserve()).await {
                Ok(Ok(permit)) => {
                    permit.send(cmd);
                    Ok(())
                }
                Ok(Err(_)) => Err(mpsc::error::SendError(cmd)),
                Err(_) => Err(mpsc::error::SendError(cmd)),
            }
        }
    }
 }
@@ -235,6 +260,7 @@ pub(crate) async fn handle_via_middle_proxy<R, W>(
    mut route_rx: watch::Receiver<RouteCutoverState>,
    route_snapshot: RouteCutoverState,
    session_id: u64,
    session_lease: SessionLease,
 ) -> Result<()>
 where
    R: AsyncRead + Unpin + Send + 'static,
@@ -244,6 +270,7 @@ where
    let peer = success.peer;
    let proto_tag = success.proto_tag;
    let pool_generation = me_pool.current_generation();
    let seed_tier = adaptive_buffers::seed_tier_for_user(&user);
    debug!(
        user = %user,
@@ -295,6 +322,15 @@ where
        return Err(ProxyError::Proxy(ROUTE_SWITCH_ERROR_MSG.to_string()));
    }
    if session_lease.is_stale() {
        stats.increment_reconnect_stale_close_total();
        let _ = me_pool.send_close(conn_id).await;
        me_pool.registry().unregister(conn_id).await;
        stats.decrement_current_connections_me();
        stats.decrement_user_curr_connects(&user);
        return Err(ProxyError::Proxy("Session evicted by reconnect".to_string()));
    }
    // Per-user ad_tag from access.user_ad_tags; fallback to general.ad_tag (hot-reloadable)
    let user_tag: Option<Vec<u8>> = config
        .access
@@ -330,6 +366,7 @@ where
        .general
        .me_c2me_channel_capacity
        .max(C2ME_CHANNEL_CAPACITY_FALLBACK);
    let c2me_send_timeout = Duration::from_millis(config.general.me_c2me_send_timeout_ms);
    let (c2me_tx, mut c2me_rx) = mpsc::channel::<C2MeCommand>(c2me_channel_capacity);
    let me_pool_c2me = me_pool.clone();
    let effective_tag = effective_tag;
@@ -338,15 +375,42 @@ where
        while let Some(cmd) = c2me_rx.recv().await {
            match cmd {
                C2MeCommand::Data { payload, flags } => {
-                    me_pool_c2me.send_proxy_req(
+                    if c2me_send_timeout.is_zero() {
-                        conn_id,
+                        me_pool_c2me
-                        success.dc_idx,
+                            .send_proxy_req(
-                        peer,
+                                conn_id,
-                        translated_local_addr,
+                                success.dc_idx,
-                        payload.as_ref(),
+                                peer,
-                        flags,
+                                translated_local_addr,
-                        effective_tag.as_deref(),
+                                payload.as_ref(),
-                    ).await?;
+                                flags,
                                effective_tag.as_deref(),
                            )
                            .await?;
                    } else {
                        match tokio::time::timeout(
                            c2me_send_timeout,
                            me_pool_c2me.send_proxy_req(
                                conn_id,
                                success.dc_idx,
                                peer,
                                translated_local_addr,
                                payload.as_ref(),
                                flags,
                                effective_tag.as_deref(),
                            ),
                        )
                        .await
                        {
                            Ok(send_result) => send_result?,
                            Err(_) => {
                                return Err(ProxyError::Proxy(format!(
                                    "ME send timeout after {}ms",
                                    c2me_send_timeout.as_millis()
                                )));
                            }
                        }
                    }
                    sent_since_yield = sent_since_yield.saturating_add(1);
                    if should_yield_c2me_sender(sent_since_yield, !c2me_rx.is_empty()) {
                        sent_since_yield = 0;
@@ -368,7 +432,7 @@ where
    let rng_clone = rng.clone();
    let user_clone = user.clone();
    let bytes_me2c_clone = bytes_me2c.clone();
-    let d2c_flush_policy = MeD2cFlushPolicy::from_config(&config);
+    let d2c_flush_policy = MeD2cFlushPolicy::from_config(&config, seed_tier);
    let me_writer = tokio::spawn(async move {
        let mut writer = crypto_writer;
        let mut frame_buf = Vec::with_capacity(16 * 1024);
@@ -528,6 +592,12 @@ where
    let mut frame_counter: u64 = 0;
    let mut route_watch_open = true;
    loop {
        if session_lease.is_stale() {
            stats.increment_reconnect_stale_close_total();
            let _ = enqueue_c2me_command(&c2me_tx, C2MeCommand::Close, c2me_send_timeout).await;
            main_result = Err(ProxyError::Proxy("Session evicted by reconnect".to_string()));
            break;
        }
        if let Some(cutover) = affected_cutover_state(
            &route_rx,
            RelayRouteMode::Middle,
@@ -542,7 +612,7 @@ where
                "Cutover affected middle session, closing client connection"
            );
            tokio::time::sleep(delay).await;
-            let _ = enqueue_c2me_command(&c2me_tx, C2MeCommand::Close).await;
+            let _ = enqueue_c2me_command(&c2me_tx, C2MeCommand::Close, c2me_send_timeout).await;
            main_result = Err(ProxyError::Proxy(ROUTE_SWITCH_ERROR_MSG.to_string()));
            break;
        }
@@ -576,9 +646,13 @@ where
                            flags |= RPC_FLAG_NOT_ENCRYPTED;
                        }
                        // Keep client read loop lightweight: route heavy ME send path via a dedicated task.
-                        if enqueue_c2me_command(&c2me_tx, C2MeCommand::Data { payload, flags })
+                        if enqueue_c2me_command(
-                            .await
+                            &c2me_tx,
-                            .is_err()
+                            C2MeCommand::Data { payload, flags },
                            c2me_send_timeout,
                        )
                        .await
                        .is_err()
                        {
                            main_result = Err(ProxyError::Proxy("ME sender channel closed".into()));
                            break;
@@ -587,7 +661,12 @@ where
                    Ok(None) => {
                        debug!(conn_id, "Client EOF");
                        client_closed = true;
-                        let _ = enqueue_c2me_command(&c2me_tx, C2MeCommand::Close).await;
+                        let _ = enqueue_c2me_command(
                            &c2me_tx,
                            C2MeCommand::Close,
                            c2me_send_timeout,
                        )
                        .await;
                        break;
                    }
                    Err(e) => {
@@ -636,6 +715,7 @@ where
        frames_ok = frame_counter,
        "ME relay cleanup"
    );
    adaptive_buffers::record_user_tier(&user, seed_tier);
    me_pool.registry().unregister(conn_id).await;
    stats.decrement_current_connections_me();
    stats.decrement_user_curr_connects(&user);
@@ -961,6 +1041,7 @@ mod tests {
                payload: Bytes::from_static(&[1, 2, 3]),
                flags: 0,
            },
            TokioDuration::from_millis(50),
        )
        .await
        .unwrap();
@@ -996,6 +1077,7 @@ mod tests {
                    payload: Bytes::from_static(&[7, 7]),
                    flags: 7,
                },
                TokioDuration::from_millis(100),
            )
            .await
            .unwrap();
--- a/src/proxy/mod.rs
+++ b/src/proxy/mod.rs
@@ -1,5 +1,6 @@
 //! Proxy Defs
 pub mod adaptive_buffers;
 pub mod client;
 pub mod direct_relay;
 pub mod handshake;
@@ -7,6 +8,7 @@ pub mod masking;
 pub mod middle_relay;
 pub mod route_mode;
 pub mod relay;
 pub mod session_eviction;
 pub use client::ClientHandler;
 #[allow(unused_imports)]
--- a/src/proxy/relay.rs
+++ b/src/proxy/relay.rs
@@ -63,6 +63,10 @@ use tokio::io::{
 use tokio::time::Instant;
 use tracing::{debug, trace, warn};
 use crate::error::Result;
 use crate::proxy::adaptive_buffers::{
    self, AdaptiveTier, RelaySignalSample, SessionAdaptiveController, TierTransitionReason,
 };
 use crate::proxy::session_eviction::SessionLease;
 use crate::stats::Stats;
 use crate::stream::BufferPool;
@@ -79,6 +83,7 @@ const ACTIVITY_TIMEOUT: Duration = Duration::from_secs(1800);
 /// 10 seconds gives responsive timeout detection (±10s accuracy)
 /// without measurable overhead from atomic reads.
 const WATCHDOG_INTERVAL: Duration = Duration::from_secs(10);
 const ADAPTIVE_TICK: Duration = Duration::from_millis(250);
 // ============= CombinedStream =============
@@ -155,6 +160,16 @@ struct SharedCounters {
    s2c_ops: AtomicU64,
    /// Milliseconds since relay epoch of last I/O activity
    last_activity_ms: AtomicU64,
    /// Bytes requested to write to client (S→C direction).
    s2c_requested_bytes: AtomicU64,
    /// Total write operations for S→C direction.
    s2c_write_ops: AtomicU64,
    /// Number of partial writes to client.
    s2c_partial_writes: AtomicU64,
    /// Number of times S→C poll_write returned Pending.
    s2c_pending_writes: AtomicU64,
    /// Consecutive pending writes in S→C direction.
    s2c_consecutive_pending_writes: AtomicU64,
 }
 impl SharedCounters {
@@ -165,6 +180,11 @@ impl SharedCounters {
            c2s_ops: AtomicU64::new(0),
            s2c_ops: AtomicU64::new(0),
            last_activity_ms: AtomicU64::new(0),
            s2c_requested_bytes: AtomicU64::new(0),
            s2c_write_ops: AtomicU64::new(0),
            s2c_partial_writes: AtomicU64::new(0),
            s2c_pending_writes: AtomicU64::new(0),
            s2c_consecutive_pending_writes: AtomicU64::new(0),
        }
    }
@@ -259,9 +279,21 @@ impl<S: AsyncWrite + Unpin> AsyncWrite for StatsIo<S> {
        buf: &[u8],
    ) -> Poll<io::Result<usize>> {
        let this = self.get_mut();
        this.counters
            .s2c_requested_bytes
            .fetch_add(buf.len() as u64, Ordering::Relaxed);
        match Pin::new(&mut this.inner).poll_write(cx, buf) {
            Poll::Ready(Ok(n)) => {
                this.counters.s2c_write_ops.fetch_add(1, Ordering::Relaxed);
                this.counters
                    .s2c_consecutive_pending_writes
                    .store(0, Ordering::Relaxed);
                if n < buf.len() {
                    this.counters
                        .s2c_partial_writes
                        .fetch_add(1, Ordering::Relaxed);
                }
                if n > 0 {
                    // S→C: data written to client
                    this.counters.s2c_bytes.fetch_add(n as u64, Ordering::Relaxed);
@@ -275,6 +307,15 @@ impl<S: AsyncWrite + Unpin> AsyncWrite for StatsIo<S> {
                }
                Poll::Ready(Ok(n))
            }
            Poll::Pending => {
                this.counters
                    .s2c_pending_writes
                    .fetch_add(1, Ordering::Relaxed);
                this.counters
                    .s2c_consecutive_pending_writes
                    .fetch_add(1, Ordering::Relaxed);
                Poll::Pending
            }
            other => other,
        }
    }
@@ -316,8 +357,11 @@ pub async fn relay_bidirectional<CR, CW, SR, SW>(
    c2s_buf_size: usize,
    s2c_buf_size: usize,
    user: &str,
    dc_idx: i16,
    stats: Arc<Stats>,
    _buffer_pool: Arc<BufferPool>,
    session_lease: SessionLease,
    seed_tier: AdaptiveTier,
 ) -> Result<()>
 where
    CR: AsyncRead + Unpin + Send + 'static,
@@ -345,13 +389,33 @@ where
    // ── Watchdog: activity timeout + periodic rate logging ──────────
    let wd_counters = Arc::clone(&counters);
    let wd_user = user_owned.clone();
    let wd_dc = dc_idx;
    let wd_stats = Arc::clone(&stats);
    let wd_session = session_lease.clone();
    let watchdog = async {
-        let mut prev_c2s: u64 = 0;
+        let mut prev_c2s_log: u64 = 0;
-        let mut prev_s2c: u64 = 0;
+        let mut prev_s2c_log: u64 = 0;
        let mut prev_c2s_sample: u64 = 0;
        let mut prev_s2c_requested_sample: u64 = 0;
        let mut prev_s2c_written_sample: u64 = 0;
        let mut prev_s2c_write_ops_sample: u64 = 0;
        let mut prev_s2c_partial_sample: u64 = 0;
        let mut accumulated_log = Duration::ZERO;
        let mut adaptive = SessionAdaptiveController::new(seed_tier);
        loop {
-            tokio::time::sleep(WATCHDOG_INTERVAL).await;
+            tokio::time::sleep(ADAPTIVE_TICK).await;
            if wd_session.is_stale() {
                wd_stats.increment_reconnect_stale_close_total();
                warn!(
                    user = %wd_user,
                    dc = wd_dc,
                    "Session evicted by reconnect"
                );
                return;
            }
            let now = Instant::now();
            let idle = wd_counters.idle_duration(now, epoch);
@@ -370,11 +434,80 @@ where
                return; // Causes select! to cancel copy_bidirectional
            }
            let c2s_total = wd_counters.c2s_bytes.load(Ordering::Relaxed);
            let s2c_requested_total = wd_counters
                .s2c_requested_bytes
                .load(Ordering::Relaxed);
            let s2c_written_total = wd_counters.s2c_bytes.load(Ordering::Relaxed);
            let s2c_write_ops_total = wd_counters
                .s2c_write_ops
                .load(Ordering::Relaxed);
            let s2c_partial_total = wd_counters
                .s2c_partial_writes
                .load(Ordering::Relaxed);
            let consecutive_pending = wd_counters
                .s2c_consecutive_pending_writes
                .load(Ordering::Relaxed) as u32;
            let sample = RelaySignalSample {
                c2s_bytes: c2s_total.saturating_sub(prev_c2s_sample),
                s2c_requested_bytes: s2c_requested_total
                    .saturating_sub(prev_s2c_requested_sample),
                s2c_written_bytes: s2c_written_total
                    .saturating_sub(prev_s2c_written_sample),
                s2c_write_ops: s2c_write_ops_total
                    .saturating_sub(prev_s2c_write_ops_sample),
                s2c_partial_writes: s2c_partial_total
                    .saturating_sub(prev_s2c_partial_sample),
                s2c_consecutive_pending_writes: consecutive_pending,
            };
            if let Some(transition) = adaptive.observe(sample, ADAPTIVE_TICK.as_secs_f64()) {
                match transition.reason {
                    TierTransitionReason::SoftConfirmed => {
                        wd_stats.increment_relay_adaptive_promotions_total();
                    }
                    TierTransitionReason::HardPressure => {
                        wd_stats.increment_relay_adaptive_promotions_total();
                        wd_stats.increment_relay_adaptive_hard_promotions_total();
                    }
                    TierTransitionReason::QuietDemotion => {
                        wd_stats.increment_relay_adaptive_demotions_total();
                    }
                }
                adaptive_buffers::record_user_tier(&wd_user, adaptive.max_tier_seen());
                debug!(
                    user = %wd_user,
                    dc = wd_dc,
                    from_tier = transition.from.as_u8(),
                    to_tier = transition.to.as_u8(),
                    reason = ?transition.reason,
                    throughput_ema_bps = sample
                        .c2s_bytes
                        .max(sample.s2c_written_bytes)
                        .saturating_mul(8)
                        .saturating_mul(4),
                    "Adaptive relay tier transition"
                );
            }
            prev_c2s_sample = c2s_total;
            prev_s2c_requested_sample = s2c_requested_total;
            prev_s2c_written_sample = s2c_written_total;
            prev_s2c_write_ops_sample = s2c_write_ops_total;
            prev_s2c_partial_sample = s2c_partial_total;
            accumulated_log = accumulated_log.saturating_add(ADAPTIVE_TICK);
            if accumulated_log < WATCHDOG_INTERVAL {
                continue;
            }
            accumulated_log = Duration::ZERO;
            // ── Periodic rate logging ───────────────────────────────
            let c2s = wd_counters.c2s_bytes.load(Ordering::Relaxed);
            let s2c = wd_counters.s2c_bytes.load(Ordering::Relaxed);
-            let c2s_delta = c2s - prev_c2s;
+            let c2s_delta = c2s.saturating_sub(prev_c2s_log);
-            let s2c_delta = s2c - prev_s2c;
+            let s2c_delta = s2c.saturating_sub(prev_s2c_log);
            if c2s_delta > 0 || s2c_delta > 0 {
                let secs = WATCHDOG_INTERVAL.as_secs_f64();
@@ -388,8 +521,8 @@ where
                );
            }
-            prev_c2s = c2s;
+            prev_c2s_log = c2s;
-            prev_s2c = s2c;
+            prev_s2c_log = s2c;
        }
    };
@@ -424,6 +557,7 @@ where
    let c2s_ops = counters.c2s_ops.load(Ordering::Relaxed);
    let s2c_ops = counters.s2c_ops.load(Ordering::Relaxed);
    let duration = epoch.elapsed();
    adaptive_buffers::record_user_tier(&user_owned, seed_tier);
    match copy_result {
        Some(Ok((c2s, s2c))) => {
--- a/src/proxy/session_eviction.rs
+++ b/src/proxy/session_eviction.rs
@@ -0,0 +1,46 @@
 /// Session eviction is intentionally disabled in runtime.
 ///
 /// The initial `user+dc` single-lease model caused valid parallel client
 /// connections to evict each other. Keep the API shape for compatibility,
 /// but make it a no-op until a safer policy is introduced.
 #[derive(Debug, Clone, Default)]
 pub struct SessionLease;
 impl SessionLease {
    pub fn is_stale(&self) -> bool {
        false
    }
    #[allow(dead_code)]
    pub fn release(&self) {}
 }
 pub struct RegistrationResult {
    pub lease: SessionLease,
    pub replaced_existing: bool,
 }
 pub fn register_session(_user: &str, _dc_idx: i16) -> RegistrationResult {
    RegistrationResult {
        lease: SessionLease,
        replaced_existing: false,
    }
 }
 #[cfg(test)]
 mod tests {
    use super::*;
    #[test]
    fn test_session_eviction_disabled_behavior() {
        let first = register_session("alice", 2);
        let second = register_session("alice", 2);
        assert!(!first.replaced_existing);
        assert!(!second.replaced_existing);
        assert!(!first.lease.is_stale());
        assert!(!second.lease.is_stale());
        first.lease.release();
        second.lease.release();
    }
 }
--- a/src/stats/mod.rs
+++ b/src/stats/mod.rs
@@ -19,6 +19,137 @@ use tracing::debug;
 use crate::config::{MeTelemetryLevel, MeWriterPickMode};
 use self::telemetry::TelemetryPolicy;
 const ME_WRITER_TEARDOWN_MODE_COUNT: usize = 2;
 const ME_WRITER_TEARDOWN_REASON_COUNT: usize = 11;
 const ME_WRITER_CLEANUP_SIDE_EFFECT_STEP_COUNT: usize = 2;
 const ME_WRITER_TEARDOWN_DURATION_BUCKET_COUNT: usize = 12;
 const ME_WRITER_TEARDOWN_DURATION_BUCKET_BOUNDS_MICROS: [u64; ME_WRITER_TEARDOWN_DURATION_BUCKET_COUNT] = [
    1_000,
    5_000,
    10_000,
    25_000,
    50_000,
    100_000,
    250_000,
    500_000,
    1_000_000,
    2_500_000,
    5_000_000,
    10_000_000,
 ];
 const ME_WRITER_TEARDOWN_DURATION_BUCKET_LABELS: [&str; ME_WRITER_TEARDOWN_DURATION_BUCKET_COUNT] = [
    "0.001",
    "0.005",
    "0.01",
    "0.025",
    "0.05",
    "0.1",
    "0.25",
    "0.5",
    "1",
    "2.5",
    "5",
    "10",
 ];
 #[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
 #[repr(u8)]
 pub enum MeWriterTeardownMode {
    Normal = 0,
    HardDetach = 1,
 }
 impl MeWriterTeardownMode {
    pub const ALL: [Self; ME_WRITER_TEARDOWN_MODE_COUNT] =
        [Self::Normal, Self::HardDetach];
    pub const fn as_str(self) -> &'static str {
        match self {
            Self::Normal => "normal",
            Self::HardDetach => "hard_detach",
        }
    }
    const fn idx(self) -> usize {
        self as usize
    }
 }
 #[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
 #[repr(u8)]
 pub enum MeWriterTeardownReason {
    ReaderExit = 0,
    WriterTaskExit = 1,
    PingSendFail = 2,
    SignalSendFail = 3,
    RouteChannelClosed = 4,
    CloseRpcChannelClosed = 5,
    PruneClosedWriter = 6,
    ReapTimeoutExpired = 7,
    ReapThresholdForce = 8,
    ReapEmpty = 9,
    WatchdogStuckDraining = 10,
 }
 impl MeWriterTeardownReason {
    pub const ALL: [Self; ME_WRITER_TEARDOWN_REASON_COUNT] = [
        Self::ReaderExit,
        Self::WriterTaskExit,
        Self::PingSendFail,
        Self::SignalSendFail,
        Self::RouteChannelClosed,
        Self::CloseRpcChannelClosed,
        Self::PruneClosedWriter,
        Self::ReapTimeoutExpired,
        Self::ReapThresholdForce,
        Self::ReapEmpty,
        Self::WatchdogStuckDraining,
    ];
    pub const fn as_str(self) -> &'static str {
        match self {
            Self::ReaderExit => "reader_exit",
            Self::WriterTaskExit => "writer_task_exit",
            Self::PingSendFail => "ping_send_fail",
            Self::SignalSendFail => "signal_send_fail",
            Self::RouteChannelClosed => "route_channel_closed",
            Self::CloseRpcChannelClosed => "close_rpc_channel_closed",
            Self::PruneClosedWriter => "prune_closed_writer",
            Self::ReapTimeoutExpired => "reap_timeout_expired",
            Self::ReapThresholdForce => "reap_threshold_force",
            Self::ReapEmpty => "reap_empty",
            Self::WatchdogStuckDraining => "watchdog_stuck_draining",
        }
    }
    const fn idx(self) -> usize {
        self as usize
    }
 }
 #[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
 #[repr(u8)]
 pub enum MeWriterCleanupSideEffectStep {
    CloseSignalChannelFull = 0,
    CloseSignalChannelClosed = 1,
 }
 impl MeWriterCleanupSideEffectStep {
    pub const ALL: [Self; ME_WRITER_CLEANUP_SIDE_EFFECT_STEP_COUNT] =
        [Self::CloseSignalChannelFull, Self::CloseSignalChannelClosed];
    pub const fn as_str(self) -> &'static str {
        match self {
            Self::CloseSignalChannelFull => "close_signal_channel_full",
            Self::CloseSignalChannelClosed => "close_signal_channel_closed",
        }
    }
    const fn idx(self) -> usize {
        self as usize
    }
 }
 // ============= Stats =============
 #[derive(Default)]
@@ -120,9 +251,26 @@ pub struct Stats {
    pool_swap_total: AtomicU64,
    pool_drain_active: AtomicU64,
    pool_force_close_total: AtomicU64,
    pool_drain_soft_evict_total: AtomicU64,
    pool_drain_soft_evict_writer_total: AtomicU64,
    pool_stale_pick_total: AtomicU64,
    me_writer_close_signal_drop_total: AtomicU64,
    me_writer_close_signal_channel_full_total: AtomicU64,
    me_draining_writers_reap_progress_total: AtomicU64,
    me_writer_removed_total: AtomicU64,
    me_writer_removed_unexpected_total: AtomicU64,
    me_writer_teardown_attempt_total:
        [[AtomicU64; ME_WRITER_TEARDOWN_MODE_COUNT]; ME_WRITER_TEARDOWN_REASON_COUNT],
    me_writer_teardown_success_total: [AtomicU64; ME_WRITER_TEARDOWN_MODE_COUNT],
    me_writer_teardown_timeout_total: AtomicU64,
    me_writer_teardown_escalation_total: AtomicU64,
    me_writer_teardown_noop_total: AtomicU64,
    me_writer_cleanup_side_effect_failures_total:
        [AtomicU64; ME_WRITER_CLEANUP_SIDE_EFFECT_STEP_COUNT],
    me_writer_teardown_duration_bucket_hits:
        [[AtomicU64; ME_WRITER_TEARDOWN_DURATION_BUCKET_COUNT + 1]; ME_WRITER_TEARDOWN_MODE_COUNT],
    me_writer_teardown_duration_sum_micros: [AtomicU64; ME_WRITER_TEARDOWN_MODE_COUNT],
    me_writer_teardown_duration_count: [AtomicU64; ME_WRITER_TEARDOWN_MODE_COUNT],
    me_refill_triggered_total: AtomicU64,
    me_refill_skipped_inflight_total: AtomicU64,
    me_refill_failed_total: AtomicU64,
@@ -133,6 +281,11 @@ pub struct Stats {
    me_inline_recovery_total: AtomicU64,
    ip_reservation_rollback_tcp_limit_total: AtomicU64,
    ip_reservation_rollback_quota_limit_total: AtomicU64,
    relay_adaptive_promotions_total: AtomicU64,
    relay_adaptive_demotions_total: AtomicU64,
    relay_adaptive_hard_promotions_total: AtomicU64,
    reconnect_evict_total: AtomicU64,
    reconnect_stale_close_total: AtomicU64,
    telemetry_core_enabled: AtomicBool,
    telemetry_user_enabled: AtomicBool,
    telemetry_me_level: AtomicU8,
@@ -285,6 +438,36 @@ impl Stats {
    pub fn decrement_current_connections_me(&self) {
        Self::decrement_atomic_saturating(&self.current_connections_me);
    }
    pub fn increment_relay_adaptive_promotions_total(&self) {
        if self.telemetry_core_enabled() {
            self.relay_adaptive_promotions_total
                .fetch_add(1, Ordering::Relaxed);
        }
    }
    pub fn increment_relay_adaptive_demotions_total(&self) {
        if self.telemetry_core_enabled() {
            self.relay_adaptive_demotions_total
                .fetch_add(1, Ordering::Relaxed);
        }
    }
    pub fn increment_relay_adaptive_hard_promotions_total(&self) {
        if self.telemetry_core_enabled() {
            self.relay_adaptive_hard_promotions_total
                .fetch_add(1, Ordering::Relaxed);
        }
    }
    pub fn increment_reconnect_evict_total(&self) {
        if self.telemetry_core_enabled() {
            self.reconnect_evict_total
                .fetch_add(1, Ordering::Relaxed);
        }
    }
    pub fn increment_reconnect_stale_close_total(&self) {
        if self.telemetry_core_enabled() {
            self.reconnect_stale_close_total
                .fetch_add(1, Ordering::Relaxed);
        }
    }
    pub fn increment_handshake_timeouts(&self) {
        if self.telemetry_core_enabled() {
            self.handshake_timeouts.fetch_add(1, Ordering::Relaxed);
@@ -680,11 +863,41 @@ impl Stats {
            self.pool_force_close_total.fetch_add(1, Ordering::Relaxed);
        }
    }
    pub fn increment_pool_drain_soft_evict_total(&self) {
        if self.telemetry_me_allows_normal() {
            self.pool_drain_soft_evict_total
                .fetch_add(1, Ordering::Relaxed);
        }
    }
    pub fn increment_pool_drain_soft_evict_writer_total(&self) {
        if self.telemetry_me_allows_normal() {
            self.pool_drain_soft_evict_writer_total
                .fetch_add(1, Ordering::Relaxed);
        }
    }
    pub fn increment_pool_stale_pick_total(&self) {
        if self.telemetry_me_allows_normal() {
            self.pool_stale_pick_total.fetch_add(1, Ordering::Relaxed);
        }
    }
    pub fn increment_me_writer_close_signal_drop_total(&self) {
        if self.telemetry_me_allows_normal() {
            self.me_writer_close_signal_drop_total
                .fetch_add(1, Ordering::Relaxed);
        }
    }
    pub fn increment_me_writer_close_signal_channel_full_total(&self) {
        if self.telemetry_me_allows_normal() {
            self.me_writer_close_signal_channel_full_total
                .fetch_add(1, Ordering::Relaxed);
        }
    }
    pub fn increment_me_draining_writers_reap_progress_total(&self) {
        if self.telemetry_me_allows_normal() {
            self.me_draining_writers_reap_progress_total
                .fetch_add(1, Ordering::Relaxed);
        }
    }
    pub fn increment_me_writer_removed_total(&self) {
        if self.telemetry_me_allows_debug() {
            self.me_writer_removed_total.fetch_add(1, Ordering::Relaxed);
@@ -695,6 +908,74 @@ impl Stats {
            self.me_writer_removed_unexpected_total.fetch_add(1, Ordering::Relaxed);
        }
    }
    pub fn increment_me_writer_teardown_attempt_total(
        &self,
        reason: MeWriterTeardownReason,
        mode: MeWriterTeardownMode,
    ) {
        if self.telemetry_me_allows_normal() {
            self.me_writer_teardown_attempt_total[reason.idx()][mode.idx()]
                .fetch_add(1, Ordering::Relaxed);
        }
    }
    pub fn increment_me_writer_teardown_success_total(&self, mode: MeWriterTeardownMode) {
        if self.telemetry_me_allows_normal() {
            self.me_writer_teardown_success_total[mode.idx()].fetch_add(1, Ordering::Relaxed);
        }
    }
    pub fn increment_me_writer_teardown_timeout_total(&self) {
        if self.telemetry_me_allows_normal() {
            self.me_writer_teardown_timeout_total
                .fetch_add(1, Ordering::Relaxed);
        }
    }
    pub fn increment_me_writer_teardown_escalation_total(&self) {
        if self.telemetry_me_allows_normal() {
            self.me_writer_teardown_escalation_total
                .fetch_add(1, Ordering::Relaxed);
        }
    }
    pub fn increment_me_writer_teardown_noop_total(&self) {
        if self.telemetry_me_allows_normal() {
            self.me_writer_teardown_noop_total
                .fetch_add(1, Ordering::Relaxed);
        }
    }
    pub fn increment_me_writer_cleanup_side_effect_failures_total(
        &self,
        step: MeWriterCleanupSideEffectStep,
    ) {
        if self.telemetry_me_allows_normal() {
            self.me_writer_cleanup_side_effect_failures_total[step.idx()]
                .fetch_add(1, Ordering::Relaxed);
        }
    }
    pub fn observe_me_writer_teardown_duration(
        &self,
        mode: MeWriterTeardownMode,
        duration: Duration,
    ) {
        if !self.telemetry_me_allows_normal() {
            return;
        }
        let duration_micros = duration.as_micros().min(u64::MAX as u128) as u64;
        let mut bucket_idx = ME_WRITER_TEARDOWN_DURATION_BUCKET_COUNT;
        for (idx, upper_bound_micros) in ME_WRITER_TEARDOWN_DURATION_BUCKET_BOUNDS_MICROS
            .iter()
            .copied()
            .enumerate()
        {
            if duration_micros <= upper_bound_micros {
                bucket_idx = idx;
                break;
            }
        }
        self.me_writer_teardown_duration_bucket_hits[mode.idx()][bucket_idx]
            .fetch_add(1, Ordering::Relaxed);
        self.me_writer_teardown_duration_sum_micros[mode.idx()]
            .fetch_add(duration_micros, Ordering::Relaxed);
        self.me_writer_teardown_duration_count[mode.idx()].fetch_add(1, Ordering::Relaxed);
    }
    pub fn increment_me_refill_triggered_total(&self) {
        if self.telemetry_me_allows_debug() {
            self.me_refill_triggered_total.fetch_add(1, Ordering::Relaxed);
@@ -933,6 +1214,22 @@ impl Stats {
        self.get_current_connections_direct()
            .saturating_add(self.get_current_connections_me())
    }
    pub fn get_relay_adaptive_promotions_total(&self) -> u64 {
        self.relay_adaptive_promotions_total.load(Ordering::Relaxed)
    }
    pub fn get_relay_adaptive_demotions_total(&self) -> u64 {
        self.relay_adaptive_demotions_total.load(Ordering::Relaxed)
    }
    pub fn get_relay_adaptive_hard_promotions_total(&self) -> u64 {
        self.relay_adaptive_hard_promotions_total
            .load(Ordering::Relaxed)
    }
    pub fn get_reconnect_evict_total(&self) -> u64 {
        self.reconnect_evict_total.load(Ordering::Relaxed)
    }
    pub fn get_reconnect_stale_close_total(&self) -> u64 {
        self.reconnect_stale_close_total.load(Ordering::Relaxed)
    }
    pub fn get_me_keepalive_sent(&self) -> u64 { self.me_keepalive_sent.load(Ordering::Relaxed) }
    pub fn get_me_keepalive_failed(&self) -> u64 { self.me_keepalive_failed.load(Ordering::Relaxed) }
    pub fn get_me_keepalive_pong(&self) -> u64 { self.me_keepalive_pong.load(Ordering::Relaxed) }
@@ -1185,15 +1482,105 @@ impl Stats {
    pub fn get_pool_force_close_total(&self) -> u64 {
        self.pool_force_close_total.load(Ordering::Relaxed)
    }
    pub fn get_pool_drain_soft_evict_total(&self) -> u64 {
        self.pool_drain_soft_evict_total.load(Ordering::Relaxed)
    }
    pub fn get_pool_drain_soft_evict_writer_total(&self) -> u64 {
        self.pool_drain_soft_evict_writer_total.load(Ordering::Relaxed)
    }
    pub fn get_pool_stale_pick_total(&self) -> u64 {
        self.pool_stale_pick_total.load(Ordering::Relaxed)
    }
    pub fn get_me_writer_close_signal_drop_total(&self) -> u64 {
        self.me_writer_close_signal_drop_total.load(Ordering::Relaxed)
    }
    pub fn get_me_writer_close_signal_channel_full_total(&self) -> u64 {
        self.me_writer_close_signal_channel_full_total
            .load(Ordering::Relaxed)
    }
    pub fn get_me_draining_writers_reap_progress_total(&self) -> u64 {
        self.me_draining_writers_reap_progress_total
            .load(Ordering::Relaxed)
    }
    pub fn get_me_writer_removed_total(&self) -> u64 {
        self.me_writer_removed_total.load(Ordering::Relaxed)
    }
    pub fn get_me_writer_removed_unexpected_total(&self) -> u64 {
        self.me_writer_removed_unexpected_total.load(Ordering::Relaxed)
    }
    pub fn get_me_writer_teardown_attempt_total(
        &self,
        reason: MeWriterTeardownReason,
        mode: MeWriterTeardownMode,
    ) -> u64 {
        self.me_writer_teardown_attempt_total[reason.idx()][mode.idx()]
            .load(Ordering::Relaxed)
    }
    pub fn get_me_writer_teardown_attempt_total_by_mode(&self, mode: MeWriterTeardownMode) -> u64 {
        MeWriterTeardownReason::ALL
            .iter()
            .copied()
            .map(|reason| self.get_me_writer_teardown_attempt_total(reason, mode))
            .sum()
    }
    pub fn get_me_writer_teardown_success_total(&self, mode: MeWriterTeardownMode) -> u64 {
        self.me_writer_teardown_success_total[mode.idx()].load(Ordering::Relaxed)
    }
    pub fn get_me_writer_teardown_timeout_total(&self) -> u64 {
        self.me_writer_teardown_timeout_total.load(Ordering::Relaxed)
    }
    pub fn get_me_writer_teardown_escalation_total(&self) -> u64 {
        self.me_writer_teardown_escalation_total
            .load(Ordering::Relaxed)
    }
    pub fn get_me_writer_teardown_noop_total(&self) -> u64 {
        self.me_writer_teardown_noop_total.load(Ordering::Relaxed)
    }
    pub fn get_me_writer_cleanup_side_effect_failures_total(
        &self,
        step: MeWriterCleanupSideEffectStep,
    ) -> u64 {
        self.me_writer_cleanup_side_effect_failures_total[step.idx()]
            .load(Ordering::Relaxed)
    }
    pub fn get_me_writer_cleanup_side_effect_failures_total_all(&self) -> u64 {
        MeWriterCleanupSideEffectStep::ALL
            .iter()
            .copied()
            .map(|step| self.get_me_writer_cleanup_side_effect_failures_total(step))
            .sum()
    }
    pub fn me_writer_teardown_duration_bucket_labels(
    ) -> &'static [&'static str; ME_WRITER_TEARDOWN_DURATION_BUCKET_COUNT] {
        &ME_WRITER_TEARDOWN_DURATION_BUCKET_LABELS
    }
    pub fn get_me_writer_teardown_duration_bucket_hits(
        &self,
        mode: MeWriterTeardownMode,
        bucket_idx: usize,
    ) -> u64 {
        self.me_writer_teardown_duration_bucket_hits[mode.idx()][bucket_idx]
            .load(Ordering::Relaxed)
    }
    pub fn get_me_writer_teardown_duration_bucket_total(
        &self,
        mode: MeWriterTeardownMode,
        bucket_idx: usize,
    ) -> u64 {
        let capped_idx = bucket_idx.min(ME_WRITER_TEARDOWN_DURATION_BUCKET_COUNT);
        let mut total = 0u64;
        for idx in 0..=capped_idx {
            total = total.saturating_add(self.get_me_writer_teardown_duration_bucket_hits(mode, idx));
        }
        total
    }
    pub fn get_me_writer_teardown_duration_count(&self, mode: MeWriterTeardownMode) -> u64 {
        self.me_writer_teardown_duration_count[mode.idx()].load(Ordering::Relaxed)
    }
    pub fn get_me_writer_teardown_duration_sum_seconds(&self, mode: MeWriterTeardownMode) -> f64 {
        self.me_writer_teardown_duration_sum_micros[mode.idx()].load(Ordering::Relaxed) as f64
            / 1_000_000.0
    }
    pub fn get_me_refill_triggered_total(&self) -> u64 {
        self.me_refill_triggered_total.load(Ordering::Relaxed)
    }
@@ -1258,6 +1645,9 @@ impl Stats {
    }
    pub fn decrement_user_curr_connects(&self, user: &str) {
        if !self.telemetry_user_enabled() {
            return;
        }
        self.maybe_cleanup_user_stats();
        if let Some(stats) = self.user_stats.get(user) {
            Self::touch_user_stats(stats.value());
@@ -1694,6 +2084,79 @@ mod tests {
        assert_eq!(stats.get_me_keepalive_sent(), 0);
        assert_eq!(stats.get_me_route_drop_queue_full(), 0);
    }
    #[test]
    fn test_teardown_counters_and_duration() {
        let stats = Stats::new();
        stats.increment_me_writer_teardown_attempt_total(
            MeWriterTeardownReason::ReaderExit,
            MeWriterTeardownMode::Normal,
        );
        stats.increment_me_writer_teardown_success_total(MeWriterTeardownMode::Normal);
        stats.observe_me_writer_teardown_duration(
            MeWriterTeardownMode::Normal,
            Duration::from_millis(3),
        );
        stats.increment_me_writer_cleanup_side_effect_failures_total(
            MeWriterCleanupSideEffectStep::CloseSignalChannelFull,
        );
        assert_eq!(
            stats.get_me_writer_teardown_attempt_total(
                MeWriterTeardownReason::ReaderExit,
                MeWriterTeardownMode::Normal
            ),
            1
        );
        assert_eq!(
            stats.get_me_writer_teardown_success_total(MeWriterTeardownMode::Normal),
            1
        );
        assert_eq!(
            stats.get_me_writer_teardown_duration_count(MeWriterTeardownMode::Normal),
            1
        );
        assert!(
            stats.get_me_writer_teardown_duration_sum_seconds(MeWriterTeardownMode::Normal) > 0.0
        );
        assert_eq!(
            stats.get_me_writer_cleanup_side_effect_failures_total(
                MeWriterCleanupSideEffectStep::CloseSignalChannelFull
            ),
            1
        );
    }
    #[test]
    fn test_teardown_counters_respect_me_silent() {
        let stats = Stats::new();
        stats.apply_telemetry_policy(TelemetryPolicy {
            core_enabled: true,
            user_enabled: true,
            me_level: MeTelemetryLevel::Silent,
        });
        stats.increment_me_writer_teardown_attempt_total(
            MeWriterTeardownReason::ReaderExit,
            MeWriterTeardownMode::Normal,
        );
        stats.increment_me_writer_teardown_timeout_total();
        stats.observe_me_writer_teardown_duration(
            MeWriterTeardownMode::Normal,
            Duration::from_millis(1),
        );
        assert_eq!(
            stats.get_me_writer_teardown_attempt_total(
                MeWriterTeardownReason::ReaderExit,
                MeWriterTeardownMode::Normal
            ),
            0
        );
        assert_eq!(stats.get_me_writer_teardown_timeout_total(), 0);
        assert_eq!(
            stats.get_me_writer_teardown_duration_count(MeWriterTeardownMode::Normal),
            0
        );
    }
    #[test]
    fn test_replay_checker_basic() {
--- a/src/stream/buffer_pool.rs
+++ b/src/stream/buffer_pool.rs
@@ -14,8 +14,7 @@ use std::sync::Arc;
 // ============= Configuration =============
 /// Default buffer size
-/// CHANGED: Reduced from 64KB to 16KB to match TLS record size and prevent bufferbloat.
+pub const DEFAULT_BUFFER_SIZE: usize = 64 * 1024;
 pub const DEFAULT_BUFFER_SIZE: usize = 16 * 1024;
 /// Default maximum number of pooled buffers
 pub const DEFAULT_MAX_BUFFERS: usize = 1024;
--- a/src/transport/middle_proxy/config_updater.rs
+++ b/src/transport/middle_proxy/config_updater.rs
@@ -298,7 +298,13 @@ async fn run_update_cycle(
    pool.update_runtime_reinit_policy(
        cfg.general.hardswap,
        cfg.general.me_pool_drain_ttl_secs,
        cfg.general.me_instadrain,
        cfg.general.me_pool_drain_threshold,
        cfg.general.me_pool_drain_soft_evict_enabled,
        cfg.general.me_pool_drain_soft_evict_grace_secs,
        cfg.general.me_pool_drain_soft_evict_per_writer,
        cfg.general.me_pool_drain_soft_evict_budget_per_core,
        cfg.general.me_pool_drain_soft_evict_cooldown_ms,
        cfg.general.effective_me_pool_force_close_secs(),
        cfg.general.me_pool_min_fresh_ratio,
        cfg.general.me_hardswap_warmup_delay_min_ms,
@@ -525,7 +531,13 @@ pub async fn me_config_updater(
                pool.update_runtime_reinit_policy(
                    cfg.general.hardswap,
                    cfg.general.me_pool_drain_ttl_secs,
                    cfg.general.me_instadrain,
                    cfg.general.me_pool_drain_threshold,
                    cfg.general.me_pool_drain_soft_evict_enabled,
                    cfg.general.me_pool_drain_soft_evict_grace_secs,
                    cfg.general.me_pool_drain_soft_evict_per_writer,
                    cfg.general.me_pool_drain_soft_evict_budget_per_core,
                    cfg.general.me_pool_drain_soft_evict_cooldown_ms,
                    cfg.general.effective_me_pool_force_close_secs(),
                    cfg.general.me_pool_min_fresh_ratio,
                    cfg.general.me_hardswap_warmup_delay_min_ms,
--- a/src/transport/middle_proxy/health.rs
+++ b/src/transport/middle_proxy/health.rs
@@ -10,8 +10,10 @@ use tracing::{debug, info, warn};
 use crate::config::MeFloorMode;
 use crate::crypto::SecureRandom;
 use crate::network::IpFamily;
 use crate::stats::MeWriterTeardownReason;
 use super::MePool;
 use super::pool::MeWriter;
 const JITTER_FRAC_NUM: u64 = 2; // jitter up to 50% of backoff
 #[allow(dead_code)]
@@ -25,6 +27,13 @@ const HEALTH_RECONNECT_BUDGET_PER_CORE: usize = 2;
 const HEALTH_RECONNECT_BUDGET_PER_DC: usize = 1;
 const HEALTH_RECONNECT_BUDGET_MIN: usize = 4;
 const HEALTH_RECONNECT_BUDGET_MAX: usize = 128;
 const HEALTH_DRAIN_CLOSE_BUDGET_PER_CORE: usize = 16;
 const HEALTH_DRAIN_CLOSE_BUDGET_MIN: usize = 16;
 const HEALTH_DRAIN_CLOSE_BUDGET_MAX: usize = 256;
 const HEALTH_DRAIN_SOFT_EVICT_BUDGET_MIN: usize = 8;
 const HEALTH_DRAIN_SOFT_EVICT_BUDGET_MAX: usize = 256;
 const HEALTH_DRAIN_REAP_OPPORTUNISTIC_INTERVAL_SECS: u64 = 1;
 const HEALTH_DRAIN_TIMEOUT_ENFORCER_INTERVAL_SECS: u64 = 1;
 #[derive(Debug, Clone)]
 struct DcFloorPlanEntry {
@@ -63,6 +72,7 @@ pub async fn me_health_monitor(pool: Arc<MePool>, rng: Arc<SecureRandom>, _min_c
    let mut adaptive_recover_until: HashMap<(i32, IpFamily), Instant> = HashMap::new();
    let mut floor_warn_next_allowed: HashMap<(i32, IpFamily), Instant> = HashMap::new();
    let mut drain_warn_next_allowed: HashMap<u64, Instant> = HashMap::new();
    let mut drain_soft_evict_next_allowed: HashMap<u64, Instant> = HashMap::new();
    let mut degraded_interval = true;
    loop {
        let interval = if degraded_interval {
@@ -72,7 +82,12 @@ pub async fn me_health_monitor(pool: Arc<MePool>, rng: Arc<SecureRandom>, _min_c
        };
        tokio::time::sleep(interval).await;
        pool.prune_closed_writers().await;
-        reap_draining_writers(&pool, &mut drain_warn_next_allowed).await;
+        reap_draining_writers(
            &pool,
            &mut drain_warn_next_allowed,
            &mut drain_soft_evict_next_allowed,
        )
        .await;
        let v4_degraded = check_family(
            IpFamily::V4,
            &pool,
@@ -88,6 +103,8 @@ pub async fn me_health_monitor(pool: Arc<MePool>, rng: Arc<SecureRandom>, _min_c
            &mut adaptive_idle_since,
            &mut adaptive_recover_until,
            &mut floor_warn_next_allowed,
            &mut drain_warn_next_allowed,
            &mut drain_soft_evict_next_allowed,
        )
        .await;
        let v6_degraded = check_family(
@@ -105,15 +122,67 @@ pub async fn me_health_monitor(pool: Arc<MePool>, rng: Arc<SecureRandom>, _min_c
            &mut adaptive_idle_since,
            &mut adaptive_recover_until,
            &mut floor_warn_next_allowed,
            &mut drain_warn_next_allowed,
            &mut drain_soft_evict_next_allowed,
        )
        .await;
        degraded_interval = v4_degraded || v6_degraded;
    }
 }
-async fn reap_draining_writers(
+pub async fn me_drain_timeout_enforcer(pool: Arc<MePool>) {
    let mut drain_warn_next_allowed: HashMap<u64, Instant> = HashMap::new();
    let mut drain_soft_evict_next_allowed: HashMap<u64, Instant> = HashMap::new();
    loop {
        tokio::time::sleep(Duration::from_secs(
            HEALTH_DRAIN_TIMEOUT_ENFORCER_INTERVAL_SECS,
        ))
        .await;
        reap_draining_writers(
            &pool,
            &mut drain_warn_next_allowed,
            &mut drain_soft_evict_next_allowed,
        )
        .await;
    }
 }
 fn draining_writer_timeout_expired(
    pool: &MePool,
    writer: &MeWriter,
    now_epoch_secs: u64,
    drain_ttl_secs: u64,
 ) -> bool {
    if pool
        .me_instadrain
        .load(std::sync::atomic::Ordering::Relaxed)
    {
        return true;
    }
    let deadline_epoch_secs = writer
        .drain_deadline_epoch_secs
        .load(std::sync::atomic::Ordering::Relaxed);
    if deadline_epoch_secs != 0 {
        return now_epoch_secs >= deadline_epoch_secs;
    }
    if drain_ttl_secs == 0 {
        return false;
    }
    let drain_started_at_epoch_secs = writer
        .draining_started_at_epoch_secs
        .load(std::sync::atomic::Ordering::Relaxed);
    if drain_started_at_epoch_secs == 0 {
        return false;
    }
    now_epoch_secs.saturating_sub(drain_started_at_epoch_secs) > drain_ttl_secs
 }
 pub(super) async fn reap_draining_writers(
    pool: &Arc<MePool>,
    warn_next_allowed: &mut HashMap<u64, Instant>,
    soft_evict_next_allowed: &mut HashMap<u64, Instant>,
 ) {
    let now_epoch_secs = MePool::now_epoch_secs();
    let now = Instant::now();
@@ -122,14 +191,27 @@ async fn reap_draining_writers(
        .me_pool_drain_threshold
        .load(std::sync::atomic::Ordering::Relaxed);
    let writers = pool.writers.read().await.clone();
    let activity = pool.registry.writer_activity_snapshot().await;
    let mut draining_writers = Vec::new();
    let mut empty_writer_ids = Vec::<u64>::new();
    let mut timeout_expired_writer_ids = Vec::<u64>::new();
    let mut force_close_writer_ids = Vec::<u64>::new();
    for writer in writers {
        if !writer.draining.load(std::sync::atomic::Ordering::Relaxed) {
            continue;
        }
-        let is_empty = pool.registry.is_writer_empty(writer.id).await;
+        if draining_writer_timeout_expired(pool, &writer, now_epoch_secs, drain_ttl_secs) {
-        if is_empty {
+            timeout_expired_writer_ids.push(writer.id);
-            pool.remove_writer_and_close_clients(writer.id).await;
+            continue;
        }
        if activity
            .bound_clients_by_writer
            .get(&writer.id)
            .copied()
            .unwrap_or(0)
            == 0
        {
            empty_writer_ids.push(writer.id);
            continue;
        }
        draining_writers.push(writer);
@@ -156,12 +238,13 @@ async fn reap_draining_writers(
            "ME draining writer threshold exceeded, force-closing oldest draining writers"
        );
        for writer in draining_writers.drain(..overflow) {
-            pool.stats.increment_pool_force_close_total();
+            force_close_writer_ids.push(writer.id);
            pool.remove_writer_and_close_clients(writer.id).await;
        }
    }
-    for writer in draining_writers {
+    let mut active_draining_writer_ids = HashSet::with_capacity(draining_writers.len());
    for writer in &draining_writers {
        active_draining_writer_ids.insert(writer.id);
        let drain_started_at_epoch_secs = writer
            .draining_started_at_epoch_secs
            .load(std::sync::atomic::Ordering::Relaxed);
@@ -186,15 +269,166 @@ async fn reap_draining_writers(
                "ME draining writer remains non-empty past drain TTL"
            );
        }
-        let deadline_epoch_secs = writer
+    }
-            .drain_deadline_epoch_secs
+
-            .load(std::sync::atomic::Ordering::Relaxed);
+    warn_next_allowed.retain(|writer_id, _| active_draining_writer_ids.contains(writer_id));
-        if deadline_epoch_secs != 0 && now_epoch_secs >= deadline_epoch_secs {
+    soft_evict_next_allowed.retain(|writer_id, _| active_draining_writer_ids.contains(writer_id));
-            warn!(writer_id = writer.id, "Drain timeout, force-closing");
+
-            pool.stats.increment_pool_force_close_total();
+    if pool.drain_soft_evict_enabled() && drain_ttl_secs > 0 && !draining_writers.is_empty() {
-            pool.remove_writer_and_close_clients(writer.id).await;
+        let mut force_close_ids = HashSet::<u64>::with_capacity(force_close_writer_ids.len());
        for writer_id in &force_close_writer_ids {
            force_close_ids.insert(*writer_id);
        }
        let soft_grace_secs = pool.drain_soft_evict_grace_secs();
        let soft_trigger_age_secs = drain_ttl_secs.saturating_add(soft_grace_secs);
        let per_writer_limit = pool.drain_soft_evict_per_writer();
        let soft_budget = health_drain_soft_evict_budget(pool);
        let soft_cooldown = pool.drain_soft_evict_cooldown();
        let mut soft_evicted_total = 0usize;
        for writer in &draining_writers {
            if soft_evicted_total >= soft_budget {
                break;
            }
            if force_close_ids.contains(&writer.id) {
                continue;
            }
            if pool.writer_accepts_new_binding(writer) {
                continue;
            }
            let started_epoch_secs = writer
                .draining_started_at_epoch_secs
                .load(std::sync::atomic::Ordering::Relaxed);
            if started_epoch_secs == 0
                || now_epoch_secs.saturating_sub(started_epoch_secs) < soft_trigger_age_secs
            {
                continue;
            }
            if !should_emit_writer_warn(
                soft_evict_next_allowed,
                writer.id,
                now,
                soft_cooldown,
            ) {
                continue;
            }
            let remaining_budget = soft_budget.saturating_sub(soft_evicted_total);
            let limit = per_writer_limit.min(remaining_budget);
            if limit == 0 {
                break;
            }
            let conn_ids = pool
                .registry
                .bound_conn_ids_for_writer_limited(writer.id, limit)
                .await;
            if conn_ids.is_empty() {
                continue;
            }
            let mut evicted_for_writer = 0usize;
            for conn_id in conn_ids {
                if pool.registry.evict_bound_conn_if_writer(conn_id, writer.id).await {
                    evicted_for_writer = evicted_for_writer.saturating_add(1);
                    soft_evicted_total = soft_evicted_total.saturating_add(1);
                    pool.stats.increment_pool_drain_soft_evict_total();
                    if soft_evicted_total >= soft_budget {
                        break;
                    }
                }
            }
            if evicted_for_writer > 0 {
                pool.stats.increment_pool_drain_soft_evict_writer_total();
                info!(
                    writer_id = writer.id,
                    writer_dc = writer.writer_dc,
                    endpoint = %writer.addr,
                    drained_connections = evicted_for_writer,
                    soft_budget,
                    soft_trigger_age_secs,
                    "ME draining writer soft-evicted bound clients"
                );
            }
        }
    }
    let mut closed_writer_ids = HashSet::<u64>::new();
    for writer_id in timeout_expired_writer_ids {
        if !closed_writer_ids.insert(writer_id) {
            continue;
        }
        pool.stats.increment_pool_force_close_total();
        pool.remove_writer_and_close_clients(writer_id, MeWriterTeardownReason::ReapTimeoutExpired)
            .await;
        pool.stats
            .increment_me_draining_writers_reap_progress_total();
    }
    let requested_force_close = force_close_writer_ids.len();
    let requested_empty_close = empty_writer_ids.len();
    let requested_close_total = requested_force_close.saturating_add(requested_empty_close);
    let close_budget = health_drain_close_budget();
    let mut closed_total = 0usize;
    for writer_id in force_close_writer_ids {
        if closed_total >= close_budget {
            break;
        }
        if !closed_writer_ids.insert(writer_id) {
            continue;
        }
        pool.stats.increment_pool_force_close_total();
        pool.remove_writer_and_close_clients(writer_id, MeWriterTeardownReason::ReapThresholdForce)
            .await;
        pool.stats
            .increment_me_draining_writers_reap_progress_total();
        closed_total = closed_total.saturating_add(1);
    }
    for writer_id in empty_writer_ids {
        if closed_total >= close_budget {
            break;
        }
        if !closed_writer_ids.insert(writer_id) {
            continue;
        }
        pool.remove_writer_and_close_clients(writer_id, MeWriterTeardownReason::ReapEmpty)
            .await;
        pool.stats
            .increment_me_draining_writers_reap_progress_total();
        closed_total = closed_total.saturating_add(1);
    }
    let pending_close_total = requested_close_total.saturating_sub(closed_total);
    if pending_close_total > 0 {
        warn!(
            close_budget,
            closed_total,
            pending_close_total,
            "ME draining close backlog deferred to next health cycle"
        );
    }
 }
 pub(super) fn health_drain_close_budget() -> usize {
    let cpu_cores = std::thread::available_parallelism()
        .map(std::num::NonZeroUsize::get)
        .unwrap_or(1);
    cpu_cores
        .saturating_mul(HEALTH_DRAIN_CLOSE_BUDGET_PER_CORE)
        .clamp(HEALTH_DRAIN_CLOSE_BUDGET_MIN, HEALTH_DRAIN_CLOSE_BUDGET_MAX)
 }
 pub(super) fn health_drain_soft_evict_budget(pool: &MePool) -> usize {
    let cpu_cores = std::thread::available_parallelism()
        .map(std::num::NonZeroUsize::get)
        .unwrap_or(1);
    let per_core = pool.drain_soft_evict_budget_per_core();
    cpu_cores
        .saturating_mul(per_core)
        .clamp(
            HEALTH_DRAIN_SOFT_EVICT_BUDGET_MIN,
            HEALTH_DRAIN_SOFT_EVICT_BUDGET_MAX,
        )
 }
 fn should_emit_writer_warn(
@@ -229,6 +463,8 @@ async fn check_family(
    adaptive_idle_since: &mut HashMap<(i32, IpFamily), Instant>,
    adaptive_recover_until: &mut HashMap<(i32, IpFamily), Instant>,
    floor_warn_next_allowed: &mut HashMap<(i32, IpFamily), Instant>,
    drain_warn_next_allowed: &mut HashMap<u64, Instant>,
    drain_soft_evict_next_allowed: &mut HashMap<u64, Instant>,
 ) -> bool {
    let enabled = match family {
        IpFamily::V4 => pool.decision.ipv4_me,
@@ -309,8 +545,15 @@ async fn check_family(
        floor_plan.active_writers_current,
        floor_plan.warm_writers_current,
    );
    let mut next_drain_reap_at = Instant::now();
    for (dc, endpoints) in dc_endpoints {
        if Instant::now() >= next_drain_reap_at {
            reap_draining_writers(pool, drain_warn_next_allowed, drain_soft_evict_next_allowed)
                .await;
            next_drain_reap_at = Instant::now()
                + Duration::from_secs(HEALTH_DRAIN_REAP_OPPORTUNISTIC_INTERVAL_SECS);
        }
        if endpoints.is_empty() {
            continue;
        }
@@ -454,6 +697,12 @@ async fn check_family(
        let mut restored = 0usize;
        for _ in 0..missing {
            if Instant::now() >= next_drain_reap_at {
                reap_draining_writers(pool, drain_warn_next_allowed, drain_soft_evict_next_allowed)
                    .await;
                next_drain_reap_at = Instant::now()
                    + Duration::from_secs(HEALTH_DRAIN_REAP_OPPORTUNISTIC_INTERVAL_SECS);
            }
            if reconnect_budget == 0 {
                break;
            }
@@ -1305,6 +1554,187 @@ async fn maybe_rotate_single_endpoint_shadow(
    );
 }
 /// Last-resort safety net for draining writers stuck past their deadline.
 ///
 /// Runs every `TICK_SECS` and force-closes any draining writer whose
 /// `drain_deadline_epoch_secs` has been exceeded by more than a threshold.
 ///
 /// Two thresholds:
 ///   - `SOFT_THRESHOLD_SECS` (60s): writers with no bound clients
 ///   - `HARD_THRESHOLD_SECS` (300s): writers WITH bound clients (unconditional)
 ///
 /// Intentionally kept trivial and independent of pool config to minimise
 /// the probability of panicking itself. Uses `SystemTime` directly
 /// as a fallback clock source and timeouts on every lock acquisition
 /// and writer removal so one stuck writer cannot block the rest.
 pub async fn me_zombie_writer_watchdog(pool: Arc<MePool>) {
    use std::time::{SystemTime, UNIX_EPOCH};
    const TICK_SECS: u64 = 30;
    const SOFT_THRESHOLD_SECS: u64 = 60;
    const HARD_THRESHOLD_SECS: u64 = 300;
    const LOCK_TIMEOUT_SECS: u64 = 5;
    const REMOVE_TIMEOUT_SECS: u64 = 10;
    const HARD_DETACH_TIMEOUT_STREAK: u8 = 3;
    let mut removal_timeout_streak = HashMap::<u64, u8>::new();
    loop {
        tokio::time::sleep(Duration::from_secs(TICK_SECS)).await;
        let now = match SystemTime::now().duration_since(UNIX_EPOCH) {
            Ok(d) => d.as_secs(),
            Err(_) => continue,
        };
        // Phase 1: collect zombie IDs under a short read-lock with timeout.
        let zombie_ids_with_meta: Vec<(u64, bool)> = {
            let Ok(ws) = tokio::time::timeout(
                Duration::from_secs(LOCK_TIMEOUT_SECS),
                pool.writers.read(),
            )
            .await
            else {
                warn!("zombie_watchdog: writers read-lock timeout, skipping tick");
                continue;
            };
            ws.iter()
                .filter(|w| w.draining.load(std::sync::atomic::Ordering::Relaxed))
                .filter_map(|w| {
                    let deadline = w
                        .drain_deadline_epoch_secs
                        .load(std::sync::atomic::Ordering::Relaxed);
                    if deadline == 0 {
                        return None;
                    }
                    let overdue = now.saturating_sub(deadline);
                    if overdue == 0 {
                        return None;
                    }
                    let started = w
                        .draining_started_at_epoch_secs
                        .load(std::sync::atomic::Ordering::Relaxed);
                    let drain_age = now.saturating_sub(started);
                    if drain_age > HARD_THRESHOLD_SECS {
                        return Some((w.id, true));
                    }
                    if overdue > SOFT_THRESHOLD_SECS {
                        return Some((w.id, false));
                    }
                    None
                })
                .collect()
        };
        // read lock released here
        if zombie_ids_with_meta.is_empty() {
            removal_timeout_streak.clear();
            continue;
        }
        let mut active_zombie_ids = HashSet::<u64>::with_capacity(zombie_ids_with_meta.len());
        for (writer_id, _) in &zombie_ids_with_meta {
            active_zombie_ids.insert(*writer_id);
        }
        removal_timeout_streak.retain(|writer_id, _| active_zombie_ids.contains(writer_id));
        warn!(
            zombie_count = zombie_ids_with_meta.len(),
            soft_threshold_secs = SOFT_THRESHOLD_SECS,
            hard_threshold_secs = HARD_THRESHOLD_SECS,
            "Zombie draining writers detected by watchdog, force-closing"
        );
        // Phase 2: remove each writer individually with a timeout.
        // One stuck removal cannot block the rest.
        for (writer_id, had_clients) in &zombie_ids_with_meta {
            let result = tokio::time::timeout(
                Duration::from_secs(REMOVE_TIMEOUT_SECS),
                pool.remove_writer_and_close_clients(
                    *writer_id,
                    MeWriterTeardownReason::WatchdogStuckDraining,
                ),
            )
            .await;
            match result {
                Ok(true) => {
                    removal_timeout_streak.remove(writer_id);
                    pool.stats.increment_pool_force_close_total();
                    pool.stats
                        .increment_me_draining_writers_reap_progress_total();
                    info!(
                        writer_id,
                        had_clients,
                        "Zombie writer removed by watchdog"
                    );
                }
                Ok(false) => {
                    removal_timeout_streak.remove(writer_id);
                    debug!(
                        writer_id,
                        had_clients,
                        "Zombie writer watchdog removal became no-op"
                    );
                }
                Err(_) => {
                    pool.stats.increment_me_writer_teardown_timeout_total();
                    let streak = removal_timeout_streak
                        .entry(*writer_id)
                        .and_modify(|value| *value = value.saturating_add(1))
                        .or_insert(1);
                    warn!(
                        writer_id,
                        had_clients,
                        timeout_streak = *streak,
                        "Zombie writer removal timed out"
                    );
                    if *streak < HARD_DETACH_TIMEOUT_STREAK {
                        continue;
                    }
                    pool.stats.increment_me_writer_teardown_escalation_total();
                    let hard_detach = tokio::time::timeout(
                        Duration::from_secs(REMOVE_TIMEOUT_SECS),
                        pool.remove_draining_writer_hard_detach(
                            *writer_id,
                            MeWriterTeardownReason::WatchdogStuckDraining,
                        ),
                    )
                    .await;
                    match hard_detach {
                        Ok(true) => {
                            removal_timeout_streak.remove(writer_id);
                            pool.stats.increment_pool_force_close_total();
                            pool.stats
                                .increment_me_draining_writers_reap_progress_total();
                            info!(
                                writer_id,
                                had_clients,
                                "Zombie writer hard-detached after repeated timeouts"
                            );
                        }
                        Ok(false) => {
                            removal_timeout_streak.remove(writer_id);
                            debug!(
                                writer_id,
                                had_clients,
                                "Zombie hard-detach skipped (writer already gone or no longer draining)"
                            );
                        }
                        Err(_) => {
                            pool.stats.increment_me_writer_teardown_timeout_total();
                            warn!(
                                writer_id,
                                had_clients,
                                "Zombie hard-detach timed out, will retry next tick"
                            );
                        }
                    }
                }
            }
        }
    }
 }
 #[cfg(test)]
 mod tests {
    use std::collections::HashMap;
@@ -1381,7 +1811,13 @@ mod tests {
            general.me_adaptive_floor_max_warm_writers_global,
            general.hardswap,
            general.me_pool_drain_ttl_secs,
            general.me_instadrain,
            general.me_pool_drain_threshold,
            general.me_pool_drain_soft_evict_enabled,
            general.me_pool_drain_soft_evict_grace_secs,
            general.me_pool_drain_soft_evict_per_writer,
            general.me_pool_drain_soft_evict_budget_per_core,
            general.me_pool_drain_soft_evict_cooldown_ms,
            general.effective_me_pool_force_close_secs(),
            general.me_pool_min_fresh_ratio,
            general.me_hardswap_warmup_delay_min_ms,
@@ -1406,6 +1842,8 @@ mod tests {
            general.me_warn_rate_limit_ms,
            MeRouteNoWriterMode::default(),
            general.me_route_no_writer_wait_ms,
            general.me_route_hybrid_max_wait_ms,
            general.me_route_blocking_send_timeout_ms,
            general.me_route_inline_recovery_attempts,
            general.me_route_inline_recovery_wait_ms,
        )
@@ -1463,8 +1901,9 @@ mod tests {
        let conn_b = insert_draining_writer(&pool, 20, now_epoch_secs.saturating_sub(20)).await;
        let conn_c = insert_draining_writer(&pool, 30, now_epoch_secs.saturating_sub(10)).await;
        let mut warn_next_allowed = HashMap::new();
        let mut soft_evict_next_allowed = HashMap::new();
-        reap_draining_writers(&pool, &mut warn_next_allowed).await;
+        reap_draining_writers(&pool, &mut warn_next_allowed, &mut soft_evict_next_allowed).await;
        let writer_ids: Vec<u64> = pool.writers.read().await.iter().map(|writer| writer.id).collect();
        assert_eq!(writer_ids, vec![20, 30]);
@@ -1481,8 +1920,9 @@ mod tests {
        let conn_b = insert_draining_writer(&pool, 20, now_epoch_secs.saturating_sub(20)).await;
        let conn_c = insert_draining_writer(&pool, 30, now_epoch_secs.saturating_sub(10)).await;
        let mut warn_next_allowed = HashMap::new();
        let mut soft_evict_next_allowed = HashMap::new();
-        reap_draining_writers(&pool, &mut warn_next_allowed).await;
+        reap_draining_writers(&pool, &mut warn_next_allowed, &mut soft_evict_next_allowed).await;
        let writer_ids: Vec<u64> = pool.writers.read().await.iter().map(|writer| writer.id).collect();
        assert_eq!(writer_ids, vec![10, 20, 30]);
--- a/src/transport/middle_proxy/health_adversarial_tests.rs
+++ b/src/transport/middle_proxy/health_adversarial_tests.rs
@@ -0,0 +1,458 @@
 use std::collections::HashMap;
 use std::net::{IpAddr, Ipv4Addr, SocketAddr};
 use std::sync::Arc;
 use std::sync::atomic::{AtomicBool, AtomicU8, AtomicU32, AtomicU64, Ordering};
 use std::time::{Duration, Instant};
 use tokio::sync::mpsc;
 use tokio_util::sync::CancellationToken;
 use super::codec::WriterCommand;
 use super::health::{health_drain_close_budget, reap_draining_writers};
 use super::pool::{MePool, MeWriter, WriterContour};
 use super::registry::ConnMeta;
 use super::me_health_monitor;
 use crate::config::{GeneralConfig, MeRouteNoWriterMode, MeSocksKdfPolicy, MeWriterPickMode};
 use crate::crypto::SecureRandom;
 use crate::network::probe::NetworkDecision;
 use crate::stats::Stats;
 async fn make_pool(
    me_pool_drain_threshold: u64,
    me_health_interval_ms_unhealthy: u64,
    me_health_interval_ms_healthy: u64,
 ) -> (Arc<MePool>, Arc<SecureRandom>) {
    let general = GeneralConfig {
        me_pool_drain_threshold,
        me_health_interval_ms_unhealthy,
        me_health_interval_ms_healthy,
        ..GeneralConfig::default()
    };
    let rng = Arc::new(SecureRandom::new());
    let pool = MePool::new(
        None,
        vec![1u8; 32],
        None,
        false,
        None,
        Vec::new(),
        1,
        None,
        12,
        1200,
        HashMap::new(),
        HashMap::new(),
        None,
        NetworkDecision::default(),
        None,
        rng.clone(),
        Arc::new(Stats::default()),
        general.me_keepalive_enabled,
        general.me_keepalive_interval_secs,
        general.me_keepalive_jitter_secs,
        general.me_keepalive_payload_random,
        general.rpc_proxy_req_every,
        general.me_warmup_stagger_enabled,
        general.me_warmup_step_delay_ms,
        general.me_warmup_step_jitter_ms,
        general.me_reconnect_max_concurrent_per_dc,
        general.me_reconnect_backoff_base_ms,
        general.me_reconnect_backoff_cap_ms,
        general.me_reconnect_fast_retry_count,
        general.me_single_endpoint_shadow_writers,
        general.me_single_endpoint_outage_mode_enabled,
        general.me_single_endpoint_outage_disable_quarantine,
        general.me_single_endpoint_outage_backoff_min_ms,
        general.me_single_endpoint_outage_backoff_max_ms,
        general.me_single_endpoint_shadow_rotate_every_secs,
        general.me_floor_mode,
        general.me_adaptive_floor_idle_secs,
        general.me_adaptive_floor_min_writers_single_endpoint,
        general.me_adaptive_floor_min_writers_multi_endpoint,
        general.me_adaptive_floor_recover_grace_secs,
        general.me_adaptive_floor_writers_per_core_total,
        general.me_adaptive_floor_cpu_cores_override,
        general.me_adaptive_floor_max_extra_writers_single_per_core,
        general.me_adaptive_floor_max_extra_writers_multi_per_core,
        general.me_adaptive_floor_max_active_writers_per_core,
        general.me_adaptive_floor_max_warm_writers_per_core,
        general.me_adaptive_floor_max_active_writers_global,
        general.me_adaptive_floor_max_warm_writers_global,
        general.hardswap,
        general.me_pool_drain_ttl_secs,
        general.me_instadrain,
        general.me_pool_drain_threshold,
        general.me_pool_drain_soft_evict_enabled,
        general.me_pool_drain_soft_evict_grace_secs,
        general.me_pool_drain_soft_evict_per_writer,
        general.me_pool_drain_soft_evict_budget_per_core,
        general.me_pool_drain_soft_evict_cooldown_ms,
        general.effective_me_pool_force_close_secs(),
        general.me_pool_min_fresh_ratio,
        general.me_hardswap_warmup_delay_min_ms,
        general.me_hardswap_warmup_delay_max_ms,
        general.me_hardswap_warmup_extra_passes,
        general.me_hardswap_warmup_pass_backoff_base_ms,
        general.me_bind_stale_mode,
        general.me_bind_stale_ttl_secs,
        general.me_secret_atomic_snapshot,
        general.me_deterministic_writer_sort,
        MeWriterPickMode::default(),
        general.me_writer_pick_sample_size,
        MeSocksKdfPolicy::default(),
        general.me_writer_cmd_channel_capacity,
        general.me_route_channel_capacity,
        general.me_route_backpressure_base_timeout_ms,
        general.me_route_backpressure_high_timeout_ms,
        general.me_route_backpressure_high_watermark_pct,
        general.me_reader_route_data_wait_ms,
        general.me_health_interval_ms_unhealthy,
        general.me_health_interval_ms_healthy,
        general.me_warn_rate_limit_ms,
        MeRouteNoWriterMode::default(),
        general.me_route_no_writer_wait_ms,
        general.me_route_hybrid_max_wait_ms,
        general.me_route_blocking_send_timeout_ms,
        general.me_route_inline_recovery_attempts,
        general.me_route_inline_recovery_wait_ms,
    );
    (pool, rng)
 }
 async fn insert_draining_writer(
    pool: &Arc<MePool>,
    writer_id: u64,
    drain_started_at_epoch_secs: u64,
    bound_clients: usize,
    drain_deadline_epoch_secs: u64,
 ) {
    let (tx, _writer_rx) = mpsc::channel::<WriterCommand>(8);
    let writer = MeWriter {
        id: writer_id,
        addr: SocketAddr::new(IpAddr::V4(Ipv4Addr::LOCALHOST), 6000 + writer_id as u16),
        source_ip: IpAddr::V4(Ipv4Addr::LOCALHOST),
        writer_dc: 2,
        generation: 1,
        contour: Arc::new(AtomicU8::new(WriterContour::Draining.as_u8())),
        created_at: Instant::now() - Duration::from_secs(writer_id),
        tx: tx.clone(),
        cancel: CancellationToken::new(),
        degraded: Arc::new(AtomicBool::new(false)),
        rtt_ema_ms_x10: Arc::new(AtomicU32::new(0)),
        draining: Arc::new(AtomicBool::new(true)),
        draining_started_at_epoch_secs: Arc::new(AtomicU64::new(drain_started_at_epoch_secs)),
        drain_deadline_epoch_secs: Arc::new(AtomicU64::new(drain_deadline_epoch_secs)),
        allow_drain_fallback: Arc::new(AtomicBool::new(false)),
    };
    pool.writers.write().await.push(writer);
    pool.registry.register_writer(writer_id, tx).await;
    pool.conn_count.fetch_add(1, Ordering::Relaxed);
    for idx in 0..bound_clients {
        let (conn_id, _rx) = pool.registry.register().await;
        assert!(
            pool.registry
                .bind_writer(
                    conn_id,
                    writer_id,
                    ConnMeta {
                        target_dc: 2,
                        client_addr: SocketAddr::new(
                            IpAddr::V4(Ipv4Addr::LOCALHOST),
                            8000 + idx as u16,
                        ),
                        our_addr: SocketAddr::new(IpAddr::V4(Ipv4Addr::LOCALHOST), 443),
                        proto_flags: 0,
                    },
                )
                .await
        );
    }
 }
 async fn writer_count(pool: &Arc<MePool>) -> usize {
    pool.writers.read().await.len()
 }
 async fn sorted_writer_ids(pool: &Arc<MePool>) -> Vec<u64> {
    let mut ids = pool
        .writers
        .read()
        .await
        .iter()
        .map(|writer| writer.id)
        .collect::<Vec<_>>();
    ids.sort_unstable();
    ids
 }
 #[tokio::test]
 async fn reap_draining_writers_clears_warn_state_when_pool_empty() {
    let (pool, _rng) = make_pool(128, 1, 1).await;
    let mut warn_next_allowed = HashMap::new();
    let mut soft_evict_next_allowed = HashMap::new();
    warn_next_allowed.insert(11, Instant::now() + Duration::from_secs(5));
    warn_next_allowed.insert(22, Instant::now() + Duration::from_secs(5));
    reap_draining_writers(&pool, &mut warn_next_allowed, &mut soft_evict_next_allowed).await;
    assert!(warn_next_allowed.is_empty());
 }
 #[tokio::test]
 async fn reap_draining_writers_respects_threshold_across_multiple_overflow_cycles() {
    let threshold = 3u64;
    let (pool, _rng) = make_pool(threshold, 1, 1).await;
    pool.me_pool_drain_soft_evict_enabled
        .store(false, Ordering::Relaxed);
    let now_epoch_secs = MePool::now_epoch_secs();
    for writer_id in 1..=60u64 {
        insert_draining_writer(
            &pool,
            writer_id,
            now_epoch_secs.saturating_sub(20),
            1,
            0,
        )
        .await;
    }
    let mut warn_next_allowed = HashMap::new();
    let mut soft_evict_next_allowed = HashMap::new();
    for _ in 0..64 {
        reap_draining_writers(&pool, &mut warn_next_allowed, &mut soft_evict_next_allowed).await;
        if writer_count(&pool).await <= threshold as usize {
            break;
        }
    }
    assert_eq!(writer_count(&pool).await, threshold as usize);
    assert_eq!(sorted_writer_ids(&pool).await, vec![1, 2, 3]);
 }
 #[tokio::test]
 async fn reap_draining_writers_handles_large_empty_writer_population() {
    let (pool, _rng) = make_pool(128, 1, 1).await;
    let now_epoch_secs = MePool::now_epoch_secs();
    let total = health_drain_close_budget().saturating_mul(3).saturating_add(27);
    for writer_id in 1..=total as u64 {
        insert_draining_writer(
            &pool,
            writer_id,
            now_epoch_secs.saturating_sub(120),
            0,
            0,
        )
        .await;
    }
    let mut warn_next_allowed = HashMap::new();
    let mut soft_evict_next_allowed = HashMap::new();
    for _ in 0..24 {
        if writer_count(&pool).await == 0 {
            break;
        }
        reap_draining_writers(&pool, &mut warn_next_allowed, &mut soft_evict_next_allowed).await;
    }
    assert_eq!(writer_count(&pool).await, 0);
 }
 #[tokio::test]
 async fn reap_draining_writers_processes_mass_deadline_expiry_without_unbounded_growth() {
    let (pool, _rng) = make_pool(128, 1, 1).await;
    let now_epoch_secs = MePool::now_epoch_secs();
    let total = health_drain_close_budget().saturating_mul(4).saturating_add(31);
    for writer_id in 1..=total as u64 {
        insert_draining_writer(
            &pool,
            writer_id,
            now_epoch_secs.saturating_sub(180),
            1,
            now_epoch_secs.saturating_sub(1),
        )
        .await;
    }
    let mut warn_next_allowed = HashMap::new();
    let mut soft_evict_next_allowed = HashMap::new();
    for _ in 0..40 {
        if writer_count(&pool).await == 0 {
            break;
        }
        reap_draining_writers(&pool, &mut warn_next_allowed, &mut soft_evict_next_allowed).await;
    }
    assert_eq!(writer_count(&pool).await, 0);
 }
 #[tokio::test]
 async fn reap_draining_writers_maintains_warn_state_subset_property_under_bulk_churn() {
    let (pool, _rng) = make_pool(128, 1, 1).await;
    let now_epoch_secs = MePool::now_epoch_secs();
    let mut warn_next_allowed = HashMap::new();
    let mut soft_evict_next_allowed = HashMap::new();
    for wave in 0..40u64 {
        for offset in 0..8u64 {
            insert_draining_writer(
                &pool,
                wave * 100 + offset,
                now_epoch_secs.saturating_sub(400 + offset),
                1,
                0,
            )
            .await;
        }
        reap_draining_writers(&pool, &mut warn_next_allowed, &mut soft_evict_next_allowed).await;
        assert!(warn_next_allowed.len() <= writer_count(&pool).await);
        let ids = sorted_writer_ids(&pool).await;
        for writer_id in ids.into_iter().take(3) {
            let _ = pool
                .remove_writer_and_close_clients(
                    writer_id,
                    crate::stats::MeWriterTeardownReason::ReapEmpty,
                )
                .await;
        }
        reap_draining_writers(&pool, &mut warn_next_allowed, &mut soft_evict_next_allowed).await;
        assert!(warn_next_allowed.len() <= writer_count(&pool).await);
    }
 }
 #[tokio::test]
 async fn reap_draining_writers_budgeted_cleanup_never_increases_pool_size() {
    let (pool, _rng) = make_pool(5, 1, 1).await;
    let now_epoch_secs = MePool::now_epoch_secs();
    for writer_id in 1..=200u64 {
        insert_draining_writer(
            &pool,
            writer_id,
            now_epoch_secs.saturating_sub(240).saturating_add(writer_id),
            1,
            0,
        )
        .await;
    }
    let mut warn_next_allowed = HashMap::new();
    let mut soft_evict_next_allowed = HashMap::new();
    let mut previous = writer_count(&pool).await;
    for _ in 0..32 {
        reap_draining_writers(&pool, &mut warn_next_allowed, &mut soft_evict_next_allowed).await;
        let current = writer_count(&pool).await;
        assert!(current <= previous);
        previous = current;
    }
 }
 #[tokio::test]
 async fn me_health_monitor_converges_to_threshold_under_live_injection_churn() {
    let threshold = 7u64;
    let (pool, rng) = make_pool(threshold, 1, 1).await;
    let now_epoch_secs = MePool::now_epoch_secs();
    for writer_id in 1..=40u64 {
        insert_draining_writer(
            &pool,
            writer_id,
            now_epoch_secs.saturating_sub(300).saturating_add(writer_id),
            1,
            0,
        )
        .await;
    }
    let monitor = tokio::spawn(me_health_monitor(pool.clone(), rng, 0));
    for wave in 0..8u64 {
        for offset in 0..10u64 {
            insert_draining_writer(
                &pool,
                1000 + wave * 100 + offset,
                now_epoch_secs.saturating_sub(120).saturating_add(offset),
                1,
                0,
            )
            .await;
        }
        tokio::time::sleep(Duration::from_millis(5)).await;
    }
    tokio::time::sleep(Duration::from_millis(120)).await;
    monitor.abort();
    let _ = monitor.await;
    assert!(writer_count(&pool).await <= threshold as usize);
 }
 #[tokio::test]
 async fn me_health_monitor_drains_deadline_storm_with_budgeted_progress() {
    let (pool, rng) = make_pool(128, 1, 1).await;
    let now_epoch_secs = MePool::now_epoch_secs();
    for writer_id in 1..=220u64 {
        insert_draining_writer(
            &pool,
            writer_id,
            now_epoch_secs.saturating_sub(120),
            1,
            now_epoch_secs.saturating_sub(1),
        )
        .await;
    }
    let monitor = tokio::spawn(me_health_monitor(pool.clone(), rng, 0));
    tokio::time::sleep(Duration::from_millis(120)).await;
    monitor.abort();
    let _ = monitor.await;
    assert_eq!(writer_count(&pool).await, 0);
 }
 #[tokio::test]
 async fn me_health_monitor_eliminates_mixed_empty_and_deadline_backlog() {
    let threshold = 12u64;
    let (pool, rng) = make_pool(threshold, 1, 1).await;
    let now_epoch_secs = MePool::now_epoch_secs();
    for writer_id in 1..=180u64 {
        let bound_clients = if writer_id % 3 == 0 { 0 } else { 1 };
        let deadline = if writer_id % 2 == 0 {
            now_epoch_secs.saturating_sub(1)
        } else {
            0
        };
        insert_draining_writer(
            &pool,
            writer_id,
            now_epoch_secs.saturating_sub(250).saturating_add(writer_id),
            bound_clients,
            deadline,
        )
        .await;
    }
    let monitor = tokio::spawn(me_health_monitor(pool.clone(), rng, 0));
    tokio::time::sleep(Duration::from_millis(140)).await;
    monitor.abort();
    let _ = monitor.await;
    assert!(writer_count(&pool).await <= threshold as usize);
 }
 #[test]
 fn health_drain_close_budget_is_within_expected_bounds() {
    let budget = health_drain_close_budget();
    assert!((16..=256).contains(&budget));
 }
--- a/src/transport/middle_proxy/health_integration_tests.rs
+++ b/src/transport/middle_proxy/health_integration_tests.rs
@@ -0,0 +1,235 @@
 use std::collections::HashMap;
 use std::net::{IpAddr, Ipv4Addr, SocketAddr};
 use std::sync::Arc;
 use std::sync::atomic::{AtomicBool, AtomicU8, AtomicU32, AtomicU64, Ordering};
 use std::time::{Duration, Instant};
 use tokio::sync::mpsc;
 use tokio_util::sync::CancellationToken;
 use super::codec::WriterCommand;
 use super::health::health_drain_close_budget;
 use super::pool::{MePool, MeWriter, WriterContour};
 use super::registry::ConnMeta;
 use super::me_health_monitor;
 use crate::config::{GeneralConfig, MeRouteNoWriterMode, MeSocksKdfPolicy, MeWriterPickMode};
 use crate::crypto::SecureRandom;
 use crate::network::probe::NetworkDecision;
 use crate::stats::Stats;
 async fn make_pool(
    me_pool_drain_threshold: u64,
    me_health_interval_ms_unhealthy: u64,
    me_health_interval_ms_healthy: u64,
 ) -> (Arc<MePool>, Arc<SecureRandom>) {
    let general = GeneralConfig {
        me_pool_drain_threshold,
        me_health_interval_ms_unhealthy,
        me_health_interval_ms_healthy,
        ..GeneralConfig::default()
    };
    let rng = Arc::new(SecureRandom::new());
    let pool = MePool::new(
        None,
        vec![1u8; 32],
        None,
        false,
        None,
        Vec::new(),
        1,
        None,
        12,
        1200,
        HashMap::new(),
        HashMap::new(),
        None,
        NetworkDecision::default(),
        None,
        rng.clone(),
        Arc::new(Stats::default()),
        general.me_keepalive_enabled,
        general.me_keepalive_interval_secs,
        general.me_keepalive_jitter_secs,
        general.me_keepalive_payload_random,
        general.rpc_proxy_req_every,
        general.me_warmup_stagger_enabled,
        general.me_warmup_step_delay_ms,
        general.me_warmup_step_jitter_ms,
        general.me_reconnect_max_concurrent_per_dc,
        general.me_reconnect_backoff_base_ms,
        general.me_reconnect_backoff_cap_ms,
        general.me_reconnect_fast_retry_count,
        general.me_single_endpoint_shadow_writers,
        general.me_single_endpoint_outage_mode_enabled,
        general.me_single_endpoint_outage_disable_quarantine,
        general.me_single_endpoint_outage_backoff_min_ms,
        general.me_single_endpoint_outage_backoff_max_ms,
        general.me_single_endpoint_shadow_rotate_every_secs,
        general.me_floor_mode,
        general.me_adaptive_floor_idle_secs,
        general.me_adaptive_floor_min_writers_single_endpoint,
        general.me_adaptive_floor_min_writers_multi_endpoint,
        general.me_adaptive_floor_recover_grace_secs,
        general.me_adaptive_floor_writers_per_core_total,
        general.me_adaptive_floor_cpu_cores_override,
        general.me_adaptive_floor_max_extra_writers_single_per_core,
        general.me_adaptive_floor_max_extra_writers_multi_per_core,
        general.me_adaptive_floor_max_active_writers_per_core,
        general.me_adaptive_floor_max_warm_writers_per_core,
        general.me_adaptive_floor_max_active_writers_global,
        general.me_adaptive_floor_max_warm_writers_global,
        general.hardswap,
        general.me_pool_drain_ttl_secs,
        general.me_instadrain,
        general.me_pool_drain_threshold,
        general.me_pool_drain_soft_evict_enabled,
        general.me_pool_drain_soft_evict_grace_secs,
        general.me_pool_drain_soft_evict_per_writer,
        general.me_pool_drain_soft_evict_budget_per_core,
        general.me_pool_drain_soft_evict_cooldown_ms,
        general.effective_me_pool_force_close_secs(),
        general.me_pool_min_fresh_ratio,
        general.me_hardswap_warmup_delay_min_ms,
        general.me_hardswap_warmup_delay_max_ms,
        general.me_hardswap_warmup_extra_passes,
        general.me_hardswap_warmup_pass_backoff_base_ms,
        general.me_bind_stale_mode,
        general.me_bind_stale_ttl_secs,
        general.me_secret_atomic_snapshot,
        general.me_deterministic_writer_sort,
        MeWriterPickMode::default(),
        general.me_writer_pick_sample_size,
        MeSocksKdfPolicy::default(),
        general.me_writer_cmd_channel_capacity,
        general.me_route_channel_capacity,
        general.me_route_backpressure_base_timeout_ms,
        general.me_route_backpressure_high_timeout_ms,
        general.me_route_backpressure_high_watermark_pct,
        general.me_reader_route_data_wait_ms,
        general.me_health_interval_ms_unhealthy,
        general.me_health_interval_ms_healthy,
        general.me_warn_rate_limit_ms,
        MeRouteNoWriterMode::default(),
        general.me_route_no_writer_wait_ms,
        general.me_route_hybrid_max_wait_ms,
        general.me_route_blocking_send_timeout_ms,
        general.me_route_inline_recovery_attempts,
        general.me_route_inline_recovery_wait_ms,
    );
    (pool, rng)
 }
 async fn insert_draining_writer(
    pool: &Arc<MePool>,
    writer_id: u64,
    drain_started_at_epoch_secs: u64,
    bound_clients: usize,
    drain_deadline_epoch_secs: u64,
 ) {
    let (tx, _writer_rx) = mpsc::channel::<WriterCommand>(8);
    let writer = MeWriter {
        id: writer_id,
        addr: SocketAddr::new(IpAddr::V4(Ipv4Addr::LOCALHOST), 5500 + writer_id as u16),
        source_ip: IpAddr::V4(Ipv4Addr::LOCALHOST),
        writer_dc: 2,
        generation: 1,
        contour: Arc::new(AtomicU8::new(WriterContour::Draining.as_u8())),
        created_at: Instant::now() - Duration::from_secs(writer_id),
        tx: tx.clone(),
        cancel: CancellationToken::new(),
        degraded: Arc::new(AtomicBool::new(false)),
        rtt_ema_ms_x10: Arc::new(AtomicU32::new(0)),
        draining: Arc::new(AtomicBool::new(true)),
        draining_started_at_epoch_secs: Arc::new(AtomicU64::new(drain_started_at_epoch_secs)),
        drain_deadline_epoch_secs: Arc::new(AtomicU64::new(drain_deadline_epoch_secs)),
        allow_drain_fallback: Arc::new(AtomicBool::new(false)),
    };
    pool.writers.write().await.push(writer);
    pool.registry.register_writer(writer_id, tx).await;
    pool.conn_count.fetch_add(1, Ordering::Relaxed);
    for idx in 0..bound_clients {
        let (conn_id, _rx) = pool.registry.register().await;
        assert!(
            pool.registry
                .bind_writer(
                    conn_id,
                    writer_id,
                    ConnMeta {
                        target_dc: 2,
                        client_addr: SocketAddr::new(
                            IpAddr::V4(Ipv4Addr::LOCALHOST),
                            7200 + idx as u16,
                        ),
                        our_addr: SocketAddr::new(IpAddr::V4(Ipv4Addr::LOCALHOST), 443),
                        proto_flags: 0,
                    },
                )
                .await
        );
    }
 }
 #[tokio::test]
 async fn me_health_monitor_drains_expired_backlog_over_multiple_cycles() {
    let (pool, rng) = make_pool(128, 1, 1).await;
    let now_epoch_secs = MePool::now_epoch_secs();
    let writer_total = health_drain_close_budget().saturating_mul(2).saturating_add(9);
    for writer_id in 1..=writer_total as u64 {
        insert_draining_writer(
            &pool,
            writer_id,
            now_epoch_secs.saturating_sub(120),
            1,
            now_epoch_secs.saturating_sub(1),
        )
        .await;
    }
    let monitor = tokio::spawn(me_health_monitor(pool.clone(), rng, 0));
    tokio::time::sleep(Duration::from_millis(60)).await;
    monitor.abort();
    let _ = monitor.await;
    assert!(pool.writers.read().await.is_empty());
 }
 #[tokio::test]
 async fn me_health_monitor_cleans_empty_draining_writers_without_force_close() {
    let (pool, rng) = make_pool(128, 1, 1).await;
    let now_epoch_secs = MePool::now_epoch_secs();
    for writer_id in 1..=24u64 {
        insert_draining_writer(&pool, writer_id, now_epoch_secs.saturating_sub(60), 0, 0).await;
    }
    let monitor = tokio::spawn(me_health_monitor(pool.clone(), rng, 0));
    tokio::time::sleep(Duration::from_millis(30)).await;
    monitor.abort();
    let _ = monitor.await;
    assert!(pool.writers.read().await.is_empty());
 }
 #[tokio::test]
 async fn me_health_monitor_converges_retry_like_threshold_backlog_to_empty() {
    let threshold = 4u64;
    let (pool, rng) = make_pool(threshold, 1, 1).await;
    let now_epoch_secs = MePool::now_epoch_secs();
    let writer_total = threshold as usize + health_drain_close_budget().saturating_add(11);
    for writer_id in 1..=writer_total as u64 {
        insert_draining_writer(
            &pool,
            writer_id,
            now_epoch_secs.saturating_sub(300).saturating_add(writer_id),
            1,
            0,
        )
        .await;
    }
    let monitor = tokio::spawn(me_health_monitor(pool.clone(), rng, 0));
    tokio::time::sleep(Duration::from_millis(60)).await;
    monitor.abort();
    let _ = monitor.await;
    assert!(pool.writers.read().await.is_empty());
 }
--- a/src/transport/middle_proxy/health_regression_tests.rs
+++ b/src/transport/middle_proxy/health_regression_tests.rs
@@ -0,0 +1,677 @@
 use std::collections::HashMap;
 use std::net::{IpAddr, Ipv4Addr, SocketAddr};
 use std::sync::Arc;
 use std::sync::atomic::{AtomicBool, AtomicU8, AtomicU32, AtomicU64, Ordering};
 use std::time::{Duration, Instant};
 use bytes::Bytes;
 use tokio::sync::mpsc;
 use tokio_util::sync::CancellationToken;
 use super::codec::WriterCommand;
 use super::health::{health_drain_close_budget, reap_draining_writers};
 use super::pool::{MePool, MeWriter, WriterContour};
 use super::registry::ConnMeta;
 use crate::config::{
    GeneralConfig, MeBindStaleMode, MeRouteNoWriterMode, MeSocksKdfPolicy, MeWriterPickMode,
 };
 use crate::crypto::SecureRandom;
 use crate::network::probe::NetworkDecision;
 use crate::stats::Stats;
 async fn make_pool(me_pool_drain_threshold: u64) -> Arc<MePool> {
    let general = GeneralConfig {
        me_pool_drain_threshold,
        ..GeneralConfig::default()
    };
    MePool::new(
        None,
        vec![1u8; 32],
        None,
        false,
        None,
        Vec::new(),
        1,
        None,
        12,
        1200,
        HashMap::new(),
        HashMap::new(),
        None,
        NetworkDecision::default(),
        None,
        Arc::new(SecureRandom::new()),
        Arc::new(Stats::new()),
        general.me_keepalive_enabled,
        general.me_keepalive_interval_secs,
        general.me_keepalive_jitter_secs,
        general.me_keepalive_payload_random,
        general.rpc_proxy_req_every,
        general.me_warmup_stagger_enabled,
        general.me_warmup_step_delay_ms,
        general.me_warmup_step_jitter_ms,
        general.me_reconnect_max_concurrent_per_dc,
        general.me_reconnect_backoff_base_ms,
        general.me_reconnect_backoff_cap_ms,
        general.me_reconnect_fast_retry_count,
        general.me_single_endpoint_shadow_writers,
        general.me_single_endpoint_outage_mode_enabled,
        general.me_single_endpoint_outage_disable_quarantine,
        general.me_single_endpoint_outage_backoff_min_ms,
        general.me_single_endpoint_outage_backoff_max_ms,
        general.me_single_endpoint_shadow_rotate_every_secs,
        general.me_floor_mode,
        general.me_adaptive_floor_idle_secs,
        general.me_adaptive_floor_min_writers_single_endpoint,
        general.me_adaptive_floor_min_writers_multi_endpoint,
        general.me_adaptive_floor_recover_grace_secs,
        general.me_adaptive_floor_writers_per_core_total,
        general.me_adaptive_floor_cpu_cores_override,
        general.me_adaptive_floor_max_extra_writers_single_per_core,
        general.me_adaptive_floor_max_extra_writers_multi_per_core,
        general.me_adaptive_floor_max_active_writers_per_core,
        general.me_adaptive_floor_max_warm_writers_per_core,
        general.me_adaptive_floor_max_active_writers_global,
        general.me_adaptive_floor_max_warm_writers_global,
        general.hardswap,
        general.me_pool_drain_ttl_secs,
        general.me_instadrain,
        general.me_pool_drain_threshold,
        general.me_pool_drain_soft_evict_enabled,
        general.me_pool_drain_soft_evict_grace_secs,
        general.me_pool_drain_soft_evict_per_writer,
        general.me_pool_drain_soft_evict_budget_per_core,
        general.me_pool_drain_soft_evict_cooldown_ms,
        general.effective_me_pool_force_close_secs(),
        general.me_pool_min_fresh_ratio,
        general.me_hardswap_warmup_delay_min_ms,
        general.me_hardswap_warmup_delay_max_ms,
        general.me_hardswap_warmup_extra_passes,
        general.me_hardswap_warmup_pass_backoff_base_ms,
        general.me_bind_stale_mode,
        general.me_bind_stale_ttl_secs,
        general.me_secret_atomic_snapshot,
        general.me_deterministic_writer_sort,
        MeWriterPickMode::default(),
        general.me_writer_pick_sample_size,
        MeSocksKdfPolicy::default(),
        general.me_writer_cmd_channel_capacity,
        general.me_route_channel_capacity,
        general.me_route_backpressure_base_timeout_ms,
        general.me_route_backpressure_high_timeout_ms,
        general.me_route_backpressure_high_watermark_pct,
        general.me_reader_route_data_wait_ms,
        general.me_health_interval_ms_unhealthy,
        general.me_health_interval_ms_healthy,
        general.me_warn_rate_limit_ms,
        MeRouteNoWriterMode::default(),
        general.me_route_no_writer_wait_ms,
        general.me_route_hybrid_max_wait_ms,
        general.me_route_blocking_send_timeout_ms,
        general.me_route_inline_recovery_attempts,
        general.me_route_inline_recovery_wait_ms,
    )
 }
 async fn insert_draining_writer(
    pool: &Arc<MePool>,
    writer_id: u64,
    drain_started_at_epoch_secs: u64,
    bound_clients: usize,
    drain_deadline_epoch_secs: u64,
 ) -> Vec<u64> {
    let mut conn_ids = Vec::with_capacity(bound_clients);
    let (tx, _writer_rx) = mpsc::channel::<WriterCommand>(8);
    let writer = MeWriter {
        id: writer_id,
        addr: SocketAddr::new(IpAddr::V4(Ipv4Addr::LOCALHOST), 4500 + writer_id as u16),
        source_ip: IpAddr::V4(Ipv4Addr::LOCALHOST),
        writer_dc: 2,
        generation: 1,
        contour: Arc::new(AtomicU8::new(WriterContour::Draining.as_u8())),
        created_at: Instant::now() - Duration::from_secs(writer_id),
        tx: tx.clone(),
        cancel: CancellationToken::new(),
        degraded: Arc::new(AtomicBool::new(false)),
        rtt_ema_ms_x10: Arc::new(AtomicU32::new(0)),
        draining: Arc::new(AtomicBool::new(true)),
        draining_started_at_epoch_secs: Arc::new(AtomicU64::new(drain_started_at_epoch_secs)),
        drain_deadline_epoch_secs: Arc::new(AtomicU64::new(drain_deadline_epoch_secs)),
        allow_drain_fallback: Arc::new(AtomicBool::new(false)),
    };
    pool.writers.write().await.push(writer);
    pool.registry.register_writer(writer_id, tx).await;
    pool.conn_count.fetch_add(1, Ordering::Relaxed);
    for idx in 0..bound_clients {
        let (conn_id, _rx) = pool.registry.register().await;
        assert!(
            pool.registry
                .bind_writer(
                    conn_id,
                    writer_id,
                    ConnMeta {
                        target_dc: 2,
                        client_addr: SocketAddr::new(
                            IpAddr::V4(Ipv4Addr::LOCALHOST),
                            6200 + idx as u16,
                        ),
                        our_addr: SocketAddr::new(IpAddr::V4(Ipv4Addr::LOCALHOST), 443),
                        proto_flags: 0,
                    },
                )
                .await
        );
        conn_ids.push(conn_id);
    }
    conn_ids
 }
 async fn current_writer_ids(pool: &Arc<MePool>) -> Vec<u64> {
    let mut writer_ids = pool
        .writers
        .read()
        .await
        .iter()
        .map(|writer| writer.id)
        .collect::<Vec<_>>();
    writer_ids.sort_unstable();
    writer_ids
 }
 #[tokio::test]
 async fn reap_draining_writers_drops_warn_state_for_removed_writer() {
    let pool = make_pool(128).await;
    let now_epoch_secs = MePool::now_epoch_secs();
    let conn_ids = insert_draining_writer(
        &pool,
        7,
        now_epoch_secs.saturating_sub(180),
        1,
        now_epoch_secs.saturating_add(3_600),
    )
    .await;
    let mut warn_next_allowed = HashMap::new();
    let mut soft_evict_next_allowed = HashMap::new();
    reap_draining_writers(&pool, &mut warn_next_allowed, &mut soft_evict_next_allowed).await;
    assert!(warn_next_allowed.contains_key(&7));
    let _ = pool
        .remove_writer_and_close_clients(7, crate::stats::MeWriterTeardownReason::ReapEmpty)
        .await;
    assert!(pool.registry.get_writer(conn_ids[0]).await.is_none());
    reap_draining_writers(&pool, &mut warn_next_allowed, &mut soft_evict_next_allowed).await;
    assert!(!warn_next_allowed.contains_key(&7));
 }
 #[tokio::test]
 async fn reap_draining_writers_removes_empty_draining_writers() {
    let pool = make_pool(128).await;
    let now_epoch_secs = MePool::now_epoch_secs();
    insert_draining_writer(&pool, 1, now_epoch_secs.saturating_sub(40), 0, 0).await;
    insert_draining_writer(&pool, 2, now_epoch_secs.saturating_sub(30), 0, 0).await;
    insert_draining_writer(&pool, 3, now_epoch_secs.saturating_sub(20), 1, 0).await;
    let mut warn_next_allowed = HashMap::new();
    let mut soft_evict_next_allowed = HashMap::new();
    reap_draining_writers(&pool, &mut warn_next_allowed, &mut soft_evict_next_allowed).await;
    assert_eq!(current_writer_ids(&pool).await, vec![3]);
 }
 #[tokio::test]
 async fn reap_draining_writers_does_not_block_on_stuck_writer_close_signal() {
    let pool = make_pool(128).await;
    let now_epoch_secs = MePool::now_epoch_secs();
    let (blocked_tx, blocked_rx) = mpsc::channel::<WriterCommand>(1);
    assert!(
        blocked_tx
            .try_send(WriterCommand::Data(Bytes::from_static(b"stuck")))
            .is_ok()
    );
    let blocked_rx_guard = tokio::spawn(async move {
        let _hold_rx = blocked_rx;
        tokio::time::sleep(Duration::from_secs(30)).await;
    });
    let blocked_writer_id = 90u64;
    let blocked_writer = MeWriter {
        id: blocked_writer_id,
        addr: SocketAddr::new(
            IpAddr::V4(Ipv4Addr::LOCALHOST),
            4500 + blocked_writer_id as u16,
        ),
        source_ip: IpAddr::V4(Ipv4Addr::LOCALHOST),
        writer_dc: 2,
        generation: 1,
        contour: Arc::new(AtomicU8::new(WriterContour::Draining.as_u8())),
        created_at: Instant::now() - Duration::from_secs(blocked_writer_id),
        tx: blocked_tx.clone(),
        cancel: CancellationToken::new(),
        degraded: Arc::new(AtomicBool::new(false)),
        rtt_ema_ms_x10: Arc::new(AtomicU32::new(0)),
        draining: Arc::new(AtomicBool::new(true)),
        draining_started_at_epoch_secs: Arc::new(AtomicU64::new(
            now_epoch_secs.saturating_sub(120),
        )),
        drain_deadline_epoch_secs: Arc::new(AtomicU64::new(0)),
        allow_drain_fallback: Arc::new(AtomicBool::new(false)),
    };
    pool.writers.write().await.push(blocked_writer);
    pool.registry
        .register_writer(blocked_writer_id, blocked_tx)
        .await;
    pool.conn_count.fetch_add(1, Ordering::Relaxed);
    insert_draining_writer(&pool, 91, now_epoch_secs.saturating_sub(110), 0, 0).await;
    let mut warn_next_allowed = HashMap::new();
    let mut soft_evict_next_allowed = HashMap::new();
    let reap_res = tokio::time::timeout(
        Duration::from_millis(500),
        reap_draining_writers(&pool, &mut warn_next_allowed, &mut soft_evict_next_allowed),
    )
    .await;
    blocked_rx_guard.abort();
    assert!(reap_res.is_ok(), "reap should not block on close signal");
    assert!(current_writer_ids(&pool).await.is_empty());
    assert_eq!(pool.stats.get_me_writer_close_signal_drop_total(), 2);
    assert_eq!(pool.stats.get_me_writer_close_signal_channel_full_total(), 1);
    assert_eq!(pool.stats.get_me_draining_writers_reap_progress_total(), 2);
    let activity = pool.registry.writer_activity_snapshot().await;
    assert!(!activity.bound_clients_by_writer.contains_key(&blocked_writer_id));
    assert!(!activity.bound_clients_by_writer.contains_key(&91));
    let (probe_conn_id, _rx) = pool.registry.register().await;
    assert!(
        !pool.registry
            .bind_writer(
                probe_conn_id,
                blocked_writer_id,
                ConnMeta {
                    target_dc: 2,
                    client_addr: SocketAddr::new(IpAddr::V4(Ipv4Addr::LOCALHOST), 6400),
                    our_addr: SocketAddr::new(IpAddr::V4(Ipv4Addr::LOCALHOST), 443),
                    proto_flags: 0,
                },
            )
            .await
    );
    let _ = pool.registry.unregister(probe_conn_id).await;
 }
 #[tokio::test]
 async fn reap_draining_writers_overflow_closes_oldest_non_empty_writers() {
    let pool = make_pool(2).await;
    let now_epoch_secs = MePool::now_epoch_secs();
    insert_draining_writer(&pool, 11, now_epoch_secs.saturating_sub(40), 1, 0).await;
    insert_draining_writer(&pool, 22, now_epoch_secs.saturating_sub(30), 1, 0).await;
    insert_draining_writer(&pool, 33, now_epoch_secs.saturating_sub(20), 1, 0).await;
    insert_draining_writer(&pool, 44, now_epoch_secs.saturating_sub(10), 1, 0).await;
    let mut warn_next_allowed = HashMap::new();
    let mut soft_evict_next_allowed = HashMap::new();
    reap_draining_writers(&pool, &mut warn_next_allowed, &mut soft_evict_next_allowed).await;
    assert_eq!(current_writer_ids(&pool).await, vec![33, 44]);
 }
 #[tokio::test]
 async fn reap_draining_writers_deadline_force_close_applies_under_threshold() {
    let pool = make_pool(128).await;
    let now_epoch_secs = MePool::now_epoch_secs();
    insert_draining_writer(
        &pool,
        50,
        now_epoch_secs.saturating_sub(15),
        1,
        now_epoch_secs.saturating_sub(1),
    )
    .await;
    let mut warn_next_allowed = HashMap::new();
    let mut soft_evict_next_allowed = HashMap::new();
    reap_draining_writers(&pool, &mut warn_next_allowed, &mut soft_evict_next_allowed).await;
    assert!(current_writer_ids(&pool).await.is_empty());
 }
 #[tokio::test]
 async fn reap_draining_writers_limits_closes_per_health_tick() {
    let pool = make_pool(1).await;
    let now_epoch_secs = MePool::now_epoch_secs();
    let close_budget = health_drain_close_budget();
    let writer_total = close_budget.saturating_add(20);
    for writer_id in 1..=writer_total as u64 {
        insert_draining_writer(
            &pool,
            writer_id,
            now_epoch_secs.saturating_sub(20),
            1,
            0,
        )
        .await;
    }
    let mut warn_next_allowed = HashMap::new();
    let mut soft_evict_next_allowed = HashMap::new();
    reap_draining_writers(&pool, &mut warn_next_allowed, &mut soft_evict_next_allowed).await;
    assert_eq!(pool.writers.read().await.len(), writer_total - close_budget);
 }
 #[tokio::test]
 async fn reap_draining_writers_backlog_drains_across_ticks() {
    let pool = make_pool(128).await;
    let now_epoch_secs = MePool::now_epoch_secs();
    let close_budget = health_drain_close_budget();
    let writer_total = close_budget.saturating_mul(2).saturating_add(7);
    for writer_id in 1..=writer_total as u64 {
        insert_draining_writer(
            &pool,
            writer_id,
            now_epoch_secs.saturating_sub(20),
            0,
            0,
        )
        .await;
    }
    let mut warn_next_allowed = HashMap::new();
    let mut soft_evict_next_allowed = HashMap::new();
    for _ in 0..8 {
        if pool.writers.read().await.is_empty() {
            break;
        }
        reap_draining_writers(&pool, &mut warn_next_allowed, &mut soft_evict_next_allowed).await;
    }
    assert!(pool.writers.read().await.is_empty());
 }
 #[tokio::test]
 async fn reap_draining_writers_threshold_backlog_converges_to_threshold() {
    let threshold = 5u64;
    let pool = make_pool(threshold).await;
    let now_epoch_secs = MePool::now_epoch_secs();
    let close_budget = health_drain_close_budget();
    let writer_total = threshold as usize + close_budget.saturating_add(12);
    for writer_id in 1..=writer_total as u64 {
        insert_draining_writer(
            &pool,
            writer_id,
            now_epoch_secs.saturating_sub(20),
            1,
            0,
        )
        .await;
    }
    let mut warn_next_allowed = HashMap::new();
    let mut soft_evict_next_allowed = HashMap::new();
    for _ in 0..16 {
        reap_draining_writers(&pool, &mut warn_next_allowed, &mut soft_evict_next_allowed).await;
        if pool.writers.read().await.len() <= threshold as usize {
            break;
        }
    }
    assert_eq!(pool.writers.read().await.len(), threshold as usize);
 }
 #[tokio::test]
 async fn reap_draining_writers_threshold_zero_preserves_non_expired_non_empty_writers() {
    let pool = make_pool(0).await;
    let now_epoch_secs = MePool::now_epoch_secs();
    insert_draining_writer(&pool, 10, now_epoch_secs.saturating_sub(40), 1, 0).await;
    insert_draining_writer(&pool, 20, now_epoch_secs.saturating_sub(30), 1, 0).await;
    insert_draining_writer(&pool, 30, now_epoch_secs.saturating_sub(20), 1, 0).await;
    let mut warn_next_allowed = HashMap::new();
    let mut soft_evict_next_allowed = HashMap::new();
    reap_draining_writers(&pool, &mut warn_next_allowed, &mut soft_evict_next_allowed).await;
    assert_eq!(current_writer_ids(&pool).await, vec![10, 20, 30]);
 }
 #[tokio::test]
 async fn reap_draining_writers_prioritizes_force_close_before_empty_cleanup() {
    let pool = make_pool(1).await;
    let now_epoch_secs = MePool::now_epoch_secs();
    let close_budget = health_drain_close_budget();
    for writer_id in 1..=close_budget.saturating_add(1) as u64 {
        insert_draining_writer(
            &pool,
            writer_id,
            now_epoch_secs.saturating_sub(20),
            1,
            0,
        )
        .await;
    }
    let empty_writer_id = close_budget.saturating_add(2) as u64;
    insert_draining_writer(&pool, empty_writer_id, now_epoch_secs.saturating_sub(20), 0, 0).await;
    let mut warn_next_allowed = HashMap::new();
    let mut soft_evict_next_allowed = HashMap::new();
    reap_draining_writers(&pool, &mut warn_next_allowed, &mut soft_evict_next_allowed).await;
    assert_eq!(current_writer_ids(&pool).await, vec![1, empty_writer_id]);
 }
 #[tokio::test]
 async fn reap_draining_writers_empty_cleanup_does_not_increment_force_close_metric() {
    let pool = make_pool(128).await;
    let now_epoch_secs = MePool::now_epoch_secs();
    insert_draining_writer(&pool, 1, now_epoch_secs.saturating_sub(60), 0, 0).await;
    insert_draining_writer(&pool, 2, now_epoch_secs.saturating_sub(50), 0, 0).await;
    let mut warn_next_allowed = HashMap::new();
    let mut soft_evict_next_allowed = HashMap::new();
    reap_draining_writers(&pool, &mut warn_next_allowed, &mut soft_evict_next_allowed).await;
    assert!(current_writer_ids(&pool).await.is_empty());
    assert_eq!(pool.stats.get_pool_force_close_total(), 0);
 }
 #[tokio::test]
 async fn reap_draining_writers_handles_duplicate_force_close_requests_for_same_writer() {
    let pool = make_pool(1).await;
    let now_epoch_secs = MePool::now_epoch_secs();
    insert_draining_writer(
        &pool,
        10,
        now_epoch_secs.saturating_sub(30),
        1,
        now_epoch_secs.saturating_sub(1),
    )
    .await;
    insert_draining_writer(
        &pool,
        20,
        now_epoch_secs.saturating_sub(20),
        1,
        now_epoch_secs.saturating_sub(1),
    )
    .await;
    let mut warn_next_allowed = HashMap::new();
    let mut soft_evict_next_allowed = HashMap::new();
    reap_draining_writers(&pool, &mut warn_next_allowed, &mut soft_evict_next_allowed).await;
    assert!(current_writer_ids(&pool).await.is_empty());
 }
 #[tokio::test]
 async fn reap_draining_writers_warn_state_never_exceeds_live_draining_population_under_churn() {
    let pool = make_pool(128).await;
    let now_epoch_secs = MePool::now_epoch_secs();
    let mut warn_next_allowed = HashMap::new();
    let mut soft_evict_next_allowed = HashMap::new();
    for wave in 0..12u64 {
        for offset in 0..9u64 {
            insert_draining_writer(
                &pool,
                wave * 100 + offset,
                now_epoch_secs.saturating_sub(120 + offset),
                1,
                0,
            )
            .await;
        }
        reap_draining_writers(&pool, &mut warn_next_allowed, &mut soft_evict_next_allowed).await;
        assert!(warn_next_allowed.len() <= pool.writers.read().await.len());
        let existing_writer_ids = current_writer_ids(&pool).await;
        for writer_id in existing_writer_ids.into_iter().take(4) {
            let _ = pool
                .remove_writer_and_close_clients(
                    writer_id,
                    crate::stats::MeWriterTeardownReason::ReapEmpty,
                )
                .await;
        }
        reap_draining_writers(&pool, &mut warn_next_allowed, &mut soft_evict_next_allowed).await;
        assert!(warn_next_allowed.len() <= pool.writers.read().await.len());
    }
 }
 #[tokio::test]
 async fn reap_draining_writers_mixed_backlog_converges_without_leaking_warn_state() {
    let pool = make_pool(6).await;
    let now_epoch_secs = MePool::now_epoch_secs();
    let mut warn_next_allowed = HashMap::new();
    let mut soft_evict_next_allowed = HashMap::new();
    for writer_id in 1..=18u64 {
        let bound_clients = if writer_id % 3 == 0 { 0 } else { 1 };
        let deadline = if writer_id % 2 == 0 {
            now_epoch_secs.saturating_sub(1)
        } else {
            0
        };
        insert_draining_writer(
            &pool,
            writer_id,
            now_epoch_secs.saturating_sub(300).saturating_add(writer_id),
            bound_clients,
            deadline,
        )
        .await;
    }
    for _ in 0..16 {
        reap_draining_writers(&pool, &mut warn_next_allowed, &mut soft_evict_next_allowed).await;
        if pool.writers.read().await.len() <= 6 {
            break;
        }
    }
    assert!(pool.writers.read().await.len() <= 6);
    assert!(warn_next_allowed.len() <= pool.writers.read().await.len());
 }
 #[tokio::test]
 async fn reap_draining_writers_soft_evicts_stuck_writer_with_per_writer_cap() {
    let pool = make_pool(128).await;
    pool.me_pool_drain_soft_evict_enabled.store(true, Ordering::Relaxed);
    pool.me_pool_drain_soft_evict_grace_secs.store(0, Ordering::Relaxed);
    pool.me_pool_drain_soft_evict_per_writer.store(1, Ordering::Relaxed);
    pool.me_pool_drain_soft_evict_budget_per_core.store(8, Ordering::Relaxed);
    pool.me_pool_drain_soft_evict_cooldown_ms
        .store(1, Ordering::Relaxed);
    let now_epoch_secs = MePool::now_epoch_secs();
    insert_draining_writer(
        &pool,
        77,
        now_epoch_secs.saturating_sub(240),
        3,
        now_epoch_secs.saturating_add(3_600),
    )
    .await;
    let mut warn_next_allowed = HashMap::new();
    let mut soft_evict_next_allowed = HashMap::new();
    reap_draining_writers(&pool, &mut warn_next_allowed, &mut soft_evict_next_allowed).await;
    let activity = pool.registry.writer_activity_snapshot().await;
    assert_eq!(activity.bound_clients_by_writer.get(&77), Some(&2));
    assert_eq!(pool.stats.get_pool_drain_soft_evict_total(), 1);
    assert_eq!(pool.stats.get_pool_drain_soft_evict_writer_total(), 1);
    assert_eq!(current_writer_ids(&pool).await, vec![77]);
 }
 #[tokio::test]
 async fn reap_draining_writers_soft_evict_respects_cooldown_per_writer() {
    let pool = make_pool(128).await;
    pool.me_pool_drain_soft_evict_enabled.store(true, Ordering::Relaxed);
    pool.me_pool_drain_soft_evict_grace_secs.store(0, Ordering::Relaxed);
    pool.me_pool_drain_soft_evict_per_writer.store(1, Ordering::Relaxed);
    pool.me_pool_drain_soft_evict_budget_per_core.store(8, Ordering::Relaxed);
    pool.me_pool_drain_soft_evict_cooldown_ms
        .store(60_000, Ordering::Relaxed);
    let now_epoch_secs = MePool::now_epoch_secs();
    insert_draining_writer(
        &pool,
        88,
        now_epoch_secs.saturating_sub(240),
        3,
        now_epoch_secs.saturating_add(3_600),
    )
    .await;
    let mut warn_next_allowed = HashMap::new();
    let mut soft_evict_next_allowed = HashMap::new();
    reap_draining_writers(&pool, &mut warn_next_allowed, &mut soft_evict_next_allowed).await;
    reap_draining_writers(&pool, &mut warn_next_allowed, &mut soft_evict_next_allowed).await;
    let activity = pool.registry.writer_activity_snapshot().await;
    assert_eq!(activity.bound_clients_by_writer.get(&88), Some(&2));
    assert_eq!(pool.stats.get_pool_drain_soft_evict_total(), 1);
    assert_eq!(pool.stats.get_pool_drain_soft_evict_writer_total(), 1);
 }
 #[tokio::test]
 async fn reap_draining_writers_instadrain_removes_non_expired_writers_immediately() {
    let pool = make_pool(0).await;
    pool.me_instadrain.store(true, Ordering::Relaxed);
    let now_epoch_secs = MePool::now_epoch_secs();
    insert_draining_writer(&pool, 101, now_epoch_secs.saturating_sub(5), 1, 0).await;
    insert_draining_writer(&pool, 102, now_epoch_secs.saturating_sub(4), 1, 0).await;
    let mut warn_next_allowed = HashMap::new();
    let mut soft_evict_next_allowed = HashMap::new();
    reap_draining_writers(&pool, &mut warn_next_allowed, &mut soft_evict_next_allowed).await;
    assert!(current_writer_ids(&pool).await.is_empty());
 }
 #[test]
 fn general_config_default_drain_threshold_remains_enabled() {
    assert_eq!(GeneralConfig::default().me_pool_drain_threshold, 32);
    assert!(GeneralConfig::default().me_pool_drain_soft_evict_enabled);
    assert_eq!(
        GeneralConfig::default().me_pool_drain_soft_evict_grace_secs,
        10
    );
    assert_eq!(
        GeneralConfig::default().me_pool_drain_soft_evict_per_writer,
        2
    );
    assert_eq!(
        GeneralConfig::default().me_pool_drain_soft_evict_budget_per_core,
        16
    );
    assert_eq!(
        GeneralConfig::default().me_pool_drain_soft_evict_cooldown_ms,
        1000
    );
    assert_eq!(GeneralConfig::default().me_bind_stale_mode, MeBindStaleMode::Never);
 }
--- a/src/transport/middle_proxy/mod.rs
+++ b/src/transport/middle_proxy/mod.rs
@@ -21,10 +21,16 @@ mod secret;
 mod selftest;
 mod wire;
 mod pool_status;
 #[cfg(test)]
 mod health_regression_tests;
 #[cfg(test)]
 mod health_integration_tests;
 #[cfg(test)]
 mod health_adversarial_tests;
 use bytes::Bytes;
-pub use health::me_health_monitor;
+pub use health::{me_drain_timeout_enforcer, me_health_monitor, me_zombie_writer_watchdog};
 #[allow(unused_imports)]
 pub use ping::{run_me_ping, format_sample_line, format_me_route, MePingReport, MePingSample, MePingFamily};
 pub use pool::MePool;
--- a/src/transport/middle_proxy/pool.rs
+++ b/src/transport/middle_proxy/pool.rs
@@ -18,6 +18,8 @@ use crate::transport::UpstreamManager;
 use super::ConnRegistry;
 use super::codec::WriterCommand;
 const ME_FORCE_CLOSE_SAFETY_FALLBACK_SECS: u64 = 300;
 #[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
 pub(super) struct RefillDcKey {
    pub dc: i32,
@@ -171,7 +173,13 @@ pub struct MePool {
    pub(super) endpoint_quarantine: Arc<Mutex<HashMap<SocketAddr, Instant>>>,
    pub(super) kdf_material_fingerprint: Arc<RwLock<HashMap<SocketAddr, (u64, u16)>>>,
    pub(super) me_pool_drain_ttl_secs: AtomicU64,
    pub(super) me_instadrain: AtomicBool,
    pub(super) me_pool_drain_threshold: AtomicU64,
    pub(super) me_pool_drain_soft_evict_enabled: AtomicBool,
    pub(super) me_pool_drain_soft_evict_grace_secs: AtomicU64,
    pub(super) me_pool_drain_soft_evict_per_writer: AtomicU8,
    pub(super) me_pool_drain_soft_evict_budget_per_core: AtomicU32,
    pub(super) me_pool_drain_soft_evict_cooldown_ms: AtomicU64,
    pub(super) me_pool_force_close_secs: AtomicU64,
    pub(super) me_pool_min_fresh_ratio_permille: AtomicU32,
    pub(super) me_hardswap_warmup_delay_min_ms: AtomicU64,
@@ -188,6 +196,8 @@ pub struct MePool {
    pub(super) me_reader_route_data_wait_ms: Arc<AtomicU64>,
    pub(super) me_route_no_writer_mode: AtomicU8,
    pub(super) me_route_no_writer_wait: Duration,
    pub(super) me_route_hybrid_max_wait: Duration,
    pub(super) me_route_blocking_send_timeout: Duration,
    pub(super) me_route_inline_recovery_attempts: u32,
    pub(super) me_route_inline_recovery_wait: Duration,
    pub(super) me_health_interval_ms_unhealthy: AtomicU64,
@@ -221,6 +231,14 @@ impl MePool {
            .as_secs()
    }
    fn normalize_force_close_secs(force_close_secs: u64) -> u64 {
        if force_close_secs == 0 {
            ME_FORCE_CLOSE_SAFETY_FALLBACK_SECS
        } else {
            force_close_secs
        }
    }
    pub fn new(
        proxy_tag: Option<Vec<u8>>,
        proxy_secret: Vec<u8>,
@@ -272,7 +290,13 @@ impl MePool {
        me_adaptive_floor_max_warm_writers_global: u32,
        hardswap: bool,
        me_pool_drain_ttl_secs: u64,
        me_instadrain: bool,
        me_pool_drain_threshold: u64,
        me_pool_drain_soft_evict_enabled: bool,
        me_pool_drain_soft_evict_grace_secs: u64,
        me_pool_drain_soft_evict_per_writer: u8,
        me_pool_drain_soft_evict_budget_per_core: u16,
        me_pool_drain_soft_evict_cooldown_ms: u64,
        me_pool_force_close_secs: u64,
        me_pool_min_fresh_ratio: f32,
        me_hardswap_warmup_delay_min_ms: u64,
@@ -297,6 +321,8 @@ impl MePool {
        me_warn_rate_limit_ms: u64,
        me_route_no_writer_mode: MeRouteNoWriterMode,
        me_route_no_writer_wait_ms: u64,
        me_route_hybrid_max_wait_ms: u64,
        me_route_blocking_send_timeout_ms: u64,
        me_route_inline_recovery_attempts: u32,
        me_route_inline_recovery_wait_ms: u64,
    ) -> Arc<Self> {
@@ -448,8 +474,22 @@ impl MePool {
            endpoint_quarantine: Arc::new(Mutex::new(HashMap::new())),
            kdf_material_fingerprint: Arc::new(RwLock::new(HashMap::new())),
            me_pool_drain_ttl_secs: AtomicU64::new(me_pool_drain_ttl_secs),
            me_instadrain: AtomicBool::new(me_instadrain),
            me_pool_drain_threshold: AtomicU64::new(me_pool_drain_threshold),
-            me_pool_force_close_secs: AtomicU64::new(me_pool_force_close_secs),
+            me_pool_drain_soft_evict_enabled: AtomicBool::new(me_pool_drain_soft_evict_enabled),
            me_pool_drain_soft_evict_grace_secs: AtomicU64::new(me_pool_drain_soft_evict_grace_secs),
            me_pool_drain_soft_evict_per_writer: AtomicU8::new(
                me_pool_drain_soft_evict_per_writer.max(1),
            ),
            me_pool_drain_soft_evict_budget_per_core: AtomicU32::new(
                me_pool_drain_soft_evict_budget_per_core.max(1) as u32,
            ),
            me_pool_drain_soft_evict_cooldown_ms: AtomicU64::new(
                me_pool_drain_soft_evict_cooldown_ms.max(1),
            ),
            me_pool_force_close_secs: AtomicU64::new(Self::normalize_force_close_secs(
                me_pool_force_close_secs,
            )),
            me_pool_min_fresh_ratio_permille: AtomicU32::new(Self::ratio_to_permille(
                me_pool_min_fresh_ratio,
            )),
@@ -469,6 +509,10 @@ impl MePool {
            me_reader_route_data_wait_ms: Arc::new(AtomicU64::new(me_reader_route_data_wait_ms)),
            me_route_no_writer_mode: AtomicU8::new(me_route_no_writer_mode.as_u8()),
            me_route_no_writer_wait: Duration::from_millis(me_route_no_writer_wait_ms),
            me_route_hybrid_max_wait: Duration::from_millis(me_route_hybrid_max_wait_ms),
            me_route_blocking_send_timeout: Duration::from_millis(
                me_route_blocking_send_timeout_ms,
            ),
            me_route_inline_recovery_attempts,
            me_route_inline_recovery_wait: Duration::from_millis(me_route_inline_recovery_wait_ms),
            me_health_interval_ms_unhealthy: AtomicU64::new(me_health_interval_ms_unhealthy.max(1)),
@@ -495,7 +539,13 @@ impl MePool {
        &self,
        hardswap: bool,
        drain_ttl_secs: u64,
        instadrain: bool,
        pool_drain_threshold: u64,
        pool_drain_soft_evict_enabled: bool,
        pool_drain_soft_evict_grace_secs: u64,
        pool_drain_soft_evict_per_writer: u8,
        pool_drain_soft_evict_budget_per_core: u16,
        pool_drain_soft_evict_cooldown_ms: u64,
        force_close_secs: u64,
        min_fresh_ratio: f32,
        hardswap_warmup_delay_min_ms: u64,
@@ -534,10 +584,25 @@ impl MePool {
        self.hardswap.store(hardswap, Ordering::Relaxed);
        self.me_pool_drain_ttl_secs
            .store(drain_ttl_secs, Ordering::Relaxed);
        self.me_instadrain.store(instadrain, Ordering::Relaxed);
        self.me_pool_drain_threshold
            .store(pool_drain_threshold, Ordering::Relaxed);
-        self.me_pool_force_close_secs
+        self.me_pool_drain_soft_evict_enabled
-            .store(force_close_secs, Ordering::Relaxed);
+            .store(pool_drain_soft_evict_enabled, Ordering::Relaxed);
        self.me_pool_drain_soft_evict_grace_secs
            .store(pool_drain_soft_evict_grace_secs, Ordering::Relaxed);
        self.me_pool_drain_soft_evict_per_writer
            .store(pool_drain_soft_evict_per_writer.max(1), Ordering::Relaxed);
        self.me_pool_drain_soft_evict_budget_per_core.store(
            pool_drain_soft_evict_budget_per_core.max(1) as u32,
            Ordering::Relaxed,
        );
        self.me_pool_drain_soft_evict_cooldown_ms
            .store(pool_drain_soft_evict_cooldown_ms.max(1), Ordering::Relaxed);
        self.me_pool_force_close_secs.store(
            Self::normalize_force_close_secs(force_close_secs),
            Ordering::Relaxed,
        );
        self.me_pool_min_fresh_ratio_permille
            .store(Self::ratio_to_permille(min_fresh_ratio), Ordering::Relaxed);
        self.me_hardswap_warmup_delay_min_ms
@@ -682,12 +747,39 @@ impl MePool {
    }
    pub(super) fn force_close_timeout(&self) -> Option<Duration> {
-        let secs = self.me_pool_force_close_secs.load(Ordering::Relaxed);
+        let secs =
-        if secs == 0 {
+            Self::normalize_force_close_secs(self.me_pool_force_close_secs.load(Ordering::Relaxed));
-            None
+        Some(Duration::from_secs(secs))
-        } else {
+    }
-            Some(Duration::from_secs(secs))
+
-        }
+    pub(super) fn drain_soft_evict_enabled(&self) -> bool {
        self.me_pool_drain_soft_evict_enabled
            .load(Ordering::Relaxed)
    }
    pub(super) fn drain_soft_evict_grace_secs(&self) -> u64 {
        self.me_pool_drain_soft_evict_grace_secs
            .load(Ordering::Relaxed)
    }
    pub(super) fn drain_soft_evict_per_writer(&self) -> usize {
        self.me_pool_drain_soft_evict_per_writer
            .load(Ordering::Relaxed)
            .max(1) as usize
    }
    pub(super) fn drain_soft_evict_budget_per_core(&self) -> usize {
        self.me_pool_drain_soft_evict_budget_per_core
            .load(Ordering::Relaxed)
            .max(1) as usize
    }
    pub(super) fn drain_soft_evict_cooldown(&self) -> Duration {
        Duration::from_millis(
            self.me_pool_drain_soft_evict_cooldown_ms
                .load(Ordering::Relaxed)
                .max(1),
        )
    }
    pub(super) async fn key_selector(&self) -> u32 {
--- a/src/transport/middle_proxy/pool_refill.rs
+++ b/src/transport/middle_proxy/pool_refill.rs
@@ -74,9 +74,8 @@ impl MePool {
            debug!(
                %addr,
                wait_ms = expiry.saturating_duration_since(now).as_millis(),
-                "All ME endpoints are quarantined for the DC group; retrying earliest one"
+                "All ME endpoints are quarantined for the DC group; waiting for quarantine expiry"
            );
            return vec![addr];
        }
        Vec::new()
--- a/src/transport/middle_proxy/pool_reinit.rs
+++ b/src/transport/middle_proxy/pool_reinit.rs
@@ -70,10 +70,12 @@ impl MePool {
        let mut missing_dc = Vec::<i32>::new();
        let mut covered = 0usize;
        let mut total = 0usize;
        for (dc, endpoints) in desired_by_dc {
            if endpoints.is_empty() {
                continue;
            }
            total += 1;
            if endpoints
                .iter()
                .any(|addr| active_writer_addrs.contains(&(*dc, *addr)))
@@ -85,7 +87,9 @@ impl MePool {
        }
        missing_dc.sort_unstable();
-        let total = desired_by_dc.len().max(1);
+        if total == 0 {
            return (1.0, missing_dc);
        }
        let ratio = (covered as f32) / (total as f32);
        (ratio, missing_dc)
    }
@@ -399,29 +403,21 @@ impl MePool {
        }
        if hardswap {
-            let mut fresh_missing_dc = Vec::<(i32, usize, usize)>::new();
+            let fresh_writer_addrs: HashSet<(i32, SocketAddr)> = writers
-            for (dc, endpoints) in &desired_by_dc {
+                .iter()
-                if endpoints.is_empty() {
+                .filter(|w| !w.draining.load(Ordering::Relaxed))
-                    continue;
+                .filter(|w| w.generation == generation)
-                }
+                .map(|w| (w.writer_dc, w.addr))
-                let required = self.required_writers_for_dc(endpoints.len());
+                .collect();
-                let fresh_count = writers
+            let (fresh_coverage_ratio, fresh_missing_dc) =
-                    .iter()
+                Self::coverage_ratio(&desired_by_dc, &fresh_writer_addrs);
                    .filter(|w| !w.draining.load(Ordering::Relaxed))
                    .filter(|w| w.generation == generation)
                    .filter(|w| w.writer_dc == *dc)
                    .filter(|w| endpoints.contains(&w.addr))
                    .count();
                if fresh_count < required {
                    fresh_missing_dc.push((*dc, fresh_count, required));
                }
            }
            if !fresh_missing_dc.is_empty() {
                warn!(
                    previous_generation,
                    generation,
                    fresh_coverage_ratio = format_args!("{fresh_coverage_ratio:.3}"),
                    missing_dc = ?fresh_missing_dc,
-                    "ME hardswap pending: fresh generation coverage incomplete"
+                    "ME hardswap pending: fresh generation DC coverage incomplete"
                );
                return;
            }
@@ -491,3 +487,61 @@ impl MePool {
        self.zero_downtime_reinit_after_map_change(rng).await;
    }
 }
 #[cfg(test)]
 mod tests {
    use std::collections::{HashMap, HashSet};
    use std::net::{IpAddr, Ipv4Addr, SocketAddr};
    use super::MePool;
    fn addr(octet: u8, port: u16) -> SocketAddr {
        SocketAddr::new(IpAddr::V4(Ipv4Addr::new(127, 0, 0, octet)), port)
    }
    #[test]
    fn coverage_ratio_counts_dc_coverage_not_floor() {
        let dc1 = addr(1, 2001);
        let dc2 = addr(2, 2002);
        let mut desired_by_dc = HashMap::<i32, HashSet<SocketAddr>>::new();
        desired_by_dc.insert(1, HashSet::from([dc1]));
        desired_by_dc.insert(2, HashSet::from([dc2]));
        let active_writer_addrs = HashSet::from([(1, dc1)]);
        let (ratio, missing_dc) = MePool::coverage_ratio(&desired_by_dc, &active_writer_addrs);
        assert_eq!(ratio, 0.5);
        assert_eq!(missing_dc, vec![2]);
    }
    #[test]
    fn coverage_ratio_ignores_empty_dc_groups() {
        let dc1 = addr(1, 2001);
        let mut desired_by_dc = HashMap::<i32, HashSet<SocketAddr>>::new();
        desired_by_dc.insert(1, HashSet::from([dc1]));
        desired_by_dc.insert(2, HashSet::new());
        let active_writer_addrs = HashSet::from([(1, dc1)]);
        let (ratio, missing_dc) = MePool::coverage_ratio(&desired_by_dc, &active_writer_addrs);
        assert_eq!(ratio, 1.0);
        assert!(missing_dc.is_empty());
    }
    #[test]
    fn coverage_ratio_reports_missing_dcs_sorted() {
        let dc1 = addr(1, 2001);
        let dc2 = addr(2, 2002);
        let mut desired_by_dc = HashMap::<i32, HashSet<SocketAddr>>::new();
        desired_by_dc.insert(2, HashSet::from([dc2]));
        desired_by_dc.insert(1, HashSet::from([dc1]));
        let (ratio, missing_dc) = MePool::coverage_ratio(&desired_by_dc, &HashSet::new());
        assert_eq!(ratio, 0.0);
        assert_eq!(missing_dc, vec![1, 2]);
    }
 }
--- a/src/transport/middle_proxy/pool_status.rs
+++ b/src/transport/middle_proxy/pool_status.rs
@@ -40,6 +40,7 @@ pub(crate) struct MeApiDcStatusSnapshot {
    pub floor_max: usize,
    pub floor_capped: bool,
    pub alive_writers: usize,
    pub coverage_ratio: f64,
    pub coverage_pct: f64,
    pub fresh_alive_writers: usize,
    pub fresh_coverage_pct: f64,
@@ -62,6 +63,7 @@ pub(crate) struct MeApiStatusSnapshot {
    pub available_pct: f64,
    pub required_writers: usize,
    pub alive_writers: usize,
    pub coverage_ratio: f64,
    pub coverage_pct: f64,
    pub fresh_alive_writers: usize,
    pub fresh_coverage_pct: f64,
@@ -124,6 +126,12 @@ pub(crate) struct MeApiRuntimeSnapshot {
    pub me_reconnect_backoff_cap_ms: u64,
    pub me_reconnect_fast_retry_count: u32,
    pub me_pool_drain_ttl_secs: u64,
    pub me_instadrain: bool,
    pub me_pool_drain_soft_evict_enabled: bool,
    pub me_pool_drain_soft_evict_grace_secs: u64,
    pub me_pool_drain_soft_evict_per_writer: u8,
    pub me_pool_drain_soft_evict_budget_per_core: u16,
    pub me_pool_drain_soft_evict_cooldown_ms: u64,
    pub me_pool_force_close_secs: u64,
    pub me_pool_min_fresh_ratio: f32,
    pub me_bind_stale_mode: &'static str,
@@ -337,6 +345,8 @@ impl MePool {
        let mut available_endpoints = 0usize;
        let mut alive_writers = 0usize;
        let mut fresh_alive_writers = 0usize;
        let mut coverage_ratio_dcs_total = 0usize;
        let mut coverage_ratio_dcs_covered = 0usize;
        let floor_mode = self.floor_mode();
        let adaptive_cpu_cores = (self
            .me_adaptive_floor_cpu_cores_effective
@@ -388,6 +398,12 @@ impl MePool {
            available_endpoints += dc_available_endpoints;
            alive_writers += dc_alive_writers;
            fresh_alive_writers += dc_fresh_alive_writers;
            if endpoint_count > 0 {
                coverage_ratio_dcs_total += 1;
                if dc_alive_writers > 0 {
                    coverage_ratio_dcs_covered += 1;
                }
            }
            dcs.push(MeApiDcStatusSnapshot {
                dc,
@@ -410,6 +426,11 @@ impl MePool {
                floor_max,
                floor_capped,
                alive_writers: dc_alive_writers,
                coverage_ratio: if endpoint_count > 0 && dc_alive_writers > 0 {
                    100.0
                } else {
                    0.0
                },
                coverage_pct: ratio_pct(dc_alive_writers, dc_required_writers),
                fresh_alive_writers: dc_fresh_alive_writers,
                fresh_coverage_pct: ratio_pct(dc_fresh_alive_writers, dc_required_writers),
@@ -426,6 +447,7 @@ impl MePool {
            available_pct: ratio_pct(available_endpoints, configured_endpoints),
            required_writers,
            alive_writers,
            coverage_ratio: ratio_pct(coverage_ratio_dcs_covered, coverage_ratio_dcs_total),
            coverage_pct: ratio_pct(alive_writers, required_writers),
            fresh_alive_writers,
            fresh_coverage_pct: ratio_pct(fresh_alive_writers, required_writers),
@@ -562,6 +584,23 @@ impl MePool {
            me_reconnect_backoff_cap_ms: self.me_reconnect_backoff_cap.as_millis() as u64,
            me_reconnect_fast_retry_count: self.me_reconnect_fast_retry_count,
            me_pool_drain_ttl_secs: self.me_pool_drain_ttl_secs.load(Ordering::Relaxed),
            me_instadrain: self.me_instadrain.load(Ordering::Relaxed),
            me_pool_drain_soft_evict_enabled: self
                .me_pool_drain_soft_evict_enabled
                .load(Ordering::Relaxed),
            me_pool_drain_soft_evict_grace_secs: self
                .me_pool_drain_soft_evict_grace_secs
                .load(Ordering::Relaxed),
            me_pool_drain_soft_evict_per_writer: self
                .me_pool_drain_soft_evict_per_writer
                .load(Ordering::Relaxed),
            me_pool_drain_soft_evict_budget_per_core: self
                .me_pool_drain_soft_evict_budget_per_core
                .load(Ordering::Relaxed)
                .min(u16::MAX as u32) as u16,
            me_pool_drain_soft_evict_cooldown_ms: self
                .me_pool_drain_soft_evict_cooldown_ms
                .load(Ordering::Relaxed),
            me_pool_force_close_secs: self.me_pool_force_close_secs.load(Ordering::Relaxed),
            me_pool_min_fresh_ratio: Self::permille_to_ratio(
                self.me_pool_min_fresh_ratio_permille.load(Ordering::Relaxed),
--- a/src/transport/middle_proxy/pool_writer.rs
+++ b/src/transport/middle_proxy/pool_writer.rs
@@ -8,6 +8,7 @@ use bytes::Bytes;
 use bytes::BytesMut;
 use rand::Rng;
 use tokio::sync::mpsc;
 use tokio::sync::mpsc::error::TrySendError;
 use tokio_util::sync::CancellationToken;
 use tracing::{debug, info, warn};
@@ -15,11 +16,13 @@ use crate::config::MeBindStaleMode;
 use crate::crypto::SecureRandom;
 use crate::error::{ProxyError, Result};
 use crate::protocol::constants::{RPC_CLOSE_EXT_U32, RPC_PING_U32};
 use crate::stats::{
    MeWriterCleanupSideEffectStep, MeWriterTeardownMode, MeWriterTeardownReason,
 };
 use super::codec::{RpcWriter, WriterCommand};
 use super::pool::{MePool, MeWriter, WriterContour};
 use super::reader::reader_loop;
 use super::registry::BoundConn;
 use super::wire::build_proxy_req_payload;
 const ME_ACTIVE_PING_SECS: u64 = 25;
@@ -27,6 +30,12 @@ const ME_ACTIVE_PING_JITTER_SECS: i64 = 5;
 const ME_IDLE_KEEPALIVE_MAX_SECS: u64 = 5;
 const ME_RPC_PROXY_REQ_RESPONSE_WAIT_MS: u64 = 700;
 #[derive(Clone, Copy)]
 enum WriterRemoveGuardMode {
    Any,
    DrainingOnly,
 }
 fn is_me_peer_closed_error(error: &ProxyError) -> bool {
    matches!(error, ProxyError::Io(ioe) if ioe.kind() == ErrorKind::UnexpectedEof)
 }
@@ -43,9 +52,16 @@ impl MePool {
        for writer_id in closed_writer_ids {
            if self.registry.is_writer_empty(writer_id).await {
-                let _ = self.remove_writer_only(writer_id).await;
+                let _ = self
                    .remove_writer_only(writer_id, MeWriterTeardownReason::PruneClosedWriter)
                    .await;
            } else {
-                let _ = self.remove_writer_and_close_clients(writer_id).await;
+                let _ = self
                    .remove_writer_and_close_clients(
                        writer_id,
                        MeWriterTeardownReason::PruneClosedWriter,
                    )
                    .await;
            }
        }
    }
@@ -142,6 +158,9 @@ impl MePool {
            crc_mode: hs.crc_mode,
        };
        let cancel_wr = cancel.clone();
        let cleanup_done = Arc::new(AtomicBool::new(false));
        let cleanup_for_writer = cleanup_done.clone();
        let pool_writer_task = Arc::downgrade(self);
        tokio::spawn(async move {
            loop {
                tokio::select! {
@@ -159,6 +178,20 @@ impl MePool {
                    _ = cancel_wr.cancelled() => break,
                }
            }
            if cleanup_for_writer
                .compare_exchange(false, true, Ordering::AcqRel, Ordering::Relaxed)
                .is_ok()
            {
                if let Some(pool) = pool_writer_task.upgrade() {
                    pool.remove_writer_and_close_clients(
                        writer_id,
                        MeWriterTeardownReason::WriterTaskExit,
                    )
                    .await;
                } else {
                    cancel_wr.cancel();
                }
            }
        });
        let writer = MeWriter {
            id: writer_id,
@@ -195,7 +228,6 @@ impl MePool {
        let cancel_ping = cancel.clone();
        let tx_ping = tx.clone();
        let ping_tracker_ping = ping_tracker.clone();
        let cleanup_done = Arc::new(AtomicBool::new(false));
        let cleanup_for_reader = cleanup_done.clone();
        let cleanup_for_ping = cleanup_done.clone();
        let keepalive_enabled = self.me_keepalive_enabled;
@@ -241,21 +273,29 @@ impl MePool {
                stats_reader_close.increment_me_idle_close_by_peer_total();
                info!(writer_id, "ME socket closed by peer on idle writer");
            }
-            if let Some(pool) = pool.upgrade()
+            if cleanup_for_reader
-                && cleanup_for_reader
+                .compare_exchange(false, true, Ordering::AcqRel, Ordering::Relaxed)
-                    .compare_exchange(false, true, Ordering::AcqRel, Ordering::Relaxed)
+                .is_ok()
                    .is_ok()
            {
-                pool.remove_writer_and_close_clients(writer_id).await;
+                if let Some(pool) = pool.upgrade() {
                    pool.remove_writer_and_close_clients(
                        writer_id,
                        MeWriterTeardownReason::ReaderExit,
                    )
                    .await;
                } else {
                    // Fallback for shutdown races: make writer task exit quickly so stale
                    // channels are observable by periodic prune.
                    cancel_reader_token.cancel();
                }
            }
            if let Err(e) = res {
                if !idle_close_by_peer {
                    warn!(error = %e, "ME reader ended");
                }
            }
-            let mut ws = writers_arc.write().await;
+            let remaining = writers_arc.read().await.len();
-            ws.retain(|w| w.id != writer_id);
+            debug!(writer_id, remaining, "ME reader task finished");
            info!(remaining = ws.len(), "Dead ME writer removed from pool");
        });
        let pool_ping = Arc::downgrade(self);
@@ -312,41 +352,28 @@ impl MePool {
                let mut p = Vec::with_capacity(12);
                p.extend_from_slice(&RPC_PING_U32.to_le_bytes());
                p.extend_from_slice(&sent_id.to_le_bytes());
-                {
+                let now_epoch_ms = std::time::SystemTime::now()
-                    let mut tracker = ping_tracker_ping.lock().await;
+                    .duration_since(std::time::UNIX_EPOCH)
-                    let now_epoch_ms = std::time::SystemTime::now()
+                    .unwrap_or_default()
-                        .duration_since(std::time::UNIX_EPOCH)
+                    .as_millis() as u64;
-                        .unwrap_or_default()
+                let mut run_cleanup = false;
-                        .as_millis() as u64;
+                if let Some(pool) = pool_ping.upgrade() {
-                    let mut run_cleanup = false;
+                    let last_cleanup_ms = pool
-                    if let Some(pool) = pool_ping.upgrade() {
+                        .ping_tracker_last_cleanup_epoch_ms
-                        let last_cleanup_ms = pool
+                        .load(Ordering::Relaxed);
                    if now_epoch_ms.saturating_sub(last_cleanup_ms) >= 30_000
                        && pool
                            .ping_tracker_last_cleanup_epoch_ms
-                            .load(Ordering::Relaxed);
+                            .compare_exchange(
-                        if now_epoch_ms.saturating_sub(last_cleanup_ms) >= 30_000
+                                last_cleanup_ms,
-                            && pool
+                                now_epoch_ms,
-                                .ping_tracker_last_cleanup_epoch_ms
+                                Ordering::AcqRel,
-                                .compare_exchange(
+                                Ordering::Relaxed,
-                                    last_cleanup_ms,
+                            )
-                                    now_epoch_ms,
+                            .is_ok()
-                                    Ordering::AcqRel,
+                    {
-                                    Ordering::Relaxed,
+                        run_cleanup = true;
                                )
                                .is_ok()
                        {
                            run_cleanup = true;
                        }
                    }
                    if run_cleanup {
                        let before = tracker.len();
                        tracker.retain(|_, (ts, _)| ts.elapsed() < Duration::from_secs(120));
                        let expired = before.saturating_sub(tracker.len());
                        if expired > 0 {
                            stats_ping.increment_me_keepalive_timeout_by(expired as u64);
                        }
                    }
                    tracker.insert(sent_id, (std::time::Instant::now(), writer_id));
                }
                ping_id = ping_id.wrapping_add(1);
                stats_ping.increment_me_keepalive_sent();
@@ -363,10 +390,24 @@ impl MePool {
                            .compare_exchange(false, true, Ordering::AcqRel, Ordering::Relaxed)
                            .is_ok()
                    {
-                        pool.remove_writer_and_close_clients(writer_id).await;
+                        pool.remove_writer_and_close_clients(
                            writer_id,
                            MeWriterTeardownReason::PingSendFail,
                        )
                        .await;
                    }
                    break;
                }
                let mut tracker = ping_tracker_ping.lock().await;
                if run_cleanup {
                    let before = tracker.len();
                    tracker.retain(|_, (ts, _)| ts.elapsed() < Duration::from_secs(120));
                    let expired = before.saturating_sub(tracker.len());
                    if expired > 0 {
                        stats_ping.increment_me_keepalive_timeout_by(expired as u64);
                    }
                }
                tracker.insert(sent_id, (std::time::Instant::now(), writer_id));
            }
        });
@@ -446,7 +487,11 @@ impl MePool {
                        .compare_exchange(false, true, Ordering::AcqRel, Ordering::Relaxed)
                        .is_ok()
                    {
-                        pool.remove_writer_and_close_clients(writer_id).await;
+                        pool.remove_writer_and_close_clients(
                            writer_id,
                            MeWriterTeardownReason::SignalSendFail,
                        )
                        .await;
                    }
                    break;
                }
@@ -480,7 +525,11 @@ impl MePool {
                        .compare_exchange(false, true, Ordering::AcqRel, Ordering::Relaxed)
                        .is_ok()
                    {
-                        pool.remove_writer_and_close_clients(writer_id).await;
+                        pool.remove_writer_and_close_clients(
                            writer_id,
                            MeWriterTeardownReason::SignalSendFail,
                        )
                        .await;
                    }
                    break;
                }
@@ -493,23 +542,83 @@ impl MePool {
        Ok(())
    }
-    pub(crate) async fn remove_writer_and_close_clients(self: &Arc<Self>, writer_id: u64) {
+    pub(crate) async fn remove_writer_and_close_clients(
-        let conns = self.remove_writer_only(writer_id).await;
+        self: &Arc<Self>,
-        for bound in conns {
+        writer_id: u64,
-            let _ = self.registry.route(bound.conn_id, super::MeResponse::Close).await;
+        reason: MeWriterTeardownReason,
-            let _ = self.registry.unregister(bound.conn_id).await;
+    ) -> bool {
-        }
+        // Full client cleanup now happens inside `registry.writer_lost` to keep
        // writer reap/remove paths strictly non-blocking per connection.
        self.remove_writer_with_mode(
            writer_id,
            reason,
            MeWriterTeardownMode::Normal,
            WriterRemoveGuardMode::Any,
        )
        .await
    }
-    async fn remove_writer_only(self: &Arc<Self>, writer_id: u64) -> Vec<BoundConn> {
+    pub(super) async fn remove_draining_writer_hard_detach(
        self: &Arc<Self>,
        writer_id: u64,
        reason: MeWriterTeardownReason,
    ) -> bool {
        self.remove_writer_with_mode(
            writer_id,
            reason,
            MeWriterTeardownMode::HardDetach,
            WriterRemoveGuardMode::DrainingOnly,
        )
        .await
    }
    async fn remove_writer_only(
        self: &Arc<Self>,
        writer_id: u64,
        reason: MeWriterTeardownReason,
    ) -> bool {
        self.remove_writer_with_mode(
            writer_id,
            reason,
            MeWriterTeardownMode::Normal,
            WriterRemoveGuardMode::Any,
        )
        .await
    }
    // Authoritative teardown primitive shared by normal cleanup and watchdog path.
    // Lock-order invariant:
    // 1) mutate `writers` under pool write lock,
    // 2) release pool lock,
    // 3) run registry/metrics/refill side effects.
    // `registry.writer_lost` must never run while `writers` lock is held.
    async fn remove_writer_with_mode(
        self: &Arc<Self>,
        writer_id: u64,
        reason: MeWriterTeardownReason,
        mode: MeWriterTeardownMode,
        guard_mode: WriterRemoveGuardMode,
    ) -> bool {
        let started_at = Instant::now();
        self.stats
            .increment_me_writer_teardown_attempt_total(reason, mode);
        let mut close_tx: Option<mpsc::Sender<WriterCommand>> = None;
        let mut removed_addr: Option<SocketAddr> = None;
        let mut removed_dc: Option<i32> = None;
        let mut removed_uptime: Option<Duration> = None;
        let mut trigger_refill = false;
        let mut removed = false;
        {
            let mut ws = self.writers.write().await;
            if let Some(pos) = ws.iter().position(|w| w.id == writer_id) {
                if matches!(guard_mode, WriterRemoveGuardMode::DrainingOnly)
                    && !ws[pos].draining.load(Ordering::Relaxed)
                {
                    self.stats.increment_me_writer_teardown_noop_total();
                    self.stats
                        .observe_me_writer_teardown_duration(mode, started_at.elapsed());
                    return false;
                }
                let w = ws.remove(pos);
                let was_draining = w.draining.load(Ordering::Relaxed);
                if was_draining {
@@ -526,27 +635,65 @@ impl MePool {
                }
                close_tx = Some(w.tx.clone());
                self.conn_count.fetch_sub(1, Ordering::Relaxed);
                removed = true;
            }
        }
-        let conns = self.registry.writer_lost(writer_id).await;
+        // State invariant:
        // - writer is removed from `self.writers` (pool visibility),
        // - writer is removed from registry routing/binding maps via `writer_lost`.
        // The close command below is only a best-effort accelerator for task shutdown.
        // Cleanup progress must never depend on command-channel availability.
        let _ = self.registry.writer_lost(writer_id).await;
        {
            let mut tracker = self.ping_tracker.lock().await;
            tracker.retain(|_, (_, wid)| *wid != writer_id);
        }
        self.rtt_stats.lock().await.remove(&writer_id);
        if let Some(tx) = close_tx {
-            let _ = tx.send(WriterCommand::Close).await;
+            match tx.try_send(WriterCommand::Close) {
                Ok(()) => {}
                Err(TrySendError::Full(_)) => {
                    self.stats.increment_me_writer_close_signal_drop_total();
                    self.stats
                        .increment_me_writer_close_signal_channel_full_total();
                    self.stats.increment_me_writer_cleanup_side_effect_failures_total(
                        MeWriterCleanupSideEffectStep::CloseSignalChannelFull,
                    );
                    debug!(
                        writer_id,
                        "Skipping close signal for removed writer: command channel is full"
                    );
                }
                Err(TrySendError::Closed(_)) => {
                    self.stats.increment_me_writer_close_signal_drop_total();
                    self.stats.increment_me_writer_cleanup_side_effect_failures_total(
                        MeWriterCleanupSideEffectStep::CloseSignalChannelClosed,
                    );
                    debug!(
                        writer_id,
                        "Skipping close signal for removed writer: command channel is closed"
                    );
                }
            }
        }
-        if trigger_refill
+        if let Some(addr) = removed_addr {
            && let Some(addr) = removed_addr
            && let Some(writer_dc) = removed_dc
        {
            if let Some(uptime) = removed_uptime {
                self.maybe_quarantine_flapping_endpoint(addr, uptime).await;
            }
-            self.trigger_immediate_refill_for_dc(addr, writer_dc);
+            if trigger_refill
                && let Some(writer_dc) = removed_dc
            {
                self.trigger_immediate_refill_for_dc(addr, writer_dc);
            }
        }
-        conns
+        if removed {
            self.stats.increment_me_writer_teardown_success_total(mode);
        } else {
            self.stats.increment_me_writer_teardown_noop_total();
        }
        self.stats
            .observe_me_writer_teardown_duration(mode, started_at.elapsed());
        removed
    }
    pub(crate) async fn mark_writer_draining_with_timeout(
--- a/src/transport/middle_proxy/reader.rs
+++ b/src/transport/middle_proxy/reader.rs
@@ -8,6 +8,7 @@ use bytes::{Bytes, BytesMut};
 use tokio::io::AsyncReadExt;
 use tokio::net::TcpStream;
 use tokio::sync::{Mutex, mpsc};
 use tokio::sync::mpsc::error::TrySendError;
 use tokio_util::sync::CancellationToken;
 use tracing::{debug, trace, warn};
@@ -173,12 +174,12 @@ pub(crate) async fn reader_loop(
            } else if pt == RPC_CLOSE_EXT_U32 && body.len() >= 8 {
                let cid = u64::from_le_bytes(body[0..8].try_into().unwrap());
                debug!(cid, "RPC_CLOSE_EXT from ME");
-                reg.route(cid, MeResponse::Close).await;
+                let _ = reg.route_nowait(cid, MeResponse::Close).await;
                reg.unregister(cid).await;
            } else if pt == RPC_CLOSE_CONN_U32 && body.len() >= 8 {
                let cid = u64::from_le_bytes(body[0..8].try_into().unwrap());
                debug!(cid, "RPC_CLOSE_CONN from ME");
-                reg.route(cid, MeResponse::Close).await;
+                let _ = reg.route_nowait(cid, MeResponse::Close).await;
                reg.unregister(cid).await;
            } else if pt == RPC_PING_U32 && body.len() >= 8 {
                let ping_id = i64::from_le_bytes(body[0..8].try_into().unwrap());
@@ -186,13 +187,15 @@ pub(crate) async fn reader_loop(
                let mut pong = Vec::with_capacity(12);
                pong.extend_from_slice(&RPC_PONG_U32.to_le_bytes());
                pong.extend_from_slice(&ping_id.to_le_bytes());
-                if tx
+                match tx.try_send(WriterCommand::DataAndFlush(Bytes::from(pong))) {
-                    .send(WriterCommand::DataAndFlush(Bytes::from(pong)))
+                    Ok(()) => {}
-                    .await
+                    Err(TrySendError::Full(_)) => {
-                    .is_err()
+                        debug!(ping_id, "PONG dropped: writer command channel is full");
-                {
+                    }
-                    warn!("PONG send failed");
+                    Err(TrySendError::Closed(_)) => {
-                    break;
+                        warn!("PONG send failed: writer channel closed");
                        break;
                    }
                }
            } else if pt == RPC_PONG_U32 && body.len() >= 8 {
                let ping_id = i64::from_le_bytes(body[0..8].try_into().unwrap());
@@ -232,6 +235,13 @@ async fn send_close_conn(tx: &mpsc::Sender<WriterCommand>, conn_id: u64) {
    let mut p = Vec::with_capacity(12);
    p.extend_from_slice(&RPC_CLOSE_CONN_U32.to_le_bytes());
    p.extend_from_slice(&conn_id.to_le_bytes());
-
+    match tx.try_send(WriterCommand::DataAndFlush(Bytes::from(p))) {
-    let _ = tx.send(WriterCommand::DataAndFlush(Bytes::from(p))).await;
+        Ok(()) => {}
        Err(TrySendError::Full(_)) => {
            debug!(conn_id, "ME close_conn signal skipped: writer command channel is full");
        }
        Err(TrySendError::Closed(_)) => {
            debug!(conn_id, "ME close_conn signal skipped: writer command channel is closed");
        }
    }
 }
--- a/src/transport/middle_proxy/registry.rs
+++ b/src/transport/middle_proxy/registry.rs
@@ -169,6 +169,7 @@ impl ConnRegistry {
        None
    }
    #[allow(dead_code)]
    pub async fn route(&self, id: u64, resp: MeResponse) -> RouteResult {
        let tx = {
            let inner = self.inner.read().await;
@@ -394,31 +395,89 @@ impl ConnRegistry {
        inner.writer_for_conn.keys().copied().collect()
    }
-    pub async fn writer_lost(&self, writer_id: u64) -> Vec<BoundConn> {
+    pub(super) async fn bound_conn_ids_for_writer_limited(
-        let mut inner = self.inner.write().await;
+        &self,
-        inner.writers.remove(&writer_id);
+        writer_id: u64,
-        inner.last_meta_for_writer.remove(&writer_id);
+        limit: usize,
-        inner.writer_idle_since_epoch_secs.remove(&writer_id);
+    ) -> Vec<u64> {
-        let conns = inner
+        if limit == 0 {
-            .conns_for_writer
+            return Vec::new();
-            .remove(&writer_id)
+        }
-            .unwrap_or_default()
+        let inner = self.inner.read().await;
-            .into_iter()
+        let Some(conn_ids) = inner.conns_for_writer.get(&writer_id) else {
-            .collect::<Vec<_>>();
+            return Vec::new();
        };
        let mut out = conn_ids.iter().copied().collect::<Vec<_>>();
        out.sort_unstable();
        out.truncate(limit);
        out
    }
-        let mut out = Vec::new();
+    pub(super) async fn evict_bound_conn_if_writer(&self, conn_id: u64, writer_id: u64) -> bool {
-        for conn_id in conns {
+        let maybe_client_tx = {
            let mut inner = self.inner.write().await;
            if inner.writer_for_conn.get(&conn_id).copied() != Some(writer_id) {
-                continue;
+                return false;
            }
            let client_tx = inner.map.get(&conn_id).cloned();
            inner.map.remove(&conn_id);
            inner.meta.remove(&conn_id);
            inner.writer_for_conn.remove(&conn_id);
-            if let Some(m) = inner.meta.get(&conn_id) {
+
-                out.push(BoundConn {
+            let became_empty = if let Some(set) = inner.conns_for_writer.get_mut(&writer_id) {
-                    conn_id,
+                set.remove(&conn_id);
-                    meta: m.clone(),
+                set.is_empty()
-                });
+            } else {
                false
            };
            if became_empty {
                inner
                    .writer_idle_since_epoch_secs
                    .insert(writer_id, Self::now_epoch_secs());
            }
            client_tx
        };
        if let Some(client_tx) = maybe_client_tx {
            let _ = client_tx.try_send(MeResponse::Close);
        }
        true
    }
    pub async fn writer_lost(&self, writer_id: u64) -> Vec<BoundConn> {
        let mut close_txs = Vec::<mpsc::Sender<MeResponse>>::new();
        let mut out = Vec::new();
        {
            let mut inner = self.inner.write().await;
            inner.writers.remove(&writer_id);
            inner.last_meta_for_writer.remove(&writer_id);
            inner.writer_idle_since_epoch_secs.remove(&writer_id);
            let conns = inner
                .conns_for_writer
                .remove(&writer_id)
                .unwrap_or_default()
                .into_iter()
                .collect::<Vec<_>>();
            for conn_id in conns {
                if inner.writer_for_conn.get(&conn_id).copied() != Some(writer_id) {
                    continue;
                }
                inner.writer_for_conn.remove(&conn_id);
                if let Some(client_tx) = inner.map.remove(&conn_id) {
                    close_txs.push(client_tx);
                }
                if let Some(meta) = inner.meta.remove(&conn_id) {
                    out.push(BoundConn { conn_id, meta });
                }
            }
        }
        for client_tx in close_txs {
            let _ = client_tx.try_send(MeResponse::Close);
        }
        out
    }
@@ -441,9 +500,11 @@ impl ConnRegistry {
 #[cfg(test)]
 mod tests {
    use std::net::{IpAddr, Ipv4Addr, SocketAddr};
    use std::time::Duration;
    use super::ConnMeta;
    use super::ConnRegistry;
    use super::MeResponse;
    #[tokio::test]
    async fn writer_activity_snapshot_tracks_writer_and_dc_load() {
@@ -612,6 +673,39 @@ mod tests {
        assert!(registry.is_writer_empty(20).await);
    }
    #[tokio::test]
    async fn writer_lost_removes_bound_conn_from_registry_and_signals_close() {
        let registry = ConnRegistry::new();
        let (conn_id, mut rx) = registry.register().await;
        let (writer_tx, _writer_rx) = tokio::sync::mpsc::channel(8);
        registry.register_writer(10, writer_tx).await;
        let addr = SocketAddr::new(IpAddr::V4(Ipv4Addr::LOCALHOST), 443);
        assert!(
            registry
                .bind_writer(
                    conn_id,
                    10,
                    ConnMeta {
                        target_dc: 2,
                        client_addr: addr,
                        our_addr: addr,
                        proto_flags: 0,
                    },
                )
                .await
        );
        let lost = registry.writer_lost(10).await;
        assert_eq!(lost.len(), 1);
        assert_eq!(lost[0].conn_id, conn_id);
        assert!(registry.get_writer(conn_id).await.is_none());
        assert!(registry.get_meta(conn_id).await.is_none());
        assert_eq!(registry.unregister(conn_id).await, None);
        let close = tokio::time::timeout(Duration::from_millis(50), rx.recv()).await;
        assert!(matches!(close, Ok(Some(MeResponse::Close))));
    }
    #[tokio::test]
    async fn bind_writer_rejects_unregistered_writer() {
        let registry = ConnRegistry::new();
@@ -634,4 +728,86 @@ mod tests {
        );
        assert!(registry.get_writer(conn_id).await.is_none());
    }
    #[tokio::test]
    async fn bound_conn_ids_for_writer_limited_is_sorted_and_bounded() {
        let registry = ConnRegistry::new();
        let (writer_tx, _writer_rx) = tokio::sync::mpsc::channel(8);
        registry.register_writer(10, writer_tx).await;
        let addr = SocketAddr::new(IpAddr::V4(Ipv4Addr::LOCALHOST), 443);
        let mut conn_ids = Vec::new();
        for _ in 0..5 {
            let (conn_id, _rx) = registry.register().await;
            assert!(
                registry
                    .bind_writer(
                        conn_id,
                        10,
                        ConnMeta {
                            target_dc: 2,
                            client_addr: addr,
                            our_addr: addr,
                            proto_flags: 0,
                        },
                    )
                    .await
            );
            conn_ids.push(conn_id);
        }
        conn_ids.sort_unstable();
        let limited = registry.bound_conn_ids_for_writer_limited(10, 3).await;
        assert_eq!(limited.len(), 3);
        assert_eq!(limited, conn_ids.into_iter().take(3).collect::<Vec<_>>());
    }
    #[tokio::test]
    async fn evict_bound_conn_if_writer_does_not_touch_rebound_conn() {
        let registry = ConnRegistry::new();
        let (conn_id, mut rx) = registry.register().await;
        let (writer_tx_a, _writer_rx_a) = tokio::sync::mpsc::channel(8);
        let (writer_tx_b, _writer_rx_b) = tokio::sync::mpsc::channel(8);
        registry.register_writer(10, writer_tx_a).await;
        registry.register_writer(20, writer_tx_b).await;
        let addr = SocketAddr::new(IpAddr::V4(Ipv4Addr::LOCALHOST), 443);
        assert!(
            registry
                .bind_writer(
                    conn_id,
                    10,
                    ConnMeta {
                        target_dc: 2,
                        client_addr: addr,
                        our_addr: addr,
                        proto_flags: 0,
                    },
                )
                .await
        );
        assert!(
            registry
                .bind_writer(
                    conn_id,
                    20,
                    ConnMeta {
                        target_dc: 2,
                        client_addr: addr,
                        our_addr: addr,
                        proto_flags: 1,
                    },
                )
                .await
        );
        let evicted = registry.evict_bound_conn_if_writer(conn_id, 10).await;
        assert!(!evicted);
        assert_eq!(registry.get_writer(conn_id).await.expect("writer").writer_id, 20);
        assert!(rx.try_recv().is_err());
        let evicted = registry.evict_bound_conn_if_writer(conn_id, 20).await;
        assert!(evicted);
        assert!(registry.get_writer(conn_id).await.is_none());
        assert!(matches!(rx.try_recv(), Ok(MeResponse::Close)));
    }
 }
--- a/src/transport/middle_proxy/send.rs
+++ b/src/transport/middle_proxy/send.rs
@@ -6,6 +6,7 @@ use std::sync::atomic::Ordering;
 use std::time::{Duration, Instant};
 use bytes::Bytes;
 use tokio::sync::mpsc;
 use tokio::sync::mpsc::error::TrySendError;
 use tracing::{debug, warn};
@@ -13,6 +14,7 @@ use crate::config::{MeRouteNoWriterMode, MeWriterPickMode};
 use crate::error::{ProxyError, Result};
 use crate::network::IpFamily;
 use crate::protocol::constants::{RPC_CLOSE_CONN_U32, RPC_CLOSE_EXT_U32};
 use crate::stats::MeWriterTeardownReason;
 use super::MePool;
 use super::codec::WriterCommand;
@@ -29,6 +31,29 @@ const PICK_PENALTY_DRAINING: u64 = 600;
 const PICK_PENALTY_STALE: u64 = 300;
 const PICK_PENALTY_DEGRADED: u64 = 250;
 enum TimedSendError<T> {
    Closed(T),
    Timeout(T),
 }
 async fn send_writer_command_with_timeout(
    tx: &mpsc::Sender<WriterCommand>,
    cmd: WriterCommand,
    timeout: Duration,
 ) -> std::result::Result<(), TimedSendError<WriterCommand>> {
    if timeout.is_zero() {
        return tx.send(cmd).await.map_err(|err| TimedSendError::Closed(err.0));
    }
    match tokio::time::timeout(timeout, tx.reserve()).await {
        Ok(Ok(permit)) => {
            permit.send(cmd);
            Ok(())
        }
        Ok(Err(_)) => Err(TimedSendError::Closed(cmd)),
        Err(_) => Err(TimedSendError::Timeout(cmd)),
    }
 }
 impl MePool {
    /// Send RPC_PROXY_REQ. `tag_override`: per-user ad_tag (from access.user_ad_tags); if None, uses pool default.
    pub async fn send_proxy_req(
@@ -78,8 +103,18 @@ impl MePool {
        let mut hybrid_last_recovery_at: Option<Instant> = None;
        let hybrid_wait_step = self.me_route_no_writer_wait.max(Duration::from_millis(50));
        let mut hybrid_wait_current = hybrid_wait_step;
        let hybrid_deadline = Instant::now() + self.me_route_hybrid_max_wait;
        loop {
            if matches!(no_writer_mode, MeRouteNoWriterMode::HybridAsyncPersistent)
                && Instant::now() >= hybrid_deadline
            {
                self.stats.increment_me_no_writer_failfast_total();
                return Err(ProxyError::Proxy(
                    "No ME writer available in hybrid wait window".into(),
                ));
            }
            let mut skip_writer_id: Option<u64> = None;
            let current_meta = self
                .registry
                .get_meta(conn_id)
@@ -90,16 +125,42 @@ impl MePool {
                match current.tx.try_send(WriterCommand::Data(current_payload.clone())) {
                    Ok(()) => return Ok(()),
                    Err(TrySendError::Full(cmd)) => {
-                        if current.tx.send(cmd).await.is_ok() {
+                        match send_writer_command_with_timeout(
-                            return Ok(());
+                            &current.tx,
                            cmd,
                            self.me_route_blocking_send_timeout,
                        )
                        .await
                        {
                            Ok(()) => return Ok(()),
                            Err(TimedSendError::Closed(_)) => {
                                warn!(writer_id = current.writer_id, "ME writer channel closed");
                                self.remove_writer_and_close_clients(
                                    current.writer_id,
                                    MeWriterTeardownReason::RouteChannelClosed,
                                )
                                .await;
                                continue;
                            }
                            Err(TimedSendError::Timeout(_)) => {
                                debug!(
                                    conn_id,
                                    writer_id = current.writer_id,
                                    timeout_ms = self.me_route_blocking_send_timeout.as_millis()
                                        as u64,
                                    "ME writer send timed out for bound writer, trying reroute"
                                );
                                skip_writer_id = Some(current.writer_id);
                            }
                        }
                        warn!(writer_id = current.writer_id, "ME writer channel closed");
                        self.remove_writer_and_close_clients(current.writer_id).await;
                        continue;
                    }
                    Err(TrySendError::Closed(_)) => {
                        warn!(writer_id = current.writer_id, "ME writer channel closed");
-                        self.remove_writer_and_close_clients(current.writer_id).await;
+                        self.remove_writer_and_close_clients(
                            current.writer_id,
                            MeWriterTeardownReason::RouteChannelClosed,
                        )
                        .await;
                        continue;
                    }
                }
@@ -200,6 +261,9 @@ impl MePool {
                    .candidate_indices_for_dc(&writers_snapshot, routed_dc, true)
                    .await;
            }
            if let Some(skip_writer_id) = skip_writer_id {
                candidate_indices.retain(|idx| writers_snapshot[*idx].id != skip_writer_id);
            }
            if candidate_indices.is_empty() {
                let pick_mode = self.writer_pick_mode();
                match no_writer_mode {
@@ -403,7 +467,11 @@ impl MePool {
                    Err(TrySendError::Closed(_)) => {
                        self.stats.increment_me_writer_pick_closed_total(pick_mode);
                        warn!(writer_id = w.id, "ME writer channel closed");
-                        self.remove_writer_and_close_clients(w.id).await;
+                        self.remove_writer_and_close_clients(
                            w.id,
                            MeWriterTeardownReason::RouteChannelClosed,
                        )
                        .await;
                        continue;
                    }
                }
@@ -422,7 +490,13 @@ impl MePool {
            self.stats.increment_me_writer_pick_blocking_fallback_total();
            let effective_our_addr = SocketAddr::new(w.source_ip, our_addr.port());
            let (payload, meta) = build_routed_payload(effective_our_addr);
-            match w.tx.send(WriterCommand::Data(payload.clone())).await {
+            match send_writer_command_with_timeout(
                &w.tx,
                WriterCommand::Data(payload.clone()),
                self.me_route_blocking_send_timeout,
            )
            .await
            {
                Ok(()) => {
                    self.stats
                        .increment_me_writer_pick_success_fallback_total(pick_mode);
@@ -439,10 +513,23 @@ impl MePool {
                    }
                    return Ok(());
                }
-                Err(_) => {
+                Err(TimedSendError::Closed(_)) => {
                    self.stats.increment_me_writer_pick_closed_total(pick_mode);
                    warn!(writer_id = w.id, "ME writer channel closed (blocking)");
-                    self.remove_writer_and_close_clients(w.id).await;
+                    self.remove_writer_and_close_clients(
                        w.id,
                        MeWriterTeardownReason::RouteChannelClosed,
                    )
                    .await;
                }
                Err(TimedSendError::Timeout(_)) => {
                    self.stats.increment_me_writer_pick_full_total(pick_mode);
                    debug!(
                        conn_id,
                        writer_id = w.id,
                        timeout_ms = self.me_route_blocking_send_timeout.as_millis() as u64,
                        "ME writer blocking fallback send timed out"
                    );
                }
            }
        }
@@ -573,13 +660,23 @@ impl MePool {
            let mut p = Vec::with_capacity(12);
            p.extend_from_slice(&RPC_CLOSE_EXT_U32.to_le_bytes());
            p.extend_from_slice(&conn_id.to_le_bytes());
-            if w.tx
+            match w.tx.try_send(WriterCommand::DataAndFlush(Bytes::from(p))) {
-                .send(WriterCommand::DataAndFlush(Bytes::from(p)))
+                Ok(()) => {}
-                .await
+                Err(TrySendError::Full(_)) => {
-                .is_err()
+                    debug!(
-            {
+                        conn_id,
-                debug!("ME close write failed");
+                        writer_id = w.writer_id,
-                self.remove_writer_and_close_clients(w.writer_id).await;
+                        "ME close skipped: writer command channel is full"
                    );
                }
                Err(TrySendError::Closed(_)) => {
                    debug!("ME close write failed");
                    self.remove_writer_and_close_clients(
                        w.writer_id,
                        MeWriterTeardownReason::CloseRpcChannelClosed,
                    )
                    .await;
                }
            }
        } else {
            debug!(conn_id, "ME close skipped (writer missing)");
@@ -596,8 +693,12 @@ impl MePool {
            p.extend_from_slice(&conn_id.to_le_bytes());
            match w.tx.try_send(WriterCommand::DataAndFlush(Bytes::from(p))) {
                Ok(()) => {}
-                Err(TrySendError::Full(cmd)) => {
+                Err(TrySendError::Full(_)) => {
-                    let _ = tokio::time::timeout(Duration::from_millis(50), w.tx.send(cmd)).await;
+                    debug!(
                        conn_id,
                        writer_id = w.writer_id,
                        "ME close_conn skipped: writer command channel is full"
                    );
                }
                Err(TrySendError::Closed(_)) => {
                    debug!(conn_id, "ME close_conn skipped: writer channel closed");
--- a/src/transport/socket.rs
+++ b/src/transport/socket.rs
@@ -11,6 +11,8 @@ use tokio::net::TcpStream;
 use socket2::{Socket, TcpKeepalive, Domain, Type, Protocol};
 use tracing::debug;
 const DEFAULT_SOCKET_BUFFER_BYTES: usize = 256 * 1024;
 /// Configure TCP socket with recommended settings for proxy use
 #[allow(dead_code)]
 pub fn configure_tcp_socket(
@@ -34,10 +36,10 @@ pub fn configure_tcp_socket(
        socket.set_tcp_keepalive(&keepalive)?;
    }
-    
+
-    // CHANGED: Removed manual buffer size setting (was 256KB).
+    // Use explicit baseline buffers to reduce slow-start stalls on high RTT links.
-    // Allowing the OS kernel to handle TCP window scaling (Autotuning) is critical
+    socket.set_recv_buffer_size(DEFAULT_SOCKET_BUFFER_BYTES)?;
-    // for mobile clients to avoid bufferbloat and stalled connections during uploads.
+    socket.set_send_buffer_size(DEFAULT_SOCKET_BUFFER_BYTES)?;
    Ok(())
 }
@@ -62,6 +64,10 @@ pub fn configure_client_socket(
    let keepalive = keepalive.with_interval(Duration::from_secs(keepalive_secs));
    socket.set_tcp_keepalive(&keepalive)?;
    // Keep explicit baseline buffers for predictable throughput across busy hosts.
    socket.set_recv_buffer_size(DEFAULT_SOCKET_BUFFER_BYTES)?;
    socket.set_send_buffer_size(DEFAULT_SOCKET_BUFFER_BYTES)?;
    // Set TCP user timeout (Linux only)
    // NOTE: iOS does not support TCP_USER_TIMEOUT - application-level timeout 
@@ -124,6 +130,8 @@ pub fn create_outgoing_socket_bound(addr: SocketAddr, bind_addr: Option<IpAddr>)
    // Disable Nagle
    socket.set_nodelay(true)?;
    socket.set_recv_buffer_size(DEFAULT_SOCKET_BUFFER_BYTES)?;
    socket.set_send_buffer_size(DEFAULT_SOCKET_BUFFER_BYTES)?;
    if let Some(bind_ip) = bind_addr {
        let bind_sock_addr = SocketAddr::new(bind_ip, 0);
--- a/tools/telemt_api.py
+++ b/tools/telemt_api.py
@@ -0,0 +1,728 @@
 """
 Telemt Control API Python Client
 Full-coverage client for https://github.com/telemt/telemt
 Usage:
    client = TelemtAPI("http://127.0.0.1:9091", auth_header="your-secret")
    client.health()
    client.create_user("alice", max_tcp_conns=10)
    client.patch_user("alice", data_quota_bytes=1_000_000_000)
    client.delete_user("alice")
 """
 from __future__ import annotations
 import json
 import secrets
 from dataclasses import dataclass, field
 from typing import Any, Dict, List, Optional, Union
 from urllib.error import HTTPError, URLError
 from urllib.request import Request, urlopen
 # ---------------------------------------------------------------------------
 # Exceptions
 # ---------------------------------------------------------------------------
 class TememtAPIError(Exception):
    """Raised when the API returns an error envelope or a transport error."""
    def __init__(self, message: str, code: str | None = None,
                 http_status: int | None = None, request_id: int | None = None):
        super().__init__(message)
        self.code = code
        self.http_status = http_status
        self.request_id = request_id
    def __repr__(self) -> str:
        return (f"TememtAPIError(message={str(self)!r}, code={self.code!r}, "
                f"http_status={self.http_status}, request_id={self.request_id})")
 # ---------------------------------------------------------------------------
 # Response wrapper
 # ---------------------------------------------------------------------------
@dataclass
 class APIResponse:
    """Wraps a successful API response envelope."""
    ok: bool
    data: Any
    revision: str | None = None
    def __repr__(self) -> str:  # pragma: no cover
        return f"APIResponse(ok={self.ok}, revision={self.revision!r}, data={self.data!r})"
 # ---------------------------------------------------------------------------
 # Main client
 # ---------------------------------------------------------------------------
 class TememtAPI:
    """
    HTTP client for the Telemt Control API.
    Parameters
    ----------
    base_url:
        Scheme + host + port, e.g. ``"http://127.0.0.1:9091"``.
        Trailing slash is stripped automatically.
    auth_header:
        Exact value for the ``Authorization`` header.
        Leave *None* when ``auth_header`` is not configured server-side.
    timeout:
        Socket timeout in seconds for every request (default 10).
    """
    def __init__(
        self,
        base_url: str = "http://127.0.0.1:9091",
        auth_header: str | None = None,
        timeout: int = 10,
    ) -> None:
        self.base_url = base_url.rstrip("/")
        self.auth_header = auth_header
        self.timeout = timeout
    # ------------------------------------------------------------------
    # Low-level HTTP helpers
    # ------------------------------------------------------------------
    def _headers(self, extra: dict | None = None) -> dict:
        h = {"Content-Type": "application/json; charset=utf-8",
             "Accept": "application/json"}
        if self.auth_header:
            h["Authorization"] = self.auth_header
        if extra:
            h.update(extra)
        return h
    def _request(
        self,
        method: str,
        path: str,
        body: dict | None = None,
        if_match: str | None = None,
        query: dict | None = None,
    ) -> APIResponse:
        url = self.base_url + path
        if query:
            qs = "&".join(f"{k}={v}" for k, v in query.items())
            url = f"{url}?{qs}"
        raw_body: bytes | None = None
        if body is not None:
            raw_body = json.dumps(body).encode()
        extra_headers: dict = {}
        if if_match is not None:
            extra_headers["If-Match"] = if_match
        req = Request(
            url,
            data=raw_body,
            headers=self._headers(extra_headers),
            method=method,
        )
        try:
            with urlopen(req, timeout=self.timeout) as resp:
                payload = json.loads(resp.read())
        except HTTPError as exc:
            raw = exc.read()
            try:
                payload = json.loads(raw)
            except Exception:
                raise TememtAPIError(
                    str(exc), http_status=exc.code
                ) from exc
            err = payload.get("error", {})
            raise TememtAPIError(
                err.get("message", str(exc)),
                code=err.get("code"),
                http_status=exc.code,
                request_id=payload.get("request_id"),
            ) from exc
        except URLError as exc:
            raise TememtAPIError(str(exc)) from exc
        if not payload.get("ok"):
            err = payload.get("error", {})
            raise TememtAPIError(
                err.get("message", "unknown error"),
                code=err.get("code"),
                request_id=payload.get("request_id"),
            )
        return APIResponse(
            ok=True,
            data=payload.get("data"),
            revision=payload.get("revision"),
        )
    def _get(self, path: str, query: dict | None = None) -> APIResponse:
        return self._request("GET", path, query=query)
    def _post(self, path: str, body: dict | None = None,
              if_match: str | None = None) -> APIResponse:
        return self._request("POST", path, body=body, if_match=if_match)
    def _patch(self, path: str, body: dict,
               if_match: str | None = None) -> APIResponse:
        return self._request("PATCH", path, body=body, if_match=if_match)
    def _delete(self, path: str, if_match: str | None = None) -> APIResponse:
        return self._request("DELETE", path, if_match=if_match)
    # ------------------------------------------------------------------
    # Health & system
    # ------------------------------------------------------------------
    def health(self) -> APIResponse:
        """GET /v1/health — liveness probe."""
        return self._get("/v1/health")
    def system_info(self) -> APIResponse:
        """GET /v1/system/info — binary version, uptime, config hash."""
        return self._get("/v1/system/info")
    # ------------------------------------------------------------------
    # Runtime gates & initialization
    # ------------------------------------------------------------------
    def runtime_gates(self) -> APIResponse:
        """GET /v1/runtime/gates — admission gates and startup progress."""
        return self._get("/v1/runtime/gates")
    def runtime_initialization(self) -> APIResponse:
        """GET /v1/runtime/initialization — detailed startup timeline."""
        return self._get("/v1/runtime/initialization")
    # ------------------------------------------------------------------
    # Limits & security
    # ------------------------------------------------------------------
    def limits_effective(self) -> APIResponse:
        """GET /v1/limits/effective — effective timeout/upstream/ME limits."""
        return self._get("/v1/limits/effective")
    def security_posture(self) -> APIResponse:
        """GET /v1/security/posture — API auth, telemetry, log-level summary."""
        return self._get("/v1/security/posture")
    def security_whitelist(self) -> APIResponse:
        """GET /v1/security/whitelist — current IP whitelist CIDRs."""
        return self._get("/v1/security/whitelist")
    # ------------------------------------------------------------------
    # Stats
    # ------------------------------------------------------------------
    def stats_summary(self) -> APIResponse:
        """GET /v1/stats/summary — uptime, connection totals, user count."""
        return self._get("/v1/stats/summary")
    def stats_zero_all(self) -> APIResponse:
        """GET /v1/stats/zero/all — zero-cost counters (core, upstream, ME, pool, desync)."""
        return self._get("/v1/stats/zero/all")
    def stats_upstreams(self) -> APIResponse:
        """GET /v1/stats/upstreams — upstream health + zero counters."""
        return self._get("/v1/stats/upstreams")
    def stats_minimal_all(self) -> APIResponse:
        """GET /v1/stats/minimal/all — ME writers + DC snapshot (requires minimal_runtime_enabled)."""
        return self._get("/v1/stats/minimal/all")
    def stats_me_writers(self) -> APIResponse:
        """GET /v1/stats/me-writers — per-writer ME status (requires minimal_runtime_enabled)."""
        return self._get("/v1/stats/me-writers")
    def stats_dcs(self) -> APIResponse:
        """GET /v1/stats/dcs — per-DC coverage and writer counts (requires minimal_runtime_enabled)."""
        return self._get("/v1/stats/dcs")
    # ------------------------------------------------------------------
    # Runtime deep-dive
    # ------------------------------------------------------------------
    def runtime_me_pool_state(self) -> APIResponse:
        """GET /v1/runtime/me_pool_state — ME pool generation/writer/refill snapshot."""
        return self._get("/v1/runtime/me_pool_state")
    def runtime_me_quality(self) -> APIResponse:
        """GET /v1/runtime/me_quality — ME KDF, route-drop, and per-DC RTT counters."""
        return self._get("/v1/runtime/me_quality")
    def runtime_upstream_quality(self) -> APIResponse:
        """GET /v1/runtime/upstream_quality — per-upstream health, latency, DC preferences."""
        return self._get("/v1/runtime/upstream_quality")
    def runtime_nat_stun(self) -> APIResponse:
        """GET /v1/runtime/nat_stun — NAT probe state, STUN servers, reflected IPs."""
        return self._get("/v1/runtime/nat_stun")
    def runtime_me_selftest(self) -> APIResponse:
        """GET /v1/runtime/me-selftest — KDF/timeskew/IP/PID/BND health state."""
        return self._get("/v1/runtime/me-selftest")
    def runtime_connections_summary(self) -> APIResponse:
        """GET /v1/runtime/connections/summary — live connection totals + top-N users (requires runtime_edge_enabled)."""
        return self._get("/v1/runtime/connections/summary")
    def runtime_events_recent(self, limit: int | None = None) -> APIResponse:
        """GET /v1/runtime/events/recent — recent ring-buffer events (requires runtime_edge_enabled).
        Parameters
        ----------
        limit:
            Optional cap on returned events (1–1000, server default 50).
        """
        query = {"limit": str(limit)} if limit is not None else None
        return self._get("/v1/runtime/events/recent", query=query)
    # ------------------------------------------------------------------
    # Users (read)
    # ------------------------------------------------------------------
    def list_users(self) -> APIResponse:
        """GET /v1/users — list all users with connection/traffic info."""
        return self._get("/v1/users")
    def get_user(self, username: str) -> APIResponse:
        """GET /v1/users/{username} — single user info."""
        return self._get(f"/v1/users/{_safe(username)}")
    # ------------------------------------------------------------------
    # Users (write)
    # ------------------------------------------------------------------
    def create_user(
        self,
        username: str,
        *,
        secret: str | None = None,
        user_ad_tag: str | None = None,
        max_tcp_conns: int | None = None,
        expiration_rfc3339: str | None = None,
        data_quota_bytes: int | None = None,
        max_unique_ips: int | None = None,
        if_match: str | None = None,
    ) -> APIResponse:
        """POST /v1/users — create a new user.
        Parameters
        ----------
        username:
            ``[A-Za-z0-9_.-]``, length 1–64.
        secret:
            Exactly 32 hex chars. Auto-generated if omitted.
        user_ad_tag:
            Exactly 32 hex chars.
        max_tcp_conns:
            Per-user concurrent TCP limit.
        expiration_rfc3339:
            RFC3339 expiration timestamp, e.g. ``"2025-12-31T23:59:59Z"``.
        data_quota_bytes:
            Per-user traffic quota in bytes.
        max_unique_ips:
            Per-user unique source IP limit.
        if_match:
            Optional ``If-Match`` revision for optimistic concurrency.
        """
        body: Dict[str, Any] = {"username": username}
        _opt(body, "secret", secret)
        _opt(body, "user_ad_tag", user_ad_tag)
        _opt(body, "max_tcp_conns", max_tcp_conns)
        _opt(body, "expiration_rfc3339", expiration_rfc3339)
        _opt(body, "data_quota_bytes", data_quota_bytes)
        _opt(body, "max_unique_ips", max_unique_ips)
        return self._post("/v1/users", body=body, if_match=if_match)
    def patch_user(
        self,
        username: str,
        *,
        secret: str | None = None,
        user_ad_tag: str | None = None,
        max_tcp_conns: int | None = None,
        expiration_rfc3339: str | None = None,
        data_quota_bytes: int | None = None,
        max_unique_ips: int | None = None,
        if_match: str | None = None,
    ) -> APIResponse:
        """PATCH /v1/users/{username} — partial update; only provided fields change.
        Parameters
        ----------
        username:
            Existing username to update.
        secret:
            New secret (32 hex chars).
        user_ad_tag:
            New ad tag (32 hex chars).
        max_tcp_conns:
            New TCP concurrency limit.
        expiration_rfc3339:
            New expiration timestamp.
        data_quota_bytes:
            New quota in bytes.
        max_unique_ips:
            New unique IP limit.
        if_match:
            Optional ``If-Match`` revision.
        """
        body: Dict[str, Any] = {}
        _opt(body, "secret", secret)
        _opt(body, "user_ad_tag", user_ad_tag)
        _opt(body, "max_tcp_conns", max_tcp_conns)
        _opt(body, "expiration_rfc3339", expiration_rfc3339)
        _opt(body, "data_quota_bytes", data_quota_bytes)
        _opt(body, "max_unique_ips", max_unique_ips)
        if not body:
            raise ValueError("patch_user: at least one field must be provided")
        return self._patch(f"/v1/users/{_safe(username)}", body=body,
                           if_match=if_match)
    def delete_user(
        self,
        username: str,
        *,
        if_match: str | None = None,
    ) -> APIResponse:
        """DELETE /v1/users/{username} — remove user; blocks deletion of last user.
        Parameters
        ----------
        if_match:
            Optional ``If-Match`` revision for optimistic concurrency.
        """
        return self._delete(f"/v1/users/{_safe(username)}", if_match=if_match)
    # NOTE: POST /v1/users/{username}/rotate-secret currently returns 404
    # in the route matcher (documented limitation). The method is provided
    # for completeness and future compatibility.
    def rotate_secret(
        self,
        username: str,
        *,
        secret: str | None = None,
        if_match: str | None = None,
    ) -> APIResponse:
        """POST /v1/users/{username}/rotate-secret — rotate user secret.
        .. warning::
            This endpoint currently returns ``404 not_found`` in all released
            versions (documented route matcher limitation). The method is
            included for future compatibility.
        Parameters
        ----------
        secret:
            New secret (32 hex chars). Auto-generated if omitted.
        """
        body: Dict[str, Any] = {}
        _opt(body, "secret", secret)
        return self._post(f"/v1/users/{_safe(username)}/rotate-secret",
                          body=body or None, if_match=if_match)
    # ------------------------------------------------------------------
    # Convenience helpers
    # ------------------------------------------------------------------
    @staticmethod
    def generate_secret() -> str:
        """Generate a random 32-character hex secret suitable for user creation."""
        return secrets.token_hex(16)  # 16 bytes → 32 hex chars
 # ---------------------------------------------------------------------------
 # Internal helpers
 # ---------------------------------------------------------------------------
 def _safe(username: str) -> str:
    """Minimal guard: reject obvious path-injection attempts."""
    if "/" in username or "\\" in username:
        raise ValueError(f"Invalid username: {username!r}")
    return username
 def _opt(d: dict, key: str, value: Any) -> None:
    """Add key to dict only when value is not None."""
    if value is not None:
        d[key] = value
 # ---------------------------------------------------------------------------
 # CLI
 # ---------------------------------------------------------------------------
 def _print(resp: APIResponse) -> None:
    print(json.dumps(resp.data, indent=2))
    if resp.revision:
        print(f"# revision: {resp.revision}", flush=True)
 def _build_parser():
    import argparse
    p = argparse.ArgumentParser(
        prog="telemt_api.py",
        description="Telemt Control API CLI",
        formatter_class=argparse.RawDescriptionHelpFormatter,
        epilog="""
 COMMANDS (read)
  health                          Liveness check
  info                            System info (version, uptime, config hash)
  status                          Runtime gates + startup progress
  init                            Runtime initialization timeline
  limits                          Effective limits (timeouts, upstream, ME)
  posture                         Security posture summary
  whitelist                       IP whitelist entries
  summary                         Stats summary (conns, uptime, users)
  zero                            Zero-cost counters (core/upstream/ME/pool/desync)
  upstreams                       Upstream health + zero counters
  minimal                         ME writers + DC snapshot  [minimal_runtime_enabled]
  me-writers                      Per-writer ME status      [minimal_runtime_enabled]
  dcs                             Per-DC coverage           [minimal_runtime_enabled]
  me-pool                         ME pool generation/writer/refill snapshot
  me-quality                      ME KDF, route-drops, per-DC RTT
  upstream-quality                Per-upstream health + latency
  nat-stun                        NAT probe state + STUN servers
  me-selftest                     KDF/timeskew/IP/PID/BND health
  connections                     Live connection totals + top-N  [runtime_edge_enabled]
  events [--limit N]              Recent ring-buffer events       [runtime_edge_enabled]
 COMMANDS (users)
  users                           List all users
  user <username>                 Get single user
  create <username> [OPTIONS]     Create user
  patch  <username> [OPTIONS]     Partial update user
  delete <username>               Delete user
  secret <username> [--secret S]  Rotate secret (reserved; returns 404 in current release)
  gen-secret                      Print a random 32-hex secret and exit
 USER OPTIONS (for create / patch)
  --secret S          32 hex chars
  --ad-tag S          32 hex chars (ad tag)
  --max-conns N       Max concurrent TCP connections
  --expires DATETIME  RFC3339 expiration (e.g. 2026-12-31T23:59:59Z)
  --quota N           Data quota in bytes
  --max-ips N         Max unique source IPs
 EXAMPLES
  telemt_api.py health
  telemt_api.py -u http://10.0.0.1:9091 -a mysecret users
  telemt_api.py create alice --max-conns 5 --quota 10000000000
  telemt_api.py patch  alice --expires 2027-01-01T00:00:00Z
  telemt_api.py delete alice
  telemt_api.py events --limit 20
        """,
    )
    p.add_argument("-u", "--url", default="http://127.0.0.1:9091",
                   metavar="URL", help="API base URL (default: http://127.0.0.1:9091)")
    p.add_argument("-a", "--auth", default=None, metavar="TOKEN",
                   help="Authorization header value")
    p.add_argument("-t", "--timeout", type=int, default=10, metavar="SEC",
                   help="Request timeout in seconds (default: 10)")
    p.add_argument("command", nargs="?", default="help",
                   help="Command to run (see COMMANDS below)")
    p.add_argument("arg", nargs="?", default=None, metavar="USERNAME",
                   help="Username for user commands")
    # user create/patch fields
    p.add_argument("--secret",    default=None)
    p.add_argument("--ad-tag",    dest="ad_tag", default=None)
    p.add_argument("--max-conns", dest="max_conns", type=int, default=None)
    p.add_argument("--expires",   default=None)
    p.add_argument("--quota",     type=int, default=None)
    p.add_argument("--max-ips",   dest="max_ips", type=int, default=None)
    # events
    p.add_argument("--limit", type=int, default=None,
                   help="Max events for `events` command")
    # optimistic concurrency
    p.add_argument("--if-match", dest="if_match", default=None,
                   metavar="REVISION", help="If-Match revision header")
    return p
 if __name__ == "__main__":
    import sys
    parser = _build_parser()
    args = parser.parse_args()
    cmd = (args.command or "help").lower()
    if cmd in ("help", "--help"):
        parser.print_help()
        sys.exit(0)
    if cmd == "gen-secret":
        print(TememtAPI.generate_secret())
        sys.exit(0)
    api = TememtAPI(args.url, auth_header=args.auth, timeout=args.timeout)
    try:
        # -- read endpoints --------------------------------------------------
        if cmd == "health":
            _print(api.health())
        elif cmd == "info":
            _print(api.system_info())
        elif cmd == "status":
            _print(api.runtime_gates())
        elif cmd == "init":
            _print(api.runtime_initialization())
        elif cmd == "limits":
            _print(api.limits_effective())
        elif cmd == "posture":
            _print(api.security_posture())
        elif cmd == "whitelist":
            _print(api.security_whitelist())
        elif cmd == "summary":
            _print(api.stats_summary())
        elif cmd == "zero":
            _print(api.stats_zero_all())
        elif cmd == "upstreams":
            _print(api.stats_upstreams())
        elif cmd == "minimal":
            _print(api.stats_minimal_all())
        elif cmd == "me-writers":
            _print(api.stats_me_writers())
        elif cmd == "dcs":
            _print(api.stats_dcs())
        elif cmd == "me-pool":
            _print(api.runtime_me_pool_state())
        elif cmd == "me-quality":
            _print(api.runtime_me_quality())
        elif cmd == "upstream-quality":
            _print(api.runtime_upstream_quality())
        elif cmd == "nat-stun":
            _print(api.runtime_nat_stun())
        elif cmd == "me-selftest":
            _print(api.runtime_me_selftest())
        elif cmd == "connections":
            _print(api.runtime_connections_summary())
        elif cmd == "events":
            _print(api.runtime_events_recent(limit=args.limit))
        # -- user read -------------------------------------------------------
        elif cmd == "users":
            resp = api.list_users()
            users = resp.data or []
            if not users:
                print("No users configured.")
            else:
                fmt = "{:<24} {:>7}  {:>14}  {}"
                print(fmt.format("USERNAME", "CONNS", "OCTETS", "LINKS"))
                print("-" * 72)
                for u in users:
                    links = (u.get("links") or {})
                    all_links = (links.get("classic") or []) + \
                                (links.get("secure") or []) + \
                                (links.get("tls") or [])
                    link_str = all_links[0] if all_links else "-"
                    print(fmt.format(
                        u["username"],
                        u.get("current_connections", 0),
                        u.get("total_octets", 0),
                        link_str,
                    ))
            if resp.revision:
                print(f"# revision: {resp.revision}")
        elif cmd == "user":
            if not args.arg:
                parser.error("user command requires <username>")
            _print(api.get_user(args.arg))
        # -- user write ------------------------------------------------------
        elif cmd == "create":
            if not args.arg:
                parser.error("create command requires <username>")
            resp = api.create_user(
                args.arg,
                secret=args.secret,
                user_ad_tag=args.ad_tag,
                max_tcp_conns=args.max_conns,
                expiration_rfc3339=args.expires,
                data_quota_bytes=args.quota,
                max_unique_ips=args.max_ips,
                if_match=args.if_match,
            )
            d = resp.data or {}
            print(f"Created: {d.get('user', {}).get('username')}")
            print(f"Secret:  {d.get('secret')}")
            links = (d.get("user") or {}).get("links") or {}
            for kind, lst in links.items():
                for link in (lst or []):
                    print(f"Link ({kind}): {link}")
            if resp.revision:
                print(f"# revision: {resp.revision}")
        elif cmd == "patch":
            if not args.arg:
                parser.error("patch command requires <username>")
            if not any([args.secret, args.ad_tag, args.max_conns,
                        args.expires, args.quota, args.max_ips]):
                parser.error("patch requires at least one field (--secret, --max-conns, --expires, --quota, --max-ips, --ad-tag)")
            _print(api.patch_user(
                args.arg,
                secret=args.secret,
                user_ad_tag=args.ad_tag,
                max_tcp_conns=args.max_conns,
                expiration_rfc3339=args.expires,
                data_quota_bytes=args.quota,
                max_unique_ips=args.max_ips,
                if_match=args.if_match,
            ))
        elif cmd == "delete":
            if not args.arg:
                parser.error("delete command requires <username>")
            resp = api.delete_user(args.arg, if_match=args.if_match)
            print(f"Deleted: {resp.data}")
            if resp.revision:
                print(f"# revision: {resp.revision}")
        elif cmd == "secret":
            if not args.arg:
                parser.error("secret command requires <username>")
            _print(api.rotate_secret(args.arg, secret=args.secret,
                                     if_match=args.if_match))
        else:
            print(f"Unknown command: {cmd!r}\nRun with 'help' to see available commands.",
                  file=sys.stderr)
            sys.exit(1)
    except TememtAPIError as exc:
        print(f"API error [{exc.http_status}] {exc.code}: {exc}", file=sys.stderr)
        sys.exit(1)
    except KeyboardInterrupt:
        sys.exit(130)
--- a/tools/zbx_telemt_template.yaml
+++ b/tools/zbx_telemt_template.yaml
@@ -1165,6 +1165,60 @@ zabbix_export:
              tags:
                - tag: Application
                  value: 'Users connections'
          graph_prototypes:
            - uuid: 4199de3dcea943d8a1ec62dc297b2e9f
              name: 'User {#TELEMT_USER}: Connections'
              graph_items:
                - color: 1A7C11
                  item:
                    host: Telemt
                    key: 'telemt.active_conn_[{#TELEMT_USER}]'
                - color: F63100
                  sortorder: '1'
                  item:
                    host: Telemt
                    key: 'telemt.total_conn_[{#TELEMT_USER}]'
            - uuid: 84b8f22d891e49768891f497cac12fb3
              name: 'User {#TELEMT_USER}: IPs'
              graph_items:
                - color: 0080FF
                  item:
                    host: Telemt
                    key: 'telemt.ips_current_[{#TELEMT_USER}]'
                - color: FF8000
                  sortorder: '1'
                  item:
                    host: Telemt
                    key: 'telemt.ips_limit_[{#TELEMT_USER}]'
                - color: AA00FF
                  sortorder: '2'
                  item:
                    host: Telemt
                    key: 'telemt.ips_utilization_[{#TELEMT_USER}]'
            - uuid: 09dabe7125114e36a6ce40788a7cb888
              name: 'User {#TELEMT_USER}: Traffic'
              graph_items:
                - color: 00AA00
                  item:
                    host: Telemt
                    key: 'telemt.octets_from_[{#TELEMT_USER}]'
                - color: AA0000
                  sortorder: '1'
                  item:
                    host: Telemt
                    key: 'telemt.octets_to_[{#TELEMT_USER}]'
            - uuid: 367f458962574b0ab3c02278a4cd7ecb
              name: 'User {#TELEMT_USER}: Messages'
              graph_items:
                - color: 00AAFF
                  item:
                    host: Telemt
                    key: 'telemt.msgs_from_[{#TELEMT_USER}]'
                - color: FF5500
                  sortorder: '1'
                  item:
                    host: Telemt
                    key: 'telemt.msgs_to_[{#TELEMT_USER}]'
          master_item:
            key: telemt.prom_metrics
          lld_macro_paths:
@@ -1177,3 +1231,206 @@ zabbix_export:
      tags:
        - tag: target
          value: Telemt
  graphs:
    - uuid: f162658049ca4f50893c5cc02515ff10
      name: 'Telemt: Server Connections Overview'
      graph_items:
        - color: 1A7C11
          item:
            host: Telemt
            key: telemt.conn_total
        - color: F63100
          sortorder: '1'
          item:
            host: Telemt
            key: telemt.conn_bad_total
        - color: FC6EA3
          sortorder: '2'
          item:
            host: Telemt
            key: telemt.handshake_timeouts_total
    - uuid: 759eca5e687142f19248f9d9343e1adf
      name: 'Telemt: Uptime'
      graph_items:
        - color: 0080FF
          item:
            host: Telemt
            key: telemt.uptime
    - uuid: 0a27dbd0490d4a508c03ed39fa18545d
      name: 'Telemt: ME Keepalive'
      graph_items:
        - color: 1A7C11
          item:
            host: Telemt
            key: telemt.me_keepalive_sent_total
        - color: 00AA00
          sortorder: '1'
          item:
            host: Telemt
            key: telemt.me_keepalive_pong_total
        - color: F63100
          sortorder: '2'
          item:
            host: Telemt
            key: telemt.me_keepalive_failed_total
        - color: FF8000
          sortorder: '3'
          item:
            host: Telemt
            key: telemt.me_keepalive_timeout_total
    - uuid: 4015e24ff70b49f484e884d1dde687c0
      name: 'Telemt: ME Reconnects'
      graph_items:
        - color: 0080FF
          item:
            host: Telemt
            key: telemt.me_reconnect_attempts_total
        - color: 1A7C11
          sortorder: '1'
          item:
            host: Telemt
            key: telemt.me_reconnect_success_total
    - uuid: f3e3eeb0663c471aa26cf4b6872b0c50
      name: 'Telemt: ME Route Drops'
      graph_items:
        - color: F63100
          item:
            host: Telemt
            key: telemt.me_route_drop_channel_closed_total
        - color: FF8000
          sortorder: '1'
          item:
            host: Telemt
            key: telemt.me_route_drop_no_conn_total
        - color: AA00FF
          sortorder: '2'
          item:
            host: Telemt
            key: telemt.me_route_drop_queue_full_total
    - uuid: 49b51ed78a5943bdbd6d1d34fe28bf61
      name: 'Telemt: ME Writer Pool'
      graph_items:
        - color: 0080FF
          item:
            host: Telemt
            key: telemt.pool_drain_active
        - color: F63100
          sortorder: '1'
          item:
            host: Telemt
            key: telemt.pool_force_close_total
        - color: FF8000
          sortorder: '2'
          item:
            host: Telemt
            key: telemt.pool_stale_pick_total
        - color: 1A7C11
          sortorder: '3'
          item:
            host: Telemt
            key: telemt.pool_swap_total
    - uuid: a0779e6c979f4c1ab7ac4da7123a5ecb
      name: 'Telemt: ME Writer Removals and Restores'
      graph_items:
        - color: F63100
          item:
            host: Telemt
            key: telemt.me_writer_removed_total
        - color: FF8000
          sortorder: '1'
          item:
            host: Telemt
            key: telemt.me_writer_removed_unexpected_total
        - color: FFAA00
          sortorder: '2'
          item:
            host: Telemt
            key: telemt.me_writer_removed_unexpected_minus_restored_total
        - color: 1A7C11
          sortorder: '3'
          item:
            host: Telemt
            key: telemt.me_writer_restored_same_endpoint_total
        - color: 00AA00
          sortorder: '4'
          item:
            host: Telemt
            key: telemt.me_writer_restored_fallback_total
    - uuid: 4fead70290664953b026a228108bee0e
      name: 'Telemt: Desync Detections'
      graph_items:
        - color: F63100
          item:
            host: Telemt
            key: telemt.desync_total
        - color: 1A7C11
          sortorder: '1'
          item:
            host: Telemt
            key: telemt.desync_full_logged_total
        - color: FF8000
          sortorder: '2'
          item:
            host: Telemt
            key: telemt.desync_suppressed_total
    - uuid: 9f8c9f48cb534a66ac21b1bba1acb602
      name: 'Telemt: Upstream Connect Cycles'
      graph_items:
        - color: 0080FF
          item:
            host: Telemt
            key: telemt.upstream_connect_attempt_total
        - color: 1A7C11
          sortorder: '1'
          item:
            host: Telemt
            key: telemt.upstream_connect_success_total
        - color: F63100
          sortorder: '2'
          item:
            host: Telemt
            key: telemt.upstream_connect_fail_total
        - color: FF8000
          sortorder: '3'
          item:
            host: Telemt
            key: telemt.upstream_connect_failfast_hard_error_total
    - uuid: 05182057727547f8b8884b7e71e34f19
      name: 'Telemt: ME Single-Endpoint Outages'
      graph_items:
        - color: F63100
          item:
            host: Telemt
            key: telemt.me_single_endpoint_outage_enter_total
        - color: 1A7C11
          sortorder: '1'
          item:
            host: Telemt
            key: telemt.me_single_endpoint_outage_exit_total
        - color: 0080FF
          sortorder: '2'
          item:
            host: Telemt
            key: telemt.me_single_endpoint_outage_reconnect_attempt_total
        - color: 00AA00
          sortorder: '3'
          item:
            host: Telemt
            key: telemt.me_single_endpoint_outage_reconnect_success_total
    - uuid: 6892e8b7fbd2445d9ccc0574af58a354
      name: 'Telemt: ME Refill Activity'
      graph_items:
        - color: 0080FF
          item:
            host: Telemt
            key: telemt.me_refill_triggered_total
        - color: F63100
          sortorder: '1'
          item:
            host: Telemt
            key: telemt.me_refill_failed_total
        - color: FF8000
          sortorder: '2'
          item:
            host: Telemt
            key: telemt.me_refill_skipped_inflight_total
Author	SHA1	Message	Date
Alexey	dd07fa9453	Merge pull request #505 from telemt/flow-me Teardown Monitoring in API and Metrics	2026-03-20 12:59:39 +03:00
Alexey	bb1a372ac4	Merge branch 'main' into flow-me	2026-03-20 12:59:32 +03:00
Alexey	6661401a34	Merge pull request #506 from telemt/about-releases Update README.md	2026-03-20 12:59:09 +03:00
Alexey	cd65fb432b	Update README.md	2026-03-20 12:58:55 +03:00
Alexey	caf0717789	Merge branch 'main' into flow-me	2026-03-20 12:57:27 +03:00
Alexey	4a610d83a3	Update Cargo.toml Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-03-20 12:56:13 +03:00
Alexey	aba4205dcc	Teardown Monitoring in Metrics Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-03-20 12:46:35 +03:00
Alexey	ef9b7b1492	Teardown Monitoring in API Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-03-20 12:45:53 +03:00
Alexey	d112f15b90	ME Writers Anti-stuck + Quarantine fixes + ME Writers Advanced Cleanup + Authoritative Teardown + Orphan Watchdog + Force-Close Safery Policy: merge pull request #504 from telemt/flow-me ME Writers Anti-stuck + Quarantine fixes + ME Writers Advanced Cleanup + Authoritative Teardown + Orphan Watchdog + Force-Close Safery Policy	2026-03-20 12:41:45 +03:00
Alexey	b55b264345	Merge branch 'main' into flow-me	2026-03-20 12:20:51 +03:00
Alexey	f61d25ebe0	Authoritative Teardown + Orphan Watchdog + Force-Close Safery Policy Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-03-20 12:11:47 +03:00
Alexey	ed4d1167dd	ME Writers Advanced Cleanup Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-03-20 12:09:23 +03:00
Alexey	dc6948cf39	Merge pull request #502 from telemt/about-releases Update README.md	2026-03-20 11:25:19 +03:00
Alexey	4f11aa0772	Update README.md	2026-03-20 11:25:07 +03:00
Alexey	e40361b171	Cargo.toml + Cargo.lock Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-03-20 00:45:04 +03:00
Alexey	1c6c73beda	ME Writers Anti-stuck and Quarantine fixes Co-Authored-By: Nook Scheel <nook@live.ru>	2026-03-20 00:41:40 +03:00
Alexey	67dc1e8d18	Merge pull request #498 from telemt/bump Update Cargo.toml	2026-03-19 18:25:14 +03:00
Alexey	ad8ada33c9	Update Cargo.toml	2026-03-19 18:24:01 +03:00
Alexey	bbb201b433	Instadrain + Hard-remove for long draining-state: merge pull request #497 from telemt/flow-stuck-writer Instadrain + Hard-remove for long draining-state	2026-03-19 18:23:38 +03:00
Alexey	8d1faece60	Instadrain + Hard-remove for long draining-state Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-03-19 17:45:17 +03:00
Alexey	a603505f90	Merge pull request #492 from temandroid/main fix(docker): expose port 9091 and allow external API access	2026-03-19 17:32:49 +03:00
Alexey	f8c42c324f	Merge pull request #494 from Dimasssss/patch-1 Update install.sh	2026-03-19 17:32:05 +03:00
Dimasssss	dc3363aa0d	Update install.sh	2026-03-19 16:23:32 +03:00
Alexey	f655924323	Update health.rs Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-03-19 16:15:00 +03:00
TEMAndroid	05c066c676	fix(docker): expose port 9091 and allow external API access Add 9091 port mapping to compose.yml to make the REST API reachable from outside the container. Previously only port 9090 (metrics) was published, making the documented curl commands non-functional. fixes #434	2026-03-19 15:54:01 +03:00
Alexey	1e000c2e7e	ME Writer stuck-up in draining-state fixes: merge pull request #491 from telemt/flow-stuck-writer ME Writer stuck-up in draining-state fixes	2026-03-19 14:44:43 +03:00
Alexey	fa17e719f6	Merge pull request #490 from telemt/bump Update Cargo.toml	2026-03-19 14:43:15 +03:00
Alexey	ae3ced8e7c	Update Cargo.toml	2026-03-19 14:42:59 +03:00
Alexey	3279f6d46a	Cleanup-path as non-blocking Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-03-19 14:07:20 +03:00
Alexey	6f9aef7bb4	ME Writer stuck-up in draining-state fixes Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-03-19 13:08:35 +03:00
Alexey	049db1196f	Merge pull request #487 from telemt/code-of-conduct Update CODE_OF_CONDUCT.md	2026-03-19 01:18:14 +03:00
Alexey	c8ffc23cf7	Update CODE_OF_CONDUCT.md	2026-03-19 01:18:02 +03:00
Alexey	f230f2ce0e	Merge pull request #486 from telemt/code-of-conduct Create CODE_OF_CONDUCT.md	2026-03-19 00:59:50 +03:00
Alexey	bdac6e3480	Create CODE_OF_CONDUCT.md	2026-03-19 00:59:37 +03:00
Alexey	a4e9746dc7	Merge pull request #485 from Dimasssss/patch-3 Update install.sh	2026-03-19 00:43:14 +03:00
Dimasssss	c47495d671	Update install.sh Вернул старый функционал + добавил новый: - Вернул автоматическое создание конфига с секретом - Вернул автоматическое создание службы - Добавил удаление службы и telemt через `install.sh uninstall` - Полное удаление вместе с конфигом через `install.sh --purge` - Добавил установку нужной версии `install.sh 3.3.15`	2026-03-19 00:36:02 +03:00
Alexey	5ae3a90d5e	Merge pull request #483 from Dimasssss/patch-1 Update CONFIG_PARAMS.en.md	2026-03-18 23:02:33 +03:00
Alexey	901a0b7c23	Runtime guardrails: merge pull request #484 from telemt/flow-runtime Runtime guardrails	2026-03-18 22:37:17 +03:00
Alexey	03891db0c9	Update Cargo.toml Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-03-18 22:36:33 +03:00
Alexey	89e5668c7e	Runtime guardrails Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-03-18 22:33:41 +03:00
Dimasssss	1935455256	Update CONFIG_PARAMS.en.md	2026-03-18 18:20:23 +03:00
Alexey	1544e3fcff	Merge pull request #481 from telemt/bump Update Cargo.toml	2026-03-18 13:58:39 +03:00
Alexey	85295a9961	Update Cargo.toml	2026-03-18 13:58:27 +03:00
Alexey	a54f807a45	Hot-Reload fixes: merge pull request #480 from telemt/flow-user Hot-Reload fixes	2026-03-18 13:57:58 +03:00
Alexey	31f6258c47	Hot-Reload fixes Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-03-18 13:54:59 +03:00
Alexey	30ba41eb47	Merge pull request #479 from telemt/bump Update Cargo.toml	2026-03-18 11:57:25 +03:00
Alexey	42f946f29e	Update Cargo.toml	2026-03-18 11:57:09 +03:00
Alexey	c53d7951b5	Merge pull request #468 from temandroid/main feat: add Telemt Control API Python simple client with CLI	2026-03-18 11:56:32 +03:00
Alexey	f36e264093	Merge pull request #477 from Dimasssss/CONFIG_PARAMS.md Create CONFIG_PARAMS.en.md	2026-03-18 11:56:17 +03:00
Alexey	a3bdf64353	ME Coverage Ratio in API + as Draining Factor: merge pull request #478 from telemt/flow-api ME Coverage Ratio in API + as Draining Factor	2026-03-18 11:56:01 +03:00
Alexey	2aa7ea5137	ME Coverage Ratio in API + as Draining Factor	2026-03-18 11:46:13 +03:00
Dimasssss	462c927da6	Create CONFIG_PARAMS.en.md	2026-03-18 10:53:09 +03:00
Alexey	cb87b2eac3	Adaptive Buffers + Session Eviction Method: merge pull request #475 from telemt/flow-buffers Adaptive Buffers + Session Eviction Method	2026-03-18 10:52:22 +03:00
Alexey	3739f38440	Adaptive Buffers + Session Eviction Method	2026-03-18 10:49:02 +03:00
TEMAndroid	8e96039a1c	Merge branch 'telemt:main' into main	2026-03-17 20:09:50 +03:00
TEMAndroid	36b360dfb6	feat: add Telemt Control API Python simple client with CLI Stdlib-only HTTP client covering all /v1 endpoints with argparse CLI. Supports If-Match concurrency, typed errors, user CRUD, and all runtime/stats routes. Usage: ./telemt_api.py help AI-Generated from API.md. Partially tested. Use with caution...	2026-03-17 20:09:36 +03:00
Alexey	5dd0c47f14	Merge pull request #464 from temandroid/patch-1 feat(zabbix): add graphs to Telemt template	2026-03-17 18:53:07 +03:00
TEMAndroid	4739083f57	feat(zabbix): add graphs to Telemt template - Add per-user graph prototypes (Connections, IPs, Traffic, Messages) - Add server-level graphs (Connections, Uptime, ME Keepalive, ME Reconnects, ME Route Drops, ME Writer Pool/Removals, Desync, Upstream, Refill)	2026-03-17 18:24:57 +03:00
Alexey	37a31c13cb	Merge pull request #460 from telemt/bump Update Cargo.toml	2026-03-17 16:31:46 +03:00
Alexey	35bca7d4cc	Update Cargo.toml	2026-03-17 16:31:32 +03:00
Alexey	f39d317d93	Merge pull request #459 from telemt/flow-perf Flow perf	2026-03-17 16:28:59 +03:00
Alexey	d4d93aabf5	Merge pull request #458 from DavidOsipov/ME-draining-fix-3.3.19 Add health monitoring tests for draining writers	2026-03-17 16:17:41 +03:00
David Osipov	c9271d9083	Add health monitoring tests for draining writers - Introduced adversarial tests to validate the behavior of the health monitoring system under various conditions, including the management of draining writers. - Implemented integration tests to ensure the health monitor correctly handles expired and empty draining writers. - Added regression tests to verify the functionality of the draining writers' cleanup process, ensuring it adheres to the defined thresholds and budgets. - Updated the module structure to include the new test files for better organization and maintainability.	2026-03-17 17:11:51 +04:00
Alexey	9c9ba4becd	Merge pull request #452 from Dimasssss/patch-1 Update TLS-F-TCP-S.ru.md	2026-03-17 15:27:43 +03:00
Dimasssss	bd0cefdb12	Update TLS-F-TCP-S.ru.md	2026-03-17 11:56:56 +03:00
Alexey	e2ed1eb286	Merge pull request #450 from kutovoys/main feat: add metrics_listen option for metrics endpoint bind address	2026-03-17 11:46:52 +03:00
Sergey Kutovoy	a74def9561	Update metrics configuration to support custom listen address - Bump telemt dependency version from 3.3.15 to 3.3.19. - Add `metrics_listen` option to `config.toml` for specifying a custom address for the metrics endpoint. - Update `ServerConfig` struct to include `metrics_listen` and adjust logic in `spawn_metrics_if_configured` to prioritize this new option over `metrics_port`. - Enhance error handling for invalid listen addresses in metrics setup.	2026-03-17 12:58:40 +05:00
Alexey	95c1306166	Merge pull request #444 from Dimasssss/patch-1 Update FAQ (add max_connections)	2026-03-16 22:06:27 +03:00
Dimasssss	e1ef192c10	Update FAQ.en.md	2026-03-16 22:03:28 +03:00
Dimasssss	ee4d15fed6	Update FAQ.ru.md	2026-03-16 22:02:55 +03:00